Mr_H4sh

Infosec, CTF and more

Spydersec Solution

Before starting, thanks to Spydersec for the challenge. It was really fun.

The hacking game offered by Spydersec, hosted on VulnHub, involves basic hacking techniques, basic forensics, and a bit of logic.

First step: INFORMATION GATHERING

The description provided on VulnHub says that the machine will have an IP assigned automatically, so once I had done my magic setting up the VM, I ran the following command from the attacker machine to discover the IP address of the victim…

fping -a -g 192.168.56.1/24 > alive_hosts.txt

…and 30 seconds later this is the result:

192.168.56.101 (victim)
192.168.56.102 (attacker)

So, we agree that the IP 192.168.56.101 belongs to the machine to attack. Sweet!

After that I scanned the victim for open ports.

nmap -sT -p- -Pn 192.168.56.101 > nmap_scan.txt

…after a quick coffee, this is what I’ve found:

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-06 19:32 BST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.77% done
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.89% done; ETC: 19:36 (0:02:52 remaining)
Stats: 0:01:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.13% done; ETC: 19:36 (0:01:52 remaining)
Stats: 0:01:50 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 60.95% done; ETC: 19:35 (0:01:10 remaining)
Stats: 0:02:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.98% done; ETC: 19:35 (0:00:13 remaining)
Stats: 0:02:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.47% done; ETC: 19:35 (0:00:01 remaining)
Nmap scan report for 192.168.56.101
Host is up (0.00055s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 08:00:27:3A:CE:14 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 160.03 seconds

Great, port 22 and 80 open!

So, let’s see what the server gives us on 192.168.56.101:80 (screenshot of the landing page).

Second step: VULNERABILITY SCAN

Nice, a very static page with some broken links. There must be something in there.

I read the page source, and I found a script wrapped in a call with a tell-tale signature:

eval(p,a,c,k,e,t)

It’s a long, packed and minified script, so I “beautified” it on JS Beautifier and got this output:

61:6c:65:72:74:28:27:6d:75:6c:64:65:72:2e:66:62:69:27:29:3b

What is it? It’s a hex-encoded string! We can go to this website and decode the string. Once decoded, this is what I got:

alert('mulder.fbi');

Mulder…FBI…it reminds me of Fox Mulder from X-Files. Old times, nice times.

Well, what can I do with this string? It’s clearly a file name.

I had a look at the cookies, and guess what? I found a cookie called URI with the following content:

/v/81JHPbvyEQ8729161jd6aKQ0N4/

I noticed that http://192.168.56.101:80/v/81JHPbvyEQ8729161jd6aKQ0N4/ returns 403 Forbidden rather than 404, so the folder exists!

What if the folder contains the file mulder.fbi?

wget http://192.168.56.101:80/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi

Congratulations, you’ve got the first flag of this CTF!

Third step: FORENSICS

.fbi is an extension I have never heard of in my life, so I asked file, which says that it is an MP4 file.

# file mulder.fbi

mulder.fbi: ISO Media, MP4 v2 [ISO 14496-14]

I found out that it’s a video of The Platters - Twilight Time (it’s catchy, I’m still humming it now). Nice song, nothing wrong with it. Nor with the file. Or maybe there is.

So, let’s start with our Google-Fu: the platters twilight time mulder fbi

Wikipedia says that this song is used on the episode 5x11 of X-Files called “Kill Switch”. Pay attention to these lines: Fox Mulder (David Duchovny) and Dana Scully (Gillian Anderson) arrive and identify the bodies of the drug dealers. Mulder also identifies the man with the laptop as Donald Gelman, "a Silicon Valley folk hero" who aspired to create an artificial intelligence. Mulder takes Gelman's laptop and finds a CD inside. When he puts it into the car stereo, it plays "Twilight Time" by The Platters. However, the agents take it to the Lone Gunmen, who discover that the disc contains a large quantity of encrypted data.

The Wikipedia link is here

This means that the video might have a file hidden inside it. Let’s see how to extract a file from an MP4.

I’ve googled a bit more, and I’ve found this: Hide encrypted files inside videos

So, TrueCrypt. I installed the Linux version of TrueCrypt and managed to select the file as a volume to mount, but mounting it requires a password…

Fourth step: FOTOFORENSICS

I spent time trying to figure out what to do. Nothing. Blind.

So I went back to the static website of the CTF and downloaded it.

It hadn’t occurred to me that people sometimes hide information within images, or in their comments… but, well, this is what happened:

I started some metadata analysis on the image Challenge.png, and this is what I found:

# exiftool Challenge.png

ExifTool Version Number         : 9.74
File Name                       : Challenge.png
Directory                       : .
File Size                       : 83 kB
File Modification Date/Time     : 2015:09:01 07:25:59+01:00
File Access Date/Time           : 2015:09:12 10:38:25+01:00
File Inode Change Date/Time     : 2015:09:12 10:38:09+01:00
File Permissions                : rw-r--r--
File Type                       : PNG
MIME Type                       : image/png
Image Width                     : 540
Image Height                    : 540
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Background Color                : 255 255 255
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
Comment                         : 35:31:3a:35:33:3a:34:36:3a:35:37:3a:36:34:3a:35:38:3a:33:35:3a:37:31:3a:36:34:3a:34:35:3a:36:37:3a:36:61:3a:34:65:3a:37:61:3a:34:39:3a:33:35:3a:36:33:3a:33:30:3a:37:38:3a:34:32:3a:34:66:3a:33:32:3a:36:37:3a:33:30:3a:34:61:3a:35:31:3a:33:64:3a:33:64
Image Size                      : 540x540

Can you see what I see at a glance?

Exactly, it is another hex-encoded string hidden in the Comment field. Let’s go again to our trusted website and decode it in the following order:

Hex -> Hex -> Base64

This is what I retrieved by decoding the string this way: A!Vu~jtH#729sLA;h4%

Now… a string that looks like a complex password, and a volume that won’t mount without one… it’s clear now!

Fifth step: MOUNT AND ENJOY!

Use the retrieved string as a password to mount the partition…et voilà!

I’ve found the file Flag.txt with the following content:

Congratulations! 

You are a winner. 

Please leave some feedback on your thoughts regarding this challenge… Was it fun? Was it hard enough or too easy? What did you like or dislike, what could be done better?

https://www.spydersec.com/feedback

Conclusion

As I said at the beginning of the post, it’s been a pleasure to play this CTF. More than hacking techniques, it’s an actual case that can happen in real life. Never give up when you’re ‘blind’.

A special thanks goes to Spydersec for the effort.

As usual, for any questions or remarks, please do not hesitate to leave a comment.

./A