Scavenger Hunt
Opening up the last challenge from stage1:
There is a flag hidden somewhere on our website, do you think you can find it? Good luck!
OK, it should not be too difficult to find the flag. The most efficient way is probably to download the whole website and grep through it locally. Let's log in to our Linux machine for this.
Downloading the website with wget (-r recurses into links, -l 10 caps the recursion depth; note that -m is --mirror and takes no argument, so there is no depth number to give it):
wget -r -l 10 "https://play.icec.tf"
we got the following content:
sami@SNIPER:~$ cd play.icec.tf/
sami@SNIPER:~/play.icec.tf$ ls
forgot_password index.html login static
Hmm, something is not quite right here. There is much more content on the website than this. Ah right, we need to log in to get access to all the pages. Let's log in with Firefox and grab the GET request that follows the login POST from Firefox's Network Monitor. It can copy a request as a curl command, complete with headers. The only header that actually authenticates us is the Cookie header with the session cookie (treat that value like a password); the rest are just what the browser sent. Our request looks like this:
curl "https://play.icec.tf/team/" --2.0 -H "Host: play.icec.tf" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3" --compressed -H "Referer: https://play.icec.tf/login/" -H "Cookie: __cfduid=dce17d4a95816c30948a9866c92bc47351471894222; _ga=GA1.2.1784704268.1471894224; _gat=1; session=.eJwNyVsOgjAQQNGtkPkmbHQVugZ9YEjTTh8gpQWm9QFh7_J1k3M34EiL4TEM2gMDe5FzkXR81U1hlKJm9d_S_7a1k02OIYmSdYfyHcsbrjSo-m5Gb-aERVw-whLkwI0T1GkC7twgi0dg1ETC6mM-gu19RgnxIJPcCdq8zSGRXnivgJ1vVbX_AcVTNII.CqL-IQ.2pBipnNktGSAMmK-w_ruHPMryiI" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1"
We can use this almost directly with wget: replace every "-H" with "--header", and drop --compressed, --2.0 and the leading curl.
wget -r -l 10 "https://play.icec.tf/team/" --header "Host: play.icec.tf" --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" --header "Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3" --header "Referer: https://play.icec.tf/login/" --header "Cookie: __cfduid=dce17d4a95816c30948a9866c92bc47351471894222; _ga=GA1.2.1784704268.1471894224; _gat=1; session=.eJwNyVsOgjAQQNGtkPkmbHQVugZ9YEjTTh8gpQWm9QFh7_J1k3M34EiL4TEM2gMDe5FzkXR81U1hlKJm9d_S_7a1k02OIYmSdYfyHcsbrjSo-m5Gb-aERVw-whLkwI0T1GkC7twgi0dg1ETC6mM-gu19RgnxIJPcCdq8zSGRXnivgJ1vVbX_AcVTNII.CqL-IQ.2pBipnNktGSAMmK-w_ruHPMryiI" --header "Connection: keep-alive" --header "Upgrade-Insecure-Requests: 1"
Boom, works like a charm. We now have much more content to look through:
ls play.icec.tf/
cdn-cgi forgot_password index.html problem-static shell tickets
challenges login logout scoreboard static user
OK, let's start searching:
grep -r "icectf" "play.icec.tf/"
Ugh, too much output.
grep -r "icectf{" "play.icec.tf/"
What, nothing? Oh right, grep is case-sensitive.
grep -r "IceCTF{" "play.icec.tf/"
Now we get a manageable set of hits. First, the rules page with the example flag:
In this capture the flag competition you're hunting for these strings, we call them "flags". These flags always begin with "IceCTF{" followed by a message in 1337sp34k and end with "}". Here's an example flag "IceCTF{h3l10_wr0ld}"
We have the Sandcastle challenge instructions:
This flag is not in the standard flag format. The flag contains digits and no special characters, convert the message to lowercase and then add IceCTF{message} to it.
We have a team name on the scoreboard:
play.icec.tf/scoreboard/index.html: <tr class="teamrow ineligible visible"><td class="rank"></td><td>Laks og Nødder</td><td>IceCTF{th1s_1s_n07_4_fl49}</td><td>226</td></tr>
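The mirror-and-grep workflow used above, written up as an added example (this is not code from the original write-up): wget is given only the header that matters, the session cookie, and the grep pattern is tightened to the flag alphabet so that the rules text ("begin with "IceCTF{" followed by ...") does not produce a run-on match, while player-controlled scoreboard names can be excluded. The mirror tree, file names and flag strings below are constructed for offline testing; the hypothetical `mirror_site` helper is defined but not run, since it needs network access and a real cookie.

```shell
#!/bin/sh
# Added example, not part of the original write-up. The sample mirror tree
# below is constructed; the real challenge site and cookie are not contacted.

# Mirror an authenticated site the way the write-up does, but pass only the
# header that actually logs us in: the session cookie. The User-Agent, Accept,
# Referer etc. copied from the browser are not needed for this.
# -r recurse, -l 10 depth limit, -np never climb above the start directory,
# -q quiet. (wget honours robots.txt when recursing; add -e robots=off if
# pages you expect are missing.)
# Usage (hypothetical): mirror_site https://play.icec.tf/team/ 'session=...'
mirror_site() {
    url=$1
    cookie=$2
    wget -r -l 10 -np -q --header "Cookie: $cookie" "$url"
}

# Build a small constructed mirror tree reproducing the three kinds of hit
# from the write-up: the rules page example flag, a decoy flag used as a
# scoreboard team name, and the real flag hidden in an <img alt="..."> attribute.
# A lowercase "icectf{...}" is included to show the search stays case-sensitive.
make_sample_mirror() {
    dir=$(mktemp -d)
    mkdir -p "$dir/play.icec.tf/scoreboard" "$dir/icec.tf/sponsors"
    cat > "$dir/play.icec.tf/index.html" <<'EOF'
<p>These flags always begin with "IceCTF{" followed by a message in 1337sp34k and end with "}". Here's an example flag "IceCTF{h3l10_wr0ld}"</p>
<p>lowercase icectf{n0t_4_fl4g} must not match a case-sensitive search</p>
EOF
    cat > "$dir/play.icec.tf/scoreboard/index.html" <<'EOF'
<tr class="teamrow"><td class="rank"></td><td>Some Team</td><td>IceCTF{th1s_1s_n07_4_fl49}</td><td>226</td></tr>
EOF
    cat > "$dir/icec.tf/sponsors/index.html" <<'EOF'
<img class="activator" src="/static/images/logos/syndis.png" alt="IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}">
EOF
    echo "$dir"
}

# Flag pattern: "IceCTF{" + 1337sp34k/underscores + "}". Restricting the body
# to [A-Za-z0-9_] (instead of [^}]) is what stops the rules sentence
# 'begin with "IceCTF{" followed by ... end with "}"' from matching as one
# huge bogus flag. Case-sensitive on purpose: the format is IceCTF{...}.
FLAG_RE='IceCTF\{[A-Za-z0-9_]+\}'

# Every distinct flag-shaped string under a mirror directory.
# -r recurse, -h drop file names, -o print only the matched text, -E ERE.
# LC_ALL=C gives a deterministic (byte-order) sort regardless of locale.
find_flags() {
    grep -rhoE "$FLAG_RE" "$1" | LC_ALL=C sort -u
}

# Same, but keep file:line so you can see which hits live in the scoreboard.
find_flags_with_files() {
    grep -rnoE "$FLAG_RE" "$1"
}

# Drop the scoreboard: team names are player-controlled, so a flag-shaped
# string there is a decoy, not something the organisers hid.
find_flags_excluding_scoreboard() {
    grep -rhoE "$FLAG_RE" --exclude-dir=scoreboard "$1" | LC_ALL=C sort -u
}

sample=$(make_sample_mirror)
echo "All flag-shaped strings with their source files:"
find_flags_with_files "$sample"
echo "Distinct candidates:"
find_flags "$sample"
echo "Candidates excluding the scoreboard:"
find_flags_excluding_scoreboard "$sample"
rm -rf "$sample"
```

Running it lists the example flag, the scoreboard decoy and the alt-attribute flag as candidates, and only the first and last once the scoreboard is excluded; the lowercase decoy never appears. Adding -i to the grep would pull it in, which is why the case-sensitive search is kept.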
I can confirm that the scoreboard entry was not the flag. Hmm, what is going wrong here? Why can't I find the flag when I have the whole site? Could it be encoded? In stage 1?
I decided to head to bed and think about it more some other time (it's 3am again!).
We were thinking about this together with my colleague, the other member of our CTF team, and then we noticed it. Damn, the home page of IceCTF is not the subdomain play.icec.tf, it is the main domain www.icec.tf. We have another place to look!
This one has no login, so we can just wget it recursively:
wget -r -l 10 "https://icec.tf"
sami@SNIPER:~/play.icec.tf/icec.tf$ ls
about apple-touch-icon-180x180.png challenges index.html
android-chrome-192x192.png apple-touch-icon-57x57.png contact manifest.json
apple-touch-icon-114x114.png apple-touch-icon-60x60.png faq sponsors
apple-touch-icon-120x120.png apple-touch-icon-72x72.png favicon-16x16.png static
apple-touch-icon-144x144.png apple-touch-icon-76x76.png favicon-32x32.png
apple-touch-icon-152x152.png cdn-cgi favicon-96x96.png
A bunch of stuff. Let's try our luck this time.
sami@SNIPER:~/play.icec.tf/icec.tf$ grep -r "IceCTF{"
sponsors: <img class="activator" src="/static/images/logos/syndis.png" alt="IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}">
There we go, much better!
We found our flag in the HTML source, in the alt text of the Syndis logo. :P
IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}
Nice challenge. It made me learn how to pass headers with wget (even though that turned out not to be needed!).