The first ever BSides Australia conference has finished up, and it was an absolute blast.
I had the opportunity to contribute to the BSides CTF component by coming up with the Trivia section and creating a boot2root style challenge (aptly named Mr Robot). The challenge had a few stages to complete (including a short dance on the internet), resulting in the acquisition of an Android phone hidden in the CTF room which contained the flag for 400 points.
For those that didn’t get around to finding/completing it, here’s a quick write-up.
Finding the box
At the CTF kickoff, no hints were provided about this challenge. Those who were listening on their network interface would have eventually seen a broadcast request coming from an unknown box at 192.168.2.29:
Enumeration

Attack
Using Google to research “Mr Wellick”, “EvilCorp”, etc., points us to the character Tyrell Wellick from the Mr Robot series. Makes sense. So we will assume the following:
- If account naming conventions stand true, Tyrell Wellick’s account should be ‘wellickt’; and
- His password starts with ‘ratsy’.

Generating a potential password list based on the above should be pretty easy:
Foothold
Using our newly generated password list, we can attack the SSH service…and eventually we find that his password is ‘ratsyG0d2h’. Logging in to Tyrell’s account via SSH, we see another journal entry:
Privilege Escalation
The trick here is twofold:
1. Find a writeable directory (in this case, research on the shell you already have should help you identify multiple candidates, such as the directories ‘s3cr3t’ and ‘admin’)…
2. Create an article on the intranet to allow the SELECT injection to differentiate between empty and populated results when attacking search.php.
Now when we run --os-shell and choose a custom directory (/var/www/html/s3cr3t/) we get our os-shell:
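Seen from the defending side, this step depends on a directory under the web root that a service account can write to. The following is an added example, not part of the original write-up: it audits a document root for such directories. The function names, the audited uid and the sample directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Write + search bits are both needed to create a file inside a directory.
OWNER = stat.S_IWUSR | stat.S_IXUSR
GROUP = stat.S_IWGRP | stat.S_IXGRP
OTHER = stat.S_IWOTH | stat.S_IXOTH


def writable_dirs(docroot, uid, gids=frozenset()):
    """Return directories under docroot (relative paths) in which the account
    identified by uid/gids could create files, judged from mode bits only.
    ACLs and permissions on parent directories are not evaluated."""
    findings = []
    for path, _dirs, _files in os.walk(docroot):
        st = os.lstat(path)
        if st.st_uid == uid:
            need = OWNER          # account owns the directory
        elif st.st_gid in gids:
            need = GROUP          # account is in the directory's group
        else:
            need = OTHER          # falls through to the "other" bits
        if (st.st_mode & need) == need:
            findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def demo():
    """Build a constructed web root and audit it for a hypothetical account."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "html")
        layout = {"": 0o755, "css": 0o755, "s3cr3t": 0o777, "admin": 0o777}
        for name, mode in layout.items():
            full = os.path.join(docroot, name)
            os.makedirs(full, exist_ok=True)
            os.chmod(full, mode)  # chmod explicitly so the umask cannot interfere
        # Hypothetical service account: a uid that owns nothing in the tree.
        service_uid = os.getuid() + 1
        return writable_dirs(docroot, service_uid)


if __name__ == "__main__":
    for d in demo():
        print("writable by service account:", d)
```

On a real host, pass the uid and group ids of the web server and database accounts and the actual document root; any directory it reports should either lose the write bit or sit outside the served tree.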
On The Internet
Ok, so it’s time to actually send a real email to this address, ensuring the subject line simply has ‘t0tallyEVILman’ in it. Soon after sending, we receive a reply:
Locating Tyrell’s Mobile
Not a difficult challenge, but certainly not something that can be punched out in half an hour. 4 teams submitted the correct flag in the last 5 hours of the competition. It was fun to create this little challenge, and I hope that those who found the box had a bit of fun with it as well.
sw1tch