CloudSEK CTFs

blah blah blah

The challenge was pretty straightforward: an anonymous person has shared a Bevigil APK that lets Internet folks use the Enterprise Edition of Bevigil for free. Our end goal is to find the flag hidden in /cookies.txt.

The anonymous person has also mentioned that the ProxyURL is stored in the app's assets. Browsing through Bevigil is not a big task at all; CloudSEK has designed Bevigil in a user-friendly way!

So, when we take a closer look at the app's assets, we find three URLs, only one of which is the ProxyURL. We can either do a trial-and-error test to see which of the URLs works, or simply visit /resources/res/values/string.xml to find out the ProxyURL.

Here, the URL http://43.204.140.87:8000/ leads us to the actual CTF webpage. When we inspect the source, we find something interesting!

Taking a closer look at the comments, we find that the flag is hidden in /cookies.txt, which sits somewhere in the codebase. The request only accepts the GET method, and the code checks whether the getData parameter is present. If it is, the PHP code checks whether the URL specified in the url parameter begins with http:// and ends with bevigil.com. The preg_match function checks whether the string matches that particular pattern!

  • So what is this /^http.[:]\/\/(bevigil.com\/)./ ?

The above pattern is a Regex, or Regular Expression: basically a set of rules for matching patterns in strings. Regular expressions can be used in many programming languages, including PHP, to search and manipulate strings.

The PHP code now checks whether our specified URL matches the Regular Expression. If it doesn't match, $response is set to false. So how do we bypass this Regex? That is our next question.

The answer is damn simple: we just have to break down the characters used in that Regex in order to understand how the pattern works. We can use ChatGPT or regex101.com for this.

  • ^ - This symbol indicates the start of a string.

  • http - This is a literal string that must be present in the string being matched.

  • . - This symbol matches any single character.

  • [:] - This is a character class that matches a single colon character.

  • \/\/ - This is a literal string that matches two forward slashes.

  • (bevigil.com\/) - This is a capture group that matches the string "bevigil.com/". The parentheses are used to define the capture group.

  • . - The trailing dot again matches any single character, so at least one character must follow "bevigil.com/".

If we look closely, the . is not escaped, and in regex an unescaped dot matches any character. So httpa://bevigil.com passes this check as a valid URL, and so does httpx://bevigil.com. We can use this to trick file_get_contents!

file_get_contents is the sink here; it can load local files, as shown in the example below.

Hence, as the comments said, there is something called /cookies.txt, so when we trigger it through the LFI, we get the FLAG!
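Added example, not part of the writeup or the challenge code: the challenge's pattern transcribed unchanged into Python's re module, beside a stricter validator built on urllib.parse that allowlists the scheme and compares the parsed host exactly. The sample URLs and the allowed-scheme set are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# The challenge's PCRE pattern, transcribed unchanged into Python's re.
WEAK_PATTERN = re.compile(r"^http.[:]\/\/(bevigil.com\/).")

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web URLs are intended
ALLOWED_HOST = "bevigil.com"


def weak_check(url: str) -> bool:
    """The check as the challenge wrote it: a loose regex over the raw string."""
    return WEAK_PATTERN.search(url) is not None


def strict_check(url: str) -> bool:
    """Parse first, then allowlist the scheme and compare the host exactly."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False   # keeps a sink like file_get_contents away from other wrappers
    if parts.hostname != ALLOWED_HOST:
        return False   # rejects user@host tricks, look-alike hosts and wrong TLDs
    return True


def verdicts(url: str):
    """Return (weak verdict, strict verdict) for one URL."""
    return (weak_check(url), strict_check(url))


# Constructed sample URLs with the expected verdict of each check.
SAMPLES = {
    "https://bevigil.com/app": (True, True),
    "httpa://bevigil.com/x": (True, False),   # any single char may precede the colon
    "https://bevigilXcom/x": (True, False),   # the unescaped dot in bevigil.com matches "X"
    "http://bevigil.com/x": (False, True),    # the pattern demands one char before ":"
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{url:28} weak/strict={verdicts(url)} expected={expected}")
```

The last sample shows the pattern is wrong in both directions: it admits made-up schemes while rejecting the plain http:// form the comment describes.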

Nullcon Hiring CTF - The SHA Juggler

Checking the source of the page gave this string:

50 44 39 77 61 48 41 4b 4c 79 38 67 65 57 39 31 58 32 5a 76 64 57 35 6b 58 32 31 6c 4c 6e 42 6f 63 41 70 70 5a 69 41 6f 61 58 4e 7a 5a 58 51 6f 4a 46 39 48 52 56 52 62 4a 32 68 68 63 32 67 6e 58 53 6b 70 49 48 73 4b 49 43 41 67 49 47 6c 6d 49 43 67 6b 58 30 64 46 56 46 73 6e 61 47 46 7a 61 43 64 64 49 44 30 39 50 53 41 69 4d 54 41 35 4d 7a 49 30 4d 7a 55 78 4d 54 49 69 4b 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 5a 47 6c 6c 4b 43 64 45 62 79 42 35 62 33 55 67 64 47 68 70 62 6d 73 67 61 58 52 7a 49 48 52 6f 59 58 51 67 5a 57 46 7a 65 54 38 2f 4a 79 6b 37 43 69 41 67 49 43 42 39 43 69 41 67 49 43 41 6b 61 47 46 7a 61 43 41 39 49 48 4e 6f 59 54 45 6f 4a 46 39 48 52 56 52 62 4a 32 68 68 63 32 67 6e 58 53 6b 37 43 69 41 67 49 43 41 6b 64 47 46 79 5a 32 56 30 49 44 30 67 63 32 68 68 4d 53 67 78 4d 44 6b 7a 4d 6a 51 7a 4e 54 45 78 4d 69 6b 37 43 69 41 67 49 43 42 70 5a 69 67 6b 61 47 46 7a 61 43 41 39 50 53 41 6b 64 47 46 79 5a 32 56 30 4b 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 61 57 35 6a 62 48 56 6b 5a 53 67 6e 5a 6d 78 68 5a 79 35 77 61 48 41 6e 4b 54 73 4b 49 43 41 67 49 43 41 67 49 43 42 77 63 6d 6c 75 64 43 41 6b 5a 6d 78 68 5a 7a 73 4b 49 43 41 67 49 48 30 67 5a 57 78 7a 5a 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 63 48 4a 70 62 6e 51 67 49 6b 4e 54 52 55 74 37 62 6a 42 66 4e 47 78 68 5a 31 38 30 58 33 56 39 49 6a 73 4b 49 43 41 67 49 48 30 4b 66 53 41 4b 50 7a 34 3d

Decoding that hex gives a base64 string:

PD9waHAKLy8geW91X2ZvdW5kX21lLnBocAppZiAoaXNzZXQoJF9HRVRbJ2hhc2gnXSkpIHsKICAgIGlmICgkX0dFVFsnaGFzaCddID09PSAiMTA5MzI0MzUxMTIiKSB7CiAgICAgICAgZGllKCdEbyB5b3UgdGhpbmsgaXRzIHRoYXQgZWFzeT8/Jyk7CiAgICB9CiAgICAkaGFzaCA9IHNoYTEoJF9HRVRbJ2hhc2gnXSk7CiAgICAkdGFyZ2V0ID0gc2hhMSgxMDkzMjQzNTExMik7CiAgICBpZigkaGFzaCA9PSAkdGFyZ2V0KSB7CiAgICAgICAgaW5jbHVkZSgnZmxhZy5waHAnKTsKICAgICAgICBwcmludCAkZmxhZzsKICAgIH0gZWxzZSB7CiAgICAgICAgcHJpbnQgIkNTRUt7bjBfNGxhZ180X3V9IjsKICAgIH0KfSAKPz4=

Decoding that in turn gives PHP source code:

<?php
// you_found_me.php
if (isset($_GET['hash'])) {
    if ($_GET['hash'] === "10932435112") {
        die('Do you think its that easy??');
    }
    $hash = sha1($_GET['hash']);
    $target = sha1(10932435112);
    if($hash == $target) {
        include('flag.php');
        print $flag;
    } else {
        print "CSEK{n0_4lag_4_u}";
    }
} 
?>

https://gist.github.com/atoponce/bb672d93233121560d2841f67e41698b
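Added example, not part of the writeup or the challenge: a Python emulation of PHP's loose (==) and strict (===) string comparison, applied to the challenge's sha1 target, to show why the code's `$hash == $target` is the bug and what the fixed comparison looks like. The numeric-string regex is a simplification of PHP's rules and the "0e" digest strings are constructed, not real hash outputs.

```python
import hashlib
import hmac
import re

# Simplified PHP numeric-string rule (assumption for this example):
# optional whitespace, optional sign, digits with optional fraction, optional exponent.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def is_php_numeric(s: str) -> bool:
    return PHP_NUMERIC.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP ==: two numeric strings are compared as numbers, not bytes."""
    if is_php_numeric(a) and is_php_numeric(b):
        return float(a) == float(b)   # "0e123" and "0e456" both become 0.0
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """Emulate PHP ===: same type and the same bytes."""
    return a == b


# The challenge's target: sha1(10932435112) as a hex digest.
TARGET = hashlib.sha1(b"10932435112").hexdigest()


def check_loose(candidate: str) -> bool:
    """The challenge's comparison: vulnerable to numeric-string juggling."""
    return php_loose_equals(hashlib.sha1(candidate.encode()).hexdigest(), TARGET)


def check_strict(candidate: str) -> bool:
    """The fix: byte-for-byte, constant-time digest comparison (hash_equals in PHP)."""
    return hmac.compare_digest(hashlib.sha1(candidate.encode()).hexdigest(), TARGET)


if __name__ == "__main__":
    print("target digest:", TARGET, "numeric:", is_php_numeric(TARGET))
    # Constructed digest-shaped strings: equal under ==, different under ===.
    print("0e1111 == 0e2222 :", php_loose_equals("0e1111", "0e2222"))
    print("0e1111 === 0e2222:", php_strict_equals("0e1111", "0e2222"))
```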
