This weekend I had the pleasure of attending Pecan+CTF 2023, a cybersecurity capture the flag competition where year 9-12 students from across Australia compete. The competition was broken into three divisions: beginner, intermediate and advanced. My team of 4 was put into the beginner division, which in hindsight was an underestimation of our skill level, especially considering we had already competed in this competition. We got third in the beginner division, and seventh overall which is an improvement over last year, where we placed tenth overall. I am fairly happy with this placement, however two of the teams that beat us were from Burgmann, and in a lower grade than us, so it does not feel good to lose to them. The program was split into two days - Saturday was a training session / Q&A with industry representatives, and Sunday was the actual competition.
Saturday (Day One)
To be honest, I went into day one feeling quite pessimistic about the content covered, and overall experience. Last year, day one involved simple training exercises which I already knew, so I was not expecting to learn anything - especially considering I had already learned it last year. This attitude was not very positive, as it left me trying to distract myself during the lectures to save me from boredom. What I realised, is that the lectures did cover content I wasn’t familiar with, for example I am fairly farmilar with the Linux terminal, where I know basic commands, command combinations, and navigation techniques however I was not familiar with exiftool - a package to view and modify a file’s EXIF data. This was bad because when it came to the competition I did not retain a lot of the information I only sort of listened to. The most interesting section I actually payed attention to was cryptography, and more specifically hashing. I did not fully understand what hashing was, and was under the assumption that it was reversible with a key. It seems obvious now, but I learnt that a hashing function is used to create a unique identifier for a file or application, and is not reversible, although it can be cracked by guessing the source of the hash.
Sunday (Day Two)
Day two was the day of the competition. Unfortunately me and two of my team members were under the assumption that the competition started at 10:30 AM (AEST), but it actually started at 10:00 AM, meaning we were 30 minutes late to start the competition. This was a poor start, which left us ill-prepared for an immediate start, and meant we were the latest team in the top 10 to answer a question, despite answering our first question within a few minutes of us all getting there. The first question of note that I answered was a web question called cookies.
Cookies (web)
The webpage for cookies had a login screen. The first thing I did was look at the page source as there are often clues written in comments. The source had a login for a test user written in HTML comments, the username and password were both test. I also checked the robots.txt file and found \administrator is an endpoint. I tried to access \administrator endpoint, but I did not have sufficient permissions. From here, I looked at the browser cookies and noticed a user cookie with a MD5 hash as the value. With the assumption that the user cookie was the MD5 hash of either the username or password, I generated the MD5 hash for ‘test’, and it was identical to the user cookie value. With this information, I inferred that I could access the \administrator endpoint by changing the user cookie value to the MD5 hash for ‘administrator’. Once I altered the cookie, and went to the \administrator endpoint I was presented with the flag in plaintext. The next questions I answered were open-source intelligence (OSINT) questions, so I will just give my process for this kind of question.
OSINT
The OSINT questions that I answered were simple find the location of an image questions. My process for this type of OSINT question is to first open the image, and see if I recognise anything, and if not notice any distinguishing characteristics of this location, like company name on a building, or text written in a specific language. Occasionally, this is enough information to work off, but this was not the case for the Pecan OSINT questions. I then re-read the title and description of the problem to see if any clues are given, one of the questions had the title ‘wkwkwk’, which is how Indonesians express laughter over texts (instead of hahaha). If this still isn’t enough information to work off, I try a reverse image search on Google, which is much better at noticing distinguishing features than I am. After this, I go onto Google Maps, find the location I think is correct, and confirm it by going into street view.
Pickle me this part one (web)
This challenge was similar to cookies, however I was not the only one working on it, so this explanation will not be nearly as detailed. The webpage is simple with a login page. First I looked at the HTML source, and found there is an endpoint at /source, which returns the flask backend. From the source, I found the \info endpoint which takes a payload of ‘username’, and then displays information pertaining to the given username from the user_info database. Next I tried logging in with the username and password being test, and to my surprise it successfully logged in as a test user. I know this is random, but this is how I did it, it might be possible to send a post to the /add_user endpoint and create a user (admin is not required), but the test user already exists, so there is no need. Now logged in, I went back to the /info endpoint and gave a payload of ‘username=admin’, which returned a sha256 hash of the admin password. Once cracked using an online database, I logged in as admin and went to the /notes endpoint. This displays a list of note ID hashes, where the notes can be accessed by making a request to /note with the ‘ni={note ID hash here}’ payload. The flag is the second note in the list.
Reflection
Did you enjoy Pecan+ this year?
Well yes, despite it being my birthday on Saturday I managed to have a good time. Pecan+ seems to make me crave cybersecurity (especially web) for about a week. It is very intellectually stimulating to find the holes in a system, even though these problems are fairly elementary compared to real penetration testing. It is also really exciting to see how much Pecan+ is growing - it started as just Perth vs. Canberra, and this year there were 129 teams from across Australia. What really sold Pecan+’s growth to me was that ANU, UC and CIT all wanted to let participants use their facilities, Canberra is not that big of a place, so it is impressive to see such a high magnitude of interest.
You cannot participate again, but would you consider becoming an organiser?
Short answer, yes I would consider having some sort of organisational role in Pecan+. I am not sure whether I would be a good candidate for this as I am planning on studying computer science, not a cybersecurity degree. I am sure there is something I could add, I am just not certain that I would add enough. Although I suppose if I get involved with a cybersecurity club, it may become an option.