CloudSEK’s 2nd challenge! CTF!
Recently I applied to the “Cyber Security Analyst — EWYL Program”, and for the second round they organized a CTF.
Here is my approach to solving it.
We were given one URL (http://54.244.19.42/).
So let’s open it.
Let’s try to log in with the credentials we used to sign up for https://community.xvigil.com/ and see what happens.
Most people were facing the same issue, so all of us tried to raise it on the forum. I raised the same issue too.
But after a few minutes, I realized that the CTF had already started, so I needed to bypass this login screen.
So first I opened the source code of the page.
We can see loginFunction() in front of us.
There is an if condition comparing the sliced password with some hex value, so let’s decode it.
if (x == "\x43\x6C\x6F\x75\x64\x53\x45\x4B\x5F")
So now we know the first 9 characters are “CloudSEK_”.
The next thing we can see is that the last part of the password is compared with a hash value, so let’s look this hash value up online.
if (z == "06a3cccaafedc5b09b10b4b26f02a9e1")
So now we know the password is “CloudSEK_jeniffer”. Let’s type any username with this password and check whether it works.
YAAAAAAAAAAAAAS, we are able to bypass this login screen by finding the right password.
So now what we need is the “access token for developer login portal”, which is stored in the HOME directory in a TXT file named secret.
Most people got stuck here (what to do next???).
If we look at the URL, we can see it contains a “p” parameter and a “password” parameter.
It looks like the p parameter takes a base64 value, so first let’s decode the current URL.
(http://54.244.19.42/loader.php?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=CloudSEK_jeniffer)
So the “p” parameter takes a path as its value.
So now we need to give the path /home/jared/secret.txt to this “p” parameter (we need to base64-encode it first).
So let’s try to pass this in the URL and see what we get.
YEEEEEES. We cleared the 2nd challenge; now we have an access token with us.
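The read works because loader.php opens whatever path the client puts in “p”. As an added example (not code from the challenge or from this write-up), the Python below decodes the “p” value from the URL shown above and then applies the server-side check that would keep such a loader inside its own directory; BASE_DIR and the function names are assumptions.

```python
import base64
import binascii
import posixpath
from urllib.parse import urlsplit, parse_qs

# URL exactly as it appears in the write-up.
PAGE_URL = ("http://54.244.19.42/loader.php"
            "?p=bWVzc2FnZTFfdG9famFyZWQudHh0Cg%3D%3D&password=CloudSEK_jeniffer")

# Assumption: the directory the loader is meant to serve (not given on the page).
BASE_DIR = "/var/www/messages"


def decode_p(url):
    """Return the path carried in the base64 'p' query parameter."""
    raw = parse_qs(urlsplit(url).query)["p"][0]  # parse_qs undoes %3D -> '='
    return base64.b64decode(raw, validate=True).decode("utf-8").strip()


def safe_path(p_value, base_dir=BASE_DIR):
    """Map a base64 'p' value to a file under base_dir, or return None."""
    try:
        name = base64.b64decode(p_value, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not name or "\x00" in name:
        return None
    # join() throws base_dir away when name is absolute, and '..' can climb
    # out of it, so normalise first and then check containment.
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    if candidate == base_dir:
        return None  # the directory itself is not a servable file
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    # A real server should also resolve symlinks (realpath) before this check.
    return candidate


if __name__ == "__main__":
    print("p decodes to:", decode_p(PAGE_URL))
    print("served file:", safe_path("bWVzc2FnZTFfdG9famFyZWQudHh0Cg=="))
```

With this check in place, a “p” value that decodes to an absolute path or climbs out with “..” is refused instead of being opened.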
So let’s go back to the original URL and look at the robots.txt file.
Now we know the developer login page, and we also have an access token with us.
So let’s open this /dev/login.php page.
So we need to send a POST request.
Let’s use Burp Suite to complete this task. Open Firefox and capture the request; it will look like this:
Let’s send this request to the Repeater.
And let’s change the request type from GET to POST.
Let’s press the Go button and see what we get.
So now we need to use the ‘access_token’ that we collected earlier.
We need to specify access_token in the body, not in the header. Let’s see what response we get.
So now let’s decode our access_token and set ‘admin’ as the user.
The default user was set to ‘Jared’.
So let’s change it to ‘admin’ and resubmit the request.
YEEEEES, we are able to solve this challenge. Now let’s see what’s next.
Let’s open /CloudSEK_to_win_page.html
We get one image file, so let’s do some steganography on it.
When I ran strings on the image, I found some interesting lines.
So our next target URL is /ThE_FlAg_PaGe.html
So let’s visit it.
YEEEEEEEEEEEEEEEES. We completed this CTF.
But wait, where do we need to submit this FLAG?
So, another challenge. We got two images: 1) the CloudSEK logo and 2) the You win jpg.
So let’s try to do some steganography on “you win.jpg”.
We can read that FLAG is KEY, so I know the image will have some hidden data. Let me try to decode it online.
So now let’s decode it.
So we are finally able to solve this CTF.
Really enjoyed it. (Awesome Experience)