Red Team Village CTF- Decfon dc0471x002 (write up)

DoJl1lEVAAAluDC.jpg:large

We had a great day at Defcon Trivandrum (dc0471x002) event.This writeup is about the awesome CTF conducted by Red Team Village. You can visit them here: https://www.redteamvillage.org . The event started by 11 am (if Iam not wrong) and was set to complete by 4 PM. We made a team together and joined the event.

When we enter into the CTF room there was a screen which looked like this.

42800900_1530518533715242_1910148045895368704_n.jpg

Our first task is to find the CTF registration page on the screen, register a team and start playing it.(I really liked this part) Next we were given a WiFi. At first, we thought the registration page would be in local network. So we scanned local range and got about 30 active IP. We went through one by one and started dirbusting it and searching for known exploits.Finally we ended up in doing some thing else. But still we didn’t the registration page.Then my team mate Vishnu Prasad suggested me to check on internet. So I tried to bruteforce subdomain of redteamvillage.org.It didn’t work out.Then we tried searching in HTML source code of redteamvillage.org.But none worked.Then for finding github repo of Red Team Village.I searched redteamvillage (without spaces) and my first link was from twitter.I opened it.It was the search result for “#redteamvillage”. And there was a pastebin link opening it resulted in giving out the CTF registration page. And we got a bonus flag from it.

The theme of the CTF was to own the assets of Victim Corp.

Now we registered our team and had 5 challenges to be finished.

Challenge 1:
First there were a simple challenge to decrypt some hash.It was Md5 we cracked it and got the flag.Easy points! It was given the flag is the password of the SSH server.

Challenge 2:
There was an IP given.So we scanned the IP for open ports.The port 8080 was open.When we visted it,we got redirected to Apache Tomcat login page.By seeing this I got remembered about Rahul’s post about bruteforcing Tomcat login.You can find it here: https://medium.com/bugbountywriteup/from-tomcat-to-nt-authority-system-a79fa09c4abb . Using the Metasploit module we found Tomcat credentials which was set as tomcat:tomcat. Now we got logged into the Tomcat Manager.Then we generated a Metasploit reverse shell for Tomcat (WAR) and uploaded it. Now the problem was my laptop couldn’t get reverse connection from that website. So we used the SSH password from challenge 1 and logged into that SSH server from challenge 1. Then I installed Netcat in that machine and got reverse shell.It was a Windows server so we had difficult time nagivating through it.We searched lot of directories but we couldn’t find the flag.After some time messing up.We did a string search and found the flag.

Challenge 3:
We were given a subdomain and asked to find the flag.At first instance you could find that it was running WordPress. Then we figured out its version and it was the latest one.So we decided to go with dirbuster. After 3 min we found wp-config.php.bkp was found and we downloaded it.Now we did Nmap again to check for SQL ports.But it was not open.Then we checked the dibuster and we had phpmyadmin login page found.Then using the credentials from wp-config.php.bkp we got logged into the phpmyadmin.There we checked into wp-users table and then we replaced the hashed password of the user with another hash. Then using this credentials we got logged into WordPress.Now we tried to find something inside the dashboard but we couldn’t.So we decided to shell it.And metasploit reverse shell didn’t get uploaded(some protective mechanism).So we uploaded a minishell. And checked for txt file and found the flag.Bingo!

Challeneg 4:
This challenge was about to find the scoreboard of the CTF.This challenge was to be finished through a simple OSINT.But I didn’t realise it.Still I tried it in my way. It was pretty simple we checked the js scripts connected with the site and checked it for scoreboard function.Just after a couple of search we found it.Then we just replaced the parameter of the current page https://ctf-dc0471-0x02.redteamvillage.org/index.php?p=game (parameter ‘p’) with the scoreboard function parameter. And there we got another flag.

Challenge 5:
This challenge was named as Russia. Although we couldn’t find the flag. The CTF officails said that,it was about mongodb on port 27017 and mongo express port 9038 with junk data.

In total we had a great a great day together with like minded people,awesome talks,great CTF in a perfectly organised event.

Thanks to Red Team Village and Defcon organisers for this awesome event.

One thought on “Red Team Village CTF- Decfon dc0471x002 (write up)

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: