TUCTF Meets Clue

My friends and I played two CTFs this weekend, although “played” might be a bit generous.  The first was by Kaspersky and was incredibly difficult.  The second one, TUCTF, was geared more towards beginners and intermediates.  That was much more our speed.

There were a set of Clue-themed web challenges that I’d like to record here.

Mrs. White’s Messy Maids

Our clue is:

Mrs. White’s simple website might be hiding some murderous intentions…

http://18.218.152.56/

There’s not a whole lot here…

If we look at the source code:

<html>
  <head>
    <title>Mrs. White</title>
    <link rel="stylesheet" href="styles.css">
  </head>

  <body>
    <h1>Welcome to Mrs. White's Maid Service</h1>
    <img src="https://tinyurl.com/ybbtf3nv" height="500">
    <p>We offer only the best maids for all your cleaning needs
    <br>
    To learn more about our services, call 275-317-3581
    <!-- I might kill if I could find him. Stupid Mr. /Boddy --></p>
  </body>
</html>

Credit to my friend who caught the HTML comment here.  Mr. Boddy is another Clue character (one who ends up murdered for knowing the secrets of his “friends”).

That forward slash looks suspicious.  If we try out http://18.218.152.56/Boddy…

Mr. Green’s Weird Website

Next up is Mr. Green.  My friends and I spent forever on this one and made it way, way harder than it needed to be.

While investigating Mr. Green for something completely unrelated, we found this login page. Maybe you can find a way in?

http://18.219.196.70/

The website is just a login form.  I tried all sorts of SQL injection with no luck.

Another friend joined the CTF and tried the most obvious option(s)… it turned out to be admin/admin.  Default credentials, people!

Colonel Mustard’s Simple Signin

We know Col Mustard is up to something–can you find a way in to tell us what?

http://13.59.239.132/

When we check out the website, we see another login form.

If we try the obvious option again, admin/admin (or admin/password, etc.), it doesn’t work.  No big surprise here, though… unlikely that two challenges would use the same idea.

I decided to give the SQL injection another try.  The winning combination is the username “admin” with the password ' OR 1=1 -- 
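To show exactly why that password works, here is an added example (my own toy code, not the challenge's source) of a login lookup built by string formatting next to the same lookup done with a parameterised query and a constant-time comparison. It uses Python's sqlite3 module with an in-memory table; the table, the account, and the function names are all constructed for the demo.

```python
import hmac
import sqlite3

# Constructed toy credential store. The password is kept in the clear only so
# the injection's effect on the WHERE clause is easy to see; a real store keeps
# a bcrypt/argon2 hash and compares against that instead.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input becomes SQL.

    Returns the matched username, or None when no row matches.
    """
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time comparison; input stays data."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    if hmac.compare_digest(row[0].encode(), password.encode()):
        return username
    return None


# The password from the writeup. In the vulnerable query it closes the string
# literal, appends OR 1=1, and comments out the dangling quote.
PAYLOAD = "' OR 1=1 -- "

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real password :", login_vulnerable(conn, "admin", "correct-horse-battery"))
    print("vulnerable, payload       :", login_vulnerable(conn, "nobody", PAYLOAD))
    print("safe, real password       :", login_safe(conn, "admin", "correct-horse-battery"))
    print("safe, payload             :", login_safe(conn, "admin", PAYLOAD))
```

The vulnerable version returns admin even for a username that does not exist, because OR 1=1 makes the whole WHERE clause true and the query simply hands back the first row. With placeholders the payload is just a fourteen-character string that fails to match, and nothing in it ever reaches the SQL parser.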

Professor Plum’s Ravenous Researcher

This one is technically listed after Miss Scarlett, but this is the order we found the flags in.

Professor Plum is hiring! Maybe you can get the job!

http://18.223.185.148/

Professor Plum has a confusingly large number of webpages for the given challenge (4 or so?).

The first page looks like this:

It has a link to /researcher.php, where it mentions Mr. Boddy again.  We need to find him.

If we click the link on that page, we get directed to /looking.php, with a message that says to look in a different part of the mansion.

One of my friends found /search.php, which looks like this:

If we type something in, and hit enter, we get the same “try again” message.  Open up dev tools, however, and you’ll see that a cookie has been sent along with the request:

The “%3D%3D” is just URL-encoded “==” (base64 padding).  If we swap it back and decode, we see that it’s the base64 encoding of “billiard room”.  From the Wiki page for Clue(do), we see that there’s a handful of possible rooms in the mansion:

I’m cheating a little bit here… the answer ends up being “Billiard Room” but I tried all of the other options first.

In Dev Tools, you can right-click and copy a request as a cURL command.  I did that and stripped out all of the extra headers, so that I had this left:

$ curl 'http://18.223.185.148/looking.php' -H 'Cookie: Found_Boddy=1; Location=YmlsbGlhcmQgcm9vbQ%3D%3D'

You’ll notice that I also switched the Found_Boddy cookie to 1, since we’re trying to find him.  “YmlsbGlhcmQgcm9vbQ%3D%3D” is the (URL-encoded) base64-encoded version of “Billiard Room.”

Here’s the response back:  

<title>Success!</title><link href="file.css" rel="stylesheet" type="text/css"><h1><center>Congrats! You found him</center></h1><p>TUCTF{1_4ccu53_pr0f3550r_plum_w17h_7h3_c00k13_1n_7h3_b1ll14rd_r00m}</p>
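The challenge works because the server trusts two cookies it let the client write. As an added example (my own code, not the challenge's), the block below first does the decoding step from this section in code (URL-decode the Cookie header, then base64-decode Location), and then shows the server-side fix: bundle Found_Boddy and Location into one value and sign it with an HMAC so that editing either field without the key is detected. The cookie header is the one from the curl command above; SERVER_KEY, the cookie layout, and all the function names are my own constructions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# The Cookie header from the writeup's curl command (captured, not constructed).
COOKIE_HEADER = "Found_Boddy=1; Location=YmlsbGlhcmQgcm9vbQ%3D%3D"


def parse_cookies(header):
    """Split a Cookie header into a dict, URL-decoding each value (%3D -> =)."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        cookies[name] = unquote(value)
    return cookies


def decode_location(value):
    """The Location cookie is plain base64 text once URL-decoded."""
    return base64.b64decode(value).decode()


# --- Hardened variant: state the server signs cannot be edited by the client. ---
# Constructed demo key; a real deployment loads this from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_state(found_boddy, location):
    """Encode (found_boddy, location) as base64 payload + '.' + HMAC-SHA256 tag."""
    payload = f"{int(found_boddy)}|{location}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return quote(base64.b64encode(payload).decode()) + "." + tag


def verify_state(cookie_value):
    """Return (found_boddy, location) if the tag checks out, else None."""
    try:
        b64, tag = cookie_value.rsplit(".", 1)
        payload = base64.b64decode(unquote(b64))
    except ValueError:  # malformed cookie, bad base64, or no '.' separator
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    flag, _, location = payload.decode().partition("|")
    return flag == "1", location


def edit_without_resigning(cookie_value):
    """Flip Found_Boddy to 1 in a signed cookie but keep the old tag (what a
    client could do to the unsigned cookies in the challenge)."""
    b64, tag = cookie_value.rsplit(".", 1)
    payload = base64.b64decode(unquote(b64)).decode()
    forged = "1" + payload[1:]
    return quote(base64.b64encode(forged.encode()).decode()) + "." + tag


if __name__ == "__main__":
    cookies = parse_cookies(COOKIE_HEADER)
    print("Found_Boddy =", cookies["Found_Boddy"])
    print("Location    =", decode_location(cookies["Location"]))
    signed = sign_state(False, "billiard room")
    print("signed cookie verifies as", verify_state(signed))
    print("edited cookie verifies as", verify_state(edit_without_resigning(signed)))
```

With the signed layout the server still stores nothing, but the only way to present Found_Boddy=1 is to have been issued that value by the server; an edited copy fails the tag check and is treated as no cookie at all.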

Miss Scarlett’s Resume Requests

Last but not least…

Something is up with Miss Scarlett’s acting site. Maybe you can take a look?

http://18.220.239.106/

Her website looks like this:

There’s a link to a contact page.  If we check that out…

Again, looking for Mr. Boddy.  If we try the same trick as with Mrs. White, by looking at http://18.220.239.106/Boddy:

No luck.  However, there is a hint in the source code:

<body>
  <h2>That was a really good try...Did you think it would be that easy?
  <!--Maybe look into how easy it would be to receive some tissues in the 'post'--></h2>
</body>

After trying out all sorts of additional parameters on the end of contact.php (e.g. http://18.220.239.106/contact.php?post=somemessagehere), one of my friends made a POST request to /Boddy.

$ curl -X POST http://18.220.239.106/Boddy/

Here’s our response, and the flag!

<html>
  <head>
    <title>Mr. Boddy</title>
    <style>[removed for length]</style>
  </head>
  <body>
    <h1>TUCTF{1_4ccu53_m155_5c4rl37_w17h_7h3_kn1f3_1n_7h3_h77p_r3qu357}</h1>
  </body>
</html>