Hackfest 2022 - Beginner CTF - Writeup
This year’s Hackfest, nicknamed “Ressurection”, was the 14th edition of the conference. It was a great opportunity (for me at least) to reconnect with old colleagues I had not seen since 2020 and to meet new people.
This post is a partial writeup of the challenges I’ve had the time to solve as part of the Beginner CTF.
Due to time and logistical constraints, I opted to participate only in the Beginner CTF. It was available over the conference wifi network and did not require much preparation. Overall, it was a good refresher. The challenges that I’ve looked at were well made, kudos to the authors.
Here is how the organizers describe this CTF:
Beginner: A good place to start! Take on dozens of challenges created specifically for learning. Are you stuck on a challenge? Contact the creator of the challenge for an explanation and he will be happy to guide you!
AWS Track
This track was interesting because it explores some of the AWS CLI areas that I have personally never used.
Warning: The AWS access keys and tokens have been replaced with placeholders.
01 - AWS whoami (5 pts)
Challenge description:
In AWS, a user needs to generate an access key and a secret key to interact with the AWS API. Can you find out to whom this set of credentials belongs?
- Access key: ${AWS_ACCESS_KEY_1}
- Secret key: ${AWS_SECRET_ACCESS_1}
Note: The us-east-1 AWS region is to be used for all challenges in this category.
How to solve:
$ export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_1}"
$ export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_1}"
$ export AWS_DEFAULT_REGION="us-east-1"
$ aws sts get-caller-identity
{
"UserId": "AIDASECYGINVY654B7UBL",
"Account": "012345678901",
"Arn": "arn:aws:iam::012345678901:user/${HF_FLAG_1}"
}
The flag is in the ARN: ${HF_FLAG_1}
02 - AWS cat mysecrets.txt (6 pts)
Challenge description:
In AWS, Secrets Manager can act as a sort of password manager for your applications, and access to those secrets can be logged and restricted. Using the credentials given in the AWS whoami challenge, can you recover the flag stored in the following Secrets Manager secret?
hf-aws-beginner-challenge2-secret
How to solve:
$ # The environment variables set for the whoami challenge are still set
$ aws secretsmanager get-secret-value --secret-id hf-aws-beginner-challenge2-secret
{
"ARN": "arn:aws:secretsmanager:us-east-1:012345678901:secret:hf-aws-beginner-challenge2-secret-1ZcN0L",
"Name": "hf-aws-beginner-challenge2-secret",
"VersionId": "88694825-9080-49ad-a01f-c22cc08f79ab",
"SecretString": "${HF_FLAG_2}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": 1666218640.248
}
The flag is in the secret string: ${HF_FLAG_2}
03 - AWS ls and cp (7 pts)
Challenge description:
AWS S3 (Simple Storage Service) can be used to store files in a bucket like in a regular file system’s folder. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following bucket?
hf-aws-beginner-challenge3-bucket-012345678901
How to solve:
$ # The environment variables set for the whoami challenge are still set
$ aws s3 ls s3://hf-aws-beginner-challenge3-bucket-012345678901
2022-10-19 18:32:13 36 flag.txt
$ aws s3 cp s3://hf-aws-beginner-challenge3-bucket-012345678901/flag.txt .
download: s3://hf-aws-beginner-challenge3-bucket-012345678901/flag.txt to ./flag.txt
$ cat flag.txt
${HF_FLAG_3}
The flag was in the flag.txt file: ${HF_FLAG_3}
04 - AWS mongodump (8 pts)
Challenge description:
AWS DynamoDB provides a fast key/value store similar to a MongoDB collection. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following table?
hf-aws-beginner-challenge4-table
How to solve:
$ # The environment variables set for the whoami challenge are still set
$ aws dynamodb scan --table-name hf-aws-beginner-challenge4-table
{
"Items": [
{
"flag": {
"S": "${HF_FLAG_4}"
}
}
],
"Count": 1,
"ScannedCount": 1,
"ConsumedCapacity": null
}
The flag was returned in the flag object: ${HF_FLAG_4}
05 - AWS sudo (9 pts)
Challenge description:
In AWS, you can assume different roles to interact with the AWS API as another resource. For example, you could assume the role of a Lambda function you created to troubleshoot its permissions. Using the credentials given in the AWS whoami challenge, can you assume the role
arn:aws:iam::012345678901:role/hf-aws-beginner-challenge5-role
and run the following command?
aws ssm get-parameter --name hf-aws-beginner-challenge5-parameter
How to solve:
$ # The environment variables set for the whoami challenge are still set
$ aws sts assume-role \
--role-arn "arn:aws:iam::012345678901:role/hf-aws-beginner-challenge5-role" \
--role-session-name AWSCLI-Session
{
"Credentials": {
"AccessKeyId": "${AWS_ACCESS_KEY_2}",
"SecretAccessKey": "${AWS_SECRET_ACCESS_2}",
"SessionToken": "${AWS_STS_TOKEN_1}",
"Expiration": "2022-10-29T19:29:26Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROASECYGINV2VM2REZ34:AWSCLI-Session",
"Arn": "arn:aws:sts::012345678901:assumed-role/hf-aws-beginner-challenge5-role/AWSCLI-Session"
}
}
$ AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_2}" \
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_2}" \
AWS_SESSION_TOKEN="${AWS_STS_TOKEN_1}" \
aws ssm get-parameter --name hf-aws-beginner-challenge5-parameter
{
"Parameter": {
"Name": "hf-aws-beginner-challenge5-parameter",
"Type": "String",
"Value": "${HF_FLAG_5}",
"Version": 1,
"LastModifiedDate": 1666218640.537,
"ARN": "arn:aws:ssm:us-east-1:012345678901:parameter/hf-aws-beginner-challenge5-parameter",
"DataType": "text"
}
}
The flag was in the Value of the returned Parameter object: ${HF_FLAG_5}
06 - AWS curl (10 pts)
Challenge description:
In AWS, the access to some publicly accessible resources (such as an S3 Bucket or an API Gateway) can be restricted using a signature mechanism. This signature can be generated using a set of AWS credentials and a library such as Python’s AWSRequestsAuth. Some tools, such as Postman, even integrate this signature mechanism in their supported authentication methods. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following URL?
https://1f1xwaoef4.execute-api.us-east-1.amazonaws.com/api/
This challenge took me a while to figure out since I never had the opportunity to play with signed requests. I had to search on the Internet to find something that would suit.
How to solve:
- Make a virtualenv and install the aws-requests-auth package:
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install aws-requests-auth
- Create a small python script (solve_challenge_06.py) with the following content. The original draft imported boto3, which is not installed in this virtualenv and is not needed; os is needed for the environment lookups:
import os
from urllib.parse import urlparse

import requests
from aws_requests_auth.aws_auth import AWSRequestsAuth

# The API Gateway URL to query is passed through the environment
url = os.getenv('HF_CHANGE_URL'.replace('CHANGE', 'CHALLENGE'))
# API Gateway endpoints are signed for the execute-api service
aws_service = 'execute-api'
# The credentials and region come from the variables exported for the whoami challenge
auth = AWSRequestsAuth(
    aws_access_key=os.getenv('AWS_ACCESS_KEY_ID'),
    aws_secret_access_key=os.getenv('AWS_SECRET_ACCESS_KEY'),
    aws_region=os.getenv('AWS_DEFAULT_REGION'),
    aws_host=urlparse(url).netloc,
    aws_service=aws_service)
response = requests.get(url, auth=auth)
response.raise_for_status()
print(response.text)
- Run the script:
$ # The environment variables set for the whoami challenge are still set
$ HF_CHALLENGE_URL="https://1f1xwaoef4.execute-api.us-east-1.amazonaws.com/api/" python3 solve_challenge_06.py
{"flag":"${HF_FLAG_6}"}
The flag was found in the response data: ${HF_FLAG_6}
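To show what AWSRequestsAuth does under the hood, here is an added example (my own code, not the writeup's script and not the library's implementation) that builds Signature Version 4 headers for a GET request with only the Python standard library: derive the scoped signing key, canonicalize the request, and sign. The host, access key, secret and timestamp in demo() are constructed sample values, and x-amz-security-token is added only when temporary credentials such as those from the "AWS sudo" and "AWS login" challenges are used.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date_stamp, region, service):
    """Derive the per-day/region/service key from the long-term secret.
    Only this derived key signs requests; the secret itself is never sent,
    which is what makes SigV4 safer than a bearer token on the wire."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(query):
    """Sort query parameters by name then value and URI-encode each part."""
    pairs = sorted(parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in pairs)


def sigv4_sign(url, access_key, secret_key, region, service, when,
               method="GET", payload=b"", session_token=None):
    """Build the SigV4 Authorization header for one HTTP request.
    The canonical request and string to sign are returned too, so a
    signature mismatch reported by the server can be debugged field by field."""
    parsed = urlparse(url)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()

    # Every header listed here is covered by the signature; host and the
    # request timestamp are the mandatory minimum for execute-api.
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials (STS, Cognito) must also sign their token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n"
                                for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(parsed.path or "/", safe="/-_.~"),
        canonical_query(parsed.query),
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    send = {k: v for k, v in headers.items() if k != "host"}  # host is implicit
    send["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, "
                             f"Signature={signature}")
    return {"canonical_request": canonical_request,
            "string_to_sign": string_to_sign, "headers": send}


def demo(session_token=None):
    """Sign a GET against a constructed API Gateway URL with constructed keys
    (hypothetical values, not the challenge's credentials)."""
    return sigv4_sign("https://example.execute-api.us-east-1.amazonaws.com/api/",
                      "AKIDEXAMPLE", "EXAMPLESECRETKEY", "us-east-1",
                      "execute-api", dt.datetime(2022, 10, 30, 12, 0, 0),
                      session_token=session_token)


if __name__ == "__main__":
    for name, value in demo()["headers"].items():
        print(f"{name}: {value}")
```

A signed request only stays valid for a short window around x-amz-date, so a replayed capture is rejected by API Gateway once the clock skew limit is exceeded.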
References:
- https://1f1xwaoef4.execute-api.us-east-1.amazonaws.com/api/
- https://devpress.csdn.net/python/630461cec67703293080c231.html
- https://stackoverflow.com/questions/63322894/using-aws-boto3-invoke-api-gateway-from-ec2-instance
07 - AWS python3 my_script.py (6 pts)
Challenge description:
AWS Lambda allows you to run code without the need to set up any server. It supports various programming languages, such as Node.js, Python, Ruby, Java, Go and .NET Core. Can you execute the following Lambda function?
hf-aws-beginner-challenge7-lambda
How to solve:
$ # The environment variables set for the whoami challenge are still set
$ aws lambda invoke --function-name hf-aws-beginner-challenge7-lambda lambda_exec.log
{
"StatusCode": 200,
"ExecutedVersion": "$LATEST"
}
$ cat lambda_exec.log
"${HF_FLAG_7}"
The flag was in the lambda function execution logs: ${HF_FLAG_7}
08 - AWS docker pull (8 pts)
Challenge description:
AWS ECR (Elastic Container Registry) acts as an AWS managed docker repository to host your container images. Can you pull and run the docker image from the following private ECR repository?
012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository
How to solve:
- Use the get-login-password ECR command to configure the docker daemon login:
$ # The environment variables set for the whoami challenge are still set
$ aws ecr get-login-password | docker login --username AWS --password-stdin 012345678901.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/dtvezina/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
- Pull the container image from the registry:
$ docker pull 012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository
Using default tag: latest
latest: Pulling from hf-aws-beginner-challenge8-repository
213ec9aee27d: Pull complete
Digest: sha256:27f39eb1cc2372af477820713ea7604fb0b8a106bcc9f97c5c9c2031c00c137e
Status: Downloaded newer image for 012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository:latest
012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository:latest
- Check the container images available:
$ docker image ls
REPOSITORY                                                                           TAG      IMAGE ID       CREATED      SIZE
012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository   latest   8ebc85c05ed2   9 days ago   5.54MB
- Run the container image (we are trusting the challenge designers here - obviously do not run untrusted images in the real world):
$ docker run 8ebc85c05ed2
${HF_FLAG_8}
The flag was printed in the container’s standard output: ${HF_FLAG_8}
References:
- https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html
09 - AWS cat /var/log/* (7 pts)
Challenge description:
AWS CloudWatch Logs allows you to centralize logs from pretty much everything, including AWS services, application logs or AWS API interactions. Log groups contain log streams, which in turn contain log events. Can you retrieve the events from the following log group?
hf-aws-beginner-challenge9-log-group
How to solve:
- Check which log streams are available in the log group hf-aws-beginner-challenge9-log-group:
$ # The environment variables set for the whoami challenge are still set
$ aws logs describe-log-streams --log-group-name hf-aws-beginner-challenge9-log-group
{
    "logStreams": [
        {
            "logStreamName": "some-log-stream",
            "creationTime": 1666218648086,
            "firstEventTimestamp": 1666218452782,
            "lastEventTimestamp": 1666218452782,
            "lastIngestionTime": 1666218745806,
            "uploadSequenceToken": "49617124642278214119312939883891311975180274722603532770",
            "arn": "arn:aws:logs:us-east-1:012345678901:log-group:hf-aws-beginner-challenge9-log-group:log-stream:some-log-stream",
            "storedBytes": 0
        }
    ]
}
- Get the content of the log stream named some-log-stream:
$ aws logs get-log-events --log-group-name hf-aws-beginner-challenge9-log-group --log-stream-name some-log-stream
{
    "events": [
        {
            "timestamp": 1666218452782,
            "message": "${HF_FLAG_9}",
            "ingestionTime": 1666218745806
        }
    ],
    "nextForwardToken": "f/37157913160581310312750303562572275654679098760710848512/s",
    "nextBackwardToken": "b/37157913160581310312750303562572275654679098760710848512/s"
}
The flag was in the event message: ${HF_FLAG_9}
References:
- https://docs.aws.amazon.com/cli/latest/reference/logs/describe-log-streams.html
- https://docs.aws.amazon.com/cli/latest/reference/logs/get-log-events.html
10 - AWS login (10 pts)
Challenge description:
Cognito Identity Pools can provide temporary AWS credentials for users based on tokens from several identity providers, such as Cognito, Amazon, Apple, Facebook, Google, Twitter, OpenID, SAML and more. This can allow for complex application flows, such as granting authenticated users of a Web application direct access to files in an S3 bucket. This can also be configured for guest (unauthenticated) users. Can you get guest temporary credentials for the following identity pool (use the same command as the AWS whoami challenge with the credentials you will find to get the flag)?
us-east-1:1d9c2acf-1d03-4f5e-b8a7-559f4d4c0eff
This challenge was also interesting. I had not played with Cognito so this was a learning experience for me.
How to solve:
- Get an identity ID from the identity pool:
$ # The environment variables set for the whoami challenge are still set
$ aws cognito-identity get-id --identity-pool-id us-east-1:1d9c2acf-1d03-4f5e-b8a7-559f4d4c0eff
{
    "IdentityId": "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012"
}
- Get the credentials for the identity ID:
$ aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012"
{
    "IdentityId": "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012",
    "Credentials": {
        "AccessKeyId": "${AWS_ACCESS_KEY_3}",
        "SecretKey": "${AWS_SECRET_ACCESS_3}",
        "SessionToken": "${AWS_STS_TOKEN_2}",
        "Expiration": 1667080099.0
    }
}
- Let’s use STS to check the identity (similar to the whoami challenge):
$ AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_3}" \
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_3}" \
AWS_SESSION_TOKEN="${AWS_STS_TOKEN_2}" \
aws sts get-caller-identity
{
    "UserId": "AROASECYGINV7KCTU6W4N:CognitoIdentityCredentials",
    "Account": "012345678901",
    "Arn": "arn:aws:sts::012345678901:assumed-role/${HF_FLAG_10}/CognitoIdentityCredentials"
}
The flag was in the ARN: ${HF_FLAG_10}
Cipher Track
This track covers some of the commonly used encoding techniques used in CTFs.
Base64 (2 pts)
Challenge description:
If you see a string that seems encoded, contains only numbers, letters, / and = and might finish with either one or two = (but not all the time), you should try this decoding method. It is also used by pentesters to transfer files over the network and to make sure we are not missing any parts. Here is the string: SEYtMGEzMGI3MzBiNDRjNzhmMGMyZDdkMDRiNzQxNWVjOWY=
Base64 is commonly used not just in CTF but in many protocols as a form of encoding.
How to solve:
$ printf 'SEYtMGEzMGI3MzBiNDRjNzhmMGMyZDdkMDRiNzQxNWVjOWY=' | base64 -d; echo ""
${HF_FLAG_11}
The flag is: ${HF_FLAG_11}
Julius (3 pts)
Challenge description:
One of the first ciphers used in history.
Challenge:
XV-6v597s1ttqr467v7rv5498qqt1r41899
Julius refers to the Caesar cipher, which is a substitution cipher commonly used in CTF events.
How to solve:
- The easy way is to play around with the ROT13 amount in CyberChef
- When the output starts with HF-, you have the flag (in this case the amount is 10)
The flag is: ${HF_FLAG_12}
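The same search done in code, as an added example that is not part of the writeup: rotate the ciphertext by every possible amount and stop at the first candidate carrying the known HF- prefix, which is exactly the check the steps above do by eye in CyberChef. Digits and punctuation are left alone, as CyberChef's ROT13 does by default, and the sample ciphertext is constructed from a made-up flag rather than the challenge string.

```python
import string

ALPHA_LOWER = string.ascii_lowercase
ALPHA_UPPER = string.ascii_uppercase


def rotate(text: str, shift: int) -> str:
    """Rotate letters forward by `shift` positions, preserving case.
    Non-letters (digits, '-') pass through unchanged, so a flag's hex body
    keeps its digits while its letters move."""
    out = []
    for ch in text:
        if ch in ALPHA_LOWER:
            out.append(ALPHA_LOWER[(ALPHA_LOWER.index(ch) + shift) % 26])
        elif ch in ALPHA_UPPER:
            out.append(ALPHA_UPPER[(ALPHA_UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_candidates(ciphertext: str):
    """Every one of the 26 rotations, for eyeballing when no prefix is known."""
    return [(shift, rotate(ciphertext, shift)) for shift in range(26)]


def crack_with_prefix(ciphertext: str, prefix: str = "HF-"):
    """Return (shift, plaintext) of the first rotation that starts with the
    known flag prefix, or None when no rotation matches (not a Caesar cipher,
    or the prefix is wrong)."""
    for shift, candidate in all_candidates(ciphertext):
        if candidate.startswith(prefix):
            return shift, candidate
    return None


if __name__ == "__main__":
    # Constructed sample: "HF-deadbeef" rotated forward by 16, so rotating
    # forward by another 10 brings it back (16 + 10 = 26).
    sample = rotate("HF-deadbeef", 16)
    print(sample)                       # XV-tuqtruuv
    print(crack_with_prefix(sample))    # (10, 'HF-deadbeef')
```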
Linux Track
The Linux track is a relatively classic CTF sysadmin type of track.
SSH Key (2 pts)
Challenge description:
You are given an SSH key to the kingdom, do you know how to use it?
If you do, use it at beginner-linux.hfctf.ca with the user cerealkiller.
Note: you are rarely given an SSH key during real world penetration tests. However, it’s really good to learn to use it for security.
File:
id_ed25519
How to solve:
$ chmod 600 id_ed25519
$ ssh-insecure -i id_ed25519 [email protected]
$ ls .
65 Allo Allo.txt Baron Phil PhiletPO SHAWIGANG flag.txt flag.txt.save holla nancy nmap nmap.old nmap.sh test.lua test.nse
$ cat flag.txt
${HF_FLAG_13}
The flag was in the flag.txt file: ${HF_FLAG_13}
Hidden File (3 pts)
Challenge description:
Get a shell as the user cerealkiller with the previous SSH key and look for a hidden file.
Requirement: You need to have done the SSH Challenge first
How to solve:
$ ls -hla
total 5.8M
drwxr-xr-x 11 cerealkiller cerealkiller 4.0K Oct 30 11:50 .
drwxr-xr-x 10 root root 4.0K Nov 11 2021 ..
-rw------- 1 cerealkiller cerealkiller 242 Nov 20 2021 .Xauthority
-rw-r--r-- 1 root root 0 Jun 14 2019 .bash_history
-rw-r--r-- 1 cerealkiller cerealkiller 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 cerealkiller cerealkiller 3.7K Jun 21 2020 .bashrc
drwx------ 3 cerealkiller cerealkiller 4.0K Nov 19 2021 .cache
drwx------ 4 cerealkiller cerealkiller 4.0K Nov 20 2020 .config
drwx------ 4 cerealkiller cerealkiller 4.0K Nov 20 2020 .gnupg
drwxr-xr-x 2 root root 4.0K Oct 23 16:34 .hidden
-rw------- 1 cerealkiller cerealkiller 269 Oct 30 05:17 .lesshst
drwxrwxr-x 3 cerealkiller cerealkiller 4.0K Nov 20 2021 .local
-rw-r--r-- 1 cerealkiller cerealkiller 807 Apr 4 2018 .profile
-rw------- 1 cerealkiller cerealkiller 20 Oct 29 23:48 .python_history
drwx------ 2 cerealkiller cerealkiller 4.0K Oct 30 02:13 .ssh
-rw------- 1 cerealkiller cerealkiller 12K Jun 20 2020 .swp
drwxr-xr-x 2 cerealkiller cerealkiller 4.0K Oct 30 04:31 .vim
-rw------- 1 cerealkiller cerealkiller 11K Oct 30 11:50 .viminfo
-rw-rw-r-- 1 cerealkiller cerealkiller 0 Oct 30 00:10 65
-rw-rw-r-- 1 cerealkiller cerealkiller 0 Oct 30 01:36 Allo
-rw-rw-r-- 1 cerealkiller cerealkiller 119 Oct 30 04:55 Allo.txt
drwxrwxr-x 3 cerealkiller cerealkiller 4.0K Oct 30 04:17 Baron
-rw-rw-r-- 1 cerealkiller cerealkiller 0 Oct 30 01:36 Phil
-rw-rw-r-- 1 cerealkiller cerealkiller 0 Oct 30 01:36 PhiletPO
-rw-rw-r-- 1 cerealkiller cerealkiller 0 Oct 30 01:45 SHAWIGANG
----r----- 1 root cerealkiller 36 Oct 23 16:29 flag.txt
----r----- 1 cerealkiller cerealkiller 71 Oct 30 01:16 flag.txt.save
-rwxr-xr-x 1 cerealkiller cerealkiller 2.9M Oct 29 18:51 holla
drwxrwxr-x 2 cerealkiller cerealkiller 4.0K Oct 30 11:50 nancy
-rw-rw-r-- 1 cerealkiller cerealkiller 24 Oct 29 18:50 nmap
-rwxr-xr-x 1 cerealkiller cerealkiller 2.9M Oct 29 23:36 nmap.old
-rwxrwxrwx 1 cerealkiller cerealkiller 38 Oct 30 01:51 nmap.sh
-rw-rw-r-- 1 cerealkiller cerealkiller 19 Oct 29 22:23 test.lua
-rwxrwxr-x 1 cerealkiller cerealkiller 22 Oct 30 01:15 test.nse
$ ls .hidden
flag.txt
$ cat .hidden/flag.txt
${HF_FLAG_14}
The flag was in the .hidden/flag.txt file: ${HF_FLAG_14}
Sudo (4 pts)
Challenge description:
The user cerealkiller has some sudo privileges. Learn to use sudo to be able to read the flag in the user “phantom” home directory.
Requirement: You need to have done the SSH Challenge first
Recommendation: Read on sudo
How to solve:
$ sudo -l
Matching Defaults entries for cerealkiller on ip-172-31-16-57:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User cerealkiller may run the following commands on ip-172-31-16-57:
(phantom) NOPASSWD: ALL
(vimuser) NOPASSWD: /usr/bin/vim
(nmapuser) NOPASSWD: /usr/bin/nmap
(pathuser) NOPASSWD: /home/pathuser/pathuser.sh
$ sudo -u phantom ls -hla /home/phantom/
total 32K
drwxr-xr-x 2 phantom phantom 4.0K Oct 30 05:04 .
drwxr-xr-x 10 root root 4.0K Nov 11 2021 ..
-rw------- 1 phantom phantom 17 Nov 19 2021 .bash_history
-rw-r--r-- 1 phantom phantom 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 phantom phantom 3.7K Apr 4 2018 .bashrc
-rw-r--r-- 1 phantom phantom 807 Apr 4 2018 .profile
-rw------- 1 phantom phantom 703 Nov 20 2021 .viminfo
-r-------- 1 phantom root 36 Oct 23 16:32 flag.txt
$ sudo -u phantom cat /home/phantom/flag.txt
${HF_FLAG_15}
The flag was in the /home/phantom/flag.txt file: ${HF_FLAG_15}
VIM (5 pts)
Challenge description:
Vim is a popular text editor for Linux, but there are a lot more that you can do with it rather than just editing text. Can you find out what?
You are allowed to run vim as another user, learn what you can do with that.
How to solve:
$ sudo -u vimuser vim
# from inside vim, run a shell command (the leading colon enters command-line mode)
:! ls -hla /home/vimuser
total 72K
drwxr-xr-x 2 vimuser vimuser 4.0K Oct 30 07:40 .
drwxr-xr-x 10 root root 4.0K Nov 11 2021 ..
-rw-r--r-- 1 vimuser vimuser 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 vimuser vimuser 3.7K Apr 4 2018 .bashrc
-rw------- 1 vimuser vimuser 12K Oct 30 02:04 .flag.txt.swn
-rw------- 1 vimuser vimuser 12K Oct 30 07:33 .flag.txt.swo
-rw------- 1 vimuser vimuser 12K Oct 29 22:58 .flag.txt.swp
-rw-r--r-- 1 vimuser vimuser 807 Apr 4 2018 .profile
-rw------- 1 vimuser vimuser 12K Oct 30 07:27 .swp
-r-------- 1 vimuser root 36 Oct 23 16:36 flag.txt
:view /home/vimuser/flag.txt
${HF_FLAG_16}
The flag was in the /home/vimuser/flag.txt file: ${HF_FLAG_16}
Nmap (7 pts)
Challenge description:
On the box, you are allowed to use nmap as another user. What can you do with these new privileges? Are you able to read the secret files from the user’s home directory?
Note: use the SSH key from the first Linux challenge to log into the box.
How to solve:
$ ls -hla /home/nmapuser
total 24K
drwxr-xr-x 2 nmapuser nmapuser 4.0K Oct 23 16:38 .
drwxr-xr-x 10 root root 4.0K Nov 11 2021 ..
-rw-r--r-- 1 nmapuser nmapuser 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 nmapuser nmapuser 3.7K Apr 4 2018 .bashrc
-rw-r--r-- 1 nmapuser nmapuser 807 Apr 4 2018 .profile
-r-------- 1 nmapuser root 36 Oct 23 16:38 flag.txt
$ echo 'local f=io.open("/home/nmapuser/flag.txt", "rb"); print(f:read("*a")); io.close(f);' > /tmp/read_file
$ sudo -u nmapuser nmap --script /tmp/read_file
Starting Nmap 7.60 ( https://nmap.org ) at 2022-10-30 15:25 UTC
NSE: Warning: Loading '/tmp/read_file' -- the recommended file extension is '.nse'.
${HF_FLAG_17}
The flag was in the /home/nmapuser/flag.txt file: ${HF_FLAG_17}
Web Track
The web track had a few interesting challenges.
Crawler (3 pts)
Challenge description:
What page does a crawler check to see where it can and cannot go? It is used to instruct bots like Google which pages they can or cannot show on their search engine; it is however a good source of information to find hidden pages without bruteforcing. Use the server http://beginner-web.hfctf.ca. The answer is a full flag, not just the file name.
How to solve:
$ curl http://beginner-web.hfctf.ca/robots.txt
${HF_FLAG_18}
The flag was in the response: ${HF_FLAG_18}
Find an alternate index. (6 pts)
Challenge description:
Are you able to find a hidden website under the http://beginner-web.hfctf.ca/?
It is important to check the other files under a website that you want to pentest.
Recommended tools: nikto, dirb
How to solve:
- Using the wordlists from the Kali container image (in /usr/share/dirb/wordlists/), let’s run gobuster on the web site:
$ gobuster dir -u http://beginner-web.hfctf.ca/ -w common.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://beginner-web.hfctf.ca/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/10/30 11:39:19 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 286]
/.htaccess            (Status: 403) [Size: 286]
/.git/HEAD            (Status: 200) [Size: 21]
/.htpasswd            (Status: 403) [Size: 286]
/admin                (Status: 301) [Size: 330] [--> http://beginner-web.hfctf.ca/admin/]
/assets               (Status: 301) [Size: 331] [--> http://beginner-web.hfctf.ca/assets/]
/index.htm            (Status: 200) [Size: 36]
/index.html           (Status: 200) [Size: 93]
/LICENSE              (Status: 200) [Size: 6555]
/pages                (Status: 301) [Size: 330] [--> http://beginner-web.hfctf.ca/pages/]
/robots.txt           (Status: 200) [Size: 36]
/server-status        (Status: 403) [Size: 286]
Progress: 4603 / 4615 (99.74%)
===============================================================
2022/10/30 11:39:35 Finished
===============================================================
- Make a request on the index.htm page:
$ curl http://beginner-web.hfctf.ca/index.htm
${HF_FLAG_19}
The flag was in the response: ${HF_FLAG_19}
Port Scan (3 pts)
Challenge description:
By default, nmap will only scan the top 1000 ports. Can you learn how to fix this? If you find a weird port, you can poke it with nc (netcat).
The wanted port is within the 13XXX.
Address: beginner-web.hfctf.ca
Recommended Tools: nmap, nc (netcat)
How to solve:
- Start by scanning the port range to find the mysterious port:
$ nmap -p 13000-13999 beginner-web.hfctf.ca
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-30 11:46 EDT
Nmap scan report for beginner-web.hfctf.ca (18.234.148.248)
Host is up (0.031s latency).
rDNS record for 18.234.148.248: ec2-18-234-148-248.compute-1.amazonaws.com
Not shown: 999 filtered tcp ports (no-response)
PORT      STATE SERVICE
13337/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
- Attempt to query the page with our favourite HTTP client:
$ curl http://beginner-web.hfctf.ca:13337
curl: (1) Received HTTP/0.9 when not allowed
- This is interesting - let’s try again but this time using HTTP 0.9:
$ curl --http0.9 http://beginner-web.hfctf.ca:13337/
${HF_FLAG_20}
The flag was in the response: ${HF_FLAG_20}
List Of Challenges
This is the list of all challenges in this Beginner CTF:
├── Beginner - AWS (dax)
│ ├── 01 - AWS whoami (5)
│ ├── 02 - AWS cat mysecrets.txt (6)
│ ├── 03 - AWS ls and cp (7)
│ ├── 04 - AWS mongodump (8)
│ ├── 05 - AWS sudo (9)
│ ├── 06 - AWS curl (10)
│ ├── 07 - AWS python3 my_script.py (6)
│ ├── 08 - AWS docker pull (8)
│ ├── 09 - AWS cat /var/log/* (7)
│ └── 10 - AWS login (10)
├── Beginner - Cipher (dax)
│ ├── 1 - Write your own decryption algorithm. (8)
│ └── 2 - Homemade bruteforce (10)
├── Beginner - Cipher (Viper)
│ ├── Base64 (2)
│ └── Julius (3)
├── Beginner - Hash (Viper)
│ ├── LM (5)
│ ├── MD5 (5)
│ ├── NTLM (5)
│ └── SHA1 (6)
├── Beginner - Linux (Viper)
│ ├── Hidden File (3)
│ ├── Nmap (7)
│ ├── SSH Key (2)
│ ├── Sudo (4)
│ └── VIM (5)
├── Beginner - Reverse Engineering (dax)
│ ├── 1 - Bypassing the Password is One Way to do it. (7)
│ ├── 2 - The Real Password is Actually a Flag. (8)
│ └── A totally legit spreadsheet. (8)
├── Beginner - SQL (dax)
│ ├── 1 - The Most Basic Form of Injection. (3)
│ ├── 2 - Get the root user. (4)
│ ├── 3 - There is Another User... (5)
│ └── 4 - What About a Random ID? (6)
├── Beginner - Steganography (dax)
│ ├── 1 - Encrypted (5)
│ ├── 2 - An Image is Worth a Thousand Words. (5)
│ └── 3 - Things Aren't Always What They Seem. (5)
├── Beginner - Trivia (Viper)
│ ├── Movie (2)
│ ├── Personality (2)
│ └── Ports (2)
├── Beginner - Web (Viper)
│ ├── Crawler (3)
│ ├── Find an alternate index. (6)
│ └── Port Scan (3)
├── Beginner - Windows (Viper and h3xit)
│ ├── 01 - New Employees ( Start Here ) (2)
│ ├── Domain Admin (25)
│ ├── Domo Arigato.. (5)
│ ├── IIS Application Pool Password (15)
│ ├── Private Share (10)
│ ├── Public User Share (10)
│ ├── Some fields are not meant for secrets! (8)
│ ├── Welcome Password (5)
│ └── Workstation Admin (15)
├── Beginner - Windows (Viper)
│ ├── GPP (5)
│ ├── Hashdump10 (5)
│ ├── Hashdump7 (3)
│ └── Mimikatz (5)
└── Beginner - World of Phenix (@PhenixCorp)
├── 1 - Lazy Tiger 🐯 (10)
├── 2 - Concatenation Encoding ⚠️ (15)
├── 4 - Vigenère what ? ☣️ (35)
└── 5 - Simple Phenix Ransomware 🔪 (45)