tkh4ck.github.io

Personal website and blog of tkh4ck

View on GitHub

HCSC 2024 - Csak egy litván hálózat

Description

Volt egyszer egy cég Európában, Litvániában, akik álmodtak egy nagyot.

Méltatlanul alulreprezentált a népszerűségük, holott minden téren felvehetik a versenyt a nagy gyártókkal. De mire is képesek ők? A kihívás során elképesztő hálózati megoldásokkal találkozhatsz. Olyan magasságokat is láthatsz, ahová nem kell a lift.

Készítői kommentek:

Flag formátum: HCSC24{...} ahol a ‘…’ helyén szerepel a flag.

By TheAdam

Hint 1 (cost 0): /tool/push és utálom a szomszédaim, de mindig megtalálom őket

Hint 2 (cost 175): Portb 11111101000

Metadata

Solution

I needed the two hints to solve this challenge.

The challenge was running on 10.10.(1-9).10:32860. Nmap says the following:

32860/tcp open     ssh     MikroTik RouterOS sshd (protocol 2.0)

Let’s try to SSH in and guess that the credentials are admin/admin:

$ ssh admin@10.10.5.10 -p 32860
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.13.5 (c) 1999-2024       https://www.mikrotik.com/

Press F1 for help

[admin@hcsc-main-1] >

It worked, we are in a Miktorik router.

Unfortunately, we are a read-only user, we cannot modify the configuration, however, we can execute many useful commands like: /export show-sensitive verbose which prints almost all the relevant details about the router (hcsc-main-1.conf).

SSH port forwarding is disabled, so we cannot do dynamic port forwarding + socks + proxychains…

If we check the interfaces, it is interesting that there are two of the: ether1 and ether3. If we run mac-scan and ip-scan tools we can find some internal devices in the 192.168.1.0/24 range:

[admin@hcsc-main-1] > interface ethernet print
Flags: R - RUNNING
Columns: NAME, MTU, MAC-ADDRESS, ARP
#   NAME     MTU  MAC-ADDRESS        ARP
0 R ether1  1500  52:54:00:12:34:56  enabled
1 R ether3  1500  52:54:00:12:34:51  enabled

[admin@hcsc-main-1] > tool mac-scan
interface: ether3
Columns: MAC-ADDRESS, ADDRESS, AGE
MAC-ADDRESS        ADDRESS        AGE
52:54:00:12:34:56  192.168.1.1     18
52:54:00:12:34:11  192.168.1.200   15
52:54:00:12:34:51  0.174.0.0       18

[admin@hcsc-main-1] > tool ip-scan
address-range     as-value     duration     freeze-frame-interval     interface     without-paging

[admin@hcsc-main-1] > tool ip-scan address-range=192.168.1.0/24
Columns: ADDRESS, MAC-ADDRESS
ADDRESS        MAC-ADDRESS
192.168.1.1    52:54:00:12:34:56
192.168.1.42   6A:8F:E2:47:8D:B2
192.168.1.200  52:54:00:12:34:11

The IP address 192.168.1.42 looks interesting, as it has a completely different MAC address as the other devices.

What is very very confusing is that our current router has the MAC address of 52:54:00:12:34:56 and the device at 192.168.1.1 also has the same MAC address, but it is a different device. Our device does not have any IP address on the ether3 interface:

[admin@hcsc-main-1] > ip address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS       NETWORK   INTERFACE
0 D 10.0.2.15/24  10.0.2.0  ether1

Because of this we cannot communicate with the devices on an IP level, but we might be able to use mac-telnet to login to the other devices.

MAC telnet is used to provide access to a router that has no IP address set. It works just like IP telnet. MAC telnet is possible between two MikroTik RouterOS routers only.

[admin@hcsc-main-1] > tool mac-telnet 6A:8F:E2:47:8D:B2
Login: admin
Password:
Trying 6A:8F:E2:47:8D:B2...

Welcome back!
[admin@hcsc-main-1] > tool mac-telnet 52:54:00:12:34:11
Login: admin
Password:
Trying 52:54:00:12:34:11...
Connected to 52:54:00:12:34:11


  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.13.5 (c) 1999-2024       https://www.mikrotik.com/

Press F1 for help

[admin@hcsc-internal-client] >

We could log in to 192.168.1.200 with admin / admin. However, we cannot go further because of the restrictive firewall rule, but we can ping the other two devices:

[admin@hcsc-internal-client] > :for i from=1 to=256 do={ /ping "192.168.1.$i" count=1 }
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST         SIZE  TTL  TIME
  0  192.168.1.1    56   64  15ms510us
[...]
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST          SIZE  TTL  TIME
  0  192.168.1.42    56   64  5ms153us
[...]

[admin@hcsc-internal-client] > ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=output action=drop protocol=tcp

Let’s try to login to 192.168.1.1 (admin / admin):

[admin@hcsc-main-1] > tool mac-telnet 52:54:00:12:34:56
Login: admin
Password:
Trying 52:54:00:12:34:56...
Connected to 52:54:00:12:34:56


  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.13.5 (c) 1999-2024       https://www.mikrotik.com/

Press F1 for help

[admin@hcsc-internal-main] > interface print
Flags: R - RUNNING
Columns: NAME, TYPE, ACTUAL-MTU, MAC-ADDRESS
#   NAME    TYPE   ACTUAL-MTU  MAC-ADDRESS
0 R ether1  ether        1500  52:54:00:12:34:56

[admin@hcsc-internal-main] > ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS         NETWORK      INTERFACE
0 192.168.1.1/24  192.168.1.0  ether1

[admin@hcsc-internal-main] > ip firewall export
# 2024-05-02 23:04:10 by RouterOS 7.13.5
# software id =
#

There are no firewall restrictions!!! We can now try to communicate with 192.168.1.42. Let’s run a short script to determine whether it has any HTTP ports open:

[admin@hcsc-internal-main] > :for i from=1 to=65535 do={ :do { /tool/fetch output=user http-method=get url="http://192.168.1.42:$i/" } on-error={ :put $i } }
2023
      status: finished
  downloaded: 0KiB
    duration: 0s
        data: <html> <head><title>Index of /</title></head> <body> <h1>Index of /</h1><hr><pre><a href="../">../</a> <a href="flag.txt">flag.txt</a> 27-Apr-2024 07:49 44
              </pre><hr></body> </html>
  status: failed
2025

Port 2024 is open and there is /flag.txt file, let’s download is:

[admin@hcsc-internal-main] > /tool fetch url="http://192.168.1.42:2024/flag.txt" output=user
      status: finished
  downloaded: 0KiBse]
       total: 0KiB
    duration: 1s
        data: HCSC24{ROUTEROS-IS-THE-NEAREST-TO-THE-B1ST}

Flag: HCSC24{ROUTEROS-IS-THE-NEAREST-TO-THE-B1ST}