Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Defence Space CTF: 2017

Location

https://download.vulnhub.com/defencectf2017/DEFENCESPACECTF-2017.ova

Description

The story line of the CTF is based on true-life happenings in Northern Nigeria; however, the author has adopted the code name “Operation Lafia dole”.
The exercise starts from simple information gathering, which is applicable to both military and cyber-based operations, to complex infiltration and encryption being used by intelligence agencies around the world to pass out secrets.
It has 7 flags to be captured.

Getting started

Because the box runs on a static IP address I need to change my network settings of Vbox. When that’s done I can start with a port/service scan.

FTP, HTTP, HTTPS and SSH on a non-standard port. Let’s get a feel of the challenge.

In the source code of the page there is an interesting piece.

Uhm….first flag?
Next I examine the JavaScript files. ‘/assets/lafiya.js’ had 2 things that caught my eye.

Flag number 2. Which looks like an MD5 string.

The second thing was in the same file.

Next I ran Nikto.

  • phpinfo() found
  • phpMyAdmin found

When I connect with the SSH server I get another flag.

Encrypt…..looks like I’m being guided to the HTTPS server.
Inside the SSL certificate there is another flag. But this time there is something added to it.

Unit+990 = Unit990
After a while and a few tries with the idea of this being a username, I tried it in my browser as a folder.

In the source code there is a comment.

At the bottom there was a final comment.

When I follow the clue from the previous flag (admin.php) I get another login screen.
Again I check the source code. Another interesting comment but with a slight twist.

Time to put sqlmap to work.

When I searched my notes for something with ‘airforce’ I noticed I missed a previous clue inside a comment I found earlier. There was a piece of code inside the comment that was very interesting.

Let’s try that basic piece of SQL injection on the login page from earlier.

That looks like an invitation to an SSH visit.

After some time inside this box I start to think this was a waste of time and I got side-tracked. Time for the admin login page and to inject some SQLi there.

Fun that I got access, but this system didn’t give me any direction on how to go on. It felt like a dead-end. Because there was a lot of information gathered I created a list with everything I found and ran it through dirsearch.

401….restricted access. Bummer. But the funny thing is……when I use port 443 I don’t need any credentials to enter. The gate is wide open.

On entering I get flag number 7. Which should be the end of this funny but strange CTF.
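The difference seen above (401 on port 80, no credentials asked on port 443) is an access-control rule applied to one listener only. The following added example, which is not part of the original write-up, is a check an administrator can run against their own server to catch that mismatch; the function names and the sample observations are constructed for illustration.

```python
import urllib.error
import urllib.request

DENIED = {401, 403}  # statuses that mean "anonymous access refused"

def probe(url, timeout=5, context=None):
    """Status of an unauthenticated GET, or None if the listener is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def find_auth_gaps(observations):
    """observations: iterable of (listener, path, status).
    Returns (path, exposed_listeners, protected_listeners) for every path that
    one listener refuses anonymously while another serves it with a 2xx."""
    by_path = {}
    for listener, path, status in observations:
        by_path.setdefault(path, {})[listener] = status
    gaps = []
    for path, seen in sorted(by_path.items()):
        protected = sorted(l for l, s in seen.items() if s in DENIED)
        exposed = sorted(l for l, s in seen.items()
                         if s is not None and 200 <= s < 300)
        if protected and exposed:
            gaps.append((path, exposed, protected))
    return gaps

def scan(host, paths, listeners=(("http", 80), ("https", 443)), context=None):
    """Probe every path on every listener of a host you administer."""
    obs = [(f"{scheme}:{port}", path,
            probe(f"{scheme}://{host}:{port}{path}", context=context))
           for scheme, port in listeners for path in paths]
    return find_auth_gaps(obs)

# Constructed observations (hypothetical paths, not taken from the CTF box).
SAMPLE = [
    ("http:80", "/restricted/", 401), ("https:443", "/restricted/", 200),
    ("http:80", "/index.html", 200),  ("https:443", "/index.html", 200),
    ("http:80", "/private/", 401),    ("https:443", "/private/", 401),
]

if __name__ == "__main__":
    for path, exposed, protected in find_auth_gaps(SAMPLE):
        print(f"{path}: protected on {protected} but open on {exposed}")
```

The fix on the server side is to apply the same authentication rule to every listener or virtual host that serves the path, then re-run the check.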

But why would there be a clue inside the last and final flag? Because there is a button on the left of the dashboard that’s called ‘widgets’ I guess I’m not done yet.

There is a sound file and an image to be downloaded. As there is nothing else in here and the clue pointed directly to this page I guess there is some steganography in place. Unfortunately I need a password.
Because there is no clue where the password can be found, I need to create a wordlist. Because this CTF has a story to tell, there is a lot of information throughout all the files on the website. To make the wordlist I copy the content of every file into 1 text file. With ‘sort’ and ‘grep’ I filter this file so it consists of strings of 5 characters or more. I did it this way because CeWL only filters out letters and nothing else. With this list I tried to brute-force both files.

Guess that is it. Nothing really that marks the end.

Conclusion

This CTF was a strange one at best. No real techniques were needed and it felt more like a goose hunt. The creators really wanted to tell a story, but missed out with the challenging part. I always enjoy a themed CTF, but this one was a bit too much theme.

1 thought on “Defence Space CTF: 2017”

  1. I have fun with, cause I discovered exactly what I was looking for.
    You’ve ended my four day lengthy hunt! God Bless you man. Have a great day.
    Bye
