Another year, another CrikeyCon. And with it, a new free ticket challenge.

new challenge tks crikey luv u (n u 2 humanised)

Again, like last year, I already had a ticket. But I thought I’d give it a go anyway.

Looks like base64, so let’s do a quick decode.

is base64

Now that almost looks like an IP address. I went through a few different encodings before I figured this one out. Adding up the numerical value of all the letters actually gives a valid IP, but unfortunately it wasn’t the correct one.

But let’s try ROT13 (using command line so I look cool).

so much cooler than copy+paste into rot13.com

Pretty self-explanatory. Go to 149.28.189.150.

good joke

Accessing the site the wrong way…? DNS…? Maybe I need the proper URL. Maybe there’s a PTR record that’ll map the IP to a domain name…

so much cooler than searching on mxtoolbox.com

Look at that. A nice happy domain name. Let’s take a look now.
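For anyone who wants the PTR step in code rather than a dig one-liner, here is an added example (mine, not from the original post). It builds the in-addr.arpa name the resolver actually queries, asks the system resolver for the PTR, and then does the check a defender would want: a PTR is set by whoever controls the reverse zone, so the name should be confirmed by resolving it forward again. The `resolve` callback is an assumption I added so the forward check can be exercised offline; the real lookups need network access.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Added example (not from the original post): mapping the challenge IP back to a
# name with a PTR lookup, plus a forward-confirmation check before trusting it.


def ptr_name(ip: str) -> str:
    """Reverse-lookup name the resolver queries for an address.

    For IPv4 the octets are reversed under in-addr.arpa; the stdlib builds the
    name for us (and handles the ip6.arpa nibble form for IPv6 as well).
    """
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip: str) -> Optional[str]:
    """Ask the system resolver for the PTR record; None when there is none (needs network)."""
    try:
        host, _aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None
    return host


def forward_addresses(host: str) -> Iterable[str]:
    """IPv4 addresses a name resolves to via the system resolver (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def is_forward_confirmed(
    ip: str,
    host: str,
    resolve: Callable[[str], Iterable[str]] = forward_addresses,
) -> bool:
    """Forward-confirmed reverse DNS: anyone controlling the reverse zone can put
    any name in a PTR, so only accept the name if it resolves back to the IP.
    `resolve` is injectable (an assumption of this example) so the logic can be
    tested without network access."""
    try:
        return ip in set(resolve(host))
    except OSError:
        return False


if __name__ == "__main__":
    ip = "149.28.189.150"  # the address from the challenge
    print(ptr_name(ip))
    host = reverse_lookup(ip)
    print(host, is_forward_confirmed(ip, host) if host else "no PTR record")
```

`ptr_name("149.28.189.150")` gives `150.189.28.149.in-addr.arpa`, which is exactly the name `dig -x` sends; the forward check is the part a casual `dig -x` skips.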

so safe, so secure

Now I guess I need to find the home folder URL. Let’s test out the search function by entering “test”.

is GET parameter

Cool, the search runs off a GET parameter. I suck at SQL injection, and this one wouldn’t give me any errors, so I brought out the sledgehammer and used sqlmap.

overkill billy, y u do dis
success

Looks like we’ve got injection. What’s the database we’re playing with?

y
found

Looks like we’re using userdb. Let’s see what tables there are.

it literally gives you the query. git gud and inject manually
no u

Surprise surprise, it’s a users table. Called users. Let’s dump all the info inside.

dump it all, johnny
cool cool
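The site’s own code isn’t in the post, so here is an added example (mine, not the challenge’s) of the bug class sqlmap found: a search box that pastes its GET parameter straight into the SQL text, next to the parameterised version that closes the hole. The `users` table and its rows are constructed for the example; only the table name echoes the challenge.

```python
import sqlite3
from typing import List

# Added example, not the challenge site's code: a constructed stand-in for the
# search on the "userdb" site, with the string-built query beside the fixed one.


def make_db() -> sqlite3.Connection:
    """Constructed users table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, homedir TEXT)")
    conn.executemany(
        "INSERT INTO users (username, homedir) VALUES (?, ?)",
        [("alice", "/home/alice"), ("bob", "/home/bob"), ("admin", "/home/hidden")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> List[str]:
    """The GET parameter is formatted into the SQL text, so a quote in `q`
    ends the string literal and the rest of `q` is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, q: str) -> List[str]:
    """Same search; the value is bound as a parameter and never parsed as SQL.
    (% and _ inside q are still LIKE wildcards; add an ESCAPE clause if that matters.)"""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


# Classic tautology payload: the -- comment swallows the query's trailing %'
INJECTION = "x%' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "test"))        # [] : no error, no rows, looks harmless
    print(search_vulnerable(conn, INJECTION))     # every username: the WHERE clause was rewritten
    print(search_parameterized(conn, INJECTION))  # [] : the payload is just a string to search for
```

Note what “wouldn’t give me any errors” looks like from the server side: the vulnerable query with `test` behaves perfectly normally, and the tautology returns rows rather than an exception, which is why sqlmap gets to play inference games instead of reading error messages. The parameterised query treats the same payload as a literal search term.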

Alright, let’s check out this megasecretsuperhomedir.

i will find it, how dare ye

Now, there are two methods you could go down. Find the six CrikeyCon dates (this is CrikeyCon VI) and test ’em manually, or just generate a big ol’ wordlist with all the combinations and bruteforce the URLs.

I went for the latter.

Let’s make our wordlist. First the months, then the years, then script up combining them.

months
years
fancy one line script

Let’s check if that worked. Gonna cat the file…

worked

Now let’s bruteforce it. I use gobuster, which I installed with apt install gobuster. Some people prefer to compile it from source with the Go toolchain. Those people are wrong.

crikeycon iii

Now let’s take a look inside…

it’s INSIDE the computer

Info I need is inside the image. Let’s be good little boys and check inside.

no fun exif data 🙁
filenames r gud

Looks like there are file(s) to extract. I followed this fantastic resource on how to extract the file.

Firstly, find the byte position of the end of the JPEG (looking for 0xffd9, the JPEG end-of-image marker).

We can see that 0xffd9 is split over the 4th and 5th byte after 0x00017dc0, so the embedded file starts at 0x00017dc5 and we need to skip that many bytes. But what’s that in decimal?

bash iz c00l

Alright, now let’s extract that file.

Did it work?

ye

Alright, let’s grab the file inside.

And let’s see what’s inside.
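Eyeballing a hexdump for ff d9 works for a CTF image, but it is fragile: an EXIF thumbnail carries its own ff d9 (so the first hit can be wrong) and a zipped JPEG in the trailer carries one too (so the last hit can be wrong). Here is an added example (mine, not from the post or the resource it links) that finds the real end of image by walking the JPEG’s marker segments and the scan data, reports the offset in hex and decimal like the dd/bash step above, and carves whatever follows. The sample bytes are constructed for the example and are not a decodable picture.

```python
import struct
from typing import Dict

# Added example, not from the original post: locate the genuine end-of-image
# marker by parsing the JPEG structure, then carve the appended trailer.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# TEM, SOI and RST0..RST7 are markers with no length field
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def find_jpeg_end(data: bytes) -> int:
    """Offset of the first byte after the EOI marker that really ends the image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        while pos < n and data[pos] == 0xFF:  # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= n:
            break
        marker, pos = data[pos], pos + 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            break
        pos += struct.unpack(">H", data[pos:pos + 2])[0]  # length covers its own 2 bytes
        if marker == SOS:
            # Entropy-coded data follows: ff00 is a stuffed byte and ffd0..ffd7 are
            # restart markers, both part of the scan; any other ffxx ends the scan.
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
                        break
                pos += 1
    raise ValueError("no EOI marker found (truncated file?)")


def carve_trailer(data: bytes) -> Dict[str, object]:
    """Where the image ends (hex and decimal, as dd's skip= wants it) and what follows."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    return {"end_hex": f"{end:#x}", "end_dec": end, "trailer_len": len(trailer),
            "trailer_magic": trailer[:4], "trailer": trailer}


def segment(marker: int, payload: bytes) -> bytes:
    """Marker + 2-byte length (including itself) + payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", 2 + len(payload)) + payload


def build_sample() -> bytes:
    """Constructed JPEG-shaped bytes: a decoy ff d9 inside an APP1 segment, a scan
    with stuffed and restart bytes, then a zip-like trailer that also contains ff d9."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\x00\x00" + b"\xff\xd8\x00\x11\xff\xd9"       # thumbnail-style decoy
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\xd9\x78"               # ff00 stuffing, RST0, bare d9
    jpeg = b"\xff\xd8" + segment(0xE0, app0) + segment(0xE1, app1) + segment(SOS, sos) + scan + b"\xff\xd9"
    return jpeg + b"PK\x03\x04constructed trailer with its own \xff\xd9 inside"


if __name__ == "__main__":
    info = carve_trailer(build_sample())
    print(info["end_hex"], info["end_dec"], info["trailer_len"], info["trailer_magic"])
    # offsets the post juggled by hand: hex to decimal is one int() call
    print(int("0x00017dc5", 16))
```

On a real file, `carve_trailer(open(path, "rb").read())["trailer"]` is the same byte range that `dd ... skip=<end_dec> bs=1` would copy out, and `trailer_magic` tells you straight away whether you are looking at a zip (`PK\x03\x04`) or something else. A non-empty trailer on an image that should be just a photo is also a cheap thing to flag in a detection pipeline.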

There were definitely a lot more steps and challenges than in last year’s challenge (see below). Anyways, CrikeyCon 2019 should be great!