KnightCTF 2024 - Writeup

This is a writeup for forensics, networking, steganography and web challenges from KnightCTF 2024. This was the first CTF I did not really enjoy due to the 10 attempts flag submission feature which blocked me in solving certain challenges. Hope CTFs never use this feature ever again.

Scenario [Forensics]

My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. Best of luck.

OS [Forensics]

Question: What is the OS version?

Flag: KCTF{7.1.7601.24214}

Use Windbg with the command !analyze -v.

IP Addr [Forensics]

Question: What is the IP address of this system?

Flag: KCTF{10.0.2.15}

Use Windbg with the command du poi(poi(srvnet!SrvAdminIpAddressList)) and keep inputting du command to load each line.

Password [Forensics]

Question: What is the login password of the OS?

Flag: KCTF{squad}

Use Volatility2 hashdump plugin to get the password hashes and crack it.

Note [Forensics]

Question: My boss has written something in the text file. Could you please help me find it?

Flag: KCTF{Respect_Y0ur_Her4nki}

Use Volatility2 and dump the suspicious text file. An encoded flag can be found in the text file.

Execution [Forensics]

Question: My leader, Noman Prodhan, executed something in the cmd of this infected machine. Could you please figure out what he actually executed?

Flag: KCTF{W3_AR3_tH3_Kn1GHt}

I just strings grep the memory dump and found the flag lol.

Intended way: Use Volatility2 consoles plugin and find the executable file and command.

Path of the Executable [Forensics]

Question: What is the path folder of the executable file which execute privious flag?

Flag: KCTF{C:\Users\siam\Documents}

Similar to Task 5, just take the path of the executable file.

Malicious [Forensics]

Question: What is the malicious software name?

Flag: KCTF{MadMan.exe}

Use Volatility2 autoruns plugin, a suspicious software can be found.

Scenario [Networking]

Recently one of Knight Squad’s asset was compromised. We’ve figured out most but need your help to investigate the case deeply. As a SOC analyst, analyze the pacp file & identify the issues.

Vicker IP [Networking]

Question: What is the victim & attacker ip?

Flag: KCTF{192.168.1.8_192.168.1.7}

Checking the conversations in Wireshark, the attacker (192.168.1.7) seems to be communicating with our server (192.168.1.8).

Basic Enum [Networking]

Question: What tool did the attacker use to do basic enumeration of the server?

Flag: KCTF{nikto}

Filter the victim or attacker’s IP address and slowly analyze the packets, Nikto logs can be found in TCP stream 43.

Vulnerable Service [Networking]

Question: What service was vulnerable to the main server?

Flag: KCTF{vsftpd_2.3.4}

Several suspicious FTP data can be identified in the pcap. Looking into the FTP packets, it is shown that vFTPd 2.3.4 is indeed being exploited.

CVE ID [Networking]

Question: What’s the CVE id for the vulnerable service?

Flag: KCTF{CVE-2011-2523}

Just research online on vsFTPd 2.3.4 exploits.

Famous Tool [Networking]

Question: The attacker used a popular tool to gain access of the server. Can you name it?

Flag: KCTF{metasploit}

Researching more on CVE-2011-2523, several video demonstrations show Metasploit being used to gain access.

PORT [Networking]

Question: What was the port number of the reverse shell of the server?

Flag: KCTF{6200}

Similarly, CVE-2011-2523 already explains which port is exploits.

Hidden File [Networking]

Question: What’s the flag of the hidden file?

Flag: KCTF{ExPloItiNg_S3RvEr_Is_fUN}

The flag can be found in TCP stream 1532, however, I could not decode it before the CTF ended. After asking other players on Discord, the true method is Twin Hex (that is too guessy).

Confidential [Networking]

Question: There’s something confidential. Can you find it?

Flag: KCTF{Y0U_Ar3_N3tW0rk_M1n3r}

Extract the confidential.zip file from Wireshark and unzip it to obtain a docx file. Analyzing it, the flag is hidden somewhere in the file.

Pretty straightforward, just resize the image and colorize every text.

BackDoor [Networking]

Question: What is the backdoor file name?

Flag: KCTF{.621b4CkD0oR.php5}

Analyzing TCP streams again, we can find a php file being created and renamed.

BackDoor Path [Networking]

Question: What is the full path of the backdoor in the server?

Flag: KCTF{/var/www/html/app/assets/.621b4CkD0oR.php5}

Similar to Task 9, just take the path of the php file.

Super Admin [Networking]

Question: What is the super admin password in the web application?

Flag: KCTF{letmeinroot}

We are given a SQL database attachment called backup.sql and the root password hash can be found within it. We also know its MD5 from the process_login.php.

Admin Flag [Networking]

Question: Can you find the Admin Flag of the web server?

Flag: KCTF{y0U_G0t_tHe_AdMin_Fl4g}

Analyzing everything, I came across the other zip file app.zip obtained previously. Unzipping and looking through its files, we stumble across dashboard.php where a seemingly encoded cookie can be found.

Vuln [Networking]

Question: What was the vulnerability on the edit task page & what parameter was vulnerable?

Flag: KCTF{sqli_taskId}

By following HTTP traffic in the pcap, we can see a supposedly SQL injection attack going on. So we can check the vulnerable source code in process_edit_task.php and the parameter can be found. So the vulnerablility is SQLi and the parameter is taskId.

Famous Tool 2 [Networking]

Question: What tool did the attacker use to identify the vulnerability of edit task page?

Flag: KCTF{sqlmap/1.7.10#stable}

Check the HTTP stream of the attack, the tool used was SQLMap.

Something Interesting [Networking]

Question: What is the super admin password in the web application?

Flag: KCTF{Y0u_aRe_InTeREsTiNg}

I had no clue how to solve this, so I asked other members on Discord and they mentioned a suspicious query in the previous SQL database. In the backup.sql file there a table called something. It is another guessy challenge, I tried ROT47 and it worked out.

Hidden Page [Networking]

Question: There was a hidden page which was only accessible to root & was removed from the web app for security purpose. Can you find it?

Flag: KCTF{terminal-13337.php}

A suspicious php file for root can be found in tasks.php.

DB Details [Networking]

Question: What is the database username & databasename?

Flag: KCTF{db_user_kctf2024}

After spending several minutes on looking at the app files, I actually found the username and password in the previous vFTPd stream. So the username and password is actually db_user and kctf2024 respectively.

API Key [Networking]

Question: What’s the API Key?

Flag: KCTF{6eea9135-2801-4560-b44c-f297b5f46f2f}

The API key can be found in db.php.

Oceanic [Steganography]

Question: The ocean’s beauty is in its clear waters, but its strength lies in its dark depths.

Flag: KCTF{mul71_l4y3r3d_57360_ec4dacb5}

We are given an image and a wav audio file. So I tried analyzing the audio file on Audacity but nothing relevant was found.

Analyzing the metadata of the image file, an encoded message can be found. It is probably a hint to find the flag, so I did some research and came across a blog on audio steganography with the tool called DeepSound, kinda sus as it represents the challenge and the hint given.

Using the password obtained from the metadata, we can extract a flag.png from it. So we binwalk the png and find the flag.

Flag Hunt! [Steganography]

Question: Hunt your way through the challenge and Capture The hidden Flag!!!

Flag: KCTF{3mb3d_53cr37_4nd_z1pp17_4ll_up_ba6df32ce}

We are given a protected zip file. Using binwalk, we can find multiple image files, text files and a wav file. So, since I have no clue what the password is, I just brute-forced it with John the Ripper.

zip2john chall.zip > hash
john --wordlist=$rockyou hash

After extracting the zip with the password, we can start analyzing the text files. Unexpectedly, img725.jpg was different from the rest.

Listening to the audio file, it sounded like Morse code. However, the decoded Morse code was not the flag. So I tried stegsolve on the outlier image file and got the real flag.

Kitty [Web]

Question: Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.

Flag: KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}

We are given a login page, so I analyzed the page source and stumbled across the Javascript file. It says that the credentials are username and password.

document.getElementById('login-form').addEventListener('submit', function(event) {
    event.preventDefault();

    const username = document.getElementById('username').value;
    const password = document.getElementById('password').value;

    const data = {
        "username": username,
        "password": password
    };

    fetch('/login', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data)
    })
    .then(response => response.json())
    .then(data => {
        // You can handle the response here as needed
        if (data.message === "Login successful!") {
            window.location.href = '/dashboard'; // Redirect to the dashboard
        } else {
            // Display an error message for invalid login
            const errorMessage = document.createElement('p');
            errorMessage.textContent = "Invalid username or password";
            document.getElementById('login-form').appendChild(errorMessage);

            // Remove the error message after 4 seconds
            setTimeout(() => {
                errorMessage.remove();
            }, 4000);
        }
    })
    .catch(error => {
        console.error('Error:', error);
    });
});

After logging it, we are redirected to the dashboard page. Same thing I analyzed the page source and found a script field.

<script>
    function addPost(event) {
        event.preventDefault();
        const post_in = document.getElementById('post_input').value;
        
        if (post_in.startsWith('cat flag.txt')) {
            fetch('/execute', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                body: `post_input=${encodeURIComponent(post_in)}`
            })
            .then(response => response.text())
            .then(result => {
                const contentSection = document.querySelector('.content');
                const newPost = document.createElement('div');
                newPost.classList.add('post');
                newPost.innerHTML = `<h3>Flag Post</h3><p>${result}</p>`;
                contentSection.appendChild(newPost);
            });
        } else {
            const contentSection = document.querySelector('.content');
            const newPost = document.createElement('div');
            newPost.classList.add('post');
            newPost.innerHTML = `<h3>User Post</h3><p>${post_in}</p>`;
            contentSection.appendChild(newPost);
        }
    }
</script>

The script mentioned the command cat flag.txt in the input field, doing so we can get the flag.

Levi Ackerman [Web]

Question: Levi Ackerman is a robot!

Flag: KCTF{1m_d01n6_17_b3c4u53_1_h4v3_70}

We are given a website with a picture of Levi from Attack on Titan, nothing else. So by reading the question, I navigated to robots.txt and the flag can be obtained.