-
Network Scan and Attack Vector
Fri, 06 Aug 2021 21:45:48
Unknown Device URL: http://192.168.10.1 Path: 192.168.10.1 Ports: PORT STATE SERVICE 80/tcp filtered http Pwnd: False Notes: Drobo 5n2 URL: http://192.168.10.137 Path: 192.168.10.137 Ports: PORT STATE SERVICE 80/tcp closed http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 548/tcp open afp 5000/tcp open upnp 5001/tcp open commplex-link Pwnd: False Notes: Not shown: 995 closed ports Asus RT N53 URL: http://192.…
-
Pivot Notes
Sat, 01 May 2021 14:00:51
When looking through the Control4 machine, we noticed that the IP address range it is on is not in the 192.168.10.0/24 subnet. It is actually in the 172.16.10.0/24 network. ifconfig eth0 Link encap:Ethernet HWaddr 00:0F:FF:13:D6:1A inet addr:172.16.10.4 Bcast:172.16.10.255 Mask:255.255.255.0 UP BROADCAST NOTRAILERS RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1 RX packets:122800 errors:0 dropped:0 overruns:0 frame:0 TX packets:119369 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:35281332 (33.6 MiB) TX bytes:32480603 (30.9 MiB) Interrupt:13 lo Link encap:Local Loopback inet addr:127.…
-
Black Box 1 Flag Writeup
Sat, 08 Aug 2020 13:29:43
Previous Exploit Doing a search of Control 4 C4-HC250-BL + exploit in Google netted us the default password used to exploit it. http://www.davidsonfamily.ca/discussion-board/topic/logging-into-controller/ Black Box 1 Flag I noticed there was a Black Box Challenge for Control 4, which we previously exploited. With the password we previously used, we could SSH into the IP to access the directory: /etc/init.d/c4server. We took the MD5 sum of /etc/init.d/c4server to retrieve the flag.
-
Control4 Flag
Sat, 08 Aug 2020 13:22:15
After doing some research on the Control4 product, we found that there is a default root password. user: root, password: t0talc0ntr0l4! Getting the flag The flag is located on the SD card, so we go look in /mnt/sd/ $ cd /mnt/sd/ $ ls Flag.txt flash lost+found We found the flag, and now we can cat it out and capture it.
-
Setting Up and Using Tools
Sat, 08 Aug 2020 12:18:30
We’ve learned how to use a couple of different tools since we started working on the SOHOplessly Broken CTF. Kali We set up a Vagrant machine to use as a common starting place for each of our machines. It has all of the standard Kali tools installed, as well as some other standard exploit tools. Requirements Git Vagrant VirtualBox Package Managers It is recommended to use a package manager for installing and updating this software.…
-
Day2 Port Scan Update
Sat, 08 Aug 2020 12:16:14
After getting connected to the SOHOplesslyBroken VPN, we did an nmap scan of the local IP range for any devices. This is an update to show what flags have already been captured. nmap 192.168.10.0/24 Control4 Open Source Software Notice url: http://192.168.10.101/ PORT STATE SERVICE 21/tcp closed ftp 22/tcp closed ssh 80/tcp open http Current State: Has not been accessed.…
-
Mosquitto Flag
Sat, 08 Aug 2020 11:19:07
The hint for the flag was: See if you have the patience to scratch the itch; patience is key. Mosquitto bites are so annoying! Connect at: 209.97.159.20:1883 Creds: iot:iot We had a feeling that this had something to do with MQTT based on the mosquitto name. Searching for port 1883 confirmed this, as it is the standard port for MQTT. We installed the mosquitto client using: sudo apt install -y mosquitto-clients We then connected to the server using:…
-
Fortinet Flag
Fri, 07 Aug 2020 23:33:58
Finding the exploit, we did some google-fu and learned a bit about some of the exploits for the device, but we didn’t know which device on the network it was. We connected to one of the devices and figured out that the favicon of the admin page was Fortinet’s logo. From there we started to run some of the exploits. The one that worked for us was https://www.exploit-db.com/exploits/43386 Exploit #!/usr/bin/env python # SSH Backdoor for FortiGate OS Version 4.…
-
GeoVision Flag
Fri, 07 Aug 2020 23:33:44
Doing a search of GeoVision GV-SNVR0811 + exploit in Google netted us a ton of results pointing to the following exploit. https://www.exploit-db.com/exploits/45065 Exploit # Exploit Title: GeoVision GV-SNVR0811 Directory Traversal # Exploit Author: Berk Dusunur # Google Dork: N/A # Type: Hardware # Date: 2018-07-21 # Vendor Homepage: http://www.geovision.com.tw/product/GV-SNVR0811 # Software Link: http://www.geovision.com.tw/product/GV-SNVR0811 # Affected Version: N/A # Tested on: Parrot OS # CVE : N/A # Proof Of Concept GET Request GET .…
-
Nuuo NVR Mini Flag
Fri, 07 Aug 2020 14:02:00
We were able to get the flag off of our first device using a known exploit. We found this known exploit by searching for the device + exploit in Google. We found the following vulnerability in Exploit Database. https://www.exploit-db.com/exploits/40209 Script #!/usr/bin/env python # # # NUUO Remote Root Exploit # # # Vendor: NUUO Inc. # Product web page: http://www.nuuo.com # Affected version: <=3.0.8 # # Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS # functionality.…