Part 2: Solving ESET’s Pentest Challenges

I stumbled upon pentest.join.eset.com while running a Pentest Training a couple of months ago. I find the challenges friendly to anyone trying to dive into penetration testing. This is a continuation of the first post — https://medium.com/@johntroony/solving-esets-pentest-challenges-79f6f5e9657f

7. Secret message

Message Hidden in Image

How I solved it:

This is a very simple challenge but I think I took a wrong start with my analysis. I’ll document all the steps I took (including the wrong turns I made) just to show you that I also make mistakes and what my solving process looks like.

I downloaded the image and jumped straight into steganalysis. I checked to see what type of image/file I was dealing with and found out it was a JPEG file (it is always important to know what sort of filetype you are dealing with).

filetype examination

I then checked if there are any hidden (text) files/data within the image file using binwalk. I didn’t find anything interesting. Binwalk is a firmware analysis tool, but its signature scanning can be used in steganalysis or for analyzing unknown binary files in general.

binwalk output

I checked for strings to see if I’ll get anything unusual or close to the challenge’s hint. I didn’t.

strings output

With all these attempts failing, I decided to go for steghide to see if it could extract any hidden data from the file. But it asked for a password I had no clue about (I guessed eset/ESET/Eset but they all failed).

steghide output

At this point, my CTF instincts started kicking in. I decided to brute-force the password using stegcracker and the default Kali Linux rockyou.txt wordlist. After about 25 mins without any success, I felt like this was a wrong approach. Considering how the other challenges were easy, I must be doing something wrong.

stegcracker output

A bit frustrated, I realized I’m overthinking. I opened up stegsolve and loaded the image file. I ran a basic analysis on the image file and noticed something interesting.

stegsolve

Now, I questioned my previous attempts. Then I remembered, strings (the tool) ignores any string with less than 3 characters (by default) when processing an input file. So maybe I set the strings character length to 1 and analyse the file again? Sure thing!

strings with length set

I started to see where I went wrong. I decided to remove the new lines on the output, and the answer was in front of me :)

strings with length set and new lines trimmed

Maybe I could have seen this much sooner, within the first few steps, if I had considered including ExifTool in my initial analysis. And this is one of the lessons I learned from this exercise — refining my analysis methods (check for metadata within the first few steps).

Exiftool metadata extraction (Don’t overthink)
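To make the lesson concrete, here is an added example (my own illustration, not code from the challenge or from the author): a small JPEG marker-segment walker that pulls out the COM/APPn metadata segments exiftool would show first, plus a `strings`-style scanner whose minimum length shows why one-character runs vanish at the default setting. The JPEG bytes are constructed inline and are not the challenge image.

```python
import re
import struct

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF, marker, 2-byte length incl. itself."""
    return struct.pack(">BBH", 0xFF, marker, len(payload) + 2) + payload

# Constructed sample (not the challenge image): SOI, APP0, a COM segment
# holding one character per line, a truncated APP1/EXIF stub, then SOS.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01")
    + _segment(0xFE, b"h\ni\nd\nd\ne\nn")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*")
    + b"\xff\xda" + b"\x00" * 8
)

def jpeg_metadata_segments(data: bytes) -> list[tuple[str, bytes]]:
    """Walk marker segments up to SOS; return COM and APPn payloads, which is
    where comments and EXIF live and what exiftool reads first."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            out.append((name, payload))
        pos += 2 + length
    return out

def strings_like(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings -n <min_len>`: runs of printable ASCII of that length."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def hidden_comment(data: bytes) -> str:
    """`strings -n 1 | tr -d '\\n'` restricted to COM segments: join the
    single-character runs that the default minimum length hides."""
    return "".join(
        "".join(strings_like(payload, 1))
        for name, payload in jpeg_metadata_segments(data)
        if name == "COM"
    )
```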

8. Cookie

Cookie challenge

How I solved it:

Trying to access the website, you get a response with error code 403 (access forbidden).

Error 403

Checking the cookies, I noticed a cookie is set — admin_auth_restricted with value restricted. By the way, I use EditThisCookie, a Chrome extension (any similar add-on/extension can achieve the same): https://github.com/ETCExtensions/Edit-This-Cookie

Cookie Edit

I tried changing the value of the cookie to ‘unrestricted’ then ‘allowed’ but they all failed.

Modifying the cookie

So I decided to delete the cookie and it worked :)

Solved.
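Why deleting the cookie works, as an added example of mine (not the challenge’s server code): a gate that only checks for the presence of a client-controlled restricting cookie, next to an allow-list version that requires a server-signed session, so a missing or edited cookie falls through to deny. The signing key is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed signing key for the example; a real one comes from server config.
SERVER_KEY = b"example-only-signing-key"

def vulnerable_is_allowed(cookies: dict[str, str]) -> bool:
    """Gate modelled on the challenge's behaviour: the server only checks
    whether a restricting cookie is present. Changing its value still denies,
    but simply deleting the cookie (which the client controls) grants access."""
    return "admin_auth_restricted" not in cookies

def issue_session(username: str, role: str) -> str:
    """Issue a server-signed session: claims plus an HMAC tag over them."""
    claims = f"{username}:{role}"
    tag = hmac.new(SERVER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}:{tag}"

def hardened_is_allowed(cookies: dict[str, str]) -> bool:
    """Allow-list gate: access needs a validly signed session whose role is
    admin. A missing, malformed, stripped or edited cookie all fall through
    to deny, so there is no client-side state whose absence means 'allowed'."""
    token = cookies.get("session")
    if not token:
        return False
    parts = token.split(":")
    if len(parts) != 3:
        return False
    username, role, tag = parts
    expected = hmac.new(SERVER_KEY, f"{username}:{role}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return role == "admin"
```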

9. IP address

Get the IPs

How I solved it:

Assuming I understood the question, below is what I did :)

IPv4 and IPv6

10. Restricted access

How I solved it:

Accessing the intranet URL, we get the following message.

So I had to trick the server into treating the request as if it came through an internal proxy. To do this, I used the X-Forwarded-For header, which is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer (you can also use curl).

11. User-Agent

How I solved it:

Accessing the URL using my browser, I got my user-agent header echoed back as the web response.

Checking Google’s documentation on what its bot uses, I picked the following header to access the URL again. I used Burp to modify my headers (you can also use curl).

And it worked perfectly fine :)
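Both of these challenges pass because the server trusts headers the client writes. As an added example (mine, not the challenge code), here is the naive X-Forwarded-For handling beside a version that only honours it from a trusted proxy, and a Googlebot check that treats User-Agent as a hint and does the reverse-then-forward DNS verification Google documents. Address ranges are constructed, and the DNS resolvers are injected callables so it runs offline.

```python
import ipaddress

# Constructed ranges for the example: the proxies allowed to set
# X-Forwarded-For, and the address space the "intranet" check looks for.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

def _in_any(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in nets)

def client_ip_naive(remote_addr: str, headers: dict[str, str]) -> str:
    """The pattern the challenge exploits: believe X-Forwarded-For from any peer."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr: str, headers: dict[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the rightmost entry (the one that proxy appended), never the
    leftmost, which the client can prefix freely."""
    xff = headers.get("X-Forwarded-For")
    if xff and _in_any(remote_addr, TRUSTED_PROXIES):
        return xff.split(",")[-1].strip()
    return remote_addr

def is_intranet_request(remote_addr: str, headers: dict[str, str],
                        resolver=client_ip_hardened) -> bool:
    return _in_any(resolver(remote_addr, headers), INTERNAL_NETS)

def is_verified_googlebot(remote_addr: str, headers: dict[str, str],
                          reverse_dns, forward_dns) -> bool:
    """User-Agent is free text anyone can send, so it only selects the check.
    The proof is the one Google documents: reverse DNS of the peer address
    must land in googlebot.com or google.com, and a forward lookup of that
    host must return the same address. Resolvers are injected callables
    returning a hostname/address or None so the example runs offline."""
    if "Googlebot" not in headers.get("User-Agent", ""):
        return False
    host = reverse_dns(remote_addr)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return forward_dns(host) == remote_addr
```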

12. Hash

How I solved it:

Hashing is a method of cryptography that converts any form of data into a unique string of text. It is called a one-way function since you are not supposed to be able to derive the data used in generating the unique string. So the only way to get the user data is to use a lookup table — a table containing words and their corresponding hashes. This purely depends on the complexity of the word used. If it’s not a word from the common dictionary, the more difficult it gets.

That said, there are a number of online services that have these lookup tables populated and you can try your luck. I used https://crackstation.net/

Acrobat is the solution for this challenge
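What a service like crackstation does behind the form, as an added example (my own code, not crackstation’s): build a digest-to-word table from a wordlist once, then answer by lookup rather than by inverting the hash; the defender’s counterpart is a per-user salt and a slow KDF, which makes any shared table useless. The wordlist is a constructed stand-in.

```python
import hashlib

# Constructed mini wordlist standing in for a dictionary; a real lookup table
# is built the same way from millions of entries (and leaked-password dumps).
WORDLIST = ["password", "letmein", "Acrobat", "eset", "Nairobi"]

def build_lookup(words, algo: str = "md5") -> dict[str, str]:
    """Precompute digest -> word. Unsalted hashes of the same word are the
    same everywhere, so one table built once answers every query."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}

def reverse_hash(digest: str, table: dict[str, str]):
    """A dictionary lookup instead of computation: the one-way property is
    intact, the table just remembers the inputs it was built from."""
    return table.get(digest.strip().lower())

def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Defender's counterpart: a per-user random salt and a slow KDF. The same
    word now yields a different digest for every user, so no shared table can
    be precomputed, and each guess costs `iterations` of work instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
```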

13. B2T Encoding

How I solved it:

The encoded message seems like a Base64 encoded string — looking like it is padded with the ‘==’ characters.

The decoded message is IT_is_just_encoding

Conclusion

These are basic challenges and pretty nice for newbies. By solving the challenges you get to build a solid method of attempting to break security. You’ll have a problem-solving mindset and see your engagements as little boxes of puzzles to solve.

Try to crack the registration form at Hack The Box (HTB), then use the ideas shared here to try out the HTB challenges. You can also check out ctftime for upcoming CTF challenges and register for junior challenges.

If you are totally new to CTFs, please check the following resources:

0. CTF Players Club (if you are in Nairobi) https://ctfplayers.club/
1. Keep a tab on http://ilabafrica.ac.ke for upcoming hackathon challenges, security workshops and training (say hi when we meet).
2. Check out CTF-Tools https://github.com/zardus/ctf-tools
3. Watch all the 42 videos in this playlist and take notes. John Hammond is an awesome guy.
4. Subscribe to LiveOverflow

Have fun!

If I was a writer I’d have nice words to put here :) Purple Teamer.
