
Hayden Housen's solutions to the 2021 HackTheBox "Cyber Santa is Coming to Town" Competition

HHousen HackTheBox "Cyber Santa is Coming to Town" CTF 2021 Writeup

Write-ups for various challenges from the 2021 HackTheBox Christmas CTF.

During the competition period, which was held from 01 Dec 2021 13:00 UTC until 05 Dec 2021 19:00 UTC, I placed 295th out of 8094 (top 3.6%) with a score of 3325/7875 points and 11/25 challenges solved.

I have solved and written a writeup for all Web, Crypto, and Forensics challenges. I did not solve or write guides for any Pwn or Reversing challenges.

Web

  • Toy Workshop (Stored XSS)
  • Toy Management (SQL Injection)
  • Gadget Santa (Command Injection)
  • Elf Directory (PHP File Confusion)
  • Naughty or Nice (JWT "RS256 to HS256" then nunjucks SSTI)

Crypto

  • Common Mistake (RSA Common Modulus Attack)
  • Meet Me Halfway (Double AES Meet-in-the-middle Attack)
  • XMAS Spirit (Affine Cipher Bruteforce)
  • Missing Reindeer (Small RSA Public Exponent Attack)
  • Warehouse Maintenance (Hash Length Extension Attack)

Forensics

  • baby APT (PCAP of Command Injection)
  • Honeypot (Memory Dump, Attacker Connected)
  • Persist (Memory Dump, Persistent Virus)
  • Giveaway (Word Macro Malware)
  • Ho Ho Ho (PCAP with Hidden Ethereum Address)

Pwn

  • Mr Snowy (Did Not Solve)
  • Sleigh (Did Not Solve)
  • Naughty List (Did Not Solve)
  • Minimelfistic (Did Not Solve)
  • Music Notes (Did Not Solve)

Reversing

  • Infiltration (Did Not Solve)
  • Gift Wrapping (Did Not Solve)
  • Intercept (Did Not Solve)
  • Upgraded (Did Not Solve)
  • Bamboozled (Did Not Solve)

Certificate

HTB "Cyber Santa is Coming to Town" CTF Certificate