CloudSEK CTF Walkthrough

Few days back I participated in CTF challenge which was a part of EWYL program organized by CloudSEK. This was an amazing and engaging CTF challenge. This story is the walkthrough of the same.

We were provided with a link(URL: http://54.244.19.42/) to login page which asks for the Username and the Password. But there were no username and password with me that can help me login to the page.

Step 1: My first approach was to check the page source. To view the page sources Right click on the login page >> Click View page source option. Below is the screenshot of the page source.

Step 2: While scrolling on the page source I found a JavaScript code which includes the login function. I found that there was no validation for the username. It means that I can type any username or even leave it blank. And the password was divided into two parts. One part is given in Hex format (\x43\x6C\x6F\x75\x64\x53\x45\x4B\x5F) and the MD5 hash was given for the other part.

Step 3: I used online tool to decode both hex and MD5 hash to get the password. The password I got was CloudSEK_jeniffer.

Step 4: Enter the password. I was logged in as jared. There was a message that I can find the access token inside the home directory in a text file named as secret.

I wondered where I can find the home directory and then that secret.txt file. I looked at the URL of the page. I found a parameter p and it has a strange code.

URL: http://54.244.19.42/loader.php?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=CloudSEK_jeniffer

Step 5: It was a base64 code. I decoded it using an online tool. It was some file name. It means that the URL was taking the file name as parameters.

Step 6: I thought of LIF vulnerability. If this vulnerability exists than the attacker can read the important files and folders on the server. An attacker can navigate to any directory or file on the web server.

In previous step I got to know that I can find a secret.txt file in the home directory and we were logged in a user jared. So, I tried to navigate to /home/jared/secret.txt

I encoded the path into base64 because the URL was taking the parameter in the base64 encoded form.

Step 7: I successfully found the access token for the login portal.

Step 8: I open the online tool to find out about the access token. This token was for the user jared. I the previos step I got to know that the user jared is not allowed to access other files. So, those files may be accessed by the admin.

Step 9: I changed the user name to the admin and got new access token for the admin user.

Step 10: Now what!!! Where is the login portal? What is the path to it? These questions arise. I knew about the robots.txt file. It is a file that tells search engine crawlers which pages or files the crawler can or can’t request from your site. May be this file can have some information. So, I gave it a try and yes found the path to the developer login portal.

Step 11: Tried visiting the link http://54.244.19.42/dev/login.php

But it says that the page only accepts POST request.

Step 12: I used curl command to generate the post request. But it says No ‘access_token’ specified. Hence, I figured out where to use the access code that I found earlier.

Step 13: Open the Burp suite to intercept the request to /dev/login.php page. Right click on the request >> Click on Change request method to make it a post request. Send the request to the Repeater and add access token at the end and click send. In the response window I found a link to the another page.

Step 14: Visited the link http://54.244.19.42/CloudSEK_to_win_page.html

The page appeared as show below in the screenshot.

Step 15: The page contained nothing other than an image. I saved the image to my system and used exiftool (Terminal tool) to get meta data of the image. There I found path to another html page with the name ThE_FlAg_PaGe.html

Step 16: Visited the link http://54.244.19.42/ ThE_FlAg_PaGe.html. I got the flag but where to submit the flag that’s the question now.

Step 17: The page shown above also contains two images one is the CloudSEK logo and the other images says YOU WIN! May be that image can have the form link. So, I saved the image to my system and used exiftool to check the meta data but didn’t find anything there.

Step 18: There are many other steganography tools available. So, I used steghide to find out if something is there hidden in the image. Steghide asks for the passpharse means a password to extract. In the web page above it was written that “The flag is the key to the next door”. I gussed that the flag that I have found can be the password. I enter the flag as password. And yes that was the correct password. The tool extracted a text file named as “comp3tion_m3ssag3.txt” that was embedded in the image.

Step 19: Open the text file. It contains the form link where I need to submit my walkthrough. And here the challenge ends.

TH4NK Y0U!!!