Writeup Cyber Threat Force : Smasher

For this challenge, we were given two files: smasher-1.0.0.AppImage and smasher_Setup_1.0.0.exe. I only looked at the AppImage one, since I’m running Linux. Launching the program reveals an Electron app. We can simply use the dev tools to reveal the source code. Only one JavaScript file is there, login.js: function Login() { var i = { _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", encode: function(r) { var t, e, o, a, n, c, h = "", d = 0; for (r = i.
Read more →

Writeup Cyber Threat Force : Verify this

For this challenge, we were given a Stagged.exe executable. Before running it on our machine, we can try to run it against Hybrid Analysis, an online malware analysis service. Here is the link to the full report. We can see in the “Network Analysis” tab that the program made two requests (the “HTTP Traffic” part of the report). Trying to download the first image gives us a PE file. If we upload it again, we see that it also makes a request to /ordertoexecute.
Read more →

Writeup Cyber Threat Force : Welcome to the matrix

Read more →

Writeup Cyber Threat Force : Flag checker

For this challenge, we were given a program executable. $ ./program ./program FLAG $ ./program MYFLAG failed Seems like it validates the flag that is passed as an argument. Let’s open the binary in Ghidra. There are a lot of functions defined, and looking at the exports we see that quite a lot of them start with caml_. I didn’t know you could compile OCaml to C, that’s pretty neat.
Read more →

Writeup Cyber Threat Force : Take your time

For this challenge, we were given a TakeYourTime executable, which seems to hang when we run it. We can analyze its code using Ghidra: unsigned int FLAG[] = { 0xb5, 0x63, 0x98, 0x3d, 0xb5, 0x06, 0x46, 0xba, 0x0f, 0xd5, 0x47, 0xce, 0x97, 0xef, 0x7b, 0x28, 0xdb, 0xe7, 0x39, 0x10, 0xb0, 0xf5, 0x44, 0xec, 0x30, 0x88, 0x46, 0xf6, 0x88, }; undefined8 main(void) { byte bVar1; int iVar2; uint local_28; int local_24; ulong local_20; local_28 = 0; local_20 = 0x32; while (local_20 < 0x4f) { bVar1 = fibonacci(); local_28 = local_28 >> 8 | (local_28 ^ bVar1) << 0x18; local_20 = local_20 + 1; } srand(local_28); local_24 = 0; while (local_24 < 0x1d) { bVar1 = FLAG[local_24]; iVar2 = rand(); putchar((uint)bVar1 ^ iVar2 % 0xff); local_24 = local_24 + 1; } puts("\nGood you can validate the chall with this password ;)!
Read more →

Writeup Cyber Threat Force : Return to the school

This challenge involved solving an ASCII maze in under 10 seconds. I can’t include a demo because I’m writing this after the CTF ended. My script uses the astar package, because I was too lazy to re-implement A* manually. It isn’t particularly pretty, but at least it is functional. Here it is: import math from pwn import * from astar import AStar def parse_maze(source): source = source.strip() source = source.split('\n') source = source[:-1] # Remove last line (dots) source = [list(l[1:-1]) for l in source] # Remove left and right dots return source # Mostly copied from the astar package example.
Read more →

Writeup Cyber Threat Force : PrivEsc

For this challenge, we were given SSH access to a machine, as the user ctf. After running sudo -l, we quickly find that we can run the /opt/Ivazov binary as ctf_cracked. The user in question has a flag.txt file in their home, which only they can read. We also notice env_keep += LD_PRELOAD. From there, we can try an LD_PRELOAD exploit. The steps taken here are copied from the guide that was just linked.
Read more →

Writeup Cyber Threat Force : bof_3

For this challenge, we were also given a service executable. It was hosted remotely. NOTE: since I’m writing this after the CTF ended, the demos are done locally. $ checksec ./service [*] '/home/vivescere/ctf/bof_3/service' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) $ ./service password: mypassword nop NX enabled, and partial RELRO. Let’s take a look at the binary using Ghidra: undefined4 main(void) { ignorMe(&stack0x00000004); puts("password: "); vuln(); puts("nop"); return 0; } void vuln(void) { undefined local_70 [104]; read(0,local_70,0x96); return; } We have an overflow, but not much else going on.
Read more →

Writeup Cyber Threat Force : bof_2 (with PrivEsc)

For this challenge, we were also given a service executable. It was also hosted remotely. NOTE: since I’m writing this after the CTF ended, the demos are done locally. Level 1 $ checksec service [*] '/home/vivescere/ctf/bof_2/service' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: PIE enabled RWX: Has RWX segments $ ./service Hello authentifie toi ! Username: vivescere Bienvenue vivescere password: mypassword oops i have lost my db sorry This time, the only protection that’s activated is PIE, which means addresses won’t be stable.
Read more →

Writeup Cyber Threat Force : bof_1 (with GetShell & PrivEsc)

For this challenge, we were given a service executable. It was also hosted remotely. NOTE: since I’m writing this after the CTF ended, the demos are done locally. Level 1 $ checksec service [*] '/home/vivescere/ctf/bof_1/service' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) $ ./service hello who are you? vivescere Hello vivescere We do have NX enabled, along with canaries and partial RELRO. Also, the executable is statically linked, meaning we won’t have easy access to the libc.
Read more →