Writeup by team H0j3n
Category: Web
DankDebrid
We can confirm that this server is running on AWS EC2 using nslookup. This is quite useful since we can narrow down our scope and focus on AWS penetration testing later on.
Continuing with our enumeration, next up is, of course, directory scanning to see what directories the server has to offer.
If we go to /index.jsp, we are greeted by a homepage.
Trying to log in to the system and checking the response in Burp, we get the following. We also get a hint at the bottom of the response.
If we look carefully at the response, we can see a <form>: there is a functionality that allows us to download a video from an inputted URL. It's a nice feature, but this could lead to a P2 severity bug according to Bugcrowd's VRT. Take note of that so we can craft our request for the exploit.
Before we go further on our crafted exploit, let us understand how it works.
Server-Side Request Forgery (SSRF)
SSRF is a web security vulnerability that lets an attacker make the server issue requests to internal hosts or files in the infrastructure. For example, assume that you have a REST API in your local network that you did not expose to the internet; however, the server that you did expose to the internet is able to reach any of its endpoints internally. A successful SSRF can make a request to that internal endpoint and perform unwanted actions, or even lead to arbitrary command execution.
Some useful reports related to SSRF:
Now that is out of the way, let's craft our payload.
Since we know that we are dealing with AWS EC2, we can be sure that the instance metadata and user data are reachable internally. The AWS documentation explains this in more detail.
Our malicious request would look like this.
In the Burp response, we get something like this:
Now that we know their security-credentials, we can expand our payload into this:
Looking at the response, we now have the AccessKeyId and SecretAccessKey to leverage in our exploitation.
We can now access their assets using these two values with aws-cli in our terminal. But first, we need to tell aws-cli that we want to access their assets, which is where those two keys come into play.
Initially, we did not know which AWS region the server was hosted in, but that is not much of a problem since we can refer to the AWS region list. We could try them one by one, but knowing that Wargames.my is hosted in Malaysia, the Singapore region ap-southeast-1 is the most reasonable choice.
As mentioned above in the little hint that the organizer gave us, we can retrieve the file directly with an aws-cli command.
Finally, we got the flag!
Flag => wgmy{fce704324cced786680972eeafd406da}
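From the defender's side, an added example (not code from the challenge or this write-up) of the check the video-download feature above lacks: resolve the host first and refuse anything that maps to loopback, private, link-local or the IMDS address. The resolver is injectable, and static_resolver together with the host names used in it are constructed for offline use.

```python
"""Added example (not from the challenge): a resolve-then-check guard for a
"download video from URL" feature like the one above. It refuses URLs whose
host resolves to loopback, private, link-local or IMDS addresses, so a
request for http://169.254.169.254/latest/meta-data/ never leaves the app."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# AWS instance metadata addresses, blocked by name on top of the range checks
# below (fd00:ec2::254 is the IPv6 IMDS endpoint).
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}

def static_resolver(table):
    """getaddrinfo-style resolver over a {host: [ip, ...]} dict (constructed,
    for offline use); IP literals resolve to themselves like getaddrinfo."""
    def resolve(host, port):
        try:
            ips = [str(ipaddress.ip_address(host))]
        except ValueError:
            if host not in table:
                raise OSError("unknown host: " + host)
            ips = table[host]
        return [(0, 0, 0, "", (ip, port or 0)) for ip in ips]
    return resolve

def is_safe_url(url, resolver=socket.getaddrinfo):
    """True only if url is http(s) and EVERY address the host resolves to is
    public; a host with one public and one internal address is rejected."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        infos = resolver(parts.hostname, None)
    except (OSError, ValueError):
        return False
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so the IPv4 rules also cover mapped addresses.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if addr in IMDS_ADDRESSES or not addr.is_global:
            return False
    return bool(addrs)
```

The fetch that follows must connect to the address that was checked (pin it rather than re-resolving), otherwise a DNS answer that changes between check and fetch bypasses the guard.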
Jika Kau Fikirkan Kau Boleh
We start this challenge by enumerating directories, and as a result we get:
By using curl on http://s.wargames.my:20041/uploads, we can view the source code of how the upload function is mounted.
We can use curl to upload a remote code execution (RCE) request, and the response:
Success! Now we can do fun stuff in Burp.
Great! We have remote code execution now. We could try to spawn a reverse shell, but navigating through Burp is easier, plus we were lazy at the time.
Next, if we ls in /, we can see a file called start.sh, and if we look into that file, we get:
The script means that the key was randomly generated and stored in the Redis database, and our flag is stored within it. So, to obtain the flag we need the key first.
By running the command redis-cli KEYS *, we could get a list of all keys in the Redis database. From the response, we get: xbAhcqH4thzpk
Now, we can simply get the key's data to obtain the flag:
Flag => wgmy{9fdfa2a48a1aa104166faa4026c61eb2}
Category: Reverse Engineering
BabyRev
For this reversing challenge, we decompiled the binary using Ghidra and got a block of code like this.
We can get the value inside SHUFFLE by double-clicking the variable.
We can also get the value of Xor.
If we look at the code below, we can see that ss (our name after renaming; it is derived from the input after XOR and then changed by SHIFT) is compared with 159. Because it specifies 3, this could mean substr("abcdefg","abc***",3), which means it will compare index 27 with 159.
So our password would probably look like this. We need a script that can make the cross-reference for us, comparing the previous and new output. For the exploit, we made 2 scripts to compare: one does it manually, the other is automated.
- Manual
- Automated
Looking at the script, we need to update the previous list after we generate new output. The initial list does not matter as long as, after the first output, 159 exists in those last digits.
We do not fully understand how it really works, so after some time doing it manually, the output produced seemed repetitive.
We tried submitting all of these, but all were wrong. After carefully checking the difference between those four, the third flag turned out to be the correct one after we changed % to b.
Flag => wgmy{76420d7abbe073a20436d2fb14%15963}
Category: Mobile
SpeedyQuizy
Given the APK file, we can decompile it using an online APK decompiler. Inside the source code, in StartQuiz.java, is the snippet of code below.
We know that it uses a socket to connect to the server, therefore we can just nc to the server ww2.wargames.my on port 8080.
Typing ok will lead to the question.
But the server randomly selects from a set of questions. Therefore we need to fetch the questions so we can write a script to answer them. Using the script below we can fetch some of the questions.
Below is a list of some of the questions
The script below will automatically answer all of the questions.
Category: Forensic — Lord Kiske’s Server
Introduction
Download the ova file; we wrote a simple python script to get the SHA256 of lordkiske-server.ova.
Flag => wgmy{c4ea7f5c3a23990844ea6518c02740c66c4c8a605314f3bd9038f7ebfa7b9911}
[Analysis] Attacker’s IP Address
Once we have the ova, we tried to open it using Oracle VirtualBox, and it works! The challenge asks for the attacker's IP address. First, we can see that all files in /var/www/html are encrypted with a .durian extension.
Let's check for any PHP files that are not encrypted; maybe we can find something.
find /var/www/html/ -type f -iname "*.php" 2>/dev/null
We tried to grep for anyone trying to reach one of these files in /var/log/apache2/access.log and found the attacker's IP.
cat /var/log/apache2/access.log | grep -E "we.php|b404.php|musangkeng.php"
Go to CyberChef and hash the IP 172.128.31.78 with MD5.
Flag => wgmy{0941b6865b5c056c9bbb0825e1beb8e9}
[Analysis] Hash of Webshell
We found several files without the .durian extension in /var/www/html/wp-content/uploads/. One of these is surely the web shell. Since the file we.php starts with the character w, we assume that this is the web shell.
To reduce the scope, we check /var/log/apache2/access.log again and see that the attacker first tried to POST and GET the file, as below.
Calculate the sha1sum of we.php and wrap it with wgmy{}.
Flag => wgmy{96894e24bf860dd85fbdcc7fbfbad203108489d1}
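The two log searches above (the grep for the three file names, and the first POST/GET against we.php), done in Python as an added example that is not part of the write-up. The log lines are constructed, reusing only the attacker IP and one timestamp from the text, and flag_for reproduces the wgmy{md5(...)} format used for the IP, path and hostname answers.

```python
"""Added example (not from the write-up): the access.log triage above, in
Python over constructed log lines, recovering the attacker IP, the first
POST/GET against the webshell and the wgmy{md5(...)} answer format."""
import hashlib
import re
from collections import Counter
from datetime import datetime

SUSPECT_FILES = ("we.php", "b404.php", "musangkeng.php")  # names from the write-up

# Constructed combined-format sample; only the IP and one timestamp come from the text.
SAMPLE_LOG = """\
10.10.1.5 - - [03/Dec/2020:19:10:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.128.31.78 - - [03/Dec/2020:19:11:40 +0000] "POST /wp-content/uploads/we.php HTTP/1.1" 200 231 "-" "python-requests/2.25.0"
172.128.31.78 - - [03/Dec/2020:19:11:58 +0000] "GET /wp-content/uploads/we.php?a=1 HTTP/1.1" 200 88 "-" "python-requests/2.25.0"
10.10.1.9 - - [03/Dec/2020:19:12:30 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
172.128.31.78 - - [03/Dec/2020:19:13:05 +0000] "GET /wp-content/uploads/b404.php HTTP/1.1" 200 17 "-" "curl/7.68.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string so we.php?a=1 still matches we.php.
        e["file"] = e["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        entries.append(e)
    return entries

def attacker_ips(entries, names=SUSPECT_FILES):
    """Source IPs that requested any suspect script, busiest first (the grep above)."""
    return Counter(e["ip"] for e in entries if e["file"] in names)

def first_hit(entries, name):
    """Earliest request for one file, e.g. the first POST against we.php."""
    hits = [e for e in entries if e["file"] == name]
    return min(hits, key=lambda e: e["ts"]) if hits else None

def flag_for(value):
    """Flag format used for the IP, path and hostname answers: wgmy{md5(value)}."""
    return "wgmy{" + hashlib.md5(value.encode()).hexdigest() + "}"
```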
[Analysis] Path of Webshell
We have the path and the filename already, so just go to CyberChef and hash /var/www/html/wp-content/uploads/we.php with MD5.
Flag => wgmy{cc93f2436a9fdc6f19c1fa8bd865f8f3}
[Analysis] Hash of Ransomware
The file b404.php is base64-encoded. Remove all of the php tags and keep only the base64. Use the command below to decode it.
cat b404.php | tr "\n" " " | sed 's/ //g' | base64 -d
We can see the php code that the attacker used to encrypt all of the victim's files. Thus, this is the ransomware used by the attacker.
Calculate the sha1sum of b404.php and wrap it with wgmy{}.
Flag => wgmy{ba235cdbd9eb05082aa6e15cec762465884256f9}
[Analysis] Location of ransomware
We have the path and the filename already, so just go to CyberChef and hash /var/www/html/wp-content/uploads/b404.php with MD5.
Flag => wgmy{86051201744543abeda8b8efd0933e98}
[Analysis] CnC Hostname
Looking deeper inside b404.php, we found that one POST request is made to musangkeng.wargames.my. Hash musangkeng.wargames.my with MD5 and wrap it with wgmy{}.
Flag => wgmy{d7357e55e21847601d4eacb01fe13313}
[Hacking] Hack the Hacker
By checking the hacker's address, we got this.
We tried to enumerate using Dirsearch and found:
The file rw.txt consists of the decoded version of the ransomware.
We got several endpoints, which are:
Each of the endpoints has its own function. Checking getnote.php, it needs parameters.
By checking the code again, we found the parameters needed, which are host and key.
We tried putting a random value in the parameter, and it redirected us to another page.
We can see that what we input in the parameter is reflected beside Hi. We checked which parameter is reflected, and it is the host parameter. Let's try injecting some php code.
But it's not showing anything? Checking the page source, we can see that the PHP syntax is commented out.
Let's check the code again: what is the actual value received by this parameter? It uses file_get_contents() to fetch a file. From the internet, we can see the usage of this function.
This means that the key parameter actually needs to be a file? Because it tries to read or fetch a file, let's try putting index.php with our phpinfo() injected.
It works! So now, let's write a backdoor with a unique name so that no one will be able to guess it :)
It works! Let's get the flag.
Flag => wgmy{771341f6a19a96560311ca36c6b6a5da}
[Analysis] Restoration of the Lord Kiske’s server
Since we have the backdoor already, we found one file named decrypter.txt. It seems like all of the parameters become arguments received by dec.php. So let's try to make a dec.php with the dec function locally.
But right now we do not have $key and $iv!
- Solution 1
We can get $key and $iv in this directory:
$key = 3fe26007e4c66a5d650f9d373ba27ee2cdb61d11
$iv = 313dcdceb5f4b075d0980863c498ce4c66084888
- Solution 2
To get the $iv first, we need to check the time when b404.php was executed.
From here we can recreate the $iv using the script below.
Running the php, we get the $iv. Now, to get the $key, we first need the exact time and the host.
We already have the host. But for the time, we need to think harder haha. From the log below:
We see that the attacker's time is 03/Dec/2020:19:11:58 +0000, which is GMT. But if we look back at our directory, most of the encrypted files were created or changed at 4 December 19:11. The time is almost the same; just the day is different. Let's try to convert it using online tools.
Once we get the time needed, let's put it in the code below.
Running the php file gives us the $key!
- Decrypt the file
To decrypt the files, just run dec.php like below.
Run the command like above and we get the flag :)
Flag => wgmy{9ed95e1721c3aab37bd7c67496f868a2}
Category: Cryptography
BabyRSA
The challenge gives us one python file.
We have n, c and e, but we do not know p and q. After searching and googling, we found the method used to solve it, which is Fermat factorization.
- First Part
- Second Part
- Last Part
Run the script and we get the flag!
Flag => wgmy{20e6852af817ca67678df52a1668186c}
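Fermat factorization as used for BabyRSA above, followed by the RSA decryption it enables, as an added example that is not the challenge's script. The key material is constructed: p = 10007 and q = 10009 (close primes, which is exactly the case Fermat handles quickly) and e = 65537.

```python
"""Added example (not the challenge's script): Fermat factorisation as used
for BabyRSA above, then the RSA decryption it enables. Fermat works when p
and q are close, because n = a^2 - b^2 with a = (p+q)/2 only slightly above
sqrt(n). The demo key below is constructed: p = 10007, q = 10009, e = 65537."""
from math import isqrt

def fermat_factor(n, max_steps=10**6):
    """Return (p, q) with p <= q and p*q == n, or None if not found within
    max_steps. Each step tests whether a^2 - n is a perfect square."""
    if n % 2 == 0:
        return (2, n // 2)  # Fermat needs odd n; even n is trivially split
    a = isqrt(n)
    if a * a < n:
        a += 1  # start at ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None

def rsa_private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1); raises ValueError if e is not invertible."""
    return pow(e, -1, (p - 1) * (q - 1))

def rsa_decrypt(n, e, c):
    """Recover p, q by Fermat and decrypt c: the BabyRSA solve path."""
    factors = fermat_factor(n)
    if factors is None:
        raise ValueError("primes too far apart for Fermat within the step budget")
    p, q = factors
    return pow(c, rsa_private_exponent(p, q, e), n)

# Constructed demo key (close primes) so the block runs stand-alone.
DEMO_P, DEMO_Q, DEMO_E = 10007, 10009, 65537
DEMO_N = DEMO_P * DEMO_Q

if __name__ == "__main__":
    m = int.from_bytes(b"wg", "big")  # small message, must be < DEMO_N
    c = pow(m, DEMO_E, DEMO_N)
    print(rsa_decrypt(DEMO_N, DEMO_E, c).to_bytes(2, "big"))
```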
Long Crypto Guessing
In the question, we received a python file and a server to nc to. Reading through the code, the server gives the first 3 random numbers to the user; then we need to enter (guess/predict) the next number (the remainder after dividing by 10000) that the server generated, correctly, 1000 times consecutively!
In the PRNG (pseudo-random number generator) class, it generates random a and b and is given the p value; it has a state value initialized at object creation. After that, the function next calculates the next number from the number before. Therefore the function is a type of linear function. This specific generator is called a Linear Congruential Generator (LCG).
Here, the server generates a random number that becomes the seed of the PRNG object, then generates the next 3 numbers and prints them to the user. Since it is a type of linear function, the seed is the state, or the first term of the equation; we are going to call it T. Then it generates the next 3 terms.
In an LCG, there are 3 integers:
- Multiplier a
- Increment b
- Modulus p
p is given in the source code as 11760071327054544317, so we need to find a and b to predict/solve the next number. Since we have 2 equations and 2 unknowns, a and b, we can solve them. Here are detailed explanations of finding the missing multiplier and increment, which also cover different ways to crack an LCG. Once we find a and b, we can find the next number using the script below.
By implementing some of this code to find a and b, we then write the script to answer 1000 consecutive numbers correctly until it returns a flag.
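The two-equations step described above, carried through to the mod 10000 guess, as an added example that is not the write-up's script. It assumes the three printed numbers are the raw LCG states s1, s2, s3; the p value used as the default is the one quoted in the text, and the generator parameters in the stand-alone run are constructed.

```python
"""Added example (not the write-up's script): recover an LCG's multiplier a
and increment b from three consecutive outputs with the modulus p known, then
predict the next value and its remainder mod 10000 as the challenge asks.
Assumption: the server prints raw states s_{i+1} = a*s_i + b (mod p)."""

P_FROM_CHALLENGE = 11760071327054544317  # modulus quoted in the write-up

def lcg_stream(seed, a, b, p, count):
    """Generate `count` successive outputs after `seed` (used to simulate the server)."""
    out, s = [], seed
    for _ in range(count):
        s = (a * s + b) % p
        out.append(s)
    return out

def crack_lcg(s1, s2, s3, p):
    """Two equations, two unknowns:
        s2 = a*s1 + b   and   s3 = a*s2 + b   (mod p)
    Subtracting: s3 - s2 = a*(s2 - s1), so a = (s3 - s2) * (s2 - s1)^-1 mod p,
    then b = s2 - a*s1 mod p. Raises ValueError if s2 - s1 has no inverse mod p."""
    a = ((s3 - s2) * pow((s2 - s1) % p, -1, p)) % p
    b = (s2 - a * s1) % p
    return a, b

def predict_next(outputs, p=P_FROM_CHALLENGE, modulus=10000):
    """From the last three printed outputs, return (next_state, next_state % modulus)."""
    a, b = crack_lcg(*outputs[-3:], p)
    nxt = (a * outputs[-1] + b) % p
    return nxt, nxt % modulus

def solve_round(outputs, p=P_FROM_CHALLENGE):
    """One answer as the server expects it: the next number reduced mod 10000."""
    return predict_next(outputs, p)[1]

if __name__ == "__main__":
    # Constructed parameters standing in for the server's secret a, b and seed.
    p, a, b = 2147483647, 16807, 12345
    shown = lcg_stream(42, a, b, p, 3)
    print("recovered (a, b):", crack_lcg(*shown, p))
    print("guess for round 1:", solve_round(shown, p))
```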
Category: Steganography
Nuisance
Given the file nuisance.arc, we open it in HxD to look for the file signature. A quick Google of the .arc file-type signature finds 41 72 43 01, which is a FreeArc compressed file.
Download the FreeArc software. We cannot extract the file in this software because it is corrupted, but the software has the ability to repair a damaged archive.
After repairing and extracting, we still cannot open flag.palm. So we did a quick Google on .palm files and found that it is an image file, Palm OS Bitmap Image, that can be opened with the application ImageDisk. Download ImageDisk and open the file using it.
Category: Misc
Defuse The Bomb!
Given the file bomb.zip. The file is a zip bomb, which contains a file that has been compressed multiple times. Open it using WinRAR.
We can see that one of the zips has a file size and CRC32 that are different from the rest. So we just click it to reveal another of the same situation, and keep clicking the zip file that is different until we reach flag.txt. Then we extract flag.txt, but the file is 2GB, so we cannot open it with any normal text editor; HxD can open it, though, so we scroll down to find the flag!
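As an added example (not from the write-up), the same odd-one-out clue, a file size and CRC32 that differ from the siblings, applied programmatically and in memory, with depth and size budgets so the inspection cannot itself be made to expand the bomb. build_sample_bomb and its contents are constructed stand-ins for bomb.zip.

```python
"""Added example (not from the write-up): walk a nested archive like bomb.zip
in memory, following the one entry per layer whose size/CRC32 differs from its
siblings (the clue used above), under depth and size budgets so the inspection
itself cannot be made to expand the bomb. The sample archive is constructed."""
import io
import zipfile
from collections import Counter

def odd_one_out(infos):
    """The ZipInfo whose (file_size, CRC) is unique among its siblings, else None."""
    keys = Counter((i.file_size, i.CRC) for i in infos)
    uniques = [i for i in infos if keys[(i.file_size, i.CRC)] == 1]
    return uniques[0] if len(uniques) == 1 and len(infos) > 1 else None

def inspect_bomb(data, max_depth=16, max_bytes=64 * 1024 * 1024):
    """Return (trail, innermost_name); trail holds one
    (depth, name, compressed_size, uncompressed_size) tuple per layer."""
    trail, depth = [], 0
    while depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if not infos:
                raise ValueError("empty archive")
            pick = odd_one_out(infos) or infos[0]
            trail.append((depth, pick.filename, pick.compress_size, pick.file_size))
            if pick.file_size > max_bytes:  # refuse to inflate past the budget
                raise ValueError(f"{pick.filename} would expand to {pick.file_size} bytes")
            data = zf.read(pick.filename)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return trail, pick.filename
        depth += 1
    raise ValueError("nesting deeper than max_depth")

def build_sample_bomb(layers=3, siblings=4):
    """Constructed stand-in for bomb.zip: every layer holds `siblings` identical
    decoy entries plus one distinct entry (the next layer, or flag.txt inside)."""
    data, name, decoy = b"wgmy{constructed-sample-flag}", "flag.txt", b"A" * 64
    for layer in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(siblings):
                zf.writestr(f"decoy{i}.zip", decoy)
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{layer}.zip"
    return data
```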
Scoreboard
Conclusion
We really enjoyed the challenges, and this writeup was created by all of the team members of H0j3n. Without them, this write-up would not have been finished!
Members:
- H0j3n (Linkedin, Twitter, Github)
- Kaitorque (Linkedin, Twitter, Github)
- s3ns3 (Linkedin, Twitter, Github)
References
- https://imnirfn.github.io/gitbook/writeups/wgmy2020.html (s3ns3 Writeup)
- https://kaitorque.medium.com/writeup-for-wargames-my-2020-efd31dd80ec2 (Kaitorque Writeup)