SecurityByte (http://securitybyte.org) is India’s largest hacking conference, conducted in Bangalore. To make the event more interesting, they also arrange capture the flag events (Web & Wi-Fi hacking challenges). More details about the events and the rules are available at http://securitybyte.org/#!/events.
This year’s Web CTF is being powered by NII Consulting. To qualify for the main CTF event, you have to solve the pre-challenge, which is available to remote users. The goal of the pre-challenge is to read the flag present in the flag-ctf.txt file located at http://ctf.securitybyte.org/ctf-2011/index.html. This pre-challenge is well crafted and gives a lot of learning. I solved this puzzle in 3 hours with the help of my friend kc. I am putting up this walkthrough to show the thought process we followed throughout the challenge and to serve as a resource for people who are learning application security.
Let’s begin the hack...
When I opened the site, the first thing that caught my eye was that every image on the website has a logo saying Removable logo. This made me think about steganography, and I felt that some clues were hidden in these images. Later I used a couple of image steganography tools to find out whether any information was stored in the images or not. I learned a lot about steganography but could not find any clues for this challenge.
Moved to the contacts page and clicked on the buttons. Whatever name the buttons have, it showed contact.phps in the URL and displayed a Page not found message. Looked in the view source of the contacts page and found an interesting comment: <!-- Do you see something wrong here... -->. This comment made us try different combinations of the contact page, e.g. contact.php, contacts.php, contacts.phps... In the end nothing worked.
Looked for the robots.txt file and observed a couple of interesting things.
Access to the /login/ directory displayed a login page which is vulnerable to SQL injection. Logged into the site on the first attempt by typing admin as the username and ' or 1=1-- as the password. Hurray, we got the admin welcome page, which has a textbox where we can enter any IP address and find out the traceroute. We can use the Linux pipe (|) to append our commands to the IP.
Used the ls command to find the files located in our main directory (ctf-2011).
The first file in the result is named ReadTheFlag. It appeared that we had almost got the solution. Used the cat command to read the file content.
Oops... It displayed some junk data along with an error message saying it failed while decrypting the content of the flag-ctf.txt file. Hmmmm... now we really didn’t know how to decrypt the file contents. After a little brainstorming and a few searches, we noticed a string r34dm3 which appears interesting because this value is prepended to /root/flag-ctf.txt in the error message.
Our guess worked well. The above command displayed the decrypted content of the flag-ctf.txt file. We tried to read the file a couple of times and found that it displays a random value every time.
The value displayed on the screen is an ASCII hex encoded value.
Tango down. We have read the decoded value of the flag and submitted it to the challenge. Game over!
Thanks to the SecurityByte team for arranging an awesome challenge.
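As an added example (not the challenge's own code, which this post never shows), here is the login check and the traceroute box from the walkthrough above written in Python, each with the bug beside its fix; the user table, its column names and the traceroute binary name are assumptions:

```python
import ipaddress
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's /login/ user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return db


def login_vulnerable(db, username, password):
    # Input is spliced straight into the query.  With the walkthrough's
    # password the quote closes the literal, "or 1=1" makes the WHERE clause
    # true for every row, and "--" comments out the dangling quote.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    # Bound parameters: the driver passes the values separately from the
    # statement, so nothing typed into the form is ever parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def traceroute_argv(target):
    # Hardened form of the admin traceroute box.  The challenge version built
    # a shell line from the text box, which is why "8.8.8.8 | ls" also ran ls.
    # Here anything that is not a literal IP address is refused (None), and
    # the result is an argv list meant for subprocess.run() without
    # shell=True, so a pipe character could never reach a shell anyway.
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["traceroute", str(addr)]
```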