Add evil website writeup

p4-team · Mar 20, 2018 · 2a4d431 · 2a4d431
1 parent 0a4b248
commit 2a4d431
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/2018-03-18-backdoor-ctf/README.md b/2018-03-18-backdoor-ctf/README.md
@@ -8,3 +8,4 @@ Team: ak, c7, Eternal, msm, naz, rev, rodbert, shalom
 * [Awesome Mix 1 (crypto)](crypto_mix1)
 * [Captcha Revenge (web)](web_captcha)
 * [Array List (pwn)](pwn_array)
+* [Evil Website (forensics)](evil_website)
diff --git a/2018-03-18-backdoor-ctf/evil_website/README.md b/2018-03-18-backdoor-ctf/evil_website/README.md
@@ -0,0 +1,31 @@
+# Evil Website (forensics)
+
+We're given a directory containing lots of interesting firefox stuff.
+
+```
+┌[michal@Bobik] [/dev/ttys002] [master ⚡] 
+└[~/Downloads/Chall]> ls
+AlternateServices.txt              containers.json                    firebug                            modifyheaders.conf                 serviceworker.txt
+SecurityPreloadState.txt           content-prefs.sqlite               formhistory.sqlite                 notificationstore.json             sessionCheckpoints.json
+SiteSecurityServiceState.txt       cookies.sqlite                     gmp                                permissions.sqlite                 sessionstore-backups
+addonStartup.json.lz4              cookies.sqlite-shm                 gmp-gmpopenh264                    pkcs11.txt                         shield-preference-experiments.json
+addons.json                        cookies.sqlite-wal                 gmp-widevinecdm                    places.sqlite                      storage
+blocklist.xml                      crashes                            handlers.json                      places.sqlite-shm                  storage.sqlite
+blocklists                         datareporting                      key3.db                            places.sqlite-wal                  times.json
+bookmarkbackups                    extensions                         key4.db                            pluginreg.dat                      weave
+browser-extension-data             extensions.json                    kinto.sqlite                       prefs.js                           webapps
+cert8.db                           favicons.sqlite                    lock                               revocations.txt                    webappsstore.sqlite
+cert9.db                           favicons.sqlite-shm                logins.json                        saved-telemetry-pings              webappsstore.sqlite-shm
+cert_override.txt                  favicons.sqlite-wal                mimeTypes.rdf                      search.json.mozlz4                 webappsstore.sqlite-wal
+compatibility.ini                  features                           minidumps                          secmod.db                          xulstore.json
+```
+
+Unfortunately, all we had to do is notice a pretty suspicious cookie:
+
+![cookie](cookie.png)
+
+Decoding the base64 gave us a weird `Targa image data` file.
+You might be tempted to look for some weird ancient software just to view it, but as it turned out that the best way was to actually just import it into gimp as raw data:
+
+![solution](solution.png)
+
diff --git a/2018-03-18-backdoor-ctf/evil_website/cookie.png b/2018-03-18-backdoor-ctf/evil_website/cookie.png
diff --git a/2018-03-18-backdoor-ctf/evil_website/solution.png b/2018-03-18-backdoor-ctf/evil_website/solution.png