File decoding, vulnerability search and password cracking. Solving network problems from KnightCTF 2024

I talked about the KnightCTF 2024 tournament, which was organized by a team from Bangladesh. But not all tasks were included there. Below the cut I'll tell you about four more from the networking category. Read on to find out how to get secret information from bash-history and find the admin password in a dump. Suitable for both experienced and novice information security professionals.


Disclaimer: the material does not teach hacking and does not encourage illegal actions. Everything described below only demonstrates what security gaps are found in real web applications. And warns you what to pay attention to when developing software.

Use navigation to jump to the task you are interested in:

Task: Hidden File
Task: Confidential
Task: Super Admin
Task: Famous Tool 2

Task: Hidden File


Condition

What is the flag for a hidden file?

Given

.pcap file

Solution

In the last part I talked about the Port task, in which you needed to find the port number of the server's reverse shell: 6200/tcp. From the exploit code it can be seen that telnet was used for the connection, so all commands were transmitted in clear text. From there I extract bash_history.

Contents of bash-history.

The output contains the line 37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9. This is not classic hex but Twin-Hex, which encodes the original text two characters at a time.

Next, I decode the string using a Python module for Twin-Hex:

$ python twin_cipher.py -d "37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9"

Done – I get the flag!
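As an added example (not the author's script and not the original twin_cipher.py), here is a small encoder/decoder for the Twin-Hex scheme: each pair of printable ASCII characters (a, b) is packed as (ord(a) - 32) * 96 + (ord(b) - 32) and written as three base-36 digits. The base-96 parameter is my reconstruction of the scheme, checked against the string from the bash-history above.

```python
import string

B36 = string.digits + string.ascii_lowercase  # base-36 digit alphabet
CBASE = 96   # per-character radix: printable ASCII 32..126 shifted to 0..94 (reconstructed value)
GROUP = 3    # one pair of characters -> three base-36 digits (max 94*96+94 = 9118 < 36**3)


def twin_hex_encode(plain: str) -> str:
    """Pack each pair of printable characters into one 3-digit base-36 group."""
    if len(plain) % 2:
        plain += " "  # odd-length input is padded with a space
    out = []
    for a, b in zip(plain[::2], plain[1::2]):
        if not (32 <= ord(a) <= 126 and 32 <= ord(b) <= 126):
            raise ValueError("Twin-Hex only covers printable ASCII")
        n = (ord(a) - 32) * CBASE + (ord(b) - 32)
        digits = ""
        for _ in range(GROUP):
            digits = B36[n % 36] + digits
            n //= 36
        out.append(digits)
    return "".join(out)


def twin_hex_decode(cipher: str) -> str:
    """Inverse: each 3-digit base-36 group yields two printable characters."""
    cipher = cipher.strip().lower()
    if len(cipher) % GROUP:
        raise ValueError("ciphertext length must be a multiple of 3")
    out = []
    for i in range(0, len(cipher), GROUP):
        group = cipher[i:i + GROUP]
        if any(d not in B36 for d in group):
            raise ValueError(f"group {group!r} is not base-36")
        n = 0
        for d in group:
            n = n * 36 + B36.index(d)
        a, b = divmod(n, CBASE)
        # a > 94 or b > 94 cannot come from printable input: reject instead of emitting junk
        if a > 94 or b > 94:
            raise ValueError(f"group {group!r} is not valid Twin-Hex")
        out.append(chr(a + 32) + chr(b + 32))
    return "".join(out)


if __name__ == "__main__":
    # the string recovered from the bash-history in the task (constructed call, same value as the page)
    print(twin_hex_decode("37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9"))
```

A quick sanity check for a suspicious token in a history file is therefore: length divisible by three, all base-36 digits, and a decode that stays within printable ASCII.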

Task: Confidential


Condition

There's something confidential here. Can you find it? Please use the attachment from the first task.

Flag format: KCTF{fl4G}

Solution

Let's return to the bash-history from the previous task. On line 162 I see that the maybeconfidential.zip archive was downloaded. Let's find out what's in it.

Traffic content.

In Wireshark you can retrieve files that were transferred while the traffic dump was being recorded. I choose File > Export Objects > HTTP and add maybeconfidential.zip to the filter:

HTTP list.

I unpack the archive. Inside is a .docx file with a picture of the Knight CTF 2024 mascot:

Archived image.

The .docx format is itself a ZIP archive, so it needs to be opened as one. It contains three folders with files and an XML document.

Using a plain text search for KCTF, I find the flag in maybeconfidential/maybeconfidential/word/document.xml. Problem solved!


Task: Super Admin


Condition

What is the super admin password in the web application? Download the SQL dump to solve the problem. You may need it to solve other problems.

Flag format: KCTF{password}

Given

SQL dump.

Solution

Interesting task! Since only a dump was given, I decided to start with it. And I was right: inside there was an interesting section with information about users.

Contents of the SQL dump.

I take the hash of the root user, 5f27f7648285dec7954f5ee1ad696841, and look it up in an MD5 decoder (a hash lookup service, since MD5 cannot be decrypted). I get the password: letmeinroot.

Password recovered from the hash.

I substitute the password into the flag format: KCTF{letmeinroot}. Done!

Task: Famous Tool 2


Condition

What tool did the attacker use to expose the vulnerability of the job editing page? Please use the attachment from the first task.

Flag format: KCTF{toolname/version}

Solution

I continue working with the already familiar .pcap file. Starting from the exploit code from the Port task, I apply the http contains "sql" filter. I see several requests with IP addresses, protocols and other parameters.

Filter results.

It looks like a scan, which needs checking. I open packet 49187 in Wireshark:

Contents of the packet.

I find the User-Agent header and see the value sqlmap/1.7.10#stable. We conclude that the attacker used the sqlmap tool, version 1.7.10, for the attack. Done, let's form the flag.

Interesting materials on CTF


If you want to get acquainted with other tasks of CTF tournaments, I recommend reading previous articles on this topic.
