Mitre CTF 2014 solutions

Author: Jethro Beekman

Binary200a/README

@@ -0,0 +1,9 @@
+From debugging/IDA:
+0 prints 'MCA-'
+9 prints 'Done' and invokes check routine
+1-8 print some character.
+=> PIN must be 0[1-8]{8}9 to have output match flag format.
+8^8 = 16M, should be brute-forceable.
+Also it matches against some MD5 hash, don't think there's a way around brute-forcing:
+gcc bf.c
+./a.out |./f0f09d8f2b40ccfb252654c8f4bb4171-safe |grep -B1 -m1 Granted

Binary200a/a.out

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <stdint.h>
+
+int main(void)
+{
+	char cbuf[16];
+	uint64_t* ibuf=&cbuf;
+	int i;
+	for (i=0;i<16777216;i++)
+	{
+		write(1,"0",1);
+		sprintf(cbuf,"%08o",i);
+		*ibuf+=0x0101010101010101ULL;
+		write(1,cbuf,8);
+		write(1,"9",1);
+	}
+}

Binary200a/bf.c

@@ -0,0 +1,4 @@
+Use debugger/IDA to figure out that it matches the input against a bunch of regexes.
+Use regex-extract.rb to extract them from the binary.
+Notice that the last 3 regexes are simple per-character matches once you remove the optional characters, and they're exactly 40 chars.
+Intersect those regexes to find the flag.

Binary200b/README

@@ -0,0 +1,4 @@
+offset=(-0x80489e0+2528)
+b=[0x80489e0,0x80489ec,0x8048a38,0x8048b00,0x8048be8,0x8048ccc,0x8048f08,0x8049148]
+a=IO.read('0002dc53347013336adf249ff7dedc19-matchmaker').force_encoding('binary')
+p b.map { |i| a[(i+offset)..-1].unpack('Z*')[0] }

Binary200b/regex-extract.rb

@@ -0,0 +1,29 @@
+res=[
+	"[\\d\\w]{40}",
+	"[\\d]+[\\w][\\d]+[\\d][\\d]+[\\w][\\d]+[\\w]+[\\d]+[\\w]+[\\d]+[\\w]+[\\d]+[\\w]+[\\d]+",
+	"[4-6][4-6][d-f][7-9][7-9][7-9][1-3][d-f][4-6][7-9][d-f][4-6][7-9][1-3][d-f][a-c][d-f][4-6][0-5]+[d-f][1-3][7-9][a-c][4-6][4-6][0-5]+[7-9][7-9][1-3][0-5]+[a-c][a-c][d-f][d-f][a-c][d-f][4-6][1-3][4-6]",
+	"[246][246][ace][789][789][789][135][ace][135][789][ace][135][789][135][bdf][ace][ace][135][0-5]+[0-1]{0,5}[bdf][135][789][bdf][246][135][0-5]+[0-1]{0,5}[789][789][135][0-5]+[0-1]{0,5}[ace][ace][bdf][bdf][bdf][bdf][135][246][246]",
+	"[34cd][56ef][56ef][789][789][789][34cd][56ef][56ef][789][56ef][56ef][789][12ab][34cd][34cd][56ef][56ef][0-5]+[34cd][34cd][789][12ab][34cd][56ef][0-5]+[789][789][12ab][0-5]+[34cd][34cd][34cd][34cd][12ab][56ef][56ef][12ab][56ef]",
+	"[46d][rfefhr]?[46d][rfefhr]?[13e][rfefhr]?[89ba][rfefhr]?[89ba][rfefhr]?[89ba][rfefhr]?[13e][rfefhr]?[13e][rfefhr]?[57c][rfefhr]?[89ba][rfefhr]?[13e][rfefhr]?[57c][rfefhr]?[89ba][rfefhr]?[13e][rfefhr]?[46d][rfefhr]?[57c][rfefhr]?[13e][rfefhr]?[57c][rfefhr]?[02f][rfefhr]?[46d][rfefhr]?[13e][rfefhr]?[89ba][rfefhr]?[89ba][rfefhr]?[46d][rfefhr]?[57c][rfefhr]?[02f][rfefhr]?[02f][rfefhr]?[89ba][rfefhr]?[89ba][rfefhr]?[13e][rfefhr]?[02f][rfefhr]?[57c][rfefhr]?[57c][rfefhr]?[46d][rfefhr]?[46d][rfefhr]?[89ba][rfefhr]?[02f][rfefhr]?[57c][rfefhr]?[02f][rfefhr]?[46d][rfefhr]?",
+	"[48c][gobble]?[26a][gobble]?[0def][gobble]?[48c][gobble]?[159][gobble]?[48c][gobble]?[37b][gobble]?[0def][gobble]?[159][gobble]?[48c][gobble]?[0def][gobble]?[159][gobble]?[159][gobble]?[159][gobble]?[0def][gobble]?[48c][gobble]?[0def][gobble]?[159][gobble]?[0def][gobble]?[0def][gobble]?[37b][gobble]?[48c][gobble]?[37b][gobble]?[48c][gobble]?[159][gobble]?[0def][gobble]?[0def][gobble]?[48c][gobble]?[159][gobble]?[159][gobble]?[0def][gobble]?[48c][gobble]?[48c][gobble]?[0def][gobble]?[0def][gobble]?[37b][gobble]?[0def][gobble]?[159][gobble]?[26a][gobble]?[26a][gobble]?",
+	"[1-9][1-9][a-f][1-9][1-9][1-9][1-9][a-f][1-9][1-9][a-f][1-9][1-9][1-9][a-f][a-f][a-f][1-9][0ace][a-f][1-9][1-9][a-f][1-9][1-9][0ace][0ace][1-9][1-9][1-9][0ace][a-f][a-f][a-f][a-f][a-f][a-f][1-9][1-9][1-9]"
+]
+valid_chars=[("0".."9").to_a+("a".."z").to_a]*40
+res[5].gsub!("[rfefhr]?","")
+res[6].gsub!("[gobble]?","")
+res[5..7].each do |re|
+	i=0
+	re.gsub(/\[([^\]]+)\]/) do
+		cc=$~[1]
+		if cc=~/^[^-]*$/ then
+			valid_chars[i]&=cc.chars.to_a
+		elsif cc=~/^(.)-(.)$/ then
+			valid_chars[i]&=(($~[1].to_s)..($~[2].to_s)).to_a
+		else
+			puts "Error #{cc}"
+			exit
+		end
+		i+=1
+	end
+end
+puts valid_chars.map { |v| v[0] }*""

Binary200b/regex-test.rb

@@ -0,0 +1,29 @@
+program calls ptrace to interfere with debugger, no matter, use LD_PRELOAD to disable:
+gcc -shared -fPIC -m32 ptrace.c
+LD_PRELOAD=./a.out ./9674ea9858c5edaa760ff4a656802999-doors
+
+Then, call doors with gdb in this order:
+
+doorwithkey
+door1
+door0
+door9001
+door2006
+door121
+door3
+door271
+door111970
+  doorBlue
+    door777
+	  door42
+		dead end
+	  door25
+		door5i
+		door42
+		  dead end
+  doorRed
+    door34
+    door111
+	door87
+	door66
+	  => get the flag

Binary300/README

@@ -0,0 +1,4 @@
+int ptrace(void)
+{
+	return 0;
+}

Binary300/a.out

@@ -0,0 +1,2 @@
+Multiple PNG files are concatenated.
+Use pngextract.rb to extract them all, view them to see the flag.

Binary300/ptrace.c

@@ -0,0 +1,7 @@
+a=IO.read('a9b1c6694f385f27c6929cdbadf9794e-sloth.png').force_encoding('binary')
+i=0
+while n=a.index(/\x89PNG/,i+1) do
+	IO.write("x#{i}.png",a[i...n])
+	i=n
+end
+IO.write("x#{i}.png",a[i...-1])

Forensics100/README

@@ -0,0 +1,8 @@
+=> Use volatility -- http://www.volatilityfoundation.org/
+python vol.py imageinfo -f 4BB1D32DF7-20140626-172101.raw 
+python vol.py hivelist -f 4BB1D32DF7-20140626-172101.raw --profile=WinXPSP3x86
+python vol.py hashdump -f 4BB1D32DF7-20140626-172101.raw --profile=WinXPSP3x86 -y 0xe1035b60 -s 0xe15cc008 > ~/Documents/Berke1337/MitreCTF2014/Forensics300a/hashes
+=> This gives a couple of LM hashes, break using http://rainbowtables.it64.com/ to get:
+SU94H S3CUR3
+7L#7XL9MQYL0BI
+=> These don't work, grep -ai SU94H on the memory dump to find the correct capitalization to unzip the zip and find the flag!

Forensics100/pngextract.rb

@@ -0,0 +1,11 @@
+*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
+*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
+*** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
+*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
+*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
+*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
+*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
+Administrator:500:dfb3869d218b2854b17a474c69a9d085:83804fff7edabbc34a99f4aa1b133c99:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+HelpAssistant:1000:49fceccc6e3d4049dbce689cde84fae1:96f44eb4f5e3cf212c70a0eb20436b8f:::
+SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2e2b5d20d78f296c8539003a6165278c:::

Forensics300a/README

@@ -0,0 +1,16 @@
+First, extract the .vmdk from the .ova, and then use vmdktool [1] to turn it into a raw image.
+Mount the image (read-only!!!) and do some simple forensics.
+Find /home/georgesr/.bash_history , this talks about contract-documents.zip but it's gone...
+We don't know the password to contract-documents.zip.nc...
+No worries, we have the whole disk image, so find all potential zip headers using:
+=> grep -a -b -o PK f300b.img > zipoff
+Then, use zipreader.rb to try to read the zip headers, output the offsets for zip files with the word 'contract'.
+Extract the zipfile from this offset and try to unzip... the supplied password doesn't work?
+Search for other passwords in the disk image:
+=> grep -a -b -o 'zip -P..................' ~/f300b.img
+First match we already tried
+Second match is the man page or something
+Third uses some shell parameter, explore around this offset to find a wrapper script that appends frozenbananas to the supplied password.
+Supply this to unzip to find the flag.
+
+[1] http://www.freshports.org/sysutils/vmdktool/

Forensics300a/hashes

@@ -0,0 +1,14 @@
+require 'zip/zip'
+
+IO.foreach('zipoff') do |line|
+	offset=line.split(':')[0].to_i
+	begin
+		zio=Zip::ZipInputStream.new("f300b.img",offset)
+		if zio then
+			entry=zio.get_next_entry
+			puts "#{offset} #{entry.name}" if entry and entry.name=~/contract/
+			zio.close
+		end
+	rescue
+	end
+end

Forensics300b/README

@@ -0,0 +1,10 @@
+Unzip
+Fix cstdlib-include...
+Play around a little with the keygen and modification times to put into srand()
+Nothing works...
+Remember there was .git
+=> gitk -> nothing interesting
+=> git branch -> shows other branch
+=> git checkout twig
+=> gitk
+WTF is a yellow square? Oh, look at that, it's a note with the flag.

Forensics300b/zipreader.rb

@@ -0,0 +1,13 @@
+Use debugger, break panel::setSys1 and panel::disSys1
+Run, and type at the prompt:
+R
+T
+B
+=> debugger breaks
+Call disSys2..4 as well from here with the right `this'
+continue
+=> debugger breaks again
+Call setSys2..4 as well from here with the right `this'
+continue
+=> get a prompt
+type U to unlock and the flag appears!

GrabBag100/README

@@ -0,0 +1,5 @@
+Go to directory index of missing logo
+"One of these is not like the others" => open File208032.html
+Click link
+Go to directory index of stylesheet
+Open 'THE_ORDER_IS_DEFINITELY_NOT_FOUND_IN_HERE', make things visible to read the order

GrabBag200a/README

@@ -0,0 +1,4 @@
+There's a JS file that has to do with the login, download it.
+First, use some online JS beautifier for good indenting.
+Then copy the array on top into ruby (yay, same syntax!), and use it to replace all occurences of strings using replace_838e.rb
+Check the login() function for the credentials, and after follow the leads in the page source a couple times to find the flag.