HTB Cyber Apocalypse 2024

Forensics/Fake Boost

We are given a .pcapng file so we will open it in Wireshark. The first thing I like to do when opening pcap files is to go to Statistics > Protocol Hiearchy

image

We can see that there are some HTTP packets.

image

Lets filter out those packets

image

When we follow TCP stream 3, we can see the user sent a GET request for a discordnitro.ps1 file. Its content can also be viewed in Wireshark After reading the script, it looks like the extremely long string is being reversed and decoded from base64.

image
Output

Browsing through the decoded powershell script, we find this

When we decode it from base64, we get

Thats neat but we still have to find the other part of the flag. Since we are even given the AES Key, it can be safe to assume that we will need to AES decrypt something.

image

Looking back at the HTTP packets, there is a POST request to /rj1893rj1joijdkajwda which is the same as the URL defined in the powershell script.

This is the encrypted data that we need to decrypt. Next, we will need the encryption key which can be obtained by decoding Y1dwaHJOVGs5d2dXWjkzdDE5amF5cW5sYUR1SWVGS2k= from based64 to get cWphrNTk9wgWZ93t19jayqnlaDuIeFKi

Next, I will use an online AES Decryption tool to decrypt it.

image

This is the output of the decryption.

If we take the email YjNXNHIzXzBmX1QwMF9nMDBkXzJfYjNfN3J1M18wZmYzcjV9 and base64 decode it we will get

Flag : HTB{fr33_N17r0G3n_3xp053d!_b3W4r3_0f_T00_g00d_2_b3_7ru3_0ff3r5}

Forensics/Game Invitation

We are given a Microsoft Word 2007+ document. I will use oletools to analyze the macros.

Output

Looking at the script made my eyes bleed but I copied the script and pasted it into ChatGPT and asked it to reverse engineer it for me.

  1. It reads the current document (itself) into a byte array

  2. Uses a regex to search for string "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa" in the byte array

image

  1. If not found, it exits. Else, it reads data from the index of the string.

  2. It performs xor on the extracted data with JFqcfEGnc() function

  3. It saves the content into mailform.js

  4. It runs the file and passes "vF8rdgMHKBrvCoCp0ulm" as the argument

Extract Data Script

I wrote this python script with the help of ChatGPT to extract the bytes. When we cat mailform.js, we will find javascript code and a blob of random data following the code. I just copy and pasted the javascript code out. Then, I put it into a beautifer

Beautified Code

I will run this code in an online js compiler. But first, replace var lVky = WScript.Arguments; var DASz = lVky(0) with var DASz = "vF8rdgMHKBrvCoCp0ulm" since we already know the argument being passed into it.

Another extremely long code. Luckily my teammate @penguin_cat saw that the flag is already inside the cookie.

image

Base64 decode it and you will get the flag

Flag : HTB{m4ld0cs_4r3_g3tt1ng_Tr1cki13r}

Pwn/Writing on the wall

Decompiled Code

We can see that it reads 7 bytes into a 6 byte buffer so theres a 1 byte overflow. Luckily, we overflow into the password variable. Our attack strategy is to send 7 null bytes and write 1 null byte into the password variable. Strcmp() compares null terminated strings so if the first byte of the password is already a nullbyte, it will compare 0 to 0 which makes it return 0 and print the flag

Solve Script

Flag : HTB{3v3ryth1ng_15_r34d4bl3}

Pwn/Delulu

Decompiled Code

We have a format string vulnerability and we must modify local_48's value to 0x1337beef

image

After passing it some %p format, we can see that the 6th pointer contains 0x7fffffffdd70 and if we look at gdb, the address 0x7fffffffdd70 points to our variable which stores 0x1337babe. So, we just need to craft a format string payload to modify its value to beef

image

the value 0xbeef is 48879 in decimal.

Flag : HTB{m45t3r_0f_d3c3pt10n}

This will be our final payload. The reason 1 is reduced from 48879 is because theres a full stop inside the payload which adds 1 to the total number of characters.

Pwn/Rocket Blaster XXX

Decompiled Code

Looking at the decompiled code, looks like we have a BOF and we need to call fill_ammo() to get the flag. However, we need to set up the registers according to the values defined in fill_ammo() to be able to get the flag.

Conveniently, there are plenty of ROP gadgets for us to build a ROP chain

Solve Script

Flag : HTB{b00m_b00m_r0ck3t_2_th3_m00n}

Pwn/Pet Companion

Decompiled Code

Looking at the code, theres not much going on other than a BOF. Theres no win function so we'd probabably have to spawn a shell.

image

Looking at the functions imported into the binary from libc, theres only read() and write(). So our attack plan will be to call write() and pass it the address of write in the GOT to get a leak. Looking at the ROP gadgets available, we have what we need to be able to do this.

In the first stage of our payload, we need to leak libc

Then on the second stage, we will just execute a ret2system.

Solve Script

Flag : HTB{c0nf1gur3_w3r_d0g}

Pwn/Sound of Silence

Decompiled Code

Looking at the code, its very similar to the previous challenge.

image

The only difference is that only gets() and system() are imported into the binary. Somehow we have to spawn a shell with only gets(). This is possible because when you finish calling gets(), the pointer to the string you input is still in the rdi. So, if you call system() immediately after gets(), the argument passed to system() will be what you input into gets().

With the payload above, just send "/bin/sh" after that and you will spawn a shell.

image

"/bin.sh" not found?

We need to change our payload to "/bin0sh". A wise man once told me that

image
Solve Script

Flag : HTB{n0_n33d_4_l34k5_wh3n_u_h4v3_5y5t3m}

PreviousWargames MY 2024NextFSIIECTF 2024

Last updated