On Netcats and Phishing
7/3/2023 2:49:29 PM Central Time
July 28 2021
7:00 AM: My webcam goes on as I click the familiar blue Zoom icon. There's a giant window behind me, with the light of dawn streaming in. It looks pretty, but after a month of the same routine, everyone that's watching is aware that it's just a live timer to when I'm nothing but a silhouette in front of my camera. But that doesn't matter. This is just a prologue to the excitement of today.
11:00 AM: We all exit the Zoom call and join Discord. We launch our Kali Linux virtual machines, preparing to attack every last machine on the network. This was the final project of the BeaverWorks Cyber Security course, and we were determined to succeed.
12:30 PM: We are lost and have no idea how to proceed.
1:30 PM: We're making progress. We've split up the work and we're each tackling something that we're passionate about. My target is a blog site running an older version of WordPress. I resolve to put in a rick roll before I leave.
I remember being really excited when I got accepted to the MIT BeaverWorks Cyber Security course for the summer of 2021. MIT had always been my dream school (as it is for nearly every prospective tech student), and I loved everything to do with computers. In typical fifteen-year-old fashion, I also believed that hacking was the coolest skill ever. Hours of prerequisite courses, an application process, and a month of learning how to exploit software had culminated in this capture-the-flag style Bastion project. We had four days to gain root access on five instructor-provided machines running insecure stock software.
2:00 PM: Five students (one of our group included) have accidentally performed a Denial of Service attack on at least one Bastion machine. A coursewide announcement has been made to inform us that this was against the AWS terms of service, that the instructors are now angry with us, and that we should stop accidentally performing denial of service attacks.
We decided to divide and conquer. Each of us had our own target machine, and we chatted on call as we tried what we knew to get into it. Whenever we were stuck, we would ask the rest of the call for help, and usually someone would have a breakthrough idea. My machine was an ancient WordPress site with insecure credentials and an HTML comment that read "I couldn't get the SQL working, so I hard-coded the password. It's still mad secure though."
July 29 2021
9:00 AM: The rick roll has been planted after I brute forced the WordPress credentials, but I've been informed that there's more to this machine than just replacing all the content of this poor soul's blog with the familiar face of a young Rick Astley. Morale hits an all-time high.
I soon found out that the vulnerability on the machine was not in the website itself but in the FTP server software that it used. There was a known exploit to send rogue data to the server to open a reverse shell to the host machine.
11:00 AM: I realize I can't open a direct shell connection to the terminal. It errors for unknown reasons.
2:00 PM: I get around the inability to reverse shell by using a webshell instead. It sucks.
It wasn't just me that had to go through the webshell. One of our group members had a similar exploit and was sitting on a webshell as well. We complained for nearly an hour about how badly it sucked and how much we wanted to see complete command feedback which did not get piped into the webshell. I thought of writing my own webshell script that sucked less, but also realized that that would probably take an astronomical amount of time - the kind of time that we didn't have - and that it would probably suck just as much in different ways.
3:00 PM: We realize that the Bastion is configured wrong. Our instructors configure it correctly. I am now able to open a reverse shell connection directly to my terminal. It no longer sucks!
July 30 2021
8:09 AM: I have rooted the machine.
By this point, a majority of our group had too. I went to help a friend finish up with her machine, which was the toughest one of the bastion.
11:30 AM: We accidentally perform another denial of service attack but kill it before it can actually deny any service.
1:00 PM: We secure the last piece of the puzzle. There's a piece of software running on the machine that isn't stock software, but might be exploitable. I help the group member assigned to this machine get it back to her computer where she can analyze it with gdb to see where she can execute rogue code.
2:00 PM: We're out of things to do. I offer to draw us a logo for our presentation. We come up with a group name of "Netcats Gone Phishing".
3:00 PM: Our logo (now my profile picture) is born, along with a set of graphics to use in our presentation. Our whole group now matches profile pictures.
July 31 2021
12:00 PM: After many attempts at sending malicious shellcode over, we finally sweep the CTF.
August 1 2022
We give an awesome presentation, rickrolling an audience of almost 60 people with our rogue webpage. One of our instructors breaks character at the rickroll and unmutes to express some outrage (in a funny way). The profile picture sticks, with all of us, to this day, having it set as our Discord profile pictures.