Challenge - Week 8
https://minside.bouvet.no/bouvet-alle/nyheter/ukas-sikkerhetspost-2021-8
“Test in prod”, they said, “it'll be fine”.
It was not fine! And now we can't find our flag again!
Can you help? Same format as last time: BVT{<text>}
Solution
Upon clicking the link to the challenge, you are presented with this error message:

This is a static HTML page with a static error message (typically one you’ll see when you have a SQL injection vulnerability). It is also what we call a red herring: it had nothing to do with the challenge, and changing parameters would not change this error message.
In fact, this error was returned no matter what you requested from the server, except when you requested /favicon.ico, which most browsers do automatically.

Things are not always what they seem
The very first line of the post said:
Theme special: Not everything is what it appears to be
This is true both for the challenge (fake error message), and the favicon file.
Hiding malware in benign files is not uncommon; it can be used both to bypass filters and sometimes to avoid detection altogether. Some malware also exfiltrates (steals) data by hiding it in pictures.
Some filters will only check the file type, and sometimes the file headers. The favicon is not actually a .ico file: if we look at the headers, it’s identified as a PNG file.
Looking at the file size reveals something:
That is one very large icon!
Running strings favicon.ico gives us something interesting:
Since we get a file name, and not a flag, we can assume that we might be dealing with a hidden zip file. So let’s try to unzip the icon.
That worked! Let’s look for the flag!
The command used:
sed -E 's/.*(BVT\{[a-zA-Z0-9 _-]*\}).*/\1/' secret-data.json && echo
Simply opening favicon.ico in 7zip and searching for BVT{ in notepad will also do the trick!
The flag
BVT{I can read hidden files}