ESGISECURITYDAY - DeadEnd

description: Not bad for a skid. Well, what are you waiting for? You have his IP and his port. So go! Join M0th3r!

category: Forensic

The challenge was available at ctf.hacklab-esgi.org on port 8083. Connecting with netcat, the service asks for a host and a port. We assumed it would try to connect back to (or at least ping) whatever we entered, so I gave it my VPS IP and port 4242, with a netcat listener waiting on that port.

Connection from 24.241.180.159.in-addr.arpa.celeste.fr 51260 received!
SSH-2.0-paramiko_2.4.2

As expected we got a connect back from the challenge, and it leaked something useful: the first line the client sent is its SSH identification string, which shows that DeadEnd uses Paramiko, a Python SSH library. In other words the challenge is an SSH client that logs into the host we give it, so the obvious next step is to capture what it tries to do once logged in. For that we set up an SSH honeypot, sshesame, from https://github.com/jaksi/sshesame.
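Before moving on to the honeypot, here is the connect-back capture done without netcat, as an added example that is not part of the original write-up: a one-shot TCP listener that reads the client's identification string and a parser for it. RFC 4253 section 4.2 defines the string as "SSH-protoversion-softwareversion SP comments CR LF", with the comments part optional; the software version is exactly the field that leaked paramiko_2.4.2. The bind address, port and timeout are assumptions for the example.

```python
"""Capture and parse the SSH identification string of a client that
connects back to us. Added example, not code from the write-up."""

import re
import socket

# Grammar from RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion
# [SP comments]. The line is at most 255 bytes including the trailing CR LF.
BANNER_RE = re.compile(rb"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(line: bytes) -> dict:
    """Split one identification line into proto / software / comments.

    Raises ValueError if the line is not an SSH identification string
    (e.g. an HTTP request hitting the same listener).
    """
    line = line.rstrip(b"\r\n")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "proto": m["proto"].decode("ascii", "replace"),
        "software": m["software"].decode("ascii", "replace"),
        "comments": m["comments"].decode("ascii", "replace") if m["comments"] else None,
    }


def library_version(software: str) -> tuple:
    """Split 'paramiko_2.4.2' into ('paramiko', '2.4.2').

    Paramiko, OpenSSH and libssh all put an underscore between the product
    name and its version; when there is none, the version is reported as None.
    """
    name, sep, version = software.partition("_")
    return (name, version if sep else None)


def capture_banner(listen_port: int, timeout: float = 60.0) -> dict:
    """Listen once on listen_port (assumed 4242, the port handed to the
    challenge), accept the connect-back and parse the first line received.

    An SSH client sends its identification string immediately after the TCP
    handshake, so we never have to speak SSH ourselves.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))  # bind address is an assumption
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            raw = b""
            # Read byte by byte up to the RFC's 255-byte limit or the newline.
            while not raw.endswith(b"\n") and len(raw) < 255:
                chunk = conn.recv(1)
                if not chunk:
                    break
                raw += chunk
            info = parse_ssh_banner(raw)
            info["peer"] = "%s:%d" % peer
            return info


if __name__ == "__main__":
    print(capture_banner(4242))
```

Run it on the VPS, feed the challenge the VPS IP and 4242, and the printed dict names the peer and the client library; parse_ssh_banner is the part worth keeping, since the same line shape comes from OpenSSH, libssh and every other conforming client.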

go get -u github.com/jaksi/sshesame
snap install sshesame

We run sshesame listening on port 22 (the real sshd has to be stopped or moved first, and binding 22 needs root), point the challenge at our IP and that port, and wait for the connect back. If everything works, the honeypot accepts whatever password the client offers and logs the credentials along with every request made on the session.

INFO[0000] Listening                                     listen_address="[::]:22"
INFO[0022] Client connected                              client="159.180.241.24:10729"
INFO[0022] Password authentication accepted              client="159.180.241.24:10729" password="BiteDePouletYoloSwagLolilolé" user=SuperEvilHackerOfShit version=SSH-2.0-paramiko_2.4.2
INFO[0022] SSH connection established                    client="159.180.241.24:10729"
INFO[0022] Channel requested                             channel=session client="159.180.241.24:10729" payload="[]"                                                            
INFO[0022] Request received                              channel=session client="159.180.241.24:10729" payload="echo \"Here is the flag: ESGI{St0o0ooo0P_L00k1ngF0r_M3!}\" > /tmp/flag" request=exec

Here we see the credentials, and once authenticated the client sends an exec request that writes the flag to /tmp/flag. sshesame only logs the request instead of executing it, so nothing is written on our host and the flag is read straight from the log line.
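Pulling the credentials and the flag out of the honeypot output by hand works for one session, but a parser is worth having when the honeypot runs for a while. The following is an added example, not part of the original write-up: it parses sshesame's logrus-style lines (level, elapsed seconds, message, then key=value fields with Go-style quoting and backslash escapes), groups them per client, and extracts any ESGI{...} flag from the exec payloads. The sample log is copied from the capture above; the ESGI{...} flag pattern is an assumption based on this CTF's flag format.

```python
"""Parse sshesame log output into per-client sessions. Added example, not
code from the write-up or from the sshesame project."""

import re

# Copied from the capture in the write-up (trailing whitespace trimmed).
SAMPLE_LOG = r'''INFO[0000] Listening                                     listen_address="[::]:22"
INFO[0022] Client connected                              client="159.180.241.24:10729"
INFO[0022] Password authentication accepted              client="159.180.241.24:10729" password="BiteDePouletYoloSwagLolilolé" user=SuperEvilHackerOfShit version=SSH-2.0-paramiko_2.4.2
INFO[0022] SSH connection established                    client="159.180.241.24:10729"
INFO[0022] Channel requested                             channel=session client="159.180.241.24:10729" payload="[]"
INFO[0022] Request received                              channel=session client="159.180.241.24:10729" payload="echo \"Here is the flag: ESGI{St0o0ooo0P_L00k1ngF0r_M3!}\" > /tmp/flag" request=exec
'''

# LEVEL[seconds] message<2+ spaces>key=value key="quoted value" ...
LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\[(?P<t>\d+)\] (?P<msg>.*?)(?:\s{2,}(?P<fields>\S.*))?$")
# Quoted values may contain backslash-escaped characters, e.g. \" inside payload.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z_][\w.]*)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))')
FLAG_RE = re.compile(r"ESGI\{[^}]*\}")  # assumed flag format for this CTF

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}


def _unescape(value: str) -> str:
    """Undo Go strconv.Quote-style escapes used by logrus for quoted values."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_line(line: str):
    """Return {'level', 't', 'msg', 'fields'} for one log line, or None."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m["fields"] or ""):
        fields[fm["key"]] = _unescape(fm["quoted"]) if fm["quoted"] is not None else fm["bare"]
    return {"level": m["level"], "t": int(m["t"]), "msg": m["msg"].strip(), "fields": fields}


def summarize(log_text: str) -> dict:
    """Group the log per client address: accepted credentials, client banner
    and the list of exec commands the client tried to run."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "client" not in rec["fields"]:
            continue  # e.g. the "Listening" line has no client field
        f = rec["fields"]
        s = sessions.setdefault(f["client"], {"user": None, "password": None, "version": None, "exec": []})
        if rec["msg"] == "Password authentication accepted":
            s["user"], s["password"], s["version"] = f.get("user"), f.get("password"), f.get("version")
        elif rec["msg"] == "Request received" and f.get("request") == "exec":
            s["exec"].append(f.get("payload", ""))
    return sessions


def find_flags(sessions: dict) -> list:
    """Every distinct ESGI{...} string found in any exec payload, sorted."""
    return sorted({flag for s in sessions.values() for cmd in s["exec"] for flag in FLAG_RE.findall(cmd)})


if __name__ == "__main__":
    sessions = summarize(SAMPLE_LOG)
    for client, s in sessions.items():
        print(client, s["user"], s["password"], s["version"])
        for cmd in s["exec"]:
            print("  exec:", cmd)
    print("flags:", find_flags(sessions))
```

Feeding the real log file in place of SAMPLE_LOG (for example with `summarize(open("sshesame.log").read())`) gives the same per-client view for every bot or challenge that connects, and the payload field comes back with the inner quotes restored, so the exec command reads exactly as the client sent it.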

username = "SuperEvilHackerOfShit"
password = "BiteDePouletYoloSwagLolilolé"
flag = "ESGI{St0o0ooo0P_L00k1ngF0r_M3!}"