The information given to get started with the challenge was:
In the HTML-source of that URL we see an interesting comment:
[code]<title>You got PWNED!</title>
<!-- ERROR: Could not write logfile - attacking 83.163.xx.xx:22 -->[/code]
The IP-address shown is my own, so I started checking my sshd-logs, and indeed, they show a few login attempts coming in from the CTF-server:
[code highlight="2,5,8"]Dec 28 21:15:23 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:25 mgmt sshd: Failed password for invalid user admin from 18.104.22.168 port 37865 ssh2
Dec 28 21:15:26 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:28 mgmt sshd: Failed password for invalid user oracle from 22.214.171.124 port 37866 ssh2
Dec 28 21:15:29 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:30 mgmt sshd: Failed password for invalid user hans from 126.96.36.199 port 37867 ssh2[/code]
So it looks like the CTF server is trying to attack me. Let's have Kippo answer these SSH requests and harvest the credentials of the users trying to log in:
[code]2014-12-28 21:58:03+0100 [SSHService ssh-userauth on HoneyPotTransport,5,188.8.131.52] login attempt [admin/admin] failed
2014-12-28 21:58:05+0100 [SSHService ssh-userauth on HoneyPotTransport,6,184.108.40.206] login attempt [oracle/oracle123] failed
2014-12-28 21:58:06+0100 [SSHService ssh-userauth on HoneyPotTransport,7,220.127.116.11] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] failed[/code]
Ok, some 'default' attempts from the users admin and oracle, but hans most definitely looks promising. I added the user/password pair to Kippo's userdb and tried again...
[code] 2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,18.104.22.168] hans trying auth password
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,22.214.171.124] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] succeeded
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,126.96.36.199] hans authenticated with password
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,188.8.131.52] starting service ssh-connection
2014-12-28 22:03:55+0100 [HoneyPotTransport,101,184.108.40.206] connection lost[/code]
This time the account logs in just fine, but the connection is dropped even before the welcome banner is sent.
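The two steps above (spotting the username-cycling source in sshd's auth log, then pulling the credentials out of Kippo's log and picking the one that is not a wordlist default) are easy to script. The following is an added example, not code from the original write-up or from Kippo; the log lines embedded in it are constructed to mirror the ones shown above, with documentation IPs in place of the real ones, and the `username:uid:password` layout of Kippo's `data/userdb.txt` is quoted from memory and should be checked against your Kippo version.

```python
import re

# Constructed sample lines modelled on the sshd and Kippo output in the write-up (not the real logs).
SSHD_LOG = """\
Dec 28 21:15:23 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:25 mgmt sshd: Failed password for invalid user admin from 203.0.113.67 port 37865 ssh2
Dec 28 21:15:26 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:28 mgmt sshd: Failed password for invalid user oracle from 203.0.113.67 port 37866 ssh2
Dec 28 21:15:30 mgmt sshd: Failed password for invalid user hans from 203.0.113.67 port 37867 ssh2
Dec 28 21:16:02 mgmt sshd: Failed password for root from 198.51.100.9 port 51002 ssh2
"""

KIPPO_LOG = """\
2014-12-28 21:58:03+0100 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.67] login attempt [admin/admin] failed
2014-12-28 21:58:05+0100 [SSHService ssh-userauth on HoneyPotTransport,6,203.0.113.67] login attempt [oracle/oracle123] failed
2014-12-28 21:58:06+0100 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.67] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] failed
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,203.0.113.67] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] succeeded
"""

# sshd logs the username only on the "Failed password" line; the pam_unix line carries just the rhost.
SSHD_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
# Kippo prints the password verbatim, so it may contain '/' or ']' itself; anchor on the trailing
# "] failed" / "] succeeded" and let the password group be greedy.
KIPPO_ATTEMPT = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/]+)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed shortlist of passwords a scanner tries everywhere; real work would use a wordlist.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "root", "toor", "oracle123"}


def sshd_failed_logins(log_text):
    """Return (user, ip, port) for every 'Failed password' line."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_FAILED.search(line)
        if m:
            hits.append((m["user"], m["ip"], int(m["port"])))
    return hits


def usernames_by_source(log_text):
    """Map each source IP to the usernames it tried, in log order."""
    by_ip = {}
    for user, ip, _port in sshd_failed_logins(log_text):
        by_ip.setdefault(ip, []).append(user)
    return by_ip


def brute_force_sources(log_text, min_users=2):
    """Sources that cycled through several distinct usernames (what the CTF box did here)."""
    return sorted(ip for ip, users in usernames_by_source(log_text).items()
                  if len(set(users)) >= min_users)


def kippo_attempts(log_text):
    """Parse Kippo 'login attempt' lines into dicts with ip, user, password, succeeded."""
    out = []
    for line in log_text.splitlines():
        m = KIPPO_ATTEMPT.search(line)
        if m:
            out.append({"ip": m["ip"], "user": m["user"], "password": m["password"],
                        "succeeded": m["result"] == "succeeded"})
    return out


def interesting_credentials(log_text, min_len=12):
    """Unique user/password pairs that look site-specific rather than scanner defaults."""
    seen = []
    for a in kippo_attempts(log_text):
        pair = (a["user"], a["password"])
        if pair in seen:
            continue
        if (a["password"] in DEFAULT_PASSWORDS or a["password"] == a["user"]
                or len(a["password"]) < min_len):
            continue
        seen.append(pair)
    return seen


def successful_logins(log_text):
    """User/password pairs Kippo accepted, i.e. the ones already added to its userdb."""
    return [(a["user"], a["password"]) for a in kippo_attempts(log_text) if a["succeeded"]]


def userdb_line(user, password, uid=0):
    """Build a Kippo data/userdb.txt entry (assumed layout: username:uid:password)."""
    if ":" in user or ":" in password or "\n" in password:
        raise ValueError("credential cannot be encoded in a colon-separated userdb line")
    return f"{user}:{uid}:{password}"


if __name__ == "__main__":
    print("username-cycling sources:", brute_force_sources(SSHD_LOG))
    for user, password in interesting_credentials(KIPPO_LOG):
        print("candidate:", userdb_line(user, password))
```

The rejection heuristic is deliberately crude: anything that equals the username, sits in the default list, or is shorter than twelve characters is treated as noise. Against the three attempts shown above that leaves exactly the hans credential, which is the one worth adding to the userdb and replaying against the attacking host.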
Let’s try the harvested credentials on the attacking machine:
[shell highlight="10"]$ ssh firstname.lastname@example.org
RSA key fingerprint is 67:93:80:c8:13:ea:04:de:95:79:2f:d3:1b:fc:88:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '220.127.116.11' (RSA) to the list of known hosts.
email@example.com's password: =l@Zy+&'}M_.]<zEcDN9
Last login: Sun Dec 28 21:45:22 2014 from xx.xx.xx.xx
hans@31c3ctf-rick:~$ cat flag.txt[/shell]
And there it is, another fine flag.
We also find here the starting point needed for the roll challenge:
[shell]hans@31c3ctf-rick:/tmp/.xxx/usr/share/binfmts/. $ ls -fl
-rwxr-xr-x 1 hans hans 813773 Dec 29 16:30 malware.old
drwxr-xr-x 3 hans hans 4096 Dec 29 19:01 ..
drwxr-xr-x 2 hans hans 4096 Dec 29 19:01 .
-rw-r--r-- 1 hans hans 144 Dec 29 16:34 note.txt
-rwxr-xr-x 1 hans hans 2423671 Dec 29 16:19 malware
hans@31c3ctf-rick:/tmp/.xxx/usr/share/binfmts/. $ cat note.txt
malware.old is the original binary, malware is the debug build with some debugging output to troubleshoot problems, exploit works against both.