CyberTalents: Web Category

cybertalents.com/challenges/web

Tools Used

JS Deobfuscate | De4JS | MD5 Online | Base64 Decode | Decode.fr Morse | Reqbin

Admin Has The Power

Description:

Administrators only have the power to see the flag, can you be one?

Solution:

Let's go to the link. We see a webpage with a login form. Viewing the source, we find credentials left behind in an HTML comment:

<!-- TODO: remove this line ,  for maintenance purpose use this info (user:support password:x34245323)-->

Let's log in with these. We are logged in, but we still don't have the privilege! Hit F12 to open the developer tools and look at the "Cookies" entry in the Application tab: there is a cookie named role. Change its value to admin and press Enter to save.

Reloading the page will give us the flag: hiadminyouhavethepower

This is Sparta

Description:

Morning has broken today they're fighting in the shade when arrows blocked the sun they fell tonight they dine in hell

Solution:

Clicking the link takes us to a page with a login form. Viewing its source, we find an unusual script tag at the bottom.

<script>
var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74","\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A","\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];function check(){var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);} else {alert(_0xae5b[6]);}}
</script>

The code is obfuscated, so let's decode it first using the online tool at lelinhtinh.github.io/de4js. Decoding it gives the following JS code.

var _0xae5b = ["value", "user", "getElementById", "pass", "Cyber-Talent", "Congratz \x0A\x0A", "wrong Password"];

function check() {
    var _0xeb80x2 = document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
    var _0xeb80x3 = document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
    if (_0xeb80x2 == _0xae5b[4] && _0xeb80x3 == _0xae5b[4]) {
        alert(_0xae5b[5]);
    } else {
        alert(_0xae5b[6]);
    }
}

Following the code logic and substituting the array entries for the index lookups reveals the username and password. Both are: Cyber-Talent.

Let's log in with that and see what happens. After logging in, we get the flag as an alert. FLAG: {J4V4_Scr1Pt_1S_Aw3s0me}

I Am Legend

Description:

If I am a legend, then why am I so lonely?
Flag Format : FLAG{}

Solution:

Clicking the link takes us to a login page. Viewing the source, we see an odd-looking piece of JS at the bottom made up of little more than '[' and ']'. Let's deobfuscate it with the online tool at deobfuscatejavascript.com, which gives the code below.

String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 99, 104, 101, 99, 107, 40, 41, 123, 10, 10, 118, 97, 114, 32, 117, 115, 101, 114, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 91, 34, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 66, 121, 73, 100, 34, 93, 40, 34, 117, 115, 101, 114, 34, 41, 91, 34, 118, 97, 108, 117, 101, 34, 93, 59, 10, 118, 97, 114, 32, 112, 97, 115, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 91, 34, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 66, 121, 73, 100, 34, 93, 40, 34, 112, 97, 115, 115, 34, 41, 91, 34, 118, 97, 108, 117, 101, 34, 93, 59, 10, 10, 105, 102, 40, 117, 115, 101, 114, 61, 61, 34, 67, 121, 98, 101, 114, 34, 32, 38, 38, 32, 112, 97, 115, 115, 61, 61, 32, 34, 84, 97, 108, 101, 110, 116, 34, 41, 123, 97, 108, 101, 114, 116, 40, 34, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 67, 111, 110, 103, 114, 97, 116, 122, 32, 92, 110, 32, 70, 108, 97, 103, 58, 32, 123, 74, 52, 86, 52, 95, 83, 99, 114, 49, 80, 116, 95, 49, 83, 95, 83, 48, 95, 68, 52, 77, 78, 95, 70, 85, 78, 125, 34, 41, 59, 125, 32, 10, 101, 108, 115, 101, 32, 123, 97, 108, 101, 114, 116, 40, 34, 119, 114, 111, 110, 103, 32, 80, 97, 115, 115, 119, 111, 114, 100, 34, 41, 59, 125, 125)

This one is simpler than the previous challenge. Open a browser window, go to the console in the developer tools and paste the whole expression there; the string it builds is the readable JS code below.

function check(){

    var user = document["getElementById"]("user")["value"];
    var pass = document["getElementById"]("pass")["value"];

    if(user=="Cyber" && pass== "Talent"){
        alert(" Congratz \n Flag: {J4V4_Scr1Pt_1S_S0_D4MN_FUN}");
    } 
    else {
        alert("wrong Password");
    }
}

Even though we now know the username and password, we don't need to log in, because the flag is already in the code: {J4V4_Scr1Pt_1S_S0_D4MN_FUN}
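Both "This is Sparta" and "I Am Legend" can be handled without an online tool, since the obfuscation is purely textual. The following is an added example, not code from the writeup: decodeStringArray() reverses the "hex-escaped string array plus NAME[i] lookups" shape seen in "This is Sparta" (the "Back To Basics" snippet later on this page has the same shape), and decodeCharCodes() reverses the String.fromCharCode(...) shape from "I Am Legend". The Sparta input is the snippet from the page; the fromCharCode sample is a short constructed one, because the page's own list is several hundred numbers long and decodes the same way.

```javascript
// Added example (not from the writeup): static deobfuscation of the two
// patterns seen in the challenges above.

// Turn \xNN escapes inside a string-literal body back into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Split the leading `var NAME=[...];` declaration off the source and return
// the decoded strings together with the code that follows it.
function parseStringArray(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([^\]]*)\];/);
  if (!m) return null;
  const items = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map(x => decodeHexEscapes(x[1]));
  return { name: m[1], items, rest: src.slice(m.index + m[0].length) };
}

// Replace every NAME[i] with the decoded string literal, then turn
// obj["prop"] into obj.prop so the result reads like ordinary code.
function decodeStringArray(src) {
  const parsed = parseStringArray(src);
  if (!parsed) return src;
  const { name, items, rest } = parsed;
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  let out = rest.replace(new RegExp(escaped + '\\[(\\d+)\\]', 'g'),
    (_, i) => JSON.stringify(items[Number(i)] ?? ''));
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  return out;
}

// Replace String.fromCharCode(1, 2, 3) with the text it would build.
function decodeCharCodes(src) {
  return src.replace(/String\.fromCharCode\(([\d,\s]+)\)/g,
    (_, list) => String.fromCharCode(...list.split(',').map(n => parseInt(n, 10))));
}

// The obfuscated script from "This is Sparta", exactly as shown on the page.
const SPARTA = String.raw`var _0xae5b=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73","\x43\x79\x62\x65\x72\x2d\x54\x61\x6c\x65\x6e\x74","\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x43\x6F\x6E\x67\x72\x61\x74\x7A\x20\x0A\x0A","\x77\x72\x6F\x6E\x67\x20\x50\x61\x73\x73\x77\x6F\x72\x64"];function check(){var _0xeb80x2=document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];var _0xeb80x3=document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];if(_0xeb80x2==_0xae5b[4]&&_0xeb80x3==_0xae5b[4]){alert(_0xae5b[5]);} else {alert(_0xae5b[6]);}}`;

// Constructed stand-in for the "I Am Legend" list: it spells alert("hi").
const CHARCODE_SAMPLE = 'String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41)';

console.log(decodeStringArray(SPARTA));
console.log(decodeCharCodes(CHARCODE_SAMPLE));
```

Both functions are text transformations only; nothing from the snippet is executed, which is the property you want when looking at script a page you do not control handed you.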

Encrypted Database

Description:

The company hired an inexperienced developer, but he told them he hid the database and had it encrypted so the website is totally secure, can you prove that he is wrong ??

Solution:

Clicking the link takes us to a website. Viewing the page source, we find a few things, such as a 'secret-admin' route from which the assets are served. Let's go to the 'secret-admin' route.

Now here comes a login page. Let's view the source of this one too. There is a hidden input whose value is "hidden-database/db.json". Let's append that to our current route and see what we get.

We get a JSON response back containing the flag: ab003765f3424bf8e2c8d1d69762d72c. This looks like an MD5 hash, so let's crack it using md5online.org/md5-decrypt.html

The lookup returns the text "badboy", which is the answer to the challenge.

Newsletter

Description:

The administrator put the backup file in the same root folder as the application; help us download this backup by retrieving the backup file name.

Solution:

Let's go to the link. We find a form that takes an email address and adds it to the newsletter list.

Hmm, it is defined as an email-type input. Let's change it to 'text' using Inspect Element (F12) and see if we can insert some Linux commands, since we will be working with directories.

Even after changing the input type to text, we still get a warning from the server side: it requires both '@' and '.' somewhere in the input string.

So we put our Linux command at the beginning of the input, wrapped in backticks, and append '@' and '.' after it, joining the two parts with &&.

That gives the command: whoami && @. Entering it returns the output 'www-data', which means it works! Now let's try 'ls -la' to list the contents of the current directory.

We enter ls -la && @. and get the following output:

total 8
drwxr-xr-x 1 root root 81   Sep 6 21:32 . 
drwxr-xr-x 1 root root 18   Sep 1 2020  .. 
-rwxr-xr-x 1 root root 124  Sep 6 20:50 emails_secret_1337.txt
-rwxr-xr-x 1 root root 0    Sep 6 20:50 hgdr64.backup.tar.gz
-rwxr-xr-x 1 root root 2366 Sep 6 20:50 index.php

Here we find the name of the backup file: "hgdr64.backup.tar.gz". This is the answer to the challenge!

Who Am I?

Description:

Do not Start a fight you can not stop it

Solution:

Okay, now here's another login page. As usual, viewing the source will give us the following code segment:

<!-- 
    Guest Account:
    -=-=-=-=-=-=-=-
    Username:Guest
    Password:Guest  
-->

Now, we will login with these credentials.

Okay, we are logged in, but we don't have admin access. Let's head over to the developer tools and see whether there is any authentication mechanism. Developer Tools > Application > Cookies shows an "Authentication" cookie with the value: bG9naW49R3Vlc3Q%3D

The %3D is a URL-encoded '='; the rest is base64. Decoding it with an online tool such as base64decode.org gives the string: login=Guest. Let's overwrite our login as 'admin', so we base64 encode the string login=admin, which gives: bG9naW49YWRtaW4=. Save that as the cookie value and reload the page.

Hurray! We get the flag: FLag{B@D_4uTh1Nt1C4Ti0n}

Blue Inc

Description:

Blue Inc is a new social media website that's still under construction, However it doesn't have registration yet, but if you are interested in seeing our website then you can login with demo/demo.

Solution:

They have given us a demo login. Let's head over to the login page and enter the credentials.

Nice, we are logged in, but there is nothing to see yet. As usual, let's go to the cookie tab, where we find a cookie with the key "user" and the value "demo". Let's change it to "admin" and reload the index page.

Great! We got the flag: 15716a249064f7e9684a816dcdb05282

Easy Message

Description:

I Have a Message for you.

Solution:

Hmm, another login page. Let's head over to the source.

Well, nothing here: no credentials or hints. Let's try the 'robots.txt' page and see if anything is there.

User-agent: *
Disallow: /?source

Bazinga! We get a Disallow rule for a route. Let's type it in and see what we get. Whoa! We get the PHP code below, which contains the username and password in base64-encoded form.

<?php
$user = $_POST['user'];
$pass = $_POST['pass'];

include('db.php');

if ($user == base64_decode('Q3liZXItVGFsZW50') && $pass == base64_decode('Q3liZXItVGFsZW50')) {
    success_login();
} else {
    failed_login();
}
?>

Let's decode the username and password. Both are 'Cyber-Talent'. Let's log in with them!

Okay, we are logged in and there's a message waiting for us. It clearly looks like Morse code. Let's head over to dcode.fr/morse-code and decode it.

Among the candidate results we find: FLAG(I-KN0W-Y0U-AR3-M0RS3). Yup, this is our flag!

Got Controls

Description:

We believe we made a good job protecting our infrastructure, can you bypass our controls.

Solution:

Okay, this server prints the same message over and over and won't let us access the page from the browser. Let's try cURL.

curl http://35.197.254.240/gotcontrol/ 
>> Sorry, your IP is not allowed, this server is only accessible from local machine or local LAN.

Okay, a plain curl GET request isn't helping either. After searching the internet a bit, I found that we can add a header that makes the request look like it comes from the local machine. So we try the following command.

curl --verbose --header "X-Forwarded-For: 127.0.0.1" -X GET http://35.197.254.240/gotcontrol/
>> You got me, here's the flag : FLAG{NEVER_TRUST_HEADERS}

And, we got the flag!
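The flag text says it: the server took X-Forwarded-For as the client address, and that header is set by whoever sends the request. The following is an added example, not the challenge's code: the address check written the way "Got Controls" behaves (header wins) next to a version that reads the socket's remote address and consults X-Forwarded-For only when the TCP peer is a proxy the server itself operates. The IP addresses and the trusted-proxy list are constructed.

```javascript
// Added example (not from the writeup): client-address resolution that
// trusts X-Forwarded-For unconditionally versus one that trusts it only
// behind a known proxy.

// Loopback or RFC 1918 private IPv4 (plus IPv6 loopback).
function isLocalOrLan(ip) {
  if (ip === '::1') return true;
  const m = ip.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

// Vulnerable: the header, if present, replaces the socket address.
function clientIpTrustingHeader(remoteAddress, headers) {
  const xff = headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : remoteAddress;
}

// Fixed: the header is ignored unless the peer is a trusted proxy; then the
// chain is walked right to left past trusted hops to the first untrusted one,
// which is the address the nearest trusted proxy actually saw.
function clientIpTrustingProxies(remoteAddress, headers, trustedProxies) {
  if (!trustedProxies.has(remoteAddress)) return remoteAddress;
  const hops = (headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddress;
}

// The challenge's access rule, applied to a resolved address.
function gotControlResponse(ip) {
  return isLocalOrLan(ip) ? 'allowed' : 'Sorry, your IP is not allowed';
}

// Stand-alone demo with constructed addresses (documentation ranges).
const TRUSTED = new Set(['10.0.0.2']);                   // our own reverse proxy
const spoof = { 'x-forwarded-for': '127.0.0.1' };       // the header from the writeup
console.log('header trusted :', gotControlResponse(clientIpTrustingHeader('203.0.113.5', spoof)));
console.log('proxies trusted:', gotControlResponse(clientIpTrustingProxies('203.0.113.5', spoof, TRUSTED)));
```

With no trusted proxies configured, the fixed resolver never reads the header at all, which is the right default for a server that is directly reachable.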

Back To Basics

Description:

not pretty much many options. No need to open a link from a browser, there is always a different way

Solution:

Clicking the link takes us to Google. Why's that? Let's grab the page with wget.

wget http://35.197.254.240/backtobasics

We get a file called 'backtobasic' [text/html] saved in our directory. The file contains the following:

<script> document.location = "http://www.google.com"; </script>

Now what can we do? Every time we open the page it takes us to Google, and the same happens with cURL or wget.

Let's look for a 'robots.txt' file. Hmm, looks like this website doesn't have one. Next, we can try a POST request to see if we get anything back. Let's head over to reqbin.com/post-online and use their tool.

Okay, great! We get an odd-looking piece of JS code back!

var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5])

Let's deobfuscate the code by replacing the array lookups with their values. We end up with the following code.

var arr = [
  "",
  "join",
  "reverse",
  "split",
  "log",
  "ceab068d9522dc567177de8009f323b2",
];

function reverse(input) {
  flag = input.split("").reverse().join("");
}

console.log = reverse;
console.log(arr[5]);

Running the script reverses the string and leaves the flag in the global variable flag: 2b323f9008ed771765cd2259d860baec. This is our answer.