PoliCTF 2015 - Hard Interview (50pts) writeup

The challenge description was: interview.polictf.it:80

The description does not give much away, so let's connect and see what happens:

mrt:~/ctf/polictf/grab_bag/hard_interview$ nc interview.polictf.it 80
[ASCII-art banner]


fish@sword:~$

We are greeted with a shell, but regular navigation commands like cd and ls do not work. Let's see if we can get some help:

fish@sword:~$ help
A very hard interview: Codename Blow...Fish
Maybe you can help me with something...
DOD d-base, 128 bit encryption....What do you think?
Maybe slide in a Trojan horse hiding a worm...
I have been told that best "crackers" in the world can do it 60 minutes,
unfortunately i need someone who can do it in 60 seconds...
naturally with the right incentives ;)
If you know what I mean, tell me how a real cracker accesses to a remote super protected server...

Possible commands:
hacker: Write code as a real hacker
help: Give informations about the program
hint: Gives a little hint
exit: Loser...bye Bye
ssh: A tiny ssh command
date: A very useful and innovative feature

The only interesting command we can use is ssh, but where should we connect to?

The 60 seconds quote sounds really familiar, and the prompt gives a big hint as well: this comes from the movie Swordfish. If you have watched it, you will recognise the 'hacker interview' John Travolta gives to Hugh Jackman.

After a quick Google search I found the hacking interview scene from the movie on YouTube. The scene shows a list of 'IP' addresses, which could be exactly what we need for our ssh command:

fish@sword:~$ ssh root@213.225.312.5
... Username not found
... Address reachable
fish@sword:~$ ssh root@312.5.125.233
... Username not found
... Address reachable
fish@sword:~$ ssh root@232.12.10.362
... Username not found
... Address not reachable
fish@sword:~$ ssh root@125.323.12.30
... Username not found
... Address not reachable
fish@sword:~$ ssh root@291.12.112.323
... Username not found
... Address not reachable
fish@sword:~$ ssh root@151.268.115.65
... Username not found
... Address not reachable

The ssh command reports that two of these addresses are reachable, but the username is not found. Common usernames would be root, guest or maybe admin:

fish@sword:~$ ssh guest@213.225.312.5
... Username not found
... Address reachable
fish@sword:~$ ssh admin@213.225.312.5
... Username found
... Address reachable

The admin username is found, but nothing happens. Let's try the other reachable address:

fish@sword:~$ ssh admin@312.5.125.233
flag{H4ll3_B3rry's_t0pl3ss_sc3n3_w4s_4ls0_n0t4bl3}

We got our flag:

flag{H4ll3_B3rry's_t0pl3ss_sc3n3_w4s_4ls0_n0t4bl3}
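
The reasoning behind the last two steps, as an added example that is not part of the original writeup: the challenge's ssh command answers the username and the address question on separate lines, so each can be settled on its own and the results combined. The function names are mine, and treating the two status lines as independent of each other is an assumption (the transcript is consistent with it).

```python
# Session lines copied from the writeup above, up to the first "Username found".
TRANSCRIPT = """\
fish@sword:~$ ssh root@213.225.312.5
... Username not found
... Address reachable
fish@sword:~$ ssh root@312.5.125.233
... Username not found
... Address reachable
fish@sword:~$ ssh root@232.12.10.362
... Username not found
... Address not reachable
fish@sword:~$ ssh root@125.323.12.30
... Username not found
... Address not reachable
fish@sword:~$ ssh root@291.12.112.323
... Username not found
... Address not reachable
fish@sword:~$ ssh root@151.268.115.65
... Username not found
... Address not reachable
fish@sword:~$ ssh guest@213.225.312.5
... Username not found
... Address reachable
fish@sword:~$ ssh admin@213.225.312.5
... Username found
... Address reachable
"""

def parse(transcript):
    """Record what each status line says on its own (assumed independent)."""
    users, hosts, tried = {}, {}, set()
    for line in map(str.strip, transcript.splitlines()):
        if " ssh " in line:
            user, host = line.split(" ssh ")[1].split("@")
            tried.add((user, host))
        elif line.startswith("... Username"):
            users[user] = line.endswith("Username found")
        elif line.startswith("... Address"):
            hosts[host] = line.endswith("Address reachable")
    return users, hosts, tried

def next_attempts(transcript):
    """Found usernames paired with reachable addresses, minus pairs already tried."""
    users, hosts, tried = parse(transcript)
    good = {(u, h) for u, ok in users.items() if ok for h, up in hosts.items() if up}
    return sorted(good - tried)

print(next_attempts(TRANSCRIPT))
```

After eight attempts the only untried pair left is the one that returned the flag. Without the separate feedback, three usernames and six addresses would have meant up to eighteen combinations.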