Since my recent interest in Bug Bounties, while I was at DEFCON 26, I wanted to meet HackerOne staff. I saw a tweet from HackerOne and I was determined to try to meet someone from HackerOne! I decided to hang around the Packing Hacking Village to see if I could catch one of the staff members.
After asking around, unfortunately, I wasn't able to meet any HackerOne staff, but I was given a puzzle from one of the Packet Hacking Village staff, who explained he was told to given them out to people interested in HackerOne.
Recon and some deciphering…
My first instinct was “I should try to ssh in as root into whatever the domain name is and then cat the file in
./702/puzzle”, so I put
atvdxk.ahebwtr into a ROT decoder.
Only ROT-7 made sense, so I continued on the assumption
atvdxk.ahebwtr decodes to
hacker.holiday. I got really excited jumped over to CLI to do a nmap scan on
nmap -sC -sV -oA nmap/initial.nmap -vvv hacker.holiday
My initial nmap scan didn't show that any port running ssh, so I decided to scan all ports:
nmap -sC -sV -oA nmap/all-ports.nmap -vvv hacker.holiday
The result was the same as my initial nmap scan, but since most ports are filtered, I'm not certain that there is no ssh running. So I tried to ssh into port 22 on hacker.holiday
My CLI didn’t prompt me to enter a password for root. I thought this was very strange so I decided to run ssh in verbose mode:
ssh firstname.lastname@example.org -v
I’m not certain why all my ssh attempts are timed out. However, if I had to guess, maybe
hacker.holiday was using AWS’s Elastic Load Balancer, because hacker.holiday had many addresses on the nmap scan.
Unsure of what exactly was going on, I decided to go explore what webpage is being served at port 80.
Upon clicking on rules.txt, I noticed an interesting parameter
Since it appears the backend outputs the contents of the file you pass into the file parameter, my first instinct upon seeing the file parameter was to try directory traversal to
./702/puzzle. So I tried:
My thoughts were “maybe the file doesn’t actually exist”, “how do I enable DEBUG mode?”, and “is the file parameter whitelisted?”, but I have to do some more digging around to find the answer to those questions. So I decided to check to robots file to see if there would be anything interesting there.
After seeing the word flag, I got excited and went to check out what was at
But after inspecting the source code, I didn’t see anything too interesting, so I fired up Burp Suite to see what the HTTP request looked like
I noticed there wasn’t a token being sent through http and there wasn’t a token on the website source code, so I thought it was unlikely to get CSRF on flag.php for MISSING ACCESS TOKEN.
I also noticed in the response back the Server was Apache, so I tried to see if I could use the server to access its own file and output it to me, to skip over MISSING ACCESS TOKEN.
But that tactic didn’t work either. Since the description of the CTF says “…test your skills at… file forensics, and image steganography”, I decided to try something else: I downloaded all the images on
hacker.holiday to see if there were any information, particularly a token, hidden in the images.
Forensics and steganography
binwalk on each of the following images below.
file command results indicated the images had the correct extension and
strings command didn’t seem to yield anything too interesting. I was thinking maybe some of the image files would have a gps coordinates attached to it and just a slim chance the coordinates would be the location of h1-702 CTF, but unfortunately none of exif data from the image files had a location attached to it. So I decided to
binwalk all the images to see if there were any files hidden inside.
I noticed there seems to be zip files in 3 of the image (702.png, mesh.png, hacker101.png), so I decided to use dd to extract them.
To extract the zip from 702.png:
dd if=702.png of=702_out.zip bs=1 skip=85
To extract the zip from mesh.png:
dd if=mesh.png of=mesh_out.zip bs=1 skip=868
To extract the zip from hacker101.png:
dd if=hacker101.png of=hacker101_out.zip bs=1 skip=91
Upon attempting to unzip the files, all of them were missing end of central directory signature. Since binwalk sometimes will mistake png files as containing zips, most of them were missing the central directory file header signature and missing the end of central directory signature, I decided taking the route of repairing and extracting all zips might not be the best use of my time. So I went to explore other options.
I returned back to the puzzle card to search for more information. I noticed that the bottom of the card (letter in green) was probably part of the puzzle.
First, I tried putting the string at the bottom into a ROT decoder, but nothing readable came out. I considered putting each one of the rotations back into the ROT decoder, but then I remembered “1. No bruteforcing is necessary.”
So instead I watched hacker101 crypto attacks video and noticed we have two encoded strings and assuming they are using the same key, I decided to XOR them together, but the result I was something I did not understand how to use. I spent the rest of my time on the puzzle trying to understand the video and trying to figure out where the pieces of information I gathered earlier fit together.
Paths left to be explored
- What would be a valid access token?
- What is at the bottom of the puzzle card?
- Repair and extract the zips
- What is debug mode?
I wish I had found the puzzle earlier and had more time to work on it, since I really wanted to meet the bug bounty hunters at h1702 and HackerOne staff. I also should’ve brought a burner phone to Defcon, so that I could access Twitter and not miss important events such as, Q&A and hints for the puzzle.
Other than that I thoroughly enjoyed the puzzle and it is still nagging at me to find what was the solution to it. I have much to learn about security in general and that fact excites me.
8/17/18 - Rikaard created a great writeup for the challenge. I’m a bit upset with myself for not trying out something so simple as trying to pass debug=1, but reading the writeup has put how much I still have to learn into words.