Discussion?
The entire final involves just one desktop system, accessible via the iink in the description for 261’s RTB Final challenge. All portions of the final are either on that machine or attached to it (reachable via a web browser or a ssh client, as noted below). All portions of the final are to be performed from the command line (i.e., in a terminal window on the desk machine).
The wifi portions of the lab involve the WLAN interface attached to your desktop. If you become stuck, please review the worksheet for Lab 12. To minimize confusion, the wireless network SSIDs have been renamed but have retained the “open”, “wep”, and “wpa” parts.
The crypto portion of the lab involves a file (crypto.aes), which is located in the /root/Desktop/Labs folder. If you become stuck, please review the worksheet for Lab 13.
Finally, the distcc portion of the lab uses the new version of Metasploit. Use care when performing the set up (section below). The target is in the 192.168.10.x IP range. You’ll need to:
find the target
exploit the target to acquire access
find the “valuable” file
determine various credentials
use those credentials to access the target (using SSH)
find the flag
If you become stuck, please review the worksheet for Lab 4.
In most cases (but not on the distcc target), root’s password is toor.
As always, if any part of the architecture is not working, contact joatd via the TC4 Discord server.
IMPORTANT: Since the final uses a different machine, your wifi interface may have a different number associated with it.
IMPORTANT: If you need a dictionary, the rockyou.txt file is located in /tmp/wordlists.
261-1.1 Open wifi?
1) Join the open wi-fi network.
2) Find the hidden machine.
3) Find the port listening on the hidden machine.
4) Use lynx or Firefox to connect to the port listening on the hidden machine to acquire the flag. Hint: not the SSH port. Hint: the file’s name is flag.txt so you must point a browser at the IP, port and filename.
261-1.2 WEP wifi?
1) Crack the WEP-protected wifi network and join it.
2) Find the hidden machine.
3) Find the port listening on the hidden machine.
4) Use lynx or Firefox to connect to the port listening on the hidden machine to acquire the flag. Again, not the SSH port. Hint: see hint for open network.
Note: For the WEP challenge, the student machines are in the .100 to .200 range. .253 is part of the lab (don’t try to connect to it). The target machine will use an IP address other than those.
261-1.3 WPA2 wifi?
1) Brute force the WPA2-protected wifi network (wpa-net) and join it.
2) Find the hidden machine.
3) Find the port listening on the hidden machine.
4) Use lynx or firefox to connect to the port listening on the hidden machine to acquire the flag. Again, not the SSH port. Hint: same as above.
261-2 Decrypt this file?
1) To acquire the flag, decrypt the file “crypto.aes” which can be found on your desk machine’s desktop.
261-3 Distcc and John?
1) Perform the following for setup.
1a) As root, run -/etc/init.d/postgresql restart-
1b) As root, run -apt-get install -y john-
1c) As root, run -cp /root/Desktop/Labs/password.lst /usr/share/john/-
1d) As root, run -su - msf-
1e) As msf, run -msfdb init-
1f) As msf, run -sudo msfconsole-
If/when it asks for a password for the msf account, the password is -msf-.
The above is required because the new version of metasploit is being used and it is designed to not run from the root account.
2) Find the hidden machine on the network. The target will be located somwhere in the 192.168.10.100 to .200 range. It will NOT be one of the following:
- 192.168.10.1 - this is an interface on your GUI desktop
- 192.168.21.x - this is one of the wifi networks
- 192.168.22.x - this is one of the wifi networks
- 192.168.23.x - this is one of the wifi networks
- 192.168.24.x - this is one of the wifi networks
3) Gain access to the machine detected above (not via SSH).
4) Acquire the “interesting file” from a user’s home directory. Note: it will likely download into the /home/msf folder.
5) Crack the authentication using that “interesting file”.
6) Use the credentials to connect to the target machine (via SSH) and su to root.
7) Acquire the flag from root’s home directory.
As always, if something doesn’t appear to be working correctly (i.e., something is broken).
Troubleshooting?
1) The newer version of Metasploit, in our environment, doesn’t intercept Ctrl-z properly. Instead, it backgrounds the entire MSF process instead (i.e., returns you to the msf@desk prompt).
You can bring the MSF process back by running: fg
2) Once you’ve found the “valuable” file, make note of its full path.
3) Then run “exit” a few times, until you see the “meterpreter ” prompt.
4) Then run your download command. Example (adjust to suit your needs):
download /home/distcc/WhateverTheFilenameIS
This will download the file to whatever folder you were in when you started msfconsole.
5) You can then exit msfconsole altogether and process your newly downloaded file.