Hackvent 2019: Day 16
Challenge HV19.16 B0rked Calculator
Introduction
Santa has coded a simple project for you, but sadly he removed all the operations. But when you restore them it will print the flag!
Resources
HV19.16-b0rked.zip
Resources: HV19.16-b0rked.zip
Solution
We are presented with an x86 Windows binary file. Upon inspection it looks to be a simple calculator but unfortunately it's borked! It supports the following operations: + - * and /. However, it seems like it either ignores the left or right operand in calculations. In…read more.
Hackvent 2019: Day 15
Challenge HV19.15 Santa’s Workshop
Introduction
The Elves are working very hard. Look at to see how busy they are.
Page snapshot: https://mobeigi.com/blog/uploads/chrome_1ZfClccQZP.png
Solution
NOTE: Unfortunately, the server for this challenge was broken for a long time and caused a lot of pain and suffering. In the end it took 6 hours longer than it needed to.
We land on a nice landing page with a counter which counts upwards.…read more.
Hackvent 2019: Hidden 4
Challenge HV19.H4 Hidden Four
Solution
During the Day 14 challenge HV19.14 Achtung das Flag, our final flag looks quite interesting:
HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}
The hints in the __DATA__ segment point us in the right direction:
Only perl can parse Perl!
Run me in Perl!
So we evaluate the string as Perl code like so:
# Hackvent 2019 - Hidden 4
# Mo Beigi (https://mobeigi.com)

eval 's@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee';
This prints out the content of our hidden flag:…read more.
Hackvent 2019: Day 14
Challenge HV19.14 Achtung das Flag
Introduction
Let's play another little game this year. Once again, I promise it is hardly obfuscated.
Resources
use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=<DATA>);sub M{$M=shift;##
@m=keys %::;(grep{(unpack("%32W*",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###
/_help_me_/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)&0xFFFFFFFF;};
($a1Ivn0ECw49I5I0oE0='07&3-"11*/(')=~y$!-=$`-~$;($Sk61A7pO='K&:P3&44')=~y$!-=$`-~$;m/Mm/g;
($sk6i47pO='K&:R&-&"4&')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]
^($PMMtQJOcHm8eFQfdsdNAS20->()&0xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow->new)->title($r)
;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_->Canvas("-$a"=>640,"-$b"=>480,"-$u"=>$f))->pack;@p=(42,42
);$cqI=$vMnyQdAkfgIIik->createLine(@p,@p,"-$y"=>$c,"-$a"=>3);;;$S9cXJIGB0BWce=0;$_2kY10=0;
$_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'/'.M(191323).M(133418).M(98813).M(121913)
.M(134214).M(101213).'/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',
$::{M(122413)}->($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik->delete($t);$t=$vMnyQdAkfgIIik->#FOO
createText($PMMtQJOcHm8eFQfdsdNAS20->()%600+20,$PMMtQJOcHm8eFQfdsdNAS20->()%440+20,#Perl!!
"-text"=>$d28Vt03MEbdY0->(),"-$y"=>$z);})->();$HACK;$i=$vMnyQdAkfgIIik->repeat(25,sub{$_=(
$_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]>1&&$p[1]>1&&$p[0]<639&&
$p[1]<479)||$i->cancel();00;$q=($vMnyQdAkfgIIik->find($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,
$p[0]+1,$p[1]+1)||[])->[0];$q==$t&&$T->();$vMnyQdAkfgIIik->insert($cqI,'end',\@p);($q==###
$cqI||$S9cXJIGB0BWce>44)&&$i->cancel();});$KE=5;$vgOjwRk4wIo7_->bind("<$Sk61A7pO-n>"=>sub{
$Sk6lA7p0=1;});$vgOjwRk4wIo7_->bind("<$Sk61A7pO-m>"=>sub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%"
->bind("<$sk6i47pO-n>"=>sub{$Sk6lA7p0=0 if$Sk6lA7p0>0;});$vgOjwRk4wIo7_->bind("<$sk6i47pO"
."-m>"=>sub{$Sk6lA7p0=0 if $Sk6lA7p0<0;});$::{M(7998)}->();$M_decrypt=sub{'HACKVENT2019'};
__DATA__
The cake is a lie!
width
height
orange
black
green
cyan
fill
Only perl can parse Perl!
Achtung das Flag! --> Use N and M
background
M'); DROP TABLE flags; --
Run me in Perl!
__DATA__
Solution
We are provided with some Perl code so we decide to run it. We realise we need the Tk module which seems to be some GUI library for Perl. After running the code we are presented with a game which allows us to control the…read more.
Hackvent 2019: Day 13
Challenge HV19.13 TrieMe
Introduction
Switzerland's national security is at risk. As you try to infiltrate a secret spy facility to save the nation you stumble upon an interesting looking login portal. Can you break it and retrieve the critical information?
Resources:
Facility: http://whale.hacking-lab.com:8888/trieme/
HV19.13-NotesBean.java.zip
Solution
We are given a webpage with a form and the Java source to the bean that serves that page. Java source:
package com.jwt.jsf.bean;

import org.apache.commons.collections4.trie.PatriciaTrie;

import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.io.StringWriter;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;

import static org.apache.commons.lang3.StringEscapeUtils.unescapeJava;
import org.apache.commons.io.IOUtils;

@ManagedBean(name="notesBean")
@SessionScoped
public class NotesBean implements Serializable {

    /**
     *
     */
    private PatriciaTrie<Integer> trie = init();
    private static final long serialVersionUID = 1L;
    private static final String securitytoken = "auth_token_4835989";

    public NotesBean() {
        super();
        init();
    }

    public String getTrie() throws IOException {
        if(isAdmin(trie)) {
            InputStream in=getStreamFromResourcesFolder("data/flag.txt");
            StringWriter writer = new StringWriter();
            IOUtils.copy(in, writer, "UTF-8");
            String flag = writer.toString();

            return flag;
        }
        return "INTRUSION WILL BE REPORTED!";
    }

    public void setTrie(String note) {
        trie.put(unescapeJava(note), 0);
    }

    private static PatriciaTrie<Integer> init(){
        PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
        trie.put(securitytoken,0);

        return trie;
    }

    private static boolean isAdmin(PatriciaTrie<Integer> trie){
        return !trie.containsKey(securitytoken);
    }

    private static InputStream getStreamFromResourcesFolder(String filePath) {
        return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
    }

}
Initially, we try a few different approaches to get our flag. We try to exploit the JSF Viewstate assuming that the state is stored client…read more.
Hackvent 2019: Day 12
Challenge HV19.12 back to basic
Introduction
Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!
Resources
HV19.12-BackToBasic.zip
Resources: HV19.12-BackToBasic.zip
Solution
We download the above zip file and find a Windows PE executable called BackToBasic.exe. Upon opening the file we are prompted for some input but our input is always wrong. Initially, we open this file in IDA Pro and inspect it. It's a smallish executable that was originally…read more.
Hackvent 2019: Hidden 3
Challenge HV19.H1 Hidden Three
Not each quote is compl
Solution
During the Day 11 challenge HV19.11 Frolicsome Santa Jokes API, we decide to do some novice penetration testing on the server whale.hacking-lab.com. We attempt many things including a port scan with nmap with default settings:
nmap whale.hacking-lab.com
We find some open ports:
PORT     STATE  SERVICE
17/tcp   open   qotd
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
2222/tcp closed EtherNet/IP-1
4444/tcp closed krb524
5555/tcp closed freeciv
Port 17 seems very interesting as it is an uncommon…read more.
Hackvent 2019: Day 11
Challenge HV19.11 Frolicsome Santa Jokes API
Introduction
The elves created an API where you get random jokes about santa.
Resources
Go and try it here: http://whale.hacking-lab.com:10101
HTML file mirror: FSJA API Description
Solution
We have the spec for the FSJA API that the elves have made. We use Postman to play around with the API to get a feel for how it works. Following the instructions, we are able to register a…read more.
Hackvent 2019: Day 10
Challenge HV19.10 Guess what
Introduction
The flag is right, of course
Resources: HV19.10-guess3.zip
Solution
We are provided with an ELF binary so the first thing we do is run it in a Linux virtual machine. The binary prompts us for some input and then tells us we have failed! Example with input of test:
mo@ubuntu:~/Hackvent$ ./guess3
Your input: test
nooooh. try harder!
We look at the strings in the…read more.
Hackvent 2019: Day 9
Challenge HV19.09 Santas Quick Response 3.0
Introduction
Visiting the following railway station has left lasting memories. Santas brand new gifts distribution system is heavily inspired by it. Here is your personal gift, can you extract the destination path of it?
Solution
We know that the QR code system is inspired by the first image…read more.