<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>CTF on Blog</title>
		<link>https://joshuachp.dev/tags/ctf/</link>
		<description>Recent content in CTF on Blog</description>
		<generator>Hugo</generator>
		<language>en</language>
		
		
		
		
			<atom:link href="https://joshuachp.dev/tags/ctf/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>CyberChallengeIT CTF - Group Challenge</title>
				<link>https://joshuachp.dev/posts/2020-01-06_cyber_challenge/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://joshuachp.dev/posts/2020-01-06_cyber_challenge/</guid>
				<description>&lt;h1 id=&#34;cyberchallengeit-ctf---group-challenge&#34;&gt;CyberChallengeIT CTF - Group Challenge&lt;/h1&gt;&#xA;&lt;p&gt;During the last week of preparation for che Cyber Challenge IT CTF, we were asked to do a CTF&#xA;challenge our self. We were divided in groups and given a month to come up with a challenge.&lt;/p&gt;&#xA;&lt;p&gt;Our group create an easy and guided challenge, since we were required to solve it in one hour. It&#xA;will cover some basic aspect of all the kind of challenges types like Web Security, Reversing,&#xA;Forensics, Cryptography.&lt;/p&gt;</description>
			</item>
			<item>
				<title>Reply Challenge 2020 - That&#39;s what server says</title>
				<link>https://joshuachp.dev/posts/2020-10-10_reply_challenges_2020_that_is_what_server_says/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://joshuachp.dev/posts/2020-10-10_reply_challenges_2020_that_is_what_server_says/</guid>
				<description>&lt;h1 id=&#34;reply-challenge-2020---thats-what-server-says&#34;&gt;Reply Challenge 2020 - That&amp;rsquo;s what server says&lt;/h1&gt;&#xA;&lt;p&gt;This is the Writeup for the 300 points Web challenge for Reply Challenge CTF. During the CTF I and&#xA;my team achieved first blood on this challenge. The challenge consists of finding a service endpoint&#xA;on a web page, with a login API. Then you have to exploit an &lt;strong&gt;XXE&lt;/strong&gt; (XML External Entities)&#xA;Injection to get an &lt;strong&gt;LFI&lt;/strong&gt; (Local File Inclusion) to get the sysadmin credentials to login on the&#xA;service and get the flag.&lt;/p&gt;</description>
			</item>
			<item>
				<title>TryHackMe - Blue</title>
				<link>https://joshuachp.dev/posts/2020-09-03_tryhackme_blue/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://joshuachp.dev/posts/2020-09-03_tryhackme_blue/</guid>
				<description>&lt;h1 id=&#34;tryhackme---blue&#34;&gt;TryHackMe - Blue&lt;/h1&gt;&#xA;&lt;blockquote&gt;&#xA;&lt;p&gt;The room link can be found at &lt;a href=&#34;https://tryhackme.com/room/blue&#34;&gt;TryHackMe - Blue&lt;/a&gt;&lt;/p&gt;&#xA;&lt;/blockquote&gt;&#xA;&lt;p&gt;For this room, I will be using the Metasploit framework.&lt;/p&gt;&#xA;&lt;h2 id=&#34;recon&#34;&gt;Recon&lt;/h2&gt;&#xA;&lt;p&gt;We begin with a Nmap of the box to see the services and get their version.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;msf5 &amp;gt; db_nmap -sC -sV 10.10.47.219&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Now we can see all the running services with the &lt;code&gt;services&lt;/code&gt; command.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;msf5 &amp;gt; services&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Services&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;========&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;host           port   proto  name               state  info&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;----           ----   -----  ----               -----  ----&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;135&lt;/span&gt;    tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;139&lt;/span&gt;    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;445&lt;/span&gt;    tcp    microsoft-ds       open   Windows &lt;span style=&#34;color:#ae81ff&#34;&gt;7&lt;/span&gt; Professional &lt;span style=&#34;color:#ae81ff&#34;&gt;7601&lt;/span&gt; Service Pack &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; microsoft-ds workgroup: WORKGROUP&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;3389&lt;/span&gt;   tcp    ssl/ms-wbt-server  open&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;49152&lt;/span&gt;  tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;49153&lt;/span&gt;  tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;49154&lt;/span&gt;  tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;49158&lt;/span&gt;  tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219   &lt;span style=&#34;color:#ae81ff&#34;&gt;49160&lt;/span&gt;  tcp    msrpc              open   Microsoft Windows RPC&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;On this machine, we will focus on the &lt;strong&gt;SMB&lt;/strong&gt; service which is on port &lt;code&gt;445&lt;/code&gt;.&lt;/p&gt;&#xA;&lt;p&gt;We can gather more information using the module &lt;code&gt;auxiliary/scanner/smb/smb_version&lt;/code&gt;. Running it the&#xA;services page will lock more like this.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;10.10.47.219  &lt;span style=&#34;color:#ae81ff&#34;&gt;445&lt;/span&gt;    tcp    smb                open   Windows &lt;span style=&#34;color:#ae81ff&#34;&gt;7&lt;/span&gt; Professional SP1 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;build:7601&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;name:JON-PC&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;workgroup:WORKGROUP &lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;signatures:optional&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Also we run &lt;code&gt;auxiliary/scanner/smb/smb1&lt;/code&gt; to check if the box has support for SMBv1.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;msf5 auxiliary&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;scanner/smb/smb1&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; &amp;gt; run&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;+&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; 10.10.47.219:445      - 10.10.47.219 supports SMBv1 dialect.&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;*&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; 10.10.47.219:445      - Scanned &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; of &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; hosts &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;100% complete&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;*&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; Auxiliary module execution completed&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;As the machine name implies the box could be exploitable via &lt;strong&gt;EternalBlue&lt;/strong&gt;. Since the machine has&#xA;&lt;strong&gt;Windows 7&lt;/strong&gt; installed and &lt;strong&gt;SMBv1&lt;/strong&gt; enabled, it is most likely vulnerable. You can read more here&#xA;&lt;a href=&#34;https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010&#34;&gt;Microsoft - EternalBlue&lt;/a&gt;.&lt;/p&gt;&#xA;&lt;p&gt;We can check if the machine is vulnerable by running the module&#xA;&lt;code&gt;auxiliary/scanner/smb/smb_ms17_010&lt;/code&gt;.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;msf5 auxiliary&lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;scanner/smb/smb_ms17_010&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt; &amp;gt; run&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;+&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; 10.10.47.219:445      - Host is likely VULNERABLE to MS17-010! - Windows &lt;span style=&#34;color:#ae81ff&#34;&gt;7&lt;/span&gt; Professional &lt;span style=&#34;color:#ae81ff&#34;&gt;7601&lt;/span&gt; Service Pack &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; x64 &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;64-bit&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;*&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; 10.10.47.219:445      - Scanned &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; of &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; hosts &lt;span style=&#34;color:#f92672&#34;&gt;(&lt;/span&gt;100% complete&lt;span style=&#34;color:#f92672&#34;&gt;)&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;*&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; Auxiliary module execution completed&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;</description>
			</item>
			<item>
				<title>TryHackMe - Easy Peasy</title>
				<link>https://joshuachp.dev/posts/2020-08-06_tryhackme_easy_peasy/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://joshuachp.dev/posts/2020-08-06_tryhackme_easy_peasy/</guid>
				<description>&lt;h1 id=&#34;tryhackme---easy-peasy&#34;&gt;TryHackMe - Easy Peasy&lt;/h1&gt;&#xA;&lt;blockquote&gt;&#xA;&lt;p&gt;The room link can be found at &lt;a href=&#34;https://tryhackme.com/room/easypeasyctf&#34;&gt;TryHackMe - Easy Peasy&lt;/a&gt;&lt;/p&gt;&#xA;&lt;/blockquote&gt;&#xA;&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;&#xA;&lt;p&gt;First we scan for open ports and services&lt;/p&gt;&#xA;&lt;h3 id=&#34;nmap&#34;&gt;Nmap&lt;/h3&gt;&#xA;&lt;p&gt;We use nmap with some default arguments.&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;sudo nmap -sV -sC -oA nmap/first $IP&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It will return.&lt;/p&gt;&#xA;&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;PORT   STATE SERVICE VERSION&#xA;80/tcp open  http    nginx 1.16.1&#xA;| http-robots.txt: 1 disallowed entry&#xA;|_/&#xA;|_http-server-header: nginx/1.16.1&#xA;|_http-title: Welcome to nginx!&#xA;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;From the first scan we can see that port &lt;code&gt;80&lt;/code&gt; is open with &lt;strong&gt;nginx&lt;/strong&gt; version &lt;code&gt;1.16.1&lt;/code&gt;&lt;/p&gt;</description>
			</item>
			<item>
				<title>TryHackMe - Vulnversity</title>
				<link>https://joshuachp.dev/posts/2020-09-02_tryhackme_vulnversity/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://joshuachp.dev/posts/2020-09-02_tryhackme_vulnversity/</guid>
				<description>&lt;h1 id=&#34;tryhackme---vulnversity&#34;&gt;TryHackMe - Vulnversity&lt;/h1&gt;&#xA;&lt;blockquote&gt;&#xA;&lt;p&gt;The room link can be found at &lt;a href=&#34;https://tryhackme.com/room/vulnversity&#34;&gt;TryHackMe - Vulnversity&lt;/a&gt;&lt;/p&gt;&#xA;&lt;/blockquote&gt;&#xA;&lt;h2 id=&#34;reconnaissance&#34;&gt;Reconnaissance&lt;/h2&gt;&#xA;&lt;h3 id=&#34;nmap&#34;&gt;Nmap&lt;/h3&gt;&#xA;&lt;p&gt;First, we do a simple Nmap scan&lt;/p&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;&#34;&gt;&lt;code class=&#34;language-sh&#34; data-lang=&#34;sh&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;nmap $IP&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PORT     STATE SERVICE&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;21/tcp   open  ftp&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;22/tcp   open  ssh&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;139/tcp  open  netbios-ssn&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;445/tcp  open  microsoft-ds&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;3128/tcp open  squid-http&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;3333/tcp open  dec-notes&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;We find six ports open, we can now make a more in-depth scan with &lt;code&gt;nmap -sC -sV $IP&lt;/code&gt;. It will found&#xA;the service type and version.&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
