On Monday 25 March a Capture the Flag (CTF) competition took place at Royal Holloway as part of the Security Testing course. Because of the Spring break, participation was limited to 10 people, but anyone interested was free to take part remotely. Fortunately, we were able to form three teams of four people each, sharing the laboratory space. Two of my teammates were going to participate remotely, which at first we thought would be a drawback.
First, the professor described the rules and restrictions of the game as well as the points system that would be used.
Each team owned a BackTrack machine and a Server machine. The Server was a modified Metasploitable, which was easy to recognise from some known vulnerable applications such as TikiWiki. Moreover, we had to choose a secret phrase and a big secret phrase (the flags), which the operator of the event placed somewhere in our systems. The teams were allowed to attack each other in order to gain access to the opponents' servers using any appropriate means, but there were some restrictions on defensive techniques: no denial of service and no system reboots were allowed.
As for the points system, we earned:
- 1 point for each leaked password
- 3 points for each secret phrase
- 5 points for each big secret phrase
In addition, the corresponding points were deducted from the team whose passwords, secret phrase or big secret phrase were revealed.
Obviously, the aim of the CTF was to collect the highest number of points! To achieve this we planned to attack as soon as possible while strengthening our defence at the same time. In the rest of the post I'm going to describe the efforts of our team.
Before the CTF event, we had expected to be given enough time to prepare our Server and reduce its vulnerabilities (exploitable applications and misconfigurations). That assumption turned out to be wrong, and we had to attack and defend simultaneously. First of all, we listed the running processes on our machine in order to identify the vulnerable ones and fix them. At the same time, we scanned the network for the opponents' machines, trying to determine the versions of the running applications so we could search for available exploits.
Each Server had a number of users (e.g. ftp, service) and there was also a special user (ours was 'daisy') with a probably weak password, vulnerable to a brute-force attack. Our first priority was to change these passwords to stronger ones. The first attack was performed against the vsftpd (Very Secure FTPD) application using an exploit from Metasploit (vsftpd_234_backdoor), which returned a shell with root privileges. Then it was easy to retrieve the secrets and big secrets of the other teams, gaining our first points and taking the lead on the scoreboard.
In the meantime, we were looking for a configuration option that would close the same hole on our machine, so that the exploit could not be used against us.
Unfortunately, the Servers allowed rlogin connections for any user (even root) without a password. By the time we fixed this issue (by removing the .rhosts file from the users' home folders so that a password is asked for), our system had already been compromised (the netstat list of TCP connections was on fire!). From then on, each team was able to acquire each other's secrets, so after an hour and a half we were all even.
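Two checks a defender would want for exactly the situation described above, as an added example that is not code from the original post: an audit of the rlogin/rsh trust files (.rhosts and hosts.equiv, flagging wildcard "+" entries) and a triage of `netstat -tn` output that reports established connections to the services abused during the game (ftp on 21, rlogin/rsh on 512-514, IRC on 6667) from any peer other than your own machine. The directory layout, the netstat sample and the address 10.0.0.10 for the team's own BackTrack box are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes home directories
# below the roots given as arguments (the demo uses a constructed tree plus
# /home and /root) and netstat output in "netstat -tn" IPv4 format.

# audit_rhosts ROOT...: list every .rhosts and hosts.equiv below each ROOT and
# flag the lines that trust everybody with a "+" (hostname or username wildcard).
audit_rhosts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -maxdepth 3 \( -name .rhosts -o -name hosts.equiv \) -print 2>/dev/null |
        while IFS= read -r f; do
            printf 'trust file: %s\n' "$f"
            # "+ +", "+ user" or "host +": any bare "+" field is a wildcard.
            grep -n -E '(^|[[:space:]])\+([[:space:]]|$)' "$f" 2>/dev/null |
                sed 's/^/  wildcard entry at line /'
        done
    done
}

# sample_netstat: constructed "netstat -tn" output standing in for the live
# command output; not a real capture from the event.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:21             10.0.0.77:52311         ESTABLISHED
tcp        0      0 10.0.0.5:513            10.0.0.88:1022          ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.10:40112         ESTABLISHED
tcp        0      0 10.0.0.5:6667           10.0.0.77:52390         ESTABLISHED
tcp        0      0 10.0.0.5:513            10.0.0.10:1021          TIME_WAIT
EOF
}

# triage_netstat ALLOWED_HOST [FILE]: print ESTABLISHED connections to the
# watched local ports (ftp 21, rlogin/rsh 512-514, irc 6667) from any peer
# other than ALLOWED_HOST (your own BackTrack box). Reads FILE, or stdin
# when FILE is omitted. Local/foreign columns are parsed as IPv4 "addr:port".
triage_netstat() {
    allow=$1; file=$2
    awk -v allow="$allow" '
        BEGIN { watch["21"]=1; watch["512"]=1; watch["513"]=1; watch["514"]=1; watch["6667"]=1 }
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($4, l, ":"); lport = l[n]                       # local port
            m = split($5, r, ":")
            rhost = substr($5, 1, length($5) - length(r[m]) - 1)      # peer address
            if ((lport in watch) && rhost != allow)
                printf "suspect: %s -> local port %s\n", rhost, lport
        }' ${file:+"$file"}
}

# Stand-alone demo: a constructed home tree with a wildcard .rhosts, the real
# /home and /root, and the sample netstat output.
demo=$(mktemp -d)
mkdir -p "$demo/daisy"
printf '+ +\n' > "$demo/daisy/.rhosts"    # constructed: trusts any host, any user
audit_rhosts "$demo" /home /root
sample_netstat | triage_netstat 10.0.0.10
rm -rf "$demo"
```

On a live box you would run `audit_rhosts /home /root` and `netstat -tn | triage_netstat <your-own-ip>` every few minutes; any "wildcard entry" line means the password check is still bypassed, and any "suspect" line is a peer already inside a service you know to be exploitable.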
One of the teams tried to block access using iptables, an incident that was reported, so they lost some points. Their action gave us the idea of modifying the other Servers' iptables by adding entries that allowed access to their systems only from our machines (BackTrack and Server)! For a while they were confused, so we had enough time to prepare our system and our next attack. Another vulnerability was found in the IRC process (running on port 6667), which was also exploitable using Metasploit (unreal_ircd_3281_backdoor), giving root access to the other teams' Servers. Although we knew about the vulnerabilities, we were not able to fix some of them (such as the IRC one).
After the break the operator of the event asked for new big secrets and placed them on our machines. Subsequently, all the systems were compromised again and the big secrets were revealed. Nevertheless, we kept looking for new weaknesses in the hope of gaining some points for the variety of our attacks. Some members of the team were trying to exploit an NFS misconfiguration that allowed shared folders to be mounted from other servers, when the professor announced that the winner would be whoever first unzipped a password-protected zip file placed in a certain location. Using hints located in the same folder, the task was to find the unique user of each Server (like 'daisy') and type their initial letters in alphabetical order. The tricky part was to use capital letters instead of lowercase!
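The iptables trick described above is easy to miss if you only eyeball `iptables -L`. The added example below (not code from the original post) compares two `iptables-save` dumps after stripping comments and packet counters, so that any rule someone else added or any policy they changed shows up as a short "added:" / "removed:" list. The two dumps and the peer addresses in them are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Compares two iptables-save
# dumps so a tampered ruleset (for instance, one that only admits a couple of
# peers and drops everything else) shows up as a list of added and removed
# lines. The sample dumps and addresses are constructed for this example.

# normalize_rules FILE: drop comment lines and [packets:bytes] counters, then
# sort with a fixed locale so that comm(1) sees the same ordering as sort(1).
normalize_rules() {
    grep -v '^#' "$1" | sed 's/ *\[[0-9]*:[0-9]*\]//' | LC_ALL=C sort
}

# rules_diff BASELINE CURRENT: print "added:   <rule>" for lines only in
# CURRENT and "removed: <rule>" for lines only in BASELINE; prints nothing
# when the two rulesets are equivalent.
rules_diff() {
    tb=$(mktemp); tc=$(mktemp)
    normalize_rules "$1" > "$tb"
    normalize_rules "$2" > "$tc"
    LC_ALL=C comm -13 "$tb" "$tc" | sed 's/^/added:   /'
    LC_ALL=C comm -23 "$tb" "$tc" | sed 's/^/removed: /'
    rm -f "$tb" "$tc"
}

# sample_baseline: constructed iptables-save dump taken when the game started.
sample_baseline() {
cat <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# sample_current: constructed dump after another team edited the rules so that
# only their two machines may reach the Server.
sample_current() {
cat <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*filter
:INPUT DROP [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.77/32 -j ACCEPT
-A INPUT -s 10.0.0.78/32 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Stand-alone demo: write both samples to temporary files and diff them.
b=$(mktemp); c=$(mktemp)
sample_baseline > "$b"
sample_current > "$c"
rules_diff "$b" "$c"
rm -f "$b" "$c"
```

In practice you take the baseline with `iptables-save > baseline.rules` the moment you get the box, rerun `rules_diff baseline.rules <(iptables-save)` (or via a temporary file in plain sh) whenever connectivity looks odd, and put the known-good set back with `iptables-restore < baseline.rules`.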
As we were the first team to unzip the file, we won the CTF!! Congratulations to my team members for our collaboration and efficiency and to our opponents for their competitiveness!! I would also like to thank our professor for organising the event.
As this was my first CTF event ever, I was eager to participate and give my best in order to win. Despite the fact that the number of teams was limited to three, the level of pressure and competition was high enough that we were able to test and extend our skills and learn which errors to avoid in the future. The ability to adapt to the current conditions and to assess the situation in a restricted amount of time before acting were among the valuable skills gained through this process. Moreover, it was important that we managed to overcome the communication difficulties we faced due to remote collaboration over Skype.
All in all, it was a great experience, which we enjoyed together with the rest of the team members as well as with our 'opponents', and I'm looking forward to more to come!!