We found the flag – infosec_flagis_whatsorceryisthis
Our trick still works! We found valuable information by looking at the page source. Going to the file listed there, we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using what we learned from a previous challenge, we deduced that it was hexadecimal encoding, and from there we found the flag.
Going to the following link, we see the following:
Doing a right click, view page source we see the following:
So from the hint we’re looking for a back-up file.
Since this is on a Linux box, let’s see what the naming conventions are for backup files.
Let’s see if there’s a backup folder.
That led us to a dead-end.
Let’s try adding .old at the end of the file.
Adding the “.old” at the end of the URL and pressing enter we get the following:
Hmm… this looks like another file. Let’s open it.
Opening the file in a text editor we get the following:
Looking at the file we see the first paragraph, which matches our first screenshot.
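A copy of the live page left beside it with a ".old" suffix is exactly the kind of leftover that a deployment check should catch before the server ever serves it. The following is an added example, not tooling from the write-up: a defender-side scan that walks a web root for backup-named files and backup-named folders. The suffix list and folder names are common editor and admin conventions; the docroot it scans is constructed in a temporary directory.

```python
"""Added example (not the write-up's own tooling): walk a web root and report
leftover backup copies of deployed files. The docroot scanned here is
constructed in a temp dir."""
import os
import tempfile

# suffixes editors and admins leave beside the live file: foo.old, foo.bak,
# foo.orig (patch), foo.save, .foo.swp (vim swap), foo~ (emacs/vim backup)
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")
BACKUP_DIR_NAMES = {"backup", "backups", "bak", "old"}


def is_backup_name(name):
    """Name-based test; '#foo#' covers emacs autosave files."""
    return name.endswith(BACKUP_SUFFIXES) or (name.startswith("#") and name.endswith("#"))


def find_backup_leftovers(webroot):
    """Return sorted paths (relative to webroot) that are backup-named or live
    under a backup-named directory. The web server picks its handler from the
    last extension, so 'index.php.old' is sent as raw text, source included."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        in_backup_dir = any(p.lower() in BACKUP_DIR_NAMES for p in parts)
        for name in filenames:
            if in_backup_dir or is_backup_name(name):
                hits.append(os.path.join(*parts, name))
    return sorted(hits)


def build_sample_webroot():
    """Constructed docroot: a live page, its .old copy, a vim swap file,
    a forgotten backup/ folder and a clean stylesheet."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.php", "index.php.old", ".index.php.swp",
                "backup/db.sql", "css/style.css"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed content\n")
    return root


if __name__ == "__main__":
    for hit in find_backup_leftovers(build_sample_webroot()):
        print("backup leftover:", hit)
```

Run it against the real document root (or in CI against the build output) and fail the deploy on any hit; the name lists are a starting point, so extend them with whatever your own editors and deploy scripts produce.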
Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.
Let’s navigate to this file and see what we find.
After the file downloads, we try to open it.
Hmm… that’s weird: when clicking on the file, a prompt is shown asking what type of file this is.
Since we don’t know what type of file it is, let’s go to this site here to find out.
After uploading our file we determine that it is a pcap file.
We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:
The beginning of the file is DNS queries that are rejected; we can ignore those.
Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png
Going to packet 633, we can reconstruct this exchange.
Going to File –> Export Objects –> HTTP
We get the following:
Our file is highlighted in the above screenshot, so let’s click Save.
Opening the file we get our flag!
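What File –> Export Objects –> HTTP does is reassemble the TCP stream and cut the response bodies out of it. The following added example (not the write-up's or Wireshark's code) does the same with only the Python standard library: it parses a pcap, orders each flow's segments by sequence number, and returns every HTTP response body with its Content-Type. The capture it reads is constructed inline (a PNG-looking body split over two out-of-order segments), and the reader assumes a little-endian Ethernet pcap and responses framed by Content-Length.

```python
"""Added example (not the challenge's own capture): a minimal pcap reader that
reassembles each TCP flow and pulls out HTTP response bodies, the way
Wireshark's File -> Export Objects -> HTTP does. Standard library only."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian, microsecond-resolution pcap


def _frame(src_port, dst_port, seq, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; the reader below
    does not validate them, which is fine for a constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 0x50, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: one HTTP/1.1 200 response carrying a PNG-like body,
    split over two TCP segments that appear out of order in the file."""
    body = b"\x89PNG\r\n\x1a\n" + b"constructed-png-body"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)) + body
    split = 40
    frames = [_frame(80, 51234, 1000 + split, response[split:]),  # second half first
              _frame(80, 51234, 1000, response[:split])]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap_bytes):
    """Yield (flow, seq, payload) for each TCP segment that carries data."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic %#x" % magic)
    link_type, = struct.unpack("<I", pcap_bytes[20:24])
    if link_type != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                       # not TCP
            continue
        total_len, = struct.unpack("!H", ip[2:4])
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def extract_http_objects(pcap_bytes):
    """Order each flow's segments by sequence number, then walk the stream for
    HTTP responses. Returns a list of (content_type, body)."""
    flows = defaultdict(list)
    for flow, seq, payload in iter_tcp_segments(pcap_bytes):
        flows[flow].append((seq, payload))
    objects = []
    for segments in flows.values():
        stream = b"".join(p for _, p in sorted(segments))
        pos = 0
        while True:
            start = stream.find(b"HTTP/1.", pos)
            hdr_end = stream.find(b"\r\n\r\n", start) if start >= 0 else -1
            if hdr_end < 0:
                break
            lines = stream[start:hdr_end].decode("latin-1").split("\r\n")[1:]
            fields = {k.strip().lower(): v.strip()
                      for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}
            length = int(fields.get("content-length", "0"))
            body = stream[hdr_end + 4:hdr_end + 4 + length]
            objects.append((fields.get("content-type", "application/octet-stream"), body))
            pos = hdr_end + 4 + length
    return objects


if __name__ == "__main__":
    for ctype, body in extract_http_objects(build_sample_pcap()):
        print(ctype, len(body), body[:8])
```

The sorting step is the part that matters: the two segments are deliberately stored out of order, and concatenating them in file order would split the PNG header. Retransmitted segments and chunked transfer encoding are not handled here, which is one reason to reach for Wireshark on a real capture.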
Use the hints that are provided! We knew that the file we were looking for was a backup. After playing around with the filenames we discovered that the file we were looking for ended in “.old”. Once we opened the file we noticed there was another file, “imadecoy”. After downloading that file and trying to open it, our operating system was confused about the file type. Uploading our file to the above link we determined that the file was a pcap (packet capture) file, and we would need to use Wireshark.
Opening Wireshark, we determined that the file we needed was inside an HTTP exchange. Reconstructing the exchange we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.
Doing a right click, view page source we see the following:
We noticed there’s an extra CSS (Cascading Style Sheets) file. Let’s see what’s in it.
Going to the file we see the following:
Hmm… this looks interesting. Knowing a thing or two about CSS, we recall that colors are represented in hex (hexadecimal, base 16) form. More can be found here.
I’m thinking this is the actual flag, but it’s just encoded.
Using our knowledge from other challenges, let’s try base64 decoding, since it has worked before.
Going to the link here, and typing in the encoding we get the following:
Our decoding wasn’t successful. This encoding is not base64.
Going back to the challenge, we know that CSS uses hexadecimal to represent colors.
Maybe the encoding is in hexadecimal form.
Going to Google and typing in “converting hexadecimal to text” we get the following link.
Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:
We found the flag!
Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64, which did not work. Going back to the drawing board on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.
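Both the SQL-dump challenge at the top of this page and the CSS challenge here came down to recognising hexadecimal, and in the CSS case base64 was tried first and "did not work". The following added example (not the write-up's tooling) shows why the order of guesses matters: the hex alphabet is a strict subset of the base64 alphabet, so a hex string of suitable length base64-decodes without any error, just to unreadable bytes. The decoder therefore tries hex first and validates the output instead of trusting the absence of an exception. The samples are constructed, not the challenge's own ciphertext.

```python
"""Added example (not the write-up's own tooling): identify and decode a string
that is hex or base64, checking the decoded output rather than relying on a
decoder raising an error. Samples are constructed."""
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def looks_like_text(raw):
    """True only if every decoded byte is printable ASCII."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)


def try_hex(s):
    """bytes.fromhex accepts upper or lower case; reject odd lengths and non-hex."""
    if not s or len(s) % 2 or any(c not in string.hexdigits for c in s):
        return None
    return bytes.fromhex(s)


def try_base64(s):
    """Strict base64: non-alphabet characters or bad padding give None."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def identify_and_decode(s):
    """Return (encoding, text) for the first candidate whose output reads as
    text, or (None, None). Hex goes first: its alphabet is a subset of
    base64's, so a hex string also 'decodes' as base64, just to junk."""
    s = "".join(s.split())  # tolerate whitespace and line breaks from copy-paste
    for name, fn in (("hex", try_hex), ("base64", try_base64)):
        raw = fn(s)
        if raw is not None and looks_like_text(raw):
            return name, raw.decode("ascii")
    return None, None


# constructed samples, not the challenge's own ciphertext
HEX_SAMPLE = "constructed_sample_text1".encode().hex()
B64_SAMPLE = base64.b64encode(b"another constructed sample").decode()

if __name__ == "__main__":
    for sample in (HEX_SAMPLE, B64_SAMPLE, "zzzz"):
        print(sample, "->", identify_and_decode(sample))
```

The printable-ASCII check is deliberately strict; if the payload you expect is UTF-8 or binary (an image, say), swap in a check that fits, such as a magic-number test, because "it decoded" on its own proves nothing.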
Note: Make sure when installing Cygwin that you add the binutils package, which provides the strings command.
Copy the app.exe file into the Cygwin directory (that you specified in your installation) so you can navigate to that file.
After installing Cygwin and running the strings command on app.exe we see the following:
We found the flag – infosec_flagis_0x1a!
Again, our normal trick of viewing the page source did not work. We noticed that when we executed the program it ran the netstat command, getting information on our network. From there we decided that we would need to see the source of the application to see if the flag was hidden in there. Turns out it was. Overall lesson: be flexible with your tool belt and think outside the box!
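One caveat worth knowing when running strings over a Windows executable: by default GNU strings only reports runs of single-byte printable characters, while Windows binaries often store text as UTF-16LE, which needs `strings -e l` to show up. The following added example (not the write-up's tooling) is a small strings in Python that does both passes and then filters for flag-shaped tokens. The "binary" it scans is constructed inline; the flag value in it is the one the write-up reports for this challenge, and the flag pattern is an assumption based on the flag format seen on this page.

```python
"""Added example (not the challenge's own tooling): a small `strings` that,
unlike GNU strings' default, also reports UTF-16LE text, which Windows
executables commonly embed. The binary it scans is constructed."""
import re

# constructed stand-in for app.exe: a PE-looking prefix, an ASCII string,
# the flag reported in the write-up, a UTF-16LE string, and junk too short
# to count as a string
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"
    + b"netstat -an\x00"
    + b"infosec_flagis_0x1a\x00\x00"
    + "Hidden wide string".encode("utf-16-le")
    + b"\x01\x02ab\x03"
)


def extract_strings(data, min_len=4):
    """Return (encoding, text) for every printable run of at least min_len
    characters: ASCII runs first (what `strings` prints by default), then
    UTF-16LE runs (what `strings -e l` would add)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    # UTF-16LE printable ASCII: each character byte is followed by a NUL byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def find_flags(data, pattern=r"infosec_flagis_\w+"):
    """Keep only flag-shaped strings, whatever encoding they were found in.
    The default pattern is an assumption based on the flags on this page."""
    rx = re.compile(pattern)
    return [text for _, text in extract_strings(data) if rx.search(text)]


if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE_BINARY):
        print(enc, repr(text))
    print(find_flags(SAMPLE_BINARY))
```

To scan a real file, read it with `open(path, "rb").read()` and pass the bytes in; the ASCII pass alone would have missed the wide string entirely, which is the point of running both.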
Today’s challenge will be #3 from the InfoSec Institute.
Going to the following link we’re presented with the following:
Looking at the screen we’re presented with a QR code.
Doing a right click, view source we see the following:
Doing a quick Google search of “QR code decoder” we go to the following site.
Entering the proper information and uploading our file we see the following:
Doing a Google search of our output, we find the code is actually Morse code!
Another Google search to decode the code gives us the following site.
Putting our code inside of the decoder we get the following:
We found the flag!!!
Right click, view page source saves the day again. By doing this we found that there is a QR code being displayed on the page. Doing a quick Google search we found a QR code decoder that gave us Morse code. Another Google search yielded the flag.
When in doubt view page source and Google searches!
Doing a right click view page source we see the following:
Looking at the page we see the following hint – “Hypertext Transmission Protocol”
Pressing F12 to view the developer tools and going to the “Network” tab we see the following:
Inside the set-cookie we see “fusrodah=vasbfrp_syntvf_jrybirpbbxvrf”. This is interesting…
Doing a quick Google search and putting in the second half of our value we get the following link for ROT-13.
ROT-13 is a rotate-by-13 cipher: each letter is shifted 13 places through the alphabet. Since the alphabet has 26 letters, applying ROT-13 twice gives back the original text, so the same operation both encodes and decodes.
Using the following site, and putting in our value we get:
We retrieved the flag.
Use the hints provided. We tried our trusty right click, view page source, but that didn’t help us. Going back to the page we noticed that the hint was HTTP. Using the developer tools inside Chrome and going to the network tab we saw the files retrieved when accessing the site.
Clicking on the page request and viewing the headers we noticed that a cookie was being set. Using this information inside Google we were able to decode the message.
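The two steps of this challenge, pulling the cookie out of the Set-Cookie header and undoing the ROT-13, are small enough to script. The following added example (not the write-up's tooling) parses the header with the standard library's http.cookies and applies a Caesar shift; it goes slightly beyond the page by making the shift a parameter, so that all 25 rotations can be listed when 13 is only a guess. The cookie value is the one shown in the write-up; the "Path=/" attribute is constructed.

```python
"""Added example (not the write-up's own tooling): parse a Set-Cookie value
and undo ROT-13 on it. rot_n generalises to any Caesar shift."""
from http.cookies import SimpleCookie

# cookie value from the write-up's Set-Cookie header; "Path=/" is constructed
SET_COOKIE = "fusrodah=vasbfrp_syntvf_jrybirpbbxvrf; Path=/"


def rot_n(text, n):
    """Shift each ASCII letter n places through its alphabet; digits and
    punctuation (the underscores here) pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT-13 is the shift-13 case; 13 + 13 = 26, so it undoes itself."""
    return rot_n(text, 13)


def cookies_from_set_cookie(header_value):
    """Parse a Set-Cookie header value into {name: value}; attributes such
    as Path or HttpOnly are kept on the morsel and not returned as cookies."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel.value for name, morsel in jar.items()}


def all_rotations(text):
    """Every non-trivial Caesar shift of text, keyed by shift. When the shift
    is unknown, scan the values for the one that reads as words."""
    return {n: rot_n(text, n) for n in range(1, 26)}


def decode_rot13_cookies(header_value):
    """ROT-13 every cookie value from a Set-Cookie header."""
    return {name: rot13(value)
            for name, value in cookies_from_set_cookie(header_value).items()}


if __name__ == "__main__":
    print(decode_rot13_cookies(SET_COOKIE))
    for n, candidate in all_rotations("vasbfrp").items():
        print(n, candidate)
```

The self-inverse property is what makes ROT-13 convenient for hiding text from a casual glance and useless as protection: there is no key, so anyone who recognises the pattern applies the same function and reads the value, which is the reason nothing sensitive should ever ride in a cookie this way.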