Hackistanbul CTF Algeria Writeup
Summary
As always, I scanned the ports with nmap (with some magical nmap parameters), and the nmap result showed me that the machine had some standard Windows ports open, plus port 80 (HTTP). I opened the HTTP port in my browser and found an XMPP server index page. I visited some of the pages linked from the index and found a phpinfo page. The machine was Windows 7 Professional Edition Service Pack 1, so I thought the magical EternalBlue exploit should work. After exploiting it with EternalBlue I had the NT SYSTEM role on the Algeria machine, then I went directly to the Administrator/Desktop directory to read root.txt, but it said something like "nope, flag is not here". This was the real trick, but I had seen a question like this before, so it wasn't so hard for me to read the flag from root.txt. I could read the flag with a basic .bat script.
Starting with nmap scan

It had some Windows ports open; when I saw that the HTTP port was open I visited it in my browser. An XMPP server page welcomed me (I forgot to take a screenshot of it).
Browsing on the XMPP page
While I was browsing the XMPP page I saw the phpinfo page. This page said that the Algeria machine was Windows 7 Professional Edition Service Pack 1. Every time I see the Windows 7 operating system, I start thinking about the EternalBlue exploit.

After that I ran msfconsole and used the exploit/windows/smb/ms17_010_eternalblue[1] module against the Algeria machine.
B00M: "meterpreter session 1 opened".
And I had the NT SYSTEM role because of EternalBlue.
Searching for root.txt

I found root.txt in the Administrator's Desktop folder, but it said "The problem is not the root, it's the branches!".
After this message I executed the dir /R command (which also lists NTFS alternate data streams) to see if any detail was hiding there.

Ta daa, I saw the branches mentioned in the root.txt file, and there were about 800 branches.
Capturing the FLAG
I've seen this kind of question before, therefore I executed the more <root.txt:Branch_99[2] command to check if it was working, and it worked.

I couldn't use that command to check every branch manually, therefore I wrote a small Windows shell script:
for /l %%x in (1, 1, 1000) do ( more <root.txt:Branch_%%x )
This script executed the more command 1000 times for me. But since I was at the terminal screen I couldn't spot the flag with my eyes, because there was almost no difference between the 1000 lines of output in my terminal.
Therefore I redirected the output of my script to a file called buldum.txt (I don't know why I named it like that). After that I downloaded the buldum.txt file to my computer and deleted the repeated text using gedit.
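The same dir /R listing is how a defender spots data hidden in alternate data streams. As an added example that is not part of the original writeup, the following Python parses a constructed dir /R listing (hypothetical sizes and stream names), maps each host file to its streams, and flags streams whose size differs from their siblings, which is a cheap first filter before reading each stream as the script above does:

```python
import re
from collections import defaultdict

# Constructed sample of `dir /R` output, modelled on the listing the writeup
# describes. Sizes and stream names are hypothetical, not the real CTF data.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\Administrator\\Desktop

09/09/2018  10:00 AM    <DIR>          .
09/09/2018  10:00 AM    <DIR>          ..
09/09/2018  10:00 AM                44 root.txt
                                    20 root.txt:Branch_1:$DATA
                                    20 root.txt:Branch_2:$DATA
                                    38 root.txt:Branch_99:$DATA
09/09/2018  10:01 AM                12 notes.txt
               2 File(s)             56 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line has no timestamp: only a size and host:stream:$DATA.
ADS_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def parse_ads(listing):
    """Return {host_file: [(stream_name, size_bytes), ...]} for every
    alternate data stream shown in a `dir /R` listing."""
    streams = defaultdict(list)
    for line in listing.splitlines():
        m = ADS_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        streams[m.group(2)].append((m.group(3), size))
    return dict(streams)


def odd_sized_streams(streams):
    """Streams whose size differs from the most common size among the
    streams of the same host file; the odd one out is worth reading first."""
    flagged = []
    for host, entries in streams.items():
        sizes = [s for _, s in entries]
        common = max(set(sizes), key=sizes.count)
        flagged += [(host, name, s) for name, s in entries if s != common]
    return flagged
```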

And the flag:

Bonus:
My EternalBlue scanner script had automatically taken a screenshot of the Algeria machine :)

References:
[1] EternalBlue exploit: https://en.wikipedia.org/wiki/EternalBlue
[2] Hide text in a text file: https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/
Originally published at calap.co on September 9, 2018.
