TUCTF’s Ready Player One Challenges (hint: git is your friend)

Five of the web series challenges were Clue-themed.  The other three are a reference to Ready Player One, which I haven’t seen.

But I have used git before, and that’s what this challenge is (mostly) about.  All three challenges use the same website.

Easter Egg:  Copper Gate

Our hint here says:

How did I end up here? – Joker

http://18.191.227.167/

I poked around the website for a while, looking for anything related to the hint.  Request referral, maybe?  No luck.  I watched the weird egg video on the screen.  No luck with that either.

I also played around with some things related to dates, given the “check back later” message.

Using dirbuster, one of my teammates found a .git directory at:

http://18.191.227.167/.git/

Having your git repository online is a bad idea… you’ve essentially given the source code (and entire history) of your website to everyone.  Good news for us, though.

Open up a command line, and type:

wget -r 'http://18.191.227.167/.git/'

This will copy the git repository to whatever directory you’re in.

Back on the website, you may have poked around in the files at the /.git/ endpoint.  If you made your way to http://18.191.227.167/.git/logs/refs/heads/master, you would see this log of git commits:

Looks promising!

I know we’re looking for the copper egg, but the “The Jade Flag” one seems pretty obvious, no?  Let’s try that.  Grabbing the commit hash from that line:

$ git checkout 893b1b87772183d283b450faa2836dac7c9653a3

You’ll get some warning messages about detached HEAD state, which is usually a bad thing, but this is just a CTF challenge so I don’t care. 😛

You could look around at the new and changed files using a command line, but I looked at the directory (GUI) instead.

We see there’s a folder called “enterthecoppergate” and inside, a file called gate.html.  Or, on the website, it’s:  http://18.191.227.167/enterthecoppergate/gate.html

There it is!  Well… sorta.

VFVDVEZ7VzNsYzBtM19UMF9UaDNfMDQ1MTVfVGgzX0MwcHAzcl9LM3l9Cg==

But that looks like base-64, so we can decode it.

TUCTF{W3lc0m3_T0_Th3_04515_Th3_C0pp3r_K3y}

One down, two to go!

Btw, this page also gave us a hint for jade:

The Jade Key

The updates conceal the Jade Key
in a backup long neglected
But you can only retrace your steps
once the logs are all collected

Easter Egg:  Jade Gate

If we look at our commit log again, we see more references to Jade.  If you try a few of them, you’ll find pages where there’s the Jade Key, but it’s SHA-512 hashed.  Or 256.  Finally, when you get to the “FINE BE THAT WAY” commit, you’ve found it.

761c7ef2510514ae24cfdd8172e34fd85e71b568 Joker <joker@hahacienda.com> 1542850907 -0800	commit: FINE BE THAT WAY

In retrospect, making us wade through a bunch of different commits probably should have been expected, as our hint is:

Gotta make sure I log my changes. – Joker

Anyway, you can find the Jade Key at http://18.191.227.167/youfoundthejadegate/gate.html, or your local copy, if you’ve got the correct git commit.

TUCTF{S0_Th1s_D035n7_533m_l1k3_175_f41r_8u7_wh0_3v3r_s41d_l1f3_15_f41r?}

One more left!

Easter Egg: Crystal Gate

Last clue:

I don’t wanna go anywhere.

Another clue that makes way more sense in retrospect.

If you poke around some more, you’ll find that there’s a “crystalsfordays” directory, with a “traversethebridge” page.  Again, in retrospect, the “traverse” is a BIG hint.

Since we don’t see anything in our local copy containing the crystal key, we can show it on the website:

http://18.191.227.167/crystalsfordays/traversethebridge.php

The page reads:

Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"

Okay, so let’s pass a file parameter in the URL.  Props to my teammate who came up with the idea of path traversal.  If you try out a few options, you’ll find that this request:

http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../

will result in this message:

Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"
.. .bash_history webserver . .bash_logout .bashrc .bash_profile TheEgg.html

TheEgg!  That’s what we want.

So, if we request that…

http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../TheEgg.html

We get this message:

Note: Only used for access management and to check user info.
Note2: I can't seem to remember the param. It's "file"
THE END

Congratulations! You have discovered the crystal key and unlocked the egg. Thank you for your participation in this competition and I hope you enjoyed the trip, as well as learned a few things in the process.

- Joker

TUCTF{3_15_4_M4G1C_NUMB3R_7H3_crys74L_k3Y_15_y0ur5!}

And there you have it!  3 for 3!
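
The fix for the kind of handler behind traversethebridge.php, as an added example (Python, not the challenge's PHP source, which the post never shows): canonicalise the `file` parameter and refuse anything that resolves outside the served directory or is not a regular file. The function names, the `userinfo.txt` file and the temporary directory layout are assumptions constructed to mirror the listing above.

```python
import os
import tempfile

class TraversalError(ValueError):
    """Raised when a requested path must not be served."""

def naive_resolve(base_dir, user_path):
    # Assumed vulnerable form: the parameter is joined onto the base directory
    # and used as-is, so "../" segments walk out of it.
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_resolve(base_dir, user_path):
    # Hardened form: canonicalise both paths (symlinks included), then require
    # the target to be a regular file located inside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("outside base directory: %r" % user_path)
    if not os.path.isfile(target):
        raise TraversalError("not a regular file: %r" % user_path)
    return target

def build_sample_tree():
    # Constructed layout: <home>/TheEgg.html sits two levels above
    # <home>/webserver/crystalsfordays/, as in the directory listing above.
    home = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(home, "webserver", "crystalsfordays")
    os.makedirs(base)
    with open(os.path.join(home, "TheEgg.html"), "w") as f:
        f.write("egg")
    with open(os.path.join(base, "userinfo.txt"), "w") as f:
        f.write("user info")
    return home, base

def check(base, user_path):
    # Report what the hardened handler would do with one parameter value.
    try:
        return "served " + os.path.basename(safe_resolve(base, user_path))
    except TraversalError as exc:
        return "rejected (%s)" % exc

if __name__ == "__main__":
    home, base = build_sample_tree()
    for p in ["userinfo.txt", "../../", "../../TheEgg.html", "/etc/hostname"]:
        print("%-20s naive -> %s" % (p, naive_resolve(base, p)))
        print("%-20s safe  -> %s" % ("", check(base, p)))
```

The `isfile` check is what stops the directory listing seen with `file=../../`; the `commonpath` check is what stops the read of TheEgg.html.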