Opening the file with a text editor yields… (if you’re old like me you may recognize it)
Wingdings! Head over to dcode.fr and translate it.
F12
Hit the Start button and we’re provided with a URL and port.
Open the site in a browser and enable source debugging, usually “F12” as the challenge suggests.
If you click on the blue Capture The Flag button, you may observe a VERY quick pop-up.
If we scroll to the bottom of the source code (in CTFs and malware I always tend to hunt bottom-up first), we see that the pop-up being invoked is at ./capture_the_flag.htm/. If we append that to our current URL…
We get to our flag page. Here I right-clicked on the “Your flag is:” to select View Page Source.
Magic Cookies
As with previous interactive challenges, we’ll start with the obvious “Start”.
We have a URL and port. Let’s open this in Chrome.
Pressing cook next to one of the recipes starts a countdown timer.
F12 in Chrome will toggle the Developer options.
Navigating to Application > Storage reveals the cookies. We have a cookie for in_oven with a Base64 value.
This gets decoded as {"recipe": "Magic Cookies", "time": "10/11/2023, 15:50:04"}
Having also reviewed the source code, it looks like this value represents the start of the ‘baking.’ Either we can wait around for 120 hours to see what happens next, or we can travel through time. Sort of.
So we know the formula for the cookie values. We can use that to generate our own cookie. Using the same text, only changing the date to 10/06/2023, we’ll encode that string in Base64.
There’s a plugin for Chrome called “🍪 EditThisCookie”.
Substitute the Base64 we generated and apply the cookie.
Refresh the window and the flag should appear.
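Why the edited cookie is accepted, and what stops it, shown as an added example that is not part of the original write-up or the challenge's own code. The server-side check, the secret key and the function names are assumptions; only the cookie format and the 120-hour wait come from the text above.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to the client
BAKE_TIME = timedelta(hours=120)   # the 120-hour wait mentioned in the write-up
FMT = "%m/%d/%Y, %H:%M:%S"         # matches "10/11/2023, 15:50:04"


def encode_plain(recipe, start):
    """Cookie in the format described above: Base64 of JSON, no integrity protection."""
    body = json.dumps({"recipe": recipe, "time": start.strftime(FMT)})
    return base64.b64encode(body.encode()).decode()


def is_done_plain(cookie, now):
    """Weak check (hypothetical): trusts whatever start time the client sends back."""
    data = json.loads(base64.b64decode(cookie))
    return now - datetime.strptime(data["time"], FMT) >= BAKE_TIME


def encode_signed(recipe, start):
    """Hardened form: same payload plus an HMAC-SHA256 tag over it."""
    payload = encode_plain(recipe, start)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def is_done_signed(cookie, now):
    """Reject the cookie unless the tag verifies, then apply the same time check."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return is_done_plain(payload, now)


if __name__ == "__main__":
    issued_at = datetime(2023, 10, 11, 15, 50, 4)     # constructed sample times
    now = datetime(2023, 10, 11, 15, 55, 0)
    backdated = encode_plain("Magic Cookies", datetime(2023, 10, 6, 15, 50, 4))
    issued = encode_signed("Magic Cookies", issued_at)
    forged = backdated + "." + issued.rpartition(".")[2]  # edited payload, old tag
    print("plain, backdated :", is_done_plain(backdated, now))
    print("signed, as issued:", is_done_signed(issued, now))
    print("signed, backdated:", is_done_signed(forged, now))
```

Keeping the start time in server-side session state instead of in the cookie removes the problem without any signing.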
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
If you went to the web page in a browser, there was a suggestion to use nmap. There was also an embedded video of Rick Astley.
Nmap is a tool I’ve used over and over in my career. I may have even had Nmap Ninja on my resume or LinkedIn at one time. I always get a kick out of seeing it used in movies, and it’s been used in a lot.
A basic, albeit thorough nmap command gives us:
Ok, so let’s start knocking on ports.
It’s not SSH. What about the other ports? When we telnet to port 8888 we get…
So we’ve got a url and a specific port. Firefox web browser yields…
So we need an Authorization header. 🤔
Time to look at the provided files. It looks to be the export of a Splunk application.
Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this.
The Silver Searcher is a command line tool I picked up during the CTF and I love it. It’s like Grep on PCP.
Once installed, the base command is ag, followed by what you’re searching for, and where. So let’s do a quick search for Authorization on all the contents of this directory.
That looks interesting. A clue? One of the PowerShell scripts has Authorization and what looks to be Base64 code.
We also see a comment about the $PORT being dynamic based on the Start button. Decoding the string in CyberChef…
At this point we have all the pieces, we just need to put them together. I started to look at different ways to pass an Authorization header to a web server. There are proxy tools galore. And then there are the basics like curl. After a bit of brushing up on my syntax I had:
Yay what looks like more Base64. Once more with our Chef’s hat and…
Traffic
rita was a tool I hadn’t used before but it was very easy to use. I installed it on my REMnux box and then ran it against the dataset.
I then used the command to generate an html report.
Looking through the DNS requests there’s something sketchy indeed.
Let’s go take a look at that.
Dumpster Fire
Let’s start with the_silver_searcher again and see if we have any luck with “Password”.
There’s a number of hits including references to an encryptedUsername and encryptedPassword in the logins.json file. So we’ve got some encrypted Firefox user passwords. If only there were a utility that could decrypt those. Enter firepwd.py, an open source tool to decrypt Mozilla protected passwords.
Run the script in Python and point it to the directory for the user profile (where the logins.json file is).
That’s a pretty LEET password 😉