Gunship

A classmate was assigned with developing a website using a prototype-based language called Javascript. Now we have Gunship, a tribute page to the legendary synthwave band.. what could possibly go wrong? Solver: davex Category: web Walktthrough The first look at the challenge already hinted at a part of the solution. The title of the challenge webpage is This hints that AST injections will be part of this challenge. Furthermore, the first look into the sourcecode of the challenge gave a huge hint for the solution...

5 min · davex

HTBxUni AI

We added a new AI to our server (discord.gg/hackthebox) called “HTB × Uni AI”, in order to help our members with data analysis. However, the bot has now gone rogue and is trying to deactivate the server itself, as it perceives it as a threat. We can’t get in contact with the server administrator and the bot has disabled interactions with it, can you help us deactivate the AI bot and save the server by using the !...

2 min · t0b1

ircware

During a routine check on our servers we found this suspicious binary, but when analyzing it we couldn’t get it to do anything. We assume it’s dead malware but maybe something interesting can still be extracted from it? HTB{m1N1m411st1C_fL4g_pR0v1d3r_b0T} Category: Reversing Solver: Pandoron Writeup We start by trying to execute this binary on a linux system, since this is an ELF64 binary, which immediately returns with an exception: “EXCEPTION!...

5 min · Pandoron

kapKan

We received an email from one of our clients regarding an invoice, with contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look? Category: forensics Solver: mp455 Writeup Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening/executing it for the moment. But there are other ways to inspect docx documents:...

2 min · mp455

kindergarten

When you set the rules, everything is under control! Or not? Category: Pwn Solver: Pandoron, t0bi First let’s run checksec kindergarten. [*] '/home/user/htb-unictf-2020/kindergarten/kindergarten' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments This is good! No stack canary, no position independent code. This must be easy, right? main function undefined8 main(void) { size_t sVar1; setup(); sec(); sVar1 = strlen(&kids_must_follow); write(1,&kids_must_follow,sVar1); read(0,ans,0x60); kinder(); sVar1 = strlen("Have a nice day!...

3 min · Pandoron, t0b1

mirror

You found an ol' dirty mirror inside an abandoned house. This magic mirror reflects your most hidden desires! Use it to reveal the things you want the most in life! Don’t say too much though.. Category: Pwn Solver: t0b1 Writeup We start by using the checksec tool, to check what security measures are enabled on the binary. $ checksec mirror [*] '/home/user/htb-unictf-2020/mirror/mirror' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled We see that no canary is found, which means that we will most likely have to exploit a stack based buffer overflow to overwrite some values on the stack....

7 min · t0b1

moneyHeist

The Royal Mint of Spain has just called, all their money’s gone. It seems to be coming from their new credit card system linked to the blockchain. Can you investigate and replicate the exploit? They just deployed a test contract for you, steal the ether they stored on it! Category: Blockchain Solver: davex, shm0sby Writeup When we opened up the challenge website we received the code of the deployed smart contract and the address of this contract....

3 min · davex, shm0sby

my name is

I’ve been once told that my name is difficult to pronounce and since then I’m using it as a password for everything. Category: Reversing Solver: t0b1 Writeup We get a binary called my_name_is. Running the file command tells us that it is a 32-bit, dynamically linked executable. It also shows that the binary is not stripped, which is useful when decompiling it. $ file my_name_is my_name_is: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux....

3 min · t0b1

Patch of the Ninja

A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy?A brave warrior stands in front of the harshest enemy, a untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy? Category: Reverse Solver: t0b1, lmarschk For this challenge, the gameboy rom was supplied. Walkthrough Download the binary Find out it is a gameboy rom apt install visualboyadvance VisualBoyAdvance Patchofthe_Ninja....

2 min · lmarschk, t0b1

Plug

One of our client have reported that they might have been compromised and they don’t know how this happened, we have dump everything including USB traffic. Can you look at it and find out how our client got the virus in the first place? Category: forensics Solver: mp455 Writeup We can download a zip file. If we unpack it there is the file capture.pcapng . Wireshark This file we can open with Wireshark where we see captured USB traffic....

1 min · mp455

Rigged Lottery

Is everything in life completely random? Are we unable to change our fate? Or maybe we can change the future and even manipulate randomness?! Is luck even a thing? Try your “luck”! Category: Misc Solvers: t0b1, lmarschk Writeup In this challenge we get a binary and can spawn a docker container. Downloading and running the binary yields the following output. 💎 Cosy Casino 💎 Current cosy coins: 69.69 1....

4 min · t0b1, lmarschk

Trace

During the attempt to exploit a secure crypto-processor we identified some embedded logic in it. We were able to recreate the logic diagram and make a block diagram to map its connections to the original circuit. We need to identify its use, which may lead to compromising the chip. Category: Hardware Solver: davex Writeup We first looked up the content of the challenge website is. When you entered the website you could saw a diagram of the system described in the description....

3 min · davex

Weak RSA

A rogue employe managed to steal a file from his work computer, he encrypted the file with RSA before he got apprehended. We only managed to recover the public key, can you help us decrypt this ciphertext? Category: Crypto Solvers: 3mb0, lmarschk, HTTP418, miroka For this challenge, we had a public RSA key with 1026 Bit and a file that was encrypted with the corresponding private key. First approach: manual generate private key We analyzed the given public key with openssl rsa -noout -text -inform PEM -in pubkey....

3 min · 3mb0, lmarschk, HTTP418, miroka

Welcome

Join the HTB x UNI Qualifications discord channel. Category: Welcome Solver: t0bi Walkthrough The challenge description states that we should join the HTB x Uni Qualifications discord channel. From the CTF intro slides we know that we have to message the HackTheBoxBot with ++htbctf uni-ctf-2020 {Un!CTF_0f_HTB_2020_is_l33t}. Doing that will add us to the Uni CTF support channels. There we find the uni-ctf-rules channel. Carefully reading the rules reveals the flag in the following rule....

1 min · t0b1