duckie

@duckie

i hack whatever i can

Joined on Mar 27, 2020

  • These will include the challenges I was able to do in the last 2 hours of the 24-hour CTF @ CodeFest 2021. I was able to solve the entire pwn category, which was easy and beginner friendly, and one forensics challenge, which was very practical and straightforward. Pwn Category C is Hard Download files from here This was the first challenge, which had a stack overflow vulnerability; the goal was to overflow buf and call a hidden function called print_flag. Let's start by analyzing the function in radare2. r2 -R'stdin=input.txt' ./source_fixed.
  • Points: 100 This is the writeup for the challenge start from pwnable.tw. This is the very first challenge on the website and a simple one for that matter. There is a simple buffer overflow on the binary but no jmp to esp gadget, so we need to create a rop chain to find the address of esp and then jmp to it in order to make the binary execute our shellcode. That being said let's get started. Analyzing the binary We can download the binary from the site and throw it in gdb to get a closer look. gdb ./start
  • Category : Toddler's Bottle The challenge flag is in the reverse engineering category. Reverse engineering is a handy skill to have while pwning binaries. The challenge gives only a binary, and the prompt mentions that it has malloc'd a buffer and saved the flag in it. So let's start the challenge. Let's read the prompt and download the important files to our box. wget http://pwnable.kr/bin/flag chmod +x flag Dry Run Let's give the binary a dry run and see what happens.
  • Category : Toddler's Bottle The third challenge from pwnable.kr is bof. But the twist here is that it's not the vanilla bof we see everywhere. The vanilla bof is simple: we overflow the buffer, overwrite eip and then make it execute the payload. Here we need to overwrite a specific variable in order to gain command execution on the server. So let's get started. Setup GDB I will be using the gdb debugger with the peda extension to exploit this challenge. So you can install gdb from your Linux repositories and download peda from here. Let's start by reading the challenge prompt and downloading the important files to our box. wget "http://pwnable.kr/bin/bof" wget "http://pwnable.kr/bin/bof.c"
  • Category : Toddler's Bottle This blog post will be part of the binary exploitation series. I am new to this kind of stuff and will be posting about it as I learn. In this series we will be hacking pwnable.kr challenges. I heard that it is a great resource to learn from. Toddler's Bottle So the first category is Toddler's Bottle. They are supposed to be easy, beginner-level binary exploitation challenges. Thus we will be starting from there. fd The first challenge's name is fd and it talks about Linux file descriptors in the challenge prompt. Let's log into the server and check the binary. We ssh into the server with the password guest.
  • Category : Toddler's Bottle The second challenge from the binary exploitation series that I'll be posting. This challenge is Collision and is supposed to be loosely based around the hash collision concept. Let's start with the challenge prompt. The challenge prompt talks about md5 hash collisions and we get the login credentials for the server. Log into the server and copy all the files to your box to analyse them further. scp -P 2222 col@pwnable.kr:/home/col/col* . Dry Run
  • Natas 0 The level is really simple: the prompt says that you can find the password on this page. If you right-click to view the page source you can find the password there. This can also be achieved by pressing Ctrl+U, a handy shortcut. One can also go full hackerman and use inspect element to view the source in order to retrieve the password. Natas1 This level is similar to Natas level 0, but here the makers have disabled the right-click functionality. Intended Solution
  • BrainFuck was a nice quick box to go through on the HackTheBox site. It was rated insane but it felt more like a medium box. The box had 2 name-based virtual hosts serving two different sites. One was WordPress and the other was a text forum based on Flarum. We had to exploit both servers to gain SSH access to the box. The box also had an SMTP server that was not intended for exploitation but merely to interact with. So let's get started! Nmap We start with the Nmap scan to see which ports are open on the box. # Nmap 7.80 scan initiated Thu Mar 26 22:25:36 2020 as: Nmap -sC -sV -oN Nmap/brainfuck 10.10.10.17 Nmap scan report for 10.10.10.17 Host is up (0.41s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION
  • Devel was also a simple Windows box in which we find FTP listening on port 21 with anonymous login allowed, which lets us put files on the server. The FTP directory was hosted by the IIS 7 web service on port 80. We place an ASPX shell through FTP to get RCE, then do privesc on the Windows 7 box with MS15-051. Nmap Scan We will run an nmap scan to find all the open ports on the server; to do so, run the following command. nmap -sC -sV -oN nmap/devel 10.10.10.5 which gets us the following output, # Nmap 7.80 scan initiated Tue Mar 17 20:25:42 2020 as: nmap -sC -sV -oN nmap/devel 10.10.10.5
  • Granny is a simple HackTheBox box in which we will exploit improper permissions on the HTTP methods to get RCE and then leverage it with a malicious ASPX file to gain a meterpreter session. For privilege escalation we will use the Windows ms14_070_tcpip_ioctl exploit. So let's get started. Nmap We start with the nmap scan to find all the ports. I will also run an nmap scan for all ports in the background to have some enumeration running while we work. nmap -sC -sV -oN nmap/granny 10.10.10.15 nmap scan for all ports in background nmap -p- -v -oN nmap/allports 10.10.10.15
  • Luke was a simple box with no privilege escalation, but there was a lot of enumeration, so let's get started. Nmap nmap -sC -sV -oA nmap/luke 10.10.10.137 # Nmap 7.70 scan initiated Mon May 27 05:07:59 2019 as: nmap -sC -sV -oA Luke 10.10.10.137 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 15:57 IST Nmap scan report for luke.io (10.10.10.137) Host is up (0.16s latency). Not shown: 995 closed ports
  • nmap -sC -sV -oA nmap/onetwoseven.htb 10.10.10.133 # Nmap 7.70 scan initiated Wed Apr 24 15:36:04 2019 as: nmap -Pn -sC -sV -oA nmap/onetwoseven 10.10.10.133 Nmap scan report for 10.10.10.133 Host is up (0.16s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)