Want to join ESET as a pentester?

As the title says, do you want to join ESET? There is an ESET link where you can prove your skills and send the report to [email protected] . In this post I will share write-ups for some of the challenges.

Do not read on if you seriously want to solve these by yourself.

*Tests were done using the Firefox browser.

Leaked Password

Task: We received a report that information is leaking: the server is sending out the passwords. There is nothing in the HTML code of the page. Send us the username and leaked password.

Solution: In Firefox, open Inspect Element. When you send the GET request you will see the following in the response headers:

Authorization: Basic cGVudGVzdDE6a1RON2NlSlU4aw==

Screenshot

It is a base64-encoded string.

$ echo cGVudGVzdDE6a1RON2NlSlU4aw== | base64 -d
pentest1:kTN7ceJU8k
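The same decoding, done programmatically, is a useful check to run over captured traffic or log exports when you are hunting for exactly this kind of leak. The script below is an added example, not part of the original post: it scans header lines for Basic credentials and decodes them. The header block is constructed for the example; only the Authorization value is the one shown above.

```python
import base64
import binascii

# Constructed sample of captured HTTP header lines. The Authorization value is the
# one from the challenge; the other lines are made up for this example.
CAPTURED_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Authorization: Basic cGVudGVzdDE6a1RON2NlSlU4aw==
Set-Cookie: session=abc123; HttpOnly
Proxy-Authorization: Basic bm90LWJhc2U2NA
"""


def decode_basic(value):
    """Decode the credential part of a 'Basic <base64>' header value.

    Returns (username, password), or None if the value is not valid Basic auth.
    Missing '=' padding is tolerated because some clients strip it.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:            # RFC 7617 requires a colon separator
        return None
    return user, password


def find_basic_credentials(header_text):
    """Scan header lines and return a list of (header_name, username, password)."""
    found = []
    for line in header_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if name.strip().lower() not in ("authorization", "proxy-authorization"):
            continue
        creds = decode_basic(value)
        if creds:
            found.append((name.strip(), creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for name, user, pw in find_basic_credentials(CAPTURED_HEADERS):
        print(f"{name}: user={user!r} password={pw!r}")
```

Basic auth is only obfuscation, never encryption; the point of the check is that any header carrying it, whether in a request, a response or a log, is plaintext credentials to anyone who can read it.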

Hidden Files

Task: The administrator stores a backup of important data in a file and downloads it to his computer. The file is protected by having a very long name (more than 100 random characters). Such a long password cannot be guessed by brute force in a short time. The administrator took precautions against robots and forbade including the file in search results. Send us the backed-up password.

Solution: Our hint is here: “The administrator took precautions against robots and forbade including the file in search results.”

Visit https://pentest.join.eset.com/robots.txt

I got a 404 on the other listed files, except for this one.

So download it and unzip it.

$ unzip 99291b7e678c97d443bbf032feaa4851503333aadc3b92693af817cb072ef3d1a4963defdcd25f28dbf56cb85e1e3caddb2de900.zip
Archive:  99291b7e678c97d443bbf032feaa4851503333aadc3b92693af817cb072ef3d1a4963defdcd25f28dbf56cb85e1e3caddb2de900.zip
  inflating: password.txt       	 

$ cat password.txt
Admin password: fjo52fgfg56hw3fdddaqlm

Secret key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32495A90F3FF199D
-- snip --
-----END RSA PRIVATE KEY-----

We got the admin password and the private key.
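The lesson from this challenge is that robots.txt is a public list of paths, not an access control: an unguessable filename stops working the moment it is written down somewhere readable. The following added example (not from the original post) is the audit a defender can run over their own robots.txt before publishing it; the file contents and the backup filename in it are constructed placeholders.

```python
import re

# Constructed robots.txt modelled on the challenge: a Disallow line that points
# straight at a backup archive. The filename is a placeholder, not the real one.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin
Disallow: /backup/db-dump-EXAMPLE-PLACEHOLDER.zip   # "hidden" backup
Disallow: /static/
Allow: /static/css/
Sitemap: https://example.invalid/sitemap.xml
"""

# Extensions that usually mean "a single file someone wanted to hide".
SENSITIVE_EXT = re.compile(r"\.(zip|tar|gz|tgz|bak|old|sql|7z|rar|pem|key)$", re.I)


def parse_disallows(text):
    """Return every Disallow path in the file, regardless of user-agent group:
    all of them are visible to anyone who fetches robots.txt."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def flag_sensitive(paths):
    """Flag Disallow entries that name a single file with a backup-like extension
    or a very long random-looking name (the challenge's 100+ character file)."""
    flagged = []
    for p in paths:
        name = p.rstrip("/").rsplit("/", 1)[-1]
        if SENSITIVE_EXT.search(name) or len(name) >= 64:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for p in flag_sensitive(parse_disallows(SAMPLE_ROBOTS)):
        print("robots.txt advertises a sensitive file:", p)
```

A path that needs to be secret belongs behind authentication, or simply not on the web server; a Disallow line only tells well-behaved crawlers not to index it.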

Hidden Form

Task: If the administrator wants to manipulate the content of this site, she must log in. Can you find what URL she uses? Send us the URL. Note – the login form is not real, the entered values are not processed.

Solution: This was just a guess; the page should be as follows. You can also use DirBuster to find it.

https://pentest.join.eset.com/admin

Word Document

TASK (I know this is all caps): Read the application manual (can be downloaded from here) and send us login credentials that could be valid for application login.

Solution: Use the doc_steg tool (linked here). The doc was created by Petr Hromada and last saved by Pavol Bondra, as you can see from the following output:

$ python docx_extractor.py manual.docx
-- snip --
Creator:  Petr Hromada
-- snip --
LastSavedBy:  Pavol Bondra
-- snip --

And as we know from the manual that the username is in the format firstname.lastname, we can combine these and get the username. Since the doc was last saved by Pavol, the username must be pavol.bondra. Or maybe Pavol (admin) created it for Petr (not sure).

Username: Petr.Hromada
Username: Pavol.Bondra

And the password is 1234567890, as mentioned in the docx.
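The docx_extractor output above comes from the document's core properties (docProps/core.xml inside the zip container). The added example below, which is not from the post or the doc_steg tool, reads those fields with the standard library only, derives the firstname.lastname candidates the way the write-up does, and shows the scrub step a publishing process should apply before a manual goes out. The sample document is constructed in memory; the two names in it are the ones from the challenge.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed core.xml carrying the two author fields seen in the challenge.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">
  <dc:creator>Petr Hromada</dc:creator>
  <cp:lastModifiedBy>Pavol Bondra</cp:lastModifiedBy>
</cp:coreProperties>""" % (NS["cp"], NS["dc"])


def build_sample_docx():
    """Minimal docx-shaped zip: two stub parts plus the core properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # stub
        z.writestr("word/document.xml", "<document/>")     # stub
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the creator and last-modified-by fields, or {} if absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.find("dc:creator", NS)
    last = root.find("cp:lastModifiedBy", NS)
    return {
        "creator": creator.text if creator is not None else None,
        "lastModifiedBy": last.text if last is not None else None,
    }


def candidate_usernames(props):
    """Apply the manual's firstname.lastname convention to each author field."""
    names = []
    for key in ("creator", "lastModifiedBy"):
        full = (props.get(key) or "").strip()
        if full and " " in full:
            first, last = full.split(" ", 1)
            names.append(f"{first}.{last}".replace(" ", ".").lower())
    return names


def scrub_core_properties(docx_bytes):
    """Return a copy of the document with the author fields blanked."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in ("dc:creator", "cp:lastModifiedBy"):
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            out.writestr(item, data)
    return out_buf.getvalue()


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    print(props, "->", candidate_usernames(props))
```

Author metadata is the kind of detail that turns a generic "firstname.lastname" convention into two concrete login names, which is why scrubbing it belongs in the release checklist for any document that leaves the organisation.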

DNS Discover

Task: This server has other DNS names than pentest.join.eset.com. Which are they? Send us the list of the names and where did you find them.

Solution: Search on Google and you will find the CNAME for pentest.join.eset.com, i.e. pentestjoinesetothername.eset.com. I found it at https://www.robtex.com/dns-lookup/pentest.join.eset.com

JS Reversing

Task: Find the correct username and password and send them to us.

Solution: I checked the source code and found the JavaScript where the username is given as neadmin; the password I calculated as “**********”.

Explanation:

The charcode of * is 42.

The password length is greater than 10 and less than 20, so if we think of it as having 10 characters then

42 × 10 = 420

From script,

var b = 1;
b += a.charCodeAt(i); return b % 421 == 0

So it starts from 1, adds the charcode of every character of the password, and the total must leave remainder 0 when divided by 421, which is exactly what we get from above:

420+1=421
421%421=0

There are other possibilities too. Similarly, the answer could be “********+)”.
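To make the "other possibilities" concrete, here is an added example (not the challenge's own script): a reconstruction of the check, where the loop is assumed since the page shows only the three fragments above, plus a small helper that pads any prefix with '*' and picks a final printable character so the sum lands on a multiple of 421. It shows why a client-side checksum is not a credential check at all: the condition admits an enormous number of strings, and the server learns nothing from a client that passes it.

```javascript
// Reconstruction of the page's client-side check. The page shows only
// "var b=1", "b+=a.charCodeAt(i)" and "return b%421==0"; the loop is assumed.
function passesCheck(a) {
  var b = 1;
  for (var i = 0; i < a.length; i++) {
    b += a.charCodeAt(i);
  }
  return b % 421 === 0;
}

// Constructed helper: pad the prefix with '*' (charcode 42) to at least nine
// characters, then look for one printable ASCII character (32..126) that makes
// the running total a multiple of 421; if none fits, add another '*' and retry.
// Returns null if nothing of at most maxLen characters works.
function completeToPass(prefix, maxLen) {
  maxLen = maxLen || 20;
  var s = prefix;
  while (s.length < 9) s += "*";
  while (s.length < maxLen) {
    var sum = 1;
    for (var i = 0; i < s.length; i++) sum += s.charCodeAt(i);
    var needed = (421 - (sum % 421)) % 421;   // charcode that completes the multiple
    if (needed >= 32 && needed <= 126) return s + String.fromCharCode(needed);
    s += "*";
  }
  return null;
}

// Sanity run: the two answers from the write-up and one derived from "neadmin".
console.log(passesCheck("**********"), passesCheck("********+)"));
console.log(completeToPass("neadmin"));
```

Anything that must stay secret, including whether a password is right, has to be decided on the server; JavaScript delivered to the browser is readable and editable by whoever receives it.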

Secret Message

Task: Your secret message is hidden in the picture.

https://pentest.join.eset.com/img/eset.jpg

Solution:

$ exiftool  eset.jpg 
ExifTool Version Number         : 10.80
File Name                       : eset.jpg
-- snip --
Warning                         : Invalid EXIF text encoding for UserComment
User Comment                    : secret_message_kefjsssimn40256mdd
Image Width                     : 97
-- snip --
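exiftool found the message in the EXIF UserComment field, a reminder that an image file carries far more than pixels. The added example below (not from the post) is the other half of that lesson for a defender: a minimal JPEG segment walker that lists the metadata segments in a file and a sanitiser that rebuilds the file without them, the step an upload pipeline should apply before an image is served. The sample file is constructed in memory and, to keep the walker short, carries the page's secret string in a JPEG COM segment next to an Exif stub rather than inside a full TIFF/EXIF structure.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_MARKERS = range(0xE0, 0xF0)          # APP0..APP15: JFIF, Exif, XMP, ICC, ...


def parse_segments(data):
    """Walk marker segments from SOI up to and including SOS.

    Returns (segments, remainder): segments is a list of (marker, payload);
    remainder is the entropy-coded scan data plus EOI, which carries no length
    fields and is copied through untouched.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes itself
        payload = data[pos + 4:pos + 2 + length]
        segments.append((marker, payload))
        pos += 2 + length
        if marker == SOS:
            break
    return segments, data[pos:]


def find_metadata(data):
    """Report what the image carries besides pixel data."""
    segments, _ = parse_segments(data)
    return {
        "comments": [p.decode("latin-1") for m, p in segments if m == COM],
        "has_exif": any(m == 0xE1 and p.startswith(b"Exif\x00\x00") for m, p in segments),
        "app_segments": [m for m, _ in segments if m in APP_MARKERS],
    }


def strip_metadata(data):
    """Rebuild the file without APPn and COM segments; tables, frame header,
    scan header and scan data are kept byte for byte."""
    segments, remainder = parse_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker in APP_MARKERS or marker == COM:
            continue
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + remainder)


def build_sample():
    """Constructed JPEG-shaped bytes: Exif stub, COM with the page's secret
    string, an SOS header, a few scan bytes and EOI. Not a decodable picture."""
    exif = b"Exif\x00\x00" + b"\x00" * 8
    com = b"secret_message_kefjsssimn40256mdd"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + b"\x12\x34\x56"
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("before:", find_metadata(sample))
    print("after: ", find_metadata(strip_metadata(sample)))
```

Dropping every APPn segment also removes JFIF and ICC data, which is acceptable for a sanitiser whose job is to guarantee nothing rides along; a production pipeline would typically re-encode the image instead, which has the same effect.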

Cookie

Task: The URL for managing our site is /admin-auth. But you cannot access it, something prevents you from doing so. Send us the value which blocks the access and how did you bypass it.

Solution: Something that is blocking access is the following:

Cookie: admin_auth_restricted=restrictted

Remove it and resend the request using Inspect Element; you will see the following response:

Congratulations!

IP Address

Task: Under what IP address does our server see you? Send us how/where you can prove it.

Solution: I know the answer, but this one is for you. Send me the answer in a comment.

Restricted Answer

Task: Only internal users who use our proxy with outgoing IP 10.10.10.10 have access to the page /intranet. Send us the number of logged-in users and the key settings you used to bypass the proxy check.

Solution:

To solve this, use Inspect Element. Choose Edit and Resend, add the following header and send it.

X-Forwarded-For: 10.10.10.10

You will get the following reply:

Number of logged in users: 1068

User-agent

Task: Access to the page /google.bot is only available to search engines, you cannot access it from a regular browser, or can you? Send us information displayed on this page and the key settings you used to get there.

Solution: I used the Firefox plugin User-Agent Switcher, which switches my user-agent to Googlebot and gave me the following:

INDEX-me, my Bot.
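The Cookie, Restricted Answer and User-agent challenges are one bug three times: the server makes an access decision on something the client chose to send (a cookie value, X-Forwarded-For, User-Agent). The added example below, which is not the challenge server's code, models all three decisions the naive way the challenge behaves and next to them the hardened form: a signed session cookie verified with HMAC, the proxy's outgoing IP taken from the TCP peer address rather than a header, and User-Agent treated as a hint only. The secret key and the verified-crawler IP set are constructed placeholders.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-change-me"   # placeholder, not a real key
PROXY_OUTGOING_IP = "10.10.10.10"                # from the challenge text
VERIFIED_BOT_IPS = {"192.0.2.77"}                # constructed; a real deployment
                                                 # verifies crawler IPs through the
                                                 # search engine's published method


def naive_decision(headers, path):
    """The three checks as the challenge behaves: each trusts client input."""
    h = {k.lower(): v for k, v in headers.items()}
    if path == "/admin-auth":
        return "admin_auth_restricted=restrictted" not in h.get("cookie", "")
    if path == "/intranet":
        return h.get("x-forwarded-for") == PROXY_OUTGOING_IP
    if path == "/google.bot":
        return "googlebot" in h.get("user-agent", "").lower()
    return True


def sign_session(user, role):
    """Issue 'user:role:hmac' so the server can recognise its own cookies."""
    payload = f"{user}:{role}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_session(cookie_value):
    """Return {'user', 'role'} only if the MAC matches; None otherwise."""
    try:
        user, role, mac = cookie_value.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return {"user": user, "role": role}


def parse_cookies(header_value):
    out = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def hardened_decision(headers, path, remote_addr):
    """Same three routes, deciding only on data the client cannot forge."""
    h = {k.lower(): v for k, v in headers.items()}
    if path == "/admin-auth":
        session = verify_session(parse_cookies(h.get("cookie", "")).get("session", ""))
        return session is not None and session["role"] == "admin"
    if path == "/intranet":
        # The proxy's outgoing IP is the peer address of the TCP connection.
        # X-Forwarded-For is ignored: anyone can send that header.
        return remote_addr == PROXY_OUTGOING_IP
    if path == "/google.bot":
        # User-Agent is a hint, never an authorisation factor.
        return remote_addr in VERIFIED_BOT_IPS
    return True


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": PROXY_OUTGOING_IP, "User-Agent": "Googlebot"}
    for path in ("/admin-auth", "/intranet", "/google.bot"):
        print(path, "naive:", naive_decision(spoof, path),
              "hardened:", hardened_decision(spoof, path, "203.0.113.5"))
```

If a reverse proxy you operate really does sit in front of the application, the rule is the same in spirit: accept X-Forwarded-For only when the peer address is that proxy, and then use the hop it appended, never an arbitrary value from further left.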

Hash

Task: Send us a password that matches the following MD5 hash

79964bba8e244c76648f88c3ce161e64

SOLUTION (Again??): There are various websites that reverse an MD5 hash by looking it up in a precomputed table. I used https://md5decrypt.net/

79964bba8e244c76648f88c3ce161e64 : Acrobat
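The lookup site works because MD5 is unsalted and fast: every password maps to one fixed digest, so a table built once answers the query forever. The added example below (not from the post) shows that lookup in a few lines against a constructed wordlist, and next to it the form a password store should use instead, a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) where the same password produces a different stored value each time and each guess costs real work.

```python
import hashlib
import hmac
import os

PAGE_HASH = "79964bba8e244c76648f88c3ce161e64"              # from the challenge
WORDLIST = ["123456", "password", "Acrobat", "qwerty", "letmein"]  # constructed


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def lookup_md5(target_hex, wordlist):
    """Table lookup: build word -> digest once, then answer by dictionary access.
    Returns the matching word or None."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(target_hex.lower())


def make_pbkdf2(password, salt=None, iterations=100_000):
    """Store 'pbkdf2_sha256$iterations$salt$dk'; a fresh random salt per password
    defeats precomputed tables, and the iteration count slows each guess."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, password):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("MD5 lookup for the page's hash:", lookup_md5(PAGE_HASH, WORDLIST))
    stored = make_pbkdf2("Acrobat")
    print("stored:", stored)
    print("verify correct:", verify_pbkdf2(stored, "Acrobat"),
          "verify wrong:", verify_pbkdf2(stored, "acrobat"))
```

The two stored values for the same password differ only because of the salt; that is exactly what makes a shared lookup table useless, and it is why a hash that can be "decrypted" on a website was never a password hash in the first place.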

b2t-encoding

Task: Send us the decoded message

SVRfaXNfanVzdF9lbmNvZGluZw==

Solution:

$ echo SVRfaXNfanVzdF9lbmNvZGluZw== | base64 -d
IT_is_just_encoding
