This year I created the challenge for the T2 conference held in Helsinki, Finland. (http://www.t2.fi/challenge/)
I'd like to share with you what my solution looks like.
The challengers started out with nothing more than a network dump (http://www.t2.fi/bin/t209-challenge.pcap).
I wrote a small tool to parse/list the pcap content and then work with the data in it:
The tool is nothing special, but let's look at the output:
We clearly see some cleartext "Echo Test" and, as the answer, some random-looking characters. I'll let you decide how to figure out that it's actually RC4 encryption, as I'm not really a cryptography expert. I'd go through a list of known encryption algorithms and test until I find the correct one. If you happen to know a reliable way to identify RC4, please let me know.
Now that we know the encryption is RC4, we can focus on how to crack the password. The hint for the challenge was: "sometimes time is the key." I know this was all a bit vague, but at the time I was creating the challenge, this hint seemed very clear to me. Why did I give this hint? Well, I was coding the RC4 encryption and thought, let's make the encryption time-based, which in my code was:
As you can see, it's a long integer which I then divide by 60 to get the minutes since the epoch. Now that we know the algorithm and what the key should be, we can brute force the packet. To make this easier I added the "Echo Test", so that you have a plaintext string to match against when decrypting. Here's the result:
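As an added example (not the challenge author's code), here is how that brute force works in Python: a plain RC4 implementation, a search over candidate minute values, and a check against the known "Echo Test" plaintext. It assumes the key is the decimal string of time()/60 (the write-up does not show the exact key derivation), and the captured ciphertext is constructed inline.

```python
# Added example: recovering a time-derived RC4 key from a known plaintext.
# Assumption (not from the write-up): key = decimal string of int(time()/60).
# The "captured" ciphertext below is constructed for the demo, not from the pcap.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then XOR the PRGA keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def minute_key(minutes: int) -> bytes:
    """Assumed key derivation: minutes since the epoch as a decimal string."""
    return str(minutes).encode()


def brute_force_minute(ciphertext: bytes, known_plaintext: bytes,
                       start_minute: int, end_minute: int):
    """Try every minute in [start, end]; return the first one whose key
    decrypts the ciphertext to the known plaintext, or None.
    A 9-byte match against a wrong key is astronomically unlikely, so one
    known string is enough to avoid false positives."""
    n = len(known_plaintext)
    for m in range(start_minute, end_minute + 1):
        if rc4(minute_key(m), ciphertext)[:n] == known_plaintext:
            return m
    return None


# Constructed sample: the echo reply was encrypted under the capture minute
# (about October 2009 in minutes since the epoch, matching the conference date).
CAPTURE_MINUTE = 20_915_000
SAMPLE_CIPHERTEXT = rc4(minute_key(CAPTURE_MINUTE), b"Echo Test")

if __name__ == "__main__":
    # The pcap timestamps give a rough date, so a window of a few days suffices.
    window = 5_000  # minutes on each side, i.e. roughly 3.5 days each way
    found = brute_force_minute(SAMPLE_CIPHERTEXT, b"Echo Test",
                               CAPTURE_MINUTE - window, CAPTURE_MINUTE + window)
    print("recovered minute:", found, "key:", minute_key(found))
```

In practice the search window comes from the pcap's own packet timestamps, so even a generous window is only a few thousand RC4 runs.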
And we got the key! As this was so much fun, let's just brute force packet number 14 as well; it's fast enough.
Seems like there's an image to download and some information about a backdoor. Let's download the image. After the download we can check the file to see if we can recognize the file format (I know it's .vmdk, but let's go through it step by step).
The VMware Image
It's a VMware disk image, so let's boot it up and scan it:
Only SSH is open, and we don't have the login credentials. I know we could simply mount the image and change the hash in /etc/shadow to log in that way, but that is not how I intended it to be solved. In this case I replayed the traffic from the pcap file to see if anything changed. As you may remember, there was an ICMP timestamp request in the pcap file, so I started with that:
Let's do another scan of the host now:
Now we see port 139 is open, so we know how the backdoor daemon is activated.
We know that the messages are encrypted with RC4 keyed on the time() function rounded to the minute. I wrote a small client to communicate with it:
As we can see, the time-based encryption is working; the '-s 57' is the time difference in seconds between my box and the challenge VMware image. This daemon offers 3 kinds of data:
1.) Echo daemon (sends back what you sent)
Let's look at 2 and 3 in detail.
2.) This option gives the challenger two major pieces of information:
3.) This option sends you the username, password hash and the TCP magic key needed to activate the connect-back shell. But I added a little 'joke' there, as I didn't want to make it too easy, so I put the information in an image :) The data received speaks for itself:
And here's the image:
The password hash is pretty straightforward (raw MD5):
Connect Back Shell
Now the challenger has all the information they need to connect to the shell. If you send a TCP packet whose payload is T2CHALLENGEROCKS + TCP port, you'll get a login prompt where you can log in with the information from the image:
I'm on the Box, but where are my privs
At this point the challenger is connected with low privileges:
He will not be able to do much on this box; for this reason I added the module path, hoping the challenger will find the clue to run strings on the module and get the following information:
If the challenger now types bdhelp on the command line, they'll see this little menu show up. I assume most people will try the ioctl command first, but let's start with the hfiles one:
If the challenger now searches for the files, he'll find the important piece:
If you try to read the 'hiddenchl09file.txt' file you'll only get a permission denied, as it's readable only by root.
The second command is the ioctl command:
If you launch it:
Oops, something went wrong I guess :) But I'm not that evil, so let's strace it:
We can see that there's an ioctl call on file descriptor 0 with the value 31337, as well as the reason it's not working (/bin/sh was misspelled). So let's code a fixed version, recompile it statically, upload it and execute it to get root access, as shown below:
Finally we're root!
The mail address
As we're root now, we can read the hidden file.
All the hashes should be self-explanatory except the ioctl one. I've hidden that hash in an additional ELF header section.
Now you can just look at the content in this section:
And we're done :) I hope you enjoyed the challenge.