SpyderSec Challenge Write Up { MSF }

Hello! Everyone. Nice to meet u. Today we ( 133730 , System , 404 ) are try to solve about the SpyderSec Challenge from vulnhub.It really nice challenge and we have new experience about the truecrypt. We want to share our knowledge about this challenge.So writ up about this 🙂

SpyderSec Lab Welcome Screen

Firstly,We need to find the IP of Target. Therefore, search our ip first with ifconfig command

Now our IP is 192.168.0.106 and then continue the whole network ip with nmap scan.
nmap -sn 192.160.0.0/24

Now we see all IP on my network. Host is Up.

We know about the Target IP that is 192.168.0.108. So that to know what services are running on this ip we will use nmap again to scan.
nmap -sV 192.168.0.106

You will see two port are running. SSH port 22 is closed but website service port 80 is running. Therefore we decide the website is running on the IP (192.168.0.108 ). See the IP on the web browser.

Yeah! Now we see the website to pentest. Usually check all thing ( File name, Directory , Link ) on the website but don’t see any about this. we just see the some text on the main page and 3 photos. we know need to check the source code carefully.

we found the javascript eval function in the source code and want to know what is it is.So need to unpack this eval js function. We search javascript unpacker on google and select this website.

http://matthewfl.com/unPacker.html

Evail code in javascript

Unpack above js code. we get the some result of hex value.

Result Hex value
61:6c:65:72:74:28:27:6d:75:6c:64:65:72:2e:66:62:69:27:29:3b

Change Hex to Character in Hackbar

After change the hex value to character, we get the some clue ” alert(‘mulder.fbi’); ” .

No idea what we continue. After thinking 15 minutes, decide to search the website http response ( you can use burp ) but now we use firebug.viewing some header we found next clue on the cookies value that is new directory.

check the directory http://192.168.0.108/v/81JHPbvyEQ8729161jd6aKQ0N4/ on the web browser.
But we see Forbidden! about this direcotry.let’s me think about the first clue mulder.fbi is file?. read again about the challenge description .
They said need to download file on the description for first flag.

Yes. check the filename.ext (mulder.fbi) on the forbidden directory.
The full path of the link is http://192.168.0.108/v/81JHPbvyEQ8729161jd6aKQ0N4/mulder.fbi

After download the mulder.fbi file and look up the video. It really nice song about old :D.i think the flag is in this video file. No idea about this.
I send the message to spydersec. ” I got the video file and what we continue.”. They reply “Nice job getting the first flag. Interrogate the file… determine if it is just an MP4 or something more. Good luck!” . We thanks so much about the hits. After searching hide file in the video at google.we see trucrypte method. So need to open the download file with truecrypt.

When mount the video file(mulder.fbi) with truecrypt. it said need password

Time to search again the password in the site. Check again all images and source code.
we use exiftool for more details about the images. we download the Challenge.png

Open Challenge.png image with exiftool. We get some hit hex value in the Comment

Copy this hex code and change character 2 time with hex decode.

we get base64 result . after decode base64 result

we get the password of the truecrypt file.

Copy the Password “A!Vu~jtH#729sLA;h4%” and Paste in the truecrypt file

Bango! now we get the final flag.txt file.

Video on Youtube

Thanks a lot for SpyderSec about nice challenge and thanks u all our msf members.
Cheer! Logout@Sleep!