Skip to content

IPv6 Sandbox Terminal Challenge

Elf Introduction

Help Jewel Loggins in KringleCon Talks Lobby

Well hello! I'm Jewel Loggins.
I have to say though, I'm a bit distressed.
The con next door? Oh sure, I’m concerned about that too, but I was talking about the issues I’m having with IPv6.
I mean, I know it's an old protocol now, but I've just never checked it out.
So now I'm trying to do simple things like Nmap and cURL using IPv6, and I can't quite get them working!
Would you mind taking a look for me on this terminal?
I think there's a Github Gist that covers tool usage with IPv6 targets.
The tricky parts are knowing when to use [] around IPv6 addresses and where to specify the source interface.
I’ve got a deal for you. If you show me how to solve this terminal, I’ll provide you with some nice tips about a topic I’ve been researching a lot lately – Ducky Scripts! They can be really interesting and fun!

Hints and Other Resources

Hints from talking with Jewel

IPv6 Reference
Check out this Github Gist with common tools used in an IPv6 context.

Other Resources

IPv6 Address format
https://en.wikipedia.org/wiki/IPv6_address

Terminal Introduction

Open the IPv6 Sandbox terminal in the KringleCon Talk Lobby

Screenshot

Solution

For this challenge we need to find another machine in the network that we can get the Candy Striper password from.

Using the command ifconfig we learn that our IP address is 192.168.160.3, so let's start with a simple scan of our local class C network with nmap to see what is there.

nmap -sn 192.168.160.1/24

Screenshot

From this we see that there is a server named ipv6-server.ipv6guest.kringlecastle.com with the IPv4 address 192.168.160.2. Let's see what ports are open on it.

map -sT 192.168.160.2

Screenshot

Port 80 is open, so let's see what we get when we connect.

curl 192.168.160.2

Screenshot

Unsurprisingly, given the description of this challenge, there is nothing interesting on the IPv4 port. So, let's see what IPv6 ports are open.

nmap -6 -sT ipv6-server.ipv6guest.kringlecastle.com

Screenshot

Now we see two ports, 80 and 9000 are open. Using cURL with both of these ports we find the answer we are looking for on port 9000.

curl http://[2604:6000:1528:cd:d55a:f8a7:d30a:e405]:80
curl http://[2604:6000:1528:cd:d55a:f8a7:d30a:e405]:9000

Screenshot

Answer

PieceOnEarth

Completion

Talk to Jewel to receive hints for Objective 5) Strange USB Device

Great work! It seems simpler now that I've seen it once. Thanks for showing me!
Prof. Petabyte warned us about random USB devices. They might be malicious keystroke injectors!
A troll could program a keystroke injector to deliver malicious keystrokes when it is plugged in.
Ducky Script is a language used to specify those keystrokes.
What commands would a troll try to run on our workstations?
I heard that SSH keys can be used as backdoors. Maybe that's useful?