RootCon14 CTF: Sour Wine Web Challenge Write Up

Alexis Lingad
3 min readSep 23, 2020

--

Our team (Hackuna Beta) was the first team that managed to get this web challenge (and even the first to get a flag in web category) so I have this urge to share how we get the flag in this challenge.

CHALLENGE:
-We are given a web server in http://139.180.145.207, nothing more, nothing less.
-The web server has a home page with a picture in it:

  • It also has a text below the image: “tmmcmvwtxkmqlnljxjva64znugaogmgfydik”

ENUMERATION:
1. We checked first the robots.txt but it redirect as in its 404 error page with a text “NOPE”
2. We check the directories using dirsearch, dirb, and gobuster but found nothing, except to the images directory that I thought there’s some hidden clues in those images but there’s none
3. We also check the source code and it has this line of code:
<img src=”../images/totallyweb.PNG” alt=”N20xWVNxR3VxbnBheWR4TFFudEV4dVpya2pSb0dyMzRhR1RpazZlN0IzckM=” class=”center”>
We decode the N20xWVNxR3VxbnBheWR4TFFudEV4dVpya2pSb0dyMzRhR1RpazZlN0IzckM= using base64 and we found this:
7m1YSqGuqnpaydxLQntExuZrkjRoGr34aGTik6e7B3rC
We have this strategy that before we dig deeper in a possible rabbithole, we must enumerate first the whole thing so I’ll let this pass for now
4. In this kind of situation, the only thing that we are not yet enumerating is the code below the image: tmmcmvwtxkmqlnljxjva64znugaogmgfydik
Using the online encryption analyzer tool here: https://www.boxentriq.com/code-breaking/cipher-identifier
we managed to identify that this is possibly a Vigenere cipher

5. Here’s the hard part that took the team several hours to find out, the KEY. In Vigenere cipher, you need a key to decode something. Few hours before the RootCon CTF ends, one of my teammates discover that the possible key was related to jojo’s bizzare adventures just because the photo is inline with that anime series. Well, I’m not familiar with that anime so I really do not have idea. Then we come up with the key bizarreadventures and we got the message:
sencvestupidstuffinb64zwdcallitmemes
Using manual substitution, you can come up with this kind of message:
send stupidstuff in base 64 call it memes
6.
Since this is web, we come up with having a parameter called “meme” as it says and send a base64 encoded word called stupidstuff as it says which is c3R1cGlkc3R1ZmY=
What we actually visit:
http://139.180.145.207/?memes=c3R1cGlkc3R1ZmY=
7.
We got the flag there:
RC14{0xhell0fr13ndtyf0rm3m3s}

OPINION:
The challenge is somehow “forced” to be web in my opinion since it is full of crypto things. I appreciate the work of those people who worked hard to make this challenge. I also create challenges for my HackWar platform and I know the grueling process and how hard it is to come up with this kind of challenge. Overall, we had fun and enjoyed the RootCon 14 CTF! Till next CTF.

SCOREBOARD before the CTF ends:

--

--

Alexis Lingad

CRTO | OSWP | eCPPT | eCDFP | eWPT | CEH | Author of Cyber Defender | Creator of Hackuna Anti-Hack | WTH Hacker Games Champion 2015&2017 | alexislingad.org