Hackistanbul CTF Algeria Writeup

Summary

As always, I scanned the ports with nmap using some magical nmap parameters, and the result showed that the machine had some standard Windows ports open plus port 80 (HTTP). I opened the HTTP port in my browser and it showed an XMPP server index page. I visited some of the pages linked from the index and found a phpinfo page. The machine was Windows 7 Professional Edition Service Pack 1, so I thought the magical EternalBlue exploit should work. After exploiting it with EternalBlue I had NT SYSTEM on the Algeria machine, so I went straight to the Administrator/Desktop directory to read root.txt, but it said something like “nope, flag not here”. This was the real trick, but I had seen a question like this before, so it wasn’t that hard for me to read the flag from root.txt. I could read the flag with a basic .bat script.

Starting with nmap scan

(Screenshot from my team member miador)

It had some Windows ports open; when I saw that the HTTP port was open, I visited it in my browser. An XMPP server page welcomed me (I forgot to take a screenshot of it).

Browsing on the XMPP page

While I was browsing the XMPP page I saw the phpinfo page. This page said that the Algeria machine was Windows 7 Professional Edition Service Pack 1. Every time I see the Windows 7 operating system, I start thinking about the EternalBlue exploit.

Algeria PHPinfo

Continuing with metasploit framework

After that I ran msfconsole and used the exploit/windows/smb/ms17_010_eternalblue module [1] against the Algeria machine.

B00M: “meterpreter session 1 opened”

And I had NT SYSTEM privileges thanks to EternalBlue.

Searching for root.txt

searching-for-root

I found root.txt in the Administrator’s Desktop folder, but it said “The problem is not the root, it’s the branches!”.

After this message I ran the dir /R command (which also lists NTFS alternate data streams) to see whether any extra detail was there.

algeria-flag-branches

Ta daa, I saw the branches mentioned in root.txt, and there were about 800 of them.

Capturing the FLAG

I’ve seen this kind of question before, so I ran the more <root.txt:Branch_99 command [2] to see whether it worked, and it did.

capturing-the-flag

I couldn’t check every branch by hand with that command, so I wrote a small Windows batch script.

rem root.txt keeps its text in alternate data streams named Branch_1, Branch_2, ... (listed by dir /R).
rem Each loop iteration prints one stream by redirecting root.txt:Branch_N into more.
rem %%x is the batch-file form of the loop variable; at an interactive prompt use %x instead.
for /l %%x in (1, 1, 1000) do (
    more <root.txt:Branch_%%x
)

This script ran the more command 1000 times for me. But since I was looking at the terminal, I couldn’t spot the flag by eye, because there was almost no difference between the 1000 lines of output in my terminal.

Therefore I redirected the output of my script to a file called buldum.txt (I don’t know why I named it like that). After that I downloaded buldum.txt to my computer and deleted the repeated text using gedit.
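The same loop-and-filter procedure in PowerShell, added here as an example and not part of the original writeup: it assumes root.txt is in the current directory, uses Get-Item -Stream to list the alternate data streams instead of dir /R, reads each one with Get-Content -Stream, and keeps only the streams whose content appears once, which replaces the manual deduplication in gedit. It does not depend on the Branch_N naming, so it also works when the stream names are not sequential.

```powershell
# Added example (not from the original writeup): enumerate every alternate
# data stream (ADS) on root.txt, read each one, and print the streams whose
# content is unique among them. Assumes root.txt is in the current directory.
param(
    [string]$Path = '.\root.txt'
)

# Get-Item -Stream * returns the unnamed ':$DATA' stream plus every named
# ADS, the same list that "dir /R" showed in the writeup.
$streams = Get-Item -Path $Path -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' }

Write-Host ("{0} alternate data stream(s) found on {1}" -f $streams.Count, $Path)

# Read each stream; this is the PowerShell equivalent of
# "more <root.txt:Branch_N" in the batch loop.
$contents = foreach ($s in $streams) {
    [pscustomobject]@{
        Stream  = $s.Stream
        Length  = $s.Length
        Content = (Get-Content -Path $Path -Stream $s.Stream -Raw)
    }
}

# Group by content: the decoy text repeats hundreds of times, so anything
# interesting sits in a group of size 1.
$odd = $contents |
    Group-Object -Property Content |
    Where-Object { $_.Count -eq 1 } |
    ForEach-Object { $_.Group }

foreach ($o in $odd) {
    Write-Host ("[{0}] ({1} bytes): {2}" -f $o.Stream, $o.Length, $o.Content.Trim())
}
```

Run it from the folder that holds root.txt, or pass -Path; an empty result means every stream carries identical text and the hiding place is elsewhere.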

captured-the-flag

And the flag:

algeria-flag

Bonus:

My eternalblue-scanner script had automatically taken a screenshot of the Algeria machine :)
eternalblue-scanner

References:

  1. EternalBlue exploit, Wikipedia
  2. Hide text in a text file, howtogeek