Saturday, March 15, 2014

RUCTF Quals 2014 - Shredder - Misc 100 Write-up

        There was only a image file for this task. It was image of shredded hard copy of an e-mail. As it would be so hard to reconstruct the e-mail on computer, we printed the image and shredded it again and reconstructed it. Finally we found the flag : "Ructf_to_shred_is_not_enough".


Thursday, March 13, 2014

RUCTF Quals 2014 - php - Web 100 Write-up

When we looked to this problem there is a text explaining the CTF concept and at the bottom:
Language was detect automatically :)
After that, i looked for files like this:
http://w1.quals.ructf.org/en
http://w1.quals.ructf.org/ru
so it was including the file appropriate to our language we can use this to include any file we wanted, but first we need to find how it detects our language. First we looked for a cookie, nah this was not the way. Then we looked for headers and saw a field named "Accept-Language". Then we tried a request like this with curl:

curl http://w1.quals.ructf.org/ -H"Accept-Language:/etc/passwd"
but we could not find the file which helds the flag so decided to try RFI and it was working too!
By the help of a script like this:
http://file.0xdeffbeef.com/web100siken.txt
we gathered the flag with this request:
$flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';

RUCTF Quals 2014 - Guess the flag - Vuln 100 Write-up

In this challenge we were given a binary file and a server listening on a port:
vuln1.quals.ructf.org:16712 binary 
Flag format is "RUCTF_.*".

when we tried to run the binary file on local we get a segmentation fault and when we disassembled the binary it was due to the absence of a file named "hint". We also get something else it was printing the data with the input it get in cause of it is not the flag. When we run it by nc we see that there is a pattern on the hint and to see it clear we give a "space" for the input and we get an image like this:
 Hmmm, it seems like a 7 isn't it? lets give it as input :)
/
It was really easy, isn't it?

RUCTF Quals 2014 - Posts - Vuln 300 Write-up

Hi, writeups for this CTF have been delayed because of our absence of free time so let's start with something big :D

In this problem we were given a ssh server address and here it is:
ssh vuln2.quals.ructf.org -p 2022 user:Ikiy7ei5
probably it will be closed when you are looking but don't worry we also gathered gadget instructions for better analysis.

It is basically a program for note inserting (taking a lot of input's from you), and then reading them back. Because we are on ssh server there is nothing much to do about disassembling the file but luckily(!) we've got gdb on the server so when we disassembled the file with it we got some interesting parts like this:

first of all it is the part how our name was inputted:
it is using fgets to get from stdin and also gathering 256 bytes (till the newline, or eol).

The second part (and the most interesting one) which gets our note into somewhere after 0x080d7100 by using these calculations and also calling that calculated address:
because of system is getting the input via scanf we can put as much data as we want to overwrite the next function going to be called. The index was easy to calculate after each note the index was shifting 516 bytes from the note title and 260 bytes from the notes body, till the next function pointer and if we overwrite that address we would be able to get the
eip control and we did so. But no :( there was nothing to jump to everything useful was around 0x080d0000 and because of 0d is a newline character we could not use it in our input and it caused us to change our mind from just jumping to system libc function to ROP. (well actually it is our first ROP practice :D). The ASLR was disabled so getting ram addresses didn't make any troubles. And we managed to write a script like this:
http://www.codesend.com/view/b0f764dac29de59e92537fce3d8c1c07/
you can see the memory layout and gadget adresses at the top of the source.

Our note's were not being kept on the stack but the name was. So we used name variable for arranging stack for ROP and note's to overwrite the next function pointer to point our name. Just 2 notes were enough in first we overwrite the next posts pointer and when the system wanted to get the second note it called our overwritten function and ta-daaa :))

** GDB and the real stack addresses were different due to initial stack alignment and by testing we found out that real offset would be 32 bytes away from the gdb's stack.

Wednesday, March 5, 2014

DEFKTHON CTF 2014 - Find the FLAG! - Crypto 400 Write-up

HI!
We were given a lot of description this time :D and here they are:
Alice and Bob went a long way in crypto. They designed a super secure crypto system to encrypt their messages. We managed to steal the source and some other information. Find the FLAG!  
File 
We also got this: Download 
Mirror
File 
We also got this: Download
In the first file we had an example of the algorithm and the cipher we needed to decrypt and from the second file which is an archive we get 3 files 2 keys and the encryption script but script was obfuscated and names in the script were not readable to human, so lets start with de-obfuscating it - we did it by hand- and here is the a bit more readable script:
http://www.codesend.com/view/addce89369568510c33ff3154bf6dd89/

Basically it was reading four keys, and processing an asymmetric encryption on its first argument according to those keys.
The argument string is converted into a base256 number by those lines:
a, bb = argv[1], 0
for ccc in a: bb = (bb*256) + ord(ccc)
So what the encryption doing by mathematically is something like this:

$$T \equiv C^{A} \pmod{B}\\
P \equiv C^{S} \pmod{B}\\
Q \equiv M \cdot T^{S} \pmod{B}$$

where A,B,C and D are values in the keyfiles respectively and S is the random seed generated from D.

We know the values of B and C from the zip archive and P and Q from the message text that is containing an example and the cipher we need to find a way to get the value of M with those guys. Let's examine the $T^{S}$ actually it is equal to $(C^{A})^{S}$ and which is $P^{A}$ we just swapped the exponents. and last line became:

$$Q \equiv M \cdot P^{A}\pmod{B}$$

And besides those things we actually got one more very important data, the EXAMPLE! The example's P value and the P value of the cipher we need to decrypt are equal, also we know that A is equal for both of them so we can get the value of $P^{A}$ from the example -as we know Q and M for it. and then just multiply both sides of our equations with the inverse of the $P^{A}$ modulo B and then get the decrypted cipher lets do it now!

There's our python code for geting the flag:
http://www.codesend.com/view/7d97576bb77a0cc1ca33a717b6c8ed4d/


Tuesday, March 4, 2014

DEFKTHON CTF 2014 - Crack Ajin's message. - Recon 250 Write-up

This was a new type of challenge for us and was really fun :D
We were given a message when we open it we are welcomed by a "mail" encrypted by Mailvelope v0.7.0. We googled for it and came across addons, installed one compatible with our browser and moved on to message again by adding paste.bin to add-ons site's. When we tried to decrypt, it wanted a key file and also a password -which we don't have :( -for now :)))-.
To find the key file and password google'd again Ajin Abraham as mentioned in challenge page. We came across to his personal page! The best thing we could wish! We searched the page and at the end of the HTML file we found a commented line:
<!--pastebin DOT com/TYHfKbtt-->
Let's go for the link! And ta-daa there is the key file! But wait a second we still don't have the passphrase :( lets keep looking for it. We searched the personal page again and see something interesting.
<p id="mail-failure">Unable to send your email! (--wankoff--)</p> 
What this wankoff could be? Can it be our passphrase :))) OF COURSE IT IS!!
Now, we have all the things necessary lets decrypt the mail!

And badumtisss:
 flag { Pretty007G00d007Privacy }

DEFKTHON CTF 2014 - Segmentation Fault - Rev 200 Write-up

We are back with another reversing challenge, you can get the binary from here.
When we dissamble it we see that it is starting a child process with piping its stdin/out and writing some key in the child proccess to the pipe:
and the it is doing some operations with this key code -don't forget the key is a string so they are all chars not a number!.

This is the dissamble result of the lol function -which is doing something with the key :D.
.text:080485F4                 push    ebp
.text:080485F5                 mov     ebp, esp
.text:080485F7                 sub     esp, 28h
.text:080485FA                 mov     eax, [ebp+arg_0]
.text:080485FD                 add     eax, 1
.text:08048600                 movzx   eax, byte ptr [eax]
.text:08048603                 mov     edx, eax
.text:08048605                 mov     eax, [ebp+arg_0]
.text:08048608                 add     eax, 1
.text:0804860B                 movzx   eax, byte ptr [eax]
.text:0804860E                 lea     eax, [edx+eax]
.text:08048611                 mov     [ebp+var_13], al
.text:08048614                 mov     eax, [ebp+arg_0]
.text:08048617                 add     eax, 4
.text:0804861A                 movzx   eax, byte ptr [eax]
.text:0804861D                 mov     edx, eax
.text:0804861F                 mov     eax, [ebp+arg_0]
.text:08048622                 add     eax, 5
.text:08048625                 movzx   eax, byte ptr [eax]
.text:08048628                 lea     eax, [edx+eax]
The same thing keeps going you can get the full function from here.
Let's see what this code is doing:
the first 3 instructions are function prologue -so we can skip them,
after that it is getting the parameter passed to it into eax and making it point to 2nd byte and then putting the byte at that point -strings 2nd char- into the edx doing the same thing again and loading it into eax and then summing them and storing them. It used the indexes 1,1 for the first char. Then it is repating the process for 4th and 5th indexes and so on. All indexes are:
1 1
4 5
8 9
12 12
18 17
10 21
9 25
So we can see from how the function was called, the new string calculated should lead us to the flag!
There is the python script we have written to get the flag:
http://www.codesend.com/view/e1f2c4ce70ddbdf0a3f7bdf06e89be6e/

DEFKTHON CTF 2014 - we love it! - Web 300 Write-up

For this challenge we had an apk file! Well it was exciting at the beggining i was expecting something much more about android but... in the it was a web quest what else could it be :D

To start i get android-sdk so that i can use the emulator to run program and while it was being downloaded, I decompiled the apk package and get a code like this. It was checking if the text entered was "paswd" and sending a web request if it is with some phone data and a random pwd value -which is between [0, 300]. The problem was site kept us telling
You missed something.
Keep trying.
so i thought it must be something about pwd data i get the exact header's for the post request via wireshark and simulate it on computer -of course i got the same response :D- but this time i iterate through all possible pwd values[0, 300] and in the end i got the flag!

Flag is: w00tkitk@t

Python script and request headers:
http://www.codesend.com/view/584e8c192ff7b374732f783321175ce6/

DEFKTHON CTF 2014 - Flag is Here! - Misc 200 Write-up

In this challange we were given a txt file which contains many lines and on each line it was containing 3 integers seperated with comma, and each of these integers was between [0,255] so we thought it might be a RGB formatted image and write a python script to get the image.

The problem was we were not given any size info :( so we keep trying different size's (but we know total count of pixels so when you know one of the w or h the other one most be number_of_lines/known_size) and we get a size of 126x488(wxh) and the image was:
And there is the python script

Sunday, March 2, 2014

Boston Key Party CTF 2014 - risc_emu - Pwning 100 Write-up

In this challange we were given a emulator which suppose to emulate RISC arch as understood from the name but it was different in the code :)

First i tried many RISC instructions and kept getting ERROR! message then i decided to dive into assembly so i saw there are just 10 instructions:


And they were called from a buffer which initialized at the start of main:
and when we give our instruction (base64'd of course) it was calling the appropriate function by accesing this buffer with that code:

so if we could find a way to change the variables in the mainfun buffer we could jump to any function we want -i choosed system- and the best part is our functions first parameter is the rest of our instructions. Lets get the address of the system function:
the first entry of the mainfun is 0x401E80 and our system function is at 0x4010D0 all we need to do is subtract 0x0DB0 from the pointer the first sub instruction -the one with 3 parameters- were disabling as to reach for places from the register memory but the subi instructions memory access was not limited it is where we will exploit the code:
var_C is our first parameter and we are writing to r[rdi*4] with no check lets look at the memory position of r:
it is right above the main::fun buffer so we can overflow it by using subi and it was the operation with the opcode 0x03 it is first parameter is the register number which we will write to. The distance between the buffer and the registers is 0xC0 bytes and each register is 4 bytes in size so if we write to 0x30th register we will write to first function pointer in the main::fun buffer also we want to subtract 0x0DB0 bytes from it so our instruction should be like this:
0x03
0x30
0x0D
0xB0
And after that when we try to access to 0x00th instruction (add) we will call system function and rest of the string as parameter to it -don't forget we are giving them base64'd.

(perl -e 'print "\x03\x30\x0d\xb0\x00cat key"') | base64 | nc 54.218.22.41 4545

and ta-daa :))

Boston Key Party - Dante's Inferno Write-up

We were given a torrent file of a text file. After downloading it, we saw that it was a changed version of publicly available e-book. We downloaded the original file from here. We used meld to compare these two files. And here is the result:

So the password is 'At least this one wasn't a VM'
.
.
( We are 99% sure  mostly because we hadn't had a chance to test it. )