Categories
Capture The Flag

Web Challenges – Cohesion Writeup

These are the writeups for Reverse Engineering Challenges of the Cohesion CTF by IEEE NCU.

1. Post Office

Web Challenges - Cohesion Writeup 1

Opening the website gives us the following screen.

Web Challenges - Cohesion Writeup 2

It says that we need to go to counter 22. If we click on Counter 1 button, it sends us over here.

Web Challenges - Cohesion Writeup 3

Now, you can either keep clicking links and go to Counter 22 manually, or you can just edit the GET parameter to reach there more efficiently.

On the counter 22, we see a new button “Read The Letter”

Web Challenges - Cohesion Writeup 4

When we click on this, we are sent to this page.

Web Challenges - Cohesion Writeup 5

And then again to the counters. At the bottom of the page, it says that this is a POST office. Let’s try sending a POST request for the flag instead of GET request.

Web Challenges - Cohesion Writeup 6

Go back to Counter 22 and inspect element of the page.

Web Challenges - Cohesion Writeup 7

Now change GET over here to POST and clock the button now.

Web Challenges - Cohesion Writeup 8

Voila, here’s the flag: cohesion.ctf{Y0u_h4v3_G0T_m41l}

Web Challenges - Cohesion Writeup 9

2. Johnny With Tori

Web Challenges - Cohesion Writeup 10

Opening up the website gives us the following screen.

Web Challenges - Cohesion Writeup 11

There’s nothing here, except the animation, not even in the source code. Let’s try opening robots.txt

Web Challenges - Cohesion Writeup 12

Disallow /flag/, that looks interesting. And on scrolling down, we also find a key over here. That might be useful later.

Web Challenges - Cohesion Writeup 13

Anyways, let’s open the flag directory.

Web Challenges - Cohesion Writeup 14

There’s a flag here, checking its value in the source code gives us a base64 encoded string. Decoding it gives us n0t_tH3_c0rr3ct-Fl4g

Which is obviously not the correct flag, guess its a rabbit hole then. Let’s intercept this request in burpsuit and see the request.

Web Challenges - Cohesion Writeup 15

We can see there’s a cookie over here. And it looks like a JWT Token. Let’s head over to https://jwt.io/ and try to decode it.

Web Challenges - Cohesion Writeup 16

Voila, it’s using a JWT Token to login to the application. We can try the key we saw in robots.txt here. As it’s using HS256, a symmetric cipher, the same key can be used to decode and encode the token.

Trying the key gives signature verified, that’s great. In the challenge description, it said that only the author has access to the REAL flag. Let’s try changing the user to the name of author, mystog3n.

Web Challenges - Cohesion Writeup 17

Sending this as the cookie now gives logged in as mystog3n.

Web Challenges - Cohesion Writeup 18

Checking the flag now gives another base64 encoded string.

Web Challenges - Cohesion Writeup 19

Decoded it give us the flag: cohesion.ctf{JwT_t0k3N_t0_Th3_w1n}

3. Gamer Boy

Web Challenges - Cohesion Writeup 20

Opening the link in the browser gives us the following page.

Web Challenges - Cohesion Writeup 21

As we can see, there is a search box.

Web Challenges - Cohesion Writeup 22

Maybe we can try SQL injection attack over here.

Web Challenges - Cohesion Writeup 23

The double quotes (“) are escaped over here, so let’s try adding another backslash (\) to see that is it escaped.

Web Challenges - Cohesion Writeup 24

No, it’s not! We’ve got SQL injection now. Let’s now try exploiting it.

Using the ORDER BY query, we know that there are 5 columns.

Web Challenges - Cohesion Writeup 25

Now let’s try UNION SELECT.

Web Challenges - Cohesion Writeup 26

Let’s get the table names from information scheme by using query:

\” union select 1,2,3,TABLE_NAME,5 from information_schema.tables;#

Web Challenges - Cohesion Writeup 27
Web Challenges - Cohesion Writeup 28

So there’s a table named “hidden“, this looks quite interesting. Let’s enumerate the columns in this tables with the query:

\” union select 1,2,3,COLUMN_NAME,TABLE_NAME from information_schema.columns;#

Web Challenges - Cohesion Writeup 29
Web Challenges - Cohesion Writeup 30

Aha, there’s a column named flag in the table hidden. Let’s get that by the query:

\” union select 1,2,3,flag,5 from hidden;#

Web Challenges - Cohesion Writeup 31

Here’s the flag: cohesion.ctf{1nj3ct10n-4tt4ck_15-b35t}

4. Word in the Press

Web Challenges - Cohesion Writeup 32

Opening up the website gives us this.

Web Challenges - Cohesion Writeup 33

We can try to enumerate the users by adding a GET parameter ?author=1.

Web Challenges - Cohesion Writeup 34

We can see that it redirects to https://ctf-word-in-the-press-t3ppmfifsq-as.a.run.app/author/mystog3n/, which means the username is mystog3n.

Web Challenges - Cohesion Writeup 35

Let’s go the WordPress Login Page by heading to https://ctf-word-in-the-press-t3ppmfifsq-as.a.run.app/wp-login.php.

Web Challenges - Cohesion Writeup 36

Fire up burp suit and intercept a login request.

Web Challenges - Cohesion Writeup 37

Send this request to the intruder and set the attack to sniper mode with the password as the selected parameter.

Web Challenges - Cohesion Writeup 38

Now add rockyou to the payload and start the attack.

Web Challenges - Cohesion Writeup 39

After a while, you can see that butterfly has different content length than others so let’s try this as the password.

Web Challenges - Cohesion Writeup 40

And we’ve got access to the WordPress Dashboard.

Web Challenges - Cohesion Writeup 41

Head over to Appearance->Theme Editor.

Web Challenges - Cohesion Writeup 42

And now open up functions.php.

Web Challenges - Cohesion Writeup 43

On scrolling down, we can see the flag cohesion.ctf{W0RDPR355_H4CK1NG_U51NG_R0CKY0U}

Web Challenges - Cohesion Writeup 44

5. Jack Jill

Web Challenges - Cohesion Writeup 45

Opening up the website gives us this.

Web Challenges - Cohesion Writeup 46

We can find nothing over here. Let’s try gobuster on it.

It shows that there is a Readme.md and .git folder.

Opening Readme.md gives us this. Which is obviously a fake flag.

Web Challenges - Cohesion Writeup 47

Let’s run git-dumper on it to get the git folder.

Now we have a local repository of the website. Running >git log says that this was the initial commit and nothings here now.

Web Challenges - Cohesion Writeup 48
Web Challenges - Cohesion Writeup 49

Running >git branch tells us that there are 2 branches in this repository, dev and final.

Web Challenges - Cohesion Writeup 50

Let’s check the dev branch now. You can do so by running >git checkout dev

Web Challenges - Cohesion Writeup 51

Now running >git log gives us the following commit history.

Web Challenges - Cohesion Writeup 52

We can see that in the last commit flag was removed. So let’s see the changes since that commit by running

>git show 529926fecc442b805e516c451d34f5cc9e84f95c

Web Challenges - Cohesion Writeup 53

Here’s the flag now: cohesion.ctf{git-c0mm1t1ng_t0_th3_c4u53}

Get the latest tech news and updatesethical hacking tutorials and cybersecurity tips and tricks. Check out MeuSec for more.

Sometimes we include links to online retail stores and/or online campaigns. If you click on one and make a purchase we may receive a small commission.

Comments:

1 reply on “Web Challenges – Cohesion Writeup”

Leave a Reply

Your email address will not be published. Required fields are marked *