Room Information:
Today I am going to try out this box which looks very interesting as it is theme based and has a narrative, which I really enjoyed.
We will start of with an Nmap scan of available open ports:
So we have ftp open on port 21, but it does not allow anonymous login, ssh open on port 22 and an Apache web server on port 80.
As we have no credentials for port 21 and 22, we will initially focus on the web server on port 80.
Port 80: Apache Web Server:
As this is more CFT it is likely that we will see stenography, cyphers and other puzzles for us to solve. For this reason I tend to check out everything, especially images and source code for the website. Anyway let’s start.
Straight away, viewing the source code of the landing page we see a comment:
The comment tends to point to a hidden directory /sadistRoom. Let’s explore this room:
/sadistRoom:
We access the key:
Enter the key quick as there appears to be a timer running that will get you killed after a short time.
Locker Room:
Sebastian is hiding inside a locker to make it harder for the sadist to find him. While Sebastian was inside the locker he found a note. That looks like a map of some kind.
Decode this piece of text “Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv” and get the key to access the map.
OK, so I spent some time on this and did not get very far, eventually I found a site that allowed me to analyse the cypher.
So, from the results it came up as a Atbash Cipher.
The Atbash Cipher is a really simple substitution cipher that is sometimes called mirror code. It is believed to be the first cipher ever used. To use Atbash, you simply reverse the alphabet, so A becomes Z, B becomes Y and so on.
Using the following site we can solve this:
We can enter the key to access the map:
Let’s navigate to the Safe Haven Room:
Safe haven Room:
OK, so we have a page which also has a gallery. Looking at the code we can see the following comment:
The term ‘search’ makes me think to run a Gobuster scan against this directory.
We do find a hidden directory, let’s navigate to this and see what is there:
Looking at the source code we have the following comment; however, I am not totally sure whether it is relevant to this task.
Clicking on ‘Escape Keeper’, we get a screen saying, “Save Yourself !!!”
So we have to find out the real location of the above image. To do this we can use the Google reverse image search. Download the image to your computer and head over to Google Image Search.
In Google images, click on the camera icon and select the downloaded image and upload. Google should identify the image. Enter this into the prompt to get the Keeper Key.
Keeper Key:
Head back to the Abandoned Room and let’s enter as we now have the Keeper Key:
Abandoned Room:
Let’s go further:
Looks like we are in trouble and we have to get out of here. Checking the source code there are a few points of note
In the comment there is reference that there is a shell on this page, also there is a strange name for a css class ‘pkill’, this is also a Linux command.
The shell got me thinking to other CTF’s I have done where I have uploaded a small webshell and appended ?cmd= to execute a command on the server, so I thought I would try this with this page, but use ?shell=
Using the command ‘ls’ to list the directory works.
Unfortunately every other command I tried I received, “Command Not Permitted”. I started obsessing with ‘pkill’ as I was convinced that this was a hint, as pkill is a Linux command, but still no luck. I was well and truly stuck at this point and spent several hours trying different ideas before reaching out to a kind user on Discord who gave me a valuable hint. The hint was simply ‘Relative Paths’.
Crack the hash, get the new directory I thought. So I copied each MD5 hash on hash killer and they were instantly cracked. Then another 2–3 hours of frustration before I realised that the directory was actually the hash and not the cracked hash. Navigating to the new directory we see a number of files listed which we download to our machine.
you_made_it.txt:
This is just a txt file that says, “You made it. Escaping from Laura is not easy, good job ….”.
helpme.zip:
Unzipping the file we extract two additional files
Helpme.txt:
So we have to get the key on the table and unlock the cell. Strangely the other file is called Table.jpg which appears to be an image file, or so we assume.
Using the EXIFTOOL things are not quite like they look:
Everything points that it is a zip file, also running the command ‘File’ also clearly identifies this as a Zip file.
So lets change the .jpg to a .zip and unzip it:
mv Table.jpg Table.zip
unzip Table.zip
key.wav:
We have a .wav audio file which from the name indicates that it contains a key. Listening to the .wav file is appears to be Morse code and its way to fast for me to work out. A quick search on Google for a Morse code audio decoder and I find the following site:
Uploading the file and pressing ‘Play’ decodes our file.
Joseph_Oda.jpg:
Running the image through both EXIFTOOL and STRINGS did not reveal anything, so time to give Steghide a go:
The key taken from the Morse code is the passphrase to unlock the hidden content in the .jpg file. On entering the passphrase, we can see a file called, “thankyou.txt”. Using Steghide we can extract the file as follows:
steghide extract -sf Joseph_Oda.jpgReading the file we gain the following information:
Its time to log into the ftp server on port 21.
Ftp Port 21:
Using the credentials from the thankyou.txt file we log into the ftp server:
Let’s download these files to our machine using the ‘get’ command and see what we have.
Program:
Inspecting the file program with the ‘file’ command we can see that it is a ELF 64-bit binary, so let run it and see what happens, but first we need to give it executable permissions so we can run it:
chmod +x program
So it looks like we have to add something on the end:
So it would appear that we need to add the correct passphrase on the end to move forward. Let’s look at the random.dic file, which by the sound of it appears to be a dictionary of some sort:
It looks like we will need a simple Python script to brute force the program with the random.dic file. For this I will use Pycharm IDE with a simple script to do this job:
The script successfully finds the passphrase:
Now we have a message, “Decode this ….”, followed by a load of numbers. There are two sites I use for decoding ciphers, the first listed at the beginning of this writeup and the other below:
Entering the text to be decoded into the search box, it suggests that the test is encoded with a Multi-tap Phone Cipher:
We decode the cipher:
We now have a username and a password which will probably allow us to access the ssh service:
It works and we are in:
Let’s have a look around:
Looking in the /home/kidman directory we see some interesting hidden files and the user.txt file:
.readThis.txt:
More decoding and this turns out to be encoded with ROT47:
.the_sys.txt:
This simply reads, “No one can escape from me.”
So back to the .readThis.txt file and we have to search for a string. We can do this with the find command:
Navigating to the file we can see that it is a Python file owned by root, we also write to this file. Let’s look at the code:
It appears to be pulling a random phrase and writing it to the .the_eye.txt file. We can assume that this is being run as a cron job by root:
We are correct, the cron job is being run every two minutes by root. As we have write permission, we can edit the file and add a reverse shell and inherit roots privileges.
Save the file and wait for the cron job to run.
I will be using Pwncat for the listener as it has much more function than a standard Netcat listener.
The cron job runs and we get the reverse shell as root.
Navigating to the /root directory we can grab the root.txt flag:
We can also see another txt file called readMe.txt:
There is only one way we can defeat Ruvik and as we are root, we can simple delete him as a user. Not sure if this is correct, but it is all I can think of:-)
And we are done. I absolutely loved this box, it was a great mixture of storyline, graphics, problem solving and exploiting. Well done to Shafdo for creating this box, please can we have more:-)
