CTF Walkthrough — Hacken Cup 2018

Update-2 (07-Sept-2018): I just got the confirmation email from HackenProof that, my application is accepted for Hacken cup 2018 ❤

❤ ❤ ❤

Update-1: I was planning to publish this walkthrough after the Hacken Cups results but since HackenProof already made the challenge public and I thought to publish it right away someone can use this walkthrough to solve the challenge.

Challenge is live for a few days I think, you can try to solve it.

Here is the updated post by HackenProof about the Hacken Cup.

Last year’s story

HackIT Organised a 3rd security conference in Kharkiv, Ukraine last year, I was invited to the conference with all the expenses covered, they invited me via Twitter‘s DM and the invitation got into my Request folder somehow I haven’t seen it until the conference was finished.

3rd Hackit Conference Invite.

my reaction seeing this message after the conference was finished.

SHIT !!!!!

I responded and told them, that message was in my twitter’s request folder, that’s why I have not responded.

Now, let’s start the walkthrough — stay with me.

On 7-August-2018, I got the following email from HackenProof. Hackenproof is organizing onsite Hacken Cup Bug Hunting Marathon during HackIT 4.0 — The 4th Global CyberSecurity Forum in Kyiv, Ukraine from 8–11 October.

Email from cup@hackenproof.com
Screenshot of invitation email from HackenProof.

I received the email on my mobile, I clicked on Apply but the button didn’t work, I quickly logged into my Gmail via mac and clicked on Apply again. Still not working.

huhhh!!!??

Then I saw a message at the bottom of the email.

P.S. Follow the white rabbit

Hmm, Something is interesting.

hmm…something is interesting.

After trying few things, I used “Show Original” Option from Gmail and searched for “Apply” keyword.

Found an external IP address.

Got an external IP address. :

http://159.65.204.68

opened it in Google Chrome, the following page appeared

You shall????

You shall what?

Checked the source code: got two images.

http://159.65.204.68/images/404–2–41.png
http://159.65.204.68/images/W9Yjy17.jpg

and also, a sweet message

It would be too easy :)
It really was too easy.
You shall not hack???

You shall not ****? You shall not hack?

I searched it on Google and found out that its a quote from the movie “The Lord of the rings.”

YOU SHALL NOT PASS!!!
You Shall Not Pass!!!!!

Sure, I am not passing.

I started my recon process for the endpoint.

  1. Nmap — 159.65.204.68
nmap -sV 159.65.204.68
Lots of ports are open

Got many open ports and I left them to see later and I tried to see if I can find something interesting via dirsearch.

2. Dirsearch — 159.65.204.68

python3 dirsearch.py -u http://159.65.204.68 -e *

After running Dirsearch, I found a publicly available .git directory and used Dumper tool from Gittools to download the available git directory locally.

I cloned the .git files using the following command.

bash gitdumper.sh http://159.65.204.68/.git/ ehsahil

Gitdumper cloned the publicly available git files into a folder ‘ehsahil

After downloading the git directory locally. I manually go through all the files and directories available publicly.

After getting commit information and other I got inside the objects folders, which contains large numbers of objects.

I found objects folder interesting and decided to look into all of them.

It’s time to find the object Ids. For that, I used find command

find -type f

I got the following result with all the object-ids.

I have to remove all the dots(.) and forward slashes from the above result using sed.

sed -e 's/\.//g'

Saved all object id in an objectids.txt file.

Now, I got all the Object IDs, its time to cat every file to see the contents.

git cat-file -p <object_id>

But manually viewing the contents of the all the objects was time-consuming.

that’s why I tried to automate the process, I created a small ruby script to fetch contents from all Objectid’s.

Here is the sweet and small ruby script. — git.rb

require 'socket'
require 'colorize'
begin  
file = File.open(ARGV[0], "r")
rescue
puts "Usage: ruby git.rb objectsid"
exit
end
file.each_line do |objects|
puts
puts "Content of ObjectID --> #{objects}"
puts "+--------------------------------------------------------+" system("git cat-file -p #{objects}")
puts "Moving to next ObjectID"
puts puts "+--------------------------------------------------+" end

After running the ruby script, I found the index.php source code in 37 Object Folder.

I tried to concatenate the Objectid manually,

My credentials are my credentials none of your credentials !!!
Pheww!!!

Credentials for admin panel.

$username = ‘admin@cup.hackenproof.com’;
$password = ‘Qd79E0FL&R’;

Then, I quickly browse to http://159.65.204.68/admin to see the credentials whether the credentials will work or not.

http://159.65.204.68/admin
ADMIN login page.

Credentials have WORKED!!! Yus!!!

After login, application redirected me to the following page with a file uploading functionality.

http://159.65.204.68/admin/index.php
Admin File uploading endpoint.
ALRIGHT!
Index.php Source Code

Reviewing the index.php file from the objects folder.

  1. Index.php is only checking for mimetype (image/jpeg, image/gif, image/png) to validate the uploaded image is indeed an image or not.

2. Application is uploading the user file on the

/var/www/html/admin/uploads that means

http://159.65.204.68/admin/uploads/<Uploaded-file-name>

3. (preg_match(‘/.php$/’,$file)) — Here the endpoint is only checking for php extension in the filename.

there are many bypasses for this type lousy PHP file validation protection.

One of them is by using php5 as an extension instead of php to bypass the protection.

file with .php extension is not uploading as expected.
Uploaded php file with .php5 extension and file was successfully uploaded.

Uploaded PHP file with “1337.jpg.php5” extension and content-type: image/jpeg

I used p0wny-shell — https://github.com/flozz/p0wny-shell

p0wny shell is successfully uploaded and executed.

After that, I browsed through the internal file system to find the interesting files and hints for the next level.

😮 found “congrats.html” in /super_secret_cup directory.

I didn’t see that coming.

let’s see the content of the congrats.html

FINALLY!! the Private Google docs form link to apply for HackenProof CUP 2018.

cat congrats.html

Let’s Open the “congrats.html” in the browser.

HackenProof you guys are Awesome too.

AND…. Google form for Hacken Cup. 😍😍

Thanks, HackenProof and Hackit Team for allowing me to participant in the HackenProof Cup 2018 Challenge.

Publishing on 05-Sept-2018 at 3:55 AM Indian Standard Time (IST),

until next time.