# Description
Recently my team HCS (Heroes Cyber Security), the official cyber security team of Institut Teknologi Sepuluh Nopember, participated in KnightCTF 2024.
We finished in 1st place out of 734 teams. Thanks to @daffainfo, @kiseki, @jjcho, @HalloBim and @circlebytes.
# Table of Contents
[toc]
# Web Category
## Levi Ackerman
> Levi Ackerman is a robot!
**Description**
We are given a website; according to the challenge description (a robot), the place to look is `/robots.txt`.
**Solve**
Visit http://66.228.53.87:5000/robots.txt and you get a listing like this

Visit the listed path and you get the flag

```
KCTF{1m_d01n6_17_b3c4u53_1_h4v3_70}
```
## Kitty
> Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.
**Description**
We are given a website with a login form; to solve this we need to do SQL injection on the login form.
**Solve**
Visit the website http://45.33.123.243:5020/ and you get a login form like this

To bypass the login form, we can use this payload
`u: " or 1=1-- -`
`p: " or 1=1-- -`
Then you will be redirected to the dashboard

For the next step, read the view-source: it shows that if you enter `cat flag.txt` in the form, the flag will be displayed

Get the flag

```
KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}
```
## README
> Read me if you can!!
**Description**
We are given a website where we just need to read `flag.txt` and bypass the 403 Access Denied
**Solve**
Visit the website http://66.228.53.87:8989/ and you get a form like this

To test whether the form works, we can simply read `text.txt`

This means we can read files, but the problem is that when we try to read `flag.txt` we get denied like this

To solve this I found a reference for adding some [header](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses#http-headers-fuzzing) to bypass the 403, like this

And we get the flag

```
KCTF{kud05w3lld0n3!}
```
## Fluxx
> Recently I have made a simple app for monitoring and analyzing metrics, events, and real-time data. I used a database which is designed for handling high volumes of timestamped data. But I think it's vulnerable find it and get the flag.
**Description**
We are given a website that uses InfluxDB, and we need to read the flag from the database
**Solve**
Visit the website http://66.228.53.87:9001/ and you get a page like this

First we read a lot of InfluxDB documentation, and eventually found a write-up on [NoSQL Injection at InfluxDB](https://rafa.hashnode.dev/influxdb-nosql-injection)
Then we build the payload like this
```
") |> yield(name: "1337")
buckets() |> filter(fn: (r) => r.name =~ /^.*/ and die(msg:r.name))
//
```
URL-encode it
`%22)%20%7C%3E%20yield(name:%20%221337%22)%20%0D%0Abuckets()%20%7C%3E%20filter(fn:%20(r)%20=%3E%20r.name%20=~%20/%5E.*/%20and%20die(msg:r.name))%20%0D%0A//`
Submit it to the website's query field

And we get the flag

```
KCTF{g0UPqVWa0eUT2wF2ipzX3v5pxikvqYhxR9OL}
```
## Gain Access 1
> The web challenges are very much similar to real life application bugs. This is going to be a series of Gain Access with 3 challenges unlocks upon solving one by one. By solving these challenges, you'll gain a practical knowledge of Authentication Bypass Vulnerabilities as well as business logic error. The only difference is you'll not get any bounty but you'll get flags. Give it a try. And keep in mind, Don't make it hard, keep it simple. All the best. Solve the challenges & be a cyber knight.
**Description**
We are given a website where we just need to do SQL injection in the email field
**Solve**
Visit the website http://45.33.123.243:13556/index.php and you get a login form like this

If you view the source, there is an email address for logging in

Append `'--+-` to the end of the email to retrieve the flag

And we get the flag

```
KCTF{ACc0uNT_tAk3Over}
```
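The Kitty and Gain Access 1 solves both work for the same reason: the login query is assembled by concatenating the submitted strings into SQL, so a quote followed by `or 1=1` or a comment marker rewrites the `WHERE` clause. The following is an added example (not code from the challenges or from the author) that reproduces the defect against a constructed in-memory SQLite table and places the parameterized query beside it so the difference is visible. The table, the e-mail addresses and the passwords are assumptions; the challenge app used `"` as its quote character, the example uses `'`, which SQLite handles the same way.

```python
import sqlite3

def make_db():
    """Constructed user table standing in for the challenge backend (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("admin@example.com", "correct-horse"), ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, email, password):
    """Builds the WHERE clause by string interpolation, so a quote in the input becomes
    part of the SQL grammar and `--` comments out the rest of the statement.
    Returns the matched e-mail or None."""
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, email, password):
    """Same query with bound parameters: the driver passes the values separately from the
    statement text, so quote characters and comment markers stay inside the string value."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    results = {}
    # Kitty-style: tautology in both fields; the vulnerable query returns the first user row.
    results["kitty_vuln"] = login_vulnerable(conn, "' or 1=1-- -", "' or 1=1-- -")
    results["kitty_fixed"] = login_parameterized(conn, "' or 1=1-- -", "' or 1=1-- -")
    # Gain Access 1-style: comment marker appended to a known e-mail, password check discarded.
    results["ga1_vuln"] = login_vulnerable(conn, "admin@example.com'--+-", "wrong")
    results["ga1_fixed"] = login_parameterized(conn, "admin@example.com'--+-", "wrong")
    # Correct credentials still pass through the parameterized path.
    results["legit"] = login_parameterized(conn, "bob@example.com", "hunter2")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} -> {value}")
```

The parameterized version is the whole fix for this class of bug; a real application would additionally store a salted password hash rather than the plaintext used in this constructed table, which is what makes the MD5 lookup in Gain Access 2 possible.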
## Gain Access 2
> You've everything to reach your destination. A knight has led the path. Follow the path & get the flag. Keep in mind, all challenges are based on real life application bugs.
**Description**
We are given a website where we first need to find the admin password and then break the OTP authentication to get the flag
**Solve**
Visit the website https://gain-access-2.knightsquad.org/ and you get a login form like this

If you view the source, there is a comment `<!-- notesssssss.txt -->`, and that file contains an email and a password hash

First we need the plaintext password; I used this [Online Tool](https://md5hashing.net/hash/md5/d05fcd90ca236d294384abd00ca98a2d) and got the plaintext password

We try to log in and get an OTP verification like this

We can bypass it by appending the payload `' or 1=1-- -` to the end of the OTP value, but when we reach the dashboard the flag is not shown

After getting stuck for a while, we intercepted the request right after the successful login and went to `/dashboard.php` directly
And we got the flag

```
KCTF{AuTh_MIsC0nFigUraTi0N}
```
## Gain Access 3
> So you've come this far huh!! Let me see if you can get this done. It's similar but with a twist. This time the email is sent to the admin only. Just think. keep in mind, all challenges are based on real life application bugs.
**Description**
We are given a website where we just need to break the authentication to retrieve the flag
**Solve**
Visit the website http://66.228.53.87:6090/; it looks the same as the `Gain Access 2` challenge
At the login form we simply intercept the request and do the same thing to get redirected to `/dashboard.php`

And we get the flag

```
KCTF{H0sT_hEaDEr_InJeCti0n_R0CkS}
```
# Networking Category
Attachment 1 : [packet.pcapng](https://drive.google.com/file/d/1fmkEYUB-uOAynUGp4a_xMu9NHRhIWeMd/view?usp=sharing)
Attachment 2 : [backup.sql](https://drive.google.com/file/d/1LogNp5VnDq5nySv0TW_EFojL3s4_vjjO/view?usp=sharing)
## Vicker IP
> Hi! It's good to see you again in my networking series. There are total 18 challenges in this series & based on real life events of how can a server be compromised. Please download the attachment which will be used to answer all the questions. Don't make it too complex. Just keep it simple. Hope you'll solve them all. Wish you all a very good luck.
Scenario: Recently one of Knight Squad's asset was compromised. We've figured out most but need your help to investigate the case deeply. As a SOC analyst, analyze the pcap file & identify the issues.
> So let's start with the basic.
What is the victim & attacker ip?
Flag Format: KCTF{victimIp_attackerIp}
**Description**
To solve this, we just need to find the victim IP and the attacker IP
**Solve**
Filter on HTTP requests in `wireshark` and you will see a directory fuzzing attack from IP 192.168.1.7 against 192.168.1.8

```
KCTF{192.168.1.8_192.168.1.7}
```
## Basic Enum
> What tool did the attacker use to do basic enumeration of the server?
> Flag Format: KCTF{toolname}
**Description**
According to the description, we just need to find the tool the attacker used to fuzz directories
**Solve**
If you follow the HTTP stream, you will find this

```
KCTF{nikto}
```
## Vulnerable Service
> What service was vulnerable to the main server?
Flag Format: KCTF{service_version}
**Description**
We just need to find the vulnerable service in the pcap
**Solve**
We look for interesting traffic like this

After checking it by following the TCP stream, we are sure the vulnerable service is `vsFTPd`
```
KCTF{vsftpd_2.3.4}
```
## Port
> What was the port number of the reverse shell of the server?
Flag Format: KCTF{port}
**Description**
Find the port number of the reverse shell in the pcap file to solve the challenge
**Solve**
You will see information in the pcap like this; there are clearly two ports

```
KCTF{6200}
```
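The first four networking questions (attacker and victim IP, enumeration tool, vulnerable service, shell port) are all answered by reading a handful of TCP streams. As an added example (not the author's code and not part of the challenge), the script below automates that triage over constructed flow summaries shaped like what Wireshark's "Follow TCP Stream" shows: it picks the attacker as the host sending the most HTTP requests, names the scanner from the `User-Agent` header, reads the service version from the FTP greeting banner, and reports any non-service port on the victim that carried command output back to the attacker. The sample flows, port numbers and the scanner signature list are assumptions; the list goes beyond the page by also matching sqlmap and a few directory brute-forcers.

```python
import re
from collections import Counter

# Constructed flow summaries standing in for packet.pcapng (payloads trimmed to the
# first lines of each stream). Addresses mirror the ones seen in the write-up.
SAMPLE_FLOWS = [
    {"src": "192.168.1.7", "dst": "192.168.1.8", "sport": 40112, "dport": 80,
     "payload": "GET /admin/ HTTP/1.1\r\nHost: 192.168.1.8\r\nUser-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)\r\n\r\n"},
    {"src": "192.168.1.8", "dst": "192.168.1.7", "sport": 80, "dport": 40112,
     "payload": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"},
    {"src": "192.168.1.7", "dst": "192.168.1.8", "sport": 40113, "dport": 80,
     "payload": "GET /backup/ HTTP/1.1\r\nHost: 192.168.1.8\r\nUser-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)\r\n\r\n"},
    {"src": "192.168.1.7", "dst": "192.168.1.8", "sport": 40200, "dport": 21, "payload": ""},
    {"src": "192.168.1.8", "dst": "192.168.1.7", "sport": 21, "dport": 40200,
     "payload": "220 (vsFTPd 2.3.4)\r\n"},
    {"src": "192.168.1.7", "dst": "192.168.1.8", "sport": 40300, "dport": 6200, "payload": "id\n"},
    {"src": "192.168.1.8", "dst": "192.168.1.7", "sport": 6200, "dport": 40300,
     "payload": "uid=0(root) gid=0(root) groups=0(root)\n"},
]

HTTP_METHOD = re.compile(r"^(GET|POST|HEAD|OPTIONS|PUT|DELETE) ")
# Scanner names as they appear in User-Agent headers (assumed signature list).
SCANNER_UA = re.compile(r"User-Agent:[^\r\n]*\b(nikto|sqlmap|nmap|dirbuster|gobuster|wfuzz)\b", re.I)
FTP_BANNER = re.compile(r"^220 \((vsFTPd) ([\d.]+)\)")
SHELL_OUTPUT = re.compile(r"uid=\d+\([^)]*\) gid=\d+")  # output of `id`, a common first command
SERVICE_PORTS = {21, 22, 25, 80, 443}

def attacker_victim(flows):
    """The host issuing the most HTTP requests is the attacker; its peer is the victim."""
    pairs = Counter((f["src"], f["dst"]) for f in flows if HTTP_METHOD.match(f["payload"]))
    (attacker, victim), _ = pairs.most_common(1)[0]
    return attacker, victim

def scanner_tool(flows):
    """Lower-cased name of the first known scanner found in a User-Agent header, or None."""
    for f in flows:
        m = SCANNER_UA.search(f["payload"])
        if m:
            return m.group(1).lower()
    return None

def vulnerable_service(flows, victim):
    """name_version taken from the FTP greeting the victim sends on port 21, or None."""
    for f in flows:
        if f["src"] == victim and f["sport"] == 21:
            m = FTP_BANNER.match(f["payload"])
            if m:
                return f"{m.group(1).lower()}_{m.group(2)}"
    return None

def shell_ports(flows, attacker, victim):
    """Victim-side ports outside the known services where command output went back to the attacker."""
    ports = set()
    for f in flows:
        if f["src"] == victim and f["dst"] == attacker and f["sport"] not in SERVICE_PORTS:
            if SHELL_OUTPUT.search(f["payload"]):
                ports.add(f["sport"])
    return sorted(ports)

def triage(flows):
    attacker, victim = attacker_victim(flows)
    return {
        "attacker": attacker,
        "victim": victim,
        "scanner": scanner_tool(flows),
        "service": vulnerable_service(flows, victim),
        "shell_ports": shell_ports(flows, attacker, victim),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(f"{key:12s}: {value}")
```

On a real capture the same functions can be fed from `tshark -T fields` output (one record per stream) instead of the constructed list; the request-count heuristic for attacker/victim is deliberately simple and should be cross-checked against the timeline, since a busy legitimate client can also top that counter.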
## CVE ID
> What's the CVE id for the vulnerable service?
Flag Format: KCTF{CVE-xxxx-xxxx}
**Description**
Just find the CVE ID of the vulnerable service to solve the challenge
**Solve**
Simply search for `cve vsftpd 2.3.4`

```
KCTF{CVE-2011-2523}
```
## Famous Tool
> The attacker used a popular tool to gain access of the server. Can you name it?
KCTF{toolname}
**Description**
Find the tool that loaded the exploit to solve the challenge
**Solve**
According to the description it is a popular tool, so I answered `metasploit`, because I had used the same exploit with it in the past
```
KCTF{metasploit}
```
## Hidden File
> What's the flag of the hidden file?
Flag Format: KCTF{fLaG}
**Description**
Find the hidden file that contains a flag
**Solve**
Follow the vsftpd TCP stream and you get this

Decode the text with this [Twin-Hex Cipher](https://www.calcresult.com/misc/cyphers/twin-hex.html) tool

```
KCTF{ExPloItiNg_S3RvEr_Is_fUN}
```
## Confidential
> There's something confidential. Can you find it?
Flag Format: KCTF{fl4G}
**Description**
Find the confidential item to solve the challenge
**Solve**
In this challenge I used `Network Miner` and found this zip

Extract it and you get a Word file; if you press `CTRL+A` there is invisible text, so just change the text color

```
KCTF{Y0U_Ar3_N3tW0rk_M1n3r}
```
## BackDoor
> What is the backdoor file name?
Flag Format: KCTF{filename.ext}
**Description**
Find the backdoor file name in the pcap to solve the challenge
**Solve**
Follow the vsftpd TCP stream and you get this

```
KCTF{.621b4CkD0oR.php5}
```
## BackDoor Path
> What is the full path of the backdoor in the server?
Flag Format: KCTF{/full/path}
**Description**
Find the full path of the backdoor
**Solve**
Follow the vsftpd TCP stream and you get this

```
KCTF{/var/www/html/app/assets/.621b4CkD0oR.php5}
```
## Super Admin
> What is the super admin password in the web application?
Flag Format: KCTF{password}
**Description**
Find the super admin password to solve the challenge
**Solve**
You get the attachment `backup.sql` and can see the root user like this

Look up the MD5 [password](https://md5hashing.net/hash/md5/5f27f7648285dec7954f5ee1ad696841) hash

```
KCTF{letmeinroot}
```
## Admin Flag
> Can you find the Admin Flag of the web server.?
Flag Format: KCTF{fl4G}
**Description**
Find the flag of the web server that is in the source code
**Solve**
I used Network Miner to find the source code file

Extract the zip, and in `/views/dashboard.php` there is code like this

Decode the text

```
KCTF{y0U_G0t_tHe_AdMin_Fl4g}
```
## Vuln
> What was the vulnerability on the edit task page & what parameter was vulnerable?
Flag Format: KCTF{VULN_parameter} only the parameter is case sensitive.
**Description**
Find the vulnerability affecting the edit task page and the vulnerable parameter name
**Solve**
If you apply the HTTP filter to the pcap, you will see this

It looks like a SQL injection attack; if you check the source code, the vulnerable parameter is `taskId`

```
KCTF{sqli_taskId}
```
## Famous Tool 2
> What tool did the attacker use to identify the vulnerability of edit task page?
Flag Format: KCTF{toolname/version}
**Description**
Find the tool the attacker used to exploit the SQL injection vulnerability
**Solve**
If you follow the HTTP stream, you will find this

```
KCTF{sqlmap/1.7.10#stable}
```
## Something Interesting
> There's something interesting. Can you find it?
Flag Format: KCTF{fl4G}
**Description**
Find the interesting flag
**Solve**
If you open the `backup.sql` file, there is a table named `something`

`zr%uL*_F02#60x?%6#tD%:}8N`

```
KCTF{Y0u_aRe_InTeREsTiNg}
```
## Hidden Page
> There was a hidden page which was only accessible to root & was removed from the web app for security purpose. Can you find it?
Flag Format: KCTF{filename.ext}
**Description**
Find the hidden page that was accessible when logged in as the root user
**Solve**
To solve this, go back to the source code `/views/tasks.php` and you will see this

```
KCTF{terminal-13337.php}
```
## DB Details
> What is the database username & databasename?
Please use the attachment of the first challenge. And keep in mind that the file you have is the backup file. There might be an update to the database.
Flag Format: KCTF{username_dbname}
**Description**
Find the database username and the database name of the web server
**Solve**
Follow the vsftpd TCP stream and you get this

The username is `db_user`, and the database name can be seen in the `/models/db.php` source code

```
KCTF{db_user_kctf2024}
```
## API Key
> What's the API Key?
Flag Format: KCTF{API-KEY}
**Description**
Find the API key used on the web server
**Solve**
Open the source code `/models/db.php`

```
KCTF{6eea9135-2801-4560-b44c-f297b5f46f2f}
```
# Stegano Category
## Flag Hunt!
> Hunt your way through the challenge and Capture The hidden Flag!!!
Flag Format: KCTF{S0m3th1ng_h3re}
Attachment : [chall.zip](https://drive.google.com/file/d/1oG1Uv8rH1v-Zogaav2KBB5wNwYSmPvy4/view?usp=sharing)
**Description**
Crack the zip password, extract it, and find the file that differs from the rest to get the flag
**Solve**
First, you need to crack the zip. I used `fcrackzip`
`fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt chall.zip`
And got the password

Extract the zip and you get many files

I decoded the wav first, but it is not the flag

Then I decided to use `file *` to find the odd one out, and picture 725 is slightly different

Use steghide to extract the file from the image with the password `morsecodetotherescue!!`

Open the flag.txt

```
KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}
```
## Oceanic
> The ocean's beauty is in its clear waters, but its strength lies in its dark depths.
Flag Format: KCTF{S0m3th1ng_h3re}
Attachment : [challenge.tar](https://drive.google.com/file/d/1zRNxWLBWDu7TiHAdxQrT_pRv8pR_bDqM/view?usp=sharing)
**Description**
Find the flag in the wav file, using the clue image, to solve the challenge
**Solve**
First we can go to [Aperisolve](https://www.aperisolve.com/) to find any interesting information in `clue.jpg`

We can see a password `theoceanisactuallyreallydeeeepp`, but it is for the wav file
After struggling for some time we found this [reference](https://ctftime.org/writeup/9638), which uses a tool named `DeepSound`

That gives a flag.png, on which I then used binwalk

Open the flag.txt

```
KCTF{mul71_l4y3r3d_57360_ec4dacb5}
```