Kali Linux CTF Blueprints

You're reading from Kali Linux CTF Blueprints: Build, test, and customize your own Capture the Flag challenges across multiple platforms designed to be attacked with Kali Linux

Product type Paperback
Published in Jul 2014
Publisher Packt
ISBN-13 9781783985982
Length 190 pages
Edition 1st Edition
Author: Cameron Buchanan
Table of Contents

  • Preface
  • 1. Microsoft Environments
  • 2. Linux Environments
  • 3. Wireless and Mobile
  • 4. Social Engineering
  • 5. Cryptographic Projects
  • 6. Red Teaming
  • A. Appendix
  • Index

Scenario 3 – trivializing TFTP

Trivial File Transfer Protocol (TFTP) is an older service that presents blind FTP services to unauthenticated users. It was traditionally used to install lightweight, thin clients and transfer configurations from one location to another, similar to SNMP. Simply connect to the port, knowing the exact location of the file you want to copy, and copy away. The vulnerability here is that anyone who knows the kind of architecture hosting the TFTP service will be able to guess the location of sensitive files. There are numerous ways to make sure that TFTP is set up in a relatively safe way (though the lack of authentication does make it hard to justify), but that's not what we're after. We're after a nice vulnerable setup that we can chase down.

To start with, you need to decide which TFTP provider you want to use. You can score a double win here by selecting a build with vulnerabilities associated.

TFTPD32 2.2 is vulnerable to a buffer overflow, which can be a nice starting point for those beginning infrastructure tests and vulnerability assessments. For TFTPD32, there's an associated Metasploit module, and the version is disclosed in the headers, so a beginner can easily get a shell going. TFTPD32 also works on all architectures, is free, and provides older versions from its website. It is one of the best examples of a great resource for a CTF creator. It is available at http://tftpd32.jounin.net/.

Alternatively, you can enable the Windows TFTP solution through Programs and Features and Enable Windows Features on Windows 7, or the equivalent options if running a different version. This has no known vulnerabilities to exploit with Metasploit or similar, but it doesn't need to be hunted down and installed.

Once downloaded, perform the following normal checks:

  • Make sure Windows Firewall or other such solutions are off
  • Make sure any antivirus is off if you intend to let testers use Metasploit

TFTP serves files directly out of the folder it is started in. By default, this will be a specific installation folder, which only allows access to the installation files and README files. This can be set up as a basic exploit, if you wish, by placing a flag file in the folder; however, you would have to tell the attackers the name of the file, which defeats the purpose of this challenge and the vulnerability underlying TFTP. In order to make it more interesting, try setting up TFTP in the root of C:\ or hunting down a version that allows directory traversal. TFTPD32 won't allow users to go up directories, but will only allow them to travel down into whatever folder structure you have, so moving from the install folder to the System32 folder isn't possible.
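The request format the paragraph describes (a UDP datagram carrying an opcode, a NUL-terminated filename and a NUL-terminated mode, with no listing and no authentication) is small enough to parse by hand. The following is an added example, not code from the book or from TFTPD32: it decodes RRQ/WRQ datagrams and flags the patterns a defender would want to see in TFTP logs, such as `..` components, absolute or drive-letter paths, and write requests. The sample datagrams are constructed inline.

```python
import struct
from typing import Optional

# TFTP opcodes from RFC 1350; only read (RRQ) and write (WRQ) requests carry a filename.
OP_RRQ, OP_WRQ = 1, 2
VALID_MODES = {"netascii", "octet", "mail"}

def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ/WRQ payload: 2-byte opcode | filename NUL | mode NUL."""
    return (struct.pack("!H", opcode)
            + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")

def parse_request(payload: bytes) -> Optional[dict]:
    """Decode an RRQ/WRQ datagram; return None for any other TFTP packet or a malformed one."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # need filename, mode, and the empty tail after the last NUL
        return None
    return {"op": "RRQ" if opcode == OP_RRQ else "WRQ",
            "filename": fields[0].decode("latin-1"),
            "mode": fields[1].decode("latin-1").lower()}

def assess(req: dict) -> list:
    """Return the review findings for one request (empty list means nothing notable)."""
    findings = []
    name = req["filename"].replace("\\", "/")   # Windows servers accept either separator
    if ".." in [p for p in name.split("/") if p]:
        findings.append("traversal")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        findings.append("absolute-path")
    if req["op"] == "WRQ":
        findings.append("write-request")
    if req["mode"] not in VALID_MODES:
        findings.append("bad-mode")
    return findings

def scan(payloads) -> list:
    """(op, filename, findings) for every request datagram; non-request datagrams are skipped."""
    out = []
    for p in payloads:
        req = parse_request(p)
        if req is not None:
            out.append((req["op"], req["filename"], assess(req)))
    return out

# Constructed sample datagrams (not captured traffic): a normal read of the optional
# dir.txt listing, a traversal attempt, a write attempt, a drive-letter path, and an ACK.
SAMPLES = [
    build_request(OP_RRQ, "dir.txt"),
    build_request(OP_RRQ, "..\\..\\flag.txt"),
    build_request(OP_WRQ, "dropped.bin"),
    build_request(OP_RRQ, "C:/flag.txt"),
    struct.pack("!HH", 4, 0),
]

if __name__ == "__main__":
    for op, name, found in scan(SAMPLES):
        print(op, name, found or "ok")
```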

Run the TFTP solution in whichever folder you wish, and test it from a remote location. An exploit guide can be found at the end of this chapter.

If you're using TFTPD32, your configuration should look like the next screenshot. The Create "dir.txt" files option is optional; seasoned testers will look for that file immediately, as it gives away the structure of the directory. If you want to make the challenge harder, turn it off. Have a look at the following screenshot:

[Screenshot: TFTPD32 configuration for Scenario 3 – trivializing TFTP]

Vulnerabilities

There are multiple briefs available for this scenario, depending on which files you wish to host:

  • SSH keys could be stored for use in further scenarios
  • Credentials for other boxes
  • Access to hashes on older OSs that are crackable

The key thing to remember when setting up a TFTP-related scenario is that the attackers will not be able to see which files are present or which folder they are in. This means that barring any default answers as shown in the exploit guide, they are unlikely to know what you've hidden there unless you give them clues. This can be set up as part of a larger exercise and is shown in situ in Chapter 6, Red Teaming.

This particular vulnerability can easily be set up on Linux, if required, by using a different installation. There are many TFTP packages for Linux; it's just a matter of picking one that suits you.
