CTFtime.org

Security report

by syssec-bs / syssec

Rating: 5.0

**This is a possible solution, provided by Syskron Security.**

The challenge description contains an encrypted message and an encrypted attachment. The sender used an OpenPGP key, which was formerly used by BB Industry. You also learn about "Marie Lučanová," who updates the OpenPGP keys on the Senork website.

## Find and download the .git folder
On https://[_link removed as it is unavailable now_]/.git/, you find an exposed Git folder. Exposed Git folders can contain secrets that shouldn't be on the internet. This was several times in the news in 2020. There is even a new tool, [Gitjacker](https://github.com/liamg/gitjacker), for this.

Download the .git folder (e.g., use wget: `wget --recursive --no-parent [link]`).

## Investigate the repository to find a private OpenPGP key
After downloading the repo, you can use the usual `git` commands to investigate the repo. This will ultimately reveal a private OpenPGP key that was quickly replaced by a new key pair. You can restore the key by entering `git checkout 7872f1`.

## Get the password for the private OpenPGP key
The private OpenPGP key was encrypted. However, we know that "Marie Lučanová" manages the keys. So, you can try her password from the leaked password database (Leak audit challenge). It actually works.

## Decrypt the message and attachment
You can use the decrypted private OpenPGP key to decrypt the message and attachment. For this step, you need to use CyberChef (this was a known bug in the challenge communicated to all participants).

## Investigate the message and pcap file
The message points to a security vulnerability in BB's products. It contains a password as proof ("Pa22w0rD1232132!"). In the pcap file, you can find cleartext FTP traffic. The "ftp-data" contains folder structures and a transmitted backup file (hmi_backups2.zip). You can extract this file, using Wireshark, for instance.

## Decrypt hmi_backups2.zip
The last step is decrypting the hmi_backups2.zip file, using the password provided by the security researcher in the e-mail. The file hmi7_backup1002 contains the flag.

Flag: `syskronCTF{vu1n3R4b1llTy f0und!}`

Comments