VULNCON CTF is a 24-hour CTF event that corresponds with the VULNCON 2020 virtual hacking conference.
I did get started on this one a bit late, with only a few hours left in the competition, so I will try to get through as many as I can!
The link takes you to a webpage that has this banner:
Checking the source code yielded nothing of interest.
The instructions clarify that you CAN use Gobuster. In most of the other challenges, brute forcing is not allowed.
Early on in the scan a /projects directory popped up:
If you view the source code, you can see a comment that points towards an image:
If you navigate there, a QR code appears:
If you decode that, it appears to be text that just says, “Hello”
On the /projects page it mentions that “27 is my lucky number”. So I changed the image number from 0 to 27, and another QR code popped up:
This one decoded as 13.
Using the same process, the next one decoded as “not”
At this point I just started trying the image numbers in succession, starting at 0, they spelled out:
“Hello and welcome to this challenge! We hope that collecting these images was not that hard for you, anyways just so you know I love the number 13.
From here, I downloaded Image 13 and opened it in CyberChef:
You can see what looks to be a string of Base64:
Which can then be further decoded with Rot13.
This one gives you a .pcap file to open.
If you follow the TCP streams one by one, each one has a different letter/number. Add all of them together and you will get a Base64 code.
VGhlIGZsYWcgaXMtPiBCMXRfYnlfQjF0X3YxYV9uYwo=
For this one I started out in CyberChef by converting the hex:
From here I saved the output as a zip file. It opened up as a password protected pdf, which I used pdf2john to get into, with the help of THIS tutorial.
I first grabbed the password hash from the pdf:
Then cracked the hash to find the password, “butterfly”.
After opening up the pdf file, I found this, which looks like Daenerys on top of one of her dragons, Drogon.
Drogon is a hint that points towards the Dragon Language from Skyrim:
Which translates to:
v u l n ey o n d r a ey o n i ey i s ey oo l
You will notice there is no C in the Dragon Alphabet. If you replace all the “ey” with “c”, you get:
vulncondraconiciscool
OSINT has always been my favorite. I did waste the remainder of my time doing this challenge, but it was worth a fair amount of points.
I started out by searching for tim3zapper and found a Twitter profile:
If you search through Tom’s tweets, you see that he speaks about one of them being removed.
From here I headed to the WayBack Machine to see if there were any snapshots saved. There was one from December 5th, which showed the tweet that was removed:
From here I searched for the new username on Google, and found this:
Using the search function on that page, I was able to find Tom again.
He has two posts:
I did a Google image search for this photo, and found it was taken by a photographer named Agustin Anaya.
If you try to contact him through that link though, it mentions that the email address is hidden for the photographer’s privacy.
I started looking for more info about the photographer on Google, eventually coming to this webpage with more of Agustin’s photos:
If you right-click on “Contact Photographer”, you can copy the email address, and then paste it in notepad or something.
I wish I could have dug a bit more into the other OSINT challenges, but I did run out of time. There is always next year!
Happy Hacking! ❤
