Hack The Boo

CTF event link: https://ctf.hackthebox.com/event/details/hack-the-boo-637

Writeups

• Web
  • Evaluation Deck
  • Spookifier
  • Horror Feeds (Unsolved)
  • Juggling Facts
• Pwn
  • Pumpkin Stand
  • Entity
• Reversing
  • Cult Meeting
  • EncodedPayload
  • Ghost Wrangler
  • Ouija
  • Secured Transfer
• Forensics
  • Wrong Spooky Season
  • Trick or Breach
  • Halloween Invitation
  • POOF
  • Downgrade
• Crypto
  • Gonna Lift Em All

Background

Have you ever wanted to play a halloween themed CTF? Are you a beginner or curious about what hacking is? Do you love learning by gaming? For all these questions, we have the answer: Hack The Boo CTF.

• Starting Date: 22 Saturday - 1 pm UTC
• Ending Date: 27 Thursday - 1 pm UTC
• Type: Jeopardy
• Team Size: Individuals
• Level: Beginners

Overview

• Solved: 16/25
• Points: 3200
• Rank: 250th/6367
• Total Players: 6367
• Overall Difficulty: Very hard

What I’ve learned in this CTF

• Web:
  1. Exploiting compile() Function in a Python Web Application (Evaluation Deck)
  2. Server-Side Template Injection (SSTI) in Python’s Flask Mako (Spookifier)
  3. Exploiting PHP Type Juggling (Juggling Facts)
• Pwn: (Binary Exploition)
  1. Interger Overflow (Pumpkin Stand)
  2. Exploiting C Unions (Entity)
• Reversing:
  1. Listing Strings in an Executable (Cult Meeting)
  2. Using strace to Monitor System Calls (EncodedPayload)
  3. Using gdb to Find Loaded Memory Strings (Ghost Wrangler)
  4. Decrypting Caesar Cipher (Ouija)
  5. Decrypting AES 256 CBC via Capturing Decryption Key in GDB (Secured Transfer)
• Crypto:
  1. Decrypting Encrypted Message via Basic Modular Arithmetic (Gonna-Lift-Em-All)
• Forensics:
  1. Inspecting pcap File via WireShark (Wrong Spooky Season)
  2. Inspecting DNS Queries (Trick or Breach)
  3. Reverse Engineering Word Macros (Halloween Invitation)
  4. Memory Forensics via Volatility (POOF)
  5. Windows Event Viewer Digital Forensics (Downgrade)