From f3e734c3055db383a917cd5a66831612779f6caa Mon Sep 17 00:00:00 2001 From: mli Date: Sun, 19 Jan 2020 23:18:51 +0100 Subject: [PATCH] add mli/asis+zone writeups --- writeups/mli/asis-ctf-finals-19.md | 42 ++++ writeups/mli/ctfzone-quals-19.md | 345 +++++++++++++++++++++++++++++ 2 files changed, 387 insertions(+) create mode 100644 writeups/mli/asis-ctf-finals-19.md create mode 100644 writeups/mli/ctfzone-quals-19.md diff --git a/writeups/mli/asis-ctf-finals-19.md b/writeups/mli/asis-ctf-finals-19.md new file mode 100644 index 0000000..ac97c28 --- /dev/null +++ b/writeups/mli/asis-ctf-finals-19.md @@ -0,0 +1,42 @@ +# ASIS CTF Finals 2019 + +## Time spent + +I only spent about 1 hour for this CTF and basically just looked into the challenges. + +## Serifin (Crypto) + +Description: "A sincere gift for cryptographers, enjoy solving it!" + +### Overview + +We were provided with a Python script which apparently generates a 512-bit prime (p, q) and encrypts some text (the flag) using the multiplication `p*q` of this prime number. We have an `output.txt` which includes n (`p*q`) and the ciphertext. + +I suppose we have to recompute/guess the actual values p and q, which we dont have. + +The prime computation does not look like a normal one and I googled a bit but could not find out what to do. + +### Exploitation + +nothing done beside basic analysis + +## Securalloc + +Description: + +* The key to success in the battlefield is always the secure allocation of resources! +* `nc 76.74.177.238 9001` + +### Overview + +We are also provided with `securalloc.elf`, `libc.so.6` and `libsalloc.so`. + +Apparently at port 9001 there is waiting an instance of securalloc.elf. + +Looks like we need to exploit a vulnerability because of heap problems. + +The application allows to create/edit/show/delete records. It can also print size and data content. + +### Exploitation + +nothing done beside basic analysis 
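Review bot: the Serifin overview in writeups/mli/asis-ctf-finals-19.md describes n as "the multiplication `p*q` of this prime number", which collapses two primes into one; say that the script generates two 512-bit primes p and q and that n = p*q is their product, since recovering p and q from n is exactly the task the next sentence states. The same section calls the prime generation "not a normal one" without recording what it does; quoting or summarising the generation routine from the provided script would let a later reader pick up where the analysis stopped, and a non-standard prime generator is the one concrete lead this writeup has. Also "we dont have" -> "we don't have", and in Securalloc "Apparently at port 9001 there is waiting an instance of securalloc.elf" reads better as "an instance of securalloc.elf is listening on port 9001"; the custom allocator `libsalloc.so` shipped next to `libc.so.6` is presumably why heap bugs are suspected, so say so instead of "Looks like we need to exploit a vulnerability because of heap problems".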
diff --git a/writeups/mli/ctfzone-quals-19.md b/writeups/mli/ctfzone-quals-19.md new file mode 100644 index 0000000..df98c52 --- /dev/null +++ b/writeups/mli/ctfzone-quals-19.md 
@@ -0,0 +1,345 @@ +# CTF ZONE 19 + +## Time spent + +Summed up value from time spent below: 6.5-7.5 hours + +plus an hour writing this writeup and looking for the solutions/writeups online + +__Total time spent for CTFZONE19__: 7.5-8.5 hours ~= __8 hours__ + +## Strange Pdf (REV) + +Description: "You have one PDF file. Now calculate the flag. It's in decimal, by the way." + +there was a zip archive for download with the following content + +* strange-pdf.zip + * reverse-ez-master (Folder) + * document.pdf + +### Time spent + +I spent 4-5 hours for looking through the PDF (incl. finding tools and trying to understand the PDF structure using PDF specification). + +### Overview + +the pdf said in written text: + +__ctfzone{f(x)}__ _Where:_ f(x) = 109394007*x+13 + +hmm what is x? + +* xobject? (pdf node) +* xref? (pdf node) +* looking for X/x character (`xxd document.pdf | less`) + * did not find anything noteworthy + +#### looking further - object 25 + +I inspected the pdf file using xxd and vi, object 25 looks interesting: + +```pdf +25 0 obj +< +/Creator +/Producer +/CreationDate(D:20191030175509+03'00')>> +endobj +``` + +According to iText RUPS author/creator/produced are `fuf, Writer, Libreoffice 4.3` so the hex numbers above are strings + +Although it probably won't work, I used the values as hexadecimal numbers and inserted them into the equation - flag using output number did not work + + + +tried `ctfzone{8633098315948060059158359060263668461}` (`109394007*0xFEFF00660075006600200020+13=8633098315948060059158359060263668461`) +tried `ctfzone{12617287247315538926490254619004172071413890299659887493987366353042073674194313034082}` (`109394007*0xFEFF004C0069006200720065004F0066006600690063006500200034002E0033+13=12617287247315538926490254619004172071413890299659887493987366353042073674194313034082`) +tried `ctfzone{565778729250227416638613515078495512172235}` (`109394007*0xFEFF005700720069007400650072+13=565778729250227416638613515078495512172235`) + +#### another 
tool: qpdf + +I found the pdf tool qpdf which can transform pdfs. + +I tried some stuff including removing the object streams: `qpdf --qdf --object-streams=disable document.pdf uncompressed-document.pdf` +but the outputs did not reveal anything obvious and output documents did not look really different from the normal document + +#### another tool: mutool + +##### `mutool info document.pdf` + +```mutool-info +document.pdf: +warning: lexical error (unexpected '>') +error: expected generation number (33 ? obj) +warning: trying to repair broken xref +warning: repairing PDF document + +PDF-1.4 +Info object (25 0 R): +</Creator/Producer/CreationDate(D:20191030175509+03'00')>> +Pages: 1 + +Retrieving info from pages 1-1... +Mediaboxes (1): + 1 (1 0 R): [ 0 0 595 842 ] + +Fonts (3): + 1 (1 0 R): TrueType 'BAAAAA+LiberationSerif-Bold' (11 0 R) + 1 (1 0 R): TrueType 'CAAAAA+LiberationSerif-Italic' (16 0 R) + 1 (1 0 R): TrueType 'DAAAAA+LiberationSerif' (21 0 R) +``` + +there is nothing looking very suspicious.. + +##### mutool trace output + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +Hmm, looks like this just prints the text characters we already have. I tried to figure something out of the x/y positions but did not find anything out. + +### itext RUPS + +This program displays all pdf segments. I tried to use some numbers which I found could be x and inserted them into the formula. + +E.g. I computed `109394007*842+13` because of itext but `ctfzone{92109753907}` did not work + +this lead to no solution + +### Exploitation/Solution + +I did not find anything which worked. + +According to this writeup , I should have used `file document.pdf`. +This reveals `document.pdf: DOS/MBR boot sector`. So the file appears to be some kind of polyglot! 
+The guy from the writeup found a strange-looking comment in the head of the PDF file and interpreted it as DOS machine code. It turned out to work: + +```dos-assembler +and ax, 0x4450 +inc si +sub ax, 0x2e31 +xor al, 0xa +and ax, 0xb7e2 +mov ah, 2 +mov bh, 0 +mov dh, 1 +mov dl, 1 +int 0x10 +mov ah, 0xa +mov al, 0x39 +mov bh, 0 +mov cx, 5 +int 0x10 +mov ah, 2 +mov bh, 0 +mov dh, 1 +mov dl, 3 +int 0x10 +mov ah, 0xa +mov al, 0x33 +mov bh, 0 +mov cx, 1 +int 0x10 +``` + +According to the chinese chat protocol here , the DOS code really was in the first few bytes of this file: + +* xxd rev_strange-pdf/reverse-ez-master/document.pdf | head -n 25 +* 00000000: 2550 4446 2d31 2e34 0a __25 e2b7 b402 b700__ %PDF-1.4.%...... +* 00000010: __b601 b201 cd10 b40a b039 b700 b905 00cd__ .........9...... +* 00000020: __10b4 02b7 00b6 01b2 03cd 10b4 0ab0 33b7__ ..............3. +* 00000030: __00b9 0100 cd10 0000 0000 0000 0000 0000__ ................ +* 00000040: __0000 000a__ 3220 3020 6f62 6a0a 3c3c 2f4c ....2 0 obj.< + * "MZ" are the initials of Mark Zbikowski, one of leading developers of MS-DOS + +As expected, the exe file does not run with the latest version of Windows 10. + +#### 16 bit exe: DOSbox + +I downloaded DOSbox and tried to set it up. It took some time because you have to mount a directory into the DOSbox. I managed to run it and saw that it read from a file (`usage: task1.exe `). So I created a empty file called `keyfile.txt`. Anyway this did not lead me in the direction of a solution because I did not know what to input to the file. + +#### ida + +I opened the file using IDA, which could process it. I could not really make sense of the assembler code because I am not a rev guy and decided that I try Ghidra, in hope that C decompilation would work. + +#### ghidra analysis + +I then opened the exe in ghidra. I found the entry point, where there were some loops and branches. + +first _if_ in entry: + +0x3738: first two characters are "78" +then = ? 
+then 8 x shifted & 0xdf == 0x59 + +```c + if (((*piVar21 == 0x3738) && (iVar12 = piVar21[1], (char)iVar12 == '=')) && + (piVar1 = (int *)&DAT_137f_0096, *piVar1 = *piVar1 + 1, + ((byte)((uint)iVar12 >> 8) & 0xdf) == 0x59)) { + piVar1 = (int *)&DAT_137f_0096; + *piVar1 = *piVar1 + 1; + } +``` + +So I wrote into keyfile.txt the following bytes: `3738 3d59` leading to cleartext `78=Y`. The program did not do anything other with this content. I did not really know how to proceed further, so I started with another challenge. + +### Solution/Exploitation + +I did not solve it. According to , the flag was `ctfzone{N1C3_FLAG!1}`, which you could get by reversing 8 check functions inside the code which lead to ASCII characters built out of `#._` characters. + +## Catcontrol (WEB) + +Description: + +* "This is a cat named Tom, and with the right approach, you can get it to catch and bring you a mouse named flag." +* + +### Time spent + +I spent about half an hour looking for XXE exploit payloads and trying them. + +### Overview + +@lavish posted in the Mattermost channel that a XXE vulnerability exists in this application. So I looked up what is this and found some good resources to read: + +* good: +* +* +* + +I tried to send things like this (I controlled 151.236.29.95:8765): + +```http + + + + +%ext; +] +> +``` + +But the only request which worked (where I got a response at my server) is the one @lavish posted in Mattermost: + +```nc +nc web-catcontrol.ctfz.one 80 +POST / HTTP/1.1 +Host: web-catcontrol.ctfz.one +Content-type: text/xml +SOAPAction: aaaaa +Content-Length: 139 + + + + %ext; +]> + +``` + +### Solution/Exploitation + +I was not even close to solve this challenge. -- 2.43.0
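Review bot: writeups/mli/ctfzone-quals-19.md has lost everything that sat inside angle brackets, so several sections no longer carry their evidence: object 25 shows `/Creator` and `/Producer` with no values although the next paragraph refers to "the hex numbers above"; the `mutool info` output has `</Creator/Producer/...>>` where the dictionary should open with `<<`; the "mutool trace output" fence is empty; the three references ("According to this writeup ,", "the chinese chat protocol here ,", "According to , the flag") have no URL; and in the Catcontrol section the first payload block is empty and the `nc` request carries `Content-Length: 139` but no body, so the one payload said to have worked is not shown. Re-paste those blocks (the UTF-16 hex strings, the trace XML, the DTD with the external entity) escaped for markdown and add the links. The text also jumps from the xxd dump (`...2 0 obj.<`) straight to the bullet about "MZ", so the heading and description of the 16-bit exe challenge (`task1.exe`, `keyfile.txt`) appear to have been dropped the same way; the DOSbox, ida and ghidra subsections currently hang under "Strange Pdf". In the polyglot part it is worth stating that the listing starts at file offset 0: `25 5044` is `%PD` decoding as `and ax, 0x4450`, `46` is `F` (`inc si`), `2d 312e` is `-1.` and `34 0a` is `4\n`, which is why the PDF header itself is executable and why the bold bytes in the dump only begin at the comment after it. The disassembly then stops without its result: the int 0x10 calls set the cursor (ah=2) and write 0x39 ('9') five times and 0x33 ('3') once (ah=0xa, cx), so give the digits that come out, the x that was used and the flag that was accepted rather than only "It turned out to work". Minor: "So I created a empty file" -> "an empty file", "I was not even close to solve this challenge" -> "to solving", "The guy from the writeup" -> "The author of the writeup".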