CNO Day 4 Metasploitable


Awesome tip #1: In metasploit console (msfconsole), once you have loaded up an exploit, take show payloads for a spin. This will show all payloads that are compatible with the given exploit. Awesome!

Today we got the chance to work on Metasploitable 3, a Windows VM with a number of vunerability and flags (15ish of them).

Its a great way to take this knowledge and apply it to an actual machine. I wont detail a full walkthrough, as there are already plenty, and I don’t want to ruin the learning experience.

Once we gained a root shell no the (windows) machine, discovering the flags (images from a deck of cards), you will stumble upon pretty interesting obfuscation techniques. The 15 flags are somewhere. To add more forensic depth to the challenge, flags were corrupted/encoded/buried.

One page had a hex string (yes a hex string, not to be confused with base64). You’ll need to be comfortable with converting and decoding a range of formats, for example:

base64conv -i hex -o raw -r viewstate-data.txt -w joker.png

Alternate data streams on NTFS are one method of making files less visible. To show them:

dir /R

Simple base64 decoding:

base64 -d encoded-flag.txt > flag.png

Extracting hidden images out of pdf and docx files:

pdfimages TODO
unzip -d flag.docx

Grepping on Windows, with findstr for example:

findstr /S /M /P /C:"hearts" *.log 2>null
  • /S recurse
  • /M print only the filename
  • /P skip binary (non-printable) files
  • /C search string
  • 2>nul pipe file access errors to a blackhole

TODO’s

  • Get the Red and Blue Team books, which contain very useful common commands for dealing with Windows and NIX based operating systems.
  • Checkout Pico CTF. A simpler CTF, that builds up with gradient nicely.
  • Checkout CTF time.
  • Check out XOR encoding
  • Read up on rainbow tables.