Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Skills: Network Security (80%)
Key Takeaways
Solves Sander's Fan Club challenge in Hack The Vote 2016 CTF using web development and credential discovery techniques
Full Transcript
All right, what is going on everybody, welcome back to another video. My name is John Hammond, this time showcasing some of the Hack The Vote CTF, or Capture the Flag competition, that's been going on this weekend, November 4th to November 6th. It's still Saturday right now; I'm just in the middle of it. I haven't gotten a whole lot of flags admittedly, but I figured I'd be able to show off some of the small ones that I have been able to get. This has been admittedly a really difficult CTF. It's organized by RPISEC, so be sure to give them a check out and a thumbs up for an awesome game, and it's online at pwn.voting, and this is their interface, which is super cool. It is just the map of the United States for the Hack The Vote theme, and they do have their Jeopardy-style display if you just want to look at it by category.

So I want to show off the web 100 in this video, and that is titled Bernie Sanders Fan Club. It has 185 solves, so again, out of the scheme of things, I think there are about 900 people registered, 930, 950 or so at this point now, so 185 is a good amount for the people that were able to solve things. Okay, so the Sanders Fan Club, 100 points. The challenge description is: "These deplorable Sanders supporters are still fighting. Shut the site down by finding where the idiot stored his credentials." So it gives us this URL, so go ahead and follow that and check it out. Bernie Sanders Fan Club: "Feel the Bern, man, I just love Bernie Sanders, he's still got a chance," etc. etc. "The site is still a work in progress; it only works in Firefox I think. I'm not very good at webdev so I just copied and pasted a bunch of config files from Stack Overflow. I think I left my credentials somewhere but I can't seem to find them, let me know if you see them, okay thanks, remember vote Bernie." And I guess there are some pictures here of flags, but that's all that's on the web page, literally, that's it. There's a login and it's just a password box. You can enter anything and it will try and authorize, although "the password is the flag" is the only alert message that we get.

So I admittedly spent a lot of time on this challenge kind of just going through rabbit holes. I asked around on the IRC channel, I tried to talk to some friends, and admittedly I would not have been able to solve this challenge without the help of some very generous people and bouncing ideas back and forth, and explaining a worthwhile process here. So I'm thankfully running Firefox right now; that's why this "it only works in Firefox I think" is an interesting tidbit. Although the thing that really put me down a rabbit hole was this: "I just copied and pasted a bunch of config files from Stack Overflow." So I think a lot of people, from individuals that I was talking with on an IRC channel, they were trying to Google things that were like, oh, in the URL of Stack Overflow, or like configuration files for Bootstrap, considering it is a Bootstrap web design page, or the backend server, because initially you want to reach for the low hanging fruit, right? Is there a robots.txt? No. All right, we can see it's an nginx server, so we'd want to see, oh, are there any nginx configuration files, stuff like that, be able to look for that on Stack Overflow, just basic configuration files, etc.

So some other stuff that I was interested and curious about: I wanted to try and run other low hanging fruit penetration testing tools with the web application stuff. So I initially ran nikto, which is an awesome utility if you haven't heard of it. I think I may have shown it off before: open source web server scanner, blah blah blah, you can check it out on your own if you haven't heard of it before. But all I ended up really doing is just passing the URL as the host here, and it will try and look through it, and it immediately finds this really interesting thing. The anti-clickjacking X-Frame-Options header is not present, but I actually literally just read the wrong line; I meant to be reading this one: the uncommon header Link is found with contents flag2.jpeg; rel=stylesheet. So that's interesting. That was weird, obviously, since it displays this uncommon header, and admittedly I didn't really know what to think of that or what to do with it. So I was looking at, like, well okay, flag2.jpeg, that's odd and strange.

I checked out the source of the web page. Initially I Googled for common things like this, like oh, this might have been some tutorial comment for someone just trying to find easy config files and stuff like that, and I see these images, the flag1.jpeg and the flag2.jpeg, and then I went over to the login.html page, but again there's nothing there either, same kind of content, same kind of Bootstrap jazz, but it's just a JavaScript thing that tells us, oh, the password is the flag. So there's no communication with the server here; it's just weird. Some lurking around the IRC channel, some talking with other individuals: the administrator, the admin that created this challenge, shout out to lens I guess, had said that the flag is in the website itself, so you don't have to go digging through Stack Overflow, you don't have to worry about any Firefox specifications, stuff like that; you can find it here on the web page. I even tried to mirror the entire web page and strings everything, try to grep through everything and try to find something that is a flag, but to no avail. Eventually I stumbled upon this thing that we ended up using: Firebug, which is a Firefox add-on. Let me get Firebug: an extension for Firefox to let you interact and change HTML and JavaScript and CSS stuff while you're viewing a web page. But you can also just see the traffic and stuff going out as you work through it. So I was interested in the Net tab, and I requested all, so then I tried to load the page again and I could see all the information, the URLs that are being GET-ed and POST-ed, with the typical HTTP conversations here. And some interesting stuff that I saw was that, okay, we're getting the HTTP page, we're getting flag.jpeg, etc., and I was curious why flag.jpeg was showing up twice, one down here with flag1 and flag2 up here.

So I was observing some of these and I was going through them more in depth, and something that stuck out to me was that, hm, response headers: Connection: keep-alive, Content-Length: 223, was it, whatever, Content-Type: text/css. That was weird, right? A JPEG image is not a CSS stylesheet, and there was that weird Link header for flag2.jpeg, rel=stylesheet, that nikto had pointed out for us here. So I was like, what? And I right-clicked on this one and I tried "copy as cURL", so I could see: okay, I can't obviously change the request that I'm doing through Firebug, but can I see the request that it's getting? And I copy it as the curl command, so now I throw this in my terminal and I do this curl command that Firebug just straight up gives us, but it's the URL to the flag2.jpeg; however, it's accepting it as a CSS file. And I'm just going to run it for one thing to see if we can get whatever it returns for us. Keep in mind my user agent right now is still Firefox because I'm doing this through my web browser; I'm replaying the GET from Firebug, just this time running it through curl. So it gets a CSS file, apparently a stylesheet; however, it's supposed to be a JPEG image, and there's a comment at the very end here that says "how did I... oh never mind, I'm pretty sure my credentials are in a text file." So boom, we've got a lead here. We immediately found something and it's a good hint, so this is clearly some guidance, and what sticks out to me here now is that, okay, it's supposed to be a text file. I know there were some ideas, oh, is it flag.txt, or flag2.txt, or flag.txt, and some people again in conversation on the IRC channels weren't having any success with that: flag.jpeg, not flag.txt, okay cool, and to no avail, that did not work.

What I figured was, hm, the content type being CSS is weird considering it's a JPEG, but if it's supposed to be a plain text file according to this "my credentials are in a text file", it's obviously interpreting it as something weird. So let's try and only accept, rather than a CSS stylesheet, a plain text file. The MIME type for that is text/plain, and I run this and we get a password reminder, and there's the flag. "I am very bad with computers I suppose," and this here: "go tell Chrome developers to support RFC 5988, Firefox is the master race." I guess that's why it's supposed to only work in Firefox, and I'll back down, and I suppose me running Firebug, being able to see that it's passing the user agent in the curl headers, it was able to find it just like that. I'm curious what this RFC is; I haven't actually read through it, but oh, it also defines the use of such links in HTTP headers with the Link header field. So, interesting stuff if you're curious about how the backend works, but that's how I got the flag. Crazy method, admittedly; again, I would not have easily figured this out on my own without bouncing ideas off of other people and talking it out. So awesome challenge, had a little bit more to it than a simple low hanging fruit like robots.txt gig, so cool. Thank you for watching guys, I hope you enjoyed this, I hope to show off a little bit more of Hack The Vote challenges and show some writeups for you, and I hope to see you in the next video.
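An added example (not code from the video or from the challenge) modelling the two mechanisms the walkthrough turns on: parsing an RFC 5988 Link header so a scanner's "uncommon header" finding becomes concrete URLs to review, and server-side Accept negotiation that hands back a different body for text/css versus text/plain on the same path. The header values, variant bodies and the example.invalid base URL are constructed placeholders.

```python
import re
from urllib.parse import urljoin
# Constructed headers modelled on the nikto/Firebug output in the write-up;
# the Link value is illustrative, not captured traffic.
SAMPLE_HEADERS = {
    "Link": '</flag2.jpeg>; rel="stylesheet", </login.html>; rel="next"',
}
# Constructed stand-in for the negotiated resource; bodies are placeholders.
FLAG2_VARIANTS = {
    "image/jpeg": b"<jpeg bytes>",
    "text/css": "body{} /* oh never mind, my credentials are in a text file */",
    "text/plain": "password reminder: <flag placeholder>",
}
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^,;]+)*)')

def parse_link_header(value):
    """Parse an RFC 5988 Link header into [(target, {param: value}), ...]."""
    links = []
    for m in _LINK_RE.finditer(value):
        params = {}
        for piece in m.group(2).split(";"):
            key, _, val = piece.strip().partition("=")
            if key:
                params[key.lower()] = val.strip().strip('"')
        links.append((m.group(1), params))
    return links

def linked_resources(headers, base="http://example.invalid/"):
    """Resolve each Link target against the page URL, paired with its rel."""
    return [(urljoin(base, uri), p.get("rel", ""))
            for uri, p in parse_link_header(headers.get("Link", ""))]

def parse_accept(accept):
    """Return [(media_type, q)] ranked by descending q, as a server would."""
    ranked = []
    for part in accept.split(","):
        pieces = [p.strip() for p in part.split(";")]
        q = next((float(p[2:]) for p in pieces[1:] if p.startswith("q=")), 1.0)
        ranked.append((pieces[0], q))
    return sorted(ranked, key=lambda t: -t[1])

def negotiate(accept, representations):
    """Return (media_type, body) for the best-ranked acceptable variant, else
    None. A stylesheet load ranks text/css first, so the browser and the
    replayed curl got CSS; only an explicit text/plain reaches the text body."""
    for wanted, q in parse_accept(accept):
        for mtype, body in representations.items():
            if q > 0 and wanted in (mtype, mtype.split("/")[0] + "/*", "*/*"):
                return mtype, body
    return None
```

The same negotiation view is what a defender wants when reviewing a server that varies responses on Accept: every variant of a path is a separate artefact to inspect, not just the one the browser happens to render.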
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond