HackerOne - h1-702 2018 DEFCON CTF Writeup
Disclaimer
I did not solve this puzzle. This writeup will go over what I tried and the flow of my thoughts throughout the process.
Introduction
Since my recent interest in Bug Bounties, while I was at DEFCON 26, I wanted to meet HackerOne staff. I saw a tweet from HackerOne and I was determined to try to meet someone from HackerOne! I decided to hang around the Packet Hacking Village to see if I could catch one of the staff members.
After asking around, unfortunately, I wasn’t able to meet any HackerOne staff, but I was given a puzzle by one of the Packet Hacking Village staff, who explained he was told to give them out to people interested in HackerOne.
Recon and some deciphering…
My first instinct was “I should try to ssh in as root into whatever the domain name is and then cat the file in ./702/puzzle”, so I put atvdxk.ahebwtr into a ROT decoder.
Only ROT-7 made sense, so I continued on the assumption that atvdxk.ahebwtr decodes to hacker.holiday. I got really excited and jumped over to the CLI to do an nmap scan on hacker.holiday:
nmap -sC -sV -oA nmap/initial.nmap -vvv hacker.holiday
My initial nmap scan didn’t show any port running ssh, so I decided to scan all ports:
nmap -p- -sC -sV -oA nmap/all-ports.nmap -vvv hacker.holiday
The result was the same as my initial nmap scan, but since most ports are filtered, I’m not certain that there is no ssh running. So I tried to ssh into port 22 on hacker.holiday:
ssh root@hacker.holiday
My CLI didn’t prompt me to enter a password for root. I thought this was very strange so I decided to run ssh in verbose mode:
ssh root@hacker.holiday -v
I’m not certain why all my ssh attempts timed out. However, if I had to guess, maybe hacker.holiday was using AWS’s Elastic Load Balancer, because hacker.holiday had many addresses on the nmap scan.
Web
Unsure of what exactly was going on, I decided to go explore what webpage is being served at port 80.
Upon clicking on rules.txt, I noticed an interesting parameter: file=rules.txt
Since it appears the backend outputs the contents of the file you pass into the file parameter, my first instinct upon seeing the file parameter was to try directory traversal to ./702/puzzle. So I tried:
file=./702/puzzle
file=../../../../../702/puzzle
file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f702%2fpuzzle
file=../../../../etc/passwd
file=127.0.0.1/../../../../../702/puzzle
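For the defender's side of the values listed above, here is an added example (not code from the challenge or from HackerOne) of a file-parameter check that canonicalises the path, enforces containment in the document root, and applies an allowlist. The `ALLOWED` set, the `resolve` helper and the temporary document root are assumptions made for illustration; how the real backend handled the parameter is not known from this page.

```python
import os
import tempfile
from urllib.parse import unquote

ALLOWED = {"rules.txt"}  # assumption: the only file the page is meant to serve

def resolve(base_dir, raw_value):
    """Return the real path to serve, or None if the request is refused.

    raw_value is the still-encoded value as it appears in the URL.
    """
    name = unquote(raw_value)            # decode %2e%2e%2f exactly once
    if "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment: the canonical path must still sit under the base directory.
    if os.path.commonpath([base, target]) != base:
        return None
    # Allowlist: compare the canonical relative name, not the raw input.
    if os.path.relpath(target, base) not in ALLOWED:
        return None
    return target if os.path.isfile(target) else None

def demo():
    """Run the values tried above against a constructed document root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "rules.txt"), "w") as f:
            f.write("constructed sample file\n")
        tried = [
            "rules.txt",
            "./702/puzzle",
            "../../../../../702/puzzle",
            "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f702%2fpuzzle",
            "../../../../etc/passwd",
            "127.0.0.1/../../../../../702/puzzle",
        ]
        return {v: resolve(root, v) is not None for v in tried}

if __name__ == "__main__":
    for value, served in demo().items():
        print(f"{'serve ' if served else 'refuse'}  file={value}")
```

A check like this returns the same refusal for every value that leaves the root or is not on the list, so the responses alone do not tell the requester whether the target file exists.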
My thoughts were “maybe the file doesn’t actually exist”, “how do I enable DEBUG mode?”, and “is the file parameter whitelisted?”, but I have to do some more digging around to find the answer to those questions. So I decided to check the robots file to see if there would be anything interesting there.
After seeing the word flag, I got excited and went to check out what was at hacker.holiday/flag.php.
But after inspecting the source code, I didn’t see anything too interesting, so I fired up Burp Suite to see what the HTTP request looked like.
I noticed there wasn’t a token being sent through HTTP and there wasn’t a token in the website source code, so I thought it was unlikely to get CSRF on flag.php for MISSING ACCESS TOKEN.
I also noticed in the response back the Server was Apache, so I tried to see if I could use the server to access its own file and output it to me, to skip over MISSING ACCESS TOKEN.
https://hacker.holiday/?file=127.0.0.1/flag.php
https://hacker.holiday/?file=127.0.0.1/../../../../flag.php
But that tactic didn’t work either. Since the description of the CTF says “…test your skills at… file forensics, and image steganography”, I decided to try something else: I downloaded all the images on hacker.holiday to see if there was any information, particularly a token, hidden in the images.
Forensics and steganography
I ran file, strings, exiftool, and binwalk on each of the images below.
All the file command results indicated the images had the correct extension, and the strings command didn’t seem to yield anything too interesting. I was thinking maybe some of the image files would have GPS coordinates attached to them, and just a slim chance the coordinates would be the location of the h1-702 CTF, but unfortunately none of the exif data from the image files had a location attached to it. So I decided to binwalk all the following images to see if there were any files hidden inside.
I noticed there seem to be zip files in 3 of the images (702.png, mesh.png, hacker101.png), so I decided to use dd to extract them.
To extract the zip from 702.png:
dd if=702.png of=702_out.zip bs=1 skip=85
To extract the zip from mesh.png:
dd if=mesh.png of=mesh_out.zip bs=1 skip=868
To extract the zip from hacker101.png:
dd if=hacker101.png of=hacker101_out.zip bs=1 skip=91
Upon attempting to unzip the files, all of them were missing the end of central directory signature. Since binwalk sometimes will mistake png files as containing zips, and most of them were missing the central directory file header signature and the end of central directory signature, I decided that taking the route of repairing and extracting all the zips might not be the best use of my time. So I went to explore other options.
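A quick way to triage a carved blob before spending time on repair is to check the three ZIP signatures directly. The following is an added example, not part of the original writeup: `check_carved_zip` and the constructed samples are assumptions for illustration, and the 85-byte stand-in header only mirrors the skip=85 offset used above.

```python
import io
import struct
import zipfile
import zlib

LOCAL, CENTRAL, EOCD = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def check_carved_zip(blob, offset):
    """Classify the bytes from `offset` on as 'zip', 'truncated' or 'not-zip'."""
    data = blob[offset:]
    if not data.startswith(LOCAL):
        return "not-zip"                     # no local file header at the hit
    # The end-of-central-directory record is 22 bytes plus a comment of up to 65535.
    pos = data.rfind(EOCD, max(0, len(data) - 22 - 65535))
    if pos < 0 or len(data) - pos < 22:
        return "truncated"                   # header present, directory missing
    # EOCD fields: total entries, central directory size, central directory offset.
    entries, cd_size, cd_off = struct.unpack_from("<HII", data, pos + 10)
    if data[cd_off:cd_off + 4] != CENTRAL or cd_off + cd_size > pos:
        return "truncated"
    try:                                     # final word: let zipfile verify the CRCs
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "zip" if entries and zf.testzip() is None else "truncated"
    except zipfile.BadZipFile:
        return "truncated"

def constructed_samples():
    """Constructed inputs: a real appended zip, a cut one, and plain zlib data."""
    head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 77   # 85 bytes of stand-in image data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    good = head + buf.getvalue()
    cut = good[:-30]                             # drops the 22-byte EOCD record
    zlib_only = head + zlib.compress(b"pixel data " * 20)
    return good, cut, zlib_only, len(head)

if __name__ == "__main__":
    good, cut, zlib_only, off = constructed_samples()
    for label, blob in (("good", good), ("cut", cut), ("zlib", zlib_only)):
        print(label, check_carved_zip(blob, off))
```

A "not-zip" verdict at the reported offset points to a scanner false positive, while "truncated" means a real local header is present but the directory records are missing.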
Cryptography
I returned to the puzzle card to search for more information. I noticed that the bottom of the card (letters in green) was probably part of the puzzle.
First, I tried putting the string at the bottom into a ROT decoder, but nothing readable came out. I considered putting each one of the rotations back into the ROT decoder, but then I remembered “1. No bruteforcing is necessary.” from rules.txt.
So instead I watched the hacker101 crypto attacks video and noticed we have two encoded strings, and assuming they are using the same key, I decided to XOR them together, but the result was something I did not understand how to use. I spent the rest of my time on the puzzle trying to understand the video and trying to figure out where the pieces of information I gathered earlier fit together.
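What the XOR of two ciphertexts gives you when a keystream is reused, as an added example that is not part of the original writeup and is not the puzzle's solution: the key cancels, leaving the XOR of the two plaintexts, and a guessed word placed at the right offset reveals the other message's text at that offset. The plaintexts, the random key and the guessed word are all constructed for illustration.

```python
import os
import string

TEXT = set((string.ascii_letters + " ").encode())

def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def crib_drag(combined, crib):
    """Slide a guessed word over c1^c2; keep offsets whose result reads as text."""
    hits = []
    for i in range(len(combined) - len(crib) + 1):
        piece = xor(combined[i:i + len(crib)], crib)
        if all(c in TEXT for c in piece):
            hits.append((i, piece.decode("ascii")))
    return hits

def constructed_pair():
    """Two made-up plaintexts encrypted under one made-up keystream."""
    p1 = b"meet the staff at the village"
    p2 = b"the token is on the back side"
    key = os.urandom(len(p1))
    return p1, p2, xor(p1, key), xor(p2, key)

if __name__ == "__main__":
    p1, p2, c1, c2 = constructed_pair()
    combined = xor(c1, c2)
    print("key cancels:", combined == xor(p1, p2))
    for offset, fragment in crib_drag(combined, b" the "):
        print(offset, repr(fragment))
```

Offsets where the guess is wrong can still produce letter-only output by chance, so each hit is a candidate to extend with a longer guess rather than a confirmed fragment. This is also why a keystream must never be used for more than one message.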
Paths left to be explored
- What would be a valid access token?
- What is at the bottom of the puzzle card?
- Repair and extract the zips
- What is the debug mode?
Conclusion
I wish I had found the puzzle earlier and had more time to work on it, since I really wanted to meet the bug bounty hunters at h1702 and HackerOne staff. I also should’ve brought a burner phone to Defcon, so that I could access Twitter and not miss important events such as Q and A and hints for the puzzle.
Other than that I thoroughly enjoyed the puzzle and it is still nagging at me to find what was the solution to it. I have much to learn about security in general and that fact excites me.
I would like to thank @nothellow0rld and @JYCSEC for providing some insights when I got stuck.
Updates
8/17/18 - Rikaard created a great writeup for the challenge. I’m a bit upset with myself for not trying out something so simple as trying to pass debug=1, but reading the writeup has put how much I still have to learn into words.