Hidden

For this challenge we are given two files: Taking a look at the executable first, we see that it's a fairly simple program that appears to be XORing a pre-existing flag and then writing it to a file. Since it appears the flag is hard coded in the binary, with a dummy flag being present in the binary given to us, the first step is to extract the XORed output since we can use the following property of XOR to calculate the flag: (key XOR flag) XOR (key XOR dummyflag) XOR dummyflag = flag ...

Invitation

In this forensics challenge we are given a word document, and this one does have macros! We can extract the macros using olevba, and see that the code is: However, instead of deobfuscating this ourselves, we can get something else to do the work for us. [ViperMonkey], another incredibly useful tool by [Philippe Lagadec], can be used to emulate the VBA macros. It does this by essentially converting the macro code to Python,...

AlienPhish

In this forensics challenge we are given a Powerpoint that we need to analyse. The will be expecting there to be macros that we will need to analyse / Reverse Engieer to figure out the flag. We can first use olevba for this, this is a tool by [Philippe Lagadec] who has made a whole collection of Office Forensics tools. However, as seen above there are no macros in the file. Instead of further analysis, we can simply run the (likely) malicious file in a malware...

PhaseStream 3

We are given the following Python code which encrypts two messages with the SAME KEY in AES Counter mode, we know of the the plaintexts. Because the key is reused, it is actually fairly easy to decrypt the flag. (See [here] for someone who knows what they're on about, and a program to do it, but I'm going to do it in CyberChef.) If you're interested, it's called a known-plaintext attack. Succinctly, because the key is reused in Counter mode: p1 xor...

PhaseStream 4

We are given the following code, a slight advance on the previous PhaseStream challenges as we are only given two ciphertexts, and no plaintext. The code encrypts two messages with the same key using AES in Counter mode. As we established in the previous PhaseStream challenges counter mode is bad! Because these two plaintexts are encrypted with the same key in counter mode, it essentially becomes an XOR...apparently. Borrowing from...

Off the grid

Again, we are given a capture. This time it's the communication between a device an an OLED screen. We've also been given a schematic showing which channels go to which pins on the device. After a quick search we find that this OLED screen communicates over both i2c and SPI, with the pins in the schematic matching a 3-wire SPI interface. Loading an analyzer up in Saleae Logic we see this: To...

secure

Once again we have a capture of some wire protocol, supposedly this is a capture of a device communicating with a micro SD card. Opening it up in Saleae Logic shows the following: After having a bit of a google we find that SD cards communicate over a protocol known as Serial Peripheral Interface (SPI), so we use the analyzer on the capture. Deciding which channels in the capture map to...

Input as a Service

Connected to the service and discovered that it was a Python prompt/eval Typed some sums to confirm this: Imported os so that I could use ls, and discovered the flag in the same directory.

compromised

Similarly to [serial_logs] we've been given a .sal file. Opening this up in Saleae Logic we see two channels with data in: When playing around with the analyzers earlier I noticed that the I2C analyzer takes input from two channels, so I tried that. It seemed to decode correctly and showed a sequence of writes to two different addresses. | | | |-|-| |...

serial_logs

We've been given a file supposedly containing serial logs, a sal file. Since there was a similar challenge in the previous CTF: [block] I guessed that I'd be able to open this in Saleae Logic (which has been updated to version 2 since the last writeup). Opening up this file in Logic we see the captured communications in 'channel 1': To decode this we can use the 'async serial' analyzer....

pwnEd Crypto: scuffed_rsa

We're given a broken implementation of RSA in Python: The first things to notice are that e isn't the usual 65537, and isn't prime either. Then n evaluates to just p instead of pq, so the output we're given: uses the wrong private key. So, we're given n which is prime, thus there isn't really a p or q, the ciphertext c and e. Using sources to [work out how RSA works] and [calculate the correct value for d]([https://whiteheadsoftware.dev/rsa-]...

PwnEd: PreCTF part 5

Once we have access to the webserver, we find a SUID binary owned by root and the source code: This is a classic TOC/TOU vulnerability, if we pass it a symlink we can change what the symlink points to after the program checks file access, but before reading the file, we can have it read any file. So with a simple program that rapidly exchanges two symlinks: Then, while running this program at the same time as spamming the SUID program: The flag is eventually printed.

Simulation

Another binary cheesed by angr:

PLUG

We are given a packet capture containing USB packets: We can use tshark to extract the packet data to a file: Running binwalk: We can use [PCRT] to extract the png: ||| |-|-| | | | The QR code contains the flag: HTB{IN73R3S7iNG_Us8_s7UFf}

HTBxUni AI

HTBxUni AI was a misc challenge where we are given the information that there's a discord bot on Hack The Box Discord called HTB X Uni AI and we need to shut it down Firstly we retrieved the Discord ID of this bot so we could try to invite him to some server where we could interact with him So we get the ID 764609448089092119 Then using this ID we can invite the bot to our server using a...

Welcome

Hey! Who left this flag just lying around... HTB{l3t_th3_htb_x_uni_ctf_pwn1ng_b3g1n}

kindergarten

Kindergarten is the first pwn challenge of the HTB x UNI 2020 CTF, we are given a 64 bit ELF binary which we must exploit to read a flag stored on the server. Using Ghidra we can decompile the binary and read a rough representation of the original code. In the main method we find a C read call which writes to an area of memory labelled ans which is 90 bytes long at 0x602040. Then a...

Weak RSA

This crypto challenge is also relatively straightforward, it's a copy of another crypto challenge. We are given a Public Key and an enciphered message, we can use the [RsaCtfTool.py] and it somehow manages to derive the private key from the public key, and then decipher the encrypted message using this private key. The flag is HTB{b16_e_5m4ll_d_3qu4l5_w31n3r_4774ck}. ⚡ Magic ⚡

Nuclear Disaster

In this crypto challenge, we are given a file with 5 different parameters in: n, e, a, g, c, and c2: Googling for similar challenges gives us [this], we can just use the script from there to solve ours. It gives us the output: 3xtr4H34t1nr34ct0r. This is the password for the root user on the box, so we can just su root, enter the password and then grab the flag! ...

Warren Buffer

We are again given a PCAP, this contains a mixture of both encrypted TLS and plaintext HTTP. (Eventually) we noticed that the last character of each useragent in each of the HTTP requests is different: Collecting all of these together, we get 68 74 74 70 73 25 33 41 2f 2f 67 68 6f 73 74 62 69 6e 2e 63 6f 2f 70 61 73 74 65 2f 79 71 74 73 65 6b 39 33, converting this from hex we get a URL:...

Exfil

We are given a PCAP file that we can view in Wireshark, this contains a lot of packets, but none of these seem to contain much actual information. Giving it a closer look, it appears to be exfiltrating each bit of a character of various fields at a time. It will sleep for three seconds if the bit is a 1, or return immediately if it is a 0. After some trial and error, we can select only the relevent packets by using the packet filter...

Gunship

Gunship is the first web challenge of the HTB x UNI 2020 CTF, we are given a webpage titled "AST Injection" and containing an input form which sends a JSON object to the server. In the source code we find that Handlebars is used for templates, and there is a mention to AST Injection by po6ix. Using google we can find an article which explains methods for AST Injection and Prototype pollution on two templating frameworks, Handlebars and Pug. ...

Cache

We are presented with a webpage, and we have to provide a URL such that we can eventually read a local file, and the /flag endpoint. We are given the code for this, an obvious solution would be to simply provide a URL such as http://localhost:1337/flag, but in the source code we can see that local IP addresses are disallowed. We can see that this explicitly disallows a local IP as if we try it, we get an error back: Instead, what we can...

kapKan

kapKan was a Forensics Challenge from HTB x Uni CTF 2020. We are given a blank word document named invoice.docx, opening the file gives us a blank word document. Although, on opening we get the following warning: The warning suggests there is something going on deeper within this file. We go on to open to document in some text editor and investigate. After a quick scan through we find the following interesting tag: `<w:fldSimple w:instr="...

Block

Block provides us with a binary dump named dump.bin and a capture of a serial communication sequence.logicdata. We can use Saleae Logic to open the sequence.logicdata file and analyze it. After interpreting the file as an 'async serial' communication with even parity bits we see some useful data: Which can then be formatted into the following: Which, after some fiddling I found that the first digit of each number represented the sector...

IRCWare

IRCWare is a program that connects to 127.0.0.1:8000 and acts as an IRC Client, when it first connects it sends the following 'commands': Analyzing the program in radare2 we see that it uses no library functions, and does all IO by making syscalls itself: After connecting to the socket and printing it's opening message, the program enters a loop of reading input into a buffer, and processing the input: ...

Patch of the ninja

Patch of the ninja is a nice gameboy advance game where you have to 'patch the evil spirits away'. ||| |-|-| | | | However the flag was just in the binary unmodified.

moneyHeist

We are given the source code for a smart contract on the Ethereum blockchain, and the address where it has been deployed. The goal is to empty the balance and then request the flag from the challenge site using the Check Flag button. | Challenge page | | |-|-| | | | The contract address: 0x396D73A08F112e67dd89245707BbDc00dCFA24F7...

My name is (what?)

my_name_is is a 32 bit linux executable. Upon opening it in radare2 we find that it first checks if a debugger is attached by calling ptrace and checking the result: However we can just patch the binary to ignore this check lol. By tracing the library calls with ltrace we see that the program fetches our user id with geteuid, then gets the passwd field (which contains our username,...

Buggy Time Machine

We are given the code to a random number generator (RNG) and the goal is to determine the internal state of the RNG so that we provide it with a seed such that it will produce a given output (2020) - doing so gives us the flag! From the code, we can determine the it uses a [Linear congruential generator (LCG)], which is known to be weak; this uses a multiplier (m), addition (c) and modular value (n) to compute the next state,...

VVVV8

VVVV8 is a patch to [V8] that adds a fourth parameter to TypedArray.copyWithin. [TypedArray] is an interface used by objects such as [Uint8Array] These objects can be used to wrap [ArrayBuffer]([https://developer.mozilla.org/en-]...

@Dive_Monkey challenge

Completed using Kali Linux OS, Wireshark, zsteg tool and GCHQ’s Cyber Chef. First, we are presented with the file, LUHack.pcapng. pcapng is a filetype packet capture format which holds a data dump that has been collected over a network. In order to find what we want to from this file, we had to export as a HTTP. By exporting the objects on the PCAPNG file as HTTP we are given a ZIP file containing a image of the matrix. This was unzipped...

Borderlands

For borderlands we are given the IP of a web application running inside a network named network 1. Upon running an application scan with nmap -A we observe that there is an exposed git repository: We can use [git-dumper] to dump this repo: Now we can see the source of the website: Inside home.php we find the first flag: Inside the git log there is a commit with the message: We can use git diff to show us the changes in that commit: Which gives us...

Checks

Checks is a rather simple program, it performs a few simple checks but took a while to fully understand as it is statically linked, preventing use of ltrace to trace libc calls. The first check the program performs is to retrieve the username of the user running the program. And to then compare it with the string '800'. To bypass this check, I opted to replace the username string with...

QR Codes

There were three posters around the room that the competition was being held in. Each poster had a QR code on it with some parts missing (We were later sent the original files, which will be used in the writeup as they are better quality). QR Code 1: QR Code 2: QR Code 3: Luckily, upon scanning the first QR code,...

Kittykoinz

*"The inventor of kittykoinz had the great idea to implement a transaction fee, so she can get more moneyz. She stressed the developers to get this feature ASAP. Never stress the devs..."* We are provided with a web version of this program to netcat to, and the source code as a jar file. After patching the jar file so that it will run, we are provided with the following options: Let's try and get the flag: ...

Matroyshka

Matryoshka a.k.a. Russian nesting dolls are a set of wooden dolls of decreasing size which are designed to fit inside each other. The name of this challenge suggested that there would be multiple layers of challenges to solve This challenge provided us with a file containing a large base64 encoded string: Decoding the base64 to ascii produced another base64 string but with additional obstacles: ...

Smart Steganography

A more challenging steganography challenge using least-significant-bit encoding. We are given a large PNG of some smarties (cropped): Usual steganographic methods don't seem to return anything significant, but the large filesize of the image indicates that maybe there is something encoded in the least significant bit of each pixel in the image. We can use Python and the PIL library to extract the least significant bit of each pixel...

Stadiums

"Jamie, a big football fan, created his very first web site. Since it is so handy to have a publicly accessible web site, Jamie also stores a secret file on it, which he often needs to access from remote. Can you find this file?" Accessing the site at the URL given shows us this page: A good first step with web challenges is to use nikto to scan for common vulnerabilities - The result of the scan is shown below: ![Nikto...

Aegypius Monachus

This challenge gives us the ciphertext: prnea{43clscfif3u}tlr. After trying several ciphers I found that it was a rail fence cipher with 4 rails. To decode we write out how the string would be encoded To encrypt the string, the characters of the string would be written down in the order given above, then read off left to right, to to bottom (1,7,13,19,2,6,...) So, to decode we just write in the characters of the ciphertext left to right, and read off in the zigzag pattern. Giving us the flag:...

Hotel

We're given a URL and a pcap file, being told that we have captured some traffic from "Jake". First thing we need to do is open the pcap in Wireshark. If we've captured traffic, hopefully it will include the username and password. Once in Wireshark we filter by http We're looking for POST requests, and more specifically, the data the contain. There are two in the screenshot above, the first one contains the following: ![First POST...

Fish 'n' Chips

The message given on the challenge page: Very simple substitution, replacing 🍟 with - and 🐟 with . gives us morse code: pactf{- .... . ..-. .. ... .... -- ..- ... - -... . .... .- -.. -.. --- -.-. -.-} Decoded to ASCII: pactf{THEFISHMUSTBEHADDOCK}

Snapshots

We are given a dump from a thumbdrive and need to find a flag hidden in one of the images. We can use foremost or photorec to recover the images, I will use foremost. Looking in the files that it found, we see the flag in one of the images. Flag: pactf{pictUR3-PICture!!}

Welcome to Manchester

We are given a stream of binary data that we must somehow decode. We eventually worked out that it used Manchester Coding. We can use an online decoder (such as [this]) to decode it, we are then left with: We can then decode this from binary in [CyberChef] into ASCII and this gives us the flag: Flag: pactf{ph4sE-enc0d1ng-PE}

Rolling Printer

We are given an image of a QR code and are tasked to find out when the file was printed. We are told that the flag is in the format pactf{yyyyMMddHHmm}. We first look in the metadata to find out when the image was created None of the dates or times are the correct flag (we are later told that it is not about the creation data or anything found in the metadata). However, if we open the image in paint on Windows, and then fill the background with black, some marks appear that we could not see...

Trailer

This is a simple steganography challenge, this was easily solved by running the standard stego tools. We are given a PNG image of a tractor. Nothing visually stands out in the image so we can run strings on it. We can then use grep to search for the flag as we know that the flag format is pactf{...}. strings trailer.jpg | grep pactf We get nothing, is there a file hidden inside the image? It has found an image, this can also be done with foremost. If we open the extracted image, we can see the...

Sharp Look

In the CTF we were given two images. As the description said ''Look sharp and compare the two images!''. So basically by having image 1 - [http://prntscr.com/nan35psqt] and image 2 - [http://prntscr.com/nan35p], I decided to go with the terminal in Linux to find the hidden flag but I didn't use the terminal properly and it resulted in googling for simple image comparer online - [https://www.imgonline.com.ua/eng/difference-between-two-images.php] . By uploading the two images and putting the result...

Flag Calculator

First we decompiled the program using dnSpy, yielding: I made a guess that not much was being done, and that the program was only slow due to c# being slow. And rewrote it into C. The result is: pactf{dot4019346342N3T}

Secret Service Online

We were provided with an assembly file that seems to be the result of having GCC dump the assembly of a C program. First I assembled the assembly into an executable program using gcc sso.s -o sso Then the assembled program was inspected with radare2 to find the address of the final branches that either displays 'FAIL' or the flag, these were noted down and used in a simple angr script to find an input string that results in the success state being reached. This results in: After finding a valid...

Kangaroo Jack

Kangaroo jack is a simple buffer overflow, we start by opening up the program in radare2 Here we can see that there is a function named flag, I take a guess that we need to jump to this function and then the flag will be printed. I take a look into main to see how large the buffer is, seems it's 0x400 bytes (1024) Once I know the rough offset, I open the...