You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
└──╼ $sudo nmap -A -T4 -sV -p- 192.168.110.4
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-07 14:41 CEST
Nmap scan report for 192.168.110.4
Host is up (0.00028s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: SpyderSec | Challenge
MAC Address: 08:00:27:56:11:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Network Distance: 1 hop
Just like the description said. I need to focus on the website at port 80.
I let dirb run to get some information about possible pages.
└──╼ $dirb http://192.168.110.4
---- Scanning URL: http://192.168.110.4/ ----
+ http://192.168.110.4/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.110.4/index.php (CODE:200|SIZE:8883)
==> DIRECTORY: http://192.168.110.4/v/
Not an awful lot.
The truth is out there……mulder.fbi. It looks like this boot2root has a X-Files theme.
From the site I examined 2 pictures. 1 of them had an interesting comment.
When I looked at the HTML headers I saw that the site loaded some cookie which looked an awful lot like an URL. Especially because it begins with the /v/ folder dirb found earlier.
When I add mulder.fbi to the string, I get a file to download.
Music to my ears
The mulder.fbi file was a mp4 file with a song from The Platters. I examined the file but I couldn’t find anything odd about it. I did however still had that password-like string from before. Steganography came to mind. But how with a mp4? A search on Google did the trick. I searched for a way to extract a file from a video by means of steganography and tried different tools. But they all reported that the video file in question didn’t had a concealed file within. After some additional searching I stumbled onto a site explaining what was another possibility.
Because Truecrypt was replaced by Veracrypt, I used this program to extract the file from the mp4 file.
After mounting the file I got the final flag.
You are a winner.
Please leave some feedback on your thoughts regarding this challenge… Was it fun? Was it hard enough or too easy? What did you like or dislike, what could be done better?
It was a small challenge but still I needed time to discover the solution to the final conundrum.
Fun to do with some new stuff to learn on my part.