HackABit CTF Qualifiers 0x01 - WriteUp
💥 Hack-A-Bit 0x01 💥⌗
In the Hack-a-Bit (HaB) category infastructure, you will find the following challenges with their designated points:
-
- Captain (75 points)
-
- Seashell (75 points)
-
- Loading (100 points)
-
- Location (100 points)
-
- Connector (125 points)
-
- Boat (125 points)
-
- Inspector (150 points)
-
- Hammer (150 points)
With each challenge we will figure out the problems and how to solve each one:
- Captain 🌊 -⌗
Challenge: Cloud infrastructure is migrating to containerized technology in many places, lets get started with containers. Run this docker container with the environment variable FLAG_ENABLER set to give_me_the_flag.
Container: https://hub.docker.com/r/nathanielsinger/hackabit0x01-infrastructure-container1
|
Solution: The point of this challenge is for the challenger to find a way to run the container with defining the set variable in the container. For this challenge you can use any updated distro of Linux. Before we could use the pull request in URL given, we first need to install the Docker packages necessary using the command line below:
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
After that we pull the container from the URL:
docker pull nathanielsinger/hackabit0x01-infrastructure-container1
Afterwards, all we need to do is set the ENV. variable for the container which, after a google search later, we get the following command:
sudo docker run -e FLAG_ENABLER=give_me_the_flag nathanielsinger/hackabit0x01-infrastructure-container1 #
This brings the output: flag{you_aren’t_the_captain_just_yet}
- Seashell 🐚 -⌗
Challenge: SSH runs the internet. Connect to utkwrgubhj.qualifier.hackabit.com on port 22 with user hackerman and the provided private key.
Key: Go to File
|
Solution: The point of this challenge is for the challenger to learn about connections with private and public keys and how to gain access into a session using one of the keys. To begin with, after downloading the key, we are told in the challenge that we will have to use SSH (secure socket shell) on port 22, which SSH runs on default. In order to use a key with SSH for a session we use the -i parameter for the following command:
ssh -i id_rsa hackerman@utkwrgubhj.qualifier.hackabit.com #make sure you go to the directory where you saved your file
However, the session doesn’t accept this because the key has too many accessible permissions. To reduce the permissions needed for the session to just read the key, we will use the command bellow:
chmod 400 id_rsa
After this we will just run the first command and get the output: flag{shesellsseashellsbytheseaaaaaaashore}
Side Note: I tried running these commands on the actual session but it appeared to be down.
- Loading 🌀 -⌗
Challenge: What’s in this ISO thing?
|
Solution: With this challenge we are given the same Docker container from the Captain challenge. With no clue on what the challenge has in store, let’s see what information we can get from extracting the image from the container and saving it to our system using the command below.
docker save nathanielsinger/hackabit0x01-infrastructure-container1 > image.tar
Finally, just like a .zip file, we have to unpack the .tar file using the following command:
tar -xvf image.tar
Afterward, go to the directory you’re in and find the folder 89552…ea423 and the file layer.tar. Unpack the .tar tar -xvf layer.tar
With that, you go from root > flag_image.iso
then cat FLAG.TXT
Getting the output: flag{consider_it_loaded_hackerman}
- Location 🌎 -⌗
Challenge: Now with the same image, dive on in and find the iso image. What is the absolute path to the iso image stored within the container? Include the filename in the path for your submission.
|
Solution: This one is pretty simple, the path of the file is just the location in the container. If we go back to the folder root
from layer.tar to flag_image.iso
, it would be something like /root/flag_image.iso
- Connector 🔌 -⌗
Challenge: Connect to the mysql server at dyxvqmjwaj.qualifier.hackabit.com and read out the flag. Here are some user accounts:
|
Solution: For this challenge we need to go into the challenge’s MySQL database, I used MySQL for this. With this challenge I installed it on Windows using this link here After completing the installation process, we have to create a new MySQL Connection like the below images:
Then we put the following information in the fields:
With this we should connect to the server, however, it would appear that the server is actually down. Nevertheless, when going to each user and checking their tables, you’ll eventually go to user4
and find the table with the solution’s flag.
Flag: flag{oh_sql_my_sql}
- Boat ⛵ -⌗
Challenge: Sometimes we need to run a machine on a specific address or virtualize a network, get this running on: 172.22.1.11.
Container: https://hub.docker.com/r/nathanielsinger/hackabit0x01-infrastructure-container2
|
Solution: This challenge just giving us a Docker container to run on an IP. First things first, grab the pull request from the URL run it and wait, we get an error.
Not to worry however, from this Docker discussion, here, we find out that an error response might be due to the fact that we have to specify the version of the container. In the form, it says that we can go to the container and under the header “tags” get the version we need.
docker pull nathanielsinger/hackabit0x01-infrastructure-container2:v1.0.0
Now that we have the container, we need to figure out on how to set this to an IP. With some googling, we will find a Docker documentation for just this feature here. Using the link above, we can create our own commands as such in the following image:
And you get the following flag: flag{its_just_an_address_man}
- Inspector 🔍 -⌗
Challenge: Oh look its Bits, something changed though… see if you can track it down.
File: Go to File
With this file, we are given the code documentation for the bot “Bits” in the HaB Discord server. At a first glance, it might be difficult to determine what the challenge is asking but looking into the challenge’s material, here, it appears that we are supposed to get a git version of Bits.
When looking through the files in Bits, we get to a file with the directory C:\Users\$USER\Downloads\bits\bits\.git\logs\HEAD
. Inside of this file, we get the following commit hash a0235bf2cf43159eff20f5b3d568a21ab288c9ff
with the description flag_stuff
.
First, go to the directory where bits is stored, then use the command below to go to the committed version of flag_stuff
.
git checkout a0235bf2cf43159eff20f5b3d568a21ab288c9ff
After that we are given a file called “flag”. Now we use this command to read the file:
cat flag
Or this command:
grep -r "flag"
Giving us the output: flag{don’t_try_harder…look_harder}
- Hammer 🔨 -⌗
Challenge: Check out oslyxpzcgs.qualifier.hackabit.com and see if you can find the vuln. No help on this one, nothing crazy though… enumerate harder :)
The flag is stored in an environment variable.
With this challenge I actually didn’t finish this. I would just do it right here, however, it would appear that the session is currently down, but what I’ve learned from this challenge is that it’s a vsftpd Smiley Face Backdoor
vulnerability. Apparently using the :) in the username results in shell listening on TCP port 6200.
You can learn more here.
~ CodeAPretzel