HTB CTF Try Out
I just finished all challenges for HTB CTF Try Out, which was my first CTF event. This post serves both as a summary for what I’ve learned and as guides for beginners like myself.
Background
If you’re a total beginner to cyber security like myself, Capture The Flag events are something like puzzles that often involve extracting obscured information, writing bespoke interactive scripts or hacking designated processes to eventually get access to a string, i.e. the flag. It’s a bit like puzzle hunts in that challenges can take many forms, and the difficulty is mostly figuring out what the rules are, rather than following them.
Below, I’ll go through each category. I won’t detail the solutions, only describe general knowledge needed to solve the challenges.
Web: TimeKORP, Flag Command, Labyrinth Linguist
There are 2 flavors of exploits here - client side and server side.
On the client side, I find the chrome dev tools (source code, console, debugger) more than sufficient to understand what the program does or read data out of memory.
On the server side, there are various types of injections. The relevant ones are
php and server-side template injection here. TimeKORP’s source code was given
which makes it pretty easy, as long as you know how to cat
a file. Labyrinth
Linguist’s source code was given as an encrypted zip. This encrypted zip could
be decrypted, but note that the cracker
only works for uncompressed plaintext of at least 12 bytes (there is exactly one
file in the zip that matches the conditions). You actually need to figure this
out for a later challenge. But even if you didn’t, you can still see what
entries are in the zip and therefore what SSTI payloads are likely to work. If
you have Burp Suite Professional Edition, your life is a lot easier as it just
tells you the vulnerability. From there it was still difficult to get remote
code execution because none of the top google results for the payloads worked.
The hint here is that in addition to getClassLoader, there is another function
that achieves similar functionality that gives you the java runtime for RCE.
Forensics: An Unusual Sighting, Phreaky
Similar to Labyrinth Linguist, you’re given an encrypted file for Phreaky. Refer to the above to decrypt the zip (john the ripper wasn’t the right tool). Then Wireshark can be used to reveal the next step, and NetworkMiner can get the job done.
Reversing: LootStash
Just install ghidra. It’ll be useful later.
Misc: Character, Stop Drop and Roll
LLMs make these coding problems very easy. I did struggle with Stop Drop and Roll a little bit until I changed the approach to use a regex.
Crypto: Dynastic
This is like a Caesar cipher (not sure if there’s a name for this variant).
Hardware: Critical Flight, Debug
You just have to figure out which softwares to use to open these files. I used KiCad Gerber Viewer and Saleae Logic-2.
Pwn: Getting Started, Labyrinth, Void
Ghidra was very helpful for these, as well as pwntools. For Labyrinth, you need to learn something called Return Oriented Programming. Embarrassingly I had to peek at a solution for Void, but I just didn’t read the linked website closely enough. This code snippet basically worked after filling in the details shown by ghidra.
Closing Thoughts
There are quite a few libraries, tools and concepts to go through even in this “beginner-friendly” CTF. But adding these to my personal toolbox has been quite rewarding.
As a metapoint, it can feel like cheating to get hint by searching for the challenge name online. But all of this is for fun anyway, so if you’re going to have more fun knowing what to do than getting stuck, then that’s more important.