============================================================
STEP 1: PASSIVE RECONNAISSANCE
============================================================
Starting with passive information gathering to minimize detection risk.
[*] What's your first approach?
1. OSINT via search engines and public records.
2. Check DNS records and certificate transparency logs.
3. Analyze job postings for technologies used and employee roles.
>> Enter your choice: 1
[*] Processing your choice...
[*] Gathering intelligence from public sources...
[+] OSINT Results:
- Company uses Microsoft Exchange for emails.
- LinkedIn profiles show many employees listing 'Remote Work'.
- Glassdoor reviews mention 'outdated internal HR portal'.
============================================================
STEP 2: SUBDOMAIN ENUMERATION
============================================================
You need to find potential attack surfaces. How do you enumerate subdomains?
[*] Choose your enumeration method:
1. Passive enumeration using certificate transparency and search engines.
2. DNS brute force with a common small wordlist.
3. Aggressive DNS enumeration with a very large wordlist.
>> Enter your choice: 1
[*] Processing your choice...
[*] Consolidating passive subdomain enumeration results...
[+] Known subdomains: ['vpn.securecorp.com', 'portal.securecorp.com', 'mail.securecorp.com']
[+] Passive enumeration completed without raising alarms.
============================================================
STEP 3: PORT SCANNING (Target: vpn.securecorp.com)
============================================================
Time to identify services on a public-facing asset (e.g., vpn.securecorp.com).
[*] Choose your scan type for 'vpn.securecorp.com':
1. Stealth SYN scan of top ports.
2. Full TCP connect scan of common ports.
3. Aggressive scan with OS detection, version detection, and scripts.
>> Enter your choice: 1
[*] Processing your choice...
┌─────────────────────────────┐
│  root@bandersnatched:~$ _   │
│                             │
│  [SCANNING TARGET...]       │
│                             │
│  ████████████████████ 100%  │
│                             │
└─────────────────────────────┘
[*] Starting stealth SYN port scan against vpn.securecorp.com...
[*] Initializing scan engine...
[*] Scanning ports:
[-] 21 /tcp [CLOSED]
[+] 22 /tcp [OPEN] ssh
[-] 23 /tcp [CLOSED]
[-] 25 /tcp [CLOSED]
[+] 53 /tcp [OPEN] domain
[*] [ 29%] Scan progress...
[+] 53 /udp [OPEN] domain
[+] 80 /tcp [OPEN] http
[-] 110 /tcp [CLOSED]
[-] 135 /tcp [CLOSED]
[-] 139 /tcp [CLOSED]
[*] [ 58%] Scan progress...
[+] 443 /tcp [OPEN] https
[-] 993 /tcp [CLOSED]
[-] 995 /tcp [CLOSED]
[+] 1194 /udp [OPEN] openvpn
[-] 3389 /tcp [CLOSED]
[*] [ 88%] Scan progress...
[-] 5432 /tcp [CLOSED]
[-] 8080 /tcp [CLOSED]
[+] Scan complete. Found 6 open ports.
[+] Stealth scan completed. Low chance of detection.
[DEBUG] OpenVPN found, proceeding to Credential Validation.
============================================================
STEP 4: CREDENTIAL VALIDATION / LOGIN ATTACKS
============================================================
You might have breached credentials or identified services to target directly.
[*] How do you test credentials or attack login services?
1. Test Sarah Mitchell's breached credentials against the SSL VPN (vpn.securecorp.com).
2. Try John Davis's breached credentials against a known SSH service.
3. Attempt login to Microsoft OWA (mail.securecorp.com) with Sarah Mitchell's credentials.
4. Attempt to discover VPN configuration files on the VPN server (requires file system knowledge).
>> Enter your choice: 3
[*] Processing your choice...
[*] Testing sarah.mitchell:Summer2019! against OWA...
[-] OWA Login failed.
============================================================
STEP 4: CREDENTIAL VALIDATION / LOGIN ATTACKS
============================================================
You might have breached credentials or identified services to target directly.
[*] How do you test credentials or attack login services?
1. Test Sarah Mitchell's breached credentials against the SSL VPN (vpn.securecorp.com).
2. Try John Davis's breached credentials against a known SSH service.
3. Attempt login to Microsoft OWA (mail.securecorp.com) with Sarah Mitchell's credentials.
4. Attempt to discover VPN configuration files on the VPN server (requires file system knowledge).
>> Enter your choice: 4
[*] Processing your choice...
============================================================
FILE CHOICE STEP: VPN CONFIGURATION FILE DISCOVERY
============================================================
You've gained access to the VPN server directory structure.
To find VPN configuration files, you need to search for specific file types.
[*] What file type should we search for in the VPN directory?
[*] You need to specify a file type/extension to search for.
[*] Common examples: .txt, .conf, .log, .key, .ovpn, .backup, .sql
>> Enter file extension (with dot, e.g., .conf): .ovpn
[*] Searching for *.ovpn files in VPN directories...
[+] JACKPOT! Found OpenVPN client configuration files:
- /vpn/configs/sarah.walker12.ovpn
- /vpn/configs/john.davis.ovpn
- /vpn/configs/admin.ovpn
[+] These files likely contain embedded credentials or certificates!
[*] Analyzing discovered .ovpn files...
[*] Extracting embedded authentication from sarah.walker12.ovpn...
[+] Found embedded auth-user-pass credentials:
Username: sarah.walker12
Password: ilovecats43
[+] Also found server connection details:
Server: vpn.securecorp.com
Port: 1194
Protocol: UDP
[+] OpenVPN connection established using extracted credentials!
[+] VPN access granted - you now have internal network access.
[+] Assigned internal IP: 10.0.2.150
============================================================
STEP 6: INTERNAL NETWORK RECONNAISSANCE
============================================================
[+] You now have internal network access via OPENVPN
[*] Choose your internal reconnaissance approach:
1. Carefully scan common internal ports on 10.0.1.0/24 (Corp Net) & 10.0.2.0/24 (VPN Net) for key servers.
2. Attempt to enumerate Active Directory (if domain joined from VPN).
3. Look for internal web applications, especially those hinted at.
>> Enter your choice: 1
[*] Processing your choice...
[*] Scanning internal networks (simulated)...
[+] Internal scan results (simulated):
- 10.0.1.10 (SECURECORP-DC01): Ports 53, 88, 389, 445
- 10.0.1.50 (HR-PORTAL-APP): Port 80 (HTTP) - Internal HR Portal on Corp Net
[DEBUG] HR Portal found by internal scan.
============================================================
STEP 7: LATERAL MOVEMENT
============================================================
Time to move laterally within the internal network to find valuable targets.
[*] Choose your lateral movement technique:
1. Attempt to exploit DC (10.0.1.10) using known vulnerabilities.
2. Target the HR Portal (10.0.1.50) with web attack techniques.
3. Use credentials (if any found) to access File Server or Database Server.
>> Enter your choice: 2
[*] Processing your choice...
[DEBUG] Targeting HR Portal.
============================================================
STEP 8: INTERNAL WEB APPLICATION EXPLOITATION (HR Portal at 10.0.1.50)
============================================================
The HR Portal is your target - this likely contains employee PII data.
[*] Choose your attack for the HR Portal:
1. Test for default credentials.
2. Attempt SQL injection on login form.
3. Look for common vulnerabilities like Local File Inclusion (LFI).
4. Search for backup files in the web directory (requires file type knowledge).
>> Enter your choice: 4
[*] Processing your choice...
============================================================
FILE CHOICE STEP: DATABASE FILE DISCOVERY
============================================================
You've found a backup directory on the HR server.
Database backups are stored here but you need to find the right file type.
[*] What file extension should we search for in the backup directory?
[*] You need to specify a file type/extension to search for.
[*] Common examples: .txt, .conf, .log, .key, .ovpn, .backup, .sql
>> Enter file extension (with dot, e.g., .conf): .backup
[*] Searching for *.backup files in backup directories...
[+] Found backup files:
- /backups/system.bak
- /backups/config.backup
[*] These look like system backups. Try a database-specific format...
============================================================
FILE CHOICE STEP: DATABASE FILE DISCOVERY
============================================================
You've found a backup directory on the HR server.
Database backups are stored here but you need to find the right file type.
[*] What file extension should we search for in the backup directory?
[*] You need to specify a file type/extension to search for.
[*] Common examples: .txt, .conf, .log, .key, .ovpn, .backup, .sql
>> Enter file extension (with dot, e.g., .conf): .sql
[*] Searching for *.sql files in backup directories...
[+] EXCELLENT! Found SQL dump files:
- /backups/hr_employees_2024.sql
- /backups/payroll_data.sql
- /backups/personnel_records.sql
[*] Downloading and analyzing SQL dump files...
[+] Successfully extracted employee PII data:
- 15,847 employee records
- Social Security Numbers
- Home addresses
- Salary information
- Emergency contacts
============================================================
STEP 9: DATA EXFILTRATION
============================================================
You've gained access to the HR system containing employee PII!
Now you need to exfiltrate this data without triggering DLP systems.
[*] Choose your exfiltration method:
1. Compress and encrypt PII data, then exfiltrate via DNS tunneling.
2. Exfiltrate small chunks of data via HTTPS POST requests to a controlled external server.
3. If Domain Admin, use an existing trusted channel like Exchange to send data externally.
>> Enter your choice: 1
[*] Processing your choice...
[*] Compressing PII data into 'employee_data.tar.gz.gpg'...
[*] Initiating DNS tunneling to exfiltrate data (simulated slow transfer)...
Transferring [##########] 100% (SOLVER_MODE FAST)
[+] Data successfully exfiltrated via DNS tunneling!
================================================================================
██╗   ██╗██╗ ██████╗████████╗ ██████╗ ██████╗ ██╗   ██╗
██║   ██║██║██╔════╝╚══██╔══╝██╔═══██╗██╔══██╗╚██╗ ██╔╝
██║   ██║██║██║        ██║   ██║   ██║██████╔╝ ╚████╔╝
╚██╗ ██╔╝██║██║        ██║   ██║   ██║██╔══██╗  ╚██╔╝
 ╚████╔╝ ██║╚██████╗   ██║   ╚██████╔╝██║  ██║   ██║
  ╚═══╝  ╚═╝ ╚═════╝   ╚═╝    ╚═════╝ ╚═╝  ╚═╝   ╚═╝
********************************************************************************
[+] MISSION ACCOMPLISHED!
You have successfully compromised SecureCorp's systems and extracted PII!
[*] FLAG CAPTURED:
FLAG{b4nd3rsn4tch3d_m4st3r_h4ck3r}
================================================================================