Sophist

We just launched an online password manager; we would like you to look into our infrastructure and spot any issues. Category: Cloud Solver: rgw, linaScience Flag: HTB{ph00L_T4k3_tHy_pl345UR3_ri9ht_0r_WR0n9!} Writeup We get an IP address and run a full port scan with service and OS detection (nmap -A -p-) and see a few open ports:

    PORT      STATE SERVICE        REASON  VERSION
    22/tcp    open  ssh            syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
    | ssh-hostkey:
    | [...]
    80/tcp    open  http           syn-ack nginx 1.18.0
    |_http-title: Sophist Key Manager
    | http-methods:
    |_  Supported Methods: GET HEAD POST
    |_http-server-header: nginx/1.18.0
    8080/tcp  open  ssl/http-proxy syn-ack
    |_http-title: Site doesn't have a title.
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    | ssl-cert: Subject: commonName=admin
    | [...]
    8443/tcp  open  ssl/https-alt  syn-ack
    | http-auth:
    | HTTP/1.1 401 Unauthorized\x0D
    |_  Server returned status 401 but no WWW-Authenticate header.
    | fingerprint-strings:
    |   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
    |     HTTP/1.1 400 Bad Request
    |     Content-Type: text/plain; charset=utf-8
    |     Connection: close
    |     Request
    |   GetRequest:
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 7ec84791-51f5-437c-977d-2c4954bf15ec
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Fri, 25 Mar 2022 17:33:27 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   HTTPOptions:
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 8e9af1ed-aba6-4463-bf14-afd6e003d2b2
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Fri, 25 Mar 2022 17:33:27 GMT
    |     Content-Length: 129
    |_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |_http-title: Site doesn't have a title (application/json).
    | ssl-cert: Subject: commonName=k3s/organizationName=k3s
    | [...]
    10250/tcp open  ssl/http       syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=sophist
    | [...]
    10251/tcp open  unknown        syn-ack
    31337/tcp open  ssh            syn-ack OpenSSH 8.6 (protocol 2.0)
    | ssh-hostkey:
    | [...]

We can see that the node is the master node of a Kubernetes (k3s) cluster. Ports 80 and 8080 are application service ports, 8443 is the Kubernetes API server (HTTPS; the JSON Status object with code 401 in the fingerprint is the API server rejecting nmap's unauthenticated probe), 10250 is the Kubelet API (10251 is normally the kube-scheduler's legacy HTTP port rather than a second kubelet port) and 31337 is an application NodePort. ...

August 9, 2022 · 7 min · rgw, linaScience

Steam Door

Steam Door Steam-security analysts have spotted a new unknown persistence technique used in the wild. But they are not able to understand how it works since steam-technology is evolving at very fast rates. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors. Flag format: HTB{md5sum }. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2} Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_ Category: Forensics Solver: lmarschk, mp455 Flag: HTB{db042f659831045cc3748324b481507e} Writeup Summary: analysis of a Windows memory dump and extraction of a file out of it. ...

August 9, 2022 · 2 min · lmarschk, mp455

UniLab: User

UniLab Category: unilab Solver: rgw, linaScience, nh1729 Writeup We get an IP address and run a port scan using nmap. We see only one open port, 80. We open the IP in our browser and get redirected to http://moodle.unilab.htb/. We also see the header Server: Microsoft-IIS/10.0. After adding the domain and IP to our hosts file, we see a Moodle index page. We register and enroll in the only course available, Linear Algebra 1: ...

August 9, 2022 · 3 min · rgw, linaScience, nh1729

Arachnoid Heaven

In the steam world, you need some trustworthy companions to help you continue your journey. What’s better than a handmade, top-tier, state of the art arachnoid machine?! Exactly, nothing! Come to Arachnoid Heaven and craft yours as soon as possible? Category: pwn Solver: t0b1, linaScience Flag: HTB{l3t_th3_4r4chn01ds_fr3333} Writeup In this pwn challenge, we receive a binary called arachnoid_heaven. TL;DR: The craft_arachnoid function allocates 96 bytes of memory but leaks the first 16 bytes. The delete_arachnoid function frees the name and code of an arachnoid, but neither removes the pointers from the global arachnoid array nor decreases the arachnoid count, so the freed chunks stay reachable through dangling pointers. Because malloc hands out the recently freed chunks again for allocations of the same size, we can combine the two functions to write a new arachnoid's name into the chunk that a previously deleted arachnoid's code pointer still references. Reading that arachnoid's code back then gives us the flag. ...

December 2, 2021 · 5 min · t0b1, linaScience

GoodGames

Category: Fullpwn Solver: rgw, 3mb0, t0b1 Flag (user): HTB{7h4T_w45_Tr1cKy_1_D4r3_54y} Flag (root): HTB{M0un73d_F1l3_Sy57eM5_4r3_DaNg3R0uS} Writeup User We receive a machine IP. A port scan shows that only port 80 is open. The website, GoodGames, contains some generic content and a signup and login page. We can sign up and log in with a user, but nothing new appears on the site. We find that the login form is vulnerable to SQL injection. We run sqlmap, dump all tables and see that one table, users, contains a user admin with email admin@goodgames.htb and the (unsalted MD5) password hash 2b22337f218b2d82dfc3b6f77e7cb8ec. Putting the hash into crackstation [1] gives the cleartext superadministrator. ...
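The two weaknesses the GoodGames excerpt chains (a string-built login query and an unsalted MD5 password hash) as an added, self-contained Python example; this is not the GoodGames application code. The table layout, the `' OR 1=1-- -` payload and the three-word wordlist are assumptions for the demo; only the admin e-mail and hash come from the writeup, and SQLite stands in for the site's MySQL database:

```python
"""Login SQL injection (vulnerable vs. parameterised) and offline cracking of an unsalted MD5 hash."""
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the dumped users table: one row, the admin user from the writeup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)")
    db.execute(
        "INSERT INTO users (name, email, password) VALUES (?, ?, ?)",
        ("admin", "admin@goodgames.htb", hashlib.md5(b"superadministrator").hexdigest()),
    )
    return db


def login_vulnerable(db, email, password):
    """The email is interpolated into the SQL text, so a quote in it ends the string literal
    and everything after it becomes SQL. The password check is commented out by the payload."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT name FROM users WHERE email = '{email}' AND password = '{pw_hash}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, email, password):
    """Same query with bound parameters: the payload is compared as data and matches no row."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT name FROM users WHERE email = ? AND password = ?", (email, pw_hash)
    ).fetchone()
    return row[0] if row else None


def crack_md5(target_hex, wordlist):
    """Unsalted MD5 is a pure function of the password, so a wordlist lookup (what crackstation
    does with a precomputed table) recovers it directly."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


def demo():
    db = make_db()
    payload = "admin@goodgames.htb' OR 1=1-- -"   # assumed bypass payload for the demo
    return {
        "vuln_bypass": login_vulnerable(db, payload, "wrong-password"),
        "fixed_bypass": login_fixed(db, payload, "wrong-password"),
        "cracked": crack_md5("2b22337f218b2d82dfc3b6f77e7cb8ec",
                             ["password", "admin", "superadministrator"]),   # constructed wordlist
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`login_vulnerable` returns the admin row for the payload without knowing any password, `login_fixed` returns nothing for the same input, and the hash from the dump falls to a three-entry wordlist because nothing but the password went into it.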

December 2, 2021 · 3 min · rgw, 3mb0, t0b1

Insane Bolt

This insane scientist wants to craft the most powerful android in the world! Help him collect many 🔩 to achieve his goal. Also, he needs many 💎 to make it even more strong and powerful than any other android. Good luck adventurer! Category: misc Solver: 3mb0, nh1729 Flag: HTB{w1th_4ll_th353_b0lt5_4nd_g3m5_1ll_cr4ft_th3_b35t_t00ls} Writeup When connecting to the IP and port with netcat, we get a menu: 1. Instructions 2. Play > If we enter 1, we get the rules of the game: ...

December 2, 2021 · 6 min · 3mb0, nh1729

Keep the steam activated

The network in which our main source of steam is connected to, got compromised. If they managed to gain full control of this network, it would be a disaster! Category: forensics Solver: lmarschk, 3mb0 Flag: HTB{n0th1ng_1s_tru3_3v3ryth1ng_1s_d3crypt3d} Writeup We have a packet capture file. We view this capture by looking over the TCP streams. We notice many attempts to establish SMB connections: the suspected attacker (192.168.1.9) connects to user1 (192.168.1.7), asmith (192.168.1.10) and user2 (192.168.1.11). Although 17 of the 26 TCP streams are SMB connection attempts, only 300 of the 22,000 packets belong to them, so we don't expect much information in them. ...

December 2, 2021 · 4 min · lmarschk, 3mb0

LightTheWay

Our new steam traffic light system is malfunctioning due to increased pressure, which has caused the lights to get stuck. We need to revert the system to manual and change the lights to clear a path through the city for a government vehicle to go through. The path is highlighted in the HMI. Category: scada Solver: rgw Flag: HTB{w3_se3_tH3_l1ght} Writeup We receive the IP of the challenge VM. A port scan shows ports 22, 80 and 502 open. First, we look at port 80. We are greeted with a website containing a road network with six junctions that each have four traffic lights. There is also a train with a route: ...

December 2, 2021 · 4 min · rgw

Mechanical Madness

We have intercepted an encrypted message with critical information, and also managed to recover the machine that is able to decrypt it, with a copy of the source program it should run to decrypt the message. The crazy scientist that built this machine was accidentally killed during the extraction. It’s a very elaborate mechanical machine with tons of pipes and valves but we managed to reverse-engineer its logic and build a simulation out of it, but now we need to convert the source of the program into something that the machine is able to understand and execute! The encrypted message is already loaded into the simulation. ...

December 2, 2021 · 6 min · rgw, nh1729

Object

Category: Fullpwn Solver: lmarschk Flag: HTB{c1_cd_c00k3d_up_1337!} Writeup When scanning the machine, we get the following results:

    Nmap scan report for 10.129.96.74
    Host is up (0.036s latency).
    Not shown: 65532 filtered ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Microsoft IIS httpd 10.0
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: Mega Engines
    5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    8080/tcp open  http    Jetty 9.4.43.v20210629
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-server-header: Jetty(9.4.43.v20210629)
    |_http-title: Site doesn't have a title (text/html;charset=utf-8).
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 109.79 seconds

On port 8080 we find a Jenkins instance with an open registration form. After registering, we can create a new project via New Item -> Freestyle Project. ...

December 2, 2021 · 2 min · lmarschk

Oracle Leaks

Steam Technologies is a service provider which uses strictly steam-powered computers. They have recently developed a new type of oracle taking advantage of the steam-power architecture. They offer a huge prize in case someone decrypts the message from their service. Are you up for the challenge? Category: crypto Solver: n1k0, nh1729 Flag: HTB{m4ng3r5_4tt4ck_15_c001_4nd_und3rv4lu3d} Writeup We need to decrypt an RSA ciphertext, and for that we are provided with the ciphertext, the public key, and an oracle. We can query the oracle with ciphertexts; it decrypts them with the private key belonging to the provided public key and responds with the byte length of the decrypted message. Since the modulus has k bytes, a decryption of fewer than k bytes is exactly a plaintext below B = 2^(8(k-1)), i.e. one whose leading byte is zero, which is the "less than B" oracle that Manger's attack needs. ...
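Manger's attack driven by a byte-length oracle, as an added Python example that is not the writeup's solver script. The oracle class, the toy 256-bit key generation (Miller-Rabin, seeded so the run is repeatable) and the plaintext are constructed for the demo; against the real service only `manger_attack` and a network-backed oracle returning the reported byte length would be needed:

```python
"""Manger's attack: recover an RSA plaintext from an oracle that only reveals the byte length of decryptions."""
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; only used to build a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_rsa_key(bits, rng, e=65537):
    """Toy key for the demo (the challenge hands out the real public key)."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


class LengthOracle:
    """Models the challenge service: decrypts any ciphertext, answers only with the plaintext's byte length."""

    def __init__(self, n, d):
        self.n, self.d, self.queries = n, d, 0

    def __call__(self, c):
        self.queries += 1
        m = pow(c, self.d, self.n)
        return (m.bit_length() + 7) // 8


def ceil_div(a, b):
    return -(-a // b)


def manger_attack(n, e, c, oracle):
    k = (n.bit_length() + 7) // 8   # byte length of the modulus
    B = 1 << (8 * (k - 1))          # plaintexts below B have a leading zero byte, i.e. fewer than k bytes
    assert 2 * B < n, "Manger's attack assumes 2B < n"

    def less_than_B(f):
        # RSA is multiplicatively homomorphic: f^e * c decrypts to f*m mod n.
        return oracle(pow(f, e, n) * c % n) < k

    # Step 1: find f1 = 2^j with f1*m in [B, 2B).
    f1 = 2
    while less_than_B(f1):
        f1 *= 2
    # Step 2: find f2 with f2*m in [n, n + B).
    f2 = ((n + B) // B) * (f1 // 2)
    while not less_than_B(f2):
        f2 += f1 // 2
    # Step 3: each query roughly halves the interval [m_min, m_max] until it collapses.
    m_min, m_max = ceil_div(n, f2), (n + B) // f2
    while m_min < m_max:
        f_tmp = (2 * B) // (m_max - m_min)
        i = (f_tmp * m_min) // n
        f3 = ceil_div(i * n, m_min)
        if less_than_B(f3):
            m_max = (i * n + B) // f3
        else:
            m_min = ceil_div(i * n + B, f3)
    return m_min


def demo(seed=2021):
    rng = random.Random(seed)
    n, e, d = gen_rsa_key(256, rng)      # small key so the demo finishes in well under a second
    secret = b"steam-powered secret"      # constructed plaintext; shorter than k-1 bytes as the attack requires
    c = pow(int.from_bytes(secret, "big"), e, n)
    oracle = LengthOracle(n, d)
    recovered = manger_attack(n, e, c, oracle)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big"), oracle.queries


if __name__ == "__main__":
    plaintext, queries = demo()
    print(f"recovered {plaintext!r} after {queries} oracle queries")
```

The query count stays close to the bit length of the modulus plus the n/B increments of step 2, which is why the attack is practical over a network; the only thing the service leaked per query was one bit of information about the decryption.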

December 2, 2021 · 3 min · n1k0, nh1729

Out of Time

Quick we need to get access to the bunker and we are running out of time! The door is using an advanced steam-powered door locking mechanism which we cannot breach. One of our scientists managed to make a tool that measures the mechanical stress of the pipes moving steam during the verification of the password and created a power consumption model but it looks like just random signals. Can you find anything useful in the data? ...

December 2, 2021 · 4 min · rgw

Peel back the layers

An unknown maintainer managed to push an update to one of our public docker images. Our SOC team reported suspicious traffic coming from some of our steam factories ever since. The update got retracted, making us unable to investigate further. We are concerned that this might refer to a supply-chain attack. Could you investigate? Docker Image: steammaintainer/gearrepairimage Category: forensics Solver: 3mb0 Flag: HTB{1_r34lly_l1k3_st34mpunk_r0b0ts!!!} Writeup First, we download the provided Docker image with docker pull steammaintainer/gearrepairimage and inspect its layers on Docker Hub [1]: ...

December 2, 2021 · 2 min · 3mb0

Sigma Technology

On a path to avenging his father, Tex Chance manufactured steam-powered robots to capture all the animals of your island to build a powerful army of fused mutated organisms using his powerful Sigma technology. You can’t let them take away your loyal doggo Julius. The robots have been trained to classify all the objects they encounter using the SigmaNet network. Can you use your laser pointer to change some of the robot’s vision pixels forcing it to misclassify your dog’s image as a non-animal object? ...

December 2, 2021 · 4 min · 3mb0, nh1729

Slippy

You’ve found a portal for a firmware upgrade service, responsible for the deployment and maintenance of rogue androids hunting humans outside the tractor city. The question is… what are you going to do about it? Category: Web Solver: rgw, nh1729, n1k0 Flag: HTB{i_slipped_my_way_to_rce} Writeup In this web challenge, we get a Docker template of a Flask web server. The user can upload .tar.gz archives, which are extracted into a temporary directory on the server. The extracted structure is then moved to a static directory to be presented to the user. The flag can be found in a file on the system. ...
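The archive-extraction weakness the Slippy excerpt is built around (a member name such as `../../x` that escapes the extraction directory, the "tar slip" variant of Zip Slip) together with the check a hardened upload handler needs, as an added Python example. This is not the challenge's Flask code; the archive contents and directory names are constructed for the demo, and `safe_extract` is one reasonable hardening, not the fix the authors used:

```python
"""Tar-slip detection and safe extraction for user-supplied .tar.gz uploads."""
import io
import os
import tarfile
import tempfile


def build_slip_archive():
    """Constructed sample upload: one legitimate file plus a member whose name climbs out of the target dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("firmware/version.txt", b"1.0\n"), ("../../outside.txt", b"pwned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(dest, relpath):
    """True if dest/relpath, after resolving '..' and symlinks, still lies under dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, relpath))
    return target == dest_real or target.startswith(dest_real + os.sep)


def find_escaping_members(tar_bytes, dest):
    """Names of members that would be written, or linked, outside dest."""
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if os.path.isabs(member.name) or not _inside(dest, member.name):
                escaping.append(member.name)
                continue
            if member.issym() or member.islnk():
                # Symlink targets are relative to the member's own directory, hardlink targets to the root.
                base = os.path.dirname(member.name) if member.issym() else ""
                if os.path.isabs(member.linkname) or not _inside(dest, os.path.join(base, member.linkname)):
                    escaping.append(member.name)
    return escaping


def safe_extract(tar_bytes, dest):
    """Extract only the members that stay inside dest; returns the names that were extracted."""
    escaping = set(find_escaping_members(tar_bytes, dest))
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.name not in escaping]
        # Python 3.12+ (and patched 3.8-3.11) ship a 'data' filter that rejects the same things; use it too.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return sorted(m.name for m in members)


def demo():
    archive = build_slip_archive()
    dest = tempfile.mkdtemp(prefix="slippy-")
    return {
        "escaping": find_escaping_members(archive, dest),
        "extracted": safe_extract(archive, dest),
        "version_written": os.path.isfile(os.path.join(dest, "firmware", "version.txt")),
        "outside_written": os.path.exists(os.path.join(dest, "..", "..", "outside.txt")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check has to run on the resolved path, not on the raw name: a member `firmware/../../x` or a symlink member followed by a file written through it escapes just as well as a literal `../`, which is why links are validated against their resolved targets too.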

December 2, 2021 · 3 min · rgw, nh1729, n1k0

Space Pirates

Jones and his crew have started a long journey to discover the legendary treasure left by the guardians of time in the early beginnings of the universe. Mr Jones, though, is wanted by the government for his crimes as a pirate. Our agents entered his base and discovered digital evidence about the way captain Jones contacts his closest friends back home. We managed to get his last message, sent to his best friend. Could you help us decrypt it? ...

December 2, 2021 · 4 min · n1k0

SteamCloud

We’ve installed our Kubernetes cluster inside a steam powered computer, however there’s a lot of smoke, therefore we think a bolt is missing. Could you please investigate? Category: cloud Solver: t0b1 Flag: HTB{dOn7_3Xpo53_Ku83L37} Writeup According to the challenge description, we will face a Kubernetes cluster which we will have to exploit. Using nmap, we find the following open ports, most of which are well-known Kubernetes ports:

    22/tcp    - ssh
    2379/tcp  - etcd (client)
    2380/tcp  - etcd (peer)
    8443/tcp  - Kubernetes API (normally on port 6443)
    10249/tcp - kube-proxy metrics
    10250/tcp - Kubelet API
    10256/tcp - kube-proxy health check

First, we do some basic checks against the Kubernetes API port. curl -k https://10.129.228.17:8443/livez returns ok, so the API server is up. Next, we check whether the anonymous user has too many access rights by running curl -k -X GET -H 'Accept: application/json' https://10.129.228.17:8443/api/v1/namespaces/default/pods/. That is not the case: we receive a message that the anonymous user is not allowed to list the pods, which means the request was authenticated as system:anonymous and it is RBAC, not authentication, that blocks it. ...
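The unauthenticated triage the Sophist and SteamCloud excerpts do by hand with nmap and curl, as an added Python script (my own, not the writeups' tooling). The point it encodes is the difference between the two rejections seen on this page: Sophist's API server answered 401 (no identity was accepted at all), SteamCloud's answered a "system:anonymous ... cannot list" message (the request was authenticated as the anonymous user and only RBAC stopped it, so any over-broad ClusterRoleBinding would open it up). The probe paths, the `sophist.example` host name and the sample replies are constructed for the offline demo; the 401 body is the one nmap captured on Sophist:

```python
"""Anonymous-access triage for an exposed Kubernetes API server or kubelet."""
import json
import ssl
import urllib.error
import urllib.request

# Paths worth probing without credentials (assumed list): API server first, kubelet (10250) second.
API_PATHS = ["/livez", "/version", "/api/v1/namespaces/default/pods", "/api/v1/secrets"]
KUBELET_PATHS = ["/pods", "/runningpods/"]


def http_get(url, timeout=5):
    """Unauthenticated GET; certificate checks are off because the cluster uses its own CA (k3s here)."""
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map a reply to a finding. 401: no identity accepted (anonymous auth disabled or token required).
    403: authenticated as system:anonymous, RBAC denied. 200: the resource is open to anyone."""
    message = body.strip()
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict) and parsed.get("kind") == "Status":
            message = parsed.get("message", message)
    except ValueError:
        pass
    if status == 200:
        return "OPEN: reachable without credentials"
    if status == 401:
        return "401: unauthenticated requests rejected outright (anonymous auth disabled)"
    if status == 403:
        return "403: anonymous auth enabled, RBAC denies: " + message
    return f"{status}: {message[:80]}"


def audit(base_url, paths, get=http_get):
    """Probe every path under base_url and return {path: finding}."""
    return {path: classify(*get(base_url + path)) for path in paths}


# Constructed sample replies. The SteamCloud 403 body has the shape of the API server's Forbidden
# Status object; the Sophist 401 body is the one captured in the nmap fingerprint.
SAMPLE_REPLIES = {
    "https://10.129.228.17:8443/livez": (200, "ok"),
    "https://10.129.228.17:8443/api/v1/namespaces/default/pods": (403, json.dumps({
        "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
        "message": 'pods is forbidden: User "system:anonymous" cannot list resource "pods" '
                   'in API group "" in the namespace "default"',
        "reason": "Forbidden", "code": 403})),
    "https://sophist.example:8443/api/v1/namespaces/default/pods": (401,
        '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
        '"message":"Unauthorized","reason":"Unauthorized","code":401}'),
}


def demo():
    """Run the audit against the canned replies instead of the network."""
    fake_get = lambda url: SAMPLE_REPLIES.get(url, (404, "404 page not found"))
    paths = ["/livez", "/api/v1/namespaces/default/pods"]
    return {
        "steamcloud": audit("https://10.129.228.17:8443", paths, get=fake_get),
        "sophist": audit("https://sophist.example:8443", paths, get=fake_get),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python3 k8s_anon.py https://10.129.228.17:8443
        results = {sys.argv[1]: audit(sys.argv[1], API_PATHS)}
    else:
        results = demo()
    for host, findings in results.items():
        for path, finding in findings.items():
            print(f"{host}{path:40s} {finding}")
```

Run it with the kubelet base URL (`https://host:10250`) and `KUBELET_PATHS` as well: a kubelet that serves `/pods` or `/runningpods/` to an unauthenticated client is exactly the exposure the SteamCloud flag alludes to, and on the kubelet the 401 means `--anonymous-auth=false` with `--authorization-mode=Webhook`, the configuration you want to see.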

December 2, 2021 · 4 min · t0b1

SteamCoin

Meet SteamCoin, the first decentralized cryptocurrency of the SteamPunk realm that provides you the liberty to exchange value without intermediaries and translates to greater control of funds and lower fees. Sign up today in our SteamCoin wallet to get equipped with the tools and information you need to buy, sell, trade, invest, and spend SteamCoins. Category: Web Solver: nh1729, n1k0, t0b1 Flag: HTB{w3_d0_4_l1ttl3_c0uch_d0wnl04d1ng} Writeup The challenge consists of a Node.js web service hosted in a Docker container; we are provided with the Dockerfile. It is a login interface that allows creating new users and uploading files with common image file extensions. The users are managed by CouchDB and the service sits behind HAProxy. ...

December 2, 2021 · 4 min · nh1729, n1k0, t0b1

The Vault

After following a series of tips, you have arrived at your destination; a giant vault door. Water drips and steam hisses from the locking mechanism, as you examine the small display - “PLEASE SUPPLY PASSWORD”. Below, a typewriter for you to input. You must study the mechanism hard - you might only have one shot… Category: Reversing Solver: s3rpentL0ver Flag: HTB{vt4bl3s_4r3_c00l_huh} Writeup The challenge is downloaded via a zip file. After unpacking it, we get a single executable file named “vault”. The first thing we do when we download a potentially malicious executable is, of course, to execute it. The output looks like this: ...

December 2, 2021 · 5 min · s3rpentL0ver

Tree of danger

As you approach SafetyCorp’s headquarters, you come across an enormous cogwork tree, and as you watch, a mechanical snake slithers out of a valve, inspecting you carefully. Can you build a disguise, and slip past it? Category: misc Solver: 3mb0, lmarschk Flag: HTB{45ts_4r3_pr3tty_c00l!} Writeup For this challenge, we can download the Python code (Python 3.10, to be able to use the new match-case statement) of a server that offers Python remote code execution via eval. The server has some security checks that are meant to prevent us from executing arbitrary Python code: ...

December 2, 2021 · 3 min · 3mb0, lmarschk

Upgrades

We received this strange advertisement via pneumatic tube, and it claims to be able to do amazing things! But we suspect there’s something strange in it, can you uncover the truth? Category: reversing Solver: rgw, 3mb0 Flag: HTB{33zy_VBA_M4CR0_3nC0d1NG} Writeup For this challenge, we can download a zip file. When unpacking it, we see a single file Upgrades.pptm. When opening the presentation in LibreOffice, we immediately find that it contains macros: ...

December 2, 2021 · 3 min · rgw, 3mb0

Waiting List

Your mechanical arm needs to be replaced. Unfortunately, Steamshake Inc which is the top mechanical arm transplants has a long waiting list. You have found a SQL injection vulnerability and recovered two tables from their database. Could you take advantage of the information in there to speed things up? Don’t forget, you have a date on Monday! Category: crypto Solver: n1k0 Flag: HTB{t3ll_m3_y0ur_s3cr37_w17h0u7_t3ll1n9_m3_y0ur_s3cr37_15bf7w} Writeup In the provided source code we see that we need to provide a signed message (ECDSA) for a specific appointment to get the flag. Additionally, there is a list of appointments and a list of signatures for these appointments, so probably we need to use these to forge a signature. It is suspicious that we also get the 7 least significant bits of the nonce k used for each signature. A quick search on malleability and private key recovery of ECDSA signatures [1][2] reveals that not only the reuse of k or a bias in its selection poses a security issue: leakage of the nonce, even a partial one, can be used to recover the private key if enough signatures are provided. ...
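Why a few known nonce bits per signature are enough, as an added derivation that is not part of the original writeup (symbols: group order $q$, private key $x$, message hash $h_i$, signature $(r_i, s_i)$, nonce $k_i$ whose 7 least significant bits $\ell_i$ are leaked). The signing equation

$$
s_i \equiv k_i^{-1}\,(h_i + r_i x) \pmod q
\quad\Longrightarrow\quad
k_i \equiv s_i^{-1} h_i + s_i^{-1} r_i\, x \pmod q
$$

is linear in $x$ once $k_i$ is written as $k_i = 2^{7} k_i' + \ell_i$ with $0 \le k_i' < q/2^{7}$:

$$
k_i' \equiv \underbrace{2^{-7}\bigl(s_i^{-1} h_i - \ell_i\bigr)}_{a_i}
\;+\;
\underbrace{2^{-7} s_i^{-1} r_i}_{t_i}\; x \pmod q .
$$

Each signature therefore yields one sample of the hidden number problem, $\bigl|(t_i x + a_i) \bmod q\bigr| < q/2^{7}$ with $t_i$ and $a_i$ known, and a lattice built from the $t_i$, $a_i$ and $q$ (solved with LLL or BKZ as a closest-vector problem) recovers $x$ once the total number of leaked bits comfortably exceeds $\log_2 q$, which for a 256-bit curve and 7 bits per signature is a few dozen signatures. With $x$ in hand, signing the wanted appointment is ordinary ECDSA.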

December 2, 2021 · 2 min · n1k0

baby bonechewercon

The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so? Category: web Solver: davex, shm0sby Flag: HTB{b3nt_tw1g_t0_my_will!} Writeup The task was very simple. We had the source code of the challenge and knew there was a /flag file which might contain our flag. ;) The challenge used Symfony as the application framework and Twig as the templating engine. We simply had to use a basic Twig injection payload, as documented in [1]. ...

March 24, 2021 · 1 min · davex, shm0sby

Confirmation of Identity

I wrote this advanced program to only work on my computer but I think I might have made a mistake somewhere, as I can’t even confirm my own identity. Category: reversing Solver: t0b1 Flag: HTB{Id3nt1ty_c0nf1rmat1on} Writeup In this challenge we get a Windows executable. We open it up in Ghidra to see what it does. The main function prints Starting to confirm identity... and then calls RegOpenKeyExA with Control Panel\Desktop as the key argument. ...

March 24, 2021 · 4 min · t0b1

Double Agents

After a long investigation we have revealed the enemy’s service, which provides their agents with any needed documents. Recent events indicate that there are double agents among us. We need to read the double_agents.txt file in order to identify their names and treat them accordingly. Can you do it? Category: crypto Solver: kh1 Flag: HTB{1v_sh01d_b3_r4nd0m} Writeup When connecting to the server, it sends Welcome, agent! Request a document: Whatever we send after this, the server interprets as hexadecimal data and decodes it. If the decoded data is a multiple of 16 bytes long, it is decrypted (using AES in CBC mode) and the content of the file whose name is the decrypted string is returned. ...

March 24, 2021 · 2 min · kh1