https://github.com/trellix-arc/trellix-hax-2023

Pwn:

Reachable Fruit:

You, your cohorts, and a double-agent deep behind enemy cyber-lines are close to completing an attack chain which, in theory, would allow you to cripple large swaths of the opposing coast's regional communication system. To complete the chain, you must pivot to a media connector from which your malware can access key backend components governing the entire communications system. Your spy on the inside has managed to pass along a fragment of traffic between the target device and a network administrator. She also provided model information in detail sufficient to narrow down the version of firmware likely running on the device. Fortunately, an official firmware image for it was still obtainable: you were able to procure one from a collaborator's personal database, which he had scraped from the vendor's website well before radiation levels and civil war were on anyone's mind.

Armed with these two artifacts, you must find a way to achieve code execution on the media connector and avail yourself of the flag!

https://trellixhax-reachable-fruit.chals.io/

Hint: It looks like the server will not return just any old file type...

[firmware.bin](<https://hax.trellix.com/files/f7f9f9832d4f97b86a1a414bdcd46a0d/firmware.bin?token=eyJ1c2VyX2lkIjozNzcsInRlYW1faWQiOjIxOSwiZmlsZV9pZCI6MTZ9.Y_oGkw.XvA5jrcCsPXChfDwL4RykzYaNoI>)
[traffic.pcap](<https://hax.trellix.com/files/5c01a5bae0ce4bb5bfac8b8fa9c0065f/traffic.pcap?token=eyJ1c2VyX2lkIjozNzcsInRlYW1faWQiOjIxOSwiZmlsZV9pZCI6MTd9.Y_oGkw.rkTsAQIjSe2ZZ0Op49P-WOur0gQ>)

Reachable Fruit.zip

Free Yo' Radicals Part II:

The other side has noticed our presence on their server and has removed the call to the "print_flag" function. Using the knowledge you gained in Part I, attempt to find any possible vulnerabilities in the way the opposing side's developers implemented the server-side processing of the protocol. Once you've identified these vulns, your task will be to craft a remote exploit which can be used to execute the "print_flag" function. Doing so will bring us one step closer to establishing persistence on this system, and ensuring we have the intel we need to prevent exposing our scouts to dangerous radiation.

The URL below points to a TCP listening socket which uses SSL. You can interact with the server using snicat or another tool of your choice.

trellixhax-free-yo-radicals-part-ii.chals.io:443

Hint: Developers can lose track of memory management when not careful. Heap allocation and clean up is a bit tricky.

[server_binary](<https://hax.trellix.com/files/0aeac2cc385cb68e7918090125e77065/server_binary?token=eyJ1c2VyX2lkIjozNzcsInRlYW1faWQiOjIxOSwiZmlsZV9pZCI6MzJ9.Y_oMtw.pUL3c9CtKc5SvNHkywf-PXQtJEY>)

Free Yo' Radicals Part II.zip

Free Yo' Radicals Part III:

The other side's developers identified your previous exploitation of their binary, so they hardened the system further by adding all the mitigations they could think of and stripping out symbols. Since we still need code execution on this system to map out regions safe for us to expand into, we need you to overcome the extra protections. Determine if their mitigation strategy truly addressed the root cause of the original issue and if there is still a way to exploit this system to call the "print_flag" function.

The URL below points to a TCP listening socket which uses SSL. You can interact with the server using snicat or another tool of your choice.

trellixhax-free-yo-radicals-part-iii.chals.io:443

Hint: When the old ways stop working, it's time to evolve. Are you sure all the leaks were patched?

[server_binary](<https://hax.trellix.com/files/6aaf5ae8153018bfaedbd227d3f5892e/server_binary?token=eyJ1c2VyX2lkIjozNzcsInRlYW1faWQiOjIxOSwiZmlsZV9pZCI6MzN9.Y_oM9g.QDdvW1bMBDo-T1jnJUytU-Ptoz4>)

Free Yo' Radicals Part III.zip

Reverse:

Spying Through the Webdoor:

Our adversaries managed to compromise one of the hosts under territorial management. It was well-isolated from the core network, and initially declared inconsequential, until a SOC analyst discovered a backdoored webserver lurking in the tmp directory. You must reverse engineer the backdoor to recover whatever information you can about their tactics, including the key used to establish remote access to the host.

Hint: The system waits for you beyond the gateway.

[arc-httpd](<https://hax.trellix.com/files/20d4e3b39f6db9edeb78f4aea6644246/arc-httpd?token=eyJ1c2VyX2lkIjozNzcsInRlYW1faWQiOjIxOSwiZmlsZV9pZCI6MjZ9.Y_oPew.PTY079jesYFPYe28JPOMpfuMliU>)

Spying Through the Webdoor.zip

Free Yo' Radicals Part I: