NepHack 3.0 CTF Walkthrough

Hello Pwners,

During that live session, I was able to secure first position, but in the last hour, i.e. 10:00 pm, I was downgraded to 2nd position by team caphilates, but the score was equal. I would like to congratulate team caphilates for winning NepHack 3.0 online.

PWNABLE->>CHALLENGES

I was able to solve only two challenges: Shadow and Duffer. Of the two, I liked the Duffer box because it was related to buffer overflow.

They have given ssh.log file on

I got the ssh.log.part file; there I could see the SSH login attempts logged for different users. I got the credentials from one of the members, maskop9, of the winning team (me0w) during the live event. The credential is hacker/cynical1 with local IP 192.168.10.189. Since the IP given was a local IP, I wasn't able to SSH into that user, so I had to figure out other ways, and I noticed I had a shell from the Shadow challenge, which was the phindrella user's. I am going to publish my next writeup, where I will explain how I got the phindrella user and its shell.

Then, I tried those credentials as

Fig:- Into hacker shell

I was able to log in to the hacker shell, and since I was in a tty shell I had to spawn that shell, so I used

The challenge had given a description of the location at /hom/pax, and there I got two files.

One is the vuln executable and the other is flag.txt, which I didn't have permission to read. Since the vuln file is an ELF file, I would generally read it with gdb, but unfortunately the organizers didn't have gdb installed in that shell. So first I had to download the file to my localhost; for that I used scp

This way I was able to download it to my localhost, and I gave the file execute permission.

I had gdb installed, so I used this command to read the vuln file

Nothing happened there, and I entered a lot of random text and got a segmentation fault.

Now, I had to find the offset after which the SIGSEGV fault occurred. I mostly use one of my favorite methods to find the offset, as

This way I got the offset. Then, I had to find the function where the flag is located. For that I searched through all the functions and got this

Fig:- Function names

There I noticed the fLog() function and had to find the address of this function as

Fig:- Address of fLog

That is the address before running the file, and after running it I got this

Fig:-Address of fLog after running file

Address is 0x8a4755555555 in Little Endian format and

So my final payload was:

Fig:- Flag
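Why the fLog address differs before and after the program starts, and why it is written byte-reversed, shown as an added example that is not the author's code: a position-independent executable is relocated to a page-aligned load base at run time, and x86-64 stores pointers least-significant byte first. It assumes the quoted value lists the bytes in memory order; the on-disk address 0x78a is constructed, because the screenshot that showed it is not on the page.

```python
import struct

PAGE_SIZE = 0x1000            # x86-64 page size; PIE images load page-aligned
USER_SPACE_LIMIT = 1 << 47    # canonical user-space addresses on x86-64 Linux


def address_from_memory_order(hex_bytes: str) -> int:
    """Parse hex digits listed in memory (little-endian) byte order."""
    digits = hex_bytes[2:] if hex_bytes.lower().startswith("0x") else hex_bytes
    raw = bytes.fromhex(digits)
    if not 1 <= len(raw) <= 8:
        raise ValueError("expected 1 to 8 bytes for a 64-bit pointer")
    # Missing high-order bytes are zero, so 6 bytes still give a full pointer.
    return int.from_bytes(raw, "little")


def memory_image(address: int) -> bytes:
    """Return the 8 bytes a little-endian 64-bit CPU stores for this pointer."""
    if not 0 <= address < USER_SPACE_LIMIT:
        raise ValueError("not a canonical user-space address")
    return struct.pack("<Q", address)


def load_base(runtime_address: int, static_address: int) -> int:
    """Recover the PIE load base from one symbol's runtime and on-disk address."""
    base = runtime_address - static_address
    if base < 0 or base % PAGE_SIZE:
        raise ValueError("addresses do not belong to the same symbol")
    return base


if __name__ == "__main__":
    as_written = "0x8a4755555555"   # value quoted in the write-up
    static_flog = 0x78A             # constructed: on-disk address, not on the page
    runtime = address_from_memory_order(as_written)
    print("pointer value :", hex(runtime))
    print("bytes in RAM  :", memory_image(runtime).hex(" "))
    print("PIE load base :", hex(load_base(runtime, static_flog)))
```
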

I want to thank all readers for being with me through my post, and I will be posting other walkthroughs of NepHack 3.0 challenges soon.

#ctf #hacking #nephack3

You can email me if you have any queries at: me.gr4n173@protonmail.com
