KringleCon 2018 - Stall Mucking Report
Stall Mucking Report involved uploading a document to an SMB share. The catch: the NPC doesn't give you the username or the password.
This challenge was also fairly easy, and the hint given by the Wunorse Openslae NPC pointed toward finding the cleartext password with the ps command.
Accessing the Challenge
Clicking on the challenge revealed a message from the Wunorse Openslae NPC in a terminal display.
Thank you Madam or Sir for the help that you bring!
I was wondering how I might rescue my day.
Finished mucking out stalls of those pulling the sleigh,
My report is now due or my KRINGLE's in a sling!
There's a samba share here on this terminal screen.
What I normally do is to upload the file,
With our network credentials (we've shared for a while).
When I try to remember, my memory's clean!
Be it last night's nog bender or just lack of rest,
For the life of me I can't send in my report.
Could there be buried hints or some way to contort,
Gaining access - oh please now do give it your best!
- Wunorse Openslae
So, the goal was to upload a file named report.txt to the samba share.
Finding the Credentials in Cleartext
As I stated before, Wunorse Openslae gave a hint in the form of a URL link for identifying cleartext samba credentials using ps. So, with that in mind, I used ps to find the credentials.
My first attempt didn't show me the results, so I piped ps -ef to less so that the text would wrap.
Now, we can see more information given by ps -ef. Looking closely, we can see that the user (indicated by the -U option) is report-upload and the password is directreindeerflatterystable. You might notice that there is also a -u manager option. Bear in mind that this option belongs to sudo, not to the actual command that uploads the file to the share.
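Seen from the defender's side, the same process listing can be audited for SMB passwords sitting in command-line arguments. The Python sketch below is an added example, not part of the original write-up or the challenge; the ps lines, hosts, users and passwords are constructed and the function names are hypothetical. It flags the two smbclient forms that put a password in argv (-U user%password and a positional password after the service name) and passes invocations that use -A with an authentication file.

```python
# Added example. Constructed `ps -ef` output; hosts, users and passwords are made up.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 pts/0    00:00:00 /bin/bash /sbin/init
alice       21     1  0 10:00 pts/0    00:00:00 smbclient //fs01/reports -U alice%ExamplePw1
bob         22     1  0 10:00 pts/0    00:00:00 /usr/bin/smbclient //fs01/reports ExamplePw2 -U bob
carol       23     1  0 10:00 pts/0    00:00:00 smbclient -A /home/carol/.smbauth //fs01/reports
dave        24     1  0 10:00 pts/0    00:00:00 sudo -u svc /opt/upload.sh smbclient -W CORP //fs01/reports -N
"""

# smbclient short options that consume the next argument (subset, not exhaustive).
TAKES_VALUE = set("AcWIpmdlsLDt")

def smb_exposure(cmd):
    """Return (user, reason) if an smbclient command line carries a password, else None."""
    argv = cmd.split()  # ps joins argv with spaces, so the original quoting is already lost
    start = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == "smbclient"), None)
    if start is None:
        return None
    args, user, positional, i = argv[start + 1:], None, [], 0
    while i < len(args):
        a = args[i]
        if a.startswith("--user="):
            user = a.split("=", 1)[1]
        elif a in ("-U", "--user") and i + 1 < len(args):
            i += 1
            user = args[i]
        elif a.startswith("-U") and len(a) > 2:
            user = a[2:]
        elif len(a) == 2 and a[0] == "-" and a[1] in TAKES_VALUE:
            i += 1  # skip the value that belongs to this option
        elif not a.startswith("-"):
            positional.append(a)
        i += 1
    if user and "%" in user:
        return (user.split("%", 1)[0], "password embedded in -U user%password")
    if len(positional) >= 2:  # synopsis is: smbclient service [password]
        return (user, "password given as positional argument")
    return None

def audit(ps_text):
    """Scan `ps -ef` text; report PID, owner, SMB user and reason, never the password."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # first line is the column header
        f = line.split(None, 7)
        hit = smb_exposure(f[7]) if len(f) == 8 else None
        if hit:
            findings.append({"pid": int(f[1]), "owner": f[0], "smb_user": hit[0], "reason": hit[1]})
    return findings
```

On a live host, reading /proc/<pid>/cmdline gives NUL-separated arguments and avoids the ambiguity that comes from ps joining them with spaces.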
Uploading the File
A common executable used for SMB shares is smbclient. This is the tool I went with to upload the file. The command syntax looks like this:
smbclient -U report-upload //localhost/report-upload/
I passed the user's password when prompted, which then dropped me into an smb shell. From there, I used the put command with the report.txt file.
Once the file was uploaded, I was shown the following display and successfully completed the challenge.
Conclusion
This was another fun, relatively easy challenge. I like how the designers of the challenge emphasized the importance of password integrity and of avoiding not only password reuse, but also the sharing of passwords.