SMTP Challenge – Web 6 (Medium): National Cyber League (NCL) 2015 Post-Season

Worth a total of 300 points and using Node.js, this challenge required submitting a line-by-line solution via telnet or netcat (ncat / nc).

The difficulty in this challenge came from having to craft the email in the very particular way the server was expecting. For example, using the wrong syntax[1], improper case in the command(s), or incorrect spacing would all fail. Simply put, without the proper solution, the flag would not display.

Kudos to all who conquered this challenge!

Question:

  • Connect to the smtp server at sb1.cyberskyline.com:3060 and send an email to daniel@hacker.test from the address, user4928@hacker.test, with a title saying you have the latest exploit and he will open it, allowing you to unlock the flag.
  • This SMTP server does not follow protocol exactly, but close enough.
  • What is the flag you receive from sending the spoofed email?

Code:

HELO HACKER.TEST
MAIL FROM:<user4928@hacker.test>
RCPT TO:<daniel@hacker.test>
DATA
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
QUIT

Answer/Solution:

Telnet:

$ telnet sb1.cyberskyline.com 3060
Trying 104.236.16.36...
Connected to sb1.cyberskyline.com.
Escape character is '^]'.
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing
Connection closed by foreign host.

Netcat:

$ ncat sb1.cyberskyline.com 3060
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing
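
To show why case, spacing and syntax matter against a picky server, here is an added example (not from the original post and not the challenge server's code) of a strict, order-aware checker for the client side of the session. The patterns and the names checkSession, diagnose, fixCase and fixSpacing are assumptions modelled on the accepted session above; a standards-following SMTP server treats command verbs case-insensitively.

```javascript
// Added example: strict checker for the client lines of an SMTP session.
// Patterns are assumptions modelled on the accepted session in this post,
// not the challenge server's real rules.
const ADDR = '<[^<>\\s@]+@[^<>\\s@]+>';
const COMMANDS = [
  ['HELO', /^HELO [A-Za-z0-9.-]+$/],
  ['MAIL FROM', new RegExp(`^MAIL FROM:${ADDR}$`)],
  ['RCPT TO', new RegExp(`^RCPT TO:${ADDR}$`)],
  ['DATA', /^DATA$/],
];

// Upper-case only the verb ("mail from" -> "MAIL FROM"), never the argument.
const fixCase = (s) => s.replace(/^[A-Za-z]+( (from|to)(?=:))?/i, (v) => v.toUpperCase());
// Collapse whitespace runs and drop a space placed after the colon.
const fixSpacing = (s) => s.trim().replace(/\s+/g, ' ').replace(': <', ':<');

// Return null if the line is accepted, otherwise the kind of mistake.
function diagnose(re, line) {
  if (re.test(line)) return null;
  if (re.test(fixSpacing(line))) return 'spacing';
  if (re.test(fixCase(line))) return 'case';
  if (re.test(fixCase(fixSpacing(line)))) return 'case+spacing';
  return 'syntax';
}

function checkSession(lines) {
  const problems = [];
  COMMANDS.forEach(([name, re], i) => {
    const why = diagnose(re, lines[i] ?? '');
    if (why) problems.push(`line ${i + 1}: ${name} rejected (${why})`);
  });
  const end = lines.indexOf('.', COMMANDS.length);
  if (end === -1) return [...problems, 'DATA never terminated with a lone "."'];
  const headers = lines.slice(COMMANDS.length, end);
  for (const h of ['From', 'To', 'Subject']) {
    const ok = headers.some((l) => l.startsWith(`${h}: `) && l.length > h.length + 2);
    if (!ok) problems.push(`missing or malformed "${h}: " header`);
  }
  if (lines[end + 1] !== 'QUIT') problems.push(`line ${end + 2}: QUIT rejected`);
  return problems;
}

// GOOD is the accepted session from this post; BAD is a constructed near-miss.
const GOOD = ['HELO HACKER.TEST', 'MAIL FROM:<user4928@hacker.test>',
  'RCPT TO:<daniel@hacker.test>', 'DATA', 'From: "user4928" <user4928@hacker.test>',
  'To: "daniel" <daniel@hacker.test>', 'Subject: you have the latest exploit', '.', 'QUIT'];
const BAD = ['helo hacker.test', 'MAIL FROM: <user4928@hacker.test>',
  'rcpt  to:<daniel@hacker.test>', 'DATA', 'Subject:you have the latest exploit', '.', 'quit'];
console.log(checkSession(GOOD), checkSession(BAD));
```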

Reference:
[1] https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example


Update Kali Linux Repositories

Getting errors when updating? Check your /etc/apt/sources.list: the release labeled “kali” in the repository lines is now “sana”. Replace or add:

# Regular repositories
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free

# Source repositories
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

Afterwards you may have to import your key into your apt-keyring:

apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6


Raspberry Pi with Kali 2.0 and Expand SD Drive Space

Have extra space on your micro SD card but are not seeing it? No big deal: simply run the commands below to expand your drive space.

root@kali:~# df -h

Filesystem      Size  Used Avail Use% Mounted on
rootfs          2.9G  1.5G  1.2G  56% /
/dev/root       2.9G  1.5G  1.2G  56% /
devtmpfs        460M     0  460M   0% /dev
tmpfs            93M  468K   93M   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           186M     0  186M   0% /run/shm

Note above that only 1.2G of space is available.

root@kali:~# wget http://www.alexrams.com/blog/wp-content/uploads/2015/11/raspi-expand-rootfs.sh
root@kali:~# fdisk -l
Disk /dev/mmcblk0: 28.8 GiB, 30908350464 bytes, 60367872 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000cdbaa

Device         Boot  Start      End  Sectors  Size Id Type
/dev/mmcblk0p1           1   125000   125000   61M  c W95 FAT32 (LBA)
/dev/mmcblk0p2      125001 60366847 60241847 28.7G 83 Linux

In the fdisk -l output, the starting sector of partition 2 will most likely be “125001”. The script provided above has already made the adjustment.

root@kali:~# chmod +x raspi-expand-rootfs.sh
root@kali:~# sh raspi-expand-rootfs.sh
root@kali:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        29G  4.4G   23G  17% /
devtmpfs        369M     0  369M   0% /dev
tmpfs           373M     0  373M   0% /dev/shm
tmpfs           373M  5.5M  367M   2% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           373M     0  373M   0% /sys/fs/cgroup
tmpfs            75M  4.0K   75M   1% /run/user/0
tmpfs            75M  4.0K   75M   1% /run/user/110
tmpfs            75M     0   75M   0% /run/user/1000

root@kali:~# reboot

Solve screen error “Cannot open your terminal ‘/dev/pts/0’ – please check”

When using the screen tool you may be unable to start a screen session but instead encounter an error:

Cannot open your terminal '/dev/pts/0' - please check.

This is because another user (you) initiated the current terminal – you probably did a sudo su into the user you are now trying to run screen as, right?

There are two ways to resolve this:

  • Sign out and properly connect / sign in as the user you wish to use.
  • Run script /dev/null to own the shell (more info over at Server Fault); then try screen again.

Important: Do not chmod the virtual terminal device as suggested in (way too many) places around the interwebs. This gives other users read and write access to the terminal session!

Maybe you even want a different terminal multiplexer. You might want to take a look at tmux.


Building a Better InfoSec Pro with Gamification

Six Lessons from the Videos:

  • Don’t get frustrated
  • SANS wants you to succeed
  • Set aside time to build your skills
  • Take breaks
  • Take the easy approach first
  • Celebrate your successes