Capturing the Flags

Apr 8, 2016 05:02 PM
635957060970586728.jpg

Yo everyone! This is how ForLulz have hacked the CTF server:

An aggresive nmap scan without ping has shown 2 open ports: 10001 and 49999, and gave us some info on the target.

nmap -A -Pn 1.2.3.4

Another service scan has revealed that the service behind port 10001 is Apache Tomcat/Coyote JSP Engine 1.1.

nmap -sV -p10001,49999 -Pn 1.2.3.4

The default credentials to log into it are tomcat:tomcat, so we quickly got through the login page at 1.2.3.4:10001/manager/html and found ourselves on the management page.

635957063565120089.jpg

Next, we used msfvenom to create a .war file with a meterpreter payload...

635957061428399913.jpg

...and uploaded it to the server using the management interface. The next step was to navigate 1.2.3.4/meterpreter/zxqoymrjds.jsp to activate our payload. Et voila! The server is ours! (almost)

635957061971836990.jpg

Once we got a shell, downloading the flags was easy - 'find / -name "*.gpg" 2>/dev/null' found all files encrypted with gpg, and we used meterpreter's download feature to download the flags.

635957062579181669.jpg

Now the only thing left is to decrypt the flags and win!

There was a challenge flag too, which could only be read by root. Sadly at that point it was getting late and I couldn't participate anymore. Secondly, decrypting all flags would take many, many hours on a beefy rig. Use 4 character passwords next time, Suser!

Comments

No Comments Exist

Be the first, drop a comment!