USCCTF2024 Pwn Portal

Description

Can you use the portals to get to the right place?

You are provided with a 32-bit executable:

    └─$ file portal
    portal: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=2777afda2049624cbbecde55650e58f347efcd29, for GNU/Linux 3.2.0, not stripped

Using checksec on this binary reveals that there are no security defenses enabled:

    [*] '/home/kali/ctf/uscctf2024/pwn/portal/portal'
        Arch:       i386-32-little
        RELRO:      No RELRO
        Stack:      No canary found
        NX:         NX unknown - GNU_STACK missing
        PIE:        No PIE (0x8048000)
        Stack:      Executable
        RWX:        Has RWX segments
        Stripped:   No

This is a straightforward “return-to-win” challenge. Upon inspecting the binary with objdump, you can see that the function win is the goal: ...

November 15, 2024 · Joon Kim

XSS Skills Assessment

The search bar didn’t seem to be a viable target for XSS injection because either it simply echoes the search query or it sanitizes/blocks the payloads I tested (for example, the payloads generated by XSStrike didn’t work). Next, I explored the “Leave a Comment” section, which includes multiple input fields. When posting a comment, I noticed that the inputs aren’t reflected directly back on the page. Searching for a comment only shows the search result, not the actual comment content, which means we need to identify which input area, if any, is vulnerable. ...

November 14, 2024 · Joon Kim

BuckeyeCTF 2024 - Binary Exploitation

Beginner pwn: First challenge

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main() {
        char command[110] = "cowsay \"";
        char message[100];
        printf("Give me a message to say!\n");
        fflush(stdout);
        fgets(message, 0x100, stdin);   /* reads up to 0x100 bytes into a 100-byte buffer */
        strncat(command, message, 98);
        strncat(command, "\"", 2);
        system(command);
    }

It has been a while since I have done any CTFs! So I struggled a little bit looking at the code and what they do. When I pass 109 A’s, it still runs the cowsay bin. When you pass in 113 A’s, the output starts to show a single ‘A’: ...

October 6, 2024 · Joon Kim

TryHackMe - Brainstorm

Challenge: Brainstorm

This is a room that tests reverse engineering a chat program to exploit a Windows machine.

Recon

Nmap:

    ─$ nmap -sC -sV -Pn 10.10.37.33
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-22 00:02 EDT
    Nmap scan report for hi-hormel-wg010.hi.umn.edu (10.10.37.33)
    Host is up (0.22s latency).
    Not shown: 997 filtered tcp ports (no-response)
    PORT     STATE SERVICE            VERSION
    21/tcp   open  ftp                Microsoft ftpd
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_Can't get directory listing: TIMEOUT
    | ftp-syst:
    |_  SYST: Windows_NT
    3389/tcp open  ssl/ms-wbt-server?
    | rdp-ntlm-info:
    |   Target_Name: BRAINSTORM
    |   NetBIOS_Domain_Name: BRAINSTORM
    |   NetBIOS_Computer_Name: BRAINSTORM
    |   DNS_Domain_Name: brainstorm
    |   DNS_Computer_Name: brainstorm
    |   Product_Version: 6.1.7601
    |_  System_Time: 2023-09-22T04:05:48+00:00
    | ssl-cert: Subject: commonName=brainstorm
    | Not valid before: 2023-09-21T03:52:41
    |_Not valid after:  2024-03-22T03:52:41
    |_ssl-date: 2023-09-22T04:06:19+00:00; +1s from scanner time.
    9999/tcp open  abyss?
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 216.80 seconds

The first thing I noticed was that port 21 (FTP) was open with anonymous FTP login enabled. I checked it out by running ftp 10.10.37.33 with the name anonymous. ...

September 23, 2023 · Joon Kim

TryHackMe - Relevant

Challenge: Relevant

Recon

NMAP

I was not able to find any clues from the initial Nmap scans and the other tools that I used. So I looked up the official writeup, and the author suggests running a scan that detects the open ports and then running a more focused Nmap scan on them. He created a tool, threader3000, and I decided to give it a try. The result showed that ports 80, 139, 135, 445, 3389, 5985, 49663, 49666, and 49668 were open. And these 40,000s are commonly used for backend operations within virtual environments such as AWS. ...

June 29, 2023 · Joon Kim

TryHackMe - HackPark

Challenge: HackPark

This box introduces the Hydra, RCE and WinPEAS tools/techniques to exploit a Windows system.

Recon

NMAP

    nmap -sC -sV -O -sT 10.10.170.188
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-20 18:27 UTC
    Nmap scan report for ip-10-10-170-188.eu-west-1.compute.internal (10.10.170.188)
    Host is up (0.00068s latency).
    Not shown: 998 filtered tcp ports (no-response)
    PORT     STATE SERVICE            VERSION
    80/tcp   open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    | http-robots.txt: 6 disallowed entries
    | /Account/*.* /search /search.aspx /error404.aspx
    |_/archive /archive.aspx
    |_http-server-header: Microsoft-IIS/8.5
    |_http-title: hackpark | hackpark amusements
    | http-methods:
    |_  Potentially risky methods: TRACE
    3389/tcp open  ssl/ms-wbt-server?
    |_ssl-date: 2023-06-20T18:28:29+00:00; 0s from scanner time.
    | ssl-cert: Subject: commonName=hackpark
    | Not valid before: 2023-06-19T18:14:25
    |_Not valid after:  2023-12-19T18:14:25
    | rdp-ntlm-info:
    |   Target_Name: HACKPARK
    |   NetBIOS_Domain_Name: HACKPARK
    |   NetBIOS_Computer_Name: HACKPARK
    |   DNS_Domain_Name: hackpark
    |   DNS_Computer_Name: hackpark
    |   Product_Version: 6.3.9600
    |_  System_Time: 2023-06-20T18:28:24+00:00
    MAC Address: 02:51:BA:0B:1C:1B (Unknown)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2012 (89%)
    OS CPE: cpe:/o:microsoft:windows_server_2012:r2
    Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 (87%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 79.85 seconds

Port 80 runs Microsoft HTTPAPI httpd 2.0. Also, port 3389 indicates that once we get the creds to get onto the target machine, we can remotely access it by using xfreerdp or rdesktop. ...

June 28, 2023 · Joon Kim

TryHackMe - Alfred

Challenge: Alfred This box is about exploiting Jenkins (misconfiguration). Jenkins is an open source continuous integration/continuous delivery and deployment (CI/CD) automation software DevOps tool written in the Java programming language. This tool is used to implement CI/CD workflows, called pipelines. This box introduces a tool called Nishang which is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. ...

June 26, 2023 · Joon Kim

HackTheBox - Beginner Track: Blue

Challenge: Blue

There wasn’t a description, so I ran nmap on the IP address that I was given:

    PORT      STATE SERVICE      VERSION
    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    49157/tcp open  msrpc        Microsoft Windows RPC
    Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    Host script results:
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-time:
    |   date: 2023-04-30T01:23:49
    |_  start_date: 2023-04-30T01:19:21
    | smb2-security-mode:
    |   210:
    |_    Message signing enabled but not required
    | smb-os-discovery:
    |   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    |   Computer name: haris-PC
    |   NetBIOS computer name: HARIS-PC\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2023-04-30T02:23:51+01:00
    |_clock-skew: mean: -19m03s, deviation: 34m35s, median: 54s

Port 135 was open, so I googled whether there were any exploits regarding the msrpc service. I was able to find this article. ...

April 29, 2023 · Joon Kim

HackTheBox: You know 0xDiablos

Description

This is one of the challenges of the beginner track in HackTheBox. I was given a binary with no source code. This indicated that I would need to use Ghidra to look at the decompiled source code. First, some checks on the binary:

    ─$ file ./vuln
    ./vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped

No defensive mechanisms are turned on for this challenge. ...

March 13, 2023 · Joon Kim

LA CTF - pwn: bot

Description

I made a bot to automatically answer all of your questions. nc lac.tf 31180

My approach

Again, the source code, its binary, and the Dockerfile were given. Looking at the source code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(void) {
        setbuf(stdout, NULL);
        char input[64];
        volatile int give_flag = 0;
        puts("hi, how can i help?");
        gets(input);   /* unbounded read into a 64-byte buffer */
        if (strcmp(input, "give me the flag") == 0) {
            puts("lol no");
        } else if (strcmp(input, "please give me the flag") == 0) {
            puts("no");
        } else if (strcmp(input, "help, i have no idea how to solve this") == 0) {
            puts("L");
        } else if (strcmp(input, "may i have the flag?") == 0) {
            puts("not with that attitude");
        } else if (strcmp(input, "please please please give me the flag") == 0) {
            puts("i'll consider it");
            sleep(15);
            if (give_flag) {
                puts("ok here's your flag");
                system("cat flag.txt");
            } else {
                puts("no");
            }
        } else {
            puts("sorry, i didn't understand your question");
            exit(1);
        }
    }

After looking at the source code, I noticed that there is a give_flag variable and a buffer that we can overflow, since the user input is received with gets(). Unlike the previous challenge I worked on, the give_flag variable would always be located after the input buffer, so we won’t be able to modify the value of give_flag this time. ...

February 14, 2023 · Joon Kim