{"id":1070,"date":"2023-09-25T11:38:28","date_gmt":"2023-09-25T11:38:28","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=1070"},"modified":"2023-09-25T11:40:26","modified_gmt":"2023-09-25T11:40:26","slug":"winja-ctf-nullcon-goa-2023-edition-solutions","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/winja-ctf-nullcon-goa-2023-edition-solutions\/","title":{"rendered":"Winja CTF @ Nullcon Goa 2023 Edition Solutions"},"content":{"rendered":"\n

Hello, Everyone! I trust you had a fantastic time at Winja CTF 2023 – Goa Edition. I hope you found the challenges intriguing. <\/p>\n\n\n\n

In this blog post, I will be sharing the solutions to the challenges I built.<\/p>\n\n\n\n

Faulty Portal<\/h2>\n\n\n\n

This was a web challenge that’s based on collibra.<\/p>\n\n\n\n


Collibra is a software company that specializes in data governance and cataloging solutions. It provides a platform that helps organizations manage and govern their data assets, ensuring that data is accurate, consistent, and compliant with regulations.<\/p>\n\n\n\n

Lets get to the solution.<\/p>\n\n\n\n

The landing page looks like this.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

If you go to the page-source, you will find that there is a todo that talks about installing collibra.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With this information, you’ll have a jot down a list that contains possible collibra file and directory names and bruteforce.<\/p>\n\n\n\n

You will get a hit for collibra.properties<\/code> which has the username and password. But there is still a hunt for url<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It says check notes.<\/p>\n\n\n\n

An easy guess is to check in notes files. But we dont know the extension yet. Extension list can be bruteforced and you will get a hit for notes.png<\/code>. But it shows this.
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Retrieve the file using wget and open the file in vim. You will see a base64 text.<\/p>\n\n\n\n

Now make the file of the format <\/p>\n\n\n\n

<img src=\"data:image\/png;base64,iVBORw0KG...\" \/><\/pre>\n\n\n\n
This is the html representation. Also save the file as notes.html and you will see the vulnerable path `\/mysecretflag.php`.<\/p>\n\n\n\n
Now just visit the path and enter the credentials to get the flag.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Crawlwise<\/h2>\n\n\n\n
This challenge is inspired by a dependency confusion attack where you just need to identify the unusual package name and get the flag.<\/p>\n\n\n\n
Lets get to the solution.<\/p>\n\n\n\n
Once you get to https:\/\/github.com\/Winja-Events\/CrawlWise, you will see a lot of code around AI\/ ML and how different models are implemented. The code is a misdirection and the original vulnerability lies here.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
See something different here?
Its the package name of line number 7 winja-exploitr<\/code>. So you simply need to run pip3 install winja-exploitr<\/code>. Once the package is installed, nothing will happen as such (even when you import it). <\/p>\n\n\n\n
Now go to site-packages path of your python environment and search for package winja_exploitr. In the main.py file, you will find your flag.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And there you see the flag! Hope you learned about AI\/ML implementations too \ud83d\ude42<\/p>\n\n\n\n
<\/p>\n\n\n\n
Mycamera App<\/h2>\n\n\n\n
My camera app is an Android application that clicks a photo and uploads it somewhere. But does it really uploads stuff? The challenge is inspired from the real-world scenario where you need to read the code and strings.<\/p>\n\n\n\n
Lets get to the solution.
The app is a basic one and once a photo is clicked, you will get a toast saying image is uploaded<\/code>.<\/p>\n\n\n\n
Now there is nothing much in the UI, so we can move to app decompilation.<\/p>\n\n\n\n
Decompile it using jadx and open the extracted files in android studio. Its gives better code readability.<\/p>\n\n\n\n
You will see a few java files. But the interesting stuff lies in strings.xml and EncryptDecrypt.java<\/p>\n\n\n\n
In strings.xml<\/code> you will see the following keys that are interesting and suggest that firebase is used.<\/p>\n\n\n\n
    <string name=\"key\">AIzaSyDVoHL4OvktJRo-gQo952SP8ytyz22LAOA<\/string>\n    <string name=\"client_id\">467331769845-sdd0ukl3fmj2irb0nor30801dqc0hp73.apps.googleusercontent.com<\/string><\/code><\/pre>\n\n\n\n
Here, the key is a misdirection as all we need is the project name and the path where the flag may be existing<\/p>\n\n\n\n
    <string name=\"upload_bucket\">mysecr3tpaper<\/string>\n    <string name=\"image_upload_folder\">\/secrets<\/string><\/code><\/pre>\n\n\n\n
The bucket has public read access so you can run the following command to get the flag<\/p>\n\n\n\n
curl -X GET \"https:\/\/firestore.googleapis.com\/v1\/projects\/mysecr3tpaper\/databases\/(default)\/documents\/secrets\"<\/code><\/pre>\n\n\n\n
You will see multiple flags here. But the correct one is the one that is encrypted.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Cant guess what encryption is used? Time to go back to the code. The EncryptDecrypt file mentioned about Blowfish<\/code> Algorithm. So you can decrypt the text using the secretkey provided in the code to get your flag.<\/p>\n\n\n\n
Go to https:\/\/sladex.org\/blowfish.js\/ and enter your encrypted text and key. Mode is CBC.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Timetrek<\/h2>\n\n\n\n
The challenge starts with access to docs file https:\/\/docs.google.com\/document\/d\/1wThMjs8Ro2IMY8K026kso5Fqtk4RsPH6rEYsESN1b8g\/edit?pli=1
This looks like documentation which is been reviewed by someone. You will have to first request the permissions. And I give you the commenter access.<\/p>\n\n\n\n
If you scroll through the comments, you will observe that they are talking about scheduling a meeting and the user says that my username for the calendar is same. (A hint was provided that the preferred calendar is not google calendar)<\/p>\n\n\n\n
This is directed towards calendy account of the user.<\/p>\n\n\n\n
Simply go to https:\/\/calendly.com\/infosecshreya to get the flag.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
That’s all for this post. We look forward to reconnecting with all of you in the next event! Until then, happy hunting! \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Hello, Everyone! I trust you had a fantastic time at Winja CTF 2023 – Goa Edition. I hope you found the challenges intriguing. In this blog post, I will be sharing the solutions to the challenges I built. Faulty Portal This was a web challenge that’s based on collibra. Collibra is a software company that […]<\/p>\n","protected":false},"author":1,"featured_media":1087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1070"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=1070"}],"version-history":[{"count":5,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1070\/revisions"}],"predecessor-version":[{"id":1088,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1070\/revisions\/1088"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/1087"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=1070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=1070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=1070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}