https://ajomix.hashnode.dev/pwn-coolpool-tetctf2024
https://lephuduc.github.io/posts/tetctf2024/
https://mystiz.hk/posts/2024/2024-02-03-tetctf-adapt/
https://gist.github.com/nguyenduyhieukma/3b6107461035d21aa85650d5fc8a7601
https://hackmd.io/@Solderet/HJ52F9496
https://ctf.edwinczd.com/2024/tetctf-2024
https://hackmd.io/mg5ob_vrRVa3WXyHrPNbzA?view
Chall name:
- Chill
Category:
- Pwn
Author:
- chung96vn
Description:
Goal
Read flag
Material:
[pwn01.7z](<https://drive.google.com/file/d/1rPWp0GAAzRVq2eDlTBlh77Ed0btZv7O3/view?usp=sharing>)
Connection
Website: [http://172.105.117.188/](<http://172.105.117.188/>)
Service: nc 172.105.117.188 31337
Chall name:
- CoolPool
Category:
- Pwn
Author:
- linhlhq
Description:
Goal
- Spawn cmd with SYSTEM
- Read the flag in C:\\flag.txt (readable only by SYSTEM)
Environment
- Windows 10 Pro 22h2
- OS Build 19041.vb_release.191206-1406
- Load coolpool.sys (sha1: F8B1238982E60E64DA444F39368E45B81626C100)
- Account
- ctf/tetctf2024
- admin/tetctf2024
- ntoskrnl.exe (sha1: 39D3060EF96BB18544C452EAD5ECF8DCB8C2D139)
Test
You can use the following command and use VNC for testing:
qemu-system-x86_64 -enable-kvm -m 4096 -smp cores=4 -hda windows.qcow2 -cpu host,+smep,+smap,+pcid -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::9696-:9696 -monitor stdio
The VM is just for your final test. You can also use your own VM to test it, but you need to make sure the build version is the same as 19041.vb_release.191206-1406.
Remote Service
- Our service will be hosted at xxxxx:xx, you need to use the team token to log in to the service.
- Each team will have 3 accesses to the VM:
- Please make sure your exploit works locally in the environment we provide first.
- You can only use the VM for 10 minutes at a time.
- If it hits a BSOD, we won't restart it.
Environment
We will run QEMU with the following command:
qemu-system-x86_64 -hda windows.qcow2 -m 4096 -smp cores=4 -enable-kvm -cpu host,+smep,+smap,+pcid -nographic -monitor /dev/null -loadvm ctf_snapshot -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::{port}-:{port}
- The snapshot just logs in to the ctf account and runs C:\\ctf\\start.cmd.
- It will run C:\\ctf\\cmd.exe at Low integrity.
- When you connect to the service and select Access VM, we will automatically connect to the VM to spawn cmd for you to use.
- You can use curl to download your binary to %TEMP%\\Low or c:\\ctf\\tmp.
Material:
[Driver](<https://drive.google.com/file/d/13JPhvk8CNUWStdzI3Qf1c5gvGcbFh4bc/view?usp=sharing>)
[VM](<https://drive.google.com/file/d/1D_PhUvkDeGL2gYZlHa73qnIwGwXU21F1/view?usp=sharing>)
Password for unzip: tetctf2024
nc 123.24.204.45 1337
Chall name:
- Secure Notes
Category:
- Pwn
Author:
- peternguyen
Description:
Goal
Read flag1
Material:
[secure_notes.7z](<https://drive.google.com/file/d/1J15f1DQryWpxDXvBkFSk33b3ikg1tGVZ/view?usp=sharing>)
Connection
Service: nc 139.162.29.93 31339