TL;DR – continuous custom ASLR using a broken PRNG. Collect outputs, SAT solve for the initial state, predict next base address, ROP to victory.
This is a bit of a tour through my first use of Z3 on a CTF challenge, and might be useful to other Z3 noobs trying to figure out how to get started.
Continue reading DEFCON 2015 – fuckup
The challenge here was to escape a Python sandbox. There was a list of banned keywords, including sys, import and eval. On top of that, all but two functions were deleted from the __builtins__ list. The source code for the sandbox was available, which meant it was possible to modify it locally and see what might work.
Continue reading CSAW 2014 – Pybabbies – Exploitable 200
This challenge had a binary running on a server that would send a challenge and expect a response.
You have stolen the checking program for the CSAW Challenge-Response-Authentication-Protocol system. Unfortunately you forgot to grab the challenge-response keygen algorithm (libchallengeresponse.so). Can you still manage to bypass the secure system and read the flag?
Part of the binary was provided and some RE was required. On first inspection, the run() function accepts three commands:
- 160 – send challenge
- 224 – check response
- 128 – print key
Continue reading CSAW 2014 – Saturn – Exploitable 400
We’re presented with a nice simple webstore-style site, stocking the finest examples of wooden shoes:
When we do a search, e.g. for “modern” sorted by price, the query goes out as:
The server responds with a redirection code, sending us to this URL for the actual page:
A quick attempt at some SQL shenanigans reveals that the first step filters out special characters, e.g. searching for ‘ takes us here:
Whether or not this involves SQL injection, it looks like there’s a filtering step we should try to defeat. Modifying the end of the hex “what” string gives a 500 Internal Server Error result, which is a nice start.
Continue reading ebCTF 2013 Teaser – Wooden Shoes
I was really excited to see what Eindbazen had up their sleeve for the preview to their first CTF, and I have to say I really enjoyed their challenges. “Espionage” was a nice little crypto teaser that took a little thought but we got there fairly quickly, which sounds about right for a 100 point challenge!
The challenge was presented as two encrypted messages, a crypt/decrypt python script, and a README that told us:
We suspect an employee of one of the embassies has leaked confidential information to a foreign intelligence agency. We’ve managed to capture an individual whom we assume to be the recipient of the info. Our forensics department has managed to recover two messages from his outbox, which appear to be encrypted using some crypto tool. Along with each email our suspect also received an SMS message containing a password, however we were only able to recover one – “SieR1mephad7oose”.
Could you help us decrypt both messages?
Sure enough, we were able to decrypt the first message with the crypto.py utility and the supplied password, which gave us this message:
From: Vlugge Japie <firstname.lastname@example.org>
To: Baron van Neemweggen <email@example.com>
Subj: Weekly update
Sorry, I failed to get my hands on the information you
requested. Please don't tell the bureau - I'll have it
next week, promise!
I don’t suppose they would be so kind as to use the same password for both messages? Of course not! Oh well, time to have a better look at the algorithm.
Continue reading Eindbazen Teaser 2013 – Espionage
Well this was a mere 50pt challenge, the first to open, yet only 18 teams solved it by the end of the competition!
We start with an HTML file containing Bryan Cantrill’s famous “Have you ever kissed a girl?” post. Diffing this against the original shows that the only differences are in whitespace at the ends of the lines. Every line has 0-9 spaces added to the end of it.
Then all you have to do is try a whole bunch of data manipulation to figure out the answer.
Whitespace was my first thought, but that needs tabs as well as spaces for any kind of IO. Number of spaces = character index on line? No. Number of spaces = index into alphabet? Nooope.
Continue reading GitS 2013 – Kiss
CryptoMat is a site where you can send encrypted messages to other users. Dog is a user on the site and has the key. Figure out how to get into his account and obtain it.
Web and crypto in one challenge! Sounds fun.
Essentially, we have a web site which allows users to send messages to one another, encrypted using an unknown algorithm. We can control the key and the plaintext, and see the ciphertext. The receiving user is shown the encoded data, which can include non-html-safe characters.
We’re told in the description that Dog has the key. Let’s get it.
Continue reading CSAW 2012 Web 400 – CryptoMat
Inspired by the impressive Eindbazen, here is a graph of the CSAW CTF 2012 teams listing “United Kingdom” as their country. It’s good to see the UK getting a better representation at these things!
Well played everyone, particularly 0x8f, who had us on the ropes for a while 😉
This challenge is a 64-bit Linux ELF executable. I never actually ran it untouched, but I believe it would print the same type of gibberish that the 100pt RE challenge did – in fact they are very similar executables.
Continue reading CSAW CTF 2012 Reversing 400
This file is a .NET binary. I used a trial of RedGate’s .NET Reflector to analyse it. After decompiling it the source looks like:
Continue reading CSAW CTF 2012 Reversing 300