Winja CTF x Nullcon x c0c0n 2020

Nitesh Surana
8 min readSep 19, 2020

--

Hello World! I participated in the c0c0n Winja CTF 2020 sponsored by Nullcon on a fine Saturday afternoon, and below is a writeup of the challenges I solved (and some I forgot to submit).

Much thanks to amazing organizers at Winja, Nullcon and c0c0n for the fast paced challenges, it was very refreshing! :)

Yolo so went solo :p

The challenges touched the following domains:

Web, Steganography, OSINT, PCAP Packet Analysis, Weak Password Exploitation, Well-known Vulnerable Application Exploitation, Esoteric Language and Obfuscation, Reverse Engineering, Source Code Review to name a few.

Challenges were divided into 4 sections L1,L2,L3 and L4, in an increasing order of difficulty.

  1. ZIPBOMB — Weak Passwords:

Let’s face it: Almost everyone has done this at some point in their lives; keeping ‘password’ as the password itself.

‘/usr/share/wordlists/rockyou.txt.gz’ is the wordlist generally used for CTFs and here’s the story associated with it by the awesome Jack Rhysider from Darknet Diaries.

The files have been nested in this way:

myfile -> file.tar.gz -> file.gz -> flag.txt [protected]

fcrackzip -uD -p rockyou.txt file.zip

fcrackzip cracks the correct password from the ‘rockyou.txt’ wordlist, which is ‘pass123’ and we can get the flag as flag{n0t_as_g0od_as_middl3_Ou1_righ1}

2. F@#$ YOUR MIND — Esoteric Language + Obfuscation

Contents of file.txt

At first, this looks like the esoteric language called ‘BrainF**k’, but this is all the more advanced Javascript Obfuscation.

You can use online tools like Obfuscated JS Decoder to decode the contents of file.txt and you get the flag as —

flag{cr@zy-e50t3r1c-l@ngu@g3_ejsSoOM7bh_MyNameIsDrLeamas}

Many times such obfuscation is seen in real world attacks where attackers obfuscated malicious payloads using such techniques to evade/bypass various types of detection mechanisms. Many AVs and EDRs depend on the strings in a file to classify it as malicious. Give this a read :)

3. FTP FTW — Software with known vulnerability:

We are given an OVA appliance ‘ftp.ova’ and we need to fetch the flag from the machine. Importing and firing it up on Virtualbox, we are prompted with a login session:

Now after trying some trivial passwords such as admin:admin, root:toor, winja:winja we perform a port scan with the default scripts enabled using our favorite nmap, so that if the signatures of the services being run are present in the database of known signatures of nmap, we can look for vulnerable versions of the services being run.

But, before that, I need the IP Address of the VM. So, I do a quick scan on my private IP Range since the VM is on Bridged Mode.

Now, I perform a full port scan (just to be sure as there might be rabbit holes), enumerating all the possible ports from 0–65535.

Now, ProFTPD 1.3.3c suffers from a Backdoor Command Execution and there is an available module on Metasploit Framework (which is an arsenal of tools/exploits/shellcodes and what not) [I did a beginner friendly presentation on this at Null/OWASP Bangalore Meetup :) ]

Firing up Metasploit Framework, I look for ProFTPD using:

search ProFTPD

Now, that I have an exploit, I need to plug-in the right set of parameters and payload. In our case, we only need the IP Address of the victim machine.

We do a

set RHOSTS 192.168.1.12

Now, we are almost done but we have the payload missing. We first see the list of payloads and we choose cmd/unix/reverse_perl and configure the options as:

Now, we are ready to try and see if that works or not.

So, we hit:

Except the exclamation ofcourse :)
We have a root shell on the VM!

Hence, we have the flag which was there in the root directory. This is one of the classic examples to begin with while using Metasploit Framework.
Hence the flag is flag{backdoor_rces_are_terrifying_arent_they}

4. Trader’s Gambit 1 — Web:

Navigating to the website, we are greeted with a login form.

I tried some default credentials (I just love them) which didn’t work. Then I went for the most classic SQL injection and GG.

And, we have the first flag:

However, I couldn’t find the second flag on checking the source code and other assets, so I moved onto the next challenge.

5. Risk Aversion and Liar Liar

Liar Liar!

We see base64 encoded data in the file and we decode it in the following format:

Base64 encoded string -> Hex string -> ASCII

Hence we get the flag as: flag{8su3nsh_HONESTY_is_the_Best_Policy}

For this challenge, all we had to do was ‘cat’ on Linux or ‘more’ on Windows to get the flag as: flag{QKHek1Oblm_MrGrinnyWouldLikeToCongratulateYou}

6. #APictureSaysItAll — OSINT Challenge:

We head onto Twitter to see if any sort of information has been shared in the form of text, images, links, accounts being followed etc. We come across the Google Drive link and download the image (with no interesting exif metadata):

And the Instagram Link from the following Twitter Account :

With a public profile with just one upload:

However, the password was not very readable. So I did the most hacker thing, ever.

Yes, I inspected the elements on the page to find the picture.

“…after all, we’re all alike” ~ The Mentor

Here we can see in the img tag the text contained in the image. But that’s not enough to assure a password. However, the second link gives the clear picture.

Now, we have a JPEG image and a password. Had it been the case we had an email address, that would be worth checking but for now, steghide can be used since we have a passphrase.

steghide extract -sf img.jpeg

This was a nice challenge as sometimes, people tend to leak out information out in the wild, not even knowing that they are vulnerable. There is a recent article on what went down with former Australian Prime Minister in a similar context. One should be careful/conscious of the information being put out.

7. Jump the Shark! — PCAP Analysis:

In the PCAP file, we are given TCP Streams in which someone is trying out a password bruteforce on a webapp. A normal failed attempt looks like:

In case of a failed login, we get ‘invalid’ in the response. So, there must be some sequence for which we have a non ‘invalid’ response. The length of the packets are also the same for all the responses, so that parameter cannot be taken into finding the needle in the haystack.

Another way can be by using plain strings:

Now, the flag was not accepted in the first go. Well, the flag required one last decoding from Hex to ASCII.
Hence, the flag is: flag{alWd2mxA7TCtD_TheyWorkedForKorla}

8. Assembling it All Together 1 — Web:

Upon visiting the link, we see a login panel.

While trying to login as ‘admin’, we get this popup:

Digging more into the source code from where this popup originated, we find the function which shows the Admin Password and there we have the flag.

Hence, the flag is flag{b3c4m3r00t_n7hf298ncq38h_OnTheVergeOfEscape}

That’s it folks! Thank you for reading the write-up and I hope some of it made sense :)

If you find any discrepancies in the write-up or you feel I missed out on something, feel free to share. Stay safe!

--

--