BlackAlps 2024 CTF
HackCorps Warm Up
Description
Serge the accountant inadvertently opened an infected file on his workstation. After investigation by the SOC team, the file was found to contain malware designed to extract confidential information. The SOC team asked you to help them investigate the incident. The SOC has found a folder (C:\exfiltr) but cannot recover its contents.
- we get a file
exfiltr.7z
Solution
We unzip the file. There are 3 directories named 0, 1 and 2. Each of them contains text files.
For example this is ./0/1.txt
:
|
|
We quickly recognize it is Base64 encoded. If we decode, the file is part of a PNG image:
|
|
So, we concatenate all text files of the directory (cat 1.txt 2.txt 3.txt | base64 -d > total.png
) and we get a complete PNG. The image of directory 0
shows a Windows login screen.
In directory 1
, a user named serge is trying to login.
In directory 2
, we get the flag.
Conclusion
It was easy, but I’m always in favor for a few easy challenges :)
Docker challenges: Hidden Secrets
Description
Hidden secrets in docker containers. There are three flags. The flags are not dependent to each other. Docker Secrets 1: Find and submit the FLAG_FILE
Network ports in scope (to save you an nmap):
HTTP on 80/tcp SSH on 22/tcp
- docker-secrets.ctf.blackalps.ch
Solution for flag 1
This challenge was solved by a team mate, FdlSifu, and I helped a little.
After an unconclusive run of Dirbuster on the website (docker run --rm hypnza/dirbuster -u http://docker-secrets.ctf.blackalps.ch
), we finally identified a hidden paths, http://docker-secrets.ctf.blackalps.ch/flag, which suggested http://docker-secrets.ctf.blackalps.ch/docker-compose.yml
This is the docker compose file:
|
|
First, we notice the root password PleaseLetMeIn
to log onto the host with SSH. This will have us log in the docker-helper
container, while the secret flag file is in another container, docker-secret
.
We log in:
|
|
We see the docker-secret
runs with PID 1. So, we investigate /proc/1/
and find /proc/1/root/run/secrets/flag
:
|
|
Solution for flag 2
The Docker challenges have another flag, they say it is related to the hostname. So, we need to find the hostname of the docker secret container.
The nsenter
is particularly useful to inspect namespaces and other containers. So, once we are logged in the docker-helper container, we try to inspect the docker container with PID 1 (-t 1
). Option -u
preserves the container’s hostname and various other environment variables. Option -i
executes a command. So, we launch a shell for the other container and read its hostname.
|
|
Conclusion
Interesting challenge! I knew Docker containers were not secure towards one another, but had never experienced with that.