Skip to content

Captain Crypto's Castle

Jenn Janesko edited this page Apr 2, 2019 · 18 revisions

Captain Crypto's Castle had the following description.

Captain Crypto seems to be building his own social network, "Captain Crypto's Castle"! Get in to steal his identity!

Going to the website, the following login mask was presented:

After trying a few basic things:

  • sql injection,
  • command injection,
  • XSS, and, I did not find anything suspicious.

I decided to take a look at the link "Forgot Password?". The forgot password screen shows a set of questions to answer to recover a password. This, of course, is not good practice. So, I figured this was likely the way to get to Captain's Crypto's information. The password reset page asked for 3 different pieces of information.

The username at this point was unknown. The IBAN value was provided in the Captain Crypto's Demand challenge (the very first CTF challenge). And, the last question, the worst password, could be found online. This left the username. I tried CaptainCrypto and different variations of this, but I wasn't able to guess. So, I went back to the original description and read more closely.

Captain Crypto seems to be building his own social network

I thought about it and guessed that maybe he might have an account in another social network. After looking quickly at Facebook and Twitter, I found a suspicious account in Twitter.

This user had the right name, was a follower of @BSidesMunich. Using the following information:

  • User: MucCrypto
  • IBAN: DE91500105174425265142
  • Worst Password: 123456

After submitting the form, the following message was displayed:

After logging in with the displayed password, Captain Crypto's profile (and the flag) were displayed.