Hackistanbul CTF Algeria Writeup

Mustafa Çalap
Sep 9, 2018 · 4 min read

Summary

As always, I started with an nmap scan (using a few of my usual nmap parameters); the result showed that the machine had some standard Windows ports open plus port 80 (HTTP). I opened the HTTP port in my browser and found an XMPP server index page. I visited a few pages from the index and found a phpinfo page. The machine was Windows 7 Professional Edition Service Pack 1, so I thought the magical eternalblue exploit should work. After exploiting it with eternalblue I had NT SYSTEM privileges on the Algeria machine, so I went straight to the Administrator/Desktop directory to read root.txt, but it said something like “nope, the flag is not here”. That was the real trick, but I had seen a question like this before, so reading the flag out of root.txt wasn’t hard for me. I could read the flag with a basic .bat script.

Starting with nmap scan

(Screenshot from my team member miador)

It had some Windows ports open; when I saw that the HTTP port was open, I visited it in my browser. An XMPP server page welcomed me (I forgot to take a screenshot of it).

Browsing on the XMPP page

While I was browsing the XMPP page I came across the phpinfo page. It told me that the Algeria machine was running Windows 7 Professional Edition Service Pack 1. Every time I see Windows 7, I start thinking about the eternalblue exploit.

After that I started msfconsole and used the exploit/windows/smb/ms17_010_eternalblue[1] module against the Algeria machine.

B00M: “meterpreter session 1 opened”

And I had NT SYSTEM privileges thanks to eternalblue.

Searching for root.txt

I found root.txt in the Administrator’s Desktop folder, but it only said “The problem is not the root, it’s the branches!”.

After this message I ran the dir /R command to see whether any detail was hiding there (the /R switch lists NTFS alternate data streams).

Ta daa! I saw the branches mentioned in root.txt: the file had about 800 alternate data streams named Branch_N.

Capturing the FLAG

I had seen this kind of question before, so I ran more <root.txt:Branch_99[2] to check whether it worked, and it did.

I couldn’t check every branch by hand with that command, so I wrote a small Windows batch script.

rem loop over Branch_1 ... Branch_1000 and print each alternate data stream of root.txt
for /l %%x in (1, 1, 1000) do ( more <root.txt:Branch_%%x )

This script ran the more command 1000 times for me. But since I was looking at the terminal I couldn’t spot the flag by eye: the 1000 output lines were almost identical.

Therefore I redirected the output of my script to a file called buldum.txt (I don’t know why I named it that). Then I downloaded buldum.txt to my computer and deleted the repeated text with gedit, leaving only the line that differed.
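The same stream enumeration can be done without the manual diffing step. The following PowerShell script is an added example (not the writeup’s own script); it assumes PowerShell 3.0 or later on an NTFS volume, builds a constructed root.txt with Branch_N streams that mirror the challenge, and then lists every alternate data stream and reports which ones carry content that differs from the rest.

```powershell
# Added example, not from the original writeup. Enumerate every NTFS alternate
# data stream on a file and flag the streams whose content differs from the majority.
# Assumes PowerShell 3.0+ on an NTFS volume. The sample file, stream names and
# the placeholder flag below are constructed to mirror the writeup's root.txt:Branch_N.
param([string]$Path = ".\root.txt")

# --- constructed sample data: 50 near-identical branches, one odd one out ---
if (-not (Test-Path $Path)) {
    Set-Content -Path $Path -Value "The problem is not the root, it's the branches!"
    1..50 | ForEach-Object {
        $text = if ($_ -eq 37) { "FLAG{placeholder-not-the-real-flag}" } else { "nope, nothing here" }
        Set-Content -Path $Path -Stream "Branch_$_" -Value $text
    }
}

# Enumerate all streams; ':$DATA' is the primary (unnamed) stream, so skip it.
$streams = Get-Item -Path $Path -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
Write-Host ("{0} alternate data stream(s) found on {1}" -f $streams.Count, $Path)

# Read every stream and keep the stream name next to its content so output stays attributable.
$contents = foreach ($s in $streams) {
    [pscustomobject]@{
        Stream  = $s.Stream
        Content = (Get-Content -Path $Path -Stream $s.Stream -Raw).TrimEnd()
    }
}

# Group by content: the bulk of the streams share one filler string;
# anything that appears only once deserves a human look.
$contents | Group-Object Content | Sort-Object Count | ForEach-Object {
    "{0,4} stream(s): {1}" -f $_.Count, $_.Name
}
"--- streams with unique content ---"
$contents | Group-Object Content | Where-Object Count -eq 1 |
    ForEach-Object { $_.Group } | Format-Table Stream, Content -AutoSize
```

Run it against a real file with `.\Find-OddStream.ps1 -Path C:\path\to\root.txt`; the grouping step is also a quick way to audit unexpected alternate data streams on any NTFS file.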

And the flag:

Bonus:
My eternalblue-scanner script had automatically taken a screenshot of the Algeria machine :)

Reference:

  1. Eternalblue Exploit https://en.wikipedia.org/wiki/EternalBlue
  2. Hide text in a text https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/

Originally published at calap.co on September 9, 2018.
