
BugCrowd hosted the LevelUp0x07 CTF in August 2020: a web- and Android-based capture-the-flag challenge in which players actively exploit the web and mobile applications and collect all the flags. Each flag varies in difficulty, the first being the easiest and the last the hardest.
Summary of the CTF:
- Flags use the FLAG{hash} format
- A flag indicates you are on the right track and should explore further
- The first few flags were based on viewing source code and JavaScript files, followed by Android APK reversing and steganography in an image
- Later flags involved port knocking and remote code execution
Aim of the CTF:
- Bring down the Obelisk organization
- Stop execution of the WannaSpy malware
Initial Foothold:
Navigate to https://07.levelupctf.com/ to get the mission brief.

When we navigate to /radio we get a login page; after viewing its source code (or https://07.levelupctf.com/assets/js/login.js directly) we get our first flag and a foothold for the next one.
FLAG 1: login.js file

Now let us open the link below, which we got from login.js:
https://07.levelupctf.com/222228a4e79d33a299f5d/s3cretc0mmunications/
It seems to be an APK file which, as the name suggests, might be used for secret communications. Let's analyze it with apktool:
apktool d communications.apk
Having extracted the contents of the APK, let's grep for the string “FLAG{” recursively in the extracted folder:
grep -r FLAG{ communications/
We get the flag in communications/res/values/strings.xml. Now let's view this file.
FLAG 2: Android strings.xml

Now we have an encrypted_chat_key, though we are not sure of its use yet. After searching through the extracted files, the target APK seems to be obfuscated (only *.smali files, no *.java), e.g. “communications/smali/com/example/levelup/MainActivity.smali”. We can use the MobSF tool to analyze MainActivity easily without wasting time converting smali to Java.
After viewing MainActivity.java we find the forgot-password and chat page paths, along with a header named 3NCRYPT3D-CH4T which might be used with the encrypted_chat_key we found.

We also get two new pages, i.e. the forgot-password page and the chat page, but the chat page requires the 3NCRYPT3D-CH4T header with the value we found in strings.xml. We can access the chat page with the request below, adding the encrypted-chat header:
GET /fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat HTTP/1.1
Host: 07.levelupctf.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
3NCRYPT3D-CH4T: 8b0955d2682eb74347b9e71ea0558c67
Upgrade-Insecure-Requests: 1
We can now view the chat application.

Right away we cannot read the chat contents, as they look like ROT13 ciphertext (a reference to Mr. Robot S02E11). Let's try decoding the ciphertext with decode.org.

Now we can try forgot-password on all listed agent usernames. We get two valid users, “agent_521bcd5” and “agent_5a247455”, and security questions such as Favorite Hobbies and Favorite Lion Name, of which Favorite Lion Name is easier to guess if we analyze the uploaded giraffe image.

Let's try to find more information about the uploaded giraffe image.
FLAG 3: Exif data of the image
root@rootsploit# wget https://07.levelupctf.com/95f86cccd50.png
root@rootsploit# exiftool 95f86cccd50.png
ExifTool Version Number : 11.99
File Name : 95f86cccd50.png
Directory : .
File Size : 63 kB
File Modification Date/Time : 2020:08:13 04:03:45+05:30
File Access Date/Time : 2020:08:19 10:50:44+05:30
File Inode Change Date/Time : 2020:08:19 10:50:44+05:30
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 228
Image Height : 152
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Relative Colorimetric
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
Warning : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : inches
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
User Comment : FLAG{e8606532b027bfd324ea31d1b4f116c2}
Flashpix Version : 0100
GPS Latitude Ref : North
GPS Longitude Ref : West
Image Size : 228x152
Megapixels : 0.035
GPS Latitude : 37 deg 43' 58.53" N
GPS Longitude : 122 deg 30' 8.48" W
GPS Position : 37 deg 43' 58.53" N, 122 deg 30' 8.48" W
We got our flag; now let's try to find the coordinates where this picture was taken:
http://metapicz.com/#landing?imgsrc=https://07.levelupctf.com/95f86cccd50.png

It turns out to be the San Francisco Zoo. After a bit of searching for lion names at the zoo we found three names which we can try.

After trying all three lion names as the answer, Jahari worked, and we have the password for “agent_521bcd5”.

After exploring the application we see the Target List and the radio directory, and we get our 4th flag.
FLAG 4: /radio

After reading the message on the radio page we have two things to explore:
- Try the ping exploit to gain access to the server
- Find additional agent information from the images in /target
After multiple failed attempts at the ping exploit using the provided references, it was time to move on and explore the targets page for the next flag.
Now let's analyze all the images from the list; we find that a few images have numbers on them.

Observing all the images, we can list these numbers: 1337 415 2099 921
Now let's try to enumerate more agent images by brute-forcing the names sequentially with Burp Suite Intruder.

Let's analyze the hidden data in this image with steghide, using the password “pwn4llthebugz” from the /radio page:
steghide extract -sf agent87.jpeg -p pwn4llthebugz
FLAG 5: Steganography in agent_87.jpg

We can now conclude that port 3389 hosts a console to execute WannaSpy, but it needs many doors unlocked first. Let's try port knocking with the numbers found earlier (1337 415 2099 921) along with 3389, as mentioned in console.txt.
What is Port Knocking?
Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the attempts to connect on a specific port. Port knocking is very common in CTFs (capture the flag).
We can use our port-knocking script:
https://gist.github.com/rootsploit/db83a6975c7c1337106950b81b6df733/
python3 port-knock.py 07.levelupctf.com -b 1337 415 2099 921 3389

The -b option brute-forces all possible orderings of the specified ports to ensure we knock the port successfully.
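To make the mechanism described above concrete, here is the firewall side of port knocking as an added example (not the writeup's script, nor the CTF server's code): a small state machine that tracks each source's progress through the sequence and only opens the protected port once the knocks arrive in order and within a time window. The sequence is assumed to be the four numbers from the images, and the log format is constructed for the example.

```python
# Added example (not the writeup's script): firewall side of port knocking.
KNOCK_SEQUENCE = (1337, 415, 2099, 921)  # assumed secret sequence (from the images)
PROTECTED_PORT = 3389                     # port the sequence unlocks
WINDOW_SECONDS = 10                       # whole sequence must fit in this

class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src_ip -> (next index, time of first knock)
        self.allowed = set()  # hosts that completed the sequence

    def observe(self, ts, src_ip, dst_port):
        """Feed one connection attempt; return True when src_ip unlocks."""
        idx, start = self.progress.get(src_ip, (0, ts))
        if idx and ts - start > self.window:
            idx = 0                      # too slow: sequence expired
        if idx and dst_port == self.sequence[idx]:
            idx += 1                     # next expected port, in order
        elif dst_port == self.sequence[0]:
            idx, start = 1, ts           # first port (re)starts the run and clock
        else:
            idx = 0                      # any other port resets progress
        if idx == len(self.sequence):
            self.allowed.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, start)
        return False

    def is_allowed(self, src_ip, dst_port):
        # What the firewall consults before accepting a connection.
        return dst_port == PROTECTED_PORT and src_ip in self.allowed

# Constructed log, "<seconds> <source ip> <destination port>" per line:
# 10.0.0.5 knocks in order, 10.0.0.9 hits the same ports out of order.
SAMPLE_LOG = """\
0 10.0.0.5 1337
1 10.0.0.5 415
2 10.0.0.5 2099
3 10.0.0.5 921
4 10.0.0.9 1337
5 10.0.0.9 921
"""

def replay(log_text, daemon=None):
    # Run every logged attempt through the daemon and return it.
    daemon = daemon or KnockDaemon()
    for line in log_text.splitlines():
        ts, ip, port = line.split()
        daemon.observe(int(ts), ip, int(port))
    return daemon
```

Replaying real firewall logs through the same state machine is also a cheap way for a defender to see which sources completed a knock sequence and when.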

Let's try accessing /console, as discovered from the steganography in the image. The server seems to be running Flask/Werkzeug, which was vulnerable to remote code execution. Let's try to exploit it further:

https://github.com/its-arun/Werkzeug-Debug-RCE/
Remote Code Execution: User Access
After performing RCE on the server and listing files we find a flag.txt file.

Now let's try “cat flag.txt”.
FLAG 6: Remote Code Execution on Server

After doing some enumeration on the server we find the /opt/passwords.txt file by viewing .bash_history, and in it we find passwords for three agent accounts.

After logging into the matriarch account we can finally shut down the malware and complete our mission.

FLAG 7: Shutdown WannaSpy

We have now successfully got all 7 flags for the BugCrowd LevelUp0x07 CTF.
Thanks for reading. Follow @RootSploit for more awesome blogs.