Blocky HTB Walkthrough

This post documents my process for solving the Blocky box on Hack The Box. The machine revolves around web enumeration, WordPress, reverse engineering a Java plugin, MySQL credential hunting, and privilege escalation.

Reference: https://0xdf.gitlab.io/2020/06/30/htb-blocky.html

Recon

Nmap

nmap -sC -sV 10.10.10.37

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    Apache httpd 2.4.18
8192/tcp closed sophos

Notes: ...

July 3, 2025 · Joon Kim

LoveTok HTB Walkthrough

This post documents my process for solving the LoveTok box on Hack The Box. The challenge involves analyzing PHP source code, understanding the misuse of addslashes, and exploiting command injection through the eval function.

Description

True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. ...

April 20, 2025 · Joon Kim

USCCTF2024 Pwn Portal

Description

Can you use the portals to get to the right place?

You are provided with a 32-bit executable:

└─$ file portal
portal: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=2777afda2049624cbbecde55650e58f347efcd29, for GNU/Linux 3.2.0, not stripped

Using checksec on this binary reveals that there are no security defenses enabled:

[*] '/home/kali/ctf/uscctf2024/pwn/portal/portal'
    Arch:       i386-32-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x8048000)
    Stack:      Executable
    RWX:        Has RWX segments
    Stripped:   No

This is a straightforward “return-to-win” challenge. Upon inspecting the binary with objdump, you can see that the function win is the goal: ...

November 15, 2024 · Joon Kim

BuckeyeCTF 2024 - SSFS

Page Source Inspection

The actual functionality of uploading and downloading files wasn’t working, so I looked at the page source. I saw this portion of the source:

const searchFile = async () => {
    let formData = new FormData(searchForm);
    console.log([...formData][0]);
    let response = await fetch('/search/' + [...formData][0][1], {
        method: 'GET',
    });
    searchWrapper.hidden = false;
    if (response.status === 200) {
        searchMessage.innerHTML = 'File found. Download link: <a href="/download/' + [...formData][0][1] + '">Download</a>';
    } else {
        searchMessage.innerHTML = 'File not found.';
    }
}

If we look closer, once a file is found through the search bar (the search functionality), the site provides a link that accesses the path of that file: ...

October 7, 2024 · Joon Kim

BuckeyeCTF 2024 - Binary Exploitation

Beginner pwn: First challenge

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
    char command[110] = "cowsay \"";
    char message[100];
    printf("Give me a message to say!\n");
    fflush(stdout);
    fgets(message, 0x100, stdin);   /* reads up to 255 bytes into a 100-byte buffer */
    strncat(command, message, 98);
    strncat(command, "\"", 2);
    system(command);
}

It has been a while since I have done any CTFs! So I struggled a little bit looking at the code and what it does. When I pass 109 A’s, it still runs the cowsay binary. When I pass in 113 A’s, the output starts to show a single ‘A’: ...

October 6, 2024 · Joon Kim

TryHackMe - Brainstorm

Challenge: Brainstorm

This room tests reverse engineering a chat program in order to exploit a Windows machine.

Recon

Nmap:

└─$ nmap -sC -sV -Pn 10.10.37.33
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-22 00:02 EDT
Nmap scan report for hi-hormel-wg010.hi.umn.edu (10.10.37.33)
Host is up (0.22s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: BRAINSTORM
|   NetBIOS_Domain_Name: BRAINSTORM
|   NetBIOS_Computer_Name: BRAINSTORM
|   DNS_Domain_Name: brainstorm
|   DNS_Computer_Name: brainstorm
|   Product_Version: 6.1.7601
|_  System_Time: 2023-09-22T04:05:48+00:00
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2023-09-21T03:52:41
|_Not valid after:  2024-03-22T03:52:41
|_ssl-date: 2023-09-22T04:06:19+00:00; +1s from scanner time.
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.80 seconds

The first thing I noticed was that port 21 (FTP) was open with anonymous FTP login enabled. I checked it out by running ftp 10.10.37.33 with the username anonymous. ...

September 23, 2023 · Joon Kim

TryHackMe - Relevant

Challenge: Relevant

Recon

NMAP

I was not able to find any clues from the initial Nmap scans and the other tools I used, so I looked up the official writeup. The author suggests running a scan that detects the open ports and then running a more focused Nmap scan on them. He created a tool, threader3000, and I decided to give it a try. The result showed that ports 80, 139, 135, 445, 3389, 5985, 49663, 49666, and 49668 were open. These ports in the 40,000 range are commonly used for backend operations within virtual environments such as AWS. ...

June 29, 2023 · Joon Kim

TryHackMe - HackPark

Challenge: HackPark

This box introduces Hydra, RCE and WinPEAS tools/techniques to exploit a Windows system.

Recon

NMAP

nmap -sC -sV -O -sT 10.10.170.188
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 18:27 UTC
Nmap scan report for ip-10-10-170-188.eu-west-1.compute.internal (10.10.170.188)
Host is up (0.00068s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
| http-methods:
|_  Potentially risky methods: TRACE
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2023-06-20T18:28:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2023-06-19T18:14:25
|_Not valid after:  2023-12-19T18:14:25
| rdp-ntlm-info:
|   Target_Name: HACKPARK
|   NetBIOS_Domain_Name: HACKPARK
|   NetBIOS_Computer_Name: HACKPARK
|   DNS_Domain_Name: hackpark
|   DNS_Computer_Name: hackpark
|   Product_Version: 6.3.9600
|_  System_Time: 2023-06-20T18:28:24+00:00
MAC Address: 02:51:BA:0B:1C:1B (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.85 seconds

Port 80 runs Microsoft HTTPAPI httpd 2.0. Also, port 3389 indicates that once we get credentials for the target machine we can access it remotely using xfreerdp or rdesktop. ...

June 28, 2023 · Joon Kim

TryHackMe - Alfred

Challenge: Alfred

This box is about exploiting a Jenkins misconfiguration. Jenkins is an open source CI/CD (continuous integration / continuous delivery and deployment) automation tool written in Java; it is used to implement CI/CD workflows, called pipelines. This box introduces a tool called Nishang, a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming. ...

June 26, 2023 · Joon Kim

HackTheBox - Beginner Track: Blue

Challenge: Blue

There wasn’t a description, so I ran nmap on the IP address that I was given:

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-04-30T01:23:49
|_  start_date: 2023-04-30T01:19:21
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-04-30T02:23:51+01:00
|_clock-skew: mean: -19m03s, deviation: 34m35s, median: 54s

Port 135 was open, so I googled whether there were any exploits for the msrpc service. I was able to find this article. ...

April 29, 2023 · Joon Kim