From cb64d3ae661b32c642218fcb629316d10a83918b Mon Sep 17 00:00:00 2001
From: Paul Hager <paul.hager@foo.bar>
Date: Sat, 18 Jan 2020 00:14:12 +0100
Subject: [PATCH] phager

---
 writeups/phager/ctfzone.md   |  62 ++++++++++++
 writeups/phager/otw.md       | 178 +++++++++++++++++++++++++++++++++++
 writeups/phager/tasteless.md |  29 ++++++
 3 files changed, 269 insertions(+)
 create mode 100644 writeups/phager/ctfzone.md
 create mode 100644 writeups/phager/otw.md
 create mode 100755 writeups/phager/tasteless.md

diff --git a/writeups/phager/ctfzone.md b/writeups/phager/ctfzone.md
new file mode 100644
index 0000000..15f9cca
--- /dev/null
+++ b/writeups/phager/ctfzone.md
@@ -0,0 +1,62 @@
+# CTFZone 2019 Quals
+
+Paul Theodor Hager
+01426941
+pH - @phager
+
+## Retrospective
+
+- Some weird challenges
+- One of those frustrating CTFs...
+- Learned some OSINT tools, websites and Mysql authentication
+
+## Honey is sweet but Bee stings
+
+Category: OSINT, Forensic
+
+Description:
+`Your tool is really awesome, and plugins you recommended to me were very helpfull, I appreciate your help. Can you please check this network dump? Help me to catch him!`
+
+We got a .pcap file with two TCP streams: Both of them contained Mysql traffic.
+First idea was that the flag might be hidden in the Mysql server password and we have to extract the password somehow from the traffic.
+`mysql_native_password` was used for authentication and some googeling revealed that this method is not recommended.
+We found the following exploit script: https://github.com/cyrus-and/mysql-unsha1.
+As we were not in possession of the password hash, we could not use the method behind the tool from GitHub - No luck with this tool.
+
+Looking at the traffic more precisely, we concluded that the traffic looks somehow like an exploit, where an attacker tries to extract some infos.
+We googled the involed IPs and the client IP was still online - a Tor exit node. 
+
+```bash
+pth@~/Downloads/ctf-zone> nmap 185.100.87.206
+Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 21:05 CET
+Nmap scan report for geri.enn.lu (185.100.87.206)
+Host is up (0.075s latency).
+Not shown: 995 closed ports
+PORT      STATE    SERVICE
+22/tcp    open     ssh
+80/tcp    open     http
+443/tcp   open     https
+9001/tcp  open     tor-orport
+16992/tcp filtered amt-soap-http
+
+Nmap done: 1 IP address (1 host up) scanned in 8.92 seconds
+```
+
+Google (after a lot of searching!) also reveald a pastbin: https://pastebin.com/qPPe1f6s.
+The pastbin link mentions various IP-Blacklists-Sites and on one of those (https://cleantalk.org/blacklists/35.242.238.204) a comment for the attacker IP was published: 
+"This guy is not giving up! But I gathered some information, the deanon is on the way! You can find details on dbnotes.site"
+
+On http://dbnotes.site/ we found a blog post which exactly describes our challenge. Even the exact same .pcap file was provided.
+The blog post reveals the hostname of the attacker `tumandakumar` and the author states that it seems to be a nickname.
+
+With the help of this name (and various nickname osint/seraching sites) we found a bitbucket team https://bitbucket.org/tumandakumar/ with two members and an VK user: https://vk.com/tumandk.
+On bibucket we found the project "PSN_sales_checker" and we tried to find some informations in the PSN network... no luck.
+
+From here on we got stuck as we could not get any more informations, altough we were googeling quite a lot.
+
+Unfortunately there was no writeup published and only 4 teams solved this challenge.
+
+## Jumping Other Challenges
+
+Every few hours I "rage-quitted" on the challenge "Honey is sweet but Bee stings" and was jumping other challenges.
+But no meaningful contribution was done in those phases.
\ No newline at end of file
diff --git a/writeups/phager/otw.md b/writeups/phager/otw.md
new file mode 100644
index 0000000..0126fc9
--- /dev/null
+++ b/writeups/phager/otw.md
@@ -0,0 +1,178 @@
+# OTW Adv. 2019
+
+Paul Theodor Hager
+01426941
+pH - @phager
+
+## Retrospective
+
+- Was no really "impressed" by the challenges...
+- The good ones were solved very quickly
+- Idled on quite some channels
+
+## Day-19 Santa's Signature
+
+`Can you forge Santa's signature?`
+
+On connecton with netcat (`nc 3.93.128.89 1219`) we get the following:
+```
+Dear Santa,
+Last christmas you gave me your public key,
+to confirm it really is you please sign three
+different messages with your private key.
+
+Here is the public key you gave me:
+-----BEGIN PUBLIC KEY-----
+<CUT>
+-----END PUBLIC KEY-----
+Message 1 you signed (hex encoded):
+```
+
+Looking on the provided source I though the RSA looks a bit weird (=too easy). Classic secure RSA in pycryopto looks more like this: https://stackoverflow.com/a/58764650 (using `PKCS1_v1_5`).
+Googling a bit reveals that if you use the simple `verify()` function you are using "TextBook-RSA" --> No padding --> unsecure.
+There is a nice summary of "TextBook-RSA-Attacks": https://crypto.stackexchange.com/a/20087
+We can see the following:
+- signature of 0 is 0
+- signature of 1 is 1
+- signature of n−1 is n−1 (we have n as we get the pub key)
+
+I started writing a script for communicating with the service and did not realize that this challenge was already solved...
+But at least I could see that I was on the right track.
+
+## Day-08 Unmanaged
+
+```
+I've made a Byte Buffer as a Service (BBAAS)! The service is written in C#, but to avoid performance penalties, we use unsafe code which should have comparable performance to C++!
+```
+`nc 3.93.128.89 1208`
+
+We also got the souce code.
+On simply connecting via netcat I was not able to interact with the service.
+
+Looking at the code one can see that its possible to send the service single byte encoded commands: allocate new byte array (with action/byte = 1), write a section of a byte array (action/byte=2) and read a section of a byte array(action/byte=3).
+Each command has some additional parameters: index, offset and size.
+I implemented those commands in golang (see below).
+Analyzing the source further, we can see that no bounds checking is done and "unsafe" .NET is used, this enables unchecked pointer arithmetics in C# as like in C.
+So we can write more or less arbitrarily (providing the "right" parameters).
+
+I wrote a golang script which is more or less just bruteforcing the service to get any kind of output.
+
+```go
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"math/rand"
+	"net"
+)
+
+func reader(r *bufio.Reader) {
+	for {
+		fmt.Println("READING...")
+		recvBuf := make([]byte, 1024)
+		n, err := r.Read(recvBuf[:])
+		if err != nil {
+			fmt.Println(err)
+			break
+		}
+
+		fmt.Println(n)
+		fmt.Println(string(recvBuf))
+		fmt.Println("-------------------------------------------------")
+	}
+
+}
+
+func sendAllocate(w *bufio.Writer, len byte) {
+	err := w.WriteByte(1)
+	if err != nil {
+		fmt.Println(err)
+	}
+
+	err = w.WriteByte(len)
+	if err != nil {
+		fmt.Println(err)
+	}
+}
+
+func sendWrite(w *bufio.Writer, index, offset, size byte) {
+	err := w.WriteByte(2)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(index)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(offset)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(size)
+	if err != nil {
+		fmt.Println(err)
+	}
+}
+
+func sendRead(w *bufio.Writer, index, offset, size byte) {
+	err := w.WriteByte(3)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(index)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(offset)
+	if err != nil {
+		fmt.Println(err)
+	}
+	err = w.WriteByte(size)
+	if err != nil {
+		fmt.Println(err)
+	}
+}
+
+func sendByte(w *bufio.Writer, c byte) error {
+	err := w.WriteByte(c)
+	if err != nil {
+		fmt.Println(err)
+		return err
+	}
+	return nil
+}
+
+func main() {
+	conn, _ := net.Dial("tcp", "3.93.128.89:1208")
+	defer conn.Close()
+
+	r := bufio.NewReader(conn)
+	go reader(r)
+
+	w := bufio.NewWriter(conn)
+
+	//sendAllocate(w, 100)
+	//sendWrite(w, 10, 0, 100)
+	//sendWrite(w, 60, 0, 100)
+	//sendWrite(w, 100, 0, 100)
+	//sendWrite(w, 255, 0, 100)
+
+	sendAllocate(w, 1)
+
+	rand.Seed(42)
+	for i := 0; i < 1500; i++ {
+		sendWrite(w, 0, byte(rand.Intn(255)), byte(rand.Intn(255)))
+	}
+
+	fmt.Println("done")
+
+	select {}
+
+}
+
+```
+
+My goal was to somehow get a basic understanding of how the "actions" are working and to push shellcode somewhere to execute it later.
+As I had to go afk, I pinged @dachleitner to solve it - and he did before I was back.
+
diff --git a/writeups/phager/tasteless.md b/writeups/phager/tasteless.md
new file mode 100755
index 0000000..5486421
--- /dev/null
+++ b/writeups/phager/tasteless.md
@@ -0,0 +1,29 @@
+# Tasteless CTF
+
+Paul Theodor Hager
+01426941
+pH - @phager
+
+## Retrospective
+
+- Not so many challenges...
+- Learned quite some stuff about CSP and CSS selectors.
+- The "timewarp" challenge was a nice idea
+- "on-site" @ - SBA
+
+## Ghidra Server Setup
+
+Setup a Ghidra server for the team.
+https://paulhagertheo.at/ghidra_03-04-2019.html
+
+## Babypad
+
+Many Time Pad challenge with the flag as "key". Tried multiple tools as it seemed to be a common challenge. We came up with the idea to just collect many(!) ciphers and xor them char by char with printable asciichars. Georg was too fast for us...
+
+## Gabbr
+
+Site was vulnerable to XSS but because of CSP (nonce) we couldnt trigger it. Solution was to bruteforce the nonce with css selctors char by char. Similar challenge:
+
+<https://sirdarckcat.blogspot.com/2016/12/how-to-bypass-csp-nonces-with-dom-xss.html>
+
+Full writeup can be found @ <https://w0y.at/writeup/2019/10/27/tasteless-2019-gabbr.html>
-- 
2.43.0