<Center><h1> CTF – PUBG </h1></Center>

#### Hi folks....

This is a write-up on PUBG-CTF, one of the CTFs hosted by Net-square solutions Pvt. Ltd. among employees as an activity to enhance their knowledge and problem-solving ability. The overall CTF experience was great, and somehow I was able to crack the challenges and win the CTF. This CTF was not so predictable, and one needs to spend extra time to understand and make a way into the VM.

Whenever I play any CTF, the first thing I always keep in mind is to use basic enumeration tools at the start, like dirb, Nmap etc., and to check out the HTML source code of any web challenge if it exists. This gives me a basic idea of the challenges and gives me some options and cases to solve them.

<h3> Challenge 1: </h3>

The <b>first challenge</b> was just to visit an IP. I opened this IP in the browser and an image of PUBG showed up. I tried to decode the image using some online image decryption tools but failed to get anything. As usual, I shifted my focus towards enumeration and the code of the application, and used the dirb tool, but unfortunately I could not find any hidden path. Then I tried Nmap to enumerate the services running on open ports, and found two services running: SSH and SMB.

![](https://i.imgur.com/ZxLoN6H.png)

Hmm, I could try a couple of things on these services to make my way in. I started with SSH and tried to find any hint of a username or password in the web page’s HTML source code, but I could not find anything. At this moment, I was pretty sure that the webpage may not have anything related to this challenge. I turned my focus to SMB, and to get more information about this service I used a tool known as “smbclient”. There are several other tools one can use for SMB enumeration, such as nbtscan, SMBMap, smbclient etc. To know more about <b>SMB enumeration</b>, visit “https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/”.
I used the command: <b>“smbclient -L \\10.50.137.137”</b>

![](https://i.imgur.com/JZ91jDt.png)

As a result, I got two different user names which are available for SMB.

1. V3n0m
2. pumpkindota

My second step was digging into V3n0m by running the command <b>"smbclient //IP/V3n0m"</b>. I managed to connect to it and view the items in the current directory.

![](https://i.imgur.com/XwzkGlz.png)

And finally, I found “Flag.txt” present in this directory. Now, the challenge was to read the flag file. I tried multiple commands to read the file, including cat and strings, but was unsuccessful. Yes, my bad, I was treating the SMB shell as an SSH shell. As soon as I realized it, I started searching for the particular commands in SMB without wasting any time, and finally I came across a useful link that solved my problem: “https://wiki.hpc.uconn.edu/index.php/File_transfer_via_SMB”. I couldn’t read Flag.txt in the shell, but I could fetch the file and read it locally. I used the command <b>“get Flag.txt”</b> in the SMB shell and the file got downloaded to my system.

![](https://i.imgur.com/m9bBv57.png)

I opened the file and look what I found,

![](https://i.imgur.com/UJIvUBF.png)

Now, as the flag was encoded, I tried to decode it using an online base64 decoder, and I found a flag in reverse order.

![](https://i.imgur.com/SLB6LDz.png)

I reversed it back and got my first flag. The flag was:

<b>Flag</b> : ![](https://i.imgur.com/ESKgRXX.png)

<h3> Challenge 2: </h3>

Earlier, when I accessed the V3n0m folder over SMB, the <b>“Readme.txt”</b> file drew my attention. I downloaded that file and got credentials for the V3n0m user.

![](https://i.imgur.com/7VQG9id.png)

As the SSH service was running on this server, I tried to connect to the server using the V3n0m user’s credentials.

![](https://i.imgur.com/efLsgNk.png)

I started digging into various directories to find the flag but was unable to find anything. Then the idea of using the find command struck my mind.
I first tried to locate all directories which had write permissions for the user V3n0m. I looked for any CTF-related browsable directory.

![](https://i.imgur.com/oH0vBs3.png)

I got a few folders with the names of guns and, of course, these guns are used in the PUBG game. I opened every folder, and every folder had a “Secret” folder, and in the folder “M416” I got a shell file, <b>“LostPassword.sh”</b>. I executed it and it delivered me the “pumpkindota” user’s credentials.

![](https://i.imgur.com/5PDeX3g.png)

I was confused a little bit, but after some time I tried to log in as “pumpkindota” with the password, but was unable to find any useful file/flag. I tried to access the root account with the command “sudo -i” and I was able to find the “Flag.txt”.

![](https://i.imgur.com/oXMNoUT.png)

I read the flag and tried to reverse it, but the result was not making any sense. So the only reason behind this could be the use of encoding. I tried multiple decoding techniques online related to shifting of characters and finally I found that it was ROT13 encoding. So, our final flag was:

<b>Flag</b> : ![](https://i.imgur.com/99GMrSu.png)

Thanks for reading my write-up!!:)

Follow me on <a href="https://twitter.com/iForamDave?s=09">Twitter</a> and <a href="https://www.linkedin.com/in/foram-dave-368466143">LinkedIn</a>.

<div style="text-align: right">By - Foram Dave</div>
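
Both flags above were recovered by peeling encoding layers: base64 then reversal in Challenge 1, ROT13 in Challenge 2. The following Python script is an added example, not part of the original write-up; it tries those same three transforms locally in every order, so the blob never has to be pasted into an online decoder. The `flag{...}` pattern and both sample strings are constructed assumptions, since the real flags appear only in the screenshots.

```python
import base64
import binascii
import codecs
import itertools
import re

# Assumed flag shape for this example; the CTF's real format is only in the screenshots.
FLAG_RE = re.compile(r"^flag\{[ -~]+\}$", re.IGNORECASE)

def b64(s):
    """Strict base64 decode; None unless the result is printable ASCII."""
    try:
        out = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return out if out and out.isprintable() else None

def rot13(s):
    return codecs.decode(s, "rot_13")

def reverse(s):
    return s[::-1]

STEPS = {"base64": b64, "reverse": reverse, "rot13": rot13}

def peel(blob, max_depth=3):
    """Apply every ordering of the steps (up to max_depth) and
    return [(chain, text)] for results that look like a flag."""
    hits = []
    for depth in range(1, max_depth + 1):
        for chain in itertools.permutations(STEPS, depth):
            text = blob.strip()
            for name in chain:
                text = STEPS[name](text)
                if text is None:      # this layer did not decode cleanly
                    break
            if text is not None and FLAG_RE.match(text):
                hits.append((chain, text))
    return hits

# Constructed samples mirroring the two challenges (not the real flags).
SAMPLE_1 = base64.b64encode(b"flag{constructed_sample_one}"[::-1]).decode()
SAMPLE_2 = rot13("flag{constructed_sample_two}")

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        for chain, text in peel(sample):
            print(f"{sample!r}: {' -> '.join(chain)} => {text}")
```
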