Cyber Security Analyst challenge #2: CTF Walkthrough

Pratham Mittal
5 min read · Oct 15, 2020

Introduction
Today we are going to crack a vulnerable web challenge created by CloudSEK and its team. It is a Capture the Flag type of challenge with one flag, which becomes accessible after decoding an image we obtain during the challenge; the submission form link is a second capture of the same kind, reached by decoding the image we get while capturing the flag. It was an intermediate-level challenge that made me think and rework my approach a few times. It is a good example that enumeration and harder thinking are the key to success (the flag and the form link, in our case); the flag cannot be captured without proper enumeration and hard thinking.

Penetration Testing Methodology

Enumeration
Nmap, View Page Source

Exploiting
Hex decoder, CrackStation, jwt.io, Base64 encode/decode

Privilege Escalation
cURL, Compress-or-die.com, Steghide

Capture the flag

Capture form link

Walkthrough

Enumeration
Since we have the HTTP service running on the given IP, let's take a look at the hosted webpage.
http://54.244.19.42/

There was a Secure Login webpage. It required a Username and Password, and finding those credentials was basically our first challenge. So we checked its page source, and yes, we found something interesting, as shown below.

Exploitation

After analyzing the code, we found that the login page only requires the Password to log in, not the Username, and that the Password is the combination of the encoded strings x and z.

We decoded z = jeniffer

We decoded x = CloudSEK_

So, our combined Password became CloudSEK_jeniffer

So we were finally able to log in to the webpage, but the game is not over: the next challenge is to find the secret.txt file, as shown below.

The URL marked above is nothing but the location we had already seen in the page source, which only told us that the Password alone is required to log in.

Now we have to find the secret.txt file shown above. The hint also points to the home directory on Jared's machine, and we know that in Linux the home directory path looks like ../home/Jared/secret.txt. I tried to access this directly, but it didn't work. Then I ran Nmap on the given IP and found robots.txt as an interesting file.

I accessed the robots.txt file and found two entries in it; the second one worked for me.

This asked me to send a POST request, but our first aim is to reach the secret.txt file, because we need the access token that is then used to send the POST request, as shown above.

So I researched and found that this page has an LFI (Local File Inclusion) vulnerability, i.e. it can be made to read local files from the server's filesystem, which is exactly what we needed to reach secret.txt. So I tried:

http://54.244.19.42/dev/login.php?file=../../../home/jared/secret.txt

It also asked me to make a POST request, and I was not able to find the access token, so I thought of decoding the parameter in the URL loader.php?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=

It gave me a promising answer: using that decoded message in the URL returned the same page I got with the URL above. That struck me, so I thought of base64-encoding ../../../home/jared/secret.txt and got the result shown below.

So I tried accessing the URL using the encoded value above, i.e.

http://54.244.19.42/loader.php?p=Li4vLi4vLi4vaG9tZS9qYXJlZC9zZWNyZXQudHh0&password=CloudSEK_jeniffer

and was able to get the access code for the developer login portal.
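As an added defensive example (not part of the original walkthrough), this is how loader.php's ?p= parameter could be decoded and checked so that a base64-encoded traversal like the one above is rejected while the legitimate message file still resolves; the message directory path is an assumption, since the challenge's web root is not given on the page.

```python
import base64
import binascii
import os
from urllib.parse import unquote

# Assumption (constructed for this example): the directory loader.php is meant
# to serve files from. The real challenge's web root is not given on the page.
MESSAGE_DIR = "/var/www/html/messages"


def decode_p_param(p_param: str) -> str:
    """Decode the loader.php ?p= value: URL-decode, then base64-decode to a filename."""
    raw = base64.b64decode(unquote(p_param), validate=True)
    return raw.decode("utf-8").strip()  # the challenge value ends in a newline


def resolve_requested_file(p_param: str, base_dir: str = MESSAGE_DIR):
    """Return the canonical path inside base_dir, or None if the request escapes it.

    Checking the *normalised* path is what the vulnerable loader.php was missing:
    wrapping the traversal in base64 hides it from a naive string filter, but not
    from a check done after decoding and path normalisation.
    """
    try:
        name = decode_p_param(p_param)
    except (binascii.Error, UnicodeDecodeError):
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, name))
    # commonpath is component-aware, so "/var/www/html/messages_evil" does not
    # pass as a child of "/var/www/html/messages" the way a prefix check would allow.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Both parameter values are the ones that appear in the walkthrough.
    legit = "bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D"
    traversal = "Li4vLi4vLi4vaG9tZS9qYXJlZC9zZWNyZXQudHh0"
    print(decode_p_param(legit), "->", resolve_requested_file(legit))
    print(decode_p_param(traversal), "->", resolve_requested_file(traversal))
```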

This access code is a JWT (JSON Web Token), i.e. of the form a.b.c. When we used this token for the POST request it asked for the admin user, and on analysing the token (jwt.io) we found that the user was jared.

So we changed the user to admin and copied the new access token, as shown:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.xLtLdUxXsGB7EqP49a8xQziqpjkVKeJ9o2nix4xLf5M
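An added example, not from the original post: it decodes the token's header and payload the way jwt.io does, and shows the server-side HS256 check that rejects a payload edited from jared to admin unless it is re-signed with the secret. The signing key here is a constructed placeholder, not the challenge's.

```python
import base64
import hashlib
import hmac
import json

# The forged token shown in the walkthrough (header.payload.signature).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
              ".eyJ1c2VyIjoiYWRtaW4ifQ"
              ".xLtLdUxXsGB7EqP49a8xQziqpjkVKeJ9o2nix4xLf5M")

# Constructed secret for the demonstration; the challenge's real key is not on the page.
DEMO_SECRET = b"example-signing-key-not-the-real-one"


def b64url_decode(part: str) -> bytes:
    # JWT uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple:
    # What jwt.io shows: header and payload are plain base64url, readable by anyone.
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes):
    # Returns the claims only if the HMAC over header.payload matches; None otherwise.
    # The algorithm is pinned server-side rather than taken from the token's own "alg".
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return None
```

The walkthrough's token decodes to the header {"alg":"HS256","typ":"JWT"} and the payload {"user":"admin"}; a server that recomputes the HMAC with its key accepts such a token only if the signature was produced with that key.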

Privilege Escalation

Now we tried sending a POST request to http://54.244.19.42/dev/login.php with the help of cURL, as shown below, and got the result that leads to our flag.

On opening http://54.244.19.42/CloudSEK_to_win_page.html we got the image below.

The hint under the image tells us that something is hidden in it. So I used an online site to decode it and found the details mentioned below.

I found that comment interesting and tried opening it.

Reading Flag

See what I got!!! THE FLAG!!

But we are still one step away, and that step is to find the submission link!!! They again gave us the hint that this image may have some information stored in it, so let's try to extract it using the steghide tool in Kali Linux.

I first downloaded the image as shown and then used steghide to extract the hidden data, saving the output to the bn.txt file as shown. It asked for a passphrase, which is nothing but our flag.

Getting Submission Link

Can you guess what I got?? Yes, I finally got the submission link!!!!!!

https://forms.gle/CA9vHT6XaisS9HgR6

Pratham Mittal

Ethical hacker || Security Engineer || Ex - Razorpay, MakeMyTrip, Synopsys