Author: Michael


Hilltop CTF – Writeups

June 4, 2020 | CTF, Hilltop CTF, Security | No Comments

Hi everyone,

A blog post on a different topic this time. I was a Content Engineer for the Hilltop CTF event.

Write-up for the Fuzz challenge.

Challenge name: Fuzz

Creator: MasterWayZ

Category: Analysis/Fuzzing


Summary:

The user is given a URL to look at: http://shellserver1.hilltopctf.masterwayz.nl:5876/

How-To:

  1. Using a program like gobuster, we can try to see what directories exist: gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5876/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  2. We get a 301 redirect for /penguins. From here, it’s a matter of running gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5876/penguins/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt. The txt extension comes from the .txt file mentioned in the README.md file.

Explanation:

  • We use gobuster to find out which folder the file is hidden in. dir specifies directory mode, -u specifies the URL and -w specifies the wordlist.
  • A 301 redirect for /penguins means that we’ve found something. Now we need to find the file in that directory. The new flag, -x, specifies the extensions gobuster appends when trying to find files.

Write-up for the Fuzzy challenge.

Challenge name: Fuzzy

Creator: MasterWayZ

Category: Analysis/Fuzzing, Attacks/Cracking


Summary:

For this challenge, you need to fuzz a Flask web server to start with, followed by brute-forcing a password and then automating or guessing the missing character in the flag.

How-To:

  1. First we try to fuzz a directory. We can use gobuster with this. gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:39345/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  2. We will find that we get a 401 error for /email. Looking at it in the web browser, we see that we are given a clue that the username is admin, so we just need to brute-force the password. We can do this with hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 39354 -f shellserver1.hilltopctf.masterwayz.nl http-get /email. We find that the password is ‘michelle’.
  3. We see the flag, sort of. The ‘!’ in the flag has to be some kind of ASCII character. You can try all of them by hand or automate it. Once you’ve done that, you find that it is 5, making the flag HilltopCTF{FuzzyFuzzyFuzzyFuzzyFuzzy5_08b353dc330dcad5734172ff5009f5e6b3826d49fa7243f3e598effb85bef982}.

Explanation:

  • We first use gobuster to try to find out if there’s a hidden directory. dir specifies directory mode and -w specifies the wordlist.
  • We get a 401 for /email, which means that it is most likely asking for some kind of authentication. Visiting it with a browser shows that the username is ‘admin’.
  • We use hydra to try to crack the password. -l specifies the login, in this case ‘admin’. -P specifies a password file, in this case rockyou.txt, -s is for the port number and -f specifies the hostname, http-get means that we want to use an HTTP GET request and /email is the path that you want to crack.
  • We get access to a partial flag. The ‘!’ in the flag is not valid. We need to find out which ASCII or extended ASCII character belongs there. You can try this by hand, or automate it.

Write-up for the Injection challenge.

Challenge name: Injection

Creator: MasterWayZ

Category: Attacks/SQL Injection


Summary:

For this you need to perform a SQL injection on a webform in order to dump the database.

How-To:

  1. Go to the website. Look at the site and you will see a form. Proxy this form through something like burp, and save the request made.
  2. Use sqlmap with the request. For example, sqlmap -r injection.req.
  3. After running, it will find some ways to perform a SQL injection. After this, the easiest thing to do is to dump everything with sqlmap. Run: sqlmap -r injection.req --dump.
  4. Piece the flag together. It’s spread across three tables. It’s clear what the start and end is, because of the start of the flag and the } at the end of the flag. The piece with no bracket in it at all is the middle one.

Explanation:

  • We visit the website and only see search-related things and a web form. This form submits ID to index.php, which indicates to the user that some kind of SQL query is being performed. We proxy the request through Burp and save it to a file. (Proxying through Burp is an easy way to capture a request. We need the POST request.)
  • We use sqlmap to test the form for SQL Injection. The -r flag specifies the request and we give it the saved request.
  • When it has run for a while, we specify that we want to do MySQL tests only, as it successfully identified the backend as a MySQL server. After a while, it will find multiple vulnerabilities.
  • We use sqlmap again with -r to specify the request file and --dump to dump all contents.
  • From here it’s a case of finding the three flag pieces. It’s easy to see the start and end piece (from the { and }) and there is only one middle piece.

Flag locations:

  • The first part is located in the federal table.
  • The second part is located in the taskforce table.
  • The third part is located in the Guests table.

Write-up for the Backstab challenge.

Challenge name: Backstab

Creator: MasterWayZ

Category: Analysis/Fuzzing, Cryptography/Cracking


Summary:

For this challenge, you had to fuzz the initial webserver to see a passwd file and a secured area. You crack the hash and gain access to the secured area, where you fuzz for the flag.

How-To:

  1. Use a program like gobuster to do the initial scan: gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5843/ -w /usr/share/wordlists/directory-list-2.3-medium.txt
  2. After a while, you will see /secure and /passwd. Download the passwd file and use a program like hashcat with rockyou.txt to crack it: hashcat -m 3700 encrypted.hash /usr/share/wordlists/rockyou.txt.
  3. The password will be found and you can log into /secure with the username and password. The username is given in the challenge description.
  4. Fuzz the /secure/ area and you will find /flag. This contains the flag. We can do that with gobuster dir -u http://shellserver1.hilltopctf.masterwayz.nl:5843/secure/ -w /usr/share/wordlists/directory-list-2.3-medium.txt. (note the /secure/ at the end, especially the last /!)

Explanation:

  • First we run gobuster in directory mode to fuzz some directories and files on the webserver. -u specifies the URL and -w specifies the wordlist.
  • Once we download the hash file, we use hashcat to crack it. -m 3700 sets hash mode 3700, which is bcrypt. Finally, the wordlist, in this case rockyou, is given as the last argument.
  • Once we have the password, we use that to log into the /secure area.
  • Once in the /secure area, we use gobuster on /secure/ to check for hidden files, and it will find /secure/flag which contains the flag.

Write-up for the Johnny challenge.

Challenge name: Johnny

Creator: MasterWayZ

Category: Cryptography/Cracking


Summary:

For this challenge, the user is given an encrypted .zip file with the flag inside.

The user has to crack the password, which is in rockyou.txt.

There are many ways to do this; here is one:

How-To:

  1. Install john
  2. Download the .zip file
  3. Run zip2john flag.zip > encrypted-zip.john
  4. Run john --format=zip encrypted-zip.john --wordlist=/usr/share/wordlists/rockyou.txt
  5. Once it finishes, run john encrypted-zip.john --show
  6. Use the password, which in this case is ‘patricia’.
  7. Unzip the ZIP file, run unzip flag.zip.

Explanation:

  • What we just did above was use the power of John the Ripper to crack the password.
  • zip2john converts the zip file into a format that john can read.
  • The command after that forces the ZIP format on the encrypted john file and cracks it using the rockyou wordlist.
  • Finally, the --show is used to let john show the password.
  • Then you can extract the file and obtain the flag.

Write-up for the Julius challenge.

Challenge name: Julius

Creator: MasterWayZ

Category: Cryptography/Cracking


Summary:

The best approach is to think of the ROT ciphers and then identify that ROT47 is the only one that fits: ROT13 and ROT18 lack some of the characters used in the message.

The rotation amount is found by brute force; in this case it is 13.

The title of this challenge was chosen to make the user think of the Caesar cipher and hint towards ROT ciphers. However, it’s also a bit misleading, as the user will see that the characters used in the encrypted message cannot occur in a Caesar-encoded text file.
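As an added example (not part of the original write-up), here is the reasoning above in Python: a rotation cipher over the 94 printable ASCII characters (ROT47 is the shift-47 case), a character-set check that says which ROT family a ciphertext could belong to, and a brute force over all shifts that picks the one yielding a known flag prefix. All sample strings are constructed for this example.

```python
"""Generalised ROT cipher over the 94 printable ASCII characters, plus a
character-set check that tells ROT13, ROT18 and ROT47 apart.
Added example, not part of the original write-up; sample strings are constructed."""
from typing import List, Tuple

FIRST, LAST = 33, 126            # '!' .. '~': the 94-symbol alphabet used by ROT47
ALPHABET_SIZE = LAST - FIRST + 1


def rot_alpha(text: str, shift: int = 13) -> str:
    """ROT-N on ASCII letters only (ROT13 when shift == 13); other chars pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot18(text: str) -> str:
    """ROT18 = ROT13 on letters plus ROT5 on digits (self-inverse)."""
    return "".join(str((int(ch) + 5) % 10) if ch.isdigit() else ch
                   for ch in rot_alpha(text, 13))


def rot_printable(text: str, shift: int = 47) -> str:
    """Rotate every printable ASCII symbol by `shift` (ROT47 when shift == 47).
    Spaces, newlines and non-ASCII characters pass through unchanged.
    A negative shift undoes the corresponding positive one."""
    out = []
    for ch in text:
        code = ord(ch)
        if FIRST <= code <= LAST:
            out.append(chr((code - FIRST + shift) % ALPHABET_SIZE + FIRST))
        else:
            out.append(ch)
    return "".join(out)


def candidate_families(ciphertext: str) -> List[str]:
    """Which ROT families could have produced this text, judged by its symbols:
    letters only -> ROT13 possible; letters and digits -> ROT18 possible;
    any other printable symbol rules both out and leaves only ROT47."""
    body = [ch for ch in ciphertext if not ch.isspace()]
    families = []
    if all(ch.isascii() and ch.isalpha() for ch in body):
        families.append("ROT13")
    if all(ch.isascii() and ch.isalnum() for ch in body):
        families.append("ROT18")
    if all(FIRST <= ord(ch) <= LAST for ch in body):
        families.append("ROT47")
    return families


def brute_force_printable(ciphertext: str, marker: str) -> List[Tuple[int, str]]:
    """Undo every possible shift over the printable alphabet and keep the
    (shift, plaintext) pairs that contain `marker`, e.g. a known flag prefix."""
    hits = []
    for shift in range(1, ALPHABET_SIZE):
        plaintext = rot_printable(ciphertext, -shift)
        if marker in plaintext:
            hits.append((shift, plaintext))
    return hits


if __name__ == "__main__":
    # Constructed sample: a flag-shaped string rotated by 13 over the 94-symbol alphabet.
    secret = rot_printable("HilltopCTF{constructed_example}", 13)
    print("ciphertext:", secret)
    print("families  :", candidate_families(secret))
    print("recovered :", brute_force_printable(secret, "HilltopCTF{"))
```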


Write-up for the OhSINT challenge.

Challenge name: OhSINT

Creator: MasterWayZ

Category: OSINT/Forensics


Summary:

For this challenge you had to perform some OSINT.

We start by looking at the EXIF data of the .jpg file, which leaks a URL to a website. From there, you can find the pieces of the flag that are spread over the website.

How-To:

  1. Run exiftool image.jpg and look at the comments.
  2. Access the website and look for the clues. You will find them here: one is on the index page (press CTRL+A to reveal it, or view the source). The second is also in the source of the index page, but can also be found by clicking the Maps button. The third one is found under the Blog button, then view source.

Explanation:

  • We download the file and then run exiftool to look at the EXIF data of the file, which contains a comment with a URL to visit.
  • We visit the URL and are presented with a web page. From here, the approach is to view the source, use CTRL+A, visit every page and click everything to find the three hidden flag pieces.

Flag locations:

  • The first part of the flag is hidden as a near-white text on the index.html page.
  • The second part is under the Blog button at blog.html, view the source and see the flag in an HTML comment.
  • The third part is back on the index.html page, under the Location Maps button.

Write-up for the Fuzzy challenge.

Challenge name: Fuzzy

Creator: MasterWayZ

Category: Steganography


Summary:

The user downloads the image.jpg file, opens it in a text editor, finds the ascii85 flag and decodes it.

How-To:

  1. We download the file using wget.
  2. Running strings image.jpg is one of the ways to get the flag.
  3. Identify that the flag is ascii85 encoded and decode it.

Explanation:

  • wget followed by the URL is used to download a file.
  • cat, or strings (and many more tools) are used to display the contents of a file. In this case, both work as the flag is hidden at the bottom of the image.
  • One way to identify ascii85 is by the characters used in the encoding. You can use a local or online tool to decode it and get the flag.
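As an added example (not part of the original write-up), the following Python script does what the cat/strings step above does by eye: it cuts the file at the JPEG End-Of-Image marker, tests the trailing bytes against the Ascii85 character set, and decodes them with the standard library. The same check is useful on the defensive side for spotting data appended to otherwise valid images. The JPEG bytes and the flag value are constructed placeholders, not the challenge file or its flag.

```python
"""Find data appended after a JPEG's End-Of-Image marker (FF D9), check whether
it looks like Ascii85 and decode it. Added example, not part of the original
write-up. SAMPLE_JPEG and HIDDEN are constructed; the flag is a placeholder."""
import base64
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"   # Start Of Image
JPEG_EOI = b"\xff\xd9"   # End Of Image: viewers stop here, so anything after it is ignored
# Standard Ascii85 uses '!'..'u' plus 'z' (all-zero group); Adobe framing adds <~ ~>.
ASCII85_RE = re.compile(rb"\A(?:<~)?[!-uz\s]+(?:~>)?\Z")

HIDDEN = b"HilltopCTF{constructed_example_flag}"      # constructed placeholder flag
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (JFIF) segment
    + b"\x11" * 24                                                   # stand-in image data
    + JPEG_EOI
    + b"\n" + base64.a85encode(HIDDEN) + b"\n"                       # appended trailer
)


def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after the last EOI marker (b'' when nothing is appended)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("truncated JPEG: no EOI marker")
    return data[eoi + len(JPEG_EOI):]


def looks_like_ascii85(blob: bytes) -> bool:
    """Character-set test: Ascii85 never contains v-y, {, |, } or ~ (outside the
    <~ ~> framing), which separates it from base64 or plain text at a glance."""
    stripped = blob.strip()
    return bool(stripped) and ASCII85_RE.match(stripped) is not None


def extract_appended_ascii85(data: bytes) -> Optional[bytes]:
    """Decode an Ascii85 trailer appended to a JPEG; None when there is none."""
    trailer = jpeg_trailer(data).strip()
    if not looks_like_ascii85(trailer):
        return None
    adobe = trailer.startswith(b"<~") and trailer.endswith(b"~>")
    return base64.a85decode(trailer, adobe=adobe, ignorechars=b" \t\n\r")


if __name__ == "__main__":
    print(extract_appended_ascii85(SAMPLE_JPEG))
```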

If you have any questions, please let me know. I’ll be seeing if I can release the files and/or containers somehow.

Have a great day!

Hi everyone,

Time for a new blog post about the adventure I’ve been having for the past two days.

On June 2nd, my server, a DL380G6, suddenly started to take off. The fans were roaring at 70%, and the temperature sensor near the PCI riser was showing 110 C. Of course this is not supposed to happen. In this blog post, I will take you through my experience of troubleshooting this, and hopefully it can help you.

Okay, so we know that the temperature sensor is showing a very high temperature. Let’s remove the PCI riser and see whether the sensor is defective. I removed it, and it showed a normal 60 C. Okay, so some PCI card is getting very hot.

Step two: we put the riser back in. However, since my riser has two cards in it, I leave one out. I left the Smart Array P420 RAID controller in and took the quad gigabit NIC out. I turn it back on, and once the sensor initializes, I check it. It was once again showing 110 C. Very odd.

Next I swap the cards around, putting the NIC in the bottom slot and taking out the RAID controller. I turn it back on once again, and now it seems to be fine. The temperature shows 64 C. Well, it seems to be the controller then.

Next step: let’s put the RAID controller back in and leave its backup capacitor disconnected. I saw in the IML that the controller reports it as defective. Maybe this causes it. I disconnect the backup capacitor, and now all seems okay. So maybe it was the backup capacitor.

I put the network card back in, start the server once again and all seems well. I boot the ESXi host and let VMs slowly start back up. However, we’re not done yet!

VMware suddenly gives a purple screen of death, as you can see in this screenshot:

I thought it was a one-time thing. (In a production environment, you should not do this! Immediately investigate why the crash occurred!) I restart the server and try again. This time, it crashes once again. When I look at the logs through the debugger, I see that nothing really is showing, other than slow response times.

I shut the server back down and take out the controller. The heatsink feels quite warm. I press on it a little bit to make sure that it’s still secured in place, and check the SAS connectors to make sure that they are seated properly with no dust in them. I turn the server back on; however, now it’s taking off again, showing 113 C on the sensor.

By accident, while taking out the riser card, I touch the heatsink of my RAID controller and burn my hand. So the problem is definitely not fixed yet, and the controller probably crashed because of overheating.

I removed the controller and put the SAS cables in the on-board P410i controller. Temperatures are normal and the server has been running for a bit over a day without crashing.

Ultimately, it looks like my P420 controller has died. I should still have warranty on it from the company I bought it from, so I’m going to try to RMA it. Hopefully that will be possible.

Thank you for reading, if you have any questions feel free to contact me on my website or Twitter and I hope you learned something.

Have a great day

Hi all!

This post will be about the current state (05/20/2020, updated 06/04/2020) of my home lab. Please keep in mind that I also have two ESXi hosts that I rent from a datacenter in Germany that I partially use for my home lab (though they are nowhere near as powerful as my home server).

Here are some pictures:

The black device on the wall is my ISP’s modem. It’s set to bridge mode, meaning it does not do any NAT, DHCP, etc. That routes to my EdgeRouter (which you can see on the edge of the plank in the first picture). This is the main router. It runs DHCP, does NAT, runs a BGP daemon and I have a VLAN on there for NSX-T.

The host you see here is my HP ProLiant DL380G6. It has two Intel Xeon X5660s (6 cores/12 threads at 2.8 GHz) and 288 GB of DDR3 ECC memory at 1333 MHz. I have six drives in it, as you can see; they are connected with two SAS cables to an extra RAID card I have in the server, a Smart Array P420. I have two 2TB HDDs in it, a 320GB HDD, two 500GB SSDs and (now, with the update) two 1TB SSDs. Sadly, on June 2nd 2020 my P420 controller died, more info here, so right now I use the built-in Smart Array P410i. The colorful cables all go up through the ceiling, into my bedroom’s floor, to a network switch as you can see down here:

Here you can see my Raspberry Pi collection, stacked on my Humax decoder. The black switch at the bottom is my 24-port non-PoE EdgeSwitch 24 Lite. It’s currently full. Stacked on top I have my older TP-Link TL-SG2216. Currently it’s not in use… yet.
Lying on that switch is a UniFi UAP-AC-PRO (more on that later). On the blue box I have a Raspberry Pi 4 Model B 4GB. I use this as a test machine sometimes. On the upper plank I have a UniFi Security Gateway for the WiFi and Guest network.
Next to that is a UniFi 8-port 60W PoE switch. Connected to that is the UAP-AC-PRO you see in the picture, and there’s one downstairs as well. Next to that is a Raspberry Pi 3 Model B, I believe, connected to an ADS-B receiver dongle with a matching antenna next to the RPi.
There used to be a second RPi to the right of it, but it’s on my project table at the moment. That used to be connected to an SDR dongle, and has its antenna on the plank below, on the right side against the wall. That’s the indoor antenna I use to listen in on the airbands (which in The Netherlands is legal at the time of writing).

That’s the current state of my homelab right now. Hopefully it gives you an idea on what I run right now. It’s not done yet… I possibly need to update in a few years as officially, my CPUs don’t support ESXi 7.

I also want to go 10 gigabit at some point, but that’s all years away most likely.

Thank you for reading and have a great day!

Hi everyone,

A few days ago, I was surprised with a Twitter DM from the VMUG Advantage Twitter account.

It turns out, that secretly, Heath Johnson from VMware has been in touch with the VMUG Advantage team about me without telling me.

I’m not sure how he managed to pull it off, but VMUG Advantage and I are partnering up! I’ve been given a sponsored 1-year VMUG Advantage subscription, which is amazing! And many, many thanks to Heath for making it happen!

Of course, in return I’ll blog about my adventures with VMUG Advantage. TestDrive is something I have been exploring lately, along with how much easier it will be to get things set up in my lab using the evaluation licenses.

If you are not sure what you get with VMUG Advantage, or not even sure what it is, let me explain it for you.

VMUG Advantage is a subscription you can get, which gives you discounts amongst other benefits. You get $100 off VMworld and 20-35% off training.
Other than that, you also get access to 365-day evaluation licenses. These non-production licenses are valid for 365 days and are perfect for use in your lab. You also get the downloads, though it may take a bit for the latest version of a product to appear. This is what is available at the time of writing, May 4th 2020:

  • Workstation 15 Pro
  • Fusion 11 Pro
  • Cloud Foundation 3.9.1
  • NSX-T 3.0
  • Site Recovery Manager
  • vRealize Suite 2019
  • vRealize Network Insight
  • vSAN 7
  • vSphere 7
  • vCenter 7
  • vSphere 6.x
  • vCenter 6.x
  • vSAN 6.x
  • NSX-V
  • vRealize Orchestrator
  • vRealize Operations for Horizon
  • Horizon Advanced Edition
  • vCloud Suite Standard

I’m not entirely sure of all the versions, but this is what I got.

Not only that (which in my opinion is already amazing), you also get access to VMware TestDrive. With TestDrive you get access to multiple product environments, even some of them as sandboxes. This includes:

Ready to Use Experiences:

  • Workspace ONE
  • Workspace ONE UEM
  • Horizon Cloud
  • Horizon
  • App Volumes
  • Dynamic Environment Manager
  • vSAN
  • PKS
  • velocloud
  • AppDefense

Sandbox Experiences:

  • Workspace ONE UEM
  • Workspace ONE Access
  • Workspace ONE Express

You also get access to the following Sample Integrations:

  • Dropbox
  • Office 365
  • Salesforce

I’m very, very thankful to Heath for organizing this and I’m very excited to make more blog posts about it. They are coming soon, along with other blog posts about some lab changes.

See you in the next post!

Hi everyone,

Here’s a quick tip for the home lab people with old servers that can’t afford to get new hardware (like me).

It seems like that you can override the installer terminating when an unsupported CPU is detected.

What you need to do, is when booting from the ESXi ISO, press CTRL+O, and type in:

allowLegacyCPU=true

This will allow you to install or upgrade an ESXi 6.7 installation.

I’ve tested this on my server with two X5660s and have had no issues so far. Currently there is an issue where, if you run ESXi 7.0 on older hardware, you may not be able to start virtual machines in a nested VM. For example, if you have a Linux VM on an ESXi host VM on the physical host, starting the Linux VM may crash your nested ESXi host. This was an upgrade from 6.7 to 7.0; I have not tested this with an upgrade from other 6.x versions to 7.0, so please let me know on Twitter and I will update the blog post.

Of course, this is not supported in any way. However, it’s good for us people that can’t afford to buy new hardware with newer CPUs. It means we get to use our old hardware for a bit longer.

Thank you for reading and I hope to see you soon in new blog posts. The blog posts are coming back, with good news to come 🙂

Stay safe and have a great day!

Software review: 4K Video Downloader

March 31, 2020 | Uncategorized | No Comments

Hi everyone,

In this post I’d like to make a highlight of a piece of software I have been using called 4K Video Downloader.

This program is very useful to download videos from sites such as YouTube and Twitch. However, it can download from many more and even playlists!

You can get started with the program here. ( https://www.4kdownload.com/products/product-videodownloader/?r=free_license )

Pros:
– Can download videos from YouTube, Facebook, Vimeo, SoundCloud, Flickr, Dailymotion, Metacafe and registered Twitch streams. (These are officially supported; sometimes it works on other sites as well. You can always request one to be added here.)
– Can extract audio from a video and just save it as an MP3 or similar.
– Can download playlists.

Cons:
– Requires a license to get the maximum use out of it. (Which is understandable.)

It’s a program that I definitely recommend for people who want to save YouTube videos, especially in the time of many take-downs.

Thank you for reading and I hope to see you in the next one.

Hi everyone,

You may have noticed that my blog has gone very quiet recently.

For who asked, I didn’t make it into the vExpert 2020 program.

On a more recent note: COVID-19 is getting a real challenge. Right now I sit at home, in self-isolation and things are very, very boring.

For now I’m still free of the virus and don’t go outside unless I have to.

Sadly all this isolation and boredom makes my depression get more intense, so I’ll try to do things to try to avoid that.

Other than that, stay safe everyone.

See you in the next post, which hopefully comes soon..

Hi readers,

In this part of the series, we will be deploying the VMware Horizon Unified Access Gateway appliance. It’s similar to the old Horizon Security Server, and I myself mainly use it so I can connect to my Horizon Connection Server from a public IP address (from my /24 block).

First what we do is download and deploy the UAG OVA template. In my set-up, a normal deployment will suffice and two NICs are enough. One is for the internal LAN, and one is for the external network.

Continue to go through the steps and turn the VM on, then after a while browse to the IP of the appliance on port 9443 followed by logging in with the admin account and password you provided during installation.

When we log in we get a screen, on this screen we click on select under manual.
Enable “Edge Service Settings” and click on the gear at Horizon Settings, then enable Horizon and copy the settings below. PCOIP URL should be the public IP address of the UAG. Blast and Tunnel External URL should be the public FQDN of the UAG.

Next we log into the Connection Server. Click on Servers under Settings and then click on Connection Servers. Click on your Connection Server and then edit.

We want to disable Secure Tunnel, PCoIP Secure Gateway and Blast Secure Gateway, as our UAG will handle this.

We can also let the UAG appear under gateways in the dashboard. To do this, we log into the UAG and click on select under manual again (if you have logged out already). Then we click on the gear at System Configuration under Advanced Settings. Change the UAG name to something friendly. We will need it later.

Back to the Horizon 7 Console, we expand Settings and then click on Servers. Click on Gateway and click Register. In here, fill in the friendly name you gave the UAG in the previous step.

Now the UAG shows in the dashboard.

In order to access the HTML UI through the UAG, we need to either disable Origin Checks on the Connection Server, or configure the Connection Server’s locked.properties with the UAG addresses. You only have to do one of them, but both are followed by restarting the “VMware Horizon View Connection Server” service. (Disabling origin checks is shown below.)

One final thing that I want to do is change the TLS and cipher settings. The following cipher list should give you good security and good results: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. You can change this under the UAG Admin page, under Advanced Settings followed by System Configuration.

Finally, I want to configure a trusted SSL certificate for the internet facing side. We can do this under “TLS Server Certificate Settings” under Advanced Settings in the UAG Admin panel. You will have to upload the private key file and the full chain certificate file along with choosing what interface to apply it to. In my case I selected Internet interface.

This covers this part of the Horizon 7.11 series. In the next part, we will be creating a Windows 10 Desktop image.

I hope that this was useful for you and see you in the next post.

Hi readers,

In this third part of the series, we will be deploying the Connection Server, the base of the Horizon package.

First, we will need a server or virtual machine running Windows Server 2012 or higher. The OS requirement is simple (source):

Operating System            Version   Edition
Windows Server 2008 R2 SP1  64-bit    Standard, Enterprise, Datacenter
Windows Server 2012 R2      64-bit    Standard, Datacenter
Windows Server 2016         64-bit    Standard, Datacenter
Windows Server 2019         64-bit    Standard, Datacenter

The following hardware requirements apply (source):

Hardware Component                      Required                               Recommended
Processor                               Pentium IV 2.0GHz processor or higher  4 CPUs
Network Adapter                         100Mbps NIC                            1Gbps NICs
Memory (Windows Server 2008 R2 64-bit)  4GB RAM or higher                      At least 10GB RAM for deployments of 50 or more remote desktops
Memory (Windows Server 2012 R2 64-bit)  4GB RAM or higher                      At least 10GB RAM for deployments of 50 or more remote desktops

Here I have installed a Windows Server 2016 VM. We mount the Connection Server ISO and start the installation .exe file. We accept the license agreements, and install the Horizon 7 Standard Server. In my case, I want to use HTML Access so I use that too.

Next we fill in the data recovery password. Be sure to keep it somewhere safe. Then I choose to let the installer update Windows Firewall to open some ports. Followed by authorizing as a Domain Admin.

After the installation, we can access the console through this link:

It will ask for a license. Fill in your license or your trial license.

Here I added a vCenter so I can use it in the next part.

If you would like more information or have any questions, feel free to contact me. There’s also a nice TechZone article that goes a bit more in-depth in the process of this.

See you in the next part!