Set Solutions Cyber CTF Write-up

Pranav Gadekar
14 min read · Nov 8, 2020


Hello guys, my name is Pranav Gadekar, AKA Zedd and here I am with my first write-up about the Capture The Flag competition that was hosted by Set Solutions (@setsolutionsinc). I hope you get to know something new from this one.

Capture The Flag

This was a 4-week event and I learned a lot of new things. Each week new challenges were added and winners were decided on a weekly basis.
So, without further ado, let us get to the interesting part.

Week 1:

1. Data about data (5 Points):
Provided: Image metadata.jpg (Embedded in the challenge prompt itself.)
Description: No description provided.

We were given an image in the challenge description itself, so the idea was to check the metadata of that image to find the flag.
I used an online service provided by this website for viewing the metadata for the uploaded image. In that metadata, there was a flag that we had to submit to score the points.

2. Hidden in Plain Sight (10 Points):
Provided: Image File => xmasstory.png (Embedded in the challenge prompt itself.)
Description: No description provided.

Here, the flag was embedded into the PNG file using steganography and we had to get it out.
We will be using Steghide to solve this challenge.

$ steghide extract -sf xmasstory.png

This will give us the flag that we can submit to complete the challenge and get the points.

3. Serialized Data (15 Points):
Provided: File => soSerial.bin
Description: This one is going to be a real pickle…

From the challenge description, it was clear that we had to work with the Python pickle file. Pickle is a Python module that is used to serialize and de-serialize the Python objects. You can find more information about it here.

We have to use the pickle.load() function to reconstruct the original object and thereby get the flag. Keep in mind that unpickling runs whatever callables the stream names, so a pickle from an untrusted source should be inspected before it is loaded.
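The following is an added example (not code from the original post) showing how to audit a pickle stream with pickletools before loading it, and how to load it with an unpickler that refuses to resolve globals. The sample pickles are constructed in the block; they are not the challenge file.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle invoke callables. A stream without any of these can
# only build plain data (str, bytes, int, list, dict, ...).
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything, so no code can be invoked."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

def audit_pickle(data: bytes) -> list:
    """List the code-invoking opcodes in a pickle stream without executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPCODES]

def safe_load(data: bytes):
    """Load a pickle only if the audit finds no code-invoking opcodes."""
    bad = audit_pickle(data)
    if bad:
        raise ValueError(f"pickle contains code-invoking opcodes: {sorted(set(bad))}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed stand-in for soSerial.bin: a plain dict holding a made-up flag.
SAMPLE_PICKLE = pickle.dumps({"flag": "FLAG{constructed_sample}"})

# Constructed illustration of the risk: an object whose __reduce__ tells the
# unpickler to call a function (here a harmless print) during load().
class _Reducer:
    def __reduce__(self):
        return (print, ("this would run inside pickle.load()",))

MALICIOUS_PICKLE = pickle.dumps(_Reducer())

if __name__ == "__main__":
    print(safe_load(SAMPLE_PICKLE))
    print("dangerous opcodes:", audit_pickle(MALICIOUS_PICKLE))
```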

4. Zipped Away (20 Points):
Provided: Zip File => confidential.zip
Description: It's in the zip file…

We were provided a password-protected zip file along with the challenge description, so we had to brute-force that password to open the archive and get the flag stored in the file inside it. In this case too I decided to go with online tools, and I found a website that recovers the passwords of protected zip files. After it found the password, we can use it to unzip the archive and read the flag file stored inside.

5. Anonymize Me (30 Points) (Not Solved):
Provided: A link to the web application.
Description: How do they do it???
Hint: You will need to exploit the RCE vulnerability in the API call to read the flag which is hard-coded in the Lambda source code.

The idea here was that we were given a web application that took a website URL as input from the user; the application would then visit that site on behalf of the user and display the contents of the website.
One of the hints provided stated that we have to exploit an RCE vulnerability to read the flag stored in the lambda source code.
I tried many different approaches for this challenge, but I could not figure out how to get the flag out of the source code. So, in the end, I had to leave this challenge unsolved.

Week 2:

1. Initial Access (5 Points):
Provided: Image with the text “Use the Source.” and A link to the web application.
Description:
** Automated brute forcing and/or fuzzing is prohibited and will result in your account being banned **

From the Description of the challenge, it is clear that the challenge is not about brute-forcing the username and password. Also, the image embedded in the challenge prompt says “Use the Source”, so there must be something hidden in the source code of the challenge webpage. On examining it, there is a username and a password stored in the comments.

Username : vluna
Password : My5up3rS3cur3Pa55w0rd123

Use it to log in to the application and on successful login, you will get your flag.

2. Needle in a Haystack (15 Points):
Provided: CSV File => needle-n-haystack.csv
Description:
A common tactic in threat hunting is binary frequency analysis. High-frequency file hashes are likely to be legitimate files (unless you’ve got an already out-of-control worm problem). Unique files (that are not seen elsewhere in the network) are more likely to pose a threat.
The attached CSV file contains a list of unique instances of different binary files across the network (represented by their MD5 hash checksums). Can you identify the workstation name that corresponds to the MD5 hash of the file that only appears one-time on the network?

We were given the Workstation ID and the Binary Hash related to that workstation, and we had to find the workstation ID that corresponds to the binary hash that appears only once in the given file.
So for this, I used the following command:

$ cat needle-n-haystack.csv | cut -d',' -f2 | sort | uniq -u

Here we output the contents of the needle-n-haystack file, cut out the second column to get the hashes, sort them and keep only the hash that appears exactly once using 'uniq -u' (which needs sorted input, hence the sort).
Once we get the hash, we need to find the Workstation ID that corresponds to that hash value. For that we will use

$ cat needle-n-haystack.csv | grep "e357ae71cc9c8b30dc7e40df9048065b"

The grep command will find the lines that contain this hash and print them on the screen.
After that we need to submit that Workstation ID to complete the challenge.
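The same binary-frequency analysis as a script, added here as an example (not part of the original post). It assumes a header with columns named workstation and md5, and it generalizes the one-liner slightly by letting you ask for hashes seen on at most N hosts rather than exactly one. The CSV rows and hash values are constructed, not the challenge data.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for needle-n-haystack.csv; the digests are made up.
SAMPLE_CSV = """workstation,md5
WS-001,0123456789abcdef0123456789abcdef
WS-002,0123456789abcdef0123456789abcdef
WS-003,fedcba9876543210fedcba9876543210
WS-004,0123456789abcdef0123456789abcdef
WS-005,fedcba9876543210fedcba9876543210
WS-006,00000000000000000000000000000001
"""

def _rows(csv_text: str):
    """Yield (workstation, normalized hash) pairs, ignoring the header."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["workstation"].strip(), row["md5"].strip().lower()

def hash_frequencies(csv_text: str) -> Counter:
    """How many workstations each binary hash was observed on."""
    return Counter(digest for _host, digest in _rows(csv_text))

def rare_hosts(csv_text: str, max_seen: int = 1) -> list:
    """(workstation, hash) pairs whose hash appears on at most max_seen hosts.
    max_seen=1 is the challenge's 'seen only once' condition."""
    freq = hash_frequencies(csv_text)
    return [(host, digest) for host, digest in _rows(csv_text)
            if freq[digest] <= max_seen]

if __name__ == "__main__":
    for host, digest in rare_hosts(SAMPLE_CSV):
        print(f"{host}: {digest} (seen once on the network)")
```

Unlike the shell pipeline, this skips the header line, which `uniq -u` would otherwise report as one more "unique" value.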

3. TXT (20 Points):
Provided: 5196.info
Description: 5196.info and “A Matter of Record” in an image.

In this, we are given a domain record and the challenge title says TXT, so it must have something to do with the TXT record for the domain.
But before that we will check the ANY records for the given domain.

$ dig ANY 5196.info

In the ANSWER section there is a mention of RFC 8482. We will come back to it later.

First we will check the TXT record for the given domain.

$ dig TXT 5196.info

Here in the ANSWER section, we will get the flag.

Now onto RFC 8482. According to the official document, it is about “Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY”. Here is the RFC itself and a Cloudflare blog post to clear things up a little further:
https://tools.ietf.org/html/rfc8482
https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

4. Photographer (25 Points) (Not Solved):
Provided: Pcap File => portfolio.pcap
Description: An image of monkey holding a camera ;)

We were provided with a PCAP file, which is a packet capture file created by Wireshark. The challenge title was ‘Photographer’, so it was clear that we had to work with some kind of image file captured in transit.
There are different ways to open pcap files: in Wireshark, with Tshark (the command-line version of Wireshark), or with the tcpdump utility; there are also many online tools that open them without the need to download anything.
After opening that file, you can find that there were some captured images present in that file, one of them being flag.jpg.
After finding that flag file, I spent quite a good amount of time in trying to get the flag out of that. Unfortunately, I was unable to solve this one, maybe I was missing some minute detail.

5. Confused Deputy DevOps (30 Points) (Not Solved):
Provided: A link to the web application.
Description:
Alicia is developing a new app. It also looks like there is an admin interface here.
Not sure if there is enough attack surface to break in from the app alone. But perhaps you can find a way to get administrator privilege by sending a phishing email to Alicia.
They say that humans are the weakest link in the security chain. And besides, Alicia is always checking her email and often clicks on hyperlinks that are sent to her.

Here we have a web application that has mainly 2 functionalities: a page that greets the user and an admin page where the flag is hidden. We need to authenticate as an admin to get the flag.
On the first glance, we can see that the first page takes a query parameter called username from the URL and the value passed in that parameter is directly returned in the page source. So, it is an obvious choice for the Cross-Site Scripting vulnerability (XSS) and indeed, that page is vulnerable to an XSS attack. Now, we need to use that XSS vulnerability to make an admin send her cookies to us, and then we can use those cookies to authenticate as an admin and get the flag.

Unfortunately, I could not get that XSS to send her cookies to us: I was getting blocked by something called Cross-Origin Read Blocking (CORB). It is a browser security feature that blocks certain cross-origin responses, so in a nutshell, it was blocking the cookie that was being sent.
In the end, after many tries, I moved on to the next challenge keeping it unsolved, but I got to learn a lot of new things.

Week 3:

1. SSHout Out (5 Points):
Provided: Nothing is needed.
Description: Give a SSHout out to ssh0wcase.pan0pt1c0n.net on the 222!

This was a basic challenge where all we have to do is to ssh onto the ssh0wcase.pan0pt1c0n.net server on port 222 and the flag will be provided to us in the SSH banner.

2. Privilege Escalation (10 Points):
Provided: A link to the web application.
Description:
You are logged into an unprivileged user account on the app. See if you can figure out how to give yourself an upgrade and become an administrator on the app.

We were provided a link to the web application where we were logged in as the user with basic privileges, and we had to become an admin to get the flag.
So, first we start tinkering with the application. If you click on update profile, it makes a POST request to the backend server, and if you look closely at the request, there is a parameter ‘isAdmin=false’ being passed to the server. If that parameter is not validated at the backend, we can change the value to true to see if we become an administrator, and it did work. As soon as you escalate your privileges to administrator, you are presented with the flag.
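To show why the isAdmin trick worked and what the fix looks like, here is an added example (not the challenge's code): a mass-assignment profile handler next to a hardened one that copies only allow-listed fields and treats the server-side role as the source of truth. The user table and field names are constructed assumptions.

```python
def make_users() -> dict:
    """Constructed user table; the stored isAdmin flag is the server's source of truth."""
    return {"alice": {"displayName": "Alice", "isAdmin": False}}

def update_profile_vulnerable(users: dict, session_user: str, form: dict) -> dict:
    """Mass assignment: every posted field, isAdmin included, lands on the record.
    This is the pattern the challenge exploited by posting isAdmin=true."""
    user = users[session_user]
    for key, value in form.items():
        user[key] = str(value).lower() == "true" if key == "isAdmin" else value
    return user

# Fields an unprivileged user may change about themselves.
SELF_EDITABLE = {"displayName"}

def update_profile_hardened(users: dict, session_user: str, form: dict) -> dict:
    """Copy only allow-listed fields; the role is never taken from the request body."""
    user = users[session_user]
    for key in SELF_EDITABLE & set(form):
        user[key] = form[key]
    rejected = sorted(set(form) - SELF_EDITABLE)
    if rejected:
        # Worth logging and alerting on: a client posting isAdmin is tampering.
        print(f"audit: {session_user} posted non-editable fields {rejected}")
    return user

if __name__ == "__main__":
    form = {"displayName": "A.", "isAdmin": "true"}
    print(update_profile_vulnerable(make_users(), "alice", form))
    print(update_profile_hardened(make_users(), "alice", form))
```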

3. “Big Time” (15 Points):
Provided: Zip File => credential.zip containing passwd.txt and shadow.txt
Description:
Your name is Michael Bolton, and your company (Initech) really needs to start treating their engineers better. They don’t understand. You could come up with a program that could rip that place off big time…BIG TIME!

Unfortunately, it looks like one of those pesky security guys may have caught onto your plan and has changed the password on your account. But thanks to an unrestricted NFS mount point on the root directory, you have a copy of the credential files from the server. See if you can get the password for the michael.bolton account.

The challenge provided us with the credential.zip file which, on unzipping, gave us the passwd.txt and shadow.txt files. On checking these 2 files, it was clear that they are copies of the /etc/passwd and /etc/shadow files found on Linux and other Unix-like systems. So now we have to crack the hash of the password for the user Michael Bolton to complete the challenge.

So, there are different approaches that we can try, the first being to check that hash on some of the popular hash cracker websites, like crackstation.net. This approach did not work in this case. Another way is to use the widely used password cracking tools JohnTheRipper or Hashcat.
In this case, we will use JohnTheRipper to crack the password. For John to work on this file, we need to combine the passwd and shadow files into one file. There is a command called ‘unshadow’ that will do this task for us.

$ unshadow passwd shadow > crack_this_john.txt

Here the unshadowed, i.e. the combined, contents will be stored in the crack_this_john.txt file.
Now, we will need some kind of dictionary for brute-forcing. We will be using the rockyou.txt wordlist that comes preloaded with most Linux security distributions, or else it can also be downloaded from here.

Now, we will pass the unshadowed file and the wordlist file to John to try and crack the password.

$ john crack_this_john.txt --wordlist=/usr/share/wordlists/rockyou.txt

Let John run for some time, and it will crack the password. Submit that password to complete the challenge.

4. Ride the WAVs (20 Points):
Provided: Audio File => ReadySetSecure.wav
Description: No Description Provided.

This challenge provided us with a WAV file. So, we will start with the obvious things, like steganography. I tried using Steghide on this file to get the data embedded in it, but it did not succeed.

$ steghide extract -sf ReadySetSecure.wav

So, I started to check if there are any other tools available that can work with WAV files. After some research, I came across this repository. It had various tools that can be of great use while solving Steganography challenges. Among those tools, there was a tool called Wavsteg that is used to hide a file in a .wav file using least significant bit steganography.

$ stegolsb wavsteg -r -i ReadySetSecure.wav -o output.txt -n 2 -b 100

where -r specifies that we want to recover the hidden data, -i is given the input WAV file to work with, -o names the file the output will be stored in (output.txt), -n specifies the number of LSBs to use and -b specifies the number of bytes to recover.

On running the above command, output.txt file will be created, which will give us the flag.
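To make the -n and -b parameters concrete, here is an added example (not code from the original post or from the stego-lsb project) that hides and recovers a payload in the low bits of 16-bit PCM samples using only the standard library. The bit ordering (payload bits MSB first, samples in order) is my own convention and is not guaranteed to match wavsteg's; the carrier and payload are constructed.

```python
import io
import math
import wave
from array import array

def _read_samples(wav_bytes: bytes):
    """Return (params, array of signed 16-bit samples) from an in-memory WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        params = w.getparams()
        samples = array("h")
        samples.frombytes(w.readframes(w.getnframes()))
    return params, samples

def _write_samples(params, samples: array) -> bytes:
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(samples.tobytes())
    return out.getvalue()

def lsb_hide(wav_bytes: bytes, payload: bytes, n_lsb: int = 2) -> bytes:
    """Store payload bits (MSB first) in the n_lsb lowest bits of consecutive samples."""
    params, samples = _read_samples(wav_bytes)
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(samples) * n_lsb:
        raise ValueError("payload does not fit in the carrier")
    keep = 0xFFFF ^ ((1 << n_lsb) - 1)            # clears the n_lsb low bits
    for idx, i in enumerate(range(0, len(bits), n_lsb)):
        chunk = int(bits[i:i + n_lsb].ljust(n_lsb, "0"), 2)
        u = (samples[idx] & 0xFFFF & keep) | chunk  # work on the unsigned view
        samples[idx] = u - 0x10000 if u >= 0x8000 else u
    return _write_samples(params, samples)

def lsb_recover(wav_bytes: bytes, num_bytes: int, n_lsb: int = 2) -> bytes:
    """Read num_bytes back out of the n_lsb lowest bits (the -b and -n of wavsteg)."""
    _params, samples = _read_samples(wav_bytes)
    needed = num_bytes * 8
    count = -(-needed // n_lsb)                   # samples needed, rounded up
    bits = "".join(f"{s & ((1 << n_lsb) - 1):0{n_lsb}b}" for s in samples[:count])
    return int(bits[:needed], 2).to_bytes(num_bytes, "big")

def make_carrier(n_samples: int = 4000, rate: int = 8000) -> bytes:
    """Constructed carrier: a mono 16-bit 440 Hz tone standing in for ReadySetSecure.wav."""
    tone = array("h", (int(12000 * math.sin(2 * math.pi * 440 * i / rate))
                       for i in range(n_samples)))
    return _write_samples((1, 2, rate, n_samples, "NONE", "not compressed"), tone)

PAYLOAD = b"FLAG{constructed_sample}"   # constructed, not the challenge flag

if __name__ == "__main__":
    stego = lsb_hide(make_carrier(), PAYLOAD, n_lsb=2)
    print(lsb_recover(stego, len(PAYLOAD), n_lsb=2))
```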

5. Head Basher (25 Points):
Provided: File => README.md
Description: No Description Provided.
Hint: Maybe just run the file contents in Bash? ¯\_(ツ)_/¯ What’s the worst that could happen???

We were given a README file which looked like complete gibberish, so it took me quite a long time to realize how to solve this one. My thinking was that maybe they were trying to say ‘Bash Header’, like the shebang line that provides the path to the interpreter that should run the file.

So after some obstacles, I checked the hint provided, and indeed my thinking was right. We have to run this file as a bash file to get the flag.

$ bash README.md

Week 4:

Week 4 was the best week for me in the complete competition, as I was able to solve all the challenges this week.

1. Insecure Authentication (5 Points):
Provided: Text File => basicRequest.txt
Description:
A shared workstation has been observed making insecure authentication requests to a web service. Because this is a shared workstation, we need to determine what user account is connecting to the secure web-service. Review the attached web request and attempt to determine the user account.

We are given a text file, which turns out to be a web request made to some server. There in that request, there is an Authorization header which uses the Basic authorization with some value which seems to be a base64-encoded string. On decoding that string, you get ‘bill.lumbergh:7oZjibW2LcxmnfSE2hDThLmBZR28w8fj’ where bill.lumbergh is the username for that user. We supply that as a flag and we will get the points.

2. Yo Dawg Encoding (10 Points):
Provided: File => base64x32
Description:
Xzibit has taken your flag and Base64 encoded it 32 times over. If you value your time, you might want to consider some automation to unwrap this one…

The idea behind this challenge was not to do this process by hand, as it will take a lot of time. Instead, we should create a script that can perform this faster and will save us a lot of time.

This can be done in Bash by using the for loop which will decode the string repeatedly for the 32 times, and at the end of that loop, you will get your flag.
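An added example of that automation in Python rather than Bash (not code from the original post): it peels Base64 layers until the content is no longer valid Base64 or the 32-layer cap is reached. The 32-times-encoded input is constructed inside the block; it is not the challenge file.

```python
import base64
import binascii

def peel_base64(data: bytes, max_layers: int = 32) -> tuple:
    """Strip nested Base64 layers until decoding fails or max_layers is reached.
    Returns (innermost_bytes, layers_removed)."""
    layers = 0
    while layers < max_layers:
        candidate = b"".join(data.split())      # tolerate wrapped lines
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break                               # not Base64 any more: done
        if not decoded:
            break
        data, layers = decoded, layers + 1
    return data, layers

def wrap_base64(data: bytes, layers: int) -> bytes:
    """Constructed helper that builds an N-times-encoded sample like base64x32."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data

SAMPLE = wrap_base64(b"FLAG{constructed_sample}", 32)   # constructed input

if __name__ == "__main__":
    flag, layers = peel_base64(SAMPLE)
    print(layers, flag)
```

The cap matters: a plaintext that happens to be valid Base64 (letters and digits only) would otherwise be decoded one layer too far.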

3. Deep Thought (15 Points):
Description: You can interface with Deep Thought at 18.206.232.111 on TCP port 31337.

This was an OSINT kind of challenge. Here, we were given an IP address and a port number to connect to.
We will use Netcat for that:

$ nc 18.206.232.111 31337

On connecting, it printed out a banner and a question was presented which had to be answered to get a flag, with the question being “What is the Answer to the Ultimate Question of Life, the Universe, and Everything???”

I tried some answers that came to mind, but that obviously did not work. So, I searched on Google, and it turned out to be a joke from Douglas Adams’s 1979 novel, The Hitchhiker’s Guide to the Galaxy, whose answer is 42.
You type 42 as an answer and it will give you the flag.

4. 16th Century Crypto (20 Points):
Provided: The image FrenchDude.jpg embedded in the challenge prompt, which by the way, is the photograph of Blaise de Vigenère, who is known for the Vigenère cipher.
Description:
We have the ciphertext…
EpwvzanieGckfyyvfNctiplXfin
…but we don’t have the key.
The flag is the clear-text.

Here, from the image that has been added into the challenge prompt, it is clear that the Vigenère Cipher has been used to encode the flag. So, we need to decode it to get the flag.

There are some excellent services available online that can be used to decode the Vigenère Cipher, one of which is https://www.decode.fr. We will provide the encoded string there and select the option of ‘Automatic Decryption’ as we do not know the key that was used during encryption. So, the application will try to determine the key automatically, and will provide all the possible results to us, from which we need to select the one which looks most appropriate.
In this case, the string was “DecryptedVigenereCipherText”, which we can submit to complete the challenge.
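As a check on the automatic decryption, here is an added example (not code from the original post) that recovers the Vigenère key from the ciphertext/plaintext pair given above and re-derives the plaintext with it; the ciphertext and the reported flag are the page's, everything else is my own code.

```python
import string

ALPHA = string.ascii_uppercase

def shift_stream(ciphertext: str, plaintext: str) -> str:
    """Per-letter key shifts, as letters, implied by a ciphertext/plaintext pair."""
    pairs = [(c, p) for c, p in zip(ciphertext, plaintext) if c.isalpha() and p.isalpha()]
    return "".join(ALPHA[(ALPHA.index(c.upper()) - ALPHA.index(p.upper())) % 26]
                   for c, p in pairs)

def shortest_period(stream: str) -> str:
    """Shortest repeating unit of the shift stream, i.e. the Vigenère key."""
    for length in range(1, len(stream) + 1):
        unit = stream[:length]
        if all(stream[i] == unit[i % length] for i in range(len(stream))):
            return unit
    return stream

def recover_key(ciphertext: str, plaintext: str) -> str:
    return shortest_period(shift_stream(ciphertext, plaintext))

def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Encrypt or decrypt, keeping letter case; the key advances on letters only."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[k % len(key)].upper())
        base = ord("A") if ch.isupper() else ord("a")
        sign = -1 if decrypt else 1
        out.append(chr((ord(ch) - base + sign * shift) % 26 + base))
        k += 1
    return "".join(out)

CIPHERTEXT = "EpwvzanieGckfyyvfNctiplXfin"   # from the challenge prompt
PLAINTEXT = "DecryptedVigenereCipherText"   # the flag reported above

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, PLAINTEXT)
    print(key, vigenere(CIPHERTEXT, key, decrypt=True))
```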

5. Bucket Diving (25 Points):
Provided: apiUser.config
Description: Don’t keep all your eggs in one bucket!

We were given a config file which contained an ‘Access key Id’ and a ‘Secret Access key’. The Access key Id starts with ‘AKIA’, so it is an access key for an AWS account.

To use it, you will need to have the AWS CLI installed. There, type aws configure and it will ask you for the ‘AWS Access Key ID’ and ‘AWS Secret Access Key’.
After providing the given keys, I used aws s3 ls to list the S3 buckets associated with that key. There I found a bucket which was surely the one we were looking for. On further listing the contents of that bucket, there is a file called flag.txt. Now we just need to copy that file from the bucket to our local machine and read it to get the flag.
For this purpose, we can use

$ aws s3 cp s3://<bucket_name>/flag.txt .

and then read the flag.txt file to get the flag.

6. Hard Coded (30 Points):
Provided: Text File => web_request.txt and PowerShell Script => encrypt.ps1
Description:
We are attempting to understand the C2 communication patterns of a malware sample. The sample uses PowerShell to routinely beacon out every 5 seconds with an HTTPS request. Although the requests have been intercepted and decrypted by the network proxy, the malware is also performing application-layer encryption of the HTTP POST request data. Fortunately, we found a hardcoded key and the encryption function that the malicious code is using to encrypt the data (encrypt.ps1). We’ve attached an encrypted web request (web_request.txt). See if you can decrypt the HTTP POST data and let me know what it says?

If we check out the web_request.txt file, it is a capture of a request made to some server, but the POST data in the request has been encrypted, so we need to figure out a way to decode that data.
Let us check the encrypt.ps1 script.
It is a Windows PowerShell script, and it uses a key that is hardcoded into the script to encrypt the POST data. So, we will need a script that decrypts that data when given the same key that was used for the encryption.

So, I did some research online and came across this post. We can use the decryption script provided there with some modifications, and after running that script in PowerShell, you will get the flag.

So, overall this was a great learning experience for me. Also, I was in the top 10 of the final leaderboard. Although there were some challenges that took me some time to solve, I like to think that my overall performance was good.

Now I think this is enough for one post. If you have any questions or you want to say something, you can always hit me up on Twitter at @PranavGadekar9. Until next time.
