Defcamp CTF Quals 2014 - Network 100 – PCT (100pts) writeup

The challenge description was: My manager lives at 10.13.37.21. Any guest is always welcome. But he has a secret. Can you find it out?

After visiting the page at 10.13.37.21 we are greeted with a login form:

[Screenshot 01: the login form at 10.13.37.21]

We can't do much from here; the only thing we notice is that the password is accepted only once it is 16 characters long. Anything shorter gets a "password is too short" message.

So the manager has a secret, and guest is always welcome. Entering the username guest without any password didn't work either because, as we said earlier, the password must be at least 16 characters long. Time to launch nmap:

mrt:~/d-ctf/network-100$ nmap 10.13.37.21

Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-19 16:40 EDT
Nmap scan report for 10.13.37.21
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds

Port 22 is open, we can try and ssh into the manager's box. Since the description mentioned that guest is always welcome, let's try and ssh with the user guest.

mrt:~/d-ctf/network-100$ ssh guest@10.13.37.21
guest@10.13.37.21's password:

We don't know the password; the first hunch is to try guest as the password, since that is a pretty common occurrence, and we're in.

Note: I would like to point out that I'm still unsure whether I solved this mission the proper way, because there were already a couple of files apparently made by other people trying to solve the mission.

After listing the contents of the current directory we could see a folder called toolkit, made by root. Inside that folder was a tcpdump binary. What I did was run tcpdump, then go to the login page and try to log in, and see if anything would be captured or triggered:

Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-37-generic x86_64)

* Documentation: https://help.ubuntu.com/
Last login: Sun Oct 19 20:35:04 2014 from 10.20.0.170
$ cd toolkit

$ ./tcpdump -nnvvXSs 1514 | grep pass
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
0x01c0: 6e61 6765 7226 7061 7373 3d74 6573 7469 nager&pass=testi
0x0120: 6d65 206f 7220 7061 7373 776f 7264 2e me.or.password.
0x00d0: 7226 7061 7373 3d74 6f70 7365 6372 6574 r&pass=topsecret
0x00e0: 6d61 6e61 6765 7270 6173 7377 6f72 64 managerpassword

Just after my attempt at logging in with a random login and password, I captured another login with the password: topsecretmanagerpassword
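As an added illustration (not part of the original writeup), here is a small Python script that rebuilds the raw payload bytes from `tcpdump -X` hex lines like the ones above and flags a form login travelling over plaintext HTTP, reporting the username and only the password's length rather than the secret itself. The form field names `user`/`pass`, the path `/login` and the sample request are constructed assumptions, not taken from the capture.

```python
import re
from urllib.parse import parse_qs

# One `tcpdump -X` line: "0x01c0:  6e61 6765 7226 ...  nager&pass=testi".
# Capping at 8 hex pairs stops the ASCII column from being read as hex.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s){0,7}[0-9a-f]{2,4})", re.I)
PASSWORD_KEYS = {"pass", "passwd", "password", "pwd"}
USER_KEYS = {"user", "username", "login"}

def format_x(payload: bytes) -> str:
    """Render bytes in tcpdump's -X layout; used only to build the sample below."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {hexpart:<39}  {text}")
    return "\n".join(lines)

def reassemble(dump: str) -> bytes:
    """Join the hex column of every -X line back into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def find_cleartext_credentials(payload: bytes):
    """Detect a form-encoded login in a plaintext HTTP request.
    Returns the username and password length only, so the alert itself
    does not copy the secret into logs; None if nothing is found."""
    text = payload.decode("latin-1")
    body = text.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in text else ""
    fields = parse_qs(body, keep_blank_values=True)
    pw = [k for k in fields if k.lower() in PASSWORD_KEYS]
    if not pw:
        return None
    user = [k for k in fields if k.lower() in USER_KEYS]
    return {"user": fields[user[0]][0] if user else None,
            "password_field": pw[0],
            "password_length": len(fields[pw[0]][0])}

# Constructed sample: the login POST as tcpdump -X would print it. The form
# field names "user"/"pass" and the path "/login" are assumptions.
SAMPLE_BODY = "user=manager&pass=topsecretmanagerpassword"
SAMPLE_REQUEST = ("POST /login HTTP/1.1\r\nHost: 10.13.37.21\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n{SAMPLE_BODY}").encode()
SAMPLE_DUMP = format_x(SAMPLE_REQUEST)
```

Running `find_cleartext_credentials(reassemble(SAMPLE_DUMP))` yields the username and the field name plus a 24-character password, which is exactly why credentials over plain HTTP are readable by anyone who can run tcpdump on the path.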

Going back to the page and logging in with these credentials, we are greeted with the following message:

The secret is behind 0f388689dc4728cfde0de9a1ee47c8d3. Don't tell anyone!

Looking up that MD5 online, we have the unfortunate luck to find it:

The secret is behind 0f388689dc4728cfde0de9a1ee47c8d3 : ididyourmom

Well that's cute.

We got our flag:

ididyourmom