0xEdward

HackerOne - h1-702 2018 DEFCON CTF Writeup

Disclaimer

I did not solve this puzzle. This writeup will go over what I tried and the flow of my thoughts throughout the process.

Introduction

Because of my recent interest in bug bounties, while I was at DEFCON 26 I wanted to meet HackerOne staff. I saw a tweet from HackerOne and I was determined to try to meet someone from HackerOne! I decided to hang around the Packet Hacking Village to see if I could catch one of the staff members.

After asking around, unfortunately, I wasn’t able to meet any HackerOne staff, but I was given a puzzle by one of the Packet Hacking Village staff, who explained he was told to give them out to people interested in HackerOne.

Recon and some deciphering…

My first instinct was “I should try to ssh in as root into whatever the domain name is and then cat the file in ./702/puzzle”, so I put atvdxk.ahebwtr into a ROT decoder.

Only ROT-7 made sense, so I continued on the assumption that atvdxk.ahebwtr decodes to hacker.holiday. I got really excited and jumped over to the CLI to do an nmap scan on hacker.holiday:

nmap -sC -sV -oA nmap/initial.nmap -vvv hacker.holiday

My initial nmap scan didn’t show any port running ssh, so I decided to scan all ports:

nmap -sC -sV -p- -oA nmap/all-ports.nmap -vvv hacker.holiday

The result was the same as my initial nmap scan, but since most ports were filtered, I wasn’t certain that there was no ssh running. So I tried to ssh into port 22 on hacker.holiday:

ssh root@hacker.holiday

My CLI didn’t prompt me to enter a password for root. I thought this was very strange so I decided to run ssh in verbose mode:

ssh root@hacker.holiday -v

I’m not certain why all my ssh attempts timed out. However, if I had to guess, maybe hacker.holiday was using AWS’s Elastic Load Balancer, because hacker.holiday had many addresses in the nmap scan.

Web

Unsure of what exactly was going on, I decided to go explore what webpage was being served on port 80.

Upon clicking on rules.txt, I noticed an interesting parameter: file=rules.txt

Since it appears the backend outputs the contents of the file you pass into the file parameter, my first instinct upon seeing the file parameter was to try directory traversal to ./702/puzzle. So I tried:

file=./702/puzzle

file=../../../../../702/puzzle

file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f702%2fpuzzle

file=../../../../etc/passwd

file=127.0.0.1/../../../../../702/puzzle

My thoughts were “maybe the file doesn’t actually exist”, “how do I enable DEBUG mode?”, and “is the file parameter whitelisted?”, but I had to do some more digging around to find the answers to those questions. So I decided to check the robots file to see if there would be anything interesting there.

After seeing the word flag, I got excited and went to check out what was at hacker.holiday/flag.php.

But after inspecting the source code, I didn’t see anything too interesting, so I fired up Burp Suite to see what the HTTP request looked like.

I noticed there wasn’t a token being sent over HTTP and there wasn’t a token in the website source code, so I thought it was unlikely to get CSRF on flag.php for MISSING ACCESS TOKEN.

I also noticed in the response that the Server was Apache, so I tried to see if I could use the server to access its own file and output it to me, to skip over MISSING ACCESS TOKEN.

https://hacker.holiday/?file=127.0.0.1/flag.php

https://hacker.holiday/?file=127.0.0.1/../../../../flag.php

But that tactic didn’t work either. Since the description of the CTF says “…test your skills at… file forensics, and image steganography”, I decided to try something else: I downloaded all the images on hacker.holiday to see if there was any information, particularly a token, hidden in the images.

Forensics and steganography

I ran file, strings, exiftool, and binwalk on each of the images below.

All the file command results indicated the images had the correct extension, and the strings command didn’t seem to yield anything too interesting. I was thinking maybe some of the image files would have GPS coordinates attached, and there was just a slim chance the coordinates would be the location of the h1-702 CTF, but unfortunately none of the EXIF data from the image files had a location attached. So I decided to binwalk all the following images to see if there were any files hidden inside.

I noticed there seemed to be zip files in 3 of the images (702.png, mesh.png, hacker101.png), so I decided to use dd to extract them.

To extract the zip from 702.png:

dd if=702.png of=702_out.zip bs=1 skip=85

To extract the zip from mesh.png:

dd if=mesh.png of=mesh_out.zip bs=1 skip=868

To extract the zip from hacker101.png:

dd if=hacker101.png of=hacker101_out.zip bs=1 skip=91

Upon attempting to unzip the files, all of them were missing the end of central directory signature. Since binwalk will sometimes mistake PNG files as containing zips, and most of them were missing both the central directory file header signature and the end of central directory signature, I decided that taking the route of repairing and extracting all the zips might not be the best use of my time. So I went to explore other options.
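As an added example that is not part of the original writeup, the check below reproduces the binwalk-then-dd workflow in Python on constructed data: it finds every zip local-file-header signature, carves from that offset as dd would, and classifies each candidate before any repair effort, using a missing end-of-central-directory record as the sign of a false positive. The PNG and zip samples, file names and function names are all constructed for this example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = b"PK\x03\x04"  # local file header: the signature binwalk reports as "Zip archive data"
EOCD = b"PK\x05\x06"       # end of central directory record: what unzip complained was missing

def png_chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def build_png(text_payload=b""):
    """Constructed 1x1 grayscale PNG; text_payload goes in a tEXt chunk (used to plant a fake PK signature)."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = png_chunk(b"tEXt", text_payload) if text_payload else b""
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + ihdr + text + idat + png_chunk(b"IEND", b"")

def build_zip(name, content):
    """Constructed in-memory zip holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def find_zip_candidates(data):
    """Every offset of a local file header, i.e. every place binwalk would flag a zip."""
    offsets, pos = [], data.find(LOCAL_HDR)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LOCAL_HDR, pos + 1)
    return offsets

def classify_candidate(data, offset):
    """Carve from offset (as `dd bs=1 skip=offset` would): 'valid' opens and passes CRC checks,
    'missing-eocd' lacks the end-of-central-directory record (usually a binwalk false positive), else 'corrupt'."""
    tail = data[offset:]
    if EOCD not in tail:
        return "missing-eocd"
    try:
        with zipfile.ZipFile(io.BytesIO(tail)) as zf:
            return "valid" if zf.testzip() is None else "corrupt"
    except zipfile.BadZipFile:
        return "corrupt"

def triage(data):
    """Map each candidate offset to its classification before spending time on zip repair."""
    return {off: classify_candidate(data, off) for off in find_zip_candidates(data)}
```

Run triage() over each downloaded image: a result of missing-eocd at every offset is the same situation the writeup hit, and a quick reason to move on rather than repair.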

Cryptography

I returned to the puzzle card to search for more information. I noticed that the bottom of the card (the letters in green) was probably part of the puzzle.

First, I tried putting the string at the bottom into a ROT decoder, but nothing readable came out. I considered putting each one of the rotations back into the ROT decoder, but then I remembered “1. No bruteforcing is necessary.” from rules.txt.

So instead I watched the hacker101 crypto attacks video and noticed we have two encoded strings. Assuming they were using the same key, I decided to XOR them together, but the result was something I did not understand how to use. I spent the rest of my time on the puzzle trying to understand the video and trying to figure out where the pieces of information I gathered earlier fit together.
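As an added example that is not part of the original post: with a constructed repeating XOR key standing in for a reused keystream, the code shows what XORing two ciphertexts actually yields (the XOR of the two plaintexts, which is why the result looked unusable on its own) and how a known plaintext or a guessed word turns it into the other message. It assumes, as the post does, that both strings were XORed with the same keystream; the key, messages and function names are constructed.

```python
import string

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}  # bytes a plausible plaintext fragment may contain

def xor_bytes(a, b):
    """XOR two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plaintext, key):
    """Constructed stream-cipher stand-in: XOR with a repeating key, the key-reuse setting."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))

def xor_ciphertexts(c1, c2):
    """The step taken in the writeup. Because (p1^k)^(p2^k) == p1^p2, the keystream cancels and this is
    the XOR of the two plaintexts, not a plaintext: it only reads once part of one plaintext is known."""
    return xor_bytes(c1, c2)

def recover_other_plaintext(c1, c2, known_p1):
    """Knowing all of p1 (e.g. the string already decoded to hacker.holiday) yields all of p2."""
    return xor_bytes(xor_ciphertexts(c1, c2), known_p1)

def recover_keystream(c, p):
    """With a ciphertext and its plaintext, the reused keystream itself falls out."""
    return xor_bytes(c, p)

def crib_drag(xored, crib):
    """Slide a guessed word along p1^p2; offsets where the other side is all printable are candidates."""
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        frag = xor_bytes(xored[off:off + len(crib)], crib)
        if all(b in PRINTABLE for b in frag):
            hits.append((off, frag))
    return hits
```

This is the reason keystream reuse is treated as a break of the cipher: one known message, or even one guessed word, exposes the other message without touching the key.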

Paths left to be explored

  1. What would be a valid access token?
  2. What is at the bottom of the puzzle card?
  3. Repair and extract the zips
  4. What is the debug mode?

Conclusion

I wish I had found the puzzle earlier and had more time to work on it, since I really wanted to meet the bug bounty hunters at h1-702 and HackerOne staff. I also should’ve brought a burner phone to DEFCON, so that I could access Twitter and not miss important events such as Q and A and hints for the puzzle.

Other than that I thoroughly enjoyed the puzzle, and it is still nagging at me to find out what the solution was. I have much to learn about security in general and that fact excites me.

I would like to thank @nothellow0rld and @JYCSEC for providing some insights when I got stuck.

Updates

8/17/18 - Rikaard created a great writeup for the challenge. I’m a bit upset with myself for not trying something as simple as passing debug=1, but reading the writeup has put into words how much I still have to learn.