Introduction
Inspector Gadget was known for having a multitude of tools available for every occasion. Can you find them all?
Complete write up for the Inspector Gadget challenge at Cyber Apocalypse 2021 CTF hosted by HackTheBox.eu. This article is a part of a CTF: Cyber Apocalypse 2021 series. You can fork all my writeups directly from the GitHub.
Learn more from additional readings found at the end of the article. I would be thankful if you mention me when using parts of this article in your work. Enjoy!
Basic Information
| # | |
| Type | CTF / Web |
| Name | Cyber Apocalypse 2021 / Inspector Gadget |
| Started | 2021/04/19 |
| URLs | ctf.hackthebox.eu/ctf/82 |
| ctftime.org/event/1304 | |
| Author | Asentinn / OkabeRintaro |
| https://ctftime.org/team/152207 |
Target of Evaluation
We are given the IP and a port as a target of evaluation:
46.101.54.25:31511
Recon
This was an introductory level challenge that could be completed only with a browser and embedded dev tools. Nevertheless, I'm documenting my approach, because at the time being I couldn't know that.
Doing the initial scan with nmap to find more about the ToE:
sudo nmap -A -Pn -p 31511 46.101.54.25 -oN nmap/initial.nmap
# Nmap 7.91 scan initiated Mon Apr 19 20:48:54 2021 as: nmap -A -Pn -p 31511 -oN nmap/initial.nmap 46.101.54.25
Nmap scan report for 46.101.54.25
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
31511/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| accept-ranges: bytes
| cache-control: public, max-age=0
| last-modified: Mon, 19 Apr 2021 04:45:39 GMT
| etag: W/"2ef-178e872c538"
| content-type: text/html; charset=UTF-8
| content-length: 751
| Date: Mon, 19 Apr 2021 18:49:07 GMT
| Connection: close
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>Inspector Gadget</title>
| <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
| <link rel="icon" href="/static/images/favicon.png">
| <link rel="stylesheet" href="/static/css/main.css">
| </head>
| <body>
| <center><h1>CHTB{</h1></center>
| <div id="container"></div>
| </body>
| <script src='https://cdnjs.cloudflare.com/ajax/libs/three.js/87/three.min.js'></script>
| <script src='https://threejs.org/examples/js/controls/OrbitControls.js'></script>
| <script src='https://cdnjs.cloudflare.com/ajax/lib
| HTTPOptions:
| HTTP/1.1 404 Not Found
| content-type: application/json; charset=utf-8
| content-length: 76
| Date: Mon, 19 Apr 2021 18:49:07 GMT
| Connection: close
| {"message":"Route OPTIONS:/ not found","error":"Not Found","statusCode":404}
| RPCCheck, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Length: 65
| Content-Type: application/json
|_ {"error":"Bad Request","message":"Client Error","statusCode":400}
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31511-TCP:V=7.91%I=7%D=4/19%Time=607DD0A3%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,3F8,"HTTP/1\.1\x20200\x20OK\r\naccept-ranges:\x20bytes\r\ncac
SF:he-control:\x20public,\x20max-age=0\r\nlast-modified:\x20Mon,\x2019\x20
SF:Apr\x202021\x2004:45:39\x20GMT\r\netag:\x20W/\"2ef-178e872c538\"\r\ncon
SF:tent-type:\x20text/html;\x20charset=UTF-8\r\ncontent-length:\x20751\r\n
SF:Date:\x20Mon,\x2019\x20Apr\x202021\x2018:49:07\x20GMT\r\nConnection:\x2
SF:0close\r\n\r\n<html\x20lang=\"en\">\n\x20\x20\x20<head>\n\x20\x20\x20\x
SF:20\x20\x20<meta\x20charset=\"UTF-8\">\n\x20\x20\x20\x20\x20\x20<title>I
SF:nspector\x20Gadget</title>\n\x20\x20\x20\x20\x20\x20<meta\x20name=\"vie
SF:wport\"\x20content=\"width=device-width,\x20initial-scale=1,\x20user-sc
SF:alable=no\">\n\x20\x20\x20\x20\x20\x20<link\x20rel=\"icon\"\x20href=\"/
SF:static/images/favicon\.png\">\n\x20\x20\x20\x20\x20\x20<link\x20rel=\"s
SF:tylesheet\"\x20href=\"/static/css/main\.css\">\n\x20\x20\x20</head>\n\x
SF:20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20<center><h1>CHTB{</h1></cente
SF:r>\n\x20\x20\x20\x20\x20\x20<div\x20id=\"container\"></div>\n\x20\x20\x
SF:20</body>\n\x20\x20\x20<script\x20src='https://cdnjs\.cloudflare\.com/a
SF:jax/libs/three\.js/87/three\.min\.js'></script>\n\x20\x20\x20<script\x2
SF:0src='https://threejs\.org/examples/js/controls/OrbitControls\.js'></sc
SF:ript>\n\x20\x20\x20<script\x20src='https://cdnjs\.cloudflare\.com/ajax/
SF:lib")%r(HTTPOptions,E1,"HTTP/1\.1\x20404\x20Not\x20Found\r\ncontent-typ
SF:e:\x20application/json;\x20charset=utf-8\r\ncontent-length:\x2076\r\nDa
SF:te:\x20Mon,\x2019\x20Apr\x202021\x2018:49:07\x20GMT\r\nConnection:\x20c
SF:lose\r\n\r\n{\"message\":\"Route\x20OPTIONS:/\x20not\x20found\",\"error
SF:\":\"Not\x20Found\",\"statusCode\":404}")%r(RTSPRequest,91,"HTTP/1\.1\x
SF:20400\x20Bad\x20Request\r\nContent-Length:\x2065\r\nContent-Type:\x20ap
SF:plication/json\r\n\r\n{\"error\":\"Bad\x20Request\",\"message\":\"Clien
SF:t\x20Error\",\"statusCode\":400}")%r(RPCCheck,91,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Length:\x2065\r\nContent-Type:\x20application/
SF:json\r\n\r\n{\"error\":\"Bad\x20Request\",\"message\":\"Client\x20Error
SF:\",\"statusCode\":400}");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge
Running: Oracle Virtualbox
OS CPE: cpe:/o:oracle:virtualbox
OS details: Oracle Virtualbox
Network Distance: 2 hops
TRACEROUTE (using port 31511/tcp)
HOP RTT ADDRESS
1 1.30 ms XXX.XXX.XXX.XXX
2 62.76 ms 46.101.54.25
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 19 20:49:12 2021 -- 1 IP address (1 host up) scanned in 19.36 seconds
Given port is a TCP open port for which nmap could not determine OS version although -A (OS detection, version detection, script scanning, and traceroute) option is specified.
Website
Let's try to open this in browser as GET gives some HTML code.
It shows the flying robot with the CHTB{ in the middle. Inspecting the page source code:
<!--1nsp3ction_-->commenthttps://threejs.org/examples/js/controls/OrbitControls.jsscript
The robot and the scenery seems to originate from the following repository:
https://zultanzul.github.io/ThreeJS-Robot/
But on ToE we rotate the camera is disabled - maybe we need to enable this by updating update() method in /static/js/main.js?
/static/js/main.js
Starts with console.log, that apparently I've missed:
console.log("us3full_1nf0rm4tion}");
Now, checking the combination of the two phrases I've found so far.
The following are not the correct flags:
CHTB{us3full_1nf0rm4tion}CHTB{us3full_1nf0rm4tion1nsp3ction_}CHTB{us3full_1nf0rm4tion_1nsp3ction}CHTB{1nsp3ction_us3full_1nf0rm4tion}
After trying to enable controls that are disabled in the update() (THREE.TOUCH not defined error). I'm moving to look in the other files.
/static/css/main.css
/* c4n_r3ve4l_ */
Let's try then once again to assemble the flag.
Flag
CHTB{1nsp3ction_c4n_r3ve4l_us3full_1nf0rm4tion}
Cover photo by Ales Nesetril on Unsplash