Capture The Flag

Capture The Flag (CTF) is a cyber security competition or set of challenges in which hackers and security researchers compete and practice their skills. It often requires contestants to break into servers, or tests other cyber security skills, to obtain a certain sentence known as the flag. Submitting the flag proves that the contestant has completed the challenge.

This page contains all the write-ups of CTFs I have taken part in and tried. Some are password protected, especially the HackTheBox CTFs, because those machines/challenges have not retired yet. Input the flag as the password to see the content.

Cryptography

Hardware

Machine

  • HackTheBox – Armageddon
    • Use Drupal website CVE to access server, pivot from Apache user in web shell to local user, use Hashcat to crack Drupal hash to get user’s password, privilege escalation using Snap GTFObin.
  • HackTheBox – Backdoor
    • Manually enumerate WordPress plugin directory, exploit directory traversal to leak running processes, exploit gdbserver for reverse shell, attach to root’s screen for root shell.
  • HackTheBox – BountyHunter
    • XXE in which the XML document must be base64-encoded and URL-encoded, with base64 encoding also needed to leak file contents for initial access to the machine. A custom exploit against an eval() vulnerability has to be written for privilege escalation.
  • HackTheBox – Cap
    • Understanding web directories, knowing how to use Wireshark, finding file capabilities for privilege escalation.
  • HackTheBox – Explore
    • ES File Explorer open port vulnerability was exploited to gain credentials for SSH access to the machine. A tunnel was then used to access the internal ADB service for privilege escalation.
  • HackTheBox – Knife
    • Exploit PHP 8.1.0-dev CVE and using Knife/Chef for privilege escalation
  • HackTheBox – Late
    • Use OCR for SSTI in a Flask system for initial access, and enumerate for a user-owned file in the system that is executed by root (verified with pspy) for privilege escalation.
  • HackTheBox – Love
    • Time-based SQL injection used to bypass authentication in voting system 1.0, exploit unrestricted file upload CVE for RCE in voting system 1.0, escalate privilege in Win10 via AlwaysInstallElevated through Metasploit
  • HackTheBox – OpenAdmin
    • Exploit OpenNetAdmin 18.1.1 CVE, exploit bad password practice, file enumeration, cracking encrypted SSH private key for a password, and Nano GTFObin privilege escalation
  • HackTheBox – Pandora
    • Enumerate SNMP for initial access, SQL injection on the internal website to pivot to another user, and utilize path hijacking of a SUID program for privilege escalation.
  • HackTheBox – Paper
    • Enumerate HTTP response for the domain name, enumerate version of WordPress and a post’s comment for a vulnerability to know about a sub-domain, exploit a chatbot’s arbitrary read vulnerability to leak SSH keys for initial access, using LinPEAS to discover and exploit CVE-2021-3560 for privilege escalation.
  • HackTheBox – Photobomb
    • Enumerating the webpage source for backdoor access to login to a webpage, using command injection vulnerability for initial access, and path hijacking via sudo for root privilege.
  • HackTheBox – Precious
    • Enumerate the downloaded PDF metadata to discover vulnerable PDF converter pdfkit used and use command injection, enumerate directory to pivot user, and exploit ruby deserialization yaml.load for privilege escalation.
  • HackTheBox – Previse
    • Enumerate a page hidden by URL redirect (status 302), exploit unsanitized input passed to the server’s PHP exec(), crack an MD5 hash with Hashcat for initial access, and use path hijacking for privilege escalation.
  • HackTheBox – RedPanda
    • SSTI in search bar for RCE, enumerate for user-owned vulnerable JAR file periodically run by root, study JAR file source code to exploit it via directory traversal and XXE to leak root’s SSH private key.
  • HackTheBox – Schooled
    • Enumerate vhost for subdomains, XSS to steal session cookie, exploit Moodle’s CVE-2020-14321 RCE, access MySQL using one-liner, crack BCrypt hash with Hashcat, exploit ‘pkg’ GTFObin for privilege escalation.
  • HackTheBox – Shocker
    • Access Apache server with shellshock CGI vulnerability and Perl privilege escalation
  • HackTheBox – Support
    • Enumerate SMB shared folder, use dnSpy to reverse engineer a .NET binary for LDAP credentials, LDAP query to find another user’s credentials, initial access via winrm, and privilege escalate using Kerberos Resource-based Constrained Delegation.
  • HackTheBox – Timelapse
    • Enumerate SMB, crack password-protected ZIP file with zip2john, crack password-protected PFX file with crackpkcs12, generate public and private key to login via evil-winrm, enumerate PowerShell command history for credentials, pivot to another user account, privilege escalate via LAPS.
  • HackTheBox – Trick
    • DNS zone transfer enumeration to leak subdomain, ffuf fuzz for another subdomain, LFI to leak SSH private key for initial access, fail2ban misconfiguration for privilege escalation.
  • HackTheBox – Writeup
    • CMS Made Simple CVE time-based SQL injection, and path hijacking for privilege escalation, spotted by using pspy to watch currently running processes.
  • Proving Grounds – AuthBy
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Banzai
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Nibbles
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – ClamAV
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Fail
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Hawat
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Heist
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Hunit
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Hutch
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Jacko
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Meathead
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Medjed
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Nickel
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Payday
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Slort
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Sybaris
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Tico
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – UT99
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Vault
    • PM me for password to access it (Only give to those I know personally)
  • Proving Grounds – Wombo
    • PM me for password to access it (Only give to those I know personally)
  • TryHackMe – Attacktive Directory
    • Kerberos user enumeration using Kerbrute on DC, AS-REP Roasting using GetNPUsers on DC, Hashcat to crack Kerberos hashes, dumping password hashes from DC, and using Evil-WinRM to access the DC.
  • TryHackMe – Post-Exploitation Basics
    • Enumeration via PowerView, BloodHound, Server Manager, and Event Viewer, along with dumping LSA secrets NTLM password hashes and Golden Ticket using Mimikatz. A Metasploit module is used for persistence.

Misc

Mix (Crypto, RE, Web, Pwn, etc)

  • CTF.SG CTF 2022
    • Usage of IDA Pro, exploiting MD5 magic hashes, SSRF to steal cookies, ROP, buffer overflow + array arbitrary write to leak stack cookies and bypass ASLR.
  • Flare-On 9
    • Reverse PHP code, obfuscated dotnet code via dynamic method, cryptography misconfiguration for RSA resulting in decrypting ChaCha20 encryption too, reverse C++ OOP program, reverse C programs, reverse JavaScript/Python-based EXE programs, and reverse a macOS img file.
  • SANS Holiday Hack Challenge 2021
    • Cryptography, Active Directory pentesting via Kerberoasting and WriteDACL privilege, SQL injection, command-line proficiency, configuring Fail2Ban, bypassing YARA rules, misusing Flask’s cookies, exploring file metadata, Verilog and Python programming, SSRF on IMDS servers, learning about the Log4J vulnerability, the art of debugging with ltrace and strace, HTTP request fuzzing, Boolean logic, learning Splunk’s filters, and GNU/Linux shellcoding.

Mobile

Pwn (Binary Exploitation)

Reverse Engineering

Web
