Posts

Showing posts from January, 2026

TryHackMe Side Quest AOC 2025 - BreachBlocker Unlocker (hard level)

The fourth Side Quest (BreachBlocker Unlocker) started by discovering the key through reverse engineering an HTA file from the Advent of Cyber Day 21 room and using it to remove the firewall on the target machine. Let's start with the commands used:
root@ip-10-81-182-239:~# seq -w 0 999999 > codes.txt
root@ip-10-81-182-239:~# COOKIE='session=.eJxtj11rwkAQRf_LPIsPKX40IKjgQwttTRsUEQmzm4lZ3Oza2UlESv-7WlCK5vmeey73B7CWkpwYjUI5xMI1dUCh22VRgZn2OUEMq35qF5_J4G3RWyYNfa2Ok-f0ZTt8lUgG2H_fDpO9eqK5nhym32nx0USzEfzTNMSmMBd_gTZcB9Baf6A8y32FxgWI10AYhFjVzhkKXSkr2NzBdGbtH6uR2cs5pPFjrQMV2hK5Lbsp267XgdhhdXkdFBPqUlmvd8Qtot8TkGpzmQ.aUpUuw.lQbR5-wD3QPxVos09eGYYGnQyEU'
root@ip-10-81-182-239:~# gobuster dir -u https://10.81.135.120:8443 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,js,py,html,zip -k
root@ip-10-81-182-239:~# pip3 install aiosmtpd
root@ip-10-81-182-239:~# aiosmtpd -n -l 0.0.0.0:25 -c aiosmtpd.handlers.Debugging stdout
nmap -sC -sV -p- <IP>
Python...

TryHackMe Side Quest AOC 2025 - Scheme Catcher (Insane Level)

The second Side Quest (Scheme Catcher) started with discovering the key in the Advent of Cyber Day 9 room and using it to remove the firewall on the target machine. Afterwards, by fuzzing a web application on the target for directories, we discovered a file with a binary inside, and analyzing the binary revealed another endpoint. Checking out this endpoint, we discovered the application running on another port; reverse engineering it, we found a Use-After-Free vulnerability, and with a heap exploitation exploit we obtained remote code execution and a shell inside a container. Inside the container we discovered an SSH key, which we used to get a shell on the host, and by reverse engineering and exploiting a vulnerable kernel module we were able to escalate to root and complete the room. Python script:
#!/usr/bin/env python3
from pwn import *
import io_file
context.update(arch="amd64", os="linux", log_level="error"...