## Monday, December 22, 2014

### HackMETU

Our first CTF try, HackMETU is open for application. We are so excited.

## Monday, May 12, 2014

### Hacktrick 2014 - ORION - Web Write-up

POST /index.php HTTP/1.1
Host: 80.251.47.26
Connection: keep-alive
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://80.251.47.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://80.251.47.26/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4

### RUCTF Quals 2014 - Guess the flag - Vuln 100 Write-up

In this challenge we were given a binary file and a server listening on a port:
vuln1.quals.ructf.org:16712 binary
Flag format is "RUCTF_.*".

when we tried to run the binary file on local we get a segmentation fault and when we disassembled the binary it was due to the absence of a file named "hint". We also get something else it was printing the data with the input it get in cause of it is not the flag. When we run it by nc we see that there is a pattern on the hint and to see it clear we give a "space" for the input and we get an image like this:
Hmmm, it seems like a 7 isn't it? lets give it as input :)
/
It was really easy, isn't it?

### RUCTF Quals 2014 - Posts - Vuln 300 Write-up

Hi, writeups for this CTF have been delayed because of our absence of free time so let's start with something big :D

In this problem we were given a ssh server address and here it is:
ssh vuln2.quals.ructf.org -p 2022 user:Ikiy7ei5
probably it will be closed when you are looking but don't worry we also gathered gadget instructions for better analysis.

It is basically a program for note inserting (taking a lot of input's from you), and then reading them back. Because we are on ssh server there is nothing much to do about disassembling the file but luckily(!) we've got gdb on the server so when we disassembled the file with it we got some interesting parts like this:

first of all it is the part how our name was inputted:
it is using fgets to get from stdin and also gathering 256 bytes (till the newline, or eol).

The second part (and the most interesting one) which gets our note into somewhere after 0x080d7100 by using these calculations and also calling that calculated address:
because of system is getting the input via scanf we can put as much data as we want to overwrite the next function going to be called. The index was easy to calculate after each note the index was shifting 516 bytes from the note title and 260 bytes from the notes body, till the next function pointer and if we overwrite that address we would be able to get the
eip control and we did so. But no :( there was nothing to jump to everything useful was around 0x080d0000 and because of 0d is a newline character we could not use it in our input and it caused us to change our mind from just jumping to system libc function to ROP. (well actually it is our first ROP practice :D). The ASLR was disabled so getting ram addresses didn't make any troubles. And we managed to write a script like this:
http://www.codesend.com/view/b0f764dac29de59e92537fce3d8c1c07/
you can see the memory layout and gadget adresses at the top of the source.

Our note's were not being kept on the stack but the name was. So we used name variable for arranging stack for ROP and note's to overwrite the next function pointer to point our name. Just 2 notes were enough in first we overwrite the next posts pointer and when the system wanted to get the second note it called our overwritten function and ta-daaa :))

** GDB and the real stack addresses were different due to initial stack alignment and by testing we found out that real offset would be 32 bytes away from the gdb's stack.

## Wednesday, March 5, 2014

### DEFKTHON CTF 2014 - Find the FLAG! - Crypto 400 Write-up

HI!
We were given a lot of description this time :D and here they are:
Alice and Bob went a long way in crypto. They designed a super secure crypto system to encrypt their messages. We managed to steal the source and some other information. Find the FLAG!
File
Mirror
File
In the first file we had an example of the algorithm and the cipher we needed to decrypt and from the second file which is an archive we get 3 files 2 keys and the encryption script but script was obfuscated and names in the script were not readable to human, so lets start with de-obfuscating it - we did it by hand- and here is the a bit more readable script:

Basically it was reading four keys, and processing an asymmetric encryption on its first argument according to those keys.
The argument string is converted into a base256 number by those lines:
a, bb = argv[1], 0
for ccc in a: bb = (bb*256) + ord(ccc)
So what the encryption doing by mathematically is something like this:

$$T \equiv C^{A} \pmod{B}\\ P \equiv C^{S} \pmod{B}\\ Q \equiv M \cdot T^{S} \pmod{B}$$

where A,B,C and D are values in the keyfiles respectively and S is the random seed generated from D.

We know the values of B and C from the zip archive and P and Q from the message text that is containing an example and the cipher we need to find a way to get the value of M with those guys. Let's examine the $T^{S}$ actually it is equal to $(C^{A})^{S}$ and which is $P^{A}$ we just swapped the exponents. and last line became:

$$Q \equiv M \cdot P^{A}\pmod{B}$$

And besides those things we actually got one more very important data, the EXAMPLE! The example's P value and the P value of the cipher we need to decrypt are equal, also we know that A is equal for both of them so we can get the value of $P^{A}$ from the example -as we know Q and M for it. and then just multiply both sides of our equations with the inverse of the $P^{A}$ modulo B and then get the decrypted cipher lets do it now!

There's our python code for geting the flag:
http://www.codesend.com/view/7d97576bb77a0cc1ca33a717b6c8ed4d/

## Tuesday, March 4, 2014

### DEFKTHON CTF 2014 - Crack Ajin's message. - Recon 250 Write-up

This was a new type of challenge for us and was really fun :D
We were given a message when we open it we are welcomed by a "mail" encrypted by Mailvelope v0.7.0. We googled for it and came across addons, installed one compatible with our browser and moved on to message again by adding paste.bin to add-ons site's. When we tried to decrypt, it wanted a key file and also a password -which we don't have :( -for now :)))-.
To find the key file and password google'd again Ajin Abraham as mentioned in challenge page. We came across to his personal page! The best thing we could wish! We searched the page and at the end of the HTML file we found a commented line:
<!--pastebin DOT com/TYHfKbtt-->
Let's go for the link! And ta-daa there is the key file! But wait a second we still don't have the passphrase :( lets keep looking for it. We searched the personal page again and see something interesting.
<p id="mail-failure">Unable to send your email! (--wankoff--)</p>
What this wankoff could be? Can it be our passphrase :))) OF COURSE IT IS!!
Now, we have all the things necessary lets decrypt the mail!

flag { Pretty007G00d007Privacy }

### DEFKTHON CTF 2014 - Segmentation Fault - Rev 200 Write-up

We are back with another reversing challenge, you can get the binary from here.
When we dissamble it we see that it is starting a child process with piping its stdin/out and writing some key in the child proccess to the pipe:
and the it is doing some operations with this key code -don't forget the key is a string so they are all chars not a number!.

This is the dissamble result of the lol function -which is doing something with the key :D.
.text:080485F4                 push    ebp
.text:080485F5                 mov     ebp, esp
.text:080485F7                 sub     esp, 28h
.text:080485FA                 mov     eax, [ebp+arg_0]
.text:08048600                 movzx   eax, byte ptr [eax]
.text:08048603                 mov     edx, eax
.text:08048605                 mov     eax, [ebp+arg_0]
.text:0804860B                 movzx   eax, byte ptr [eax]
.text:0804860E                 lea     eax, [edx+eax]
.text:08048611                 mov     [ebp+var_13], al
.text:08048614                 mov     eax, [ebp+arg_0]
.text:0804861A                 movzx   eax, byte ptr [eax]
.text:0804861D                 mov     edx, eax
.text:0804861F                 mov     eax, [ebp+arg_0]
.text:08048625                 movzx   eax, byte ptr [eax]
.text:08048628                 lea     eax, [edx+eax]
The same thing keeps going you can get the full function from here.
Let's see what this code is doing:
the first 3 instructions are function prologue -so we can skip them,
after that it is getting the parameter passed to it into eax and making it point to 2nd byte and then putting the byte at that point -strings 2nd char- into the edx doing the same thing again and loading it into eax and then summing them and storing them. It used the indexes 1,1 for the first char. Then it is repating the process for 4th and 5th indexes and so on. All indexes are:
1 1
4 5
8 9
12 12
18 17
10 21
9 25
So we can see from how the function was called, the new string calculated should lead us to the flag!
There is the python script we have written to get the flag:
http://www.codesend.com/view/e1f2c4ce70ddbdf0a3f7bdf06e89be6e/

### DEFKTHON CTF 2014 - we love it! - Web 300 Write-up

For this challenge we had an apk file! Well it was exciting at the beggining i was expecting something much more about android but... in the it was a web quest what else could it be :D

To start i get android-sdk so that i can use the emulator to run program and while it was being downloaded, I decompiled the apk package and get a code like this. It was checking if the text entered was "paswd" and sending a web request if it is with some phone data and a random pwd value -which is between [0, 300]. The problem was site kept us telling
You missed something.
Keep trying.
so i thought it must be something about pwd data i get the exact header's for the post request via wireshark and simulate it on computer -of course i got the same response :D- but this time i iterate through all possible pwd values[0, 300] and in the end i got the flag!

Flag is: w00tkitk@t

http://www.codesend.com/view/584e8c192ff7b374732f783321175ce6/

### DEFKTHON CTF 2014 - Flag is Here! - Misc 200 Write-up

In this challange we were given a txt file which contains many lines and on each line it was containing 3 integers seperated with comma, and each of these integers was between [0,255] so we thought it might be a RGB formatted image and write a python script to get the image.

The problem was we were not given any size info :( so we keep trying different size's (but we know total count of pixels so when you know one of the w or h the other one most be number_of_lines/known_size) and we get a size of 126x488(wxh) and the image was:
And there is the python script

## Sunday, March 2, 2014

### Boston Key Party CTF 2014 - risc_emu - Pwning 100 Write-up

In this challange we were given a emulator which suppose to emulate RISC arch as understood from the name but it was different in the code :)

First i tried many RISC instructions and kept getting ERROR! message then i decided to dive into assembly so i saw there are just 10 instructions:

And they were called from a buffer which initialized at the start of main:
and when we give our instruction (base64'd of course) it was calling the appropriate function by accesing this buffer with that code:

so if we could find a way to change the variables in the mainfun buffer we could jump to any function we want -i choosed system- and the best part is our functions first parameter is the rest of our instructions. Lets get the address of the system function:
the first entry of the mainfun is 0x401E80 and our system function is at 0x4010D0 all we need to do is subtract 0x0DB0 from the pointer the first sub instruction -the one with 3 parameters- were disabling as to reach for places from the register memory but the subi instructions memory access was not limited it is where we will exploit the code:
var_C is our first parameter and we are writing to r[rdi*4] with no check lets look at the memory position of r:
it is right above the main::fun buffer so we can overflow it by using subi and it was the operation with the opcode 0x03 it is first parameter is the register number which we will write to. The distance between the buffer and the registers is 0xC0 bytes and each register is 4 bytes in size so if we write to 0x30th register we will write to first function pointer in the main::fun buffer also we want to subtract 0x0DB0 bytes from it so our instruction should be like this:
0x03
0x30
0x0D
0xB0
And after that when we try to access to 0x00th instruction (add) we will call system function and rest of the string as parameter to it -don't forget we are giving them base64'd.

(perl -e 'print "\x03\x30\x0d\xb0\x00cat key"') | base64 | nc 54.218.22.41 4545

and ta-daa :))

### Boston Key Party - Dante's Inferno Write-up

We were given a torrent file of a text file. After downloading it, we saw that it was a changed version of publicly available e-book. We downloaded the original file from here. We used meld to compare these two files. And here is the result:

So the password is 'At least this one wasn't a VM'
.
.
( We are 99% sure  mostly because we hadn't had a chance to test it. )

## Thursday, February 27, 2014

### Codegate CTF 2014 - Weirdshark - Forensics 150 Write-up

Here is our file : http://58.229.183.26/files/weird_shark.pcap_f5f1e42dd398f18c43af89ba972b3ee7

Upon trying to open with wireshark we got the error :
That was obvious.

Let's try opening with tcpdump to see what happens :

There is something wrong with the file.

Based on the error massage of wireshark we searched what EPB is.
It was the block that transmitted information lies in.According to wireshark's error we assumed there was something wrong with packet's epb headers but not the information itself.

To fix headers we used online pcap fixer : http://f00l.de/hacking/pcapfix.php.It corrected the error that EPB data exceeds the packet length.

Opening the repaired file via wireshark caused another error:

It seems that fixer changed cap len to 64 but our packets' len is 62.So we filled the packets with 0s to achieve 64 bit packets.

Voila!We can read the packets with wireshark.

and here is the flag.

and here is the one of other files we extracted from pcap file.We think these guys are the builders of this challenge.

## Tuesday, February 25, 2014

### Codegate CTF 2014 - Web Proxy - Web 200 Write-up

In this challenge we were given a proxy and in the html source code
a commented line which states:
it was clear that we should get into that file when we tried to get it from outside
it gave an 403 forbidden error and when you try to get it from inside with exact link
it was giving Access Denied response. So we figure out that the proxy was
processing the url you requested and if it is containing one of the "php" or "//"
it was giving that Access Denied response so we requested the page with just
which should give the default index and it worked but the response wast trimmed
we could get just a few lines and we thought that there might be a vuln in
request that proxy making so i just put the and of the link a %0a which is \n
and ta-daa the headers were gone we got just the contents of the page something
went absolutely wrong. When i examined deeply i see that the proxy is working by
putting the url we requested directly into the request so:

GET "our_url" HTTP/1.1
Host: xxx
.
.
.

the get request was happening that way so i manipulated it by hand to use
Range header it allows us to seek to any wanted byte of the file so i gave an
url like

and the output was checking if the host is "hackme" so i changed my host line
and rearrangen range field for new file to get the password like this:

and ta-daa there is the password.

### Codegate CTF 2014 - 120 Arrows - Web 500 Write-up

By seeing the code it was clear that we are going to make a blind sql injection attack.
The problem was the attack limit we only have 120 chance to get the password,
password was 30 characters long and it was containing all the lowercase letters
- which are 26. So in the worst case a linear attack should try 26*30 different
passwords which is far more than 120. Then the first thing coming into mind is to
try binary search on each character which should take 6 steps per character in
the worst case and in total 6*30=180 if we are lucky enough we can find the answer
in less than that so i give it a try and it worked. If i would be so unlucky
then i would convert each character to base 3 and look for each digit ,there can
be almost 3 digits to represnt 26 in base 3, so it would take 3*30=90 which would
be absolutely enough for the case. And there is our exploit:

Exploit - Web500