HTB x UNI CTF 2021: HackTheBox University Capture The Flag Qualifiers

Captions
In this video we're going to take a look at some of the challenges from the HackTheBox University CTF Qualifiers 2021. You can see we've got a range of different categories here: we've got some web challenges, some pwn, some crypto, reversing, forensics, hardware, misc, SCADA, cloud, and we have this Fullpwn category as well, which is like the HackTheBox machines; we can get user and root on three different machines. As you can see I've solved relatively few challenges so far. The CTF is pretty difficult; I mean the challenges you've got, like two, three solves, and quite a lot of these challenges, I think, some probably, yeah, one solve, despite the fact you've got 2363 players from nearly 600 teams. So I'm lagging quite far behind; hopefully I'll catch up a little bit, but I doubt I'm going to be able to get that many of the challenges done. Hopefully we'll get some nice walkthroughs from John Hammond or something to catch up on what I miss. But let's take a look at some of the challenges. The first challenge we're going to take a look at is called Peel Back the Layers. It's a forensics challenge and the description says: an unknown maintainer managed to push an update to one of our public Docker images. Our SOC team reports suspicious traffic coming from some of our steam factories ever since. The update got retracted, making us unable to investigate further. We're concerned that this might refer to a supply chain attack. Could you investigate? And then we get the Docker image name. So let's take a copy of this. We don't have any files or anything to download for this one, so we'll need to go and investigate the Docker image. I'm very bad with Docker and any kind of containers, so whenever I come across challenges like this I normally have to go and look for a Docker cheat sheet to try and just work out all the different commands that I can run. So let's go and grab one. I don't want a PDF; something on GitHub would be better. Let's check this one out. I mean, we could just use the
Docker manual and the help, but sometimes I find these cheat sheets are put together a little bit better in terms of the commands and stuff we can run. Anyway, the first thing I want to do is pull the Docker image. So let me just mention, I don't know if anybody else has these problems, but with Parrot I have a problem where I need to run this Docker fix every time I boot my operating system. I have an alias set for it just so that I can run `docker_fix` and that will fix it, but let me just grab docker from my bash aliases. So this is what I had to do to fix this; I just found this from the GitHub and I've had to do this for several months, and there doesn't seem to be any solution I'm aware of, so just in case anybody else has this problem as well, you can run this command to make your Docker images work. OK, so let's try and do `docker pull` and we're going to pull that image, and let's run `docker image ls`. We can see that we've got our image here. We can use Docker, we just run `docker` and then hit tab, and you'll get a list of all the different commands that you can run here. So as you can see there's quite a lot, which is why, if you don't use Docker too much, cheat sheets can help a little bit. But let's do `docker inspect` and then we'll inspect the only image that we have there, and we can go and have a look through this information. But the first thing we should notice is that we have these layers; we have three layers, and the name of the challenge was Peel Back the Layers, and I think the description mentioned something about it as well, so that's certainly of interest. But let's try and run the container anyway. We'll do `docker run -it` to make it interactive so we can jump into the shell that's going to run. We're inside the shell, so the first thing I actually tried to do here was just see if I could grep out "hack the box" from... maybe it's somewhere in the file system. I can do `-i` for case insensitive, `-r`, let's
send any permission denied errors to /dev/null, and also it's capital `-I` to ignore binary files. So you can run through that to basically search the entire file system, just to see if we've got "hack the box" in one of the files. This didn't come back with anything for me, so let me just close that. I'm going to open up a new tab and let's try and do `docker history`; run `docker history` on the image and we'll actually see some of the various changes that were made to it. But because it doesn't let us see everything, we can't see the full file names and stuff that were added here, or the full commands. What we can also do is run `docker history` and then add `--no-trunc` so it's not truncated, and then just the same again, steam maintainer..., so that'll give us the full commands that were run. We can see that we have some files being copied, for example; so this was copied over to /usr/share/lib/librs.so, and then we have LD_PRELOAD being set here to that same file. So let's go ahead and see if we have these files available. Let's go over to our running Docker container and try and cd in here and see if we have a... `cd lib`, and we don't have the lib there, so this file is no longer available. So at this point I started looking for some solutions in terms of extracting layers from the Docker image. I found a GitHub tool here called docker-layer-extract, and if we just go and have a look at the instructions for this we'll need to... let's see what we have here: `docker save my-image:tag` and then what we want to save it to, a tar file. So let's try and do that. Let's do `docker save` and then the steam maintainer gear repair image, do `-o` and save it to layers.tar. Try and run that, and that's all looking good. We need to go and download this as a git repo, so let's grab that as well, `git clone`, and let's see what we need to do next. So we run docker-layer-extract, passing the image file, and then that's to extract the newest layer. OK, we're not interested in the newest layer, we want to have a look at all of them,
so let's do docker-layer-extract and then the image file, .tar, and then `list`, and that's going to list out the different images. So, docker-layer-extract, let's paste this in; the image file is ../layers.tar, and OK, let's see what we have here. We don't have a docker-layer-extract file; did I need to install that somehow? Let's have a look. Oh, I need to build it, one second. You see, this is what happens whenever you solve a challenge and then try to make a write-up the day later and have completely forgotten what you did. So we're going to do `go build main.go` and now we'll just run main. Let's pass in that image file, which was ../images... oh, it was layers.tar, sorry, and we want `list`. Try and run that, and we get our three layers. So we've got the three different layers here, which is looking good. Basically what I did was go and check out all of these layers. You can probably actually link it back to what we checked earlier in terms of the history to see where the file was, but I just checked each of the three layers. So if we go back to our documentation here, we can see we've got this docker-layer-extract image file and then we can just do `extract` and specify what we want to extract. We can also give the layer ID here, so I'm going to use the layer ID. Let's go back; we'll run the same command again, but instead of `list` we're going to do `extract` and we're going to pass in the layer ID. Was there a dash in that layer ID? No, there wasn't, OK. And then we just pick an ID, so let me grab this one first of all. Missing layer output file; let's do `-o layer`. OK, overwrite a file, new_layer. Let's see what we've got here. So we've got this new layer available to us now, which is a tar archive, so we'll do `tar tf new_layer`. I bet it's going to give me an error saying it needs to be... no, OK, I thought it was going to give me an error saying it needed the correct extension. Now notice that we don't have the file that we were looking for there. We do have this, which we could extract and go and take a look at;
we could do `tar -xf` and we'll say new... sorry, new_layer, and we'll do the... I'll just say usr; see, does that give us a usr? Yep, `cd usr`, and then we have, OK, it's only given us a share there. Oh, it was a hidden file, was it? Oh, `ls -lart`, yeah. So we have this file now, so we can do `file .wh.lib`; it's actually empty. So maybe it's not empty in our previous version. Let me remove that usr folder and let's try another layer. So, I've forgotten what the layers were called; list the layers, let's do the second layer, take a copy of the ID, let's go and paste this in here. new_layer exists; let's do new_layer2. We're going to do the same thing again. We want to, well, we just want to have a look here actually at what's in there, so let's do `tar tf new_layer2`, and this time we have this librs.so, which is exactly what we're looking for. So let's try and extract this tar. I'm just going to do `tar xvf` and extract all of this and do new_layer2, and now if we go into our usr directory you can see we actually have our librs.so. So let's go and take a look at it. Let's go into share/lib and have a look at the file; it's a binary, a Linux binary, so it's all good. We could have a look at the strings in it so you can get an idea of what's going on: `strings` (length greater than 10), see if we've got any strings in here, maybe it might just have a flag, which it doesn't look like it does. We could try to run it; obviously we should probably analyze it a bit more to see what it's actually doing before we do that, but, yeah, segmentation fault. So I opened it up in Ghidra at this point, which I'm not going to do right now just because it takes a while for me to boot up Ghidra. Let me open up gdb with pwndbg instead and let's have a look if we can disassemble it this way. So we have some various functions here. I think if we disassemble con... if we disassemble the con, this is a bit easier to look at in Ghidra because we have the decompiled code as well as the assembly code, but
if we have a look here there are actually some hex values which are being moved, as you can see, into registers rax, rdx etc. So we can go here and let's do unhex, paste that in, and if you look at this, HTB and then we have this curly brace; that's looking pretty good. Let's grab the second one and do the same thing again, unhex, and again it's in the reverse order but it's looking pretty good. So what I did here was just take this to CyberChef and we can try to convert it from hex there. So let's grab a copy of the first bit, paste this in here; so I'll go From Hex, so you can see it as it's going; you can see that in there. And let's grab the second bit, and the third one; it's starting to come together. Obviously it's in reverse order here because of the endianness, so the bytes are in reverse order essentially, but if we paste all this in, this looks like our last one down here, paste all that in. Now we need to fix the endianness. You can do this in CyberChef as well, just go to Swap Endianness, and this is just like whenever we're doing buffer overflows: we go through and reverse the order of the bytes whenever we're dealing with addresses and stuff like that. At the moment it's set to word length 4 but we want to change this to 8, and there you see HTB{, "I really like steampunk robot" and then some gibberish. The reason we have this gibberish is that this last value is missing one digit basically, so we need to pad it with a zero. But we can't pad it at the end because it's in reverse order, so we want to pad it at the beginning. So let's see where that D is; you can see the D right here, and I'm just going to add a zero before the D and that's going to retrieve the full password. Another way you could have done that, I think, if... let me close this down, let me actually just cat this out: `cat librs.so`,
so you can actually see bits in here. So if you didn't sort out the padding on that final section you could have actually grabbed the end of the flag just from running cat on that file. But that's the first challenge done. The next challenge is called Strike Back. It's a forensics challenge and the description says: a fleet of steam blimps wait for the final signal from their commanders in order to attack Goggles Town Kingdom. A recent cyber attack has us thinking the enemy managed to discover our plans and prepare a counter attack. Will the fleet get ambushed? So we've got some files to download; I've already got those downloaded, and we've got a pcap file and a minidump crash report with 17 streams. So we could have a look... I was interested in this freesteam dump (I keep saying stream, but it's steam). You could have a look in here for strings, maybe `strings` with a length greater than 10, just to get rid of a bit of noise, and we can see immediately then that we have this npatrick user and we can see some of the environment variables and things like that. I didn't really see too much else of interest in here, so let's open up Wireshark. We'll open up the pcap. So with the packet capture open, let's first of all have a look at the file properties. We'll see the pcap was captured for six minutes and 33 seconds; we can see the date and stuff in case that's relevant, maybe. I mean, this is a recent one, but if it was an old one it might give you an indication of what kind of attack was happening at the time. You can also see we've got 261 packets. Close that down and let's go back into Statistics and Protocol Hierarchy, just to get an idea of what kind of data we actually have in here. So we've got mostly, well, it's all TCP, but we've got 11.5 percent here of HTTP. Let's have a look actually here at the data, though; so just right click that and select it. We can go through; we have some POST requests here to the same ID each time, but we can see that there are some different requests. We could go and follow
those HTTP streams and see what's actually going on. So we can see it's application data being sent. If we exit the filter, go to File and Export Objects, HTTP, you'll see also that we have a lot of files here. We've got this freesteam.exe which would be interesting to take a look at; we've got some other things here. Let's save these all to a new directory. Did that save them all? Let's have a look; yeah, we've got them all downloaded. So we can run `file` and see what sort of data we're looking at. We've got this executable file, so now we might want to have a look at that and see if there's anything of interest. I mean, any of the strings should have also shown up whenever we checked that earlier, but you might want to take it over to Windows and have a look in a debugger or something like that. The first thing I actually did here was upload this to VirusTotal to see whether it would come back with anything interesting, and if we upload it here we'll see we get 49 out of 65 detecting this as malicious, and you see the first result there is Cobalt Strike. You see quite a few of those as well going through it; same here in Community, we can see Cobalt Strike, hack tool, analysis report etc. So, if we search for Cobalt Strike, for anybody who isn't aware, this is basically a tool which is available; it says threat emulation software. It's good for red teaming and has quite an advanced kind of setup for post-exploitation with command and control servers, and it seems to be a very user friendly way of setting up these covert channels. So in this case we'd be interested to see how this is actually working and what we can do with the data. I went down quite a few rabbit holes when I was trying to solve this challenge, so let me give you an example of a couple. We have this MiniDump Explorer which I tried to use on Windows, because obviously we had the freesteam.dump which was the minidump crash report. I did manage to get this tool up and running, but I didn't find anything
of interest in any of those sections in it. I was also looking to see whether we could use something like radare2, so if we do `radare2 ./freesteam.dump`, `aa` to analyze, `afl`, we can see the functions. We can select some functions here, do like `s fcn...`, and check each one, `pdf` to disassemble it. I mean, go and start having a look through some of this data; we can have a look through our sections as well, and I did actually go through quite a few of these sections, just kind of looking around. I didn't find much of interest, but didn't exactly know what I was looking for, although I did come across some... let me open up this article. I came across an article about understanding the Cobalt Strike payloads, and it kind of talks about decrypting some payloads in there, and one thing I did notice here was the payload header, x86 variant, and it gives you an example of the signature, which I actually thought was matching here. You see we have our CLD; it's FC 48 83... FC E8, but instead of 43 we have 05. So I kind of played around with this for a little while but it didn't get me towards the solution. So let me kind of jump over to... well actually, just before we jump over to what did work for me: obviously if you go to this article, this will give you a good bit of information about how the payloads work and how the command and control server works and what sort of indicators there are. I think, as far as I could tell, there's a free and a paid version and it will use different kinds of encryption for the payloads depending on what you're using, so either XOR maybe, or AES, depending. I'm not too sure; I don't have too much experience with Cobalt Strike to be honest. But I think if we scroll down towards the bottom of this we have this: you can find our raw payload decoder and extractor for the most common encodings; it uses a parser from previous chapters to save your manual work. So we could download this, and in fact I did download this. I downloaded the... where's the payload
tools. So we have this payload extractor, payload parser. Let me... I'll download them; might as well show the rabbit holes I went down; maybe some of these could have worked, maybe I wasn't using them properly. Let's see now, let's wget this one, and the same with the parser, and then let's see what the instructions are. So we can just run, all right, python, the parser, and then pass in the memdump. So python, the cs parser, I'm going to do ../freesteam.dump... oh no wait, two minutes. Pattern not found, OK. Let me try that again with the capture; nothing either, OK. It did come back with some stuff last time, I'm pretty sure. Let me see, maybe it was something in this files folder I used instead; try freesteam, no, OK. Oh, actually, my mistake, I think it was the cs payload extractor. Use that with the freesteam dump and, yeah, all right, so it does show XOR beacon and it comes back with this payload which it dumped. I didn't find anything to do with it from there, so all right, that's enough of the rabbit holes. Let's jump over to the resources which actually helped me get this sorted. So I found this by Didier Stevens, probably pronouncing that incorrectly. For the last forensics challenge we did, or the reversing challenge with the PowerPoint, they also created the tool, the olevba and olevba3 I believe, and quite a lot of OLE-based tools for looking at malware. And they basically describe here in the article, they mention that they've been looking at several different samples of Cobalt Strike beacons used in malware attacks. So essentially what we're looking at here is the communications between the command and control server of Cobalt Strike and the malware which is actually sending off their beacons or responding to them, and as they mention here, if the pro version was used, the paid version, it would be using AES to encrypt HTTP traffic, or communicating over HTTP and encrypting the data with AES; otherwise they'll
presumably use the other one, which is the XOR. So they go through some of the process here of getting the dump, which I guess we already have, and they mention that they have this file, cs-extract-key.py. So I basically kind of followed along with this; let's wget the extract key. I also tried some other stuff, by the way; there's like a Python extension for Cobalt Strike, I can't remember what it was called now, but it didn't work for me anyway, probably due to me not knowing how to use it or set it up correctly. OK, so we download this anyway. Let's see what he's running: he tried to run python cs-extract-key on the dump. Let's try that first of all: python cs-extract-key on freesteam.dump. OK, nothing happens. You can see then that they went to get a key from the C2; they went and grabbed this hex string and they passed that in with the `-c` parameter. So let's go and take a look at one of the POST requests. I'm going to set this to http, we'll go in here, we've got our data. It's not the first one; I'm going to get the first one, we've got a data field, I'm going to right click and Copy as Hex Stream. Let's try that again but we'll do `-c`, paste that in, we run through it and now you see it's actually searching for AES keys and HMAC keys. It's going through, it's searching for all this, looking good. Notice that it's searching for a raw key, and it'll do that again here, and it doesn't actually find one. So in his example he does find a raw key and then he uses another script that he created called cs-parse-http-traffic to actually decode the traffic, and he used the `-r`, but we don't have that. So if we go and have a look at his code you see that there are some different options available: one of the options was the raw key, another one is this HMAC and AES key, which we do have; we were able to extract those two. So let's try and do the same thing but instead of using a raw key we'll use those values. Let's grab this script, wget, and we're going to do
python cs-parse-http-traffic. Let me actually just go back and see exactly what he did. OK, not much different, so we're actually using the pcap this time, right; we're going to decrypt the pcap and we're going to do `-k`, and did I just close that... now, what order was it in? `-k` and it's the HMAC followed by the AES, separated by a colon. So we've got our HMAC right here, I'm going to insert a colon and then our AES key as well, and then we want to give it our pcap file, capture.pcap. All right, `pip install pyshark`, run that again, and this looks good. It's run through a lot of stuff; you can see it's actually pulled out this PDF file, file name download, we've got an Excel spreadsheet as well, we've got a document, and we can go and have a look through this data here. We've got quite a bit of information, including these hashes as well, so we could actually grab these hashes, and I'm going to go ahead and replace the newline using regex, so we're escaping the backslash there, replace all, just to make it formatted a little bit better. And some of these values are the same, but let me try and take out the ones that are different. Oh, that wasn't a different one; this one is different, and this one is different, on this one. So we could crack these with hashcat or John the Ripper or something. I'm going to take it to CrackStation. I do have a CrackStation word list on my VM but I don't think it's the full CrackStation word list that they use here; you can see they've got a 19 gig, 1.5 billion entry lookup table. Oh, in fact they actually have more than that for MD5: they have 190 gig and 15 billion, OK. It's probably going to take forever to bring up this option though. What I need to do as well in the meantime, let's go back to what we were just doing: we had some of those files which were mentioned there, and notice that we have this `-e` option to extract files, extract the payload. So let's run this again and do `-e`, and this time we've now extracted some of these
files as well. Let's go back to CrackStation. CrackStation finds one of the passwords as steam and one as being empty, but it doesn't find the admin password. But it's not important for us; if we go back here and actually have a look at the files, we have our payload here and it says confidential. If we have a look through it we'll quickly find our flag. The next challenge is called Upgrades. It's a reversing challenge and the description says: we received a strange advertisement via pneumatic tube. It claims to be able to do some amazing things, but we suspect there's something strange in it. Can you uncover the truth? So we've got a file to download in this case; I've downloaded the folder, let's go and take a look at it, and we have a PowerPoint 2007+ document in here. What I'm going to do is just go and open up a document which can help with these kinds of challenges. So if you go to HackTricks you can find a... there's actually not too much really in this cheat sheet in terms of what you can do with malicious documents; you'll find some other tools and stuff elsewhere. You might wonder why this is always the first thing I do whenever I come to these challenges. It's not necessarily that I can't remember what's in these references or cheat sheets or manuals; it's more just that I'm trying to show how I would approach these challenges if I didn't know how to approach them. You know, these are the kind of resources that you can go and have a look at. For example, here this is telling us that we can use some different tools: oletools, we can use, what did it mention, Office dissectors, a powerful analyst framework, etc. So I'm not really going to go through this; I'm just opening it up to show this is a good methodology. It's a good way of approaching challenges: you try and work out what the challenge type is about; in this case we've got some kind of an Office document, so the first thing to do should be going to have a look at something like
Office file analysis, unless you already know exactly how to approach it. The first thing I'm going to do anyway is unzip the PowerPoint, so you can just unzip this with the standard command and this will give us the whole structure, and we can basically go now and... let's do code... well, the first thing we should probably do is try and grep for hack the box, and do it case insensitive, and oh, do it recursively as well. We do actually find some, OK. Well, let's try and do hack the box with the curly brace, and we don't find any. So "hackthebox", HTB, is in there somewhere, case insensitive, but not with the flag format. So yeah, let's open up VSCodium, and we can just do that with the dot to get the whole folder structure. We open this up and this will give us... we can basically just browse through all the different sections now. So if you have it set to automatically format files, what I normally do is go in here and hit Ctrl+S and that'll quickly give you a better format just for going through it. And I essentially went through here, just through each file, to see if there's anything of interest. I have seen challenges before where there's been data hidden in some of these files, and we can go through; we have our slides, you know, we have our theme, there's a lot of different files we can go through and check here to see what's going on. We've got our media here as well; we can see some images which are used in the PowerPoint. We can also just go and try and open up the PowerPoint as well, so you might want to do this in Windows if you have like a Windows VM, because some macros and things like that will only work on Windows Microsoft Office. In this case we open this up, we've got four slides and it's telling us, by just clicking through this presentation, our automated systems are hard at work installing system upgrades already. OK, we can go in here to Tools, Macros and have a look and see what macros we have: upgrades. Just go and flick through some of these; we have this
Module 1, which, it looks like, then we have some code right in this VBA script. So there are a few different ways you could approach this: you could try and reverse this manually, you could go and try and run this elsewhere, in like a sandbox, to try and get the result, but there are some tools that are available to us to do this as well. So as the HackTricks cheat sheet mentioned, we can use some oletools. So if you just go and type `ole` and tab here you'll see we've got olefile, oleid, olemap, olemeta, oleobj, olevba, a lot of different things. We could just try; you don't necessarily need to know what all these do, just try and run them and see what happens; maybe a flag will pop out, maybe it'll give you a hint as to what to do, or maybe you'll just get some errors and it won't give you anything. But what I'm looking for here is the olevba or olevba3; I don't know whether it's going to make much of a difference. If we just try and run that to get our help menu up, we'll see that it can deal with different types of documents and it's going to try to extract and analyze the macros. So you can see here: clear text, deobfuscate and analyze malicious macros. So if we just try and run that, olevba, let's do `olevba3 upgrades`; it's going to run through, it's found some suspicious functions and the use of hex strings and stuff like that. It tells us we can use the flag `--deobf` to deobfuscate a bit further, although it doesn't really seem to have done too much. We could also use `--decode` to see all that's decoded; it's decoded some of the hex, but again we're not really any closer to getting a flag. So let's go and take a look at another tool. There is a tool called ViperMonkey which will do some slightly more advanced deobfuscation and analysis of these macros, which we can download and install, so let's go and try this out. Another thing to mention: if you don't have a Windows VM and you want to try and run things dynamically, you can use something like app.any.run. Sometimes, OK, that, I don't know what
happened there. Setting up your web editor? No thank you. app.any.run, and you can basically go here and you can just upload a, you know, a malicious PowerPoint or document, or you can provide a URL or a binary or something like that. You can tell it what operating system you want; you need to register and sign in and stuff. If you don't have a paid account then all of your tasks will be public, so be careful about what you upload to it. But yeah, I'm not going to run that now; it didn't really provide much output in this case. So let's do this ViperMonkey. So I'm going to do `git clone`, `cd vipermonkey`, and it's mentioned something here about a Docker script: install Docker and then run, OK, all right, dockermonkey.sh. Let's see, docker, chmod, we'll run dockermonkey and then ../upgrades.pptm. Let's pull in the Docker container; it's doing all that stuff for us, and now you can see that it's attempting to copy the file into the container, the PowerPoint .pptm, checking for updates, and it's going to go through the analysis. Failed to read metadata, and you can see it's running through here. Let me... oh, it went through very quickly. So you can see it's actually executing its code in each of these functions which were obfuscated, and it's basically deobfuscating as it goes, so you can have a look through here and try and work out what it actually did, in terms of if you want to try and accomplish this stuff manually. But it runs through; we get some information about different functions that are used, heuristics, entry points etc., username, and if we go down to the bottom we'll see that we've decoded seven strings and one of them is the flag. And that's how I solved this challenge. I'd be interested to know if anybody used any different tools, or if you solved that manually, what was your approach to doing it? Because I very regularly go to these kinds of automated tools first of all when trying to deobfuscate some of these macros, so I'll be interested to see some other
solutions to this one. The next challenge is called The Vault. It's a reversing challenge and the description says: after following a series of tips you arrived at your destination, a giant vault door. Water drips and steam hisses from the locking mechanism as you examine the small display: "please supply password below", a typewriter for you to input. You must leave the mechanism... hard... if you only have one shot. So we've got a file downloaded already; it is a 64-bit LSB PIE executable. It's not stripped, sorry, it is stripped, so we're not going to be able to see function names and things like that. Let's make it executable and just run it first of all. Try and run it; it just says could not find credentials. You might want to try and run it with ltrace or something and see if we can see where it's trying to grab the credentials from, but it's looking pretty obfuscated to me. So let's jump over to Ghidra and have a look at the code. So we've got our functions here on the left; there's going to be no main function because it's stripped, so we go to the entry function and this is where we can see the program starting off, and it immediately calls one function then returns. Let's take a look at that, and we can see this is where the majority of the code is, where the majority of the functionality is. So let's start this from the beginning. We have this basic "if stream is open", and you can see, so we've got here `bVar2` is checking to see if the file is open here, and if it's not it's going to come back and say could not find any credentials. So if you go and have a look and see what it's actually trying to open, you'll see here this address; you double click it and we see here on the left this is flag.txt. So why don't we just go and create a flag.txt, just do `touch flag.txt`. Let's try and run this again with ltrace, and this time we get "incorrect credentials, anti-intruder sequence activated", which you can see down here is where it's jumped to. So we'll try and trace our way through this a
little bit more. Let's maybe try to rename some of the variables and stuff so this makes a little more sense. I'm going to change this to is_file_open... no, what I'm going to change it to is credentials, because you can see it was reused down here. So this is the credentials file which has been opened; it's going to make sure that it finds the credentials, that's all good, and then we have a loop here. This is looping up to 0x19, which is 25 in decimal, so this is just a loop going through each character, I guess. Let's change this to i, just because I'm more familiar with seeing that as a loop counter. We also have this 241 variable which is set to zero; where is that used? OK, so this is looping through, and it looks like it's just checking the string length, if I'm not mistaken, so I'm going to change this to strlen. Presumably we need to make sure this is 25 characters, otherwise we're going to get that error. So I'm going to go back and modify the flag that we have. Bear in mind what output we have at the moment; let's open up flag.txt. We know it's going to begin with HTB, so we'll do that and make it up to 25 characters. Is that 25? 24? All right, we'll save that and run it again. This time we get a lot more output, so you can actually see it's gone through the 25 characters that we input, and you can see here this is HTB, curly brace, and then the a's, the 97, repeated all the way through, and each time the numbers we've entered are being compared, it looks like, to these numbers on the left. So without really going through the code too much here, we obviously have a comparison being done between the credentials we enter and what are presumably the correct creds, so I'm going to update that to correct_creds. And without looking at this too much, we have some stuff going on in here: we have a conversion
between an int and a uint. I'm not sure; I probably didn't get the intended solution on this, because what I tried to do initially was to grab these numbers. In fact, I have these in my notes; let me copy and paste them over. So I basically tried to use all these numbers: if we go to something like CyberChef we can convert these from decimal into their raw bytes, and you can see that some of these aren't actually going to be proper characters. Let me save this to flag.txt in Downloads, move that to this directory, and try to run it again. This time you see they all match, the number each time matches what we have there, but it's not a simple string compare that's being done, so it doesn't actually get us the flag; it doesn't get us any closer. So let's re-evaluate how we do this. I'm guessing the intended solution would have been to work out what you need to put into that flag.txt file in order to make it equal the flag in the output after the conversion is done, but that's not how I solved it. Anyway, let's have a look at how I went through this. The other thing we haven't talked about yet is this bVar1 variable, which is basically a flag set to false if any of the characters in the credentials don't match what they should be, so I'm going to rename that to correct. You can see here correct is initially set to true; it's going to loop through, check each character in the correct creds versus the creds entered in flag.txt, and if any of them don't match then it's set to false, so that when we get to the end of the loop it's going to say either "credentials correct" or "incorrect credentials". The way I approached this was basically just to check this comparison here. We can see that each time round the loop it's going to compare the correct credentials to the entered ones, so if
we set a breakpoint up there we'll be able to check each one of those characters. When we highlight this on the right in the decompiled code, it selects the corresponding address in the disassembly on the left, so we can actually see a value being moved from the stack into credentials, and then another value being moved into ecx. Actually, I didn't set this up very well, because this isn't the correct creds here; the correct creds are being moved into ecx, I believe, but we'll go and check this anyway. So we could set up a breakpoint... we don't want that breakpoint. Well, we could set up a breakpoint there; I'm going to set one up here, where it actually does the comparison between credentials and ecx, and ecx is going to be our correct cred. I'll take a copy of this address and open the binary up in gdb-pwndbg. We can't... let's do info functions. Not because it's stripped: we don't have the full addresses because PIE is enabled, so each time the program loads it'll have a different base address, but the offsets to the functions will always be the same. So for what we grabbed there, we can use something called break rva, where we provide an offset; in this case we want the offset right here, the one ending in c3a1. If we say break rva 0x and paste that in, it's not going to let us set it at the moment because the program needs to be running; it needs to find out what these offsets are first, I think. Let me try to run it first and then do that again. We still need to start it, so I'm going to do starti to stop at the first instruction, then do that again, and we get our breakpoint. Hit continue; it gets to our breakpoint and you can see here it's now got the actual full address, and it's comparing eax to ecx. We can go here
and see what we actually have. We have our rax and our rcx. Let me try to print rax: it's quite a big value, but if we do eax we actually get -32, so I guess this is to do with the uint/int conversion we had there. I remember saying maybe the intended solution was to account for that conversion, but I'm not too sure. We don't actually need to do that, because we know that ecx has the value we're actually comparing against, right? So we can do p $ecx and that has 72 in it. Hit continue again, do the same thing, we get 84; continue again, same thing, 66; and these are basically the values of our flag, right? If we go to from decimal: 86, sorry, not 86, what was that, 66 is B, so we had HTB there. Continue, print it one more time: 123, so we should be expecting to see a curly brace, which we do. We can basically keep going in this fashion and get each character from ecx: 118 is a v, continue again, p $ecx gives 116. It's a bit of a tedious process, semi-manually running through it, but if we keep going in this fashion we will get our entire flag. What I'm going to do is just copy over the values; let me paste these in. So this was the flag here, "HTB ... are cool v tables". If we go here and keep doing the same thing (let me keep that open in the background so you can see it a little), next was our 98, which you can see here, 98; continue, and again 108, 51, and we get through each element of the flag. So yeah, I'm going to be really interested to see how other people solved this one; I feel like I didn't solve it as intended, but maybe I'm wrong. The next challenge is called Slippy. It's a web challenge and the description says: "You've found a portal for a firmware upgrade service responsible for the deployment and maintenance of rogue androids hunting humans outside the track. The question is, what are you going to do about it?"
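Before moving on to Slippy, here is a way to take the tedium out of The Vault's breakpoint loop described above. This is an added example written for this write-up, not the video's own script and not the challenge's code. It drives plain gdb's Python API (pwndbg is not required): it computes the PIE base from `info proc mappings`, plants a non-stopping breakpoint on the compare instruction, records ecx at every hit and prints the recovered characters at exit. `CMP_RVA` is a placeholder and must be replaced with the compare instruction's offset as read in Ghidra; the assumption that the expected character sits in ecx at that instruction comes from what the video observed. The sample mappings text is constructed for the test.

```python
"""Automating the per-character breakpoint loop from The Vault walkthrough.

Run inside gdb after creating a 25-byte flag.txt, as in the video:

    printf 'HTB{aaaaaaaaaaaaaaaaaaaaa' > flag.txt
    gdb -q -x vault_dump.py ./vault

CMP_RVA is a PLACEHOLDER (assumption): the PIE-relative address of the
`cmp eax, ecx` that checks one input character; take the real value from Ghidra.
"""
try:
    import gdb          # only importable when running inside gdb
except ImportError:     # lets the pure helpers be imported/tested outside gdb
    gdb = None

CMP_RVA = 0xC3A1        # PLACEHOLDER offset of the compare instruction, replace with yours


def parse_pie_base(mappings_text: str, binary_path: str) -> int:
    """Lowest start address mapped from binary_path in `info proc mappings` output.

    Rows look like: start end size offset [perms] objfile.  Adding this base to
    a Ghidra offset gives the run-time address of an instruction."""
    starts = []
    for line in mappings_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0].startswith("0x") and parts[-1] == binary_path:
            starts.append(int(parts[0], 16))
    if not starts:
        raise ValueError(f"{binary_path} not found in mappings")
    return min(starts)


def decode_chars(values) -> str:
    """Turn the register values collected at each hit into text.

    Only the low byte is the character; masking also copes with the signed
    int/uint mismatch seen in the video (eax showed -32 while ecx held the byte)."""
    return "".join(chr(v & 0xFF) for v in values)


# Constructed sample of `info proc mappings` output (not from a real session).
SAMPLE_MAPPINGS = """process 4242
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms objfile
      0x555555554000     0x555555555000     0x1000        0x0  r--p /tmp/vault
      0x555555555000     0x555555556000     0x1000     0x1000  r-xp /tmp/vault
      0x7ffff7d80000     0x7ffff7da8000    0x28000        0x0  r--p /usr/lib/libc.so.6
"""

if gdb is not None:
    collected = []

    class CmpWatch(gdb.Breakpoint):
        """Records ecx on every hit and never halts the target."""
        def stop(self):
            collected.append(int(gdb.parse_and_eval("$ecx")) & 0xFFFFFFFF)
            return False

    gdb.execute("set pagination off")
    gdb.execute("starti")                      # map the PIE so its base is known
    exe = gdb.current_progspace().filename     # absolute path of the debugged binary
    base = parse_pie_base(gdb.execute("info proc mappings", to_string=True), exe)
    CmpWatch("*0x%x" % (base + CMP_RVA))
    gdb.execute("continue")                    # runs to exit; stop() fires once per character
    print("expected characters:", decode_chars(collected))
```

If the loop bails out early on the first mismatch rather than checking all 25 bytes, feed the characters recovered so far back into flag.txt and rerun; each pass then yields the next one.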
We've got a server to connect to and some files to download, so let's get things working locally first. We've got a Docker build script here, so we'll run that, and while it's building let's open this up in VSCodium and take a look at the code. We can look at the Dockerfile just to get an idea: we can see that it's a Flask application, and that PYTHONDONTWRITEBYTECODE is set to disable the pycache; not too sure how relevant that is for us. We've got a config here as well, which is sometimes interesting: you can sometimes see, for example, what logs are available, if there's a log poisoning challenge or something like that. But the main part of the code is here in the challenge section. We've got a run.py, which is just launching the application; we've got a flag here, a fake flag for testing; and let's start at main.py. We've got some blueprints registered here, we've got api. While we're going through it, so we can compare the code with what we see, let's go and have a look here. Open this up: "current Slippy jet version 3.03, please select a new version of firmware as a tar.gz file", and a button to upload. So we need to select a file to upload, and we know there was an API there; let's try to access it: not found. OK, we don't really need to look at the page source because we have the full source code, so let's take another look through here. We have config.py; we can see an upload folder is being set, so obviously this is the directory files are uploaded to, and we've got a secret key being generated. Going into util.py, this is where the main stuff we're interested in is happening. We've got one function in here called extract_from_archive; it takes in a file and, as you can see, it's going to make sure it's a tar file ("return true if the name points to a tar archive that we are able to handle"), and it's going to
make sure it's gzip as well, so we need to be aware of that. Then it sets an extract directory, which is going to be in the upload folder we saw defined previously, but it also uses this generate function here, which just gets 15 random bytes as hex; we can see that down here. It then loops through the tar archive, getting the extracted files out, and returns them: basically a list of the files inside the archive, and then it closes it. Let's see if we have anything else interesting. We've got our index.html, not really; we can see this is the archives folder; some JavaScript, probably not of much interest to us in this case; and we have our routes here. So this is where we make a POST request to /unslippy, and that's going to call extract_from_archive with the tar file that we provide, and if it returns a list of files, i.e. the files that were extracted, we get a 200 OK with a list of those files. First thing we'll do is just test out the normal functionality, so let's create a file. Something I actually tried was to create a file named like {{7*7}} to see if it was SSTI (server-side template injection), but if you look at the code it never calls render_template on the output anywhere, so it wasn't really likely to do anything. Let's just do it anyway: we create that as a file, and then we'll use tar, making sure we use gzip, so tar -czvf, and we'll call it flag.tar.gz and pass in the file we just created. If we upload this it comes back with our extracted list, and then it just gives us the option to download it. What was interesting, you can see there if we highlight that: we have the random
hex values in the archives directory. If we weren't sure how to approach this challenge, a good thing to do would be to search something like "tar upload exploit", some keywords relating to the challenge we're trying to solve, and go through the results. This one is actually interesting: it was a recent Hack The Box challenge, I won't spoil which one, that made use of some of the techniques in here, but it's not related to this challenge. We might have to scroll down a little; for some reason Google just always gives me better results. Let's have a look: this was an article I found which talks about Zip Slip, and the name of the challenge is Slippy, we've got a file upload here, "Slippy jet version", so that would kind of make sense. It says "in this article we'll walk through two of the most exploited vulnerabilities involving zip files". Obviously we're using tar.gz files, so things might be slightly different, or they might not be if we can find a tool that deals with all of them. In terms of exploits this goes through a couple of examples, but essentially if we can use a file name which has directory traversal in it and traverse back, we can potentially exploit it that way. The second technique they go through is using symlinks, setting up a shortcut to another file. This is what I was trying initially, before I looked into these techniques, but whenever I used any of those techniques it would not allow me to upload the file; it would say it was an invalid zip file. I'd be interested to see if anybody else got anything working that way, but let me jump over to a tool I found which helped with this. It's called evilarc; there are probably various tools, and this was developed 11 years ago but still worked pretty well, as you can see. "evilarc lets you create a zip file
that contains files with directory traversal characters in their embedded path", because we can't simply do that on the command line. You can't just create a file with ../ in its name; if we try, you see we get permission denied. Let's try again... it's created it, but it's basically created it back in my home directory, so let me remove that. But that's the point anyway: we can't easily create that file name through the terminal; however, as it says, we can do this through a script. So let's grab the Python script. Yes, 2011, so presumably not Python 3. OK, that's not what we wanted to do. You can see that it deals with different file types as well, so it's going to be able to do our .gz file, and it has some options in terms of the platform. Let's see the options here; well, let's try to run it. Oh, Python 2: "incorrect arguments". The options anyway: we can specify the operating system with -o (it says it defaults to Windows, so we need to specify Unix); we set our path as well; we have the depth, which by default is eight, which is not necessarily what we'll want; and the output and input files. So let's try it out. What I'm going to try to do, if we go back to our directory here, is overwrite one of these files, so let's try to overwrite run.py. We could overwrite any of those Python files, but we'll set our depth to 4, then -o u for Unix, -f for our file name, which we can just set as new... I'll do it as flag actually, because I want to overwrite that old one, and then the file. Oh, we actually need to create a file too, so I'm just going to touch run.py to create an empty file. Hopefully it'll break the program, and then we know
things are working as they should. So you can see it's created with this file name. Let's go and upload it: you see run.py, we click it, we get run.py, and we get a connection reset. We go back and refresh the page, connection reset. Have a look at our Docker output and we can see "detected change in app/run.py, reloading", so we've just overwritten run.py with nothing and crashed the server. That's good; obviously we need to restart the server now, but we know that we can overwrite that, and that's a step forward to getting some code execution so that we can read the flag. This was relatively simple, but it did take me a while; I was trying the overwrite on different files, with different things in the files, before I got something to work. How I got there in the end was util.py: whenever we upload an archive to extract, it returns our extracted file names, but we know that it already imports os, so rather than updating that one, we'll write a malicious one here: codium util.py. Also, when I was trying this I had the name as utils.py for a good 10 or 20 minutes, and I kept uploading the file and wondering why it wasn't working; it's because I was writing utils instead of util.py. OK, because it's already got os, let's go here and, instead of returning extracted_file_names, return os.system("ls"). Save that and run the same thing again: I'm going to change the name to util and the depth to 3, because this is one directory up. We run through that, upload it, and we get a message saying make sure it's valid. Refresh the page; let's go back and have a look at the Docker output, not looking good. I'm going to try that again; ah, this time it worked. We go back to Docker, still nothing
interesting, but we've only just overwritten util.py, so in order to trigger this we need to upload another file. I'll upload the same thing again: "could not be uploaded", but if we go over here and have a look, you see it's actually listed out the files in the directory, so we know we've got code execution. We can now go for the flag, but if we cat flag.txt it's just going to print on the server, which we're not going to see when we test this remotely. So something we can do is copy it to a directory we can access, for example static. Let's modify the code slightly: instead of listing, we're going to say cat... no, we're going to copy the flag to application/static. We know it's application because we can see here application, and we've got static, which is typically a writable directory. Save that, run this again, upload the file again; we're not going to get any output there, but let's try to access /static/flag. We didn't get it. OK, one second, let's try to upload that again: "could not be uploaded", and /static/flag is still not found. What did I miss? Copy flag to application/static, util.py... oh, OK, I know what's going on: we need to restart the server, don't we, because we changed the server to not actually upload files any more. It's just going to return os.system; it's not going to execute any of this code any more. There's probably a far better way to do that: we don't really need to return, I guess we can just call os.system and carry on doing the file upload, but oh well, this is the last time I'm going to do it, so I'm just going to leave it as is. Let's try one more time: upload, upload, and access /static/flag. It gives us the option to download it, that's great. We can download it and have a look at it, but I think we should be able to just have a look at that in Burp
maybe. No, oh, it doesn't show... oh wait, interesting. OK, well, it doesn't really matter now, does it. Let's cat ~/Downloads/flag; we've got our fake flag for testing, so everything's working as it should. Let's go and test remotely: grab the server and the port number, upload the same payload, and again go to /static/flag. Awesome, save that, and then we'll do the same thing; this time we need to cat the second one. Oh, what am I doing: backslash 2, there we go, "i slipped my way to rce". One thing to mention: if you come across challenges like this and you haven't done that type of exploit before, or haven't come across that type of vulnerability, as very often happens to me, although I was able to find some documentation on Zip Slip and so on, if you also just search for "zip slip ctf writeup" you'll find good examples. I think that's quite often a better way to get an understanding than just looking through articles about it. This one on set juice was really good, and used pretty much the same technique that I used, in terms of overwriting run.py; it's using a zip instead of a tar file, but most of it was pretty similar. They also used exec and server-side template injection, just something worth mentioning. The next challenge is called Arachnoid Heaven. It's a pwn challenge and the description says: "In the steam world you need some trustworthy companions to help continue your journey. What's better than a handmade, top-tier, state-of-the-art arachnoid machine? Exactly, nothing. Come to the Arachnoid Heaven and craft yours as soon as possible." So we've got a service to connect to and a file to download. Let's take a look at it. We can check the file type first of all and we'll see it's a 64-bit LSB PIE executable, so each time the program loads it's going to have different addresses; we'll just need to bear that in mind if we're setting
up breakpoints and stuff like that. It's not stripped, so we'll be able to see the function names this time, but let's make it executable and run it. We'll also run checksec, since it's a pwn challenge, to see what protections are enabled on the binary. In this case we've got basically everything enabled; it's fully protected, so we're not going to be injecting shellcode onto the stack to execute. If we do have a buffer overflow we'd need to worry about not overwriting the canary with an invalid value, so we'd need to leak the canary and overwrite it with the correct one; we're not going to be able to overwrite entries in the Global Offset Table; and as I mentioned PIE is enabled, so each time the program loads it's going to have slightly different addresses. That's fine. Let's run the program and see what happens. We've got some options: craft, delete, view and obtain arachnoid. We could just try some of these and see what happens: we can enter a name there, and you'll see that it actually ran over the allowed length, so it took some of those a's as another option. We can try to delete that; we can try to view them; you can see that we have an interesting code there. Let's try to add a new one and view the arachnoids: OK, so this one has a code of "bad". And then we have an option to obtain as well: we select an index of one of them and we get "unauthorized". OK, so we're going to want to analyse this a bit more; let's take a look in Ghidra. Over in Ghidra we take a look at our functions on the left; it's not stripped, so we can go straight to the main function, and we'll see that first of all we've got this setup being called. The setup is going to set up something: you can see it's actually set up an alarm with 0xff, so 255, and this basically means that if we're running the
program in a debugger, or if we're just running it, let's test it out, after a while it's going to set off this alarm and just close the program. So what I'm going to do, even before we jump through the code, is patch that out. I have a patch binary script here in my pwn directory; you can grab this on GitHub or just type it out, there's not really too much to it. Copy that here and open it in VSCodium. At the moment it's just a little template: you can see it's going to open up a binary, in this case we get the file name, and then it's going to patch out, in this case, ptrace. That's for other challenges where ptrace is being checked: it basically checks whether you're running inside a debugger, and if so it might just exit the program, so sometimes you want to patch that out. In this case we're going to patch out the alarm, replacing the alarm with a ret instruction, so it just returns instead of doing that. And that's it; we can just run the patch script with Python, it creates the patched binary, we move the patched binary over to arachnoid_heaven, make that executable, and now we can run this again. It's basically the same but without that alarm, so we can leave it running as long as we want without it crashing. That's out of the way; let's have a look at the code. Leave the setup function, go back to the main function. In terms of our functionality here we've got a message printed out to welcome us; we've got a piece of code which basically says if we don't enter 1, 2, 3, 4 or 5 it's going to exit; and we've got our main menu options: craft, delete, view and obtain. So let's take a look at craft first. We go in here and we can see some malloc calls, so I'm going to give a quick
disclaimer that I'm terrible with anything related to the heap, and my explanations here probably won't be as good as for some of my stack buffer overflows, which I have a better understanding of, but I'll do my best anyway; let's see how it goes. We've got a canary here. As we go through, let's rename some of these variables so we can try to understand what everything's doing. We have a malloc being called here with 16 bytes, another with 40 bytes, and another with 40 bytes, and these are being assigned to new locations. We have a read here asking us for the name, and it reads in 20 bytes; this is just in hex, and you can either highlight it on the left and it will tell you what it is in decimal, 20, or calculate it from the hex: from base 16 we have 4 + 1 × 16, which is 20, and for these we have 8 + 2 × 16, which is 40. If it's not a big hex number it's easy enough to convert in your head. Since we know this is what's reading the name, I'm going to rename that to name, and it changes the variable in a few places so we can see what's going on a bit better. We can also see a strcpy being done from default code into name1, and name1 down here is assigned to this pVar1, so I'm going to change that to code, because we know that's where the code is being moved to. We can also see this is the count, so I'm going to change that to count, and I think that's all the variables we're interested in. Let's run through that again: we've got some mallocs being called; malloc is done for the name first of all, that was 0x10, so 16 bytes; we have the malloc being done for code; we have another malloc being called there; after the name is set as a pointer to code
I have name1 being set to code. All right, some of this is a little hard for me to follow; luckily we don't really need to understand everything that's going on with the code, because otherwise I'd very rarely solve any challenges. As long as we can identify the important bits, that's all good. So anyway, a new entry is added, our new arachnoid, we get the index returned to us, and it increments the count. We'll come back to this later; let's jump into the next function. Go back to main and take a look at delete. Again we could set some of these up; we've got our canary here; it's going to read in the index, which is this local_12, and update that, so I'll rename it index, and this is just updating that as well: index × 0x80. I'm not going to go back, but the 0x80 was in our last function, it's like the offset, the size, I guess. It's going to print out the index that we selected, the name and the code, and if it's not a valid index it's going to say "invalid"; otherwise it's going to call free, first on the name and secondly on the code, which we know was eight bytes after, from the code we were looking at previously. Let me just jump back to craft: you remember we had this 0x8c is the name and then plus eight was the code. We go back there again and that's exactly what's happening here: it's freeing those. So we've got a potential use-after-free vulnerability here, whereby malloc is being called, it's then being freed, and then we can go and recreate something. Let me just grab a link; as I say, I'm not particularly good with these kinds of exploits, so let's have a look at some information on it. Use after free: "once free is called, an allocator is free to reallocate the chunk of memory in future calls to malloc if it so chooses. However, if the program author isn't careful and uses the freed object
later on, the contents may be corrupt or even attacker controlled. This is called a use after free, or UAF." We've got a simple example here; you can go and take a look at this or some other examples as well, but let's jump back to our code and see how we can take advantage of this. Let's see what else we had in terms of functions. We've had a look at craft and delete; let's take a look at view. There's nothing much of interest here. We can rename this again: we can set up our canary. The canary is what's stopping us from overflowing the buffer as well: if there was a buffer overflow, we would need to make sure that this canary isn't overwritten with a new value, because you can see down here, before we return, which is where the buffer overflow would happen, it's going to check that the canary still equals what it equalled at the beginning, so if we overwrite everything on the stack then it won't equal that. But that's not related to this challenge anyway; let's keep going. We've got this local_1c, which I'm going to change to i because I'm used to seeing loops with an i index. It doesn't really matter; we're just going to loop through each of the arachnoids and print them out, so not too much going on there. Finally we have obtain, and instantly we see this "cat flag.txt", so we know this is where we need to go. Let's have a look through this: we've got our canary; we have the index here, it says "invalid index", so let's change that to index; and we have a string compare then, which is going to compare the 0x80 + 8.
So the index we provide goes to that index, and then it's 0x80 + 8, which if we remember was the code, not the name (there's a name and there's a code), and it's comparing it to "spidey". You can see here the 6: it's going to compare six characters. Let me just highlight that: eax is the return, then in rdi we have our first string, our second string is in rsi, and the number of characters we want to compare is in rdx. If the index is zero it's going to come back with cat flag.txt, otherwise "unauthorized". So we need to make sure that the code equals "spidey". Let's go into gdb, set up some breakpoints and stuff, and try to get a better idea of what's going on in the background. PIE is enabled here, so we want the offset of this string compare: you can see it's right here, 163c. I'm going to take a copy of that and go back over here; let's do gdb-pwndbg arachnid... arachnoid, sorry. We can have a look at our functions here; if we wanted to we could disassemble any of them to get addresses as well, for example obtain_arachnoid, we could go in there and find the same address. But let's do break rva 0x...; it's not going to work because it's not running, so let's do starti to start on the first instruction, do that again, break rva, and hit continue. Now let's first go to obtain arachnoid and say 0: it's going to say invalid because we haven't created one. So craft one; what was the name it wanted? It wanted "spidey", but that's what we want the code to be. Let's run that: you'll see we've got spidey, arachnoid index. Let's have a look: if we now view them we'll see that it's arachnoid and the code is "bad". Now if we go to obtain and set 0 as the index, we hit this breakpoint and immediately you see we have "bad" and we have "spidey", and we could go up here and have a
look at the actual parameters this is the string and compare so it's comparing six characters from bad and from spidey so from these two locations obviously these don't match so that's where our problem is going to be but because of this potential this use after free vulnerability we have there what we should be able to do here is try to delete this first one and let's go and [Music] craft a new one and now i'm going to call this one spidey now let's view and look at this we've got an arachnoid with the name bad and the code spidey which is exactly what you wanted so let's go ahead and create a fake flag because we know it's going to catflag.txt fake flag to flag.txt let's go to obtain and it's the zeroth element um it's comparing spidey and spidey so you know that we've done the right thing hit continue it didn't actually print the flag there but i think this is just like a gdb thing let me go let's try that manually so we'll craft one i'm just gonna not call it anything i'm gonna delete that first one i'm going to craft a new one and i'm going to call it spidey and i'm going to view and there we've got our first one is is called bad with the code spidey rather than the other way around so now if we go to obtain enter in the zeroth element and we get that fake flag so now it's just gonna be a case of running against the server but let's just try and understand a little bit better what happened there well i'm going to explain it how i understand it anyway i might be i might be wrong on this somebody can correct me in the comments if i am but as far as i'm aware whenever we go to this delete it's first calling free on the name remember it did two separate mallocs one for the name and one for the code it calls free on the name it calls free on the malloc sorry not free on the malik it calls free on the free on the name and then free on the code and as far as i'm aware because that's the last thing that was freed whenever we then go back to craft it'll reuse that 
chunk that it'll basically put the name which is the first thing that we enter in the same address as what does where the code was previously because that was the last thing that was freed so whenever we type in the name it's actually pointing to where the code should be hopefully that makes sense it probably doesn't because i don't understand the stuff particularly well myself so i'm probably not explaining it as well as um as somebody could do but let's go and test it out anyway see if we can get this working on the remote server it should just be the same case as it was testing it locally grab the server and the port number let me minimize this so you can see it a little better connect this with netcat and we're gonna craft we're going to delete let's view again see we view that and it's actually messed up the code let's go and craft a new one and let's set it to spidey let's view again everything's looking good we've got a arachnoid with the namepad and the code spidey go to obtain zeroth element and we get back our flag and that's going to wrap it up with this video as you can see we've still got a bit of time left on the ctf but i probably won't have time to get through many challenges tomorrow and i want to check out the new hack the box machine that was released tonight i've also got to go through and edit this video which takes me a little while to hopefully get most of the microphone pops out of the audio uh but i hope you've enjoyed the video anyway give it a like subscribe and all that and i recently put up some resources on my github i have all the scripts and stuff from ctf competitions and hack the box challenges and things like that on there and i've just added some good sites for doing capture flags and hacking boxes and stuff like that some good content creators to subscribe to i'm really hoping we'll see some videos from john hammond on the harder challenges i didn't get solved and even on the challenges i did solve because i'm sure he'll solve 
them in a different way i'll probably explain them better i'm also hoping that they'll release these full phone boxes and hopefully al hazard will go through them on his live streams i've put up his youtube channel here but he really streams on twitch and just uploads some of the videos but as much as i love watching ipsec and xct ipsec's always got a great in-depth walkthrough and xct just gives you everything you need to know in as short a time as possible but i've been really enjoying the twitch streams anyway i highly recommend them but yeah that wrap it up for this video if you have any questions or comments leave them below thanks
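Added illustration of the pattern the video describes, written as a constructed C model rather than the challenge binary's own code: delete frees the name and code chunks but leaves the dangling pointers in the table, while the hardened delete clears the slot so obtain() refuses a deleted entry instead of reading freed memory. The table layout, sizes and the MAX_ARACHNOIDS/STR_LEN names are assumptions for the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the arachnoid table, not the challenge binary: each
 * entry owns two heap strings (name, code) and obtain() grants access when
 * the code starts with the 6-byte key "spidey", as the video's strncmp does. */
#define MAX_ARACHNOIDS 4
#define STR_LEN 0x20
typedef struct { char *name; char *code; } arachnoid_t;
static arachnoid_t table[MAX_ARACHNOIDS];

/* craft: two separate mallocs, name first and code second, as in the video. */
int craft(int idx, const char *name, const char *code) {
    if (idx < 0 || idx >= MAX_ARACHNOIDS) return -1;
    table[idx].name = malloc(STR_LEN);
    table[idx].code = malloc(STR_LEN);
    if (!table[idx].name || !table[idx].code) return -1;
    snprintf(table[idx].name, STR_LEN, "%s", name);
    snprintf(table[idx].code, STR_LEN, "%s", code);
    return 0;
}

/* Vulnerable delete: frees both chunks but leaves the dangling pointers in
 * the table, so the slot still looks live to obtain(). */
void delete_vuln(int idx) { free(table[idx].name); free(table[idx].code); }

/* Hardened delete: release the chunks and clear the slot, so a later obtain()
 * cannot dereference freed (and possibly reused) memory. */
void delete_safe(int idx) {
    free(table[idx].name); free(table[idx].code);
    table[idx].name = NULL; table[idx].code = NULL;
}

/* Returns 1 when the code matches "spidey", 0 when it does not, and -1 for an
 * out-of-range or empty slot (the emptiness check the vulnerable flow lacks). */
int obtain(int idx) {
    if (idx < 0 || idx >= MAX_ARACHNOIDS || table[idx].code == NULL) return -1;
    return strncmp(table[idx].code, "spidey", 6) == 0;
}

int main(void) {
    craft(0, "bad", "bad");
    delete_vuln(0);           /* the code chunk is the last one freed */
    craft(1, "spidey", "x");  /* the new name malloc reuses that chunk under glibc's LIFO tcache */
    /* reads freed memory (undefined behaviour); typically prints 1 on glibc */
    printf("stale slot 0 grants access: %d\n", obtain(0));
    return 0;
}
```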
Info
Channel: CryptoCat
Views: 3,089
Keywords: hackthebox, HTB, Hack The Box, HackTheBoxEU, HTB x UNI, university ctf, capture the flag, CTF, hacking, infosec, cyber-security, forensics, malware, DFIR, reverse engineering, pwn, binary exploitation, wireshark, traffic analysis, zip slip, bug bounty, websec, appsec, RCE, UAF, use after free, VBA, malicious macro, phishing, network security, memory dump, zipslip, debugging, dynamic analysis, static analysis, ghidra, GDB, pwndbg, pwntools, web security, application security, OWASP, DVWA, Cobalt Strike
Id: QEZ4D17Fu40
Length: 85min 3sec (5103 seconds)
Published: Sun Nov 21 2021