Junior 35C3 CTF Writeup
The 35C3 CTF had a junior version this year, which was a bit easier than the main event but still challenging for me, since I only managed to solve 3 challenges.
Visiting the web page and reading the code, we see that we have to do a directory traversal through the Accept-Language header and also get past the filter that replaces `../`.
The final payload:
The flag is loaded and we decode it from base64.
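The root cause of this challenge is a file path built from the Accept-Language header and then "cleaned" by stripping `../`. As an added example (not the challenge's code), here is how a locale loader can handle that header safely: parse the tags, allowlist their syntax so no path characters ever reach the filesystem, and verify the resolved path stays inside the locale directory. The `LOCALE_DIR` location and the `<tag>.json` naming are assumptions.

```python
import os
import re

# Assumed layout: one translation file per language tag under LOCALE_DIR.
LOCALE_DIR = os.path.realpath("/tmp/locales")
DEFAULT_LANG = "en"
# Allowlist for BCP 47-style tags such as "en", "fr-ch", "zh-hant".
LANG_TAG = re.compile(r"^[a-z]{2,3}(-[a-z0-9]{2,8})?$")


def parse_accept_language(header):
    """Return the header's language tags ordered by q-value, highest first."""
    choices = []
    for idx, part in enumerate(header.split(",")):
        fields = part.strip().split(";")
        tag = fields[0].strip()
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.strip().partition("=")
            if name == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if tag:
            choices.append((-q, idx, tag))  # idx keeps header order on ties
    return [tag for _, _, tag in sorted(choices)]


def locale_path(tag):
    """Translation file for tag, or None if the tag is not a plain language tag.

    Two independent checks: the syntax allowlist rejects anything containing
    path characters before a filename is ever built, and the realpath
    containment check is defence in depth against any future slip.
    """
    tag = tag.lower()
    if not LANG_TAG.match(tag):
        return None
    candidate = os.path.realpath(os.path.join(LOCALE_DIR, tag + ".json"))
    if os.path.commonpath([LOCALE_DIR, candidate]) != LOCALE_DIR:
        return None
    return candidate


def choose_locale(header):
    """Filename of the first acceptable language in the header, else the default."""
    for tag in parse_accept_language(header):
        if tag == "*":
            break  # wildcard: the client accepts anything, so use the default
        path = locale_path(tag)
        if path is not None:
            return os.path.basename(path)
    return DEFAULT_LANG + ".json"
```

Compare this with the single-pass `replace("../", "")` approach: the allowlist never needs to enumerate bad strings, so it cannot be defeated by a variant the filter did not anticipate.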
The web page didn’t give much info and there were no clues after viewing its source.
I decided to brute-force directories using dirsearch and found a robots.txt and a backup directory.
The robots.txt file shows there is a .DS_Store file in the backup folder.
Googling this file, I found this on Wikipedia:
In the Apple macOS operating system, .DS_Store is a file that stores custom attributes of its containing folder, such as the position of icons or the choice of a background image. The name is an abbreviation of Desktop Services Store, reflecting its purpose. It is created and maintained by the Finder application in every folder, and has functions similar to the file desktop.ini in Microsoft Windows. Starting with a full stop (period) character, it is hidden in Finder and many Unix utilities. Its internal structure is proprietary.
After downloading it, I tried to cat its contents, but that wasn’t useful. I later found python-dsstore, a tool written in Python that parses .DS_Store files and lists the directory information. Surprisingly, it was written by the author of the challenge, @gehaxelt.
The output says there are 20 directories as shown.
I tried visiting each of the directories manually, but it was tedious, so I decided to brute-force it with dirsearch again.
I created a custom wordlist with a/, b/, c/, noflag.txt, flag.txt and .DS_Store, based on the files I found in the first few directories I visited. Since I had found a noflag.txt, I guessed there must be a flag.txt. It worked and dirsearch found the flag.
This was a nice challenge, since I learned something about information disclosure vulnerabilities through the .DS_Store file.
A good read I found on this topic, if you want to learn more: https://0day.work/parsing-the-ds_store-file-format/ .
First I checked what kind of binary we are given using binwalk.
Googling the jffs2 file system, I found the jefferson tool, which can extract the files.
I also realized that binwalk can extract the files too, but it still relies on jefferson to do that, so the dependencies required by jefferson need to be installed (check the jefferson repo for this).
Running the following commands we get the flag.
Even though most of the challenges were categorized as easy, they were still a bit challenging for me. I take it as a challenge for 2019 to do better. I am still satisfied that I was able to solve more than one challenge.
I got position 284/520 in the CTF, not too bad in my opinion. I guess next time I’ll get a team to play with.