Last week, I played the Hack the Vote CTF. There were many difficult challenges, and I finished 151st with 451 points. I solved Reverse 100, Exploitation 100, Forensic 150 and Crypto 100.
I was satisfied to be able to solve challenges in every category except web :-).
Reverse 100 Consul
First, I tried to find out what kind of file was given in this challenge.
$ file consul
consul: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.26, BuildID[sha1]=897c070c53ceb5b58080d891a68b96a197816773, not stripped
$
$ ./consul
Poor Bernie.
$
It seems to be an executable file, but it just outputs ‘Poor Bernie.’ when I execute it, so the next step was to analyze it in IDA.
In IDA, I found several functions that are not used when it executes.
I also noticed that each of these functions (real_help/fake_help/dont_call_me) displays a certain string. For example, real_help prints a string produced by converting the string b in the .data area with a convert function. The pseudocode of real_help is roughly as below. (convert_string is my own name for it. This function adds arg2 to each character in the string, like ROT13.)
int real_help()
{
    BYTE *string;
    /* add 13 to every character of the string b stored in .data */
    string = convert_string((const char *)*b, 13); // Leonardo De P
    printf("%s\n", string);
    return c2();
}
Continuing the investigation, I found other strings in c8, dont_call_me and fake_help that might be decoded the same way, so I tried decoding those strings with every addend from +1 to +0x4f.
Finally, I found the flag by decoding the string in c8 with an addend of 64.
https://github.com/nacayoshi00/CTF-writeup/blob/master/Hack_a_voteCTF/solve_reverse_100.py
Crypto 100 Vermatrix Supreme
In this challenge, I’m given one Python file, so I tried to understand it. In this file, I get the flag when chall() returns true. This function is given two parameters, IV and Seed. It then creates a matrix using genBlockMatrix, fixmatrix and the two parameters.
genBlockMatrix:
This function creates a 3×3 matrix from a string, for example “abcdefghi” -> [[a,b,c],[d,e,f],[g,h,i]]
fixmatrix:
This function computes one matrix from two matrices.
[a1,a2,a3]   [b1,b2,b3]      [a1^b1, a2^b4, a3^b7]
[a4,a5,a6]   [b4,b5,b6]  ->  [a4^b2, a5^b5, a6^b8]
[a7,a8,a9]   [b7,b8,b9]      [a7^b3, a8^b6, a9^b9]
So if I can write the inverses of those functions, I can solve it.
https://github.com/nacayoshi00/CTF-writeup/blob/master/Hack_a_voteCTF/solve_reverse_100.py
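The inversion idea above, as an added example that is not the challenge's code or the linked solver. The function names, the rule that the seed is cut into 9-character blocks, and the chaining in mix() are assumptions; only the fixmatrix formula (XOR with the transpose of the second matrix) comes from the description above.

```python
# Added example: fixmatrix as described above, and its inverse.
# Names and the chaining in mix() are assumptions, not the challenge's own code.

def gen_block_matrix(s):
    """'abcdefghi' -> 3x3 matrix of character codes, filled row by row."""
    if len(s) != 9:
        raise ValueError("a block is exactly 9 characters")
    return [[ord(c) for c in s[r * 3:r * 3 + 3]] for r in range(3)]

def fix_matrix(a, b):
    """out[i][j] = a[i][j] ^ b[j][i], i.e. XOR a with the transpose of b."""
    return [[a[i][j] ^ b[j][i] for j in range(3)] for i in range(3)]

def unfix_matrix(out, b):
    """Recover a from out and b. x ^ k ^ k == x, so the step undoes itself."""
    return fix_matrix(out, b)

def seed_blocks(seed):
    """Assumption: the seed is consumed in 9-character blocks."""
    if not seed or len(seed) % 9:
        raise ValueError("seed length must be a non-zero multiple of 9")
    return [gen_block_matrix(seed[i:i + 9]) for i in range(0, len(seed), 9)]

def mix(iv, seed):
    """Assumed forward direction: fold every seed block into the IV matrix."""
    state = gen_block_matrix(iv)
    for block in seed_blocks(seed):
        state = fix_matrix(state, block)
    return state

def recover_iv(result, seed):
    """Undo mix() by peeling the seed blocks off in reverse order."""
    state = result
    for block in reversed(seed_blocks(seed)):
        state = unfix_matrix(state, block)
    return "".join(chr(v) for row in state for v in row)

if __name__ == "__main__":
    seed = "CONSTRUCTEDSEED123"  # constructed sample, 18 characters
    iv = "ABCDEFGHI"              # constructed sample
    out = mix(iv, seed)
    print(out)
    print(recover_iv(out, seed))
```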
Exploitation 100 IRS
In this challenge, one executable file is given. First I analyzed it with the file command, the checksec command and IDA Pro.
$ checksec -f irs
RELRO        STACK CANARY      NX           PIE      RPATH      RUNPATH      FORTIFY  Fortified  Fortifiable  FILE
Full RELRO   No canary found   NX enabled   No PIE   No RPATH   No RUNPATH   No       0          5            irs
$ file irs
irs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=00041d69ae706e1877c8a618dc092b33499c4d6d, stripped
$
This file has a stack overflow vulnerability in the user input after “y/n” in “3 edit a tax return”, because of the gets() function.
When I input more than 25 characters, I can get EIP. Finally, I want to know Tramp’s password, so I use printf from the .got and the address that contains Tramp’s password to leak it.
But the server has ASLR enabled, so this address changes randomly. Since this file is an x86 executable, I think I can leak the password by brute-forcing the heap address (the heap address changes within a range of 0x1ff000).
https://github.com/nacayoshi00/CTF-writeup/blob/master/Hack_a_voteCTF/solve_pwn_100.py
# At first, I thought that I needed to get a shell, so I leaked libc_base and used ROP to get a shell, but it was not needed … :-(. The method to get a shell is as below.
- Leak the libc version and base address: using libc database (https://github.com/niklasb/libc-database)
- Build the ROP chain: using ROPgadget (https://github.com/JonathanSalwan/ROPgadget)
Forensic 150 Warp Speed
At first I am given one picture, and I spent a long time fixing it X-P.
[GIMP file]
https://github.com/nacayoshi00/CTF-writeup/blob/master/Hack_a_voteCTF/Forensic%20150%20Warp%20Speed.xcf

