Incredibly Covert Malware Procedures

Forensics [100 pts]

Description: We got hacked! Can you see what they took?

We are given a pcap file. Analyzing it, we see that it is full of ICMP traffic. Looking at the first packet, we see that its data section is the beginning of a PNG header:

The last packet also contains an IEND chunk, which marks the end of a PNG file. So it looks like a PNG is being sent one piece per packet. The only issue is that we have to parse and filter the data to capture the correct bytes.

Since each echo reply carries the same data as its request, we use tshark to extract only the unique data sections from the pcap, which gives us a much cleaner picture of the PNG.

Our goal is to grab the bytes at the correct offset so that the result is a valid picture, so we use a known-good PNG as a guide for where the correct bytes start:

Grabbing the correct first line from the pcap data and iterating down to the end, we are able to form a PNG that gives us the flag:
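The same reconstruction can be scripted instead of done by hand with tshark. The following is an added example and not part of the original writeup: it parses a classic pcap with the standard library only, keeps the data field of every ICMP echo request (dropping the duplicated replies), and cuts the PNG out between its signature and the end of the IEND chunk. The capture it runs on is constructed inline (a 1x1 PNG split into 16-byte pieces, each sent as a request followed by an identical reply); the real challenge pcap is not included.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def png_chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    return (struct.pack("!I", len(body)) + ctype + body
            + struct.pack("!I", zlib.crc32(ctype + body)))


def sample_png():
    """Constructed sample: a valid 1x1 RGB PNG (one red pixel)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_pcap(payloads):
    """Constructed sample capture: a little-endian pcap (Ethernet link type)
    in which every ICMP echo request is followed by a reply carrying the
    same data, mirroring the request/reply duplication seen in the challenge."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for seq, data in enumerate(payloads):
        for icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + data
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                             64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
            frame = b"\x00" * 12 + b"\x08\x00" + ip + icmp  # Ethernet, type IPv4
            out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


def icmp_payloads(pcap, want_type=ICMP_ECHO_REQUEST):
    """Yield the ICMP data field of every packet of the given type, in order.
    Keeping only echo requests drops the duplicated reply copies."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24  # skip the pcap global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":   # EtherType is not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 1:                     # IP protocol 1 = ICMP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        icmp = ip[ihl:total_len]
        if icmp[0] == want_type:
            yield icmp[8:]                 # strip the 8-byte ICMP header


def reassemble_png(pcap):
    """Concatenate the ICMP data fields and cut out the PNG between its
    signature and the end of the IEND chunk (4-byte type + 4-byte CRC)."""
    data = b"".join(icmp_payloads(pcap))
    start = data.find(PNG_SIGNATURE)
    end = data.rfind(b"IEND")
    if start < 0 or end < 0:
        raise ValueError("no PNG signature / IEND chunk in the ICMP data")
    return data[start:end + 8]


if __name__ == "__main__":
    png = sample_png()
    capture = build_pcap([png[i:i + 16] for i in range(0, len(png), 16)])
    recovered = reassemble_png(capture)
    print("recovered", len(recovered), "bytes, identical:", recovered == png)
```

Filtering on ICMP type 8 is what replaces the "unique data sections" step: the reply data is a byte-for-byte copy, so keeping one direction is enough. On a real capture you would read the file with open(path, "rb").read() and pass it to reassemble_png; the signature/IEND search also tolerates any unrelated ICMP traffic before or after the transfer.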

Perhaps I could've parsed it better, but it is still readable.

Note Surfer

Web [250 pts]

Description: Check out our new sticky note website!

We are given two endpoints for this challenge. I found an unintended solution for this challenge, so I will be discussing how it happened.

http://one.jh2i.com:50020 – Where we create an account
http://one.jh2i.com:50039 – Where we can link our account from :50020 via OAuth and create notes / report to admin.

After creating an account on :50020 and linking it with :50039, we are able to create notes and report to admin.

First, a report-to-admin feature is a common vector for XSS and CSRF, so I wanted to see if I could steal some information from the admin. So, using this payload:

We were able to send it to the admin and have them visit our site.

I originally wanted to read their HTML just to see what it looked like, but base64-decoding our response twice reveals the admin dashboard plus the flag:

Template Shack

Web [150 pts]

Description: Check out the coolest web templates online!

When we first visit the site we are greeted with a normal dashboard that appears to use a template engine, so we know our exploit will involve templates.

One useful piece of information is the JWT, which, when decoded, gives this:

So we know it is using HS256, and if we want to elevate our privileges, we need our username claim to be admin. An HS256 signature can be brute-forced if the secret is weak, so trying that with John the Ripper (JTR), we recover the signing secret:

Changing the JWT username to "admin" and re-signing (verifying) it with our secret allows us to access the admin panel.
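To make the two properties this section relies on concrete (the signature pins the claims, and it only protects them while the secret is unguessable), here is an added example that is not from the original writeup. It implements HS256 signing and verification with the standard library, shows that swapping the username claim without the secret fails verification while a token re-signed with the recovered secret passes, and checks the secret against the minimum key size RFC 7518 requires for HS256. The secret and the claim layout ({"username": ...}) are constructed placeholders, not the challenge's real values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
MIN_HS256_SECRET_BYTES = 32

# Constructed placeholder; the real challenge secret is not reproduced here.
WEAK_SECRET = b"WEAK_SECRET_PLACEHOLDER"
HEADER = {"alg": "HS256", "typ": "JWT"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header, payload, secret):
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token):
    """Header and payload as dicts, with no verification (what a decoder shows)."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token, secret):
    """True only if alg is HS256 and the signature matches under `secret`."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # refuse none / alg confusion
            return False
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(s))
    except ValueError:  # malformed structure or base64
        return False


def tamper_payload(token, new_payload):
    """Swap the payload but keep the old signature: all an attacker without
    the secret can do, and exactly what verify_hs256 must reject."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode()) + "." + s


def secret_is_strong(secret):
    return len(secret) >= MIN_HS256_SECRET_BYTES


def strong_secret():
    """A randomly generated secret of the minimum RFC 7518 size."""
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)


if __name__ == "__main__":
    guest = sign_hs256(HEADER, {"username": "guest"}, WEAK_SECRET)
    print("claims:", decode_claims(guest)[1])
    print("tampered verifies:", verify_hs256(tamper_payload(guest, {"username": "admin"}), WEAK_SECRET))
    print("re-signed verifies:", verify_hs256(sign_hs256(HEADER, {"username": "admin"}, WEAK_SECRET), WEAK_SECRET))
    print("secret strong enough:", secret_is_strong(WEAK_SECRET))
```

The fix on the application side is the last check: a short, dictionary-style secret is what makes the offline brute force feasible, whereas a 32-byte random secret puts the same token out of reach. Rejecting any alg other than the one the server expects closes the separate "alg: none" and algorithm-confusion bypasses that JWT libraries have historically accepted.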

An interesting find: visiting a 404 page from the side navbar gives this:

Since the 404 page echoes the requested path (/admin/charts.html) back to us, we can try to use it as an injection point for SSTI.

Using the payload {{config}}, we leak information about the application:

Using this payload, we are able to list the files in the current directory:

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

Now we see a flag.txt, so we simply change the 'ls' to cat the flag:
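The root cause of this 404 page is worth seeing beside its fix. The following is an added example, not code from the challenge or the original writeup: it reproduces the vulnerable pattern in Jinja2 (user input concatenated into the template source, so {{ ... }} in the path is evaluated) next to the safe pattern (a fixed template with the path passed as a context value), plus a small log-side check that flags template delimiters in a request path. The 404 template text is assumed; the challenge's actual template is not reproduced.

```python
import re

from jinja2 import Environment

env = Environment(autoescape=True)

# Jinja delimiters in a request path are a strong SSTI-probe indicator.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}")


def not_found_vulnerable(path):
    """Anti-pattern: the requested path becomes part of the template SOURCE,
    so any {{ ... }} inside it is evaluated by the engine (the same flaw that
    makes {{config}} print the application configuration)."""
    return env.from_string("Page " + path + " not found").render()


def not_found_safe(path):
    """Fixed template source; the path is only a context VALUE, so it is
    printed (and HTML-escaped) rather than executed."""
    return env.from_string("Page {{ path }} not found").render(path=path)


def looks_like_template_probe(path):
    """Detection helper for access logs / WAF rules: True if the path
    contains Jinja expression or statement delimiters."""
    return bool(TEMPLATE_DELIMITERS.search(path))


if __name__ == "__main__":
    probe = "{{ 7*7 }}"
    print("vulnerable:", not_found_vulnerable(probe))   # the engine evaluates 7*7
    print("safe:      ", not_found_safe(probe))         # the braces are printed literally
    print("probe?     ", looks_like_template_probe("/admin/{{config}}"))
```

The 7*7 probe is the usual first test for SSTI: if 49 comes back, the input reached the template compiler. Note that autoescape does not help the vulnerable version at all, because escaping applies to values inserted into a template, not to the template source itself; only keeping user input out of the source fixes it.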

Lightweight Contact Book

Web [150 pts]

Description: Lookup the contact details of any of our employees!

When we visit the page, we see an employee look-up tool.

Given the name "Lightweight", the challenge hints that the web app is using LDAP (Lightweight Directory Access Protocol).

Resource: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

Typing an asterisk (*) in the search bar gives us all the users.

So, our goal is to do an LDAP injection to leak information. We cannot sign in as admin without the password, but we do see a “forgot password” feature for the web app. Clicking on it gives this information:

The description field is a built-in LDAP attribute. More reading here: https://docs.bmc.com/docs/fpsc121/ldap-attributes-and-associated-fields-495323340.html

After messing around with the search bar and receiving errors, one payload succeeds:

administrator)(&(cn=administrator)(description=v*)

This payload returns the admin user, which verifies that the wildcard in our payload matches what is stored in the description field.

Using a short Python script, we can perform a blind LDAP injection to retrieve the password:

Logging in with “administrator” and the extracted password “very_secure_hacktivity_pass”, we get the flag:
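What makes the payload above work is that the search term is pasted into the filter string unescaped, so its parentheses and asterisk become filter syntax. As an added example (not code from the challenge or the writeup), here is the RFC 4515 escaping that would have neutralised it, beside the unsafe version, and a check on the generated filter's shape that would flag the injection in application logs. The server-side filter template is assumed, since the writeup never shows it; the one used here is consistent with the page's payload producing a balanced filter.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_FILTER_SPECIALS = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}

# Assumed server-side filter template (not shown in the writeup).
LOOKUP_TEMPLATE = "(&(cn={})(objectClass=person))"

# The payload quoted in the writeup.
PAGE_PAYLOAD = "administrator)(&(cn=administrator)(description=v*)"


def escape_ldap_filter_value(value):
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_LDAP_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_lookup_filter_unsafe(name):
    """The vulnerable pattern: raw user input spliced into the filter."""
    return LOOKUP_TEMPLATE.format(name)


def build_lookup_filter(name):
    """The fix: the same template with the value escaped first."""
    return LOOKUP_TEMPLATE.format(escape_ldap_filter_value(name))


def filter_term_count(ldap_filter):
    """Number of '(' in a generated filter. The template yields exactly 3,
    so a larger count in the application log means user input changed
    the filter's structure rather than just its value."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    for build in (build_lookup_filter_unsafe, build_lookup_filter):
        f = build(PAGE_PAYLOAD)
        print(f"{build.__name__:28s} terms={filter_term_count(f)}  {f}")
    print("wildcard escaped:", build_lookup_filter("*"))
```

With escaping in place the asterisk no longer lists every user and the injected (description=v*) clause is just a literal string that matches no cn, so neither the enumeration nor the blind character-by-character probing of the description attribute is possible. Most LDAP client libraries ship an equivalent escaping helper (for example ldap3's escape_filter_chars); the point is that it has to be applied to every value that reaches a filter, the same way parameters are bound in SQL.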