AWSN Cadet CTF


Introduction

I was fortunate enough to attend an Australian Women in Security Network (AWSN) session. Following the session there was a beginner level capture the flag (CTF) hosted off http://149.28.182.32:8000. These are my notes from the CTF. Additional things to note are, firstly, that for the Web challenges, challenge 4 is called flag5, and challenge 5 references flag4. Secondly, the submission for the Cryptography password challenge expects the flag in the format flag{flag_value}. Finally, the notes below contain spoilers, and actual flags submitted.

Governance, Risk and Compliance (GRC)

Make Bank! (and secure it) - 100 pts.

Hint: Which PCI DSS (Payment Card Industry Data Security Standard) requirement details compliant disk encryption standards? The flag format is #.#.#

Not Bees - 100 pts.

Hint: What standard does the Australian Government ISM (Information Security Manual) recommend for developing web applications?

  • Submitted: OWASP

Steganography

Hidden in plain sight - 10 pts.

Hint: FatCat.jpg

  • Checked exif data - found nothing
  • Extracted strings - found flag.txt
  • Asked for assistance and Teej provided the hint that sometimes there are files which can contain other files, assumed it was some sort of archive
  • Renamed the file .7z and used 7zip to extract flag.txt
  • Submitted: flag{h1dd3n_z1p_arch1v3}

Packet Analysis

The Cattening - 10 pts.

Hint: Download Wireshark (https://www.wireshark.org/),

  • Opened packet capture file PacketCATure.pcapng
  • Reviewed conversation statistics (Statistics -> Conversations -> IPv4), found conversation between 192.168.1.11 and 192.168.1.21
  • Applied conversation as filter (ip.addr==192.168.1.11 && ip.addr==192.168.1.21), found HTTP get requests, mostly with 404 responses
  • Updated the filter to check for successful HTTP response, ((ip.addr==192.168.1.11 && ip.addr==192.168.1.21) && (http.response.code == 200)), found request URI http://192.168.1.11/0auh462tdk1ja51hd/ctfcat.jpg
  • Used Wireshark's built-in object export feature to extract all HTTP objects and saved ctfcat.jpg
  • Reviewed the downloaded image
  • Submitted: flag{CTFCat_approves_this_pic}

Blood in the water - 10 pts.

Hint: download Wireshark (https://www.wireshark.org/)

  • Opened packet capture file Login_Capture.pcapng
  • Reviewed conversation statistics (Statistics -> Conversations -> IPv4), took an interest in the conversation with extended duration towards the end of the capture and applied it as a filter (ip.addr==192.168.10.12 && ip.addr==192.168.100.23)
  • Saw HTTP GET request for what appeared to be the logon page, so filtered for all HTTP POST requests in the conversation ((ip.addr==192.168.10.12 && ip.addr==192.168.100.23) && (http.request.method == "POST")), found 4 packets
  • Manually reviewed the conversation to check the form data, the usernames and passwords contained the term fakeuser, except for one, which had credentials as supermegaawesomeuser and password123
  • Submitted: flag{password123}

Cryptography

Decaying Baker's Dozen - 10 pts.

Hint: Cipher text: ZbyqlYbnsf, Format of flag is flag{flagtext}

  • Used https://www.boxentriq.com to attempt to identify the cipher, but decided to try a ROT13, i.e. Caesar cipher with key of 13
  • Submitted: flag{MoldyLoafs}

Et tu, hacker? - 10 pts.

Hint: Encrypted text: Hipqqts_lxiw_rnqtg_spvvtgh, Format of flag: flag{flagText}

  • Surely they wouldn't use the same cipher twice, so I discounted Caesar and attempted to brute force as a monoalphabetic substitution cipher
  • Got stuck and asked for help, Jess suggested a Wikipedia search for the challenge name to see if any cipher names were listed, she meant Caesar!
  • Used boxentriq found key = 15, found stabbed with cyber daggers
  • Submitted: flag{Stabbed_with_cyber_daggers}
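Both cipher challenges above come down to the same 26-key search, so here is a single added example (my own code, not part of the CTF) that decrypts the two cipher texts, lists every shift, and shows how a guessed word such as "with" pins down the key on its own:

```python
def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving
    case and leaving underscores, digits and punctuation untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """Undo a Caesar encryption whose key was added to each letter.
    ROT13 is its own inverse because -13 == 13 (mod 26)."""
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Return all 26 candidate plaintexts keyed by the shift that produced
    them. The key space is so small that listing everything and reading it
    is the whole attack; tooling only saves the eyeballing."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


def keys_matching_crib(ciphertext: str, crib: str) -> list:
    """Return the keys whose candidate plaintext contains `crib`
    (case-insensitive). Because one shift applies to every letter, a
    guessed word of a few letters normally leaves exactly one key."""
    crib = crib.lower()
    return [k for k, pt in brute_force(ciphertext).items() if crib in pt.lower()]


if __name__ == "__main__":
    # The two cipher texts given in the challenge hints above.
    for ct in ("ZbyqlYbnsf", "Hipqqts_lxiw_rnqtg_spvvtgh"):
        for k, pt in brute_force(ct).items():
            print(f"key {k:2d}: {pt}")
    print(keys_matching_crib("Hipqqts_lxiw_rnqtg_spvvtgh", "with"))  # [15]
```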

Passwords - 10 pts.

Hint: An infamous hacker has given you a challenge to crack their encrypted password: 726ad07bc398372b56a52e3de8693679. They were tricked into giving it away in 2005 and now, after changing it, want to ensure it's secure.

  • The hash looked like an MD5, so submitted to CrackStation, found as hunter1
  • Submitted: flag{hunter1}

Web Application

1 - Clever Name - 10 pts.

Hint: Link: http://149.28.182.32/ Flag will be in the following format: flag{flagtext}

  • Navigated to site at http://149.28.182.32/
  • Viewed page source view-source:http://149.28.182.32/
  • Submitted: flag{49ff06b7f8308567c05d11789bcdfce3}

2 - Directives - 10 pts.

Hint: Link: http://149.28.182.32/ Hint: Look where robots are told where not to go. Flag will be in the following format: flag{flagtext}

  • Navigated to site, then added robots.txt as file to get
  • Submitted: flag{5ba36c59528a23ef681f4b6ac075a59b}

3 - Divisive - 10 pts.

Hint: Chocolate chip or oatmeal + raisin? Link: http://149.28.182.32/flag3 Flag will be in the following format: flag{flagtext}

  • Navigated to the page
  • Text on the page stated To get the flag you need to be an 'admin' but you are just a 'user' at the moment
  • Realised the chocolate chip or oatmeal were references to cookies
  • Used Firefox Cookie Quick Manager extension to edit the value of the usertype cookie
  • Changed value of usertype from user to admin
  • Reloaded the page
  • Submitted: flag{15304bcd6350f0143d8a2b30027393b6}
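The flag3 page fell because authorisation was read straight out of a client-editable cookie. As an added example (my own code, not the challenge's), here is that check next to a hardened version that HMAC-signs the cookie so a changed role fails verification; the secret key is an assumed placeholder:

```python
import hashlib
import hmac

# Assumed server-side secret for this example only; in a real deployment it
# comes from configuration, never from source control.
SECRET_KEY = b"example-server-secret-not-for-production"


def is_admin_vulnerable(cookies: dict) -> bool:
    """The flag3 behaviour: the role is whatever the browser says it is,
    so editing usertype=user to usertype=admin grants admin."""
    return cookies.get("usertype") == "admin"


def sign_usertype(usertype: str) -> str:
    """Issue a cookie value of the form '<usertype>.<hmac-sha256 hex>'."""
    mac = hmac.new(SECRET_KEY, usertype.encode(), hashlib.sha256).hexdigest()
    return f"{usertype}.{mac}"


def verify_usertype(cookie_value):
    """Return the usertype if the cookie's signature is valid, else None.
    Changing the role part without the key invalidates the MAC, and
    compare_digest keeps the comparison constant-time."""
    if not cookie_value or "." not in cookie_value:
        return None
    usertype, _, mac = cookie_value.rpartition(".")
    expected = hmac.new(SECRET_KEY, usertype.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return usertype


def is_admin_hardened(cookies: dict) -> bool:
    """Role is trusted only after the signature checks out. Storing the role
    in a server-side session keyed by an opaque id is the other common fix."""
    return verify_usertype(cookies.get("usertype")) == "admin"


if __name__ == "__main__":
    issued = sign_usertype("user")
    tampered = "admin." + issued.split(".", 1)[1]   # role edited, MAC kept
    print(is_admin_vulnerable({"usertype": "admin"}))  # True
    print(is_admin_hardened({"usertype": tampered}))   # False
```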

4 - Silly SQLi - 10 pts.

Hint: Link: http://149.28.182.32/flag5 Flag will be in the following format: flag{flagtext}

  • Attempted manual SQL injection, username as admin, and password as xx' OR 1 = '1' -- x
  • Submitted: flag{c6e7c99838881e4db32561804a32e7d4}

5 - Final Boss - 10 pts.

Hint: Link: http://149.28.182.32/flag4 Final boss challenge - no hints. Flag will be in the following format: flag{flagtext}

  • Navigated to page and found location of flag in page text, this usually means file inclusion or directory traversal
  • Manually reviewed page source, found http://149.28.182.32/flag4/showimage.php?file=cat.jpg
  • Attempted http://149.28.182.32/flag4/showimage.php?file=/../../../../../etc/flag4.jpg, found flag image
  • Submitted: flag{db990109b423a8607765c68097ee9fcd}
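The final boss worked because showimage.php joined the file parameter onto a directory with no checks. As an added example (my own code, not the challenge's PHP), here is a Python model of that join beside a hardened resolver that accepts only a bare image filename and confirms the result still sits under the image root; the root path is an assumed value:

```python
import posixpath as pp

# Assumed directory the challenge script serves images from.
IMAGE_ROOT = "/var/www/html/flag4/images"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image_vulnerable(file_param: str) -> str:
    """Models the traversal: directory + '/' + untrusted input, normalised
    by the filesystem. Five '../' segments climb out of IMAGE_ROOT."""
    return pp.normpath(IMAGE_ROOT + "/" + file_param)


def resolve_image_hardened(file_param: str):
    """Return the safe absolute path for a bare filename, or None to refuse.
    Three layers: a single path component only, an extension allow-list,
    and a containment check on the normalised result."""
    if not file_param or file_param in (".", ".."):
        return None
    if "/" in file_param or "\\" in file_param or "\x00" in file_param:
        return None
    if pp.splitext(file_param)[1].lower() not in ALLOWED_EXT:
        return None
    candidate = pp.normpath(pp.join(IMAGE_ROOT, file_param))
    # Defence in depth: even if the checks above were loosened later,
    # anything that normalises outside the root is rejected here.
    if pp.commonpath([IMAGE_ROOT, candidate]) != IMAGE_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    payload = "/../../../../../etc/flag4.jpg"   # the parameter used in the write-up
    print(resolve_image_vulnerable(payload))    # /etc/flag4.jpg
    print(resolve_image_hardened(payload))      # None
    print(resolve_image_hardened("cat.jpg"))    # /var/www/html/flag4/images/cat.jpg
```

Mapping an opaque id to a filename on the server side removes the parameter as a path altogether and is the usual end state for this kind of endpoint.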
