Description: Are you here on official business? Prove it.
When we visit the page, we are greeted with a generic login page. When attempting to log in as admin, we get redirected to a 403 Forbidden error page.
Since we don’t get much information from this and it is not a SQL injection vulnerability, we navigate to /robots.txt and find the source code.
So we know our backend is Flask and that there is a specific way we have to log in. Brute-forcing a password that decrypts to the required text is impractical, so we turn our attention to the cookies.
When we load the home page, the server calls load_cookie(), which reads the “auth” cookie and verifies it. We get our “auth” from do_login(), which only includes the username, the password, and a check whether admin is true. So we mimic this in a short Python script:
Finally we create our “auth” cookie while intercepting a GET request to the home page and enter our value, receiving our flag:
Now we notice that the jku header points at localhost, so if we browse to challenge/static/jwk.json, we receive their JWK, including the signing algorithm:
With this, we can host a forged JWK on our own web server, create our own public/private key pair, and modify the payload. So we start by creating our RSA key pair:
We notice that “e” and “n” are defined in the given JWK, so to extract “e” and “n” from our public key we use a short Python script:
Next we have to convert our “e” and “n” to base64, since that is the format used in the challenge’s JWK.
Using this information, we add this to our “e” and “n” in our forged JWK:
Putting all the pieces together, we use our private key to sign the JWT and our public key to verify it. Then we change the payload to the requested “admin” and set the JKU header to our own web server URI hosting the forged JWK:
Now replacing the cookie on the challenge with our new JWT token, we receive our flag:
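The bypass above works because the server fetches whatever key set the token’s jku names. As an added defensive example (not the challenge’s code), the Python below shows the two server-side pieces that close it: the base64url integer encoding JWKs use for “n” and “e” (JWK uses unpadded base64url, not plain base64), and an exact allowlist check on the jku before anything is fetched. The TRUSTED_JKU entry and the sample key set are assumed values.

```python
import base64
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist of key-set locations the server trusts; the one entry mirrors the challenge's jwk.json path.
TRUSTED_JKU = {("https", "localhost", "/challenge/static/jwk.json")}

def b64url_uint(n: int) -> str:
    """Encode a non-negative integer as the unpadded base64url string JWK uses for "n" and "e"."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def uint_from_b64url(s: str) -> int:
    """Inverse of b64url_uint: restore the padding, decode, and read the bytes big-endian."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def jku_is_trusted(jku: str) -> bool:
    """Accept a jku only when scheme, host and path match an allowlisted key set exactly.
    A key set hosted anywhere else (the trick used in this challenge) is rejected before any fetch."""
    u = urlparse(jku)
    return (u.scheme, u.hostname, u.path) in TRUSTED_JKU and not u.query and not u.fragment

def select_key(jwk_set: dict, header: dict) -> Optional[dict]:
    """Pick the RSA key whose kid matches the token header; refuse keys advertising any alg other than RS256."""
    for k in jwk_set.get("keys", []):
        if k.get("kty") == "RSA" and k.get("kid") == header.get("kid") and k.get("alg", "RS256") == "RS256":
            return k
    return None
```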
OSINT[300Pts] Given Information: I’m so glad we’ve got you on the team; I don’t think we’d have managed to get that last one if it weren’t for you. We’ve been watching the account, and the target just posted another image. This guy really doesn’t learn. We don’t think he’s left Spain yet, but we really need this one pinpointed exactly. Can you work where he took this?
The map here should be accurate to 50 meters.
The first thing to do is a reverse image search for any clues. The key search words are Spain Tree Man.
Found an exact copy of the “Tree Man.” Note the tags are: Park Portaventura and Entrance. So we now have an exact location.
We can now see where the entrance is from this map given by the Port Aventura website.
We match it to Google Maps, then use the link to locate the exact location for the challenge.
OSINT[350Pts] Given Information: Aargh! They gave us the slip again. We got another image from their Twitter, but it doesn’t look like they’re in the same country anymore. Are you able to track them down again for us and tell us the town they’re in? You’re our best man at this point, so we’re expecting great things.
Our map here should be accurate to 500 meters.
Right away the language was a dead giveaway: Thai or some other Southeast Asian language.
Christianity is not very big in Southeast Asia. Searching for Christian cemeteries yielded:
One of the more interesting results was the Kanchanaburi War Cemetery.
The three noticeable matching features are the same cross, the same cemetery layout, and similar buildings in the background.
OSINT[350Pts] Given Information: Amazing work with that last image! We dispatched a team right away, but it seems our target was one step ahead of us. We’re not sure what they’re planning, but we managed to download one final image off the Instagram account until they locked it down.
Can you work out where this picture was taken? One of the guys thought it might have been Queensferry crossing, but that doesn’t look right. You’ll have to be accurate to within 2 kilometres.
A basic Google search of the username yielded someone of Chinese origin.
It could just be a coincidence, but checking for suspension bridges in the Chinese area, I found one in Hong Kong called “Tsing Ma Bridge”.
The binary decodes to “_herring”, indicating that this is a red herring. Now “look back into the past” can mean many different things. For this, I looked up spentalkux again, and it turns out there was a previous version as well.
So I ran pip install spentalkux==0.9.
Importing this version of spentalkux, we are greeted with a different message:
Using CyberChef once again, this message is decoded in the sequence of:
From Base32 -> From Base64 -> gzip
Extracting the gzip gives us a large binary. Following this decoding sequence layer by layer (lots of trial and error), we eventually reach the flag:
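The trial and error above can be automated. As an added example (my own code, not from the challenge), the Python below peels base32, base64 and gzip layers off a message in whatever order they were applied, and goes beyond the single Base32 -> Base64 -> gzip chain by detecting each layer from its alphabet or magic bytes. The SAMPLE blob is constructed inline by wrapping a made-up flag the same way.

```python
import base64
import gzip
import re

# Heuristic layer detectors: each returns the decoded bytes, or None when the layer does not apply.
B32_RE = re.compile(rb"^[A-Z2-7]+=*$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+=*$")

def try_gzip(data: bytes):
    if data[:2] != b"\x1f\x8b":  # gzip magic bytes
        return None
    try:
        return gzip.decompress(data)
    except Exception:  # corrupt or truncated stream
        return None

def try_base32(data: bytes):
    s = data.strip()
    if len(s) < 8 or not B32_RE.match(s):
        return None
    try:
        return base64.b32decode(s + b"=" * (-len(s) % 8))
    except ValueError:
        return None

def try_base64(data: bytes):
    s = data.strip()
    if len(s) < 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s + b"=" * (-len(s) % 4), validate=True)
    except ValueError:
        return None

def peel(data: bytes, max_layers: int = 16):
    """Strip recognisable layers until none applies; returns (payload, names of layers removed, in order).
    Base32 is tried before base64 because the base32 alphabet is a subset of base64's."""
    layers = []
    for _ in range(max_layers):
        for name, fn in (("gzip", try_gzip), ("base32", try_base32), ("base64", try_base64)):
            out = fn(data)
            if out is not None and out != data:
                layers.append(name)
                data = out
                break
        else:
            break
    return data, layers

# Constructed sample, wrapped the way the challenge's message was: gzip, then base64, then base32.
SAMPLE = base64.b32encode(base64.b64encode(gzip.compress(b"flag{constructed_sample}")))
```

The alphabet checks are heuristics: a short all-uppercase or plain-ASCII payload can still look like base32 or base64, so inspect the output at each layer rather than trusting the final result blindly.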
We are given a YouTube link to a 6-second video in which a series of barcodes changes quickly. Numbers are repeated throughout the video as well.
So after writing down the numbers, I downloaded the YouTube video and extracted the frames from the mp4. After running each frame through a barcode scanner, we get values in this order:
It turns out that the beginning number for each decoded barcode and the numbers being said in the video match. After some careful analysis, we notice that each index of the decoded barcode corresponds to the flag we are looking for:
We have a situation brewing. Last week there was an attack on the prime minister of Morocco. His motorcade was stopped by a road blockade where heavily armed men opened fire on them. Fortunately, the prime minister was able to escape safely but many personnel and a few other ministers did not.
ATLAS, a multi-national Private Military Corporation (PMC) based in Colorado, USA, is our main suspect. We believe they were hired to conduct the hit by the opposition political party.
We flew Agent Jason to Colorado to investigate further. He gained access to their building’s reception area dressed in a suit acting as a potential client with an appointment. He was able to intercept wireless network traffic from their corporate wireless network before being escorted out by guards when they realised the bluff.
The network capture is attached below, see if you can recover any important documents which could help us tie ATLAS to the Morocco incident.
We are given a Wireshark capture file, and looking at it, it seems that the traffic uses the EAPOL protocol with authentication keys.
Looking at each of the keys, they are using 802.11 authentication to encrypt the keys, so I thought to decrypt them somehow.
We’ve managed to exploit a network service running on a C2 server used for orchestrating a large botnet. From there we were able to escalate our privileges and use that server as a proxy to pivot to other machines in the network.
It’s quite fascinating: based on the machines we have found, we think that these guys are a known bad actor, responsible for leaking private documents and data from corporate and government targets. This changes our current focus from a reconnaissance mission to a criminal investigation, which involves gathering evidence on them so we can attribute names to actions for further prosecution in the courts.
Thus, we’ve started to image the disks of all the machines we have managed to pivot on. It’s not the most ideal circumstances for admissibility of evidence, but we do have a warrant on the guys involved and we can let our lawyers do the rest.
Anyway, I’ve attached a disk image of a small Linux server which we believe they’re using for temporarily keeping exfiltrated files.
Can you take a look and see what you find?
We are given an image.E01 file and are asked to investigate it. E01 files are the EnCase image file format for disk evidence.
I viewed this file using Autopsy. We see a small Linux system in here:
Looking closely into the main directories like HOME and ROOT, I found a PGP message along with PGP public and private keys:
To decrypt this, I exported the PGP message and the private key and used gpg.