[EN] Write up - WorldGolfChampion - leHACK 2019
Name: WorldGolfChampion
Points: 50
Description: Help me, i need this flag
Url: http://static.wargame.rocks/WorldGolfChampion.pcap
Level: Very easy
So it begins with a pcap... When we look quickly at the first packets of the exchange we see cleartext information... Things like "User:tiger" or "Password:"...
Let's follow the TCP stream to see if we can get more information about this...
So... It looks like the log of a terminal session... What do we have?
- he launches Firefox to search for Ashley Madison on Qwant... Weird flex but ok...
- then kills the Firefox process
- tries to open a KeePass database
- forgets the password
- starts to panic
- searches on Qwant how to reset the master password of a KeePass database
- tries random commands like base64 on his KeePass database file
Running base64 on the KeePass database file printed its base64 encoding in the terminal output, so a simple base64 -d of that text gives us the original KeePass file. Only the base64 lines must be fed to the decoder: the echoed command, the prompts and the terminal's CR line endings have to be stripped first, otherwise base64 -d rejects the input.
It looks obvious that we will have to open it to get the flag... Let's have a second look at the TCP stream... He used the password
woods1275 to log in... Then he tried the following without success to open the database:
Let's gamble on the fact that his password is always "woods" + 4 digits.
Small script to build all possibilities from
Then we will use
kpcli in a simple brute-force shell script. If the right password is in our wordlist,
kpcli will stop the script.
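As an added example (this is not the author's script and not code from the write-up), here is the whole procedure in one POSIX shell script: pull the base64 lines out of the saved TCP stream, decode them, check the KDBX signature before starting a brute force, build the "woods" + 4-digit wordlist with the leading zeros kept, and loop the candidates through kpcli. The captured session text, the prompt format and the file name keepass.kdbx are constructed for the example. The kpcli options --kdb, --pwfile and --readonly, and a non-zero exit status on a wrong master password, are assumptions about kpcli rather than something the write-up shows, so check kpcli --help for your version before relying on them.

```shell
#!/bin/sh
# Added example for the WorldGolfChampion write-up, not the author's script.
# Steps: extract the base64 dump of the KeePass file from a saved TCP stream,
# decode it, verify the KDBX signature, build the woods+4-digit wordlist
# (leading zeros included) and try each candidate with kpcli.

# Constructed stand-in for the "Follow TCP Stream" text. A real capture is
# saved from Wireshark (Follow > TCP Stream, ASCII) or with
#   tshark -q -r WorldGolfChampion.pcap -z follow,tcp,ascii,0 > stream.txt
# The prompt, the file name and the payload (a fake, truncated KDBX header:
# signature 03 D9 A2 9A 67 FB 4B B5, version 01 00 03 00, then zero padding)
# are made up for this example.
sample_capture() {
    cat <<'EOF'
tiger@golf:~$ ls
keepass.kdbx
tiger@golf:~$ base64 keepass.kdbx
A9mimmf7S7UBAAMA
AAAAAAAAAAAAAAAA
tiger@golf:~$ exit
EOF
}

# Print only the base64 lines that follow the `base64 <something>.kdbx`
# command. Terminal captures use CRLF, so the CR is stripped first. A line
# counts as base64 data only if it is alphabet characters plus optional '='
# padding, which also rejects the "====" separator lines tshark prints.
extract_b64() {
    tr -d '\r' < "$1" | awk '
        found && $0 !~ /^[A-Za-z0-9+\/]+=?=?$/ { exit }
        found { print }
        /base64 [^ ]*\.kdbx/ { found = 1 }
    '
}

# Decode the extracted text into a file ($1 = capture, $2 = output .kdbx).
recover_kdbx() {
    extract_b64 "$1" | base64 -d > "$2"
}

# A KDBX file starts with the signatures 0x9AA2D903 and 0xB54BFB67, stored
# little-endian. Checking them catches a bad extraction before the brute
# force is started.
kdbx_magic_ok() {
    [ "$(od -A n -t x1 -N 8 "$1" | tr -d ' \n')" = "03d9a29a67fb4bb5" ]
}

# Candidate list: "woods" followed by exactly four digits, zero-padded, so
# woods0180 is present (a list of bare numbers 0..9999 would miss it).
gen_wordlist() {
    i=0
    while [ "$i" -le 9999 ]; do
        printf 'woods%04d\n' "$i"
        i=$((i + 1))
    done
}

# Try each candidate with kpcli. ASSUMPTIONS about kpcli (not from the
# write-up): it accepts --kdb=<file>, --pwfile=<file> and --readonly, and
# exits non-zero when the master password is wrong; check `kpcli --help`.
# With John the Ripper the same search is a mask, which keeps leading zeros:
#   keepass2john db.kdbx > hash.txt && john --format=KeePass --mask='woods?d?d?d?d' hash.txt
brute_force() {
    db=$1
    words=$(mktemp)
    pwfile=$(mktemp)
    gen_wordlist > "$words"
    found=1
    while read -r pw; do
        printf '%s\n' "$pw" > "$pwfile"
        if kpcli --kdb="$db" --pwfile="$pwfile" --readonly </dev/null >/dev/null 2>&1; then
            echo "master password: $pw"
            found=0
            break
        fi
    done < "$words"
    rm -f "$words" "$pwfile"
    return "$found"
}

# Usage: sh golf.sh stream.txt recovered.kdbx
if [ $# -eq 2 ]; then
    recover_kdbx "$1" "$2"
    kdbx_magic_ok "$2" || { echo "$2 is not a KDBX file, check the extraction" >&2; exit 1; }
    brute_force "$2" || { echo "password not in wordlist" >&2; exit 1; }
fi
```

The signature check is the part worth keeping even outside this challenge: a stream saved with the wrong line endings or with the echoed prompt still attached decodes to garbage, and it is cheaper to notice that immediately than after a brute force has run for a while on a file that was never a KeePass database.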
Let's run this and go AFK, it could take a long time. I go have a beer and talk with the other challengers.
I stayed outside for 30-40 minutes making friends with some guys from Akerva, thinking it would take a good while... When I left, Alkanor's "John The Ripper" had already been running for a solid 15 minutes with nothing...
It took the huge amount of time of... 2 minutes and 30 seconds! It found the password about 1 minute after I left... Nice move... But anyway I have the password
woods0180 and Alkanor's "John The Ripper" is still running with nothing...
Edit: John wasn't working because the wordlist didn't include words with a 0 at the beginning, so no chance to find 0180 :/
Let's open the database with the KeePassX GUI to have a nice display for the screenshots...
woods0180 works well.
MyBestPlan looks like junk data, let's see the one with nothing...
This looks like a flag... Let's validate.
+50 points, time to go on an other chall !