The Great Disappearing Act

Can you help Hopper escape his wrongful imprisonment in HopSec asylum? - by melmols, Maxablancas, MartaStrzelec and DrGonz0

The following post by 0xb0b is licensed under CC BY 4.0.


After we have disabled the firewall using the web server on port 21337, we begin with the challenge.

Recon

We use rustscan -b 500 -a 10.80.172.227 -- -sC -sV -Pn to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability; rustscan's default of 4500 is considerably faster, and much larger sizes increase throughput further but risk missed responses and running into the open-file limit (ulimit -n) of the scanning host.

Our rustscan shows us that the target has several open ports: 22, 80, 8000, 8080, 9001, and 13400-13404. Port 21337 hosts the web server for disabling the firewall, so we leave this one out. At first glance, a web server is running on most of these ports. Only on port 9000 do we appear to be dealing with a SCADA terminal.

We first manually call up the web pages of the respective web services on the open ports. Ports 80 and 8080 appear to host the same page. Here we are presented with the login page for the HopSec Security Console. Later on, we will find out that we redeem our flags on this portal.

As it turned out during the challenge, the page on port 80 is not fully functional. For the rest of the challenge, we therefore use the console on port 8080.

On port 8000, we are greeted with a login page for fakebook. Fakebook is a fake social media portal, which can also be found on GitHub. Explicit vulnerabilities of this portal are not within the scope of the challenge.

We can use netcat to connect to the SCADA terminal, which simulates the gate control system.

The web server on port 13400 hosts a video portal, and here too we are required to log in first.

Flag 1

Since the Fakebook page is the only one that allows us to create an account and perform some authenticated recon, we will start with this page. We create an account.

In one of the first posts on the portal, we discover the email address of the user Guard Hopkins, who shared it in a post. We'll make a note of that.

We scroll through the posts and see how Sir Carrotbane tricks users into sharing their passwords in the comments section. Guard Hopkins fell for it, and now we have his password. However, after testing Guard Hopkins' credentials on all available login pages, we can confirm that he has since changed it everywhere.

The leaked password didn't work. But the user Hopkins provides enough material in his posts to create a word list.

The following screenshots illustrate the keywords we will use to create our word list.

We have noted the following:

We also get a hint on how we could turn these keywords into a word list: the combinator feature of hashcat, which appends every word of a second list to every word of a first list and writes the results into one list. The combinator mode is selected in hashcat with -a 1.

We create a list of all the keywords we already know and make a copy of it, so that both input lists are identical.

Next, we use the combinator feature to generate every concatenation of a word from the first list with a word from the second.
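The combinator step reproduced offline, as an added example that is not part of the original writeup or of hashcat itself. The keywords below are constructed stand-ins for the ones noted from Hopkins' posts; the functions mirror what hashcat -a 1 does with the left and right list, and show why cloning one list into both slots already yields both orders of every pair.

```python
"""Offline emulation of hashcat's combinator attack (-a 1).

Added example, not part of the original writeup or of hashcat itself.
`hashcat -a 1 left.txt right.txt` appends every word of the right list to
every word of the left list (left word first). Because the writeup clones one
keyword list into both slots, the output is every ordered pair of keywords,
including each word paired with itself.
"""
from itertools import product
from typing import Iterable, List

# Constructed sample keywords; stand-ins for the ones noted from Hopkins' posts.
KEYWORDS = ["Hopkins", "carrot", "2024", "Guard"]


def combinator(left: Iterable[str], right: Iterable[str],
               min_len: int = 0, max_len: int = 256) -> List[str]:
    """Return left+right for every pair in hashcat's order (left outer, right inner).

    min_len/max_len let you drop candidates a login form would reject anyway,
    which saves Hydra a wasted attempt per short candidate.
    """
    out: List[str] = []
    for lw, rw in product(left, right):
        cand = lw + rw
        if min_len <= len(cand) <= max_len:
            out.append(cand)
    return out


def cloned_combinator(words: Iterable[str], **limits) -> List[str]:
    """Equivalent of `cp words.txt words2.txt; hashcat -a 1 words.txt words2.txt`.

    Using the same list on both sides already yields both orders of every pair,
    so no second run with swapped lists is needed. Duplicates are removed while
    preserving order: distinct pairs can still concatenate to the same string
    (e.g. "ab"+"c" and "a"+"bc"), and Hydra would only waste a login attempt on it.
    """
    words = list(words)
    seen = set()
    result: List[str] = []
    for cand in combinator(words, words, **limits):
        if cand not in seen:
            seen.add(cand)
            result.append(cand)
    return result


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Write one candidate per line, the format Hydra's -P expects; return the count."""
    words = list(words)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    wl = cloned_combinator(KEYWORDS, min_len=6)
    print(f"{write_wordlist('hopkins_candidates.txt', wl)} candidates written")
```

With hashcat itself the same list is produced by hashcat -a 1 --stdout keywords.txt keywords_copy.txt > candidates.txt (--stdout prints the candidates instead of cracking anything), and the resulting file is what goes into Hydra's -P.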

Since we have the email address and a set of candidate passwords, we run a dictionary attack against all portals using Hydra. Our first attempt on Fakebook failed, but we got a hit on the HopSec Security Console.

We log in...

... and find the facility map as in the room description.

When we click on the Cells / Storage key, we get the first flag.

Flag 2 Part 1

With Guard Hopkins' credentials, we can also log in to the Facility Video Portal.

However, all video recordings appear to be compromised...

... and access to the admin cam is restricted.

We intercept the request triggered by clicking cam-lobby using Burp Suite.

After we have forwarded that request, another one follows to /v1/streams/request, a POST that requests the stream. The camera ID and the tier are carried in the POST body.

After we forward this request, another request follows, namely for the .m3u8 file. An M3U8 file is a playlist used for HTTP Live Streaming (HLS) that tells a media player where to find and play video or audio segments over the internet. It’s a text file encoded in UTF-8, commonly used by streaming platforms to deliver adaptive bitrate streams.
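A minimal parser for the .m3u8 playlists described above, added here as an example; it is not code from the portal or the writeup. It is also the kind of tool that would have sped up the manifest inspection in Flag 2 Part 2 below, where the manifest turned out to name two further endpoints. The sample playlist, its URL and the second endpoint in it are constructed for the example; only /v1/ingest/diagnostics and port 13401 come from the writeup.

```python
"""Minimal HLS (M3U8) playlist parser.

Added example, not code from the portal or the writeup. An M3U8 playlist is
line oriented: a '#EXTM3U' header, '#EXT-X-...' and '#EXTINF' tags, the
segment URI on the line after each '#EXTINF', and any other line starting
with '#' is a free-form comment that players ignore. Segment URIs are usually
relative and must be resolved against the playlist's own URL. Besides the
tags and resolved segment URLs, this parser collects the comments and any
URL or /vN/... API path mentioned in them, which is where a manifest can
leak endpoints. The sample playlist, its URL and the second endpoint are
constructed; only /v1/ingest/diagnostics and port 13401 are from the writeup.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urljoin


@dataclass
class Manifest:
    tags: Dict[str, List[str]] = field(default_factory=dict)
    segments: List[str] = field(default_factory=list)   # absolute URLs
    comments: List[str] = field(default_factory=list)
    endpoints: List[str] = field(default_factory=list)  # URLs / API paths found in tags and comments


# Absolute http(s) URLs, or versioned API paths like /v1/... that are not part of a URL.
ENDPOINT_RE = re.compile(r"(?:https?://[^\s'\"]+|(?<![\w/])/v\d+/[\w./-]+)")


def parse_m3u8(text: str, base_url: str) -> Manifest:
    m = Manifest()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT"):
            name, _, value = line.partition(":")   # e.g. '#EXT-X-TARGETDURATION', '6'
            m.tags.setdefault(name, []).append(value)
        elif line.startswith("#"):
            m.comments.append(line.lstrip("# ").rstrip())
        else:
            m.segments.append(urljoin(base_url, line))  # relative segment -> absolute URL
    # Hunt for endpoints in comments and tag values; players never look at these.
    for src in m.comments + [v for values in m.tags.values() for v in values]:
        for hit in ENDPOINT_RE.findall(src):
            if hit not in m.endpoints:
                m.endpoints.append(hit)
    return m


# Constructed sample, shaped like a camera playlist served from port 13401.
BASE_URL = "http://10.80.172.227:13401/v1/streams/cam-admin/index.m3u8"
SAMPLE = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:0
# ingest diagnostics: /v1/ingest/diagnostics
# status (constructed placeholder): http://10.80.172.227:13401/v1/example/status
#EXTINF:6.000,
seg0.ts
#EXTINF:6.000,
seg1.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    parsed = parse_m3u8(SAMPLE, BASE_URL)
    print("tags:", parsed.tags)
    print("segments:", parsed.segments)
    print("endpoints:", parsed.endpoints)
```

Feeding a real manifest in is a matter of fetching it with the ticket-derived URL and passing the same URL as base_url, so that relative segment names resolve to the host and port the player would actually contact.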

We repeat the whole process, but this time we send the request to /v1/streams/request to Burp Suite's Repeater. In the response we see our effective tier as well as a ticket_id.

We take a look at the portal's core JavaScript logic, main.js. Here we see the camera_id cam-admin.

When we request cam-admin, we receive a ticket; using it to play the stream (more on how we do this below) still yields the compromised video, and our effective tier remains guard.

If we change the tier in the POST body, the effective tier stays the same and the ticket_id still results in the compromised video.

To play the video, we take the ticket ID.

The site provides us with a function called attachWithReconnect, which we can use to play the video by passing the ticket ID. In the source, we also see the effective use of tiers guard and admin. We were probably not wrong about the tier labeling.

We execute this in the console with the ticket_id resulting from the manipulated request. We see the compromised video.

Next we try something new and set the tier not only in the POST body but also as a query parameter in the request URL. This time, the response confirms that our effective tier is indeed admin.
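A toy reproduction of the behaviour just observed, added as an example; it is a hypothetical, deliberately simplified handler and not the portal's real code. It models exactly what Burp showed: a tier in the POST body is ignored, but a tier in the URL query string is honoured when the ticket is issued, so the authorization decision rests on client-controlled input. The fixed handler next to it takes the tier from the server-side session only. The session store, the ticket format and every camera name other than cam-admin and cam-lobby are constructed for the example.

```python
"""Toy reproduction of the tier-handling bug observed on the video portal.

Added example with a hypothetical, deliberately simplified handler; it is not
the portal's real code. It models what the writeup observed: a "tier" in the
POST body is ignored, but a "tier" in the URL query string is honoured when a
stream ticket is issued. The fixed handler takes the tier from the server-side
session only. Sessions, ticket format and camera names other than cam-admin
and cam-lobby are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict
from urllib.parse import parse_qsl, urlsplit

# Constructed server-side session store: Hopkins is a guard.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-hopkins": {"user": "Guard Hopkins", "tier": "guard"},
}
ADMIN_ONLY_CAMERAS = {"cam-admin"}


@dataclass
class Request:
    url: str                 # path plus optional query string
    body: Dict[str, str]     # parsed POST body
    session_cookie: str


def query_params(req: Request) -> Dict[str, str]:
    return dict(parse_qsl(urlsplit(req.url).query))


def issue_ticket(camera_id: str, tier: str) -> Dict[str, str]:
    """Issue a stream ticket; an admin camera requested below admin tier gets the decoy stream."""
    decoy = camera_id in ADMIN_ONLY_CAMERAS and tier != "admin"
    return {
        "effective_tier": tier,
        "ticket_id": f"t-{camera_id}-{'decoy' if decoy else tier}",  # constructed format
    }


def request_stream_vulnerable(req: Request) -> Dict[str, str]:
    session = SESSIONS.get(req.session_cookie)
    if session is None:
        return {"error": "unauthenticated"}
    camera_id = req.body.get("camera_id", "")
    # BUG: the client may override its tier through the query string.
    # The body's "tier" is never consulted, matching what Burp showed:
    # changing it in the POST body had no effect, ?tier=admin did.
    tier = query_params(req).get("tier", session["tier"])
    return issue_ticket(camera_id, tier)


def request_stream_fixed(req: Request) -> Dict[str, str]:
    session = SESSIONS.get(req.session_cookie)
    if session is None:
        return {"error": "unauthenticated"}
    camera_id = req.body.get("camera_id", "")
    tier = session["tier"]  # authority lives server-side; client-sent tiers are ignored
    if camera_id in ADMIN_ONLY_CAMERAS and tier != "admin":
        return {"error": "forbidden"}  # deny outright instead of silently downgrading
    return issue_ticket(camera_id, tier)


if __name__ == "__main__":
    body = {"camera_id": "cam-admin", "tier": "admin"}
    plain = Request("/v1/streams/request", body, "sess-hopkins")
    tampered = Request("/v1/streams/request?tier=admin", body, "sess-hopkins")
    print(request_stream_vulnerable(plain))      # effective_tier guard, decoy ticket
    print(request_stream_vulnerable(tampered))   # effective_tier admin
    print(request_stream_fixed(tampered))        # forbidden
```

The general lesson is the one the writeup exploits: whenever the same parameter can arrive through more than one channel (body, query string, header), check which one the server actually reads, and on the defending side never let any of them decide a privilege level that the session already knows.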

We copy the ticket_id...

... and request the stream again in the console. We can see how a code is entered on a number pad. We write down the code.

We go back to the portal on port 8080 and try to open the second door (Psych Ward Exit). We enter the keycode.

And receive the first part of the second flag. We may have overlooked something: we have not yet dealt with ports 13401-13404.

Flag 2 Part 2

We repeat the steps from earlier. We request the admin ticket for the cam-admin stream. And let's take a closer look at the manifest file.

From main.js, we can see how the URL for requesting the manifest file is constructed. In fact, it is accessed on port 13401.

We craft the following URL to request the manifest:

We retrieve it.

In this, we find the following two endpoints:

We cannot request /v1/ingest/diagnostics using a GET request.

But with a POST request, we receive an error stating that the rtsp_url is invalid. An RTSP URL is used to control and stream live media (like IP cameras or live broadcasts) by telling a client where and how to access the stream. It works like a remote control for streaming, handling play, pause, and stop commands in real time. At first glance, nothing special.

Note: in the early release version of the challenge, the note about the incorrect rtsp_url was not included, which made this step particularly difficult.

Using localhost as the rtsp_url does not work.

But the manifest file gives us an example.

If we use that, we get a response with a job_status containing the other endpoint found in the manifest file.

When we request the following, the response tells us that a console listens on port 13404 and gives us a token.

We connect to 13404 using netcat, but do not receive a prompt. When we enter the token, a terminal appears.

We want a slightly more stable shell, so we set up a listener using penelope and prepare a reverse shell.

We spawn our reverse shell...

... receive a connection and continue.

At /home/svc_vidpot/user.txt we find the second part of the second flag.

Flag 3

We remember the SCADA terminal: we now have a token of the kind we received for port 13404, and we already hold two flags, so we try them out. With a flag we can authenticate, but we cannot do much here.

We still have the shell from the second part of the flag. We search for SUID binaries and find a specific one.

It's /usr/local/bin/diag_shell.

This is owned by dockermgr.

When we execute it, we get a shell in the context of dockermgr, but not a complete one: a SUID binary only changes the effective user ID, so we keep the supplementary groups of our original user. We are not in the dockermgr group and cannot use docker either.

However, since we can write to the home directory of dockermgr, we place our SSH public key in its .ssh/authorized_keys file to obtain a stable shell and a complete session as dockermgr.

We generate a key pair.

Next, write the public key to .ssh/authorized_keys.

Now we can connect as dockermgr using SSH. We have a stable session as dockermgr and can run docker. Via docker ps we see a running container named asylum_gate_control. If we can interact with it, we should be able to retrieve the passcode for the gate.

We open an interactive bash shell inside the running Docker container asylum_gate_control, which lets us execute commands directly inside it.

There we inspect the source of the scada terminal...

... and find the unlock code.

We enter the unlock code...

... and receive the final flag.

Easter Egg

After retrieving all flags, a door appears on the facility map. If we click it, we are asked to provide each flag captured. If we do so, we receive another flag and an invite page for the Hoppers Origins Side Side Quest.
