BDSec CTF 2023 MISC and Networking Writeup

Networking Writeup for BDSec CTF 2023


20th Jul 2023

Tags: MISC, Writeup, Networking

Author: Ramon Bello

These are the Miscellaneous and Networking challenges that I solved during BDSec CTF 2023.

MISC

Challenge 1: What is this?

Image of challenge

I have some files. But I have no idea what these are

Here we were given a zip file to download. The zip contains one image file and over 300 unknown files. The files are in sequence and named flag_aa, flag_ab, ..., flag_ba, flag_bb, ... up to flag_np. On viewing the image file (flag_aa), I realized that it was incomplete: only a black strip at the top showed.

incomplete photo

My first idea was that the other files came from the photo. On checking the hex of a few files apart from flag_aa, they had no "magic number". The magic number is what makes a PNG file recognisable as a PNG by a computer. Next I manually copied the hex of flag_ab and appended it to flag_aa using Bless, a GUI hex editor. It worked: a strip of pixels was recovered. I couldn't do that by hand for over 300 files, so I wrote a Python script to do the task.

#!/usr/bin/env python3

def merge_hex_files(file_prefix, num_parts, output_path):
    """Concatenate file_prefix_aa, file_prefix_ab, ... (num_parts files, in order) into output_path."""
    merged_hex = b""
    for i in range(num_parts):
        # Two-letter suffix in the same order as the challenge files: aa, ab, ..., az, ba, bb, ...
        letter1 = chr(97 + (i // 26))
        letter2 = chr(97 + (i % 26))
        part_file = f"{file_prefix}_{letter1}{letter2}"
        with open(part_file, 'rb') as f:   # raw bytes of the part, appended as-is
            merged_hex += f.read()

    with open(output_path, 'wb') as f:
        f.write(merged_hex)

    print(f"Image parts merged successfully bro! Saved to {output_path}")

if __name__ == "__main__":
    file_prefix = "flag"
    num_parts = 354            # flag_aa .. flag_np
    output_path = "merged_image.png"

    merge_hex_files(file_prefix, num_parts, output_path)

This could also be achieved with a single shell command, run inside the extracted directory:

cat * > finalflag.png

Success. Because the shell expands * in alphabetical order, each part is appended after flag_aa in the right sequence. The one thing to watch is that the output file must not itself match the glob (for example on a second run), so it is safest to write it to a path outside the directory.
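As an added example (not the author's script above), the following reassembles split-style parts by name and then checks that the result is actually a PNG by validating the 8-byte signature and the IHDR chunk, which is the "magic number" test the writeup describes. The part files are constructed here from a tiny PNG built in code, so nothing from the CTF archive is assumed; the suffix generator is general and reproduces the full aa..np sequence of the challenge.

```python
#!/usr/bin/env python3
"""Added example: reassemble split-style parts (prefix_aa, prefix_ab, ...) and
check that the result really is a PNG by validating the signature and IHDR.
The parts are constructed from a tiny PNG built here, not taken from the CTF."""
import os
import struct
import tempfile
import zlib

# The 8-byte PNG signature ("magic number") that only the first part carries.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def suffixes(count, width=2):
    """Yield suffixes in the order split(1) uses: aa, ab, ..., az, ba, bb, ..."""
    for i in range(count):
        s, n = "", i
        for _ in range(width):
            s = chr(ord("a") + n % 26) + s
            n //= 26
        yield s


def reassemble(directory, prefix, output_path):
    """Concatenate prefix_aa, prefix_ab, ... until the first missing part.
    Returns the number of parts written. Writing to an explicit path avoids
    the 'cat *' pitfall of the output file matching the glob on a re-run."""
    count = 0
    with open(output_path, "wb") as out:
        for suffix in suffixes(26 * 26):  # 676 is the most two letters can name
            part = os.path.join(directory, f"{prefix}_{suffix}")
            if not os.path.exists(part):
                break
            with open(part, "rb") as f:
                out.write(f.read())
            count += 1
    return count


def inspect_png(path):
    """Return (is_png, width, height): signature check plus the IHDR chunk,
    which must be the first chunk and carry exactly 13 bytes of data."""
    with open(path, "rb") as f:
        head = f.read(8 + 8 + 13)
    if head[:8] != PNG_SIGNATURE:
        return (False, None, None)
    length, ctype = struct.unpack(">I4s", head[8:16])
    if ctype != b"IHDR" or length != 13:
        return (False, None, None)
    width, height = struct.unpack(">II", head[16:24])
    return (True, width, height)


def make_minimal_png(width, height):
    """Constructed test data: a valid 8-bit grayscale PNG, all pixels black."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte 0 per row
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def demo(part_size=7):
    """Split a constructed PNG into part files, reassemble them and verify.
    Returns (parts_used, is_png, width, height, bytes_identical)."""
    original = make_minimal_png(5, 3)
    with tempfile.TemporaryDirectory() as d:
        pieces = [original[i:i + part_size] for i in range(0, len(original), part_size)]
        for suffix, piece in zip(suffixes(len(pieces)), pieces):
            with open(os.path.join(d, f"flag_{suffix}"), "wb") as f:
                f.write(piece)
        merged = os.path.join(d, "merged.png")
        parts_used = reassemble(d, "flag", merged)
        is_png, width, height = inspect_png(merged)
        with open(merged, "rb") as f:
            identical = f.read() == original
    return (parts_used, is_png, width, height, identical)


if __name__ == "__main__":
    print(demo())
```

Running inspect_png on the first part alone would report is_png as True only if that part is at least 29 bytes long, which is exactly why the writeup's flag_aa rendered as a single black strip: the header was intact but the rest of the image data was in the other files.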

merged photo

Flag: BDSEC{1tS_@_PnG_f1LE_}

Networking

Challenge 1: IP Addr

image of challenge

On opening the challenge.pcapng file, it was a pretty big file. The challenge was asking what the attacker and server IPs were.

image proof

We can see that 192.168.1.7 was sending SYN packets and repeatedly received RST packets back. One could say that 192.168.1.7 was pinging the server, because the exchange repeated several times.

Attacker IP : 192.168.1.7

Server IP : 192.168.1.5

Flag: BDSEC{192.168.1.5_192.168.1.7}
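The reasoning above, as an added detection example that is not part of the original writeup: given packet summaries in a tshark-like one-line-per-packet layout, count SYN probes per (client, server) pair and the RST replies that come back, and report pairs where the pattern repeats. The summary lines below are constructed for the example; the IP addresses match the challenge, but the ports and timings are made up.

```python
#!/usr/bin/env python3
"""Added example: spot a repeated SYN -> RST pattern in packet summaries and
name the probing host and the host being probed."""
import re
from collections import Counter

# Constructed packet summaries in a tshark-like "no. time src -> dst TCP sport > dport [flags]" layout.
SAMPLE_LINES = """\
1 0.000 192.168.1.7 -> 192.168.1.5 TCP 54321 > 21 [SYN]
2 0.001 192.168.1.5 -> 192.168.1.7 TCP 21 > 54321 [RST, ACK]
3 0.002 192.168.1.7 -> 192.168.1.5 TCP 54322 > 22 [SYN]
4 0.003 192.168.1.5 -> 192.168.1.7 TCP 22 > 54322 [RST, ACK]
5 0.004 192.168.1.7 -> 192.168.1.5 TCP 54323 > 23 [SYN]
6 0.005 192.168.1.5 -> 192.168.1.7 TCP 23 > 54323 [RST, ACK]
7 0.006 192.168.1.7 -> 192.168.1.5 TCP 54324 > 80 [SYN]
8 0.007 192.168.1.5 -> 192.168.1.7 TCP 80 > 54324 [SYN, ACK]
9 0.008 192.168.1.7 -> 192.168.1.5 TCP 54324 > 80 [ACK]
10 0.100 192.168.1.9 -> 192.168.1.5 TCP 40000 > 80 [SYN]
11 0.101 192.168.1.5 -> 192.168.1.9 TCP 80 > 40000 [SYN, ACK]
"""

LINE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(\S+) -> (\S+)\s+TCP\s+(\d+) > (\d+)\s+\[([^\]]+)\]$"
)


def parse(line):
    """Turn one summary line into a dict, or None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, sport, dport, flags = m.groups()
    return {
        "src": src,
        "dst": dst,
        "sport": int(sport),
        "dport": int(dport),
        "flags": {f.strip() for f in flags.split(",")},
    }


def scan_report(lines, min_rst=3):
    """For each (client, server) pair count bare-SYN probes, RST replies and
    distinct target ports. Pairs with at least min_rst RST replies are reported,
    most RSTs first, as {attacker, server, syn, rst, ports}."""
    syns, rsts, ports = Counter(), Counter(), {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["flags"] == {"SYN"}:
            key = (p["src"], p["dst"])
            syns[key] += 1
            ports.setdefault(key, set()).add(p["dport"])
        elif "RST" in p["flags"]:
            # The RST travels server -> client, so attribute it to the client -> server pair.
            rsts[(p["dst"], p["src"])] += 1
    report = []
    for key in syns:
        if rsts[key] >= min_rst:
            report.append({
                "attacker": key[0],
                "server": key[1],
                "syn": syns[key],
                "rst": rsts[key],
                "ports": sorted(ports[key]),
            })
    return sorted(report, key=lambda r: -r["rst"])


if __name__ == "__main__":
    for row in scan_report(SAMPLE_LINES.splitlines()):
        print(row)
```

A SYN answered by RST means the port is closed, while a SYN answered by SYN/ACK means it is open; a single client collecting many RSTs from one server in quick succession is the signature that distinguishes a probe from ordinary failed connections, which is what the capture showed.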

Challenge 2: Hostname

image of challenge

I almost exhausted the number of tries here, but my teammates asked me to retry anyway since they were working on other challenges. At first I thought the question was asking for the hostname of the CTF platform. I rechecked IP Addr and it had been updated to say that the challenge.pcapng file was for all the networking challenges.

image of proof

In this HTTP response, we can see the request URI as http://nanomate-solutions.com/

Flag: BDSEC{nanomate-solutions.com}

Challenge 3: Follow The Path

image of challenge

The task was to find the path of the admin endpoint. From the log, the attacker was fuzzing for directories and found the admin endpoint and login page.

Image of solution

The endpoint is /app/admin_panel.

Flag: BDSEC{/app/admin_panel}

Challenge 3: Compromised Account

Image of challenge

We were told to find the account that was compromised as a result of the attack. Going through the packets, I found multiple HTTP POST requests that look like brute-force attempts on the login page.

Image of clue

In the picture, packet 7025 was the last brute-force attempt, and the response, packet 7027, gave a login-successful response and a 302 redirect to the dashboard.

Image of solution

Here we can see the email and password as tareq@gmail.com and tareq@nanomate respectively. In the dashboard response packet, we can see the username as tareq.

Flag: BDSEC{tareq_tareq@nanomate}

Challenge 4: Compromised Database

Image of challenge

After the attacker got access to the dashboard, he/she attempted to dump the database by SQL injection. From the User-Agent header one can see that the attacker used sqlmap version 1.6.10#stable to automate it.

Image of flag

Flag: BDSEC{sqlmap/1.6.10#stable}
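The two indicators used in the Compromised Account and Compromised Database challenges (a run of failed login POSTs ending in a 302 redirect, and a request whose User-Agent names an automated SQL injection tool) can both be pulled out of an ordinary web-server access log. The following is an added example, not code from the writeup or from the challenge: the log lines are constructed in the combined log format, the /app/admin_panel/login and /dashboard paths are hypothetical, and the User-Agent string follows sqlmap's "sqlmap/<version>" form.

```python
#!/usr/bin/env python3
"""Added example: triage web-server access-log lines for a login brute force that
ends in a 302 redirect, and for requests sent by a known scanning tool."""
import re
from collections import defaultdict

# Constructed combined-format log lines. The login and dashboard paths are
# hypothetical; the sqlmap User-Agent follows the tool's "sqlmap/<version>" form.
ACCESS_LOG = """\
192.168.1.7 - - [20/Jul/2023:10:00:01 +0000] "GET /app/admin_panel/login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:02 +0000] "POST /app/admin_panel/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:03 +0000] "POST /app/admin_panel/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:04 +0000] "POST /app/admin_panel/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:05 +0000] "POST /app/admin_panel/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:06 +0000] "POST /app/admin_panel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:00:07 +0000] "GET /app/admin_panel/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.7 - - [20/Jul/2023:10:01:00 +0000] "GET /app/admin_panel/process_task_details.php?id=1 HTTP/1.1" 200 900 "-" "sqlmap/1.6.10#stable (https://sqlmap.org)"
192.168.1.9 - - [20/Jul/2023:10:02:00 +0000] "POST /app/admin_panel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common automated scanners by their default User-Agent.
SCANNER_AGENTS = ("sqlmap", "nikto", "wpscan", "nmap", "dirbuster", "gobuster", "ffuf")


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def detect_login_bruteforce(entries, login_path, min_failures=3):
    """Per client IP, count consecutive POSTs to login_path that did not redirect;
    when a 302 follows at least min_failures of them, report the likely takeover."""
    failures = defaultdict(int)
    hits = []
    for e in entries:
        if e["method"] != "POST" or e["path"] != login_path:
            continue
        if e["status"] == 302:
            if failures[e["ip"]] >= min_failures:
                hits.append({"ip": e["ip"], "failed_attempts": failures[e["ip"]], "success_at": e["ts"]})
            failures[e["ip"]] = 0
        else:
            failures[e["ip"]] += 1
    return hits


def detect_scanner_agents(entries):
    """Return sorted (ip, user_agent) pairs whose User-Agent names a known scanning tool."""
    found = set()
    for e in entries:
        ua = e["ua"].lower()
        if any(tool in ua for tool in SCANNER_AGENTS):
            found.add((e["ip"], e["ua"]))
    return sorted(found)


if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    print(detect_login_bruteforce(entries, "/app/admin_panel/login"))
    print(detect_scanner_agents(entries))
```

The single 302 from 192.168.1.9 is deliberately not reported: a successful login on its own is normal, and it is the preceding run of failures from the same client that makes the 302 suspicious. User-Agent matching is a weak signal on its own, since the string is trivially changed, but sqlmap's default value is exactly what gave the tool away in this capture.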

Challenge 5: Database Flag

Image of challenge

Here, there is a compromised database after the SQL injection process.

Image of flag

In packet 9276, we can find the flag in the response to a SQL injection GET request.

Flag: BDSEC{Dev3L0peR_sH0uLD_n3veR_TrusT_uSer_InPuT}

Challenge 6: Compromised Admin Account

Image

An admin account entry was obtained through the database breach.

Image

This POST request comes after the SQL injection phase and contains the compromised admin account details.

Flag: BDSEC{41528ac7f116e9661cf57be7cd79e1a2}

Challenge 7: Crackable?

Image of challenge

Was the admin password 41528ac7f116e9661cf57be7cd79e1a2 crackable?

Yes!

Image of solution

The hash was identified as MD5.

Flag: BDSEC{y0u_cR4cK3d_m3}

Challenge 8: Was it vulnerable?

image

Going back to process_task_details.php, the attacker was able to perform SQL injection, and at the beginning there was an IDOR vulnerability.

Flag: BDSEC{IDOR_SQLI}