lmao (from this CTF writeup):

The final step, emitting the target language, which is nowadays often NOT C, is our greatest weakness in 2024. A new generation of engineers and systems folk have discovered the fruits of Chris Lattner's labor and staked their claim on today's software landscape. Unfortunately for reverse engineers, we continue to deal with the Cambrian explosion in binary diversity without commensurate improvements in tools. We eat shit reading worsening pseudo-C approximations of things that are not C. This problem will probably not get solved in the near future. There is no market for a high-quality Rust decompiler. First, no one writes exploits or malware in languages like Rust or Haskell. Unlike C/C++/Obj-C, the Rust/Haskell/etc ecosystems are predominantly open-source further decreasing the need for reverse engineering. Lastly, improved source control and ready availability of managed enterprise services (i.e. GitHub) make first-party loss of source code much rarer nowadays. So like, no one really cares about decompiling Rust other than unfortunate CTF players. Golang is a notable exception. Golang is like, the language for writing malware--great standard library, good cross-platform support, brain-dead easy concurrency, easy cross-compilation, fully static linking, and design with junior programmers in mind. You could shit out a Golang SSH worm in like 200 LoC crushing carts and ketamine no problem. People worry about AGI Skynet hacking the Pentagon to trigger a nuclear holocaust but really it's more gonna be like eastern European dudes rippin' it with some hella gang weed ChatGPT ransomware. So maybe we'll get a good Golang decompiler first?

Writeup shasha.pop.corp haxat0n telef0nica

Fuimos a kakear al edificio de telefónica (scl) a un CTF organizado por dreamlabs. Nos trataron súper bacán, cafecito, pizza, bebidas energéticas, aguita, de todo. buen ambiente y harto kakinggggg :). Andaban las mojojos, las kalila, y a la otra que le dicen.

A continuación les muestro como resolvimos uno de los challenges hasta llegar al mítico id 0.

Lo primero, había un host con poodle que nos daba pistas sobre un wordpress y sus credenciales (?).

                                   Figura 1: msfk0nsole at w0rk.

Obviamente probamos http://afrodita.pop.corp/wp-admin/ con esas credenciales. Había un post privado con un archivo con una clave pública =).

                                   Figura 2: una flagcita pa los cauros

Andabamos motivados y osamos a escalar privilegios. Recordé un par de techs descritas por ahí (https://payatu.com/guide-linux-privilege-escalation/) y se dió la mano de escalar privilegios con sudo.

                                   Figura 3: exploiting sudo rights/user

Entonces metiéndole x aquí y x allá, jugando con PATH incluso, encontramos la flag del papi root utilizando el binario cucaracha (que ejecutaba por detroit un vim). Entonces se le pasó la ruta de la flag como argumento (a cucaracha) y lo abrió con privilegios de id0 sin drama.

... que nos dio los primeros puntitos.

saludines!

rgbCTF 2020 Writeups

Below are writeups for various problems from (rgbCTF)[https://ctftime.org/event/1042], specifically the ones that I (Timeroot) managed to solve. This is Advanced Reversing Mechanics 1 and Advanced Reversing Mechanics 2, [another witty algo challenge name], Five Fives, icanhaz, Laser 1 and Laser 2, Lofi, THE LYCH KING, Object Oriented Programming, ralphie, Sadistic Reversing 1 and Sadistic Reversing 2, Time Machine, TooSlow, and Ye Olde PRNG.

This was played under (1064CBread)[https://ctftime.org/team/5320], and we ended up getting 2nd place. :)

Advanced Reversing Mechanics 1

As the name (“ARM1”) suggests, this is an ARM binary. It’s also 32-bit, so make sure to open it in 32-bit IDA or you won’t be able to decompile. The problem statement gives some bytes,

71, 66, 61, 42, 53, 45, 7A, 40, 51, 4C, 5E, 30, 79, 5E, 31, 5E, 64, 59, 5E, 38, 61, 36, 65, 37, 63, 7C,

This function is pretty simple: main passes the input to encrypt_flag(char*), then prints out the result as series fo hex values. So what does encrypt_flag do?

char *__fastcall encryptFlag(char *result) { char v1; // r3 int v2; // t1 v1 = *result; if ( *result ) { do { *result = v1 - 1; v2 = (unsigned __int8)(result++)[1]; v1 = v2; } while ( v2 ); } return result; }

It loops through the bytes and adds one to each. Great. So take the given array, look each character up in [http://asciitable.com], look one previous, and write that down. Honestly it was faster that way than automating it. And you get the flag!

Advanced Reversing Mechanics 2

This problem is similar in structure to ARM1, but encrypt_flag() looks considerably more complicated:

_BYTE *__fastcall encryptFlag(_BYTE *result) { unsigned int v1; // r3 _BYTE *i; // r1 int v3; // r3 bool v4; // zf unsigned int v5; // r3 unsigned int v6; // r2 __int64 v7; // r2 v1 = (unsigned __int8)*result; if ( *result ) { for ( i = result; ; v1 = (unsigned __int8)*i ) { v6 = (unsigned __int8)(v1 - 10); if ( v1 > 2); v7 = i - result; if ( !*i ) break; v3 = v7 - 5 * (((signed int)((unsigned __int64)(0x66666667LL * (signed int)v7) >> 32) >> 1) - HIDWORD(v7)); v4 = v3 == 2; v5 = (((unsigned __int8)*i > v3)) & 0xFF; if ( v4 ) LOBYTE(v5) = v5 - 1; *i = v5; } } return result; }

… but why reverse when we can black-box? Some playing around reveals that the Nth character of output only depends on the first N characters of input. So let’s use this function, encrypt_flag, as an oracle, and try progressively longer things until we get our goal. We write a solver:

#include "stdio.h" #include "string.h" #define HIDWORD(foo) ((foo >> 32) & 0xFFFFFFFF) char* encryptFlag(char *result) { unsigned char v1; // r3 char *i; // r1 int v3; // r3 char v4; // zf unsigned int v5; // r3 unsigned int v6; // r2 unsigned long long v7; // r2 v1 = (unsigned char)*result; if ( *result ) { for ( i = result; ; v1 = (unsigned char)*i ) { v6 = (unsigned char)(v1 - 10); if ( v1 > 2); v7 = i - result; if ( !*i ) break; v3 = v7 - 5 * (((signed int)((unsigned long long)(0x66666667LL * (signed int)v7) >> 32) >> 1) - HIDWORD(v7)); v4 = v3 == 2; v5 = (((unsigned char)*i > v3)) & 0xFF; if ( v4 ) v5 = v5 - 1; *i = v5; } } return result; } void main(int argc, char** argv){ char* goal = "\x0A\xFB\xF4\x88\xDD\x9D\x7D\x5F\x9E\xA3\xC6\xBA\xF5\x95\x5D\x88\x3B\xE1\x31\x50\xC7\xFA\xF5\x81\x99\xC9\x7C\x23\xA1\x91\x87\xB5\xB1\x95\xE4"; int len = strlen(goal); printf("Len %d\n", len); char trial[35+1]; char check[35+1]; for(int l=0;l toVisit = new LinkedList(); LinkedList<integer> toMark = new LinkedList(); for(int x=0;x 0){ int vis = toVisit.pop(); { int x = vis/5000; int y = vis%5000; if(!map[x][y]) continue; if(marked[x][y]) continue; islands++; System.out.println("Island at "+x+", "+y); } toMark.push(vis); while(toMark.size() > 0){ int mark = toMark.pop(); int x = mark/5000; int y = mark%5000; if(!map[x][y]) continue; if(marked[x][y]) continue; marked[x][y] = true; if(x>0) toMark.add((x-1)*5000 + (y-0)); if(x0) toMark.add((x-0)*5000 + (y-1)); if(y guesses = new ArrayList(); for(int x=1;xicanhaz2

and file icanhaz2 tells us that it’s xz again:

mv icanhaz2 icanhaz2.xz && xz -d icanhaz2.xz

and we’re left with an SVG now. Viewing the SVG, it appears blank. Opening up the SVG in a text editor shows many lines of the form

<rect x="66" y="30" width="1" height="1" fill="#fffffd"></rect>

That is, boxes that are just barely off-white, in the blue channel. So find-and-replace #fffffd with #000000, and we get a visible QR code. PAss that into [https://zxing.org/w/decode] and we get a base64 string:

/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AbxAN1dAA2XxNFhRNBaOJSxhV08AXoOcZxtalpXU+c+q/ppfZc1/t0z3BU/P16F9jAlXbjrzh5cXk/9vLbc+8NQJ8PNawtALEPD17f25zdggODx3xzNLY3SjGTIlX0fbqo6HFkHYkIzOjjUgJcN1KbzGRouW+G8TakjrJ4y5Pk7jv/stqRiV0ICPYxKpnZSEn0aLzQSl46j6H3BBUBhRuGgxue3TXIzw5HGMlchgNBs6SCfHU0SkX4zlSKqOWSyKrJ5JMgwC47en2kI68/tRNQYaYzvGGcWcR/iEgNYO/jHVDVLAAAAADjqmgxrEIjCAAH5AfINAADD+B/oscRn+wIAAAAABFla

de-b64ing that gives garbled nonsense, but it starts with ý7zXZ��æ.. whic looks like another XZ compressed file. So run

echo "/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AbxAN1dAA2XxNFhRNBaOJSxhV08AXoOcZxtalpXU+c+q/ppfZc1/t0z3BU/P16F9jAlXbjrzh5cXk/9vLbc+8NQJ8PNawtALEPD17f25zdggODx3xzNLY3SjGTIlX0fbqo6HFkHYkIzOjjUgJcN1KbzGRouW+G8TakjrJ4y5Pk7jv/stqRiV0ICPYxKpnZSEn0aLzQSl46j6H3BBUBhRuGgxue3TXIzw5HGMlchgNBs6SCfHU0SkX4zlSKqOWSyKrJ5JMgwC47en2kI68/tRNQYaYzvGGcWcR/iEgNYO/jHVDVLAAAAADjqmgxrEIjCAAH5AfINAADD+B/oscRn+wIAAAAABFla" | base64 --decode | xz -d

and it prints(!) out

█████████████████████████████████ █████████████████████████████████ ████ ▄▄▄▄▄ █▀▀ ███ ▀▀█ ▄▄▄▄▄ ████ ████ █ █ █▄▀██▀▀▀ ▀█ █ █ ████ ████ █▄▄▄█ █ ▄ █ ▄ ██ █▄▄▄█ ████ ████▄▄▄▄▄▄▄█ █ ▀▄█ █▄█▄▄▄▄▄▄▄████ ████ ▄▀ ▀▀▄▄▀▀█ ▀ ▀ ▄▄▀▄ ▀████ ████▄█▀▄▀▀▄█ ▀▀ ▀▀▀▀▀▄▀▀█▄ ████ ████▄ █▀ █▄ ██▄ █▀██▀ ▀▄▀ ████ ████▄▀█▄█▄▄ ▄▀█ █ ██▄▀▀ ▀▄█▀ ████ ████▄▄▄▄██▄▄▀▀ █ ▄▀▄ ▄▄▄ ▄█▀ ████ ████ ▄▄▄▄▄ █▄█▀▄ ▄▀▄ █▄█ █ ▄████ ████ █ █ █▀█▄▀▄▀▄█▄▄▄ █▄▄█████ ████ █▄▄▄█ █▀▄██▀▀ ▀▀█ █▄█▄█▄████ ████▄▄▄▄▄▄▄█▄▄█▄█▄█▄▄█▄██▄█▄▄████ █████████████████████████████████ █████████████████████████████████

which scans in a QR code reader to rgbCTF{iCanHaz4N6DEVJOB}.

Laser 1 - Factoring

The basic approach for LaserLang here is to

Figure out a “normal” assembly implementation, using reads/writes/adds/branches/gotos

Write all the code in one line

Implement the branches and gotos by leaving the line to skip around.

To avoid the headache of juggling the order of a stack, we use a separate stack for each conceptual “register” (including “array registers”).

One nice thing about keeping your Laser program in one line like this, is that you can write all your documentation below it in the same file – a unique way to comment! So my English description of the code was actually just below the program, in my .lsr file. It was as follows:

I rsUD>rsUs rsU %⌝ > D(r'1'×'0'l ⌝ UU # \pDrsUs/ \ Dp/ print "1" store N to stack 0 store 2 to stack 1 main loop: duplicate N move N to stack 1 move N to stack 2 duplicate x move x to stack 2 modulo if 0: copy x to stack 2 decrement x (on stack 1) duplicate x duplicate x multiply (compute x2) duplicate N move N to stack 1 check greater than contine loop if 0 return

“N” is the number we’re supposed to factor. It lives in stack 0. “x” is the number we’re going to try dividing by, and we start with x = N. It lives in stack 1. We repeatedly make a copy of N and x, and divide and compute the remainder. If the remainder is 0, we copy x to stack 2 (our “results” stack). We decrement x, and continue our main loop only if x is still positive. At the end we return stack 2.

Laser 2 - Sorting

(See Laser1.md for some general tips on writing good Laser code.)

We sort through a version of selection sort, see https://en.wikipedia.org/wiki/Selection_sort. We have a list of “remaining” numbers (stacks 0/1), and a sorted list of “selected” numbers (stack 2). These are initially the given input, and empty, respectively.

In each step, we want to pick out the smallest number from the remaining ones, and put it on top of our “selected” stack. So we take the first number from “remaining” (in stack 0) and move to “selected”. Then we go one by one through each “remaining” number, moving them to stack 1 as we do so. Each time we move one from stack 0 to stack 1, we compare it with stack 2; if the number on stack 1 is smaller than on stack 2, we swap them. In this way, by the time stack 0 is empty, the smallest number has been put on stack 2.

Then we copy stack 1 back to stack 0 for the next loop.

We do this until the “remaining” list is empty, at which point stack 2 has been sorted. We return stack 2.

Code:

I> c'1'g ⌝p sUs >DsU r UrwD l⌝psUswUwDD> DcsU'0'g !⌝p >c⌝pw \>D \ \p / \ / \ p/ \p / \ / p \ sUsU # take input to stack 0 find smallest element: move top element to stack 2 loop: move top of 0 to 1 duplicate top of 1 copy top of 2 to 1 compare. if smaller, pop swap top of 1 and 2 else, pop check stack 0 cardinality if NOT 0, loop #copy stack 1 back to stack 0 check stack 1 cardinality if 0, skip: move top of 1 to 0 go back to check check stack 0 cardinality if NOT 1, main loop move last thing up return on stack 2

Lo-fi

We are given a .wav file. Listening to it, it’s generally some nice simple music; around 30 seconds, it gets a little bit more random. As it ends, there’s a few quick beeps that sound out of place. What are those beeps?

Opening this up in Audacity and looking at the spectrogram, we see the letters “tinyurl” spelled out by the quick beeps. This suggests that we need to find a ‘shortcode’, and then visit http://tinyurl.com/.

The flavortext (“Don’t let your dreams be ones and zeroes”) suggests that we should be looking for something like binary. The somewhat irregular notes in the second half of the song (29.6s - 41.5s) are a candidate. Starting from the drop, we count with the beat, writing down a 0 for each time there is no note, and 1 for each time there is. The pitch is irrelevant.

This gives the string 011001100110101000101101001100110011000000110010. Doing this in real time was way to hard, but if we slowed the song down by 4x it was much more doable. Music training is recommended.

We have 48 bits, which is good, cause that’s a multiple of 8. Decoding to ASCII gives “fj-302”. http://tinyurl.com/fj-302 redirects to a Pastebin that says rgbCTF{subscr1b3_t0_qu1nt3c_0n_yt_plz}.

LYCH King

In retrospect, perhaps this should have been done black-box, like almost everything in this category (ARM1/ARM2/SadRev1/SadRev2) was. But hey, who doesn’t want to reverse compiled Haskell?

Yeah, this binary is Haskell that was compiled by GHC. That might be reasonably accessible to you, if you (1) know Haskell, (2) know how STG machines work, and (3) know GHC’s conventions for storing thunks and STG type data. I meet, like, 0.5/3 requirements.

Goolging for “Haskell decompiler” quickly turns up [https://github.com/gereeter/hsdecomp] as exactly what we need: a decompiler for GHC-compiled 64-bit executables. Great! Let’s try it out!

$ python3 runner.py ../../rgbctf/lych/lich Error in processing case at c3uZ_info Error: Error Location: 140 Disassembly: mov rax, qword ptr [rbp + 8] mov rcx, rbx and ecx, 7 cmp rcx, 1 jne 0x407d33 add r12, 0x18 cmp r12, qword ptr [r13 + 0x358] ja 0x407d48 mov qword ptr [r12 - 0x10], 0x407c28 mov qword ptr [r12], rax lea rbx, [r12 - 0x10] mov rsi, rbx mov r14, rax mov ebx, 0x4bd600 add rbp, 0x10 jmp 0x49cf08 Main_main_closure = >>= $fMonadIO getArgs (\s3mc_info_arg_0 -> $ putStrLn ((\Main_a_info_arg_0 -> !!ERROR!!) (head s3mc_info_arg_0))

The results are a bit disappointing. It got as far as recognizing that the program is printing out some function of the input, but then it errored. How do we handle errors? We comment them out!

[https://github.com/Timeroot/hsdecomp/commit/a9244145d89019b2e8b0f45a9e23f5c043ec8155]

Basically forcing the decompiler to plow through broken stuff. (We also fix one incorrect assumption about jae being the only branch used in a certain type of case statement.) We definitely don’t get correct decompilation, but we get a lot more than before.

Main_main_closure = >>= $fMonadIO getArgs (\s3mc_info_arg_0 -> $ putStrLn ((\Main_a_info_arg_0 -> case == r3jo_info Main_a_info_arg_0 [] of c3uZ_info_case_tag_DEFAULT_arg_0@_DEFAULT -> zipWith (on (\s3m3_info_arg_0 s3m3_info_arg_1 s3m3_info_arg_2 s3m3_info_arg_3 s3m3_info_arg_4 -> . (\s3m1_info_arg_0 s3m1_info_arg_1 s3m1_info_arg_2 s3m1_info_arg_3 s3m1_info_arg_4 -> fmap $fFunctor-> chr) (\s3m2_info_arg_0 s3m2_info_arg_1 s3m2_info_arg_2 s3m2_info_arg_3 s3m2_info_arg_4 -> xor $fBitsInt)) ord) Main_a_info_arg_0 ((\Main_g_info_arg_0 Main_g_info_arg_1 -> case == r3jo_info Main_g_info_arg_0 [] of c3se_info_case_tag_DEFAULT_arg_0@_DEFAULT -> take (length $fFoldable[] Main_g_info_arg_0) (intercalate [] (map (\s3lV_info_arg_0 s3lV_info_arg_1 s3lV_info_arg_2 s3lV_info_arg_3 s3lV_info_arg_4 -> show $fShowInteger) (Main_v_info Main_g_info_arg_1 (length $fFoldable[] Main_g_info_arg_0) (S# 0)))) ) Main_a_info_arg_0 (S# 1997) ) ) (head s3mc_info_arg_0) ) ) r3jo_info = $fEq[] $fEqChar Main_v_info = \Main_v_info_arg_0 Main_v_info_arg_1 Main_v_info_arg_2 -> case == $fEqInteger Main_v_info_arg_0 (Main_r_info Main_v_info_arg_0) of c3qB_info_case_tag_DEFAULT_arg_0@_DEFAULT -> case >= $fOrdInteger Main_v_info_arg_2 (toInteger $fIntegralInt Main_v_info_arg_1) of c3qM_info_case_tag_DEFAULT_arg_0@_DEFAULT -> : Main_v_info_arg_0 (Main_v_info ((\Main_p_info_arg_0 -> + $fNumInteger Main_p_info_arg_0 (Main_r_info Main_p_info_arg_0)) Main_v_info_arg_0) Main_v_info_arg_1 (+ $fNumInteger Main_v_info_arg_2 (Main_mag_info Main_v_info_arg_0))) Main_mag_info = \Main_mag_info_arg_0 -> case == $fEqInteger Main_mag_info_arg_0 (S# 0) of c3mD_info_case_tag_DEFAULT_arg_0@_DEFAULT -> case > $fOrdInteger Main_mag_info_arg_0 (S# 0) of c3mI_info_case_tag_DEFAULT_arg_0@_DEFAULT -> case patError 4871050 Main_r_info = \Main_r_info_arg_0 -> case == $fEqInteger Main_r_info_arg_0 (S# 0) of c3oc_info_case_tag_DEFAULT_arg_0@_DEFAULT -> + $fNumInteger (* $fNumInteger (mod $fIntegralInteger Main_r_info_arg_0 (S# 10)) (^ $fNumInteger $fIntegralInteger (S# 10) (- $fNumInteger (Main_mag_info Main_r_info_arg_0) (S# 1)))) (Main_r_info (div $fIntegralInteger Main_r_info_arg_0 (S# 10)))

Even if you know Haskell, this is pretty unreadable, because

Everything is named very obtusely

Everything is pretty in prefix notation (e.g. + (f X) ((g h) Y)) instead of f X + g h Y)

A good chunk of code is missing.

We can’t fix the third part, but we can fix the first two, and use our pRoGraMmErs inTUiTioN to fill in the blanks for the third. Cleaned up:

Main_main_closure = >>= $fMonadIO getArgs (\ARGS -> $ putStrLn ((\ARG0 -> case (ARG0 == "") of __default -> zipWith (on (. (fmap $fFunctor-> chr) (xor $fBitsInt)) ord) HEAD ((\HEAD0 YY -> case (XX == "") of __default -> take (length HEAD0) (intercalate [] (map show (Function_V YY (length HEAD0) 0))) ) HEAD 1997 ) ) (head ARGS) ) ) String_Eq = $fEq[] $fEqChar -- Adds X to its digital reversal, repeatedly, in a loop -- Each time it adds the current number of digits in X to Z, a running counter (starts at 0) -- Continues until Z exceeds Y, the limit. Y is the length of HEAD0. Function_V X Y Z = case (X == (Function_R X)) of __default -> case (Z >= (toInteger Y)) of __default -> : X (Function_V ((X + (Function_R X))) Y (Z + (Function_mag X))) -- decompilation broke down here entirely -- but based on context, will guess it's the magnitude (Base 10) of A0. Function_mag A0 = case (A0 == 0) of __default -> case (A0 > 0) of __default -> case (A0 patError "lich_cipher.hs:(20,1)-(23,15)|function mag" -- returns R(X/10) + (X%10)*(10^mag(X)). -- this computes the _base 10 digit reversal_ of X. Function_R X = case (X == 0) of __default -> ( (X mod 10) * (10 ^ ((Function_mag X) - 1))) + (Function_R (X div 10))

So now the operation is pretty clear. It takes a number, 1997, and repeatedly adds it to its own base-10 reversal. It continues this until (a) it reaches a palindromic sum or (b) we have more terms than we have characters in our input string. This is what Function_V accomplishes, using Function_mag and Function_R as components.

Then intercalate [] (map show ...) turns these integers into strings and joins them. So for the sequence 1997 -> 1997 + 7991 = 9988 -> 9988 + 8899 = 18887 -> ..., we get the list ["1997", "9988", "18887", ...], and then the string "1997998818887".... The zipWith ... fmap structure is a bit obtuse, but we see xor, and HEAD (the input) and the digit string, so we can guess that it’s XORing the input with the magic digit string.

A quick trial of the program confirms this. Wow, so it’s just XORing the input with this magic string. Maybe I should have noticed that the program was its own inverse…? Nah.

So, we have encrypted text, and the program undoes itself. But we’re told the problem “has been changed very slightly” since it was first written. Two options: patch the program, or reimplement it. Patching it in IDA is easy, since searching for the bytes CD 07 (1997 in hex) turns it up right away. The relevant instruction is at 0x407C57 for those curious. I try a few different values (1997 is a year, right? So maybe 2020? 2019? 2000? 1996? 1998? Or maybe 2008, the year that the Lich King came out for WoW?) but none work, and it’s kind of slow doing this by patching it in IDA over and over.

So I reimplement the code to try a wide variety of seeds:

img = "./lich" fh = open('./cipher', 'rb') goal = bytearray(fh.read()) fh = open('./uncipher', 'rb') other = bytearray(fh.read()) def revDig(num): rev_num=0 while (num > 0): rev_num = rev_num*10 + num%10 num = num//10 return rev_num # Function to check whether the number is palindrome or not def isPalindrome(num): return (revDig(num) == num) def getPad(seed): res = "" while not isPalindrome(seed) and len(res) invParts = new Hashtable(); String[] classes = new String[]{"bv","cd","fg","gl","gq","gx","iy","mo","pr","qa","qg","vh","wz","xp","xq"}; char xorKey = new EncryptionKeyInstantiator().getEncryptionKeyFactory().getEncryptionKey(); for(String clazz : classes){ Class> clz = Class.forName(clazz); Object object = clz.getConstructors()[0].newInstance(); Method[] methods = clz.getDeclaredMethods(); for(Method m : methods){ try { String out = (String)m.invoke(object); String out2 = (String)clz.getDeclaredMethod(out).invoke(object); String out3 = (String)clz.getDeclaredMethod(out2).invoke(object); String in_enc = clazz + m.getName(); System.out.println(in_enc+" ~=> "+out3); char[] in_arr = in_enc.toCharArray(); for(int i=0;i "+out3); } catch(Exception e){ System.out.println(e); } } } String ans = ""; for(int i=0; i<goalstring.length i string bit="goalString.substring(i," bot="invParts.get(bit);" system.out.println> "+bot); ans += bot; } System.out.println(ans);

and then javac Main.java && java Main, we get Nice. Flag: rgbCTF{enterprisecodeee}.

Ralphie!

We’re given an image of a “decoder ring” of yore – but looking more closely, in the top left, is a QR code, with a variety of colors. Presumably we want something with just one color. So open it up in GIMP and play with the levels: go to “Curves”, and give the red channel a curve that is flat at 0 until the very very end. We’re left with a nice cyan QR code. Drop it in [https://zxing.org/w/decode.jspx] and we get a flag, rgbCTF{BESURETODRINKYOUROVALTINE}.

Sadistic Reversing 1

The program takes in a string and outputs an array of the style

[100, 93, 12, ... ]

and we want to find the input that matches the given output. Opening it up in IDA, the relevant strings show this is running on the Graal SubstrateVM, a toolchain for compiling Java to native code. (This theory is bolstered by the fact that invoking the program with no argument leads to a java.lang.ArrayIndexOutOfBoundsException). Reversing compiled SubstrateVM doesn’t sound like much fun, so can we blackbox this?

Some experimentation reveals that, like many simple ciphers (ahem, ARM2) the Nth character only depends on the input up to N. So we just try progressively longer things finding the right character by guessing at each step.

Solver script:

import subprocess import string import random img = "./itJX.so" goal = [114, 20, 119, 59, 104, 47, 75, 56, 81, 99, 23, 71, 56, 75, 124, 31, 65, 32, 77, 55, 103, 31, 96, 18, 76, 41, 27, 122, 29, 47, 83, 33, 78, 59, 10, 56, 15, 34, 94] query = '' matchingNow = 0 while True: sub = random.choice(string.printable) trial = query + sub result = subprocess.Popen([img, trial], universal_newlines=True, stdout=subprocess.PIPE) arr = eval(result.stdout.readlines()[0].strip()) matchingTrial = 0 if(arr == goal[0:len(arr)]): query = trial matchingNow = matchingTrial print("Built ",query)

After a couple seconds, Built rgbCTF{th1s_pr0bably_w@s_d1ff1cult6362}

Sadistic Reversing 2

This is a lot like Sadistic Reversing 1, but it seems that certain numbers of output depend on other ones elsewhere in the input – but still, the first byte of output is determined by just one thing, and the second byte is determined by two, and so on. Probably some loop of the form

long state = 0; for(int i=0; i<input.length i char next="input.charAt(" mystery1 result.append mystery2 state="mystery3(state,next);" so let blackbox this. since we not sure where have to change a byte in input get the right output just choose random place and hope it improves it. import subprocess string img="./itwk.so" goal="[117," query="rgbCTF{th1s_pr0bably_w@s_d1ff1cult6362_aaabbbcccd}" matchingnow="0" while true: flipper="random.randrange(0,len(query))" sub="random.choice(string.printable)" trial="query[0:flipper]" result="subprocess.Popen([img," universal_newlines="True," stdout="subprocess.PIPE)" arr="eval(result.stdout.readlines()[0].strip())" matchingtrial="0" if> matchingNow: query = trial matchingNow = matchingTrial print("Built ",query)

Takes about two minutes to run. (And what a shame I didn’t optimize it – we missed first blood by a matter of seconds!)

Secure RSA

We are given the following nonsense:

Secure RSA (SRSA) is a new, revolutionary way to encrypt your data that ensures the original message is unrecoverable by hackers. Top scientists from around the world have confirmed this mathematically irrefutable fact. 3 of our very own RGBSec members have developed this method, and we present it to you here. Granted, the method is very simple, and we aren't quite sure why nobody has thought of it before. Levying the power of uninjectivity, we set e to a small number. 0, in fact. Let's calculate the cipher now: (anything)^0 = 1. Since the message before encryption could have been any number in the world, the ciphertext is uncrackable by hackers. n: 69696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969 e: 0 c: 1

Well, yes, okay, there’s clearly no way to undo this encryption, but the flag data has to be somewhere – the flavortext then? We have a lot of flavortext. Looking at the first letters of each sentence:

ST3GL0LS

so the flag is rgbCTF{ST3GL0LS}.

Time Machine

The “time machine” here immediately hints a timing attack. Indeed, what does the binary do?

Generate a securely random password from the alphabet ABC...XYZ

Check user input against the password, one character at a time, returning as soon as it fails

Let the user try again, up to 250 times

If the user input matches, print out the flag.

The “one character at a time” part is what makes this vulnerable as a timing attack, as strings that match on longer prefixes take longer to check. This is over the network, so a few extra nanoseconds of checking would be totally unrecognizable, but the challenge server helpfully pauses for a whole second after each matching character. This makes the timing attack easy.

Solver script:

from socket import socket from telnetlib import Telnet import time allowed = "UVWXYZAFBCDQRSTGHIJNOPKLEM" sock = socket() sock.connect(('167.172.123.213', 13373)) #sock.connect(('localhost', 5555)) print("Header: ",sock.recv(1024)) print("Header2: ",sock.recv(1024)) known = "" for i in range(8): maxtime = 0 bestchar = "-" for trial in allowed: query = known + trial + "U"*(7-len(known)) print "Try ",query start = time.time() sock.send(query+'\n') result = sock.recv(1024) print("> " + result) result = sock.recv(1024) print("> " + result) end = time.time() tt = 1000*(end-start) print "Time = ",tt if(tt > maxtime): maxtime = tt bestchar = trial print "Keep ",bestchar known += bestchar print "Think it's ",known sock.send(known+'\n') result = sock.recv(1024) print("> " + result) t = Telnet() t.sock = sock t.interact() sock.close()

Too Slow

We’re given a binary which, we are told, will output the flag, albeit very slowly. The binary has two ffunctions: generate_key(), which returns an int32, and win(), which takes that int32 and generates the key. Figuring that generate_key() will probably be the slow part, let’s reverse that first. Hex-Rays gives

__int64 generate_key() { int v0; // eax __int64 v2; // [rsp-8h] [rbp-8h] __asm { endbr64 } for ( *((_DWORD *)&v2 - 2) = 0; *((_DWORD *)&v2 - 2) > (8*(i%4)))&0xFF); int aByte = (int)((a >> (8*i))&0xFF); int res = kByte ^ aByte; System.out.print((char)(res)); } } }

giving the flag rgbCTF{pr3d1ct4bl3_k3y_n33d5_no_w41t_cab79d}.

Ye Old PRNG

We are strongly suggested that this is an “old” PRNG. Googling for old random number generation implementations mostly brings up stuff about LCGs ([https://en.wikipedia.org/wiki/Linear_congruential_generator]) and LFSRs ([https://en.wikipedia.org/wiki/Linear_feedback_shift_register]), so we’re expecting one of those.

Connecting to the server, we can request numbers that are 3 to 100 digits long; it will then produce a sequence of random numbers for us. One of those first things to jump out is that each number appears to be entirely determined by the previous: in particular, when using 3 digits, “69” is always seen to generate “476”, and this appears to occur rather frequently.

Moving up to 100 digits numbers, it’s pretty clear that it’s not an LCG. An LCG is affine, so two inpurt numbers that are “a” apart lead to k*a difference in the results; from two (input,output) pairs we can determine what k is, and then check this against a third pair. It doesn’t work. It could be an LFSR but it’s not clear exactly how that would translate here. An LFSR generates a stream of bits, which would need to be converted to these integers. And as we noted, there doesn’t seem to be any hidden state.

Another big giveaway is that on the n=4 setting, we sometimes see loops like 4200 -> 6400 -> 9600 and so on, all ending with double zeros. There’s something base-10ish going on here.

A bit more digging on PRNGs brings us to [https://en.wikipedia.org/wiki/List_of_random_number_generators], where we see that the oldest one is the “middle square” algorithm. This fits perfectly: 69*69 = 4761 -> 476, and 4200*4200 = 17640000 -> 6400.

We write this in Mathematica as f[a_] := IntegerDigits[a^2, 10][[50, 150]], although a bit of padding comes in to play with a^2 is not full length. We can predict numbers and we pass the server. </input.length></goalstring.length>

Welcome Presentation

Details

CATEGORY: forensics OBSERVED DIFFICULTY: 1/5 CTF: Unnamed

Challange

[Text lost but we are given a pptx file]

Solution

We are given a powerpoint presentation, when viewd it is empty.

We can explore the contents of the file by renaming it as a .zip file and extracting it with the unzip command.

Looking around, we find a file named "hidden", inside is the flag base64 encoded.

--1103

TryHackMe: RootMe CTF Detailed Walkthrough | 2022

RootMe is an easy CTF machine to solve available on TryHackMe, today we will be taking a look at exploiting the machine. 

Contents:-

We will first do an Nmap scan to find the open ports that we can exploit. 

We then use go busterto to do the directory brute-forcing. 

We then upload the PHP reverse shell to get the initial foothold o the system. 

We then search for the SUID bits, that are set. 

We then exploit the binary that has a SUID bit set. 

Read full Walkthrough

Writeup: The SANS HOLIDAY HACK CHALLENGE 2021 - Kringlecon 4 CALLING BIRDS!

Another year, another SANS Holiday Hack Challenge! Here's my writeup for the 2021 edition!

It’s that time of the year again, to reveal my writeup for the Sans Holiday Hack Challenge. This time around Sans named the game “Kringlecon 4 – Calling Birds!”. My last year submission resulted in an “Honorable Mention”. Since I have had major issues with documenting massive writeups using WordPress , I have decided to skip converting my writeup to HTML. Instead, I’ll just link to the PDF. Here…

View On WordPress

[Media] ​​hacking-writeups

​​hacking-writeups Helpful shell commands and lots of writeups from machines solved on Hack the Box and also walkthroughs from CTF competitions. https://github.com/BitFlippa27/hacking-writeups/tree/main/htb/ctf/cyber-apocalypse-2023/web #cybersecurity #infosec #pentesting #redteam

Something Awesome: Proposal (UPDATED)

Topic: Learning the basics of web hacking with HackTheBox’s Web CTF challenges

My goal is to learn various methods of web hacking using HackTheBox as a practical means of achieving this goal. If it turns out that the difficulty of the basic levels that I’ve assigned myself was too easy, I’ll delve into learning other security-related CTFs by doing further extension levels (further explained below under Extensions).

The main website I’m going to be using is HackTheBox. I chose HackTheBox since the learning curve didn’t seem to steep - there’s enough questions that were rated ‘easy’ compared to other websites where the difficulty was unlisted and/or the topic was uncategorised. I felt that it was a good stepping stone before diving deep into the more complex wargames such as pwnable.kr (after this project), which I feel has a much steeper learning curve, and different learning topics.

I was thinking of something doable if I allocated 3~4 hours a week to do and came up with the conclusion of learning the basics of web hacking + writing a report + (possibly) doing my extension tasks would be feasible.

By the end of my Something Awesome, I hope to:

Have a solid foundation of web encryption methods and ways of cracking these encryption methods

Understand the technical theory behind encryption and decryption methods

Understand how to use a suite of web hacking tools

Proficiently hack web applications using methods derived from self, i.e. to stop being a “script kiddie”

Task:

Complete all activities from HackTheBox’s Web CTF challenges.

7 activities

5 “easy” problems

1 “medium” problem

1 “hard” problem

Comprehensive writeup on methods of web hacking learned from CTF challenges.

Extensions:

Complete activities apart from the Web CTF challenges. Several to choose from, preferably one that was rated as a “medium” difficulty problem or higher and the more, the merrier.

Marking:

High Distinction range:

Completing all web CTFs AND delves into other, harder CTFs on HTB

Writeup shows an expert understanding of web application hacking AND other topics of hacking

Distinction range:

Completing all 5 easy problems, 1 medium problem AND 1 hard problem

Writeup shows an expert understanding of web application hacking

Credit range:

Completing all 5 easy problems AND 1 medium problem

Writeup shows a sufficient understanding of web application hacking

Pass range:

Completing all 5 easy problems

Writeup is lacking, shows minimal understanding of web application hacking

Something Awesome Project

Something Awesome Goals: For my something awesome project, I would like to participate in CTF and wargames in overthewire.org to build up my fundamental knowledge of security concepts and make attempts on exploiting vulnerabilities on web app.   Stages and Milestones: A general writeup will be posted on my blog every week including my time spent on the challenges, possible screenshots, code snippets and my approach to solving the challenges. From week 2 to week 6 I am planning to solve 6 Natas challenges every week, the schedule of solving the challenges are as follows: Week2: Solve 3 Natas challenges on Friday and 3 Natas challenges on Saturday Week3: Solve 3 Natas challenges on Monday and 3 Natas challenges on Friday Week 4: Solve 3 Natas challenges on Monday and 3 Natas challenges on Friday Week 5: Solve 3 Natas challenges on Friday and 3 Natas challenges on Saturday Week 6:  Solve 3 Natas challenges on Monday and 3 Natas challenges on Friday For week 7 and week 8 I will be focusing on solving one of the challenges on Hack-The-Box.eu Marking Rubric: FL: Only solved a few CTF or wargame challenges. (Less than 10) PS: Solved at least 10 levels of Natas in Overthewire. CR: Solved 25 levels of Natas in Overthewrie. DN: Completed 30 levels of Natas HD: Completed Natas in Overthewrie and solved one challenge on Hack-The-Box.eu Contingency: I will adjust the number of challenges that need to be done each week depending on the difficulty of the challenges. Extension: If I managed to complete everything listed above in advanced, I will try to solve another hack the box challenge.

mein gott, this CTF writeup is delightful

(any day where you get to start by decoding punchcards, then reverse engineer some rando hipster cpu, and then hack some RNG, is an excellent day)

Hacked space engineers download early access

#Hacked space engineers download early access how to#

#Hacked space engineers download early access update#

#Hacked space engineers download early access archive#

#Hacked space engineers download early access Patch#

Big thanks to Baidu for putting that party together! The DEF CON spirit of discovery and community is a truly global thing and we’re grateful to all of you for making DEF CON what it is. Our hacker friends in China are having a VR party for DEF CON 30 with a big, beautiful virtual meeting space and media shared from the show. Zoom acaba de corregir una falla de seguridad importante - Digital Trends (Espagnol)Ī Flaw in the VA’s Medical Records Platform May Put Patients at Risk - WiredĭC30 Car Hacking Village Badge - Intrepid Control Systemsĭesigning the DEF CON 29 and 30 Badges (featuring MK Factor) Hacker Hangouts (YouTube)ĭEF CON 30 OBD-Kill Badge First Flight - Intrepid Control Systemsĭefcon 30 badge release the patch/fix to the bug of smoked badge. Potential hack vulnerability for some Boeing planes fixed: Researchers - Business Insurance Inglis: People, companies need to replicate collective cyber defense seen in Ukraine - The Record White House Cyber Director: ‘Defense is the New Offense’ for Cyber - Nextgov The Zoom installer let a researcher hack his way to root access on macOS The Verge ‘Hackers against conspiracies’: Cyber sleuths take aim at election disinformation - Politico Logran hackear Starlink por solo 25 dólares Muy Computer New exploits can bypass Secure Boot and modern UEFI security protections - CSO OnlineĭEF CON 30 Comes of Age with Hacker Homecoming - Security Systems News

#Hacked space engineers download early access Patch#

US Emergency Alert System Has ‘Huge Flaw’ - Broadcasters Must Patch NOW - Security Boulevard Russian Hackers Are Escalating and Diversifying Their Attacks on Ukraine, Research Says - Gizmodo What to watch for as 'Hacker Summer Camp' gets underway in Las Vegas - CyberscoopĮclypsium Calls Out Microsoft Over Bootloader Security Woes - Tech Target Reproductive Justice in the Age of Surveillance: Panel at DEF CON 30 - EFF Playing for All the Jelly Beans at the EFF Benefit Poker Tournament at DEF CON - EFF John Deere Jailbreak Shows It’s All Built on Outdated, Unpatched Hardware - Boing BoingĪ New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave - Wired Sick Codes Jailbreaks Tractor at DEF CON - Fierce Electronics Zoom Patches Mac Auto-Updater Vuln that Granted Root Access - Ars TechnicaĮlection Disinformation Fears Loom Over Hacker Confab - Politico The Next Big Jailbreak in Tech: John Deere Tractors - Gizmodoīlack Hat and DEF CON Roundup - ThreatpostĬarnegie-Mellon Team Wins DEF CON Hacking Competition - Business Wire #DEFCON: CISA Director Praises Congress and International Cybersecurity Cooperation - Infosecurity Magazine How Sanctions Impact Internet Operators - Infosecurity Magazine StarLink Ground Stations Successfully Hacked - Hackadayīlack Hat and DEF CON visitors differ on physical risk management - The Register Hackers Come Home to Vibrant Community - Dark Reading Hackers Took Over a Commercial Satellite to Broadcast Hacker Movies - Vice This String of Emojis is Actually Malware - Vice

#Hacked space engineers download early access update#

We’ll update soon with more writeups and breakdowns as they appear. Here’s an early roundup of DEF CON 30 press mentions. DEF CON 30 Press Roundup!ĭEF CON 30 is in the books, and it looks like we made a little news. In case you missed it: learn all about the magical mystery musical badge from DEF CON 30 in the opening talk for DC30 with The Dark Tangent and MKFactor, the badge creators. Keep an eye on it for even more coming soon Contest results, talk videos, CTF packet caps, video of the music events and more! Happy weekend! DEF CON 30 Badge talk Video! All for the low, low price of one internet click. Missing DEF CON 30? We've updated our Conference Archive! Get your hands on a cornucopia of DC30 content - the program, LiveCTF, photos, video and even a soundtrack to vibe with while you browse.

#Hacked space engineers download early access archive#

Enjoy and share widely! Archive Page is Live for DEF CON 30!

#Hacked space engineers download early access how to#

We've released a talk from farm hacking pioneer Sick Codes on the intricacies of agricultural equipment cyber security, and how to break and modify it. Caesars Forum, Flamingo, Linq, and Harrah's inĬoming Up Javascript is disabled on your browser.Īccess the Conference Calendar for DEF CON 30 Get your receipt for DEF CON 30!Ĭash Receipt Early Release Video - Hacking the Farm by Sick Codes!

WriteUp for Something Awesome Project

Something Awesome proposal:  https://superbobthebuilderfan.tumblr.com/post/185628975027/something-awesome-proposal-hackthebox

OBJECTIVES

Categories I plan to explore are Crypto, or Stego, or Pwn, or Web, or Misc, or Forensics, or Mobile. The aim was to complete one or more challenges in the categories I chose to explore. In achieving my aim I would have learned various hacking techniques, practical hacking skillsets, and developed my skills in hacking.

PLANNED 

I chose to explore Crypto, Misc, Stego, and Pwn (Pwn is extension work)

Get invite code for hackthebox.eu, explore hackthebox’s environment and restrictions as a non-VIP member, research about ciphers and encryption types +  Setup/explore programs/tools and the environment for digital forensics and penetration testing and CTF’s (Kali Linux) + Complete one or more challenges in the above-stated categories.

ACTUAL

I was able to get the invite code, I explored hackthebox’s environment and restrictions as a guest member, studied many various ciphers and encryption types, successfully dual-booted Windows and Kali Linux, explored preinstalled programs/tools and the environment. Furthermore, I managed to complete one or more challenges in all chosen categories except Pwn. Pwn will be completed in Week 9 as declared in my Something Awesome proposal blog (link is at the very top).

WHAT I LEARNT

Invite code, environment, ciphers, encryptions, crypto

Week 2-3

https://superbobthebuilderfan.tumblr.com/search/week3%20somethingawesome

Refer to the above link to see the completed challenges and goals for week 2-3.

In week 2, I obtained the invite code and didn’t blog about it until week3. It was easy because I have done something similar to this before such as hacking the game Cookie Clicker and Clicker Heros. 

I learnt:  

how to make POST request via terminal by typing curl -XPOST [INSERT URL]. 

about hackthebox’s environment such as where the discussion forums are, settings page, my profile page, how to check my progress, where the challenges are, where the pen-testing labs are, where the pen-testing machines are

many new ciphers and encryptions, the most unique one I discovered was Fernet (symmetric encryption) 

Kali Linux, penetration and digital forensics tools, CTFs tools

Week 4

https://superbobthebuilderfan.tumblr.com/search/week4%20somethingawesome

Refer to the above link to see completed goals for week 4.               

I learnt:

how to dual boot 2 OS’s on one laptop

commands such as netdiscover, nmap, gobuster

tools such as Burpe Suite, BruteSpray, Hashcat, John the Ripper and many more for password attacks

tools for sniffing and spoofing such as Wireshark, bettercap, Wifi Honey

tools for hardware hacking such as android-sdk, apktool, Arduino

tools for information gathering such as arp-scan, Xplico, InTrace, iSMTP

tools for vulnerability analysis such as Oscanner, Powerfuzzer, sfuzz

tools for wireless attacks such as Airbase-ng, Aircrack-ng, Fern Wifi Cracker

tools for web applications such as DirBuster, fimap, FunkLoad

forensic tools such as Binwalk, bulk-extractor, Capstone

stress testing tools such as DHCPig, FunkLoad, iaxflood

reverse engineering tools such as apktool, dex2jar, diStorm3, edb-debugger

reporting tools such as CaseFile, cherrytree, CutyCapt

hardware hacking tools such as android-sdk, apktool, Arduino

I learnt about the existence of those tools and their purposes and their usage and tested them out, but not all of them.

Misc

Week 5-6 

https://superbobthebuilderfan.tumblr.com/search/week5%20somethingawesome

Refer to the above link to see completed challenges for week 5-6. 

I learnt:

To pay attention to details because I have attempted one that is similar. It was under the same programming language category “Esteroic programming language” in week 3. The previous was Brainfuck, this one is Piet and malbolge. The whole list of Esteroic programming languages  https://en.wikipedia.org/wiki/Esoteric_programming_language

Steganography

How to extract zip folders in terminal: extract [INSERT ZIP FOLDER NAME]

How to solve steganography using steghide extract -sf [INSERT FILE NAME], which is a command-line tool 

Base64 encryption can be done twice 

Renaming files to the correct format is good practice 

How to base64 decode once and twice in terminal: base64 --decode [INSERT FILE NAME] | base64 --decode

How to check file properties in terminal: file [INSERT FILE NAME]

ls -R and  fcrackzip -v -u -D -p [inputfilepath] [path to the file/folder wanted to crack]  command

How to fix  "E : Unable to Locate Package" Error In Kali Linux

Application of pdfcrack tool

Stego

Week 7-8

Part 1 (week7): https://superbobthebuilderfan.tumblr.com/post/186443678597/htb-stego-da-vinci

Part 2 (week8): https://superbobthebuilderfan.tumblr.com/post/186443681237/htb-stego-davinci

Refer to the above link to see completed challenges for week 7-8.

I learnt:

strings and binwalk command, the rest of the knowledge required had already been acquired from previous challenges such as steghide and base64

OVERVIEW OF MY EXPERIENCES FOR THE PROJECT

As a first-timer in the field of CTFs and I am surprised I could solve more than one challenge in each chosen category. I feel like I have achieved my objectives for the Something Awesome project as I have learnt hacking techniques and skills, both technical, and theoretical, and problem-solving skills. The skillset I have learnt would potentially be useful for completing future CTFs and as a security major computer science student. I did my best to be on schedule and if not, I would extend myself by doing another challenge whenever I am ahead of schedule. I am satisfied with the amount of effort I put in from the beginning (Week 2) of this project to now (Week 8).

Tryhackme Pickle Rick Walkthrough | 2022

It's a detailed walk-through going through each and every step that you are going to need when enumerating the Pickle Rick machine on Tryhackme.

What we are going to see.

We will be enumerating the Pickle Rick machine which is available on TryHackMe. 

We are going to do Directory Enumeration 

We will be using the command panel to get into the server and obtain the shell. 

We will then enumerate the server to find the flags that are needed. 

Get the Detailed Walkthrough

Writeup: The SANS HOLIDAY HACK CHALLENGE 2020 - Kringlecon 3 French Hens!

Writeup: The SANS HOLIDAY HACK CHALLENGE 2020 – Kringlecon 3 French Hens!

It’s that time of the year again, to reveal my writeup for the Sans Holiday Hack Challenge. This time around Sans named the game “Kringlecon 3 – French Hens”. My last year submission resulted in an “Super Honorable Mention”. This year I got an “Honorable Mention” under my own name. Since I have had major issues with documenting massive writeups using WordPress , I have decided to skip converting…

View On WordPress

Something Awesome Roundup

My proposal I wrote for myself a month and a week ago can be found here:

Initially, I set out to learn how to penetration test and do CTF challenges. I had a list of websites that I wanted to try and test, as well as setting out to do blogs on every challenge I did. While I’ve not done as much as I’d like in terms of challenge quantity, I learned a fair few things over the course of my project and I know the path to take to learn more. CTF is one of those things where you need to gather more vulnerabilities and skills to use, continuous learning, etc.

The following will be a writeup as to everything I’ve blogged on regarding the project.

--------------- ------------------------- ------------------------- -------------------------

I made 14 blog posts total. On average, 2 per week (seven weeks), semi-consistent. I wrote three last week and one this week. I’m a bit too busy to pull a table, else I would make a table of activity.

I first performed the introduction challenge on hackthisbox.org, where you’re required to hack an invite code to make an account on the website. This was mainly recon work, some knowledge on how JS worked, and googling. Probing hackthisbox.org proved to me that the site was rather advanced (probably hence the challenge), so I went on other sites to probe around.

I went on CTFLearn.com next, probed around and did a few challenges, then on pwnable.kr. Both these sites weren’t something I was looking for, and microcorruption.com was regarding microprocessors, which I’m still rather shaky on. 

Next, I tried hackthissite.org, which taught me a few basic skills I had heard about with its Basic Levels #1 - 10. I learned different types of SQL injections (mainly from OWASP), Server-Side Includes (SSI) attacks, and half of the top 10 OWASP attacks at a basic level. 

It was then that I moved onto its Realistic Challenges, which I spent most of the challenge on. Each one got very progressively harder, to the point where I spent a significant amount of time poking around and learning a lot about different techniques in my own time to try and push. Each realistic challenge on HackThisSite I tried has its own blog post. Performing different types of SQL injections was very fun, decoding passwords and cryptography was demonstrating a lot of things discussed but not taught in lecture, so I thought it fit the course very well. It forced me to self learn a lot of things, actively trying to learn (watching youtube videos on CTFing, etc)

My write up on all 10 challenges and each technique I used to successfully complete it can be found here.

Next, I looked around for a different kind of challenge - I wanted to write up more sites in my report. I tried OverTheWire, but due to time constraints I couldn’t finish what I wanted. OverTheWire gave me some rather rudimentary (scaled) challenges to do on terminal, sshing. I learned how to do basic commands with flags better, which I should probably master.

Overall, I think I did decently dispersed work, though I would have liked to do more. Most of my time was spent researching independently. 

Also, the Hacknet OST is really nice with work. I guess I discovered it in doing this challenge.

[Media] ​​HackTheBox CTF Cheatsheet

​​HackTheBox CTF Cheatsheet This cheatsheet is aimed at CTF players and beginners to help them sort Hack The Box Labs on the basis of operating system and difficulty. This list contains all the Hack The Box writeups available on hackingarticles. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles. https://github.com/Ignitetechnologies/HackTheBox-CTF-Writeups