ELI Challenge #1 - Sneaks
This challenge can be found when Eli takes care of sneaky-sneaks trying to breach into Säkerhetsbubbla.
The Setup
There's some service running on a port it wasn't originally meant to run on, on this host...
Help Eli find the service that doesn't follow the rules and it'll give you the flag. The flag will be in format KEY{...}
(no need to scan all ports, just the first 100 + hint: it's running as the anonymous user)
The Ports
First, we need to figure out the IP address we'll have to scan. A CLI utility such as dig or ping will resolve it for us. Remember to give these tools only the host name, without the scheme or the path.
I've replaced the IP address with X.XX.XX.XXX for the rest of this article, in case it changes in the future.
Now, we can use nmap to scan the first 100 ports and see what is open.
$ nmap -p 1-100 X.XX.XX.XXX
...
80/tcp open http
99/tcp open metagram
The HTTP server on port 80 is the one we'd expect for a website, so the flag must be somewhere behind port 99. "metagram" doesn't ring a bell, and it shouldn't: without -sV, nmap labels a port by looking its number up in its services table, not by talking to whatever is listening, so the name tells us nothing about the actual service. Let's just cURL what's there.
$ curl X.XX.XX.XXX:99
curl: (1) Received HTTP/0.9 when not allowed
No luck. Given a bare host:port, curl assumed HTTP, and what came back did not parse as an HTTP response. The second thing to try after cURL is a raw connection with ncat, which simply prints whatever the server volunteers:
$ ncat X.XX.XX.XXX 99
220-⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣀⣀⠀⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⣾⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⠀⠀⠀⠀⢀⠀⠈⡇⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⣿⠀⠁⠀⠘⠁⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠈⠀⠀⡇⠀⠀⠀⠀
220-⣀⣀⣀⠀⠀⠀⣿⠀⠀⠀⠀⠀⠄⠀⠀⠸⢰⡏⠉⠳⣄⠰⠀⠀⢰⣷⠶⠛⣧⠀
220-⢻⡀⠈⠙⠲⡄⣿⠀⠀⠀⠀⠀⠀⠀⠠⠀⢸⠀⠀⠀⠈⠓⠒⠒⠛⠁⠀⠀⣿⠀
220-⠀⠻⣄⠀⠀⠙⣿⠀⠀⠀⠈⠁⠀⢠⠄⣰⠟⠀⢀⡔⢠⠀⠀⠀⠀⣠⠠⡄⠘⢧
220-⠀⠀⠈⠛⢦⣀⣿⠀⠀⢠⡆⠀⠀⠈⠀⣯⠀⠀⠈⠛⠛⠀⠠⢦⠄⠙⠛⠃⠀⢸
220-⠀⠀⠀⠀⠀⠉⣿⠀⠀⠀⢠⠀⠀⢠⠀⠹⣆⠀⠀⠀⠢⢤⠠⠞⠤⡠⠄⠀⢀⡾
220-⠀⠀⠀⠀⠀⢀⡿⠦⢤⣤⣤⣤⣤⣤⣤⣤⡼⣷⠶⠤⢤⣤⣤⡤⢤⡤⠶⠖⠋⠀
220-⠀⠀⠀⠀⠀⠸⣤⡴⠋⠸⣇⣠⠼⠁⠀⠀⠀⠹⣄⣠⠞⠀⢾⡀⣠⠃⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠀
220- Welcome to Säkerhetsbubbla ftp
220
Awesome! A 220 "service ready" greeting sent before the client has said a word is how an FTP server introduces itself, and the banner spells it out. Let's ftp into that server then.
The Cat
After a bit of trial and error, I figured out you needed the -p "passive" flag in order for everything to work properly.
$ ftp -p X.XX.XX.XXX 99
Connected to X.XX.XX.XXX.
220-⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣤⣀⣀⠀⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⣾⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⠀⠀⠀⠀⢀⠀⠈⡇⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⣿⠀⠁⠀⠘⠁⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠈⠀⠀⡇⠀⠀⠀⠀
220-⣀⣀⣀⠀⠀⠀⣿⠀⠀⠀⠀⠀⠄⠀⠀⠸⢰⡏⠉⠳⣄⠰⠀⠀⢰⣷⠶⠛⣧⠀
220-⢻⡀⠈⠙⠲⡄⣿⠀⠀⠀⠀⠀⠀⠀⠠⠀⢸⠀⠀⠀⠈⠓⠒⠒⠛⠁⠀⠀⣿⠀
220-⠀⠻⣄⠀⠀⠙⣿⠀⠀⠀⠈⠁⠀⢠⠄⣰⠟⠀⢀⡔⢠⠀⠀⠀⠀⣠⠠⡄⠘⢧
220-⠀⠀⠈⠛⢦⣀⣿⠀⠀⢠⡆⠀⠀⠈⠀⣯⠀⠀⠈⠛⠛⠀⠠⢦⠄⠙⠛⠃⠀⢸
220-⠀⠀⠀⠀⠀⠉⣿⠀⠀⠀⢠⠀⠀⢠⠀⠹⣆⠀⠀⠀⠢⢤⠠⠞⠤⡠⠄⠀⢀⡾
220-⠀⠀⠀⠀⠀⢀⡿⠦⢤⣤⣤⣤⣤⣤⣤⣤⡼⣷⠶⠤⢤⣤⣤⡤⢤⡤⠶⠖⠋⠀
220-⠀⠀⠀⠀⠀⠸⣤⡴⠋⠸⣇⣠⠼⠁⠀⠀⠀⠹⣄⣠⠞⠀⢾⡀⣠⠃⠀⠀⠀⠀
220-⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠁⠀⠀⠀⠀⠀
220- Welcome to Säkerhetsbubbla ftp
220
Name (X.XX.XX.XXX:louis): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (X,XX,XX,XXX,255,62).
150 Here comes the directory listing.
-rw-rw-r-- 1 0 0 13 May 21 16:23 flag.txt
226 Directory send OK.
ftp> cat flag.txt
?Invalid command
ftp> get flag.txt
227 Entering Passive Mode (X,XX,XX,XXX,254,44).
150 Opening BINARY mode data connection for flag.txt (13 bytes).
226 Transfer complete.
13 bytes received in 0.0002 seconds (60.1879 kbytes/s)
ftp>
221 Goodbye.
After logging in with the "anonymous" username, we can get flag.txt and download our prize! The ftp client has no cat command of its own: get saves the file into the current local directory, so read it there with cat flag.txt to see the KEY{...} value.
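The two things the write-up works out by hand, recognising the service from the 220 greeting and getting the directory listing to work in passive mode, can be scripted with nothing but Python's standard library. The script below is an added example, not code from the write-up or from the challenge; the host, port and file name are assumptions that match the text. It also explains the passive-mode detail: in active mode the server opens the data connection back to a port the client announces, which NAT and host firewalls usually block, whereas with -p (PASV) the client opens both connections itself. The 227 reply "(X,XX,XX,XXX,255,62)" carries the address and the data port split into two bytes, so the listing above was served on port 255 * 256 + 62 = 65342, well outside the range we scanned.

```python
# Added example, not part of the original write-up: banner grab,
# 227 reply decoding and anonymous FTP download with the standard library.
# Host, port and file name are assumptions that match the write-up.
from __future__ import annotations

import io
import re
import socket
from ftplib import FTP

FLAG_RE = re.compile(r"KEY\{[^}]*\}")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample replies, shaped like the ones in the write-up.
SAMPLE_BANNER = "220- Welcome to Säkerhetsbubbla ftp\n220 \n"
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,1,255,62)."


def classify_banner(banner: str) -> str:
    """Guess the protocol from what the server sends before we say anything.

    FTP greets with a 220 reply (multi-line replies use "220-" continuation
    lines); SSH sends "SSH-2.0-..."; HTTP servers stay silent until they
    receive a request, which is why curl got nowhere with a bare host:port.
    """
    first = banner.splitlines()[0] if banner else ""
    if first.startswith("220"):
        return "ftp"
    if first.startswith("SSH-"):
        return "ssh"
    if not first:
        return "silent"
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read whatever the server volunteers until it goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server has nothing more to say; that is the normal exit
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into the (host, port) the data connection goes to.

    The six numbers are the four address octets followed by the port's high
    and low bytes, so port = p1 * 256 + p2.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def extract_flag(text: str) -> str | None:
    """Return the KEY{...} token in the downloaded text, or None."""
    m = FLAG_RE.search(text)
    return m.group(0) if m else None


def fetch_anonymous(host: str, port: int, path: str = "flag.txt") -> str:
    """Anonymous login on a non-standard port, passive mode, download to memory."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login()            # user "anonymous"; ftplib supplies "anonymous@" as password
    ftp.set_pasv(True)     # we open the data connection, so NAT/firewalls don't bite
    buf = io.BytesIO()
    ftp.retrbinary(f"RETR {path}", buf.write)
    ftp.quit()
    return buf.getvalue().decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys

    host, port = sys.argv[1], int(sys.argv[2])  # e.g. X.XX.XX.XXX 99
    banner = grab_banner(host, port)
    print("banner looks like:", classify_banner(banner))
    if classify_banner(banner) == "ftp":
        content = fetch_anonymous(host, port)
        print("flag:", extract_flag(content) or content.strip())
```

Run it as python3 sneaks.py X.XX.XX.XXX 99. The same download is a one-liner with curl, which speaks FTP natively and defaults to passive mode when you give it an ftp:// URL: curl --user anonymous: ftp://X.XX.XX.XXX:99/flag.txt.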