Spoilers Below!
- Telnet into the flag server with username ‘anonymous’
- Port scan both the plane system and the router
- Connect with netcat to port 5000 on the plane system to see the locked frontend
- Find the website accessible from the router, and read the page sources
- Exploit the web server using SQL injection to get a user-level interactive shell
- Generate a meterpreter payload on Kali, and run the generic multi handler
- Put the meterpreter payload in /var/www/html and wget the payload from the web server
- Execute the meterpreter and pivot using autoroute
- Nmap scan the internal LAN using proxychains or a Metasploit scan
- Can be done in any order:
  - Exploit the IRC server to read logs with information on the “lock system” and the internal interface port for the plane system (the app is ‘locked’ against input changes, but the variable is still there)
  - Exploit Host1 using the postgresql cmd_exec module to find pw_reminder.txt in the home folder of paul, which can then be used to ssh in. There’s a ‘notes’ folder in the home directory, filled with an encrypted file and a txt file explaining his ‘genius’ security, but not the full information
  - Exploit Host2 using the libssh auth bypass to read the IRC log between Host2 and Host3, which gives the username and password for the FTP server
    - https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/libssh_auth_bypass/
  - Connect to the FTP server and look at the plane system source code
  - Exploit Host3 using Samba to read the IRC log between Host1 and Host3 talking about his encryption algorithm
    - https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c
- Exfiltrate the notes and decrypt/decode them for the ssh account on the plane system
- SSH into the plane system with the found login, and find the server running on UDP port 5001 on loopback
- Use binary exploitation to set ‘locked’ to 0
- Change the plane conditions to crash the plane
- Read /var/log/plane.log for the flag
- Submit the flag to the flag system for victory