Some writeups for CTF Politeknik Mersing 2017.
Honestly, I'm not really an expert or experienced guy in crafting and creating CTF challenges. But for this competition, my intention was only to serve beginners. And surprisingly, some of them were able to answer them and some were not.
The challenges combine some basic cryptography elements with basic exploitation of the Metasploitable2 vulnerable image.
Ok, here are the list of questions and challenges for the event:
Information Gathering
1. Mesej Tersembunyi (Flag 1)
2. Mesej Tersembunyi lagi (Flag 2)
Exploitation
1. Mencari Kucing sesat (Flag 3)
2. Tidak Benar Belaka (Flag 4)
3. Tiga Abdul - Abdul Wahab, Abdul Wahib & Abdul Wahub (Flag 5)
Forensic Challenge
1. Image Forensic - Steganography
That's a total of 6 challenges! All you have to do is own the box in order to get all the flags, except for the Steganography one.
Flag 1: Mesej Tersembunyi
Viewing the page source from the browser, we found this.
<!-- Dulu2 punya password "TmlhdEluc29uZ01hdGFLYWppc2VtYXJOZ2lzZW5n" -->
Notice the "password" is not a hash at all; it is just base64-encoded. Simple! We decode it and we get this:
NiatInsongMataKajisemarNgiseng
Flag 2: Mesej Tersembunyi lagi
This one is different from the first flag.
<!-- Ada banyak FLAG dalam Server nie, jom kita cari Link lama - http://192.168.190.148/test/-->
Based on the HTML comment there is a /test directory which is accessible. Browsing to it, we find one text file, "info.txt":
c2640ee9637a20fa50bd2b6e531771a2
This one is not base64-encoded. So how? We can use an online hash identifier to identify it; there are plenty of sites we could use. The hash is MD5. The key is that there is no need to crack this hash yourself. You have to Google it and search with the right keywords, "MD5 Decryptor".
From the screenshot, our flag is SelamatDatangKeCRAC17
Flag 3: Mencari Kucing sesat
The first step to owning a box is to perform recon and check which ports are open and what services are running. We can run a fast scan with Nmap, use Netcat, etc.
:8180/manager/html
To exploit this you will need valid credentials. Well, there is a good wordlist for this one, rockyou! Next we have to brute-force it with whatever tools or scripts you have.
The Valid Credentials are:
Username: tomcat
Password: sulaiman
We can use the Metasploit Tomcat Deploy exploit to do that. Once it is successfully exploited you will straight away find the flag. Simple? Finding the Tomcat manager is not that hard.
JanganMakanIkanMiao
Flag 4: Tidak Benar Belaka
If you notice, there is another interesting service that can be exploited simply: UnrealIRCd version 3.2.8.1 running on port 9091. Same thing, this can be exploited with the Metasploit UnrealIRCd module.
There is no need for valid credentials for this one. Compared with Flag 3, where the privilege level is only the tomcat user and not root, this one grants us root! Yes! We have totally owned the box!
Flag 5: Tiga Abdul - Abdul Wahab, Abdul Wahib & Abdul Wahub
The points for this flag are high. Why? Because it's complicated! If you already solved flag 4 it means you have been granted full access. If you notice, there are 3 users in /etc/passwd:
- wahub
- wahab
- wahib
Next you will need to pull the password hashes and crack them with whatever password cracking tool you like, e.g. John the Ripper or Hashcat.
wahub:$1$wAd6iz60$j0LoaQfuGu2VxM5LgLYTW.:17434:0:99999:7:::
wahab:$1$Wwm0/WYO$F7HYtMitsDcs6jsod/aUv.:17434:0:99999:7:::
wahib:$1$psHas9Xy$3KEL.ZXivW/KLG3A2JVhG0:17434:0:99999:7:::
I prefer to use JTR.
john --format=aix-smd5 crackthis.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (aix-smd5, AIX LPA {smd5} (modified crypt-md5) [MD5 32/32])
Press 'q' or Ctrl-C to abort, almost any other key for status
WtA (wahab)
ZeU (wahib)
OcX (wahub)
3g 0:00:00:00 DONE (2017-10-02 13:56) 50.00g/s 50.00p/s 100.0c/s 100.0C/s OcX
Use the "--show" option to display all of the cracked passwords reliably
So we got these hashes cracked with JTR. As we can see, each password is only 3 characters long. Back to the question "Tiga Abdul - Abdul Wahab, Abdul Wahib & Abdul Wahub": what do we get if we combine all those passwords in that order?
WtAZeUOcX
Looks like a flag? Maybe? What if we convert the string with the ROT13 cipher?
Our flag is JgnMrHBpK
Well.... don't be angry, or you'll get sold. hahaaa..
Last one! Forensic Challenge - Steganography
This one requires a bit of thinking. We have to find the hidden flag in this image:
Normally we'd use standard photo/image software like Photoshop or GIMP, but that might not be the right tool to find the answer. So I'm going to use a freeware hex editor (any hex editor you like will do).
At first, when we open up the image in the editor, notice there is a "Google"? Let's find out whether there is any Google within the image. By right you should find two text strings containing "Google".
If you really look into it and check back on the hex code, the code itself is repeated. So? Did you notice the difference between those two?
Going back to the second block with the text string Google.
The additional code was 526d685a4e485a364e474575546e6856655735344d30453d, and this may be our answer for this challenge.
I put a clue for this, "Encryption within Encryption". With the string we got, what exactly is the encoding that we have?
It's simple, identify and decode it! That's it!
1. 526d685a4e485a364e474575546e6856655735344d30453d (Hex Code)
2. RmhZNHZ6NGEuTnhVeW54M0E= (Base64)
3. FhY4vz4a.NxUynx3A
One of the participants already got this far, but they failed to identify the last layer, which is actually the ROT13 cipher. The answer for it was:
SuL4im4n.AkHlak3N
That concludes my writeup. I did plan to put a Binary Analysis challenge in this CTF, but I'm not really good with my reverse engineering skills and knowledge. Maybe next time.
Any comments and critique are welcome. Thanks!