Skip to main content

Hackim18 - Web2

·2 mins·
Web Write-Up Ctf
Table of Contents
Hackim18 - This article is part of a series.
Part 4: This Article

Description
#

This is the second challenge in the web category of the hackim 2018 CTF. There is no description for this challenge besides what may be the challenge’s title: Hidden in Plain Sight

Resolution
#

The website displays a single  static page without much further informations. Looking into the cookies and network analysis doesn’t reveal anything interesting.

At this point, looking for usual files and directories is a good thing to do. There is no robots.txt but a directory listing can be found under a .git/ folder.

It’s now possible to retrieve the content of this directory and all the source files. Some more detailed informations and tools to do this can be found here.

Here is the result of the extraction:

$ ls
header.jpg index.html style.css

Nothing more that can’t be found by looking in the browser. Because there is a directory listing, it’s possible to have a look at all the commits that have been done by opening the .git/logs/HEAD file:

The commit “Adding any other additional files” seems interesting. Let’s checkout the files for this commit :

$ git checkout 096a77768a37271151786b67af92c2ca82760dff
HEAD is now at 096a777... Adding any other additional files
$ ls
3e90c63922fa145442bb58d18b62af6c21717fee index.html style.css
header.jpg

There is a new folder! What’s inside ?

$ cd 3e90c63922fa145442bb58d18b62af6c21717fee/
$ ls
index.php style.css
$ cat index.php
<html>
 <head>
 <link rel="stylesheet" type="text/css" media="screen" href="style.css" />
 </head>
 <body>
 <form class="login" method="post">
 <h1 class="login-title">Login for flag</h1>
 <input name="user" id="user" type="text" class="login-input" placeholder="Username" autofocus>
 <input name="pass" id="pass" type="password" class="login-input" placeholder="Password">
 <input type="submit" value="Lets Go" class="login-button">

 <?php
error_reporting(0);
$FLAG = readfile('/var/flags/level1.txt');
if (!empty($_POST['user']) && !empty($_POST['pass'])) {
 if(checklogin($_POST['user'],$_POST['pass'])){
 echo "<font style=\"color:#FF0000\"><h3>The flag is: $FLAG</h3><br\></font\>";
 }else{
 echo "<br /><font style=\"color:#FF0000\">Invalid credentials! Please try again!<br\></font\>";
 }
}

function checklogin($u,$p)
{
 if (($u) === "passwordisinrockyou" && crc32($p) == "550274426"){ //
 return true;
 }
 }
?>
</form>
</body>
</html>

What a surprise ! There is an index.php inside another folder ! Accessing it in the browser gives this login page:

The user can be seen hardcoded in the source code of index.php (passwordisinrockyou) and the password must have a CRC32 of 550274426. Luckily, the username gives a hint, telling that the password is contained in the famous “rockyou” wordlist.

Downloading the wordlist and using a simple python script to check the CRC32 of every password contained in it, finds the password after 10 seconds.

import binascii
f = open("rockyou.txt","r")
for e in f.readlines():
  if binascii.crc32(e.strip()) % (1<<32) == 550274426:
    print e

# trumpet

The flag was hackim18{'SeCuRiTy-MisConfiGuraTionS-ArE-Bad'}

Hackim18 - This article is part of a series.
Part 4: This Article