Last week there were 2 CTFs, so I spent a happy time joining them and solving the challenges. This CTF wasn't too difficult, so I could solve some basic challenges. Some challenges needed more inspiration, so I couldn't get their flags even though I knew how to solve them… :-S
pwn 150 IMS Easy
This challenge's file is below.
https://github.com/nacayoshi00/CTF-writeup/tree/master/20161119_RC3_fall_CTF2016/Pwn150
First I check the file with the file and checksec commands, and I realize that this binary has no security mitigations at all, but the server may have ASLR enabled. So I may need to leak memory and then send shellcode to pwn it.
$ file IMS-easy
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
$
At first, I analyze it in IDA Pro and gdb. I realize that I can overflow the buffer by adding more than 6 records, because there is no check on the number of records.
Below is the memory dump after adding 5 records (each record is shown as [] in the dump). The program only allocates space from 0xffffcd9c to 0xffffcdd4, so I can overwrite the return address (0xffffcde8) when I add the 7th record.
gdb-peda$ x/100wx $esp+0x1c
0xffffcd9c: [0x62626262 0x62626262 0x00000002] [0x63636363
0xffffcdac: 0x63636363 0x00000003] [0x64646464 0x64646464
0xffffcdbc: 0x00000004] [0x65656565 0x65656565 0x00000005]
0xffffcdcc: [0x65656565 0x65656565 0x00000006] 0xffffce7c
0xffffcddc: 0x080481b0 0x00000000 0x080f000c 0x080499c0
0xffffcdec: 0x0804940a 0x00000001 0xffffce74 0xffffce7c
So I can send shellcode through the word and number fields of the records.
Then I also need to know a stack address. I notice that I can learn a stack address with command 3 (view), because the view command has no index bounds check, so I can leak memory contents. For example, if I input an index above "5", the output shows memory values that are out of range. That way I can learn a stack address.
================================================
|RC3 Inventory Management System (public alpha)|
================================================
1. Add record
2. Delete record
3. View record
4. Quit
Choose: 3
Enter the index of the product you wish to view: 7
Product ID: -7813764, Product Code: tň�There are 0 records in the IMS    <- leaked address in ID and code
Finally I write Python code to solve it. First I leak a stack address and compute the shellcode address, then I put that address in the return address slot. The shellcode runs when I choose "4: Quit", and I get the flag!
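As an added check of the layout arithmetic above (this is my own script, not the author's exploit code), the following parses the `x/100wx` dump quoted in this write-up, rebuilds the 12-byte records (8-byte word plus 4-byte number, which is what the dump shows) and computes which record index and field would land on a given stack slot. The record size, the base address 0xffffcd9c and the return-address slot 0xffffcde8 are taken from the text; the function names are mine.

```python
import re

# Added example, not the write-up's exploit script. It parses the gdb-peda
# dump quoted in the write-up and checks the layout arithmetic: records are
# 12 bytes (8-byte word + 4-byte number) starting at 0xffffcd9c, so which
# record index and field overlaps a given stack slot? Record size, base
# address and the saved-return-address slot come from the write-up text.

DUMP = """\
gdb-peda$ x/100wx $esp+0x1c
0xffffcd9c: 0x62626262 0x62626262 0x00000002 0x63636363
0xffffcdac: 0x63636363 0x00000003 0x64646464 0x64646464
0xffffcdbc: 0x00000004 0x65656565 0x65656565 0x00000005
0xffffcdcc: 0x65656565 0x65656565 0x00000006 0xffffce7c
0xffffcddc: 0x080481b0 0x00000000 0x080f000c 0x080499c0
0xffffcdec: 0x0804940a 0x00000001 0xffffce74 0xffffce7c
"""

RECORD_BASE = 0xFFFFCD9C      # first record, per the write-up
RECORD_SIZE = 12              # 8-byte word + 4-byte number
WORD_LEN = 8
SAVED_RET_SLOT = 0xFFFFCDE8   # return-address slot named in the write-up


def parse_gdb_words(dump):
    """Map address -> 32-bit value from `x/Nwx`-style lines; other lines are skipped."""
    words = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s+(.*)", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        for i, token in enumerate(m.group(2).split()):
            words[addr + 4 * i] = int(token, 16)
    return words


def records(words, count):
    """Rebuild `count` (word_bytes, number) records from the word map."""
    out = []
    for n in range(count):
        base = RECORD_BASE + n * RECORD_SIZE
        word = b"".join(words[base + off].to_bytes(4, "little") for off in (0, 4))
        out.append((word, words[base + WORD_LEN]))
    return out


def record_span(index):
    """[start, end) address range occupied by the 1-based record `index`."""
    start = RECORD_BASE + (index - 1) * RECORD_SIZE
    return start, start + RECORD_SIZE


def record_covering(addr):
    """(1-based index, field) of the record whose storage includes `addr`, or None."""
    offset = addr - RECORD_BASE
    if offset < 0:
        return None
    index, within = divmod(offset, RECORD_SIZE)
    return index + 1, ("word" if within < WORD_LEN else "number")


if __name__ == "__main__":
    words = parse_gdb_words(DUMP)
    for i, (word, number) in enumerate(records(words, 5), 1):
        print(f"record {i}: word={word!r} number={number}")
    print("return slot is reached by record", record_covering(SAVED_RET_SLOT))
```

Running it confirms the two numbers in the text: the last allocated word 0xffffcdd4 is the number field of record 5, and 0xffffcde8 falls inside the word field of record 7, which is why the 7th record overwrites the return address.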
Forensic50 Somepang
In this challenge, I'm given a pcap file, so I analyze it.
This pcap contains only ICMP packets, and each packet carries a repeated 2-character string.
Looking at the last few packets I see "==", so I recognize that the characters in those packets are pieces of a base64-encoded file. Finally I write code to extract those characters and save them as one file.
# Useful Python libraries for analyzing and extracting data from a PCAP file
- dpkt : https://github.com/kbandla/dpkt
- pyshark : https://github.com/KimiNewt/pyshark
At first I used pyshark to write the code, but it hung when I ran it because of a tshark memory leak…
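As an added example that is not the author's extraction script, here is the same procedure done with the standard library only (so it needs neither dpkt nor tshark): walk a classic pcap, keep the payload of every ICMP echo request, take its leading 2-character chunk and base64-decode the concatenation. The challenge capture is not reproduced; the capture below is constructed in memory, and the assumptions are that the chunk sits in the first two payload bytes (with the repeats after it) and that echo replies, if present, would only duplicate chunks and should be skipped.

```python
import base64
import struct

# Added example, not the write-up's script: a standard-library-only pcap
# walker that collects the 2-character chunk carried in each ICMP echo
# request and base64-decodes the concatenation. The capture is constructed
# in memory (the challenge pcap is not reproduced), and the position of the
# chunk inside the payload (first two bytes, then repeats) is an assumption.

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def build_icmp_frame(seq, chunk, icmp_type=ICMP_ECHO_REQUEST, repeat=8):
    """Constructed Ethernet/IPv4/ICMP frame; checksums are left zero."""
    payload = (chunk * repeat).encode("ascii")
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4
    return eth + ip


def build_pcap(frames):
    """Constructed little-endian classic pcap (magic a1b2c3d4, snaplen 65535)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1479500000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield raw link-layer frames from pcap bytes, honouring the magic's byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def icmp_echo_request_payload(frame):
    """Return the ICMP payload if the frame is an IPv4 echo request, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:                                      # IP protocol 1 = ICMP
        return None
    icmp = ip[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:   # replies would duplicate chunks
        return None
    return icmp[8:]


def extract_base64(pcap_bytes, chunk_len=2):
    """Concatenate the leading chunk_len bytes of every echo-request payload."""
    chunks = []
    for frame in iter_pcap_frames(pcap_bytes):
        payload = icmp_echo_request_payload(frame)
        if payload:
            chunks.append(payload[:chunk_len].decode("ascii"))
    return "".join(chunks)


def recover_file(pcap_bytes):
    """Base64-decode the reassembled text; validate=True makes bad input fail loudly."""
    return base64.b64decode(extract_base64(pcap_bytes), validate=True)


SAMPLE_PLAINTEXT = b"constructed sample payload"   # stands in for the hidden file


def build_sample_pcap():
    """Constructed capture: one echo request per 2-char chunk, plus a stray reply."""
    b64 = base64.b64encode(SAMPLE_PLAINTEXT).decode("ascii")
    frames = [build_icmp_frame(i // 2, b64[i:i + 2]) for i in range(0, len(b64), 2)]
    frames.insert(1, build_icmp_frame(0, b64[0:2], icmp_type=ICMP_ECHO_REPLY))
    return build_pcap(frames)


if __name__ == "__main__":
    pcap = build_sample_pcap()
    print(extract_base64(pcap))
    print(recover_file(pcap))
```

To use it on a real capture, replace `build_sample_pcap()` with the bytes of the file; the "==" the write-up mentions is the base64 padding that `recover_file` checks.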
Crypto 100 Salad
It is a Caesar cipher, but I need to use the alphabet 0-9a-zA-Z.
7sj-ighm-742q3w4t
RC3-2016-ROMaNgOd
1234567890 LMNOPQRS abcdefghijklmnopqrstuvwxyz 0123456789abcdefghij
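The shift over the 62-symbol alphabet, as an added example that is not the author's code: `caesar62` shifts every symbol of 0-9a-zA-Z (the alphabet order is my assumption; symbols outside it, like "-", pass through unchanged) and `brute_force` tries all 62 shifts and keeps the ones whose output starts with the known flag prefix, compared case-insensitively.

```python
# Added example, not the write-up's script: Caesar shift over the 62-symbol
# alphabet 0-9a-zA-Z (this ordering is an assumption) and a brute force
# over all shifts, filtered by the known flag prefix.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
CIPHERTEXT = "7sj-ighm-742q3w4t"   # from the write-up


def caesar62(text, shift):
    """Shift each alphabet symbol by `shift`; other characters pass through."""
    out = []
    for ch in text:
        i = ALPHABET.find(ch)
        out.append(ch if i < 0 else ALPHABET[(i + shift) % len(ALPHABET)])
    return "".join(out)


def brute_force(ciphertext, known_prefix="RC3-"):
    """All (shift, candidate) pairs whose candidate starts with the prefix, ignoring case."""
    hits = []
    for shift in range(len(ALPHABET)):
        candidate = caesar62(ciphertext, shift)
        if candidate.lower().startswith(known_prefix.lower()):
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    for shift, candidate in brute_force(CIPHERTEXT):
        print(shift, candidate)
```

Only one shift survives the prefix filter, 46 (equivalently, the flag was encrypted with shift 16). Its output is Rc3-2016-ROMaNgOd, which matches the flag above except for the case of the second character, so the comparison has to be case-insensitive.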
Crypto 300 Cats
Split the given GIF image using a GIF splitter: http://ezgif.com/split/
Then I count the number of cats in each picture.
14 9 1 20 23 15 5 13
And convert those numbers to letters (e.g. 1->A, 2->B…)
NIATWOEM
Finally reverse it.
MEOWTAIN
Web 100 who’s a good boy
Access the page. https://ctf.rc3.club:3000/
Then I view the page source and notice that there is a doge.css file, so I access that file.
-snip-
i
.philarydufflebag{
/*hiya*/
/*compress your frontend*/
/*here's a flag :)*/
flag:RC3-2016-CanineSS
}
I got it!
Reverse 100 Logmein
At first, I notice that the encoded password is loaded in the first part of the main function.
.text:0000000000400630 push rbp
.text:0000000000400631 mov rbp, rsp
.text:0000000000400634 sub rsp, 90h
.text:000000000040063B mov rdi, offset format ; "Welcome to the RC3 secure password gues"...
.text:0000000000400645 mov [rbp+var_4], 0
.text:000000000040064C mov rax, ds:qword_4008B0
.text:0000000000400654 mov qword ptr [rbp+passwrod_1], rax
.text:0000000000400658 mov rax, ds:qword_4008B8
.text:0000000000400660 mov [rbp+password_2], rax
.text:0000000000400664 mov cx, ds:word_4008C0
.text:000000000040066C mov [rbp+password_3], cx
.text:0000000000400670 mov rax, ds:qword_4008D0
.text:0000000000400678 mov [rbp+password_XOR], rax
.text:000000000040067C mov [rbp+int_7], 7
.text:0000000000400683 mov al, 0
I can find the encoded flag at 0x4008B0-0x4008C0, and I also find that the password is XOR-ed with 65626D61726168h:
.rodata:00000000004008B0 qword_4008B0 dq 5E54525F4C41223Ah ; DATA XREF: main+1Cr
.rodata:00000000004008B8 qword_4008B8 dq 342F362B3F2E2A4Ch ; DATA XREF: main+28r
.rodata:00000000004008C0 word_4008C0 dw 36h ; DATA XREF: main+34r
.rodata:00000000004008C2 align 10h
.rodata:00000000004008D0 qword_4008D0 dq 65626D61726168h ; DATA XREF: main+40r
.text:0000000000400758 mov cl, [rbp+rax+passwrod_1]
.text:000000000040075C mov [rbp+var_55], cl
.text:000000000040075F mov eax, [rbp+var_54]
.text:0000000000400762 cdq
.text:0000000000400763 idiv [rbp+int_7]
.text:0000000000400766 movsxd rsi, edx
.text:0000000000400769 mov cl, byte ptr [rbp+rsi+password_XOR]
.text:000000000040076D mov [rbp+var_56], cl
.text:0000000000400770 movsx edx, [rbp+var_55]
.text:0000000000400774 movsx edi, [rbp+var_56]
.text:0000000000400778 xor edx, edi
.text:000000000040077A mov cl, dl
Finally I write code to decode the password.
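A decoder written from the two listings above, as an added example rather than the author's script: the .rodata values are reassembled in the little-endian byte order the `mov rax, ds:qword_...` loads use, the 7-byte key (the bytes of 65626D61726168h read as "harambe") is applied with index mod 7 exactly as the `idiv [rbp+int_7]` / `movsxd rsi, edx` sequence does, and the 17-byte length is inferred from the NUL that the `dw 36h` word packs after the last byte. Function names are mine.

```python
import struct

# Added example, not the write-up's decoder. Constants are the .rodata values
# quoted in the write-up; the 17-byte password length is inferred from the
# NUL byte that follows 36h in the stored data.

QWORD_4008B0 = 0x5E54525F4C41223A
QWORD_4008B8 = 0x342F362B3F2E2A4C
WORD_4008C0 = 0x36
QWORD_4008D0 = 0x65626D61726168   # XOR key, 7 significant bytes
KEY_LEN = 7                        # the listing's [rbp+int_7]


def immediates_to_bytes(*fields):
    """Lay out (value, struct format) pairs as the binary stores them: little-endian."""
    return b"".join(struct.pack("<" + fmt, value) for value, fmt in fields)


def stored_password():
    """The 17 encoded bytes as they sit in memory after the three loads in main."""
    data = immediates_to_bytes((QWORD_4008B0, "Q"), (QWORD_4008B8, "Q"), (WORD_4008C0, "H"))
    return data.split(b"\x00", 1)[0]    # drop the terminator packed into the last word


def xor_key():
    return immediates_to_bytes((QWORD_4008D0, "Q"))[:KEY_LEN]


def xor_repeating(data, key):
    """data[i] ^ key[i % len(key)], the loop body shown in the second listing."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_password():
    return xor_repeating(stored_password(), xor_key()).decode("ascii")


if __name__ == "__main__":
    print("key:", xor_key())
    print("password:", decode_password())
```

The same `xor_repeating` also re-encodes a guess, which is a quick way to confirm the key: encoding the decoded string with "harambe" must give back the .rodata bytes.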
Pwn 200 fencepost
At first, I analyze the given file in IDA. I find an encrypted flag in the part below, but it is not the correct password…:-(.
.text:0000000000400827 sub rsp, 60h
.text:000000000040082B mov [rbp+var_54], edi
.text:000000000040082E mov [rbp+password], 0FFFFFFFFh ; insert password_string
.text:0000000000400835 mov rax, 2D6568742D746F6Eh
.text:000000000040083F mov qword ptr [rbp+p_password], rax
.text:0000000000400843 mov rax, 7361702D6C616572h
.text:000000000040084D mov [rbp+var_48], rax
.text:0000000000400851 mov [rbp+str_sword], 726F7773h
.text:0000000000400858 mov [rbp+var_3C], 64h
.text:000000000040085E lea rdi, aWelcomeToTheRc ; "=== Welcome to the RC3 Secure CTF Login"...
.text:0000000000400865 call _puts
.text:000000000040086A lea rdi, aPleaseEnterThe ; "=== Please enter the correct password b"...
.text:0000000000400871 call _puts
-(skip)-
Next I notice the part below, and I realize that I can pass the authorization check if password_flag is 0. password_flag lies below user_input on the stack, and user_input can be overflowed, so I overwrite password_flag with 0 using the buffer overflow.
.text:00000000004008D1 goto_success: ; CODE XREF: main_loop+95j
.text:00000000004008D1 cmp [rbp+password], 0
.text:00000000004008D5 jnz short goto_fail
.text:00000000004008D7 mov eax, 0
.text:00000000004008DC call success_pass

