Winja CTF @ Nullcon Goa 2023 Edition Solutions

Winja CTF @ Nullcon Goa 2023 Edition Solutions

Hello, Everyone! I trust you had a fantastic time at Winja CTF 2023 – Goa Edition. I hope you found the challenges intriguing.

In this blog post, I will be sharing the solutions to the challenges I built.

Faulty Portal

This was a web challenge that’s based on collibra.


Collibra is a software company that specializes in data governance and cataloging solutions. It provides a platform that helps organizations manage and govern their data assets, ensuring that data is accurate, consistent, and compliant with regulations.

Lets get to the solution.

The landing page looks like this.

If you go to the page-source, you will find that there is a todo that talks about installing collibra.

With this information, you’ll have a jot down a list that contains possible collibra file and directory names and bruteforce.

You will get a hit for collibra.properties which has the username and password. But there is still a hunt for url

It says check notes.

An easy guess is to check in notes files. But we dont know the extension yet. Extension list can be bruteforced and you will get a hit for notes.png. But it shows this.

Retrieve the file using wget and open the file in vim. You will see a base64 text.

Now make the file of the format

<img src="data:image/png;base64,iVBORw0KG..." />

This is the html representation. Also save the file as notes.html and you will see the vulnerable path `/mysecretflag.php`.

Now just visit the path and enter the credentials to get the flag.

Crawlwise

This challenge is inspired by a dependency confusion attack where you just need to identify the unusual package name and get the flag.

Lets get to the solution.

Once you get to https://github.com/Winja-Events/CrawlWise, you will see a lot of code around AI/ ML and how different models are implemented. The code is a misdirection and the original vulnerability lies here.

See something different here?
Its the package name of line number 7 winja-exploitr. So you simply need to run pip3 install winja-exploitr. Once the package is installed, nothing will happen as such (even when you import it).

Now go to site-packages path of your python environment and search for package winja_exploitr. In the main.py file, you will find your flag.

And there you see the flag! Hope you learned about AI/ML implementations too šŸ™‚

Mycamera App

My camera app is an Android application that clicks a photo and uploads it somewhere. But does it really uploads stuff? The challenge is inspired from the real-world scenario where you need to read the code and strings.

Lets get to the solution.
The app is a basic one and once a photo is clicked, you will get a toast saying image is uploaded.

Now there is nothing much in the UI, so we can move to app decompilation.

Decompile it using jadx and open the extracted files in android studio. Its gives better code readability.

You will see a few java files. But the interesting stuff lies in strings.xml and EncryptDecrypt.java

In strings.xml you will see the following keys that are interesting and suggest that firebase is used.

    <string name="key">AIzaSyDVoHL4OvktJRo-gQo952SP8ytyz22LAOA</string>
    <string name="client_id">467331769845-sdd0ukl3fmj2irb0nor30801dqc0hp73.apps.googleusercontent.com</string>

Here, the key is a misdirection as all we need is the project name and the path where the flag may be existing

    <string name="upload_bucket">mysecr3tpaper</string>
    <string name="image_upload_folder">/secrets</string>

The bucket has public read access so you can run the following command to get the flag

curl -X GET "https://firestore.googleapis.com/v1/projects/mysecr3tpaper/databases/(default)/documents/secrets"

You will see multiple flags here. But the correct one is the one that is encrypted.

Cant guess what encryption is used? Time to go back to the code. The EncryptDecrypt file mentioned about Blowfish Algorithm. So you can decrypt the text using the secretkey provided in the code to get your flag.

Go to https://sladex.org/blowfish.js/ and enter your encrypted text and key. Mode is CBC.

Timetrek

The challenge starts with access to docs file https://docs.google.com/document/d/1wThMjs8Ro2IMY8K026kso5Fqtk4RsPH6rEYsESN1b8g/edit?pli=1
This looks like documentation which is been reviewed by someone. You will have to first request the permissions. And I give you the commenter access.

If you scroll through the comments, you will observe that they are talking about scheduling a meeting and the user says that my username for the calendar is same. (A hint was provided that the preferred calendar is not google calendar)

This is directed towards calendy account of the user.

Simply go to https://calendly.com/infosecshreya to get the flag.

That’s all for this post. We look forward to reconnecting with all of you in the next event! Until then, happy hunting! šŸ™‚

shreyapohekar

Iā€™m Shreya Pohekar, a Senior Product Security Analyst at HackerOne. I enjoy sharing my thoughts and insights through blogging, turning complex security topics into engaging and accessible content for my readers.

Leave a Reply