Hackfest 2021 Writeup - HellCorp

Hackfest 2021 Writeup - HellCorp


01 - Welcome (1 of 2)

I did not get a screenshot of this challenge. But it was something about catching someone trying to escape from hell. We had a network capture of the Wi-Fi traffic to do it.

I downloaded the file and opened it in Wireshark. But the traffic was encrypted, so I could not read it.

Encrypted Traffic

I searched a little bit how to decrypt it from a PCAP file. But I failed to find it, so I left that challenge aside.

One of my teammates kept looking at it. And he found how to do it with Aircrack-ng.

$ aircrack-ng -a1 hellcorp_1.cap


I took the key (68:33:21:21:43) and used it in Wireshark to decrypt the IEEE 802.11 traffic.

Decryption Key

Now I could see the traffic on the network, and I could filter to view only the HTTP traffic.

Http Traffic

In this traffic, I could see a POST to a login page. I opened it and the flag was the password being sent.

First Flag

Flag: HF-45BB35801D55AEA01DDDE4419BFCA649

02 - Escape (2 of 2)

In the second challenge, we also got a PCAP file. But this one had stronger encryption, and the traffic captured was in HTTPS.


Well that was weird... I swear I saw a link to a page named how_to_escape_from_hell.html in the HellCorp wiki. This must be why someone attacked HellCorp's wireless network...

The problem is: I heard that they hardened their infrastrucutre. WPA2 encrypted network, SSL certificates, etc...

I must try to access this web page and get out of here.

I noticed yesterday that they frequently change the password of HellCorp's public WiFi (sadly not connected to their intranet) and they write it on one of the meeting room's walls.

The passwords always have this in common :

The passwords are fairly simple
They always contain the word "hell"
They are always reversed (for example 12345 becomes 54321)
With a bit of luck, they might use the same password policy for their internal wireless network.

I need to hack this network and find a way to access the web page.

PS: I already took the rockyou.txt wordlist and extracted all passwords that contain "hell", I just need to find a way to reverse them...

This one was using a stronger encryption, but we had a word list to use to brute force it.


We only needed to reverse the words in the file. I wrote a small python script to do it.

file = open('rockyou_hellcorp.txt', 'r')
for line in file.readlines(): 
    line = line.strip()
    line = line[::-1]

Then I could use Aircrack-ng to crack the password.

$ aircrack-ng -a2 -w rev.txt hellcorp_2.pcap


I used the found key (srekcahllehnitor) to decrypt the PCAP file.

WAP Password

But as mentioned, the web traffic was all encrypted, so I could not read it. But I found some FTP traffic. This was not encrypted. It contained the username and password used to connect to the server. But that was not very useful.

FTP Traffic

FTP uses a different port for file transfer. So I looked around the FTP traffic, and I found a zip file being transferred.

File Transfer

I saved the raw data to my machine and tried to uncompress it.

unzip file.zip 

Archive:  file.zip
   creating: migrations/
[file.zip] migrations/env.py password: 

The file was password protected. I tried the password used to connect the the FTP server (autobackup), and it worked. I got a backup of the web site.

$ unzip file.zip 
Archive:  file.zip
   creating: migrations/
[file.zip] migrations/env.py password: 
  inflating: migrations/env.py       
  inflating: migrations/alembic.ini  
 extracting: migrations/README       
  inflating: migrations/script.py.mako  
   creating: migrations/versions/
  inflating: migrations/versions/9d53acb7ea19_users_table.py  
  inflating: hellcorpwiki.py         
   creating: app/
  inflating: app/routes.py           
  inflating: app/forms.py            
   creating: app/templates/
  inflating: app/templates/how_to_escape_from_hell.html 

Then I just grepped for the flag. I found the flags for both challenges.

$ grep -R 'HF-' .

./app/templates/how_to_escape_from_hell.html:        HF-B545032E743874E554A73B2721E18C24

Flag: HF-B545032E743874E554A73B2721E18C24