Posts

2022 Cloud Village CTF at DEF CON 30 - Multi Cloud Shenanigans

"Clair is a Google Cloud Administrator at PeopleBack Corp in California. Her company has acquired a product and to provide more availability to the customers they had to go multi-cloud setup. The application is not available to their customer outside California. Can you find the issue and get the content of the site?" Hint: PeopleBackCorp recently acquired BeoShaft. After the hint was released, I finally had a hit using the Code Search feature on sourcegraph.com for one of the terms relating to the challenge: BeoShaft. From there, I browsed directly to https://github.com/BeoShaft and clicked through the small amount of content in the repo until I saw this image: "Word Art.jpeg". The string "dc5vf5almyxxx" caught my attention right away. At first I thought this may be part of a URL for a Lambda function. I cross-checked its length with a function that exists in my personal account and they didn't add up. Even if I removed the X's at the end of the s

DEF CON 29 - Cloud Village CTF

The Cloud Village CTF at DEF CON 29 was challenging and educational. Strupo_ flew solo and the event ended with Welcome Thrillhouse Group in 16th place. There were four groups of challenges with 11 challenges in total. Strupo_ solved three challenges during the event, one after the event, and made some semblance of progress on a few of the others. For the few challenges solved, the write-ups are enough for a complete walk-through. Concerning the rest, some limited notes were outlined but not expanded upon so that this post stays relatively short. Let's get into it. Like Duh! Level 0 - Play this first (100) "Hello everyone, The flag format for all the challenges is of the following format. The string FLAG-{ followed by 32 characters that look like Base64, closed with a }. The flag format is this exact string format. The flag is case sensitive. Submitting anything else/any other format shows that you have not read or understood this message :( For example, the

HTB Business CTF 2021 - Theta

Hack The Box (HTB) hosted its very first "corporate only" CTF this past weekend and called it HTB Business CTF 2021. Participants had to create new accounts directly linked to their employer, teams were capped at 10, and the challenges were mostly intermediate to hard on the difficulty scale. HTB Business CTF 2021 Sadly, I was alone on my team and only had the first day of the event to devote. So, I decided to focus only on the cloud challenges and I was able to solve the first one. So without further ado... Let's get into it. Theta "We're in the practice of open source cloud services and think that the deployment is secure so far. As a part of a pentest engagement, can you test and report the vulnerabilities?" I began this challenge with a port scan: nmap -p- -sV -Pn --open -iL target.txt -oA nmap-theta_full --stats-every 120s Nmap scan report for 10.129.171.200 Host is up (0.043s latency). Not shown: 65533 closed ports PORT     STATE SERVICE VERSION 22/tcp   open 

TryHackMe - Mustacchio

Here is Strupo_'s write-up for an "Easy boot2root Machine" called Mustacchio, by zyeinn, on TryHackMe.com. The challenge was solved by conducting some basic enumeration, exploiting an XXE injection vulnerability, cracking a password, and leveraging an SUID binary to root the system. Enumeration To begin, nmap was used to determine open ports: $ nmap -p- --open -sV -v -Pn -oA nmap-mustacchio 10.10.81.167 <snip> PORT     STATE SERVICE VERSION 22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu)) 8765/tcp open  http    nginx 1.10.3 (Ubuntu) <snip> Manually browsing to the web servers revealed a mustache-based blog on 80/tcp and an admin login prompt hosted on 8765/tcp, as seen below: Admin Panel Login Next, ffuf was used to enumerate content on the web server: $ ffuf -u http://10.10.81.167/FUZZ -w /usr/share/wordlists/dirb/big.txt <snip> .htaccess               [Statu