From cb64d3ae661b32c642218fcb629316d10a83918b Mon Sep 17 00:00:00 2001 From: Paul Hager Date: Sat, 18 Jan 2020 00:14:12 +0100 Subject: [PATCH] phager --- writeups/phager/ctfzone.md | 62 ++++++++++++ writeups/phager/otw.md | 178 +++++++++++++++++++++++++++++++++++ writeups/phager/tasteless.md | 29 ++++++ 3 files changed, 269 insertions(+) create mode 100644 writeups/phager/ctfzone.md create mode 100644 writeups/phager/otw.md create mode 100755 writeups/phager/tasteless.md diff --git a/writeups/phager/ctfzone.md b/writeups/phager/ctfzone.md new file mode 100644 index 0000000..15f9cca --- /dev/null +++ b/writeups/phager/ctfzone.md @@ -0,0 +1,62 @@ +# CTFZone 2019 Quals + +Paul Theodor Hager +01426941 +pH - @phager + +## Retrospective + +- Some weird challenges +- One of those frustrating CTFs... +- Learned some OSINT tools, websites and Mysql authentication + +## Honey is sweet but Bee stings + +Category: OSINT, Forensic + +Description: +`Your tool is really awesome, and plugins you recommended to me were very helpfull, I appreciate your help. Can you please check this network dump? Help me to catch him!` + +We got a .pcap file with two TCP streams: Both of them contained Mysql traffic. +First idea was that the flag might be hidden in the Mysql server password and we have to extract the password somehow from the traffic. +`mysql_native_password` was used for authentication and some googeling revealed that this method is not recommended. +We found the following exploit script: https://github.com/cyrus-and/mysql-unsha1. +As we were not in possession of the password hash, we could not use the method behind the tool from GitHub - No luck with this tool. + +Looking at the traffic more precisely, we concluded that the traffic looks somehow like an exploit, where an attacker tries to extract some infos. +We googled the involed IPs and the client IP was still online - a Tor exit node. + +```bash +pth@~/Downloads/ctf-zone> nmap 185.100.87.206 +Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 21:05 CET +Nmap scan report for geri.enn.lu (185.100.87.206) +Host is up (0.075s latency). +Not shown: 995 closed ports +PORT STATE SERVICE +22/tcp open ssh +80/tcp open http +443/tcp open https +9001/tcp open tor-orport +16992/tcp filtered amt-soap-http + +Nmap done: 1 IP address (1 host up) scanned in 8.92 seconds +``` + +Google (after a lot of searching!) also reveald a pastbin: https://pastebin.com/qPPe1f6s. +The pastbin link mentions various IP-Blacklists-Sites and on one of those (https://cleantalk.org/blacklists/35.242.238.204) a comment for the attacker IP was published: +"This guy is not giving up! But I gathered some information, the deanon is on the way! You can find details on dbnotes.site" + +On http://dbnotes.site/ we found a blog post which exactly describes our challenge. Even the exact same .pcap file was provided. +The blog post reveals the hostname of the attacker `tumandakumar` and the author states that it seems to be a nickname. + +With the help of this name (and various nickname osint/seraching sites) we found a bitbucket team https://bitbucket.org/tumandakumar/ with two members and an VK user: https://vk.com/tumandk. +On bibucket we found the project "PSN_sales_checker" and we tried to find some informations in the PSN network... no luck. + +From here on we got stuck as we could not get any more informations, altough we were googeling quite a lot. + +Unfortunately there was no writeup published and only 4 teams solved this challenge. + +## Jumping Other Challenges + +Every few hours I "rage-quitted" on the challenge "Honey is sweet but Bee stings" and was jumping other challenges. +But no meaningful contribution was done in those phases. \ No newline at end of file diff --git a/writeups/phager/otw.md b/writeups/phager/otw.md new file mode 100644 index 0000000..0126fc9 --- /dev/null +++ b/writeups/phager/otw.md @@ -0,0 +1,178 @@ +# OTW Adv. 2019 + +Paul Theodor Hager +01426941 +pH - @phager + +## Retrospective + +- Was no really "impressed" by the challenges... +- The good ones were solved very quickly +- Idled on quite some channels + +## Day-19 Santa's Signature + +`Can you forge Santa's signature?` + +On connecton with netcat (`nc 3.93.128.89 1219`) we get the following: +``` +Dear Santa, +Last christmas you gave me your public key, +to confirm it really is you please sign three +different messages with your private key. + +Here is the public key you gave me: +-----BEGIN PUBLIC KEY----- + +-----END PUBLIC KEY----- +Message 1 you signed (hex encoded): +``` + +Looking on the provided source I though the RSA looks a bit weird (=too easy). Classic secure RSA in pycryopto looks more like this: https://stackoverflow.com/a/58764650 (using `PKCS1_v1_5`). +Googling a bit reveals that if you use the simple `verify()` function you are using "TextBook-RSA" --> No padding --> unsecure. +There is a nice summary of "TextBook-RSA-Attacks": https://crypto.stackexchange.com/a/20087 +We can see the following: +- signature of 0 is 0 +- signature of 1 is 1 +- signature of n−1 is n−1 (we have n as we get the pub key) + +I started writing a script for communicating with the service and did not realize that this challenge was already solved... +But at least I could see that I was on the right track. + +## Day-08 Unmanaged + +``` +I've made a Byte Buffer as a Service (BBAAS)! The service is written in C#, but to avoid performance penalties, we use unsafe code which should have comparable performance to C++! +``` +`nc 3.93.128.89 1208` + +We also got the souce code. +On simply connecting via netcat I was not able to interact with the service. + +Looking at the code one can see that its possible to send the service single byte encoded commands: allocate new byte array (with action/byte = 1), write a section of a byte array (action/byte=2) and read a section of a byte array(action/byte=3). +Each command has some additional parameters: index, offset and size. +I implemented those commands in golang (see below). +Analyzing the source further, we can see that no bounds checking is done and "unsafe" .NET is used, this enables unchecked pointer arithmetics in C# as like in C. +So we can write more or less arbitrarily (providing the "right" parameters). + +I wrote a golang script which is more or less just bruteforcing the service to get any kind of output. + +```go +package main + +import ( + "bufio" + "fmt" + "math/rand" + "net" +) + +func reader(r *bufio.Reader) { + for { + fmt.Println("READING...") + recvBuf := make([]byte, 1024) + n, err := r.Read(recvBuf[:]) + if err != nil { + fmt.Println(err) + break + } + + fmt.Println(n) + fmt.Println(string(recvBuf)) + fmt.Println("-------------------------------------------------") + } + +} + +func sendAllocate(w *bufio.Writer, len byte) { + err := w.WriteByte(1) + if err != nil { + fmt.Println(err) + } + + err = w.WriteByte(len) + if err != nil { + fmt.Println(err) + } +} + +func sendWrite(w *bufio.Writer, index, offset, size byte) { + err := w.WriteByte(2) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(index) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(offset) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(size) + if err != nil { + fmt.Println(err) + } +} + +func sendRead(w *bufio.Writer, index, offset, size byte) { + err := w.WriteByte(3) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(index) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(offset) + if err != nil { + fmt.Println(err) + } + err = w.WriteByte(size) + if err != nil { + fmt.Println(err) + } +} + +func sendByte(w *bufio.Writer, c byte) error { + err := w.WriteByte(c) + if err != nil { + fmt.Println(err) + return err + } + return nil +} + +func main() { + conn, _ := net.Dial("tcp", "3.93.128.89:1208") + defer conn.Close() + + r := bufio.NewReader(conn) + go reader(r) + + w := bufio.NewWriter(conn) + + //sendAllocate(w, 100) + //sendWrite(w, 10, 0, 100) + //sendWrite(w, 60, 0, 100) + //sendWrite(w, 100, 0, 100) + //sendWrite(w, 255, 0, 100) + + sendAllocate(w, 1) + + rand.Seed(42) + for i := 0; i < 1500; i++ { + sendWrite(w, 0, byte(rand.Intn(255)), byte(rand.Intn(255))) + } + + fmt.Println("done") + + select {} + +} + +``` + +My goal was to somehow get a basic understanding of how the "actions" are working and to push shellcode somewhere to execute it later. +As I had to go afk, I pinged @dachleitner to solve it - and he did before I was back. + diff --git a/writeups/phager/tasteless.md b/writeups/phager/tasteless.md new file mode 100755 index 0000000..5486421 --- /dev/null +++ b/writeups/phager/tasteless.md @@ -0,0 +1,29 @@ +# Tasteless CTF + +Paul Theodor Hager +01426941 +pH - @phager + +## Retrospective + +- Not so many challenges... +- Learned quite some stuff about CSP and CSS selectors. +- The "timewarp" challenge was a nice idea +- "on-site" @ - SBA + +## Ghidra Server Setup + +Setup a Ghidra server for the team. +https://paulhagertheo.at/ghidra_03-04-2019.html + +## Babypad + +Many Time Pad challenge with the flag as "key". Tried multiple tools as it seemed to be a common challenge. We came up with the idea to just collect many(!) ciphers and xor them char by char with printable asciichars. Georg was too fast for us... + +## Gabbr + +Site was vulnerable to XSS but because of CSP (nonce) we couldnt trigger it. Solution was to bruteforce the nonce with css selctors char by char. Similar challenge: + + + +Full writeup can be found @ -- 2.43.0