
SpyderSec Challenge Write Up { MSF }

Hello, everyone. Nice to meet you. Today we (133730, System, 404) are going to solve the SpyderSec challenge from VulnHub. It is a really nice challenge, and it gave us new experience with TrueCrypt. We want to share what we learned, so here is our write-up. :)

SpyderSec Lab Welcome Screen

First, we need to find the IP address of the target. To do that, we start by checking our own IP with the ifconfig command:
ifconfig

Our IP is 192.168.0.106, so next we sweep the whole network with an nmap ping scan:
nmap -sn 192.168.0.0/24

Now we can see every host that is up on our network.

The target IP is 192.168.0.108. To find out which services are running on it, we scan it with nmap again:
nmap -sV 192.168.0.108

The scan shows two ports: SSH on port 22 is closed, but the web service on port 80 is running. So the target is serving a website at 192.168.0.108. Open that IP in the web browser.

Yeah! Now we have a website to pentest. As usual, we checked everything on the site (file names, directories, links) but found nothing useful. The main page shows only some text and 3 photos, so we need to check the source code carefully.

We found a JavaScript eval function in the source code and wanted to know what it does, so we need to unpack it. We searched Google for a JavaScript unpacker and picked this website:

http://matthewfl.com/unPacker.html

Unpacking the eval code from the page source gives us a hex-encoded result.

Result Hex value
61:6c:65:72:74:28:27:6d:75:6c:64:65:72:2e:66:62:69:27:29:3b

Convert the hex to characters in HackBar.

After converting the hex value to characters, we get a clue: alert('mulder.fbi');

We had no idea how to continue. After thinking for 15 minutes, we decided to look at the website's HTTP response (you can use Burp, but we used Firebug). Looking through the headers, we found the next clue in the cookie value: a new directory.

Check the directory http://192.168.0.108/v/81JHPbvyEQ8729161jd6aKQ0N4/ in the web browser.
But we get Forbidden! for this directory. Could the first clue, mulder.fbi, be a file? We read the challenge description again.
It says that you need to download a file for the first flag.

Yes. Request the file name (mulder.fbi) inside the forbidden directory.
The full path of the link is http://192.168.0.108/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi

After downloading the mulder.fbi file, we watched the video. It is a really nice old song :D. We thought the flag was in this video file, but had no idea how to get it.
We sent a message to SpyderSec: ” I got the video file and what we continue.” They replied: “Nice job getting the first flag. Interrogate the file… determine if it is just an MP4 or something more. Good luck!” Thanks so much for the hint. After searching Google for how to hide a file in a video, we came across the TrueCrypt method. So we need to open the downloaded file with TrueCrypt.

When we mount the video file (mulder.fbi) with TrueCrypt, it asks for a password.

Time to search the site again for the password. We checked all the images and the source code again.
We used exiftool to get more details about the images, starting by downloading Challenge.png.

Open Challenge.png with exiftool. We get a hint: a hex value in the Comment field.

Copy this hex code and hex-decode it to characters 2 times.

We get a base64 result. After decoding the base64 result, we get the password for the TrueCrypt file.
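The two decoding steps in this write-up (the colon-separated hex from the unpacked eval, and the Comment value that is hex-encoded twice over base64) can be scripted instead of done by hand. This is an added example, not part of the original write-up: `peel`, `peel_once` and `wrap_sample` are hypothetical helper names, and because the page does not show the real Comment value, the layered sample is constructed.

```python
import base64
import binascii
import re

# Hex pairs, optionally separated by ':' or whitespace (the eval output uses ':').
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}[:\s]?)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def peel_once(text: str):
    """Strip one encoding layer; return (layer_name, decoded) or None."""
    s = text.strip()
    if HEX_RE.match(s):  # try hex first: its alphabet is a subset of base64's
        raw = bytes.fromhex(re.sub(r"[:\s]", "", s))
        if _printable(raw):
            return "hex", raw.decode("ascii")
    if len(s) % 4 == 0 and B64_RE.match(s):
        try:
            raw = base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
        if _printable(raw):
            return "base64", raw.decode("ascii")
    return None

def peel(text: str, max_layers: int = 10):
    """Peel layers until the result no longer looks like printable-encoded data."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text

def wrap_sample(secret: str) -> str:
    """Constructed input: base64, then hex twice (the layering described above)."""
    b64 = base64.b64encode(secret.encode()).decode()
    return b64.encode().hex().encode().hex()

if __name__ == "__main__":
    # Hex value quoted in the write-up, then a constructed three-layer sample.
    print(peel("61:6c:65:72:74:28:27:6d:75:6c:64:65:72:2e:66:62:69:27:29:3b"))
    print(peel(wrap_sample("constructed-passphrase!")))
```

The printable-ASCII check is what stops the loop: once a candidate decode yields binary junk, the current text is treated as the plaintext.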

Copy the password “A!Vu~jtH#729sLA;h4%” and paste it into the TrueCrypt password prompt.

Bingo! Now we get the final flag.txt file.

Video on Youtube

Many thanks to SpyderSec for the nice challenge, and thank you to all our MSF members.
Cheers! Logout@Sleep!

2 Comments

  • Bob, March 30, 2016 at 1:11 am

    I like how you got stuck and then messaged to spydersec to ask them what to do next :)
    I would probably do the same.
    Thanks for a good walk-through.

  • Creatigon, March 30, 2016 at 8:51 am

    Welcome, bro. We will try to write up other challenges. Thank you for your nice comment. ;)
