NeverLAN CTF 2020

NeverLAN CTF is a beginner friendly CTF . Me any my friend D4mianWayne did this together, it’s really fun and we enjoyed it. In this post I write a walkthrough for the CTF.

Web

The Webpage:

The title of the challenge is Cookie Monster

  • Google search “cookie monster favorite guy red”
  • It’s a character named Elmo

Got the Flag!

Stop the Bot

The Webpage:

It says bot everywhere so I looked at robots.txt

The robots exclusion standard, also known as the robots exclusion protocol or simply robots.txt, is a standard used by websites to communicate with web crawlers and other web robots. The standard specifies how to inform the web robot about which areas of the website should not be processed or scanned.

It shows the files or directories in the webpage.

It shows flag.txt

SQL Breaker

The Webpage:

Found a Login page

Since it is an SQL Breaker I tried some normal sql injection

Source : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

admin'-- - : admin

It Worked!!

SQL Breaker 2

The Webpage:

Another login page

Like Before I tried some normal SQLi

' or 1=1 limit 1 -- -+

It says only admin user can see the flag, Since the normal sqli works, So adding an offset to the payload (offset 1) will make me select the next from the list.Implicit offset is 0. The 1 in the limit states, show me 1 line of output so if you do LIMIT 1 OFFSET 1. It will give you one line, specifically the second line in the output

' or 1=1 limit 1 offset 1-- -+

Follow Me!

It looks like the page keeps on redirecting ,If a website returns 302 redirect page, browser don’t bother loading the page. So normally we won’t see that data. If we prevent following of redirects, we’ll be able to view the page. I captured the request in burp and started Follow Redirecion, at a particular domain I got Flag.

Browser Bias

The Webpage shows us a message that the site is only optimized for browsers that run on commodo 64. So I googled which browser do that.

Its Hyperlink 2.5e

So I capture the request in burp and changed the User Agent to Hyperlink 2.5e from Firefox.

PCAP

Unsecured Login

HTTP requires data to be transferred from one point to another over the network. The transfer of resources happens using TCP So I searched directly as tcp contains flag

Unsecured Login2

Did the same thing as I did on the first challenge

This time flag is in url so I opened it to get the flag

FTP

Since its FTP, I tried searching as FTP and checked each packet in ftp. Found the flag in FTP-DATA Protocol.

Teletype Network

The file name give me the hint so I searched for telnet contains flag

Hidden ctf on my network

So from the given hint : When a new machine connect to an network , DHCP first assign IP for the machine.

Note

We can even use strings to get flag , because everything in plain text, thats why it works.

RECON

Front Page of the Internet

I googled Front Page of the Internet and found it is reddit

Since the creator of this challenge is ZestyFE I searched for his account in reddit.

The Big Stage

Hint : One time we keynoted @SaintCon… I think I remember hiding a flag in our pres

So I started googling about the conference and found a YT link

https://www.youtube.com/watch?v=1wthauUWsGI

Did some fastforwarding at 1:49:40 found an example of a CTF flag.

Hint : NeverLAN’s secret Track 2

Track represents Music maybe , when I register for CTF I saw Music category in the main page.

https://neverlanctf.com/

So I opened that and found Track1 Track2 Track3 (If its not displayed reload the page.)

We know Track2 is what we want, Its an youtube video so I opened link directly to YT and found the flag in comments.

Thats just Phreaky

Hint : The first of many stories that have been told. 01 September 2017 14:01

From the given hints I googled and opened the first link which relates everything with the hint

Looks like some story.

I searched the flag in source code of the page.

Forensic

OpenBackPack

I started with strings and steghide not good results then I tried binwalk.

binwalk - tool for searching binary images for embedded files and executable code

It extracted the files.

-e, --extract
              Automatically extract known file types

Look into the past

I downloaded the file to my machine and extracted and started searching whats there.

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User# ls -la
total 52
drwxr-xr-x 9 1000 rvm 4096 Feb  8 21:54 .
drwxr-xr-x 3 1000 rvm 4096 Feb  8 21:54 ..
-rw-r--r-- 1 1000 rvm  349 Feb  7 00:03 .bash_history
-rw-r--r-- 1 1000 rvm  864 Feb  7 00:04 .bashrc
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Desktop
drwxr-xr-x 2 1000 rvm 4096 Feb  8 22:22 Documents
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Downloads
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Music
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Pictures
-rw-r--r-- 1 1000 rvm  672 Feb  7 00:04 .profile
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Public
drwxr-xr-x 2 1000 rvm 4096 Feb  8 21:54 Videos
-rw-r--r-- 1 1000 rvm   37 Feb  7 00:03 .vimrc

Found .bash_history

In computing, various shells maintain a record of the commands issued by the user during the current session. The history command works with the command history list.

Found some commands history.

I looks like 3 passwords we created and decoded the flag.txt file to flag.txt.enc and the 3 passwords are split into 3 places

  • Embeded pass1 in a image using Steghide.
  • Created an user with pass2.
  • pass3 Added in sqlite database.

So I started from pass1

steghide embed -cf doggo.jpeg -ef $pass1 
mv doggo.jpeg ~/Pictures

Its embeded in an image and its located in /Pictures

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# steghide extract -sf doggo.jpeg 
Enter passphrase: 
wrote extracted data to "steganopayload213658.txt".

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# ls
doggo.jpeg  steganopayload213658.txt

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# cat steganopayload213658.txt 
JXrTLzijLb

They didnt used any password so I left the passphrase empty.

pass2

useradd -p '$pass2'  user

New user added with the name of user and pass2, basically passwords will be in /etc/shadows

I did cat /etc/shadows

user:KI6VWx09JJ:18011:0:99999:7:::

pass3

sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db

A Sqlite Database created and pass3 inserted into passwords and its in /opt directory.

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# ls
table.db.tar

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# file table.db.tar 
table.db.tar: POSIX tar archive

root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# tar -xvf table.db.tar 
table.db

Got 3 pass now

We know they encrypted with openssl with these command

openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3

Now we can decrypt the flag.txt.enc to flag.txt with the passwords we found.

I combined all 3 passwords

openssl enc -d -aes-256-cbc -salt -in flag.txt.enc -out flag.txt -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n

-d for decode

Chicken Little

Chicken Little 1

I logged in with the given credentials

They Provide the password in Welcome.txt

Chicken Little 2

Hint : Password is hidden

We can view all files even hidden files using ls -la

Chicken Little 3

If I cat the BAWKBAWK.txt it keeps on printing BAWK and We know that on every password has level before the password. So I used grep that level

Chicken Little 4

Its a binary file so we can use strings to see printable characters in the file.

Chicken Little 5

This is an gzip file but I cant decompress it because the extension is missing, I added them and tried extracting.

gzip -d the_sky_is_falling.gz

-d = decompress

Chicken Little 6

The Hint is we need to download the image file to our machine and see it

Reference : https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/

SCP (secure copy) is a command-line utility that allows you to securely copy files and directories between two locations. With scp , you can copy a file or directory: From your local system to a remote system

Chicken Little 7

The Hint is we can get level7 password in normal hash location which is /etc/shadow and crack them using hashcat.

I copied the hashes to my machines and named it as hash

-m 1800  = sha512crypt
-a 3     =  attack mode

How do you find its sha512crypt? I used john before that and it shows me what hash it is?

Trivia

Milk Please

Cookies were designed to be a reliable mechanism for websites to remember stateful information.

Flag:Cookies

Professional guessing

Flag:Password Cracking

Base 2^6

Flag:Base64

AAAAAAAAAAAAAA! I hate CVEs

With the give hint I googled the exploit

https://www.exploit-db.com/exploits/47995

This is because of pwfeedback

Flag:pwfeedback

Rick Rolled by the NSA???

I googled with the hint

https://arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-windows-10-vulnerability/

Flag: CVE-2020-0601

We managed to get into the position of 136 out of 1121