Friday, December 29, 2017

34C3 Junior CTF

CTF: 34C3 Junior CTF 2017

Challenge:
SPI

Category:
Misc



We are given a sound file to listen to, which is a recording of various values.
Writing them all down gives us the following:

76 83 48 116 76 105 52 103
76 83 48 116 76 83 52 103
76 105 48 117 76 83 65 116
76 83 48 116 76 105 65 116
76 105 48 117 76 83 52 103
76 83 48 116 76 83 48 103
76 83 52 117 76 83 65 117
76 83 52 117 73 67 48 117
76 83 52 116 76 105 65 116
76 83 48 117 73 67 48 116
76 83 48 116 73 67 48 117
76 83 52 116 76 105 65 116
76 83 48 116 76 83 65 116
76 105 52 116 73 67 52 116
76 105 52 78 67 103 61 61

These are decimal values, so converting to ascii we are given a base64 encoding:

LS0tLi4gLS0tLS4gLi0uLSAtLS0tLiAtLi0uLS4gLS0tLS0gLS4uLSAuLS4uIC0uLS4tLiAtLS0uIC0tLS0tIC0uLS4tLiAtLS0tLSAtLi4tIC4tLi4NCg==

Converting the base64 back to ascii gives us some morse code:

---.. ----. .-.- ----. -.-.-. ----- -..- .-.. -.-.-. ---. ----- -.-.-. ----- -..- .-..

I spent a bit trying to decipher this because it is not just a simple case of decoding it as is. I even reversed the whole code, but that didn't work either, but then I decided to swap all the dashes for dots and all the dots for dashes and got the flag!

...-- ....- -.-. ....- .-.-.- ..... .--. -.-- .-.-.- ...- ..... .-.-.- ..... .--. -.--
                                         

Flag:

34C4.5PY.V5.5PY


===================================

Challenge:
Digital Billboard

Category:
PWN



This program allows us to set text displayed on a billboard, but when exploring the menu options there is a devmode that is locked to the regular user.



Exploring the source code that they give us, this devmode allows us to execute the priviledged function "shell" which gives us access to /bin/bash--so this is our goal here.



Luckily there is an easy way to enable devmode. The set_text function is using the strcpy function, which we can exploit.
The struct for billboard has an array for text with a buffer of 256 bytes, which is immediately followed by the flag for devmode. We can overflow this buffer to change the subsequent value and enable devmode.

Inputting our string we are able to access devmode and use the shell command which gives us an interactive bash shell.
Checking the files in the directory, we find the flag!




===================================

Challenge:
Babybash

Category:
Misc



For this challenge we are dropped into a restricted bash shell, but we need to execute the "get_flag" program.



Luckily we are able to use capital letters and creativity to bypass this.

They throw a bit of a twist into the mix when executing the program for the first time, and it requires an additional argument,so we modify our command a bit and get the flag upon properly execution.



===================================

Challenge:
ARM1

Category:
Rev



Simply running strings on the ARM binary will reveal the flag (the other ARM-related challenges were not this simple...)



===================================

Challenge:
ARM2

Category:
Rev



Upgrading the difficulty from the prior ARM challenge, it seems like the flag is encrypted in some way judging by the characters that follow the "The flag is:" string.



I used a couple of programs to analyze. I used IDA to grab all the hex values for the encrypted string.



And since I couldn't get a good output of the pseudocode for whatever reason, I used Hopper, which gave me the hint that these values were being xor'ed with 0x55.

Using a script that I wrote to automate the decryption of these types of challenges (seems like there are often similar ones in CTFs all the time), we are able to get our flag!



Sunday, December 17, 2017

InCTF | Web Challenge: Liar

Challenge:
Liar

Category
Web



When the site loads, there is nothing on the page except for a message that nothing is on their website--but we know, as the title of the challenge states, this is a big, fat lie.



The hint tells us that the site is using some form of VCS, and after some testing, I discovered the site was using Mercurial. Based on this knowledge, I used wget to download the ".hg/dirstate" file, which is a binary file that is an information directory about the repository.

Running strings on the file, the following was output:



Nice, so now we have a directory to look at, and it seems like there is also a vulnerable PHP to work with as well. The index.html has a form to "find your friends" and this is what is running the PHP.



Inspecting the source code, we get a bit of a hint:



So, I fired up Sqlmap to do the heavy lifting based on the data that was being passed, including name and the captcha:

sqlmap -u "http://liar.inctf.in/1ts_h4rd_t0_gu3ss/vulnerable.php" --data="name=ron&g-recaptcha-response=03AO6mBfw5nAnH7od5LVOqf7H-Yib-8E52lULt4-Zxt9dVb_j3NV6lLCf0BEAK5i3BnYLgoAradJJYGXSCPAe3OhOFJndC4eiJ2ndshWtp74YgsDO-qcfM2Iy4yvDuuCO4N_oIsZ-QtL9uqgqJseKy0ncgRT91QOL7QnKYun60O_2pSwJUN7tgXpxQjqaCzM-V064cRpAHePHKX8nUaAxvRanHQTfINRMFI9MSu1wlJnLO4GS-GD9reD2lZDqIRXJ8bGBRVBDmhtYJ2KUxPVYTMlKnS9BnrsT_eMvMIcef0ULl3-Zc4_qO81sCw0iEEEdjkNbL0PaQ72uUr8TZMH8MQR-xQ3xlNVs_VwZOGu79WeVEMtwLqfVFCONbaOJfpupzHEL17KMCemKxn3gLrNqhAe-7muUxB3EZ7iSQVQa16moJkxPOm8Hf7982" --dump-all --threads=10 --random-agent --dbms=mysql --level=5 --risk=3

The result:





Now when we go to dump all the databases, we get trolled. The CTF database had some leet speak in it that appeared to be the flag, but it was not. Since this is time-based, it will take a while to dump everything in information_schema (there are 61 tables), so I turned to check the mysql database first instead. Guessing a bit here, I first got the "innodb_table_stats" table and then decided to guess that a "phone" column existed in there since the hint in the source code mentioned our answer is in the phone column.

Luckily I was correct!

sqlmap -u "http://liar.inctf.in/1ts_h4rd_t0_gu3ss/vulnerable.php" --data="name=ron&g-recaptcha-response=03AO6mBfw5nAnH7od5LVOqf7H-Yib-8E52lULt4-Zxt9dVb_j3NV6lLCf0BEAK5i3BnYLgoAradJJYGXSCPAe3OhOFJndC4eiJ2ndshWtp74YgsDO-qcfM2Iy4yvDuuCO4N_oIsZ-QtL9uqgqJseKy0ncgRT91QOL7QnKYun60O_2pSwJUN7tgXpxQjqaCzM-V064cRpAHePHKX8nUaAxvRanHQTfINRMFI9MSu1wlJnLO4GS-GD9reD2lZDqIRXJ8bGBRVBDmhtYJ2KUxPVYTMlKnS9BnrsT_eMvMIcef0ULl3-Zc4_qO81sCw0iEEEdjkNbL0PaQ72uUr8TZMH8MQR-xQ3xlNVs_VwZOGu79WeVEMtwLqfVFCONbaOJfpupzHEL17KMCemKxn3gLrNqhAe-7muUxB3EZ7iSQVQa16moJkxPOm8Hf7982" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 -D mysql -T innodb_table_stats -C phone --dump

Though the above took quite a bit to finish, it eventually dumps out our flag:

inctf{H0w_@b0Ut_@n_r3@L_1nJ3c}


InCTF | Rev Challenge: Time

Challenge:
Time

Category
Rev



Since this was an ARM file I couldn't find a way to run it on my machine, so I stuck to disassembling the binary file with Binary Ninja.

Looking at what was going on, I found a big segment of data that definitely looked like it could be important.



Working backwards from here, it became clear that the function that spits out the flag, uses this data, and looking at the disassembly, you can see that the program is taking each one of these hex values and XORing it with 0x7.



I created a Python script to do just that:



Running it we get the flag:



Saturday, December 9, 2017

SECCON 2017 CTF

CTF:
SECCON 2017


Challenge:
Run Me!

Category:
Programming



If you immediately recognize this script as something that is familiar to you, you are right!
It's a script for getting the nth number of the Fibonacci sequence (with some other stuff for our flag). One problem though--the number we need for the flag is SUPER big and it would take waaaay too long for your computer to finish running this.

While it's possible to optimize with memoize perhaps, luckily there are precomputed numbers already available on the net.



So here is the number we need. Looking at the script though we only need the first 32 digits, so I sloppily copied a bunch of numbers, and then threw it into a script to get the flag.




====================================

Challenge:
Putchar Music

Category:
Programming



Using the challenge title as a hint, I was mind-blown to discover Algorithmic Music, which takes single-line C programs to generate cool tunes!

The first step is to compile the code, and then use that file along with Sox to generate a .wav file that we can listen to.



Opening the wav file, it plays the iconic Star Wars theme song, which allows us to construct our flag:
SECCON{STAR_WARS}

====================================

Challenge:
JPEG file

Category:
binary



This challenge gives us a broken JPEG that does not display a proper image, and it's our job to fix it to reveal the flag.

After playing detective in hexedit, I couldn't find anything wrong with the header, but using jpeginfo it guided me to the spot in the hex that needed to be edited.



Conducting some tests by changing the 0xFC value I found in hexedit, which is right where all the actual image data begins, I confirmed that it was indeed the location it was indicating, and turning this into 0x00 allowed the image to display properly.



Monday, December 4, 2017

Shellter Hacking Express #18 | Authenticate Me

CTF:
Shellter Hacking Express #18

Challenge:
Authenticate Me

Category:
Rev/Pwn



This was a pretty neat little rev/pwn challenge. To start, we need to SSH in with the credentials provided.
Exploring the directory we are dropped into there is a flag.txt file, but unfortunately we are not root so we can't open it.
However, there is also a program in the file called 'auth'.

Running it, it asks for identification and then 2 keys. Experimenting a bit, it will only accept integer values as input for the keys, so we know that they need to be numerical or else it won't be accepted.



Time to disassemble this program and find out what's going on.
Using GDB, we can see there are multiple functions, and the one we will zero in on is 'auth'.



Looking at the disassembly, after both scanf functions are called, there are two compare instructions which are used to authenticate the keys input.



The first value we see being compared is 0x1e1d0, which is 123344 in decimal, and the second value, 0x539, is 1337 in decimal. If these values match with what is stored in memory from the scanf, /bin/cat flag.txt is ran, which will give us the flag. So these are clearly the keys we need to input to authenticate! Well, if only it were that easy... Unfortunately just entering them when running the program does not work, so it looks like we will have to find another way to get them in.

Luckily, I found that we are able to perform a buffer overflow with the scanf used in the 'greeting' function which is used to grab our identity. I set breakpoints at the two scanfs in the 'auth' function for my initial test, and then input 100 A's to see what would happen.




At both scanfs in auth, the EAX value which is used to store our key input was overwritten with As. After some trial and error, the offset to reach the first scanf was after 72 bytes and this was confirmed by using some Bs and Cs! However, when looking at this, the keys were being pulled by scanf in a different order than how they were being compared in the assembly.




This is important so we can order our keys properly in the exploit code. Modifying the test python code and subbing in the key values for the Bs and C, and packing them so they are not just passed as decimal, we get the following:



Testing this in GDB with the same scanf breakpoints, we can confirm that they are making it to EAX properly for each scanf.




Time to run it outside of GDB on auth!



And there is our flag!





Sunday, November 26, 2017

TUCTF 2017 | Rev and Pwn Challenges

Challenge:
Funmail
Category:
Rev



Running the binary, we are prompted for a username and password. We already know the username, so we need to find out the password. This is easy enough because it is hard coded and can be discovered by running strings on the program.



Now we log in with our credentials and read the email, which gives us our flag!




Challenge:
Funmail 2.0
Category:
Rev



For this challenge, we get another hard coded password, but the program doesn't work properly and terminates. What to do?



Well, we can grab the address for a function called printFlag, and then use GDB to set a breakpoint in main and set the EIP to the address of printFlag. Continuing to run the program gives us our flag.







Challenge:
Vuln Chat
Category:
Pwn

At first I thought this appeared to be a pretty simple buffer overflow problem, but it was a bit more interesting than that!
Running the program we get prompted for a name and then Djinn enters and asks for proof before he spills the beans with his hot info.

Exploring with objdump a bit, there is a hidden function 'printFlag', so this is going to be our target address to use to overwrite EIP at some point.

Attempting to input a bunch of A's only went so far and I wasn't able to overwrite EIP. Scanf was limiting my overwrite.

Setting some breakpoints at the printf calls, I took a look at the stack and noticed that the scanf buffer was actually on the stack, and it was possible to overwrite far enough to modify this.



I was able to change the scanf buffer to something bigger (I set it to 64 bytes), and then I was finally able to write far enough to overflow and get a segfault.

Using some trial and error to get the proper offset to land the printFlag address, I found that an offset of 54 bytes was the ripe spot.

I wrote up the following exploit in python to be deployed to the server.



Executing this we get our flag!



Powered by Blogger.