Keyword of the day (4 points)
Ahoy, officer,
one of deck cadets (remember your early days onboard) had a simple task to prepare simple web application to announce keyword of the day. He claimed that the task is completed, but he forgot on which port the application is running. Unfortunately, he also prepared a lot of fake applications, he claims it was necessary for security reasons. Find the keyword of the day, so daily routines on ship can continue.
May you have fair winds and following seas!
The webs are running somewhere on server keyword-of-the-day.cns-jv.tcc
.
Hints
- Use VPN to get access to the server.
Solution
The description indicates that there should be many websites/applications on the host. Let's scan.
Note: If you forget to include the "scan all ports" flag when invoking nmap
the scan will yield just one of them.
Therefore, I am very grateful to the orgs that they included this hint in the task description.
$ nmap keyword-of-the-day.cns-jv.tcc -p-
Nmap scan report for keyword-of-the-day.cns-jv.tcc (10.99.0.155)
Host is up (0.035s latency).
Not shown: 65301 closed tcp ports (conn-refused)
PORT STATE SERVICE
60000/tcp open unknown
60004/tcp open unknown
...(a lot of ports omitted for clarity)...
60494/tcp open unknown
60495/tcp open unknown
If we try to open any of those websites we'll find out that it does something (obfuscated JS) for a while and then displays a random smiley face. Let's check if all these webpages differ somehow. I.e. let's save all of them to the filesystem, calculate checksums and check how many of each there are.
$ nmap keyword-of-the-day.cns-jv.tcc -p 60000-60495 | grep -o "^60..." | while read port; do curl -s http://keyword-of-the-day.cns-jv.tcc:$port > $port.html; done
$ sha1sum.exe 60*html > checksum.sha1
$ cut -d' ' -f1 checksum.sha1 | sort | uniq -c
11 04a8b02794407ca56e089e5d76783c64438e2ff5
9 04c927a3fb8704ea3c9421b4d33873c3e42b9e0c
10 1306b0177fcb4407611f91f193dab1258ef9c57c
1 15085c50f48be6d21bb9881a80451f51a7391946
10 31f2a6a9038f5d6ebaffc90db6ea4a98274ccc6d
10 41a5c86a6ff7eface468f107db4d6f4a463d3812
10 499e748319507810a3ec1cba361e5721c90d5602
10 5300b5846b82302c9098f315db96f1464ae20aad
10 5fe4c48d6913031c39d22cac958885cfc81fa7de
9 69b72c3a9327260e170c1f9855beb8f00155e191
10 6d809ad4ebeb30ae98e2936b2a65b731c14c2b7a
10 6f96637d24cab3e47bb595d49de4f7ffd82e2760
7 74bd7fa1033b6d1e9b526c734910450d3718d82c
9 9a1b61d3c3f60173af554be565fe1355f1cfedd8
10 a22722eea8b1462344806ef4a55c39bfbab0f4f7
10 a6a07f13dfcd6fb21d15a29703b64d18a914a7b0
10 ab6fa176220296048dada88bc0a4c9652834c34f
9 b259b2b91c0eb0d98a6446e6a0b11ffb3b16aab2
10 b40b802572180f240414250e65127f2e5508698c
8 b4a759e04c9ce55468e6f35cf6226335704c0e32
10 c8535da07047918de995eff8b31f236e2bd85344
10 cfdf1674fbd7ae293583aa03389b28143ac50509
10 d5b36ad6807864195c0a7797d0bee76f02e671a7
10 e053a54405d43a934e9091cef52bdb2f3c488c09
11 f1c55f90bdae8dce2ea1fe02587c0fbc991208dc
It seems that even though there really are many versions of the app, there are just 25 unique ones. Even more interestingly, one of them appears only once. Let's check which one it is.
$ grep 15085c50f48be6d21bb9881a80451f51a7391946 checksum.sha1
15085c50f48be6d21bb9881a80451f51a7391946 *60257.html
Let's open the one running on port 60257
then.
Now we just need to open the correct URL to retrieve the flag