The first demo challenge started on the 8th of June at 09:15. The participants downloaded a RAR file from a file-sharing platform. The archive contained a .txt file and a password-protected RAR file.

Inside the .txt file the participants found GPS coordinates pointing to a location in Bucharest. At that location there was the information needed to recover the password of the inner RAR file.

At that location, the competitors found a sheet of paper glued underneath an ad panel. The paper carried a message encoded in Braille. The decoded message, HckTheZonBraille, is the archive password.

Extracting the RAR archive revealed a .DOCX file. At first glance it did not contain anything unusual.

To go further with this challenge, some forensics knowledge is required. A .DOCX file is actually a ZIP container (Office Open XML), so we can rename it from .DOCX to .RAR (or .ZIP; WinRAR and most archivers open it either way) and browse it like any archive. Inside, the word/media folder contains 2 pictures. This is strange, since the document only displayed 1 picture in the previous step. We extract the 2nd picture and transfer it to a virtual machine for further analysis.

Using our forensics knowledge, we know that the easiest way to hide information inside a picture is steganography, so that is the approach we follow. We first tried binwalk, but it did not reveal anything unusual (no appended or embedded files). steghide, however, extracts the hidden payload without a password: just press Enter at the passphrase prompt. As we can see, the extracted flag is encoded in binary.

We convert the binary string to ASCII using an online converter (any binary-to-text tool will do). This reveals the flag.

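The two forensic steps above in code, as an added example that is not part of the original write-up: open the .docx as the ZIP container it is, list what sits under word/media/, flag any media file that the document's relationship file never references (the write-up simply noticed a second picture; the cross-check against word/_rels/document.xml.rels is a generalisation of that observation), and decode a binary string into text. The .docx bytes and the bit string are constructed here for the example; the real challenge files are not reproduced.

```python
import io
import re
import zipfile


def build_sample_docx():
    """Constructed stand-in for the challenge .docx (not the real file): a
    minimal OOXML-shaped ZIP with two files under word/media/, of which the
    document body only references image1.png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", '<w:document><a:blip r:embed="rId1"/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
                   'Target="media/image1.png"/></Relationships>')
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("word/media/image2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


def list_media(docx_bytes):
    """Every file stored under word/media/ inside the container."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(n for n in z.namelist() if n.startswith("word/media/"))


def referenced_media(docx_bytes):
    """Media files the main document actually points at via its .rels file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = z.read("word/_rels/document.xml.rels").decode("utf-8")
    targets = re.findall(r'Target="([^"]+)"', rels)
    return sorted("word/" + t for t in targets if t.startswith("media/"))


def unreferenced_media(docx_bytes):
    """Media present in the ZIP but never displayed: the first place to look."""
    return sorted(set(list_media(docx_bytes)) - set(referenced_media(docx_bytes)))


def extract_member(docx_bytes, name):
    """Pull one member out of the container so it can be analysed on its own."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def binary_to_text(bits):
    """Decode a string of 0/1 characters (spaces or newlines optional) to ASCII."""
    clean = "".join(c for c in bits if c in "01")
    if len(clean) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return bytes(int(clean[i:i + 8], 2) for i in range(0, len(clean), 8)).decode("ascii")


# Constructed sample bit string, not the real steghide output.
SAMPLE_BITS = "01001000 01010100 01011010 01111011 01100010 01101001 01101110 01111101"

if __name__ == "__main__":
    docx = build_sample_docx()
    print("media in container:", list_media(docx))
    print("not referenced by the document:", unreferenced_media(docx))
    print("decoded bits:", binary_to_text(SAMPLE_BITS))
```

On a real document, pass the bytes of the .docx to `list_media` / `unreferenced_media` and run steghide or binwalk on whatever `extract_member` returns; a referenced image can still carry a payload, so the cross-check narrows the search rather than replacing it.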
The second demo challenge started on the 21st of July at 10:00. The participants downloaded an email file from a file-sharing platform. The rules for this challenge were sent on Slack.

The content of the email was the following:

The body of the email does not reveal any details about a possible target, so we analyse the headers. The underlined parts in the screenshot are the important ones: the Received chain shows the message was handed off by the blindspot.club mail server, not by the Protonmail service the sender address suggests.

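Walking the Received chain by hand is error-prone, so here is the header check above as an added example (my code, not part of the original write-up or the challenge). The .eml fragment is constructed for the example: its From: header claims a Protonmail sender, but the oldest Received: hop shows the message entering the mail system at mail.blindspot.club. Hostnames and the 203.0.113.10 address are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed .eml fragment (not the challenge file). MTAs prepend Received:
# headers, so the top one is the most recent hop and the bottom one the oldest.
SAMPLE_EML = """\
Received: from mail.blindspot.club (mail.blindspot.club [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTPS id 4B1F2C3;
\tTue, 21 Jul 2020 10:00:02 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
\tby mail.blindspot.club (Postfix) with ESMTP id 7A9E1;
\tTue, 21 Jul 2020 10:00:01 +0000 (UTC)
From: HTZ Staff <staff@protonmail.com>
To: participant@example.net
Subject: Demo challenge 2
Message-ID: <20200721100001.7A9E1@mail.blindspot.club>

Hello, good luck.
"""

# "from <host> ... by <host>" is the part of a Received: header we care about.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)


def received_chain(raw):
    """Return (from_host, by_host) pairs in delivery order, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def first_hop_server(raw):
    """The MTA that first accepted the message: the 'by' host of the oldest hop."""
    chain = received_chain(raw)
    return chain[0][1] if chain else None


def sender_domain(raw):
    """Domain part of the From: address, or None if it has no '@'."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def path_matches_sender(raw):
    """True when the first-hop server lies under the claimed sender's domain.
    A False here is the header anomaly the write-up spotted by eye."""
    srv, dom = first_hop_server(raw), sender_domain(raw)
    return bool(srv and dom and (srv == dom or srv.endswith("." + dom)))


if __name__ == "__main__":
    for frm, by in received_chain(SAMPLE_EML):
        print("from %-25s by %s" % (frm, by))
    print("sender domain:", sender_domain(SAMPLE_EML))
    print("first hop:    ", first_hop_server(SAMPLE_EML))
    print("path matches sender:", path_matches_sender(SAMPLE_EML))
```

Remember that every Received: header except the one added by your own server can be forged by the sender; the check is a lead to follow, not proof. Authentication-Results (SPF/DKIM/DMARC) headers, when present, are the stronger signal.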
Accessing http://blindspot.club reveals the following webpage.

We started scanning for vulnerabilities with a couple of tools, including DirBuster and Nikto. Meanwhile, we tried default credentials such as admin/admin until we were able to log in with blindspot/blindspot (username/password).

We also looked for known vulnerabilities in the platform and found the following.

To start testing we picked the vulnerabilities with the highest scores. The first one was CVE-2019-12744, an unvalidated upload of PHP scripts in SeedDMS before 5.1.11 that leads to remote code execution. A Google search turned up a blog post with a tutorial on how to exploit it.

First, we need a webshell. We found one (and plenty more) on GitHub.

We upload the webshell to the website.

We try to reach it using the path from the blog post, but we receive a 404 error.

So we go back to the blog post and notice a tricky part.

At the same time, we also get a hint from the HTZ staff.

We now understand that we have to fuzz the URL: the uploaded file is stored under a numeric directory (the application keeps each uploaded document in a directory named after its ID) and we do not know the number. To find the path that runs the webshell, we use Wfuzz with a wordlist of numbers.

Unfortunately we cannot find a wordlist containing numbers, so we generate one with Crunch. (Wfuzz can also produce the numbers itself with its built-in range payload, for example -z range,1-100, and seq 1 100 > numbers.txt does the same from the shell.)

We run Wfuzz again and discover three directories: 21, 23 and 24.

In directory 24 we find the webshell (hooray). Now we can use it to execute commands.

Reading the directions again, the flag is in the user's home folder. We list the users and find "blindspot".

Running "ls" does not show the flag file. "ls -lah" also lists dotfiles (the -a switch), and among the hidden files we see flag.txt.

We open flag.txt and realise that its content is a Brainfuck program. Brainfuck is an esoteric programming language, not a cipher: the flag is not encrypted, it is what the program prints when it is run.

An online Brainfuck interpreter runs it for us, and the flag is revealed.

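Instead of trusting an online interpreter with challenge data, the program can be run locally. The interpreter below is an added example (my code, not from the original write-up): 30,000 wrapping 8-bit cells, pre-matched brackets, and an error on unbalanced loops. The FLAG_PROGRAM it runs is constructed for the example and prints a placeholder, not the real flag.

```python
def run_brainfuck(program, stdin=b""):
    """Minimal Brainfuck interpreter. Returns the bytes the program writes
    with '.'; any character outside the eight commands is ignored."""
    code = [c for c in program if c in "+-<>[].,"]

    # Pre-match brackets so each jump is a dictionary lookup, and reject
    # unbalanced programs instead of looping forever or crashing.
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at instruction %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at instruction %d" % stack[-1])

    tape = bytearray(30000)
    ptr = pc = inp = 0
    out = bytearray()
    while pc < len(code):
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # cells wrap at 8 bits
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr = (ptr + 1) % len(tape)
        elif c == "<":
            ptr = (ptr - 1) % len(tape)
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            if inp < len(stdin):                 # EOF leaves the cell unchanged
                tape[ptr] = stdin[inp]
                inp += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return bytes(out)


# Constructed program (not the challenge's flag.txt): one loop sets a cell to
# 72 ('H'), then each next character is reached by adding or subtracting.
FLAG_PROGRAM = (
    "+" * 8 + "[>" + "+" * 9 + "<-]>." +   # 8*9 = 72  'H'
    "+" * 12 + "." +                        # 84        'T'
    "+" * 6 + "." +                         # 90        'Z'
    "+" * 33 + "." +                        # 123       '{'
    "-" * 12 + "." +                        # 111       'o'
    "-" * 4 + "." +                         # 107       'k'
    "+" * 18 + "."                          # 125       '}'
)

if __name__ == "__main__":
    print(run_brainfuck(FLAG_PROGRAM).decode("ascii"))
```

To run a real flag.txt, read the file and pass its contents to `run_brainfuck`; the filtering on the first line means surrounding whitespace or comments in the file do not matter.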
The participants received a URL and a hint indicating the flag format: HTZ{SHA1}.

Accessing the given URL, we find the following web page.

The page source reveals a Base64-encoded comment. Decoding it we get the following credentials: admin@htz.evil / Th3Str0nGestP@ssW0rd!Evah!

We try them on the login page, without success. The source also references whaat.php, which redirects to the official HTZ video on YouTube. Looking at the JavaScript at the end of the page, we find:

Again we decode the Base64 comment and discover that it is actually a piece of code that checks the credentials; the eval() call also takes a Base64 argument. The most important clue is the length check applied to the password: if it evaluates to true, the page shows "You don' have a valid username and password". So the password field must be left empty. We try again with this approach.

It works. Now we need some SQL injection. If we leave the field empty and submit, the page echoes the format of the SQL query:

We try a simple SQL injection and submit "1 OR 1=1". This turns the query into SELECT bookname, authorname FROM books WHERE number=1 OR 1=1, which matches every row. We get the following page:

The result shows two columns, so a UNION-based injection is the way forward (the UNION operator requires both SELECTs to return the same number of columns, hence the dummy 1). We try "1 union all select 1,@@version". This returns the database version and shows that it runs on Ubuntu.

"1 union all select 1, user()" returns the database user.

Trying to brute-force the database with an automated tool does not work: the target blocks our source IP after a burst of requests. Changing our public IP lets us send queries again, but it is clear that an automated tool is not useful here, so we proceed with manual queries. "1 union all select 1, schema_name FROM information_schema.schemata" lists the available databases:

When we try "1 union all SELECT 1, table_name FROM information_schema.tables WHERE table_schema = 'challenge'", the query fails and we get the message: What are you trying to do? Awesome hacking skillzz but you can't hack me anymore! Some part of that input is evidently filtered.

The next approach is to list the tables of every database at once: "1 union all select 1, table_name FROM information_schema.tables" does the trick. We get some interesting tables, among which books, flags, secret and users.

When we try to list the columns of a specific table, we get the same message as before, so we dump every column name in the database with "1 union all select 1, column_name FROM information_schema.columns". We see that one column is named flag.

“1 union all select 1, flag FROM flags” returns the following

“1 union all select 1, username FROM secret” will return:

“1 union all select 1, password FROM secret” gives us the flag. HTZ{27eecdf78c0f93e9d7a456670d02405d46bdf8e3}

The challenge started with a picture and some details from the staff.

The details indicate that the flag is at Mechano Pub, specifically on their Wi-Fi network. So, once connected to their Wi-Fi, we started recon on 192.168.0.125.

The scan gives us some important information: ports 8080 and 8443 are open, and so is SMB (port 445).

A few days before the challenge, a member of the HTZ staff had shared an article about SMB, so we follow that path. For a full enumeration we chose enum4linux. We have no credentials, so most of the information is unavailable, but the tool returned something interesting:

This means the server accepts a null session (anonymous login with a blank username and password). To find which share we can reach, we run smbmap with blank credentials (smbmap -u '' -p '' -H 192.168.0.125):

As we can see, we only have access to DVR. We connect to it with the same blank credentials (smbclient //192.168.0.125/DVR -N).

The only file in DVR is DVR.jpg. We copy it to our local machine for further investigation.

Simply opening the file as an image is not an option, as it returns an error (it is not a valid JPEG). Running cat on it (strings would do as well), however, reveals readable text that looks like a username, argus, and a password, ArgusDVRHTZ.

Time to move on to the web part. Browsing to 192.168.0.125 we get a login page. We use the credentials found in the file, and we get in.

We are given a new set of credentials: username Argus, password ArgusHTZ###. We go back to enum4linux with this information and run enum4linux -u Argus -p ArgusHTZ### -a 192.168.0.125

A share named Flag is now listed. We connect to it with smbclient using the same credentials, find a flag.txt inside, and copy it to our local machine as before.

After a short analysis, we realise that the content is Base64-encoded (an encoding, not encryption, so no key is needed).

After decoding, we find that the .txt file is actually a picture.

The tool we used, CyberChef, can save its output to a file. We save it as .jpg and get the flag.

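The last two steps without CyberChef, as an added example that is not from the original write-up: decode the Base64 text strictly, identify the real file type from its leading bytes instead of guessing .jpg, and save it with the matching extension. The SAMPLE_FLAG_TXT is constructed here (a JPEG header padded with zeros, encoded and line-wrapped the way a dumped text file usually is); it is not the challenge's flag.txt.

```python
import base64
import binascii
import textwrap

# Leading bytes of the file types most often met in a CTF drop.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),    # also .docx, .jar, .apk
    (b"Rar!\x1a\x07", "rar"),
]


def sniff(data):
    """Return an extension guessed from the magic bytes, or None if unknown."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def decode_base64_blob(text):
    """Drop whitespace and line breaks, decode strictly (validate=True rejects
    stray characters instead of silently skipping them), return (ext, bytes)."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64: %s" % exc) from None
    return sniff(raw), raw


def save_decoded(text, stem):
    """Write the decoded bytes to <stem>.<ext>, or <stem>.bin if unrecognised."""
    ext, raw = decode_base64_blob(text)
    path = "%s.%s" % (stem, ext or "bin")
    with open(path, "wb") as fh:
        fh.write(raw)
    return path


# Constructed sample, not the challenge file: a JPEG/JFIF header plus padding.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 24
SAMPLE_FLAG_TXT = "\n".join(
    textwrap.wrap(base64.b64encode(JPEG_STUB).decode("ascii"), 40))

if __name__ == "__main__":
    ext, raw = decode_base64_blob(SAMPLE_FLAG_TXT)
    print("detected type:", ext, "size:", len(raw))
    print("written to:", save_decoded(SAMPLE_FLAG_TXT, "flag"))
```

Sniffing the magic bytes before saving matters when the challenge hands you something that is not a JPEG at all; `save_decoded` keeps the bytes either way, so nothing is lost if the table does not know the type.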