Salaheldin

March 14, 2019

Stall Mucking Report Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Holly Evergreen is on the 1st floor: go left, enter the lobby, and continue forward until you find the elf.

Hi, I’m Holly Evergreen.

Oh that Bushy!

Sorry to vent, but that brother of mine did something strange.

The trigger to restart the Candy Striper is apparently an arcane HTTP call or 2.

I sometimes wonder if all IT folk do strange things with their home networks.



1- Recommended: watch the KringleCon talk by Chris Davis & Chris Elgee about HTTP/2:

https://www.youtube.com/watch?v=9E-8HkDs-kQ

2- First, view the nginx.conf file in /etc/nginx/ by running this command in the terminal:

cat /etc/nginx/nginx.conf


You will find that the server is configured for HTTP/2.
</grreplace_placeholder>

3- Let’s use the curl tool to get the server response. The --http2-prior-knowledge flag makes curl speak HTTP/2 directly over cleartext (h2c) instead of starting with an HTTP/1.1 Upgrade, which a plain curl request to an HTTP/2-only listener would not get past:

curl --http2-prior-knowledge http://localhost:8080/


You will find a hint in the server response:

To turn the machine on, simply POST to this URL with parameter “status=on”

4- Let’s run curl again and add the “status=on” parameter in a POST body to turn the machine on:

curl --http2-prior-knowledge -d "status=on" http://localhost:8080/

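To make the cleartext-HTTP/2 finding from step 2 repeatable, here is an added example (not part of the original writeup or the challenge) that audits an nginx config for listen directives enabling http2 without ssl. The config text is a constructed sample, since the page does not reproduce the real nginx.conf.

```python
"""Audit an nginx config for cleartext HTTP/2 (h2c) listeners.

The sample config below is constructed for this example; the real
/etc/nginx/nginx.conf from the challenge is not reproduced on the page.
"""
import re

SAMPLE_NGINX_CONF = """\
http {
    server {
        listen 8080 http2;             # cleartext h2c: should be flagged
        server_name localhost;
    }
    server {
        listen 443 ssl http2;          # TLS-protected HTTP/2: fine
        listen [::]:443 ssl http2;
    }
    server {
        listen 80;                     # plain HTTP/1.1: not HTTP/2 at all
    }
}
"""

# Matches "listen <address> [flags...];" and captures everything before ';'.
# [ \t]* (not \s*) keeps the match from spanning preceding blank lines.
LISTEN_RE = re.compile(r"^[ \t]*listen\s+([^;#]+);", re.MULTILINE)


def find_listeners(conf: str):
    """Return (address, set_of_flags) for every listen directive."""
    result = []
    for m in LISTEN_RE.finditer(conf):
        parts = m.group(1).split()
        result.append((parts[0], set(parts[1:])))
    return result


def cleartext_h2_listeners(conf: str):
    """Addresses whose listen directive enables http2 but not ssl (h2c)."""
    return [addr for addr, flags in find_listeners(conf)
            if "http2" in flags and "ssl" not in flags]


def hardened(conf: str) -> str:
    """Rewrite offending listen lines to require TLS by adding the ssl flag.
    The server block must also carry ssl_certificate/ssl_certificate_key
    directives for nginx to start; this only fixes the listen line."""
    def fix(m):
        parts = m.group(1).split()
        if "http2" in parts and "ssl" not in parts:
            parts.insert(1, "ssl")
        return m.group(0).replace(m.group(1), " ".join(parts))
    return LISTEN_RE.sub(fix, conf)
```

Running `cleartext_h2_listeners(SAMPLE_NGINX_CONF)` reports the 8080 listener, which is the same unencrypted HTTP/2 setup the writeup reaches with --http2-prior-knowledge.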



Unencrypted HTTP/2? What was he thinking? Oh well.

Have you ever used Bloodhound for testing Active Directory implementations?

It’s a merry little tool that can sniff AD and find paths to reaching privileged status on specific machines.

AD implementations can get so complicated that administrators may not even know what paths they’ve set up that attackers might exploit.

Have you seen anyone demo the tool before?