Writeups

Hackers made it onto one of our production servers. We’ve isolated it from the internet until we can clean the machine up. The IR team reported four different backdoors on the server, but didn’t mention what they were and we currently can’t get in touch with them. We need to get this server back into prod ASAP - we’re losing money every second it’s down. Please find the four backdoors (both remote access and privilege escalation) and remove them. Your creds are user / hackthebox, and that user will have full sudo rights, so running sudo su - will provide a shell as root. Remove any malicious files and configurations, and then run /root/solveme as root to get the flag. ...

Our domain has been attacked. An APT group has taken over our server and they have locked us out. Our incident response team was able to find some files added on the upload directory but havent been able to extract any information from them. Could you help us login back? Category: crypto Solver: Miroka, HTTP418, kh1 Flag: HTB{15b_4tt4ck5_4r3_c001} Writeup What we got encryption.py - the script used to encrypt the new password leaks - the script’s variables n, rp, and rq new_password - the encrypted new password encryption.py resembles RSA encryption with two primes p and q that are slightly above square numbers and the variables rp = 228 and rq = 75 tell us, how much above. We have also given the implicit RSA-e-Variable of the public key as it is a constant in the encryption.py. ...

Time for an emoji-test! No need to worry.. You have 500 seconds to answer 100 questions. Five seconds for each question is more than enough! You need to score 100/100 in order to win an amazing prize! Good luck! Category: misc Solver: lmarschk Flag: HTB{3m0j1s_R_fUn_4nd_m4k3_m3_c0d3_f4st} Writeup Starting with a telnet connection to the server, we are given a set of questions: Trying 139.59.202.58... Connected to docker.hackthebox.eu. Escape character is '^]'. You have only a few seconds for each question! Be fast! ⏰ Question 1: ❌ 🌞 🍧 👺 🦄 - 🦄 ❌ 🦄 👺 Answer: > 123 Time: 2.47 Wrong answer! 😿 The correct answer was 11382 The problem is, that when it is taking too long to get an answer, the connection will be shut down from the server. So there is no possibility to solve this one “by hand”, needing a script in order to do so. ...

There is serious suspicion that John is a double agent. We found the cipher in his trash can. It looks like he extracted the message and forgot to get rid of the evidence. Can you decrypt the secret message? Category: crypto Solver: kh1 Flag: HTB{m1551ng_v4lu35_m4k3_m3_s1ck} Writeup flag.txt contains a list of 32 lists containing 32 numbers from 0 to 255 each. This is a One-Time-Pad with 32 parts, xoring the lists and interpreting the result as ascii code gives the flag. ...

Just some not so regular disable_functions / open_basedir PHPfu. Category: web Solver: davex, shm0sby, lmarschk Flag: HTB{iconv_r34lly_b3_d01ng_us_lik3_th4t} Writeup The challenge php file was quite simple itself, it was a Docker container with some further configs. The configs were the more interesting thing. The php file only included an GET-parameter which then has been sent to an eval()-call. Also we know there is a file called /readflag which obviously prints the flag. ...

A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will they be able to overcome this enemy? Category: reversing Solver: 3mb0, HTTP418, mp455 Flag: HTB{Retr0_Kunai} Writeup We found ourself here in a reversing challenge. So - as we were used to - we prepare for a static binary analysis. Open Ghidra and install the GhidraBoy [1] to inspect the Game Boy ROM. ...

You’re being interrogated in the enemy’s headquarters. Fake it and get out of there alive, without telling them anything! Category: pwn Solver: t0b1, Pandoron Flag: HTB{m0ms_sp4gh3tt1_1s_f4k3!} Writeup The first thing we do is running the checksec tool to get any clues where this challenge might be heading. It outputs the following. [*] '/home/user/htb-unictf-2020/finals/pwn/reality_check/reality_check' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) We extract the following information: ...

A remote facility is secured by a two-part access control system. The exterior device contains a keypad that is connected to a microcontroller, which sends entered passwords to a remote API for authorization. During an operation, we succeeded in tapping the connection between the keypad and embedded device. The only thing preventing us from gaining access to the facility now is to decode the obtained data and send the password to /api. ...

During your usual crop field stroll you were abducted by aliens. Luckily you were able to escape their grip and flee to an escape pod, but alas starting it requires a key code. Figure out how this strange mechanism works and return to earth. Category: reversing Solver: t0b1 Flag: HTB{_3st3r31K3yP4d_} Writeup In this challenge we get a binary. We start by analyzing it in Ghidra and find the following main function (we already renamed the functions to be more readable). ...

While I was surfing the web I probably clicked something that I shouldn’t have, and now I believe that someone knows everything about me. Help me find out what is going on! The profile is Win10x64_17134. drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Category: forensics Solver: 3mb0, mp455 Flag: HTB{t3ll_me_@ll_Your_S3cr3ts} Writeup This time we got an url: drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Here we find a zip archive containing two files: tioe.pcap and ioe.raw tioe.pcap Let’s focus on tioe.pcap. This packet capture file can be divided in two parts. First HTTP Traffic and after that plain TCP streams. ...

A famous TV channel has decided to deploy Smart Contracts in a novel quiz game format. They want an audit of their code to make sure they are ready for the official launch. Will you be able to steal the ether stored in this contract? Category: blockchain Solver: davex, lmarschk Flag: HTB{N0b0dY_WiLL_R3ceIv3_M0n3y} Writeup In this challenge, you receive the address of a deployed smart contract and its source code. The source of the contract is: ...

Who let the blacklists out? Category: web Solver: davex, shm0sby Flag: HTB{wh0_l3t_th3_w4fs_0ut?!..w00f..w00f.w00f!} Writeup When you entered the site of the challenge the site directly gives you the source of the challenge. <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) . '<br/>'; } $result->free(); } } while ($mysql->next_result()); $mysql->close(); As you can see we can enter two variables via getting parameters and they are checked for some keywords. Therefore we are not permitted to have a select, union or where statement (case insensitive) or neither a ' nor ( in our variables. ...

Join the HTB x UNI Finals discord channel. Category: warmup Solver: t0b1 Flag: HTB{f1n4lists_ass3mbl3_f0r_th3_ult1m4t3_pwn4ge_ev3nt} Writeup As the challenge description states, one has to join the HTB x UNI Finals discord channel. There we find the uni-ctf-finals-rules channel that contains the rules of the CTF. Carefully reading the rules, just like every good CTF player, we find the flag in there. How generous!

The SOC identified a bunch of suspicious emails with ZIP attachments. The zips don’t have executables in them, so how dangerous can they be? Category: forensics Solver: 3mb0, mp455 Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R} Writeup In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is ...

If you are not strong enough to beat the boss, you need to find another way to win the game! Category: Misc Solver: t0b1 Writeup In this challenge we get a binary. As the description says, we need to find another way to win the game!. Running the binary shows that its a little game. At first we can choose between two game modes. Obviously the Izi! mode is not available ;). ...

The earth has been taken over by cyborgs for a long time. We are a group of humans, called ‘The Rebellion’, fighting for our freedom. Lately, cyborgs have set up a lab where they insert microchips inside humans to track them down. Our team of IT experts has hacked one of the cyborgs’ mail servers. There is a suspicious encrypted mail which possibly contains information related to the location of the lab. Can you decrypt the message and find the coordinates of the lab? ...

We intercepted a serial communication between two microcontrollers. It seems that the first microcontroller is using a weird protocol to access a flash memory controlled by the second microcontroller. We were able to retrieve 16 sectors of the memory before the connection was disrupted. Can you retrieve what it was read? Category: Hardware Solver: davex Writeup For this challenge, the only thing you received was a zip file containing two files. ...

I am the Doctor and I am in huge trouble. Rumors have it, you are the best time machine engineer in the galaxy. I recently bought a new randomiser for Tardis on Yquantine, but it must be counterfeit. Now every time I want to time travel, I will end up in a random year. Could you help me fix this? I need to find Amy and Rory! Daleks are after us. Did I say I am the Doctor? ...

I made a service for people to cache their favourite websites, come and check it out! But don’t try anything funny, after a recent incident we implemented military grade IP based restrictions to keep the hackers at bay… Category: web Solver: davex, lmarschk Writeup The first look at the challenge already gave an intuition how the solution looks like. The title of the web page was Rebind Me. This hints that the solution might be a DNS Rebind attack. ...

Chasa, world’s most dangerous gangster, is planning to equip his team with new tools. There is a cargo ship arriving tomorrow morning and the coast guard needs your help to seize the cargo. Our investigators have found the crypto service used by Chasa and his team to communicate for these kind of jobs. Can you decrypt the broadcasted message and identify the container to be seized? Category: Crypto Solvers: 3mb0, mp455, lmarschk ...

Our new conspiracy theorist intern has blocked everyone from the coffee machine because he saw that aliens were trying to steal the “out of the world” secret recipe. Your mission is to unveil the secrets that lie behind his profound madness and teach him a javaluable lesson. Category: Reversing Solvers: t0b1, lmarschk TL;DR This challenges was very nice but also hell of a ride. The main thing being done here is to use the Java Native Interface (JNI) to run a JVM from native C++ code. Then the behaviour of functions like Character.valueOf or System.exit is altered to obfuscate what is being done. In the end it uses several mappings to encode the flag in the binary. ...

We think our website has been compromised by a bad actor. We have noticed some weird traffic coming from a user, could you figure out what has been exfiltrated? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured network packets. Since the description stated worries about the website we can filter the packets for http. ...

A classmate was assigned with developing a website using a prototype-based language called Javascript. Now we have Gunship, a tribute page to the legendary synthwave band.. what could possibly go wrong? Solver: davex Category: web Walktthrough The first look at the challenge already hinted at a part of the solution. The title of the challenge webpage is This hints that AST injections will be part of this challenge. Furthermore, the first look into the sourcecode of the challenge gave a huge hint for the solution ...

We added a new AI to our server (discord.gg/hackthebox) called “HTB × Uni AI”, in order to help our members with data analysis. However, the bot has now gone rogue and is trying to deactivate the server itself, as it perceives it as a threat. We can’t get in contact with the server administrator and the bot has disabled interactions with it, can you help us deactivate the AI bot and save the server by using the !shutdown command on the bot? ...

During a routine check on our servers we found this suspicious binary, but when analyzing it we couldn’t get it to do anything. We assume it’s dead malware but maybe something interesting can still be extracted from it? HTB{m1N1m411st1C_fL4g_pR0v1d3r_b0T} Category: Reversing Solver: Pandoron Writeup We start by trying to execute this binary on a linux system, since this is an ELF64 binary, which immediately returns with an exception: “EXCEPTION! ABORT”: pandoron@kali:~/Desktop/CTF$ ./ircware.file EXCEPTION! ABORT So let us just dive into the static analysis of this challenge and find where the error message is referenced. I used the program “binary ninja” to disassemble and also partially decompile it. All symbols where stripped from the binary, so all symbols you will see here are manually annotated by me using binary ninja. ...