Thursday, April 6, 2017

SANS Netwars Experience & CyberCity

Last week I had the wonderful opportunity to partake in the SANS Netwars competition as well as the CyberCity challenge while taking Sec504 at Pentest Austin. Let me start by saying that if you are trying to figure out if you should do it, dive right in and have some fun!!




So what is Netwars? Netwars is a game that is played by utilizing hacking methodologies to score points. The players are ranked by their points score, and how many hints they have taken. There are 5 different levels each requiring a number of points to unlock. The first two levels are played on a VM that is given to you, while levels 3 and 4 are played off of a jump box that you are given access to once you unlock the third level. Level 5 is where you defend your "castle" while attacking others.

At Pentest Austin, Netwars is a three night event that runs on select nights throughout the week. It is also one of the few places for "Coin-A-Palooza" where you can earn challenge coins for completing levels at Netwars. Since Sec504 was the first SANS class that I had taken, it was the only coin I could win. But, I was able to earn my challenge coin on the first night of the competition by advancing to level 2. 


At the end of the third night I had managed to get half-way through the third level, an accomplishment that I did not think that I would be able to do. I managed to rank 78/168 which puts me in just under the half-way mark on the leader board. I was proud of my accomplishment and grateful that I had ventured out of my comfort zone and given it a try. Oh, and then I won the raffle for a Netwars Continuous subscription that will allow me to tackle that challenge for 4 months. I might be a little excited about starting that.



The final night was devoted to CyberCity. While Netwars had been an individual challenge, CyberCity was groups of 5.  CyberCity is a scale model of a city running real industrial control systems that you are given the chance to hack into. A team of us from Sec504 banded together to try and hack into the lighting control systems for the street lights. The scoreboard for this event is similar to NetWars in that you answer questions to direct you on what you should be doing. As our time ran out my team had managed to venture far into the control systems but came up short of our overall goal. It was a fun experience to say the least. 

So why am I writing about it? Because it is that awesome!! Really though, it was a lot of fun and if you are already immersing yourself into one of the SANS courses do yourself the favor of checking these after-hours events out. 


hackfest2016: Quaoar

Host: MAC OSX
VMware Fusion
Attacker: Kali Linux
Network: Host-Only
Target IP: 172.16.136.130

This walk-through will be a little different from my previous posts, mainly the lack of images. I am transitioning to a new host computer and I went through this vm before setting up a good way to do screenshots. Oh well...


This VM is the first of a series of three that gets harder as you move on. The difficulty listed on vulnhub is very easy. When you start the VM it tells you that the VM is located at 172.16.136.130.

To start I ran a basic port scan utilizing the command "nmap -sV -A 172.16.136.130". This gave me quite a few results, but what I was most interested in was that port 80 was open and nmap told me that there were sites excluded in the robots.txt file. Time to head there and figure out what's going on.

Browsing to 172.16.136.130 I am greeted with a basic landing page that has a link to an image. Not much to see here... let's look at robots.txt. In that file we can see that /wordpress/ is listed. Oh... and Hackers are disallowed... funny. Looks like we will be exploiting a WordPress site for shell access.

Browsing around /wordpress/ there isn't much here. I can see that Admin created the posts, so that is a login. I wonder how easy this really is...

Yep, admin:admin lets you into the admin panel of the WordPress site. My first thought was to upload a php reverse shell as media or as a new page, but I couldn't find a way to make that work. I thought about editing the plugins that were running php to run a reverse shell, but decided to Metasploit it for added practice of that tool.

Since I have the admin credentials, I can use the module exploit/unix/webapp/wp_admin_shell_upload. I set all my options and typed exploit. I now had meterpreter shell access into the system. This allowed me to start browsing around the directories. I quickly found the first flag in /home/wpadmin.

Flag1: 2bafe61f03117ac66a73c3c514de796e

Seeing that there was a wpadmin user I got curious and tried to ssh to the box using wpadmin:wpadmin to see if the admin had made the same mistake twice. Sure enough it let me in with a /bin/sh shell. I like to utilize /bin/bash so I ran the following python script to change my shell.

python -c 'import pty; pty.spawn("/bin/bash")'

I started browsing around the file system again looking for a way to become root. Knowing that in the past I've had luck with cron jobs being run as root I looked in the /etc/cron.d directory and found a file named php5. Inside of this file was not a way to root like I had hoped, but instead flag 3!!!

Flag 3: d46795f84148fd338603d0d6a9dbf8de

I continued looking and eventually found an upload directory in "/var/www". Inside of that directory there was a config.php file that had mysql credentials listed in it. root:rootpassword!

I ran "su root" and gave it the password I found and sure enough it worked!! I quickly navigated to /root/flag.txt to get the second flag.

Flag 2: 8e3f9ec016e3598c5eec11fd3d73f6fb

With all three flags found that closes out this challenge. Hopefully I'll find time to challenge myself with the others in this series.
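
The step that led to root here was a config.php under /var/www holding MySQL root credentials that were also valid for the system root account. The following Python audit is an added example, not part of the original walkthrough: it walks a web root and flags PHP files with hardcoded database passwords, a MySQL root login, or world-readable permissions. The function names and the sample config.php layout are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Matches PHP assignments such as $dbpass = 'x'; or define('DB_PASSWORD', 'x');
CRED_RE = re.compile(
    r"""(?:\$(?P<var>\w+)\s*=|define\(\s*['"](?P<const>\w+)['"]\s*,)\s*['"](?P<val>[^'"]*)['"]""")


def audit_php_config(path):
    """Return a list of findings for one PHP file (empty list = nothing flagged)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    creds = {}
    for m in CRED_RE.finditer(text):
        name = (m.group("var") or m.group("const")).lower()
        if "pass" in name or "pwd" in name:
            creds["password"] = m.group("val")
        elif "user" in name:
            creds["user"] = m.group("val")
    if "password" not in creds:
        return []
    findings = ["hardcoded database password"]
    if creds.get("user") == "root":
        findings.append("application connects to MySQL as root")
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("file is world-readable")
    return findings


def audit_webroot(root):
    """Walk a web root and audit every .php file; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            full = os.path.join(dirpath, name)
            found = audit_php_config(full)
            if found:
                report[full] = found
    return report


def demo(user="root", mode=0o644):
    """Audit a constructed web root (sample content, not taken from the VM)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "upload"))
        cfg = os.path.join(root, "upload", "config.php")
        with open(cfg, "w") as fh:
            fh.write(f"<?php\n$dbuser = '{user}';\n$dbpass = 'example-password';\n")
        os.chmod(cfg, mode)
        return audit_webroot(root)[cfg]
```

On a real host, point audit_webroot at the document root (for example /var/www); any file it reports is a candidate for a dedicated low-privilege database account and tighter file permissions.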