Here is a quick summary of a hackathlon contest I participated in a few days ago. It was organized in co-operation between our university and Accenture.
The goal was to demonstrate why certain (sadly popular) bad practices can be seriously harmful to an organization's information security. Additionally, I believe, Accenture screened for prospective future employees. My personal goal was simply to learn more about penetration testing.
Here are the challenges, or "stages", I was mostly involved with. All the employees presented in the following examples are fictional.
Find open ports
With a basic nmap scan you could quickly see that there were two very common ports open on the server: port 22 for SSH and port 80 for HTTP. Of course, this was too simple and I immediately realized there had to be more. So we did a comprehensive scan of all 65535 ports for both TCP and UDP. This kind of scan takes some time to finish, but in the end one extra UDP port was found.
Find out which operating system is used
Nmap has a version discovery function (-sV), which we used to figure out which operating system was running on the server. We concentrated the version discovery on the ports we knew were open, which made the scan quite fast. The operating system was Ubuntu Linux. Additionally, we found out that there was an Apache server responding to HTTP requests on port 80 and an OpenSSH service running on port 22.
Find the username of one of the employees
This was quite tricky for me, and we spent a lot of time finding this information. When you studied the source code of the HTML page served by the server, you could see a link to an .xls document. You could open it and notice from the URL path that the document was located in the "/documents/" directory. By removing the name of the document from the URL path, you were able to list the documents folder. There were about five documents available for downloading. When you inspected the metadata of the documents, you found that in most of them the creator was stated clearly with his/her full name. However, in one of the PDF documents the creator was not stated with his full name but with his username, "jkorhone".
Find a password of an employee
Before we started our quest to figure out one of the passwords, we wanted to figure out the usernames of the three other employees. This way our chances of gaining access to their server and finding a password for one of the users would be much higher.
Because the employees were introduced on the web page, we knew that the username "jkorhone" belonged to "Juhani Korhonen". Now we knew the syntax the company used to generate employee usernames: take the first letter of the first name and append the first seven letters of the last name. Using this rule we deduced the usernames of the other three employees and added all of them to a username list.
The SSH service running on the server was the only login medium we could try our username list on. To do this we used a login cracker called hydra. It tries different passwords against a username (or a list of usernames) and, in case it finds a match, informs the user. We had received a password list from the organizers, so we guessed that at least one of the passwords on that list would work. However, we did not know whether we could find a match for all of the usernames, or even whether all of the users were allowed access over SSH. So we had to try them all.
We provided hydra with a list of usernames and a separate list of passwords. After running the process for quite a while, a match was found: one of the four usernames matched one of the 17000 passwords. We logged in to the machine through SSH and gained root access. After this, one could do pretty much anything on the server. We fought the urge to issue the "shutdown now -h" command, which would have shut down the server and prevented anyone else from accessing it.
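A defender-side counterpart to the hydra run above, added here as an example (it is not code from the original post): it scans constructed sshd auth.log lines and flags any source address that accumulates several failed logins against more than one username within a short window, which is the footprint a username list combined with a password list leaves behind. The syslog line format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (no year); assumed to mirror what a
# username list plus a password list run against SSH leaves in auth.log.
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 srv sshd[2101]: Failed password for jkorhone from 10.0.0.5 port 40001 ssh2
Mar 12 10:00:02 srv sshd[2102]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar 12 10:00:03 srv sshd[2103]: Failed password for jkorhone from 10.0.0.5 port 40003 ssh2
Mar 12 10:00:04 srv sshd[2104]: Failed password for invalid user admin from 10.0.0.5 port 40004 ssh2
Mar 12 10:00:05 srv sshd[2105]: Failed password for jkorhone from 10.0.0.5 port 40005 ssh2
Mar 12 10:00:06 srv sshd[2106]: Accepted password for jkorhone from 10.0.0.5 port 40006 ssh2
Mar 12 10:03:00 srv sshd[2107]: Failed password for root from 192.0.2.9 port 51000 ssh2
Mar 12 11:45:00 srv sshd[2108]: Failed password for root from 192.0.2.9 port 51001 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source_ip) for each 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforce_sources(lines, window_s=60, min_failures=5, min_users=2):
    """Return {source_ip: (total_failures, sorted_usernames)} for sources with
    min_failures failures inside one window_s-second window across min_users names."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        users = {u for _, u in events}
        if len(users) < min_users:  # one user mistyping is not a sprayed list
            continue
        start = 0  # sliding window over the time-sorted failures
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_failures:
                flagged[ip] = (len(events), sorted(users))
                break
    return flagged
```

An "Accepted password" from a flagged source right after the burst, as in the sample, is the event to escalate on, since it means one of the sprayed passwords worked.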
In conclusion
There were more challenges, but we were not able to finish those. In addition to the ones mentioned above, my team managed to crack a certain WLAN's WEP encryption using Wifite. Then, after connecting to that network, we found a server running Windows 2003. My team members used Metasploit to exploit a vulnerability in the server software and gained access to the machine. These accomplishments took us to second place, which was quite nice. After all, this was my first time in such a competition (and pretty much my first time trying to hack into a system). In conclusion, it was very fun! I will definitely practice more and do better next time! Most importantly, I learned a lot and gained new motivation to keep improving my knowledge. Many thanks to Accenture and our university for organizing such a great event!