What's going on everybody, my name is John Hammond and welcome back to some more MITRE CTF. The competition is about to end. I spent the last like five hours just recording these videos so that's why I've been like swagging out in the bathrobe, hoping that's cool. I'm gonna tackle Web 150, which I believe is the last thing I can cover here that I have solved. I don't know if the game will remain open or if the challenges will remain accessible but I wanted to share what I could and I'm really looking forward to these write-ups for stuff that I didn't solve because the forensics one is fascinating, the QVR code is really cool, I want to look at the binary stuff, etc, etc.

So this challenge is called My First Blog. The description is I wish Canonical would release a blog platform to make everything so easy to use and just works. So this is my blog. So it's just a spot for me to talk about how much I love Canonical. I love Canonical. As someone who's getting started with Linux, I love Canonical. They build the easiest to use Linux distribution I can find, they build so many useful tools. I've tried out Juju, Bazaar, Ubuntu, Launchpad, and learning PHP. I recently learned about PHP and I can't stop switching everything over to it. In fact, the blog is now powered completely by PHP, I think. I changed the file extension at least and added a little PHP coding below here that should pretty much do it. I have the PHP code commented out though since I can't seem to get it to work.

So we could try, and I had done this for a while, just try to go to index.php or php2 or php3, etc. It looks like it's just not going to respond because there's nothing there, that makes sense. So I tried robots.txt, you know, your low-hanging fruit for a regular web challenge. I tried, if that will ever turn me down, cool, I tried .git, etc.
And I didn't get anything with that, but it got me thinking about this and this is after lots and lots of testing, of brute forcing different file extensions, of running DirBuster, running gobuster, running dirb, of anything I could get my hands on. It felt like I didn't have a foothold here, so I just kept staring at it, kept staring at the challenge prompts, and I kept seeing Canonical. And I'm like, why the heck are they talking about Canonical? And why did I have these references to Bazaar, Ubuntu, Launchpad, and stuff? So I tried to Google some of these. I tried to say, like, is it Juju? What is that? OK, that's not what I wanted. What is Bazaar? I know it's a version control system. They're yelling at GitHub, so what? Why? Does normally it's there's a web challenge where there's a publicly accessible .git directory, and that way you could you could download and work with it. So I was like, what the heck is why is Launchpad in there? Why is Canonical in there? Why is Bazaar in there? So I tried to Google a little bit more about Bazaar and. OK, Bazaar, how about Launchpad? Yeah, that gives me a little bit more information. OK, great. That's probably why I was talking all the stuff about Canonical, because if I actually Google Bazaar Canonical. You'll be pointed in the right direction. It's a version control system. And if you go to check it out, you can find that it is very, very similar to. Here's the user guide. OK, cool. I want to get the documentation. I want to learn all about it because maybe maybe this is what I should be looking for. Are there files that are being left as artifacts on on the website that I could just be able to read and work with?

So I actually tried it to work with with Bazaar. I went up, went ahead and installed it. It was bzr. So you can sudo, let me go open up. Sorry, sudo apt install bzr. And then that would let you work with it. I'm on Ubuntu, whatever distro or package manager that you need.
But I went into my temp directory and I created something with bzr. I had, I don't know if it's still there. Probably a reboot killed it. Yeah. I created Bazaar, a directory, and then I went into it and I tried to use bzr init. So for the longest time, I was like, what else is in this? What does it do? Does it have anything like it does? And it does. It has a .bzr. So I said, let's take a look at what that is. Is that in there? Is that accessible? Is that a thing? Really anti-climactic with the lag. But yeah, OK, forbidden. That's totally a file. We're just not allowed to access it.

So for the longest time, for like four or five probably, OK, not four or five hours, but maybe one or two hours. I was like, what do I do? What else can I find in here? Can I check? Can I check the README? What are what are these files that I can access? And that would load. I'd be able to work with it. I could check out the branch-format. I could check out repository. I started to read through a lot of these things. So grep, tach, or anything just to see what kind of information and files might be accessible. Like dirstate looks like something that I could read and that would be able to like grab things out of if you wanted to check out in dirstate, etc.

Because what I wanted to do in all in all ultimatum, what I wanted to do was to use something like GitTools, internetwache GitTools, because that has a script and I've used it many times before. You've probably seen me cover it. It has a Git dumper. So given a URL that has a publicly accessible .git directory, it could just download and work through all those files. It just pulled them down. And I thought, well, I don't know if there's a thing like that for Bazaar. I kept googling for it. I kept trying to find it. I couldn't track it down. So I thought, well, do I just have to figure out how these pack files and objects merge together? How does that work? So I would try to in my Bazaar file.
And this is this is all tangential. This is not the way to get the flag, right now is super easy. But I just wanted to explain to you my mindset because a lot of people tell me they like hearing about that for some reason or like, how did you solve that problem? What made you what brought you to that conclusion? Whatever.

So let's just touch a file. Let's say file and let's go ahead and git add it. I'm sorry, bzr add it. Wow. bzr, that file. Cool. And then we could bzr commit. Cool. And that's fine. Anything as our, like, message and then we can bzr log and we can see it there. We have a revno and I'm assuming that is a revision number. A lot like kind of a SHA-1 hash or the commit ID messages that Git would have. So peculiar, right? I thought now let's take a look at the internals. Now let's move into the .bzr file and see what else is here that I didn't have before. Now I have some pack files that I would have been able to work with or find. So I'm curious where would I be able to determine these things? I wanted to see is this pack name available literally anywhere? So I would try and like run find and then while read line to determine all the files that I could look at. I would try and run strings on that line and I would do done and then I would try and grep for that string to be able just to determine it. But it didn't seem to be anywhere. Even what looked to be the dirstate when I downloaded this earlier. This hash looks similar but it's not the same. So I couldn't track down where that pack file was. Me as a human being, like me as a person I could not do it.

And then my roommate Caleb, well it's a tiger best dude in the world. I'm happy he was tackling the CTF with me because he's like, well, this is stupid. Why are we trying to correlate how this can be pieced and puzzled together when Bazaar obviously knows how to do it? Is there a way to, like, git clone in Bazaar? And then we got to that notion where yes, it absolutely is possible.
You can run bzr branch given a location and if we just gave it the URL here or this actual address, it will try and look at it as if it were a repository because it is, because the .bzr file is there, and it just needs a directory to put it all in. So let's just say files. So now it downloads it, moves into files and there is our index.php. If you wanted to you could bzr log, see what we're looking with, and these are all things you could have found in the internals had you just like requested that file in the web browser, but because we're able to use this with Bazaar we can download the file, work with it as if it's a real repository because it is. So now let's cat index.php and there is the flag. So cool, right?

I don't have time to cover, at least I don't know if I'll have time to cover, to solve or even continue to work on Web 200, but from what I understand if you pull that one down, actually I can't, I don't know, I'm not gonna, I'm not gonna bleed that topic and concept, that challenge, into this video, I don't want to do that, but this is the flag for this challenge. You could submit that, and for the second one it's the exact same thing where you have the blogging platform with a little bit more repository information.
There are a lot more revision numbers and stuff to look through and it goes into some Bitcoin addresses and I have yet to solve it. Don't know if I'll be able to, I don't know if the challenges are going to remain up and available, but I thought that was very cool because I'd never worked with Bazaar before, I had no idea what I was doing and I was just trying to put the puzzle pieces together, and it took some cool insight and epiphany to be like, why can't I just download it? Why can't I, why can't Bazaar do what I am trying to do? And it can, I just need to learn how.

So hope you guys enjoyed this one, hope it was fun. There's that flag, you can go ahead and jot it down, submit it, save this knowledge for later, tuck it away in your brain, and thanks for watching. Hope you enjoy these. If you did like this video please do like, comment and subscribe. I'd love to see you in the Discord server, there's a link in the description. It's a cool party place full of CTF players, programmers and hackers. You can hang out with me and some other cool people that are super duper smart. We'll, we'll tackle some capture the flag competitions in the voice chat and it's just a party, it's the party place to be, so come on and jam, it's the space jam. I'd love to see you on Patreon, I'd love to see you on PayPal. I am so grateful for all of your support and what you do to help keep this afloat, keep me going, keep this channel going, so thank you. Love, love you guys, I love you, I love you, I love you, I love you. Gonna end the video now, it's getting weird.
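
Added example, not part of the video: the walkthrough describes `/.bzr/` answering Forbidden while files inside it still loaded, which is what let the whole repository be pulled down. The Python sketch below checks for that condition from the server side by listing, per client, which files under a version control metadata directory were actually served; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Metadata directories left in a web root by common version control systems.
VCS_DIRS = {".bzr", ".git", ".hg", ".svn"}

# Combined Log Format: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /.bzr/ HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /.bzr/README HTTP/1.1" 200 147 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /.bzr/branch-format HTTP/1.1" 200 35 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /.bzr/checkout/dirstate HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:01:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "-"
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /%2Ebzr/branch-format HTTP/1.1" 200 35 "-" "-"
"""

def vcs_path(raw_path):
    """Return the decoded path if any segment is a VCS directory, else None."""
    path = unquote(raw_path.split("?", 1)[0])
    if any(seg.lower() in VCS_DIRS for seg in path.split("/")):
        return path
    return None

def summarize(log_text):
    """Per client: VCS files served with 2xx, and count of refused requests."""
    report = defaultdict(lambda: {"served": set(), "refused": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        path = vcs_path(m["path"]) if m else None
        if path is None:
            continue
        if m["status"].startswith("2"):
            report[m["host"]]["served"].add(path)
        else:
            report[m["host"]]["refused"] += 1
    return {h: {"served": sorted(r["served"]), "refused": r["refused"]}
            for h, r in report.items()}

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

Any non-empty `served` list means the metadata directory is readable over HTTP even if the directory URL itself is refused, so the fix belongs in the server configuration or the deployment step rather than in directory listing settings.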