Network King of the Hill Write-ups
As followers of my site may know, I was put in charge of creating another hacker war game for this year's Louisville Infosec. I decided to try something different: NetKotH: Network King of the Hill.
The core concept was that attackers attempt to compromise and hold a system, while other teams do the same. Once one team gets in, they try to harden up the box so other teams can't get in. Points are based on how long each team can maintain control. The token I based control of a system on was a defacement of the website on each system. Teams had to put their team name in a <team></team> tag, and my scoring software would scrape the sites once per minute and automatically generate a scoreboard website. This automated scoring makes things somewhat simpler than scoring by hand. Another thing that made NetKotH easier to run is that I just have to put up some vulnerable boxes (or VMs in our case), rather than having to come up with my own CTF (capture the flag) scenarios every time we want to run a hacker war game.
Purehate from Question-Defense and the BackTrack 4 team was kind enough to join me in the NetKotH endeavor. The idea is that we would watch the scoreboard, and switch things up if one person pulled too far ahead of the pack, and generally just put “salt in their game”. Purehate did an awesome job, especially considering I left him alone without the root/admin passwords when I had to go off and give my talk. I just forgot to give them to him, and at that point it did not seem much was happening anyway. Things got interesting while I was away it seems. :) Read the write-ups for details.
We did not get as much of a turnout for NetKotH as I had hoped, but it was a good test run for when we set it up at Hack3rcon. Purehate and I plan to polish it some in the coming weeks. Below are further details of how the event was organized, and write-ups from the participants on how they tried to “hack the system”.
If anyone wants the scoring source code I'll send it to you, but I plan to wait till I have time to clean it up for a more public
Each contestant was given the following rules:
Network King of
Adrian Crenshaw and Martin Bos are running a live hacking event on the top floor. Go to the NetKotH area to register. The winner gets an iPod Touch.
1. The teams will be given IPs to web servers with vulnerabilities to attack, their goal is to deface the front page on each. Expect there to be a Linux and a Windows box, and maybe some surprises. :) The IPs for this game are:
Versions will be switching during the game.
2. Teams try to put up their own defacement, take down other people's defacement, and lock down the box to keep other teams out. The team's name must be in the <team></team> tag when they deface the site for the scoring system to register it, but they can change the page however they like.
3. Once per minute (more or less) the scoring software will see who currently owns the site, and score it.
4. Referees will work as a blue team to occasionally step in and change things on the target IPs. Fix the defacement, patch, roll back changes, switch Operating Systems, etc., just to even the playing field and make things interesting.
1. Only penetrate the hosts at the given IPs, not the scoring box (10.0.0.99) or other contestants' boxes. XSS of a player may be ok as long as it’s not destructive. >:)
2. DoS and network routing/traffic attacks are allowed, even on the traffic coming to and from contestants and the scoring box.
3. Stay on the NetKotH network while attacking.
4. Martin and Adrian may change/add other rules at will.
You may view the current scores by surfing to 10.0.0.99.
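The scoring loop the rules describe (scrape each target once a minute, find the <team></team> tag, credit whoever currently holds the page) as an added Python example. This is not the NetKotH scoring software, whose source the post does not include; the target list, the function names and the fetch helper are placeholders chosen for the example.

```python
import re
import time
import urllib.request
from collections import defaultdict

# Placeholder target list; the real IPs were handed out on the rules sheet.
TARGETS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]

# First <team>...</team> tag on the page, case-insensitive, may span lines.
TEAM_TAG = re.compile(r"<team>\s*([^<]*?)\s*</team>", re.IGNORECASE | re.DOTALL)


def extract_team(html):
    """Return the team name the page claims, or None if there is no usable tag."""
    if not html:
        return None
    match = TEAM_TAG.search(html)
    if not match:
        return None
    return match.group(1).strip() or None


def fetch_page(ip, timeout=5):
    """Fetch http://<ip>/ and return the body, or None if the host does not answer.
    A target that is down, or whose firewall rule drops the scoring box, simply
    earns nobody a point this round."""
    try:
        with urllib.request.urlopen("http://%s/" % ip, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def score_round(pages, scores=None):
    """pages maps target IP -> page body (None if the fetch failed).
    Credits one point per target to the team named on it and returns
    (owners, scores), where owners maps target IP -> team or None."""
    if scores is None:
        scores = defaultdict(int)
    owners = {}
    for ip in TARGETS:
        team = extract_team(pages.get(ip))
        owners[ip] = team
        if team:
            scores[team] += 1
    return owners, scores


def render_scoreboard(owners, scores):
    """Plain-text scoreboard: current owner per target, then totals, highest first."""
    lines = ["%-10s %s" % (ip, owner or "-") for ip, owner in sorted(owners.items())]
    lines.append("")
    for team, points in sorted(scores.items(), key=lambda kv: -kv[1]):
        lines.append("%-20s %d" % (team, points))
    return "\n".join(lines)


if __name__ == "__main__":
    # Live loop: one scoring pass per minute, as rule 3 describes.
    totals = defaultdict(int)
    while True:
        current = {ip: fetch_page(ip) for ip in TARGETS}
        owners, totals = score_round(current, totals)
        print(render_scoreboard(owners, totals))
        time.sleep(60)
```

Two behaviours follow directly from the rules and are worth keeping in mind: a page with no tag or an empty tag, or a target the scorer cannot reach at all, credits no one for that round, so a contestant who firewalls off 10.0.0.99 along with everyone else stops scoring even though the defacement is still up; and the scorer trusts whatever answers at the target IP, so the scoring box itself is the thing a referee most needs to protect at the network layer.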
Ruben Daniel Dodge
Okay, well, I guess I will just say before I get started that Adrian did an amazing job with the setup of the CTF event. Now down to business. I came in at 8:30 AM, and Adrian had that as the start time. So I went ahead and got started discovering the computers' ports and services with nmap. I was there until almost 10:00 AM before anyone showed up, and then there were only us two, who had never competed before, so it took FOREVER for us both to really get off the ground due to our limited experience. The first box, 10.0.0.1, was a Linux box running an Apache server and OpenSSH. The Apache server version was vulnerable, but Metasploit was having some issues trying to encode the exploit; even when I ran unsetg encoder it still was trying to encode the exploit before using it. Anyways, 10.0.0.2 was originally a Windows XP SP0 box which I gained a shell to right when Adrian decided to switch up the setup on it, due to the fact that the other competitor had had a 12 minute run with it, so I was behind. He replaced the SP0 box with an SP2 or SP3 box, not really sure which, as I focused the rest of my efforts on the wildcard box, which was a Windows 98 box. We were getting a shell but no session in the box; neither me nor my competitor managed to do it, so Adrian ended up giving an easy opportunity for points: he made the Windows 98 computer share its C drive on the network. So my friend Jeff, who is my next door neighbor, was the one who found that he had shared the C drive on the network.
Jeff ended up just being a temporary team member, seeing as he was only there for about 30 mins or so. But I "defaced" the website with my team name and scored 12 points, then Adrian changed the wildcard computer to a Linux box. So me and my competitor were tied. I scanned the Linux box 10.0.0.3; it had about 5-6 different services running, and about 2, maybe 3, services could have been exploited, but I found that the Samba version was the easiest to exploit and the most reliable. I used an exploit located under multi/samba/ in Metasploit. This gave me a reverse command shell, in which I then had to run the /bin/bash command to gain a remote shell with root access. First thing I did was create 1-2 users which would be decoys; one was named "pwnme" and the other one I forgot the name of. Anyways, so I changed the root password as well in order to always keep access open to the box. The computer had OpenSSH running on it already, so I just ssh'ed to the box under the root user. "Purehate", who was one of the people moderating the competition, repeatedly killed my Metasploit exploit process, and he took the bait and deleted the created users and didn't focus on the root user. So I had a constant ssh session open to the 10.0.0.3 box. I started to gain consistent points, and then Purehate decided to switch things up: he removed all the defaced webpages, and then all of us had to go back in and re-deface the pages. One of my competitors (2 more had just registered around 1 PM) had gotten the exploit working in the 10.0.0.3 Linux box and managed to block my IP address with iptables. So I went in and changed my IP address to a static IP address so I could avoid the firewall rules he had instilled. I sshd back into the root user of the box, then used iptables to reject all other IP addresses except mine. I did make a newbie mistake and ended up blocking my own by a typo, and then no one could access the box, so Purehate had to go in and reset it.
I had rejected connections from the 10.0.0.99 box as well, which was the score box, and so I probably lost about 20 points before I realized it wasn't gaining any more points. The site was defaced; I was just not getting points for it anymore.
Then I fixed that mistake and started pulling farther ahead of my competitor. Purehate decided to pull a trick on us all, and on my end he deleted the /var/www/ folder, which was the website folder. I recreated the HTML file and went to the page, to find out it still said the site didn't exist. I found out it was in an Apache2 config: he had changed the allowed website config to a directory under /root/, so I had to change it back. When I did, I found out he had deleted the www folder, and I had to recreate it and the HTML file. Finally I was getting points again. But there was a team "uky" who no one knew who they were, but they had control of the 10.0.0.1 box, or so we thought. They had set up a server with XAMPP and then ARP poisoned the scoring box to check their IP address for the 10.0.0.1 site. This allowed them to not have to exploit the box or deface the site; all it did was make it so the scorebox would see the actual site. Everyone else would have control of the boxes and actually deface the site but not receive points for it. I tried the password on the 10.0.0.1 box I had gotten from SQL injecting the website it was hosting. I logged in as greg and found a password which was used in the 2009 CTF. It turns out the uky team had already changed it, so my easy way into the box had been eliminated, and the exploit wasn't working which was supposed to work with the Apache version it was running.
Anyways, finally it came to a close when that team had pulled ahead of me and the other competitor. I ended up with 52 points and second place. The uky team had 130. Anyways, so I learned a HUGE amount during this conference; Adrian and the other people managing the competition gave us hints here and there, and if we didn't know a command to do something they would tell us the base command so we could figure out which command to use and then how to use it by looking at the help pages. For the last 2 hours of the competition I had the 10.0.0.3 box under my control, but the uky team basically bypassed it for that last hour so I got no points. Anyways, I really enjoyed myself and will definitely compete next year; it was definitely interesting and fun to work on first hand the things everyone talks about with each other every day. Hope to see you there next year everyone!!
I participated in Adrian and Martin's “Network King of the Hill” challenge. This was my first time participating in a network related competition. Not only was it fun, but there was a lot to do and complete under ever changing circumstances. I was using my laptop running the Arch Linux OS; I recently (7 days ago) migrated to Arch Linux on my laptop from a copy of BackTrack after using Arch for servers for quite some time. Unfortunately, I hadn't had time to set up all the network/pen testing tools that I would have liked, and I didn't think about bringing a bootable BT USB stick (shame on me). I was stuck with Nmap and Metasploit and a few other tools that I grabbed from the Arch repos while I was there. Of course, this made the event much more interesting and time intensive.
The event started at 8:30 AM; I didn't make it to the event until around 9:30-10. Either my Google Maps directions were off (I swear they were) or I am slightly blind and cannot navigate. I drove around Louisville for more than an hour trying to find the place. And that's a shame because of how big Churchill Downs is; who could miss that? It turns out I was driving right around it the entire time. Doh!
Anyways, I'm done rambling, time for the event info!
Note: By the way, I like details, so that's what I'm going to try and give.
When I arrived I was escalated up to the 4th floor in the Jockey Suites where the event was taking place. I plopped down my laptop and was given a rules sheet by Adrian and told that I could start anytime. Cool. Away I go...
After I connected to the hostile network described by the Access Point ESSID, “NetKotH”, I immediately began a quick scan of the network to see what was all there: nmap -sP 10.0.0.0/24
They were only using the 4th octet for host addressing. I counted around 8 machines if I remember correctly, including the ones listed on the paper as the targets. I'm sure that some of these were laptops of the guys running the event as well. They were in the back doing who knows what. I set up static arp tables to the target boxes in case some APR was done: arp -s 10.0.0.1 FE:ED:BE:EF:00. As time progressed we had many more on the network. I then began to start looking for open ports and enumerating the services listening on those open ports, the most used 1000 by default (not the standard 1024): nmap -n -PN -sV 10.0.0.1 10.0.0.2 10.0.0.3
This yielded some good information to start with. I then immediately fired up msfconsole to hopefully get a shell with root privileges. I started with an old unpatched Windows box. It was running a vulnerable version of msrpc which uses port 135 TCP.
Note: I had forgotten a great deal of info regarding the services, the operating systems, and the exploits I ran on those services. So bear with me, if the info is incorrect, the concepts are still there. I didn't sleep the night before(lame excuse, right?), I have to stop doing that.
I executed an msrpc exploit on that box to give me a root shell:
I migrated to the explorer process by listing the processes with ps and using migrate <process id>. I did this in case someone in the back room decides to kill my initial process. I would then lose my connection and my shell of course. So I have a root shell in 10 minutes of playing, I'm doing pretty good. I open another terminal window and do a more thorough scan of the network, this time scanning all 0-65535 ports hoping for some oddity. <to be continued>
Back to meterpreter, I tell meterpreter to give me a windows (msdos) shell so I can traverse the directory structure and find the IIS directory and the default page it was serving for a http connection. Everything was installed in the default IIS directory. I do this by using shell which will give you the native
I defaced the page by: echo '<team>KeisterStash</team> > default.htm (KeisterStash is one of my handles). I had some trouble getting it to display the tags correctly; I don't use windows often. I tried the various ticks, double quotes, and single quotes until I found the one I wanted. In *nix if you use the tags in quotes like this: “<team>KeisterStash</team>”, it would display it without the quotes, which is what I want.
Unfortunately, in windows it would either remove the tags or display them in quotes depending on which delimiter you used. I could've used the vnc payload but I didn't have a vnc client installed. I also could've used meterpreter to download a file, modify it on my box, and then have meterpreter upload it back. I'm sure there are other methods as well.
Eventually, I had overwritten the file with the team tags properly, which were being scanned by the scoreboard computer. Shortly after, KeisterStash was displayed on the scoreboard. Cool.
The thorough Nmap scan seemed to be taking days to complete with those VMs. An hour later, I still didn't get any results, so I killed the scan. Tried again, still nothing, errrrr.
Oh well, scratch that. I then did another nmap scan, this time for UDP ports: nmap -sU -p- -n -PN 10.0.0.1 10.0.0.2 10.0.0.3. I wasn't having any luck completing these scans either, bummer.
I spent a great deal of time trying to exploit the other two systems; I wasn't having any luck. So, I tried a few different attack vectors, Adrian's contests rely on a wide variety of attack
I compiled nbtscan and scanned the boxes for smb shares; 10.0.0.3 had a share open. At the time, I'd never used mount -t cifs/mount.cifs to use smb shares so I avoided it. I've only used smbclient in the past (didn't have it at the moment), though I quickly changed that after I went home. I could've man'd it or downloaded smbclient, but I felt like working on something else. I started to take a look at box 1:
The 10.0.0.1 box was running a webserver and an older version of ssh, 5p1. I believe it was running an older version of Debian. I'm sure exploit-db or milw0rm would've been helpful. I took the webserver route, which was vulnerable to sql injection, because I've never messed with web app stuff. I'm severely lacking in it. This would be a good time, everything is already set up! I half way knew the basic query: ' OR 1=1. I couldn't remember what the comment character in sql was, so I went out and googled it. Next thing I know, I had admin access on the page. I racked up a few more points, I'm still in the lead.
A little more insight:
The website had a link to a web page called adminchat which had a dialogue that was deliberately put there to help us glean info on what could be done. It displayed three usernames, of which I picked one. I opened wireshark and sniffed for http traffic looking for the POST request info, to show me the data sent. It was in the form of
or something similar to that. I plucked the username 'greg' from the chat page and used the ' OR 1=1 - - to replace them in their appropriate variables in the url. Success!
Back to box three:
Box three, 10.0.0.3, was running the Metasploitable vulnerable VM that was put out a couple months ago. It has a large range of services running on it, most of which were probably vulnerable. I connected to the telnet server on the box, logging in as the default username and password of msfadmin (I've used it before) :). Once in, I added an iptables rule to block everyone from accessing this machine but me: iptables -A INPUT -s ! 10.0.0.135 -j DROP
I traversed to the Apache root document directory and defaced index.html. Racked up a few more points. I then was trying to write a shell script that tested for the presence of the index.html file and then to rewrite it with my <team>KeisterStash</team> every 5 minutes, but to my luck, as soon as I was getting ready to upload it via ncat, Martin restarted the box because people were still having trouble reaching it due to my iptables rule.
He then changed the default accounts for the box. I couldn't figure out how to get back in; I couldn't get shell by exploiting the vulnerable SAMBA server, maybe the service crashed? Or someone killed it after getting in? I don't know, but whatever happened, it sucked. I was doing good until Martin slowed my roll.
One of the guys got in immediately after the restart. Asked around for iptables help and ended up writing a similar rule to the one I had written. I couldn't reach the box, but I circumvented it easily. I thought of two things I could've quickly done; either send him a deauth frame with aireplay or set my ip address as his and see what happened. I chose the simple route of statically setting my ip address to his. I scanned the network and figured out who he was: ifconfig wlan0 10.0.0.147. He was then given a new dhcp lease and couldn't talk to the box. Hehehe.
I still couldn't get in to the box, so I was back to box 1. My new goal was to figure out how to set greg a password or create a new account via SQL injection.
Note: After I left, I had a thought that I wish had come to me during the competition. Earlier someone had mentioned they created a backdoor on box 3 (potentially the same guy who killed the SAMBA service), i.e. find that backdoor!
After trying a torrent of sql injection queries I was having no
I was getting pretty tired and decided to call it a day; I had an hour and 30 minute drive home yet. I parted ways somewhere between 2-3, I was in second when I left.
The competition was fun and enjoyable; it was nice to have an environment already set up to play with various tools, e.g. home labs take time and resources. Better yet, duking it out with some guys you've never met is always cool.
Thanks to all the others that participated too, for keeping me on my toes.
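The login bypass this write-up describes (a quote to close the username string, OR 1=1, then the SQL comment marker) works only because the page pastes the submitted username straight into SQL text. The block below is an added Python example, not the contest web app's code: a throwaway SQLite users table with constructed names and passwords, the string-built query that the bypass defeats, and the parameterized version that treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed users table for the example; greg is the admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("greg", "correct-horse", 1), ("bob", "hunter2", 0)],
    )
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the submitted text becomes part of the SQL syntax.
    Username "greg' OR 1=1 --" turns the WHERE clause into
        username = 'greg' OR 1=1 --' AND password = '...'
    so the password check is commented out and the first row wins."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Parameterized query: the values travel separately from the statement,
    so quotes and comment markers in the input can never change its structure."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "greg' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # greg
    print("hardened:  ", login_hardened(db, payload, "wrong"))     # None
    print("real login:", login_hardened(db, "greg", "correct-horse"))  # greg
```

Parameterization, not input filtering, is the fix: no quoting rule has to be remembered because the driver never merges the values into the statement text. The table stores plaintext passwords only to keep the example short; a real application stores salted hashes and compares them after fetching the row by username.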
I did everything in BackTrack with some reference and testing help from a Windows machine.
With morning talks, we didn’t really get a chance to start attacking until lunch time. Since the goal was to keep our team flag up on any of the three servers for as long as possible, it made most sense to target a machine that was not being targeted by other attackers. People often tend to ignore Linux machines or leave them for last, and the scoring site confirmed that was the case in this competition as well. Since no one had seemingly touched the Linux machine, my strategy would be to attack and hold it for as long as possible.
The web app running on the Linux machine was written in PHP and was already leaking sensitive info via public access to logs and chats. This was the chosen attack vector. I suspected the login page was subject to SQL injection (and it was). In addition, the output of the DNS page looked like nslookup, so I figured it was vulnerable to command injection (and it was as well). If possible, I always prefer to get shell access. Thus, I injected a command that set up a netcat listener to /bin/sh on a random port. Shell access was useful, but, unfortunately, www-data didn't have write permissions to /var/www.
At this point we went down a path we would eventually abandon – trying to get root access to modify the files on the webserver. Based on a sudo history file in greg's home directory, it seemed like greg probably had sudo access. Greg also had a PII TrueCrypt file in his home directory; thinking that may have clues to his password, I pulled that down (again, using netcat). There was a script in /var/www that was used to rebuild the DB that I had seen when we first got shell access; it contained the password for the TrueCrypt file. But the TrueCrypt file contained a password protected 7zip file. Looking around the filesystem for clues to the 7zip password led us nowhere, so we decided to take another approach.
My exploration of the filesystem had given us the root password to the MySQL database that housed the account info for the webapp. Since we couldn’t change the www files, perhaps we could utilize the existing web app functionality to pull a string from the MySQL DB and put it on the main page. I looked at header.php and saw the username of the logged in user was displayed on the home page. So, we set up a quick netcat relay to the mysql port and utilized the mysql client in BackTrack to add a user with cid 0 and our team name (this meant anyone who had not logged in before would be logged in as our team name). Of course, anyone could hit the "reset DB" script at any time (and they did), so I set up a cron job to dump our user into the MySQL table every minute.
This quickly put us in first place, and then the server seemingly went offline. I noticed that a new server running IIS showed up in its place. We assumed the server was rogue (though we know now it was probably set up by the CTF admins), and someone had either taken down the Linux machine (not likely, since no one had seemingly touched it) or ARP poisoned the network. If someone was doing network level attacks, we needed to get a head start, so I fired up Apache and put a page up with our team name. I then configured BackTrack to respond to each of the 3 server IPs.
However, since the CTF servers were all running on the same physical machine (and thus the same virtual switch) as VMs, we could not reply to ARP requests from the scoring server quicker than the real servers. Instead, I used arpspoof to flood the scoring server with ARP replies that pointed to my rogue webserver, forcing the scoring server to check our rogue Apache server.
Fortunately, this was towards the end of the competition, and owning all three servers allowed us to quickly secure the lead we had gained by defacement of the site on the original Linux machine.
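The static ARP entries KeisterStash set with arp -s and the arpspoof flood the uky team aimed at the scoring box turn on the same question: does the scoring box accept unsolicited ARP replies? The block below is an added Python example, not the scoring software and not anything the teams ran, of the detection side for a referee or a scoring host: a monitor that checks each observed ARP reply against a pinned table (the arp -s entries), flags an IP whose MAC changes, and flags a burst of replies for one IP, which is what a reply flood looks like on the wire. The pinned MACs, the event tuples and the thresholds are constructed for the example; in a real deployment the events would come from a packet capture on the NetKotH interface.

```python
from collections import defaultdict, deque

# Placeholder pinned table, the same role as the write-up's "arp -s" entries.
# MACs are constructed for the example.
PINNED = {
    "10.0.0.1": "02:00:00:00:00:01",
    "10.0.0.2": "02:00:00:00:00:02",
    "10.0.0.3": "02:00:00:00:00:03",
}


class ArpMonitor:
    """Consumes observed ARP replies as (ts, sender_ip, sender_mac) and records
    alerts for: a reply contradicting the pinned table (mac_mismatch), an
    unpinned IP changing MAC (mac_flip), and too many replies for one IP inside
    a sliding time window (reply_flood)."""

    def __init__(self, pinned, window_s=10.0, max_replies=5):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.window_s = window_s
        self.max_replies = max_replies
        self.last_mac = {}                 # ip -> most recent MAC seen
        self.recent = defaultdict(deque)   # ip -> reply timestamps in the window
        self.alerts = []                   # (ts, ip, kind, detail)

    def _alert(self, ts, ip, kind, detail):
        self.alerts.append((ts, ip, kind, detail))
        return kind

    def observe(self, ts, ip, mac):
        """Record one ARP reply; returns the list of alert kinds it triggered."""
        mac = mac.lower()
        kinds = []
        if ip in self.pinned and mac != self.pinned[ip]:
            kinds.append(self._alert(
                ts, ip, "mac_mismatch",
                "%s claims %s, pinned %s" % (ip, mac, self.pinned[ip])))
        elif ip in self.last_mac and self.last_mac[ip] != mac:
            kinds.append(self._alert(
                ts, ip, "mac_flip",
                "%s moved from %s to %s" % (ip, self.last_mac[ip], mac)))
        self.last_mac[ip] = mac

        # Sliding window of reply timestamps for this IP.
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > self.max_replies:
            kinds.append(self._alert(
                ts, ip, "reply_flood",
                "%d replies for %s within %.0fs" % (len(window), ip, self.window_s)))
        return kinds


def run_capture(monitor, events):
    """Feed (ts, ip, mac) events through the monitor; returns all alerts raised."""
    for ts, ip, mac in events:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


# Constructed capture: two legitimate replies, then eight replies for 10.0.0.1
# in four seconds that all carry a MAC other than the pinned one.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.1", "02:00:00:00:00:01"), (30.0, "10.0.0.2", "02:00:00:00:00:02")]
    + [(60.0 + i * 0.5, "10.0.0.1", "02:00:00:00:00:99") for i in range(8)]
)

if __name__ == "__main__":
    for alert in run_capture(ArpMonitor(PINNED), SAMPLE_EVENTS):
        print("%6.1fs %-10s %-13s %s" % alert)
```

Pinning with arp -s is the prevention half and is cheap on a scoring box that only ever talks to three fixed targets; the monitor is the detection half, and it tells the referees that a flood is in progress, which the scoreboard alone cannot distinguish from a legitimate takeover of the page.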