Day 3 - HTB Cyber Santa CTF: HackTheBox Capture The Flag 2021

Captions
In this video we're going to take a look at day three of the HackTheBox Cyber Santa capture the flag competition. We've got a new challenge for each day of the competition, so we're going to go through in order of the number of solves. Currently we've got our web challenge first with 335 solves, then crypto with 162, then forensics with 143, pwn with 75 and reversing with 55, which I haven't yet done, so hopefully we get that one finished as well. But let's start with this web challenge. It's called Gadget Center and the description says: it seems the evil elves have broken a controller gadget for the good old candy cane factory. Can you team up with the real red team Santa to hack back?

As with the previous challenges we've got a server to launch and we've got some source code to download as well. I'm going to go straight to the server, as I did when I was solving it, because obviously when the competition starts you might not want to jump straight into the source code; you might want to go and see if you can quickly identify what the vulnerability is and exploit it. So we go to the site and we've got this terminal running where we can call UPS status, restart, list processors, list RAM, list connections, list storage. Immediately you might notice that these are commands that we can run on our Linux terminal, and that would immediately make me think about command injection. We've got a command up here which is being sent as the query, and depending what we select here it has some different options, but we know that if we're in the Linux terminal and we do ls or something like that we can run one command, but we can also do ls and then enter a semicolon and then say, I don't know, ifconfig, and that will run both commands one after the other. We can do other things as well: we can use the pipe characters, we can use ANDs, we can use the bash syntax to execute commands. Sometimes these things will be filtered out, and that's what we want to test for first of all, so let's try and do semicolon ls, and you'll see we get back the list of the files in the directory. So the next thing we might want to try is to see can we list a directory up. Let's do ls ../ and we don't get anything there. Let's see if maybe the space is being blocked, maybe it's the command, so we might try another command like id, but id works, so it seems like the space is being blocked. So we want to go and have a look at the source code at this stage. What I actually did first of all here was just to search "bypass space filter bash". We can open up our good old HackTricks and look at some of the examples in here, so you can see here we've got some examples: bypass IP filter, and "bypass forbidden spaces" is what we're interested in, and we've got a few different options here. I went through and I tried a couple of them. This one was actually the one that worked for me, but we're not going to be able to cat the... oh, we can cat /etc/passwd. OK, I didn't think that worked for me earlier. All right, well, that's good stuff. Let's try and do ls and then we'll use that as a space, so we can do ../ and we can list the directory up. We might want to then try to cat out the shell scripts, and that also works for us. But we have a lot of this code available to us, so as soon as... I haven't seen any flag mentioned there or any files worth reading. Let's go and take a look at the source code and see where the flag is.

So we're going to have a look at the config first of all. We'll see that we have that santa_mon.sh; we also have this ups_manager which, if we go back to list the directories, I don't believe we saw here. No, so that should be in the same directory as santa_mon but we don't see it. And if we take a look at the ups_manager, at the code, we have this get JSON, we've got a check service, so this seems to be the commands that we're running. If we have a look here we've got this UPS status, we've got restart, we've got list processors, and we've got the restart here, we've got our check service, and these are the outputs that we get whenever that runs. We've also got this option where you can call restart, so we already did that as well, the restart service, and there's another one, get flag. So let's just go back there and see. First of all this is set to command equals list processors. Is it as simple as saying get flag? It's not, so we can go back here. So this is actually a directory: if self.path equals get flag. Let me go back and do this restart, because whenever we restart there it's very, very similar code here, so it's saying if it's restart call this, and that's what we're seeing. So can we try to make a curl request or wget request to this get flag directory? Let's have a look and see what the IP address is of the local server. It's 127.0.0.1:3000. So if we were to go here and inject a command and say we want to curl... we can't use a space, can we? Let's go back to one of these commands and we'll do curl http://127.0.0.1:133... no, sorry, not 1337, I'm so used to being on that one, 3000/get flag, and then we run that and we get back our flag. So we didn't really need to look through too much of the code there to work out what's going on. In fact we didn't actually touch the challenge directory at all. Sometimes going in there can cause a little bit of extra confusion: if none of this is actually relevant to the challenge and you stumble across these files before you stumble across the ups_manager, then you might waste a bit of time basically. So it's a good idea to have a quick flick through these and just see which ones have any interesting keywords in them, especially if it's a challenge where the flag is being held somewhere like this UPS manager one.

The next challenge is called Missing Reindeer. It's a crypto challenge and the description says: not only elves took control of Santa's Christmas factory but they kidnapped Rudolph as well. Our cyber spy has managed to capture an email related to Santa's
favorite reindeer. Can you help them decrypt the message? So we've got a file to download. In this case it was actually an email. Let's open it up, message.email, and we've basically got an email that's been sent here. It says: hello Mr Jingles, we got the reindeer as you requested. There's a problem though: his nose is so red and bright that it makes it very hard to hide him anywhere near the North Pole. We have moved to a secret location far away. I've encrypted this information with your public key in case you-know-who is watching. And we've got a public key here. My immediate thought when I saw this was it's very small; normally you see quite a few lines of base64 text here. And we've also got what looks like our base64... well, it actually says here secret.enc, because we have a base64 encoded ciphertext and we've got a public key, so hopefully we'll be able to crack this public key. This is the kind of crypto challenge I like, where I don't have to do any of the maths and hopefully can just use a tool to do it for me. I'm going to call this ciphertext, paste that in, and we also want to create a public.key and we'll grab the key from here. So we used the RSA tool in, I think, the day one video, not to actually solve the challenge but just to generate a public key, and that's another tool that I'm going to return to to solve this challenge, the reason being it has quite a lot of different attacks. You can see these different attacks here that will just run by default if we just provide it a file that we want to uncipher. You can see here we have uncipher file, or we can uncipher the actual base64 text as well, that'd be fine, and we can provide a public key, we can provide a private key, or we can try to retrieve a private key, etc. And in fact this is exactly what we're going to do here: uncipher file. We're going to run the script with the public key and then the file that we want to uncipher. So let's go and download the repo. I don't still have it from the other day; I typically reset my VM to a snapshot after I've done a CTF, or even just at the end of a few hours, just because I don't like having loads of files and newly installed packages and scripts and things that I just don't want to be permanently on the VM. It also means that whenever I'm making videos and things like that I generally don't have things installed, so if people who are watching the video run into the same issues and they need to set up something or configure something, I also have to do it.

OK, so with the RSA tool here, what we can do with that public key is dump some of the parameters. So we can say here publickey ../public.key and then do dump, and this will tell us what the n is and what the e is. You can see that e is very small, so there are a variety of attacks that could be used against this. We could search something like "exponent" here to see which ones would line up. What I actually did at the time was just run this in the background while I was working on other challenges, so without even specifying an attack we can just say we want to uncipher a file and it will try all the different attacks on it. So we'll do that with, what's it called, ciphertext.base64. You could also have here an option to recover the private key, --private; let's enable that as well. We'll start running through this. It took about five minutes whenever I did this during the CTF, although I installed SageMath afterwards because I got a lot of errors with some of the attacks saying it couldn't run because of SageMath, and I understood... I installed SageMath and then whenever I tried to run this again it actually took a really long time, so I've uninstalled SageMath. Hopefully this will just take a few minutes to run. In the meantime, if you do like crypto, unlike myself, and you want to go and understand a bit more about some of these challenges and how you could accomplish this manually, there's some good walkthroughs out there. This one goes through a lot of different RSA challenges, applying theoretical attacks, and we have some Python scripts in here, some examples of different challenges from CTFs which you might come across in future. I'm going to go back and let's wait for this CTF tool to complete. OK, so it actually took about five minutes to come back. I'd say it probably would be quicker just to go and use a script, because you know what the issue is: we've got a weak exponent, as we could see whenever we dumped out the public key. It didn't manage to retrieve the private key, but we did get back our flag.

The next challenge is called Persist. It's a forensics challenge and the description says: although Santa has just updated his infra, problems still occur. He keeps complaining about slow boot time and a blue window popping up for a split second during startup. The IT support elves suggested that he should restart his computer, our classic IT support. So we've got this zip to download. It's another memory image like we dealt with previously, so we could go over to HackTricks and have a look at the Volatility reference, the Volatility cheat sheet, or we could go and have a look at the reference again on GitHub. I'm going to go back to the GitHub reference; I'm going to kind of go through this one a little bit quicker. Let's just go and open up the cheat sheet, and remember we've got this autoVolatility which you can use to basically run through all the different plugins in one go and kind of dump everything out. We've got Volatility 2 and 3. If you're using 3 you don't need to specify a profile, but if you're using 2 you do. I've already gone ahead and done that and it's the same profile as we were using last time, so you need to specify that each time you run a plugin, and you have some examples here, so if you're using Volatility 2 we'll be using this syntax. This one didn't really take me too long. We're told... it mentioned something about persistence, maybe. I know it didn't... yeah, it did, during a second startup it said the window was popping up, so
there's some kind of persistence there, and a common technique is to put that into the registry. So if we go back here and run... we've got our profile now, let's set the profile to this one, and we can run something like hivelist. I'm not going to run through all the various commands that we ran through last time; you could do, I think there was some stuff in the command line, and you can have a look at environment variables and have a look at the processes and things like that, but based on the challenge description I've got a good idea where we need to go here. It's not... oh, I still have imageinfo as a plugin. So we run through that and it comes back with these registry keys. We could dump some of these out, so we could go and say hivedump and then specify an offset, or we can use printkey, which is what I'm going to use. So we can say printkey and provide the key that we want to print. I'm just going to go and copy and paste this, but essentially I'm looking to grab this registry key of Run, and also RunOnce, which are often used for persistence. So we saw what looks like some kind of base64 code here, and again we have another PowerShell command like we had with the last forensics challenge yesterday. So let's go and take a copy of this, let's go and decode it. We could just go to our terminal and say echo, echo that out to... oh, that was supposed to go in the middle of the quotes, what happened? echo, yep, base64 -d, and that'll decode that for us, and that's it, we've got back our flag. So it was a nice quick and easy one if you know what to look for. If you didn't, you could kind of search "forensics persistence" or "forensics persistence techniques" or something like that, and straight away you'll see here persistence registry keys, and it tells you about indicators of compromise you can look for and where these registry keys are located and how to identify malware.

The next challenge is called Naughty List. It's a pwn challenge and the description says: the elves have stolen Santa's list and now he does not know who's good and who was bad. This form will help him recreate his list and send out the gifts. Were you good, good enough, or were you naughty? And again we've got a service to connect to, but we've also got a binary to download, and this one came with a libc library, which is a big hint as to what the vulnerability is going to be. But let's just go ahead and we'll check the file type for naughty list. We'll see it's not stripped again, so it's going to be quite easy to reverse engineer, or well, it's not going to be as hard as it would be if it's stripped. There's no PIE either, so that's good. Let's also check the binary protections, see what's different to the last couple of pwn challenges we did. In this case we've got full RELRO, so not really going to be too important here. We've got no canaries, so we don't need to worry about that if there is a buffer overflow, which this is a good indication there will be. NX is enabled, so in yesterday's challenge we injected shellcode onto the stack and executed it; we're not going to be able to do that here. And no PIE, so this is going to make it a little bit easier: the address is going to be the same each time the program runs. So let's make it executable and just have a play around with it before we go and have a look in Ghidra. It asks us to enter a name, says name letters only. Just entering a few characters here, we could try to overflow these. I'm going to put in the age and then it asks us the name of the gift you want and why you're good enough to deserve it, and on that one I put in plenty of A's and got back a segmentation fault, which means we've crashed the program. We've probably overwritten the instruction pointer with something which isn't a valid memory address, i.e. these A's. So let's go and take a look at it in Ghidra. I'm going to try and speed through this a little bit quicker than some of the pwn challenges that I've done videos for in the past, so if I go through this too quickly for you, you think I'm missing stuff out, that it's not really making sense, go back and try and look at some of my earlier pwn videos, as I'll try not to cover everything but I'll try to cover enough that it will make sense for somebody who might not have done this challenge before.

So we've got these various functions here anyway: setup, we've got a banner, we've had these in the previous challenges, this is literally just to do some animations, so it might look quite intimidating, you've got some stuff going on here, you don't know what it's doing, but it's not actually relevant to the challenge. We then have the get names. We can go and have a look here and see what's going on: it's making sure that the name's within a certain character range, it's looping through and making sure... let's see if this is going to fit here. We've got 0x1f characters being read. Let's just actually keep going through, because the way I solved this was I had a quick look at that function, I had a quick look at this one as well and thought this looks quite similar to the last one, and actually we've already got a segmentation fault on the last one, so yeah, this doesn't really matter too much. We're going to enter in our name, going to do our surname, we're going to enter the age, it's going to display that out and then it's going to call get description, and get description has a 32 byte buffer and it's reading in 0x3c0 bytes which, if we go over here onto the left and highlight it, is 960 in decimal. So we've got a lot of space there if we overflow this buffer, and let's go and see if we can exploit it then. But what are we going to try to inject there? If we think back to day one's challenge we had a function here somewhere that we could just return to and it would print out the flag or get a shell or something like that, so like a win function. In the second day we were able to execute our own shellcode on the stack: we just injected some shellcode and executed it. Today we don't have either of those options.
We can't inject shellcode, we've got no interesting functions here which are going to print a flag for us, and we've been given this libc library, which is kind of a hint that we want to return to libc. libc has a lot of interesting functions in it, and basically if we go and have a look at our global offset table here, here's the different functions which are part of libc, and every version of libc will have slightly different offsets for these functions, and different operating systems will have different versions of libc on them. So essentially what happens, whenever you build a program, rather than just including all of this code, so printf and alarm and read and all that sort of stuff, in there, it will just insert these into the global offset table, and then the first time these functions are called within the program it's going to go off to your libc library, find out where the offset is, and then it'll populate this global offset table with the address of that function in libc. And once that's been loaded, if we can leak that address we can then return to that function because we know what the address is, and then we can start finding our way to other functions within libc. So hopefully that made sense. Let's go and see if we can start to put it together and it'll probably make a little bit more sense.

And actually what I'm going to do, rather than grabbing the template and building this up from scratch, which I quite often do in these videos, I'm going to go back to a recent HackTheBox CTF which had some similar challenges in it. Not that the challenges are reused, these are just common challenges; there's only so many, you know, CTFs will have a return to libc attack or a return to win or a shellcode injection challenge, and as long as they're different enough that people who don't understand what the challenge is about can just copy a script, it doesn't really matter too much. But in this case I was able to go and have a look at scripts that had been put together, that I put together in a video for the Synack Red Team CTF, and let me just talk through... I'm going to copy this over to Codium because I find it looks a bit better. I'm not actually going to run the script, I'm just going to show this is kind of the manual approach I would take whenever solving these challenges. So let's open this up in Codium. As in the previous challenges we're just using this template, so all this stuff up here is not really anything to worry about; we're just using this as a helper function just so we can easily swap between gdb and remote and local, and we've got this to find the offset to the instruction pointer, and then just setting up our logging and things like that. And here's our code. So we've set up our libc library here: this is my local libc library and this is the libc library we've downloaded for the server, so whenever I want to run against the server I'll uncomment this and vice versa. We're finding the instruction pointer offset and I've got a pop rdi gadget here. So essentially what I've done is I've gone and done ropper --file on naughty list, for example. These are the ROP gadgets we have here; we can go ahead and we can search for pop rdi and we get an address here, and we can basically go and paste this into our script, and this is something that we'll need whenever we're building up our payloads here. So you can see we've got our first payload to leak the libc function, and this is what I was talking about a second ago. So in our previous challenges we've overwritten the instruction pointer with either the location of some shellcode that we've put on the stack or with the address of a win function. In this case we're going to leak out the address of a global offset table function. In this case I've chosen puts, but you could quite easily say printf or something else here, and what I'm doing here is we're basically popping this into rdi, the global offset table puts address, and then whenever we call puts it's going to grab the puts address from rdi and then it's going to print it to the screen. So if we change this to, you know, gets, that would do the same thing: it would put the gets address in the rdi register, and then whenever puts is called it looks into the rdi register for its parameter, it sees that it's got the gets address and then it prints that location out to the screen.

And then we need to do another payload, so we need to go back once we've exploited this... oh, that's the wrong one, display... oh no, sorry, that was the right one, get description. So once we've exploited this, we've overflowed a buffer, we've printed out the address of our libc library, but we haven't got a shell, we haven't printed the flag, so we need to go back to the beginning. In this example I went back to main, but actually we could say that we want to go back to get description. So we've leaked our address, we're going to go back to the start of this function so we can do another buffer overflow, and this time we're going to pivot from the global offset table address, from the libc library address that we've leaked, to a libc function that's going to be of use to us. So yeah, we're just sending the payload off here, we print out our leaked address, we're then going to find out what's the base address of libc, and we can do that by subtracting, because we have our libc library loaded here as an ELF, we know where all those functions are in our local libc library or the server one that we've got downloaded. So we can just say that whatever address has been leaked, subtract libc.symbols.puts from it, that gets us back to the base of the libc library, and then we can start finding our way to other functions. For example, I've actually updated the libc base address here, so we've actually updated the ELF, so we're now using whatever the server has. We can then go ahead and call system. So calling system here, we're passing in /bin/sh, which we're just searching for again in the libc library, and we just build up another payload, so we pop the /bin/sh string into rdi and then system's going to be called, and that's basically just going to run system /bin/sh, which is obviously going to retrieve a shell for us.

Now I recommend, whenever you're learning buffer overflows, I do kind of recommend going and finding these addresses manually. So you can do that in gdb, you can do that with readelf, you can, you know, use strings to go and find these offsets in the libc library, and then you can go and use something like the libc database to go and find out, whenever the server leaks an address, you can go and identify what version of libc the server is using just by putting in the address and the function here. I'm not going to go through all that, because I feel like if you want to learn a bit more about that, just go back through and have a look at some of my previous videos where I explain that in more depth. I particularly recommend the ROP Emporium series which I did; it was one of the first video series I did, so the quality of the videos isn't very good, but in terms of the actual code, you know, you've got eight challenges, each one is a 32-bit and a 64-bit challenge, and I went through and for each one I tried to do like a really manual script where we locate all of the address offsets, we put everything together manually, and then I would go and try to do an autopwn script where I just tried to make it in as little code as possible using ROP objects and cool things like that. So yeah, if you're interested, go back and you can kind of go through those. I'll try not to cover everything again. So that's how we would go ahead and do this anyway.

I'm going to show how I actually solved the challenge. I didn't even look at this script; what I did was grab my ropstar script, so this was for the same challenge, but I just did two scripts for it, and this ropstar script will automate things
even more. I mean this script is so reusable, I think I've probably solved about 10 challenges just by changing like three or four lines in the script each time. So for example there we want to grab this pop rdi gadget... in fact, sorry, I have a pop rdi gadget there, we don't need that at all. The reason we don't need it is because it's going to find all that for us. Oh sorry, this is a ret gadget, OK. We might need the ret gadget sometimes, if the stack isn't 16 byte aligned; sometimes you'll need to align it, and that's why I've inserted that there. I wouldn't need this locally typically, but whenever we're running against a remote server often we do. So a few things we need to update here anyway: we need to update obviously our file name, it's naughty list, so this is exactly how I solved the challenge. I changed that first of all. Remember that we need to enter in a name, surname, first name and an age, and they're all separated by colons, oh sorry, the prompt for each one of them is a colon, as we can verify here. So we're going to say once you see a colon it's asking you for... let me just insert some bytes here, because the updated pwntools is really funny about it; it works but it'll give you some errors. And we'll just go here and say "crypto", so after you see a colon send "crypto", after you see another one send "cat", after you see another one it's the age. So then we send off the payload to crash the program. It's going to find out what the offset is to the instruction pointer and it's going to return that for us here. We could run that verifier; I'm not even going to bother, let's just keep going.

This is the interesting part here. So here we've actually created a ROP object, as you can see here, which can simplify the generation of ROP chains. So if we go back just very quickly to the script we were looking at a second ago, to the kind of more manual version of this, we built up this payload and we said pop rdi and we're putting the global offset table puts address into rdi, then call puts, then we go back to main. But actually if we create a ROP object and give it the binary as a parameter, it can find all of that for us and build the ROP chain, so we can just say we want you to find how to call puts and this is the parameter we want you to put out, and then we want you to go back to main. In this case I'm going to say go back to, was it get description? Yeah. So rather than go back to main, where we would have to enter in all of our details again, our name and all that, let's just go back to the buffer overflow. We also need to do this at the start just for our initial data entry. Oh, I meant to put the bytes in there; it's really annoying me how they've updated pwntools to complain every time you don't have that now. OK, so there we go. It's not after an angle bracket in this case, it's after a semicolon. I'm also going to do pretty print rop.dump just so that we can have a look at the ROP chain. Let's see if that works; we might need to convert it to a chain first before we dump it. And then we've got a receive line here, we're leaking out the puts, so we're just actually printing out the puts address here, so that's exactly the same as it was in the previous example. We've done our first payload, we leak out the addresses, and our second payload, remember we did the same thing again where we had to build up this payload, pop rdi, put in the /bin/sh, et cetera. In this case I'm just doing one line, rop.system, and we're searching for the /bin/sh string, and note that we had to update our ROP object, so our object is no longer an object of our vulnerable binary, it's actually the libc that we're using now, so that we can resolve these functions and these addresses and things. And again we're going to do rop.dump just so we can go and have a look and see what kind of ROP chain it's built up and how it's done that, and we're going to send that off as a payload. So I mean, very little has actually been changed there. We have updated our binary name, we've updated just some of the inputs and the outputs really, but in terms of the exploit everything is the same here, and we might need to modify some of these receive lines and stuff like that just to deal with the output as well, but we shouldn't need to change any of our payloads at all.

Let's go and try it out locally first of all. Have we got this libc? Let's update the libc library to our local version, and I'm going to try and just run... was that the ret gadget that we had there as well? Let me just make sure that was 536756. Again, probably isn't needed locally but it might be on the server side. All right, we run python exploit, it runs through, and notice here that we've got end of file, so it didn't work, and also the address that it's leaked, that doesn't look like the right format for us. You can see here the libc base is 31333, which definitely isn't correct. So yeah, we need to go and play around basically with the receive lines here. I actually did that and worked out that, I think, we need to do io.recvlines six lines before it's going to leak the address, sorry, six lines, so we're going to send off our first payload and then we're going to receive six lines and then the seventh line is going to be our leaked address, and hopefully that's all right. Let's try it out. We run through that, we get a shell, and it doesn't say end of file, so we can try and do id, we can try and list our files, and it seems to have worked for us. And if you go and have a look through that, we can actually see, because we did this rop.dump, we can actually see the payload that's put together, so the payload is like what we put together manually here on the manual GitHub version, where you can see it's identified the address of pop rdi, it's popped, in this case, the /bin/sh string into rdi from the libc library and then it's called system, and in our first payload it popped the GOT puts address into rdi and then it called puts and then it called getdescription. So this is the payload it's built. So something worth bearing in mind: if you're doing a challenge and you really can't get a payload working, you might be able to actually automate it and then just print out the result to try and learn how to do it, which is something I've actually done with format string vulnerabilities before, you know, used pwntools and then printed out the payload that it puts together and then used that to identify how you would do it manually, although I still kind of struggle with those.

So now we want to go and do this on the remote server anyway. I'm going to go and change the debug mode to info just so we get a little bit less output, I'm going to go and update this libc library, we want to tell it we want to use the one that we were provided for the server, but if we weren't doing that I'll show you how we could identify it as well. Let's run this again, sorry, let's run it with remote, and let's go and grab the server and the port number, paste that in, run that on the remote server, and very quickly it spat out the ROP gadgets, but very quickly we get back our shell and we can cat the flag.txt. So yeah, if we hadn't been given that libc library, how would we identify what the server is using? We would basically leak out the address, so we know that we're leaking out the global offset table puts address because that's what we specified, so we'd go and grab this address here, we would go to that libc database and let's just put that in here, not in there, sorry, on this side, and in here we're going to say puts and we'll do find, and that's going to tell us what libc libraries this could be. In this case we've only got one possibility, which is this one here, and then we can just go in here and find out what are the offsets from the base, or what's the difference from the library we're using. Another option is if you have like 10 or 15 libc libraries here and you don't want to
manually go through and check each one you could download them and then you could automate your script to just loop through all of the libsy libraries in the folder and try and run the exploit and then just try and grab the flag out of the output but yeah that's how we can return to libsy or rep to system anyway so we've covered a return to win we've covered injection of shell code onto the stack and execution and we've covered return to libsy using rop gadgets presumably tomorrow maybe we'll have a format string vulnerability or we'll have maybe a global offset table right um challenge or something be interested to see again if i went over this too quickly for anybody i've done a lot of different poem videos and i repeat myself a lot in them so if you're trying to learn this stuff just go and watch a couple of those videos and eventually it'll sink in like it's kind of sunken to me the final challenge is called intercept it's a reversing challenge and the description says we managed to covertly spy on someone else's communications as well as obtain partial code for their experimental encryption algorithm can you find out where they're planning the next meeting so i've already got the files downloaded in this case we've got two files we've got a intercept.asm which is assembly code and we got intercept.pcapp which is obviously a packet capture gonna have a look at that one first of all and we'll see there's only six packets in here to take a look at we can follow the tcp stream and see what we've got here nothing readable anyway so we might want to convert this into raw grab the hex values in case we need to use them later but we obviously need to go and have a look and see what the asm is doing as well so we'll just save this here for later let's go and open this up in codium the assembly intercept.asm i've got an extension here to just give some syntax highlighting or some you know color code in for this uh which you can just go and find down here in this 
extensions tab i just searched asm and installed the first thing which popped up and we don't have too much here we've got a our sections here at the beginning we've got a do encrypt function which is obviously going to be what we want to focus on so i'm not an expert with assembly i kind of know just as what i need to to get challenges done whether it's reverse engineering or potent but i'll learn a little bit every now and then if you get it pretty quickly but without a great understanding we can still try to work through and just get an idea what's going on here if you're not too experienced with assembly one thing which might confuse you looking at things like this is that you can see a mix of 64-bit and 32-bit registers being used so we have a eax being used here but we also have rbp instead of ebp instead of esp we've got our rsp so it's 64-bit we can still use 32-bit registers you can still use 32-bit data size and similarly you have this al register so if you go and google al register and this is basically the lowest eight bits of the eax and you have that for each of the registers as well so anytime you see i quite often have to go on google to see exactly what some of these registers are just because i don't spend a lot of time looking at assembly but yeah so we've got basically we know this is grabbing an eight by we can see here it's moving eight bytes anyway but this just means it's moving it from the lowest eight bits of the eax so at the beginning we had the edi is the first parameter which is provided two functions you have your edi your esi well yeah rdi rsi and rax and so the parameters being passed in it's been moved into the eax and then the lowest eight bits of that which is eight bytes we're dealing with anyway is being moved to the stack and then we have this move x zx instruction we could go and google this and see what it is it's not really going to be too important for us in this case it's kind of doing a similar thing in terms of well 
let's open it up anyway we'll open up this documentation here is in this case we can move a byte to a word or to a double word or a quad word so we're increasing the size but we're using the zero extension to basically keep it at the same value hopefully that makes sense it's not really too important anyway again there are certain key parts here that we want to focus on certain operations a lot of this is just assembly being assembly moving creating pointers and moving things from place to place so it can do the actual operations but essentially we've taken a parameter we've moved it about a bit from the edi to the eax and al here creating a byte pointer the important thing is we'll see down here that we have 19 being added to the eax and then we have an xor that's being done with our previous value we then have and add in 55 to the eax and then it's going to move this into the states objects with the rip as the pointer so you can see that this was used here it was moved to the eax and at the end of the encrypt function the output value is moved into this as well so this is going to be then reused when we get back to here as the encrypt function keeps looping around so yeah that that's basically the core functionality of this we have we're taking in say we're taking in a byte as we can see here we're taking in a biter time we're adding 19 we're performing an xor and then we're adding 55 and then we loop through saving the state of that the whole time so we can go and try to put together a script to do that sort of equation and see if we can solve the challenge with the data that we've extracted into sublime actually the data we have in sublime here is not actually quite correct so you see the output we got here from saving the payloads in wireshark but if we go and use t-shock in fact i can show in wireshark here as well so if we go through the packets let's have a look at the first packet we've got our data here let's go to the next one the next one doesn't have 
that data but it has this tcp payload which is the last 16 bytes so in our first packet we had the last six bytes and the second one we have this tcp payload but it's not the same data type if we let's go back here if you select this here and apply as a filter you can actually see here that's data.data and if we were looking at the tcp payload applies filter selected that's tcp.payload so there's two different values so if we what we just extracted there didn't grab everything we can get some we can get some of this with t shark if we do t sharp r intercept pass in that pickup and then we want to say we want to grab fields and we're interested in extracting the tcp.payload we run that and we get quite a different output here so whenever i was doing this challenge i actually i was using that original sublime what we have in sublime there and the first part of this decoded fine but then we ran into problems because this is incremental so each time it takes in a byte it's going to use the output of the encrypt function on the next byte so if you miss any of the data here whenever going through to decrypt it's not going to give you the correct output so initially all i had working was this where it was printing hello but we didn't get any of this stuff here uh yes we need this stuff we're basically going to put this on on the one line and we'll go and paste this into our python script i'm just going to go and open up the solve script and we'll take a look at so our code here is relatively straightforward we've got our encrypted data which we're going to unhex using the pwm tools function which is just going to convert hex decoder strings so you can see here you can put in some different values different data types and it'll decode that and then we're going to set up our decryption in byte form we're going to loop through each byte in the encrypted text and we're going to perform the calculations so we need to let's go back to our assembly i want to kind of i'm not sure 
if i can split the screen on this yes we can but it's going to make it a little bit harder there we go all right that's looking good so we've got our encryption over here on the right let's see if we can go through it we've got this add 19 that happens to begin with which we have here so we've got a loop counter which is starting at zero and we know that on the first iteration there is going to be no 55 because it's gonna add 19 and then it's going to do the xor it's only after that that it's going to add 55 so on the first iteration it's going to be 55 times 0 so it's not actually going to apply but we are going to do the plus 19 and then it's going to add 55 and go around for the next iteration and that will basically keep going all the way through so you could do that a little bit you could you could write that as like count equals zero and then instead of saying 55 times i we could say count plus 19 and then we just do count plus equals 55 after each iteration that's it's functionally the same code but if we want to do all on one line and save that variable variable space we can do um so yeah we're gonna do that we then need to xor it with the byte uh sorry we're first doing a modulus there as well so we need to make sure it's within the valid byte range which is there's 256 possible bytes from zero zero to ff uh so we'll make sure it's in the correct range and then convert it to a character and then xor it with the byte that we're currently processing that's going to keep looping through as i say it's important that we're not missing any data here because it'll influence the rest of the data and then once we finish that we're just going to print out the flag hopefully so hopefully that makes sense let's go and try and run the program and see what happens we run that we get some errors about the pawn tools bytes issues which actually to be honest i found it hard initially to even see this text i think i ran the script a couple of times not even realizing the 
flag was there because i was just seeing all these errors but we do have this at the end saying hello is this working looks like the connection is established our next meeting will be at 90 and it's got the coordinates there make sure to bring the stolen presence the password to get in will be and then we have our flag so yeah i'm not too sure exactly i'm not even really sure where the error is coming from in this case because i've set up bytes here i've set up bytes here we're doing decode here i really don't know where that's coming from okay so that's gonna wrap it up for day three of the hack the box cyber santa competition we've got two more days left there's more challenges out in about one hour so hopefully we'll be able to get all of those done as well if you have any questions comments leave them down below thanks
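The leak-handling step from the ret2libc part of the video (reading the puts GOT entry that the first-stage payload prints, deriving the libc base, and spotting a nonsense base like the "31333" that came back when the wrong line was read) as an added example. This is not the video's exploit script and not pwntools code; it uses only the standard library, the libc symbol offsets are constructed placeholders (a real run takes them from the provided libc.so.6 or from a libc database lookup), and the remote base address is invented for the demo.

```python
# Added example: parse a leaked GOT entry the way a pwntools ret2libc script
# does after puts() prints it, then sanity-check the derived libc base before
# building the second-stage (pop rdi; /bin/sh; system) payload.
# LIBC_OFFSETS are CONSTRUCTED placeholders, not values from any real libc.
import struct

# Constructed offsets for a hypothetical libc build (puts, system, "/bin/sh").
LIBC_OFFSETS = {"puts": 0x80ED0, "system": 0x52290, "binsh": 0x1B45BD}


def parse_leak(line: bytes) -> int:
    """Turn the raw bytes puts() printed (the significant bytes of a
    little-endian 64-bit pointer, typically 6, with no padding) into an int."""
    line = line.rstrip(b"\n")
    if not 1 <= len(line) <= 8:
        raise ValueError("unexpected leak length %d: wrong recvline?" % len(line))
    return struct.unpack("<Q", line.ljust(8, b"\x00"))[0]


def libc_base_from_leak(leaked_puts: int, offsets=LIBC_OFFSETS) -> int:
    """libc base = leaked address of puts - offset of puts inside libc.
    A genuine base is page aligned (low 12 bits zero). Anything else means
    the wrong output line was parsed or the wrong libc build was assumed,
    which is the check that would have flagged the bogus base in the video."""
    base = leaked_puts - offsets["puts"]
    if base < 0 or base & 0xFFF:
        raise ValueError("libc base %#x is not page aligned: wrong line or wrong libc" % base)
    return base


def resolve(base: int, offsets=LIBC_OFFSETS) -> dict:
    """Absolute addresses of the symbols the second-stage ROP chain needs."""
    return {name: base + off for name, off in offsets.items()}


def demo() -> dict:
    # Constructed: pretend libc is mapped at this base in the remote process
    # and puts() printed its own GOT entry (6 significant bytes + newline).
    remote_base = 0x7F3A1C5F2000
    leaked_line = struct.pack("<Q", remote_base + LIBC_OFFSETS["puts"])[:6] + b"\n"
    base = libc_base_from_leak(parse_leak(leaked_line))
    return resolve(base)


if __name__ == "__main__":
    for name, addr in demo().items():
        print("%-7s %#x" % (name, addr))
```

The alignment check is the one line worth keeping in a real script: when a `recvline()` count is off by one, the "leak" is some other output and the arithmetic silently produces garbage, exactly the symptom described above before the receive count was fixed.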
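The per-byte add-19 / xor / add-55 routine from the Intercept challenge, written up as an added example that is neither the video's solve script nor the challenge's assembly. It takes the speaker's reading of the loop, a counter-driven XOR keystream where byte i is xored with (19 + 55*i) mod 256, as an assumption about the register and state semantics, and also demonstrates the pitfall raised when only data.data instead of tcp.payload was extracted: once a single captured byte is missing, every byte after the gap is xored with the wrong key. The sample message is constructed, not the CTF's traffic.

```python
# Added example (not the video's solve script): the encrypt routine modelled
# as a counter-driven XOR keystream. ASSUMPTION: key byte i = (19 + 55*i) % 256,
# i.e. count starts at 0, each byte uses count + 19, then count += 55.


def keystream(n: int) -> bytes:
    """First n key bytes, reduced mod 256 so they stay in 0x00..0xff."""
    out = bytearray()
    count = 0
    for _ in range(n):
        out.append((count + 19) % 256)
        count += 55
    return bytes(out)


def xor_keystream(data: bytes) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data))))


def decrypt_hex(hex_payload: str) -> str:
    """Standard-library equivalent of pwntools' unhex() followed by decrypt."""
    return xor_keystream(bytes.fromhex(hex_payload)).decode("ascii", errors="replace")


def bytes_still_correct_after_drop(plaintext: bytes, drop_index: int) -> int:
    """Simulate losing one captured ciphertext byte (the incomplete-extraction
    problem). Returns how many bytes at or after the gap still decrypt
    correctly: keystream positions shift by one, and because consecutive
    keys differ by 55 mod 256 (never zero) every later byte comes out wrong."""
    ct = xor_keystream(plaintext)
    damaged = ct[:drop_index] + ct[drop_index + 1:]
    recovered = xor_keystream(damaged)
    expected = plaintext[:drop_index] + plaintext[drop_index + 1:]
    return sum(1 for i in range(drop_index, len(expected)) if recovered[i] == expected[i])


# Constructed sample message (not the CTF's captured traffic).
SAMPLE_PLAINTEXT = b"hello, is this working? meeting at <constructed>"
SAMPLE_CIPHER_HEX = xor_keystream(SAMPLE_PLAINTEXT).hex()

if __name__ == "__main__":
    print(decrypt_hex(SAMPLE_CIPHER_HEX))
    print("bytes correct after dropping byte 5:",
          bytes_still_correct_after_drop(SAMPLE_PLAINTEXT, 5))
```

Feeding the script the full `tcp.payload` hex from tshark rather than the partial `data.data` dump is what keeps the counter aligned; the drop simulation shows there is no resynchronisation, so a partial decrypt that starts clean and turns to garbage is a sign of missing input, not of a wrong constant.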
Info
Channel: CryptoCat
Views: 1,139
Keywords: Cyber Santa, HackTheBox, Hack The Box, HTB, Capture The Flag, CTF, base64, PCAP, Wireshark, traffic analysis, APT, buffer overflow, RSA, ASM, assembly, persistence, malware, command injection, ROP, lib-c, binary exploitation, pwn, exploit, pwntools, pwndbg, GDB, checksec, canary, PIE, GOT, libc, python, strace, ltrace, debugging, static analyis, dynamic analysis, offsec, radare, r2, crypto, reversing, forensics, DFIR, ethical hacking, web exploit, pentesting, pen-test, bug bounty, writeup, cyberchef, GCHQ, NSA, IDA, xmas, htb
Id: 3GGpyEkt8GE
Length: 47min 9sec (2829 seconds)
Published: Tue Dec 07 2021