CTF : CyberHeroes
Information
- IP: 10.10.73.215
- MYIP: 10.8.98.126
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p- -A 10.10.73.215
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-19 20:59 CEST
Nmap scan report for 10.10.73.215
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 55:ee:04:9a:d3:45:4e:0d:92:e6:1d:dc:62:08:b4:e8 (RSA)
|   256 d8:92:2f:fc:72:f6:87:86:ab:85:f9:d4:4e:6b:a0:8c (ECDSA)
|_  256 07:0c:f0:04:95:86:c5:52:0b:80:46:f4:30:71:c2:39 (ED25519)
80/tcp open  http    Apache httpd 2.4.48 ((Ubuntu))
|_http-server-header: Apache/2.4.48 (Ubuntu)
|_http-title: CyberHeros : Index
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   37.08 ms 10.8.0.1
2   37.18 ms 10.10.73.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
```
Vulnerabilities search
In the source code of the page view-source:http://10.10.73.215/login.html:
```javascript
<script>
  function authenticate() {
    a = document.getElementById('uname')
    b = document.getElementById('pass')
    const RevereString = str => [...str].reverse().join('');
    if (a.value=="h3ck3rBoi" & b.value==RevereString("********")) {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("flag").innerHTML = this.responseText ;
          document.getElementById("todel").innerHTML = "";
          document.getElementById("rm").remove() ;
        }
      };
      xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_"+a.value+"_"+b.value+".txt", true);
      xhttp.send();
    }
    else {
      alert("Incorrect Password, try again.. you got this hacker !")
    }
  }
</script>
```
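The pattern in the login script above, turned into a review check for your own pages. This is an added example, not part of the original write-up: the rule names and the `auditPage` helper are hypothetical, and the regexes are heuristics rather than a JavaScript parser.

```javascript
// Heuristic audit for credential checks done in page JavaScript (regexes, not a JS parser).
// SAMPLE_VULN is condensed from the login.html script above; SAMPLE_OK is constructed.
const SAMPLE_VULN = `<script>
function authenticate() {
  a = document.getElementById('uname')
  b = document.getElementById('pass')
  const RevereString = str => [...str].reverse().join('');
  if (a.value=="h3ck3rBoi" & b.value==RevereString("********")) {
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_"+a.value+"_"+b.value+".txt", true);
    xhttp.send();
  }
}
</script>`;

const SAMPLE_OK = `<script>
function authenticate() {
  const body = new URLSearchParams({ u: uname.value, p: pass.value });
  fetch("/login", { method: "POST", body }); // the server checks the credentials
}
</script>`;

const STR = `(?:"[^"]*"|'[^']*')`; // a quoted string literal
const RULES = [ // hypothetical rule names
  // input.value compared with a literal, or with f("literal") such as a reverse helper
  { id: 'literal-credential-compare',
    re: new RegExp(`\\.value\\s*={2,3}\\s*(?:${STR}|[\\w$.]+\\(\\s*${STR}\\s*\\))`, 'g') },
  // XHR URL assembled from a literal prefix plus input values (secret-derived path)
  { id: 'secret-in-resource-path',
    re: new RegExp(`\\.open\\(\\s*${STR}\\s*,\\s*${STR}\\s*\\+[^,]*\\.value`, 'g') },
];

// Returns one finding per match; `line` is counted within each <script> block.
function auditPage(html) {
  const findings = [];
  for (const [, script] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    script.split('\n').forEach((line, i) => {
      for (const { id, re } of RULES) {
        for (const m of line.matchAll(re)) {
          findings.push({ rule: id, line: i + 1, match: m[0] });
        }
      }
    });
  }
  return findings;
}

console.log(auditPage(SAMPLE_VULN));
```

A hit means the secret ships to every visitor; the fix is to verify credentials on the server and serve the protected resource only to an authenticated session.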
Exploit
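The check runs entirely in the browser, so both credentials can be read from the page source: the username is the literal h3ck3rBoi and the password is the reverse of the string passed to RevereString. We need to reverse the password string: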
```console
$ echo '********' | rev
********
```
Let's try h3ck3rBoi and ****

I tried to log in and got:
Congrats Hacker, you made it !! Go ahead and nail other challenges as well :D flag{**}
Done !
\o/