Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

#BSidesVienna: Ticket Challenge Solution

So after a manic few weeks I’ve finally had a chance to throw together a quick solution post of the BSides Challenge.

The challenge started off with a simple link to http://www.untrustedsite.net which contained the following image.

For those who aren’t Star Wars fans, a quick search should have led you in the right direction… No droids. Well, as there’s no droids.txt on your average website, you’d be wise to check out the robots.txt page. This page however is more than a simple pointer to robots.txt, it also provides hints and information in the form of HTML comments and Server header responses…

Depending on the User-Agent string you connect with, the X-Hint value and the hidden HTML comment at the start of the page will change. There are a variety of possible values, and I’ll leave them up to you to find if you want… some are funny, some are helpful, some are cryptic! For example, accessing the site with Internet Explorer (or a user-agent string containing ‘IE’) you’ll get ‘X-Hint: Colder than cold’ and the HTML comment ‘Internet Explorer? Really!’. Yeah, I’m a funny man… it’s a curse.

The next hint you can get from this page is in the image itself… Metadata! By pulling down the image and viewing the metadata values with exiftool, you can see a few helpful hints.This is also where the answer can be found.. if you know what value the answer really is! We’ll come back to this later on.

Taking a look at the robots.txt page will give you a few very obvious hints… If you don’t get these, well, there’s no hope.

Looking at the information in robots.txt should lead you to a few places. Obviously solution.php is one of the possible places to get the solution… yes, even though it says it’s not. Sorry, I lied 😉 The User-Agent lines should also give you the information you need to find the required hints.

This is where there are two paths you can follow. By using the BSidesViennaChallenge User-Agent string on iknowtheanswer.php and solution.php you get the details on how to email the answer, and the 2 halves of the hash value to use (in solution.php the div id is the first half of the hash, and the second half appears when you make a request using the correct User-Agent string.



Putting these 2 parts together you get the entire hash, as well as the email address…. 427e5301cc0f2c204c37f37f63976de3 [AT] bsidesvienna [dot] com. However the iknowtheanswer.php also provides you with the path for solution number two by pointing you at the Metadata.

Requests to the start page using the BSidesVienna and BSidesViennaChallenge User-Agent strings will also point you at which of the many Metadata tags you need to use…. ‘Current IPTC Digest’. As we mentioned earlier, running the saved jpg through exiftool we get a range of information… and a few hints if you needed them. The value for IPTC is the same hash we found using solution one… and therefore the correct email address to win a ticket.

You’ll also see a few hints in their like the Make,  Camera Model, Maker Notes, and especially the keywords. These all point you to look at the robots.txt, and the ua-tester tool (for testing specific user-agent strings).

No matter which way you looked at the contest there was always a hint to drive things forward if you were looking hard enough that is! Looking at server headers, HTML comments and the differences in data returned from a site are all important aspects of web application penetration testing, and are widely know. That said, i understand not everybody got the answer… I just hope that people had fun in the process, and maybe even learnt something useful.

Congratulations to the winners who got the correct answer, and for those wanting to play around with the challenge, I’ll be leaving the site up to play with for a while yet.

Hope to see you all in Vienna for BSidesVienna!


Comments are closed.

%d bloggers like this: