WebSec CTF Writeups for all challenges

This CTF ran from July 7, 2017 to July 8, 2017. This CTF ran for eactly 24 hrs and we had easy, medium and hard challenges. Based on the GameBoard, almost all the challenges were solved by at least 1 participant. We had 1 challenge, that was left unsolved because it was pretty hard. This CTF was organized in a way, that we tested the challenges based on current and past vulnerability reports. We wanted to see if Nepali hackers were reading and were up to date on recent security events. Here is the writeups (this is gonna be long)


Web Challenges

For web challenges, they all varied from easy to hardest.

0day is out! — Severity: Easy

For this challenge, competitors were provided a username and password that they could not change. They had to find a report of another user and see if they could read it. After logging in, they see the following interface:

We made it look as basic as possible

When they click on the report id, they are shown the page that shows their report information. First thing to try here as competitors would be to change the link that is: http://104.223.95.189/report/report.php?id=2 to link http://104.223.95.189/report/report.php?id=1. The idea behind is, if we have our report ID to be 2, we can hope that another user probably had the report id 1. However, when the competitor visits report ID 1 with the link they are greeted with this page:

What happens when unauthorized user visits the page

Hint for this challenge is that sometimes some dev might leave a comment without knowing. And also the thing to notice is that for report ID 2 (which competitor has access to) says: Nginx has a 0day that can also be RED HERRING. Whaaatt?

When the source of the page is viewed following comment is located: <! — -Dev note: Our api should be done soon so that it reduces the load — !>. So basically they have an API being designed which could potentially be vulnerable. If we run a directory search we notice that there is API directory at 104.223.95.189/api/ which says that the file reportloader.php is functional. Lets give a shot to reportloader.php then. When just visiting the page, we see the page that is basically a 403. So how this work? If we append ?id=1, we can successfully see the report loaded by the API. and it has the flag: flag{w3ird_id0r_435089}.


Want to get hired?-Severity: Medium

This CTF challenge was resume creator for our competitors. (Not quite). When they go to the link in the challenge, they have to put their name and email. Once they submit the data, a fake PDF resume is generated:

Pretty impressive resume right?

You can also check the PDF resume it would create by downloading this PDF: https://mega.nz/#!lWBBkZYK!bI2fBRvNtqqroEZ9pF3FQHipKhMwlZpkT_wmLcrvl2Y

Moving on… Once you download the PDF, you can see that this was created by TCPDF. Now the challenge said that the flag was in the lower directory which likely means either a LFI or RCE (both can work for this). If we lookup vulnerabilities in TCPDF by simply searching TCPDF RCE, we get some pretty cool exploits, one of them is:

<tcpdf method="Rect" params=");echo `id`;die(" />

This can be found on this link. TCPDF had a RCE where HTML was not properly sanitized. Using the above payload, we can see that this challenge is also vulnerable to RCE:

RCE image for the challenge

Now all we need to do is put the payload: ls ../ instead of id and we can see there is a txt file called flag.txt on the lower directory. Once we print its result, we get the flag: flag{why_pdf_why_38943}.


Find the Secret Message-Level:Hard

For this all that was provided was the slack link: supersecurectf.slack.com and the information: supersecretteam was working on a super secret project. can you find out what it is?. This challenge in a sense required that our competitors be updated in recent security releases. For slack specifically the team at Detectify had found major leakages on Github repos about companies xoxp- and xoxb- token. (If you do not know what this leak was read the report here).

We already know this can be found on Github and we also the know the alleged username: supersecretteam. When we look up the username on Github, we find the following repo for this account:

We tried to make things easier by make it obvious that the token will be in a repo that looks legit, what could be more legit that an app called newapp, with description: From Jobert Abma Rail's app project, Jobert (Co-Founder of HackerOne), has a repo of a vulnerable Rails app that people can test and understand security of Rails web apps. Once in the forked repo, if you went to the commit: https://github.com/supersecretteam/newapp/commits/master you can see that the secrets.yml was recently updated by us. There lies the token: 204068644966-nX0qoQEU80nEdvBcViUnXi65. Now you will have to spend a little time to understand how the Slack API works. This token was for a bot so the Slack API for bot is here. There, we can use this token to do multiple things: list users in the slack, read IM (internal messages) sent to the bot etc. Internal Message is what we are after so we can use im.list to see the list of messages that were sent to the bot:

Im.list result in Slack API

From there we can use im.history to see the messages for individual channels. The first one is from Slackbot, so we can technically ignore it. If we check channel: D5YLGQKUZ, we see the following messages:

The flag was: flag{sup3r_s3cret_flag_839045}.


OSINT Level 1

For this challenge, we gave a .eml file to our competitors. EML is a file extension mostly related with email files. When you open it, depending on how it is opened you can see the content of the email. From Mac, we can see the following screen:

Going to the link takes us to a pastebin site here: https://pastebin.com/6H14BTvg. This basically looks like a bad version of a a fake ransomware. The hacker gives us a phone number to message so that we can get the BTC (this will never happen in real life). If we look the number online, we can find that this is from a fake phone number site where you can receive the message sent to it. The flag was set to delete after 24 hrs. In the list of messages that was received by the number, you can find the flag: flag{best_h4cker_82943}.

Forensics

We only had one challenge for Forensics this time:

We found this weird file-Level:Easy

For this challenge, they are given a file with no extension. After some check you can find that this a .crx file. CRX file is a chrome extension file which also works as a zip. All we had to do now is unzip the file and see the most recently updated file which happens to have the flag in it: flag{crx_1s_z1p}.

Quizes

We also had mini quiz questions for our competitors:

Who am I?

The question was: I made everyone cry and was prevented by this guy?.

This basically gave a hint to wannacry and the person who prevented this is malwaretech (we did not want to dox him even though most medias already did that). So the flag will be flag{wannacry_malwaretech}.

Cipher

This was a 1 point cipher question: Some created a fine cipher and got 3 B’s in the class: iodj{Diilqh_flskhu_809}.

For this A fine cipher = Affine Cipher and 3 B’s is what we need to decode it:

flag{Affine_cipher_809}

Misc #1

Surprisingly, only two teams solved this challenge. This was an easy 5 points. All they had to do was go to twitter.com/uraniumhacker and in the bio is the flag: flag{just_4_g33k}.

What is the IP of Crystal Seas Seafood

This one was a little hard quiz because all they got was this picture:

Image given to the competitors

This challenge is a real life situation one. This image was captured by Shodan because the IP address had open VNC port at 5900. You can find open VNC in Shodan by looking up port 5900. This one could take a little time depending on how you searched it. Competitors could just click view images and see all the image of open VNCs that Shodan has pulled, or go one by one per result and find it there. This was the IP that had the picture: https://www.shodan.io/host/184.155.9.246 When you see the picture now, the time is changed because Shodan frequently updates their DB.