0xk4k45h1
0xL4ugh 2024
OSINT: Lost In History (easy)
Description

MM0X and xElessaway were on a mission to find someone, but it seems they had a stalker and got us this picture of them both. Can you identify the place they were?

Flag Format: 0xL4ugh{The Name of the place with spaces}

Solution

Let's go. After analyzing the image I found some details which may be important. They are numbered in this image:

- Label 1: a reflection of a word
- Labels 2 and 3: statues

After zooming in on the word in label 1 and guessing the rest of it, I believe it's 'المومياوات' ("the mummies").

The statues are an indication that this may be a museum.

So when I searched using 'متحف المومياوات' ("mummies museum") I found this result.

The place is The national museum of Egyptian Civilization, and you can confirm that by searching for photos of this museum.

Then the flag is 0xL4ugh{The national museum of Egyptian Civilization}
CTF
· 2024-02-10
Misc: Library (hard)
Description

Built a book library, however my friend says that i made a nasty mistake!

Author: zAbuQasem

nc 172.190.120.133 50003

Solution

There's code attached to the challenge, and the file we care about in it is challenge.py. Its content is:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from rich.console import Console
import re
import shlex
import os

FLAG = os.getenv("FLAG","FAKE_FLAG")
console=Console()

class Member:
    def __init__(self, name):
        self.name = name

class Book:
    def __init__(self, title, author, isbn):
        self.title = title
        self.author = author
        self.isbn = isbn

class BookCopy:
    def __init__(self, book):
        self.book = book
        self.available = True

class SaveFile:
    def __init__(self, file_name=os.urandom(16).hex()):
        self.file = file_name

class Library:
    def __init__(self, name):
        self.name = name
        self.books = {}
        self.members = {}

    def add_book(self, book, num_copies=1):
        if book.isbn in self.books:
            self.books[book.isbn] += num_copies
        else:
            self.books[book.isbn] = num_copies

    def add_member(self, member):
        self.members[member.name] = member

    def display_books(self,title=''):
        if not title == '':
            for isbn, num_copies in self.books.items():
                book = isbn_to_book[isbn]
                if book.title == title:
                    return book.title
                else:
                    console.print("\n[bold red]Book not found.[/bold red]")
        else:
            console.print(f"\n[bold green]Books in {self.name} Library:[/bold green]")
            for isbn, num_copies in self.books.items():
                book = isbn_to_book[isbn]
                status = f"{num_copies} copies available" if num_copies > 0 else "All copies checked out"
                console.print(f"[cyan]ISBN: {isbn} - Status: {status}[/cyan]")

    def search_book(self):
        pattern = console.input("[bold blue]Enter the pattern to search: [/bold blue]")
        matching_books = []
        for isbn, num_copies in self.books.items():
            book = isbn_to_book[isbn]
            if re.fullmatch(pattern,book.title):
                matching_books.append(book)
        if matching_books:
            console.print(f"\n[bold yellow]Found matching books for '{pattern}':[bold yellow]")
            for book in matching_books:
                status = f"{num_copies} copies available" if num_copies > 0 else "All copies checked out"
                console.print(f"[cyan]ISBN: {book.isbn} - Status: {status}[/cyan]")
        else:
            console.print(f"[bold yellow]No matching books found for '{pattern}'.[/bold yellow]")

    def check_out_book(self, isbn, member_name):
        if member_name not in self.members:
            console.print(f"\n[bold red]Member '{member_name}' not found.[/bold red]")
            return
        if isbn not in isbn_to_book:
            console.print("\n[bold red]Book not found.[/bold red]")
            return
        if isbn not in self.books or self.books[isbn] <= 0:
            console.print("\n[bold red]All copies of the book are currently checked out.[/bold red]")
            return
        member = self.members[member_name]
        book_copy = BookCopy(isbn_to_book[isbn])
        for i in range(len(member_books.setdefault(member_name, []))):
            if member_books[member_name][i].book.isbn == isbn and member_books[member_name][i].available:
                member_books[member_name][i] = book_copy
                self.books[isbn] -= 1
                console.print(f"\n[bold green]Successfully checked out:[/bold green] [cyan]{book_copy.book} for {member.name}[/cyan]")
                return
        console.print("\n[bold red]No available copies of the book for checkout.[/bold red]")

    def return_book(self, isbn, member_name):
        if member_name not in self.members:
            console.print(f"\n[bold red]Member '{member_name}' not found.[/bold red]")
            return
        if isbn not in isbn_to_book:
            console.print("\n[bold red]Book not found.[/bold red]")
            return
        member = self.members[member_name]
        for i in range(len(member_books.setdefault(member_name, []))):
            if member_books[member_name][i].book.isbn == isbn and not member_books[member_name][i].available:
                member_books[member_name][i].available = True
                self.books[isbn] += 1
                console.print(f"\n[bold green]Successfully returned:[/bold green] [cyan]{member_books[member_name][i].book} by {member.name}[/cyan]")
                return
        console.print("\n[bold red]Book not checked out to the member or already returned.[/bold red]")

def save_book(title, content='zAbuQasem'):
    try:
        with open(title, 'w') as file:
            file.write(content)
        console.print(f"[bold green]Book saved successfully[/bold green]")
    except Exception as e:
        console.print(f"[bold red]Error: {e}[/bold red]")

def check_file_presence():
    book_name = shlex.quote(console.input("[bold blue]Enter the name of the book (file) to check:[/bold blue] "))
    command = "ls " + book_name
    try:
        result = os.popen(command).read().strip()
        print(result)
        if result == book_name:
            console.print(f"[bold green]The book is present in the current directory.[/bold green]")
        else:
            console.print(f"[bold red]The book is not found in the current directory.[/bold red]")
    except Exception as e:
        console.print(f"[bold red]Error: {e}[/bold red]")

if __name__ == "__main__":
    library = Library("My Library")
    isbn_to_book = {}
    member_books = {}
    while True:
        console.print("\n[bold blue]Library Management System[/bold blue]")
        console.print("1. Add Member")
        console.print("2. Add Book")
        console.print("3. Display Books")
        console.print("4. Search Book")
        console.print("5. Check Out Book")
        console.print("6. Return Book")
        console.print("7. Save Book")
        console.print("8. Check File Presence")
        console.print("0. Exit")
        choice = console.input("[bold blue]Enter your choice (0-8): [/bold blue]")
        if choice == "0":
            console.print("[bold blue]Exiting Library Management System. Goodbye![/bold blue]")
            break
        elif choice == "1":
            member_name = console.input("[bold blue]Enter member name: [/bold blue]")
            library.add_member(Member(member_name))
            console.print(f"[bold green]Member '{member_name}' added successfully.[/bold green]")
        elif choice == "2":
            title = console.input("[bold blue]Enter book title: [/bold blue]").strip()
            author = console.input("[bold blue]Enter book author: [/bold blue]")
            isbn = console.input("[bold blue]Enter book ISBN: [/bold blue]")
            num_copies = int(console.input("[bold blue]Enter number of copies: [/bold blue]"))
            book = Book(title, author, isbn)
            isbn_to_book[isbn] = book
            library.add_book(book, num_copies)
            console.print(f"[bold green]Book '{title}' added successfully with {num_copies} copies.[/bold green]")
        elif choice == "3":
            library.display_books()
        elif choice == "4":
            library.search_book()
        elif choice == "5":
            isbn = console.input("[bold blue]Enter ISBN of the book: [/bold blue]")
            member_name = console.input("[bold blue]Enter member name: [/bold blue]")
            library.check_out_book(isbn, member_name)
        elif choice == "6":
            isbn = console.input("[bold blue]Enter ISBN of the book: [/bold blue]")
            member_name = console.input("[bold blue]Enter member name: [/bold blue]")
            library.return_book(isbn, member_name)
        elif choice == "7":
            choice = console.input("\n[bold blue]Book Manager:[/bold blue]\n1. Save Existing\n2. Create new book\n[bold blue]Enter your choice (1-2): [/bold blue]")
            if choice == "1":
                title = console.input("[bold blue]Enter Book title to save: [/bold blue]").strip()
                file = SaveFile(library.display_books(title=title))
                save_book(file.file, content="Hello World")
            else:
                save_file = SaveFile()
                title = console.input("[bold blue]Enter book title: [/bold blue]").strip()
                author = console.input("[bold blue]Enter book author: [/bold blue]")
                isbn = console.input("[bold blue]Enter book ISBN: [/bold blue]")
                num_copies = int(console.input("[bold blue]Enter number of copies: [/bold blue]"))
                title = title.format(file=save_file)
                book = Book(title,author, isbn)
                isbn_to_book[isbn] = book
                library.add_book(book, num_copies)
                save_book(title)
        elif choice == "8":
            check_file_presence()
        else:
            console.print("[bold red]Invalid choice. Please enter a number between 0 and 8.[/bold red]")
```

What a huge code!! Don't worry: after a fast examination we will see that there's only a small interesting part.

The interesting part is choice number 8, because it calls the function `check_file_presence()`, and its content is:

```python
def check_file_presence():
    book_name = shlex.quote(console.input("[bold blue]Enter the name of the book (file) to check:[/bold blue] "))
    command = "ls " + book_name
    try:
        result = os.popen(command).read().strip()
        print(result)
        if result == book_name:
            console.print(f"[bold green]The book is present in the current directory.[/bold green]")
        else:
            console.print(f"[bold red]The book is not found in the current directory.[/bold red]")
    except Exception as e:
        console.print(f"[bold red]Error: {e}[/bold red]")
```

It's interesting because it is the only one containing command execution, and the command is, we can say, supplied by the user (not exactly).

Okay, let's analyze this function. `book_name` is concatenated with `ls` and the result is executed as a command. This appears to be vulnerable to command injection, and we see that the blacklist is very poor, but the problem is in `shlex.quote`, which puts the input in quotes.

So your dreams of supplying `;whoami` as input so that the command becomes `ls ;whoami` are destroyed, because the command became `ls ';whoami'`.

What can we do then?!

After searching I found this amazing article, which I recommend. The most important thing we got from it is that "shlex.quote() escapes the shell's parsing, but it does not escape the argument parser of the command you're calling, and some additional tool-specific escaping needs to be done manually, especially if your string starts with a dash (-)."

So what about making the input something like `-la`, resulting in the command `ls -la` without the problem of quotes?

```
┌──(youssif㉿youssif)-[~]
└─$ nc 172.190.120.133 50003

Library Management System
1. Add Member
2. Add Book
3. Display Books
4. Search Book
5. Check Out Book
6. Return Book
7. Save Book
8. Check File Presence
0. Exit
Enter your choice (0-8): 8
Enter the name of the book (file) to check: -la
total 56
drwxr-sr-x 1 challeng challeng 4096 Feb  9 23:44 .
drwxr-xr-x 1 root     root     4096 Feb  1 14:20 ..
-rw-r--r-- 1 challeng challeng    9 Feb  9 23:52 0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r!}
-rw-r--r-- 1 challeng challeng    9 Feb  9 22:20 ;ls
-rw-r--r-- 1 challeng challeng    9 Feb  9 18:07 FLAG
-rw-r--r-- 1 challeng challeng    9 Feb  9 22:49 ay
-rw-rw-r-- 1 root     root     8975 Jan 31 22:43 challenge.py
-rw-rw-r-- 1 root     root      103 Jan 31 22:19 exec.sh
-rw-r--r-- 1 challeng challeng    9 Feb  9 16:48 nice
-rw-r--r-- 1 challeng challeng   11 Feb  9 17:19 pouet
-rw-r--r-- 1 challeng challeng    9 Feb  9 23:44 test
The book is not found in the current directory.
```

Nice, we got it. The flag is right there!!

The flag: 0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r!}
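The gap described above, as an added example that is not part of the original write-up or the challenge source: it shows what `ls` is handed after `shlex.quote()`, how `--` ends option parsing, and a presence check that needs no shell at all. The function names and the sample file names are assumptions made for illustration.

```python
import os
import shlex


def vulnerable_command(book_name):
    """Build the command string the way check_file_presence() does."""
    return "ls " + shlex.quote(book_name)


def received_argv(command):
    """Split a command line as a POSIX shell would: this is what ls is handed."""
    return shlex.split(command)


def is_option_injection(book_name):
    """True when ls would parse the 'file name' as an option."""
    argv = received_argv(vulnerable_command(book_name))
    return len(argv) > 1 and argv[1].startswith("-")


def safer_command(book_name):
    """Same shell command, but '--' tells ls that no options follow."""
    return "ls -- " + shlex.quote(book_name)


def file_present(book_name, base_dir):
    """Presence check with no shell and no external program (hypothetical helper)."""
    # A book name is one path component: no separators, no NUL, no '.'/'..'.
    if not book_name or book_name in (".", "..") or "\x00" in book_name:
        return False
    if os.sep in book_name:
        return False
    return os.path.isfile(os.path.join(base_dir, book_name))


if __name__ == "__main__":
    import tempfile

    # Constructed inputs: a shell metacharacter, an option, an ordinary name.
    for name in (";whoami", "-la", "book.txt"):
        print(f"{name!r:12} -> {vulnerable_command(name)!r:16} "
              f"argv={received_argv(vulnerable_command(name))} "
              f"option={is_option_injection(name)}")
    print(received_argv(safer_command("-la")))

    with tempfile.TemporaryDirectory() as d:  # constructed sample directory
        for fname in ("book.txt", "-la"):
            open(os.path.join(d, fname), "w").close()
        print(file_present("-la", d), file_present("missing", d))
```

With `--` in place, a value such as `-la` can only ever be treated as a file name, and `file_present()` removes the shell and `ls` from the check entirely.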
CTF
· 2024-02-10
Misc: GitMeow (medium)
Description

Just another annoying git challenge :)

Author: zAbuQasem

nc 172.190.120.133 50001

Solution

There's code attached to the challenge, and the file we care about in it is challenge.py. Its content is:

```python
import os
from banner import monkey

BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push"]

def is_valid_utf8(text):
    try:
        text.encode('utf-8').decode('utf-8')
        return True
    except UnicodeDecodeError:
        return False

def get_git_commands():
    commands = []
    print("Enter git commands (Enter an empty line to end):")
    while True:
        try:
            user_input = input("")
        except (EOFError, KeyboardInterrupt):
            break
        if not user_input:
            break
        if not is_valid_utf8(user_input):
            print(monkey)
            exit(1337)
        for command in user_input.split(" "):
            for blacklist in BLACKLIST:
                if blacklist in command:
                    print(monkey)
                    exit(1337)
        commands.append("git " + user_input)
    return commands

def execute_git_commands(commands):
    for command in commands:
        output = os.popen(command).read()
        if "{f4k3_fl4g_f0r_n00b5}" in output:
            print(monkey)
            exit(1337)
        else:
            print(output)

commands = get_git_commands()
execute_git_commands(commands)
```

When we analyze the code carefully, we find several important things:

- The program accepts input from the user, and this input is used in a git command in the format `git input`.
- The input is tested against the words in the blacklist.
- You can execute more than one command.
- Supplying an empty line means no more input.

So we need to make use of git commands to get the flag.

Let's start the challenge.

```
┌──(youssif㉿youssif)-[~]
└─$ nc 172.190.120.133 50004
[GitMeow ASCII-art banner]
[+] Welcome challenger to the epic GIT Madness, can you read /flag.txt?
Enter git commands (Enter an empty line to end):
```

I started by trying simple commands like `git status` and `git log`, which is done by supplying `status` and `log` as inputs.

```
[+] Welcome challenger to the epic GIT Madness, can you read /flag.txt?
Enter git commands (Enter an empty line to end):
status
log

On branch master
Untracked files:
  (use "git add <file>..." to include in what will be committed)
        ../../.dockerenv
        ../../bin/
        ../../dev/
        ../../etc/
        ../
        ../../lib/
        ../../proc/
        ../../run/
        ../../sbin/
        ../../sys/
        ../../tmp/
        ../../usr/
        ../../var/

nothing added to commit but untracked files present (use "git add" to track)

commit c208c6664cc72304ec7803c612c10a4f468338e8
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Sat Feb 10 00:31:43 2024 +0000

    .

commit 14f7055bac6cffb5e5c052577c4b607ef776de6c
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 21:05:03 2024 +0000

    i

commit bc7f31f90f4c9071af36e50059a61fd7630dc2a2
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 19:58:48 2024 +0000

    a

commit ab5579000510625d0c8340b5b5ee06fbb32ac3d0
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 19:48:05 2024 +0000

    a

commit f57b0e151d5ed760ed6b78af993d8f69a48a0b1a
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 17:03:30 2024 +0000

    dummy

commit 76877ac666f00e4928cbdad873eb1b3d2011ebbb
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 16:57:01 2024 +0000

    dummy

commit 504f31a3c83e8cca42a9ef17d4bf74b89bff9d66
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 16:57:00 2024 +0000

    dummy
```

After that I tried to make use of `git diff`, but I got an error, because `diff` is blacklisted.

So we need to search more, and after searching I found it: the command `git log --stat -M`, which provides a detailed overview of the commit history, including file modifications and renames.

```
[+] Welcome challenger to the epic GIT Madness, can you read /flag.txt?
Enter git commands (Enter an empty line to end):
log --stat -M

commit 4d6f6931ab8c2de5d54755d933ef0c629a2e821b
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Sat Feb 10 00:26:34 2024 +0000

    .

Notes:
    0xL4ugh{GiT_D0c3_F0r_Th3_WiN}

 flag.txt | 1 +
 1 file changed, 1 insertion(+)

commit b02cbef94904b3d8247d96568290432a3031b152
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 19:49:18 2024 +0000

    a

 archive123.zip | Bin 1927 -> 28391 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

commit 27adc7dc97eef4a627344c44df44b2058002e9d0
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 17:00:50 2024 +0000

    dummy

 archive123.zip | Bin 0 -> 1927 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

commit 90f6d50253dd542fcad7ab2def60e79403212ccd
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 16:24:39 2024 +0000

    dummy

 git-diagnostics-2024-02-09-1624.zip | Bin 0 -> 14631 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

commit 5926449b1592558e499f72e5820fc5518def581a
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 16:21:38 2024 +0000

    dummy

 git-diagnostics-2024-02-09-1621.zip | Bin 0 -> 14490 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

commit ca244e18bb33e611af1d4d7397d9ab31d0af7972
Author: zAbuQasem <zAbuQasem@0xL4ugh.com>
Date:   Fri Feb 9 16:11:24 2024 +0000

    KAY

 .gitconfig                          |  5 ++++
 __pycache__/banner.cpython-311.pyc  | Bin 0 -> 966 bytes
 banner.py                           | 20 +++++++++++++
 challenge.py                        | 56 ++++++++++++++++++++++++++++++++++++
 entrypoint.sh                       | 22 ++++++++++++++
 exec.sh                             | 18 ++++++++++++
 git-diagnostics-2024-02-09-1540.zip |  0
 git-diagnostics-2024-02-09-1545.zip |  0
 git-diagnostics-2024-02-09-1546.zip |  0
 git-diagnostics-2024-02-09-1548.zip |  0
 git-diagnostics-2024-02-09-1552.zip |  0
 git-diagnostics-2024-02-09-1556.zip |  0
 12 files changed, 121 insertions(+)
```

You got it. Look at the output again: the flag is right there.

The flag: 0xL4ugh{GiT_D0c3_F0r_Th3_WiN}
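Why the substring blacklist above does not contain the input, as an added example that is not part of the original write-up or the challenge source: it reproduces the challenge's check next to an allow-list that builds an argv list and never goes through a shell. The `ALLOWED` table and the function names are hypothetical; the blacklist is copied from the challenge.py shown above.

```python
import subprocess

# Deny-list copied from the challenge.py shown above.
BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@",
             "!", "<", ">", "%", ":", ",", "?", "{", "}", "`", "diff",
             "/dev/null", "patch", "./", "alias", "push"]

# Hypothetical allow-list: each permitted subcommand and the options it may take.
ALLOWED = {
    "status": {"--short"},
    "branch": {"--list"},
}


def passes_blacklist(user_input):
    """Same substring test as get_git_commands() in the challenge."""
    return not any(bad in word
                   for word in user_input.split(" ")
                   for bad in BLACKLIST)


def build_argv(user_input):
    """Return an argv list for git, or None when the input is not allow-listed."""
    words = user_input.split()
    if not words or words[0] not in ALLOWED:
        return None                      # unknown subcommand
    if any(word not in ALLOWED[words[0]] for word in words[1:]):
        return None                      # unknown option or extra argument
    return ["git", *words]


def run_git(user_input):
    """Run an allow-listed command without a shell; None means rejected."""
    argv = build_argv(user_input)
    if argv is None:
        return None
    done = subprocess.run(argv, capture_output=True, text=True, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed inputs: the one from the write-up, a blocked one, an allowed one.
    for line in ("log --stat -M", "diff", "status --short"):
        print(f"{line!r:18} blacklist_ok={passes_blacklist(line)} "
              f"argv={build_argv(line)}")
```

The deny-list only rejects what its author thought of, so `log --stat -M` goes through; the allow-list rejects everything that was not explicitly granted.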
CTF
· 2024-02-10
OSINT: Cheater (medium)
Description

Our team received a request from a man who believes his wife may be cheating on him. He asked us to help by checking her accounts for any evidence. He provided his wife's name, "Hamdia Eldhkawy" and mentioned that a friend informed him she shared a picture with someone on social media. He couldn't find the image and wants us to discover the man's real name.

Flag Format: 0xL4ugh{First Name_Last Name}

Solution

Let's go. First I searched for Hamdia Eldhkawy using Google; after some trials I found nothing useful.

I decided to try searching for Hamdia Eldhkawy using Bing search. Good news: I found an Instagram profile.

I searched within the profile for useful information for the next steps, examining the followers and posts.

I was stuck here for a long time, as I thought the followers or the people reacting to her posts might be interesting, so I spent some time on some of the reacting users, but with no useful information.

I also tried using the pictures in her posts in a reverse image search, but also with no useful results.

Then I noticed an important thing: all the posts are about AI-generated pictures. This may indicate that she is interested in AI, and this gave me a hint for the next step.

Let's go back to Bing and search using Hamdia Eldhkawy ai, and we got these results. The OpenAI link is the treasure here.

When we go in, we find an interesting comment from a user called Hamada_Elbes.

I remember you, Hamada. Hamada_Elbes was an OSINT challenge in 0xL4ugh CTF 2023 xDDDD. Anyway, let's go back and look at the comment.

The comment is: Haha Hamdia, I already caught that :wink: I can share it with your husband <3 with the photo below.

After analyzing this image carefully we find important information:

- First, the URL may take us to the post.
- Second, Hamdia mentioned her boyfriend in the post, but the picture is cropped, so we just know that his account starts with spide, and this is not enough.

When we try to access the link in the image, we won't get that post. Maybe Hamdia deleted it, ummmmmmmmmmmmmm.

Good one, Hamdia, but you are too late, as Hamada_Elbes caught you xDD

We need to reach that deleted post, and in this situation we think about web archiving.

I tried the Wayback Machine, but with no useful results. Then I searched for an alternative, and after many trials this one worked for me: archive.ph

Let's open it and get the info we need.

The treasure is in here: finally, she mentioned spidersh4zly.

What are you waiting for?! Let's search for him on Instagram. And this is his account.

There's another link in his profile for more information, and I see that there's nothing else important.

Let's go to this link. We see many accounts for spidersh4zly; after analyzing them I found that all are useless except the Gmail address.

We can use the Gmail address to get his real name using a powerful tool called epieos. Go to its site, insert the email, and let it do its magic.

And here are the results. We found him. He is Abdelfatah ElCanaway.

Congratz, we got it.

The flag: 0xL4ugh{Abdelfatah_ElCanaway}
CTF
· 2024-02-10