Introduction

I recently participated in a CTF held by Central InfoSec and came in 2nd of 141 teams and 1st of all individuals who participated. I was talking with them about the CTF and they said they'd be fine with me creating a write-up for one of the challenges. One stipulation is that they did not want me to show the actual flag. You've got to work to earn it. ;) I will be replacing the flag with [REDACTED].

There were 260 challenges that ranged in difficulty from matching ports and services through to gaining root access on their custom VM. Overall, I found this to be a challenging, yet very fun CTF. I'll definitely be keeping an eye on their work in the future.

Setup

Many of the challenges within this CTF are from the VM that you can find here.

I haven't messed around with VMWare Workstation in a little while, but this VM opened straight up. I just had some issues remembering how to make it directly accessible from my machine and nowhere else. I followed some of the instructions here by @ecideevhal and set my VM up in host-only mode, then I was able to use arp-scan to get the IP of my VM:

$ sudo arp-scan -I vmnet1 -l
Interface: vmnet1, type: EN10MB, MAC: 00:50:56:c0:00:01, IPv4: 172.16.146.1
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.146.128	00:0c:29:1f:c1:e8	VMware, Inc.
172.16.146.254	00:50:56:e5:71:68	VMware, Inc.

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.014 seconds (127.11 hosts/sec). 2 responded

Hack the Archive

I chose to write up the Hack the Archive set of challenges. There were four flags in this set. If you're up for it, I encourage you to try and solve each of them before reading this write-up and if you cannot, then reference this.

Flag 1 - 11 Solves

Find the archive file. The flag is the password of the archive. The password is in the standard flag format.

The first obstacle of this challenge is to find the archive so we can begin to hack it. In this CTF, you relied heavily on /robots.txt to learn where various challenges were hiding. This was no exception.

Visiting /archive begins the download of a 7z file.

$ wget http://172.16.146.128/archive
--2021-04-19 07:57:10--  http://172.16.146.128/archive
Connecting to 172.16.146.128:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: /hack-the-archive [following]
--2021-04-19 07:57:10--  http://172.16.146.128/hack-the-archive
Reusing existing connection to 172.16.146.128:80.
HTTP request sent, awaiting response... 200 OK
Length: 473
Saving to: ‘archive’

archive                                                                100%[=========================================================================================================================================================================>]     473  --.-KB/s    in 0s      

2021-04-19 07:57:10 (39.6 MB/s) - ‘archive’ saved [473/473]

$ file archive 
archive: 7-zip archive data, version 0.4
$ ls -lat archive 
-rw-r--r-- 1 bamhm182 bamhm182 473 Apr 19 07:57 archive

Now that we have that, we should begin trying to access its contents. Unfortunately, there's a password.

$ 7z e archive 

7-Zip [64] 17.03 : Copyright (c) 1999-2020 Igor Pavlov : 2017-08-28
p7zip Version 17.03 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)

Scanning the drive for archives:
1 file, 473 bytes (1 KiB)

Extracting archive: archive

Enter password (will not be echoed):
ERROR: archive
Can not open encrypted archive. Wrong password?

    
Can't open as archive: 1
Files: 0
Size:       0
Compressed: 0

The hint in the description tells us that the password for the archive is the first flag and that it is in the standard format. The standard flag format for this challenge is Central-InfoSec{[REDACTED]}, but I had no other hints for what the password was, so I started with ye olde reliable, rockyou.txt. Another challenge gave more context on how rockyou was meant to be used in this CTF. The authors didn't want this challenge to be solvable only with a dedicated HashCat machine, so the intended approach is to try only the rockyou entries that start with { and end with }. For example, 123456 is not a possibility, but {30mayo} is.
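To make the "only brace-delimited rockyou entries" rule concrete, here is an added Python example (my own illustration, not the author's tooling or anything from the CTF). It streams a wordlist, keeps only the entries that start with { and end with }, and can check a candidate against a 7z archive by calling the p7zip `7z` binary with `-p`. The sample wordlist is constructed for the example; the file paths in the usage line and the presence of `7z` on PATH are assumptions.

```python
import re
import subprocess
from pathlib import Path
from typing import Iterable, Iterator, List, Optional

# Keep only entries wrapped in curly braces, e.g. "{30mayo}" but not "123456".
BRACE_WORD = re.compile(r"^\{.*\}$")

# Constructed sample standing in for rockyou.txt (real file is ~14M lines).
SAMPLE_WORDLIST = [
    "123456\n",
    "{30mayo}\n",
    "password\n",
    "{abc\n",      # opening brace only: rejected
    "xyz}\n",      # closing brace only: rejected
    "{a b}\n",     # interior spaces are part of the password: kept as-is
]


def filter_brace_words(lines: Iterable[str]) -> Iterator[str]:
    """Yield wordlist entries that start with '{' and end with '}'.

    Only the line terminator is stripped; leading/trailing spaces inside the
    braces are real characters of the candidate and must survive.
    """
    for line in lines:
        word = line.rstrip("\r\n")
        if BRACE_WORD.match(word):
            yield word


def load_candidates(wordlist: Path) -> List[str]:
    """Read a wordlist file and return its brace-delimited entries.

    rockyou.txt is not valid UTF-8 throughout, so it is opened as latin-1,
    which maps every byte to a code point and never raises a decode error.
    """
    with wordlist.open("r", encoding="latin-1") as fh:
        return list(filter_brace_words(fh))


def check_7z_password(archive: Path, password: str) -> bool:
    """Return True if `7z t` can test the archive with this password.

    Assumes the p7zip `7z` binary is on PATH. `-p<pw>` supplies the password
    non-interactively and `-y` auto-answers any remaining prompts; a wrong
    password makes 7z exit non-zero.
    """
    result = subprocess.run(
        ["7z", "t", f"-p{password}", "-y", str(archive)],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_archive_password(archive: Path, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that opens the archive, or None."""
    for candidate in candidates:
        if check_7z_password(archive, candidate):
            return candidate
    return None


if __name__ == "__main__":
    import sys

    # Usage (paths are assumptions): python3 brace_words.py rockyou.txt archive
    words = load_candidates(Path(sys.argv[1]))
    print(f"{len(words)} brace-delimited candidates")
    if len(sys.argv) > 2:
        print(find_archive_password(Path(sys.argv[2]), words))
```

Reading the wordlist as latin-1 rather than UTF-8 is the detail that usually trips people up with rockyou: a strict decoder raises partway through the file and silently truncates the candidate set.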