NoCommentLab

Cyber Security & Software Development

Ethical Hackers Italiani Contest #1

The complete Write-Up

Introduction

A few days ago, my friend Pierpaolo Palmisano tagged me in an Ethical Hacker Italiani group post. The post promoted the first group contest, created by Alessandro Vannini and Eugenio Fontana.

Contest Disclaimer

No disclaimer was provided. The only file supplied by the organisers was Contest_27Marzo.zip; it was an open contest.

Technical Write-Up

First, I extracted the zip file and found 9 files: 4 images, 2 pcap files, 2 text files and 1 file without an extension. I started the contest by analyzing the image files.

Image analysis

Typically, images can carry hidden data through 3 techniques: Exif metadata, image manipulation and steganography.

Exif, aka Exchangeable image file format, is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras. Sometimes the contest organisers insert a custom tag to hide data that is useful for completing the challenge.

To extract all Exif tags I used exiftool on Kali and found this:

which, converted from octal, is: L0n3Ha

With the Exif tag extraction complete, I looked for image manipulation. For this task I used the ELA technique. ELA, aka Error Level Analysis, is the analysis of compression artifacts in digital data that uses lossy compression such as JPEG: re-saving the image at a known quality level and comparing it with the original highlights regions whose error level differs from the rest, which usually means they were edited after the last save.

ELA showed a manipulated section in the data3.jpg image file.

which, converted from hexadecimal, is: L0n3Hack3R1!
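As an added example (not part of the original write-up), here is a small Python helper that decodes the kind of octal- and hex-encoded byte strings recovered from the Exif tag and the ELA region above, auto-detecting the base. The encoded inputs in it are constructed, since the original screenshots are not reproduced here.

```python
import re
import string
from typing import Dict, List, Optional

PRINTABLE = set(string.printable) - set("\x0b\x0c")

def split_groups(encoded: str, width: int) -> List[str]:
    """Split an encoded string into per-byte groups.

    Accepts separator-delimited groups ("114 060 156") or one contiguous
    run ("4c306e") that is cut into fixed-width slices.
    """
    tokens = re.findall(r"[0-9A-Fa-f]+", encoded)
    if len(tokens) != 1:
        return tokens
    run = tokens[0]
    return [run[i:i + width] for i in range(0, len(run), width)]

def decode_groups(encoded: str, base: int) -> Optional[str]:
    """Decode in the given base (8 or 16); None if not a printable string."""
    width = 2 if base == 16 else 3
    try:
        data = bytes(int(g, base) for g in split_groups(encoded, width))
    except ValueError:          # non-digit for this base, or value > 255
        return None
    text = data.decode("latin-1")
    if not text or any(c not in PRINTABLE for c in text):
        return None
    return text

def decode_candidates(encoded: str) -> Dict[int, str]:
    """Return every base (8 or 16) that yields a printable decoding."""
    digits = set(re.sub(r"[^0-9A-Fa-f]", "", encoded).lower())
    # any 8, 9 or a-f rules out octal; otherwise try both bases
    bases = [16] if digits & set("89abcdef") else [8, 16]
    result = {}
    for base in bases:
        text = decode_groups(encoded, base)
        if text is not None:
            result[base] = text
    return result

# Constructed inputs that encode the two strings recovered in the write-up.
OCTAL_EXIF_VALUE = "114 060 156 063 110 141"         # -> L0n3Ha
HEX_ELA_VALUE = "4c306e334861636b33523121"           # -> L0n3Hack3R1!

if __name__ == "__main__":
    for sample in (OCTAL_EXIF_VALUE, HEX_ELA_VALUE):
        print(sample, "->", decode_candidates(sample))
```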

With the ELA analysis complete, I moved on to steganographic information hiding. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

The only way to accomplish this is to find the original image and compare it with the one provided by the challenge.

I used Google Image Search and the TinEye service to look for the original images and found this:

As you can see, the file size is different while the resolution, color depth and compression are the same. The data6.jpg file contains another file.

I tried to extract this file using steghide with the L0n3Hack3R1! password, but got nothing: steghide uses a different algorithm to hide the information.

SPG file analysis

This is the file without an extension. Before opening it, I inspected its content with a hex editor such as HxD.

The first two bytes, 0x50 0x4B ("PK"), indicate that it is a zip archive, so I added the .zip extension and extracted its content.

This zip package contained the installer of a steganography tool named SteganPEG.

With the software installed, I tried to extract the hidden information using the L0n3Hack3R1! password. The steganography software extracted an xlsx file.

Excel file analysis

I tried to open the new file, but it asked for a password. I tried the passwords collected in the previous steps, but none of them worked.

To unlock the spreadsheet I used a web service called lostmypass.com. REMEMBER! This is a contest! Never upload business documents to this type of service.

The Excel password was: sushi

Inside the spreadsheet I found another password: !p4ssn0tF0unD!

PCAP file analysis

The Contest_27Marzo.zip file also contained two pcap files. A pcap file contains network packet data recorded during a live network capture; it is used for "packet sniffing" and analyzing network traffic characteristics, and can be analyzed with software built on the libpcap or WinPcap libraries.

In Wireshark, I used the Conversations feature under Statistics to sort the communications with remote hosts.

As you can see, there is a remote IP (partially masked) that communicates first over TCP port 3389 and then over TCP port 46551. Port 3389 typically indicates the RDP service.

Using nmap, I enumerated the service listening on port 46551 and found that the RDP service on the remote server was listening on this port and not on port 3389. The port had probably been changed.

Text file analysis

The Contest_27Marzo.zip file contained two text files: data7.txt, which contained an MD5 hash, and data8.txt, which was a dictionary file.

The hash 4f778f29f5fba0c17ac619ed37abf728 corresponded to the string hack1\HaCK!ngCont3st.

Testing the RDP

Having gathered all the available evidence, I attempted an RDP connection to the remote server using hack1\HaCK!ngCont3st as the username and !p4ssn0tF0unD! as the password.

and… I'm logged in!

On the desktop I found a text file named dato4.txt containing a username for a remote connection to an FTP server.

Testing the FTP

Using the data8.txt dictionary, I brute-forced the login password with hydra.

and I obtained the password: rivalries.

With the password obtained, I tried to connect to the FTP server using hacking as the username and rivalries as the password.

Certificate