2020-05-06

Let's be transparent about this. (Derpcon CTF Challenge 2)

The second challenge I made for the https://derpcon.io CTF (read about the first challenge here) was a medium difficulty challenge starting at https://derp.randori.com. The idea was to utilize some modern reconnaissance techniques and hide in plain sight, similar to system configurations I have seen in the past.



As before, let's take a look at the source and see if there are any hints. Right click -> View Page Source
[Screenshot: View Source]
Looking at the HTML, we see a comment that leads me to believe another environment is at play: a developer has noted that something must be removed before being released to prod, which suggests there is a staging or development environment somewhere.

[Screenshot: Comments are our friends]
Certificate Transparency Logs
Certificate Transparency Logs were created to make domain owners, CAs, and domain users aware of which certificates are being issued, so that erroneous or maliciously issued certificates can be discovered. We can use these same logs to see which host names have been, or are still, in use for a particular domain.

There are many places these logs can be searched; for this example we will use https://crt.sh
A query on crt.sh for %.randori.com reveals that the most recent certificate issued covers both https://derp-dev.randori.com and https://derp.randori.com. This fits our guess that there must be a dev site somewhere.
[Screenshot: crt.sh results]
Sadly, that hostname does not resolve.
[Screenshot: No Resolution]

TLS Certificate

Another place we can look for information about a website is the TLS certificate. Certificates can often divulge information about systems.
[Screenshot: Cert Info, "Yummy Details"]
For the command line junkies, here is an ugly one-liner:
[Screenshot: OpenSSL one-liner]
Seeing the extra DNS name in the certificate's Subject Alternative Names gives us a hint that this site might be doing double duty.

Often with virtual hosts, servers will respond differently depending on what host is set in the HTTP request. Let's give it a try and see if anything changes.
[Screenshot: request without the Host header, "Nope"]
Now let's try with the Host header set...
[Screenshot: Our Flag]
That does it. Hopefully the challenge was fun and folks got to learn something about TLS, Certificate Transparency logs, and virtual hosts.
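The CT-log and certificate steps above, as an added example in Python (not code from the original post or from crt.sh): it parses a crt.sh JSON response and an openssl subjectAltName dump into a hostname inventory, then flags certified names that have no DNS record, which is exactly the pattern that exposed the dev host. The crt.sh field layout is assumed from its JSON output, and the sample rows and the `system_resolver` helper are mine.

```python
import json
import re
import socket
from typing import Callable, Dict, List

# Constructed sample shaped like crt.sh's JSON output (?q=%25.randori.com&output=json).
# The layout (name_value holding newline-separated SANs) is assumed from crt.sh; the
# rows and dates are made up, the hostnames are the ones mentioned in the post.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "derp.randori.com",
     "name_value": "derp.randori.com\nderp-dev.randori.com",
     "not_before": "2020-04-20T00:00:00"},
    {"common_name": "www.randori.com",
     "name_value": "www.randori.com\n*.randori.com",
     "not_before": "2019-11-01T00:00:00"},
    {"common_name": "www.randori.com",  # precert and leaf cert appear as two rows
     "name_value": "www.randori.com",
     "not_before": "2019-11-01T00:00:00"},
])
# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN_TEXT = "X509v3 Subject Alternative Name: \n    DNS:derp.randori.com, DNS:derp-dev.randori.com\n"

def hostnames_from_crtsh(json_text: str) -> List[str]:
    """De-duplicated, sorted hostnames in a crt.sh response; wildcards kept verbatim."""
    names = set()
    for entry in json.loads(json_text):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        names.update(c.strip().lower() for c in candidates if c.strip())
    return sorted(names)

def dns_names_from_san_text(text: str) -> List[str]:
    """DNS: entries from openssl's subjectAltName text output."""
    return sorted(set(re.findall(r"DNS:([^,\s]+)", text)))

def classify(names: List[str], resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Label each name 'wildcard', 'resolves' or 'no-dns'. A certified name with no
    DNS record may still be served via SNI/Host on a shared vhost (the derp-dev case)."""
    return {n: "wildcard" if n.startswith("*.")
            else ("resolves" if resolves(n) else "no-dns") for n in names}

def system_resolver(name: str) -> bool:
    """Real DNS lookup (needs network); the offline test passes a stub instead."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False
if __name__ == "__main__":  # live run against the CT sample; needs DNS
    print(classify(hostnames_from_crtsh(SAMPLE_CRTSH_JSON), system_resolver))
```

Names reported as "no-dns" are the ones worth checking with a Host header against the shared server, and, from the defender's side, the ones to either retire or remove from the certificate.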

Thanks again to the hosts of derpcon.io for a wonderful virtual conference.

2020-05-03

Derpcon CTF challenge 1

I had the opportunity to make a couple challenges for the https://derpcon.io/ CTF. I had fun making the challenges, so I figured I would drop some quick notes here about how I would have gone about solving them.

A big thank you to all the DERP organizers for a great virtual conference in this interesting time.

Challenge 1 was a beginner challenge that started at https://www.randori.com/

While this challenge is relatively simple, it does demonstrate a common workflow and introduces some useful utilities.

First things first, I like to figure out what I am working with. Let's take a look at the source code for the page. Right click -> View Page Source

[Screenshot: https://www.randori.com]
Something I see regularly in source code is comments that point me to something interesting about an app. Here we find a hint about the image.
[Screenshot: HTML Source Code]
To the terminal we go! Grab the image and take a look. Here we use wget to download the file.
[Screenshot: Download the file]
With the file in hand we can use the file utility to discover what type of file this is. (file file file)
[Screenshot: Using the file command]
Nothing super unusual there. The file we downloaded has a .png extension and appears to be a PNG file. Next we should check whether there are any interesting strings in the file; for this we use the ... you guessed it, strings command. I like to start with -8, which only shows strings that are 8 characters or longer.
[Screenshot: Using the strings command]
That last string looks like base64 ... Luckily there are more commands that help us. I'm going to run strings again, grab the last line of output, then pass that output to the base64 utility.
[Screenshot: wrapping up]
And that wraps it up. For sure this is a classic beginner CTF challenge; it introduces some fundamental tools and has (hopefully) just enough hints to keep a beginner interested.

The next challenge was a bit more interesting, stay tuned for derpcon challenge 2.

PS. If you played in the CTF let me know what these challenges wound up being called.

Update 1:
Challenge was called "Something Derpy" thanks to @Zzyzzx

Update 2:
Here is the challenge image:


2020-05-02

Hello World... again

Good news everyone! I'm reviving the blog...