PacketWars XI (2017)

This year’s theme was preventing the meltdown of a nuclear power plant.

Intel suggests there is an active campaign by unknown threat actors planning to create a national crisis à la Chernobyl by undermining the safety and control systems of a nuclear power plant located in close proximity to a strategic shipping port. You and your team must successfully retrieve vital intelligence from an intercepted lockbox, without your adversary’s knowledge, analyze the contents of the lockbox for artifacts and extract any useful operational details you can in order to disrupt your adversary’s diabolic plot to undermine the confidence and safety of your critical national infrastructure.

There were three missions in total:

1. Obtain the flash drive from a locked box.

2. Perform forensic analysis of the flash drive to acquire information.

3. Gain access to the power plant’s server and stop the countdown timer.

Pre-game

PacketWars took place at the University of Dayton this year. We discussed several different team names but decided on the name INT 0x80. Unfortunately, there were some translation errors somewhere along the line and our official name ended up being recorded as INT 0x08. Close enough.

Mission One (10 points)

10 Points — Open the box and retrieve the flash drive

The first mission put our physical penetration skills to the test. The narrative of the lockbox was that an operative for the threat actor’s organization left it at a dead drop and we needed to take a look inside without leaving evidence. Each team was provided with a set of lock picking tools and a quick presentation about beginner lock picking.

David attempting to pick the lock and open the box

We were given a generous 30 minutes to complete this mission but we did it in about 2. All but one team finished and received the 10 points.

You were allowed to use methods other than picking to open the box, but they were not explicitly stated. One way was to take a thin rod and push out the hinge on the back of the box.

Mission Two (13 Points)

7 Points — Find the IP of the power plant’s server

3 Points — Find the prompt.txt string

2 Points — Find the SSH key

We were not given the scoring information until after the mission so we were flying blind as to what we were looking for.

Now armed with the flash drive, our mission was to forensically analyze the flash drive and retrieve any information we could about the system the actors were targeting. I decided to take one for the team and plug the flash drive into the laptop I was using (it wasn’t mine, lol). Luckily the flash drive was not malicious.

Looking at the contents of the drive, we saw two files: a file whose name was a single space and a file named a.out. The file with the space for a name was a text file with the contents /home/pentest/prompt.txt. The a.out file was an ELF executable. We fired up Wireshark and ran the program to see what happened. Nothing interesting, but we did see that it tried to connect to the address 10.0.200.42. We delved deeper by loading it into gdb and debugging the application. We found that it first opened a socket to the given IP, then tried to log into an FTP server with a username and password.

At this point, we were scratching our heads because the PacketMaster said we were still missing one artifact and we never figured out what it was. It turned out the last artifact we were missing was the SSH key. It was hidden on a deleted partition of the flash drive, something you wouldn’t have found unless you dd-ed or strings-ed it (which we didn’t). We ended up getting 10 out of the 12 points possible for that mission.
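The missed SSH key is a good illustration of why a forensic pass should scan the raw device rather than trust the filesystem’s view of it. The following Python is an added example, not anything from the competition or from the team’s own analysis: it carves PEM/OpenSSH-armoured private key blocks out of a raw image by byte pattern, which finds a key sitting on a deleted partition just as easily as one in a live directory. The sample image, its byte layout and the placeholder key bodies are constructed here and contain no real key material.

```python
import base64
import mmap
import re

# PEM-style armour used by OpenSSH ("OPENSSH PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY"),
# PKCS#8 ("PRIVATE KEY" / "ENCRYPTED PRIVATE KEY") and similar formats. The BEGIN label
# is captured and required to match the END label so adjacent blocks cannot merge.
KEY_BLOCK = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\r?\n"
    rb"[A-Za-z0-9+/=\r\n]+?"
    rb"-----END \1-----"
)


def carve_private_keys(image: bytes):
    """Return (byte offset, key block) for every armoured private key in a raw image.
    The scan ignores partition tables and filesystem metadata entirely, which is why
    it also finds keys in a deleted partition or in unallocated space."""
    return [(m.start(), m.group(0)) for m in KEY_BLOCK.finditer(image)]


def carve_file(path: str):
    """Same scan over a dd image on disk, memory-mapped so that a large image does
    not have to be read into RAM in one piece."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return [(m.start(), bytes(m.group(0))) for m in KEY_BLOCK.finditer(mm)]


def pem_block(label: str, payload: bytes) -> bytes:
    """Build an armoured block around a payload. The payloads used below are
    constructed placeholders, not real key material."""
    body = base64.b64encode(payload)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"\n".join(lines)
            + f"\n-----END {label}-----".encode())


# Repeating byte pattern standing in for unrelated sectors (constructed noise).
NOISE = bytes(range(256))


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image of the flash drive (not the real one):
    a key in the live filesystem area, a stretch of unallocated space, and a second
    key that no filesystem entry references any more, like the one on the deleted
    partition."""
    live = pem_block("RSA PRIVATE KEY", b"constructed placeholder, live filesystem")
    deleted = pem_block("OPENSSH PRIVATE KEY", b"constructed placeholder, deleted partition")
    return NOISE * 8 + live + NOISE * 40 + deleted + NOISE * 16


if __name__ == "__main__":
    for offset, block in carve_private_keys(build_sample_image()):
        label = block.split(b"\n", 1)[0].decode()
        print(f"0x{offset:08x}  {label}")
```

Running the block prints one line per carved key with its byte offset; `carve_file("/path/to/drive.dd")` does the same against a real image. The offset is what you would hand to `dd` or a hex viewer to look at the surrounding sectors and work out which (deleted) partition the key belonged to.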

Mission Three (20 Points)

10 Points — Gain access to the system (and prove it).

5 Points — Stop the meltdown countdown timer.

5 Points — Retrieve the countdown timer and submit its hash value

Mission three was, by far, the hardest. The background was that the targeted system’s IP address was 10.0.200.42. We were tasked with breaking into the system and stopping the meltdown timer!


The first thing we did was run nmap -F 10.0.200.42. This returned the following services:

21 — FTP

22 — SSH

79 — Finger

513 — Login

514 — Shell

We tried logging into the FTP server with the username and password that we found in mission two, but that didn’t work.

We then turned our attention to the finger service. After looking it up, we discovered that you could find out information about a user account by providing the username. We tried looking at the information for root, but it really didn’t return anything helpful for us. It only provided the IPs that had recently logged into the account, and they were not within our battle space.

From here we started looking at Shell. It was a service that used rlogin. With rlogin, you are able to log into accounts without a password, using your IP address as verification instead. You log in by running the command rlogin -l <username> <IP>. We tried running it on root (rlogin -l root 10.0.200.42), but the connection just timed out. From this point on, we made almost no progress.

The protocol partly relies on the remote party’s rlogin client to provide information honestly, including source port and source host name. — Wikipedia

During this time, one of the members of the other Wright State team decided they would have some fun and try to social engineer the other teams. He created a fake account on Slack and made it look exactly like the PacketMaster’s Slack account. He started posting things like “Please stand by guys — we’re having issues with the SSH but it should be back up in about 10 minutes.” It was actually pretty funny but I don’t think he really fooled anyone.

One of these accounts is not like the other…

Mission three came to an end and none of the teams had completed any of the objectives.

After mission three ended, we were walked through how it was supposed to have been completed. What you were supposed to do was use finger to discover an account called operator and that the IPs that had logged into the server all ended with .33 (rlogin denies any connection that isn’t from an IP that ends with .33). You were then supposed to connect to rlogin (while spoofing your source IP to end with .33) and sign into the operator account. rlogin uses an IP ending with .33 as a form of verification instead of password.
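To make concrete why the intended solution works, here is an added Python model (not from the competition, and not any real rlogind implementation) of the two pieces involved: the connection-setup record an rlogin client sends first, as specified in RFC 1282, and a simplified hosts.equiv-style trust check of the kind that stands in for a password. The trusted-host list, the audit line format and the pentest/operator user names are constructed for the example. Note what the decision depends on: the peer address taken from the TCP connection and a user name the client simply asserts, neither of which is authenticated, which is exactly why the “.33” rule is the whole credential.

```python
from dataclasses import dataclass


@dataclass
class RloginHello:
    client_user: str   # account on the client machine, as the client claims
    server_user: str   # account the client wants on the server
    terminal: str      # e.g. "vt100/9600"


def parse_rlogin_hello(data: bytes) -> RloginHello:
    """Parse the connection-setup record an rlogin client sends first (RFC 1282):
        NUL  client-user  NUL  server-user  NUL  terminal/speed  NUL
    Every field is asserted by the client; the record carries no credential."""
    if not data.startswith(b"\x00"):
        raise ValueError("rlogin setup record must begin with a NUL byte")
    fields = data[1:].split(b"\x00")
    if len(fields) < 4:
        raise ValueError("setup record is truncated")
    client_user, server_user, terminal = (f.decode("ascii") for f in fields[:3])
    if not client_user or not server_user:
        raise ValueError("empty user name in setup record")
    return RloginHello(client_user, server_user, terminal)


def parse_hosts_equiv(text: str):
    """Parse hosts.equiv / .rhosts style lines: 'host' or 'host user'.
    Comment and blank lines are skipped. Simplified model: no '+', '-' or
    netgroup syntax, and no special handling of root."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1] if len(parts) > 1 else None))
    return rules


def rhosts_decision(peer_host: str, hello: RloginHello, rules) -> tuple[bool, str]:
    """Model of the trust check rlogind performs before it would ever prompt for a
    password. A bare 'host' entry lets any user on that host in under the same
    account name; a 'host user' entry lets that user in as server_user."""
    for host, user in rules:
        if host != peer_host:
            continue
        if user is None and hello.client_user == hello.server_user:
            return True, f"{peer_host} is trusted for same-name logins"
        if user is not None and user == hello.client_user:
            return True, f"{hello.client_user}@{peer_host} is trusted as {hello.server_user}"
    return False, f"{hello.client_user}@{peer_host} has no trust entry for {hello.server_user}"


def audit_line(peer_host: str, hello: RloginHello, rules) -> str:
    """One syslog-style record per attempt (constructed format). A SIEM rule that
    alerts on any rlogind activity at all is reasonable, since the service has no
    business being reachable on a control network."""
    allowed, reason = rhosts_decision(peer_host, hello, rules)
    verdict = "allow" if allowed else "deny"
    return (f"rlogind: from={peer_host} ruser={hello.client_user} "
            f"luser={hello.server_user} decision={verdict} ({reason})")


# Constructed sample mirroring the plant server's rule that only the host ending
# in .33 is trusted for the operator account.
PLANT_HOSTS_EQUIV = """
# trusted control-room workstation
10.0.200.33
"""

if __name__ == "__main__":
    rules = parse_hosts_equiv(PLANT_HOSTS_EQUIV)
    hello = parse_rlogin_hello(b"\x00operator\x00operator\x00vt100/9600\x00")
    print(audit_line("10.0.200.33", hello, rules))
    print(audit_line("10.0.200.50", hello, rules))
```

The two printed audit lines differ only in the source address, with identical client-supplied fields; nothing else enters the decision. That is the property to look for when reviewing any legacy r-service on a network you defend, and the reason the usual remediation is to disable ports 513/514 entirely rather than tune the trusted-host list.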

Awards

As the competition ended, the scores were very tight, but our team arose victorious! They ended up giving a few extra points for speed on the second mission since no one got points for mission three. The other Wright State team took home third place.

For first place, we took home:

A sweet medal

PacketWars socks

A PoC||GTFO Book

Conclusion

This year’s PacketWars was pretty fun and I look forward to doing it again next year. It’s one thing to learn about tools and techniques in a classroom, but it’s a whole other ball game applying those skills to the real world. I will continue to build my cybersecurity skills and hopefully take home first place again next year!