You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
1 2 3 4 5
There is just one page for the web server:
1 2 3
I used an online JS beautifier to deobfuscate this to a hex string, which I then decoded to
alert(‘mulder.fbi’);. This name is familiar to me from the X-Files. Anyway, not sure about its relevance for now. Moving on with the information gathering, since nothing came out of Nikto or Gobuster, I browsed the page in Burp, and noticed a strange cookie being set:
URL decoding this gave me the value
/v/81JHPbvyEQ8729161jd6aKQ0N4/ Tried browsing to this and got a 403 Forbidden error. There is some piece of the puzzle missing..so I took the next step and downloaded all the images and ran them through exiftool..and finally got some luck with the Challenge.png image, which had a hex comment:
Had to hex-decode this 2 times to get a base64 string: QSFWdX5qdEgjNzI5c0xBO2g0JQ==, which I decoded to
A!Vu~jtH#729sLA;h4%. This looks like a password, but where to use it?
With the hints from the description, knowing that a file will need to be downloaded, I treated mulder.fbi as a file and tried appending it to the URL path that gave me a forbidden error: http://192.168.145.141/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi
That actually worked and I downloaded the file, which is apparently an MP4:
This is a song by The Platters. Since I couldn’t use steghide on a video, I googled for MP4 steganography and found this Lifehacker article about embedding a TrueCrypt volume in a video. I installed Veracrypt and used it to mount the file as a volume, in TrueCrypt mode. At the password prompt, I used the string that I’ve decoded earlier, and it served me the volume, with a file called Flag.txt inside!
1 2 3 4 5 6 7 8
The main takeaways from this challenge for me were the steganography possibilities for video files. Until next time!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22