Aidan Dunn

Aidan Dunn

Aspiring Information Security person. I post as I learn.

Crikey Con 2019 Free Ticket Challenge

3 minute read

I was reading a Medium post about the OSCP from Luke Stephens (his Twitter) a few days ago and I noticed he had another article titled “How I Hacked My Way to a Free CrikeyCon Ticket and a New Job”. This looked interesting. It was interesting and I decided to follow Luke on Twitter. I then saw the 2019 edition of the CrikeyCon free ticket challenge and thought it would be a fun idea to give it a shot, whether or not I intended to go in the running for the free ticket itself.

One of the recruiters from Humanised Group (Australian recruiting company) posted this picture:

Poster

So, our starting point is this string from the twitter post.

It looks like a Base64 string. Lets try to decode it. My favorite tool for this is CyberChef.

Running it through the Base64 decoder, we see some sort of pattern here.

Base64 decode

In these CTF style challenges, simple substitution ciphers are popular. My first thought was to try the most obvious one, ROT13.

Rot13

Success! What do we have? A string that corresponds to a IP address.

Navigating to the IP address we see a message about DNS.

IP

Trying a DNS lookup tool (or even running something like Traceroute or going to the Shodan page for that IP) returns the real domain name. The tool I like to use is View DNS.

DNS

What’s here? A site with a form with a search box for the users and some indication about a database. The user droppyadmin seems like a subtle hint to an SQL Injection vulnerability (relevant xkcd).

Correction: I discovered that ‘droppy’ is actually the name of the con mascot (the koala in the picture at the top of this page).

SQL Vulnerability

I fired up SQL map and ran a test on the /?query= field.

sqlmap -u humanisedcc2019challenge.crikeycon.com/index.php?query=

Whaddayaknow, it’s vulnerable. sqlmap shows us what the payload looks like:

SQL Vulnerability

Lets see what tables we have in the database:

sqlmap -u humanisedcc2019challenge.crikeycon.com/index.php?query= --tables

We see there is a users table. Lets dump that:

sqlmap -u humanisedcc2019challenge.crikeycon.com/index.php?query= -T users --dump

The result for droppyadmin’s homefolder is a subdirectory called:

http://humanisedcc2019challenge.crikeycon.com/droppysmegasecretsuperhomedir2019

Navigating to that URL we see the next step:

Hidden DirectoryThere is a hidden subdirectory with the name of a month plus one of the previous years of CrikeyCon. Looking on the crikeycon.com website archives I notice that there was a 2017 and 2018 con. The twitter account begins in 2014 and scrolling through confirms there was also a 2014, 2015 and 2016 con.

I tried a couple by hand to see if I could get lucky. No cigar. Time to brute force.

I wrote a quick and dirty bash script to generate my wordlist:

Wordlist

And off to gobuster (dirbuster works well too if you want a GUI):

gobuster -u http://humanisedcc2019challenge.crikeycon.com/droppysmegasecretsuperhomedir2019/ -w list.txt

We find our hidden directory is called November2016. In here we find an image with the name and logo of the company that made this challenge along with the following text:

Good job, you made it this far…in the image below is the email address and subject you need to use to email to be in the running for a free CrikeyCon2019 ticket. Trust me, the info is in there….somewhere :)

After downloading the image, the first step is to see if there’s anything wrong with the image. I like to use an online tool called Foto Forensics as my starting point. Nothing wrong there.

Next we want to see if there are any files hidden in the image. Using binwalk, we can see there is a ZIP file hiding away.

binwalk HumanisedPic.jpg

We can extract the zip with a tool like foremost.

foremost HumanisedPic.jpg

We see there’s also a text file inside the zip folder called Congratulations.txt. Using 7zip we extract the Congratulations.txt file from the zip.

7z e *zipname*

And there we have it. The contact information to be into win the free ticket. Not a difficult challenge by most CTF standards, but an enjoyable test nevertheless. It should be noted that although this writeup seems brief and to the point, it did take me a couple of hours and I had to think about what I needed to do (and try a few things that didn’t work) at some of the steps. I am still a beginner after all.

Thanks to Humanised Group for the fun challenge.

Updated:

Leave a comment

You may also enjoy

HackTheBox Curling Writeup

7 minute read

Curling is an easy rated Linux box on www.hackthebox.eu worth 20 points. This is my second ever box on HTB so I’m still learning the ropes.

Pi Hole Your Life

6 minute read

These days most of us use some form of an ad blocker on our web browsers (if you don’t already, uBlock Origin is the place to start). Ads are not only annoyi...

Two Factor Authentication with 1Password

2 minute read

There’s a lot of chatter in the information security community how SMS 2FA is awful, and with all the recent high-profile cases of sim swapping attacks due t...

Changing my Password Mentality

4 minute read

When I was a bit younger, I used to have a favourite password for everything. Given that I’m still not that old, my ignorance was not that damaging. I still ...