Before starting, thanks to Spydersec for the challenge. It was really fun.
First step: INFORMATION GATHERING
The description provided on Vulnhub says that the machine will have an IP assigned automatically, so once I have done my magic setting up the VM, I’ve run the following command to discover the IP address of the victim machine, as an attacker…
…and 30 seconds later this is the result:
So, we agree that the IP 192.168.56.101 belongs to the machine to attack. Sweet!
After that I’ve started scanning the victim’s open ports.
…after a quick coffee, this is what I’ve found:
Great, port 22 and 80 open!
So, let’s see what the server gives us on
Second step: VULNERABILITY SCAN
Nice, a very static page with some broken links. There must be something in there.
I’ve read the source code, and I’ve found a script with a particular name:
It’s a long and uglified script, so I’ve “beautified” it on JS Beautifier and I’ve got this output:
What is it? It’s a hex-encoded string! We can go to this website and decode the string. Once decoded, this is what I’ve got:
Mulder…FBI…it reminds me of Fox Mulder from X-Files. Old times, nice times.
Well, what can I do with this string? It’s clearly a file.
I had a look at the cookies, and guess what? I’ve found a cookie called URI with the following content:
I’ve noticed that the status code of
Forbidden, so the folder exists!
What if the folder contains the file
Congratulations, you’ve got the first flag of this CTF!
Third step: FORENSICS
.fbi is an extension I have never heard of in my life, so the terminal says that it is an MP4 file.
I found out that it’s a video of The Platters - Twilight Time (It’s catchy, I’m still hearing it now). Nice song, nothing wrong with it. Nor with the file. Or maybe there is.
So, let’s start with our Google-Fu:
the platters twilight time mulder fbi
Wikipedia says that this song is used in the episode 5x11 of X-Files called “Kill Switch”. Pay attention to these lines:
Fox Mulder (David Duchovny) and Dana Scully (Gillian Anderson) arrive and identify the bodies of the drug dealers. Mulder also identifies the man with the laptop as Donald Gelman, "a Silicon Valley folk hero" who aspired to create an artificial intelligence. Mulder takes Gelman's laptop and finds a CD inside. When he puts it into the car stereo, it plays "Twilight Time" by The Platters. However, the agents take it to the Lone Gunmen, who discover that the disc contains a large quantity of encrypted data.
The Wikipedia link is here
This means that the video might have a hidden file. Let’s try to see how to extract a file from a MP4.
I’ve googled a bit more, and I’ve found this: Hide encrypted files inside videos
TrueCrypt. I’ve installed a Linux version of TrueCrypt and I managed to mount the hidden partition to one of the volumes, but it requires a password…
Fourth step: FOTOFORENSICS
I spent time trying to figure out what to do. Nothing. Blind.
So I went back on the static website of the CTF and I’ve downloaded it.
It didn’t occur to me that, sometimes, people can hide information within images, or comments…but, well, this is what happened:
I’ve started some metadata analysis on the image Challenge.png, and this is what I’ve found:
Can you see what I see at a glance?
Exactly, it is another hex-encoded string hidden in the comments. Let’s go again on our trusted website and decode in the following way:
This is what I’ve retrieved by string decoding this way:
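As an added example (not part of the original post, and not the tool used above): a small Python script that walks the PNG chunk structure, collects the tEXt fields such as Comment, and flags any whose value is a pure hex string, decoding it the same way the comment on Challenge.png was decoded. The embedded 1x1 PNG and its placeholder comment are constructed for the demo; the real value from the CTF image is not reproduced here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_chunks(data: bytes):
    """Yield (chunk_type, payload) for every chunk, verifying each chunk's CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype.decode("ascii"), payload
        pos += 12 + length

def text_fields(data: bytes) -> dict:
    """Collect {keyword: text} from tEXt chunks (the 'Comment' field lives here)."""
    fields = {}
    for ctype, payload in png_chunks(data):
        if ctype == "tEXt":
            key, _, text = payload.partition(b"\x00")
            fields[key.decode("latin-1")] = text.decode("latin-1")
    return fields

def decode_hex_fields(fields: dict) -> dict:
    """Return {keyword: decoded bytes} for every field that is a pure hex string."""
    found = {}
    for key, value in fields.items():
        v = value.strip()
        if v and len(v) % 2 == 0 and set(v) <= set("0123456789abcdefABCDEF"):
            found[key] = bytes.fromhex(v)
    return found

# Constructed 1x1 grayscale PNG whose Comment is a hex-encoded placeholder (not the CTF's value).
SECRET = b"placeholder passphrase"
SAMPLE_PNG = (
    PNG_SIG
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + make_chunk(b"tEXt", b"Comment\x00" + SECRET.hex().encode("ascii"))
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + make_chunk(b"IEND", b"")
)
```

Run `decode_hex_fields(text_fields(open("Challenge.png", "rb").read()))` against a real file to list every comment that decodes from hex.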
Now… a string that looks like a complex password, an unmounted partition…it’s clear now!
Fifth step: MOUNT AND ENJOY!
Use the retrieved string as a password to mount the partition…et voilà!
I’ve found the file Flag.txt with the following content:
As I said at the beginning of the post, it’s been a pleasure to play this CTF. More than hacking techniques, it’s an actual case that can happen in real life. Never give up when you’re ‘blind’.
A special thanks goes to Spydersec for the effort.
As usual, for any information or comment, please do not hesitate to leave a comment.