Writeup: WGMY 2020

H0j3n
16 min readDec 7, 2020

--

Writeup by team H0j3n

Category: Web

DankDebrid

We can confirm that this server is running by AWS ec2, using nslookup. This is quite useful since we can narrow down our scope and try to focus on AWS penetration testing later on.

Continuing with our enumerations, up next, of course, directory scanning to take a look at what directories that the server has to offer to us.

If we go to /index.jsp we are greeted by a homepage

Try to login into the system, and check the response on burp we get

We also got some hint at the bottom of the response

If we take a look carefully, we can see <form> in the response, we can see that there is a functionality that allows us to download video from an inputted URL. It's a nice feature but this is, however, could lead to P2 severity bug according to bugcrowd's (opens new window)VRT. Take note of that so we can craft our request for the exploit.

Before we go further on our crafted exploit, let us understand how it works.

Server-Side Request Forgery (SSRF)

SSRF is a web security vulnerability that allows an attacker to make a request into the internal host/file in the infrastructure. For example, assume that you have a local REST API in your local network and you didn't expose it to the internet, however, the server that you exposed on the internet able to hit any of your endpoints internally. Successful SSRF can able to make a request to your internal endpoint and perform unwanted actions or even arbitrary commands.

Some useful report related to SSRF:

Now that is out of the way, let's craft our payload.

Since we know that we are dealing with AWS service EC2, we can be sure that there are internal metadata and user data instance internally. Here AWS Documentation (opens new window)that explains more detail on that matter.

Our malicious request would look like this.

In the burp response, we get something like this

Now that we know their security-credentials, we can expand our payload into this:

Looking at the response, now we have AccessKeyId and SecretAccessKey to leverage our exploitation.

We can now access their assets using these two fruits by using aws-cli in our terminal. But first, we need to tell aws-cli that we want to access their assets, hence, those two keys come to play.

Now, initially, we did not know which region is the server hosted in AWS, but that would not be such a problem since we can refer to aws region list (opens new window). We could try it one by one but knowing that wargames are hosted in Malaysia, a Singapore serverap-southeast-1 is the most reasonable choice to go.

As we mentioned above on the little hint that the organizer gave us, we can straight-up retrieve the file with aws-cli command

Finally, we got the flag!

Flag => wgmy{fce704324cced786680972eeafd406da}

Jika Kau Fikirkan Kau Boleh

We start this challenge by enumerating directory, as a result, we get:

By using curl to on http://s.wargames.my:20041/uploads, we can view its source code on how the upload function is mounted

We can use curl to upload remote code execution(RCE) request

and the response:

Success! Now we can do fun stuff in burp

Great! We have remote code execution now. We can try to spawn out reverse shell but navigating through burp is easier plus we were lazy that time.

Next, if we ls in the / In the directory, we can see a file called start.sh, and if we look into that file, we get:

The script means that the key was randomly generated to store in the Redis database and our flag is a store within it. So, to obtain the flag we need the key first.

By running a command redis-cli KEYS * we could get all list of keys in the Redis database.

as of the response, we get: xbAhcqH4thzpk

Now, we can simply get the key data to obtain the flag:

Flag => wgmy{9fdfa2a48a1aa104166faa4026c61eb2}

Category: Reverse Engineering

BabyRev

For this reversing challenge, we decompile it using Ghidra, we got a block of code like this.

We can get the value inside SHUFFLE just double click the variable.

We also can get the value of Xor

If we take a look at the code below, we can see that ss which after rename and get from the input after XOR and change by SHIFT are compare with te 159 because it specifies 3 which could mean substr("abcdefg","abc***",3). Which means it will compare with the index 27 with 159.

So probably our password would look like this.

So we need a script that can make the cross-reference for us to compare the previous and new output.

For the exploit, we made 2 scripts to compare. One is doing it manually, the latter is automated

  • Manual
  • Automated

Looking at the script. We need to update the previous list after we generate new output. The initial list does not matter as long as after the first output, 159 is exist in those last digits.

We do not fully understand how it really works, so after some time doing it manually. The output that produced seems repetitive.

We tried submitting all of this but all were wrong. But after carefully check the difference between those four, the third flag is the correct one after we changed % to b

Flag => wgmy{76420d7abbe073a20436d2fb14%15963}

Category: Mobile

SpeedyQuizy

Given the APK file. Using an online apk decompiler, we can decompile the file. Inside source code StartQuiz.java, below some snippet of the code

We know that it used socket to connect to the server, therefore we can just nc to server ww2.wargames.my with port 8080.

Typing ok will lead to the question.

But the server is randomly selected from a set of questions. Therefore we need to fetch the question so we can create a script to answer it. Using the script below we can fetch some of the questions.

Below is a list of some of the questions

The script below will automatically answer all of the question.

Category: Forensic — Lord Kiske’s Server

Introduction

Download the ova file and we write a simple python script to get the SHA256 of lordkiske-server.ova

Flag => wgmy{c4ea7f5c3a23990844ea6518c02740c66c4c8a605314f3bd9038f7ebfa7b9911}

[Analysis] Attacker’s IP Address

Once we have the ova , we tried to open using Oracle Virtual Box and it works! Since the challenge asking for the attacker’s IP Address. First, we can see that all files are encrypted with .durian extension in /var/www/html

Let’s check any PHP files that are note encrypted maybe that we can find something.

find /var/www/html/ -type f -iname "*.php" 2>/dev/null

We tried to grep anyone who trying to reach one of these files in /var/log/apache2/acccess.log and found the attacker's IP.

cat /var/log/apache2/access.log | grep -E "we.php|b404.php|musangkeng.php"

Go to CyberChef and encrypt IP 172.128.31.78 to MD5 hash.

Flag => wgmy{0941b6865b5c056c9bbb0825e1beb8e9}

[Analysis] Hash of Webshell

Since we have found several files without .durian extension in /var/www/html/wp-content/uploads/ . One of these surely is the web shell. Since the file we.php starts with character w , we assume that this is the web shell.

To reduce the scope, we check again /var/log/apache2/access.log and see that the attacker first trying to POST and GET the file like below.

Calculate the sha1sum of we.php and wrap with wgmy{}

Flag => wgmy{96894e24bf860dd85fbdcc7fbfbad203108489d1}

[Analysis] Path of Webshell

We have the path and the filename already, so just go to Cyberchef and encrypt /var/wwww/html/wp-content/uploads/we.php to MD5.

Flag => wgmy{cc93f2436a9fdc6f19c1fa8bd865f8f3}

[Analysis] Hash of Ransomware

The file b404.php is encoded with base64. Remove all of the php tags and get only the base64. Use the command below to decode.

cat b404.php | tr "\n" " " | sed 's/ //g' | base64 -d

We can see the php code that the attacker used to encrypt all of the victim’s files. Thus, this is the ransomware used by the attacker.

Calculate the sha1sum of b404.php and wrap with wgmy{}

Flag => wgmy{ba235cdbd9eb05082aa6e15cec762465884256f9}

[Analysis] Location of ransomware

We have the path and the filename already so just go to Cyberchef and encrypt /var/www/html/wp-content/uploads/b404.php to MD5.

Flag => wgmy{86051201744543abeda8b8efd0933e98}

[Analysis] CnC Hostname

We can try to check deep inside the b404.php and found out one of the POST request has been made to musangkeng.wargames.my

Encrypt musangkeng.wargames.my to MD5 and wrap with wgmy{}

Flag => wgmy{d7357e55e21847601d4eacb01fe13313}

[Hacking] Hack the Hacker

By checking the hacker address, We got this.

Tried to enumerate using Dirsearch and found

The file rw.txt consists of the decoded version of ransomeware. We got several endpoints which are

Each of the endpoints has it own functions . By checking getnote.php it needs parameters.

By checking the code again, we found the parameters needed which are host and key

We tried to put a random value in the parameter and it redirects us to another page.

We can see that what we input in the parameter reflected beside Hi . We tried to check which parameter is reflected and its host parameter. Let’s try inject with some php code.

But it’s not showing anything? Checking the page source, we can see that the PHP syntax is commented.

Let’s check the code again, what is the actual value received by this parameter? It using file_get_contents() to fetch one file. From the internet, we can see the usage of this function.

It means that key the parameter is actually needed to be a file? Because it trying to read or fetch a file, let’s try putting index.php with our phpinfo() injected.

It works! So right now, let’s try to write a backdoor with a unique name so that no one will be able to guess :)

It works! Let’s get the flag

Flag => wgmy{771341f6a19a96560311ca36c6b6a5da}

[Analysis] Restoration of the Lord Kiske’s server

Since we have the backdoor already we found one filename decrypter.txt . It seems like all of the parameters would become arguments to be receive by dec.php. So let’s try to make on dec.php with the function of dec locally.

But right now we do not have $key and $iv !

  • Solutions 1

We can get $key and $iv in this directory

$key = 3fe26007e4c66a5d650f9d373ba27ee2cdb61d11$iv = 313dcdceb5f4b075d0980863c498ce4c66084888
  • Solutions 2

To get the $iv first, we need to check the time when b404.php is executed.

From here we can recreate the $iv using the script below.

Try running the php and we get the $iv . Now to get the $key first, we need to get exact time and the host. We already have the host . But for time , we need to think harder haha. From the log below.

We see that the attacker time is 03/Dec/2020:19:11:58 +0000 which is using GMT time. But if we look back at our directory most of the file got encrypted is created or changes at 4 December 19:11 . The time also almost the same just the day is different. Let’s try to convert it using online tools.

Once we get the time needed, let’s put it again in the code below.

Running the php the file gives us the $key !

  • Decrypt the file

To decrypt the files just run the dec.php like below.

Run the command like above and we get the flag :)

Flag => wgmy{9ed95e1721c3aab37bd7c67496f868a2}

Category: Cryptography

BabyRSA

The challenge gives us one python file

We have n,c & e but we do not know p & q . So after searching and googling found the method used to solve which are fermat factorization .

  • First Part
  • Second Part
  • Last Part

Run the script and we get the flag!

Flag => wgmy{20e6852af817ca67678df52a1668186c}

Long Crypto Guessing

In the question, we received a python file and server to nc.

Reading through the code, they give the first 3 random numbers to the user then we need to enter (guess/predict) the next number (remainder of divide by 10000) that the server-generated correctly for 1000 times consecutively!

In PRNG(pseudo-random generator) class it generates a random a,b and give p value, it has state value initialize through object creation. After that function next is to create calculate the next number using the number before. Therefore the function is a type of linear function. This specific generator are called Linear Congruential Generator(LCG)

In here, the server will generate a random number that will become the seeds of the PRNG object, then it will generate the next 3 numbers and print to users. Since it is a type of linear function.

Therefore seeds are state or the first term of the equation, we are gonna call it T. Then it will generate the next 3 terms.

In LCG, it has 3 integers.

  • Multiplier a
  • Increment b
  • Modulus p

p is given in the source code 11760071327054544317 , So we need to find a and find b to predict/solve the next number. Since we have 2 equation and 2 unknown a and b , we can solve the equation. Here are the detailed explanations of finding the missing Multiplier & Incremenet, also contains different ways to crack LCG. Once we find out the a and b , we can find out the next number using the script below.

By implementing some of this code to find a and b then we write the script to answer 1000 consecutive number correctly until it return a flag.

Category: Steganography

Nuisance

Given the file nuisance.arc . Open the file using HxD to look for the signature file, quick Google of .arc file type signature found 41 72 43 01 which is a FreeArc compress file.

Download FreeArc software. In this software we cannot extract the file due to it is corrupted. But the software has the ability to repair the damaged archive.

After repairing and extract, we still cannot open flag.palm. So we did a quick google again on .palm file and found some information and it says that the file is an image file Palm OS Bitmap Image that can be open with the application ImageDisk. Download ImageDisk and open the file using it.

Category: Misc

Defuse The Bomb!

Given the file bomb.zip . The file is a Zip bomb which contains a file that has multiple time compress. Open it using Winrar.

We can see that one of the zip contains file size and CRC32 that is different. So we just click it to reveal another of the same situation. So we just click all zip file that is different until it reaches to flag.txt. Then we just extract the flag.txt file but the file is 2GB, So we cannot open with any normal text editor, but HxD can open it, then scroll down to find the flag!

Scoreboard

Conclusion

We really enjoy the challenges and this writeup created by all of the team members of H0j3n. Without them, this write-up would not be able to finish!

Member:

References

  1. https://imnirfn.github.io/gitbook/writeups/wgmy2020.html (s3ns3 Writeup)
  2. https://kaitorque.medium.com/writeup-for-wargames-my-2020-efd31dd80ec2 (Kaitorque Writeup)

--

--

H0j3n
H0j3n

No responses yet