Five of the web series challenges were Clue-themed. The other three are a reference to Ready Player One, which I haven’t seen.
But I have used git before, and that’s what this challenge is (mostly) about. All three challenges use the same website.
Easter Egg: Copper Gate
Our hint here says:
How did I end up here? – Joker
http://18.191.227.167/
I poked around the website for a while, looking for anything related to the hint. Request referral, maybe? No luck. I watched the weird egg video on the screen. No luck with that either.
I also played around with some things related to dates, given the “check back later” message.
Using dirbuster, one of my teammates found a .git directory at:
http://18.191.227.167/.git/
Having your git repository online is a bad idea… you’ve essentially given the source code (and entire history) of your website to everyone. Good news for us, though.
Open up a command line, and type:
wget -r 'http://18.191.227.167/.git/'
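This will copy the git repository into a directory named after the host (18.191.227.167/) under whatever directory you’re in. cd into that directory before running any git commands.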
Back on the website, you may have poked around in the files at the /.git/ endpoint. If you made your way to http://18.191.227.167/.git/logs/refs/heads/master, you would see this log of git commits:
Looks promising!
I know we’re looking for the copper egg, but the “The Jade Flag” one seems pretty obvious, no? Let’s try that. Grabbing the commit hash from that line:
$ git checkout 893b1b87772183d283b450faa2836dac7c9653a3
You’ll get some warning messages about detached HEAD state, which is usually a bad thing, but this is just a CTF challenge so I don’t care. 😛
You could look around at the new and changed files using a command line, but I looked at the directory (GUI) instead.
We see there’s a folder called “enterthecoppergate” and inside, a file called gate.html. Or, on the website, it’s: http://18.191.227.167/enterthecoppergate/gate.html
There it is! Well… sorta.
VFVDVEZ7VzNsYzBtM19UMF9UaDNfMDQ1MTVfVGgzX0MwcHAzcl9LM3l9Cg==
But that looks like base-64, so we can decode it.
TUCTF{W3lc0m3_T0_Th3_04515_Th3_C0pp3r_K3y}
One down, two to go!
Btw, this page also gave us a hint for jade:
The Jade Key
The updates conceal the Jade Key
in a backup long neglected
But you can only retrace your steps
once the logs are all collected
Easter Egg: Jade Gate
If we look at our commit log again, we see more references to Jade. If you try a few of them, you’ll find pages where there’s the Jade Key, but it’s SHA-512 hashed. Or 256. Finally, when you get to the “FINE BE THAT WAY” commit, you’ve found it.
761c7ef2510514ae24cfdd8172e34fd85e71b568 Joker <joker@hahacienda.com> 1542850907 -0800 commit: FINE BE THAT WAY
In retrospect, making us wade through a bunch of different commits probably should have been expected, as our hint is:
Gotta make sure I log my changes. – Joker
Anyway, you can find the Jade Key at http://18.191.227.167/youfoundthejadegate/gate.html, or your local copy, if you’ve got the correct git commit.
TUCTF{S0_Th1s_D035n7_533m_l1k3_175_f41r_8u7_wh0_3v3r_s41d_l1f3_15_f41r?}
One more left!
Easter Egg: Crystal Gate
Last clue:
I don’t wanna go anywhere.
Another clue that makes way more sense in retrospect.
If you poke around some more, you’ll find that there’s a “crystalsfordays” directory, with a “traversethebridge” page. Again, in retrospect, the “traverse” is a BIG hint.
Since we don’t see anything in our local copy containing the crystal key, we can look at the page on the website:
http://18.191.227.167/crystalsfordays/traversethebridge.php
The page reads:
Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"
Okay, so let’s pass a file parameter in the URL. Props to my teammate who came up with the idea of path traversal. If you try out a few options, you’ll find that this request:
http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../
will result in this message:
Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"
.. .bash_history webserver . .bash_logout .bashrc .bash_profile TheEgg.html
TheEgg! That’s what we want.
So, if we request that…
http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../TheEgg.html
We get this message:
Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"
THE END
Congratulations! You have discovered the crystal key and unlocked the egg. Thank you for your participation in this competition and I hope you enjoyed the trip, as well as learned a few things in the process.
- Joker
TUCTF{3_15_4_M4G1C_NUMB3R_7H3_crys74L_k3Y_15_y0ur5!}
And there you have it! 3 for 3!
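The Crystal Gate worked because the "file" parameter was resolved without checking that the result stayed inside the directory the script was meant to serve. The block below is an added example, not the challenge's own code (the PHP source is not shown on the page): it contrasts a naive join with a containment check in Python. The function names, the info.txt file and the temporary directory layout are assumptions constructed to mirror the listing above.

```python
import os
import tempfile

def naive_resolve(base_dir, user_path):
    """Assumed vulnerable behaviour: join the parameter onto the base directory."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_resolve(base_dir, user_path):
    """Return the real path only if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole path components, so a sibling directory
    # such as crystalsfordays-old does not count as inside crystalsfordays
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def build_demo_tree():
    """Constructed layout: <root>/TheEgg.html and <root>/webserver/crystalsfordays/info.txt."""
    root = os.path.realpath(tempfile.mkdtemp())
    web = os.path.join(root, "webserver", "crystalsfordays")
    os.makedirs(web)
    with open(os.path.join(root, "TheEgg.html"), "w") as f:
        f.write("constructed secret\n")
    with open(os.path.join(web, "info.txt"), "w") as f:
        f.write("constructed user info\n")
    # Sibling directory whose name shares the base directory's prefix
    os.makedirs(web + "-old")
    return root, web

if __name__ == "__main__":
    root, web = build_demo_tree()
    params = ["info.txt", "../../", "../../TheEgg.html",
              "../crystalsfordays-old", "/etc/passwd"]
    for param in params:
        print(f"{param!r:26} naive={naive_resolve(web, param)}")
        print(f"{'':26} safe ={safe_resolve(web, param)}")
```

An absolute value such as /etc/passwd is rejected as well, because os.path.join discards the base when the second argument is absolute and the containment check then fails.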