Another year, another CrikeyCon. And with it, a new free ticket challenge.

Again, like last year, I already had a ticket. But I thought I’d give it a go anyway.
Looks like base64, so let’s do a quick decode.

Now that almost looks like an IP address. I went through a few different encryptions before I figured this one out. Adding up the numerical value of all the letters actually gives a valid IP, but unfortunately wasn’t the correct one.
But let’s try ROT13 (using command line so I look cool).

Pretty self-explanatory. Go to 149.28.189.150.

Accessing the site the wrong way…? DNS…? Maybe I need the proper URL. Maybe there’s a PTR record that’ll map the IP to a domain name…

Look at that. A nice happy domain name. Let’s take a look now.

Now I guess I need to find the home folder URL. Let’s test out the search function by entering “test”.

Cool, works on a GET parameter. I suck at SQL injection, and this wouldn’t give me any errors, so I brought out the sledgehammer and used sqlmap.


Looks like we’ve got injection. What’s the database we’re playing with?


Looks like we’re using userdb. Let’s see what tables there are.


Surprise surprise, it’s a users table. Called users. Let’s dump all the info inside.


Alright, let’s check out this megasecretsuperhomedir.

Now, there’s two methods you could go down. Find the six CrikeyCon dates (this is CrikeyCon VI) and test’em manually, or just generate a big ol’ wordlist with all the combinations and bruteforce the URLs.
I went for the latter.
Let’s make our wordlist. First the months, then the years, then script up combining them.



Let’s check if that worked. Gonna cat the file…

Now let’s bruteforce it. I use gobuster, which I installed with apt install gobuster. Some people prefer to compile the golang from source. Those people are wrong.

Now let’s take a look inside…

Info I need is inside the image. Let’s be good little boys and check inside.


Looks like there are file(s) to extract. I followed this fantastic resource on how to extract the file.
Firstly, find the byte position of the end of the JPEG (looking for 0xffd9).


We can see that 0xffd9 is split over the 4th and 5th byte after 0x00017dc0. So we need to skip past 0x00017dc5. But what’s that in decimal?

Alright, now let’s extract that file.
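
As an added example (not part of the original write-up), this Python code finds the end of a JPEG by walking its segments rather than searching for the first 0xffd9, which can also sit inside an embedded thumbnail, and returns whatever is appended after it. The function names are made up for the example and SAMPLE is constructed bytes, not the challenge image.

```python
EOI, SOS, TEM = 0xD9, 0xDA, 0x01
RST = range(0xD0, 0xD8)  # restart markers RST0-RST7, no length field


def jpeg_end(data: bytes) -> int:
    """Return the offset just past the real EOI marker (0xffd9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF or marker == TEM or marker in RST:
            pos += 1 if marker == 0xFF else 2  # fill byte or bare marker
            continue
        # Every other segment carries a 2-byte big-endian length that
        # includes itself; skipping it also skips thumbnails inside APPn.
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:
            # Entropy-coded data follows: 0xff00 is a stuffed byte and RSTn
            # restarts the scan, so neither of them ends the image.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in RST:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def split_trailer(data: bytes) -> tuple[bytes, bytes]:
    """Split a file into the JPEG itself and any bytes appended after it."""
    end = jpeg_end(data)
    return data[:end], data[end:]


# Constructed sample: SOI, an APP1 segment holding a fake thumbnail with its
# own 0xffd9, an SOS header, scan data, the real EOI, then appended bytes.
SAMPLE = (
    b"\xff\xd8" b"\xff\xe1\x00\x08\xff\xd8\xaa\xbb\xff\xd9"
    b"\xff\xda\x00\x04\x01\x00" b"\x12\xff\x00\x34\xff\xd0\x56"
    b"\xff\xd9" b"PK\x03\x04constructed"
)
```

On SAMPLE, a plain search for the first 0xffd9 stops inside the APP1 segment, while the segment walk stops at the real end of the image.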

Did it work?

Alright, let’s grab the file inside.

And let’s see what’s inside.

There were definitely a lot more steps and challenges than the previous challenge last year (see below). Anyways, CrikeyCon 2019 should be great!