“Hack Me If You Can” CTF 2016 — Catch the Droid Walkthrough

Nandun Bandara
SLIIT FOSS Community
5 min read · Nov 8, 2016

Team Agathon, of which I am a part, participated in the “Hack Me If You Can” Capture the Flag contest organized by the Cyber Security batch of Sri Lanka Institute of Information Technology (SLIIT), which was a part of CodeFest 2016 at SLIIT.

Catch the Droid was one of the 5 CTF boxes we had to hack into, and in this blog I will be doing a ‘walk-through’ of the levels in it. We were provided with the .ovf file of the virtual machine, and after firing up VMware Player and importing it, I was good to go.

Level 1

I set the network adapter to Host-only. Running ifconfig, I found the name of the network interface to be ‘vmnet1’ and started a ‘netdiscover’ on that interface to get the IP address of our VM.

sudo netdiscover -i vmnet1

So looks like we found our IP. Next I used ‘Zenmap’ — the GUI version of nmap to scan the host with the IP address I just got.

And there we have port 80 open on the host 192.168.198.128. Firing up Firefox, I navigated to the IP to see what we have. And got this.

So there we have the Username and the password for the next level.

Username: droids Password: appletheduke

Level 2

And the cipher text was in Binary.

00101110 00101101 00101110 00101110 00100000 00101101 00101110 00101110 00101110 00100000 00101101 00101110 00100000 00101110 00101101 00101110 00101110 00100000 00101110 00101110 00101101 00100000 00101110 00101101 00101110 00101110 00100000 00101110 00101101 00101101 00101110 00100000 00101101 00101101 00101110 00101110 00100000 00101110 00101101 00100000 00101101 00101101 00101101 00100000 00101110 00101101 00101110 00101110 00100000 00101110 00101110 00100000 00101110 00101110 00101110 00101101 00100000 00101101 00101101 00101110 00101110 00100000 00101101 00101101 00101110 00101110

Using an online tool to convert the binary to ASCII returned Morse code.

.-.. -... -. .-.. ..- .-.. .--. --.. .- --- .-.. .. ...- --.. --..

I used an online Morse code decoder to decode it. It returned ‘LBNLULPZAOLIVZZ’, and still it didn’t look like what we wanted. In fact it was not the key to Level 3. But it did look like another cipher text, and this time it must be something like the Caesar cipher. Once again the internet helped me out. The key was 19 and the password to the next level is ‘EUGENEISTHEBOSS‘.
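The whole Level 2 decoding chain in one script, as an added example that is not from the original post: the binary groups quoted above to ASCII, the ASCII Morse to letters, then the shift-19 Caesar step. The Morse table and the 8-bit grouping are the standard ones; nothing else is assumed.

```python
# Added example (not the post's own code): Level 2 chain
# binary -> ASCII -> Morse -> Caesar, run on the ciphertext quoted above.

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

def binary_to_ascii(bits: str) -> str:
    """Turn space-separated 8-bit groups into the ASCII string they encode."""
    return "".join(chr(int(group, 2)) for group in bits.split())

def morse_to_text(morse: str) -> str:
    """Decode space-separated Morse symbols; unknown symbols become '?'."""
    return "".join(MORSE.get(sym, "?") for sym in morse.split())

def caesar_shift(text: str, key: int) -> str:
    """Shift uppercase letters forward by key (mod 26); leave others alone."""
    return "".join(
        chr((ord(c) - 65 + key) % 26 + 65) if "A" <= c <= "Z" else c
        for c in text
    )

def solve_level2(bits: str, key: int = 19) -> tuple:
    """Return (morse, intermediate text, plaintext) for the given key."""
    morse = binary_to_ascii(bits)
    plain = morse_to_text(morse)
    return morse, plain, caesar_shift(plain, key)

# The Level 2 ciphertext exactly as given in the post (66 8-bit groups).
CIPHERTEXT = (
    "00101110 00101101 00101110 00101110 00100000 00101101 00101110 "
    "00101110 00101110 00100000 00101101 00101110 00100000 00101110 "
    "00101101 00101110 00101110 00100000 00101110 00101110 00101101 "
    "00100000 00101110 00101101 00101110 00101110 00100000 00101110 "
    "00101101 00101101 00101110 00100000 00101101 00101101 00101110 "
    "00101110 00100000 00101110 00101101 00100000 00101101 00101101 "
    "00101101 00100000 00101110 00101101 00101110 00101110 00100000 "
    "00101110 00101110 00100000 00101110 00101110 00101110 00101101 "
    "00100000 00101101 00101101 00101110 00101110 00100000 00101101 "
    "00101101 00101110 00101110"
)
```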

Level 3

In this step, we are provided with a packet capture file. Firing up Wireshark, I opened the file and saw that there are several TCP and FTP packets.

The FTP and FTP-DATA files mean that there has been a File Transfer of some sort.

The TCP stream of the FTP-DATA packet of 1448 bytes (interesting) was as follows.

Looks like we have an .mkv file to deal with. Downloading the TCP stream, I got a zip file with an .mkv file in it. And the video contained the key to the next level itself.

Key to Level 4 : kill3rcr0c

Level 4

The goal of this level is to extract the Administrator (admin) credentials using this search function. Playing around with it gives you an idea of the query it executes to extract the data.

Note that the passwords are encrypted. Anyways, the query should look like:

SELECT * FROM

WHERE LIKE ‘%%’

Anyways, SQL injection has been blocked at the front end using a regular expression, but the server-side source code does not contain any precautions against SQL injection, so we are lucky here.

I fired up Burp Suite, to try making changes to the headers so that I could perform a SQL Injection.

And baam!!! It returned all the records including the Administrator credentials.

Although we could guess the type of hash here, we could always use some tool like Hash ID to identify the hash.

So it is an MD5 hash. I asked HashKiller to decrypt this hash for me. And the password was “gonzales“.
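An added example, not the challenge's own code, that models the Level 4 search in Python with sqlite3: the string-built LIKE query the post describes beside a parameterised version, plus a stand-in for the front-end regex gate that a proxy never executes. Table and column names (users, username, password) and the non-admin rows are constructed; the admin row stores the unsalted MD5 of the password recovered above, which is what makes a hash lookup service effective against it.

```python
# Added example (not the challenge's code): Level 4 search modelled in
# sqlite3, string-built LIKE query beside a bound-parameter version.
import hashlib
import re
import sqlite3

# Constructed sample rows; the admin password is the one recovered in the post.
USERS = [
    ("admin", hashlib.md5(b"gonzales").hexdigest()),
    ("alice", hashlib.md5(b"constructed-pw-1").hexdigest()),
    ("bob", hashlib.md5(b"constructed-pw-2").hexdigest()),
]

def make_db() -> sqlite3.Connection:
    """Fresh in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Mirrors the challenge: user input is concatenated into the LIKE pattern."""
    sql = "SELECT username, password FROM users WHERE username LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter; the input can only ever be a pattern."""
    sql = "SELECT username, password FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def front_end_filter(term: str) -> bool:
    """Client-side regex gate like the one the post describes. A proxy such as
    Burp sends the request without ever running it, so it is not a control."""
    return re.fullmatch(r"[A-Za-z0-9 ]*", term) is not None

# Constructed input that closes the quote, so the pattern becomes a bare '%'.
INJECTION = "' OR '1'='1"
```

The same input returns every row from search_vulnerable and nothing from search_safe, which is the whole difference between the challenge's query and the fixed one.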

Level 5

Going through the source code in this level, I found a reference to the JavaScript file ../js/validation.js. It contains a function that checks whether the entered credentials are valid, by comparing the user-entered strings with the username and password for the next level.

function isValid(uname, pwd){
    // Rejects only when BOTH fields are wrong; a single correct field already
    // takes the success branch. The expected values sit in client-side JS.
    if(!(uname == "level4pass") && !(pwd == "magentaBlack")){
        alert("Incorrect Username and Password!");
        return true;
    }else{
        window.location.replace("/MyGameMyPlay/Infinity.php");
        alert("Success!");
        return false;
    }
}

Level 6

Going through the source code, we find a comment giving us the link to a dictionary, which means we may have to perform a brute-force attack to pass this level.

But the link returned a 404: Not Found. I changed the first letter to lowercase and there it was. Having got the dictionary in hand, I once again fired up Burp Suite. After intercepting the request, in Intruder I set the positions and loaded dictionary.txt into the payloads.

Once the attack is finished, going through the requests, we find a change in the length of one response.

So here is the password for the final level: panthrX

The final flag: DroidIIisAllYours!


Special Thanks to Sirs and Madams, brothers and sisters of the Cyber Security batches at SLIIT (2015/16).

Published November 8, 2016, updated November 14, 2016.

Originally published at nandunb.wordpress.com on November 8, 2016.
