Sunday, November 26, 2017

TUCTF 2017 | Rev and Pwn Challenges

Challenge:
Funmail
Category:
Rev



Running the binary, we are prompted for a username and password. We already know the username, so we need to find out the password. This is easy enough because it is hard-coded and can be discovered by running strings on the program.



Now we log in with our credentials and read the email, which gives us our flag!




Challenge:
Funmail 2.0
Category:
Rev



For this challenge, we get another hard-coded password, but the program doesn't work properly and terminates. What to do?



Well, we can grab the address of a function called printFlag, then use GDB to set a breakpoint in main and set EIP to the address of printFlag. Continuing the program gives us our flag.







Challenge:
Vuln Chat
Category:
Pwn

At first I thought this was a pretty simple buffer overflow problem, but it was a bit more interesting than that!
Running the program, we get prompted for a name, and then Djinn enters and asks for proof before he spills the beans with his hot info.

Exploring with objdump a bit, there is a hidden function 'printFlag', so this is going to be our target address for overwriting EIP at some point.

Inputting a bunch of A's only went so far and I wasn't able to overwrite EIP: the length limit on scanf was restricting my overwrite.

Setting some breakpoints at the printf calls, I took a look at the stack and noticed that the scanf buffer size was itself stored on the stack, and it was possible to overwrite far enough to modify it.



I was able to change the scanf buffer size to something bigger (I set it to 64 bytes), and then I was finally able to write far enough to overflow and get a segfault.

Using some trial and error to get the proper offset to land the printFlag address, I found that an offset of 54 bytes was the right spot.

I wrote up the following exploit in Python to be run against the server.



Executing this we get our flag!



TUCTF 2017 | Web Challenges

Challenge:
High Source
Category:
Web



Accessing the web page and immediately looking at the source, we get trolled. Nothing here... But what about the login.js source?



Oh hey, a password! Using this to log in, we then get our flag!






Challenge:
Cookie Duty
Category:
Web




The first page we land on gives a good hint that this will involve cookies... We aren't admin, but can we become admin by modifying the cookie? "not_admin" is set to 1, so if we change it to 0 we should become admin.



Changing the cookie and making a GET request with Burp Suite, we trick the site into thinking we are admin and get our flag!
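Cookie Duty works because the server trusts a flag the client can edit. As an added example (not the challenge's own code), here is a hypothetical model of that check beside an HMAC-signed replacement where the server, not the client, decides the role; `SERVER_KEY` and the `role.mac` cookie layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of the Cookie Duty check (not the challenge's server):
# the client's own cookie value decides whether the request is admin.
def is_admin_naive(cookie: dict) -> bool:
    return cookie.get("not_admin") == "0"

# Hardened version: the server decides the role and signs it. The key is
# generated per process here; a real app would load it from configuration.
SERVER_KEY = secrets.token_bytes(32)

def issue_cookie(role: str, key: bytes = SERVER_KEY) -> str:
    """Cookie layout assumed here: '<role>.<hex HMAC-SHA256 of role>'."""
    mac = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{mac}"

def role_from_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the role only if the MAC verifies, otherwise None."""
    role, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak matching prefixes
    if not hmac.compare_digest(mac, expected):
        return None
    return role

def is_admin_signed(cookie: str, key: bytes = SERVER_KEY) -> bool:
    return role_from_cookie(cookie, key) == "admin"

def tamper(cookie: str, new_role: str) -> str:
    """Repeat the write-up's edit: change the role, keep everything else."""
    _, _, mac = cookie.rpartition(".")
    return f"{new_role}.{mac}"
```

With the signed scheme the same edit that solved the challenge is rejected, because the MAC no longer matches the modified role.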




Challenge:
Git Gud
Category:
Web



Based on the challenge description we know that the site is using a version control system, and the title gives away that we are looking for something git-related. After researching this a bit, it turns out the /.git directory is accessible, which exposes all of the history info, objects, and so on.



To make this a bit easier, I just downloaded everything and used the command line to traverse the directories. In the master file you can see an update entry for adding a flag, and using the hashes on the left we can cat the objects until we are able to see the past entry and get our flag!






Challenge:
Cookie Harrelson
Category:
Web



More cookies! Inspecting the response/request headers upon loading, we can see that there is a cookie being passed.



This is encoded in base64, and decoding it we get:
cat index.txt

Neat... so what if we just encode something like 'cat flag.txt' in base64 and swap it in? Well, this is what I did, but it wasn't as easy as that. Unfortunately, when substituting something different, the cookie gets modified and becomes something like this:

cat index.txt #(new command here)

So we are getting filtered and need to bypass it somehow! After a lot of experimentation and trial and error, the trick here is to insert a carriage return. Using Burp to decode the original cookie, modify it, and then re-encode it, we get our new cookie.



Now we can put this in Repeater and make our GET request, which gives us the flag!





Challenge:
iFrame and Shame
Category:
Web



This challenge took a bit of trial and error to solve. I started by checking for input validation in the search box by adding a ", and that seemed to break the format a bit, which tipped me off that there might be a possibility for command injection.

After trying different things for a while, the following input worked as a test:
"; echo $(ls) #



Based on this, we just change our command to give us our flag:
"; echo $(cat flag) #



TUCTF 2017 | VM Challenges

Challenge:
Gateway
Category:
VM


This CTF provided a VM which encompassed a number of different challenges, the first of which is
to actually access it. When booting the VM, we find that the drive it's accessing is
encrypted and you need a passkey to decrypt it. Luckily there is an unencrypted drive that is
accessible.

To access this, we need to add a live CD to the VM so that we can boot off that instead.
I chose to use Kali Linux for this. Once we boot into Kali, we can access the unencrypted
drive which is labeled "Boot".

Right away there is a file that stands out: "usefultool.exe".
Running this, we discover that it is just a program that ROT13s whatever string you provide, so
this is a pretty good indicator that our flag will be ROT13-encoded and need decoding.

Looking around the drive more, I didn't find anything else of use, so I took a closer look at the
.exe. Running strings on it, I found something interesting.

However, this turned out to only be part of the flag. Looking closer at the strings output,
it seems that the exe has been packed with UPX. Using UPX to unpack it, we can finally get the full
output of all the strings, as well as our full ROT13 flag.




Decoding it, we get our flag as well as the password to decrypt the drive.




Challenge:
Leap of Faith
Category:
VM



This challenge used the same exe as the previous challenge. I overthought this one a lot, but looking at all the strings in GDB via the function 'randomPaddingFunction' that I was told to ignore, I finally realized that the first letter of each string gave the flag!




Challenge:
Worth a Thousand Words
Category:
VM



In the photos folder on the VM there are three different jpgs. Each one contains a part of the flag.
Using strings on 1.jpg we get the first part which is just TUCTF{.



2.jpg has a hidden file inside it, and we can extract it with binwalk. Dumping the contents, we get the second part of the flag: Devils



3.jpg is corrupted and needs to be fixed before we can open it. This took a bit of research, but once I found which portions of the IHDR were wrong, I was able to edit them in a hex editor so the image could be displayed. Running pngcheck helped confirm when it was actually fixed.

Broken:


Edited:


Opening the image, there is a barcode on the screen in the picture, and scanning this gives us the final part of the flag: InThePixels}
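The IHDR repair above can be checked and reproduced programmatically. As an added example (not the write-up's own tooling), the following validates the IHDR fields and CRC the way pngcheck reports them and rewrites the header with a fresh CRC; the 1x1 PNG built inline is a constructed sample, not the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Allowed bit depths per colour type, from the PNG specification.
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length, type, body, CRC-32 over type+body (the layout every PNG chunk uses)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def check_ihdr(data: bytes) -> list:
    """Return the header problems a tool like pngcheck would report (empty list = OK)."""
    problems = []
    if data[:8] != PNG_SIGNATURE:
        problems.append("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return problems + ["first chunk is not a 13-byte IHDR"]
    body, stored_crc = data[16:29], struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
        problems.append("IHDR CRC mismatch")
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    if width == 0 or height == 0:
        problems.append("zero width or height")
    if depth not in VALID_DEPTHS.get(color, set()):
        problems.append(f"bit depth {depth} is invalid for colour type {color}")
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        problems.append("bad compression, filter or interlace byte")
    return problems

def repair_ihdr(data: bytes, width: int, height: int, depth: int, color: int) -> bytes:
    """Rewrite the IHDR fields (what the hex edit did) and recompute the chunk CRC."""
    body = struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, 0)
    return PNG_SIGNATURE + make_chunk(b"IHDR", body) + data[33:]

def constructed_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG built inline: constructed sample, not a CTF file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one gray pixel
    return PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")

def corrupted_png() -> bytes:
    """The same image with its IHDR body zeroed and the old CRC left in place."""
    good = constructed_png()
    return good[:16] + b"\x00" * 13 + good[29:]
```

A stale CRC is the usual giveaway that someone edited the header by hand; after `repair_ihdr` the chunk verifies again and the image opens.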




Challenge:
Euchlid Go Away
Category:
VM

This was one of my favorite challenges of the CTF. Connecting with netcat, we are dropped into a text-based game. There is a lot of messaging about a rumored hidden room, so I guessed this is exactly what needed to be found.



There were a couple of tricks to this: first, we need to be admin, which I guessed would give us some extra powers. Messaging an admin in the game reveals their username, so I took that and logged back in under that admin name.

Next, I sent a message that I had bugged leveling, increased my level past the normal user cap of 255, and made myself 256.
Upon doing so we are identified as admin and have some newfound powers!



One of these is the ability to teleport, along with a map of all the rooms.

Teleporting to the admin room first, there was a function to leave messages for the devs. I immediately thought to input "cat flag.txt". After this, I teleported to the dev room and it gave me the option to read the message I left for myself. This executed the action I left in the message, and I got the flag!



Sunday, November 19, 2017

RC3 CTF 2017

CTF:
RC3 CTF 2017

Challenge
Easy Peasy

Type
Pwn

For this challenge we get a binary to download as well as a remote address/port that is running the same program. Upon connecting we are prompted for a key:



After testing this out, I pulled up Hopper to analyze the binary.



We can immediately see some interesting hex values in the assembly, and checking how the function is constructed in Hopper's C pseudocode we see the following:



It seems that all we need to do is make sure these two hex "phrases" land on the stack at the right place, and then we will be given our flag. However, the key is to land them exactly where the variables need to be for the check to take place.

If we look at the assembly and the code generated by Hopper, we can see that the stack is going to start 24 bytes in (0x18). Furthermore, looking at the output from Hopper, we can see that var_4 (which holds the 0xcafef00d value) is found 4 bytes below the start of the stack (20), and var_8 (the 0xc0ffee value) is found 8 bytes below (16). We now know how much to pad our exploit before we pass the two values to the program.

With all this in mind, we create the following exploit script in Python:



Running this we get our flag!




============================================



Challenge:
"This is where I'd put my Home Page... IF I HAD ONE

Type:
Web



When we access the site, it starts redirecting to different URLs in quick succession, so I turned to curl instead of a browser. Doing so, we discover that there is a hidden character in each response, and chasing each URL it points to we can uncover a hidden message.




Putting it all together we get our flag:



============================================

Challenge:
English Class

Type:
Crypto



Opening up the PDF we see the following:



This smells of a book cipher, but which book? Well, looking at the first letter of each word in the table, we find that it spells out "GUTENBERGDICTIONARYBYVARIOUS". We can access this dictionary online, look up each word one by one, and then use the page numbers to pick the corresponding letter in the word's definition. Doing this gives us our solution:

"yoursolutionisfindingmeaning"

And the flag ends up being "findingmeaning"

=============================================

Challenge:
Science Class

Type:
Crypto



Yet another PDF!



The clue here is chemistry, and we are going to use the periodic table to decode this one.
Using the periodic table as a guide, we look up the corresponding elements where each color block is.

We get:
Be S Ga Se Er

This doesn't spell anything out directly, but if we order the elements according to ROYGBIV (per the colors in the table) we get our flag:

"beergases"


============================================

Challenge:
My Favorite Things

Type:
Reversing



Very simple challenge. Simply download the binary and run strings on it, and we find our flag!




============================================


Challenge:
Catastrophe

Type:
Forensics



Downloading the pcap file, we can follow the TCP stream and immediately see that there is an image. We can rebuild it by exporting the HTTP objects from the capture.



Opening up the image we get our flag!


