Statement: Someone was able to successfully break into the admin account!
Do you know what the old password was?
Flag format: The password, case insensitive
The challenge provides a JSON file containing logs.
These logs and scenarios are designed to be real-ish; they are simpler than real data, and since the entire data set covers 1hr, all malicious activity is conducted in a condensed time frame.
Searching the logs, I find an entry from the webmail source (logSource "Webmail") indicating that the password for the admin@shop.downunderctf.com account has been changed:
{
  "_time": "2021-01-01T09:26:52.000+0000",
  "sender": "noreply@shop.downunderctf.com",
  "recipient": "admin@shop.downunderctf.com",
  "direction": "Outgoing",
  "outcome": "Unknown",
  "subject": "Your shop.downunderctf.com Password Has Been Changed",
  "attachments": "null",
  "logSource": "Webmail"
}
I notice that at the same timestamp, the web log (logSource "Http:Web") records a GET request to /login, referred from the /changepassword page, whose ref parameter carries a base64-encoded value (the trailing %3D is the URL-encoded "=" padding character):
{
  "_time": "2021-01-01T09:26:52.000+0000",
  "origin": "58.164.62.91",
  "site": "shop.downunderctf.com",
  "method": "GET",
  "referer": "shop.downunderctf.com/changepassword",
  "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.36 Safari/537.36",
  "url": "shop.downunderctf.com/login?ref=M2RjOTE5ZGUxODZkMWE4ZWU2MmZmZjkyZDgwODM5Zjc6NmQ3YzViM2U3OTZkODMzYjNmZGQ0MGY0Y2U1N2ZhY2Q%3D",
  "logSource": "Http:Web"
}
I decode the base64 string (after replacing the URL-encoded %3D with =):
echo "M2RjOTE5ZGUxODZkMWE4ZWU2MmZmZjkyZDgwODM5Zjc6NmQ3YzViM2U3OTZkODMzYjNmZGQ0MGY0Y2U1N2ZhY2Q=" | base64 -d
This yields the following string: two MD5 hashes (32 hex characters each) in the format md5(oldpassword):md5(newpassword):
3dc919de186d1a8ee62fff92d80839f7:6d7c5b3e796d833b3fdd40f4ce57facd
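To make the correlation reproducible, here is an added Python script (mine, not part of the original write-up or the challenge files). It embeds the two log entries above, finds the web request logged at the same timestamp as the password-change mail, URL-decodes and base64-decodes its ref parameter into the old:new hash pair, and can check a known candidate password against a digest. The real challenge file is a larger JSON array whose layout the page does not show; treating it as a list of flat records is an assumption. The script also makes the underlying defect visible: the application placed both password hashes in a GET parameter, so they were written to the web access log.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# The two log entries quoted in the write-up, embedded inline so this runs offline.
# The real challenge file is a larger JSON array whose exact layout is not shown
# on the page; treating it as a list of flat dicts is an assumption.
LOGS = [
    {
        "_time": "2021-01-01T09:26:52.000+0000",
        "sender": "noreply@shop.downunderctf.com",
        "recipient": "admin@shop.downunderctf.com",
        "direction": "Outgoing",
        "outcome": "Unknown",
        "subject": "Your shop.downunderctf.com Password Has Been Changed",
        "attachments": "null",
        "logSource": "Webmail",
    },
    {
        "_time": "2021-01-01T09:26:52.000+0000",
        "origin": "58.164.62.91",
        "site": "shop.downunderctf.com",
        "method": "GET",
        "referer": "shop.downunderctf.com/changepassword",
        "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.36 Safari/537.36",
        "url": "shop.downunderctf.com/login?ref=M2RjOTE5ZGUxODZkMWE4ZWU2MmZmZjkyZDgwODM5Zjc6NmQ3YzViM2U3OTZkODMzYjNmZGQ0MGY0Y2U1N2ZhY2Q%3D",
        "logSource": "Http:Web",
    },
]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_md5(value):
    """True if value is a 32-character lowercase hex string (the shape of an MD5 digest)."""
    return bool(MD5_HEX.match(value))


def extract_ref(url):
    """Return the URL-decoded 'ref' query parameter of a logged URL, or None if absent."""
    # The logged URLs carry no scheme; urlsplit still separates the path from the query.
    query = urlsplit(url).query
    values = parse_qs(query).get("ref")  # parse_qs also turns %3D back into '='
    return values[0] if values else None


def decode_ref(ref):
    """Base64-decode the ref value and split it into (old_hash, new_hash).

    Raises ValueError if the payload is not 'hex:hex' with two MD5-shaped digests.
    """
    decoded = base64.b64decode(ref, validate=True).decode("ascii")
    parts = decoded.split(":")
    if len(parts) != 2 or not all(looks_like_md5(p) for p in parts):
        raise ValueError("ref does not decode to two colon-separated MD5 digests: %r" % decoded)
    return parts[0], parts[1]


def find_leaked_password_changes(logs):
    """Correlate password-change notifications with web requests at the same timestamp.

    For every Webmail 'Password Has Been Changed' notice, look for Http:Web entries with
    the same _time whose ref parameter decodes to old:new hashes. Returns a list of
    (recipient, origin, old_hash, new_hash) tuples.
    """
    findings = []
    notices = [e for e in logs
               if e.get("logSource") == "Webmail"
               and "Password Has Been Changed" in e.get("subject", "")]
    for notice in notices:
        for web in logs:
            if web.get("logSource") != "Http:Web" or web.get("_time") != notice["_time"]:
                continue
            ref = extract_ref(web.get("url", ""))
            if ref is None:
                continue
            try:
                old_hash, new_hash = decode_ref(ref)
            except ValueError:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
                continue  # a ref is present but it is not the leaked-hash pattern
            findings.append((notice["recipient"], web["origin"], old_hash, new_hash))
    return findings


def check_candidate(candidate, md5_hex):
    """True if the MD5 of candidate equals the given hex digest (hex compared case-insensitively)."""
    return hashlib.md5(candidate.encode()).hexdigest() == md5_hex.lower()


if __name__ == "__main__":
    for recipient, origin, old_hash, new_hash in find_leaked_password_changes(LOGS):
        print("password change for %s from %s" % (recipient, origin))
        print("  old password hash:", old_hash)
        print("  new password hash:", new_hash)
        # Verify the write-up's answer against the old hash (a check of a known candidate, not a crack).
        print("  'ozzieozzieozzie' matches old hash:", check_candidate("ozzieozzieozzie", old_hash))
```

Running the script prints the correlated password change with both digests; the same find_leaked_password_changes() loop, pointed at the full challenge array, is the detection logic a defender would use to spot credential material leaking through URL parameters into access logs.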
I couldn’t recover the password value by dictionary attack or brute force with hashcat, so I used an online tool.
Flag: ozzieozzieozzie