I am among the organizers of this CTF and one of its challenge authors. In this writeup I'll walk through solving two of the machines I made, `white` and `get leet 2`: `White` is an Ubuntu-based Linux box and `Get-Leet-2` is a Windows box. Starting with `White`, the Linux one!
---
### WHITE
I'm just gonna go ahead fast with this LOL. We have ports 80 and 22 open. Port 80 serves the default Apache page, so I run gobuster with the wordlist `SecLists/Fuzzing/fuzz-Bo0om.txt` and get `/secret/`, which has an `index.php` that is a rabbit hole. Dirsearching inside that directory we find `index.txt`, which carries credentials for a user named `marce` with password `marce@2021`. I use the creds to log in over SSH, and we are in. Checking the user's sudo privileges:
```text
marce@white:~$ sudo -l
Matching Defaults entries for marce on
white.fqwkjfhbenledfj4uincv222dc.bx.internal.cloudapp.net:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User marce may run the following commands on
white.fqwkjfhbenledfj4uincv222dc.bx.internal.cloudapp.net:
(ALL) NOPASSWD: /usr/bin/escalator
```
So marce can run the binary `/usr/bin/escalator` through sudo without a password:
```text
marce@white:~$ sudo escalator
BLACKTEK SOLUTIONS WRITER
enter password : admin
Imposter!!!!!
```
Okay, so we don't have the password! Now we have to reverse engineer the binary: we pull it to our local machine using netcat and then analyse it to understand how it behaves:
```text
[0x7f30aff86090]> afl
0x5650cf53f080 1 42 entry0
0x5650cf541fe0 1 4124 reloc.__libc_start_main
0x5650cf53f0b0 4 41 -> 34 sym.deregister_tm_clones
0x5650cf53f0e0 4 57 -> 51 sym.register_tm_clones
0x5650cf53f120 5 57 -> 50 sym.__do_global_dtors_aux
0x5650cf53f070 1 6 sym.imp.__cxa_finalize
0x5650cf53f160 1 5 entry.init0
0x5650cf53f000 3 23 map._home_tahaafarooq_Desktop_gameofhacks_machines_white_escalator.r_x
0x5650cf53f250 1 1 sym.__libc_csu_fini
0x5650cf53f254 1 9 sym._fini
0x5650cf53f1b5 4 54 sym.PassVerify
0x5650cf53f1f0 4 93 sym.__libc_csu_init
0x5650cf53f165 1 80 main
0x5650cf53f030 1 6 sym.imp.puts
0x5650cf53f050 1 6 sym.imp.printf
0x5650cf53f060 1 6 sym.imp.__isoc99_scanf
0x5650cf53f040 1 6 sym.imp.system
0x5650cf53e000 3 376 -> 365 loc.imp._ITM_deregisterTMCloneTable
0x5650cf53e1aa 5 32 -> 55 fcn.5650cf53e1aa
```
So as shown we have two functions that stand out and must be looked at: `main` and `sym.PassVerify`. Let's start with main:

Yeah, so we see it asks for a password and then passes the inputted value to the function `sym.PassVerify`, so now let's disassemble that function:

```text
mov eax, dword [rax]
cmp eax, 0x208d9
```
As shown, the input is compared with `0x208d9`, which is hex for `133337`, so let's try that as the password this time:
```text
marce@white:~$ sudo escalator
BLACKTEK SOLUTIONS WRITER
enter password : 133337
h4k-it{3c1d660d022cb17617aba460c40b339d}
```
And there we have the flag!
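To pull the three findings above (the NOPASSWD grant from `sudo -l`, the `system` import in the `afl` listing and the hard-coded `cmp` constant) out of the raw tool output, here is an added Python triage script. It is not part of the write-up or the challenge; the regexes are my own, and the sample strings are constructed from the output shown above with whitespace collapsed.

```python
import re

# Constructed inputs: the sudo -l grant, a few `afl` rows and the `cmp`
# from the write-up above (whitespace collapsed).
SUDO_L = """User marce may run the following commands on white:
    (ALL) NOPASSWD: /usr/bin/escalator
"""
AFL = """0x5650cf53f1b5 4 54 sym.PassVerify
0x5650cf53f165 1 80 main
0x5650cf53f060 1 6 sym.imp.__isoc99_scanf
0x5650cf53f040 1 6 sym.imp.system
"""
DISASM = """mov eax, dword [rax]
cmp eax, 0x208d9
"""

# libc imports that hand the caller's privileges to a new process.
RISKY_IMPORTS = {"system", "popen", "execve", "execl", "execlp", "execvp"}
SUDO_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmd>.+?)\s*$")
CMP_RE = re.compile(r"^\s*cmp\s+\w+,\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def nopasswd_commands(sudo_output):
    """(run-as user, command) pairs that sudo grants without a password."""
    pairs = []
    for line in sudo_output.splitlines():
        m = SUDO_RE.match(line)
        if m:
            pairs.append((m["runas"], m["cmd"]))
    return pairs

def risky_imports(afl_output):
    """Imported symbols (sym.imp.*) that spawn processes, sorted."""
    names = {m.group(1) for m in re.finditer(r"sym\.imp\.(\w+)\s*$", afl_output, re.M)}
    return sorted(names & RISKY_IMPORTS)

def compare_immediates(disasm):
    """Constants a `cmp` tests a register against; hex or decimal operands."""
    return [int(m.group(1), 0) for m in (CMP_RE.match(l) for l in disasm.splitlines()) if m]

def triage(sudo_output, afl_output, disasm):
    """Human-readable findings: the chain of weaknesses the box relies on."""
    findings = [f"NOPASSWD as {r}: {c}" for r, c in nopasswd_commands(sudo_output)]
    findings += [f"{n}() imported: shell commands run with the caller's uid" for n in risky_imports(afl_output)]
    findings += [f"hard-coded compare constant {c:#x} = {c}" for c in compare_immediates(disasm)]
    return findings

if __name__ == "__main__":
    for f in triage(SUDO_L, AFL, DISASM):
        print(f)
```

A 32-bit immediate in a `cmp` right after `scanf` is exactly the pattern that gives a numeric password away, which is why the constant is worth flagging whenever the binary runs as root.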
---
### GET LEET 2
This is a Windows box, and apparently also my first box made on Windows, hehe!
First I did a quick nmap scan:
```text
┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ nmap -F 20.124.220.101
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-21 11:30 EAT
Nmap scan report for 20.124.220.101
Host is up (0.32s latency).
Not shown: 92 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49154/tcp open unknown
49155/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds
```
We have ports 80 and 21 open, ports 135/139/445 which point to SMB, and also 3389, which serves RDP sessions!
Checking port 80 in the browser brings up the default IIS page, so I now perform dirbusting with gobuster to check for hidden folders or files:
```text
┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ gobuster dir -u http://20.124.220.101/ -w fuzz-Bo0oM.txt 130 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://20.124.220.101/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: fuzz-Bo0oM.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/21 11:34:21 Starting gobuster in directory enumeration mode
===============================================================
/%2e%2e//google.com (Status: 403) [Size: 312]
/\..\..\..\..\..\..\..\..\..\etc\passwd (Status: 403) [Size: 312]
/Secret/ (Status: 200) [Size: 326]
/secret/ (Status: 200) [Size: 326]
===============================================================
2021/11/21 11:36:48 Finished
===============================================================
```
Found a directory named `secret`, so I open it:

Nothing specific was visible, but checking the page source I got `<!--britney:br1t****--!>`, which looked like some sort of creds, but of course they didn't work on SMB or any other login, so I dirbust again:
```text
┌──(tahaafarooq㉿blacktek)-[/opt/SecLists/Fuzzing]
└─$ gobuster dir -u http://20.124.220.101/secret/ -w fuzz-Bo0oM.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://20.124.220.101/secret/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: fuzz-Bo0oM.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/21 11:42:08 Starting gobuster in directory enumeration mode
===============================================================
/\..\..\..\..\..\..\..\..\..\etc\passwd (Status: 403) [Size: 312]
/index.html (Status: 200) [Size: 326]
/users.txt (Status: 200) [Size: 308]
===============================================================
2021/11/21 11:44:35 Finished
===============================================================
```
and we see `users.txt`, so I read it:
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ cat users.txt
creds -> it usually start with br1t but then I easily forget the other following words, maybe br1tney or br1tneer! or br1tn3yy or br1tn3y!@ or br1tn3y@
```
So we now have multiple candidate passwords for britney, so I try SMB with them:
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient -L //20.124.220.101/ -U britney 1 ⨯
Enter WORKGROUP\britney's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C Disk
C$ Disk Default share
D$ Disk Default share
inetpub Disk
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
```
It worked with the password `br1tn3y@`, and I see we have access to `inetpub`, so I open it to look for any creds:
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient //20.124.220.101/inetpub -U britney
Enter WORKGROUP\britney's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Nov 19 14:04:46 2021
.. D 0 Fri Nov 19 14:04:46 2021
custerr D 0 Fri Nov 19 14:04:46 2021
temp D 0 Fri Nov 19 20:17:33 2021
wwwroot D 0 Fri Nov 19 20:17:33 2021
7736063 blocks of size 4096. 4426628 blocks available
smb: \> cd wwwroot
smb: \wwwroot\> dir
. D 0 Fri Nov 19 20:17:33 2021
.. D 0 Fri Nov 19 20:17:33 2021
iis-85.png A 99710 Fri Nov 19 14:01:20 2021
iisstart.htm A 701 Fri Nov 19 14:01:20 2021
secret D 0 Sun Nov 21 11:08:58 2021
7736063 blocks of size 4096. 4426628 blocks available
smb: \wwwroot\> cd secret
smb: \wwwroot\secret\> dir
. D 0 Sun Nov 21 11:08:58 2021
.. D 0 Sun Nov 21 11:08:58 2021
index.html A 326 Fri Nov 19 14:55:12 2021
users.txt A 308 Fri Nov 19 14:58:02 2021
7736063 blocks of size 4096. 4426628 blocks available
smb: \wwwroot\secret\>
```
So far we've got nothing inside `wwwroot`, so I move to `temp`:
```text
smb: \temp\> dir
. D 0 Fri Nov 19 20:17:33 2021
.. D 0 Fri Nov 19 20:17:33 2021
rerun.bat A 88 Fri Nov 19 19:34:48 2021
7736063 blocks of size 4096. 4428644 blocks available
```
We find a file in there named `rerun.bat`, so I pull it to my system for a better understanding of what it does:
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ cat rerun.bat
@echo off
sqlcmd -u iiss -p 11ss___ 127.0.0.1:/db_name/something.db -o something.log
```
Here we see it somehow pulls from a database and writes the output to a log file, using the username `iiss` and the password `11ss___`, so I now try accessing SMB with those creds:
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient -L //20.124.220.101/ -U iiss
Enter WORKGROUP\iiss's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C Disk
C$ Disk Default share
D$ Disk Default share
inetpub Disk
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
```
And it worked. I now try accessing the `C` share, which is odd (britney couldn't access it):
```text
┌──(tahaafarooq㉿blacktek)-[~/Desktop]
└─$ smbclient //20.124.220.101/C -U iiss
Enter WORKGROUP\iiss's password:
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Thu Feb 7 21:18:10 2019
Boot DHS 0 Fri Nov 5 14:19:20 2021
bootmgr AHSR 403390 Wed Feb 10 18:18:05 2016
BOOTNXT AHS 1 Tue Jun 18 15:18:29 2013
Documents and Settings DHSrn 0 Thu Aug 22 17:48:41 2013
inetpub D 0 Fri Nov 19 14:04:46 2021
Packages D 0 Fri Nov 19 13:46:06 2021
PerfLogs D 0 Thu Aug 22 18:52:33 2013
Program Files DR 0 Fri Nov 19 15:55:25 2021
Program Files (x86) D 0 Fri Nov 19 15:55:28 2021
ProgramData DHn 0 Thu Aug 22 17:48:41 2013
Recovery DHSn 0 Fri Nov 5 14:21:39 2021
System Volume Information DHS 0 Thu Feb 7 21:16:18 2019
Users DR 0 Fri Nov 19 19:10:05 2021
Windows DR 0 Fri Nov 19 14:05:35 2021
WindowsAzure D 0 Fri Nov 19 13:46:09 2021
7736063 blocks of size 4096. 4426564 blocks available
smb: \>
```
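As an added example (not part of the write-up), a Python check a defender could run over the `smbclient -L` listing and the `rerun.bat` shown above: it flags shares beyond Windows' built-in administrative ones (here `C` and `inetpub`) and credentials passed as command-line flags in scripts left on a share. The share-name and flag patterns are my own assumptions, and the sample strings are constructed from the output above.

```python
import re

# Constructed from the write-up's smbclient -L listing and rerun.bat.
SMB_LISTING = """\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC               Disk
\tC$              Disk      Default share
\tD$              Disk      Default share
\tinetpub         Disk
\tIPC$            IPC       Remote IPC
"""
RERUN_BAT = """@echo off
sqlcmd -u iiss -p 11ss___ 127.0.0.1:/db_name/something.db -o something.log
"""

# Shares Windows creates itself; a drive-letter share such as C$ also counts.
ADMIN_SHARES = {"ADMIN$", "IPC$"}
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b")
# Assumed convention: -u/-U and -p/-P flags carry a user name or password.
CRED_RE = re.compile(r"(?:^|\s)-(?P<flag>[uUpP])\s+(?P<value>\S+)")

def nondefault_shares(listing):
    """Share names that are not Windows' built-in administrative shares."""
    shares = []
    for line in listing.splitlines():
        m = SHARE_RE.match(line)
        if not m:
            continue          # header, separator or trailing status lines
        name = m.group(1)
        if name in ADMIN_SHARES or re.fullmatch(r"[A-Za-z]\$", name):
            continue
        shares.append(name)
    return shares

def embedded_credentials(script_text):
    """(line number, flag, value) for credential-style flags in a script."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            hits.append((n, m["flag"], m["value"]))
    return hits

if __name__ == "__main__":
    print("non-default shares:", nondefault_shares(SMB_LISTING))
    for n, flag, value in embedded_credentials(RERUN_BAT):
        print(f"line {n}: -{flag} {value}")
```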
But then remember the open port 3389: it allows an RDP session, so logging in with the `iiss` credentials using Remmina or directly from Windows you are able to gain access to the desktop:

So we open the files and start looking for the flag; eventually it will be found inside `C:\Users\admin\Desktop\`, and also in `C:\Temp\`:

I hope you enjoyed every bit of the CTF challenges!
