In

EWYL CloudSek CTF Walkthrough

  Lets Begin the Game



Target IP:  http://54.244.19.42 




On visiting the above IP address a webpage appears like above image.Now we will see the front-end source of the website by right-clicking the page and then choose View Source.The browser will open the java source code of the website and will look like below image.



Lets dig into the code :)

The code uses two variables for username and password in which the password field is actually split into two halves.The JS code uses a built in function called slice() to strip off the string specified as the second parameter.Basically the scripts strips off from the 9 th character starting the index from 0 and stored in variable 'x'.The rest of the part is fed into the variable 'y'.



This code snippet illustrates the working of slice() function in Javascript.





On analysing the Javascript code in the console , they make use of one more variable 'z' which is the MD5 hash of the data in variable 'y'.A condition is being checked in an If statement which is a clue.So lets check it out.


Now lets decode the hash.You can use any online tool for finding the reverse hash of it. Here I used CrackStation.




Meanwhile , there is one more to crack, the first password, the one stored in variable 'x'.The code stored in variable is of a hex value and lets have some fun with python.




We got the password as x= CloudSEK_ and y= Jennifer. 

Now we will append the password together and give it to URL to navigate to the page.

URL: http://54.244.19.42/loader.php?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=CloudSEK_jeniffer





The link will redirect to a page that displays a message like this.


So as the next clue , there should be login portal as developer login portal page.Now lets see whether the page is under restricted access , for that we will look for robots.txt.

The disallow tag in robots.txt will make a page unrestricted from illegitimate access.So now we will navigate here and see.For a login page , there is a need to get the access token as an alternative to the password inorder to bypass the authentication check.


The page has a vulnerability called Local File Inclusion.By using Local File Inclusion Vulnerability,the path in which the vulnerability exist should be encoded to base64 and supplied along with the URL in the address bar.During the scan we could find that the loader.php is moreover a script that reads what ever files are present in the directory.This vulnerability lets us to comprimise the access code of the machine.


Thus the below access token will help to bypass the login page.







Now we will send a POST request with the access_token using a tool "CURL".The below image shows a curl command that takes access_token as data arguments and triggering a POST request to the login page.


The above URL ../CloudSEK_to_win_page.html will redirect to a page like one below.




The above URL will be the page which contains an image.The image has to be downloaded and it contains some strings embedded in it.

The embedded strings inside an image can be taken by using the linux command strings

When using the strings command list of strings inside the image will be displayed which contains a URL of an html page.




The above URL will show a page like this .

The Game isn't over yet.Lets see the fun part of it:)

We will now use the tool Steghide to extract the hidden text in the You Win Image.



Some of you might be thinking what's wrong with this."If you find in dark , you will find your worth".Just have a look at the above webpage and observe the dark part of it.Well Ofcourse it is the You Win image.


Lets open the text file and see our worth:)






Tags:
Adhi

Hai ,I am Adarsh.I like contributing articles related to computer security.If you wish to post your articles in HashPlanet Security,drop me a mail at hashplanetsec@gmail.com .Expecting to know more about me.? Just click the links below....

0 comments:

Post a Comment