ISTS 14 Mega File Challenge
07 Mar 2016
Browsing to the IP given for the challenge (port 80) loaded the Mega File website:
I created an account and logged in, and was greeted with the site’s home page.
The ‘Choose Account’ dropdown menu only had one account, which was my own (#6). Attempting to tamper with the parameter and show the files of a different user did not yield any results.
Browsing to the Share Files tab, I was able to find other users by both name and ID, and had the option to share files with them. I found the admin user by searching for user 1 and clicked the Share button.
From there, I went back to the home page and changed the account parameter to 1. This listed the files in the admin’s account.
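The behaviour above (tampering with the account parameter fails until I share a file with the admin, then the admin's files appear) points at a share check that ignores direction. The following is my own added illustration of that kind of flaw beside its fix; it assumes the site kept directed (owner, recipient) share records, and is not the challenge's code.

```python
# Added illustration, not the Mega File site's code. Assumption: shares are
# stored as directed (owner_id, recipient_id) pairs and the home page's
# "account" parameter is checked against them.

def share(shares, owner_id, recipient_id):
    """owner_id shares their files with recipient_id (directed edge)."""
    shares.add((owner_id, recipient_id))

def can_view_vulnerable(viewer_id, account_id, shares):
    """Flawed check: a share in *either* direction grants access, so sharing
    our own files with the admin lets us read the admin's files."""
    if viewer_id == account_id:
        return True
    return (viewer_id, account_id) in shares or (account_id, viewer_id) in shares

def can_view_fixed(viewer_id, account_id, shares):
    """Correct check: only the owner, or a user the owner shared with."""
    if viewer_id == account_id:
        return True
    return (account_id, viewer_id) in shares

def list_files(viewer_id, account_id, files, shares, check):
    """Server-side handler for ?account=<id>; returns the file list or None (403)."""
    if not check(viewer_id, account_id, shares):
        return None
    return files.get(account_id, [])

def demo():
    """Constructed sample: admin is user 1, our account is user 6."""
    files = {1: ["notes.txt"], 6: ["mine.txt"]}
    shares = set()
    share(shares, 6, 1)  # we share our file with the admin, as in the writeup
    return (
        list_files(6, 1, files, shares, can_view_vulnerable),  # leaks admin's files
        list_files(6, 1, files, shares, can_view_fixed),       # None: denied
    )
```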
The contents of the files were as follows:
one of my workers told me that jim bought the debug pin code from slugworth on kittencoin. we should probably have one of the techs change that pin and we need to look into the kittencoin site to see if they shared the pin on there or not, better get it off of there so no one else can get it
Running a port scan on the IP revealed several other websites and services.
Browsing to port 8000 revealed the KittenCoin website.
I created an account and was greeted with KittenCoin’s home page.
The Lookup function allowed me to search for users by ID. I tried a basic SQL injection to enumerate all of the application’s users:
From there, I modified the SQL injection to get a better idea of the structure of the database. I started with the following injection to enumerate the application's tables and the columns within them:
1' union select table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'; #
This returned the following results:
I checked the values of the comments column in the transfers table to see if the PIN was stored there, and sure enough it was!
Now that I had the PIN, I moved on to the next website (port 8080). This site was a random number generator implemented in Flask.
Entering purposefully malformed data (such as a lower bound that’s higher than the upper bound) would bring up the Werkzeug debug page.
There was an option to open an interactive console, which was protected by a PIN.
Entering the PIN I just found on the KittenCoin site did the trick, and I now had a Python command shell!
I used the subprocess module to run OS commands and store the results in a variable. Running an “ls -a” in the default directory listed the following files:
The privkey file seemed fruitful, so I read it with cat into the output variable and printed it.
So now I had an RSA private key, which would probably come in useful later on. Moving on to the final website, I found a simple login page.
I was able to log in using the credentials from credentials.txt, and was greeted with the following message:
Switching to Kali, I base64-decoded the text and stored it in a file, and also stored the private key in a separate file. Using openssl, I decrypted the ciphertext with the private key, which revealed the flag.