Lost in Parity

Lost in Parity I deleted the flag. python3 xor.py ./f* > xor rm xor.py flag.txt Author: @miko Category: misc Solver: frcroth, mp455 Flag: ENO{R41D1NG_F1L3S_4R3_W3?} The challenge gives us a bunch of files - 255 files and the xor-file. A quick random sample of wc -c suggests that all files including the xor-file have the same size: 26 bytes. The challenge description hints that the xor-file might be the result of applying the xor-operation to the 255 files and the flag....

March 21, 2024 · 2 min · frcroth, mp455

Itchy Route

Get straight to the point and list your options! Category: misc Solver: frcroth, mp455 Flag: ENO{4NY_M0R3_QU35T10N5M4RK5_0C?N?} When connecting to this challenge, nothing greets us and if we are polite and ask “hello”, it responds with: Request contained some illegal characters: “hello” Also, when we take too long, we get different errors, e.g.: Request timeout: firewall getting suspicious. This already tells us that we probably need to use a script to interact here, since we won’t be able to type quickly enough....

March 20, 2024 · 3 min · frcroth, mp455

missingcat

Where is my cat? 😿 Category: misc Solver: frcroth, mp455 Flag: ENO{0xCAT_BUT_H4PP1_THANK_Y0U!} We were given the following script: import subprocess cmd = input("Give me your command: ") if len(cmd) > 2: print("Command is too long!") try: cmdstring = [cmd, "flag.txt"] print(f"Executed command: {cmdstring}") result = subprocess.check_output(cmdstring, timeout=1) except: result = b"No 😿" print(result.decode()) So we need to find a command that gives us the flag and whose name is only 2 letters long....

March 20, 2024 · 2 min · frcroth, mp455

Timecode

Times change you, and numbers. Category: misc Solver: frcroth, mp455 Flag: ENO{S0M3_J4V4_1NT3G3R5_4R3_C4CH3D} When we connect to the host, we get a challenge: Registered as user b6ee888b-6f24-4049-b0e2-ee227233973f New Challenge (2024-03-20T19:57:49.535Z) 69 51 97 43 01 65 After trying out some values, sending the same numbers gives a cryptic response: 69 51 97 43 01 65 ‘85’ is not equal to ‘69’ ‘66’ is not equal to ‘51’ ‘79’ is not equal to ‘97’ ‘86’ is not equal to ‘43’ ‘127’ is not equal to ‘01’ ‘95’ is not equal to ‘65’ Challenge failed....

March 20, 2024 · 4 min · frcroth, mp455

Airshop Incognito

The latest wave of phishing documents has our team stumped. Figure out what they are doing and get the flag. Category: Forensics Solver: lmarschk, mp455 Flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!} Writeup Summary: Deobfuscate the Macro and the JS Script We get a phishing document airship_incognito.doc. When we open the document we get the notification that this document contains macros. Inside the document we see an image that invites us to the “unveiling of the airship incognito”....

August 9, 2022 · 2 min · lmarschk, mp455

Buzzword Soup

“Random nonces? Where we’re going, we don’t need random nonces!” - D. Brown Category: crypto Solver: 3mb0, nh1729 Flag: HTB{buzzw0rd_s0up_h45_n3v3r_t45t3d_s0_g00d} Writeup For this challenge, we were given a Python script that processes the flag and some other file alongside its output and additional files used. import random from Crypto.Util.number import bytes_to_long from functools import reduce def buzzor(b1, b2): return bytes([_b1 ^ _b2 for _b1, _b2 in zip(b1, b2)]) def buzzrandom(): return bytes([random....

August 9, 2022 · 3 min · 3mb0, nh1729

New Era

Now that Microsoft will disable Macros coming from the web, APT groups look for alternative ways to bypass MOTW. Thus, our SOC team analyses daily, dozens of different container-based malicious documents in different file formats. Make sure you analyse this document properly although it seems to be safe. Category: Forensics Solver: 3mb0, mp455 Flag: HTB{sch3dul1ng_t4sks_1s_c00l_but_p0w3rsh3ll_w1th0ut_p0w3rsh3ll_1s_c00l3r} Writeup Summary: Decompile and deobfuscate the VBA p-code. Microsoft wants to fight the macro malware incident rate by denying all macros from documents that are downloaded from the web and therefore have the “Mark of the Web” (MOTW) [1]....

August 9, 2022 · 2 min · lmarschk, mp455

Pierce

We just launched our brand new pierce inventory which has wide variety of antique jewellery collection. Order before we run out of the stock. Category: Cloud Solver: rgw, linaScience Flag: HTB{f0rg3ry_t0_IMDS_1s_fun!!!} Writeup We get an IP address and run a full port scan with host detection (nmap -p- -A). We see three open ports: PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | [....

August 9, 2022 · 3 min · rgw, linaScience

Relic

In some long-forgotten cave, you’ve come across a strange relic of the distant past. Can you reawake it and uncover its secrets? Category: rev Solver: lmarschk, t0b1 Flag: HTB{c0r3_dump5_4r3_c00l_f0r_d3bugg1ng} Writeup Coredump and original script given. Script encrypts a flag, then aborts to generate coredump. Coredump still contains the key. We can get the start of the key by XORing the HTB{ string with the given encrypted flag. Using the start of the key, we can search the coredump for the original key....

August 9, 2022 · 1 min · lmarschk, t0b1

Roboquest

In order to automate our procedures, we have created this data collector steam robot that will go out and ask questions on random citizens and store the data in his memory. Our only problem is that we do not have a template of questions to insert to the robot and begin our test. Prepare some questions and we are good to go! Category: pwn Solver: t0b1 Flag: HTB{r0b0fl0w_tc4ch3_p01s0n} Writeup Libc given, 2....

August 9, 2022 · 3 min · t0b1

Salesman

I see you are new in town adventurer! Here you can pick whatever you want to continue your journey. Need a pet companion? Our arachnoids are the best. Ready to fight? Our pistols are here for you. Lost in time? Our watch will definitely save you! Category: pwn Solver: t0b1, s3rp3ntL0v3r Flag: HTB{00b_4nd_p1v0t_2_th3_st34m_w0rld!} Writeup See solve script below. Solver from pwn import * LOCAL = False HOST = '167.172.52.221' PORT = 30371 CHALLENGE = '....

August 9, 2022 · 2 min · t0b1, s3rp3ntL0v3r

Somewhat Correlated

Sometimes, you can find patterns in seemingly random things… Category: crypto Solver: 3mb0, nh1729 Flag: HTB{n01sy_LF5R-1s_n0t_l0ud_3n0ugh} Writeup For this challenge, we were given a python script that processes the flag alongside its output. import random from hashlib import sha512 class LFSR: def __init__(self, state, taps): self.state = list(map(int, list("{:0128b}".format(state)))) self.taps = taps def clock(self): outbit = self.state[0] newbit = sum([self.state[t] for t in self.taps]) & 1 self.state = self.state[1:] + [newbit] return outbit key = random....

August 9, 2022 · 5 min · 3mb0, nh1729

Sophist

We just launched an online password management, we would like you to look into our infrastructure and spot any issues. Category: Cloud Solver: rgw, linaScience Flag: HTB{ph00L_T4k3_tHy_pl345UR3_ri9ht_0r_WR0n9!} Writeup We get an IP address and run a full port scan with host detection (nmap -A -p-) and see a few open ports: PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0) | ssh-hostkey: | [....

August 9, 2022 · 7 min · rgw, linaScience

Steam Door

Steam-security analysts have spotted a new unknown persistence technique used in the wild. But they are not able to understand how it works since steam-technology is involving at very fast rates. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors. Flag format: HTB{md5sum }. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2} Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_ Category: Forensics Solver: lmarschk, mp455 Flag: HTB{db042f659831045cc3748324b481507e} Writeup Summary: Analysis of Windows memory dump and file extraction out of it....

August 9, 2022 · 2 min · lmarschk, mp455

UniLab: User

UniLab Category: unilab Solver: rgw, linaScience, nh1729 Writeup We get an IP address and run a port scan using nmap. We see only one open port, 80. We open the IP in our browser and get redirected to http://moodle.unilab.htb/. We also see the header Server: Microsoft-IIS/10.0. After adding the domain and IP to our hosts file, we see a Moodle index page: We register and enroll in the only course available, Linear Algebra 1:...

August 9, 2022 · 3 min · rgw, linaScience, nh1729

Arachnoid Heaven

In the steam world, you need some trustworthy companions to help you continue your journey. What’s better than a handmade, top-tier, state of the art arachnoid machine?! Exactly, nothing! Come to Arachnoid Heaven and craft yours as soon as possible? Category: pwn Solver: t0b1, linaScience Flag: HTB{l3t_th3_4r4chn01ds_fr3333} Writeup In this pwn challenge, we receive a binary called arachnoid_heaven. TL;DR: The craft_arachnoid function allocates 96 bytes of memory but leaks the first 16 bytes....

December 2, 2021 · 5 min · t0b1, linaScience

GoodGames

Category: Fullpwn Solver: rgw, 3mb0, t0b1 Flag (user): HTB{7h4T_w45_Tr1cKy_1_D4r3_54y} Flag (root): HTB{M0un73d_F1l3_Sy57eM5_4r3_DaNg3R0uS} Writeup User We receive a machine IP. Upon a port scan, we find that only port 80 is open. The website, GoodGames, contains some random information and a signup and login page. We can sign up and log in with a user, but nothing new appears on the site. We see that the login page is vulnerable to SQL injection....

December 2, 2021 · 3 min · rgw, 3mb0, t0b1

Insane Bolt

This insane scientist wants to craft the most powerful android in the world! Help him collect many 🔩 to achieve his goal. Also, he needs many 💎 to make it even more strong and powerful than any other android. Good luck adventurer! Category: misc Solver: 3mb0, nh1729 Flag: HTB{w1th_4ll_th353_b0lt5_4nd_g3m5_1ll_cr4ft_th3_b35t_t00ls} Writeup When connecting to the port and IP with netcat, we get a menu: 1. Instructions 2. Play > If we enter 1, we get the rules of the game:...

December 2, 2021 · 6 min · 3mb0, nh1729

Keep the steam activated

The network in which our main source of steam is connected to, got compromised. If they managed to gain full control of this network, it would be a disaster! Category: forensics Solver: lmarschk, 3mb0 Flag: HTB{n0th1ng_1s_tru3_3v3ryth1ng_1s_d3crypt3d} Writeup We have got a packet capture file. We view this capture by looking over the TCP streams. We notice many attempts at establishing SMB connections. We notice that the suspected attacker (192.168.1.9) is starting to connect to user1 (192....

December 2, 2021 · 4 min · lmarschk, 3mb0

LightTheWay

Our new steam traffic light system is malfunctioning due to increased pressure, which has caused the lights to get stuck. We need to revert the system to manual and change the lights to clear a path through the city for a government vehicle to go through. The path is highlighted in the HMI. Category: scada Solver: rgw Flag: HTB{w3_se3_tH3_l1ght} Writeup We receive an IP of the challenge VM. When we scan for ports, we see ports 22, 80 and 502 to be open....

December 2, 2021 · 4 min · rgw

Mechanical Madness

We have intercepted an encrypted message with critical information, and also managed to recover the machine that is able to decrypt it, with a copy of the source program it should run to decrypt the message. The crazy scientist that built this machine was accidentally killed during the extraction. It’s a very elaborate mechanical machine with tons of pipes and valves but we managed to reverse-engineer its logic and build a simulation out of it, but now we need to convert the source of the program into something that the machine is able to understand and execute!...

December 2, 2021 · 6 min · rgw, nh1729

Object

Category: Fullpwn Solver: lmarschk Flag: HTB{c1_cd_c00k3d_up_1337!} Writeup When scanning the machine, we get the following results Nmap scan report for 10.129.96.74 Host is up (0.036s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Mega Engines 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 8080/tcp open http Jetty 9....

December 2, 2021 · 2 min · lmarschk

Oracle Leaks

Steam Technologies is a service provider which uses strictly steam-powered computers. They have recently developed a new type of oracle taking advantage of the steam-power architecture. They offer a huge price in case someone decrypts the message from their service. Are you up for the challenge? Category: crypto Solver: n1k0, nh1729 Flag: HTB{m4ng3r5_4tt4ck_15_c001_4nd_und3rv4lu3d} Writeup We need to decrypt an RSA ciphertext and for that we are provided with the ciphertext, the public key, and an oracle....

December 2, 2021 · 3 min · n1k0, nh1729

Out of Time

Quick we need to get access to the bunker and we are running out of time! The door is using an advanced steam-powered door locking mechanism which we cannot breach. One of our scientists managed to make a tool that measures the mechanical stress of the pipes moving steam during the verification of the password and created a power consumption model but it looks like just random signals. Can you find anything useful in the data?...

December 2, 2021 · 4 min · rgw

Peel back the layers

An unknown maintainer managed to push an update to one of our public docker images. Our SOC team reported suspicious traffic coming from some of our steam factories ever since. The update got retracted making us unable to investigate further. We are concerned that this might refer to a supply-chain attack. Could you investigate? Docker Image: steammaintainer/gearrepairimage Category: forensics Solver: 3mb0 Flag: HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!} Writeup Firstly, we download the provided docker image with docker pull steammaintainer/gearrepairimage and inspect the layers of it on DockerHub [1]:...

December 2, 2021 · 2 min · 3mb0