

.:: Witchehh - SANTHACKLAUS CTF 2019 ::.
Title : Witchehh - SANTHACKLAUS CTF 2019
Author : Cabir  
Date : Friday, Dec 20, 2019
Modified : Friday, Dec 20, 2019

.: DESCRIPTION :.

The challenge begins with the website of Billy Délivre, a man explaining how to make a strong password. His pseudo is witchehh, his name is Billy Délivre, and he recommends building passwords with this pattern: dicaprio.23.jagaaan


-=[Witchehh - SANTHACKLAUS CTF 2019]=-

    -----------------
    DIRB v2.22
    By The Dark Raver
    -----------------

    OUTPUT_FILE: dirb.log
    START_TIME: Mon Dec 16 20:05:29 2019
    URL_BASE: http://46.30.204.44:1000/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

    -----------------

    GENERATED WORDS: 4612

    ---- Scanning URL: http://46.30.204.44:1000/ ----
    + http://46.30.204.44:1000/cgi-bin/ (CODE:403|SIZE:279)
    ==> DIRECTORY: http://46.30.204.44:1000/img/
    + http://46.30.204.44:1000/index.php (CODE:200|SIZE:5039)
    + http://46.30.204.44:1000/server-status (CODE:403|SIZE:279)

    ---- Entering directory: http://46.30.204.44:1000/img/ ----
    -----------------

Go check the img/ directory. There is a picture with "port 2000" written on it, and that picture is not included in the main page. Nmap confirms the port:

    # Nmap 7.70 scan initiated Mon Dec 16 20:06:12 2019 as:
    nmap -sV -oN nmap.log -Pn -v 46.30.204.44
    Nmap scan report for 46.30.204.44
    Host is up (0.013s latency).
    Not shown: 998 filtered ports
    PORT     STATE SERVICE     VERSION
    1000/tcp open  http        Apache httpd 2.4.38 ((Debian))
    2000/tcp open  cisco-sccp?

Let's check port 2000: it asks for a username and answers "This account does not exist".

So let's connect to it with telnet and use his pseudo as the username:

    $ telnet 46.30.204.44 2000
    Username: witchehh
    Password:

When you create an account on his website, a cookie is set such as H=90ebd54ded8e68191ab102429edd29993c185e43c1b43de0fd346b40c1b26c60ce1e4ae84c334da7c2ee81cb4dbfb48d: the cookie is simply the SHA-384 hash of your password.

In this example it corresponds to JeanJean. So maybe we need to bruteforce the password on the telnet service. But first, let's do some OSINT: nothing on Twitter or LinkedIn, but there is a Facebook profile: Délivre Billy.

We found a picture with a hash written on it: 90ebd54ded8e68191ab102429edd29993c185e43c1b43de0fd346b40c1b26c60ce1e4ae84c334da7c2ee81cb4dbfb48d:annec

I made a simple Python script to generate a wordlist that will be used to bruteforce his hash with hashcat.

This wordlist is based on all the information we gathered about him on Facebook. The challenge was very oriented towards a specific pattern:

    #!/usr/bin/env python3
    # Generate candidates of the form <word><symbol>44<symbol><word>, mirroring
    # the dicaprio.23.jagaaan pattern recommended on the website.
    import os

    # Words gathered from the Facebook profile (places, actors, films, anime, planets...).
    words = ["senegal","islande","iceland","moscou","moscow","russie","russia",
    "florence","tokyo","japan","japon","italie","italy","coree","coreedusud",
    "korea","southkorea","forrestgump","pitt","bradpitt","hanks","tomhanks",
    "willis","brucewillis","debbouze","jameldebbouze","dicaprio","leonardodicaprio",
    "jean-claudevandamme","jcvd","vandamme","inglouriousbasterds","kruger","dianekruger",
    "christophwaltz","waltz","laurent","melanielaurent","tarantino","quentintarantino",
    "backtothefuture","spielberg","stevenspielberg","zemeckis","robertzemeckis",
    "michaeljfox","jfox","christopherlloyd","lloyd","leathompson",
    "thompson","crispinglover","glover",
    "thefifthelement","garyoldman","oldman","ianholm","holm","oklahoma","christucker",
    "tucker","millajovovich","asterixetobelixmissioncleopatre","asterix","obelix",
    "gerarddepardieu","depardieu","alainchabat","chabat","monicabelluci","bellucci",
    "clauderich","rich","gerarddarmon","darmon","christianclavier","clavier",
    "christophernolan","nolan","inception","thor","thorragnarok","thelordoftherings",
    "lotr","lucas","georgeslucas","ewanmcgregor","mcgregor","hamill","markhamill",
    "starwars","goku","songoku","sangoku","dragonballz","dragonball","onepunchman",
    "saitama","roronoazoro","roronoa","zoro","onepiece","sololevelling",
    "nahonjamanlebeleob","sungjinwoo","sungjin-woo","sevendeadlysins",
    "thesevendeadlysins","nanatsunotaizai","meliodas","shigeokageyama",
    "mobpsycho100","mobusaikohyaku","swordartonline","sodoatoonrain",
    "kirito","kirigayakazuto","kirigaya","kazuto","hunterxhunter",
    "hantahanta","gon","freecss","gonfreecss","mercury","venus","earth",
    "mars","jupiter","saturn","uranus","neptune","pluto","mercure",
    "venus","terre","mars","jupiter","saturne","uranus","planets",
    "universe","travel","strength", "inspiration", "jcvd", "humor","laugh",
    "japan", "korea", "anime", "strong", "OMAEWAMOUShindeiru","omaewamoushindeiru",
    "gollum","seoul","capetown","kirkjufell","lakemasazir","masazir","azerbaijan",
    "nowhere","Loire Atlantique","loire","atlantic","annecy"]

    # Separators tried independently in both positions around the number.
    symbols = [".","-","*",'~','!',';',",","_","&","=","+","#","$","]","?","["," "]

    with open("wordlist.txt", "w") as f:
        for i in words:
            for j in words:
                for s in symbols:
                    for x in symbols:
                        # lower-case both words and strip outer spaces: word1 sep 44 sep word2
                        f.write(i.lower().strip(" ") + s + "44" + x + j.lower().strip(" "))
                        f.write("\n")

    print("[+]SUCCESS")
    os.system("wc -l wordlist.txt")
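The same pattern, written as an added example rather than the writeup's own script: candidates are produced by a generator instead of a file, duplicates in the word list are removed, and the SHA-384 check is done in Python so the keyspace size can be shown directly. The word and symbol lists here are a constructed subset; the site stores an unsalted SHA-384 of the password in the H= cookie, which is exactly why a pattern this narrow is cheap to exhaust.

```python
#!/usr/bin/env python3
import hashlib
from itertools import product
from typing import Iterator, List, Optional

# Constructed inputs for the demonstration (subset of the writeup's list).
WORDS = ["annecy", "saitama", "dicaprio", "Loire Atlantique", "saitama"]
SYMBOLS = [".", "-", "+", "_", " "]
NUMBER = "44"


def normalise(words: List[str]) -> List[str]:
    """Lower-case, strip outer whitespace and drop duplicates, keeping order."""
    seen, out = set(), []
    for w in words:
        w = w.lower().strip()
        if w and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def candidates(words: List[str], symbols: List[str], number: str = NUMBER) -> Iterator[str]:
    """Yield every <word><sym><number><sym><word> combination (words may repeat)."""
    ws = normalise(words)
    for a, s, x, b in product(ws, symbols, symbols, ws):
        yield f"{a}{s}{number}{x}{b}"


def keyspace_size(words: List[str], symbols: List[str]) -> int:
    """Candidates the pattern produces: |words|^2 * |symbols|^2."""
    n = len(normalise(words))
    return n * n * len(symbols) * len(symbols)


def sha384_hex(password: str) -> str:
    """Unsalted SHA-384 hex digest, the value the challenge site puts in the cookie."""
    return hashlib.sha384(password.encode()).hexdigest()


def crack_sha384(target_hex: str, words: List[str], symbols: List[str],
                 number: str = NUMBER) -> Optional[str]:
    """Return the candidate whose SHA-384 equals target_hex, or None if absent."""
    target = target_hex.lower()
    for cand in candidates(words, symbols, number):
        if sha384_hex(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    demo = sha384_hex("annecy+44+saitama")  # constructed target hash
    print(keyspace_size(WORDS, SYMBOLS), crack_sha384(demo, WORDS, SYMBOLS))
```

With the writeup's full list (about 150 words, 17 symbols) the keyspace is still only a few million candidates, which hashcat in mode 10800 finishes in seconds; a salted, slow hash (bcrypt, scrypt, Argon2) would not make the pattern safe but would make each guess orders of magnitude more expensive.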

Then we run hashcat (mode 10800 is SHA-384) to find out the password:

    hashcat -m 10800 -a 0 hash.txt wordlist.txt --potfile-path hashoutput.txt --force

Then we found the password: annecy+44+saitama

    ➜ 46.30.204.44 telnet 46.30.204.44 2000
    Trying 46.30.204.44...
    Connected to 46.30.204.44.
    Escape character is '^]'.
    Username : witchehh
    Password : annecy+44+saitama
    Welcome, here is your flag : SANTA{Cr4cK_L0rD} ^]
    telnet> Connection closed.

.: FLAG :.

SANTA{Cr4cK_L0rD}
