30 March 2023

Pentesting Fun Stuff

following the cyber security path…

SpyderSec: Challenge

Location

https://download.vulnhub.com/spydersec/SpyderSecChallenge.ova

Description

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
Level: Intermediate

Enumeration

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -A -T4 -sV -p- 192.168.110.4
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-07 14:41 CEST
Nmap scan report for 192.168.110.4
Host is up (0.00028s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: SpyderSec | Challenge
MAC Address: 08:00:27:56:11:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Network Distance: 1 hop

Just like the description said, I need to focus on the website on port 80.
[screenshot: page1-xfiles]
I let dirb run to get some information about possible pages.

┌─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.110.4
-----SNIP-----
---- Scanning URL: http://192.168.110.4/ ----
+ http://192.168.110.4/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.110.4/index.php (CODE:200|SIZE:8883)
==> DIRECTORY: http://192.168.110.4/v/
-----SNIP-----

Not an awful lot.
When I looked at the source code there was some obfuscated JavaScript. After running it through http://jsbeautifier.org/ and decoding the hex output, the final result was: alert('mulder.fbi');
The truth is out there... mulder.fbi. It looks like this boot2root has an X-Files theme.
[screenshot: xfiles]
From the site I examined two pictures. One of them had an interesting comment:

35:31:3a:35:33:3a:34:36:3a:35:37:3a:36:34:3a:35:38:3a:33:35:3a:37:31:3a:36:34:3a:34:35:3a:36:37:3a:36:61:3a:34:65:3a:37:61:3a:34:39:3a:33:35:3a:36:33:3a:33:30:3a:37:38:3a:34:32:3a:34:66:3a:33:32:3a:36:37:3a:33:30:3a:34:61:3a:35:31:3a:33:64:3a:33:64
---- decode ----
51:53:46:57:64:58:35:71:64:45:67:6a:4e:7a:49:35:63:30:78:42:4f:32:67:30:4a:51:3d:3d
---- decode ----
QSFWdX5qdEgjNzI5c0xBO2g0JQ==
---- decode ----
A!Vu~jtH#729sLA;h4%
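
The three decoding steps above, as an added Python script of my own (not part of the original challenge or walkthrough): it recognises each layer (colon-separated hex pairs, then base64), peels them off one at a time and stops when the output no longer looks like an encoding, leaving the password-like string. The layer-detection heuristics are my own assumption; the input is the picture comment quoted above.

```python
import base64
import re
import string

# Layer detection (assumed heuristics): a layer is either colon-separated hex byte
# pairs or standard base64, and the chain ends when neither pattern applies.
HEX_PAIRS = re.compile(r"^(?:[0-9a-fA-F]{2})(?::[0-9a-fA-F]{2})*$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_layer(text: str):
    """Decode one layer; return (kind, result) or None when no layer is recognised."""
    if HEX_PAIRS.match(text):
        raw = bytes.fromhex(text.replace(":", ""))
        kind = "hex"
    elif B64.match(text) and len(text) % 4 == 0:
        raw = base64.b64decode(text, validate=True)
        kind = "base64"
    else:
        return None
    decoded = raw.decode("ascii", errors="replace")
    # Non-printable output means this was the payload, not another layer.
    if any(ch not in PRINTABLE for ch in decoded):
        return None
    return kind, decoded


def peel(text: str, max_layers: int = 10):
    """Strip encoding layers until nothing recognisable is left; return (layers, plaintext)."""
    layers = []
    current = text.strip()
    for _ in range(max_layers):
        step = decode_layer(current)
        if step is None:
            break
        kind, current = step
        layers.append(kind)
    return layers, current


# The comment found on the picture, exactly as quoted in the walkthrough.
COMMENT = (
    "35:31:3a:35:33:3a:34:36:3a:35:37:3a:36:34:3a:35:38:3a:33:35:3a:37:31:3a:36:34:3a:34:35:"
    "3a:36:37:3a:36:61:3a:34:65:3a:37:61:3a:34:39:3a:33:35:3a:36:33:3a:33:30:3a:37:38:3a:34:"
    "32:3a:34:66:3a:33:32:3a:36:37:3a:33:30:3a:34:61:3a:35:31:3a:33:64:3a:33:64"
)

if __name__ == "__main__":
    layers, plaintext = peel(COMMENT)
    print(" -> ".join(layers), "->", plaintext)  # hex -> hex -> base64 -> A!Vu~jtH#729sLA;h4%
```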

When I looked at the HTTP response headers I saw that the site set a cookie which looked an awful lot like a URL path, especially because it begins with the /v/ folder dirb found earlier.
[screenshot: cookie]
When I append mulder.fbi to that path, I get a file to download.

Music to my ears

[screenshot: platters]
The mulder.fbi file was an mp4 file with a song from The Platters. I examined the file but I couldn't find anything odd about it. I did, however, still have that password-like string from before. Steganography came to mind, but how with an mp4? A search on Google did the trick. I searched for a way to extract a file from a video by means of steganography and tried different tools, but they all reported that the video file in question did not have a concealed file within. After some additional searching I stumbled onto a site explaining another possibility.

Final flag

Because TrueCrypt has been superseded by VeraCrypt, I used that program to open the mp4 file as an encrypted volume.
[screenshot: veracrypt]
After mounting the volume I got the final flag.

Congratulations!
You are a winner.
Please leave some feedback on your thoughts regarding this challenge… Was it fun? Was it hard enough or too easy? What did you like or dislike, what could be done better?
https://www.spydersec.com/feedback

Conclusion

It was a small challenge, but I still needed time to find the solution to the final conundrum.
Fun to do, with some new things learned on my part.