SpyderSec: Challenge

References

• http://www.hackingarticles.in/hack-spydersec-vm-ctf-challenge/
• https://www.vulnhub.com/entry/spydersec-challenge,128/#

Writeup

• Recon: http://10.0.2.146
  • root@kali:~/Downloads# exiftool SpyderSecLogo200.png
  • 其中Comment內容為：35:31:3a:35:33:3a:34:36:3a:35:37:3a:36:34:3a:35:38:3a:33:35:3a:37:31:3a:36:34:3a:34:35:3a:36:37:3a:36:61:3a:34:65:3a:37:61:3a:34:39:3a:33:35:3a:36:33:3a:33:30:3a:37:38:3a:34:32:3a:34:66:3a:33:32:3a:36:37:3a:33:30:3a:34:61:3a:35:31:3a:33:64:3a:33:64
  • 看起來是hex，轉成string為51:53:46:57:64:58:35:71:64:45:67:6a:4e:7a:49:35:63:30:78:42:4f:32:67:30:4a:51:3d:3d
  • 看起來還是hex，再轉一次：QSFWdX5qdEgjNzI5c0xBO2g0JQ==
  • 看起來是base64，decode後得到A!Vu~jtH#729sLA;h4%
• 網頁檢視原始碼，發現有一段被混淆的javascript：
  • eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('7:0:1:2:8:6:3:5:4:0:a:1:2:d:c:b:f:3:9:e',16,16,'6c|65|72|27|75|6d|28|61|74|29|64|62|66|2e|3b|69'.split('|'),0,{}))
  • 使用javascript unpacker得到：61:6c:65:72:74:28:27:6d:75:6c:64:65:72:2e:66:62:69:27:29:3b
  • decoded to string得到：alert('mulder.fbi');
• 瀏覽網頁發現cookie值為：/v/81JHPbvyEQ8729161jd6aKQ0N4/
  • http://10.0.2.146/v/81JHPbvyEQ8729161jd6aKQ0N4/網頁存在，但無權限
  • http://10.0.2.146/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi為一個MP4檔
• 此MP4使用了隱碼術(Steganography)，在裡面藏了TrueCrypt file (http://oskarhane.com/hide-encrypted-files-inside-videos/)。
  • 使用veracrypt解開，選擇TrueCrypt Mode，並輸入先前得到的A!Vu~jtH#729sLA;h4%密碼。
  • 得到flag!