Description: ORG-C has given us access to one of their file servers – conveniently served over HTTP without authentication. There is no requirement to brute-force infra here, please avoid doing so http://files.secedu.site/
Navigating to http://files.secedu.site, we see it is a file hosting site with some instructions on how to access each employee’s files. We know one of the employees listed on the site already from week 1 challenges, so we will try them first.
1
2
3
4
http://files.secedu.site/laytonpayden.html
http://files.secedu.site/layTONPAYDEN/flag.txt
->
SECEDU{first_f14g_0n_th3_right_tr4ck}
Navigating to layton’s directory shows us a file named flag.txt which has the flag.
Description: They’ve seen how eaisily we decoded their captured message in week 1, and now they’ve turned up the heat with some random data. Find what they’re sending over our network. File: cap.pcapng
Only Elite hackers know strings…
1
2
strings cap.pcapng | grep SEC
|dar me, to bid you SECEDU{r34ding_pi3c3_by_pi3c3} stay your anger. Juno has sent me, who cares for both of you alike. Cease, then, this brawling, and do not draw your sword; rail at him if you will, and your railing will not be vain, for I tell you- and it shall surely be- that you shall hereafter receive gifts three times as splendid by reason of this present insult. Hold, therefore, and obey."
Description: There is something else they want to quickly test – a portal where the employees enter their hours. They’re worried that Layton may have also tricked the system somehow, and recieved more pay than they had wanted to give out. Automation for this company is a bane..
nc chals.secedu.site 5005
Connect via nc and login with the user LAYTON (this was a guess), then infer the add command from the welcome message. Adding hours over the max of 35 a couple times will give you the flag.
1
2
3
4
5
6
7
8
9
10
11
12
nc chals.secedu.site 5005
New session started
LOGIN > LAYTON
Welcome. You may "add" hours to your worksheet here
add
You have added an hour. You are now on 4 hours.
...
add
...
Too many hours entered (35 is the max). Resetting to zero.
You have added an hour. You are now on 37 hours.
SECEDU{st0l3n_funds_h3r3}
Description: Interesting, Layton has popped up once or twice before… Why does he have encrypted data? He seems like the kind of guy to use fairly common passwords, I’m sure he can’t be too malicious.
But, what could his involvement be?
What secrets is he hiding?
Search for the flag by decrypting the data.
Navigating back to the files site from the Source challenge, we see another file in Layton’s directory which has some hexdumps of encrypted files.
From the week 2 challenge “Vaulting” we recovered a password protected PEM file, from the description this will most likely be used to decrypt the files. From the description we also know he uses common passwords, so maybe we can crack the password for the PEM file.
I tried a couple different PEM cracking software like john the ripper, but the only one that worked was pemcrack for whatever reason.
1
2
3
4
./pemcrack ../private.pem /usr/share/wordlists/rockyou.txt
--- pemcrack v1.0 - by Robert Graham ----
-> 123456
found: password
After that, I will remove the password from the PEM key with rsacracker so we won’t have to deal with it later.
1
rsacracker --key private.pem --password password --private
After saving the hexdump file from the site locally, we will use a python script to extract each chunk individually, revert it to raw data with xxd -r and then decrypt each with the provided PEM key.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import subprocess
import tempfile
import os
import re
def extract_and_decrypt_chunks(input_file):
with open(input_file, 'r') as f:
content = f.read()
chunks = re.findall(r'Dumping \./chunk_[a-z]{2}\.enc:\n([\s\S]+?)(?=\n\nDumping|\Z)', content)
for i, chunk in enumerate(chunks):
with tempfile.NamedTemporaryFile(mode='w', delete=False) as temp_file:
temp_file.write(chunk)
temp_file_name = temp_file.name
try:
# Convert hexdump to binary
xxd_process = subprocess.Popen(['xxd', '-r', temp_file_name], stdout=subprocess.PIPE)
# Decrypt the chunk
openssl_process = subprocess.Popen(
['openssl', 'pkeyutl', '-decrypt', '-inkey', '../id_rsa', '-in', '-'],
stdin=xxd_process.stdout,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
output, error = openssl_process.communicate()
print(f"Decrypted chunk {i+1}:")
print(output.decode('utf-8', errors='ignore'))
print("-" * 40)
if error:
print(f"Error for chunk {i+1}:")
print(error.decode('utf-8'))
print("-" * 40)
finally:
os.unlink(temp_file_name)
if __name__ == "__main__":
input_file = "paste.txt"
extract_and_decrypt_chunks(input_file)
The flag is in the output:
1
2
python3 dec.py | grep -i SECEDU
use in public transportation systems. SECEDU{public_tr4nsp0rt_pwn'd??}
Description: After a review, we found that ORG-C is hosting an unusual website on their servers…
How can we break through, and find what secrets lay beneath?
The website is the same as a previous challenge and we know it uses JWTs for authentication. Inspecting the token in burpsuite we see it is using the public key algorithm RS256.
1
2
{"alg":"RS256","typ":"JWT"}
{"username":"Br0kenC1ph3r23","role":"user","id":4}
This algorithm uses a private key on the server to sign each JWT, other sites can confirm the JWT’s legitimacy with a public key as well. If we are not provided with this public key we can recover it with a tool like JWT-Key-Recovery:
1
2
3
4
5
6
7
8
9
10
11
./recover.py <jwt-1> <jwt-2>
...
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkbjFh12wFjB3r5fdXyfB
G5t7KeWFxMIGjSGFDbaQG/QROm4RqXmiC5aNCQlaOVjxXnWUba1Zpi2YeKlzBAgm
NJv3TRZGtuELCOedv3o+QpYhLV3rqNAqVBZlQGzlcA3prtXRA2XIn/6E0AHDirY8
RH0kdawvF0gAUWITe6ijrPXzqR3dmv9r6TaOpBAmkWRhw12yGWgryE05bmKiYe1y
0k2kL1qPb5UISC3GC//9KXmnjMjMJLKG8uL8kIcoSq3zJq/bnC90UVjbJhYHx/Jn
tUwCha073oC7dnbx9np8BVVfAjfuzqaIlI4hDLfCxHod6WtvVArvDpA0bvMpRE13
8QIDAQAB
-----END PUBLIC KEY-----
After retrieving the public key, we can attempt an “Algorithm Confusion Attack” on the server.
What this boils down to is using the server’s public key to sign a JWT with a different algorithm such as “HS256”, since “HS256” is a symmetric algorithm the server’s public key will be used as the secret for the new token. Upon receiving the new token, the server will attempt to verify the signature of the token with its public key, however since these are effectively the same the verification will pass and we can bypass the token validation.
You can read more about this type of attack and how to perform it using burp suite, here.
Using the debugging tools in our browser or burpsuite’s proxy, we notice some requests to /api/admin, we are of course denied as a normal user. Performing the attack above with recovered the public key and changing the “user” in the JWT to admin, we can send another request to /api/admin for the flag:
1
2
3
4
5
{
"data": "idk yet",
"flag": "SECEDU{consider_me_confused}",
"success": true
}