CTF Write-up on Cloudsek’s 2022 Earn While You Learn Program (EWYL-2021) selection.

Dishant
7 min read · Mar 30, 2022

Hi there! Today I am going to write a detailed write-up on the CTF challenge used for selection into Cloudsek’s EWYL-2022 internship. I hope you enjoy reading it and pick up some knowledge; if I have made any mistakes, I apologize for them. So let’s begin.

In this challenge we were only given an IP address; let’s use 13.235.95.179 as the example.

Target: 13.235.95.179

First I started recon/enumeration on the target IP by scanning its ports with nmap:

sudo nmap -sS -Pn -v --top-ports 1000 -oA output.txt 13.235.95.179
# reports 3 open ports (also visible in the screenshot)

The scan shows that 3 ports are open on this machine. Enumerating the services running on those ports:

# service/version detection on the open ports
sudo nmap -sS -Pn -v -p 22,80,5000 -sV -oA outputfile.txt 13.235.95.179
22/tcp   ssh   OpenSSH
80/tcp   http  Apache httpd
5000/tcp http  Werkzeug httpd

So there are 3 services. One is SSH, but its version is not vulnerable, so the next step is to look at ports 80 and 5000 for further digging.

Challenge 1: http://13.235.95.179:80/index.html

which gives me this page:

Index page for Challenge 1

From the page source I got the path to a PHP file, gateway.php, which is linked to the alohomora button.

gateway.php looks like this:

Visiting gateway.php shows a login box. After reading that page many times and guessing, I found the wizardry.txt page.

On visiting wizardry.txt we got one username, Cloudster, and Dobby’s message for going further in the challenge.

From that we got a long encoded string, which looks like this:

0rIStbXV0rKCFbXStbXSlbKyErW11dKyghIVtdK1tdKVsrW11dXSlbKyErW10rWytbXV1dKyghW10rW10pWyErW10rIStbXV0rKCEhW10rW11bKCFbXStbXSlbK1tdXSsoIVtdK1tdKVshK1tdKyErW11dKyghW10rW10pWyshK1tdXSsoISFbXStbXSlbK1tdXV0pWyshK1tdK1srW11dXSsoISFbXStbXSlbKyErW11dXSgrWyFbXV0rKFtdK1tdKVsoIVtdK1tdKVsrW11dKyghIVtdK1tdWyghW10rW10pWytbXV0rKCFbXStbXSlbIStbXSshK1tdXS

This is a Base64-encoded string. Decoding it gave another encoded blob, this time in JSFuck, which expresses JavaScript using only the characters []()!+.

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[]

Decoding this JSFuck gave alert("id3nt1ty_card.php");, so the PHP file name is id3nt1ty_card.php.

Visiting that page shows an image of a Hogwarts identity card.

Reading the page, it says only a wizard is able to see it, so something is hidden. I thought there might be a GET parameter; since the page shows an identity card, the likely parameter names were identitycard, name, id_no and id. After some trial and error, the id parameter with ?id=1 gave a response from the web page which says:

?id=1

So I started fuzzing different values for the id parameter (a possible IDOR). At ?id=4 I got another response with an interesting message, which states:

Anyways, have a look at this before you bruteforce...zweihundertzwölf**

This weird string caught my attention. Googling showed it is just German; translated to English it is two hundred and twelve (212). Changing the id to ?id=212 gives a different response than usual:

id=212
  • Here we have x=436c3075445f53654b5f, which is the hex encoding of Cl0uD_SeK_.
  • The hint says we need to predict the password of the gateway of the realm, which is divided into 2 parts: the first is hex encoded and the second is at a URL, but a password is needed to open that Pastebin message.
  • Viewing the source, I found a hidden href element pointing to
    /images/phpcard.PNG
  • Viewing that image shows PHP code, i.e.
  • The comment in the code says we need to analyze the code and predict the password, so this password is probably for the Pastebin page that contains the 2nd part of our password.

Getting the Password for Pastebin

  • To solve this I modified the code, created a local instance and worked out how it behaves. Based on that I generated the payloads that can satisfy the conditions in the code. Here is my code:
<?php
if (array_key_exists("passphrase", $_REQUEST)) {
    // prints "1" when the loose numeric comparison passes, nothing otherwise
    echo ($_REQUEST['passphrase'] > 22) && ($_REQUEST['passphrase'] < 55);
    if (strstr($_REQUEST['passphrase'], "carbonblack") &&
        ($_REQUEST['passphrase'] > 22) && ($_REQUEST['passphrase'] < 55)) {
        echo "\nthis may be password";
    } else {
        echo "better luck next time";
    }
}
?>

By running a local instance in PHP and understanding the logic, our password has 2 parts:
1. it must contain the string carbonblack
2. it must contain a number that is > 22 and < 55 (the bounds in the code)
so we need to generate passwords that combine the string and a number.
To generate them I wrote a Python script that produces the set of payloads fulfilling these conditions.

  • This script generates passwords like 45carbonblack, carbonblack45 and carbonblack45carbonblack.
  • I ran the PHP code locally and used Burp Intruder to fuzz it; for one shape of
    password, number+carbonblack, we successfully entered the if condition.
  • So I separated out the passwords that go into the if branch of the PHP code and trigger the echo statement.
  • Then I brute-forced those passwords against the Pastebin page holding our secret;
    33carbonblack worked as the password, and we got the second part of the password for the gateway of the realm:
alert("The second part of the password: W0rK_iS_FuN");
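The generator script itself is not in this post, so the following is an added example (not the author’s script and not the CTF’s code) that models the PHP check above and filters the three candidate shapes through it. It assumes the target ran PHP 7, where a leading-numeric string such as 33carbonblack is coerced to 33 in a loose comparison and a string with no numeric prefix is coerced to 0; the number range 23..54 and the helper names are my own choices.

```python
import re

# Taken from the PHP snippet in the write-up: the passphrase must contain
# "carbonblack" and satisfy ($p > 22) && ($p < 55). The helper names are mine.
MARKER = "carbonblack"
LOW, HIGH = 22, 55

# Numeric prefix that PHP 7 extracts from a "leading-numeric" string.
LEADING_NUMBER_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)")


def php7_numeric_value(s: str) -> float:
    """Emulate how PHP 7 coerces a string when comparing it with an integer.

    "33carbonblack" becomes 33.0 (numeric prefix), while "carbonblack33" has no
    numeric prefix and becomes 0.0. This models PHP 7, which I assume the CTF
    target ran; PHP 8 compares int vs non-numeric string as strings instead.
    """
    m = LEADING_NUMBER_RE.match(s)
    return float(m.group(0)) if m else 0.0


def passes_check(passphrase: str) -> bool:
    """True when the page's PHP code would print 'this may be password'."""
    n = php7_numeric_value(passphrase)
    return MARKER in passphrase and LOW < n < HIGH


def candidates():
    """The three shapes the write-up describes, for every in-range number (assumed range)."""
    for n in range(LOW + 1, HIGH):               # 23 .. 54
        yield f"{n}{MARKER}"                     # 45carbonblack
        yield f"{MARKER}{n}"                     # carbonblack45
        yield f"{MARKER}{n}{MARKER}"             # carbonblack45carbonblack


def working_passwords():
    """Keep only candidates that enter the if branch (what Burp Intruder showed)."""
    return [c for c in candidates() if passes_check(c)]


if __name__ == "__main__":
    # Only the number+carbonblack shape survives, matching the write-up's finding.
    print("\n".join(working_passwords()))
```

The point for defenders is the loose comparison: `"33carbonblack" > 22` is true only because PHP silently converts the string, so a check like this should use `is_numeric()` and strict typing instead of comparing raw request strings with integers.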

Combining Both Parts to Get the Password for Our gateway.php

x = Cl0uD_SeK_
y = W0rK_iS_FuN
Password: Cl0uD_SeK_W0rK_iS_FuN
Username: Cloudster, from the wizardry.txt file

The previous page hinted that we should use this password for the gateway.
Entering username=Cloudster and password=Cl0uD_SeK_W0rK_iS_FuN gave us access to a new page, we1c0mE_start.php.

we1c0mE_start.php

  • Reading the page, there must be something related to the chocolate frog card image.
  • Viewing the page source, we see references to 2 images: images/cfcardbg0.png and images/cfcard.png.
  • So probably something is hidden in an image; I downloaded both for forensic analysis.
  • No hidden file is embedded in either image, but viewing the metadata with exiftool I found an interesting comment in cfcard.png:
Krasy8 unicode key 7 --> Sl}lsf8fJs7|KfzLrf^pUMsHn (Move to next key with domain:5000 port)
  • Here we have some encrypted text and a comment saying to move to the next key on port 5000.
  • Googling found the username Krasy8 on GitHub, which has a repository
    Encrypton-decryption
  • In this repo they describe encryption based on the Unicode table, which matches our comment.
  • So clone this repo and go to Encryption-Decryption/src/main/java, where the
    application is already compiled to bytecode; we just need to run the command to decrypt our flag:
java Application -mode dec -key 7 -alg unicode -data "Sl}lsf8fJs7|KfzLrf^pUMsHn"
# which gives the output
#The input is: Sl}lsf8fJs7|KfzLrf^pUMsHn
#The result is: Level_1_Cl0uD_sEk_WiNFlAg
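The input/output pair above is consistent with the "unicode" mode simply shifting every character’s code point by the key. The following is an added example, my own reimplementation rather than the Krasy8 repository’s code, that decrypts the string on that assumption and also shows why such a scheme gives no real protection: a short crib recovers the key in a handful of tries.

```python
from typing import Optional

# Values from the write-up: the comment's ciphertext and the key it names.
CIPHERTEXT = "Sl}lsf8fJs7|KfzLrf^pUMsHn"
KEY = 7


def unicode_shift(text: str, key: int, decrypt: bool = False) -> str:
    """Shift every code point by `key` (forward to encrypt, back to decrypt).

    Assumption: this is what the tool's "unicode" algorithm does; it is inferred
    from the sample in the write-up, not taken from the repository.
    """
    delta = -key if decrypt else key
    return "".join(chr(ord(c) + delta) for c in text)


def recover_key(ciphertext: str, crib: str, max_key: int = 200) -> Optional[int]:
    """Try every key up to max_key and return the first one whose output contains the crib.

    A fixed code-point shift is a Caesar cipher over the character set, so the
    key space is tiny and a known plaintext fragment is enough to find it.
    """
    for k in range(1, max_key + 1):
        if crib in unicode_shift(ciphertext, k, decrypt=True):
            return k
    return None


if __name__ == "__main__":
    print(unicode_shift(CIPHERTEXT, KEY, decrypt=True))
    print("key guessed from crib 'Level_':", recover_key(CIPHERTEXT, "Level_"))
```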

Challenge 1 is completed and the flag is Level_1_Cl0uD_sEk_WiNFlAg.

Now for the 2nd challenge: http://13.235.95.179:5000/

  • Visiting the page we get one image and the text None. Reading the image and the title, I guessed there are parameters that look like search and server.
  • So I tried the GET parameters ?server= and ?search= one by one;
    the value put into ?search=hello is reflected, as in the image below.
  • Since from the port scan and service enumeration we know this is a Python application, I thought about SSTI (server-side template
    injection) and started injecting payloads that might give an error or execute code.
  • Injected ?search={{7*7}}
    # which gives 49, meaning the template is rendering user input
  • Injected ?search={{user.name}}
    # which throws an exception and gives a long debug error message, from which we know that Jinja2 is used
  • Injected ?search={{config.items()}}
    # which returns the current configuration entries
  • Reading the configuration, there is (‘SECRET_KEY’, ‘FINAL{Nothing to hide on
    /adieu}’), which gives us a route /adieu
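The probes above leave a clear trail in the web server’s access log. As an added example (not from this post or the CTF application), here is a small detector that pulls query parameters out of Werkzeug-style request lines, flags values containing Jinja2 delimiters, and raises the severity when the value reaches for config or object internals; the log lines are constructed to mirror the requests described above, and the pattern names are mine.

```python
import re
from typing import Iterator, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed Werkzeug/Flask dev-server style access-log lines modelled on the
# probes in the write-up; they are not logs from the CTF host.
SAMPLE_LOG = """\
127.0.0.1 - - [30/Mar/2022 10:01:02] "GET /?search=hello HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2022 10:01:09] "GET /?search=%7B%7B7*7%7D%7D HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2022 10:01:15] "GET /?search=%7B%7Buser.name%7D%7D HTTP/1.1" 500 -
127.0.0.1 - - [30/Mar/2022 10:01:21] "GET /?search=%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2022 10:01:30] "GET /?server=alpha&search=term HTTP/1.1" 200 -
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Jinja2 expression/statement delimiters: a normal search term never contains these.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Names that only make sense if the input is being executed as a template.
SENSITIVE_RE = re.compile(r"\b(config|self|request|__class__|__globals__|__subclasses__)\b")

Finding = Tuple[int, int, str, str, str]   # line number, HTTP status, param, value, severity


def classify_value(value: str) -> Optional[str]:
    """Return a severity label when a decoded parameter value looks like a template probe."""
    if not TEMPLATE_SYNTAX_RE.search(value):
        return None
    if SENSITIVE_RE.search(value):
        return "high"     # reaches for app config or Python object internals
    return "medium"       # arithmetic or attribute probe such as {{7*7}}


def scan_log(text: str) -> Iterator[Finding]:
    """Yield one finding per suspicious query parameter in the log text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl URL-decodes
            severity = classify_value(value)
            if severity:
                yield line_no, int(m["status"]), param, value, severity


if __name__ == "__main__":
    for line_no, status, param, value, severity in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {severity:6} status={status} {param}={value!r}")
```

A 500 immediately following a template-syntax value (line 3 in the sample) is the same debug traceback the write-up used to fingerprint Jinja2, so it is worth alerting on. The fix on the application side is to keep user input out of the template source: render a fixed template and pass the value as a context variable (for example render_template_string("Result: {{ q }}", q=search) rather than concatenating search into the string), and run with debug mode off so the traceback and config are never exposed.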
  • Visiting /adieu we see an image containing a message. Viewing the page source, there is a hidden HTML element referencing a Git repository: https://github.com/aayush-vish/cloudSEK-CTF
  • But this URL gives a 404, which means the repo is deleted or private.
  • So maybe explore the user, aayush-vish.
  • Reviewing the user’s repositories, I found one called Git-Tutorial with a file named Hogwarts The Hacker, so this repo is probably related to the challenge. Viewing this file we got a GitHub access token, Base64 encoded:
{
"github-token-to-access-the-repo":
Z2hwX2g2c1NKdXpHbUJ1SEszM0FVMnNwT3V5WHpVMDVJeDB6OXN6c==
}
#_#Happy Hacking Hogwarts !!!!!#_#
# Decoded Token ghp_h6sSJuzGmBuHK33AU2spOuyXzU05Ix0z9sz
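A token committed to a public repository is a leak whether or not it is Base64-wrapped, and this is exactly what secret scanning is for. As an added example (not from this post), here is a scanner that finds classic GitHub personal access tokens both raw and inside long Base64 runs; the file it scans is constructed to have the same shape as the one above, and the token in it is a made-up placeholder, not the CTF’s token or a real one.

```python
import base64
import binascii
import re
from typing import Iterator, List, Tuple

# Classic GitHub token shapes: prefix ghp_/gho_/ghu_/ghs_/ghr_ plus 36 alphanumerics.
GITHUB_PAT_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
# Base64 runs long enough to hold a whole 40-character token (54+ characters).
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{52,}={0,2}")

# Constructed placeholder, deliberately not a valid credential.
PLACEHOLDER_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
# Constructed file mirroring the layout of the one found in the write-up.
SAMPLE_FILE = (
    '{\n"github-token-to-access-the-repo":\n'
    + base64.b64encode(PLACEHOLDER_TOKEN.encode()).decode()
    + "\n}\n#_#Happy Hacking Hogwarts !!!!!#_#\n"
)


def _decode_base64_runs(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (run, decoded_text) for every long Base64 run that decodes to ASCII."""
    for run in BASE64_RUN_RE.findall(text):
        padded = run + "=" * (-len(run) % 4)          # repair missing padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        yield run, decoded


def find_github_tokens(text: str) -> List[Tuple[str, str]]:
    """Return [(token, "raw" | "base64")] for every token found in the text."""
    hits = [(t, "raw") for t in GITHUB_PAT_RE.findall(text)]
    for _run, decoded in _decode_base64_runs(text):
        hits += [(t, "base64") for t in GITHUB_PAT_RE.findall(decoded)]
    return hits


if __name__ == "__main__":
    for token, encoding in find_github_tokens(SAMPLE_FILE):
        print(f"{encoding:6} {token[:8]}...")          # never print the whole secret
```

Encoding a secret does not hide it from anyone who reads the repository, so the right response to a hit is to revoke the token and rotate it, not to remove the commit, since the value remains in history. Fine-grained tokens use a different prefix and length, so a production scanner needs additional patterns.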
  • Since we have a GitHub access token, and the previous repository may be private (we cannot see it publicly), I was able to clone the whole repository with the token:
git clone https://ghp_h6sSJuzGmBuHK33AU2spOuyXzU05Ix0z9sz:x-oauth-basic@github.com/aayush-vish/cloudSEK-CTF.git
  • Now we have access to the CTF’s private repository. Reading README.md we got the message:
# cloudSEK-CTF
### This is the repository you need to visit to solve the CTF. Try your RECON TECHNIQUES.
  • Using some recon, I looked at the commit log with git log and found that some files had been updated.
  • Then I used Visual Studio Code with the Git extension to explore the repository.
    Browsing the branches, I saw a commit in xvifli_pages list.lst; comparing the old and new file, git highlighted what changed from the previous version, on line 4552:
  • The text changed from CTF{congratulation}} to
    CTF{Congratulations_Level02_Completed}
    So finally I got the 2nd flag as well.

Flag2: CTF{Congratulations_Level02_Completed}

That’s it.

Thank you for reading my write-up. Since this is my first write-up, I apologize for any mistakes, and thank you again.

You can follow me on Twitter: DK_9510

Written by Dishant

Security Enthusiast, CTF Player, Penetration Tester , BugHunter , Computer Engineering Student
