Everything Is Just Dandy!

HackTheBox – Developer

2022 01 15
00:00 – Intro
01:04 – Start of nmap
03:00 – Examining the web page, noticing every URL with admin gets redirected to a django login
05:00 – Creating an account and looking at the page to discover CTF Challenges
06:15 – CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells
11:50 – Submitting a writeup, discovering an old version of Firefox talks to us
14:00 – Checking for Tab Nabbing vulnerability and explaining it
17:30 – Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials
29:30 – Phishing worked, got the admin’s password. Login to Django to see another website (Sentry)
33:00 – Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie
36:10 – Grabbing a django deserialization payload then installing django on python2 to use the payload
40:15 – Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell
46:13 – Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl’s password
52:25 – Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. Copy it back to our box
56:55 – Examing the binary in Ghidra
58:55 – Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are
1:01:22 – Showing that AES-CTR does not have defined block sizes
1:05:00 – Using GDB to help our analysis, showing how to setup break points around what our decompiler shows
1:10:36 – Examining memory to confirm our static analysis was correct
1:11:15 – Grabbing the encrypted blob the program is comparing against to get the password and getting root
1:15:40 – CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string
1:21:20 – CHALLENGE 3: Get Lucky, a small binary that rolls a dice. We exploit it mainly in GDB but after recording, probably could have done LD_PRELOAD, im not sure
1:34:50 – CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding
1:37:10 – CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory
1:44:40 – CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password
1:49:30 – CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key
1:53:29 – CHALLENGE 8: Triple Wamy, another XOR Challenge where we have to just do the XOR’s backwards to get the flag