UTCTF 2023
https://ctftime.org/event/1919
Challs
Category | Challenge |
---|---|
Forensics | “Easy” Volatility |
Networking | A Network Problem - Part 1 |
Networking | A Network Problem - Part 2 |
Reversing | Reading List |
“Easy” Volatility
Description
I’ve included the flag in as shell command. Can you retrieve it?
I recommend using the volatility3 software for this challenge.
Here is the memory dump: debian11.core.zst
This problem also comes with a free profile! debian11_5.10.0-21.json.zst
Both of these files are compressed using zstd.
This challenge’s flag looks like a UUID.
Note: the volatility challenges do not have a flag format to discourage grepping. They all should be possible without guessing. If you have trouble, remember that you can ask for help.
By Daniel Parks (@danielp on discord)
We need the symbol table for the corresponding kernel.
As the symbol table is already provided with this challenge as a JSON file, we can simply move it to the directory /volatility3/symbols.
Then we can recover the bash command history from memory.
Flag
08ffea76-b232-4768-a815-3cc1c467e813
A Network Problem - Part 1
Description
There are some interesting ports open on betta.utctf.live, particularly port 8080.
By Robert Hill (@Rob H on discord)
betta.utctf.live:8080
We can establish a network connection by using netcat and then sending data through that connection. In this context, the command will establish a connection to the host betta.utctf.live on port 8080, which is a server or service that can receive connections to perform certain network interactions.
After the connection is successfully established, we will receive response data from the host in the form of text and also a flag.
Flag
utflag{meh-netcats-cooler}
A Network Problem - Part 2
Description
betta.utctf.live has other interesting ports. Let's look at 445 this time.
By Robert Hill (@Rob H on discord)
betta.utctf.live:445
We can use the command enum4linux -a betta.utctf.live to run the enum4linux program in the terminal and perform enumeration on the host betta.utctf.live.
enum4linux is a tool used to examine Windows and Samba systems in order to search for information about users, user lists, group information, security policy information, and information about running services. In this context, the command will attempt to perform enumeration on the betta.utctf.live host with the -a option that allows searching for more detailed information, such as searching for Samba shares, user information, and other information.
In general, the enum4linux program is used to scan and gather information on systems connected to a network in order to evaluate the security of those systems, including searching for potential vulnerabilities and security holes that attackers can exploit.
We have discovered the SMB share WorkShares. It will be useful for finding more files we can work with.
Let's enumerate SMB using the smbclient tool. At the password prompt, hit Enter and we will be logged in to the WorkShares SMB share.
Flag
utflag{out-of-c0ntrol-access}
Reading List
Description
I created this binary to keep track of some strings that I want to read. I thought I put a CTF flag in it so I’ll remember to make a problem for UTCTF, but I can’t seem to find it…
By Caleb (@eden.caleb.a#6541 on Discord)
The command strings readingList | grep "utflag" is used to extract strings from the ELF binary readingList, then search the resulting output for strings that contain the keyword "utflag".
strings is a command used to extract and print sequences of characters that are readable as strings from a given input file. In this case, readingList is the file from which the strings will be extracted.
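What strings does under the hood, as an added example that is not part of the original writeup: a scanner that reports printable runs with their offsets and also covers UTF-16LE text, which GNU strings only reports with -e l. The function names, the sample bytes and both marker values are constructed for illustration; the same scan can be run over a build artifact to check that no secret was compiled in as a literal.

```python
import re

def extract_strings(data: bytes, min_len: int = 4):
    """Return sorted (offset, encoding, text) tuples for printable runs in data."""
    found = []
    # Single-byte printable ASCII runs: what plain `strings` reports.
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE runs: each printable byte is followed by a NUL byte.
    # A plain ASCII scan sees these as runs of length 1 and misses them.
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)

def find_marker(data: bytes, marker: str, min_len: int = 4):
    """Keep only the extracted strings that contain marker (the grep step)."""
    return [hit for hit in extract_strings(data, min_len) if marker in hit[2]]

# Constructed sample: an ELF-like header, one ordinary string, and two
# embedded marker strings (one ASCII, one UTF-16LE). Not the challenge binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Moby Dick\x00\x01\x02"
    + b"utflag{constructed_example}\x00\x01"
    + "utflag{wide_example}".encode("utf-16le")
    + b"\x00\x00\xff"
)

if __name__ == "__main__":
    for offset, encoding, text in find_marker(SAMPLE, "utflag"):
        print(f"{offset:#06x} {encoding:9} {text}")
```

The "ELF" in the header is not reported because it is shorter than the default minimum length of 4, the same default GNU strings uses.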
Flag
utflag{string_theory_is_a_cosmological_theory_based_on_the_existence_of_cosmic_strings}