Posts About CTF

Hack The Box: Blue

It's been a while, but this is my last write-up of the machines in the Hack The Box Beginner Track. This machine is called Blue.

Enumeration

As with several of the other challenges, all we're given to start with is the IP address of the target. Let's start with a simple nmap port scan:

$ nmap -A -Pn blue.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-23 23:03 BST
Nmap scan report for blue.htb (10.129.126.4)
Host is up (0.045s latency).
rDNS record for 10.129.126.4: blue
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp … 

Read more

Hack The Box: Snow Scan

Thought Machine recently entered the Hack The Box (HTB) Business CTF 2023. This is a capture the flag (CTF) contest open to companies. Keen to put my skills to the test, I naively joined our small team.

The contest was organised by category, with challenges ranging from hacking (emulated) SCADA devices (industrial control systems) to breaking blockchain systems.

Perhaps unsurprisingly, the challenges were waaaay harder than I expected. There were various difficulty levels, but they were pretty far removed from the levels on regular HTB machines and challenges.

Needless to say, I didn't contribute much to my team's effort. I completed the Drilling Platform challenge and most of Intelligence Service. I started on the Snow Scan challenge as well, but I ran out of time.

Being an "easy" challenge, I naively expected it to fall well within my abilities. Surely I could do this? After the main contest finished, what … Read more

Hack The Box: Under Construction

This is my seventh write-up of the Hack The Box Beginner Track. This is the first machine or challenge in the track labelled "medium" difficulty. The others have so far been "easy", so this could be a bit more involved than what we've seen so far. Let's dive in.

The Challenge

As with You Know 0xDiablos and Weak RSA, we're given a zip archive to download, along with an IP/port combination. The former appears to contain the source for a Node.js web app. Visiting the IP/port, we see the following in the browser:

Login page

We don't have an account to log in with, so let's try registering a user. Surprisingly, this works, and we can now log in with the new account:

Home page

Looks like the site is still a work in progress. Using the source code, perhaps there's a weakness we can leverage to get past this page … Read more

Hack The Box: Netmon

This is my sixth write-up of the Hack The Box Beginner Track. This challenge is called Netmon.

Enumeration

Similarly to Lame and Jerry, we're given the IP address of the machine we need to break into. As in those cases, we start by running nmap against the target:

$ nmap -A -Pn netmon.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-03 22:47 BST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 22:48 (0:00:24 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.27% done; ETC: 22:47 (0:00:00 remaining)
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.00% done; ETC: 22:47 (0:00:00 remaining)
Nmap scan report … 

Read more

Hack The Box: You Know 0xDiablos

I've been steadily working my way through the Hack The Box Beginner Track, writing each challenge up here as I go. This is the fifth write-up. So far the challenges have ranged from exploiting well-known vulnerabilities in Windows to breaking weak RSA public keys.

The Challenge

This challenge is a little different to the ones we've covered on the track so far. We're given a file to download and an IP/port to attack. Downloading the file, named vuln, it looks like a Linux executable:

$ file vuln
vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped

Intriguing... We can use objdump to examine the executable's symbols:

$ objdump -t vuln

vuln:     file format elf32-i386

SYMBOL TABLE:
...
00000000       F *UND*    00000000              printf@@GLIBC_2.0
00000000       F *UND*    00000000              gets@@GLIBC_2.0
08049391 g … 

Read more

Hack The Box: Jerry

This is my fourth write-up in a series on the Hack The Box Beginner Track. This challenge is called Jerry, and it's a lot more like a classic CTF than the previous two in my view, Find the Easy Pass and Weak RSA.

Enumeration

Firing up the box and our attack machine, let's start with a straightforward Nmap scan:

$ nmap -Pn -A -T4 jerry.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 16:11 GMT
Nmap scan report for jerry.htb (10.129.24.108)
Host is up (0.014s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned … 

Read more

Hack The Box: Weak RSA

This is the third in a series of write-ups of challenges from the Hack The Box Beginner Track.

The Challenge

The previous challenge, Find The Easy Pass, gave us a Windows executable to reverse engineer. In this sense it didn't align with my expectations of what a CTF involves.

This challenge, Weak RSA, is similar in the sense that we're given two files to download. This time though, neither of them are executable:

$ file key.pub
key.pub: ASCII text
$ file flag.enc 
flag.enc: data

Looking at the contents of key.pub, it looks like an RSA public key:

$ cat key.pub 
-----BEGIN PUBLIC KEY-----
MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip
4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy
23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3
RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD
qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ
4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr
lb/N
-----END PUBLIC KEY-----

We can confirm this with OpenSSL:

$ openssl rsa -pubin -in key.pub -text -noout
RSA Public-Key: (1026 bit)
Modulus:
    03:30:3b:79:0f:b1:49:da:34:06:d4 … 

Read more

Hack The Box: Find The Easy Pass

This is the second in a series of write-ups of challenges from the Hack The Box Beginner Track.

In my first write-up, Lame, I talked about how capture the flag (CTF) challenges can generally be broken down into three phases: enumeration, gaining a foothold, and privilege escalation.

This challenge, Find The Easy Pass, is a bit different from a regular CTF, because there is no machine to break into. Instead, we're given a Windows executable file.

Leaving aside the question of whether it's safe to run random executables you downloaded from the internet, this is what appears when the file is launched:

Password prompt

Entering a possible password into the text box and clicking Check Password tells us whether we have the right password:

Wrong password

Given the name of the challenge, it's pretty clear that the password is the flag we have to find.

We have a program that we can use to … Read more

Hack The Box: Lame

I've been doing a lot of Hack The Box lately. For those who don't know, Hack The Box (HTB) is a playground for would-be hackers to test their skills against machines with various security vulnerabilities. The point isn't to use these skills for nefarious or illegal purposes. Instead, the aim is to train people to think more critically about potential security weaknesses in software so that they can design and implement systems with security in mind. Each machine on HTB has a digital flag (typically a file on the machine containing some secret string) that the hacker must capture. This type of set up is called capture the flag, or CTF.

Newcomers to HTB can start with the Starting Point machines to familiarise themselves with the CTF process. Generally speaking, gaining admin privileges on a target machine is achieved in three stages:

  1. Enumeration - determining the services the target is running … 

Read more