5k33tz - CTF Writeups


Vulnhub IMF 1 – Boot2Root

The VM for the CTF challenge is located at https://www.vulnhub.com/entry/imf-1,162/

Description:

IMF is an intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty:

Beginner/Moderate

I started off with an nmap scan to get a lay of the open ports:

nmap -p 1-65535 -T4 -A -v 192.168.1.38

Nothing too interesting, except port 80/tcp open.

On the “Contact Us” page we’re able to see a couple employee emails:

Roger S. Michaels – Director
rmichaels@imf.local

Alexander B. Keith – Deputy Director
akeith@imf.local

Elizabeth R. Stone – Chief of Staff
estone@imf.local

We find the first flag in the source of the contact.php page:

<!-- flag1{YWxsdGhlZmlsZXM=} -->

Decoding the string, we get the contents of flag1:
echo YWxsdGhlZmlsZXM= | base64 --decode

Flag1: allthefiles

Using Flag1 as a reference to Flag2, I start looking at all the files from source, and a particular bunch catch my eye, which also look like Base64.

“js/ZmxhZzJ7YVcxbVl.js”
“js/XUnRhVzVwYzNS.js”
“js/eVlYUnZjZz09fQ==.min.js”

Appending the strings together, and decoding:
echo ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ== | base64 --decode

Which reveals Flag2:

flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Flag2: imfadministrator
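Both flags so far are base64 wrapped in a flagN{...} token: the first sits in an HTML comment, the second is split across three script file names (with a .min.js suffix on the last piece) and decodes to yet another base64 string. The Python helper below is an added example, not code from the original write-up, that automates that chain: it pulls the flag tokens out of a page, reassembles a flag spread over js/ file names, and keeps decoding while the result is still base64. The HTML inside it is constructed to mirror what the page describes, not a capture from the VM.

```python
import base64
import binascii
import re

# Constructed sample of the two hiding spots described above (not a capture from the VM).
SAMPLE_HTML = """
<!-- flag1{YWxsdGhlZmlsZXM=} -->
<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>
"""

FLAG_RE = re.compile(r"(flag\d+)\{([^}]*)\}")
# script name without the js/ prefix, an optional .min, and the .js suffix
SCRIPT_RE = re.compile(r'src="js/([^"]+?)(?:\.min)?\.js"')


def b64_decode_text(s):
    """Strictly decode base64 and return the text, or None if it is not base64
    or does not decode to printable ASCII (which is how the chain ends)."""
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def peel(s):
    """Return every layer from the given string down to the innermost non-base64 text."""
    layers = [s]
    while True:
        nxt = b64_decode_text(layers[-1])
        if nxt is None or nxt == layers[-1]:
            return layers
        layers.append(nxt)


def find_flags(html):
    """Map flag name -> fully decoded value for flags hidden in the page text and
    for a flag split across js/ file names."""
    flags = {}
    for name, inner in FLAG_RE.findall(html):
        flags[name] = peel(inner)[-1]
    joined = "".join(SCRIPT_RE.findall(html))  # concatenate the name fragments in page order
    decoded = b64_decode_text(joined)
    if decoded:
        for name, inner in FLAG_RE.findall(decoded):
            flags[name] = peel(inner)[-1]
    return flags


if __name__ == "__main__":
    for name, value in find_flags(SAMPLE_HTML).items():
        print(f"{name}: {value}")
```

The strict decoder is what stops the loop: "allthefiles" has a length that is not a multiple of four, and "imfadministrator" happens to be valid base64 characters but decodes to non-printable bytes, so both are correctly treated as the final answer rather than decoded again.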

Browsing to http://192.168.1.38/imfadministrator/ brings us to a login console:

Since source seems to be a common theme for this CTF, I check source, and see a nice comment:

Admittedly, after trying many brute-force combinations for all of the local emails (with and without the domain), I took a hint on this flag. You don’t know what you don’t know, but I learned something new. PHP’s strcmp function returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2, and 0 if they are equal: https://secure.php.net/manual/en/function.strcmp.php
Furthermore, in PHP 5 and 7, passing an array where strcmp expects a string only raises a warning and makes the call return NULL. A loose check such as strcmp($a, $b) == 0 treats NULL as equal to 0, so the comparison succeeds, which in this case allows a login bypass and spits out the flag.

So, using Burp, I change the POST data for the password field from:

to:
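To make the bypass concrete without the VM, the following Python model is an added example (the login page’s actual PHP is not shown in this write-up, so the check it models is an assumption of the usual `strcmp($_POST['pass'], $password) == 0` pattern). It reproduces how PHP turns a `pass[]=` form field into an array, how strcmp in PHP 5/7 returns NULL for a non-string argument, and why the loose `== 0` then passes, next to a guarded strict version that does not.

```python
from urllib.parse import parse_qs


def php_post(body):
    """Rough model of how PHP fills $_POST from a urlencoded body:
    'name=value' gives a string, 'name[]=value' gives an array (a list here).
    For duplicate plain keys PHP keeps the last value, mirrored below."""
    post = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key.endswith("[]"):
            post[key[:-2]] = values
        else:
            post[key] = values[-1]
    return post


def php5_strcmp(a, b):
    """strcmp() as PHP 5/7 behave: a non-string argument only warns and the
    function returns NULL (None). PHP 8 throws a TypeError instead."""
    if not isinstance(a, str) or not isinstance(b, str):
        return None
    return (a > b) - (a < b)


def php_loose_equals_zero(value):
    """PHP's `$x == 0` for the values strcmp can return: NULL == 0 is true."""
    return value is None or value == 0


def vulnerable_login(stored_password, post):
    """Models the weak check: if (strcmp($_POST['pass'], $password) == 0)."""
    return php_loose_equals_zero(php5_strcmp(post.get("pass"), stored_password))


def hardened_login(stored_password, post):
    """Same check with an is_string() guard and a strict comparison (=== 0 in PHP)."""
    submitted = post.get("pass")
    if not isinstance(submitted, str):
        return False
    return php5_strcmp(submitted, stored_password) == 0


if __name__ == "__main__":
    bypass = php_post("user=rmichaels&pass[]=")   # the Burp edit: pass -> pass[]
    print("$_POST:", bypass)
    print("vulnerable:", vulnerable_login("unknown-password", bypass))
    print("hardened:  ", hardened_login("unknown-password", bypass))
```

The type guard is the immediate fix, but the real one is not to strcmp a plaintext password at all: store a hash and verify it with password_verify(), which rejects non-string input and compares in constant time.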

Shoutout to reedphish for their write-up on this flag, and helping me learn something new (https://reedphish.wordpress.com/2016/11/20/imf-walkthrough/)

Flag3: continueTOcms

As the flag suggests, I click on the IMF CMS link and continue to CMS.

By the looks of the URL structure, my first inclination would be for a possible SQL injection:

Since this is post-auth, I will use sqlmap with my new cookie, and attempt to enumerate the databases:
sudo sqlmap -u 'http://192.168.1.38/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' --dbs

This confirms my suspicions of injection as a vector, and shows the available databases:

Since the admin database is the most interesting looking, we dump it. sqlmap’s --dump takes no argument; the database is selected with -D:
sudo sqlmap -u 'http://192.168.1.38/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' -D admin --dump

This produces a new image we haven’t seen before:

Scanning the QR code reveals flag4{dXBsb2Fkcjk0Mi5waHA=}
Flag4: uploadr942.php

Browsing to our new upload page, we’re presented with an option to upload a file:

My first theory was to upload a PHP webshell, but attempting to upload php, exe, and txt files results in “Error: Invalid file type”. After trying many different file types, I was able to upload image files. My next thought was to find a way to insert a PHP cmd shell in the image, as I learned how to do this by tainting log files in OSCP. This is where I started falling flat and getting stuck, so I got a little push from another write-up. Kudos to the first person to figure this out: although you can upload any image type, you’re only able to use the PHP cmd shell with GIFs. So I inserted the PHP cmd shell in the .gif file and uploaded it.

An interesting note: if you inspect the element after a successful upload, there is a unique hash in the comments.

In other write-ups they were able to deduce that the image is uploaded to /imfadministrator/uploads/HASH.extension

So if I navigate to:

http://192.168.1.38/imfadministrator/uploads/1ef7eeabeb61.gif

I can see the header of the GIF file and, more importantly, can send commands to the shell, for example:

This gives me a directory listing, and I can cat out the flag in this directory:
http://192.168.1.38/imfadministrator/uploads/1ef7eeabeb61.gif?cmd=cat%20flag5_abc123def.txt


Flag5: agentservices

***TO BE CONTINUED FOR FLAG 6***

IceCTF – Alien Message

Stage 1: Alien Message

Description: We found this suspicious image online and it looked like it had been planted there by an alien life form. Can you see if you can figure out what they’re trying to tell us?

Going to the image we see:


Admittedly this puzzle took me about 30 minutes to figure out and find the key. I should have gone off my first hunch when I thought to myself that the background looked extremely similar to the background in Futurama.

After some searching I found a key on Google for a language called Alienese…made by the creators of Futurama.


With this new-found key, we can start decoding the message. This can either be done by hand, or with a nifty little site: http://cs.oswego.edu/~dreichel/alienese_decoder/

The only caveat is being careful with the symbols, as the same symbol can appear in different sizes, signifying upper- and lower-case letters.

Flag = IceCTF{gOOd_n3wZ_3vERyoN3_1_L1k3_fU7ur4Ma_4nd_tH3iR_4maZ1nG_3As7eR_39G5}

IceCTF – Scavenger Hunt

Stage 1: Scavenger Hunt

Description: There is a flag hidden somewhere on our website, do you think you can find it? Good luck!  

The easiest way to get the content of a site is to pull it back with wget, recursively:


Once we have all the relevant files, we can use grep to search in all of the files we pulled back. cd into the icec.tf directory on your Linux box, and run the following command:


This will recursively grep through all of the files in your current directory (and sub-directories), looking for icectf{ (-i is for case-insensitive, -r is for recursively).

Doing the grep will give us one hit in a file called sponsors:


Flag = IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}

IceCTF – Time Traveler

Stage 1: Time Traveler

Description: I can assure you that the flag was on this website at some point in time.

Going to the web page provided gives you this:


Viewing source doesn’t provide anything interesting. The description gives me a hint to look at how the webpage may have been in the past. There are two good tools/sites for this:

http://cachedview.com/
and
http://archive.org/web/

Plugging the URL into the Wayback Machine shows one saved snapshot, from June 1st, 2016:


Clicking on the entry gives me exactly what I was expecting; a view of the page in the past:


Flag = IceCTF{Th3y'11_n3v4r_f1|\|d_m4h_fl3g_1n_th3_p45t}

IceCTF – Substituted

Stage 1: Substituted

Description: We got a substitute flag, I hear they are pretty lax on the rules… crypted.txt

Clicking on the link brings us to the substituted flag, with much other text:


I’d like to give a shout out to my co-worker (you know who you are) for making an amazing find: http://quipqiup.com/index.php

quipqiup is a cryptogram solver that allows the input of “clues”, or seed values.

Here is the list of clues that we deduced from the puzzle. These were guesses that turned out to be correct:

Lw! = Hi!
Gyzvecy ke WvyVKT! = Welcome to IceCTF!
The latter clue is confirmed at the bottom, where we can see a string that is taking the shape of a flag – WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}

This will allow us to enter the clues to let the solver do its magic:


The top hit gives us something that is in English, and what appears to be a flag:
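What quipqiup does with those clues is ordinary crib work on a monoalphabetic substitution: each known ciphertext/plaintext pair fixes some letters of the key, and a guess that contradicts an earlier one is rejected. The Python below is an added example, not part of the original write-up or of quipqiup, that carries this out by hand with the two clues quoted above and then with two further guesses (“always” and “substitute”) taken from the final flag; letters the cribs never touch stay as “?”.

```python
def learn_key(key, ciphertext, plaintext):
    """Extend a cipher-letter -> plain-letter key from one crib.

    Letters are matched case-insensitively; spaces and punctuation must line up.
    A crib that contradicts the key (either direction of the mapping) raises
    ValueError, which is how a wrong guess is caught."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("crib and plaintext differ in length")
    key = dict(key)
    inverse = {p: c for c, p in key.items()}
    for c, p in zip(ciphertext.lower(), plaintext.lower()):
        if not c.isalpha():
            if c != p:
                raise ValueError(f"non-letter mismatch: {c!r} vs {p!r}")
            continue
        if not p.isalpha():
            raise ValueError(f"letter {c!r} aligned with non-letter {p!r}")
        if key.get(c, p) != p or inverse.get(p, c) != c:
            raise ValueError(f"conflict: {c!r} -> {key.get(c)!r} / {p!r} <- {inverse.get(p)!r}")
        key[c] = p
        inverse[p] = c
    return key


def decode(key, ciphertext, unknown="?"):
    """Apply a (possibly partial) key, keeping case and marking unsolved letters."""
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            p = key.get(ch.lower(), unknown)
            out.append(p.upper() if ch.isupper() else p)
        else:
            out.append(ch)
    return "".join(out)


# The clues and the flag line quoted in the write-up above.
CLUES = [("Lw!", "Hi!"), ("Gyzvecy ke WvyVKT!", "Welcome to IceCTF!")]
FLAG_CT = "WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}"
# Two more guesses, made from the shape of the partially decoded words.
MORE_GUESSES = [("jzgjrd", "always"), ("dsbdkwksky", "substitute")]


def solve(cribs, ciphertext=FLAG_CT):
    """Fold every crib into one key and return (key, partial plaintext)."""
    key = {}
    for ct, pt in cribs:
        key = learn_key(key, ct, pt)
    return key, decode(key, ciphertext)


if __name__ == "__main__":
    print(solve(CLUES)[1])
    print(solve(CLUES + MORE_GUESSES)[1])
```

The two letters that remain unknown (the cipher letters for “n” and “g”) never occur in any crib, which is exactly where a solver such as quipqiup falls back on word-frequency scoring.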


Flag = IceCTF{always_listen_to_your_substitute_flags}

IceCTF – Rotated!

Stage 1: Rotated!

Description: They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}

The ROT in the description should be a dead give-away that the flag is being encrypted with a rotation cipher. The only question is, which one?

When dealing with ROT, I always like to start off by trying different substitutions on: http://rot13.com/

Using ROT13, which is the default on the site, gives us the flag:


Flag = IceCTF{wait_one_plus_1_is_3?}
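Why ROT13 works here: rotations compose, so ROT5 followed by ROT8 is just ROT13, and undoing a total shift of 13 is another shift of 13 (or, in general, a shift of minus the sum). The Python below is an added example, not code from the original write-up, that implements ROT-n for arbitrary n, reverses any list of shifts, and also brute-forces all 26 shifts by looking for the flag format when the shifts are not given.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text, n):
    """Shift every ASCII letter n places through the alphabet (Caesar / ROT-n).

    Case is preserved and non-letters (digits, braces, underscores, '?') pass
    through untouched, which is why the flag's '1' and '3' survived the rotation."""
    n %= 26
    shifted = []
    for ch in text:
        if ch in LOWER:
            shifted.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            shifted.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            shifted.append(ch)
    return "".join(shifted)


def undo_rotations(ciphertext, shifts):
    """Reverse a sequence of ROT-n steps; since they compose, one shift of -(sum) undoes them all."""
    return rot(ciphertext, -sum(shifts))


def brute_force(ciphertext, marker="IceCTF{"):
    """Unknown shift: try all 26 and return (shift, plaintext) for the one showing the flag format."""
    for n in range(26):
        candidate = rot(ciphertext, n)
        if candidate.startswith(marker):
            return n, candidate
    return None


CIPHERTEXT = "VprPGS{jnvg_bar_cyhf_1_vf_3?}"  # from the challenge description above

if __name__ == "__main__":
    print(undo_rotations(CIPHERTEXT, [5, 8]))
    print(brute_force(CIPHERTEXT))
```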

IceCTF – Move Along

Stage 1: Move Along

Description: This site seems awfully suspicious, do you think you can figure out what they’re hiding?

Clicking the link brings you to the webpage:


The page didn’t have anything interesting; nothing to click on or highlight, just the image.

My next step was to view the source:


Decided to click on the img src link to the jpg, which didn’t give me anything I wasn’t expecting, just the image from the main page.

I did notice that the jpg was nested in a directory named “move_along”:


So my next instinct is to see if I can traverse to the move_along directory, and I can:


Doing so reveals another directory with 32 hex characters, presumably the MD5 of something.

Clicking into the directory shows that there is another jpg, named secret.jpg:


Clicking on the link reveals a new image, with the flag:


Flag = IceCTF{tH3_c4t_15_Ou7_oF_THe_b49}


IceCTF – All your Base are belong to us

Stage 1: All your Base are belong to us

Description: What a mess… we got a raw flag but now what do we do… flag.txt

Clicking on the flag.txt link brings us to the webpage:


I needed to convert the binary to its ASCII representation, so I Googled for a Binary to ASCII converter, and found: http://www.binaryhexconverter.com/binary-to-ascii-text-converter

Converting the binary to ASCII gives the flag:


Flag = IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

IceCTF – Spotlight

Stage 1: Spotlight

Description: Someone turned out the lights and now we can’t find anything. Send halp! spotlight

Clicking on the link brings you to a site with a flashlight that you can move around the screen, simulating being in the dark:


Searching around reveals nothing.

Next I decided to view the source code for the page.


Decided to click on the spotlight.js link to view the source for the JavaScript.

Looking through the source code for the JS, the flag is present.


Flag = IceCTF{5tup1d_d3v5_w1th_th31r_l095}