CloudSEK CTF Walkthrough

Satyam Kanojiya[547y4m]
5 min readOct 1, 2020

Challenge-2

Greetings !

This is the detailed write-up for CloudSEK CTF Event which is based on web/stenography and special thanks to CloudSEK Team for providing this wonderful challenge. First of all I think that this challenge would be of jeopardy style as usual but no it’s not like that.

To Chaliye shuru krte hain…….

Challenge starts with a link or in particular an I.P address i.e. http://54.244.19.42/ after visiting this link a login form showed up.

After lot trying with my correct login credentials it showed “Incorrect credentials” only. Then my mind said ‘hey! check source code’ after reviewing the source code of that page from top it look as normal but going bottom side reveals lot much information about working of the login page. I guess that maybe this is also a part of challenge and I guessed right, at the XVIGIL-community page in instructions it is revised that the login is also a part of task and have to bypass that for further proceeding. Heading over to source code of that page and you can see the below screenshot provided.

Going through source code “loginfunction( )” attracted me and discovered:-

· that the there is no use of username variable in given code to authorize.

· Saw the variable x & y the password is splitted into two parts from index ‘9’.

· And variable z content is converted into md5 hash shown in 2nd if statement and upon cracking the hash with https://crackstation.net/ it would give “jeniffer”. Now, the half part of the password is with us.

· Looking through first if statement it is again encoded and by normal seeing I can identify that it is encoded in Hex converting upon it give “CloudSEK_”. I used online rapidtables hex to ascii text converter. https://www.rapidtables.com/convert/number/hex-to-ascii.html

So the final password is “CloudSEK_jeniffer” and you can give any username it not matters much.

Above are the snapshot of how I get password. When feeding this password to login form take us to a new page.

Reading this give me the idea of directory traversal like “/home/jared/secret.txt” and in source code nothing much to see. After lot brainstorming with myself and trying didn’t find any way to proceed then I check the URL of the page there is some encoded content decoding/analyzing it ended up giving “message1_to_jared.txt” and it is encoded in Base64 maybe page have a filter of Base64.

And I realized that’s why my normal English commands is failing and I do same, encoded my command “/home/jared/secret.txt” in Base64 now same looks like this “L2hvbWUvamFyZWQvc2VjcmV0LnR4dA==” giving up the following URL in search bar takes to a different page where we got our credentials/JWT Token for access.

http://54.244.19.42/loader.php?p=L2hvbWUvamFyZWQvc2VjcmV0LnR4dA==&password=CloudSEK_jeniffer

For Base64 encoding/decoding — https://gchq.github.io/CyberChef

Wait where to use this token & how ??

Where is login portal?? All will be answered down here……….

Then I decided to use gobuster tool for enumerating directories because I had to find login portal. I ran this below command and found 3 worthy directories.

Command — gobuster dir -e -u http://54.244.19.42/ -w /usr/share/dirb/wordlists/common.txt

Output —

http://54.244.19.42/devError 403 forbidden

http://54.244.19.42/index.phpWebpage of 1st login form not for our access token

http://54.244.19.42/robots.txtOpening this gave us the path to login portal we want

But nothing fruitful here at first sight for me.

Now we have portal & token but how to submit it is the new obstacle for me because I never deal with this type of stuff but ya I know about the JWT Token. So, this time I take the help of hints provided in XVIGIL community page. By reading it has 2 ways to do using burp-suite, curl. I taked the path of curl and googling through topic landed me on this helpful curl command cheat sheet on GitHub. https://gist.github.com/joyrexus/85bf6b02979d8a7b0308

Using curl command passing the given token as POST data throws an error of “access_token not specified” and correcting that an admin issue comes up. After spending time I totally forgot that I had to edit JWT Token, by editing it with https://jwt.io/ it look like this.

Finally! got a index to different webpage for further action.

Curl command — curl -X POST http://54.244.19.42/dev/login.php — data “access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.xLtLdUxXsGB7EqP49a8xQziqpjkVKeJ9o2nix4xLf5M”

Output — <script>window.location.href=”../CloudSEK_to_win_page.html”;</script>

Checking the source code of same page didn’t elaborate much but it contains a image named CloudSEK_AboutToWin.jpg which may show a path to final destination. I downloaded the image and started playing with it, within seconds I got path to next webpage.

Command used - file CloudSEK_AboutToWin.jpgOutput – ‘/ThE_FlAg_PaGe.html’

Yay! got the flag but no link for submission maybe another stenography challenge, again source code checking is important all looks normal but there are 2 images this time. I downloaded the images named CloudSEK_logo.png & you_are_winner_indeed_img.jpg.

Starting with the CloudSEK_logo.png it has nothing important in meta-data & comments. Checked with binwalk, file, zsteg commands.

Heading over to you_are_winner_indeed_img.jpg tried checking metadata but nothing there, then remind that webpage said that flag is the key. So, I used steghide tool for looking form link in you_are_winner_indeed_img.jpg and extracted a text file named compl3tion_m3ssag3.txt with passing flag as passphrase.

Voila! Challenge completed.

I really enjoyed the challenge and appreciated the vastness of the topic covered in CTF.

Hunting is fun!

--

--