HTB Cyber Apocalypse 2024 CTF Writeups
Added 22. 07. 2024
00:00 Intro
00:30 web/flag-command
01:08 web/korp-terminal
03:36 web/timeKORP
05:42 web/labyrinth-linguist
06:29 web/testimonial
15:00 web/locktalk
18:47 web/serialflow
24:07 pwn/tutorial
26:26 pwn/delulu
31:00 pwn/writing-on-the-wall
33:00 pwn/pet-companion
39:37 pwn/rocket-blaster-xxx
45:49 pwn/deathnote
50:58 pwn/sound-of-silence
55:03 pwn/oracle
1:00:25 pwn/gloater
1:11:45 rev/boxcutter
1:13:00 rev/packedaway
1:14:13 rev/lootstash
1:14:27 rev/crushing
1:17:28 rev/followthepath
1:22:30 rev/quickscan
1:24:07 rev/metagaming
1:29:06 blockchain/russian-roulette
1:33:40 blockchain/recovery
1:38:31 blockchain/lucky-faucet
1:42:32 hardware/maze
1:43:20 hardware/bunnypass
1:44:11 hardware/rids
1:46:12 hardware/the-prom
1:50:14 hardware/flashing-logs
1:58:35 crypto/dynastic
1:59:42 crypto/makeshift
2:00:37 crypto/primary-knowledge
2:01:55 crypto/iced-tea
2:03:30 crypto/blunt
2:05:49 crypto/arranged
2:13:19 crypto/partial-tenacity
2:19:48 misc/character
2:21:02 misc/stop-drop-and-roll
2:22:10 misc/unbreakable
2:23:37 misc/cubicle riddle
2:27:40 misc/were-pickle-phreaks 1&2
2:35:37 misc/quantum-conundrum
2:37:23 misc/path-of-survival
2:42:19 misc/multidigilingual
2:45:43 foren/urgent
2:46:30 foren/it-has-begun
2:47:26 foren/an-unusual-sighting
2:49:30 foren/pursue-the-tracks
2:53:02 foren/fake-boost
2:58:24 foren/phreaky
3:00:35 foren/data-siege
3:06:11 foren/game-invitation
3:09:02 foren/confinement
3:15:06 Outro - Science & Technology
bro...57 challenges..congrats :)
I bet ladies are impressed xD
haha, I'm not too sure about that. but my wife thinks i'm cool and that's all i need
Nah she don't think that lil bro @SloppyJoePirates
I'll tell mom you're being mean
Damn bro.. 3+ hours!! gg
🙇 thanks @_CryptoCat, needless to say I'm tired. Excited to see your higher quality web writeups!
@SloppyJoePirates I know that feeling! I don't have the energy these days, even the web challs took it out of me and I didn't finish them 😁 You are killing it though!
Very interesting video! Well done, keep up the good work! 🐢
Thanks for this bro. Finally my bruised heart can see how to finally solve the challenges
Thx for these high quality writeups ❤
Glad you like them!
good job bro! appreciate your content
Glad you enjoy it!
Very clear and efficient Thank you!
Glad it was helpful!
my bro! my bro!!! amazing work!
Thx for posting - I learn so much from watching your videos!!!!!
Glad you like them!
Wow 🔥
Longest writeup you've made so far
Thank you 😄
Hey Mark! Haha yeah. I was a zombie after, but it was fun. How'd you do? Solve all the pwn/web?
@SloppyJoePirates not all 🗿 but I believe I tried 😂
I know you are probably tired, but picoCTF is currently ongoing and the last pwn challenge is heap based; maybe you could try to solve it and make a writeup later on 🙏
For partial-tenacity I love that you implemented the branch-and-prune recovery algorithm yourself! My rule for challenge making is never make a challenge that I can't solve myself without relying on automated tools (sage or GP/PARI are fine (for discrete log, etc.)).
Dayum, you solved twice as many challenges as I did, but I'm glad our thought processes were very similar for those challenges we both solved. Makes me believe I'm just lacking the knowledge and experience :)
Also great writeups. I like your pacing.
Hey @DerMichael, glad you like it! Ha yeah, I feel like CTFs are 95% pattern matching tricks you've already seen. Just gotta build up the inventory of tricks.
thanks a lot for this writeup
Awesome video! For forensics/data siege, I ended up using the "Derive PBKDF2 key" module from CyberChef (the Windows documentation about rfc28... basically listed it as an implementation of PBKDF2, so I thought why not try) and it worked well!
oh wow... haha that is way better. I will keep that in mind for next time. thank you!!
Hats off, brother! Thanks for sharing your elite knowledge! You were damn 🔥 and really showed us what we lack. Most of the hard challenges' explanations are beyond my comprehension. Got to grind the hardest! Thanks again! Now many of us can finally sleep as well. ❤💯
Hey @mysticgod7406, haha thank you! Glad you like them
You are Genius my friend!
haha thanks @HxN0n3, how'd you do?
@SloppyJoePirates solved only 18!
@HxN0n3 heh, still better than most. After 5-10 it feels more like an endurance race
Thanks for such a great video writeup
Glad you enjoyed it!
Been waiting for this, thanks c0nrad for making CTF easy and fun to learn.
great work blud
2k Subs only ? Come on, guys, smash that subscribe button and show some respect to this awesome dude!
ha, thanks @sudomode_
FYI, for Gloater I have another way to solve it, by overwriting with change user.
My solution to that is:
- leak PIE via "Set Super Taunt"
- overwrite the taunts[0] heap address pointing to &taunts[0] with the change user overflow
- house of spirit on tcache so the next tcache entry points to &taunts; from here overflow libc_start-libc_end to bypass the check, the super_taunt var, etc.
- leak libc via "Set Super Taunt" ... again
- another house of spirit pointing to free_hook and win
tbh my approach is because I didn't notice the taunt_count check bypass in IDA (my bad lol)
oh interesting! I didn't think of trying to modify the libc_start/end with a fake spirit chunk. neat! thanks!
I feel like that sounds more like the intended solution than mine, but I guess neither was the intended solution: it looks like they corrupt heap metadata to get arbitrary chunks onto the stack: github.com/hackthebox/cyber-apocalypse-2024/tree/main/pwn/%5BInsane%5D%20Gloater
Thanks a lot buddy for the effort you put into this video.. I appreciate it.. Can you share any resources or CZcams channels to understand the pwn boxes? I'm a noob at this.
Hey @entertainment_in_blood, sorry for the delay, I needed a break after this CTF. For pwn boxes I like either pwn.college or retired HTB chals!
Thanks for the vid. Just a quick question, could you share your binary exploitation environment, I mean your docker configuration and all? Like I too use a mac and I really want something handy like yours.
It will be greatly appreciated if you could do that.
So one thing to note is I use an old Intel mac; I think the newer ARM macs make things a little tricky and it seems most use a VM. But I have a video covering the tools here: czcams.com/video/8hUjdRkyi1Q/video.html
good
For 6:25, how do you send your payload without URL encoding? Is there a Burp Suite setting for that?
Hmmm, I don't think I changed anything in my Burp Suite settings? I think when I want something URL encoded I right click the highlighted text?
Hello! I was wondering if you have a Mac setup configuration for pwn challenges and if it's possible for you to share it with me? Thank you!
Hey @drama_97, so sorry for the delay. I took a break for a bit.
This video covers my setup:
czcams.com/video/8hUjdRkyi1Q/video.html
Thx a lot! Learnt about blockchain challenges. Did pwn and rev on this one but still haven't pwned maze of mist. Only one ret and barely any gadgets to exploit, even after trying gazillions of things... have you solved it in the end?
Hey @_hackwell! I haven't solved it yet, but I read the writeup. Since ASLR is off, you can use the gadgets in the VDSO mapping. You'll need to get gdb into the challenge (or maybe you can try dumping with /proc/maps /proc/mem as root). I couldn't get a vanilla ROP to work either :( I couldn't find the vmlinux hash online so I was worried they modified the kernel to allow SETUID ptrace or something and gave up :(
@SloppyJoePirates ooooh right, totally missed this one, ret2vdso. Never encountered this before but jumping right to it. Congrats from rpwn team BTW 👍
In the forensics challenge unusual sighting, how do you unzip the file and open the logs and SSH files?
Because there is a password.
In the forensics problem named "an-unusual-sighting", how did you extract this? It requires a password!!
They are asking for a password to unzip the file; what do I do? And which method did you use to solve this?
Plz reply
Thank you very much. Did you even take a break or sip some water?
haha not too much. I slept quite a bit after this was done =P
Hi
Bro that's crazy awesome!😮
Respect 🫡
What HTB modules would you suggest to understand delulu?
Hey @pryceseely3514, I never did the HTB modules. I did do some stuff on pwn.college and enjoyed it, but I'd guess the HTB modules are good too, just never did them
@SloppyJoePirates Hi Joe. I wonder what study resources you used for web challenges when you first started doing CTFs. I understand that reaching your level of skill requires patience, dedication and a long time to get good at it. Just wondering what platform you recommend the most. Thanks in advance.
does your mac have arm chip?
Nah, 2019 Intel, I'm afraid to upgrade to the M2
@SloppyJoePirates ahh, wondered how u ran x86 programs on ur mac. Not sure what I should do with my ARM chip mac if I want to run x86 for CTFs
Maybe qemu/VM? Not too sure :/
I'm disgusted at how simple that haproxy bypass was. I had figured out the rest but just couldn't get that... Better luck next time I guess
haha, yeah. I feel like CTFs are just memorizing a bunch of little tricks, and now you know it!
can i borrow ur brain bro ?
haha, we need more brains in the field. time to train!
@SloppyJoePirates just found an unintended in web apex insane, very very much simpler than the intended way
Hey @bengsky13, ah nice! what'd you find?
@SloppyJoePirates I found XSS leading to RCE via the chromedriver REST API
Oh interesting! I feel like that's a very underused cheese. If I remember correctly you have to port scan for the chromedriver API first?
misc/unbreakable - print(open('flag.txt').read()) 😃
haha, yeah way simpler. guess I didn't need to drop my unicode cheese =P
Bro.... I spent so fucking long on that shit! I knew it was something like that but I couldn't figure it out clearly. So frigging pissed lol
My biggest issue I think was I saw that it would add the "()" at the end of the command. But I couldn't get anything to work after that because it kept seeing stuff in the blacklist.
How did it not detect the '? Must not have paid close enough attention to the responses on this. Grrr.