
I am one of the organizers and challenge authors of this CTF. In this writeup I'll walk through solving two of the machines I made: White, an Ubuntu Linux box, and Get Leet 2, a Windows box. Starting with White, the Linux one!


WHITE

I'm just gonna go ahead fast with this LOL. We have ports 80 and 22 open. Port 80 serves the default Apache page, so I run gobuster with the wordlist SecLists/Fuzzing/fuzz-Bo0oM.txt and get /secret/. Its index.php is a rabbit hole, but dirsearching inside the directory finds index.txt, which carries credentials for a user named marce with the password marce@2021. I use those creds to log in over SSH, and we are in. Checking the user's sudo privileges:

marce@white:~$ sudo -l
Matching Defaults entries for marce on
    white.fqwkjfhbenledfj4uincv222dc.bx.internal.cloudapp.net:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marce may run the following commands on
        white.fqwkjfhbenledfj4uincv222dc.bx.internal.cloudapp.net:
    (ALL) NOPASSWD: /usr/bin/escalator

So marce can run the binary /usr/bin/escalator as root through sudo, and without a password:

marce@white:~$ sudo escalator
BLACKTEK SOLUTIONS WRITER
enter password : admin
Imposter!!!!!

Okay, so we don't have the password. Now we reverse engineer the binary: pull it to our local machine with netcat, then open it in radare2 (the afl listing below) to understand how it behaves:

[0x7f30aff86090]> afl
0x5650cf53f080    1 42           entry0
0x5650cf541fe0    1 4124         reloc.__libc_start_main
0x5650cf53f0b0    4 41   -> 34   sym.deregister_tm_clones
0x5650cf53f0e0    4 57   -> 51   sym.register_tm_clones
0x5650cf53f120    5 57   -> 50   sym.__do_global_dtors_aux
0x5650cf53f070    1 6            sym.imp.__cxa_finalize
0x5650cf53f160    1 5            entry.init0
0x5650cf53f000    3 23           map._home_tahaafarooq_Desktop_gameofhacks_machines_white_escalator.r_x
0x5650cf53f250    1 1            sym.__libc_csu_fini
0x5650cf53f254    1 9            sym._fini
0x5650cf53f1b5    4 54           sym.PassVerify
0x5650cf53f1f0    4 93           sym.__libc_csu_init
0x5650cf53f165    1 80           main
0x5650cf53f030    1 6            sym.imp.puts
0x5650cf53f050    1 6            sym.imp.printf
0x5650cf53f060    1 6            sym.imp.__isoc99_scanf
0x5650cf53f040    1 6            sym.imp.system
0x5650cf53e000    3 376  -> 365  loc.imp._ITM_deregisterTMCloneTable
0x5650cf53e1aa    5 32   -> 55   fcn.5650cf53e1aa

As shown, two functions stand out and need a closer look: main and sym.PassVerify. Let's start with main:

[screenshot of the main disassembly in radare2; image not available]

We see that main asks for a password and then passes the entered value to sym.PassVerify. Now let's disassemble that function:

[screenshot of the sym.PassVerify disassembly in radare2; image not available]

mov eax, dword [rax]
cmp eax, 0x208d9

As shown, the value is loaded as a 4-byte integer (mov eax, dword [rax]) and compared numerically against the constant 0x208d9, which is 133337 in decimal. So the "password" is a number, which is also why a string like admin was rejected. Let's try 133337 this time:

marce@white:~$ sudo escalator
BLACKTEK SOLUTIONS WRITER
enter password : 133337
h4k-it{3c1d660d022cb17617aba460c40b339d}

And there we have the flag! The takeaway: a NOPASSWD sudo rule on a custom binary is only as strong as the check inside that binary, and a constant baked into an executable that any user can read is recoverable by anyone who bothers to disassemble it.
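The constant above was found by reading the disassembly by eye. As an added example (not part of the original writeup and not the escalator binary's own code), the Python below scans a byte blob for the `cmp eax, imm32` encoding (opcode 0x3D followed by a little-endian immediate) and decodes every immediate, which is a quick way to list candidate hardcoded numeric passwords before confirming them in radare2. The sample bytes are constructed: they mirror the two instructions quoted above plus a `lea` whose ModRM byte happens to be 0x3D, which shows why a raw byte scan is only a candidate list and needs confirmation at the offset.

```python
import struct
import sys

CMP_EAX_IMM32 = 0x3D  # x86/x86-64 opcode: cmp eax, imm32 (5 bytes: 3D id)


def find_cmp_eax_immediates(code: bytes):
    """Return (offset, immediate) for every position that decodes as `cmp eax, imm32`.

    This is a linear byte scan, not a disassembly: a 0x3D byte that belongs to
    another instruction (a ModRM byte, a displacement, data) yields a false
    positive, so treat the results as candidates to confirm in radare2/objdump.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] == CMP_EAX_IMM32:
            imm = struct.unpack_from("<I", code, off + 1)[0]  # little-endian imm32
            hits.append((off, imm))
    return hits


def candidate_passwords(code: bytes, lo: int = 1000, hi: int = 10**8):
    """Immediates in the range a hand-typed numeric password plausibly falls into."""
    return sorted({imm for _, imm in find_cmp_eax_immediates(code) if lo <= imm <= hi})


# Constructed sample (an assumption about what a PassVerify-style function might
# compile to; these are NOT the bytes of the real escalator binary):
#   55                    push rbp
#   48 89 e5              mov rbp, rsp
#   48 8b 45 f8           mov rax, [rbp-8]
#   8b 00                 mov eax, dword [rax]
#   3d d9 08 02 00        cmp eax, 0x208d9        <- the real hit (133337)
#   75 0c                 jne +0x0c
#   48 8d 3d a9 0e 00 00  lea rdi, [rip+0xea9]    <- ModRM byte is 0x3D: false positive (0xea9)
#   e8 00 00 00 00        call rel32
#   c9 c3                 leave; ret
SAMPLE = bytes.fromhex(
    "55 4889e5 488b45f8 8b00 3dd9080200 750c 488d3da90e0000 e800000000 c9c3"
)

if __name__ == "__main__":
    # Pass a path to scan a whole file (no ELF section parsing: .data and headers
    # are scanned too, which only adds candidates); otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, imm in find_cmp_eax_immediates(data):
        print(f"offset {off:#06x}: cmp eax, {imm:#x}  (decimal {imm})")
    print("plausible numeric passwords:", candidate_passwords(data))
```

Run it against the pulled binary (`python3 scan.py escalator`) and check each reported offset in radare2 with `pd 3 @ <offset>`; only the hit that sits on an instruction boundary inside PassVerify is the real comparison.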


GET LEET 2

This is a Windows box, and also apparently the first Windows box I've ever made hehe!

First, a quick nmap scan:

┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ nmap -F 20.124.220.101            
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-21 11:30 EAT
Nmap scan report for 20.124.220.101
Host is up (0.32s latency).
Not shown: 92 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49154/tcp open  unknown
49155/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds

We have port 80 (HTTP) and port 21 (FTP) open, along with 135 (MSRPC) and 139/445 (NetBIOS and SMB), and also 3389, which is RDP.

Port 80 serves the default IIS page, so I dirbust it with gobuster to check for hidden folders or files:

┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ gobuster dir -u http://20.124.220.101/ -w fuzz-Bo0oM.txt                                                          130 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://20.124.220.101/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                fuzz-Bo0oM.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/21 11:34:21 Starting gobuster in directory enumeration mode
===============================================================
/%2e%2e//google.com   (Status: 403) [Size: 312]
/\..\..\..\..\..\..\..\..\..\etc\passwd (Status: 403) [Size: 312]
/Secret/              (Status: 200) [Size: 326]                  
/secret/              (Status: 200) [Size: 326]                  
                                                                 
===============================================================
2021/11/21 11:36:48 Finished
===============================================================

Having found a directory named secret, I open it:

[screenshot of the /secret/ page; image not available]

Nothing specific was visible on the page, but the source contains an HTML comment (note the malformed closing delimiter, which is exactly how it appears on the box):

<!--britney:br1t****--!>

That looks like credentials with a partially masked password, but of course they didn't work on SMB or anywhere else that needs authentication. So I dirbust again, this time inside /secret/:

┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ gobuster dir -u http://20.124.220.101/secret/ -w fuzz-Bo0oM.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://20.124.220.101/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                fuzz-Bo0oM.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/21 11:42:08 Starting gobuster in directory enumeration mode
===============================================================
/\..\..\..\..\..\..\..\..\..\etc\passwd (Status: 403) [Size: 312]
/index.html           (Status: 200) [Size: 326]                  
/users.txt            (Status: 200) [Size: 308]                  
                                                                 
===============================================================
2021/11/21 11:44:35 Finished
===============================================================

and we see users.txt. Reading it:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ cat users.txt
creds -> it usually start with br1t but then I easily forget the other following words, maybe br1tney or br1tneer! or br1tn3yy or br1tn3y!@ or br1tn3y@

So we now have several candidate passwords for britney. I try them against SMB:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient -L //20.124.220.101/ -U britney                                                                           1 ⨯
Enter WORKGROUP\britney's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C               Disk      
        C$              Disk      Default share
        D$              Disk      Default share
        inetpub         Disk      
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

The password br1tn3y@ worked, and I see we have access to the inetpub share, so I open it to look for any creds:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient //20.124.220.101/inetpub -U britney 
Enter WORKGROUP\britney's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Nov 19 14:04:46 2021
  ..                                  D        0  Fri Nov 19 14:04:46 2021
  custerr                             D        0  Fri Nov 19 14:04:46 2021
  temp                                D        0  Fri Nov 19 20:17:33 2021
  wwwroot                             D        0  Fri Nov 19 20:17:33 2021

                7736063 blocks of size 4096. 4426628 blocks available
smb: \> cd wwwroot
smb: \wwwroot\> dir
  .                                   D        0  Fri Nov 19 20:17:33 2021
  ..                                  D        0  Fri Nov 19 20:17:33 2021
  iis-85.png                          A    99710  Fri Nov 19 14:01:20 2021
  iisstart.htm                        A      701  Fri Nov 19 14:01:20 2021
  secret                              D        0  Sun Nov 21 11:08:58 2021

                7736063 blocks of size 4096. 4426628 blocks available
smb: \wwwroot\> cd secret
smb: \wwwroot\secret\> dir
  .                                   D        0  Sun Nov 21 11:08:58 2021
  ..                                  D        0  Sun Nov 21 11:08:58 2021
  index.html                          A      326  Fri Nov 19 14:55:12 2021
  users.txt                           A      308  Fri Nov 19 14:58:02 2021

                7736063 blocks of size 4096. 4426628 blocks available
smb: \wwwroot\secret\> 

Nothing useful inside wwwroot so far, so I move to temp:

smb: \temp\> dir
  .                                   D        0  Fri Nov 19 20:17:33 2021
  ..                                  D        0  Fri Nov 19 20:17:33 2021
  rerun.bat                           A       88  Fri Nov 19 19:34:48 2021

                7736063 blocks of size 4096. 4428644 blocks available

There is a single file named rerun.bat, so I pull it to my system to get a better understanding of what it does:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ cat rerun.bat  
@echo off
sqlcmd -u iiss -p 11ss___ 127.0.0.1:/db_name/something.db -o something.log

It runs sqlcmd against a database and writes the output to a log file, with the username iiss and the password 11ss___ in clear text. Credentials in scripts get reused, so I try those on SMB as well:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient -L //20.124.220.101/ -U iiss  
Enter WORKGROUP\iiss's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C               Disk      
        C$              Disk      Default share
        D$              Disk      Default share
        inetpub         Disk      
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

It worked. Oddly, this user can also open the C share, which britney couldn't:

┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient //20.124.220.101/C -U iiss      
Enter WORKGROUP\iiss's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Thu Feb  7 21:18:10 2019
  Boot                              DHS        0  Fri Nov  5 14:19:20 2021
  bootmgr                          AHSR   403390  Wed Feb 10 18:18:05 2016
  BOOTNXT                           AHS        1  Tue Jun 18 15:18:29 2013
  Documents and Settings          DHSrn        0  Thu Aug 22 17:48:41 2013
  inetpub                             D        0  Fri Nov 19 14:04:46 2021
  Packages                            D        0  Fri Nov 19 13:46:06 2021
  PerfLogs                            D        0  Thu Aug 22 18:52:33 2013
  Program Files                      DR        0  Fri Nov 19 15:55:25 2021
  Program Files (x86)                 D        0  Fri Nov 19 15:55:28 2021
  ProgramData                       DHn        0  Thu Aug 22 17:48:41 2013
  Recovery                         DHSn        0  Fri Nov  5 14:21:39 2021
  System Volume Information         DHS        0  Thu Feb  7 21:16:18 2019
  Users                              DR        0  Fri Nov 19 19:10:05 2021
  Windows                            DR        0  Fri Nov 19 14:05:35 2021
  WindowsAzure                        D        0  Fri Nov 19 13:46:09 2021

                7736063 blocks of size 4096. 4426564 blocks available
smb: \> 

Now remember that port 3389 is open, so an RDP session is possible. Logging in with the iiss credentials from Remmina (or directly from a Windows client) gives access to the desktop.

From there, browse the file system for the flag: it is in C:\Users\admin\Desktop\ and is also found in C:\Temp\.

I hope you enjoyed every bit of the CTF challenges!