The information given to get started with the challenge was:
Seems like somebody got pwned http://184.108.40.206
In the HTML source of that URL we see an interesting comment:
<!DOCTYPE html>
<html>
<head>
<title>You got PWNED!</title>
</head>
<body>
<!-- ERROR: Could not write logfile - attacking 83.163.xx.xx:22 -->
<center>
The IP address shown is my own, so I started checking my sshd logs, and indeed, they show a few login attempts coming in from the CTF server:
Dec 28 21:15:23 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:25 mgmt sshd: Failed password for invalid user admin from 220.127.116.11 port 37865 ssh2
..
Dec 28 21:15:26 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:28 mgmt sshd: Failed password for invalid user oracle from 18.104.22.168 port 37866 ssh2
..
Dec 28 21:15:29 mgmt sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=67.31c3ctf.aachen.ccc.de
Dec 28 21:15:30 mgmt sshd: Failed password for invalid user hans from 22.214.171.124 port 37867 ssh2
So, it looks like the CTF server is trying to attack me. Let's have Kippo answer these SSH requests and harvest the credentials of the users trying to log in:
2014-12-28 21:58:03+0100 [SSHService ssh-userauth on HoneyPotTransport,5,126.96.36.199] login attempt [admin/admin] failed
2014-12-28 21:58:05+0100 [SSHService ssh-userauth on HoneyPotTransport,6,188.8.131.52] login attempt [oracle/oracle123] failed
2014-12-28 21:58:06+0100 [SSHService ssh-userauth on HoneyPotTransport,7,184.108.40.206] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] failed
OK, some 'default' attempts from users admin and oracle, but hans most definitely looks very promising. I added the user/password to Kippo's userdb and tried again...
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,220.127.116.11] hans trying auth password
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,18.104.22.168] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] succeeded
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,22.214.171.124] hans authenticated with password
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,126.96.36.199] starting service ssh-connection
2014-12-28 22:03:55+0100 [HoneyPotTransport,101,188.8.131.52] connection lost
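The two log sources above (the sshd "Failed password" lines and Kippo's "login attempt" lines) are what a defender would normally parse to see who is knocking and which credentials they try. As an added example that is not part of the original write-up, the script below extracts the usernames per source IP from sshd, the user/password pairs (and their outcome) from Kippo, and correlates the two. The sample log lines are constructed from the entries quoted in the post, with 203.0.113.10 as a placeholder source address; the regexes match the sshd and Kippo line formats shown on the page and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample input, one log entry per line as the files would hold them.
# The source IP 203.0.113.10 is a placeholder (TEST-NET-3), not the CTF server's address.
SSHD_LOG = """\
Dec 28 21:15:25 mgmt sshd: Failed password for invalid user admin from 203.0.113.10 port 37865 ssh2
Dec 28 21:15:28 mgmt sshd: Failed password for invalid user oracle from 203.0.113.10 port 37866 ssh2
Dec 28 21:15:30 mgmt sshd: Failed password for invalid user hans from 203.0.113.10 port 37867 ssh2
"""

KIPPO_LOG = """\
2014-12-28 21:58:03+0100 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.10] login attempt [admin/admin] failed
2014-12-28 21:58:05+0100 [SSHService ssh-userauth on HoneyPotTransport,6,203.0.113.10] login attempt [oracle/oracle123] failed
2014-12-28 21:58:06+0100 [SSHService ssh-userauth on HoneyPotTransport,7,203.0.113.10] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] failed
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,203.0.113.10] hans trying auth password
2014-12-28 22:03:55+0100 [SSHService ssh-userauth on HoneyPotTransport,101,203.0.113.10] login attempt [hans/=l@Zy+&'}M_.]<zEcDN9] succeeded
2014-12-28 22:03:55+0100 [HoneyPotTransport,101,203.0.113.10] connection lost
"""

# sshd: "Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
SSHD_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Kippo: "[SSHService ssh-userauth on HoneyPotTransport,<id>,<ip>] login attempt [<user>/<password>] <result>"
# The password is matched greedily and anchored on the trailing "] failed|succeeded",
# so passwords containing ']' (like the one in the post) are captured intact.
KIPPO_RE = re.compile(
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>.*)\] (?P<result>failed|succeeded)\s*$"
)


def parse_sshd_failures(text):
    """Map each source IP to the list of usernames it tried, from sshd failure lines."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            attempts[m["ip"]].append(m["user"])
    return dict(attempts)


def parse_kippo_credentials(text):
    """Return (ip, user, password, result) for every Kippo login attempt line."""
    creds = []
    for line in text.splitlines():
        m = KIPPO_RE.search(line)
        if m:
            creds.append((m["ip"], m["user"], m["password"], m["result"]))
    return creds


def harvested_credentials(text):
    """Unique (user, password) pairs seen by the honeypot, in first-seen order."""
    seen = {}
    for _, user, password, _ in parse_kippo_credentials(text):
        seen.setdefault((user, password), None)
    return list(seen)


def correlate(sshd_text, kippo_text, threshold=3):
    """Per source IP: usernames from sshd, credential attempts from Kippo, and a
    brute-force flag when the IP tried at least `threshold` distinct usernames."""
    report = {}
    kippo = parse_kippo_credentials(kippo_text)
    for ip, users in parse_sshd_failures(sshd_text).items():
        report[ip] = {
            "sshd_users": users,
            "kippo_attempts": [(u, p, r) for cip, u, p, r in kippo if cip == ip],
            "flagged": len(set(users)) >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in correlate(SSHD_LOG, KIPPO_LOG).items():
        print(ip, "flagged" if info["flagged"] else "ok", info["sshd_users"])
        for user, password, result in info["kippo_attempts"]:
            print("  ", user, "/", password, "->", result)
```

Running it prints one line per source IP with the usernames sshd rejected, followed by every credential pair Kippo captured and whether Kippo accepted it; the `succeeded` entry is the attempt made after the pair was added to Kippo's userdb.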
This time, we see that the account logs in just fine, but the connection is dropped even before the welcome banner is sent.
Let’s try the harvested credentials on the attacking machine:
$ ssh firstname.lastname@example.org
RSA key fingerprint is 67:93:80:c8:13:ea:04:de:95:79:2f:d3:1b:fc:88:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '184.108.40.206' (RSA) to the list of known hosts.
email@example.com's password: =l@Zy+&'}M_.]<zEcDN9
Last login: Sun Dec 28 21:45:22 2014 from xx.xx.xx.xx
hans@31c3ctf-rick:~$ ls
flag.txt
hans@31c3ctf-rick:~$ cat flag.txt
31c3_a5bb3ead8fbc6617374ea3f57f0563d2
And there it is... another fine flag...
Here we also find the starting point needed for the roll challenge:
hans@31c3ctf-rick:/tmp/.xxx/usr/share/binfmts/. $ ls -fl
total 3176
-rwxr-xr-x 1 hans hans  813773 Dec 29 16:30 malware.old
drwxr-xr-x 3 hans hans    4096 Dec 29 19:01 ..
drwxr-xr-x 2 hans hans    4096 Dec 29 19:01 .
-rw-r--r-- 1 hans hans     144 Dec 29 16:34 note.txt
-rwxr-xr-x 1 hans hans 2423671 Dec 29 16:19 malware
hans@31c3ctf-rick:/tmp/.xxx/usr/share/binfmts/. $ cat note.txt
malware.old is the original binary, malware is the debug build with some debugging output to troubleshoot problems, exploit works against both.