2017 Defence CTF Walkthrough


The DHQCTF is a virtual machine and works best in VirtualBox. Download the OVA file, open VirtualBox and select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file it is best to make sure that USB 2.0 is disabled before booting the VM. Networking is set up as a Host-Only Adapter, but you can change this before booting depending on your own network setup. If you have any questions please send me a message on Twitter @silexsecure and I’ll be glad to help.

  1. There are no great limits to discovering services running on a platform, because there are no limits of intelligence when it comes to cyber warfare.
  2. “We shall go on to the end. We shall fight on the Air and Land, we shall fight with growing confidence and growing strength with Intelligence, we shall defend our Cyber Space, whatever the cost may be, we shall fight with HEX”
  3. It will be difficult, often impossible, for us to infiltrate without predominantly scanning.
  4. Relevant, actionable intelligence tailored to your security mission.
  5. Late Lt. Col Abu Ali’s Head Unit 99056 Command “OPERATION LAFIYA DOLE”. After a successful conclusion in the fight against terrorism and insurgency in the Far North East, he built a massive information-sharing system, detailing national security personnel involved in the operation and individuals cleared for accessing the OPERATION LAFIYA DOLE Classified System, to flag who among them might be potential insider threats. But unfortunately he died as a hero who sacrificed his life for peace to reign in Nigeria. Identify the unit DB and break into it.
  6. The only secure token I need is the one that can work on multiple platforms (AKA Double Agent).
  7. Late Wing Commander Chinda Hedima is an expert in unmanned aircraft.
     He doubles as the Defense Intelligence Agency surveillance and reconnaissance unit,
     the Air Component of OPERATION LAFIYA DOLE. He single-handedly recorded the air campaign against the BHT, which in return captured the satellite image of the CHIBOK girls before the spy craft crashed. He sent a steganography message to the DIA/AIRFORCE cloud system before he was killed; your goal is to retrieve the audio and visual image and decipher it for the agency.

Introduction Flag 1

For us, information gathering is the building block of every operation, be it in the military or in hacking, and inspecting the page source results in finding our intro flag. In the FOOTER portion of the source I noticed that three scripts are included, but one has a filename which appears to be Base64 encoded: RmxhZyAwIChuZXRkaXNjb3Zlcik=. Decoding it gave me Flag 0 (netdiscover).

A quick glance at the IP address 192.168.56.20 shows you how the home page looks; viewing the source code is second in command.

The more information you gather, the more chance you stand of winning against your adversary. NMAP, ZMAP and Maltego can do all the work in the information-gathering process. So let's go to Kali Linux and use a tool called netdiscover; with it I discovered the VM's IP address, 192.168.56.20.

As we continue in pursuit of our second flag, while viewing the source code I found a remark next to assets/lafiya.js, “Make sure you stick to intel gathering”, so I decided to click on the link to see what was in it for me.

Flag 2
We shall go on to the end. We shall fight on the Air and Land, we shall fight with growing confidence and growing strength with Intelligence, we shall defend our Cyber Space, whatever the cost may be, we shall fight with HEX

In our famous military quote by Winston Churchill you see HEX at the end, meaning that there is a hexadecimal flag in the code, so I quickly fired up my hex decoder, which gave me this in return: Flag 2 9a8780281d3e37c597cee7ca58bfd435. Looking up that MD5 hash in turn gave me the next instruction: NMAP.

NMAP is the predominant port scanner. Without wasting much time I went to my Kali Linux and fired up nmap on the terminal with the preferences shown in the screenshot; in return it revealed a whole lot of misconfigurations, open ports etc. Mind you, we are following the instructions from the operational command based in Sambisa, so stick with me as we move through this journey.

Flag 2B

Well, well, well: the military is known for intelligence, restricted access, encrypted communication and vigilance, so the military has a way of communicating we don’t know about. So let's try to tunnel over SSH to see if we can get some info. When I typed these commands on my terminal I found that at every step I take there is a Cam7 watching me, and I could find another flag on the system, flag 2B. Let's see if it makes sense to us: Flag{53c82eba31f6d416f331de9162ebe997}

OK, so now I know why Operation Lafia Dole has different operational commands. It's clear to me that all eggs can't be in one basket; I am seeing MD5 hashes for additional clues, so 53c82eba31f6d416f331de9162ebe997 = “encrypt”. I think the top commanders are passing classified info out to Abuja.

Flag#3 – Defence Intelligence Agency is known for intercepting and breaking SSL
Every system in the world today employs SSL as a means of transporting secure information, so I know the military joint operation “Operation Dole” won't be different, in addition to the clue “encrypt”. I decided to visit the IP over SSL (https://), and there I found the third flag.

Flag3 = 19c562a36aeb455d09534f93b4f5236f990 + 39 39 30

The combination of MD5 + hex gave me my new hint: Unit990. So, as you can see, Unit990, led by Late Lt. Col Abu Ali, built a massive information-sharing classified system for the defence. Whaooo, so what else? I fired up my browser with the following URL, 192.168.56.20/Unit990, and what I saw is the defence classified system. Amazing!
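Every hint so far is recovered by one of three steps: a Base64 decode (flags 0, 4, 5, 6), a hex decode (the 39 39 30 of flag 3), or a dictionary match against an MD5 (flags 2, 2B and the first half of flag 3). The Python below is an added example, not code from the walkthrough; the hint strings are the ones quoted on this page, and the candidate word list is my own assumption.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Hint strings exactly as the walkthrough quotes them from the VM's pages.
BASE64_HINTS = [
    "RmxhZyAwIChuZXRkaXNjb3Zlcik=",
    "ZmxhZyA0IHthZG1pbi5waHB9",
    "RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ==",
    "ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ==",
]
FLAG3 = "19c562a36aeb455d09534f93b4f5236f990"   # 32 hex digits of MD5 + "990"
HEX_HINT = "39 39 30"
# Candidate words for the MD5 lookups: my guesses from the page context, not a real wordlist.
WORDLIST = ["encrypt", "Unit", "NMAP", "nmap", "ssl", "990"]


def decode_base64(token: str) -> str:
    """Strict Base64 decode; a wrong alphabet or bad padding raises binascii.Error."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def decode_hex_bytes(token: str) -> str:
    """Decode space-separated hex byte values ('39 39 30') to ASCII text."""
    return bytes.fromhex(token.replace(" ", "")).decode("ascii")


def match_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """MD5 is not reversible: the only way to 'decode' a flag hash is to hash
    candidate words and compare digests. Returns the first match, or None."""
    digest = digest.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None


def split_flag3(flag: str):
    """Flag 3 is a 32-hex-digit MD5 followed by extra characters; split the two parts."""
    return flag[:32], flag[32:]


if __name__ == "__main__":
    for token in BASE64_HINTS:
        print(token, "->", decode_base64(token))
    print(HEX_HINT, "->", decode_hex_bytes(HEX_HINT))
    md5_part, tail = split_flag3(FLAG3)
    print(md5_part, "->", match_md5(md5_part, WORDLIST), "+", tail)
```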

We are one step away from logging into the military classified system, but I landed on the military user classified page. I will need to find the login system to test against SQL injection and further compromise the system. First things first,

  1. I fired up websploit on Kali to see if I could find an admin page and found [admin.php], but I needed to be very sure, so I resorted to viewing the source code for more clues.

FLAG 4: The Military Employee Database to Predict Traitors

I found a comment with a Base64-encoded string, ZmxhZyA0IHthZG1pbi5waHB9 = flag 4 {admin.php}. Good: flag 4 reconfirms to us that websploit was actually correct, so the flag is admin.php. Hmm, we still have a lot of work to be done; at the footer end of the page something drew my attention, so I paid more attention to it …

If you look at this box closely you will see 'or'1'='1, which is a magic wand for those of us who are familiar with SQL injection, so I fired in this password. In return I saw this instruction from the military decipher board with when the operation will be over; I had to speed things up here. Looking at the board you can see late Col Abu Ali's SSH details plus the password… maybe you will need to log in to see what Late Lt Col Abu Ali had to say before he died!!! So emotional.
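The 'or'1'='1 password only works because the login splices the submitted values straight into the SQL text. This added Python/sqlite3 example (not the VM's code; the user table and credentials are constructed) puts that vulnerable pattern next to the parameterised query a defender would ship, and feeds both the value from the hint box.

```python
import sqlite3

# Constructed stand-in for the Unit990 user table; the real VM's schema is unknown.
# Passwords are kept in clear text here only to keep the example short.
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
_CONN.execute("INSERT INTO users (username, password) VALUES ('abuali', 'S3cret!')")
_CONN.commit()

# The value shown in the walkthrough's hint box.
INJECTION = "' or '1'='1"


def vulnerable_login(username, password, conn=_CONN):
    """Builds the query by string formatting, so a quote in the input ends the
    literal and the rest is parsed as SQL. With INJECTION as the password the
    WHERE clause becomes  ... AND password='' or '1'='1'  which is true for
    every row, so any username is accepted."""
    query = (f"SELECT id FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(username, password, conn=_CONN):
    """Hardened form: the SQL text is fixed and the inputs are bound as
    parameters, so quotes inside them stay data and never change the query."""
    query = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login("anyone", INJECTION))  # True
    print("safe:      ", safe_login("anyone", INJECTION))        # False
```

Binding parameters is the fix for the injection itself; storing password hashes instead of clear text is a separate hardening step this example leaves out.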

Flag#5 – “INJECT The Tunnel”

Visiting the link http://192.168.56.20/Unit990/admin.php I see a proper login to access the classified system; however, I still need to look for clues to guide me on this mission. Old tricks work very well when it comes to CTFs, so just keep looking at the source code over and over.

I found a similar image to that of the admin user page, but this one carries a Base64-encoded message (“message escaping is automatic here”, oops): RmxhZyA1IHtTUUwgaW5qZWN0aW9ufQ==. Decoding it shows us our next assignment: Flag 5 {SQL injection}.

Amazing, just one step from logging into the military classified system. Any trick can work here because this system is vulnerable to SQL injection. I decided to fire up my Kali Linux with the tool sqlmap, pointing it at clientview.php?id=1, or just scanning the whole system. Typing may be complex here, though; just follow the screenshot … we will make a video of it soon …

Amazingly, the password you get is shared with a folder for another military operation.

Flag#6 – “Double Agent still exists”
ZmxhZyA2IHtOaWdhaXJmb3JjZWNsb3VkfQ== = flag 6 {Nigairforcecloud}. After Base64 decoding we found flag 6, which says double agent; interesting. What I quickly did was to try Nigairforcecloud as a password, but it failed; when I tried logging in with the ash as the password, it logged in instantly.

You can still recall that on the home page of the CTF we laid emphasis on two missions:
1. The classified system
2. The Airforce cloud system

So we actually have two main portals running on this platform. I quickly recalled the flag name Double Agent and tried 192.168.56.20/Nigairforcecloud; it returned a page, Operation Lafia Dole Airforce cloud restricted content. But I can’t find either a username or a password, hmm.

Recalling Late Wing Commander Chinda Hedima, who was described as an expert in unmanned aircraft, I think he has something to do with the airforce cloud system. I quickly went to Google to type his name and was heartbroken by how he died, still feeling sombre .. well, this is the best way for us as a company to get this hero's name ringing in our minds. Quickly jump to the page assets/lafiya.js. I found something interesting, a “heads up”: the email id c.hedima@airforce.mil.ng. I think this must be the username, but what could be used as the password!!!! Still thinking.

I paused for a moment and went back to Google to read how he died, the place and the location. I tried Northeast, Nigeria, Maiduguri; they did not work … oops. I took a moment, went back to watch the video of how he was beheaded and heard him mention Borno. Behold, I went back to assets/lafiya.js and saw a map coordinate, maps/kanuri/Borno/@11.8664433,10.9088387, again. I went ahead to try Borno and, behold, I logged into the system. So much excitement, but I needed to know what he recorded and what he was sending to the Defense Intelligence Agency in Nigeria before his flight was shot down.

Flag#7 – “DSA / DIA / DSS are looking for Steganography to Unlock the Code: retrieve the cloud image for the agency to act on its intel”

Flag 7: 3aa652f41d8b4a23e17937149c784868. widgets is a link on the Nigerian air force cloud where all the satellite images and intelligence are stored. We need to start deciphering that data for the Defense Intelligence Agency to produce actionable intelligence. I need to go back to Kali Linux to use a tool called steghide.

Ready to go into forensics? Well, let's see how it works. Steganography is the oldest way of sending messages in secrecy; however, modern spy agents also use the same technique to send messages to various branches and departments. Today we will be using Kali to decrypt the secret messages captured by the air force fighter jet that was shot down … well, if you are looking for the password for the encrypted flight data, dig through assets/lafiya.js: you will find another location called Bama1987. That is where the terrorists dominated before it was shut down by the military; kudos to the armed forces of Nigeria.
