Hilltop CTF – Writeups

Jun 4, 2020
Share on:

Hi everyone,

A blog post on a different topic this time. I was a Content Engineer for the Hilltop CTF event.

Write-up for the Fuzz challenge.

Challenge name: Fuzz

Creator: MasterWayZ

Category: Analysis/Fuzzing

Summary:

The user is given a URL to look at: http://shellserver1.hilltopctf.masterwayz.nl:5876/

How-To:

  1. Using a program like gobuster, we can try to see what directories exist: gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5876/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  2. We get a /301 redirect of /penguins. From here, it’s a matter of running gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5876/penguins/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt. The txt extension comes from the .txt file part in the README.md file.

Explanation:

  • We use gobuster to try to see what folder it is hidden in. dir specifies directory mode, -u specifies the URL and -w specifies the wordlist.
  • a 301 redirect of /penguins means that we’ve found something. Now we need to find the file in that directory. The new flag, -x specifies the extension used by gobuster to try to find files.

Write-up for the Fuzzy challenge.

Challenge name: Fuzzy

Creator: MasterWayZ

Category: Analysis/Fuzzing, Attacks/Cracking

Summary:

For this challenge, you need to fuzz a Flask webserver to start with. Followed by brute-forcing a password and then automating or guessing the missing character in the flag.

How-To:

  1. First we try to fuzz a directory. We can use gobuster with this. gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:39345/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  2. We will find that we get a 401 error with /email. Looking at it in the webbrowser, we see that we are given a clue that the username is admin, so we just need to brute-force the password. We can do this with hydra. hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 39354 -f shellserver1.hilltopctf.masterwayz.nl http-get /email. We find the the password is ‘michelle’.
  3. We see the flag, sort of. The ‘!’ in the flag has to be some kind of ASCII character. You can try all of them by hand or automate it. Once you’ve done that, you find that it is 5, making the flag HilltopCTF{FuzzyFuzzyFuzzyFuzzyFuzzy5_08b353dc330dcad5734172ff5009f5e6b3826d49fa7243f3e598effb85bef982}.

Explanation:

  • We first use gobuster to try to find out if there’s a hidden directory. dir specifies directory mode and -w specifies the wordlist.
  • We get a 401 for /email. Which means that it is most likely asking for some kind of authentication. Visiting it with a browser shows that the username is ‘admin’.
  • We use hydra to try to crack the password. -l specifies the login, in this case ‘admin’. -P specifies a password file, in this case rockyou.txt, -s is for the port number and -f specifies the hostname, http-get means that we want to use an HTTP GET request and /email is the path that you want to crack.
  • We get access to a partial flag. the ‘!’ in the flag is not valid. We need to try to see what ASCII or Extended ASCII character we can put in there. You can try this yourself, or automate it.

Write-up for the Injection challenge.

Challenge name: Injection

Creator: MasterWayZ

Category: Attacks/SQL Injection

Summary:

For this you need to perform a SQL injection on a webform in order to dump the database.

How-To:

  1. Go to the website. Look at the site and you will see a form. Proxy this form through something like burp, and save the request made.
  2. Use sqlmap with the request. For example, sqlmap -r injection.req.
  3. After running, it will find some ways to perform a SQL injection. After this, the easiest thing to do is to dump everything with sqlmap. Run: sqlmap -r injection.req --dump.
  4. Piece the flag together. It’s spread across three tables. It’s clear what the start and end is, because of the start of the flag and the } at the end of the flag. The piece with no bracket in it at all is the middle one.

Explanation:

  • We visit the website and only see search related things and a web form. This form submits ID to index.php, which is trying to indicate to the user at some kind of SQL is being performed. We proxy the request through burp and save it to a file. (Proxying through Burp is an easy way to get a request. We need the POST request.)
  • We use sqlmap to test the form for SQL Injection. The -r flag specifies the request and we give it the saved request.
  • When it runs for a while, we specify that we want to do MySQL tests only, as it successfully identified it as a MySQL based SQL server. After a while, it will find multiple vulnerabilities.
  • We use sqlmap again with -r to specify the request file and --dump to dump all contents.
  • From here it’s a case of finding the three flag pieces. It’s easy to see the start and end piece (from the { and }) and there is only one middle piece.

Flag locations:

  • The first part is located in the federal table.
  • The second part is located in the taskforce table.
  • The third part is located in the Guests table.

Write-up for the Backstab challenge.

Challenge name: Backstab

Creator: MasterWayZ

Category: Analysis/Fuzzing, Cryptography/Cracking

Summary:

For this challenge, you had to fuzz the initial webserver to see a passwd file and a secured area. You crack the hash and gain access to the secured area, where you fuzz for the flag.

How-To:

  1. Use a program like gobuster to do the inital scan. gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5843/ -w /usr/share/wordlists/directory-list-2.3-medium.txt
  2. After a while, you will see /secure and /passwd. Download the passwd file and use a program like hashcat with rockyou.txt to crack it: hashcat -m 3700 encrypted.hash /usr/share/wordlists/rockyou.txt.
  3. The password will be found and you can log into /secure with the username and password. The username is given in the challenge description.
  4. Fuzz the /secure/ area and you will find /flag. This contains the flag. We can do that with gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5843/secure/ -w /usr/share/wordlists/directory-list-2.3-medium.txt. (note the /secure/ at the end, especially the last /!)

Explanation:

  • First we run gobuster in directory mode to fuzz some directories and files on the webserver. -u specifies the URL and -w specifies the wordlist.
  • Once we download the hash file, we use hashcat to crack this. -m 3700 is equal to setting mode 3700 which is bcrypt. Finally with -w we specifiy the wordlist, in this case rockyou.
  • Once we have the password, we use that to log into the /secure area.
  • Once in the /secure area, we use gobuster on /secure/ to check for hidden files, and it will find /secure/flag which contains the flag.

Write-up for the Johnny challenge.

Challenge name: Johnny

Creator: MasterWayZ

Category: Cryptography/Cracking

Summary:

For this challenge, the user is given an encrypted .zip file with the flag inside.

The user has to crack the password, which is in rockyou.txt

There are many ways to do this, here is one way:

How-To:

  1. Install john
  2. Download the .zip file
  3. Run zip2john flag.zip > encrypted-zip.john
  4. Run john --format=zip encrypted-zip.john --wordlist=/usr/share/wordlists/rockyou.txt
  5. Once it finishes, run john encrypted-zip.john --show
  6. Use the password, which in this case is ‘patricia’.
  7. Unzip the ZIP file, run unzip flag.zip.

Explanation:

  • What we just did above was use the power of John the Ripper to crack the password.
  • zip2john converts the zip file into a format that john can read.
  • The command after that forces the ZIP format on the encrypted john file and cracks it using the rockyou wordlist.
  • Finally, the --show is used to let john show the password.
  • Then you can extract the file and obtain the flag.

Write-up for the Julius challenge.

Challenge name: Julius

Creator: MasterWayZ

Category: Cryptography/Cracking

Summary:

The best way would be to think of the ROT cipher and then identity to use ROT47 as this is the only one that fits. ROT13 and ROT18 lack some of the characters used.

The rotation is a method of brute-force, in this case it’s 13.

The title of this challenge was chosen to make the user think of the the Caesar chipher and hint towards ROT ciphers. However, it’s also a bit misleading as the user will see that the characters used in the encrypted message cannot exist in a Caesar encoded textfile.

Write-up for the OhSINT challenge.

Challenge name: OhSINT

Creator: MasterWayZ

Category: OSINT/Forensics

Summary:

For this challenge you had to perform some OSINT.

We start with looking at the EXIF data of the jpg file, which leaks a URL to a website. From there, you can to find the pieces of the flag that are spread over the website.

How-To:

  1. Run exiftool image.jpg and look at the comments.
  2. Access the website and look for the clues, you will find them here: one is located on the index page, if you press CTRL and A you will find it, or if you view the source. The second one is located in the view source of the index page as well, but can also be found by clicking the Maps button. The third is one found under the blog button and then view source.

Explanation:

  • We download the file and then run exiftool to look at the EXIF data of the fail, which contains a comment with an URL to visit.
  • We visit the url and are presented with a web page. Here it’s a sign to view sources, use CTRL A and visit every page and click everything to find the three hidden flags.

Flag locations:

  • The first part of the flag is hidden as a near-white text on the index.html page.
  • The second part is under the Blog button at blog.html, view the source and see the flag in an HTML comment.
  • The third part is back on the index.html page, under the Location Maps button.

Write-up for the Fuzzy challenge.

Challenge name: Fuzzy

Creator: MasterWayZ

Category: Steganography

Summary:

The user downloads the image.jpg file, opens it in a text editor, finds the ascii85 flag and decodes it.

How-To:

  1. We download the file using wget.
  2. Running strings image.jpg is one of the ways to get the flag.
  3. Identify that the flag is ascii85 encrypted and decrypt it.

Explanation:

  • wget followed by the URL is used to download a file.
  • cat, or strings (and many more tools) are used to display the contents of a file. In this case, both work as the flag is hidden at the bottom of the image.
  • One of the ways to identify that it is ascii85 is because of the characters used in the encoding. You can use a local tool or online tool to decode it and get the flag.

If you have any questions, please let me know. I’ll be seeing if I can release the files and/or containers somehow.

Have a great day!