https://ajomix.hashnode.dev/pwn-coolpool-tetctf2024

https://lephuduc.github.io/posts/tetctf2024/

https://mystiz.hk/posts/2024/2024-02-03-tetctf-adapt/

https://gist.github.com/nguyenduyhieukma/3b6107461035d21aa85650d5fc8a7601

https://hackmd.io/@Solderet/HJ52F9496

https://ctf.edwinczd.com/2024/tetctf-2024

https://hackmd.io/mg5ob_vrRVa3WXyHrPNbzA?view

Pwn:

pwn01:

Chall name:
- Chill

Category:
- Pwn

Author:
- chung96vn

Description:
Goal
Read flag

Material:
[pwn01.7z](<https://drive.google.com/file/d/1rPWp0GAAzRVq2eDlTBlh77Ed0btZv7O3/view?usp=sharing>)

Connection
Website: <http://172.105.117.188/>
Service: nc 172.105.117.188 31337

pwn02:

Chall name:
- CoolPool

Category:
- Pwn

Author:
- linhlhq

Description:

Goal
- Spawn cmd with SYSTEM
- Read the flag in C:\flag.txt (readable only by SYSTEM)

Environment
- Windows 10 Pro 22h2
	- OS Build 19041.vb_release.191206-1406
- Load coolpool.sys (sha1: F8B1238982E60E64DA444F39368E45B81626C100)
- Account
	- ctf/tetctf2024
	- admin/tetctf2024
- ntoskrnl.exe (sha1: 39D3060EF96BB18544C452EAD5ECF8DCB8C2D139)

Test
You can use the following command and use VNC for testing:

qemu-system-x86_64 -enable-kvm -m 4096 -smp cores=4 -hda windows.qcow2 -cpu host,+smep,+smap,+pcid -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::9696-:9696 -monitor stdio
The VM is just for your final test. You can also use your own VM to test, but you need to make sure the build version is the same as 19041.vb_release.191206-1406.

Remote Service
- Our service will be hosted at xxxxx:xx, you need to use the team token to log in to the service.
- Each team will have 3 accesses to the VM:
	- Please make sure your exploit works locally in the environment we provide first.
	- You can only use the VM for 10 minutes at a time.
	- If it BSODs, we won't restart it.

Environment
We will run qemu with the following command:

qemu-system-x86_64 -hda windows.qcow2 -m 4096 -smp cores=4 -enable-kvm -cpu host,+smep,+smap,+pcid -nographic -monitor /dev/null -loadvm ctf_snapshot -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::{port}-:{port}

- The snapshot just logs in to the ctf account and runs C:\ctf\start.cmd.
- It will run C:\ctf\cmd.exe at Low integrity.
- When you connect to the service and select Access VM, we will automatically connect to the VM to spawn cmd for you to use.
- You can use curl to download your binary to %TEMP%\Low or c:\ctf\tmp.

Material:
[Driver](<https://drive.google.com/file/d/13JPhvk8CNUWStdzI3Qf1c5gvGcbFh4bc/view?usp=sharing>)
[VM](<https://drive.google.com/file/d/1D_PhUvkDeGL2gYZlHa73qnIwGwXU21F1/view?usp=sharing>)
Password for unzip: tetctf2024

nc 123.24.204.45 1337

driver.zip

pwn03-flag1:

Chall name:
- Secure Notes

Category:
- Pwn

Author:
- peternguyen

Description:
Goal
Read flag1

Material:
[secure_notes.7z](<https://drive.google.com/file/d/1J15f1DQryWpxDXvBkFSk33b3ikg1tGVZ/view?usp=sharing>)

Connection
Service: nc 139.162.29.93 31339
