Friday, April 15, 2016

sCTF 2016 (incomplete) write-up

Update: other write-ups I found https://ctftime.org/event/309/tasks/ and https://github.com/VulnHub/ctf-writeups/tree/master/2016/sctf

I did sCTF and then kinda gave up. It was fun and frustrating. I'll try harder next time.
This is a partial write-up for some of things that I solved or tried solving.

Rev1

I’ll post two ways to do this. I’m learning these tools anyway.
I used qira (http://qira.me) first.
First, wrong password.
Running the same with qira.
I looked for scanf and saw cmp below it.
Notice that rax is 0x4d2, which is 1234/our input.
Eax is not equal to 0x5b74, then jump to 0x4006b7, which does occur. We need to put in 0x5b74 to make this work. 0x5b74 is 23412 in decimal.
And it works.
Another way to do it to just skip that jne instruction.
I’m using GDB with PEDA.
We’ll put a breakpoint at CMP, then jump to the instruction below jne.
And we jump

Rev2

This is very similar to the first one, except the jump trick won’t work.
Let’s start with qira again.
There is a cmp again, and rax has 1234. 0x30dda83 is 51239555. We can try that.
And it works.

SecureTextSaver (Incomplete)

This was a .jar file. I used JavaDecompilers.com (awesome site btw) to get the decompiled code.
Login_Page.java has username and password in it.
By the time I started writing this, the problems page was gone, since the CTF is over. I don’t remember what I did after this.
Cookies
Decompiled the jar file using JavaDecompilers.com.
This is Cookie.java
Notice the URL and the hash.
Password for the hash gets sent to the server and server returns the flag. I used hashkiller.co.uk, which had the password already cracked.
And we can send the password and get the flag.

Bomb_squad (Incomplete)

This binary has multiple phases you had to complete.
What you want to avoid is explode_bomb()
This is phase_1
It takes integer as input and does some math and if the input is correct, it jumps to 0x8048a15.
I decided to try angr with this. (http://angr.io) I used the example from the site and tried it with the first phase.
With angr, we want to find 0x8048a15 and avoid call to explode_bomb() (0x8048a10)

Pwn1

Going to use PEDA for this.
First time I was doing this, I didn’t pay attention to the description for the challenge.
It says “I'll convert a first person statement to a second person statement. I even wrote it in C++ to be super-safe about my strings!”
Notice that I became you.
We can use some I’s and pattern that PEDA creates to find out offset.
We can overwrite the EIP after we put in 24 bytes (20 I’s and 4 random bytes).
There is get_flag function in the binary that’s never called and we need to jump to it.
Address is 0x08048f0d.
Let’s generate our input to jump to get_flag.
And it works!

Pwn2 (Incomplete)

This is when I gave up. I know that I had to use ROP (never done it before) and I saw syscall in the binary, I just couldn’t get anything to work.


After trying different things, I eventually figured out that I needed to give it a negative number and my pattern.




Ducks

This one required password input on a website.
Notice the link to source.php, this contains the PHP code that does password check.
extract() is the issue here.
When we enter the password into The Ducks page, it will get sent as a post request with variable name pass.
We should be able to use Burp Proxy to append another variable, which would be thepassword_123. They both should be equal so we can get the flag.
And we get our flag.


Control Panel

I spent too much time on this trying stupid things. This was rather easy.
The hint was in the comments after you registered for an account and logged in.
This is normal registration and login.
Here’s the hint
You can create another account and append &admin=true in your post request.
And you get the flag.

2 comments:

  1. Nicely done - swear I tried appending an admin param for control param. That one was driving me mad. Ended up trying to crack the cookie IV. Thanks for putting me out of my misery

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete