CTF Walkthrough — Hacken Cup 2018
Update-2 (07-Sept-2018): I just got the confirmation email from HackenProof that, my application is accepted for Hacken cup 2018 ❤
Update-1: I was planning to publish this walkthrough after the Hacken Cups results but since HackenProof already made the challenge public and I thought to publish it right away someone can use this walkthrough to solve the challenge.
Challenge is live for a few days I think, you can try to solve it.
Here is the updated post by HackenProof about the Hacken Cup.
Last year’s story
HackIT Organised a 3rd security conference in Kharkiv, Ukraine last year, I was invited to the conference with all the expenses covered, they invited me via Twitter‘s DM and the invitation got into my Request folder somehow I haven’t seen it until the conference was finished.
my reaction seeing this message after the conference was finished.
I responded and told them, that message was in my twitter’s request folder, that’s why I have not responded.
Now, let’s start the walkthrough — stay with me.
On 7-August-2018, I got the following email from HackenProof. Hackenproof is organizing onsite Hacken Cup Bug Hunting Marathon during HackIT 4.0 — The 4th Global CyberSecurity Forum in Kyiv, Ukraine from 8–11 October.
Email from cup@hackenproof.com
I received the email on my mobile, I clicked on Apply but the button didn’t work, I quickly logged into my Gmail via mac and clicked on Apply again. Still not working.
Then I saw a message at the bottom of the email.
P.S. Follow the white rabbitHmm, Something is interesting.
After trying few things, I used “Show Original” Option from Gmail and searched for “Apply” keyword.
Got an external IP address. :
http://159.65.204.68opened it in Google Chrome, the following page appeared
You shall what?
Checked the source code: got two images.
http://159.65.204.68/images/404–2–41.pnghttp://159.65.204.68/images/W9Yjy17.jpg
and also, a sweet message
It would be too easy :)
You shall not ****? You shall not hack?
I searched it on Google and found out that its a quote from the movie “The Lord of the rings.”
YOU SHALL NOT PASS!!!Sure, I am not passing.
I started my recon process for the endpoint.
- Nmap — 159.65.204.68
nmap -sV 159.65.204.68
Got many open ports and I left them to see later and I tried to see if I can find something interesting via dirsearch.
2. Dirsearch — 159.65.204.68
python3 dirsearch.py -u http://159.65.204.68 -e *
After running Dirsearch, I found a publicly available .git directory and used Dumper tool from Gittools to download the available git directory locally.
I cloned the .git files using the following command.
bash gitdumper.sh http://159.65.204.68/.git/ ehsahilGitdumper cloned the publicly available git files into a folder ‘ehsahil’
After downloading the git directory locally. I manually go through all the files and directories available publicly.
After getting commit information and other I got inside the objects folders, which contains large numbers of objects.
I found objects folder interesting and decided to look into all of them.
It’s time to find the object Ids. For that, I used find command
find -type fI got the following result with all the object-ids.
I have to remove all the dots(.) and forward slashes from the above result using sed.
sed -e 's/\.//g'Saved all object id in an objectids.txt file.
Now, I got all the Object IDs, its time to cat every file to see the contents.
git cat-file -p <object_id>But manually viewing the contents of the all the objects was time-consuming.
that’s why I tried to automate the process, I created a small ruby script to fetch contents from all Objectid’s.
Here is the sweet and small ruby script. — git.rb
require 'socket'
require 'colorize'begin
file = File.open(ARGV[0], "r")
rescue
puts "Usage: ruby git.rb objectsid"
exit
end
file.each_line do |objects|
puts
puts "Content of ObjectID --> #{objects}"
puts "+--------------------------------------------------------+" system("git cat-file -p #{objects}")
puts "Moving to next ObjectID"
puts puts "+--------------------------------------------------+" end
After running the ruby script, I found the index.php source code in 37 Object Folder.
I tried to concatenate the Objectid manually,
Credentials for admin panel.
$username = ‘admin@cup.hackenproof.com’;
$password = ‘Qd79E0FL&R’;Then, I quickly browse to http://159.65.204.68/admin to see the credentials whether the credentials will work or not.
http://159.65.204.68/admin
Credentials have WORKED!!! Yus!!!
After login, application redirected me to the following page with a file uploading functionality.
http://159.65.204.68/admin/index.php
Reviewing the index.php file from the objects folder.
- Index.php is only checking for mimetype (image/jpeg, image/gif, image/png) to validate the uploaded image is indeed an image or not.
2. Application is uploading the user file on the
/var/www/html/admin/uploads that means
http://159.65.204.68/admin/uploads/<Uploaded-file-name>3. (preg_match(‘/.php$/’,$file)) — Here the endpoint is only checking for php extension in the filename.
there are many bypasses for this type lousy PHP file validation protection.
One of them is by using php5 as an extension instead of php to bypass the protection.
Uploaded PHP file with “1337.jpg.php5” extension and content-type: image/jpeg
I used p0wny-shell — https://github.com/flozz/p0wny-shell
p0wny shell is successfully uploaded and executed.
After that, I browsed through the internal file system to find the interesting files and hints for the next level.
😮 found “congrats.html” in /super_secret_cup directory.I didn’t see that coming.
let’s see the content of the congrats.html
FINALLY!! the Private Google docs form link to apply for HackenProof CUP 2018.
Let’s Open the “congrats.html” in the browser.
AND…. Google form for Hacken Cup. 😍😍
Thanks, HackenProof and Hackit Team for allowing me to participant in the HackenProof Cup 2018 Challenge.
Publishing on 05-Sept-2018 at 3:55 AM Indian Standard Time (IST),
If you like my blog posts and my work, Please consider checking out my “Buy me a coffee” page
until next time.
