Writeups

We received an email from one of our clients regarding an invoice, with contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look? Category: forensics Solver: mp455 Writeup Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening/executing it for the moment. But there are other ways to inspect docx documents: ...

When you set the rules, everything is under control! Or not? Category: Pwn Solver: Pandoron, t0bi First let’s run checksec kindergarten. [*] '/home/user/htb-unictf-2020/kindergarten/kindergarten' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments This is good! No stack canary, no position independent code. This must be easy, right? main function undefined8 main(void) { size_t sVar1; setup(); sec(); sVar1 = strlen(&kids_must_follow); write(1,&kids_must_follow,sVar1); read(0,ans,0x60); kinder(); sVar1 = strlen("Have a nice day!!\n"); write(1,"Have a nice day!!\n",sVar1); return 0; } setup setups the challenge buffering for networking. No buffering is used. Everything is written as soon as possible. ...

You found an ol’ dirty mirror inside an abandoned house. This magic mirror reflects your most hidden desires! Use it to reveal the things you want the most in life! Don’t say too much though.. Category: Pwn Solver: t0b1 Writeup We start by using the checksec tool, to check what security measures are enabled on the binary. $ checksec mirror [*] '/home/user/htb-unictf-2020/mirror/mirror' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled We see that no canary is found, which means that we will most likely have to exploit a stack based buffer overflow to overwrite some values on the stack. ...

The Royal Mint of Spain has just called, all their money’s gone. It seems to be coming from their new credit card system linked to the blockchain. Can you investigate and replicate the exploit? They just deployed a test contract for you, steal the ether they stored on it! Category: Blockchain Solver: davex, shm0sby Writeup When we opened up the challenge website we received the code of the deployed smart contract and the address of this contract. We shorted the source of the contract to the important parts ...

I’ve been once told that my name is difficult to pronounce and since then I’m using it as a password for everything. Category: Reversing Solver: t0b1 Writeup We get a binary called my_name_is. Running the file command tells us that it is a 32-bit, dynamically linked executable. It also shows that the binary is not stripped, which is useful when decompiling it. $ file my_name_is my_name_is: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8d536794885d0c91e2270d7c6b9a9f14dda9739, not stripped Running the binary itself gives us the following output. ...

A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy?A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy? Category: Reverse Solver: t0b1, lmarschk For this challenge, the gameboy rom was supplied. Walkthrough Download the binary Find out it is a gameboy rom apt install visualboyadvance VisualBoyAdvance Patchofthe_Ninja.gb GameBoy game runs, there is a Dojo that can’t be entered It says: I need to patch the evil spirits away Lets use GhidraBoy for Ghidra and sameboy to debug and patch the binary. Find out that all prior steps were not needed, just use the simple, old stuff: Use strings Patchofthe_Ninja.gb | grep HTB to get the flag HTB{C00l_Shurik3n} lmm@lmm-think-05:~/Documents/htb/ctf_2020$ strings -n 10 Patch_of_the_Ninja.gb 3>PATCHOFTHENINJA #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#2^#V!b0 9^#V#~#foDM! 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM V+^+F+N+:ng #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! ~++2^#V!b> You have retrieved Congratulations! This is not the Flag you're looking for. Where am i? What For a second I felt really weird, what happened? My head hurts a lot, what was Ninjas don't run away from a challenge... The water seems very calm. Hey you shouldn't be in here! This is the "Hack the box" server room. Staff only! He's stuck in some trance-like I need to patch the evil spirits HTB{C00l_Shurik3n} ` ` ` p h ` ` ` ` d j ` ` ` p ` ()*+,-./0123456( 789:;<=>?@ABCDE7 **much more content** ...

One of our client have reported that they might have been compromised and they don’t know how this happened, we have dump everything including USB traffic. Can you look at it and find out how our client got the virus in the first place? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured USB traffic. ...

Is everything in life completely random? Are we unable to change our fate? Or maybe we can change the future and even manipulate randomness?! Is luck even a thing? Try your “luck”! Category: Misc Solvers: t0b1, lmarschk Writeup In this challenge we get a binary and can spawn a docker container. Downloading and running the binary yields the following output. 💎 Cosy Casino 💎 Current cosy coins: 69.69 1. Generate lucky number. 2. Play game. 3. Claim prize. 4. Exit. Afterwards, we took a look into the decompiled sources of the program. The main function is straight forward. ...

During the attempt to exploit a secure crypto-processor we identified some embedded logic in it. We were able to recreate the logic diagram and make a block diagram to map its connections to the original circuit. We need to identify its use, which may lead to compromising the chip. Category: Hardware Solver: davex Writeup We first looked up the content of the challenge website is. When you entered the website you could saw a diagram of the system described in the description. ...

A rogue employe managed to steal a file from his work computer, he encrypted the file with RSA before he got apprehended. We only managed to recover the public key, can you help us decrypt this ciphertext? Category: Crypto Solvers: 3mb0, lmarschk, HTTP418, miroka For this challenge, we had a public RSA key with 1026 Bit and a file that was encrypted with the corresponding private key. First approach: manual generate private key We analyzed the given public key with openssl rsa -noout -text -inform PEM -in pubkey.pem -pubin: ...

Join the HTB x UNI Qualifications discord channel. Category: Welcome Solver: t0bi Walkthrough The challenge description states that we should join the HTB x Uni Qualifications discord channel. From the CTF intro slides we know that we have to message the HackTheBoxBot with ++htbctf uni-ctf-2020 {Un!CTF_0f_HTB_2020_is_l33t}. Doing that will add us to the Uni CTF support channels. There we find the uni-ctf-rules channel. Carefully reading the rules reveals the flag in the following rule. 5. Do not try to exchange flags/write-ups/hints of the challenges during the competition with other teams participating or to other external entities. HTB{l3t_th3_htb_x_uni_ctf_pwn1ng_b3g1n}. ...