InfoSec Blog - Our Capture the Flag Experience - Part 1

November 25, 2019

Disclaimer: This article describes hacking for education purposes against a server which invites it. Unauthorized hacking against any server or service is a breach of the University of Guelph Acceptable Use Policy.
 

Over the last week Hanna Guan (Cyber Security Analyst III) and I challenged ourselves with the aview2Akill Capture The Flag (CTF) by creosote. For more information on CTF you can refer to this post by Hanna which can be found here - https://www.uoguelph.ca/ccs/infosec/ctf. This is the first part of a 2-part series where we will go over our experiences with the Box and point out lessons that you can learn from the vulnerabilities that we found.

 

 

The first thing we did is scan the network for our target machine, once we found it, we noticed that there were a few webpages open on port 80.

With this information we were able to snoop around the website and start our reconnaissance. While exploring we found some vital information about this organization and its structure. The things we found included default passwords, hidden web pages, offer of employment letters and detail information on the products this company sells.

One piece of information that was of interest for us was a letter addressed to a new employee named Chuck. In this letter we can see that the password is not explicitly typed out, but it is described. The sender may have thought they were being safe but from other files we found on the site we good put together Chuck’s password. With Chucks credentials in hand we decided to head straight to their HR system, and we were excited to find that these credentials worked! Only to be disappointed after a few minutes when we found out that Chuck has very little permissions in the HR system.

This minor roadblock was not going to stop us, we took to the internet to find out if this HRMS (Human Resources Management System) was vulnerable to anything. Only after a couple of minutes of researching we found that we could create a user with elevated permissions by tricking an HR person into running a program for us (depicted above). This process was accomplished easily through XSS (Cross-Site Scripting) for more information on this type of vulnerability you can look here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).

Key lessons learned from our experience:

  • Never save passwords or password descriptions in unprotected areas
  • Lock down web-pages and files that you don’t want people to see
  • Never click on links that you don’t know about or recognize
  • Make sure all your devices and programs are always up to date

I am sure your sitting on the edge of your seat to know what happened next. You are probably wondering “Were they ever able to catch the flag?”. I’d love to tell you, but you will have to wait until the next post in our 2-part series on our experience with aview2Akill.

 

Written by: Joao Bernardo (Cyber Security Analyst, Information Security) with credits to creosote and @roelvb79 on Twitter