Hacking Scenario - SparkCTF 2024
TASK 0:
Basically you are familiar with investigation scenarios where you have to put the pieces together in order to hunt down the threat actor. This one is different: it is the type of scenario where you help the threat actor, starting from the bottom. The company you are attacking today is called Spark Open Source Projects ©.
Task 1:
Attachment: NiceSmell.pcapng
By reading the description we can get an idea about the task: peer-to-peer file transfer. First, we start by enabling all protocols, because some of them aren't enabled by default in Wireshark.
Now, after a quick first look at the captured packets, we notice some remarkable protocols: BT-Tracker, BT-DHT and BitTorrent. We are looking for the sender ID, and as we know BitTorrent is peer-to-peer. So how does BitTorrent work? If we parse a torrent file, we get the URL of the tracker, the creation date, the name and size of the file, and a lot of raw data containing the SHA-1 hash of each piece, the equally-sized parts of the file we want to download. The exact size of a piece varies between torrents, but it is usually somewhere between 256KB and 1MB, which means large files can be divided into thousands of parts. Each part is downloaded from available peers, checked against the hashes from our torrent file and assembled with the others, and finally we've got a file!
But what's a tracker?
A tracker is basically a list of the people you share the torrent with; it is where we get our peers from. By making a simple GET request to the tracker URL with a few query parameters (info_hash, peer_id, port, uploaded, downloaded, compact, left) we get that peer list and can start downloading the file from a peer.
So we check the handshake in order to retrieve the Peer-ID.
We check the first packet.
The client (receiver) requested the file from a specific peer; that peer, the sender, is what we are interested in.
And That's the flag: SparkCTF{2d7142343435302d3679566652664e752e777e32}
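To make the peer_id extraction concrete, here is an added Python parser for the peer-wire handshake (example code, not part of the original writeup). The sample handshake is constructed: the info_hash is a placeholder and the peer_id is the flag value above decoded from hex.

```python
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes with the standard pstr

# Constructed sample (not captured from the challenge pcap): placeholder info_hash,
# peer_id taken from the flag's hex, which is an Azureus-style qBittorrent id.
SAMPLE_INFO_HASH = b"\x11" * 20
SAMPLE_PEER_ID = b"-qB4450-6yVfRfNu.w~2"
SAMPLE_HANDSHAKE = bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + SAMPLE_INFO_HASH + SAMPLE_PEER_ID


def describe_client(peer_id: bytes) -> str:
    """Decode the Azureus-style prefix '-XXvvvv-' into client code and version."""
    if len(peer_id) == 20 and peer_id[:1] == b"-" and peer_id[7:8] == b"-":
        code = peer_id[1:3].decode("ascii", "replace")
        version = ".".join(peer_id[3:7].decode("ascii", "replace"))
        return f"{code} {version}"
    return "unknown"


def parse_handshake(data: bytes) -> dict:
    """Parse the handshake that opens every BitTorrent peer session.

    Layout: pstrlen (1) | pstr | reserved (8) | info_hash (20) | peer_id (20).
    Each side sends its own handshake, so the peer_id in the packet coming
    from the remote peer is the sender's id, the value the task asks for.
    """
    if not data:
        raise ValueError("empty payload")
    pstrlen = data[0]
    needed = 1 + pstrlen + 8 + 20 + 20
    if len(data) < needed:
        raise ValueError(f"truncated handshake: need {needed} bytes, have {len(data)}")
    off = 1
    pstr = data[off:off + pstrlen]
    off += pstrlen
    if pstr != PSTR:
        raise ValueError("not a BitTorrent handshake: %r" % pstr)
    reserved = data[off:off + 8]
    off += 8
    info_hash = data[off:off + 20]
    off += 20
    peer_id = data[off:off + 20]
    return {
        "reserved": reserved.hex(),
        "info_hash": info_hash.hex(),
        "peer_id_hex": peer_id.hex(),  # this hex string is what the flag wraps
        "peer_id": peer_id.decode("ascii", "replace"),
        "client": describe_client(peer_id),
    }
```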
Task 2:
Attachment: Zip_pass_is_1337.zip
The description implies that the file retrieved from the torrent is a "sensitive artifact". Artifacts are forensic objects that have some forensic value: any object that contains data or evidence of something that has occurred, like logs, registry hives, and many more. We are tasked to retrieve the signature of the hidden file, in other words its SHA256 hash, as specified in the flag format.
After unzipping we get a spark.AD1 file.
AD1 files are logical images similar to a container. They are used to hold file-level acquisitions.
Let's fire up FTK-Imager and load the file.
As we all know, most people save their files on their Desktop, so that's going to be our first go-to.
Desktop Path:
%SystemRoot%\User\User_Name\Desktop
If we check the Users directory we are met with the following directories:
By checking the Administrator's Desktop we find two .eml files, Manual.eml and Reply.eml.
Let's check the first file, Manual.eml.
The mail implies that a manual has been sent as an attachment under the name Delivery.zip, but it seems to be password protected, and there's a hint about what the password might be:
The HASH of the password you use for EVERYTHING .
which means that our dear user uses only one password for everything, which is bad practice.
Now we have two tasks at hand.
Let's check the other file, Reply.eml.
It seems to be a duplicate of Manual.eml, so there's nothing interesting.
Delivery.zip is located under
%SystemRoot%\User\Default\Documents\
Then we extract it.
The Windows registry also includes data about recently used files, programs used, or devices connected to the system.
The Windows registry consists of keys and values.
A registry hive is a group of keys, subkeys and values stored within a single file on disk; hives are loaded into memory when the operating system starts or a user logs in.
Registry Structure:
The Windows registry consists of the following 5 root keys:
We are interested in HKEY_LOCAL_MACHINE, which contains SAM and SYSTEM: SAM holds the hashed credentials of all the users on this machine and SYSTEM holds the key needed to decrypt them.
The Registry is located under this directory:
%SystemRoot%\Windows\System32\config\
Now that we have retrieved SAM and SYSTEM, let's retrieve the password.
For this we can use impacket-secretsdump, which is pre-installed in Kali Linux, or the secretsdump.py script from impacket's GitHub.
The password is the NT hash for Administrator: 2bd9ee65238cdd1279c3c825ed9b3479
Now we use that hash as the password to unzip Delivery.zip.
Then we get the SHA256 hash of the file inside it, which is Wcam-2024.pdf.
Flag: SparkCTF{32ba1fd8c988a15ccad6ab95a6fdf93ce915071ec59ce093bf700ba736bf06a2}
Task 3:
After cracking the zip's password and checking this file:
Obviously there is some useful and some useless information. Our main focus is to determine an IP address, as the flag format requires. Since the tag is "OSINT" and there is a hint at the bottom right of the PDF that says "Spark open-source projects", we can, by hacker nature, assume that GitHub would lead somewhere, and in fact it does: search for "spark wcam-2024".
The repo has a README.md file, the full manual and the firmware of the camera. Seems interesting, but remember we are seeking the IP of the device, so we check page 3 of the manual:
This is the algorithm for translating the IP to the NID/network ID, so in order to get the IP we need to reverse this simple algorithm. First we take the Network ID: 27-de6a-Qxx-3
As for the fourth part there are quite a few possibilities, so ChatGPT wrote me this small script that tests whether a machine has port 80 open, as the device has a web interface (mentioned on page 4 of the full manual):
Result:
Flag: SparkCTF{20.199.81.207}
Task 4:
Connecting to that port takes us to this interface:
The fourth option seems tempting; it's also the only one that has input functionality:
But we need to understand how the binary works before performing any attack; the task can't be solved without at least reversing the binary behind this. Back to the GitHub repo: along with the full manual there is a firmware for the device, and the firmware would surely contain the filesystem. This article helps a lot when it comes to reversing and extracting the file system.
The home directory, after extracting the SquashFS file system, has a manual.md file with the following content:
So there are files mentioned in the manual like logs.txt and old.txt, which are requested by the service running on port 7005; for example the second option requests links.txt:
An assumption might cross your mind: the files are in the same directory as the binary, right? Now we search for one of these files using this command:
kali@kali$ find . -name logs.txt -type f
Heading over to that directory there is a bunch of binaries. The binary requests 3 files, so using strings and grep we can find the correct binary:
kali@kali$ strings -f * | grep 'links.txt'
So server is the correct binary (run it in case of doubt).
file command:
checksec:
– pass_reset():
– functions
– authority_checker():
Based on the information gathered from reversing the binary, we have to jump to the authority_checker function and rewrite its first parameter to the value 0xDEADFACE, and the password will be printed.
Solver:
Result:
Flag: SparkCTF{t2jTmg2Vp548SX8P}
Based on the manual found in the home directory, the login for the web app is the combo camera:t2jTmg2Vp548SX8P
Let's try it:
And it worked:
The logs page is the following:
It has a feature for searching through the logs. The logs must be stored somewhere, a database for example, but that's an assumption we will check later. For now, the source code must be in the firmware too, but how do we find it? Well, the path to the logs page is /logs, so another find command:
kali@kali$ find . -name 'logs*' -type f
Heading over to that directory, multiple files can be found:
The main file app.py has the source code for the app, but the interesting part is found in dbhelper.py:
So the database is SQLite and there is another table called webcam_users with 4 columns: username, password, service and port. Performing a UNION attack to pivot from one table to the other might work. To check how many columns the first query fetches I used this payload:
And to leak everything out of the second table I used this payload:
Result:
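The root cause behind that pivot, as an added Python example that is not the firmware's dbhelper.py: a constructed in-memory SQLite stand-in (schema and rows assumed from the writeup, the password is a placeholder) with the string-built search query beside the parameter-bound version that keeps the same UNION term from reaching the other table.

```python
import sqlite3

# Constructed stand-in for the firmware's SQLite database. The schema is assumed
# from the writeup (a logs table plus webcam_users with username, password,
# service, port); the real dbhelper.py is not reproduced here.
SCHEMA = """
CREATE TABLE logs(id INTEGER, ts TEXT, message TEXT);
CREATE TABLE webcam_users(username TEXT, password TEXT, service TEXT, port INTEGER);
INSERT INTO logs VALUES (1, '2024-03-01 10:00', 'camera boot ok');
INSERT INTO logs VALUES (2, '2024-03-01 10:05', 'login ok for user camera');
INSERT INTO webcam_users VALUES ('camera', 'PLACEHOLDER-PASSWORD', 'shell', 1338);
"""


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_logs_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # The search term is pasted into the SQL text, so a quote in it closes the
    # LIKE literal and whatever follows runs as SQL (the bug behind the pivot).
    sql = "SELECT id, ts, message FROM logs WHERE message LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_logs_safe(con: sqlite3.Connection, term: str) -> list:
    # Parameter binding keeps the term as data: the statement stays a 3-column
    # SELECT over logs no matter what the user types.
    sql = "SELECT id, ts, message FROM logs WHERE message LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


# A UNION has to match the 3 columns of the original SELECT, which is why the
# writeup probes the column count first; service and port are packed into one.
UNION_PIVOT = "' UNION SELECT username, password, service || ':' || port FROM webcam_users --"


def rows_from_other_tables(rows: list) -> list:
    """Rows whose first column is not an integer log id did not come from logs."""
    return [r for r in rows if not isinstance(r[0], int)]


def compare(term: str) -> dict:
    con = build_db()
    vuln = search_logs_vulnerable(con, term)
    return {"vulnerable": vuln, "leaked": rows_from_other_tables(vuln),
            "safe": search_logs_safe(con, term)}
```

Running compare(UNION_PIVOT) shows the webcam_users row mixed into the log results from the string-built query and nothing from the bound query; the same detection idea (rows whose id is not an integer) works as a cheap check in tests.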
We found the creds for another service, running on port 1338 and called shell. Using netcat we provide the given information and then:
Spark{H0p1ng_7h3_ch41n_w4s_FUN!_4_Y0u_H3CK3R}
For more info DM us on Discord: "alternox3051" and "rudy4487".