Do not read on if you seriously want to solve this by yourself.
* Tests were done using the Firefox browser.
Task: We received a report that information is leaking: the server is sending out passwords. There is nothing in the HTML code of the page. Send us the username and the leaked password.
Solution: In Firefox, open Inspect Element and watch the Network tab. When you send the GET request you will see the following among the response headers (Authorization is normally a request header, so a server that sends it back is the leak):
Authorization: Basic cGVudGVzdDE6a1RON2NlSlU4aw==
It is a base64-encoded string: HTTP Basic authentication is just base64 of user:password, encoding rather than encryption, so anyone who can see the header has the credentials.
$ echo cGVudGVzdDE6a1RON2NlSlU4aw== | base64 -d
pentest1:kTN7ceJU8k
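The same decoding done programmatically over a whole header block, as an added example that is not part of the original writeup. The header block is constructed for the example (only the Authorization value is the one from the page); the function splits on the first colon only, because a Basic password may itself contain colons.

```javascript
// Added example: pull HTTP Basic credentials out of a raw header block.
// Basic auth is base64("user:password"), so whoever can read the header
// (here, an Authorization header the server echoed back) has the password.
// The header block is constructed; only the Authorization value is from the page.
const SAMPLE_RESPONSE_HEADERS = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Authorization: Basic cGVudGVzdDE6a1RON2NlSlU4aw==",
  "Set-Cookie: session=constructed",
].join("\r\n");

// Returns { user, password } for every Basic credential in the block.
// Matches Authorization and Proxy-Authorization, case-insensitively, and
// splits on the FIRST colon only: the password part may contain colons.
function extractBasicCredentials(rawHeaders) {
  const found = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^(?:proxy-)?authorization:\s*basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(line);
    if (!m) continue;
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep < 0) continue; // malformed: no user/password separator
    found.push({ user: decoded.slice(0, sep), password: decoded.slice(sep + 1) });
  }
  return found;
}

console.log(extractBasicCredentials(SAMPLE_RESPONSE_HEADERS));
```

Feed it the raw headers copied from the Network tab (or a saved HTTP capture) and every Basic credential in them is printed as a user/password pair.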
Task: The administrator stores a backup of important data into a file and downloads it to his computer. The file is protected by having a very long name (more than 100 random characters). Such a long password cannot be guessed by brute force in a short time. The administrator took precautions against robots and forbade including the file in search results. Send us the backed-up password.
Solution: The hint is here: “Administrator took precautions against robots and forbid to include the file in search results.” That means /robots.txt: a Disallow entry is how an administrator keeps a file out of search results, and in doing so it publishes the very path that was supposed to stay secret.
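What a robots.txt lookup amounts to, as an added example that is not part of the original writeup: parse the file, collect the Disallow entries, and turn the concrete ones into URLs to request directly. The robots.txt content below is constructed for the example; the long zip name is the one from the page, the other entries are made up.

```javascript
// Added example: Disallow entries in robots.txt only keep crawlers away; for a
// tester every concrete entry is a URL to fetch. The file content is constructed
// for the example (only the long zip filename is from the page).
const SAMPLE_ROBOTS_TXT = `
# keep the backup out of search results
User-agent: *
Disallow: /99291b7e678c97d443bbf032feaa4851503333aadc3b92693af817cb072ef3d1a4963defdcd25f28dbf56cb85e1e3caddb2de900.zip
Disallow: /admin/
Allow: /admin/public/

User-agent: Googlebot
Disallow: /*.bak$
`;

// Returns [{ agent, path }] for every Disallow line. Comments (#...) and blank
// lines are skipped; consecutive User-agent lines share the rule group that
// follows them, and a User-agent line after rules starts a new group.
function disallowedPaths(robotsTxt) {
  const entries = [];
  let agents = [];
  let inRules = false;
  for (const raw of robotsTxt.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const m = /^([A-Za-z-]+)\s*:\s*(.*)$/.exec(line);
    if (!m) continue;
    const field = m[1].toLowerCase();
    const value = m[2].trim();
    if (field === "user-agent") {
      if (inRules) { agents = []; inRules = false; } // new group begins
      agents.push(value);
    } else {
      inRules = true;
      if (field === "disallow" && value) {
        for (const agent of agents) entries.push({ agent, path: value });
      }
    }
  }
  return entries;
}

// Concrete paths resolved against the site; wildcard patterns (* or $) are
// not single URLs and are left out.
function candidateUrls(base, robotsTxt) {
  const urls = new Set();
  for (const { path } of disallowedPaths(robotsTxt)) {
    if (/[*$]/.test(path)) continue;
    urls.add(new URL(path, base).href);
  }
  return [...urls];
}

console.log(candidateUrls("http://pentest.join.eset.com/", SAMPLE_ROBOTS_TXT));
```

Request each URL the function returns; anything that does not answer 404 is worth a closer look, which is exactly how the backup file below was found.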
I got a 404 on the other files except for this one.
So download it and unzip it.
$ unzip 99291b7e678c97d443bbf032feaa4851503333aadc3b92693af817cb072ef3d1a4963defdcd25f28dbf56cb85e1e3caddb2de900.zip
Archive: 99291b7e678c97d443bbf032feaa4851503333aadc3b92693af817cb072ef3d1a4963defdcd25f28dbf56cb85e1e3caddb2de900.zip
inflating: password.txt
$ cat password.txt
Admin password: fjo52fgfg56hw3fdddaqlm
Secret key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32495A90F3FF199D

lrMAsSjjkKiRxGdgR8p5kZJj0AFgdWYa3OT2snIXnN5+/p7j13PSkseUcrAFyokc
V9pgeDfitAhb9lpdjxjjuxRcuQjBfmNVLPF9MFyNOvhrprGNukUh/12oSKO9dFEt
s39F/2h6Ld5IQrGt3gZaBB1aGO+tw3ill1VBy2zGPIDeuSz6DS3GG/oQ2gLSSMP4
OVfQ32Oajo496iHRkdIh/7Hho7BNzMYr1GxrYTcE9/Znr6xgeSdNT37CCeCH8cmP
aEAUgSMTeIMVSpILwkKeNvBURic1EWaqXRgPRIWK0vNyOCs/+jNoFISnV4pu1ROF
92vayHDNSVw9wHcdSQ75XSE4Msawqv5U1iI7e2lD64uo1qhmJdrPcXDJQCiDbh+F
hQhF+wAoLRvMNwwhg+LttL8vXqMDQl3olsWSvWPs6b/MZpB0qwd1bklzA6P+PeAU
sfOvTqi9edIOfKqvXqTXEhBP8qC7ZtOKLGnryZb7W04SSVrNtuJUFRcLiqu+w/F/
MSxGSGalYpzIZ1B5HLQqISgWMXdbt39uMeeooeZjkuI3VIllFjtybecjPR9ZYQPt
FFEP1XqNXjLFmGh84TXtvGLWretWM1OZmN8UKKUeATqrr7zuh5AYGAIbXd8BvweL
Pigl9ei0hTculPqohvkoc5x1srPBvzHrirGlxOYjW3fc4kDgZpy+6ik5k5g7JWQD
lbXCRz3HGazgUPeiwUr06a52vhgT7QuNIUZqdHb4IfCYs2pQTLHzQjAqvVk1mm2D
kh4myIcTtf69BFcu/Wuptm3NaKd1nwk1squR6psvcTXOWII81pstnxNYkrokx4r2
7YVllNruOD+cMDNZbIG2CwT6V9ukIS8tl9EJp8eyb0a1uAEc22BNOjYHPF50beWF
ukf3uc0SA+G3zhmXCM5sMf5OxVjKr5jgcir7kySY5KbmG71omYhczgr4H0qgxYo9
Zyj2wMKrTHLfFOpd4OOEun9Gi3srqlKZep7Hj7gNyUwZu1qiBvElmBVmp0HJxT0N
mktuaVbaFgBsTS0/us1EqWvCA4REh1Ut/NoA9oG3JFt0lGDstTw1j+orDmIHOmSu
7FKYzr0uCz14AkLMSOixdPD1F0YyED1NMVnRVXw77HiAFGmb0CDi2KEg70pEKpn3
ksa8oe0MQi6oEwlMsAxVTXOB1wblTBuSBeaECzTzWE+/DHF+QQfQi8kAjjSdmmMJ
yN+shdBWHYRGYnxRkTatONhcDBIY7sZV7wolYHz/rf7dpYUZf37vdQnYV8FpO1um
Ya0GslyRJ5GqMBfDS1cQKne+FvVHxEE2YqEGBcOYhx/JI2soE8aA8W4XffN+DoEy
ZkinJ/+BOwJ/zUI9GZtwB4JXqbNEE+j7r7/fJO9KxfPp4MPK4YWu0H0EUWONpVwe
TWtbRhQUCOe4PVSC/Vv1pstvMD/D+E/0L4GQNHxr+xyFxuvILty5lvFTxoAVYpqD
u8gNhk3NWefTrlSkhY4N+tPP6o7E4t3y40nOA/d9qaqiid+lYcIDB0cJTpZvgeeQ
ijohxY3PHruU4vVZa37ITQnco9az6lsy18vbU0bOyK2fEZ2R9XVO8fH11jiV8oGH
-----END RSA PRIVATE KEY-----
We got the admin password and the private key. Note that the key is passphrase-protected (Proc-Type: 4,ENCRYPTED with DES-EDE3-CBC), so it cannot be used as-is; the admin password from the same file is the first passphrase to try.
Task: If the administrator wants to manipulate the content of this site, she must log in. Can you find what URL she uses? Send us the URL. Note: the login form is not real, the entered values are not processed.
Solution: Just a guess; the page should be as follows. You can also use DirBuster to find it.
TASK (I know this is all caps): Read the application manual (it can be downloaded from here) and send us login credentials that could be valid for the application login.
Solution: Use the doc_steg tool here. Extracting the document metadata shows that the document was created by Petr Hromada and last saved by Pavol Bondra:
$ python docx_extractor.py manual.docx
-- snip --
Creator: Petr Hromada
-- snip --
LastSavedBy: Pavol Bondra
-- snip --
As we know from the manual, the username is in the format firstname.lastname, so we can combine the two fields and get the username. Since the document was last saved by Pavol, the username must be pavol.bondra. Or maybe Pavol (the admin) created it for Petr (not sure).
And the password is 1234567890, as mentioned in the docx.
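Where those two fields actually live, as an added example that is not part of the original writeup and not the doc_steg tool: a .docx is a zip archive and the authorship metadata sits in docProps/core.xml as dc:creator and cp:lastModifiedBy. The XML below is constructed for the example (the two names are the ones from the page); unzipping is left to the caller, e.g. `unzip -p manual.docx docProps/core.xml`. The username derivation strips accents, since Czech and Slovak names often carry diacritics that would not survive in a login.

```javascript
// Added example: derive firstname.lastname login candidates from the
// authorship fields of a .docx (docProps/core.xml inside the zip).
// The XML is constructed for the example; only the two names are from the page.
const SAMPLE_CORE_XML = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:creator>Petr Hromada</dc:creator>
  <cp:lastModifiedBy>Pavol Bondra</cp:lastModifiedBy>
</cp:coreProperties>`;

// Pulls the two authorship fields out of core.xml; null when a field is absent.
function coreProperties(xml) {
  const get = (tag) => {
    const m = new RegExp(`<${tag}[^>]*>([^<]*)</${tag}>`).exec(xml);
    return m ? m[1].trim() : null;
  };
  return { creator: get("dc:creator"), lastModifiedBy: get("cp:lastModifiedBy") };
}

// "Petr Hromada" -> "petr.hromada". Accents are decomposed (NFD) and the
// combining marks dropped, so "Jiří Novák" becomes "jiri.novak".
function toUsername(fullName) {
  return fullName
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .trim()
    .split(/\s+/)
    .join(".");
}

// Distinct login candidates in document order: creator first, last saver second.
function usernameCandidates(xml) {
  const props = coreProperties(xml);
  return [...new Set(Object.values(props).filter(Boolean).map(toUsername))];
}

console.log(usernameCandidates(SAMPLE_CORE_XML));
```

Both names become candidates; which one is the valid login (the author's pick is the last saver) is settled by trying them against the form, not by the metadata alone.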
Task: This server has other DNS names than pentest.join.eset.com. Which are they? Send us the list of the names and where did you find them.
Solution: Search in Google and you will find the CNAME for pentest.join.eset.com, i.e. pentestjoinesetothername.eset.com. I found it at https://www.robtex.com/dns-lookup/pentest.join.eset.com.
Task: Find the correct username and password and send them to us.
Solution: The character code of '*' is 42.
The password length must be between 10 and 20 characters, so take a password of ten characters. The relevant part of the client-side check is:
var b=1; b+=a.charCodeAt(i); return b%421==0
So b starts at 1, the character code of every password character is added to it, and the result must leave remainder 0 when divided by 421. Ten '*' characters give 1 + 10 × 42 = 421, which is exactly divisible by 421.
There are other possibilities too: any ten printable characters whose codes sum to 420 pass. For example “********+)” also works: 8 × 42 + 43 ('+') + 41 (')') = 420.
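The check reconstructed and then inverted, as an added example that is not part of the original page. Only the fragment `var b=1; b+=a.charCodeAt(i); return b%421==0` is from the page; the loop over all characters and the exact length bounds are assumptions. Because the page's own answers are ten characters long, the reconstruction accepts lengths from 10 up to 19. `craftPassword` generalizes the arithmetic above: for any accepted length it builds a printable string whose codes sum to 421k - 1.

```javascript
// Added example: reconstruction of the client-side password check quoted on
// the page, plus a generator for passwords that satisfy it.
// From the page: var b=1; b+=a.charCodeAt(i); return b%421==0
// Assumed: the sum runs over every character and lengths 10..19 are accepted.
function checkPassword(a) {
  if (a.length < 10 || a.length >= 20) return false; // assumed length check
  let b = 1;
  for (let i = 0; i < a.length; i++) {
    b += a.charCodeAt(i);
  }
  return b % 421 === 0;
}

// The codes must sum to 421*k - 1 for some k >= 1 (420, 841, 1262, ...).
// For the requested length, pick the smallest reachable target, start every
// slot at '!' (33) and pour the remainder into the leading slots, capping each
// at '~' (126). Returns null if no target fits the length.
function craftPassword(length) {
  const lo = 33, hi = 126;
  for (let target = 420; target <= hi * length; target += 421) {
    if (target < lo * length) continue; // too few characters to reach this sum
    const codes = new Array(length).fill(lo);
    let remaining = target - lo * length;
    for (let i = 0; i < length && remaining > 0; i++) {
      const add = Math.min(hi - lo, remaining);
      codes[i] += add;
      remaining -= add;
    }
    return String.fromCharCode(...codes);
  }
  return null;
}

console.log(checkPassword("**********"), checkPassword("********+)"));
for (let n = 10; n < 20; n++) console.log(n, JSON.stringify(craftPassword(n)));
```

The point of the generator is that a checksum-style client-side check has a whole family of valid inputs, so the "password" it accepts is not a secret at all; the server must never rely on it.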
Task: Your secret message is hidden in the picture.
Solution: The message sits in the EXIF UserComment field:
$ exiftool eset.jpg
ExifTool Version Number : 10.80
File Name : eset.jpg
-- snip --
Warning : Invalid EXIF text encoding for UserComment
User Comment : secret_message_kefjsssimn40256mdd
Image Width : 97
-- snip --
Task: The URL for managing our site is /admin-auth. But you cannot access it, something prevents you from doing so. Send us the value which blocks the access and how did you bypass it.
Solution: The value that blocks access is the following:
Remove it and send the request again (Edit and Resend in Inspect Element); you will see the following response:
Task: Under what IP address does our server see you? Send us how/where can you prove it.
Solution: I know the answer but this is for you. Send me the answer in your comment.
Task: Only internal users who use our proxy with outgoing IP 10.10.10.10 have access to the page /intranet. Send us the number of logged-in users and the key settings you used to bypass the proxy check.
Solution: Use Inspect Element: select the request, choose Edit and Resend, add the following header and send it.
You will get the following reply:
Number of logged in users: 1068
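Why the bypass works and what the check should have looked like, as an added example that is not part of the original writeup or of the challenge's code. The page does not show which header the author added; the example assumes the check trusts X-Forwarded-For, and it assumes the application's own reverse proxy sits at 192.0.2.1 (a documentation address). The /google.bot task below is the same class of flaw: a decision taken on a header the client controls.

```javascript
// Added example: a "came through our proxy" check that trusts a client-supplied
// header, next to one that only believes hops the server itself controls.
// Assumed: the check reads X-Forwarded-For (the page does not show the header
// used) and our own reverse proxy is 192.0.2.1. PROXY_IP is from the task text.
const PROXY_IP = "10.10.10.10";
const TRUSTED_HOPS = new Set(["192.0.2.1"]); // hops whose X-Forwarded-For appends we believe

// Vulnerable: takes the first X-Forwarded-For entry at face value, which is
// exactly what the bypass on this page exploits.
function isInternalNaive(req) {
  const claimed = req.headers["x-forwarded-for"] || req.remoteAddr;
  return claimed.split(",")[0].trim() === PROXY_IP;
}

// Hardened: if the TCP peer is not one of our own hops, the header is just
// untrusted bytes and the peer address is the answer. Otherwise walk
// X-Forwarded-For from the right, skipping our hops; the first address we did
// not append ourselves is the real source.
function effectiveSourceIp(req) {
  const peer = req.remoteAddr;
  if (!TRUSTED_HOPS.has(peer)) return peer;
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_HOPS.has(hops[i])) return hops[i];
  }
  return peer;
}

function isInternalSafe(req) {
  return effectiveSourceIp(req) === PROXY_IP;
}

// Constructed requests: the attacker's spoof, the same spoof through our
// reverse proxy, and a genuine request relayed by the real 10.10.10.10 proxy.
const SPOOFED_DIRECT = { remoteAddr: "203.0.113.5", headers: { "x-forwarded-for": "10.10.10.10" } };
const SPOOFED_VIA_RP = { remoteAddr: "192.0.2.1", headers: { "x-forwarded-for": "10.10.10.10, 203.0.113.5" } };
const GENUINE        = { remoteAddr: "192.0.2.1", headers: { "x-forwarded-for": "10.10.10.10" } };

for (const [name, req] of Object.entries({ SPOOFED_DIRECT, SPOOFED_VIA_RP, GENUINE })) {
  console.log(name, "naive:", isInternalNaive(req), "safe:", isInternalSafe(req));
}
```

The naive check admits both spoofed requests; the hardened one admits only the genuine relay, because the attacker can write anything into the header but cannot change which address the server's own proxy appends.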
Task: Access to the page /google.bot is only available to search engines, you cannot access it from a regular browser, or can you? Send us information displayed on this page and the key settings you used to get there.
Solution: I used the Firefox plugin User-Agent Switcher, which switches my user agent to Googlebot, and it gave me the following:
INDEX-me, my Bot.
Task: Send us a password that matches the following MD5 hash
SOLUTION (Again??): Various websites will look an MD5 hash up in precomputed tables of common passwords for us (MD5 is a hash, so it is not decrypted; such sites only match it against inputs they have already seen). I used https://md5decrypt.net/
79964bba8e244c76648f88c3ce161e64 : Acrobat
Task: Send us the decoded message
Solution: It is base64 again:
$ echo SVRfaXNfanVzdF9lbmNvZGluZw== | base64 -d
IT_is_just_encoding