Sprinkle

Here’s a quick demo of something I jammed together over the weekend for my Dad. More info to come, along with additional pictures, circuitry and some proper screenshots.

Basically, it’s an iOS app that controls solenoid valves via a Raspberry Pi over a JSON-RPC interface.

CySCA 2015 - Corporate Pentest 3.0 - Flash Flood

We are now connected to the company’s proxy. We are given the hint early on that:

“Consider that the ECWI system is secure and does not allow direct traffic from the DMZ to the internal network. Additionally, it does not allow direct connections on arbitrary ports from the internal network to the DMZ.”

We perform some network connection analysis using ifconfig, route, arp and netstat, and additionally look at the squid access log.

Continue reading →

CySCA 2015 - Corporate Pentest 2.0 - Murphy’s Law

From Sales Pitch we discover the server has some internally bound services, most notably telnet (port 23). These are listed on the internal management page, but the service is only accessible from inside the network.

Fortunately, telnet is a text-based protocol, so we can simply tunnel to it with an HTTP CONNECT request through the proxy.

$> telnet 172.16.5.30 3128
CONNECT 10.10.5.30:23 HTTP/1.0

Continue reading →

CySCA 2015 - Corporate Pentest 1.1 - Explain This Sales Pitch

Task: Explain the misconfiguration of the squid proxy

N.B.: this could only be answered once the flag for Murphy’s Law was captured, since there was no easy way to cat /etc/squid3/squid.conf otherwise.

This is due to a misconfiguration in the proxy configuration file:

$> cat /etc/squid3/squid.conf

Continue reading →

CySCA 2015 - Corporate Pentest 1.0 - Sales Pitch

Task: Connect to the management panel of the proxy server

The proxy is misconfigured, allowing anyone external to use it to reach internal infrastructure.

We take advantage of this by setting our HTTP proxy to it; however, we still don’t know the box’s internal IP.

We try 127.0.0.1 via the proxy, with no luck. On inspecting the “Frontend” page we realise it has INT: x.x.x.x EXT: x.x.x.x in the <title></title> HTML tag.

We load up the INT: x.x.x.x address via the proxy and the flag is revealed.