Category: Challenges

Didactic Octo Paddles was the sith web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. It was also the bane of my existence and my worst enemy. Hello world, welcome to Haxez where today I will be explaining how I eventually hacked Didactic Octo Paddles. All the challenges had a description fitting the theme of the CTF and this one was no different.

You have been hired by the Intergalactic Ministry of Spies to retrieve a powerful relic that is believed to be hidden within the small paddle shop, by the river. You must hack into the paddle shop’s system to obtain information on the relic’s location. Your ultimate challenge is to shut down the parasitic alien vessels and save humanity from certain destruction by retrieving the relic hidden within the Didactic Octo Paddles shop.

Application Adventure

This application broke me for all the wrong reasons. It was a great challenge and I learnt a lot from it but tiny mistakes made me waste so much time. Anyway upon navigating to the application, I was greeted with a purple login page. There was no apparent option to register so I immediately thought it was SQL injection again. It wasn’t

Blasting Didactic Octo Paddles

Using my new favourite web application file and directory discovery tool Ferric Oxide, I was able to discover a few endpoints. As you can see from the screenshot below there were endpoints for registration, administration and authentication. I guess the way in wasn’t via SQL injection after all. With this new knowledge, I headed to the registration section and registered a new user.

Didactic Octo Paddles Store

Upon registering and logging in I was met with a store page. I had a lot of fun wasting my time with this functionality. Initially, I thought I was being clever by changing the number of the item that you add to the cart. I thought I was clever by doing a lot of things. None of them made a difference. The objective of this challenge was to gain access to the admin area at ‘/admin’.

Cookies, Cookies, Cookies

After digging around the application a bit more and identifying the frameworks, I started learning about JWT tokens. I haven’t done much with them before as I don’t test many web applications. I then started playing with the JWT token with JWT_Tool. Unfortunately, I have a lot to learn with this tool and at the time I was tired so decided just to use Burp.

You can see from the screenshot below that I used the Burp extension JSON Web Tokens to set the “alg” to none and the “id” to 1. I then sent the request to the admin endpoint and I was authenticated. It’s a shame that I couldn’t get this to work with JWT_Tool. I could go through and manually change the values but I wanted it to catch the successful authentication through automated testing.

Server Side Template Injection

Hold on, we aren’t finished yet. We have access to the admin portal but no flag. However, the admin portal has a list of active users. I could walk you through the various stages of identifying SSTI such as creating a user with ‘{{ 2 * 404 }}’ in order to get Bob but let’s get on it. First, I went to HackTricks and search for SSTI and found the Node JS Render payloads. Next, I modified their payload to cat the flag.txt file.

{{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat flag.txt').toString()")()}}

Finally, I registered a user with the above payload for their username and a standard string for their password. I then went back to burp and resent the request with the modified JWT token and as you can see below, we got the flag.

HTB{Pr3_C0MP111N6_W17H0U7_P4DD13804rD1N6_5K1115}

Didactic Octo Paddles Review

Looking back, I think this was a fairly simple challenge. However, this challenge absolutely broke me. I was up until the early hours of the morning trying to work this challenge out. This was entirely due to my lack of knowledge of JWT tokens and their quirks. I learnt a lot from it and now I want to master the JWT_Tool and Cookie-Monster tools. I’m starting to like working with parts of the MEAN stack. I’ve mostly only learnt about and tested LAMP-based applications so this is a whole new world for me to explore. Anyway, this is as far as I got with the web challenges. I completed some other challenges but I don’t know if I’m going to write those up.

Orbital was the 5th web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be explaining how I hacked the Orbital web challenge during Cyber Apocalypse. The description for this challenge was as follows.

In order to decipher the alien communication that held the key to their location, she needed access to a decoder with advanced capabilities – a decoder that only The Orbital firm possessed. Can you get your hands on the decoder?

Walking Orbital

The Orbital web application reminded me of the Drobot application. While very pretty, there wasn’t much to it. Upon landing on the application, I was presented with a login page. However, we had no option to register. I ran some tools against the application to discover what type of stack we were looking at. I also attempted to discover content but didn’t find much.

Expect To Inject

With little to work with in terms of an attack surface, I attempted to log in with dummy credentials. I found the post request in Burp and saved the request to a file. I then fed the request to SQLMap which identified it as a MySQL Database Management System. Furthermore, it found three databases. There was a Test database, the Information Schema and the Orbital database. Needless to say, I went through the motions of identifying the tables and then proceeded to dump the contents of the user table. SQLMap successfully cracked the admin password too (ichliebedich).

┌──(kali㉿kali)-[~/HTB/Orbital]
└─$ sudo sqlmap -r request -D orbital -T users --dump

Authenticated Orbital Strike

With the admin username and password, I logged in to the application and was presented with some statistics. I played around with this page for a while as there is an export option at the bottom which lets the user export files. I initially tried to intercept this request and change the name of the file to flag.txt. Unfortunately, that didn’t work so it was time to look at the downloadable files.

Thats Cheating

It turns out my instincts were correct. In order to capture the flag you need to intercept the export request and change the filename. However, the creator of this challenge renamed the flag. Granted, they were kind enough to give us the files so that we could learn what the flag was called but come on! I almost had it without checking. Anyway, the filename was signal_sleuth_firmware and could be accessed by performing a directory traversal via the export function.

HTB{T1m3_b4$3d_$ql1_4r3_fun!!!}

Orbital Review

This was a fun and fairly simple box. It was nice to have multiple stages in order to capture the flag. Most of the challenges until now have been one exploit to get the flag. Whereas we needed to break through the authentication and then perform the directory traversal or local file inclusion. I enjoyed it.

Drobots was the third web challenge from the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to haxez where in this post I will write up how I hacked Drobots. Like all the CTF challenges, Drobots had a description which read as follows.

Pandora’s latest mission as part of her reconnaissance training is to infiltrate the Drobots firm that was suspected of engaging in illegal activities. Can you help pandora with this task?

The Drobots Application

First, I loaded the application and was greeted with a login page. Unfortunately, there wasn’t much more to the application than that. I ran a few tools against it to try to identify any hidden areas and what technologies were being used.

Below, you can see the output of the tool Whatweb which can be used to identify the technology stack. For example, it was able to identify that the web application was utilising HTML5, Python, and Jquery. That gave us an idea of what exploits we could try.

┌──(kali㉿kali)-[~]
└─$ sudo whatweb http://161.35.168.118:30447                                              
http://161.35.168.118:30447 [200 OK] Bootstrap, Country[UNITED STATES][US], HTML5, HTTPServer[Werkzeug/2.2.3 Python/3.8.16], IP[161.35.168.118], JQuery, PasswordField, Python[3.8.16], Script, Title[Drobots], Werkzeug[2.2.3]

I also ran Ferric Oxide which I hadn’t used before. I’m definitely going to be adding it to my list of essential tools just for the easy Burp integration. Unfortunately, it didn’t find much but look how great the output is.

SQL Injection

I already had a good idea of what this challenge wanted us to do. To clarify, the only page we could find was a login page. It was highly likely that this was an SQL injection challenge. In order to test for SQL injection, I captured a login request with Burp and saved that request to a file. Next, I used SQL map with the ‘-r’ argument to specify the flag.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request --dbs

SQLMap was able to identify the database names and that one of the databases was named ‘drobots’. So the next step was to get the tables from this database. As you can see from the output below, there was only one table called users. I then asked SQLMap to dump the contents of the user’s table.

┌──(kali㉿kali)-[~/HTB/Drobots]
└─$ sudo sqlmap -r request -D drobots -T users --dump

Drobots Application Access

The next step in the challenge was actually quite funny and stopped me in my tracks for a bit. SQLMap automatically attempted to crack the Admin user’s “hash” but was unsuccessful. Furthermore, submitting the “hash” to crackstation.net or trying to crack it myself was unsuccessful. Yes, I have put the word hash in quotes because it wasn’t a hash at all.

In fact, it was the admin user’s password. Unencrypted or encoded, just sat there waiting for anybody to steal it. I was able to login with the username admin and the string retrieved from the SQL injection. Upon logging in to the application, the flag was right there at the top of the table.

HTB{p4r4m3t3r1z4t10n_1s_1mp0rt4nt!!!}

Drobots Review

This was a fun application that reinforced SQL injections skills and got you to think slightly outside of the box. The password trick was a bit mean and I guarantee it was 100% intended. I’m sure there were many people it didn’t fool but I’m sure a lot of people got stuck at this stage for a while. Anyway, I enjoyed this challenge.

Gunhead was the second web hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where I will be talking about the web hacking challenge Gunhead. Notably, this challenge is a great step up from the first challenge and like the other challenges here is the description.

During Pandora’s training, the Gunhead AI combat robot had been tampered with and was now malfunctioning, causing it to become uncontrollable. With the situation escalating rapidly, Pandora used her hacking skills to infiltrate the managing system of Gunhead and urgently needs to take it down.

Enumerating The Gunhead Application

The Gunhead application had a bit more functionality than the first application. It appeared to be an interface for a weapons control system. There were a number of interactable icons on the right side of the page. The first option showed us the status of the bot, the second told us its needs and the third appeared to be a command window.

Command Window

The command window had a help option. Obviously, running ‘/HELP’ in the terminal showed us that we had a number of commands that we could run. These commands included ‘/CLEAR’ to clear the current terminal, ‘/STORAGE’ to list the current storage space and ‘/PING’ which lets us ping a target.

Looking at the source it seems that ‘/STORAGE’ command is printing prewritten information. However, the ‘/PING’ command appears to be directly invoking systems commands. If we can find a way to tack on additional commands then perhaps we can enumerate the filesystem and find and cat the flag.

Gunhead Command Injection

By running the ping command with an IP address and a semicolon, we can add our own commands on to the end such as the list command. For example, if we were to run ‘/PING 10.10.10.10; LS -LASH;’ then we would see the output of the list command. Unfortunately no ‘flag.txt’ file here.

If we continue enumerating the filesystem we can see that the flag file is in the ‘/’ directory. Consequently, all we should need to do now is cat the file.

Gunhead Capture The Flag

As shown below, we were able to capture the flag.txt file by appending the ‘cat’ command. Next, all we need to do now is copy the flag and submit and we’re done.

HTB{4lw4y5_54n1t1z3_u53r_1nput!!!}

Gunhead Review

The Gunhead web hacking challenge was a lot of fun and a good place to start learning about command injection. I remember that the Mr Robot lab had a similar vulnerability. Anyway, there isn’t much more to say about the challenge than that. It was well-designed and had fun visuals. I like challenges with strong themes as it helps to immerse you.

Trapped Source is the first Web challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez where today I will write about my experience with the Trapped Source challenge. As with all the other challenges, the description for the Trapped Source challenge was as follows.

Intergalactic Ministry of Spies tested Pandora’s movement and intelligence abilities. She found herself locked in a room with no apparent means of escape. Her task was to unlock the door and make her way out. Can you help her in opening the door?

Now the question is, how do I write 300 words about a challenge that requires you to view page source? I have to write 300 words so that Yoast SEO doesn’t complain about not writing 300 words. Therefore, I’m going to write about how I have to write 300 words just to satisfy the SEO gods.

The Trapped Source Application

Once we spawn the docker container, we can head to the IP and port in our browser. I loved the presentation of the application, the pixelated font on the keypad and the colour design was great. Other than that, there wasn’t much to the application. As you can see from the image below, the challenge is to input the correct pin.

So how do we solve this challenge? how do we find the correct pin in order to get the flag? Perhaps we could brute force it. However, based on the name of the challenge I’m going to go out on a limb and say we should view the source. I’m sorry if this sounds patronising but I need to pad out this write-up.

The Source Of The Solution

Right-clicking the page to view the page source or inspecting it will show you the code being rendered by your browser. Unfortunately, it seems that our website developer included the secret pin in the javascript. There are lessons to be learned here about secure coding practices and client-side coding but that’s for a later date.

Trapped Source Flag Captured

After punching in the pin we get our flag. You can type it out but if you expand the source code a bit more, you will see the flag which you can copy and paste. I.m not even sure if you needed to put the pin in to solve it. It doesn’t make sense that you would need to. If its all client side then the flag should be client-side too, I just didn’t bother to check.

HTB{V13w_50urc3_c4n_b3_u53ful!!!}

Trapped Source Review

The Trapped Source challenge was fun and a well-designed challenge for the first web challenge. I’m glad that it wasn’t just a case of view source and win (although it might have been). It seems the creators of the challenge had fun making it. I had fun solving it and hopefully, you’re having fun reading about it. Anyway, that’s all for this challenge.

Debug was the third hardware hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag Competition. Hello world, welcome to Haxez, this challenge was a lot of fun and wasn’t too difficult provided you had the right extensions installed. The description for debug was as follows.

Your team has recovered a satellite dish that was used for transmitting the location of the relic, but it seems to be malfunctioning. There seems to be some interference affecting its connection to the satellite system, but there are no indications of what it could be. Perhaps the debugging interface could provide some insight, but they are unable to decode the serial signal captured during the device’s booting sequence. Can you help to decode the signal and find the source of the interference?

Debug With Logic 2

As with the first challenge, we needed to open the files with Logic 2. However, the answer wasn’t right in front of us like last time. I had previously used Logic 2 before during the Try Hack Me Advent Of Cyber. However, that challenge told us what analyzer we needed to use and the exact settings needed. I thought it would be best to start with Async Serial but I had no idea what the baud rate would be. There are ways to calculate the baud rate manually but thankfully there is also an extension.

Configuring The Analyzer

Once the extension was installed, I shift clicked from one high point of the signal to the other. This then provided an estimation of the baud rate. I added a new Aysnc Serial analyzer for the RX channel and gave it the correct baud rate.

Debug The Signal

Finally, the data window started producing text. I must admit that I thought this was cool. It reminded me of the film Aliens for some reason. Something to do with the ASCII art and the satellite dish I think. Anyway, a lot of text was spat out and I have to salute whoever made this because they didn’t need to put this level of detail into it. Hidden in this transmission was the flag and all you had to do was assemble it.

HTB{547311173_n37w02k_c0mp20m153d}

Debug Review

This was a really fun challenge but I have to be honest, I found it easier than the first challenge. With this challenge, I felt that I knew what I had to do immediately. The first challenge completely threw me off for a long time. I really appreciate the level of detail that went into the transmission. It made me smile. Anyway, that’s all for the hardware challenges. I couldn’t solve secret code and from the write-ups, I’ve read, it didn’t look easy.

Critical Flight was the second hardware hacking challenge of the Hack The Box Cyber Apocalypse Capture The Flag competition. Hello world, welcome to Haxez, in this post I’m going to be discussing my experience solving the Critical Flight hardware hacking challenge. All challenges have a description and you can find Critical Flight’s below.

Your team has assigned you to a mission to investigate the production files of Printed Circuit Boards for irregularities. This is in response to the deployment of nonfunctional DIY drones that keep falling out of the sky. The team had used a slightly modified version of an open-source flight controller in order to save time, but it appears that someone had sabotaged the design before production. Can you help identify any suspicious alterations made to the boards?

Opening Critical Flight Files

I have no previous experience with GBR files. Honestly, it took me far too long to find something that would open them. In the end, I found an application called GerberLogix. The application allowed me to open all the files at once and was very simple to use. It does seem dated but it got the job done for the task at hand.

Critical Flight GerberLogix

As you can see from the image below, when opening the files they are combined. It’s like layers in photoshop or gimp and each layer was coloured differently. There wasn’t much else for me to do so I started selecting and unselecting different layers.

Revealing The Flag

After playing with the layers for a bit I eventually found a flag. However, no matter how I structured it, the flag wasn’t accepted. I initially thought that someone had made a mistake and forgot to add the end squiggly bracket but I should have known better. These folks don’t make mistakes.

Pulling Back The Layers

After tinkering with the layers a bit more, I finally noticed the second part of the flag. Of course, they didn’t forget to close the flag. These are hackers we’re talking about, syntax is incredibly important. As you can see below, there were two parts to the flag and we needed to combine them to solve the challenge.

HTB{533_7h3_1nn32_w02k1n95_0f_313c720n1c5#$@}

Critical Flight Review

This challenge was great in my opinion, it didn’t require too much tinkering. Once I found an application to open the files it was simple. I did try opening the files with GIMP as I read somwhere that they were brush files. That didn’t work out too well. Anyway, not much more to say about it. Fun challenge.

Timed Transmission was the first hardware challenge of the Hack The Box Cyber Apocalypse 2023 CTF event. Hello world, welcome to Haxez. In this post, I’m going to describe my experience solving the Time Transmission hardware challenge. All the challenges in this CTF have a great description following the theme of the competition. The introduction to the challenge was as follows.

“As part of your initialization sequence, your team loaded various tools into your system, but you still need to learn how to use them effectively. They have tasked you with the challenge of finding the appropriate tool to open a file containing strange serial signals. Can you rise to the challenge and find the right tool?”

Timed Transmission Files

After reading the description, we can download the challenge files which are achieved in a zip file. Extracting the zip files revealed a file named ‘Captured_Signals.sal’. There was also a ‘_MACOSX’ file which I presume contained the Mac OS equivalent files.

Our first challenge was to identify how to open these files. Performing a google search for ‘.sol’ files solved that question pretty quickly. Unfortunately, that was only the beginning of the challenge. Admittedly, I spent far longer on this challenge than I should have. Furthermore, the answer was under my nose the whole time, I just couldn’t see it.

Saleae Logic 2

The provided files could be opened with a program called Logic 2 from Saleae. Logic 2 allows the user to capture and analyse signals. Upon opening the file, the answer is right in front of you. The different message fragments make up the flag. Unfortunately, and embarrassingly, I didn’t see it. I spent hours trying to analyse the different channels with various different analyzers.

So provided you didn’t immediately zoom and mess with the signal, this should have been easy to solve. Unfortunately, I did mess with the signal and even went as far as extracting the individual channels from the file and looking through those. I wasted a lot of time.

HTB{b391N_tH3_HArdWAr3_QU3St}

Timed Transmission Review

I didn’t enjoy this challenge for the wrong reasons. It should have been a fun introduction to hardware hacking but I went and overcomplicated it. However, the challenge itself is fun and I like how the creators were able to make the signals spell out the flag.

Money Flowz is an easy Opensource Intelligence (OSINT) gathering exercise created by Sm4rtK1dz on Hack The Box. Hello world, welcome to Haxez. in this post I’m going to track down where Frank Vitalik’s money flows. Notably, I assume that this is an Ethereum blockchain-based challenge as Ethereum was created by Vitalik Buterin. I wanted to do this challenge because I’m taking part in the 2023 CTF and there are blockchain challenges. Sadly, this didn’t help.

The Challenge Money Flowz

Navigating to the challenge, we aren’t given much information. In fact, all we are given is the following “Frank Vitalik is a hustler, can you figure out where the money flows?”. indeed, the first thing I did was perform a basic google dork for the name Frank Vitalik. As can be seen, there are a lot of results. Obviously, some of these results are even for walkthroughs of the challenge. We need to be careful not to click those.

The Freecoinz Scam

After stalking through his Reddit user’s post history I stumbled upon a link to a scam. The scam claims to give you free crypto if you send crypto. Sadly this was (and potentially still is) a popular crypto scam. Twitter used to be full of bots impersonating Elon Musk claiming that he would give you free crypto. Anyway, the page gives you an Ethereum address. Furthermore, there is also a comment that suggests what network we should investigate.

Wow! I can't believe they are giving free coins into the ropsten net!

RIP Ropsten and Proof Of Work

Ropsten was a test network for Ethereum, one of the largest and most popular blockchain networks. It was designed to provide developers with a way for testing their smart contracts. Ropsten was a “testnet” that mimiced the main Ethereum network. It had the same functionality, but the key difference was that its native currency had no real-world value. Ropsten Ether (Ropsten ETH or “test ETH”) couldbe obtained for free from certain faucets or could be mined using specialized software.

Using Ropsten, developers can deploy and test their smart contracts and dApps in a sandbox environment. This meant that they could deploy contracts without worrying about potentially expensive mistakes. Once the testing is complete and any bugs or issues are resolved, the code can then be deployed on the main Ethereum network with greater confidence.

As you may be aware, Ethereum deployed a massive change to the way in which its blockchain works. BitCoin uses a model called proof of work. Miners solve complicated maths puzzles and are rewarded with BitCoin. Without going too deep, this verifies the integrity of the blockchain. Ethereum used to be based on this model too. However, you may also be aware that mining for cryptocurrency uses a lot of energy. Therefore, environmentalists have spoken out against crypto mining.

Ethereum and Proof Of Stake

Ethereum changed the model from proof of work to proof of stake. Proof of Stake (PoS) is a consensus algorithm used to secure and validate transactions on the network. Additionally, validators are chosen to create new blocks and validate transactions based on the amount of cryptocurrency they “stake”.

Instead of relying on computational power (as in Proof of Work) to secure the network, PoS systems rely on validators. Furthermore, these validators are incentivized to act honestly because they stand to lose their staked cryptocurrency.

The process of staking involves locking up a certain amount of cryptocurrency as collateral. Then, it is used to participate in the consensus process. Validators are then randomly selected to create and validate blocks based on the amount of cryptocurrency they have staked. Validators earn transaction fees and newly minted cryptocurrency as a reward for their work.

PoS is considered to be more energy-efficient than Proof of Work. To explain, it does not require large amounts of computational power to validate transactions. Furthermore, It is also generally considered to be more secure. It is more difficult and expensive to acquire a large amount of cryptocurrency to manipulate the network.

Solving Money Flowz

If you’ve tried to solve this challenge recently then you may have noticed that the blockchain explorer is no longer available. To my knowledge, there is no way to solve this challenge via the intended method. As you can no longer query the chain, you can no longer find the transaction containing the flag. Unfortunately, this means I can’t demonstrate how to do it but I will leave the flag below. I do wonder whether it’s possible to retrieve the blockchain somehow. Like a wayback machine for blockchains. Granted, most blockchains don’t need one.

HTB{CryPt0Curr3ncy_1s_FuNz!!}