Hey everyone, quick announcement before we dive into this video. If you didn't know, GuidePoint Security is kicking off an event tomorrow, September 22nd, that's going to be a super beginner-friendly capture-the-flag competition. It's all about introductory challenges aimed at getting people introduced to the field. So it's for absolute newcomers, or CISOs that just haven't spent time on the keyboard yet, and it's going to be a ton of fun. The game is hosted and put on by GuidePoint Security and powered by StormCTF, the folks that bring capture-the-flag games to a lot of different cybersecurity conferences and offer custom training. So if you play and you really like what you see, you can definitely start the conversation and just ask them, hey, can you bring an event like this to me or to my company or to whatever you specifically are doing? You can have them build a CTF specific and tailored to you and your audience. This game specifically is going to be running every month for six months, a week at a time, and it's totally free. So if you want something new, if you want something fresh, something really beginner-friendly and a lot of great foundation fundamentals to get started in the scene, and if you want to jump in, you can register now online with the link in the description below. I'm really excited for it. I know StormCTF and the guys over there are incredible and always do a great job putting on a game. So please do head over there. I'm really excited for tomorrow and I'll see you on the scoreboard.

Hello, everyone. Welcome back to the YouTube video. My name is John Hammond and we are still looking at some challenges from the DownUnderCTF, or the capture-the-flag event that went on this past weekend. So let's hop on over to my screen and I want to showcase some of the simple web category challenges. This first one is called Leggos. I don't know how to pronounce that. It says, I love pasta.
I won't tell you what my special secret sauce is though, and we have a link to go to this page here. So if I open that up in a new tab, I can go access it there and it says, this is my second favorite pasta sauce. I've safely hidden away my favorite sauce. So immediately my knee-jerk reaction on a CTF challenge is to look at the source code, especially in a web challenge, a web category. I want to look at the HTML, or really what that website and that web page is made of. So as reflex, I'll hit Ctrl+U on my keyboard to activate that hotkey so I could view source, so like look at the HTML code. When I do that on this challenge, I get this little pop-up that says, hey, that's not allowed. Okay. That's frustrating. I thought, let's try another method. If I could right-click and view source. No, that's not letting me do it either. Okay. Great. What do I do here? Can I like curl the page and like look at it manually? I'll fire up a terminal here and I'll just kind of curl this thing. There we go. Okay. Looks like we have the code that I could see. This is my second favorite pasta sauce. I've safely hidden my favorite sauce, and there's sauce.jpeg. I guess we could download that if we really wanted to. Oh, and there's some JavaScript here. document.onkeydown. And these are probably the key combinations that I would press to go ahead and view the source. That's annoying. There's also a disable mouse right-click .js. Looks like it's loading that, and that's probably something that I could access. I wonder actually, so if I hit F12 on my keyboard to open up the developer tools, right? I can get into the inspector tab, and you might have noticed that I accidentally just had the flag visible there. Script here. I can see that there's this same code that would disable what I was looking at previously. I have in the div section here everything that I just saw via curl. I'll zoom in on this so you can see a little bit more.
I also don't have the stuff expanded in the head tag. So let's look at that. And my favorite pasta sauce, the style. Okay, that's the CSS that we saw previously. And there's that script source for disable my mouse right-click. I could go check that out. Can I go to that? Can I click in that and go see it? I guess maybe I can go to like the debugger. Oh yeah. So in the debugger, you can look at the JavaScript code that's being run on a particular page here. So that chal.duc.tf in the page here has the index for what we've already seen. I'll try and make that a little bit bigger again so you can see it. And it also has that disable mouse right-click. And this probably sticks out like a sore thumb here though: document.addEventListener('contextmenu', ...). It'll prevent that from executing and notify you, hey, that's not allowed. So you can't right-click and get that context menu to view source. There we go. The source reveals my favorite secret sauce, and there is the flag. This is kind of neat. I realized, sure, it's kind of a cheesy challenge, a cheeky thing where you just are tripping over being able to view the source. And once you actually view the source, the flag is right there. Maybe that's a cool thing just to note for your learning: hey, this is how it can be done, and literally can be done, to disable right-clicking, to disable that Ctrl+U. Maybe there's more learning in the creation of this challenge than there is in solving it. Totally fine by me. I think this is still kind of a good thing to showcase. So there's that flag. You can go ahead and submit that and get your points. Obviously, now that we, like even just viewing what we saw, we could read this file. Like if we were to go back to our web browser and literally access it in the URL bar, it's JavaScript. So you could just navigate to that and it's accessible client side. So there it is. And you just access that. You could curl that down if you wanted to, but that's all it really takes.
No ketchup, just sauce, raw sauce, numbers. Thanks guys. That was good. That was fun. That was a nice little cute one. I realized that's not enough to make a video on.

So let's dive into the second challenge, web badman. This has significantly less solves than the others, though it is marked easy. And it says, we launched a game and now it is no longer launched. Can you figure out what had happened? Plaques help. We have another link here, and eventually they released a hint because so many players were struggling with this thing. And I know I, for one, was struggling with this. Epic website one. Game status: broke AF. Dude, same here. I know that feeling. Hi everyone. We just want to let you know that this website is still under development and we're trying our absolute best. You're, that's not true, you're lying to me, to get it up and running, but we are running into issues and we aren't sure what's going on. Me right now. And there's this, the meme video. I'm going to turn my volume down. I'm going to play this. It puts on like this, like this bouncy, neat and cool song. And then it gets into the dude just screaming. I appreciate that. I'm grateful for that experience. Click to start blocking ads. Maybe you can't hear it, but it makes me laugh, you know? Great. Oh, and by the way, my music taste: ALEX and Tokyo Rose, fantastic synthwave, new retro wave stuff, and Pendulum. They just released a new track and I'm really excited that they're back. So those are my recommended videos apparently. Anyway, here's a button, beep boop, copyright 2020. I'll view the source on this page. If I hit Ctrl+U, I can zoom in on the source here so you can see it: regular HTML boilerplate stuff, regular title, and the stylesheet is being pulled from a CDN, or cloud delivery network service thing. And that's a third-party external resource. So that's probably not pertinent to the CTF and we don't have to care about it. There's the page body. We have an HTML comment here.
You can kind of see that by that green text. It says an a href, so an anchor tag or a link to https://epicgame.play.duc.tf, play our new game here. Cool, okay, let's check that out. I just want to go through the rest of the source code, but nothing else really sticks out. This is all the stuff that we already read on the webpage. There's nothing new, no JavaScript, no other peculiar HTML comments. So we've got this to work with, https://epicgame.play.duc.tf, play our new game here. Okay, I'll pop up a new tab, spit that in. And we're having trouble finding that site. We can't connect to the server at epicgame.play.duc.tf. Does that exist? Can I like curl that page? Could not resolve host epicgame.play.duc.tf. Does it need to be like HTTP? Are they fooling me? Does it need to be like on the specific port, the same one that we're on? No, no, no. What about -vvvv, get some verbose output in there. I don't want the port in there because they mentioned literally the anchor tag, and the link showcases that. And that just can't find it, it doesn't know what it is. I was stuck on this for a long time. I'll be completely honest. We were literally looking at this probably for three or four hours and we were just like, okay, what the crap, I can't solve this. I literally, you know, like I do, I would go in the Discord and I would just scroll through the chat. I'd search Ctrl+F and just look for people mentioning this challenge to see if there's any like hints or anything, any OSINT you can pull out from the admins of the game. And there was nothing. I didn't know what to do with this. We tried cheesy stuff. Like we would edit our /etc/hosts file, sudo nano /etc/hosts. And like maybe it would have to map to the original chal, because when you go to this page, it's chal.duc.tf. And we could just, okay, look up that if we wanted to. We take that domain name and then if I were to like nslookup or do a dig on chal.duc.tf, there we have that IP address.
We could try and go to that. I thought maybe that was a thing. There we go. You go in our web browser, now that we've set that, we could try and load that page. Now it'll start to load something, but it'll just hang. Like I'll try and curl it one more time. That just takes forever. There's just nothing there. That just didn't work, and that wasn't what it was. I thought like, okay, what the heck? Is it just play.duc.tf? Is that a thing? Because that's a thing that has its own page. If I nslookup that, would that work? We'll try marking that in my /etc/hosts file, putting that IP address. And this is all a rabbit hole. I'm just showcasing the steps where I was stumbling and failing and not getting this to work either. When I set it to play.duc.tf, I was like, oh, it just brought me back to the CTF site, and they're like, oh, that's useless. But I mean, it makes sense. The original thing was play.duc.tf. So that was wrong and that didn't work either. What the heck? I was freaking out. I didn't know what to do. I figured like, all right, let's just table it. Let's do it later. Let's solve other challenges. So I removed that from my /etc/hosts file. Eventually they released a hint because so few people were solving this. So you could check out the hint here and it said, boss, we're firing you. The game doesn't even load. Web badman. It was just a simple misconfiguration. I clicked the wrong button. And I was still scratching my head like, what does that mean? What button do you press in deploying a web server? Like Apache, nginx, like what, PHP? And I didn't know. They kept emphasizing this B, this badman. And I was like, is it something with the button? The button doesn't go anywhere. It doesn't do anything. You view the source and there's no form attached to that button. It doesn't do anything. I was tweaking out. Eventually I had a really weird thought and I correlated this in my head for a little bit.
I eventually was like, there is no epicgame.play.duc.tf. If I were to try and look up that epicgame.play.duc.tf, it couldn't find anything. And when you do that, when you're doing an nslookup or you're doing a dig (okay, I guess I copied the button for some reason), you're looking at a DNS A record, right? Or the address, the IP address that this domain name will refer to. And I was like, that's funky, if there's just nothing that exists there, but that's clearly denoted in the source code as the domain that we're working with. And they keep referencing a B. They say they clicked the wrong button. They pressed the wrong button. Was it a, did they enter like a B record instead of an A record? And I was like, that's not a thing. That's not a thing. So you could dig this to do another DNS query, search for an A record, but there's nothing there, A record by default. So I thought like, oh, let's use dig -t to specify a different type of record. And I'll look for a B record. That's not a thing. There's no such thing as a DNS B record. So it just returned an A record again. And I thought like, okay, what the heck? There's gotta be something. Let me just do like a -t any. So I slapped that in and I get a response. Epic game has an HINFO record. And I thought that was weird because I don't normally see that. And it's RFC 8482. What is that? Why is that there? I Googled that, looked around, tried to find some information. And I looked at this RFC, or request for comments. Is that the right acronym? Defining a standard, right? The information, the document that specifies this thing is going to exist in technology. This RFC 8482 says, we will provide minimum size responses to DNS queries that have a QTYPE=ANY. So domain name system, what we just did with that dig -t any command, the operator of an authoritative DNS server might choose not to respond to such queries for such reasons of local policy, motivated by security, performance or other reasons.
And that tells me that, okay, when I request a dig -t any, or when I request any record to return as much as that DNS server could tell me, it explicitly told me it wasn't going to give me any information. I thought that's weird. I don't normally see that. I don't think that's a normal thing. So it sounded like, is it trying to purposefully hide something from me? So I thought like, all right, whatever, I'll just be like microscopic. I'll just zoom in on one specific thing that I want to look at. Give me a text record, give me a TXT record. Gosh, darn it. I saw that and I was like, I swore right out loud. I was like, F, dang it. That's it, there's your flag. That right there. Wait, I'm confused. What are record types in DNS? It was just a simple text record challenge. And it was kind of nested and bundled behind a bunch of other stuff. I was like, oh, there's going to be a web challenge where I'm looking at this web page, but there's nothing on this web page. It's just a static page with an empty link. And I'm like, is this supposed to be what it is? So that threw me for a loop for a while. And that's all it took. But that was my rationale after banging my head against the wall for a long time, after kind of trying hard on that. I was just like, the B for some reason made me think of A, and I thought that was an A record. So I went back to DNS and I tried all those things, but that's cool. And that's a learning point for me because of this RFC 8482. I didn't realize you could just specify like, look, I don't want to respond to any queries for just any resource record from a DNS server. I thought that was kind of neat because I don't think I've seen that before. Like, look, I'm not going to tell you anything. Don't give me a "tell me anything" request. You have to specifically tell me what you want. And then when you're being that granular, when you're being that precise and explicit, then it'll give you what you're looking for. Maybe we got to write something.
Maybe we got to write a tool just to be able to look for stuff. I thought earlier when I was struggling with this, like I should just run like Sublist3r to brute force different domain names. I mean, I don't know. But this RFC is kind of cool to note. The challenge was kind of neat. And I liked that. That was good. It was a struggle, but a simple solution in the end. Very, very cool.

Alrighty, thanks so much for watching everybody. This was a blast. I hope you don't mind me talking for so much. I don't mean to make these long videos for such simple challenges, but I like to showcase my thought process and talk about really what I went through. Thanks for watching everybody. If you liked this video, please do press that like button. Maybe leave a comment. I'd love that. Maybe subscribe. I'm super duper grateful. If you like capture the flag and you enjoyed this CTF, please do register for BSides Boston CTF at bsidesbos.ctf.games. You can go register on that website right now. I'm hosting the capture the flag competition on September 26th, I think this coming Saturday. So I hope you guys play. I hope you guys enjoy. I'd love to see you there. Thanks so much for watching everybody. I love you. I'll see you in the next video.
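An added example (mine, not code from the video or from DUCTF) of what `dig -t any` versus `dig -t TXT` is doing on the wire in the Web Badman solve: it builds a DNS query for one record type with only the standard library and parses the answer section of a reply. The hostname is the one from the challenge, but the two replies are constructed inline, not captured: the ANY reply carries only the RFC 8482 HINFO answer ("RFC8482", ""), and the TXT reply carries a placeholder string standing in for the flag.

```python
import struct

TYPES = {1: "A", 13: "HINFO", 16: "TXT", 255: "ANY"}
NAME = "epicgame.play.duc.tf"  # name from the challenge; every response below is constructed

def encode_name(name):  # wire form: <len><label>... terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):  # header (RD=1, QDCOUNT=1) + QNAME + QTYPE + QCLASS=IN
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)

def decode_name(msg, off):  # read a possibly compressed name; return (name, offset just past it)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            tail, _ = decode_name(msg, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def char_strings(rdata):  # TXT and HINFO RDATA: a sequence of <len><chars> character-strings
    return [] if not rdata else [rdata[1:1 + rdata[0]].decode()] + char_strings(rdata[1 + rdata[0]:])

def parse_answers(msg):  # return [(owner, type name, decoded RDATA)] for each answer-section RR
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):  # skip the echoed question: QNAME + QTYPE + QCLASS
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        decoded = ".".join(map(str, rdata)) if rtype == 1 else char_strings(rdata) if rtype in (13, 16) else rdata.hex()
        answers.append((owner, TYPES.get(rtype, str(rtype)), decoded))
    return answers

def make_response(query, records):  # constructed reply: echo the question; RR owners point (0xC00C) at QNAME
    hdr = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(records), 0, 0)
    return hdr + query[12:] + b"".join(b"\xc0\x0c" + struct.pack(">HHIH", t, 1, 300, len(r)) + r for t, r in records)

def txt_rdata(*strings): return b"".join(bytes([len(s)]) + s.encode() for s in strings)

# Constructed replies mirroring the video: ANY yields only the RFC 8482 HINFO, TXT yields the record (flag is a placeholder)
ANY_RESP = make_response(build_query(NAME, 255), [(13, txt_rdata("RFC8482", ""))])
TXT_RESP = make_response(build_query(NAME, 16), [(16, txt_rdata("DUCTF{placeholder_flag}"))])
```

Pointing `build_query` at a real resolver over UDP port 53 and feeding the reply to `parse_answers` reproduces the `dig` output from the video; the RFC 8482 HINFO answer is a signal that the server will only answer explicit QTYPEs, not that the zone is empty.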