Skip to main content

Recon Village CTF @ Defcon 26

Defcon 25's Recon Village CTF was a ton of fun and my team was very much looking forward to participating during Defcon 26. I think in comparison to last year, this year's CTF proved to be a bit more challenging, and we decided to go full force to get top 3. It was a close race, but we were passed at the end and got knocked into 5th.

Below are the challenges that were released and a write-up of the solutions. We'll be ready for another round at Defcon 27!

Challenge 1

Performing a search for the email address, it was easy to determine that it was associated with a Tumblr account. 

Once at the Tumblr page; however, there was no post made on August 2. Time to blast back into the past with the internet archive, the Wayback Machine.

Searching for the Tumblr URL along with 'post', we find a post made on August 2 that was deleted. Following this link we arrive at the missing post:

And finally, heading to the Pastebin link, we arrive at the flag:

Challenge 2

It's easy to miss, but it's possible to scroll down in this challenge for a slight hint:

Based on this information as well as the free hint which mentions Docker, all we need to do is do a Docker pull for this. Upon downloading and accessing the image, it is only running htop, and there is nothing else of interest. However, we can issue the following command to check the history of changes, and this reveals the flag.

Challenge 3

Performing a simple search on Google with the information given, it is easy to find an unprotected Google spreadsheet that contains all the meeting information as well as the GoToMeeting access code, which is the flag.

Challenge 4

Heading to the provided site, we encounter a simple web app. 

Inputting a name will just return a hello, but the interesting thing to check out is the GitHub fork banner in the upper-right corner. 

This GitHub contains the index.php resource which gives more insight into what is running on this page.

Different than the source code viewable from the browser, this shows a /opt/flag.txt will be called when certain requirements are fulfilled.

Furthermore, looking at the code some more, we see that serialization/unserialization is taking place.

Based on this, we can serialize all of the data needed, and passing it into the input field we are able to grab the flag.

Challenge 5

Once again using the information on hand, we head to Stack Overflow and looked up the people who earned this badge. We found the following user:

Heading to site that was listed gives a bit more information.

Finally, using a whois lookup for the domain, we find the postal code for the user, which is our flag.

Challenge 6

Since this is E-sports related, the best bet for information in Liquipedia. We can then zero in on the exact competition.

Our fourth place team doesn't have a dedicated page, but you can still view the roster by hovering over the thumbnail of the team logo.

Only two of the players have a page and more history playing, so it's just a matter of checking each of them out. The flag ended up being the alternate ID of Friis.

Challenge 8

The link provided is for Telegram, and upon joining the chat room, there is a bot that allows you to issue shell commands, but in a very limited capacity. However, it was possible to issue the 'ssh' command. Hoping that no password was required, we issued 'ssh' with the '-t' flag to execute a command, and we received the flag.

Challenge 9

Connecting to the site, we arrive at a simple login page. As the challenge text mentioned, just using the provided creds alone will not allow us to enter the site.

Looking at the page elements, you can see a hidden input field for 'identitycode'. (I deleted the hidden parameter before the screenshot). So this is what we need to log into the site.

Using curl to grab all the source code, we discovered a hidden snippet of code which reveals a hidden directory. Once again using curl on this directory, we find a base64 encoded string, which reveals yet another hidden directory along with an access code.

Heading to the newly discovered page, we input the access code and are gifted with a bunch of JSON data for user configs.

This is where my team got stuck, but it seems that it is possible to enter this information paired with the initial credentials in order to get a token code from Google, which can then be used to enter the site and grab the flag.

Challenge 13

Since we know this is for a docker repository, we tried curl with the default port to get the catalog information for what repositories are available. Following up once we saw the repository, we queried this repository for the tags list.

We then did a docker pull for this image, and ran it to get a command prompt. Knowing that this has to do with AWS test code, the .aws folder looks like a great place to start the investigation.

Checking out the contents of .aws, we find the flag.

Final Tally

We had a blast participating and it w as a close race at the end to solidify the scores. Congrats to all of the winners, and a big thank you to the organizers. See you all next year!


Popular posts from this blog

Basic Pentesting: 1 Walkthrough

It's been quite a while since doing a VM (been busy moving, new job, etc...), and I saw that a bunch of new ones had been uploaded to Vulnhub, so I finally got a chance to sit down and have some fun.

Basic Pentesting: 1 was fun. Definitely geared towards beginners, but it made for an enjoyable night!

Naturally, start with an arp-scan to determine the machine's IP, and then use nmap to determine what services and ports are up.

Following up on this, running Sparta will help see if there is anything interesting as well.

Nikto discovers an interesting file on the HTTP server, so let's head over and find out what is there...
(Note: you will need to add the domain to your /etc/hosts file to properly browse.)

Mmmm a WordPress blog. Surely this use locked it down real tight and it's perfectly up to date!

admin:admin... How secure! Arriving at the admin portal we have free reign to do whatever we please with the plugins and site. So, I got my handy PHP reverse shell code and d…

Game of Thrones CTF: 1 Walkthrough

VM name:
Game of Thrones Hacking CTF

Collect all the flags

This was a refreshing challenge after doing a bunch of boot-to-root VMs, and I had a lot of fun--especially with the theme being Game of Thrones. There was also a ton to learn from it. So let's get to it...

Arp-scan and Nmap first as usual to find out the target IP and ports/services enumeration.

We've got a lot to sort through, but let's hit port 80 first by accessing it with a browser.

Taking a look at the source, we get a full scoop on the rules, goals, and some hints.

Next we take a look at robots.txt.

Let's explore these one by one. First: /the-tree/. We are stopped by Jon Snow, who seems to be telling us that we know nothing, but looking at the source code for this page we get another hint.

Look at those capital letters spelling it out for us. We need to change our user-agent to be the three-eyed raven as indicated by robots.txt.

Now that we added a user agent and swapped to it, reloading the pa…