Posts: 6 Threads: 0 Joined: N/A
October 24, 2022 at 1:50 PM

plz discuss here
reversing challenge: thanks @HTBContestant
forensics challenge: thanks @Solo1

Posts: 11 Threads: 0 Joined: N/A
October 24, 2022 at 2:04 PM

in web, I think the JWT is the key, it's strangely implemented (token inside token). sqli didn't yield me any results, also running hashcat on the token (the inside one) didn't get me anything

Posts: 21 Threads: 0 Joined: N/A
October 24, 2022 at 2:06 PM

For reversing, use "strings" -> [GQh{'f}g wLqjLg{ Lt{#`g&L#uLpgu&Lc'&g2n -> Then Use CyberChef to decode
The PWN one has the password in the file, but I don't know how to "make a wish", the connection always just aborts.

Posts: 16 Threads: 0 Joined: N/A
October 24, 2022 at 2:12 PM

Pwn challenge looks like shellcode.

    local_a8 = 0;
    local_a0 = 0;
    local_98 = 0;
    local_90 = 0;
    local_88 = 0;
    local_80 = 0;
    local_78 = 0;
    local_70 = 0;
    local_68 = 0;
    local_60 = 0;
    local_58 = 0;
    local_50 = 0;
    local_48 = 0;
    local_40 = 0;
    local_38 = 0;
    local_30 = 0;
    local_28 = 0;
    local_20 = 0;
    local_18 = 0;
    local_14 = 0;
    /* read up to 0x95 bytes from stdin into the stack buffer */
    read(0,&local_a8,0x95);
    /* call the buffer as a function */
    (*(code *)&local_a8)();

Also NX not set meaning it's capable of it (no protection). Did not get it working yet.

Posts: 21 Threads: 0 Joined: N/A
October 24, 2022 at 2:23 PM

(October 24, 2022, 02:10 PM)Hacker2222 Wrote:
(October 24, 2022, 02:04 PM)nirs Wrote: in web, I think the JWT is the key, it's strangely implemented (token inside token). sqli didn't yield me any results, also running hashcat on the token (the inside one) didn't get me anything
it prob is sqli in database.py at registration
(October 24, 2022, 02:06 PM)HTBContestant Wrote: For reversing, use "strings" -> [GQh{'f}g wLqjLg{ Lt{#`g&L#uLpgu&Lc'&g2n -> Then Use CyberChef to decode
The PWN one has the password in the file, but I don't know how to "make a wish", the connection always just aborts.
what recipe in CyberChef?

I just used the Magic function with Crib = "HTB{", intensive mode active and depth of 5. This would be it: https://gchq.github.io/CyberChef/#recipe=XOR(%7B'option':'Hex','string':'13'%7D,'Standard',false)

Posts: 11 Threads: 0 Joined: N/A
October 24, 2022 at 2:29 PM

(October 24, 2022, 02:10 PM)Hacker2222 Wrote:
(October 24, 2022, 02:04 PM)nirs Wrote: in web, I think the JWT is the key, it's strangely implemented (token inside token). sqli didn't yield me any results, also running hashcat on the token (the inside one) didn't get me anything
it prob is sqli in database.py at registration

yup you're right, I was focusing on login

Posts: 22 Threads: 0 Joined: N/A
October 24, 2022 at 2:32 PM

for crypto compute the gcd of c1 - c2 and N is p then compute c1 - p^e1 mod N it is indeed the flag

Posts: 21 Threads: 0 Joined: N/A
October 24, 2022 at 2:32 PM

For web: The admin account already exists, but when I try to log in, I get a server error. Also, in the frontend/dashboard multiple other things are shown if you are logged in as admin, for example {{flag}}. And yea, the MySQL credentials are in the code, too, so if you could connect to it, that might help to get the admin hash. The flag is stored in a config, which is read in routes.py when accessing /dashboard. So in short, we just need to login as admin by getting their password or token.

Posts: 5 Threads: 0 Joined: N/A
October 24, 2022 at 3:10 PM

Let's go!

Posts: 13 Threads: 0 Joined: N/A
October 24, 2022 at 3:11 PM

Forensics is just a traditional malicious VBA, need to deobfuscate the payload
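
Added example, not part of any post in this thread: the reversing posts above report that the `strings` output decodes with a single-byte XOR (hex key 13) found through CyberChef's Magic with the crib "HTB{". The sketch below derives the key directly from the crib instead of searching for it, and also slides the crib over the data in case it does not sit at offset 0; all function names are illustrative.

```python
"""Crib-based recovery of a single-byte XOR key (added example)."""

# String quoted in the thread from the `strings` output.
ENCODED = b"[GQh{'f}g wLqjLg{ Lt{#`g&L#uLpgu&Lc'&g2n"
CRIB = b"HTB{"  # known flag prefix, used as the crib in the thread


def recover_key(data: bytes, crib: bytes, offset: int = 0):
    """Return the one-byte key if the crib fits at `offset`, else None."""
    window = data[offset:offset + len(crib)]
    if len(window) < len(crib) or not crib:
        return None
    key = window[0] ^ crib[0]
    # Every crib byte must imply the same key, otherwise this is not
    # single-byte XOR (or the crib is not at this offset).
    if all(c ^ p == key for c, p in zip(window, crib)):
        return key
    return None


def find_crib(data: bytes, crib: bytes):
    """Slide the crib over the data; yield (offset, key) for each fit."""
    for offset in range(len(data) - len(crib) + 1):
        key = recover_key(data, crib, offset)
        if key is not None:
            yield offset, key


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def solve(data: bytes, crib: bytes):
    """Return (key, plaintext) for the first fit that decodes to printable ASCII."""
    for _offset, key in find_crib(data, crib):
        plain = xor_decode(data, key)
        if is_printable(plain):
            return key, plain.decode("ascii")
    return None


if __name__ == "__main__":
    print(solve(ENCODED, CRIB))
```

Because the key falls out of one XOR between ciphertext and crib, the check that all four crib bytes agree is what separates a real single-byte XOR from a coincidental match on the first byte.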