O8 Performing an Exfil of a Filesystem

You have a solid foothold in The Lucky Lion's environment - now it's time to start poking around. Looking through more of the emails from the account you compromised, you see something interesting: a backup of a server was recently uploaded to a secure fileshare. You wager there could be some valuable information to sell if you can get those files, but the backup is password protected.

To get you started, we've provided you with the host & port where we've noticed a password vault service running. You can connect to it with Netcat (nc) as shown at the bottom.

Note: the hints worth 50 are about the ZIP!

Objectives

• Find a way to extract passwords from the vault so you can download the ZIP

• Once you obtain the ZIP, find a way to break the encryption scheme and find the flag file within

Tools Required

• Shell environment with nc (netcat) installed

Additional Resources

• All about ZIPs

• ValuVault documentation

nc 0.cloud.chals.io 18529

Solution: This one was tough for many. It has two parts: break out of a python sandbox and crack a zip file. Those could seriously be their own separate challenges. I handled the python part alone, but was forced to spent points on hints about the zip file. (After I cracked the zip file, I had only 4 min left to work on O10 before the CTF was over.)

The provided email only gives you the username "admin" and a link to the zip file. The password is in a Postgresql web server called ValuVault. ValuVault's weakness is a feature called "MOTD" (aka Message of the Day) which can be set to greet users about what time or date it is. This can be modified using Python. But MOTD treats everything as string, except for Python placeholders {now.date} and {now.time}. Those placeholders are also limited to printing time or date. For example, running MOTD "Object Info: {now.class.name}" gave me the output: "Object Info: SimpleDate | {'date': datetime.date(2024, 8, 8), 'time': datetime.time(4, 2, 53, 396707)}" Googling ways to exploit Python, led me to write-ups for a CTF called "PyJail", which led me to read about hacking Python sandboxes, and after trying multiple Python exploits...

# Obtain globals from an object of a class
class_obj.__init__.__globals__

...one got me the master password for Valuvault:

With the master password, you can get all the Valuvault passwords.

Using "admin" and "8szS)89Y$jDq0t}BS:Hj<37J" allowed me to download backup.zip, but the file is password-protected. Additionally, we discover two text files inside that are encrypted by ZipCrypto: flag.txt and slots.txt. bkcrack can generate decryption keys for ZipCrypto, if you give it unencrypted content (aka plaintext) to compare against. But where would I get that? I figured since the flag format is usually "wicys2024{", then that could be the plaintext. I added a curly bracket too, cause the minimum is 12 bytes. This approach failed:

After that, I succumbed to hints: HINT 1: You have a password-protected ZIP, and you can analyze it to see that it's encrypted with ZipCrypto. What other analysis can you do of the zip while it's encrypted? Not everything is hidden... View Hint

HINT 2: There's a familiar looking file in the Zip... one that we saw in the password vault. If we download it from the same URL we got the zip (just changing the filename to get the different file) and supply the vault password, we now have an encrypted zip and a plaintext file from inside the zip. Are there any tools out there that could help us crack it now? Apparently, slots.txt file is also at "https://target-flask.chals.io/vault/slots.txt" and you can download it with "admin" and "/D~Yl9I*966aI:F0A]4NL7/L" (which is the password of "slots_admin" in Valuvault). IRL, this would make no sense cause why would you put your server backup in the same place as where you backed up from?! What also drove me crazy is that text files automatically display in a web browser, rather than downloading into the Downloads folder. I couldn't wget slots.txt from that site either cause the login page blocks it. Copying and pasting also ruins the text file, which causes a "ciphertext is smaller than plaintext" error in bkcrack. The easy and simple solution to this, is to right-click the webpage and choose "Save As". Then it works. After I got a working slots.txt, I ran it against the encrypted slots.txt, got the encryption keys, and used those to decrypt flag.txt. Catting the decrypted result will show the flag.

Flag: {xamine_your_zip_pretty_darn_quick} Special thanks to Caelum: I initially couldn't get running bkcrack, which made me think it was incompatible with my VmWare Kali VM running on an M1 Mac. Terminal was showing "zsh: exec format error: ./bkcrack". Eventually, Caelum explained how to install with "git clone" (aka "build from source"), instead of downloading the tar package.