CAPTURE THE FLAG CSO 116 - 2021
TEAM 23: Nick Prakash, Bharat Kesari, Dipta Roy



CONTENT & INTRO

Challenge 1 & 2 / 3
Challenge 3 & 4 / 4
Challenge 5 & 6 / 5
Challenge 7 & 8 / 6
Challenge 9 / 7
Challenge 10 & 11 / 8
Challenge 12 / 9
Epilogue / 10

The Spring 2021 semester Tufts COMP 116 Capture the Flag game was an excellent opportunity to practice exploiting vulnerabilities in a web application. We are Team 23, consisting of Nick Prakash, Dipta Roy, and Bharat Kesari. Together we were able to capture all 12 flags hidden within the web application. We used a variety of techniques and tools that we had learned both in class and over the course of the competition. SQL injection, cross-site scripting, crafted HTTP requests, and many other methods were used to find the flags. The CTF game was a fun way to solidify many web security concepts and to work as a team.


CHALLENGE 1 & 2

CHALLENGE 1: GET THE FLAG

The first challenge kicks off the game in a pretty straightforward fashion. The clue is to GET the FLAG, indicating an HTTP GET request.

We simply hit the http://35.223.71.79/FLAG/ endpoint, which prompted a download of a FLAG file: a text file with the appropriate flag inside.

key{c1b094af7234588573f07a110f2131c82ff221940f404febb850f7879a4f0a29}

CHALLENGE 2: ABOUT THAT PICTURE OF $AMC

Prior to solving this challenge, our team had gotten through to the Gamestonks Terminal. On the terminal, the page mentioned setting the quote query parameter to a stock ticker. Keeping with the meme-stock trend and the clue, we tried setting quote to "AMC", and it ended up pulling up a picture. We used the command wget https://34.69.68.207/amc.jpg to get the picture onto the file system. We then used the command strings amc.jpg | grep -i key to see if the key was hidden inside the JPEG's printable text. Unfortunately, it was not. Our team then remembered there was another picture on the board that referenced $AMC. We used the command wget http://35.233.71.79/logo.jpg to download this image onto a filesystem, and then used strings logo.jpg | grep -i key to find the flag.

key{ac2f7510819f1937954f2fc25ed6e97799f088b6c19ddeb3ab98dc4c5dc28736}


CHALLENGE 3 & 4

CHALLENGE 3: .GIT THE FLAG

Much like the GET the FLAG challenge, this challenge indicates the FLAG is located somewhere within version control. But where is it?

Using a similar trick to GET the FLAG, we hit the http://35.223.71.79/.git/ endpoint. This brought us to a hosted directory of .git files, one of which was clearly marked as FLAG. Download the file, read it, and voilà, we have our third flag.

We did wget the entire .git folder structure to see if there were other flags hidden somewhere. There weren't any.

key{0adaad7023a21d5dfd5988174df1eeb4dd73f1b7fe664d360ad84e5b7d390127}

CHALLENGE 4: ALL YOUR BASE64 BELONG TO US

We were stuck on this challenge for quite a bit of time. To be frank, it wasn't until the eleventh hour that we finally solved it. Challenge 9 was solved prior to this, so perhaps before reading how we solved this, jump over to that and have a read to see our thought process for finally solving this challenge.

What stumped us was the BASE64 keyword in the clue. We obsessed over the admin form to see if the plaintext username and password were sent to the server in Base64 format. A few days were spent on that.

Finally, much like Challenge 9, we used sqlmap to get a dump of the users table and crack all the hashed passwords using a dictionary-based attack. User number 999, Dwight Vargas, was the lucky one, as his password was the key we needed to solve this challenge.

sqlmap -u "http://35.223.71.79/board.php?id=1" -D board -T users --dump

key{87a9fe49427892179ff5265677cbdefd67d9564e46c142227c4b79c001eb3474}


CHALLENGE 5 & 6

CHALLENGE 5: DONT ASK IF SOMETHING LOOKS WRONG. LOOK AGAIN, PAY CAREFUL ATTENTION

Navigating through the site, we were able to reach http://35.223.71.79/admin.php. A simple form existed here with a login and password field. It looked like the perfect scenario to check whether SQL injection vulnerabilities exist.

Sure enough, entering a' or '1'='1 for both login and password brought us to a 404 Not Found page with a peculiar link to The Eval Gamestonk Terminal (better save this for challenge 12).

Inspecting the page, however, proved fruitful. Hidden in an HTML comment is the key for challenge 5.

key{0f0dd5db8521ac971151f8009c7432741b174d3f6245e5472b6d36c32f904c4f}

CHALLENGE 6: DONT ASK IF SOMETHING LOOKS WRONG. LOOK AGAIN, PAY REALLY CAREFUL ATTENTION

So we were able to SQL inject our way into the admin page and get a key from the HTML comments. Besides the link to The Eval Gamestonk Terminal, nothing else seemed to exist here.

We were stumped for a little while. We looked through the HTML and inspected every available element for additional vulnerabilities or inconsistencies. Nothing. Then we noticed something peculiar about the cookies set for the domain: Admin = false. What happens if we change the value of the cookie to true and reload the admin page?

Yep, there is the next flag, and on to challenge 7.

key{46175325b71cd137d922355d1e57f9e278f1444c002080d54bbd5cf1f0066008}
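The two weaknesses behind challenges 5 and 6, shown as an added example that is not part of the team's write-up: a login query built by string concatenation next to its parameterized form, and an admin check that trusts a client cookie next to one that reads the role from the user's own record. The in-memory SQLite table and its rows are constructed stand-ins for the CTF's admin backend.

```python
import sqlite3

# Constructed stand-in for the admin backend (assumption). Passwords are stored
# in the clear only to keep the demo short; a real table holds slow salted hashes.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "correct-horse", 1), ("bob", "hunter2", 0)])
    return con

# Vulnerable form: the submitted fields are spliced into the SQL text, so the
# value a' or '1'='1 from the write-up turns the WHERE clause into a tautology
# and the first row (admin) comes back as the "authenticated" user.
def login_vulnerable(con, login, password):
    sql = f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None

# Hardened form: placeholders make the driver treat the input purely as data,
# so the same payload is compared literally and matches nothing.
def login_parameterized(con, login, password):
    sql = "SELECT login FROM users WHERE login=? AND password=?"
    row = con.execute(sql, (login, password)).fetchone()
    return row[0] if row else None

# Challenge 6 hinged on an Admin=false cookie the client could flip to true.
def is_admin_from_cookie(cookies):
    return cookies.get("Admin") == "true"      # trusts the request: wrong

# The privilege decision belongs to the server-side record of the logged-in user.
def is_admin_from_db(con, login):
    row = con.execute("SELECT is_admin FROM users WHERE login=?", (login,)).fetchone()
    return bool(row and row[0])

if __name__ == "__main__":
    db = make_db()
    payload = "a' or '1'='1"
    print(login_vulnerable(db, payload, payload))     # admin  (bypassed)
    print(login_parameterized(db, payload, payload))  # None   (rejected)
    print(is_admin_from_cookie({"Admin": "true"}), is_admin_from_db(db, "bob"))
```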


CHALLENGE 7 & 8

CHALLENGE 7: THAT READ ME IS PECULIAR....

We noticed a few README files hosted within wp-content/uploads. For quite some time, we were obsessing over the http://35.223.71.79/wp-content/uploads/2021/03/Comp40/README file. The UM benchmark results within that file seemed like a clue to getting the next key. Some time was wasted trying to run the universal machine on Kali. Time wasted!

Next we did a little googling to see if WordPress ships any installation or setup readme. Sure enough, many installs come with a readme.html. Proceeding to http://35.223.71.79/readme.html led us to an edited HTML readme page with the key listed at the top.

key{4ba548cf51d44f4a643007ae6aa193c33c428aa6b4bc4dc860e1368f4b59b3cf}

CHALLENGE 8: FINANCIAL REPORTS IN THE DUMP OF CONTENT

We already knew there was a content directory at /wp-content/uploads. There seemed to be a lot of files there. Surely this had to be the dump of content. Rather than search through each file one by one, the easiest solution was to wget the entire folder recursively onto our server (wget -r --no-parent http://35.223.71.79/wp-content/uploads/).

Next, a simple grep to recursively search all files and folders, binaries included, yielded the next flag hidden inside flagabc123.jpg.

key{6fabd076f51ccd88fdae7b5c410776c97459f3c3bc262d6de8000f28de90838c}


CHALLENGE 9

CHALLENGE 9: BURIED IN THE DUMP, REDUX: NEEDLE IN THE HAYSTACK

Much like challenge 4, this was not solved until the very last day. The clue itself was a little challenging. The key words we took away from it were REDUX and DUMP. Was the Redux state management library somehow involved? Is there another file dump hosted somewhere within the domain?

The first step was to investigate the possibility of Redux being included within the project. A quick download of the Chrome Redux plugin proved that Redux was not in use on the CTF domain. The wp-includes and wp-content folders also proved to be a dead end.

We did have all the table names from the database from earlier, so perhaps it was time to try some SQL injection on the domain to retrieve all the records from a table. The posts table seemed like a good first choice, so we popped open sqlmap on Kali and injected the board.php file using the following command: sqlmap -u "http://35.223.71.79/board.php?id=1" -D board -T posts --dump

The result set was dumped into a file that included various Base64-encoded strings as records. Using https://www.base64decode.org/, we were able to decode the string a2V5ezZiMjFhZjFiMjdkMTI1MzAzYzhhYmM5MmU3ZWIxNmMwZGNhOGI0ZjczYTVhMzhjMzRjNTYwYmFmOTAyZGI2Mjl9 to the key:

key{6b21af1b27d125303c8abc92e7eb16c0dca8b4f73a5a38c34c560baf902db629}
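Challenges 8 and 9 both came down to spotting a key{...} pattern in a pile of files, once in raw bytes and once wrapped in Base64. The scan below is an added example (not the team's script) that does both passes over a directory tree; it is the same check a site owner would run over an uploads folder and a database export before publishing them. The directory, JPEG header and CSV it builds are constructed sample data, and the keys in them are made-up values.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

KEY_RE = re.compile(rb"key\{[0-9a-f]{64}\}")
# key{ + 64 hex + } is 69 bytes, i.e. 92 Base64 characters; shorter tokens cannot hold one.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{92,}={0,2}")

def keys_in_bytes(data: bytes) -> set:
    """Keys present verbatim or inside any Base64 token in the data."""
    found = set(KEY_RE.findall(data))
    for token in B64_RE.findall(data):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (ValueError, binascii.Error):   # bad length/padding: not real Base64
            continue
        found.update(KEY_RE.findall(decoded))
    return found

def scan_tree(root: Path) -> dict:
    """Map relative path -> set of keys, for every file under root that holds one."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            keys = keys_in_bytes(path.read_bytes())
            if keys:
                hits[str(path.relative_to(root))] = keys
    return hits

def build_sample_dump() -> Path:
    """Constructed stand-in for the wget'd uploads folder plus the sqlmap posts dump."""
    root = Path(tempfile.mkdtemp())
    (root / "2021").mkdir()
    plain_key = b"key{" + b"ab" * 32 + b"}"          # made-up value, not a CTF key
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16 + plain_key + b"\xff\xd9"
    (root / "2021" / "flagabc123.jpg").write_bytes(jpeg)
    b64_key = base64.b64encode(b"key{" + b"cd" * 32 + b"}")   # made-up value
    (root / "posts.csv").write_bytes(b"id,body\n1,hello world\n2," + b64_key + b"\n")
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    return root

if __name__ == "__main__":
    for rel, keys in scan_tree(build_sample_dump()).items():
        print(rel, [k.decode() for k in keys])
```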


CHALLENGE 10 & 11

CHALLENGE 10: ABOUT MY FRIEND BOBO...

Bobo was giving us a lot of trouble. We didn't solve this challenge until the last day of the competition. We tried everything from SQL injection on each of the reply form fields, cross-site scripting in these fields, running sqlmap against the webpage, and even checking whether any hidden information existed within the blank avatar that appeared next to each comment. Finally, a Piazza post gave us a clue where to look. The post mentioned Ming had left the password to the wp-admin page on his GitHub page. The password was "Wh@t3ver!Wh@t3ver!". After logging in with username admin and that password, we started digging through the webpage for clues. On the target webpage, one of the posts was "Steal This". It seemed obvious a key was connected with this post. Navigating to the Posts tab on the admin dashboard, we were able to view all revisions of this post. Scrolling through the revisions, we found two keys. One of them was fake and one of them was the real key.

key{bee1c267b129a76d39d891f9f9068a4c918acd117d5c601b2edb66c56fdf0594}

CHALLENGE 11: INSIDE OF THAT BITCOIN....

Yet another last-minute solve. We knew the key was hidden inside the bitcoin image found at http://35.223.71.79/wp-content/uploads/2015/10/bitcoin.jpg. And since the strings trick from Challenge 2 did not work on the Bitcoin image, we knew it had to be related to steganography. A quick search made it clear that Kali had Steghide installed, so we knew we had to use that tool to decode the image.

A quick read through the man page showed steghide extract -sf bitcoin.jpg should extract the hidden text. However, we needed a passphrase. We spent a bit of time brute-forcing this with the Base64 decoded and encoded texts found in the posts table, random strings, the empty string, etc. But no luck.

So on to googling "steghide brute force attack", which brought us to StegCracker https://github.com/Paradoxis/StegCracker. The tool uses a dictionary-based attack to crack the file and writes out the hidden message to an output file. Found our key!

key{9cc7a7354bd1c6e9235dab172ff644d9836efc9b0e4abe1122d7f769d2c20c59}


CHALLENGE 12

CHALLENGE 12: THE EVAL GAMESTONK TERMINAL

We knew how to get to the Gamestonk terminal from Challenge 5. The URL to the terminal was there.

At first we spent some time obsessing over the query param "quote". One idea was to write a script to throw various ticker symbols at this param to see what was retrieved. This seemed like the wrong approach, but we thought it was worth pursuing. Dead end!

The clue should have been a dead giveaway from the start. EVAL had to be related to the eval() function, which means the query param within the Gamestonk terminal can be exploited.

The first step was to ls the folder on the server to see what existed: https://34.69.68.207/?quote=GME;system(ls); Interesting. The AMC JPEG, the GME JPEG and the HTML page. Let's see what's one level up. A few more folders here (see pictures). One more level up and finally the FLAG.txt we had been looking for. A final eval to cat the file brought back the key we were looking for.

key{7b926ea4afea6689ce7fde22d88c804c698473bf4e93a23d6ae2d07e08bea4bf}
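The root cause in challenge 12 is a ticker parameter handed to eval(). As an added example (not the team's or the terminal's code), the functions below show the input check that should have stood in front of it, an allowlist of one to five upper-case letters, and a small detector that reads access-log lines and flags quote= values carrying shell or PHP syntax. The log lines are constructed, with the request from the write-up included as the positive case; the combined log format is an assumption.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Allowlist: a ticker is one to five upper-case letters. Anything else is refused
# before it can reach eval(), system() or any other interpreter.
TICKER_RE = re.compile(r"[A-Z]{1,5}")

def validate_ticker(quote: str) -> Optional[str]:
    return quote if TICKER_RE.fullmatch(quote) else None

# Characters and names that have no place in a ticker but do in shell or PHP source.
SUSPECT = re.compile(r"[;|&`$(){}<>\\'\"]|\b(?:system|exec|passthru|shell_exec|eval)\b")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')   # combined log format (assumption)
QUOTE_RE = re.compile(r"[?&]quote=([^&\s]*)")

def flag_request_line(line: str) -> Optional[dict]:
    """Return a finding for a log line whose quote= value fails the allowlist and
    looks like code, else None. The value is URL-decoded first so %3B is seen as ;"""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    q = QUOTE_RE.search(req.group(1))
    if not q:
        return None
    value = unquote(q.group(1))
    if validate_ticker(value) is None and SUSPECT.search(value):
        return {"ip": line.split(" ", 1)[0], "param": "quote", "value": value}
    return None

def scan_log(lines):
    return [f for f in map(flag_request_line, lines) if f]

# Constructed sample: two normal lookups, the request from the write-up, and the
# same request URL-encoded the way a proxy or browser might send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2021:10:00:01 +0000] "GET /?quote=GME HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2021:10:00:07 +0000] "GET /?quote=AMC HTTP/1.1" 200 90412',
    '203.0.113.9 - - [01/Apr/2021:10:01:13 +0000] "GET /?quote=GME;system(ls); HTTP/1.1" 200 301',
    '203.0.113.9 - - [01/Apr/2021:10:01:40 +0000] "GET /?quote=GME%3Bsystem%28ls%29%3B HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```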


EPILOGUE

LESSONS LEARNED:

• Websites suck: Websites, even the good ones, can be filled with many vulnerabilities if not properly thought out.

• Those pesky XSS redirections: Thank god for Burp Suite and controlling the XSS redirections, because they were getting pretty annoying. Disabling JavaScript also helped!

• Fresh eyes: Seeing the same problem from different perspectives helped a lot; because it was a team effort, we were able to gather different insights on how to go about a problem.

• Look EVERYWHERE!: As mentioned in one of the flag write-ups, we were able to find Ming's username and password in some code on his GitHub, which led us to a flag.

• Write down commands: Remembering or writing down the most-used terminal commands helped. We found ourselves going back through our past commands to see what we did to pull data, especially with sqlmap.

• Referencing the old: Google is your best friend! Being familiar with how web pages work, and looking up past CTFs and the methods of injection used in them, gave us insight into how to approach situations.

CONCLUSION

The Capture the Flag contest was the first time many of us were challenged to swiftly find as many vulnerabilities on a web page as possible. Many of us had not been able to meticulously dissect web security details and features until this assignment, and some (especially those outside of the CS realm) take web development and cyber security for granted. Though we were exposed to these individual exploits in class in smaller forms, we had not been able to apply them in a real-world setting. This intuitive challenge helped us take our understanding of these vulnerabilities and find exploits the way a hacker might, which in turn taught us the importance of being aware of these situations and, hopefully, of taking precautions in our own practice.


HELPER TASKS

SQLMAP FOR FINDING TABLES

Realizing that the admin and board pages of the CTF game were riddled with SQL injection vulnerabilities, we looked to sqlmap to enumerate any databases and tables we could find. Without knowing which database the tables lived in, we would get nowhere. So the first step was to look for the actual databases, which we did with the command sqlmap -u "http://35.223.71.79/board.php?id=1" --dbs. Then we could sift through the databases to find any relevant tables with the command sqlmap -u "http://35.223.71.79/board.php?id=1" -D board --tables. The breakdown of the commands is as follows:

1. Looking for databases:

   a. sqlmap -u "http://35.223.71.79/admin.php" --dbs --forms
      i. -u is used because we are giving it a URL to access
      ii. --dbs specifies that we are looking for the databases
      iii. --forms was used because the admin.php page had a login form
      iv. This actually took some time, as it retrieved each database name letter by letter because of the form handling.

   b. sqlmap -u "http://35.223.71.79/board.php?id=1" --dbs
      i. For this we did not need --forms because there was no actual login.
      ii. The two commands gave us the same results, but the second got us the result WAY faster than the first. Because the two pages used the same database, we used /board.php?id=1 for the rest of the search.

2. Looking for tables in the database named "board":

   c. sqlmap -u "http://35.223.71.79/board.php?id=1" -D board --tables
      i. -u, again, is used because we are specifying a URL
      ii. -D specifies which database we want to look into
      iii. --tables lists the table names in the database