baby bonechewercon

The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so? Category: web Solver: davex, shm0sby Flag: HTB{b3nt_tw1g_t0_my_will!} Writeup The task was very simple. We had the source code of the challenge and we knew there was /flag which might contain our flag. ;) The challenge used Symfony as application framework and Twig as templating engine. We simply had to use basic injection on Twig which could be found in [1]....

March 24, 2021 · 1 min · davex, shm0sby

Confirmation of Identity

I wrote this advanced program to only work on my computer but I think I might have made a mistake somewhere, as I can’t even confirm my own identity. Category: reversing Solver: t0b1 Flag: HTB{Id3nt1ty_c0nf1rmat1on} Writeup In this challenge we get a Windows executable. We open it up in Ghidra to see what it does. The main function is printing Starting to confirm identity... and then calls the RegOpenKeyExA function with Control Panel\Desktop as the argument....

March 24, 2021 · 4 min · t0b1

Double Agents

After a long investigation we have revealed the enemy’s service, which provides their agents with any needed documents. Recent events indicate that there are double agents among us. We need to read the double_agents.txt file in order to identify their names and treat them accordingly. Can you do it? Category: crypto Solver: kh1 Flag: HTB{1v_sh01d_b3_r4nd0m} Writeup When connecting to the server, it sends Welcome, agent! Request a document: When sending something after this, the server interprets it as hexadecimal data and decodes it....

March 24, 2021 · 2 min · kh1

HideAndSeek

Hackers made it onto one of our production servers. We’ve isolated it from the internet until we can clean the machine up. The IR team reported four different backdoors on the server, but didn’t mention what they were and we currently can’t get in touch with them. We need to get this server back into prod ASAP - we’re losing money every second it’s down. Please find the four backdoors (both remote access and privilege escalation) and remove them....

March 24, 2021 · 4 min · lmarschk, mp455, 3mb0

Locked Out

Our domain has been attacked. An APT group has taken over our server and they have locked us out. Our incident response team was able to find some files added on the upload directory but havent been able to extract any information from them. Could you help us login back? Category: crypto Solver: Miroka, HTTP418, kh1 Flag: HTB{15b_4tt4ck5_4r3_c001} Writeup What we got encryption.py - the script used to encrypt the new password leaks - the script’s variables n, rp, and rq new_password - the encrypted new password encryption....

March 24, 2021 · 4 min · miroka, HTTP418, kh1

mathemoji

Time for an emoji-test! No need to worry.. You have 500 seconds to answer 100 questions. Five seconds for each question is more than enough! You need to score 100/100 in order to win an amazing prize! Good luck! Category: misc Solver: lmarschk Flag: HTB{3m0j1s_R_fUn_4nd_m4k3_m3_c0d3_f4st} Writeup Starting with a telnet connection to the server, we are given a set of questions: Trying 139.59.202.58... Connected to docker.hackthebox.eu. Escape character is '^]'....

March 24, 2021 · 6 min · lmarschk

Missing Pieces

There is serious suspicion that John is a double agent. We found the cipher in his trash can. It looks like he extracted the message and forgot to get rid of the evidence. Can you decrypt the secret message? Category: crypto Solver: kh1 Flag: HTB{m1551ng_v4lu35_m4k3_m3_s1ck} Writeup flag.txt contains a list of 32 lists containing 32 numbers from 0 to 255 each. This is a One-Time-Pad with 32 parts, xoring the lists and interpreting the result as ascii code gives the flag....

March 24, 2021 · 39 min · kh1

one line php challenge

Just some not so regular disable_functions / open_basedir PHPfu. Category: web Solver: davex, shm0sby, lmarschk Flag: HTB{iconv_r34lly_b3_d01ng_us_lik3_th4t} Writeup The challenge php file was quite simple itself, it was a Docker container with some further configs. The configs were the more interesting thing. The php file only included an GET-parameter which then has been sent to an eval()-call. Also we know there is a file called /readflag which obviously prints the flag....

March 24, 2021 · 5 min · davex, shm0sby, lmarschk

Patch of the Ninja

A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will they be able to overcome this enemy? Category: reversing Solver: 3mb0, HTTP418, mp455 Flag: HTB{Retr0_Kunai} Writeup We found ourself here in a reversing challenge. So - as we were used to - we prepare for a static binary analysis. Open Ghidra and install the GhidraBoy [1] to inspect the Game Boy ROM....

March 24, 2021 · 2 min · 3mb0, HTTP418, mp455

reality check

You’re being interrogated in the enemy’s headquarters. Fake it and get out of there alive, without telling them anything! Category: pwn Solver: t0b1, Pandoron Flag: HTB{m0ms_sp4gh3tt1_1s_f4k3!} Writeup The first thing we do is running the checksec tool to get any clues where this challenge might be heading. It outputs the following. [*] '/home/user/htb-unictf-2020/finals/pwn/reality_check/reality_check' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) We extract the following information:...

March 24, 2021 · 5 min · t0b1, Pandoron

Remote

A remote facility is secured by a two-part access control system. The exterior device contains a keypad that is connected to a microcontroller, which sends entered passwords to a remote API for authorization. During an operation, we succeeded in tapping the connection between the keypad and embedded device. The only thing preventing us from gaining access to the facility now is to decode the obtained data and send the password to /api....

March 24, 2021 · 1 min · kh1

Synchronous Keypad

During your usual crop field stroll you were abducted by aliens. Luckily you were able to escape their grip and flee to an escape pod, but alas starting it requires a key code. Figure out how this strange mechanism works and return to earth. Category: reversing Solver: t0b1 Flag: HTB{_3st3r31K3yP4d_} Writeup In this challenge we get a binary. We start by analyzing it in Ghidra and find the following main function (we already renamed the functions to be more readable)....

March 24, 2021 · 4 min · t0b1

time if of the essence

While I was surfing the web I probably clicked something that I shouldn’t have, and now I believe that someone knows everything about me. Help me find out what is going on! The profile is Win10x64_17134. drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Category: forensics Solver: 3mb0, mp455 Flag: HTB{t3ll_me_@ll_Your_S3cr3ts} Writeup This time we got an url: drive.google.com/file/d/1bwsV4ESzTVlEHeSyIjJROdxUgt31aBQ5 Here we find a zip archive containing two files: tioe.pcap and ioe.raw tioe.pcap Let’s focus on tioe....

March 24, 2021 · 5 min · mp455, 3mb0

tvQuizGame

A famous TV channel has decided to deploy Smart Contracts in a novel quiz game format. They want an audit of their code to make sure they are ready for the official launch. Will you be able to steal the ether stored in this contract? Category: blockchain Solver: davex, lmarschk Flag: HTB{N0b0dY_WiLL_R3ceIv3_M0n3y} Writeup In this challenge, you receive the address of a deployed smart contract and its source code....

March 24, 2021 · 3 min · davex, lmarschk

WafWaf

Who let the blacklists out? Category: web Solver: davex, shm0sby Flag: HTB{wh0_l3t_th3_w4fs_0ut?!..w00f..w00f.w00f!} Writeup When you entered the site of the challenge the site directly gives you the source of the challenge. <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) ....

March 24, 2021 · 3 min · davex, shm0sby

Welcome

Join the HTB x UNI Finals discord channel. Category: warmup Solver: t0b1 Flag: HTB{f1n4lists_ass3mbl3_f0r_th3_ult1m4t3_pwn4ge_ev3nt} Writeup As the challenge description states, one has to join the HTB x UNI Finals discord channel. There we find the uni-ctf-finals-rules channel that contains the rules of the CTF. Carefully reading the rules, just like every good CTF player, we find the flag in there. How generous!...

March 24, 2021 · 1 min · t0b1

Zipper

The SOC identified a bunch of suspicious emails with ZIP attachments. The zips don’t have executables in them, so how dangerous can they be? Category: forensics Solver: 3mb0, mp455 Flag: HTB{d4ng3r0Us_z1p_ZiP_z1pp3R} Writeup In the provided zip archive there is another archive callled zipper.zip. We can also extract this archive to the files zipper.jpg and zipper.lnk. As .lnk is the file extension for windows shortcuts we inspect its properties. As target there is...

March 24, 2021 · 2 min · mp455, 3mb0

Arcade

If you are not strong enough to beat the boss, you need to find another way to win the game! Category: Misc Solver: t0b1 Writeup In this challenge we get a binary. As the description says, we need to find another way to win the game!. Running the binary shows that its a little game. At first we can choose between two game modes. Obviously the Izi! mode is not available ;)....

7 min · t0b1

Baby Rebellion

The earth has been taken over by cyborgs for a long time. We are a group of humans, called ‘The Rebellion’, fighting for our freedom. Lately, cyborgs have set up a lab where they insert microchips inside humans to track them down. Our team of IT experts has hacked one of the cyborgs' mail servers. There is a suspicious encrypted mail which possibly contains information related to the location of the lab....

2 min · lmarschk

Block

We intercepted a serial communication between two microcontrollers. It seems that the first microcontroller is using a weird protocol to access a flash memory controlled by the second microcontroller. We were able to retrieve 16 sectors of the memory before the connection was disrupted. Can you retrieve what it was read? Category: Hardware Solver: davex Writeup For this challenge, the only thing you received was a zip file containing two files....

3 min · davex

Buggy Time Machine

I am the Doctor and I am in huge trouble. Rumors have it, you are the best time machine engineer in the galaxy. I recently bought a new randomiser for Tardis on Yquantine, but it must be counterfeit. Now every time I want to time travel, I will end up in a random year. Could you help me fix this? I need to find Amy and Rory! Daleks are after us....

4 min · miroka

Cached Web

I made a service for people to cache their favourite websites, come and check it out! But don’t try anything funny, after a recent incident we implemented military grade IP based restrictions to keep the hackers at bay… Category: web Solver: davex, lmarschk Writeup The first look at the challenge already gave an intuition how the solution looks like. The title of the web page was Rebind Me. This hints that the solution might be a DNS Rebind attack....

3 min · davex, lmarschk

Cargo Delivery

Chasa, world’s most dangerous gangster, is planning to equip his team with new tools. There is a cargo ship arriving tomorrow morning and the coast guard needs your help to seize the cargo. Our investigators have found the crypto service used by Chasa and his team to communicate for these kind of jobs. Can you decrypt the broadcasted message and identify the container to be seized? Category: Crypto...

5 min · 3mb0, mp455, lmarschk

Coffee Invocation

Our new conspiracy theorist intern has blocked everyone from the coffee machine because he saw that aliens were trying to steal the “out of the world” secret recipe. Your mission is to unveil the secrets that lie behind his profound madness and teach him a javaluable lesson. Category: Reversing Solvers: t0b1, lmarschk TL;DR This challenges was very nice but also hell of a ride. The main thing being done here is to use the Java Native Interface (JNI) to run a JVM from native C++ code....

13 min · t0b1, lmarschk

Exfil

We think our website has been compromised by a bad actor. We have noticed some weird traffic coming from a user, could you figure out what has been exfiltrated? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured network packets. Since the description stated worries about the website we can filter the packets for http....

3 min · mp455