All right, what is going on everybody? Welcome back to another video. My name is John Hammond, this time showcasing some of the Hack the Vote CTF, or capture the flag competition, that's been going on this weekend, November 4th to November 6th. It's still Saturday right now, just in the middle of it. I haven't gotten a whole lot of flags, admittedly, but I figured I'd be able to show off some of the small ones that I have been able to get. This has been, admittedly, a really difficult CTF, at least on my end. It's organized by RPISEC, so be sure to give them a check out and a thumbs up for an awesome game, and it's online at pwn.voting. This is their interface, which is super cool: that is just the map of the United States for the Hack the Vote theme, and they do have their Jeopardy-style display if you just want to look at it by category. So I want to show off the web 100 in this video, and that is titled Bernie Sanders Fan Club. It only has 185 solves, so again, out of the scheme of things, I think there are about 900 people registered, 930 or 950 or so at this point now, so 185 is a good amount for the people that were able to solve things. So okay, it's the Sanders Fan Club, about a hundred points. The challenge description is: "These deplorable Sanders supporters are still fighting. Shut the site down by finding where the idiot stored his credentials." So it gives us this URL, so I'll go ahead and follow that and check it out. "Bernie Sanders Fan Club. Feel the Bern. Man, I just love Bernie Sanders. He's still got a chance. It's that or... the site is a little work in progress. It only works in Firefox, I think. I'm not very good at web dev, so I just copied and pasted a bunch of config files from Stack Overflow. Hmm. I think I left my credentials somewhere, but I can't seem to find them. Let me know if you see them. Okay, thanks." Remember that. And I guess there are some pictures here of flags, but that's all that's on the web page. Literally, literally, that's it.
There's a login, and it's just a password input box. You can enter anything and it will try and authorize, although "the password is the flag" is the only alert message that we get. So I admittedly spent a lot of time on this challenge, kind of just going through rabbit holes. I asked around on the IRC channel, I tried to talk to some friends, and admittedly I would not have been able to solve this challenge without the help of some very generous people, bouncing ideas back and forth and explaining a worthwhile process here. So I'm thankfully running Firefox right now. That's why this "it only works in Firefox, I think" is an interesting tidbit, although the thing that really put me down a rabbit hole was this: "I just copied and pasted a bunch of config files from Stack Overflow." So I think a lot of people, from individuals that I was talking with on the IRC channel, were trying to Google things that were, like, in the URL of Stack Overflow, or like configuration files for Bootstrap, considering it is a Bootstrap web design page, or the back-end server, because initially you want to reach for the low-hanging fruit, right? Is there a robots.txt? No. All over, we can see it's an nginx server, so we'd want to see, oh, are there any nginx configuration files, stuff like that, to be able to look for that on Stack Overflow, just basic configuration files, etc. So some other stuff that I was interested and curious about: I wanted to try and run other low-hanging-fruit penetration testing tools with the web application stuff.
So I initially ran Nikto, which is an awesome utility if you haven't heard of it. I think I may have shown it off before: open source web server scanner, blah blah blah, you can check it out on your own if you haven't heard of it before. But all I ended up really doing is just passing the URL as the host here, and it will try and look through it, and it immediately finds this really interesting thing: "The anti-clickjacking X-Frame-Options header is not present." But I actually literally just read the wrong line. I meant to be reading this one: "Uncommon header 'link' found, with contents: flag2.jpeg; rel=stylesheet." That's interesting. That was weird. Obviously this displays this uncommon header, and admittedly I didn't really know what to think of that or what to do with it. So I was looking at it like, well, okay, flag2.jpeg, that's odd and strange. I check out the source of the web page. Initially I'd googled for common things like this, like, oh, this might have been a tutorial comment for someone just trying to find easy config files and stuff like that, and I see these images, the flag1.jpeg and the flag2.jpeg. And then I went over to the login.html page, but again, there's nothing there either: same kind of content and same Bootstrap jazz, but it's just a JavaScript thing. It tells us, oh, the password is the flag, so there's no communication with the server here. It's just weird. So I'm lurking around the IRC channel and talking with other individuals. The administrator, the admin that created this challenge, shout out to lens, I guess, had said that the flag is in the website itself, so you don't have to go digging through Stack Overflow.
You don't have to worry about any Firefox specifications, like that. You can find it here on the web page. And I even tried, I honestly tried to mirror the entire web page and, like, strings everything, try to grep through everything and try to find something that is a flag, but to no avail. Eventually I stumbled upon this thing that we ended up using: Firebug, which is a Firefox add-on. Firebug is an extension for Firefox to let you interact and change HTML and JavaScript and CSS stuff while you're viewing a web page, but you can also just see the traffic and stuff going out as you work through it. So I was interested in the Net tab, and I requested "All", so then I tried to load the page again and I could see all the information, the URLs that are being GET-ed and POST-ed, with the typical HTTP conversations here. And some interesting stuff that I saw was that, okay, we're getting the HTTP page, we're getting the flag.jpeg, etc. And I was curious why a flag jpeg showed up twice, one down here with flag1 and flag2 up here. So I was observing some of these and I was going through them more in depth, and something stuck out to me: hmm, response headers, Connection: keep-alive, Content-Length 223 or whatever, Content-Type: text/css. That was weird, right? A JPEG image is not a CSS style sheet, and there was that weird Link header for flag2.jpeg rel=stylesheet that Nikto had pointed out for us here.
So I was like, what? And I right-clicked on this one and I tried to "Copy as cURL" so I could see, okay, I can't obviously change the request that I'm doing through Firebug, but can I see the request that it's getting? And I copy it as the curl command, so now I throw this in my terminal and I do this curl command that Firebug just straight up gives us. But it's the URL to the flag2.jpeg; however, it's accepting it as a CSS file, and I'm just gonna run it for one thing to see if we can get whatever it returns for us. Keep in mind my user agent right now is still Firefox, because I'm doing this through my web browser. I'm replaying the packet, the GET from Firebug, just this time running it through curl. So it gets a CSS file, apparently a style sheet; however, it's supposed to be a JPEG image, and there's a comment at the very end here that says "How did I... never mind. I'm pretty sure my credentials are in a text file." So boom, we've got a lead here. We immediately found something, and it's a good hint, so this is clearly some guidance. And what sticks out to me here now is that, okay, it's supposed to be a text file. I know there were some ideas: oh, is it flag.txt or flag2.txt or flag.text? And some people, again in conversation in the IRC channels, weren't having any success with that. flag.jpeg, not okay, and to no avail: that did not work. What I figured was, hmm, the Content-Type being CSS is weird, considering it's a jpeg, but if it's supposed to be a plain text file, according to this "my credentials are in a text file", it's obviously interpreting it as something weird. So let's try and only accept, rather than a CSS style sheet, a plain text file. The MIME type for that is text/plain, and I run this and we get a password reminder, and there's the flag.
I am very bad with computers. I suppose this hint here: "Go tell Chrome developers to support RFC 5988. Firefox is the master race." Um, I guess that's why it's supposed to only work in Firefox, and I'll pull this back down, and I suppose me running Firebug, being able to see that, and it passing the user agents in the curl headers, it was able to find it just like that. I'm curious what this RFC is. I haven't actually read through it, but, oh, it also defines the use of such links in HTTP headers with the Link header field. So, interesting stuff if you're curious about how the back end works, but that's how I got the flag. Crazy method, admittedly. I again would not have easily figured this out on my own without bouncing ideas off of other people and talking it out, so awesome challenge. It had a little bit more to it than a simple low-hanging fruit like the robots.txt gig. So cool. Thank you for watching guys, I hope you enjoyed this. I hope to show off a little bit more of Hack the Vote challenges and show some write-ups for you, and I hope to see you in the next video.
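The mechanism behind the challenge is server-driven content negotiation: the same URL (flag2.jpeg) answers with a different body depending on the client's Accept header, which is why a plain fetch, Nikto and the browser's image load all saw a JPEG while the stylesheet load (advertised via an RFC 5988 Link header) got CSS. The following added example, not from the video or the RPISEC challenge, reconstructs that behaviour with a constructed local server and a probe that requests the Link target once per candidate media type; the bodies, the Content-Length and the flag string are placeholders.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the challenge server: one URL (/flag2.jpeg) with three representations picked from the client's Accept header. The flag is a placeholder.
REPRESENTATIONS = {
    "image/jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # constructed JPEG-like bytes
    "text/css": b"body{}\n/* never mind, my credentials are in a text file */\n",
    "text/plain": b"Password reminder: flag{placeholder}\n",
}

def negotiate(accept):
    """Return the first media type in the Accept header that the server can produce."""
    for item in accept.split(","):
        media = item.split(";")[0].strip()  # drop q-values such as ';q=0.9'
        if media in REPRESENTATIONS:
            return media
    return "image/jpeg"  # an <img> load, or curl's default */*, lands here

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":  # landing page advertises the image as a stylesheet (RFC 5988 Link)
            ctype, body = "text/html", b"<html>fan club</html>"
        else:                 # /flag2.jpeg: the representation depends on Accept
            ctype = negotiate(self.headers.get("Accept", "*/*"))
            body = REPRESENTATIONS[ctype]
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        if self.path == "/":
            self.send_header("Link", '</flag2.jpeg>; rel="stylesheet"')
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, path, accept="*/*"):  # GET with an explicit Accept; returns (type, link, body)
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", path, headers={"Accept": accept})
    resp = conn.getresponse()
    return resp.getheader("Content-Type"), resp.getheader("Link"), resp.read()

def probe():  # serve locally, follow the Link target, request it once per media type
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        _, link, _ = fetch(server.server_port, "/")
        target = link.split("<", 1)[1].split(">", 1)[0]  # '/flag2.jpeg'
        return {a: fetch(server.server_port, target, a) for a in ("*/*", "text/css", "text/plain")}
    finally:
        server.shutdown()
```

The defender's takeaway is the same as the solver's: a scanner that only sends its default Accept header sees one representation, so reviewing a site for leaked material means re-requesting each resource named in Link headers with the media types the server might negotiate on.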