Hackvent 2024: Day 6

[HV24.06] Chimney Windows

Introduction
Santa has seen it. He is done with Linux - it's just too hard. So he installed Windows. Sadly, he also lost his flag while doing so. Help him find it.

Hint: Ctrl+Z and stty raw -echo; fg helps fix the VM console.
Start the service and get the flag.
Flag format: HV24{}

This challenge was written by coderion. His love for Windows has brought us this challenge.

Solution

nc 203.0.113.0 5000
Control+Z
stty raw -echo; fg

It looks like we have connected to a Windows-based machine.

Some commands are available to us, like dir, ls, etc. The help command also reveals some additional commands (notably set and type). However, the Windows machine is quite limited in the commands it supports.

We look around for any interesting files. We execute dir /s /b from the C:\ path to list every file on the C drive:

...
C:\users\santa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\users\santa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp
C:\users\santa\Desktop\notes.txt
C:\windows\command
C:\windows\explorer.exe
C:\windows\Fonts
...

We look at the file at C:\users\santa\Desktop\notes.txt but it contains decoy Rickroll text, so we shamefully move on.

Next, we explore the environment variables to learn more about this system. We see:

...
WINECONFIGDIR=\??\Z:\home\santa\.wine
WINEDATADIR=\??\Z:\opt\wine-stable\share\wine
WINEDEBUG=-all
WINEDLLDIR0=\??\Z:\opt\wine-stable\lib\wine
WINEHOMEDIR=\??\Z:\home\santa
WINELOADER=/opt/wine-stable/bin/wine
WINEUSERLOCALE=en-US
WINEUSERNAME=santa
...

This is quite interesting: we are not on a real Windows host at all but running under Wine, and the Z: drive (which Wine maps to the host's root directory by default) gives us a view of the underlying Linux filesystem, where the flag most likely lives.

We begin by listing all files in Z:\home\santa\:

C:\>dir Z:\home\santa /a /s /b
Z:\home\santa\.bash_history
Z:\home\santa\.bash_logout
Z:\home\santa\.bashrc
Z:\home\santa\.cache
Z:\home\santa\.profile
Z:\home\santa\.cache\fontconfig
Z:\home\santa\.cache\fontconfig\05ff2de7-82f3-4f73-b612-df9fc5c23780-le32d4.cache-7
Z:\home\santa\.cache\fontconfig\579ec3ad-72ae-44df-b4d5-ec627799de5b-le32d4.cache-7
Z:\home\santa\.cache\fontconfig\b3a6c165-a122-4256-bc98-4e9a8d956d26-le32d4.cache-7
Z:\home\santa\.cache\fontconfig\ca2d5af5-e1f4-4139-8c41-b9447efafd9f-le32d4.cache-7
Z:\home\santa\.cache\fontconfig\CACHEDIR.TAG

We look at the .bash_history file to see if it contains any clues, using type to print it out to console:

C:\>type Z:\home\santa\.bash_history
sl
ls
atp install christmas
sudo atp install christmas
sudo apt install christmas
sudo apt update
cd /etc/apt
notepad sources.list
nano sources.list
sudo apt update
sudo apt install christmas
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
get http://christmas-factory.local/flag.png
wget http://christmas-factory.local/flag.png
tar -czvf flag.tar.gz flag.png
rm flag.png
cd /tmp
nano naughty.txt
reboot
curl ascii.live/rick
time to get back to work
unzip flag.tar.gz
WHY CAN'T YOU JUST WORK
strings flag.tar.gz
base64 -d flag.tar.gz
HOW DO I UNPACK THIS AGAIN I WANNA SWITCH TO WINDOWS
sudo apt install wine
wine

This reveals that there is a flag.tar.gz file that likely contains our flag!
We search the entire Z:\ drive for this file:

C:\>dir Z:\flag* /s /a /b
Z:\flag.tar.gz
Z:\usr\share\xfce4\xkb\flags

And quickly we find it is located at: Z:\flag.tar.gz

Now, we could run type Z:\flag.tar.gz, but that dumps the raw bytes straight to the terminal, where control bytes and non-printable characters get mangled by the console, so the archive cannot be recovered that way. We need an encoding that survives the text channel so we can rebuild the file byte-for-byte on our local machine.

Ideally, we would encode the file and then print it to the screen. However, this Windows box lacks the usual helpers for that, such as certutil -encode. What we do discover is that we can create new VBS files with echo and execute them via cscript!

So we write a simple VBS script that reads the file one character at a time and prints each one as a decimal byte value (0-255). Note that OpenTextFile reads in text mode, so Asc(char) only reproduces the original byte as long as every byte round-trips through the ANSI code page; that held for this archive, but for arbitrary binaries on a full Windows install a binary-safe reader (for instance ADODB.Stream with Type = 1) would be the safer choice.

' Create a FileSystemObject
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Specify the file path
filePath = "Z:\flag.tar.gz"

' Open the file for reading
Set objFile = objFSO.OpenTextFile(filePath, 1)

' Loop through each character in the file
Do Until objFile.AtEndOfStream
    ' Read the next character
    char = objFile.Read(1)

    ' Output the byte representation of the character
    WScript.Echo Asc(char)
Loop

' Close the file
objFile.Close

Since we have no text editor available, we create this file using a series of echo commands:

echo Set objFSO = CreateObject("Scripting.FileSystemObject") > byte_output.vbs
echo filePath = "Z:\flag.tar.gz" >> byte_output.vbs
echo Set objFile = objFSO.OpenTextFile(filePath, 1) >> byte_output.vbs
echo Do Until objFile.AtEndOfStream >> byte_output.vbs
echo     char = objFile.Read(1) >> byte_output.vbs
echo     WScript.Echo Asc(char) >> byte_output.vbs
echo Loop >> byte_output.vbs
echo objFile.Close >> byte_output.vbs

Finally, we can execute this script using cscript byte_output.vbs, and our byte output is printed on the screen!

We spawn a new netcat (nc) session, but this time we redirect its output to a local file: nc 203.0.113.0 5000 > capture.bin. Once connected, we recreate byte_output.vbs with the same echo commands and run it. Watching capture.bin in a text editor shows it growing as the script progresses; one WScript.Echo per byte is slow, and the run takes roughly 5 minutes for the ~300 KB archive.

The beginning of our capture.bin file looks like this:

^C=======================
🎅 HV24 VM instancer 🎅
=======================

Please wait while we create your VM...

🎉 Your VM is ready! 🎉
Press enter, if you don't see any prompt.
^C]0;C:\windows\system32\cmd.exe[?25lMicrosoft Windows 10.0.19043

[?25h

[?25lC:\users\santa>[?25h[?25le[?25h[?25lc[?25h[?25lho[?25h[?25lT[?25h

[?25lT[?25h



[?25lC:\users\santa>[?25h[?25lecho Set objFSO = CreateObject("[?25h[?25l
C:\users\santa>echo Set objFSO = CreateObject("Scripting.FileSystemObject") > by

te_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho filePath = "Z:\flag.tar.gz" >> byte_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25l
C:\users\santa>echo Set objFile = objFSO.OpenTextFile(filePath, 1) >> byte_outpu

t.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho Do Until objFile.AtEndOfStream >> byte_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho     char = objFile.Read(1) >> byte_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho     WScript.Echo Asc(char) >> byte_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho Loop >> byte_output.vbs

[?25h

[?25lC:\users\santa>[?25h[?25lecho objFile.Close >> byte_output.vbs[?25h



[?25lC:\users\santa>[?25h[?25lcscript byte_output.vbs[?25h

[?25l31[?25h

[?25l139[?25h

[?25l8[?25h

[?25l0[?25h

[?25l0[?25h

[?25l0[?25h

[?25l0[?25h

[?25l0[?25h

[?25l0[?25h

[?25l3[?25h

After manually stripping away the echoed setup commands at the start of the file and the returning prompt at the end, we are left with rows that look like [?25l31[?25h. The invisible ESC[?25l and ESC[?25h around the number are the DECTCEM sequences that hide and show the cursor, which the console emits around every line it prints; the byte value of interest in this row is 31. A quick sanity check that the channel is faithful: the first three values, 31 139 8, are 0x1f 0x8b 0x08, the gzip magic bytes followed by the deflate method identifier, exactly what the start of a .tar.gz should look like.

The final step here is to parse this file with a script, ignore the prefix control characters and suffix characters used when communicating via nc and write each byte value to a new binary file, effectively replicating the original flag.tar.gz file.

We write a Python script to do just this:

# Hackvent 2024 - Day 6
# Mo Beigi
#
# Process capture.bin and recreate file

import re

# Path to input file and output binary file
input_file = "capture.bin"
output_file = "output.bin"

# The capture is a raw terminal stream, so read it as bytes rather than text:
# a text-mode open can choke on the banner's UTF-8 emoji or on the cmd.exe
# escape sequences depending on the local encoding.
with open(input_file, "rb") as infile:
    capture = infile.read()

# Each byte the VBS script echoed arrives as ESC[?25l<decimal>ESC[?25h
# (the console hides the cursor before printing a line and shows it after).
# Only 1-3 digit runs between those two sequences are taken, so the echoed
# commands and prompts around them never match.
matches = re.findall(rb"\x1b\[\?25l(\d{1,3})\x1b\[\?25h", capture)

with open(output_file, "wb") as outfile:
    for num in matches:
        byte_value = int(num)
        # Asc() should only ever yield 0-255; anything else means the capture
        # is corrupted, so stop rather than silently dropping a byte (a single
        # missing byte would break the gzip stream).
        if not 0 <= byte_value <= 255:
            raise ValueError(f"unexpected value {byte_value} in capture")
        outfile.write(bytes([byte_value]))

print(f"File processed successfully. Wrote {len(matches)} bytes to {output_file}")

Running this script produces an output.bin file, which we rename to flag.tar.gz.
We then extract flag.png from the archive to reveal a PNG image of a Rickroll:

Hackvent 2024 Day 6 Flag PNG image file

Luckily, the flag is embedded as plain text in the image's raw bytes: a hex editor (or a strings search for HV24) reveals it, allowing us to solve today's challenge.
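To tie the exfiltration step and the reconstruction step together, here is an added Python example (my own code, not part of the original writeup) that models the whole channel offline: it builds a constructed tar.gz standing in for flag.tar.gz, encodes it the way the VBS loop plus the Wine console did (one decimal per byte wrapped in cursor hide/show sequences), decodes the capture on raw bytes, and then runs the checks worth doing before trusting the transfer: gzip magic, a full decompression that validates the trailer CRC, and a search of the extracted PNG's bytes for the flag pattern. The fake flag.png layout, the flag string and the banner text are constructed for the example.

```python
# Added example, not from the original writeup: an offline model of the
# decimal-per-line exfil channel plus the integrity checks to run on the result.
import gzip
import io
import re
import tarfile
import zlib
from typing import Optional

CURSOR_HIDE = b"\x1b[?25l"    # DECTCEM hide cursor, emitted by the console before each output line
CURSOR_SHOW = b"\x1b[?25h"    # DECTCEM show cursor, emitted after it
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate): the "31 139 8" at the top of the capture
BYTE_RE = re.compile(rb"\x1b\[\?25l(\d{1,3})\x1b\[\?25h")


def build_sample_archive(flag: bytes) -> bytes:
    """Constructed stand-in for flag.tar.gz: a tar.gz holding a fake flag.png
    whose trailing bytes carry the flag (the real image's layout is an assumption)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + flag
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("flag.png")
        info.size = len(png)
        tar.addfile(info, io.BytesIO(png))
    return buf.getvalue()


def encode_like_cscript(data: bytes) -> bytes:
    """Mirror what the VBS loop produced through the Wine console: one decimal
    per byte, each wrapped in cursor hide/show sequences, CRLF terminated."""
    out = bytearray()
    for b in data:
        out += CURSOR_HIDE + str(b).encode() + CURSOR_SHOW + b"\r\n\r\n"
    return bytes(out)


def decode_capture(capture: bytes) -> bytes:
    """Rebuild the byte stream from a raw nc capture. Works on bytes, so banner
    emoji and escape sequences cannot trip a text decoder; any value outside
    0..255 aborts instead of being dropped silently (a dropped byte would
    corrupt the gzip stream)."""
    out = bytearray()
    for v in BYTE_RE.findall(capture):
        n = int(v)
        if n > 255:
            raise ValueError(f"non-byte value {n} in capture")
        out.append(n)
    return bytes(out)


def verify_gzip(blob: bytes) -> bool:
    """Checks to run before trusting the transfer: gzip magic, then a full
    decompression, which also validates the CRC32 and length in the trailer."""
    if not blob.startswith(GZIP_MAGIC):
        return False
    try:
        gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return False
    return True


def find_flag(archive: bytes) -> Optional[str]:
    """Extract flag.png from the rebuilt archive and search its raw bytes for the flag."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        member = tar.extractfile("flag.png")
        if member is None:
            return None
        m = re.search(rb"HV24\{[^}]*\}", member.read())
    return m.group(0).decode() if m else None


def run_demo() -> Optional[str]:
    """Constructed capture: banner noise, the echoed cscript command, the byte
    lines, then the returning prompt, mimicking the shape of the real capture.bin."""
    archive = build_sample_archive(b"HV24{constructed_sample_flag}")
    capture = (
        "\U0001F385 HV24 VM instancer \U0001F385\r\nPress enter, if you don't see any prompt.\r\n".encode()
        + CURSOR_HIDE + b"cscript byte_output.vbs" + CURSOR_SHOW + b"\r\n"
        + encode_like_cscript(archive)
        + CURSOR_HIDE + b"C:\\users\\santa>" + CURSOR_SHOW
    )
    rebuilt = decode_capture(capture)
    if rebuilt != archive or not verify_gzip(rebuilt):
        return None
    return find_flag(rebuilt)


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the constructed flag. The same decode_capture and verify_gzip functions work on a real capture.bin: if verify_gzip returns False, either bytes were lost on the way (check for a truncated or duplicated run of lines in the capture) or a byte did not survive the text-mode read in the VBS script.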

Flag:

HV24{w41t_1t5_4ll_l1nux???}
