Risk of Rain 2 CTF by cyber-operations.net
I’ve just gone through my friend’s debut CTF: a Risk of Rain 2 inspired CTF by Joseph of cyber-operations.net. Whilst short, it was practically a game jam for someone who had never constructed a CTF before, only played them. With that in mind, this was certainly a well-made, coherent and fun CTF. I enjoyed every minute of it (other than figuring out the password format :P, more on that later).
I’ll try and structure this fairly chronologically :)
Reconnaissance & Enumeration
First step: find out what’s going on on the machine and where the machine is on the network. There are sometimes challenges where finding the target IP through network scanning is required, but this was one of those where it’s simply printed once the machine boots up.
So, with the IP 192.168.154.128, I proceeded to do a quick service scan with
$ sudo nmap -sV 192.168.154.128
and found the following main TCP ports:
- 20, FTP, closed
- 21, FTP, open
- 22, SSH, open
- 80, HTTP, open
- 443, HTTPS, closed
A route for file transfer, secure shell and web serving. Not yet willing to assume the FTP server was easy to break into, I went with the simplest and opened the website. Upon opening it, I was greeted by a blog landing page for the Engineer character, with a post on their favourite item, their favourite turret, a bio and a social handle. The item was the bustling fungus and the social handle was @ROR2ENGINEER. There was only an image of the turret, not what it was.
Of course, with any website in a CTF, and especially at the start of one, you gotta check the website’s source. And sure enough there was a flag there: L0ok1ng_Thr0ugh_Sc
Steganography
Underneath the turret is a caption stating that this is Engineer’s favourite turret, but it’s worded “myfavturret”, so clearly this is a passphrase of some sort. Passed it through steghide and sure enough, there was a text file hidden within that read “Bullet”.
Web Scraping
Checking robots.txt is a must, and for this site it was a huge one with one completely inconspicuous entry. It was a <long hex string>.txt, and initially I only tried decoding the hex. After failing that, I just ignored it and moved on assuming it was possibly a red herring, like an absolute plonker.
Anonymous FTP Login
Having spent a decent amount of time scraping the rest of the site and running the rest of the images through exiftool and steghide just in case, I moved on to the FTP server. I first checked whether it was a vulnerable version of vsftpd (it wasn’t) and then thought maybe it was a login that had been given away, namely engineer:Bullet (nope, but the server did handily tell me it was an “anonymous login only server”). Log in with anonymous:anonymous and bam, we’re on the server. A quick ls reveals a file with the flag gUY_fAwKEs_1OGin and another file with Engineer’s favourite stage (Rallypoint Delta) and his supposed login (the file actually tells us his username is indeed engineer and that his password should be something secure like a combination of things he likes, “in the order IFST”). I had figured out his favourite stage, item and turret, but didn’t know what F stood for, and initially thought it was Foe.
Web Scraping Cont.
It took talking about the CTF to finally realise the string was a hash. Plop it into crackstation and bish bash bosh, we have the real filename we want. Navigate to that and we find the flag S3creT_rOb0t_mD5 and a pointer to Engineer’s super secret, his favourite friend (Captain).
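The thing that cost time above was not recognising the robots.txt entry as a digest rather than hex-encoded text. The check I would want at that point is mechanical: a bare hex string of 32 characters is almost certainly MD5 (40 is SHA-1, 64 is SHA-256), and once you know that, a candidate filename can be hashed locally with md5sum and compared instead of leaving the lookup to a web service. The script below is an added example, not part of the original writeup or the CTF; the candidate names and the target digest (the MD5 of the word "secret") are constructed for the demo, and the real robots.txt entry from the challenge is not reproduced.

```shell
#!/bin/sh
# Added example (not from the original writeup): recognise a robots.txt entry
# that is a message digest rather than hex-encoded text, then check it against
# a constructed list of candidate filenames the way a lookup service would.

# Classify a bare hex string by its length. Prints md5/sha1/sha256/unknown-hex,
# or not-hex (with exit status 1) if the string contains non-hex characters.
classify_hex() {
    s="$1"
    case "$s" in
        *[!0-9a-fA-F]*) echo "not-hex"; return 1 ;;
    esac
    case "${#s}" in
        32) echo "md5" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown-hex" ;;
    esac
}

# MD5 of a string exactly as given: printf (not echo) so no trailing newline
# is hashed, which is the usual reason a local hash fails to match.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Read candidate names from stdin (one per line) and print the first one whose
# MD5 equals DIGEST. Exit status 1 if nothing matches.
find_preimage() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r cand; do
        [ -n "$cand" ] || continue
        if [ "$(md5_of "$cand")" = "$digest" ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed candidate list for the demo (not the challenge's wordlist).
DEMO_CANDIDATES='admin
backup
secret
hidden'
# Constructed target: the MD5 of the string "secret".
DEMO_DIGEST='5ebe2294ecd0e0f08eab7690d2a6ee69'

# Stand-alone usage: classify the digest, then try the candidates against it.
# classify_hex "$DEMO_DIGEST"
# printf '%s\n' "$DEMO_CANDIDATES" | find_preimage "$DEMO_DIGEST"
```

For a real page the candidate list would be whatever names the site itself suggests (the writeup's was a robots page), and classify_hex is only a length heuristic: a 32-character hex string could equally be a salted or truncated value, so treat "md5" as a first guess to test, not a fact.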
Gaining Access
So we’ve got all the elements of the password, should be easy right? No, bold of you to assume that, because this turned out to be what Joe chose to be the unnecessarily rage-inducing part of the CTF. It wasn’t as simple as Bustling FungusCaptainRallypoint DeltaBullet; I’d tried lower case, I’d tried different whitespace placements including none, but to no avail. Fortunately for me and my soon-to-be punched monitor, Joseph told me what part was different. Unfortunately for you, I won’t be revealing that. Have fun ;)
After getting the password right and connecting to the machine over SSH, a quick ls reveals a file with the user flag 1_LOve_FunGu5_M0r3_ThAn_AnYth1ng. Now for the fun bit… kinda.
Privilege Escalation
This was meant to be the best part of the CTF, and I was warned not to look at .bash_history and history as Joseph forgot to clear them, but he also forgot to disable sudo for engineer. So I just sudo su’d myself to /root and there we have the root flag EnGIn33rS_bAD_SU1D. In retrospect I don’t know why being able to sudo didn’t come across as strange; I thought maybe it was hard to find the last flag even as root. Obviously, since the flag mentions SUID, it’s a SUID privesc. So I got LinEnum.sh and ran it (a bit overkill since I could have found SUID files with find) and we find :) that find and nmap have the SUID bit set. I’ve exploited find for privesc before but I forgot how in that moment and just looked it up. It’s as simple as:
$ find . -exec <COMMAND_TO_RUN_AS_ROOT> \; -quit
And then…
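The root cause on the box side is two binaries that should never carry the setuid bit. The audit a box builder (or anyone hardening a real host) wants before shipping is the same enumeration the writeup did with LinEnum, but compared against an allowlist so that anything outside the expected set (passwd, sudo, su and friends) is reported. The script below is an added example and not part of the original writeup or the CTF image; the demo tree it builds under mktemp, with "find", "nmap" and "passwd" as setuid files, is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): a small SUID/SGID audit a box
# builder or defender can run so that binaries like find or nmap are never left
# setuid-root by accident. Run it against / with a real allowlist; the demo
# tree below is constructed for illustration only.

# List setuid/setgid regular files under the given root, one path per line.
# The -4000 and -2000 permission masks match the SUID and SGID bits, -xdev
# keeps the walk on one filesystem, and errors for unreadable dirs are dropped.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print every setuid/setgid file under ROOT whose basename is not listed in
# ALLOWLIST (one basename per line, e.g. passwd, sudo, su). Empty output means
# nothing unexpected was found.
audit_suid() {
    root="$1"
    allowlist="$2"
    list_suid "$root" | while IFS= read -r f; do
        grep -qx -- "$(basename "$f")" "$allowlist" \
            || echo "UNEXPECTED setuid/setgid: $f"
    done
}

# Number of unexpected entries, handy for a pass/fail check in a build script.
count_unexpected() {
    audit_suid "$1" "$2" | grep -c .
}

# Build a constructed demo tree: three "binaries" with the setuid bit set, of
# which only passwd is on the allowlist. Prints the directory path.
build_demo_tree() {
    d=$(mktemp -d)
    for b in find nmap passwd; do
        : > "$d/$b"
        chmod 4755 "$d/$b"
    done
    printf 'passwd\n' > "$d/allowlist.txt"
    echo "$d"
}

# Stand-alone usage against the demo tree:
# demo=$(build_demo_tree); audit_suid "$demo" "$demo/allowlist.txt"
# Real usage: audit_suid / /etc/suid-allowlist.txt
```

On a real host the allowlist should be generated from a freshly installed system of the same distribution and reviewed by hand once; after that, any new line in the audit output is either a package you just installed or exactly the kind of mistake this box shipped with.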
All in all a great CTF, be sure to check out Joseph’s website and perform intensive OSINT and dox the man ofc, goes without saying :)