Hack The Box Cyber Apocalypse 2023 CTF


The Cursed Mission was Hack The Box’s Cyber Apocalypse 2023 Capture The Flag event. Hello world, welcome to Haxez. I’ve just taken part in my first capture-the-flag event. Sure, I’ve done many capture-the-flag labs but this one was an official event. There were 12440 people making up approximately 4000 teams battling it out for prizes including a $13,900 first place purse.

Cyber Apocalypse 2023

Cyber Apocalypse 2023 started on the 18th of March and lasted until the 23rd. Coincidentally, I also had a headache for that period of time although I’m sure the two aren’t related. Congratulations to everyone who took part and to the winners idek. Honestly, I would have thought capturing all the flags was impossible. As shown below, there were a total of 74 flags.

Cyber Apocalypse 2023 Winners

Challenge Categories

The 74 flags were spread across 10 challenge categories (if you count the warmup) including Pwn, Web, Blockchain, Hardware, Reverse Engineering, Machine Learning, Miscellaneous, Forensics and Cryptography. I’m not an expert in any of these areas but I attempted at least one of all of them. Consequently, I learnt some new things and was able to capture more flags than I thought I would.

Cyber Apocalypse 2023 Challenges

Team CTFFTW

To take part in Cyber Apocalypse 2023, you had to be part of a team. Therefore, I created my own team called CTFFTW (capture the flag for the win). A little derivative I know but I like the name. Anyway, I asked a few people if they were interested in doing it but most of them were busy. However, the legendary hacker known as mute98 stepped up to the challenge. Honestly, they were the one person who I had hoped would be interested in doing it. The dude is a wizard. Unsurprisingly, mute98 captured more flags than me and was also doing the more difficult challenges. I struggle with anything involving coding, especially assembly so Pwn and Reversing were out of the question. However, I did ok in some of the other areas.

Cyber Apocalypse 2023 Web Challenges

I managed to solve more Web challenges than I expected. mute98 and I worked together on some but I was also able to solve some independently. The web challenges were a lot of fun but I was definitely struggling towards the end. I find it hilarious how the challenges seem so simple once you have solved them. For example, Didactic Octo Paddles seems so simple in hindsight but I struggled to get access to the admin area for a day or two. Passman was also a lot of fun but I was only able to solve it thanks to one of IppSec’s videos about GraphQL.


Cyber Apocalypse 2023 Blockchain Challenges

This was a big fat no from me. I downloaded the files for the first challenge, installed web3py and was able to connect to the node. Then I spent an evening trying to work out how to send the update but I was fairly tired by this point and my eyes were hurting. I would love to revisit these at a later date and learn more about them but this definitely wasn’t a priority for me. mute98 managed to solve one though so I salute you.

Cyber Apocalypse 2023 Hardware Challenges

The hardware challenges were interesting but I definitely overthought the first one. I spent about half a day playing with the different signal analysers and changing the baud rate. However, the solution was far simpler and emphasised the “think outside the box” mentality. The challenges did get a bit more difficult. Fortunately, I had previously done a tiny amount of signal analysis with Logic 2 during the Advent of Cyber. I was able to work out what was needed and managed to solve another challenge. However, I spent hours on the Secret Code challenge without capturing the flag. I think it needs to use the SMBus analyser with channel 1 as the clock.


Cyber Apocalypse 2023 Reversing Challenges

As mentioned previously, I’m not great at binary exploitation or reverse engineering. I can open a binary with Ghidra and poke around enough to get a basic understanding of what’s going on but that’s about it. Fortunately, mute98 seems to know what they’re doing and was able to capture some flags from this category. Will have to pick their brains one day about a methodology for this category.


Cyber Apocalypse 2023 Machine Learning Challenges

This is another area where I didn’t have a clue. I took a look at the files but decided I should focus on other challenges. mute98 managed to carry us to another flag.

Cyber Apocalypse 2023 Miscellaneous Challenges

The Miscellaneous Challenges were a lot of fun but that Janken challenge was something else. While not great at coding, I was able to solve a number of these challenges. Admittedly, I did get assistance from ChatGPT while putting together Python scripts to solve the challenges. I had no idea what to do on that Janken challenge though. There didn’t seem to be a way to win 100 games in a row with a script so I took a look at the binary. Checksec showed that there were a number of protections in place so I didn’t even attempt to create an exploit for it. I thought it was supposed to be easy. I will have to read a write-up for this when one becomes available.


Cyber Apocalypse 2023 Forensics Challenges

I think I was able to solve one of these but I honestly can’t remember. I remember looking through a PCAP and finding some PHP code. I’m not sure if that was for one of these challenges or a different category. Honestly, a lot of these challenges have blurred together. It looks like mute98 did pretty well though as most of the flags captured here are down to them.


Cyber Apocalypse 2023 Cryptography Challenges

I believe I was able to solve one of these. I think it was the Small StEps challenge but I honestly can’t remember. However, I do remember trying and failing at the Perfect Synchronization challenge for a few hours. Furthermore, I spent ages on quipqiup.com trying various different things and not getting anywhere. This is another area that I would love to improve upon as it’s quite fascinating.


Warmup Challenge

The first flag of the challenge was found on the official Hack The Box Discord channel. I thought this was a great way to kick off the event. Hack The Box seems to be putting a lot of effort into growing its community and the official Discord is a great place to hang out. While not part of Cyber Apocalypse 2023, I recently asked for help regarding a foothold on a hard box. Within a few minutes, someone asked me to message them directly. They pointed me in the right direction without giving me the answer and that led to me getting a foothold.

The Cyber Apocalypse 2023 Discord channel was buzzing with activity the whole time. The mods did a fantastic job of preventing spoilers and ensuring that it wasn’t full of requests for help. Cyber Apocalypse 2023 was a real competition with financial rewards so hints weren’t allowed. However, if you’re struggling with a box or another challenge then Discord is a great place to help steer you in the right direction. You won’t get the answer given to you but if you can explain what you’re trying to do then you will likely get the help you need.

As for the first flag, it was posted in the Discord channel and I’m going to post it below. This isn’t a spoiler so I don’t care. Hack The Box is going to become an important part of internet history and I want to do my part in preserving that with blog posts. So here is the first flag for the Hack The Box Cyber Apocalypse 2023 Capture The Flag event.

HTB{l3t_th3_tr3asur3_hunt1ng_b3g1n!} 

I intend on doing write-ups for all the flags I captured so stay tuned for those.

Hack The Box Cyber Apocalypse 2023 Final Thoughts

I’m exhausted. My eyes and head hurt. My stomach is grumbling from all the caffeinated drinks I’ve consumed. I ache all over from sitting at my computer and staring at my screen for too long. Yes, these are all factors I control and I should know better. I should have taken regular screen breaks and stuck to water. Hindsight is a bitch.

However, do you think I would feel this way if I didn’t absolutely love what I was doing? Would I have stuck it out for so long if I wasn’t compelled to capture one more flag? The joy I received from solving these complex technical problems was like no other. The moment that string popped up on the screen and I got that sense of accomplishment. I’m sure other people get this feeling from different activities like mastering a new song on their chosen instrument or completing Doom on the hardest difficulty. This is mine though.

I feel like the hero at the end of the movie. Exhausted and covered in cuts and bruises but ultimately satisfied. Did we win the competition? No, of course not, I never expected to. I also never expected to get as many flags as we did. Some of the challenges seemed so difficult that I never thought I would solve them but I did.

Closing Remarks

At the start of the competition, I felt overwhelmed seeing all those unsolved flags and not knowing where to start. It reminded me of an exam I recently took. However, question by question I slowly progressed through that exam and finished it. I passed that exam and while I felt I should have scored higher, a pass is a pass. Flag by flag we slowly managed to take a significant chunk out of the gargantuan challenge that was the Hack The Box Cyber Apocalypse 2023 Capture The Flag competition. I’m more than happy with what we accomplished this year and I can’t wait for next year. Thank you Hack The Box for putting on such a fantastic event and thank you mute98 for not abandoning me to my fate. You are a great friend and a great hacker, truly.
