This CTF was a lot of fun and I learned a lot. I got to test what I had learned in pwn; although I solved only one of the pwn challenges, I am still making progress, and the same goes for reversing. Unfortunately I did not have enough time to finish anything from the last day's challenges, since I had a project to do and classes to attend. Still, I hope you enjoy my writeup.
Challenges solved:
- Web: Toy Workshop, Toy Management, Gadget Santa, Elf Directory
- Reversing: Infiltration, Gift Wrapping
- Forensics: Baby APT, Honeypot, Persist, Giveaway
- Pwn: Mr Snowy
Pwn
Mr Snowy
This challenge was an easy buffer overflow: find the exact offset needed to overflow the buffer, then append the address of the function that should execute next.
Running checksec we see there is no stack canary and no PIE. As I understand it, a stack canary helps prevent buffer overflows, so since there is none, this is probably a buffer overflow challenge. Using file on the binary shows it is 64-bit.
Checking what the program does, we get some options. Picking 2 at the first prompt just exits the program, and the same happens with option 2 after pressing 1.
Reversing the program in Ghidra, there are three things to look at in the main function.
In the snowman function we see a 64-byte buffer and a call to the investigate function.
The investigate function is the same: it has a 64-byte buffer, and it looks like this is where we can inject our payload.
Looking through the other functions we find a deactivate camera function that does an fopen() to read the flag.
So what we know is that we need to jump to the deactivate camera function to get the flag, and the overflow has to go through the deactivate option, since pressing 1 to investigate just shows new options.
The next thing to do is find the memory address of the deactivate camera function. To do this, simply open the binary in radare2 and use afl to list the functions.
Now that we have the memory address, we need to find the exact offset; we know there are 64 bytes in the buffer to overflow. I have a script that finds the exact offset, which is the same as CryptoCat's template script for getting the offset.
Many thanks to CryptoCat, since his script made it easy to find the offset, and I learned a lot from him. You can check out his YouTube channel and the template here:
https://www.youtube.com/c/CryptoCat23
https://github.com/Crypto-Cat/CTF/blob/main/pwn/official_template.py
Running the script gives us the exact offset of 72.
Right now we have the offset of 72 and the memory address we want to jump to (the one that will be executed next), so we can build the script.
Running the script locally, we get our fake flag. The next step is to add the Docker IP and port.
Running the script against the remote instance, we get our flag.
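The offset-finding step above, as an added example that is not the author's script or CryptoCat's template: it generates the same kind of cyclic (De Bruijn) pattern and, given the 8 bytes that landed in the saved return address slot at the crash, recovers the offset. The crash data is simulated in code rather than read from a debugger.

```python
# Added example (not the author's script or CryptoCat's template): the idea
# behind the offset-finding step. A De Bruijn pattern has a unique 4-byte
# window at every position, so whatever bytes end up in the saved return
# address slot at the crash can be looked up to give the exact offset.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Yield the lexicographically smallest De Bruijn sequence B(k, n)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (same bytes pwntools' cyclic() gives)."""
    out = bytearray()
    for ch in de_bruijn(ALPHABET, n):
        if len(out) >= length:
            break
        out.append(ch)
    return bytes(out)


def cyclic_find(chunk: bytes, n: int = 4, search_len: int = 65536) -> int:
    """Position of `chunk` (only its first n bytes matter) in the pattern, or -1."""
    return cyclic(search_len, n).find(chunk[:n])


def simulated_crash_offset() -> int:
    """Constructed stand-in for the crash: the 64-bit binary was fed a 100-byte
    pattern and the debugger showed these 8 bytes in the return address slot."""
    pattern = cyclic(100)
    bytes_in_return_slot = pattern[72:80]   # made-up crash data for the example
    return cyclic_find(bytes_in_return_slot)


if __name__ == "__main__":
    print(cyclic(16))                 # b'aaaabaaacaaadaaa'
    print(simulated_crash_offset())   # 72
```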
Forensics
baby apt
This challenge is a simple Wireshark challenge, and it appears that some kind of RCE happened.
Downloading the zip file gives us only a pcap file.
To get a better overview of the challenge I sorted the packets by protocol, and we see that there is some HTTP traffic.
Following the TCP stream of this HTTP traffic, we see what looks like command injection in the mail field.
Analyzing all of the TCP streams, the last stream has some kind of encoded value and is also trying to remove something. The challenge description says someone hacked into Santa's server and destroyed the present lists.
Checking what this hacker destroyed, we see that the flag is in there.
Honeypot
This one is a memory forensics challenge, which I found a bit hard since there are tons of possible combinations for the flag.
The things we need to do are:
1. Find the full URL used to download the malware.
2. Find the malicious process ID.
3. Find the attacker's IP.
The tool we are going to use is called Volatility; I think REMnux has it by default, and you can also find it on GitHub. I am using version 2 of this tool.
In memory forensics the first thing to do is identify the profile we can use for this image.
Next, since we are trying to find the malicious PID, we can use psxview; if I remember correctly this lists all processes, including hidden ones.
sudo vol --file=honeypot.raw --profile=Win7SP1x86 psxview
After running the command we see two suspicious processes, whoami.exe and HOSTNAME.exe.
Next I also ran pstree, which again just lists the processes in memory. We get the same result, but note that there is also a powershell.exe running, which is also worth keeping in mind.
sudo vol --file=honeypot.raw --profile=Win7SP1x86 pstree
The next command I used is netscan, which lists all of the network artifacts.
sudo vol --file=honeypot.raw --profile=Win7SP1x86 netscan
Analyzing the output, we see an IP address with an ESTABLISHED connection on a suspicious port, 4444.
Now we have our attacker IP. Since it is using an unusual port we should be suspicious of this one, so we need to find two more pieces of evidence to get the flag. Also note that this is probably a reverse shell or something similar, based on my understanding.
Researching what commands we could use to extract details such as downloads and internet history, I found this link:
https://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html
sudo vol --file=honeypot.raw --profile=Win7SP1x86 pslist | grep iexplore
sudo vol --file=honeypot.raw --profile=Win7SP1x86 yarascan -Y "Client UrlCache" -p 3324,3344
sudo vol --file=honeypot.raw --profile=Win7SP1x86 yarascan -Y "/(URL |REDR|LEAK)/" -p 3324,3344
Running them, we only get the same link. There are also some other notable links in there, but I believe this is the right one based on what I researched.
DEST,,,Santa@https://windowsliveupdater.com/christmas_update.hta
This is probably the one we are looking for: https://windowsliveupdater.com/christmas_update.hta
Now we have two pieces of evidence; the last thing to find is the malicious process.
Going back to our process list, we have three things to look at and try:
powershell.exe, whoami.exe, HOSTNAME.exe
What we can do is dump these two processes, whoami.exe and HOSTNAME.exe, and check them on VirusTotal.
There are two things we need in order to dump them: the offset of the malicious process's file and a place to dump the files to.
To get the offset we can use this command (we should redirect it to a file, since it lists all of the files in the system):
sudo vol -f honeypot.raw --profile=Win7SP1x86 filescan > filescan.txt
First we find whoami.exe; the left-hand part is what we want, which is called the offset.
Next we extract that file from the image. The command to extract the file is this:
sudo vol -f honeypot.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000003e6cab60 -D dumps/
-Q is for our offset and -D is the destination directory where the extracted file is dumped.
Uploading the file to VirusTotal, we see that it is not malicious, so next we need to dump the other file, HOSTNAME.exe:
sudo vol -f honeypot.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000003f4faf80 -D dumps/
Uploading the other file, we see that it is malicious.
So now we have our three pieces of evidence and can build the flag. Next we find the PID of the HOSTNAME.exe process, which is 4036.
To sum it all up, what we have right now is this:
1. Find the full URL used to download the malware: https://windowsliveupdater.com/christmas_update.hta
2. Find the malicious process ID: 4036
3. Find the attacker's IP: 147.182.172.189
As the instructions say, we need to MD5 all three pieces of evidence joined together and submit that as the flag:
echo -n "https://windowsliveupdater.com/christmas_update.hta_4036_93.184.220.29" | md5sum
But that was rejected as our flag, so I tried the other PID, that of powershell.exe, since we know whoami.exe is not malicious and we can go with this one instead.
The reason to go with powershell.exe is that when something is compromising a Windows machine, it will use powershell.exe or cmd.exe to get things done, such as downloading backdoors, enumerating for privilege escalation, and so on. So what I did was change the PID to the PID of powershell.exe.
Submitting this as our flag was successful: HTB{969b934d7396d043a50a37b70e1e010a}
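The netscan triage step above, done programmatically as an added example (not the author's commands or Volatility's own code): it parses the table that Volatility 2's netscan prints, keeps ESTABLISHED connections to remote ports outside an allowlist, and reports the owning PID and process name. The sample output is constructed; the PIDs, local addresses and offsets in it are made up and only the remote IP and port 4444 come from the write-up.

```python
# Added example (not the author's commands or Volatility's own code): the
# netscan triage step done programmatically. It parses the table Volatility 2's
# netscan prints, keeps ESTABLISHED connections whose remote port is not one
# the host normally uses, and reports the owning PID and process name.
# The sample output below is constructed: the remote IP and port 4444 are the
# ones from the write-up, but PIDs, local addresses and offsets are made up.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0f2a00         TCPv4    10.0.2.15:49165                203.0.113.10:443     ESTABLISHED      1208     iexplore.exe
0x3e4a1b88         TCPv4    10.0.2.15:49201                147.182.172.189:4444 ESTABLISHED      2420     powershell.exe
0x3e512f10         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x3e5c0d20         UDPv4    0.0.0.0:5355                   *:*                                   996      svchost.exe
"""

EXPECTED_REMOTE_PORTS = {53, 80, 443}   # assumption: what this host normally talks to


def _endpoint(text: str):
    """Split 'ip:port' into (ip, port); port is None when it is not numeric."""
    ip, _, port = text.rpartition(":")
    return ip, (int(port) if port.isdigit() else None)


def parse_netscan(output: str) -> list:
    """TCP rows of netscan output as dicts; the header and UDP rows are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[1].startswith("TCP"):
            continue
        rows.append({
            "local": _endpoint(parts[2]),
            "remote": _endpoint(parts[3]),
            "state": parts[4],
            "pid": int(parts[5]),
            "owner": parts[6],
        })
    return rows


def suspicious_connections(output: str, allowed_ports=EXPECTED_REMOTE_PORTS) -> list:
    """ESTABLISHED sessions to a remote port outside the allowlist: the kind of
    finding that pointed at 147.182.172.189:4444 and its owning process here."""
    return [r for r in parse_netscan(output)
            if r["state"] == "ESTABLISHED" and r["remote"][1] not in allowed_ports]


if __name__ == "__main__":
    for hit in suspicious_connections(NETSCAN_SAMPLE):
        ip, port = hit["remote"]
        print(f"pid {hit['pid']} ({hit['owner']}) -> {ip}:{port}")
```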
Persist
Another memory forensics challenge. This one is easier if you know where to find what you need, but I repeated all the steps from the previous challenge, thinking it would be similar; the solution turned out to be much simpler.
The challenge description says the PC has a slow boot time and a blue window pops up for a split second. That blue window could be PowerShell, since it is blue, and some Windows machines do show a PowerShell window popping up on boot.
To cut short my adventures exploring this memory image for startup entries, scheduled tasks and so on, I found a command cheat sheet on HackTricks that helped me solve the challenge.
One thing that caught my eye was autoruns, and it gave a link to a GitHub repository that can be used as a plugin:
https://github.com/tomchop/volatility-autoruns
Checking what this plugin does, it finds persistence points in the memory file, which is exactly what we need given the challenge name and description.
sudo vol --plugins=volatility-autoruns/ --profile=Win7SP0x86 -f persist.raw autoruns
Running the command, we find our target much faster: the PowerShell entry.
Next, go to CyberChef and decode the payload from Base64.
After cleaning it up we see our flag.
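The Base64 decode and clean-up step above, as an added example (not the author's CyberChef recipe or the autoruns plugin's code): PowerShell's -EncodedCommand argument is Base64 of UTF-16LE text, which is why a plain decode shows every character followed by a NUL byte. The autorun entry and the flag inside it are constructed for this example.

```python
# Added example (not the author's CyberChef recipe or the autoruns plugin's
# code): decoding the PowerShell payload from an autorun entry. PowerShell's
# -EncodedCommand (-enc) takes Base64 of UTF-16LE text, which is why a plain
# Base64 decode shows every character followed by a NUL and needs cleaning up.
import base64
import re

ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FLAG_RE = re.compile(r"HTB\{[^}]*\}")


def decode_encoded_command(b64: str) -> str:
    """Base64-decode, then pick UTF-16LE when the high bytes are mostly NUL."""
    raw = base64.b64decode(b64)
    looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    text = raw.decode("utf-16le") if looks_utf16 else raw.decode("utf-8", "replace")
    return text.replace("\x00", "")          # the "cleaning up" step


def find_payloads(autorun_value: str) -> list:
    """Decoded commands for every -enc/-EncodedCommand argument in a command line."""
    return [decode_encoded_command(b64) for b64 in ENC_RE.findall(autorun_value)]


def find_flags(autorun_value: str) -> list:
    """HTB{...} strings hidden inside the decoded payload(s)."""
    flags = []
    for command in find_payloads(autorun_value):
        flags.extend(FLAG_RE.findall(command))
    return flags


# Constructed sample: what an autoruns entry for the blue window could look
# like. The flag inside it is made up for this example.
SAMPLE_COMMAND = "Write-Host 'HTB{constructed_example_flag}'"
SAMPLE_AUTORUN = ("powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode())


if __name__ == "__main__":
    print(find_payloads(SAMPLE_AUTORUN))   # ["Write-Host 'HTB{constructed_example_flag}'"]
    print(find_flags(SAMPLE_AUTORUN))      # ['HTB{constructed_example_flag}']
```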
Giveaway
This challenge has VBA macros in a Word document, so this is a malware analysis challenge.
Checking the file, we only have a Word document. Since it is a Word document, we can use olevba to analyze the macros:
olevba --deobf --decode christmas_giveaway.docm
Checking the results gives us a bit of the flag, but it is still incomplete, so we need to find more parts of it.
Browsing more of the results, I found this one interesting.
It seems to contain some pieces of the flag and also a web address, so after putting some puzzle pieces together we get this.
Since we found pieces of the broken flag earlier, we can now add the things we found.
Web
Toy Workshop
This challenge is easy but tricky, and I actually kind of liked it, since after doing the XSS module in HTB Academy you can put your skills to the test on this one.
Checking what the website looks like, it is just this; nothing that lets us input our payload or anything.
Checking the source files, we see the flag is in the cookies, but checking the cookies in the browser we do not have it.
These three files I found interesting, as they contain the flag and show what we can do.
At first I thought this was a Puppeteer exploit, but I was wrong. Re-reading the source code, it might have something to do with cookie stealing. Going back to the website, we do not see anything there.
Opening the developer console, we see that there is a function called elf_info(<specify elf_id>).
After calling that, something pops up and we can now input some stuff.
After trying various things such as SQLi and the Puppeteer exploit I was stuck. The thing about this challenge is that there is a file called queries.hbs in the views folder, and one thing I noticed is that this queries page is the admin panel,
and knowing that, the goal is to get the cookies from this queries panel.
The easiest way to steal cookies is through XSS. We have two ways to do this: set up ngrok, or use XSS Hunter to collect the cookies. I went with XSS Hunter.
In my opinion this challenge was like doing blind XSS, since we do not know whether our payload will fire on the other end or not.
Going to XSS Hunter, we submit the first basic XSS payload.
After sending the payload we see the result of our XSS on the XSS Fires tab.
There is also a view full report option; clicking that, we see our flag in the cookie value.
Unfortunately I do not know why it did not work with my ngrok, but you can definitely get the flag using ngrok too.
Toy Management
This one was a really simple challenge; it just had an SQLi on the admin panel.
Checking the source comes first, since we do not know what username to log in as; it might be something like Administrator, admin, santa or similar.
Confirming things, we see the fake flag and also the users admin and manager, along with a hash for each.
Checking the webpage, it is just a simple login page with Christmas decorations.
Since we got a hash earlier, we could just crack it and use it as our password; to do that faster, go to CrackStation or use John or hashcat.
Using that as our password gives us an error, but since there is a database behind it we can try some SQLi.
After some SQLi we get a successful login.
Gadget Santa
This one has a simple solution, but again HTB added a twist in getting the flag that made it fun.
Checking the website, it looks like a normal site with some kind of monitoring and some commands being executed on the backend.
Since we know there is a command being executed, we can just try some simple command injection.
Checking whether we can do more, such as adding an option like -lsa to check if the flag is hidden somewhere on the system, it seems that spaces do not work.
There are ways to bypass this, and you can see them in PayloadsAllTheThings on GitHub. To bypass a simple space filter we can just use $IFS. Doing the command injection module in HTB Academy will help you understand more about bypassing filters. $IFS is a special shell variable on Linux that, when used in the input, is expanded to whitespace.
Looking around for the flag, we do not see it anywhere, so let's check the source code.
Checking the source code, there is some kind of filter happening here. Checking the other files just tells me that it has an RCE vulnerability, but the odd thing is that flag.txt is not found in the challenge files, so finding it first takes priority so we know where to get the flag.
After checking each file we find it in /config, stored in ups_manager.py, and it seems to be a directory on a web server.
Checking config/santa_mon.sh, it runs a curl command against localhost:3000 for the status and also curl localhost:3000/restart to reset it, and this restart is also found where the flag is stored.
So we know there are two web servers running: one publicly and one internally on port 3000. If we curl 127.0.0.1:3000 it should give us a response of running, as we saw in ups_manager.py.
Since the curl succeeds, we can now also get the flag.
Elf Directory
This challenge does not have any downloadable part, and the exploit here is broken authentication.
Checking the web app, it has login and registration.
After registering, we get permission denied when editing our profile.
So let's check whether there is a cookie for the website that stores some kind of administrative control.
We find one, and I noticed approved: false. Let's try making it true, encode it to Base64, URL-encode all of the special characters, add this as our new cookie and refresh the webpage.
After adding our new cookie we see an upload form. After uploading some files, it seems like it only accepts a PNG file.
Trying various bypass methods did not get us anything, so let's try to understand how this file upload works.
- Changing the file extension does not work; double file extensions, null bytes and various other tricks do not work either.
- Changing the file Content-Type does not let us bypass the file upload either.
The only way I could think of to bypass this is to upload a crafted PNG, since based on what the filter does, it only accepts the correct hex signature of a PNG file. I think there are two ways to do this:
- Edit the hex of a payload.php to add the hex value of a PNG header, to make it a proper PNG file.
- The second way is to take a legitimate PNG file and craft it; this one is much easier.
If you have done Wreath Network on THM this one is kind of similar. For more reference you can also check this link: https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass#php-getimagesize
To craft the payload in our PNG we need to do this:
Checking the payload with exiftool, we will see our payload in the Comment section.
Next, rename the crafted PNG with a first file extension of .php followed by .png, in case we need a double extension for the bypass, just to make sure we get a successful bypass.
Next we upload the crafted PNG, intercept it with Burp, and try some command execution. That failed, so the next thing to do is remove the .png extension.
After removing the .png extension we get a successful response, unlike the first upload attempt, where the payload showed up as a picture and trying commands there did not work either.
To access the file we can check the third request intercepted in Burp or check the source code. Make sure Burp is listening when you access the uploaded file, and remove the view-source: prefix.
After trying it we get successful RCE, and the rest is just getting the flag.
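The upload filter discussed above, from the defender's side, as an added example (not the challenge's upload handler): it shows why a check that only validates the PNG signature accepts a PNG carrying a comment chunk, and what a stricter server-side check looks like (suffix allowlist that rejects double extensions, chunk and CRC parsing, and a scan of chunk bodies for script markers). The PNG bytes are constructed in code.

```python
# Added example (not the challenge's upload handler): why a filter that only
# validates the PNG signature accepts the crafted file described above, and what
# a stricter server-side check looks like. The PNG bytes are built in code.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
ALLOWED_EXT = {"png"}

def chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png(comment: bytes = b"") -> bytes:
    """Valid 1x1 grayscale PNG, optionally carrying a tEXt 'Comment' chunk
    (the place exiftool showed the payload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    text = chunk(b"tEXt", b"Comment\x00" + comment) if comment else b""
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + 1 pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + text + idat + chunk(b"IEND", b"")

def parse_chunks(data: bytes) -> list:
    """(type, body) for every chunk; ValueError on bad signature or CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks

def weak_check(data: bytes) -> bool:
    """Signature-only check, the kind a crafted PNG with a comment gets past."""
    return data.startswith(PNG_SIG)

def strict_check(filename: str, data: bytes) -> bool:
    """Every suffix after the first dot must be allowed (no shell.php.png or
    shell.png.php), the chunk list must parse, and no chunk may carry script."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(p not in ALLOWED_EXT for p in parts[1:]):
        return False
    try:
        chunks = parse_chunks(data)
    except ValueError:
        return False
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        return False
    return not any(m in body for _, body in chunks for m in SCRIPT_MARKERS)
```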
Reversing
Infiltration
This challenge is really creative and does not feel like rev at all, but it was fun to get to know this kind of challenge.
Checking the file, we have a stripped binary.
Since this challenge needs a Docker connection, we just pass the Docker IP and port, as the program requires them to run. After doing that we see nothing, and that is it.
Honestly I tried all the tricks I know from reversing and got nowhere, so I re-read the challenge description and got ideas from it: it mentions internal communication tools. Googling what could be used for that, the results are all related to networking.
Since we know this challenge connects to the Docker instance, we can use Wireshark to sniff the communication between this program and the Docker instance.
So what I did was run Wireshark, start listening on the network, then run ./client IP PORT, and after that stop the capture, as I did not want a huge packet list. Checking the result, as always we go to Follow > TCP Stream, and there we have our flag.
Gift Wrapping
This one is easy; the challenge description says it is wrapped up tight, which gave me an idea of the next step.
Checking what we are up against: a 64-bit ELF with no section header, as hinted by the challenge description.
We can run strings and grep for upx to verify that it was compressed with it.
Since it is confirmed that it was compressed with UPX, we can now decompress it.
To decompress the file just use upx -d <filename>. After that, we see the file is no longer stripped.
Running the program, it asks for a magic word; entering anything results in a wrong password, so the next thing is to decompile it with Ghidra.
After decompiling it there is a lot of
We can just filter by typing main, since main is the most interesting part to check.
After going to main we see what the program did earlier, such as asking for the magic word. Checking what it does, it has some local variables being looped over and XORed with the hex value 0xf3.
After analyzing more, we see that iVar1 is our input, as seen in the if/else part; iVar1 is also compared and checked against a certain value, and if this value matches our input, we get a successful password.
Checking that check function, it does not decompile, but we get some values we can use for this; it is also similar to some previous CTFs I have done.
To get the flag, what we need to do is get the hex values near that memory address (sorry, I do not know what it is really called, but based on what I understand it is a memory address).
So now we need to decrypt this value, which CyberChef can do. First we add From Hex, as the value is in hex format; next we add XOR with the key 0xf3, since we saw earlier that the loop XORs the local variable with 0xf3 (LOCAL VAR ^ 0xf3), which is a sign that 0xf3 is the key.
After doing that we get our flag.
Also, entering the flag as our magic word welcomes us inside.
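The From Hex and XOR 0xf3 decode step above, as an added example (not the binary's code or the author's CyberChef recipe), plus a check that 0xf3 really is the key: it tries all 256 single-byte keys and keeps the one that turns the bytes into a printable HTB{...} string. The hex ciphertext is constructed from a made-up flag, since the real values are in the binary.

```python
# Added example (not the binary's code or the author's CyberChef recipe): the
# "From Hex, then XOR 0xf3" decode step, plus a check that 0xf3 really is the
# key by trying all 256 single-byte keys and keeping the one that turns the
# bytes into a printable HTB{...} string. The ciphertext below is constructed.
import string
from typing import Optional

KEY = 0xF3
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_hex_xor(hex_str: str, key: int = KEY) -> str:
    """CyberChef 'From Hex' followed by 'XOR' with a one-byte key."""
    return xor_bytes(bytes.fromhex(hex_str), key).decode("latin-1")


def recover_single_byte_key(data: bytes) -> Optional[int]:
    """Key under which the data becomes a fully printable HTB{...} string."""
    for key in range(256):
        out = xor_bytes(data, key)
        if out.startswith(b"HTB{") and out.endswith(b"}") and all(c in PRINTABLE for c in out):
            return key
    return None


# Constructed: what the bytes next to the compared value would look like if the
# flag were this made-up one (the real values are in the binary, not here).
SAMPLE_FLAG = "HTB{constructed_example}"
SAMPLE_HEX = xor_bytes(SAMPLE_FLAG.encode(), KEY).hex()

if __name__ == "__main__":
    print(hex(recover_single_byte_key(bytes.fromhex(SAMPLE_HEX))))   # 0xf3
    print(decode_hex_xor(SAMPLE_HEX))                                 # HTB{constructed_example}
```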