Arcade

If you are not strong enough to beat the boss, you need to find another way to win the game! Category: Misc Solver: t0b1 Writeup In this challenge we get a binary. As the description says, we need to find another way to win the game!. Running the binary shows that its a little game. At first we can choose between two game modes. Obviously the Izi! mode is not available ;). ...

March 1, 2021 · 7 min · t0b1

Baby Rebellion

The earth has been taken over by cyborgs for a long time. We are a group of humans, called ‘The Rebellion’, fighting for our freedom. Lately, cyborgs have set up a lab where they insert microchips inside humans to track them down. Our team of IT experts has hacked one of the cyborgs’ mail servers. There is a suspicious encrypted mail which possibly contains information related to the location of the lab. Can you decrypt the message and find the coordinates of the lab? ...

March 1, 2021 · 2 min · lmarschk

Block

We intercepted a serial communication between two microcontrollers. It seems that the first microcontroller is using a weird protocol to access a flash memory controlled by the second microcontroller. We were able to retrieve 16 sectors of the memory before the connection was disrupted. Can you retrieve what it was read? Category: Hardware Solver: davex Writeup For this challenge, the only thing you received was a zip file containing two files. ...

March 1, 2021 · 3 min · davex

Buggy Time Machine

I am the Doctor and I am in huge trouble. Rumors have it, you are the best time machine engineer in the galaxy. I recently bought a new randomiser for Tardis on Yquantine, but it must be counterfeit. Now every time I want to time travel, I will end up in a random year. Could you help me fix this? I need to find Amy and Rory! Daleks are after us. Did I say I am the Doctor? ...

March 1, 2021 · 4 min · miroka

Cached Web

I made a service for people to cache their favourite websites, come and check it out! But don’t try anything funny, after a recent incident we implemented military grade IP based restrictions to keep the hackers at bay… Category: web Solver: davex, lmarschk Writeup The first look at the challenge already gave an intuition how the solution looks like. The title of the web page was Rebind Me. This hints that the solution might be a DNS Rebind attack. ...

March 1, 2021 · 3 min · davex, lmarschk

Cargo Delivery

Chasa, world’s most dangerous gangster, is planning to equip his team with new tools. There is a cargo ship arriving tomorrow morning and the coast guard needs your help to seize the cargo. Our investigators have found the crypto service used by Chasa and his team to communicate for these kind of jobs. Can you decrypt the broadcasted message and identify the container to be seized? Category: Crypto Solvers: 3mb0, mp455, lmarschk ...

March 1, 2021 · 5 min · 3mb0, mp455, lmarschk

Coffee Invocation

Our new conspiracy theorist intern has blocked everyone from the coffee machine because he saw that aliens were trying to steal the “out of the world” secret recipe. Your mission is to unveil the secrets that lie behind his profound madness and teach him a javaluable lesson. Category: Reversing Solvers: t0b1, lmarschk TL;DR This challenges was very nice but also hell of a ride. The main thing being done here is to use the Java Native Interface (JNI) to run a JVM from native C++ code. Then the behaviour of functions like Character.valueOf or System.exit is altered to obfuscate what is being done. In the end it uses several mappings to encode the flag in the binary. ...

March 1, 2021 · 13 min · t0b1, lmarschk

Exfil

We think our website has been compromised by a bad actor. We have noticed some weird traffic coming from a user, could you figure out what has been exfiltrated? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured network packets. Since the description stated worries about the website we can filter the packets for http. ...

March 1, 2021 · 3 min · mp455

Gunship

A classmate was assigned with developing a website using a prototype-based language called Javascript. Now we have Gunship, a tribute page to the legendary synthwave band.. what could possibly go wrong? Solver: davex Category: web Walktthrough The first look at the challenge already hinted at a part of the solution. The title of the challenge webpage is This hints that AST injections will be part of this challenge. Furthermore, the first look into the sourcecode of the challenge gave a huge hint for the solution ...

March 1, 2021 · 5 min · davex

HTBxUni AI

We added a new AI to our server (discord.gg/hackthebox) called “HTB × Uni AI”, in order to help our members with data analysis. However, the bot has now gone rogue and is trying to deactivate the server itself, as it perceives it as a threat. We can’t get in contact with the server administrator and the bot has disabled interactions with it, can you help us deactivate the AI bot and save the server by using the !shutdown command on the bot? ...

March 1, 2021 · 2 min · t0b1

ircware

During a routine check on our servers we found this suspicious binary, but when analyzing it we couldn’t get it to do anything. We assume it’s dead malware but maybe something interesting can still be extracted from it? HTB{m1N1m411st1C_fL4g_pR0v1d3r_b0T} Category: Reversing Solver: Pandoron Writeup We start by trying to execute this binary on a linux system, since this is an ELF64 binary, which immediately returns with an exception: “EXCEPTION! ABORT”: pandoron@kali:~/Desktop/CTF$ ./ircware.file EXCEPTION! ABORT So let us just dive into the static analysis of this challenge and find where the error message is referenced. I used the program “binary ninja” to disassemble and also partially decompile it. All symbols where stripped from the binary, so all symbols you will see here are manually annotated by me using binary ninja. ...

March 1, 2021 · 5 min · Pandoron

kapKan

We received an email from one of our clients regarding an invoice, with contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look? Category: forensics Solver: mp455 Writeup Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening/executing it for the moment. But there are other ways to inspect docx documents: ...

March 1, 2021 · 2 min · mp455

kindergarten

When you set the rules, everything is under control! Or not? Category: Pwn Solver: Pandoron, t0bi First let’s run checksec kindergarten. [*] '/home/user/htb-unictf-2020/kindergarten/kindergarten' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments This is good! No stack canary, no position independent code. This must be easy, right? main function undefined8 main(void) { size_t sVar1; setup(); sec(); sVar1 = strlen(&kids_must_follow); write(1,&kids_must_follow,sVar1); read(0,ans,0x60); kinder(); sVar1 = strlen("Have a nice day!!\n"); write(1,"Have a nice day!!\n",sVar1); return 0; } setup setups the challenge buffering for networking. No buffering is used. Everything is written as soon as possible. ...

March 1, 2021 · 3 min · Pandoron, t0b1

mirror

You found an ol’ dirty mirror inside an abandoned house. This magic mirror reflects your most hidden desires! Use it to reveal the things you want the most in life! Don’t say too much though.. Category: Pwn Solver: t0b1 Writeup We start by using the checksec tool, to check what security measures are enabled on the binary. $ checksec mirror [*] '/home/user/htb-unictf-2020/mirror/mirror' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled We see that no canary is found, which means that we will most likely have to exploit a stack based buffer overflow to overwrite some values on the stack. ...

March 1, 2021 · 7 min · t0b1

moneyHeist

The Royal Mint of Spain has just called, all their money’s gone. It seems to be coming from their new credit card system linked to the blockchain. Can you investigate and replicate the exploit? They just deployed a test contract for you, steal the ether they stored on it! Category: Blockchain Solver: davex, shm0sby Writeup When we opened up the challenge website we received the code of the deployed smart contract and the address of this contract. We shorted the source of the contract to the important parts ...

March 1, 2021 · 3 min · davex, shm0sby

my name is

I’ve been once told that my name is difficult to pronounce and since then I’m using it as a password for everything. Category: Reversing Solver: t0b1 Writeup We get a binary called my_name_is. Running the file command tells us that it is a 32-bit, dynamically linked executable. It also shows that the binary is not stripped, which is useful when decompiling it. $ file my_name_is my_name_is: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8d536794885d0c91e2270d7c6b9a9f14dda9739, not stripped Running the binary itself gives us the following output. ...

March 1, 2021 · 3 min · t0b1

Patch of the Ninja

A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy?A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy? Category: Reverse Solver: t0b1, lmarschk For this challenge, the gameboy rom was supplied. Walkthrough Download the binary Find out it is a gameboy rom apt install visualboyadvance VisualBoyAdvance Patchofthe_Ninja.gb GameBoy game runs, there is a Dojo that can’t be entered It says: I need to patch the evil spirits away Lets use GhidraBoy for Ghidra and sameboy to debug and patch the binary. Find out that all prior steps were not needed, just use the simple, old stuff: Use strings Patchofthe_Ninja.gb | grep HTB to get the flag HTB{C00l_Shurik3n} lmm@lmm-think-05:~/Documents/htb/ctf_2020$ strings -n 10 Patch_of_the_Ninja.gb 3>PATCHOFTHENINJA #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#2^#V!b0 9^#V#~#foDM! 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM V+^+F+N+:ng #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! ~++2^#V!b> You have retrieved Congratulations! This is not the Flag you're looking for. Where am i? What For a second I felt really weird, what happened? My head hurts a lot, what was Ninjas don't run away from a challenge... The water seems very calm. Hey you shouldn't be in here! This is the "Hack the box" server room. Staff only! He's stuck in some trance-like I need to patch the evil spirits HTB{C00l_Shurik3n} ` ` ` p h ` ` ` ` d j ` ` ` p ` ()*+,-./0123456( 789:;<=>?@ABCDE7 **much more content** ...

March 1, 2021 · 2 min · lmarschk, t0b1

Plug

One of our client have reported that they might have been compromised and they don’t know how this happened, we have dump everything including USB traffic. Can you look at it and find out how our client got the virus in the first place? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured USB traffic. ...

March 1, 2021 · 1 min · mp455

Rigged Lottery

Is everything in life completely random? Are we unable to change our fate? Or maybe we can change the future and even manipulate randomness?! Is luck even a thing? Try your “luck”! Category: Misc Solvers: t0b1, lmarschk Writeup In this challenge we get a binary and can spawn a docker container. Downloading and running the binary yields the following output. 💎 Cosy Casino 💎 Current cosy coins: 69.69 1. Generate lucky number. 2. Play game. 3. Claim prize. 4. Exit. Afterwards, we took a look into the decompiled sources of the program. The main function is straight forward. ...

March 1, 2021 · 4 min · t0b1, lmarschk

Trace

During the attempt to exploit a secure crypto-processor we identified some embedded logic in it. We were able to recreate the logic diagram and make a block diagram to map its connections to the original circuit. We need to identify its use, which may lead to compromising the chip. Category: Hardware Solver: davex Writeup We first looked up the content of the challenge website is. When you entered the website you could saw a diagram of the system described in the description. ...

March 1, 2021 · 3 min · davex

Weak RSA

A rogue employe managed to steal a file from his work computer, he encrypted the file with RSA before he got apprehended. We only managed to recover the public key, can you help us decrypt this ciphertext? Category: Crypto Solvers: 3mb0, lmarschk, HTTP418, miroka For this challenge, we had a public RSA key with 1026 Bit and a file that was encrypted with the corresponding private key. First approach: manual generate private key We analyzed the given public key with openssl rsa -noout -text -inform PEM -in pubkey.pem -pubin: ...

March 1, 2021 · 3 min · 3mb0, lmarschk, HTTP418, miroka

Welcome

Join the HTB x UNI Qualifications discord channel. Category: Welcome Solver: t0bi Walkthrough The challenge description states that we should join the HTB x Uni Qualifications discord channel. From the CTF intro slides we know that we have to message the HackTheBoxBot with ++htbctf uni-ctf-2020 {Un!CTF_0f_HTB_2020_is_l33t}. Doing that will add us to the Uni CTF support channels. There we find the uni-ctf-rules channel. Carefully reading the rules reveals the flag in the following rule. 5. Do not try to exchange flags/write-ups/hints of the challenges during the competition with other teams participating or to other external entities. HTB{l3t_th3_htb_x_uni_ctf_pwn1ng_b3g1n}. ...

March 1, 2021 · 1 min · t0b1