Press "Enter" to skip to content

BugCrowd LevelUp0x07 CTF Writeup

Bug Crowd LevelUp0x07 CTF Writeup by RootSploit

BugCrowd Hosted a LevelUp0x07 CTF in the month of August 2020 which was a web and Android-based capture the flag challenge to actively exploit the web and mobile applications and collect all the flags. Each flag varies in difficulty with the first flag being the easiest, and the last being the hardest.

Summary of CTF:

  1. Flags are Placed with FLAG{hash} format
  2. Flags indicate you are on the right track and need to explore around
  3. First few flags were based on View Source Code, JavaScript files followed by Android APK reversing and Stenography of Image
  4. Later flags were about Port Knocking and Remote Code Execution

Aim of the CTF:

  1. Bringdown Obelisk Organization
  2. Stop execution of WannaSpy Malware

Initial FootHold:

Navigate to https://07.levelupctf.com/ get mission brief

Bug Crowd LevelUp0x07 CTF Mission Brief - BugCrowd CTF
Mission Brief

Now when we navigate to /radio we get a login page after viewing source code or https://07.levelupctf.com/assets/js/login.js we get our First Flag and foothold to next flag.

FLAG 1: Login.js File

First Flag of CTF in login.js - Bug Crowd CTF by RootSploit
Flag 1: login.js

Now lets us open from below link we got from login.js

https://07.levelupctf.com/222228a4e79d33a299f5d/s3cretc0mmunications/

It seems like an APK file which might be used for secret communications as the name suggests. Let’s Analyze it with apktool.

apktool d communications.apk 

We have extracted contents of the APK, let’s grep “FLAG{” string recursively in the extracted folder

grep -r FLAG{ communications/

We get flag in communications/res/values/strings.xml file Now lets view this file.

FLAG 2: Android Strings.xml

Flag 2 and Encrypted Chat Key - RootSploit
Flag 2: Android Strings.xml

Now we have some encrypted_chat_key not sure about its use, after searching through the extracted files the target APK seems to be Obfuscated (*.smali) hence there is no *.java file. For Eg: “communications/smali/com/example/levelup/MainActivity.smali” we can use MobSF tool to easily analyze MainActivity without wasting time on converting smali to Java.

After Viewing MainActivity.java we can find forget password and chat page path along with a header 3NCRYPT3D-CH4T which might be used with encrypted_chat_key we found.

MainActivity.java generated from MobSF
MainActivity.java

We also get new pages i.e. Forget Password and Chat Page but chat page requires 3NCRYPT3D-CH4T Header which we found in Strings.xml After adding below header in chat page.

We can try accessing the chat page with below request by adding Encrypted-Chat header.

GET /fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat HTTP/1.1
Host: 07.levelupctf.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
3NCRYPT3D-CH4T: 8b0955d2682eb74347b9e71ea0558c67
Upgrade-Insecure-Requests: 1

We can now view the chat application.

Chat Application Access - Bug Crowd CTF by RootSploit
Chat Page Access

Right away we cannot read the contents of the chat as it seems like ROT13 cipher text (Reference to Mr. Robot S02E11) lets try decoding the cipher text with decode.org

ROT13 Chats Decoded
Decoded Chats

Now we can try forget password on all listed agent usernames we get two valid users “agent_521bcd5” and “agent_5a247455” and security questions such as Favorite Hobbies and Favorite Lion Name out of which its easier to guess Favorite Lion name if we analyze Uploaded Giraffe Image.

Security Questions
Security Questions for agent_521bcd5

Lets try findings more information about the uploaded Giraffe Image.

FLAG 3: Exif Data of Image

root@rootsploit# wget https://07.levelupctf.com/95f86cccd50.png
root@rootsploit# exiftool 95f86cccd50.png
ExifTool Version Number         : 11.99
File Name                       : 95f86cccd50.png
Directory                       : .
File Size                       : 63 kB
File Modification Date/Time     : 2020:08:13 04:03:45+05:30
File Access Date/Time           : 2020:08:19 10:50:44+05:30
File Inode Change Date/Time     : 2020:08:19 10:50:44+05:30
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 228
Image Height                    : 152
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Relative Colorimetric
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
Warning                         : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Exif Byte Order                 : Big-endian (Motorola, MM)
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
Exif Version                    : 0231
Components Configuration        : Y, Cb, Cr, -
User Comment                    : FLAG{e8606532b027bfd324ea31d1b4f116c2}
Flashpix Version                : 0100
GPS Latitude Ref                : North
GPS Longitude Ref               : West
Image Size                      : 228x152
Megapixels                      : 0.035
GPS Latitude                    : 37 deg 43' 58.53" N
GPS Longitude                   : 122 deg 30' 8.48" W
GPS Position                    : 37 deg 43' 58.53" N, 122 deg 30' 8.48" W

We got our Flag now lets try finding the co-ordinates where this picture was taken

http://metapicz.com/#landing?imgsrc=https://07.levelupctf.com/95f86cccd50.png
Exif Data leaking Location Information about the picture leading us to Exact location where image was clicked
Co-ordinates San Francisco Zoo

It turns out to be San Francisco Zoo. And a bit of searching about lion names of the Zoo we found three names which we can try.

Lions at San Francisco Zoo
Zoo Lion Names

After trying all three lion names as answer Jahari worked and we have password for “agent_521bcd5”

Access to Agent Account after guessing right Answer to Security Question
Agent Account Access

After Exploring the application we see Target List and radio directory.We get our 4th Flag.

FLAG 4: /radio

Flag 4 found in /radio page - Bug Crowd CTF by RootSploit
Flag 4: /radio

After reading the message on radio page we have two things to explore:

  1. Try Ping Exploit to gain access to Server
  2. Finding Additional Agent Information from Images in /target

After multiple failed attempts of Ping Exploit from the provided references it was time to move to explore targets page for next flag.

Now Let Analyze all images from the list we find few images have numbers on images.

Hidden Numbers in Images as a Hint in CTF - Bug Crowd CTF by RootSploit
1337 Hidden in Image

We can list down these numbers observing all the images: 1337 415 2099 921

Now lets try to enumerate more agent images by brute-forcing it sequentially with Burp Suite Intruder.

Brute Force Agent images with Burp Suite Intruder - Bug Crowd CTF by RootSploit
Brute Force Agent images

Let’s Analyze hidden data in this image with Steghide with password “pwn4llthebugz” from /radio page.

steghide extract -sf agent87.jpeg -p pwn4llthebugz

FLAG 5: Steganography for agent_87.jpg

Performing Steganography on Images - Bug Crowd CTF by RootSploit
Flag 5: Steganography

We can now conclude that port 3389 is having a console to execute WannaSpy but it needs to unlock many door. Let’s Try Port Knocking on earlier found numbers (1337 415 2099 921) along with 3389 as mentioned in console.txt

What is Port Knocking?

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port. Port Knocking is very common in CTF (Capture the Flag)

We can use our Port Knocking Script.

https://gist.github.com/rootsploit/db83a6975c7c1337106950b81b6df733/

python3 port-knock.py 07.levelupctf.com -b 1337 415 2099 921 3389
Performing Port Knocking on target server to open port 3389 - Bug Crowd CTF by RootSploit
Port Knocking with Python

Now using option -b will Brute Force all possible combination of ports specified to ensure we Knock the port successfully.

Port Knocked Successfully - Bug Crowd CTF by RootSploit
Port Knocked Successfully

Let try accessing /console as discovered from the Steganography of the image, server seems to be running Flask Werkzeug which was vulnerable to Remote Code Execution. Let’s try to exploit it further

Flask Werkzeug  Console Access - Bug Crowd CTF by RootSploit
Werkzeug Console Access

https://github.com/its-arun/Werkzeug-Debug-RCE/

Remote Code Execution: User Access

Now After performing RCE on the server and listing files we find a flag.txt file

Listing files on target server - Bug Crowd CTF by RootSploit
List Files on target server

Now Lets try “cat flag.txt”

FLAG 6: Remote Code Execution on Server

Obtained Flag.txt by performing Remote Code execution on the server
Flag 6: Remote Code Execution

After doing some enumeration on server we find /opt/passwords.txt file by viewing .bash_history. And we find passwords to three agent accounts.

Found Agent Credentials for three accounts - Writeup by RootSploit
Agent Credentials Found

After Logging into matriarch account we can finally Shutdown the malware to pass our mission.

Destroy WannaSpy Malware - Bug Crowd CTF
Destroy WannaSpy

FLAG 7: Shutdown WannaSpy

Final Flag Captured - PWNED CTF
Pwn3d

Now we have successfully got all 7 flags for BugCrowd Level0x07 CTF.

Thanks for reading. Follow @RootSploit for more awesome blogs.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *