Salaheldin

March 14, 2019

Stall Mucking Report Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Wunorse Openslae is on the 1st floor: go right, enter the room and continue forward to find him.

Hi, I’m Wunorse Openslae

What was that password?

Golly, passwords may be the end of all of us. Good guys can’t remember them, and bad guys can guess them!

I’ve got to upload my chore report to my manager’s inbox, but I can’t remember my password.

Still, with all the automated tasks we use, I’ll bet there’s a way to find it in memory.

Plaintext Credentials in Commands > Keeping Command Line Passwords Out of PS

https://blog.rackspace.com/passwords-on-the-command-line-visible-to-ps


1- First, use the ls command to list directories and files:

2- Take a look at the content of report.txt for any leads:

3- Use the ps command, as suggested in the hint, to display usernames and passwords passed on the command line of running processes. Write the command as follows:

ps Twww

Here T selects all processes on this terminal, and w produces wide output; repeating it (ww or more) makes the output width unlimited, so the full command line of each process is shown.

4- An interesting command related to Samba:

/bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload

So the username is report-upload, the password is directreindeerflatterystable, and the share folder is //localhost/report-upload/.

You can find more about smbclient here: https://www.computerhope.com/unix/smbclien.htm

5- Now upload the report, using smbclient to access the share folder:

smbclient //localhost/report-upload/ -U report-upload directreindeerflatterystable

Then upload the file report.txt:

put report.txt
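
A defender's view of the same problem, as an added example that is not part of the original writeup: a Python audit that flags credential-looking arguments in process command lines, including the smbclient positional password seen in step 4, and reports them by position only. The option-name list, the partial set of value-taking smbclient options and the shortened sample argv are assumptions constructed for illustration.

```python
import glob
import re

# Option names whose value is normally a secret (assumed starter list, extend as needed).
SECRET_OPT = re.compile(r"^--?(password|passwd|token|secret|api[-_]?key)(=.+)?$", re.I)
SMB_SERVICE = re.compile(r"^//[^/]+/[^/]+/?$")                  # //server/share
SMB_TAKES_VALUE = {"-U", "-A", "-c", "-W", "-I", "-p", "-D"}    # partial list

def exposed_secrets(argv):
    """Return sorted (index, reason) pairs for argv items that look like credentials."""
    hits = set()
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        m = SECRET_OPT.match(arg)
        if m and (m.group(2) or nxt is not None):
            hits.add((i if m.group(2) else i + 1, "secret option value"))
        elif arg == "-U" and nxt and "%" in nxt:
            hits.add((i + 1, "smbclient user%password"))
        elif SMB_SERVICE.match(arg):
            # smbclient reads the first bare word after the service as the password.
            j = i + 1
            while j < len(argv):
                if argv[j] in SMB_TAKES_VALUE:
                    j += 2                      # skip the option and its value
                elif argv[j].startswith("-"):
                    j += 1                      # skip a flag without a value
                else:
                    hits.add((j, "smbclient positional password"))
                    break
    return sorted(hits)

def scan_proc():
    """Audit every readable /proc/<pid>/cmdline; secrets are reported by position only."""
    report = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                argv = fh.read().decode(errors="replace").rstrip("\0").split("\0")
        except OSError:                         # process exited or access denied
            continue
        hits = exposed_secrets(argv)
        if hits:
            report[int(path.split("/")[2])] = (argv[0], hits)
    return report

# Constructed sample: the wrapper command line from step 4, shortened and split into argv.
SAMPLE = ("/bin/bash /home/manager/samba-wrapper.sh --verbosity=none --suppress "
          "//localhost/report-upload/ directreindeerflatterystable -U report-upload").split()
```

An invocation that reads the password from a file with smbclient's -A (authentication file) option produces no findings, because the secret never appears in the argument list.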


Thank goodness for command line passwords - and thanks for your help!

Speaking of good ways to find credentials, have you heard of Trufflehog?

It’s a cool way to dig through repositories for passwords, RSA keys, and more.

I mean, no one EVER uploads sensitive credentials to public repositories, right? But if they did, this would be a great tool for finding them.

But hey, listen to me ramble. If you’re interested in Trufflehog, you should check out Brian Hostetler’s talk!

Have you tried the entropy=True option when running Trufflehog? It is amazing how much deeper it will dig!

Oh my! Santa’s castle… it’s under siege!

We’re trapped inside and can’t leave.

The toy soldiers are blocking all of the exits!

We are all prisoners!

Trufflehog Tool:

https://github.com/dxa4481/truffleHog

Trufflehog Talk:

Brian Hostetler is giving a great Trufflehog talk upstairs