jng | tribbletron
O3 Constructing your Phish

Last updated 10 months ago

You have your credential harvester ready to go, but how exactly are you going to trick your victims into visiting the site hosting it? Much like the harvester, your "hook" will work best if it mimics something legitimate that the victim is expecting to see.

While researching The Lucky Lion in preparation for this attack, you discovered that the casino uses multi-factor authentication for employees. Specifically, you learned that they use Squishy Security, a budget security solution notorious for a host of backdoors. Employees need to scan a QR code to sign up with the service on their company phones, so perhaps we can phish them into clicking on our harvester? Given this, can you engineer an attack QR code to capitalize on Squishy Security's lackluster control mechanisms?

Objectives

  • Crack the MFA QR code's security scheme

  • Submit your own malicious QR code that is the same as the example, except it would redirect to "http://wood-chewers.trees" instead of the normal casino sign-in. NOTE: if the example QR's text had any special formatting/encryption applied, so should your submitted QR!

Tools Required

  • A QR code generator (you can find one on , as well as potentially other helpful tools for this challenge!)

Solution: I love this challenge, but it should have been worth more than 100 points, since many players struggled with it. I immediately noticed the encryption method hinted at in the email: XOR, because the email mentions a fake company called "Xpert Online Resilience".

The first step is to decode the QR code, which you can do in CyberChef with the recipe: Parse QR Code, then Base64 decode, then XOR with "07192022" as the key.

How did I know the key? I expected the "mfa_secret" field name to appear in the plaintext, and since XOR is its own inverse, XORing the ciphertext with "mfa_secret" as the key revealed "07192022". The bottom of the email mentions "July 19th, 2022", so that date was clearly important enough to be the actual key.

With the most difficult part over, the next step is to edit the decoded fields to point at the phishing site and re-apply the same Base64/XOR formatting to create the phishing QR. After submitting that to the QR checking page, I got the flag.
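Here is an added Python model of the scheme described above (not part of the original write-up and not the challenge's own code): plaintext XORed with a short repeating key, then Base64-encoded. The QR's real text is not reproduced on the page, so the payload, its `mfa_secret=...&redirect=...` layout and the original sign-in URL are constructed; the key "07192022", the "mfa_secret" field name and the "http://wood-chewers.trees" URL come from the challenge. It shows why a known field name is enough to recover a repeating XOR key, which is the weakness the challenge exploits.

```python
import base64
from itertools import cycle

KEY = b"07192022"  # key the write-up recovered (the date mentioned in the email)

# Constructed sample payload: layout and sign-in URL are assumptions, not the
# real QR text. The field name "mfa_secret" is the known plaintext we rely on.
SAMPLE_PLAINTEXT = b"mfa_secret=EXAMPLESECRET&redirect=https://casino.example/signin"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_qr_text(plaintext: bytes, key: bytes = KEY) -> str:
    """Apply the scheme: XOR with the key, then Base64 (the text the QR carries)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_qr_text(qr_text: str, key: bytes = KEY) -> bytes:
    """Reverse the CyberChef recipe: Base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(qr_text), key)


def recover_key(qr_text: str, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: if the plaintext starts with known_prefix,
    XORing it against the ciphertext yields the key stream, which repeats
    with the key's period. The prefix must be at least as long as the key,
    otherwise the shortest consistent period found here is unreliable."""
    ciphertext = base64.b64decode(qr_text)
    stream = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def build_phish(qr_text: str, new_url: str, key: bytes = KEY) -> str:
    """Decode, swap the redirect field, and re-apply the same XOR+Base64
    formatting so the result matches the legitimate QR's scheme."""
    fields = [f.split("=", 1) for f in decode_qr_text(qr_text, key).decode().split("&")]
    edited = "&".join(f"{k}={new_url if k == 'redirect' else v}" for k, v in fields)
    return encode_qr_text(edited.encode(), key)


if __name__ == "__main__":
    qr = encode_qr_text(SAMPLE_PLAINTEXT)
    print("recovered key:", recover_key(qr, b"mfa_secret"))
    print("phish payload:", decode_qr_text(build_phish(qr, "http://wood-chewers.trees")))
```

The same key recovery works against any repeating-key XOR once one field name or other fixed string in the plaintext is known, which is why Base64-plus-XOR is obfuscation rather than a security control.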

Flag: flag{WI$h_I'd_Squ!sh3d_Th@t_BuG}
