Phase 1 Challenges - Hacky Holidays Space Race CTF 2021

Captions
In this video we're going to take a look at some of the challenges from the Hacky Holidays Space Race 2021. The competition started today, 2nd July, and it's running for three weeks. If you're watching this video the competition's over, because obviously I can't post solutions to the challenges while it's ongoing, but if you're interested next year you can apply. It's teams of up to four players, and you can get prizes for student teams, non-student teams, the best write-ups and video write-ups, etc. Basically it's a CTF competition; we've got the usual kind of categories, misc, reversing, web, network, crypto, and there'll be new challenges released each week, so we have these three phases. A little bit more information here: rules, don't brute force the network, etc. And that's about it really. So I've got a team together here, just with a couple of students from the master's course at my university, and I've done the initial teaser challenge here, so let's take a look at that first of all.

The first teaser challenge is a web challenge, and the description says: you arrived at the launch platform of Space Race. Teams around you are preparing for the event the best they can by gathering the crew and designing the flag. At the outset of the camp you notice the Hacky Holidays admin base. You decide to stake out and see what's happening. After a while you notice that people are only allowed to access the admin base when they show the Hacky Holidays admin flag below. And then we have this PNG file, so let's open that up, and this gives us a flag that we can have a look at. We've also got a little bit more info here: it says open the flag designer and see if you can hack your way into the admin base; only the URL and this following URL are part of the teaser challenge. So we can go and open this up. That URL doesn't quite look the same as the one we have here, so let me just... oh, there we go. All right, so we've got a flag creation page here, so let's have a look at our flag. We've got three lines here in the background, so yep, that's good. Our colours, let me actually move this out of the way a bit so we can see it, and oh, now we can't see our actual flag there. Okay, there we go. So we've got a dark orange at the top, and then a light orange, and then a yellow, and then we need to sort out our overlay here, which is number 11, number 12, number 9, this little spot down here, and the colour of that, yep, it's on the right colour already. And then we have another overlay, which is this pattern that we need, so we cycle through these. We've already got the colour correct; if we actually cycle through those we'll find that there isn't a symbol matching this. So what I did here was just inspect the 14th element, and if you actually do that you'll see that we've got 14 buttons here, and then we have this one, you can see it's greyed out. We have here a button with class "button primary active", and right here we have one with "button primary d-none", so I'm going to change that and say "active" as well. I'm going to close down the dev tools and change that to 15, and there we've got our flag. So that's the first challenge.

With the first teaser challenge out of the way we'll start phase one, and you can see here all the challenges that are currently available for us in phase one; the rest will be unlocked in seven days, basically. So first we have a teaser challenge in phase one which is called Locked Out, so let's go on to that first of all. It's the cloud challenge, and if we take a look at the description there it says: after a relaxing spacewalk you realise that you've been locked out of your spaceship by the spaceship's AI. Thankfully you remember that you prepared for this eventuality by storing access keys in an external storage. And then we can see here that it's 25 points: obtaining external access keys, open the external storage and see if there's something useful in there. So we can open that up; it's an Amazon Web Services S3 bucket, and if
we have a look at the XML content we've got here, we can see that we have this "key to external spaceship storage" .txt file. So let's just try and access that in the browser, and it gives us access to the file without any issues, and in here we have the first part of our flag. So I submitted that; I'm not going to submit it again because it takes a long time just to come back and say you've already submitted this flag. That's the first part of our flag, and then we also have some more information here: we've got these two values. Let's go to the next part of the challenge, though, and see what it says. It says you've managed to get keys; see if you can get inside and check the internal spaceship storage. So it's telling us that these are keys. I don't know much about AWS, but if we search "aws keys" in Google and just have a look at some of the documentation, we can go and verify what kind of format we expect to see them in. So for example here we have: access keys consist of two parts, we have the access key ID and then the secret access key, and if you look at what we have here it looks remarkably similar to the access key ID and the secret key that they have. There's also information about how to configure this stuff here as well, so you can go and look through that documentation, but we can do this through the command line. So let's go to aws... oh, I actually need to install it: sudo apt-get install awscli. Once that's installed then we can do aws configure. It's asking us for an access key ID, so that's the first part, paste that in; it's asking for the secret part, which is right here, paste that in as well; and then region name, we could leave that as default, but it's also available to us here (eu s1), and I'll leave that as default as well. So now we've configured that, if we do aws s3 ls, now we see that we have our external, which we saw already, and we also have this internal as well. So let's try and list this directly: let's do aws s3 ls and list the internal storage, and in here we have another file called spaceship-keys. So we want to download this, basically, but if we try to access this through the browser, let me just show what happens here: if we just update our URL to internal, and update spaceship-keys as the file name as well, you'll see that we get access denied. So because we don't have the keys set up here we're not able to access that from the browser, but what we can do is aws s3 cp s3:// and then we pass in the S3 bucket and then the file that we want to get, spaceship-keys, and I'm just going to copy that to our local location here, and we see that's been copied. So now if we cat the spaceship-keys file, there we've got our second flag as well.

The next challenge is called Bow Shock and it's a reversing challenge. It says bow shock is an amazing phenomenon, but you better not get too close, and it also says can you find out how to minimise bow shock and prevent everything from turning into dust. So we've got this JAR file to download; I'm going to grab the link and then just wget it to the desktop. Something you might want to do first of all is just have a quick look at strings, something I pretty much always do, but we're going to want to go and have a look at the code of this. There's quite a few tools you can use; I'm going to use JD-GUI here. Hacker101's CTF resources have some good resources in terms of tools that you can use, and some challenges as well to try out Android stuff, so that's worth bearing in mind. But if we open up bow shock here, we can have a look at the manifest file, we can see here we've got this class, and then here's the bulk of our code. So we've got this class BowShock; let's have a look at our main method and kind of trace this back. Well, this is going to start at the beginning: we've got this get input method, it's saying set the amount of plasma to the correct amount to minimise bow shock, and it's going to take an integer from us, it's going to take a number, and this total input is going to be incremented based on whatever number we provide. Then it's going to check the number we provided here: if the number we provided wasn't 333 then it will call bow shock, and bow shock is basically going to print this out, say "all dust in the wind", and exit the application. So if we do enter 333 then it's not going to go to bow shock, it's going to go "we survive another day", and it's going to loop back to this get input function up here. So essentially it's just going to keep looping through and asking us for numbers, and we need to provide these numbers in the correct sequence, and if we do that at the end we'll get this victory: CTF bow shock total input. So we don't really need to even run the program, because we can see how this is working, right? So let me, I'm bad at maths, let's just open this up and do 333 plus 942 plus 142: 1417. So our flag is going to be CTF bow shock 1417. But just to show that as well by running the tool, let's do java -jar on the bow shock JAR, and you can see here it's asking us to provide an amount, so if we put an incorrect amount here, 1337, we get that "all dust in the wind". So we need to run it again: provide 333, and then provide 942, and then provide 142, and if you do it in that sequence we get back our flag, CTF bow shock 1417.
So I've already submitted that flag, but that's two different ways that you could solve the challenge. Well, not really two different ways, because you still need to reverse it and you still need to have a look at the code to work out what numbers need to be entered here.

The next challenge is called Unidentified Flying Object; it's a stego challenge, and the description says we've seen an unidentified flying object passing by; it was created on one of the universe's most advanced printers. Then for the first part of the challenge here it says the UFO was forged on one of the universe's most advanced printers, do you know which make and model? Answer in this format: make and model. So in previous challenges we've had to enter CTF with the curly braces, so just note that this is a slightly different format. And then we have this G-code file to download, so I'm going to download that with wget. While that's downloading, let's go and have a look at what G-code is, because it's not something I'd had any experience with really. You can see here it's the most widely used computer numerical control programming language; it's used mainly in computer-aided manufacturing to control automated machine tools, and has many variants. So it seems like this is used in quite a lot of 3D printing software. With that in mind, let's go and take a look at the file; it should be downloaded now, and it's a very big file, there's a lot of lines in it. How many lines? Nearly 490,000 lines, so a lot more than I can really manage to read through. But if you scroll, well, I mean I just kind of scrolled through this and had a look; based on the way Sublime shows you the structure here you can kind of scroll through and see if there's anything which sticks out. There are certain parts, but I don't really know too much about the syntax of G-code. So if we go down towards the bottom of the file we do have these settings which are enabled, and in here I noticed the Geeetech A10M, which if we go and Google that we find is actually a printer make and model. So we submit the first flag as that; well, I can't submit it again there, but that was the first flag anyway, the make and model of the printer.

If we go to the second part: do you know how G-code files work? Maybe you can find a hidden message along the layers. And this one does have the usual flag format. So in this case I was having a look at some different tools that we could potentially use to run this code. You have some online simulators, but I found myself that they were quite slow to run, so the tool that I ended up using to solve this was CAMotics. Let's go and grab a copy of it; you see here it's an open-source G-code simulator. First of all we want to get it downloaded; here's the Linux 64-bit, so download that. Installation instructions are right here for Debian, so once that's downloaded we'll just paste that in and that should be installed. Let's try and run it; you see here we get this error about libv8. There was a message here saying if you get the missing libv8 then we'll need to run this, so let's also run that and try to run it again. Looking better, there we go, getting a nice user interface up here. So I don't really know anything about this tool, but I know that you can run the simulation here: we can hit play and it's going to go through, or we can use this position at the bottom to do it manually. Let me just pause it; we can just drag the slider along and then it'll actually load as it goes, or we can play it, we can speed that up and slow it down, let me speed it up, we can reverse the direction of it, etc. So we want to load our own code in here, so let's add a new file, G-code, and grab this from the desktop. I'm going to delete this one and then we want to run the simulation. We can zoom in just with scrolling on the mouse, we can use the left click to rotate it, and we can use the right click to move it around. So I want to kind of move this around a bit and try and get a good angle on it, and what I basically found here is just from going through the position a bit you'll start to identify some text. So let me zoom in a bit more; there you can see "ying_sa", right? So keep going a little bit more, "ying_sa", and then we can see what looks like a C there. So this is really hard to see, but if you rotate it as you go you can kind of see it a bit more: you can see there's an F over here, S A, we have the C here, and I basically just kind of played around with this for a little bit until I was able to identify that this is saying flying_saucer. I'm sure there's a far better way to do it, because, well, I mean the description here says do you know how layers work, but I'm assuming that if you kind of understand more about how these files are structured you would know what to strip out just to be able to retrieve the flag in a more readable way. But I mean this got me the flag without having to spend a lot of time learning exactly how to modify this code, so I'll leave it at that, but I'd be interested if anybody solved this in a more professional way; do let me know in the comments.

The next challenge is called Enumerate in the Cloud; it's a cloud challenge, and the description says the spaceship that you will use in the Space Race is almost ready. One of the last steps is to verify that all the systems are operational. Unfortunately the AI control and system information decided to take a personal time off for a few days, leaving you without any easy access to the spaceship systems. This is not a problem, because as the cyber security specialist on the ship you know the spaceship cloud infrastructure like the back of your hand. And then a little bit more information about the first part; it's a five-part challenge. The first part says your spaceship is located here, can you find the external information panel? So let's open up the URL that it gives us, and this has taken
us to this planet bucket, another S3 bucket like the last cloud challenge we took a look at. Let's have a look at the source code here, and if we view the source code there's not too much here, but we have an image source which is linked into a different bucket: this is rocket bucket instead of planet bucket. So let's take a look at that instead; let's take the view-source off, we're not interested in this image, so we'll just load the base directory, and in here we can see that we've got an external information panel .txt, and we've got a flag.txt as well. So let's grab that first of all; this is our first flag, so we can open this up, grab that, and enter it as the first flag. Let's go on to the next section. The next section is saying obtaining the spaceship access keys: you've gained access to the external information endpoint, can you access the spaceship logs to obtain access keys? So let's go and grab this external information panel .txt as well and see what they've left for us. Now we open it up, we've got another URL here; this one is going to an execute-api domain, and to the logs directory. So let's try and access that. Oh, I didn't copy that properly, so we'll try and... oh, how strange. There we go, so we're trying to access this new URL and we get "request method GET is not allowed". Let's open up our developer tools here and go into the network tab, reload the page, and we'll just try and send this off as a different type of request. So we can hit resend here, edit and resend, and let's change this from GET to POST, send it again, and let's have a look and see what the response was of that. The response was POST is not allowed either, so both GET and POST are being declined. Let's see if we can, not automate, but speed this process up a little bit: let's send this through Burp Suite, so I'll grab this request and send it to the Repeater, and it just means we can try out some different HTTP methods without having to click edit and resend and stuff each time. So POST isn't allowed either, we've tried GET, we could try HEAD; that came back okay, but it's not giving us any extra information. We could try OPTIONS, not allowed either. Let's try PUT, and there we've got back some information, and in here we'll see we've got our next flag. So we grab that and go and submit it here, and move on to the third part of the challenge, which says you've managed to access the spaceship; you see a cleaning bucket, the lambda thrusters information panel tag and the espace cloud computing system tags. What does the tag in the cleaning bucket say? So let's go back; I'm going to open this up, where is it, Burp Suite, okay, I'm going to request this in the browser, so we'll go show response in browser, take a copy of that URL, just so it's a bit easier to read through this JSON file. So we have what looks like a Docker config, and yeah, so we've got our first flag there, but we need to have a look for our AWS secret access key and our access key ID. So in our last challenge we were given these in one of the files and we needed to input these into the AWS command line tool, so let's go and try and do that now. So we'll go aws configure and it asks us for our access key; I've still got the last one in, so let's go and grab this new one, first of all our access key ID and then our secret key as well, and we'll leave the other stuff as the defaults. Now let's see if we can just have a look: aws s3 ls, and we can list the different buckets that are available to us. So we've already looked at the planet bucket and the rocket bucket, and we've also got this cleaning bucket, so let's see if we can aws s3 ls the cleaning bucket, and you'll see there's actually nothing available to us there. Let's go back to our challenge info, and it says you managed to access the spaceship, you see a cleaning bucket, the lambda thrusters information panel tag and the espace... what does the tag in the cleaning bucket say? All right, so what we can do here is aws s3api, and then let's do get, hit tab, and you'll see with the auto-complete we've got quite a few different options here, but one of them will be get-bucket-tagging. So let's do that, get-bucket-tagging, and if we try to run that it's going to say now you need to provide a bucket, so let's do that as well; the bucket name is right here, so we paste that in, we get back some tags, and you'll see here "hacky holidays users", we've got our next flag. So we'll take a copy of that and go and paste it right here, and then we'll get on to our fourth stage.

So the fourth flag is saying what is the tag in the lambda thrusters information panel? I wasn't too sure what to look for here, but if we just go and search AWS Lambda we'll see it's an event-driven serverless computing platform provided by Amazon as part of AWS. So this is another part of AWS; if you do aws and then tab for auto-complete here you'll see we've got a lot of different options available, and one of them is lambda. So we can go to lambda and then auto-complete again, so if you basically play around with some of these options in here, let's go and try list-tags, for example; it doesn't work, we need to provide a resource. Let's try list-functions; we list the functions, we get another JSON file back, and in here we can see we have two different Lambda functions, one of them is this lambda thrusters, and now we have the full name of that, and we also have this full function ID. So let's go back and see if we can now list the tags: we just tried to list tags and it told us we need to provide a resource, so let's do --resource and paste that in, and you'll see it's come back with our fourth flag. And then our next tag that we need to get is the espace cloud computing system, so grab this and go and paste it into our fourth flag field, and we're on the fifth and final stage, which is what is the tag in the espace cloud computing system. This was another one that took me a little while to
determine. I was kind of looking at some of the... well, it says E cloud computing system, so I kind of took that as ECS, and here we have ECS, but we also have EC2 and some other things, EFS, the Elastic File System, a few different things it could be. I kind of played around with them for a while and eventually found that if we run aws ec2 describe-tags then we get this final flag, and that's the challenge complete.

The next challenge is a web challenge called Euphoria, and the description says Euphoria specialises in organising your trip to space; get some tickets while they last. So we've got a system that we need to launch here; I'll start launching that in case it takes a minute to boot up, and this will give us access to our own instance. It says here this challenge is intentionally vulnerable and you're allowed to find vulnerabilities; for more information click here. This is basically just telling us about not brute forcing systems. But yeah, let's open up this link. We have two parts to this challenge; the first one says invite only: can you get the valid invite code? The flag is the invite code. You see my teammate already solved this, but I want to make some walkthroughs for the challenges, so I came back in to check it out myself. If we do go in and check it out we'll see this page, "be an astronaut"; we've got solo, crew, fleet, we can try and click on a few of these and see if they do anything, and you'll see actually when we click on the fleet one we get "this option is invitation only, please enter invite code". So what I'm going to do is just have a look at the source code and see what's actually going on when we click that. You see there's this function which is created, var code, so it's taking an invite code from us, it's making sure first of all that it's going to be 12 characters long; if it is, it'll continue. Then it's grabbing the substrings, splitting this into three parts, whatever we enter, it's inserting a dash in between each part, and then it's going to check each part individually to see if they match these three things. So what I'm going to do, I'm going to go and open up the dev tools, and let me go to the debugger just so we can see the code as we're doing this. But essentially we know the first part of the key is going to be ufo, because that's what it's checking for; the second part is this btoa, which is basically base64 encoding, so we can go and paste that in here and see that, all right, we need to enter ufo-vuzp-, and then what's the last part asking us for, the char code as well. So we could work that out, but I'm just going to go ahead and take a copy of that, let's paste it here, and it's 234. So we need to enter ufo-vuzp-234, and we'll take a copy of that, contact us, and then okay, so yep, great, "please continue with the booking process". So we've got the correct flag; now we just need to go and submit that here.

And then the second part of the challenge is can you access the members-only area? So let's go back and have a look. If we go to the members section here we have a login box. The first thing I tried here was just to enter an apostrophe in the password to see if we've got an SQL injection, and try some default credentials, admin/admin, no luck. So if we go to the "forgotten password" link and we'll try admin, recover, and we get "username not found", so we've got a way to test whether a username is valid or not. Upon looking around the site a little bit I saw this Twitter and LinkedIn URL; the Twitter is just an alert box, there's not actually anything there, but LinkedIn will take us to the page. Unfortunately we have to log in in order to even view the page. I did try to find a workaround for this, or even some kind of disposable or shared LinkedIn accounts that you could just use the credentials for, but I didn't have any luck; I'm going to have to sign in here unfortunately, just give me two seconds. Okay, and once we get logged in we'll see here that we have this Euphoria, "be an astronaut", it's located in Amsterdam, we've got 43 followers, one employee, let's have a look at that, and a couple of posts that were put up here as well. So I had a look through the posts and didn't really see... there's a couple of comments, but it's mostly people asking for flags; it doesn't seem to be put there by the author. We do have this LinkedIn member, co-founder at Euphoria, and then there's another one as well. It's only showing "LinkedIn member" for me; it originally was showing their names as well, so we can have a look at those if it allows us to. It doesn't appear to in this case; well, I don't know why it's showing just LinkedIn member here, "you don't have access to this profile", okay. Well, whenever I did solve the challenge it did allow me to access that; the name is Elliot Talton. Let's see if, yep, there we go, we can open that up. And if we go back to the Euphoria challenge site and to the about section, what I found in here is a little message by the CEO, Ben Organa, or borgana, so this is kind of a hint that the username format might be the first initial followed by the surname, and we've got a couple of names now: we have Elliot Talton and we have Ben Organa. So if we grab this borgana and let me go and try to hit forgotten password, then here we get "answer security question: what's your place of birth?" Okay, so we can go back and have a look at what he actually says here: Euphoria started as a small two-person company, but since the very beginning we were dreaming big. I can never forget the day when we decided to establish the pillars of this company with Elliot Talton in our trip to our hometown; that day will be with me until the end, et cetera. So we know that they're both from the same hometown, and the security question being asked is what is your place of birth. So let's go and have a look at Elliot Talton; do they just disclose their location anywhere? And we'll see that they shared a couple of posts, one of them is actually this one: visiting Lands Lance Hughes cafe reminds me of childhood memories. So let's take a copy of this, paste that into Google, see where this is located, and just grab the location, paste it in here, and we get "wrong answer". Okay, let me try that again; I'm pretty sure that was the correct answer. Let me... it was, yeah, okay, and there's the password. So we grab this password, go and log in, paste in the password, and then we get our second flag.

The next challenge is called Space Snacks; it's a miscellaneous challenge, and the description says find the answers to the treasure hunt to gain access to the cake in the space cafe. So we've got seven parts to this challenge, and the first part says you find a rotten apple next to a piece of paper with 13 circles on it and some text; what's the message? So we've got this message here, it mentioned 13 there, and looking at the message it's quite clear that a rotation has been done on it. We've got the correct format here for the flag, it's all the standard alphabetical characters, so let's go and throw this into CyberChef and do a ROT13.
Considering it had the 13 as the hint there we're probably not going to need to do much; there we go, so we've got our first part of the flag, and let's go on to the next part. Second part: the Roman space empire. You find a page with Roman insignia at the top with some text; what could it mean? So we've got another piece; it actually looks very similar to the last piece, doesn't it, but we've got "jam" here at the front of it instead of "pgs". So I'm going to throw this in here and we can rotate by some different numbers here; there we go, 19, we've got ctf the one tree solid; that could also be minus 7, as that'll rotate to the same place. Let's go on to the third part. It says you hear the heavy, heavy bass line of 64 speakers from the next compartment; you walk in and the song changes to writings on the wall; could be some strange code, et cetera. So you can see this is base64 encoded; we've got the equals sign there at the end, a good sign, although sometimes it could be some other base encoding as well, so it's worth bearing in mind: if it really looks like it's base64 but it doesn't actually work for you, then there's a good chance it might be some other base encoding. So let's paste that in there, base64 decode, and we've got ctf i like the buttery biscuit base. So let's go on to the fourth part, and here, if you've seen some challenges like this before, you recognise that quite quickly as Morse code. There's a lot of different sites you can do these conversions on, but let's just stay on CyberChef and go From Morse Code, get rid of this base64 decode, paste that in, and then we get our next flag as well. We'll go on to the fifth part, and the fifth part says you're now in the space cafe; the cake is in the container that should not be here; you see random names on all the containers; what will Docker never name a container? Please enter it as... all right, this is interesting, I didn't actually know this, but we'll just Google "docker never name a container", and yeah, you find an article here quite quickly: why boring_wozniak will never be generated as a container name. So that's the answer anyway, it's boring_wozniak, and the reason is because there's a part of the code here which says if the name equals boring_wozniak then it'll basically pick another name, because Steve Wozniak is not boring. So there's the fifth part.

Let's go on to the sixth part, and it says here there may be more cake; the eighth cake, left with a note with a secret algorithm to unlock the cake treasury; we saw it happening on exactly January the 1st 2030, and so it gives you this full date and time. Are you the visionary that can figure out the pin code? And here's the pin code generation algorithm. So we've got this generate pin function and it's calling srand on time(0), so it's going to get the current time, well, the time since the time started on the 19th of January 1970, in seconds, and then it's going to return the random number. So that's given us basically a seed there; it's going to return a value, but we know that their seed is essentially this date, right? So we can go and try and calculate that ourselves. To demonstrate this let's go and create a new file; I'm going to do new.c and basically paste in the code that we have there, so we've got the generate pin code exactly as it is in the challenge, and then we've just included the headers that we need in order to get the functions we need, the random and the time, and then I've created a main method here which is just going to generate a pin and then print that pin out to us. So if we save that and compile it with gcc, chmod it, and now if we run new, every time we run it we're going to get a different value, because, well, every second that we run it we'll get a different value; if we run it multiple times per second we'll get the same value. But what we want to do is find out what value did they get, because they ran it at this time. So we can go to something like epochconverter.com and we can actually just go and enter in this date. The date was January the 1st 2030, so we'll put in here 2030, the first of the first, and the time was 11:23:45, so 11:23:45 a.m.; we'll generate that as the epoch timestamp, grab a copy of that, and then I'm just going to go and update the C code so instead of getting the current time we're just going to specify that as the time instead, and that's going to be our seed. So if we compile this again and run it, every time we run it we're going to get the same value, and this is our flag. So that's the sixth one.

Let's get the final seventh flag. So we have this flag here, it says the treasury consists of cake hidden on stars in space. So we've got the space and stars stuff here; let's grab a copy of that, I'm just going to throw this into the C file for now actually, and what I'm going to do is find and replace: I'm going to replace the space with a 1, replace all, and I'm going to replace the asterisk with a 0, replace all, grab that, and throw that into CyberChef as well and convert from binary. So any time you see, whatever the encoding is there, it happened to be spaces and stars there, but it could have been a's and b's, it could have been ones and twos; any time you see only two symbols there's a good chance that you just need to convert it into a binary format and then convert it. There is actually a function in CyberChef so that you don't need to specify this as zeros and ones; you could specify what the two values are, but I can't remember exactly what it is; it's just as easy to convert it anyway.

The next challenge is called Deleted Flag; it's a pwn challenge, and the description says deleted is your flag, oops, and note the remote system architecture is 64-bit. We've got a little bit more of a description here saying we've removed your flag, good luck getting it back, and it tells us what
format the flag's in so we've got an instance we can launch here remotely but we've also got the c file that we can download to take a look at so let's try and get this working locally first of all i'm just gonna w get that and let's open it up so let's step through the code here and try and work out what's going on we've got a main method and we can see that it's going to open this flag.txt file which is obviously of great interest to us it's doing that with file open f open and it's going to remove the flag which is not what we want but although it's been removed from the file system we know that it's actually been opened into this file pointer right here and if it successfully remove the flag it's just going to say so so we can continue otherwise if it failed to i'll exit the program it's going to print out another statement saying about removing the flag and then we have this buffer which is set up it's calling map to let's go and have a quick look at the some documentation for m up so map is used for mapping between a process address space and either files or devices when a file is mapped to the process address space the file can be accessed like like an array in the program this is one of the most efficient ways to access the data in the file and provides a seamless coding interface that is natural for a data structure that can be accessed without the abstraction of reading and writing from files so we can see here that the parameters that it's taken in let's go and see what we actually have here the first thing is the address we have this set to zero we have then the length so it's reading in 4096 bytes protect so the uh what kind of access is permitted so we have here maybe the following flags read write exec or non in this case we've got read write and exec and then we have flags here set so we have the anonymous and the private flags anonymous this is used to create anonymous mapping means that mapping is not connected to any files but then we also have 
the private when this flag is used the mappings will not be seen by any other processors and changes made will will not be written to the file finally we've got a file descriptor minus one here and then the offset as zero um we then have this void function sc which is taken in the buff and then we have this read which is occurring into the buff okay so um it's going to take some input of us here and it's going to put it into this function which you can see down here sc is called down here so whatever we actually enter here is going to be executed as directly as code or whatever we enter here whatever's red in here um we then we have the setup set comp which occurs before that as well so the set comp rules are set up here i've only dealt with these set comp protections in one challenge previously was the blacksmith challenge and hack the box um but let's have a let's have a better look at that in a second you can see the send file as mentioned here but we'll go and run the setcom we'll go and run the application with setcomp and see uh if we can get a better visualization of what's going on so if we want to try and compile this here let's do gcc app.c output to app you'll see that we get this error here about setcom we actually need to compile it with dash l set comp and then you see i also get another error because i also need to sudo apt get install libsec libsec comp dev so we just need to get this installed and then this should compile okay let's try and compile it again so it compiled without errors we could have a look at the security protections here but i guess it doesn't really matter too much we don't have any buffer overflows or anything that we're exploiting so we don't particularly need to worry let's see if we can run the program then run the program you see we get goodbye flag error removing the flag file so because we don't actually have this flag.txt on the file system it's not going to be able to remove that so why don't we try and say echo fake 
flag to flag.txt and then try and run it again and you'll see this time we've got flag file successfully removed what do you have to say about your precious flag so we could enter something in here we get a segmentation fault because remember whatever's being read from our input here is being executed as shell code basically um and that's not we didn't enter valid shell code there anyway so let's have a look at the set comp rules here let me create this flag file again i'm going to run sudo setcomp tools and then dump and then we'll run the app you'll see here it asks us again i'm just going to say same thing again and you'll see this time it's jumped into the this kind of if statement here so we have some conditions essentially and if this isn't allowed then the process will be killed so you can see here if the address space is less than it's going to jump down to five if it's down to seven where seven is kill okay so if any of these conditions are met if if the architecture is not correct it's gonna jump down and kill the process if the address space isn't in the right range it's going to kill the process and then finally if the function being called is not send file it's going to kill the process so it's only if all these conditions are met okay that it's going to get to this allow which is what we want and this basically means that we're only going to be able to use the send file function call which we'll need to go and have a look into now now what i'm going to do now is copy over a phone tool script which i use so you can grab this from my github if you're interested a lot of people find that it's unnecessary but um i like it i'll explain why in a second and for this challenge it's probably a little bit overkill we don't need this function here to find the offset of the instruction pointer because there's no buffer overflow but um we'll take that out take out some of this kind of boilerplate code and the reason i like this is because whenever you run the 
program by default it's just going to run locally but if we pass in gdb and capital letters afterwards it'll call gdb and call whatever script we have here so we can set up some break points we could try and find out what the pi base is or break rba from the pi base and i think it just speeds up debugging but um if you also if you provide remote and capital letters with a server and a port it'll just you'll be able to swap between local and remote very very quickly um but we'll show that anyway uh let's just update the file name here and because we have our context.binary being set it means throughout this script we don't need to worry about address types and um shellcode and stuff like that it's going to know that we're dealing with a 64-bit linux system and we won't need to to deal with that let's also set this to debug just so we can find out a little bit more what's going on and we know that we need to create a flag.txt so every time the program runs it's going to delete the flag.txt we don't want to have to create one manually every time so let's just create one here fake flag and this is what we're going to be trying to steal then we can also save our payload so let's just for now we'll just say the payload is equal to uh some a's and then we'll save that to a file later on once we get the payload working it means that we've got a payload that we can just send off to the netcat server if you want or just send it in locally and what do we want to send the line after so if we create let's do our echo flag to flag.txt and if we try to run the program now you'll see that this is a statement it gives us so we can just grab we can just take the question mark but i'm going to take that flag question mark and we'll say that after you receive that line send the payload and we'll get rid of this receive until we'll just go straight into an interactive shell and let's go and test this out and see if it's function to run python exploit and you can see our debug is 
showing that what we've received here it sent off these a's and then we've got an ender file nothing interesting has happened because we got a segmentation fault you can see we've got that core dump because we didn't send it any valid shell code so that's what we need to sort out next the only thing is we know that in terms of our shell code we can only use the send file function so if you're going to have a look at send file and the syntax of it we'll find that it copies data between one file descriptor and another because this copy is done within the kernel send file is more efficient in a combination of read and write which would require transfer and data to and from the user space and it takes a file out file descriptor and an in file descriptor the offset and then the size and the count so if we go back to our code we know that this has been open into a file pointer here um in google in around a little bit what i did find was we know that we have a zero one and two which is our in out and error outputs but i found in here just somebody mentioning that using three um is would convert a file descriptor to a file pointer so let's go let's just go and test this out locally go back to our exploit code and we'll update our payload here so the payload will be equal to asm so we need to convert this into shell code we'll do shellcraft dot send file and then we can provide our parameters so we have at the beginning it was the outs file descriptor and then the in file descriptor so out we want this to go to the standard output we want it to be printed back to our screen and then we'll try the three file descriptor to read in that um file pointer that was opened and then i just left this offset at zero and then in terms of the amount that we want to read this doesn't really matter well i mean it depends what size the flag is but i just took this as 4096 from here but you can use a lower number without any issues there and we're writing that payload that's great let's go 
and test this out locally we test it out locally and you see that we've actually printed out the fake flag which is exactly what we'd expect just to show then in terms of the gdb if i now run that again and type in gdb at the end you can see that actually opens up another window i have that breakpoint set to file open which means now we can just jump in we can start having a look around the stack and the registers and it's a good way of debugging because now if i want to go if i want to run this again i don't want to go and update my code to say i'm not using gdb i can just take away this gdb run the tool again and we get our flag back and it also means that whenever we go to try this remotely let's go and just launch the server we're going to try and launch this remotely take a copy of this address and then without having to update any of the code at all i'm just going to type in here remote and capital letters paste in that address and port remove the colon and then send that off and that sends the exact same exploit off but you'll notice we didn't get a flag so you can see here this is the shell code you can actually see the shell code that's assembled and this is a good way to try and learn what uh instructions map to different function calls but the reason this didn't work anyway is to do with this file description i'm not 100 sure why i did a bit of googling around but if we increment this to five it seems to be something to do with the setup they have on the server um i'm not 100 sure something to do with maybe child it being a child process maybe somebody can let me know in the description why that had to be updated but if we run that again with that set to five instead you'll see this time we get our flag it's a 32 hex um 32 hex flag as we expected and then we can submit that the next challenge is called knock knock knocking on shuttle's door it's a web proversk and network challenge and we've got a back-end system we've got a launch here we've also got 
this word list to download so let me take a copy of that download it to the desktop and we might want to have a look and see what's actually in there so it looks like uh it looks like a password list but um let's see what we've got to do here we've got to download of vpn as well so i'm going to take a copy of that actually it's not going to allow me to wget that i've got to use the auth key here so download that and let's start the vpn and then check to make sure we've got an ip address which we do so that's looking good so the first part of the challenge here says we found a web server at 10.6.0.2 you may need the word list to attach this challenge which door should i knock notes answer them as commerce so it looks like we need to find some port numbers here and then enter them in as the flag this is the address that we've been given to access so now that we're connected to that vpn we should be able to access it in the browser so we're through to the international hackie space station and we have a link here take action which doesn't seem to take us anywhere of interest we've got a email address let's have a look at the page source and we have a lot of javascript in here this seems to just be some stuff from libraries um i'm not going to look into it into too much detail you can see it looks like quite a bit of obfuscation there but we've been told to that we might need that word list so the first thing i'm going to do is just go and see if we can do some directory and file discovery here so i'm going to run go buster dir for the dir mode and let's go dash u for this url and then our word list is challenge word list so just gonna run through that it's quite a small word list anyway 999 words and you see that we get to this link who is there so let's go and open that up and see what's going on we've got a directory here with an open sesame file inside it so we open that up and then we see it would be a tcp sin to knock all the doors of the air locks and we've got 
these four port numbers or these four numbers anyway and if we go back to our challenge we can then enter those in in this flag format the next part of the challenge says do you have remote access yet gain remote access the system using that open door so let's go back and look at those ports again and essentially the idea here is that if we knock on these ports in this order we should be able to open up a new port that we'll be able to connect to so um just before we go and look a bit more into that let's start an nmap scan i'm gonna do sudo nmap uh run this against all ports on the ip address we'll put this on for both just so we can see as it's coming through and basically we know port 80 is open but we're not expecting probably to see any other ports open here because what we're doing at the moment or what we're about to do let's go on google port knocking so we'll see that in computer networking port knocking is a method of externally open imports on a firewall by generating a connection attempt on a set of pre pre-specified closed ports so um it's been configured that if these four closed ports are knocked on in order with a syn packet then uh you should open up some other predetermined port we're not gonna know what port that is but there's a few different ways we can carry this out and then we can go and uh check this out now i do know what what port is because i've already completed the challenge and i can say that this get this scan does take quite a while and it's not a high port so it's probably not found the port already but let's go and prepare some of the commands anyway for doing the port knocking we could use something like knock d and use 10.6.0.2 and then pass in the ports one three three seven six eight six one seven eight we could also use knock so we can basically use the same syntax knock and then pass in those ports or we could do it with n map there's plenty of other ways we could do it as well but we could say for x in one three three seven 
six eight six one seven eight do nmap and then we need to set max retries to zero and essentially we'll just be looping through here so it's going to loop through and loop through each one of these items assign it to x and then it's going to run this map scan against x oh one thing i did miss there was the ip so it'd be zero point 10.6.0.2 um and uh all of these ways should work for us let's go back here and see so we're about uh probably about fifty percent of the way through the scan we haven't found the open port yet so i'm gonna go ahead and i'm gonna just use this knock here i don't want to use multiple because if if there's any problems with the order that they go in then we're not going to open up the port but um after we've done that knock we can try and run the scan again and you'll see that it's discovered port 2021 now on the ip address so let's go over and try to connect that on netcat point two 10.6.0.22 twenty one looks like anything's happening but if we try to list the files we'll actually see that we've got flag.txt right here so that's the second flag completed as well let's let me close a couple of these windows down and we can stop the nmap scan and now if we go back to the challenge and see the third part of it it says can you gain further control so it sounds like we need to escalate our privileges uh if we go back here you'll notice that we can't tab autocomplete and if we type something in we can't move back and forwards we want to try and make this more interactive shell i did try connecting back through netcap but we don't actually seem to have netcat installed um also try and run python here so we don't seem to get much but if we actually have a look in the bin directory we do have python 3 available so let's try and run bin python 3 and we could try to connect a reverse shell here or let's just try import pty pty dot spawn bin bash and that's looking better now we can do ctrl and z scty raw dash echo and then fg to bring it back to the 
foreground and now let's export a term equals x term so we can clear the shell now we can clear and now if we try to auto complete you see we've got exactly what we'd like to see and we can also now go back and have a look to see are there any other accounts which there are we've got this control account which is obviously the account we need to connect to so honestly i spent a long time enumerating the system and trying to look for passwords and stuff try sudo l first of all we don't have a we don't have the password for space sorter again we're not gonna be able to go to control because we don't have the password for that either so we could go and have a look around some what about the web directory was there anything there that we didn't know about um but we don't actually find anything let me just go back a second just go into the log in here we have the not d log so this is where we can actually see the stages of providing the four ports and then it calls open sesame and it's running this command so it's using soca to connect uh to open up this port 2021 and then whenever we connect to it it's connecting as a space otter obviously we want to escalate our privileges to not not to root in this case but to control let's see if we can even go to uh cd home cd control no we can't even list anything in there try and go to root can't list anything there um we could get some scripts to go and copy over in fact whenever i was solving the challenge i did copy lin p's over and run that and if we do that we will find and we don't see anything here here with the cron tab but we will find a script which we can overwrite so in the ops directory we have the safety check dot sh which if we take a look at it in fact let's also have a look here so this is owned by root but you can see it's world writable so we can modify this and presumably then this is being executed by root periodically so let's try and well let's try and run the script first of all try to run it you see we 
get here oxygen is a okay so whatever condition is happening here we're meeting this one so why don't we just try and modify the file we'll go and take out this line which we know is being executed whenever the script runs and we can go and put something else in here because i know that the python shell seems to work i'm going to go and grab a let's go python reverse shell cheat sheet go and grab a nice one liner here python okay this one looks good we know we've got python 3 here so let me just go and modify it with our ip address and we'll basically set this up to connect back to a reverse shell which will hopefully then be running as a privileged user set this to one three three seven we know this is python three so i'll just take a copy of that reverse shell one liner and let's go and paste it into nano write out save it and exit oh we should be setting up a listener here and see dash nlvp one three three seven and presumably then this script is running maybe once every minute or so and we should then get a reverse shot okay so it took a long time actually that must have been close to 10 minutes but um we did get a connection and we now have our third flag pseudo to the moon the next challenge is called skylock capsule it's a web challenge and the description says we have the best capsules available for your deployment into space so we've got an instance we need to launch here and it's a two-part challenge the first part is called tokens it says get your capsule now can you gain access the capsule of admin so let's go and take a look at the site that has given us it's called space race app and it says welcome space crew this page will display the deployment specs of your capsule after login so we might want to go and try and just log in first of all admin admin and we get this alert say it's been denied let's go and try just put an apostrophe in here see if there's any kind of sql injection might want to have a look at the source as well nothing of interest 
there let's go and try and register a new account now whenever i tried to register a new account i actually created it as admin and it allowed me to do without any errors but it wouldn't allow me to proceed to the next stage so that's worth bearing in mind note that also if we go from being logged in to accessing the capsule and try to get specs it says failed retrieve and spec so let's go and log out and then log in as that account we should create just a a username password and then try to access the specs again and this time it's successfully retrieved them so let's go and see what actually happened there in burp suite so we registered a new account right here let's actually check our login so we got this 403 fail with the incorrect password we went and created a new account 200 okay came back we sent off this json object with all our user details and then whenever we tried to request the capsule spec we got this json web token error so it was expecting a json web token which we didn't provide because we have no authorization token here but whenever we logged out and then logged back in again upon the successful credentials being answered here we got this token back which is our json web token so then you can see whenever we actually tried to retrieve the specs our json web token is right here in the authorization header so we could take this over to if you have the plugin installed you can get this plugin for burp suite to enter the json web token right here and get some information about the algorithm that's being used and then the data that we have in there as well which we can well we can also see that right here so you can see our password has been turned into this negative integer but we want to see can we potentially modify this token can we change this so that we're actually the admin instead of a maybe we'll need to change the id as well maybe to zero or one you would presume that the admin account is so let's look at doing that you should be able to do 
that in here but i'm actually going to go to jwt dot io which is a site that i often use for this and let's go and paste the token in here you can see we've got all of our details we can see here we've got invalid signature at the moment let me try and update this to admin and see our tokens updating as we type in i'm and change the id to one as well although i'm not too sure if it's important now you see it says here that the signature has been verified but actually let's take a copy of this and go and test it out so if we want to let me i'll go to we'll send this to the repeater so we're going to find the post request was a post request it was a get request to capsule so i'm going to send this to the repeater and then i'm going to just go and update this authorization header with our new one and send that off and you'll see we get here invalid signature so um the issue is here although for some reason saying that the signature is verified here we do actually need to enter the correct signature here in order to in order for it to be verified by the server so how i solve this let me go back and grab the original json web token here and i'm going to go and just create i'm going to go and put this into a file called hash just paste that there i'm going to use john the ripper to crack it so we'll say john hash and then we'll pass it a word list user share wordless rock u and we run that and very quickly it comes back with this password skylog 140584 so let's take a copy of that and go and see if we can validate our new json web token with that paste that in there i'm gonna take a copy of this and let's go back to our repeater we'll send it off for this new token and you'll see that we get back this admin account and in it we have this flag as well so that's our first flag breaking them jwts and we also have here note the password for the admin which is also a negative integer so let's go back to enclose down this json web token page now and let's go back to the second 
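As an added example (mine, not code from the video or the challenge), here is the whole Tokens part in stdlib Python: what jwt.io does when you edit the claims (new payload, old signature), why the server rejects it, the dictionary step that recovers the HMAC key, and the re-signed token the server accepts. The secret, user ids and wordlist are constructed placeholders, not the real Skylock values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for illustration: not the real Skylock secret, ids or wordlist.
SERVER_SECRET = b"example-weak-secret-2021"
WORDLIST = [b"password", b"letmein", b"spacerace", SERVER_SECRET, b"rocket1"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature, all base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: return the claims only if the HMAC matches.
    This is the step that turns jwt.io's 'signature verified' into the
    server's 'invalid signature' when the token was edited without the key."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # reject alg=none / alg confusion
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def retarget_claims(token: str, changes: dict) -> str:
    """What editing the payload on jwt.io produces: new claims, OLD signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    new_p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{new_p}.{s}"


def crack_secret(token: str, wordlist) -> Optional[bytes]:
    """Offline dictionary attack on the HMAC key: the john/hashcat step.
    A token signed with a guessable key is a token anyone can re-sign."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for guess in wordlist:
        mac = hmac.new(guess, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return guess
    return None


# Token the app would hand back after logging in as the low-privilege user "a".
ORIGINAL_TOKEN = sign_hs256({"id": 2, "username": "a"}, SERVER_SECRET)
# Edited on jwt.io without the key: the server must reject this one.
TAMPERED_TOKEN = retarget_claims(ORIGINAL_TOKEN, {"id": 1, "username": "admin"})
# Key recovered from the wordlist, then the admin claims re-signed with it.
CRACKED_SECRET = crack_secret(ORIGINAL_TOKEN, WORDLIST)
FORGED_TOKEN = sign_hs256({"id": 1, "username": "admin"}, CRACKED_SECRET or b"")

if __name__ == "__main__":
    print("tampered accepted? ", verify_hs256(TAMPERED_TOKEN, SERVER_SECRET))
    print("recovered secret:   ", CRACKED_SECRET)
    print("forged accepted as: ", verify_hs256(FORGED_TOKEN, SERVER_SECRET))
```

The defensive takeaway is in `crack_secret`: a 256-bit random HMAC key (or an asymmetric algorithm) makes that loop pointless, which is the fix for this class of token bug.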
It's called Hashin', and it says Skylock is making use of super safe non-cryptographic hashing algorithms, can you log in as admin? So we might try to search for the hash that we got for the admin, but it's quite an unusual looking one. Let's try and search for it anyway; nothing. We're looking for, let's grab the hash from the "a" username that we provided, and instead I'll search for this with the letter a; nothing. Okay, whenever I did this I think I submitted it as abc, so let's go and create a new account quickly, abc abc, register, let's log out, log back in, abc abc, and then we need to get the specs. Let's go and have a look at those; this time we've got this password, it's not negative this time, and so this time I'll search for this and abc, and you'll see we come back with CRC32. So let's have a look: CRC32 hash, and we'll find some information about it; we'll see that it's not actually designed for hashing, and, as was mentioned in the description of the challenge, it's a non-cryptographic hashing algorithm. So we're going to try and brute force this hash anyway; it's hopefully going to be easy enough for us to do. I will move it over to hashcat on my host system just because it's a lot quicker than running it inside the VM. One thing we would need to do in this case: we just search for hashcat modes crc32, you can have a look at it in the manual as well, just to make sure you know what the mode is that we have to set it to. In this case, let's go crc32, it's 11500, and then the format that it has to be specified in as well is kind of, you can't just put in the integer value that we have there, so you'll need to convert it into hex, and then you'll put in the hex value and it'll be followed by eight zeros, and that's the only way that I could get hashcat to run it. So we need to convert it into hex, and we also need to be aware that it's currently a negative integer. So if we were converting abc into hex it would be fine, but in this case we also need to do a little shift to convert it. So we can just run python and then we'll do hex, let me grab the password again, so we're going to convert that negative, and then we'll do a modulo shift here, and this is the hex value that we'll be able to use. So the hex value will be provided like :00000000. I also tried to run it with the crackstation wordlist and didn't get any results back for it, so let's see how we can get around that as well. So we've got the hash ready; we can do here "type hashes" and you can see that we formatted that like I just described a second ago, and the way that I eventually got to solve this was using a rule. So I'm going to run hashcat.exe, attack mode 0, and then the mode was 11500, we're going to use these hashes, and then the rule was OneRuleToRuleThemAll, and then the wordlist I used was rockyou. So I initially tried rockyou and then I tried crackstation, which both run pretty quick as long as I'm not inside the VM, but neither of them got a result, but whenever I used OneRuleToRuleThemAll, I guess it reversed probably, or just maybe appended the zero to one of the values, but anyway this is the password that we managed to grab here. So I'm going to take a copy of that, let's go back to the VM and try and log in with the new password; we'll log in admin, just going to paste that in, and there we get our flag, "crc32 hash collision successful". So there could be other values then that will result in the same hash there; that wasn't necessarily the password that was used, but we were able to find a collision.

The next challenge is called Mines Laser. It's a crypto challenge and the description says can you clear our path, there appears to be a bunch of mines along our trajectory. So we've got a back-end server that we need to launch here, but we've also got this .nim file to download, so we'll take a copy of the link.
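An added example for the Hashin' part (mine, not code from the video): the signed-integer to `hashcat -m 11500` conversion described above, plus a demonstration of why CRC32 "collision successful" is the expected outcome rather than luck. Because CRC32 is linear, four bytes appended to any string make its checksum equal any target, so a CRC stored as a password hash offers no protection at all; the inputs here are constructed, not the challenge's real values.

```python
import zlib
from typing import List

POLY = 0xEDB88320                      # reflected CRC-32 polynomial (zlib/IEEE)
TABLE: List[int] = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# The top byte of each table entry is unique, which is what lets us run the
# CRC update backwards one byte at a time.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}


def crc32_signed(data: bytes) -> int:
    """CRC32 as a signed 32-bit integer, the way the app's 'password' field
    looked in the capsule spec JSON (negative when the top bit is set)."""
    value = zlib.crc32(data) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def to_hashcat_11500(stored: int) -> str:
    """hashcat -m 11500 takes 'crc32hex:seedhex'; the app used seed 0, hence
    the eight trailing zeros. A negative stored value is reduced mod 2**32."""
    return f"{stored % (1 << 32):08x}:00000000"


def crc32_patch(prefix: bytes, stored_target: int) -> bytes:
    """Four bytes which, appended to prefix, make crc32(prefix + patch) equal
    stored_target. This is the textbook CRC 'forging' construction; any
    string at all can be turned into a collision for the stored checksum."""
    target = stored_target % (1 << 32)
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF   # internal register before final XOR
    want = target ^ 0xFFFFFFFF              # internal register we must end on
    # Backward pass: recover the four table indices from the top byte each step.
    idx = [0] * 4
    for k in (3, 2, 1, 0):
        idx[k] = REV[want >> 24]
        want = ((want ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Forward pass: pick each byte so the running register hits that index.
    patch = bytearray()
    for k in range(4):
        b = (reg ^ idx[k]) & 0xFF
        patch.append(b)
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(patch)


if __name__ == "__main__":
    # Constructed sample: 'abc' is the throwaway account from the video.
    stored = crc32_signed(b"abc")
    print("stored:", stored, "hashcat line:", to_hashcat_11500(stored))
    fake = b"anything-at-all" + crc32_patch(b"anything-at-all", stored)
    print("collision:", fake, "->", crc32_signed(fake) == stored)
```

The same patch works for the admin's negative integer: whatever value the app stored, a second password with that CRC is four bytes away, which is why password storage needs a salted, slow, cryptographic hash.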
and there's only one part of the challenge, which says: use your laser to remotely detonate all the mines. So we can download this Nim file and open it up in VSCodium, or your IDE of choice. You'll see I don't get any syntax highlighting here, so let's go and see if we've got an extension we can install. Here's Nim language support, and if we install that we get some syntax highlighting. We go and have a look through the code; we also need to compile it, so let me just see if I need to install Nim. If we check the help options here you'll see that we can compile it, so we can just run `nim` with the `compile` command and then our project file. We'll run `nim compile` and pass in mines laser; you see it's managed to build that, and we now have a binary, mines laser, so we can actually start running it. We start running it and nothing's happening, so let's actually go and take a look at the code and see what's going on. If we have a look in here you'll see that we have this process to serve a connection on port 1234. So before even digging through the code and trying to work out what's going on, let's just try to connect to that with netcat. We'll put it on the tab here, and then `netcat localhost 1234`, and you'll see we get this: "use your laser to remotely detonate the mines, are you sure?" Let's just try to put in a command; it doesn't work, so let's go and see what the syntax is. We can see here that it takes an input from us, which is a line, and then it's going to split that into x and y, splitting on a comma, and then it's going to parse those and make sure that x is between 0 and 8, and the same for y. So let's just go back to the terminal and try to enter `0,1`, and you'll see we've got "bomb successfully detonated". Let's try to enter another position, `0,2`; you can see that it's moving downwards, moving column-wise. Let's do `0,3`, and now we've actually hit something we weren't supposed to hit, and it's ended the game and shown us what the correct answer would have been if we had managed to get them all right.

So we need to find out how this map is generated. We can see that we have the mines here generated using rand uint64, so it's using a 64-bit random value to declare where the mines are. If you go back and have a look at this, it's actually an 8x8 grid, so essentially this is a random value, and the way the Nim script works is that it's calling randomize to begin with. Let's actually go and search for Nim script random; if we open up some of the documentation we'll find some basic usage. We can see here that randomize is called initially to initialise the default random number generator; if this is not called, the same results will occur every time. If you go back to the script, this is called at the beginning of the script, but it's not called every time a new client connects. So even though every new client is getting a new random value from this uint64, the same seed is essentially being used for every client. If we go back here we can actually see the type of RNG that was used; I don't know how to pronounce this, xoroshiro128, which if we go and Google and try to get a bit of information on, we can find some links about breaking the cryptography. So let's take a copy of this and just search for "cracking"; you'll see that we can find some articles pretty quickly. I don't want to go into the maths too deeply, mainly because I won't be able to explain it very well; let me just explain how I solved it based on this article. This article does explain a little bit about the algorithm that's being used; it's using the Google Chrome browser, and it links to another couple of articles explaining how to crack it. We can have a look at the function as well, so this is the actual function that has the vulnerability, and this is an example of an attack to predict the next value. So, taking a sequence: if we play a couple of games and find out what the correct sequence is for, say, two or three games in a row, are we able to crack it so that we can predict what the next value is going to be? As I say, the maths is explained in quite a lot of detail between these articles; I think particularly this blog post on securityevaluators.com has a lot of detail about the maths, but I'm going to skip that here.

Let's go and have a look down here: there was a solution posted on GitHub, and I essentially made use of this in my solution. You can see that it's talking about the random generator that we're about to crack, and if we want to get this tool running we can do a pip install. So I'm actually going to set up the local Python environment; let's `source` the Python 2 virtual environment and then pip install that, and we'll also need to git clone the repo. I'm going to download that here, and we have a couple of different things we can do: we have the single shift and we also have the shift-all. The single shift will actually find the original seed, if you want to find out what the original seed was; shift-all will find the original seed and then all the variations that are going to come after it, which is what we're interested in. So if we can, as I say, feed it the last two game boards, the last three game boards, it should be able to tell us what the next one is. With the setup out of the way, let's have a look at the solution I put together. I created a couple of scripts; we've got one called find_sequence, which we'll take a look at first. Essentially I've got this set to a client count of three at the moment; you could change this if you wanted. Let's set this to 10 just to take a look at it, and it's going to loop through 10 clients then. It's going to make a connection to our local server, and it's going to keep looping through until it loses the game, essentially making an attempt, because we want to lose a game; we want to lose three games in a row, or ten games in a row, whatever, and get the correct output. So we'll try to lose a game, we'll get the output, and then this is me just replacing some of the stuff in there and turning it into binary. You could probably do this in a far better way; I just kind of hacked this together. We need to reverse the order of some of this; that's just based on the way the bits are tested here. Whenever this is sent through it's going to call testBit, setBit and clearBit, and based on how it's using the LSB of the bytes, you just have to do a little bit of reversing around. I'll throw all this code on GitHub anyway. We do that, we then create an unsigned 64-bit hex value, and it's going to do that however many times we want; let me just put this back down to 2 or 3, however many times you want to do it. Then it's going to print out, and I've got this set to print out the Python command as well, just to make it very easy for finding the next sequence.

So without further ado, let's test that out. Let me actually set this to debug mode, just so you can see a bit more about what's going on, and then we run `python find_sequence`. You can see here we've run three games in this case, but let's go and modify that and test it out again. In fact, let me just show you: whenever we set that to two, we can run two games, we print out these two values here, and you see that we've got this command ready to copy and paste over to our other terminal where we have this xoroshift script. We try to run that, and you'll see we get what we entered: there was the 82 value and the 98 value, so you can see here 82 and 98, and then this is the next possible value. So the next game that we possibly run could be this one, but you'll also see that we have the 82 and the 98 value here, and then the next possible game could be this one. So it basically depends on how many games we play, and how many values we have in the sequence, as to how reliable this is going to be. If I go back and set this to three again it should work every time; it should get a definite value every time. So let me take a copy of that and paste it in, and you'll see now that there's only one possibility: we have our 82 value here, we have our 7e value, we have our b8 value, and then the next value is going to be this 52. The problem is, if we go and play another game now, then the next value isn't going to be the 52, so we have to be careful that we go and solve this before we play another game. It means that whenever you're trying to debug it, it can just take a little while.

In order to solve it, let's see what else we've got set up here: we've got a solve_game script as well, and you can see that the script is essentially going to take the value from us. We've just been given the fourth value in the sequence; we need to provide that as an argument to the solve_game script. It's then going to create a new remote connection to the server, and we're basically just going to play the game and enter the correct values. So there's not really too much to that; it's quite a similar kind of loop to the last script. I should really have integrated these all into one script, but I already spent enough time, probably more time than was required, just trying to automate this and playing around with Python. But yeah, that's the script; let's test it out. I'll go back to this window here, let's do `python solve_game`, we paste in our value, and you'll see it runs again: it predicted this board, and then this was the finished game, solved. Let me actually go back and change that to debug, put that on debug, and let's do our find_sequence again, so we've got a sequence of three; take a copy of that, go and paste it into our other terminal, we grab the fourth element in the sequence, because we already have the first three, and then we go and run solve_game and just paste in the value that we've just grabbed. With debugging you can actually see it going through every move, and then it gets to the end and we've correctly solved it; we've got our magic flag. So now what we need to do is go and run this against the server. Let's launch an instance, close down some of these windows, I'll take a copy of this URL, this address, and I'm just going to go and update the remote value here, and I'll take a copy of that and throw it over to find_sequence as well. Let's try to run this again; I'm going to turn debug off just so it's a little bit cleaner. We need to find the sequence: we get our three values, we go and find the next item in the sequence, take a copy of it, go back to solve_game, paste it in, and you see it takes a little bit longer once we run against the server, but we get our flag pretty quickly anyway.

The next challenge is called Stolen Research. It's a forensics challenge, and the description says: a malicious actor has broken into a research center and has stolen some important information; help us investigate their confiscated laptop memory dump. Note: if you need to crack passwords during this challenge, all potential passwords appear in rockyou-75, and the pcap is only relevant for the last subtask. It also tells us not to brute-force the rockyou-75 or we'll get IP-banned. So there's a memory dump to download here, and the pcap, which we don't need until the fifth part anyway; I've downloaded both of those, and the memory dump takes a while to download. The first part of the challenge is called Kernel Release, and it says: what sort of OS and kernel is the actor using? Give us the kernel release version, and that should be the output of `uname -r`. So we want the output of
`uname -r` on the memory dump. If we check the file type of the memory dump, it just shows that it's data. Let's try to have a look at the strings longer than 10 characters; there are a lot of strings in there. We might want to try to grep out certain keywords like "password", but in this case we're still going to get a lot of results. Let's go and have a look at some specialist tools for analysing memory dumps, the most important of which is Volatility. I'll just open up a cheat sheet here, although there's some great documentation on the Volatility GitHub, which we'll get into later because we'll need it for some of the next parts of the challenge. You can also use AutoVolatility; this is something I've sometimes used on CTFs if you just want to quickly run all the plugins possible and dump everything, so you can then go and search for flags. That's an option; in this case we're just going to use Volatility, and we first need to determine what profile the image is. That's essentially what we're being asked to do here as well, because it's saying find `uname -r`, so find out what the kernel release version is, and we basically need to do the same thing: we need to find out what the operating system is and what profile we'll be able to use. We can do that with the image scan; let me see, here in the documentation we have imageinfo and kdbgscan, so we'll use imageinfo to try to determine the type of the dump. Let's try to run that now: `imageinfo -f memdump`. That took a lot longer than it looked to not find a profile, but if we go back to the cheat sheet we can see that we can actually download some profiles, Linux and Mac profiles, from the Volatility GitHub. We can also download profiles from other sources, or we can generate our own custom profiles. So let's open up a couple of links here to take a look at. You can see, in terms of custom profiles, that in some cases, like the case below, there may be a specific Linux version for which we have to build a profile, and you can see that we need to generate a DWARF file. We'll have a look at this shortly, but you can see that the actual command they've used just checks for the Linux version in the memory dump. So let's try to do that now; I'm just going to paste that in and change this to memdump, and this has actually come back with the Linux version. So here's the Linux version: 5.10.0-kali8-amd64. If we go back to the first part of our challenge, that's the output of `uname -r`; let's compare it to what we have here in Parrot, so it's also 5.10.0, but kali8 instead of 6parrot1.

Let's have a look at the second part of the challenge as well. That was 25 points; the next part has gone up to 125 points, so quite a jump, and it's called Tooling. The description says: hope you made a good custom profile in the meantime; the attacker is using some tooling for reconnaissance purposes; give us the parent process ID, the process ID and the tool name, not the process name. So we need to give the PPID, the PID and the tool name in capital letters, by the looks of it, separated by underscores. That means we need to go back and have a look at this custom profile stuff and see if we can generate one. I've jumped over to the Kali machine here, which is running on VirtualBox, and if we check `uname -r` here we'll see that we've got a slight issue: this is 5.10.0, which is good, but it's kali9 instead of kali8. I don't want to go through everything I tried, and all the steps of downloading and installing everything, because it took quite a while to get this working, but there are a couple of links here which I found useful, which you could check out if you run into a similar challenge; mostly the documentation on the GitHub is very useful for setting this up. One thing we do need to do is essentially change this to kali8, so in order to do that I had to download the headers, let me grab the link here, so I had to grab the headers for kali8, and there are only certain ones we need. Let's have a look at the ones I needed to download: you can see here we have the common headers, the amd64 headers, and then we also have the image as well, and the debug one. All of these were required, and once we have all of those downloaded we can install them with `sudo dpkg -i` on all the .deb files. That will install them, but it doesn't change the version; we still need to reboot and swap the kernel version. To do that, well, let me just do `sudo reboot now`. One thing I found kind of annoying when doing this is that when you boot up Kali in VirtualBox, we go into the advanced options, but it doesn't show which version of the kernel you're actually booting. Hopefully, yeah, there we go, so I managed to get kali8 there, but you can see that I had a lot of different versions. Now we've rebooted, let's have a look at our kernel version, and you see now we're on kali8; we're ready to go and start generating the profile.

Let's go and open up the documentation; okay, I kept that open, that's handy. I'm going to go to the official GitHub here, and you can see we need to do a few things: we need to install dwarfdump and some other libraries. I've done all that already, because you can see that I've already got everything built on this system, so get all that installed if you need to do that locally, if you're working on this challenge or a similar one, and then we need to go to volatility/tools. Let me follow along these steps: `cd volatility/tools/linux`, we need to `make`, and then let's do `head module.dwarf`; there's our module.dwarf, and you can see here as well the symbols contained in System.map. I did have some issues with this stage; let me see if we have some issues here as well. System.map is in /boot, so let's `cat` /boot's System.map; do we have kali8? We have kali7, and kali9, which I had before I installed those headers, so we do have kali8 there and it's working okay. But the issue that I did have originally was that the System.map wasn't showing up, and I had to follow the steps along here to generate it. You can see that if you don't have the correct System.map then you can use `nm` on the vmlinux file. So let's `locate vmlinux`, and you'll see we have this file; if I run `nm` that will generate the correct System.map. You can see that I've already copied it over to /boot, but it did have to be manually copied over, so if we follow this and save to the Desktop as System.map, that is how I produced the System.map. Once we've got a System.map and a DWARF file as well, we can go ahead and zip up our profile, so let's do that, just copy this command over: we're zipping our module.dwarf and our System.map into the profile, and then we basically just need to copy that over to, for me, the Parrot VM, where we're going to analyse the memory dump. If we were doing this all within Kali we could also just use Volatility in here and copy over the memory dump, but I'm going to jump back over to the Parrot system.

Okay, so we're back over on Parrot; note that I don't have Volatility installed here at the moment, well, I do have Volatility installed, but I don't have the Volatility from GitHub, which we need the profiles folder from to copy this into. Well, that was the only way I was able to get this working myself, so rather than using the native version let's git clone it. Let's go into volatility and see what we've got; I'm using the Python 2 virtual environment. There is a Volatility 3, but the profile setup is a little bit different, so I'm just going to use this. We use `python setup.py install`, and you can see here we already have this plugins/overlays folder. Let's go back to our guide for the custom profiles, and you can see that what we need to do is generate our profile and then copy the zip over to overlays/linux. So let's copy our profile to volatility/plugins/overlays/linux, and now let's try to run `python vol.py --info`, and what we're hoping to see is the Linux profile. Scroll up past all the plugins, and you can see we have, yep, we have the Windows profiles here, and we now also have this LinuxProfilex64, so this is our custom Linux profile. Let's see if we can actually test this out now. You can see here we have a list of different Linux commands we can run, and our challenge was to find the parent process ID, process ID and name of a reconnaissance tool used by the attacker. For that we could use one of these process lists; let's do the aux one. So I'm going to run `python vol.py --profile=LinuxProfilex64`, and then we want our memory dump, so ~/Desktop/memdump (it doesn't have autocomplete), memdump.vmem, and then the command that we want to run, in this case linux_psaux. We get the full process list, and we can scroll up and have a look through it to see what's of interest, but it won't take us too long to find that we have Maltego running here, which is a well-known reconnaissance tool. We can have a look and see that our parent process ID is here, 1208, and it's launching this 1082, a bash command, both calling Maltego. So essentially the flag here was 1208_1082_MALTEGO.

The next part of the challenge is titled Password, and it says: what is the password of the actor? So if we go back to Volatility, let's go to the GitHub and have a look at the documentation; we'll look at the wiki, we have command references for Linux, and in here we can go and have a look at the different commands and what they do. We have some which sound particularly interesting, like linux_check_creds; we've been asked to find a password here, so that might be the first thing we want to run. Let's try that, linux_check_creds; let's go back and see what else we have as well. So we have check_creds; we could also list our bash history, where is that, linux_bash. Okay, so that didn't find any creds; let's have a look at the bash one, and it did retrieve some bash commands. We can see that Maltego was called, we have password here, reboot, history, but no credentials in there. Anyway, we would also want to start having a look around the file system, so we can enumerate files; let me go back up here, do we have a files section? So we can map memory, we have find_file, but it doesn't have the enumerate files option here. Let's just run this without an input and it'll give us a list of commands available; oh no it won't, we need to pass in -h. We get a list of commands here, and some of these commands aren't showing on the wiki, so for example we have linux_enumerate_files, which you can see there, so let's try to run that. We've enumerated the files in the file system; we might want to output that to a text file and grep through it for files of interest. Notice that we have an SMB share here, a server IP address, and we can see we've got a share, research, which might be of interest. You can see some trash here as well, but at the moment we're trying to recover some credentials. So we've enumerated the files; let's go and have a look at the find_file function, which says that we can pass in -F and a file directory, a location of a file, and find out whereabouts that is in memory, that inode, and using the inode we can then extract that file. So why don't we try that; go back (I didn't even check the files we enumerated there), let's just try to use linux_find_file and look for /etc/passwd. We've got the inode, so we should be able to take a copy of it and pass it in with the -i flag, and then -O for the output, and we'll just call this passwd. You can see it grabs that pretty quickly; let's have a look and see if it looks good. We have this user, invictus, which is going to be the user we're interested in. Let's see if we can do the same thing for the shadow file, which we could then use to crack the password, and we can just grab that inode as well. By the way, if you're wondering why this is going so fast for me, it's not my computer, it's just that I'm cutting out parts of the video; it does take a while sometimes, searching for files and things like that. So we'll save this to shadow, let's have a look at it, and that also looks good, so we do have a hash here to crack. Now Kali did actually recently change the hash format that it uses, and it's using yescrypt; I believe this is a recent update anyway. There seem to be some problems with hashcat at the moment in terms of cracking those hashes, so on this hashcat issues page I did notice that John the Ripper, or John jumbo, does support it if you use this pass-through, `--format=crypt`. So we'll grab this hash, take a copy of it, let's go to the Desktop and just put it in a file called hash, paste that in, and then let's try to run John. Let's just run `john hash` first of all, and then we'll pass in the wordlist, `--wordlist=rockyou-75.txt`. You'll see we've got "No password hashes loaded", so we need to provide this crypt format, as we saw in the hashcat GitHub issues, so let's pass that in; let me see if we can pass it in at the end, and you can see this time it's actually trying to crack the password hash. That took a few minutes to complete; we can see it reliably cracked our password of security1, so we can take a copy of that and input it as our flag for the third part of the challenge.

Let's move on to the fourth part, Password of the Share: the actor compromised sensitive credentials of the research center and used them to authenticate to a network share; what is the password of the network share they logged on to? You'll remember that when we were looking through the files we did see some mentions of a share called research, so let's see if we can have a look into that. This challenge did actually take me a long time to solve; I spent a long time going through files on the file system, which I don't want to do here, but let me just show: if we do linux_enumerate_files and I just grep for "log" to see what we've got. The way I actually went through this was: you can extract all the files in the file system into their relevant folders and then just browse them as you would your normal Linux file system. I'm not going to do that here, because it took a long time to extract them, but that's a good way to get around the file system. What we will find, though, which should have been a hint for me throughout the challenge, is that the solution for us is not going to be in the file system directly. If we go back to this cheat sheet on Volatility, we'll see that there's a memory dump section where it says that the memory dump of a process will extract everything of the current status of the process, while the procdump module will only extract the code. So we have this memdump for us; in Linux it'll be a slightly different command, which we can find here, but that's something that'll be worth bearing in mind. Obviously we need to find a process to dump in order to try to retrieve this password for the network share. So let's have a look here, look, we've got a syslog; why don't we have a look at that. We can do our find file, linux_find_file -i and -O syslog, and if we print out the syslog we should see in here we have this: okay, so Kerberos authentication with invictus at WORKGROUP not possible, and then we have this one here from gvfsd, the SMB spawner, and it's on PID 1315. So if we wanted to try to perform the dump that I mentioned, to do that in Linux we can do it as follows: we'll use linux_dump_map -p and then the process ID, which in this case is 1315. We try to run that and it comes back with an error saying we need to provide a directory, so let's make a new directory and provide that with -D dump, and this will extract a lot of different files for us. The reason this took me so long is that I was dumping a lot of different processes, including this one, but look how many files there are to go through. Let's go to the dump directory: we have all these files in here, we can check the file type, we can have a look at the strings, but we do have a lot in here, so again we might want to start grepping things. This is essentially what I did; I found that if we grep, let's grep for research, we have some files here which match. So I essentially went through each one, and let's run `strings -n 10` and grep for research on any which looked interesting. You can see these strings here which look interesting, so let's send this to a file, just call that temp, and we'll open that up and essentially just go through it. I went through each one at a time and looked for things like research and password, and the IP address of the share as well, until we find something. It doesn't look like this is the right one; let's try that with the second file as well, again having a look for research; doesn't look like any passwords. I did have a look for these hashes and see if anything was just in hex encoding. Let's try the third file; you could really just run strings on all five of these files, I guess, but I'm going to go through each one. We have plenty of "research" here, and we also have some mentions of password as well: retype password, enter new password. Just as we're going through this, look, we have this password here, or we have a string which looks like a password: shuttle 981 2983. So I grabbed that word when I saw it and submitted it as the password, and that was the correct password.

The fifth part of the challenge is worth 250 points, five times the points of the previous challenge: Stolen Information. Unfortunately it looks like some very sensitive information was stolen; can you recover it? We have this stolen pcap, which we know is part of this challenge, and it does say that it's relevant only for the last challenge; it doesn't mention whether the memory dump is also relevant for the last part of the challenge, which led me down some rabbit holes. So let's go and open up this pcap and see what's going on. When we open it up, the first thing I like to do is go and have a quick look at the file properties to find out what kind of pcap we're dealing with: it was captured over two minutes, it's got 653 packets, and we can see it was captured on the 1st of July. We can go and have a look at the protocol hierarchy as well and see what kind of data we're dealing with; in this case mostly SMB data. We have one UDP packet which we might want to go and check out; it doesn't look of interest. So let's just start scrolling through here and see what we see. We can see all these encrypted SMB packets, which we're not able to filter by; we have our protocol request at the beginning, let's have a look here, okay, we can see the IP address there. So essentially what I did at this point was go and have a look: can we decrypt SMB3, decrypt it in Wireshark. I'm going to show you a couple of the rabbit holes I went into before showing how I solved the challenge. There are a couple of articles here, and this PDF document as well, a PDF presentation about decrypting, well, it has some information about different features available in the new version of Wireshark, but you can see here that Wireshark can decrypt SMB3 traffic: it must have the initial connection steps, the user must provide a session key, and this is how we get the session key. So I was wondering whether we would need to grab some of this from the dump, and that was one of the rabbit holes I was going into. You can see that if we go into the protocols in Wireshark we can actually add some of this information; let's go and have a look at that. We've got Protocols, and this is how you would normally do the same for decrypting SSL and stuff as well; we go to SMB, SMB2, and you can see we've got the secret session keys for decryption, so we want to put in a session ID and a session key. I couldn't find a server-to-client or a client-to-server key, but it doesn't look like we need it anyway. Let me just go back and see where we can find this: we want to go through to our protocol request, and right here we have the Session Setup Request. If we go in here and drill down on this SMB protocol info, you'll see that we have our session ID right here; we don't need the 0x, but it's this b06d value, and then we also have a session key right here, b35056. So I'm going to go back to the preferences and back to our protocols, and let's try to input this into the SMB2 section. We need to add a new one; I'll just copy and paste this from my earlier notes: there's our session ID, which we just saw, and here's our session key as well. We paste that in, that's enough for us, click OK, and go back and see if we can have a look at the encrypted SMB data. Notice that we can't have a look at the encrypted SMB data, but the packet capture is looking a little bit different. When I was solving this I didn't actually realise that that had made a difference, because we still have all this encrypted SMB stuff, so at that point I started looking into alternative solutions. I was interested in this NTLMSSP stuff and found that there is actually a tool which can extract these hashes from packets, so let me go and open up this GitHub link. There's a tool, NTLMRawUnHide, and let's just git clone it; I'm going to run `python3 NTLMRawUnHide`, let me just minimise this so you can see it a bit better, and then we just need to pass in the packet capture, stolen.pcapng, and you can see it very quickly recovers our hash. So at this point I threw this hash into hashcat and started trying to crack it, but while I was doing that I was also looking into providing the passwords in the protocols in Wireshark. If we go back to Edit, Preferences, back to our protocols, and this time have a look for NTLM, you see here we've got NTLMSSP; let's try to enter our password, shuttle, which was from the last part of the challenge, and hit OK. So, is anything looking different here? It doesn't look like it at the moment; let's try to just close this down and open it up again. That's interesting, so it turns out that the solution I thought had solved it for me wasn't the solution initially. Although we've entered the SMB session key and session ID, and we've entered that NTLM password, we still don't have the decrypted data. So I'm just going to go back to another article which I used when I was trying to solve the challenge initially; the problem is, when you're trying to do so many things at once, sometimes things just start working and you're not sure exactly what you did to fix it. It looks like what I did earlier to get this working was changing the protocol settings for Kerberos, so let's go and have a look at that now. Go into Preferences, Protocols, KRB5, and you see we have here "Try to decrypt Kerberos blobs"; there we go, click OK, and you can see that now we've actually got decrypted SMB packets. So we could go and start looking through these and see what's going on; the first thing I did here was Export Objects, SMB, and you can see that we have all of our share objects. I'm just going to save them all to the Desktop, let's close this down, and now you can see we have these images; one of them is this image here, which has "CTF secret research facility" as the flag, and that's the fifth and final part of the forensics challenge solved.
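The CRC32 part of the first challenge, worked through as an added example. This is not code from the video, the CTF or any of the tools mentioned in it; the chosen prefix `b"admin"` and the sample passwords are arbitrary, and `hashcat_11500()` is just a formatter for the `hash:00000000` shape hashcat's mode 11500 expects (including the signed-to-unsigned conversion the video does by hand). The point it shows beyond the walkthrough is why the cracked value "wasn't necessarily the password that was used": CRC32 is a linear checksum, not a hash, so a string with a chosen prefix can be steered to any target CRC by appending four computed bytes, no wordlist or rule needed.

```python
"""Added example: CRC32 formatting for hashcat -m 11500, and a direct
CRC32 collision built by appending four bytes (CRC32 is linear)."""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib
MASK = 0xFFFFFFFF

# Standard byte-at-a-time lookup table.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The high byte of each table entry is unique, so an observed high byte
# identifies the table index used at that step. This is what makes the
# backward search in forge_suffix() possible.
TOP = {TABLE[i] >> 24: i for i in range(256)}
assert len(TOP) == 256


def crc32(data):
    """Plain CRC32 (unsigned), wrapping zlib for readability."""
    return zlib.crc32(data) & MASK


def to_unsigned(crc):
    """Reduce a possibly negative (signed 32-bit) CRC to 0..2**32-1."""
    return crc % (1 << 32)


def hashcat_11500(crc):
    """Format a CRC32 the way hashcat -m 11500 expects it: hex:00000000."""
    return "%08x:00000000" % to_unsigned(crc)


def crc32_register(data):
    """CRC register value after processing data, before the final XOR."""
    return zlib.crc32(data) ^ MASK


def forge_suffix(prefix, target_crc):
    """Return 4 bytes s such that crc32(prefix + s) == target_crc."""
    want = to_unsigned(target_crc) ^ MASK  # register value we must end on
    # Backward pass: from the final register, recover the table index of
    # each of the last four byte steps. Only the high byte is needed.
    indices = []
    cur = want
    for _ in range(4):
        i = TOP[cur >> 24]
        indices.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & MASK  # bring previous register's bits into view
    indices.reverse()
    # Forward pass: from the prefix's register, pick each byte so that the
    # table index at that step matches the one recovered above.
    reg = crc32_register(prefix)
    out = bytearray()
    for i in indices:
        b = (reg ^ i) & 0xFF
        out.append(b)
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    assert reg == want
    return bytes(out)


def collide(target_password, chosen_prefix=b"admin"):
    """Build a string starting with chosen_prefix whose CRC32 equals
    that of target_password. Returns (forged_bytes, shared_crc)."""
    t = crc32(target_password)
    return chosen_prefix + forge_suffix(chosen_prefix, t), t


if __name__ == "__main__":
    # Constructed sample: "password" stands in for the unknown admin password.
    forged, t = collide(b"password")
    print("hashcat input:", hashcat_11500(t))
    print("forged:", forged.hex(), "collides:", crc32(forged) == t)
```

The forged suffix is usually not printable, so it would not come out of a wordlist run; it still logs in anywhere the check is `crc32(input) == stored`, which is the weakness the challenge flag is pointing at.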
Info
Channel: CryptoCat
Views: 2,336
Keywords: ctf, capture the flag, hacky holidays, space race, hackazon, deloitte, hacking, wargames, writeup, walkthrough, tutorial, infosec, reversing, reverse engineering, assembly, reveng, crypto, stego, misc, forensics, web, osint, pwn, exploit, security, cyber-security, kali, ida, ghidra, pwntools, malware, learn, hacker, h4x0r, cyberchef, debugging, gdb, pwndbg, pen-testing, disassembly, python, radare, hackathon, jwt, seccomp, aws, ppc, volatility, vol, memory dump, dwarf, port knocking, wireshark, tshark, privesc, red team, offsec, oscp, xor
Id: hY446_xs-DE
Length: 120min 58sec (7258 seconds)
Published: Mon Jul 26 2021