WiresBDSec CTF 2022 Writeup
-Written By Ayush Varma
Networking: Victim & Attacker
Chall description: NSTechvally is an multinational hosting & cloud service providing company. Recently we have detected some unusal activity to the server. An attacker got access to our server. And we recently found out that the developer did some mistakes developing our website. We have captured the network traffic. Help us to find out how the attacker compromised our server.
Attachment: A pcap file https://drive.google.com/drive/folders/1dDBxMtxXqgGNmBHjOt21O7XA8tvZUbNQ
What is the server ip & the attacker ip?
Flag Format: BDSEC{0.0.0.0_127.0.0.1}
Solution: Upon analyzing the captured pcap file we can clearly see the attacker is trying to brute-force the user id and password upon the FTP server. Hence it is pretty clear that the one sending the request is the attacker's IP and the one receiving the request is the victim's IP.
Attackers IP 192.168.1.10 and victims IP 192.168.1.13
Flag: BDSEC{192.168.1.10_192.168.1.13}
Networking: Which FTP?
What ftp & version the server is using?
Flag Format : BDSEC{ftp_0.0.0}
Solution: We need to find the FTP server version they are using simply by looking that the pcap file in Wireshark we can find the server version
Hence the flag was BDSEC{vsFTPd_3.0.3}
Networking : FTP Creadentials
What is the ftp username & password?
Flag Format : BDSEC{username_password}
Solution: This challenge required a bit of searching as the user's IDs and passwords were brute forced we need to find the place where the login was successful
upon searching and after a bit bit of scrolling the login successfully was found.
The creds before the login is successful are the correct credentials.
Username:ftpadmin Password:ftpadmin
Therefore the flag will be BDSEC{ftpadmin_ftpadmin}
Networking: Uploaded File
What file did the attacker uploaded to the ftp server? [with location]
Flag Format : BDSEC{/location/file_name}
Solution: When the hacker uses the RETER Command to upload the file to the server we can clearly see the file name and file location(the directory file is being uploaded to)
The working directory is files and the file uploaded is .hacker.note
Hence the flag will be BDSEC{/files/.hacker.note}
Networking: Log File
What is the log file name?Flag Format : BDSEC{something.log}
We need to find the name of the log file
Solution: The Attacker was trying to access the log file using the RETER command hence the name of the log file can be clearly seen
the name of the file is dnNmdHBk.log
Hence the flag is BDSEC{dnNmdHBk.log}
Networking: Project Incharge
Who was the incharge of the website project?Flag Format : BDSEC{name}
To find the in charge of the project we dig in further and we find an email text file right click on the packet and select follow stream
we will see the email text saying
From the email we know that the head is Mark
Hence the flag is: BDSEC{Mark}
OSINT :Find the Masterpiece
Chall description: My friend gave me the following stream of numbers and told me to figure out something of it. He gave me a hint that, the thing hidden behind the numbers is very known to me and piano keys might help me to solve the challenge. He also claimed that it is a master piece. So, he also asked for the creation date of that master piece. Please help me to solve that mistery!
3566678889775656–356667888977565–35666899900906–687798–3566678889775656–3566678889775656
Special note: All the letter of the flag are lower case and there will be a special character in the flag unlike the other challenge flags.
Flag format: BDSEC{name_of_the_master_piece,year}
Solution:
As per the given hint, these numbers could resemble the keys of a piano hence by searching a virtual piano and pasting the notes
we get the song which is nothing but “He’s a Pirate” a 2003 track composed by Klaus Badelt. Which was our required flag. The flag was BDSEC{he’s_a_pirate_2003}