HackTheBox - Developer

00:00 - Intro
01:04 - Start of nmap
03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login
05:00 - Creating an account and looking at the page to discover CTF Challenges
06:15 - CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells
11:50 - Submitting a writeup, discovering an old version of Firefox talks to us
14:00 - Checking for Tab Nabbing vulnerability and explaining it
17:30 - Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials
29:30 - Phishing worked, got the admin's password. Logging in to Django to see another website (Sentry)
33:00 - Triggering an error in Sentry to get an error page, which contains a secret key used to encrypt the cookie
36:10 - Grabbing a django deserialization payload then installing django on python2 to use the payload
40:15 - Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell
46:13 - Logging into the Sentry Postgres database, then enumerating tables, dumping the users table and cracking karl's password
52:25 - Discovering Karl can execute the authenticator binary with sudo; strings shows it is a Rust binary. Copy it back to our box
56:55 - Examining the binary in Ghidra
58:55 - Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are
1:01:22 - Showing that AES-CTR does not have defined block sizes
1:05:00 - Using GDB to help our analysis, showing how to set up breakpoints around what our decompiler shows
1:10:36 - Examining memory to confirm our static analysis was correct
1:11:15 - Grabbing the encrypted blob the program is comparing against to get the password and getting root
1:15:40 - CHALLENGE 2: PSE, a dotnet binary that uses PS2EXE to run PowerShell that encrypts a string
1:21:20 - CHALLENGE 3: Get Lucky, a small binary that rolls a dice. We exploit it mainly in GDB, but after recording, probably could have done LD_PRELOAD, I'm not sure
1:34:50 - CHALLENGE 4: RevMe.exe, just open the binary in DNSpy and grab the flag, also show doing this with strings if we change the encoding
1:37:10 - CHALLENGE 5: Authentication, another Rust binary. Just have to find the correct spot to set a break point and see the password in memory
1:44:40 - CHALLENGE 6: PwnMe, a simple challenge that we can use GDB to find the password
1:49:30 - CHALLENGE 7: Easy Encryption, a simple XOR Challenge where we can use known plaintext (or bruteforce) to recover the key
1:53:29 - CHALLENGE 8: Triple Wamy, another XOR challenge where we just have to do the XORs backwards to get the flag