Skip to content

Instantly share code, notes, and snippets.

/ Secret
Created Mar 7, 2017

What would you like to do?

Wargames 2017 January

  1. Opening shows a Gitlab installation. Quick analysis shows that they installed the latest version, so there may be no known vulnerability out there.
  2. The hint given is "The fundamental". The first thing comes to my mind is DNS, since it is one of the first thing being done when accessing a website.
  3. Checking the DNS record reveal these TXT record
id 36415
opcode QUERY
flags QR RD RA
;ANSWER 299 IN TXT "N3q8ryccAASpcFcnsAAAAAAAAAA1AAAAAAAAAOOaNWJd7k4PCFF/aUiqAKhV/q9uV8Qm51pm+GJ7TUy7ofBPHvcz6ZcmIeRv6dH3Ts/mpF6hHldwnakFMsrole1lTb4vjz0jbyEyGW69sZb0d/p5E5UPEJFitc1SUu5AWOII4d2kOUsaO+8yqB4QBrlzZnzzRTXncrDJMn7GYY/Zm4DuLTlQyisTAm072O27wJS3ChzEPcozQ+htBTk4n7T1+YA" "Wt36dV7hb7R3z96Pm9VDiXhcGMAEJgIAABwsBAAIkBvEHAQpTBzOpWSfwSpXaIwMBAQVdABAAAAEADHyAlgoB4Q5axwAA" 299 IN TXT "v=spf1 mx a ip4: a:nasikakwok include:domainengkau -all"
  1. If we combine those 2 base64 string and decode it, we will get a 7zip archive (37 7a bc af is 7zip archive header)
$ echo -n "N3q8ryccAASpcFcnsAAAAAAAAAA1AAAAAAAAAOOaNWJd7k4PCFF/aUiqAKhV/q9uV8Qm51pm+GJ7TUy7ofBPHvcz6ZcmIeRv6dH3Ts/mpF6hHldwnakFMsrole1lTb4vjz0jbyEyGW69sZb0d/p5E5UPEJFitc1SUu5AWOII4d2kOUsaO+8yqB4QBrlzZnzzRTXncrDJMn7GYY/Zm4DuLTlQyisTAm072O27wJS3ChzEPcozQ+htBTk4n7T1+YAWt36dV7hb7R3z96Pm9VDiXhcGMAEJgIAABwsBAAIkBvEHAQpTBzOpWSfwSpXaIwMBAQVdABAAAAEADHyAlgoB4Q5axwAA" | base64 -d | xxd
00000000: 377a bcaf 271c 0004 a970 5727 b000 0000  7z..'....pW'....
00000010: 0000 0000 3500 0000 0000 0000 e39a 3562  ....5.........5b
00000020: 5dee 4e0f 0851 7f69 48aa 00a8 55fe af6e  ].N..Q.iH...U..n
00000030: 57c4 26e7 5a66 f862 7b4d 4cbb a1f0 4f1e  W.&.Zf.b{ML...O.
00000040: f733 e997 2621 e46f e9d1 f74e cfe6 a45e  .3..&!.o...N...^
00000050: a11e 5770 9da9 0532 cae8 95ed 654d be2f  ..Wp...2....eM./
00000060: 8f3d 236f 2132 196e bdb1 96f4 77fa 7913  .=#o!2.n....w.y.
00000070: 950f 1091 62b5 cd52 52ee 4058 e208 e1dd  ....b..RR.@X....
00000080: a439 4b1a 3bef 32a8 1e10 06b9 7366 7cf3  .9K.;.2.....sf|.
00000090: 4535 e772 b0c9 327e c661 8fd9 9b80 ee2d  E5.r..2~.a.....-
000000a0: 3950 ca2b 1302 6d3b d8ed bbc0 94b7 0a1c  9P.+..m;........
000000b0: c43d ca33 43e8 6d05 3938 9fb4 f5f9 8016  .=.3C.m.98......
000000c0: b77e 9d57 b85b ed1d f3f7 a3e6 f550 e25e  .~.W.[.......P.^
000000d0: 1706 3001 0980 8000 070b 0100 0224 06f1  ..0..........$..
000000e0: 0701 0a53 0733 a959 27f0 4a95 da23 0301  ...S.3.Y'.J..#..
000000f0: 0105 5d00 1000 0001 000c 7c80 960a 01e1  ..].......|.....
00000100: 0e5a c700 00                             .Z...
  1. Trying to extract the archive will ask for password. Fuk
$ 7z x

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz (306A9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 261 bytes (1 KiB)

Extracting archive: /home/akmal/

Enter password (will not be echoed):
ERROR: /home/akmal/
Can not open encrypted archive. Wrong password?

Can't open as archive: 1
Files: 0
Size:       0
Compressed: 0
  1. I think we need to bruteforce. Initially I try the default password.lst that comes with JTR but fail. And then someone told me to use rockyou password list, and it is inside that list. There's lots of way to bruteforce 7zip archive. Im using this -
$ cat ~/Documents/rockyou.txt|./7za x ~/
Extracting  Extracting  Everything is Ok
Password Found : wakeboarding
  1. Yay we got the password! Extracting the archive revealed a folder "rockyou" with a file flag.txt inside. THe content of flag.txt is
cat rockyou/flag.txt 
  1. So there is the flag - wargame.my2017@NasiKakWokBest
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.