Red Wiki

Flag Locations
Team Wiki Pages

Team 1:    None

Team 2:    None

Team 3:    None

Team 4:    None

Team 5:    None

Team 6:    None

Team 7:    None

Team 8:    None

Team 9:    None

Team 10:    None

Team 11:    None

Team 12:    None

Team 13:    None

Team 14:    None

Team 15:    None

Team 16:    None

Team 17:    None

Team 18:    None

Team 40:    None

General Help and Information
Uploaded Files: ncdc19.ssh.tar.gz
gori/princess/lain/red: admins

Reverse shell on port 8008 of bank2node

https://drive.google.com/drive/folders/1g_ij1z-ZDGNBCFL4UihUlLKBEoGWiiNM?usp=sharing

NodeApp
  • Command injection via search
  • NOSQL-Injection via comments
  • Conveniently allowing the arbitrary rewriting of any data you feel like
  • Simple POST to /about with the field `set` holding which set you would like to put it into, and add the bins you want
  • XSS via comments
ATM
  • Ransomware to encrypt source and binary is located at C:\Windows\System32\posync.exe
  • Scheduled task to run malware binary at 11:00AM every day and every time a user signs in; that task is located at \Microsoft\Windows\ApplicationData\CheckSvc
  • APIs are all over plaintext HTTP and can be intercepted
  • Balance APIs leak pins
  • Application does not perform input validation
  • Windows Firewall/security/gpo settings turned down to minimum
  • Sticky keys command prompt trigger



Aerospike1
  • Netcat backdoor
  • Uses port 43
  • Respawns
  • Systemd script
  • FTP w/ anonymous mode


WebApp
  • PAM uses Linux crypt for passwords
  • SSH on port 666 has /etc/shadow as a banner message



Courtesy of team 2:
spike: 
gori: 
princess: 
sjp: 
fav: 
jblack: 
lain: 
wrath: 
9bunbun: 
lynx: 
papa: 
lee: 
el_presidente: 
kirito: 
mach: 
red: 


Courtesy of team 7:
root:dsL1N.DqKrUr6:17928:0:99999:7:::
cdc:WN.GMJ7KQjTqk:17928:0:99999:7:::
webapp:$6$PwsZClXo$J3EriBzNwIH7xanWcvRnbjKpMetVD8EB8E.LioXA2n7c9AyLqlhoHiJdMzXQIONhoHo5/PLcILqbIRSJ8VdCd0:17895:0:99999:7:::
princess:y.3wS2UFMH7uY:17926:0:99999:7:::
9bunbun:YyPzwRIMaI.jc:17905:0:99999:7:::
gori:WjufF2r/A9hJc:17905:0:99999:7:::
lain:av3W3hsR8nCTA:17905:0:99999:7:::
red:kXDAZr2pi/SWk:17905:0:99999:7:::
mach:w9neRnhXr.6iw:17905:0:99999:7:::
sjp:XOD08FJuzq4Sg:17905:0:99999:7:::
wrath:7aiat9dMR6lkk:17926:0:99999:7:::
lynx:fpgh5hBNswMXw:17905:0:99999:7:::
papa:DUjopdHH1z1RI:17905:0:99999:7:::
fav:KmiT6rY1VGNxs:17905:0:99999:7:::
jblack:0eyMqEFlSOFio:17905:0:99999:7:::
lee:grtE8./TIdQIk:17905:0:99999:7:::
spike:B.KF5rhEKQf7I:17905:0:99999:7:::
el_presidente:m24SBC1XpS5Gk:17905:0:99999:7:::
bogeythebearcat:2eqWeYxK.uxgM:17928:0:99999:7:::

wrath/rockyou
spike/v1c10u5
chris/chris
fav/gl0ck30

The /etc flag for team 8 on www is in /root. They have removed chattr and have set /etc to +i (not sure if that is legit). If someone local can log into that box, they could move the flag to the right spot.

[-] Found the following flags
[-] Key: ! Used Sudo
[*] No Flags Found

[+] 1/9p.team1.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: papa:14mp4p4
[+] 3/www.team3.isucdc.com:22/WWW SSH Succeeded!  Found credentials: lynx:31j10kumur4,papa:14mp4p4,jblack:bl4ckd0g,lee:l331sl1f3,spike:v1c10u5
[+] 7/9p.team7.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: root:cdc,cdc:cdc,lynx:31j10kumur4,papa:14mp4p4,jblack:bl4ckd0g,lee:l331sl1f3,spike:v1c10u5
[+] 9/9p.team9.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: lynx:31j10kumur4,papa:14mp4p4,jblack:bl4ckd0g,lee:l331sl1f3,spike:v1c10u5
[+] 14/9p.team14.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: spike:v1c10u5,root:cdc,cdc:cdc,lynx:31j10kumur4,papa:14mp4p4,fav:gl0ck30,jblack:bl4ckd0g,lee:l331sl1f3
[+] 14/www.team14.isucdc.com:22/WWW SSH Succeeded!  Found credentials: cdc:cdc
[+] 16/9p.team16.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: root:cdc,root:icanhasroot,root:iamgroot,root:CDC,root:chris
[+] 16/www.team16.isucdc.com:22/WWW SSH Succeeded!  Found credentials: cdc:cdc!
[+] 40/9p.team40.isucdc.com:22/Bank2Node SSH Succeeded!  Found credentials: lynx:31j10kumur4
[+] 40/www.team40.isucdc.com:22/WWW SSH Succeeded!  Found credentials: spike:v1c10u5
[+] 7/db4.team7.isucdc.com:22/DB4 SSH Succeeded!  Found credentials: root:cdc,root:icanhasroot,root:iamgroot,root:CDC,root:chris
[+] 2/db1.team3.isucdc.com:22/DB1 SSH Succeeded!  Found credentials: root:cdc,root:icanhasroot,root:iamgroot,root:CDC,root:chris
[+] 2/db4.team5.isucdc.com:22/DB4 SSH Succeeded!  Found credentials: root:cdc,root:icanhasroot,root:iamgroot,root:CDC,root:chris


net user taco pizza /add
net localgroup administrators taco /add



First Name   Last Name   Username        Role        Password
Gori         Riger       gori            Admin       [Team Specific]
Lain         Iwakura     lain            Admin       [Team Specific]
Rachel       Edward      red             Admin       [Team Specific]
Elizabeth    Liones      princess        Admin       [Team Specific]
Alice        Rabbit      9bunbun         Developer   [Team Specific]
Machine      Head        mach            Developer   [Team Specific]
Sweet        JP          sjp             Developer   [Team Specific]
Sir          Meliodas    wrath           Developer   [Team Specific]
Ash          Lynx        lynx            Financier   31j10kumur4
Dino         Golzine     papa            Financier   14mp4p4
Faye         Valentine   fav             Financier   gl0ck30
Jet          Black       jblack          Financier   bl4ckd0g
Shroter      Wong        lee             Financier   l331sl1f3
Spike        Spiegel     spike           Financier   v1c10u5
Daniel       Hinchee     el_presidente   President   [Team Specific]




FIRED PEOPLE'S PASSWORDS
-----------------------------------------------------------------------------------------
sjp
Team 1 tew51lot
Team 2 yaw79zel
Team 3 fiz14yos
Team 4 xek28kem
Team 5 boj00keg
Team 6 vay87jep
Team 7 duc04jon
Team 8 mal02tik
Team 9 zey11her
Team 10 bac95xep
Team 11 xot70zuc
Team 12 vep51tob
Team 13 bit35poj
Team 14 waz70lil
Team 15 qax44yik
Team 16 bup55nah
Team 17 beq83jop
Team 18 taz69feg
Team 19 guq85buq
Team 20 wip50jox
Team 21 sok05fop
Team 22 soz88pud
Team 23 mok25joy
Team 24 tal95tuv
Team 25 pud48roz
Team 40 col62foh

gori
Team 1 xak14yeh
Team 2 qef97giy
Team 3 sit89lac
Team 4 nig64riz
Team 5 gab86bac
Team 6 yip93rew
Team 7 jeg03yuz
Team 8 peg68pam
Team 9 hac70ruq
Team 10 mox82tuy
Team 11 yod19bum
Team 12 hes23nud
Team 13 soz51buy
Team 14 cip42zor
Team 15 xaw68zuq
Team 16 jit60qiy
Team 17 lim16jah
Team 18 liy98xes
Team 40 mog86buj