Blog posts

Here you’ll find all the blog posts about anything and everything I’m doing, e.g. CTF writeups, link lists, tutorials, feedback…

Containers on demand: leveraging ContainerSSH for a students' lab

Setup, feedback and going further

Context

When designing and teaching computer science labs, one needs to let students start easily, while ensuring that the lab can be done the same way by everyone and that troubleshooting is easy for the teacher. Between the labs I was taught and the ones I taught myself, I witnessed several ways of distributing lab environments to students, each with its ups and downs. The easiest is to just ask the students to install the necessary tools and software, either on their personal machines or on the ones available in the lab room. However, this does not guarantee that the students have the same, reproducible experience that allows easy troubleshooting by the teacher. Another way is to provide virtual machines, but creating and installing such VMs can be time-consuming, and some students may lack the resources to run VMs smoothly. Finally, hosting the lab on remote VMs for the students is another possibility, but that requires servers with quite a lot of resources.

[Read More]

Operator (Kubernetes and Ansible cloud challenge)

From HTB Business CTF 2022

This challenge deals with a vulnerable Kubernetes node on which Ansible (AWX) is installed.

Challenge info:

We have located Monkey Business operator blog where they are leaking personal information. We would like you to break into their system and figure out a way to gain full control.

Recon

The challenge info does not really give any useful tips, so we start with an nmap scan:

# Nmap 7.92 scan initiated Sat Jul 16 12:37:01 2022 as: nmap -v -p- -sC -A -T4 -oA scan 10.129.188.134
Nmap scan report for operator.htb (10.129.188.134)
Host is up (0.031s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp    open  http          Apache httpd 2.4.41 ((Ubuntu))
|_http-title: MonkeyLeaks
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp  open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=8ae51640f958beb6; Path=/; HttpOnly
|     Set-Cookie: _csrf=8Mmeqdq3hwSqTRyki5eWCCmYJ_Y6MTY1Nzk2Nzg3NzkxMTExMTQ3MA; Path=/; Domain=operator.htb; Expires=Sun, 17 Jul 2022 10:37:57 GMT; HttpOnly
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     Date: Sat, 16 Jul 2022 10:37:57 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="8Mmeqdq3hwSqTRyki5eWCCmYJ_Y6MTY1Nzk2Nzg3NzkxMT
|   HTTPOptions: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     X-Content-Type-Options: nosniff
|     Date: Sat, 16 Jul 2022 10:38:03 GMT
|     Content-Length: 108
|_    template: base/footer:15:47: executing "base/footer" at <.PageStartTime>: invalid value; expected time.Time
8443/tcp  open  ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: 25092d7b-3958-4b2c-9876-f78df5cc93e3
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sat, 16 Jul 2022 10:38:04 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: 446a3c46-92a8-4c3b-ae11-7ec6c770478a
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sat, 16 Jul 2022 10:38:03 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   HTTPOptions: 
|     HTTP/1.0 401 Unauthorized
|     Audit-Id: fb02feb6-645b-4f6d-9516-fcd8d400979c
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sat, 16 Jul 2022 10:38:04 GMT
|     Content-Length: 129
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|_http-title: Site doesn't have a title (application/json).
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
| ssl-cert: Subject: commonName=k3s/organizationName=k3s
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:operator, IP Address:10.129.188.134, IP Address:10.129.227.232, IP Address:10.129.227.241, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Issuer: commonName=k3s-server-ca@1657128507
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2022-07-06T17:28:27
| Not valid after:  2023-07-16T10:21:46
| MD5:   da3f e79a a53f dca3 6c4e 2d8b 5fec d8a6
|_SHA-1: 5b22 f787 f4ea 9dea 81ca f7d6 0937 03b4 cf4d 4e9d
10250/tcp open  ssl/http      Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=operator
| Subject Alternative Name: DNS:operator, DNS:localhost, IP Address:127.0.0.1, IP Address:10.129.188.134
| Issuer: commonName=k3s-server-ca@1657128507
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2022-07-06T17:28:27
| Not valid after:  2023-07-16T10:21:37
| MD5:   8db8 5e9c 41f7 bb4c 0b25 409c d78c 38ed
|_SHA-1: 745c 3d7e 3902 ba98 8374 8329 190e 4771 dd41 49ec
30080/tcp open  http          nginx
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-favicon: Unknown favicon MD5: F479283B993E09934AE4349244AD3BC0
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 42.389 days (since Sat Jun  4 03:19:14 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   30.33 ms 10.10.14.1
2   30.23 ms operator.htb (10.129.188.134)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 16 12:39:42 2022 -- 1 IP address (1 host up) scanned in 160.36 seconds

This scan is typical of a Kubernetes node. We recognize ports 8443 and 10250, used by the different Kubernetes components, and the rest of the scan output makes it obvious as well. We learn that this is a minikube instance.

[Read More]

Trade (AWS cloud challenge)

From HTB Business CTF 2022

This challenge shines a light on different AWS solutions working together to create a functional website. In my opinion it is very interesting to see how cloud technologies are replacing standard websites and servers, and what misconfigurations and security risks this shift creates.

Challenge info:

With increasing breaches there has been an equally increased demand for exploits and compromised hosts. Dark APT group has released an online store to sell such digital equipment. Being part of defense operations, can you help disrupt their service?

Recon

The challenge info does not really give us a clue about which technologies we will be dealing with, so we start with a full scan of the machine with nmap:

[Read More]

Epsilon (AWS cloud challenge)

From HTB UniCTF Quals 2022

This challenge is about AWS and one of its products, Lambda. It allowed me to go deeper into the AWS CLI and how to use it to gain access to cloud infrastructure.

Challenge info:

One of the local shops in your city is releasing new costumes. Go grab them before they run out, as the available stock is very limited.

Recon

Unlike the first one, we don’t immediately know what kind of cloud we’re dealing with. Let’s enumerate with nmap:

[Read More]

SteamCloud (Kubernetes cloud challenge)

From HTB UniCTF Quals 2022

This challenge is a very interesting one about Kubernetes. Even if it is not that hard, it made me practice and learn more about the inner workings of Kubernetes, its various components and how they can be exploited.

Challenge info:

We've installed our Kubernetes cluster inside a steam powered computer, however there's a lot of smoke, therefore we think a bolt is missing. Could you please investigate?

Recon

Cloud is a category that is becoming more and more popular in CTFs. I really didn’t know what to expect, but the challenge info tells us straight away that we’re dealing with a Kubernetes cluster. We first need to enumerate all the possible entry points, so we use nmap:

[Read More]

My ArchLinux setup

What I use for my custom OS

I tested many OSes before choosing to try Arch Linux: my main goal then was to learn the inner workings of an OS and the interactions between its many components by installing and configuring them one by one. After a few months of trying (and configuring) it, I really loved it, and now I’m using Arch as my OS. I’m listing here all the components I assembled to build myself a fully functional and custom OS.

[Read More]

The training websites

Where to go to practice your skills

You’ll find here all the websites I go to in order to test my skills on dedicated cybersecurity challenges. There are a lot of them, each with its own specificities, and when you are beginning in cybersecurity you don’t really know which site to use, so I thought it was a good idea to list all the ones I use and compare them.

Root-me.org, French leader and excellent training site

root-me is a French hacking training website with a lot of categories. Registration is free and all challenges are available to everybody (maybe not the latest ones, but you just have to wait a few months).

[Read More]