author | Malfurious <m@lfurio.us> | 2022-03-30 01:59:18 -0400
---|---|---
committer | Malfurious <m@lfurio.us> | 2022-03-30 01:59:18 -0400
commit | 3cf310e2f2c308e544a5681a2ba711b2adb8680c (patch) |
tree | e940b75a0fab67158e5dcc0f3a25d1a86d5f8acd |
parent | 6a617f6dea973862fc88fdbdbbf9c7afed44de62 (diff) |
parent | b8fe6c1f444b017582d191cdbdb8bbd8357849c7 (diff) |
Merge branch 'malf-pico-2022'
* malf-pico-2022:
picoCTF 2022 results
Add signal and coredump tips to gdb document
Add writeup for picoCTF 2022 / unpackme
Add writeup for picoCTF 2022 / Eavesdrop
Add writeup for picoCTF 2022 / Wizardlike
mode | file | lines
---|---|---
-rw-r--r-- | docs/re/gdb.txt | 26
-rw-r--r-- | docs/writeups/picoCTF_2022/Eavesdrop.txt | 48
-rw-r--r-- | docs/writeups/picoCTF_2022/Wizardlike.txt | 266
-rw-r--r-- | docs/writeups/picoCTF_2022/unpackme.txt | 67
-rw-r--r-- | scores.txt | 2

5 files changed, 409 insertions, 0 deletions
diff --git a/docs/re/gdb.txt b/docs/re/gdb.txt index 5772815..521a0b5 100644 --- a/docs/re/gdb.txt +++ b/docs/re/gdb.txt @@ -10,6 +10,7 @@ Getting started Launch GDB: > gdb <executable> # note: any arguments to the exe are supplied separately > gdb -p <process id> # attach to an already running process (requires root) + > gdb -c <core file> # debug a core file (gdb) run <argument0> <argument1> ... # Start running program @@ -36,6 +37,27 @@ Remove breakpoint: (gdb) d # deletes all breakpoints +Signals +------- +gdb can print a message when the program receives a signal, optionally stop +execution, or block the program from receiving the signal. By default, gdb will +stop on receipt of a typically-fatal signal, but silently pass along others +(like: SIGALRM, SIGCHLD, ...). If gdb stops, the program will not receive the +signal until execution continues. + +Show current signal handling: + (gdb) info signals + (gdb) info signals <sig> # info on single signal + +Control signal behavior: + (gdb) handle <sig> <keywords...> + + keywords are... + stop, nostop (should the debugger break) + print, noprint (should a message appear) + pass, nopass (should the program receive signal) + + Debugging --------- Inspect registers: @@ -89,6 +111,10 @@ Alter memory: (gdb) set {int}0x7fffffdead = 69 # Write the value 69 to given address as a 32-bit integer +Dump memory to core file: + You can create a core file for static analysis or reproducible debugging: + (gdb) generate-core-file + Process forks ------------- diff --git a/docs/writeups/picoCTF_2022/Eavesdrop.txt b/docs/writeups/picoCTF_2022/Eavesdrop.txt new file mode 100644 index 0000000..a8b55a2 --- /dev/null +++ b/docs/writeups/picoCTF_2022/Eavesdrop.txt 
@@ -0,0 +1,48 @@ +Download this packet capture and find the flag. + +Category: forensics (300 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Packet Capture Contents +----------------------- +We receive a pcap file. There is a bit of unrelated traffic, but two +conservations of interest: + + 1) A plaintext chat conversation between two parties on port 9001: + + Hey, how do you decrypt this file again? + You're serious? + Yeah, I'm serious + *sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 + Ok, great, thanks. + Let's use Discord next time, it's more secure. + C'mon, no one knows we use this program like this! + Whatever. + Hey. + Yeah? + Could you transfer the file to me again? + Oh great. Ok, over 9002? + Yeah, listening. + Sent it + Got it. + You're unbelievable + + 2) The transfer of the mentioned file, over port 9002: + + 00000000 53 61 6c 74 65 64 5f 5f 03 a9 15 e7 2c 0f b7 5f Salted__ ....,.._ + 00000010 35 2a da 1e 07 31 57 0d 63 6c af 9b 67 ac 26 48 5*...1W. cl..g.&H + 00000020 02 62 5a 94 48 b6 54 d1 ce 8a fb a4 dc ae 87 07 .bZ.H.T. ........ + +After saving the binary file contents to a local file, decrypt it using the +provided openssl command from the chat conservation. + + +> openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 +*** WARNING : deprecated key derivation used. +Using -iter or -pbkdf2 would be better. + +> cat file.txt +picoCTF{nc_73115_411_77b05957} diff --git a/docs/writeups/picoCTF_2022/Wizardlike.txt b/docs/writeups/picoCTF_2022/Wizardlike.txt new file mode 100644 index 0000000..c69ea38 --- /dev/null +++ b/docs/writeups/picoCTF_2022/Wizardlike.txt 
@@ -0,0 +1,266 @@ +Do you seek your destiny in these deplorable dungeons? If so, you may want to +look elsewhere. Many have gone before you and honestly, they've cleared out the +place of all monsters, ne'erdowells, bandits and every other sort of evil foe. +The dungeons themselves have seen better days too. There's a lot of missing +floors and key passages blocked off. You'd have to be a real wizard to make any +progress in this sorry excuse for a dungeon! + +'w', 'a', 's', 'd' moves your character and 'Q' quits. You'll need to improvise +some wizardly abilities to find the flag in this dungeon crawl. '.' is floor, +'#' are walls, '<' are stairs up to previous level, and '>' are stairs down to +next level. + +Category: re (500 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Setup +----- +A single 64-bit ELF is provided. As advertised, it plays a simple text-based +dungeon game. The user can move around, and travel between levels when touching +stairs. However, not all of the level is initially visible to the player. The +player must move around to reveal additional portions of the level, but is +blocked by walls ('#') and gaps (' '). + + + +RE +-- +RE of the binary reveals that the intended map dimensions are 100x100 chars. 
+See these relevant portions of reversed code: + + bool can_move(int x,int y) + { + bool _ret; + + /* Assert parameters are in [0, 100) */ + if ((((x < 100) && (y < 100)) && (-1 < x)) && (-1 < y)) { + /* If location is a wall ('#') or empty, block */ + if (((&_level_data)[(long)y * 100 + (long)x] == '#') || + ((&_level_data)[(long)y * 100 + (long)x] == ' ')) { + _ret = false; + } + else { + /* In-bounds floor, succeed */ + _ret = true; + } + } + else { + _ret = false; + } + return _ret; + } + + void set_level_data(char *data) + { + int y; + int x; + + for (y = 0; y < 100; y = y + 1) { + for (x = 0; x < 100; x = x + 1) { + (&_level_data)[(long)y * 100 + (long)x] = data[(long)x + (long)y * 100]; + } + } + return; + } + + [ and others ... ] + +This allows us to better inspect the level data stored in the binary. By +simply printing the data as-is, line-wrapping at 100 chars, we can see the +hidden portions of the levels, with the geometry preserved as intended. + +After doing this, the flag characters become visible as structures within the +game levels. Start with level 1, and proceed in order. + + + +Solution / Level data +--------------------- +Some extra level areas are omitted. Besides the first two, the reaining levels +contain only a single flag character each. + + picoCTF{ur_4_w1z4rd_2A05D7A8} + + +######### +#.......# ......#................................... +#.......# ....................####.#####.#####..###. +#........ .####.#..###..###..#.......#...#......#... +#.......# .# #.#.#....# #.#.......#...###...#.... +#.......# .####.#.#....# #.#.......#...#......#... +#.......# .#....#..###..###...####...#...#......###. +#.......# .#........................................ +#.......# .......................................... +#.......# +#.......# +#.......# +#.......# +#.......# +#......># +######### + + +#####. ............................................................. +#.<.#. ...............#..#.............##.......#..#........#....... +#...#. 
.#..#.###......#..#.......#...#..#.####..#..#.###....#....... +#...#. .#..#.#........####.......#.#.#..#...#...####.#...####....... +#...#. .####.#...####....#.#####..#.#..###.####....#.#...####.#####. + . ............................................................. + . ............................................................. + . ............................................................. +#.... +#...# +#...# +#...# +#...# +#...# +#.>.# +##### + + +################# ....... +#<..............#. ..###.. +#...............#.. .#...#. +#..............#........#.. +#...#.......#...#.. ...#... +#..###.....###..#. .#####. +#...#...#...#...# ....... +#......#>#......# ....... +#...............# +#...#.......#...# +#..###.....###..# +#...#.......#...# +#...............# +#...............# +#...............# +################# + + +... .. ....... +.<. ####. ..###.. +... ...#.. .#...#. +... ...#....#####. + ..>#.. .#...#. + ####. .#...#. + .. ....... + ....... + + +######################## +#<.............#.......# +#..............#..###..# +#..............#.#...#.# +#..............#.#...#.# +#..............#.#...#.# +#..............#..###..# +#..............#.......# +#..............#.......# +######################## + + +....... +.<..... +....... +....... +....... +....... +....... +....... +....... +....... +....... +.....>. +....... +####### +....... +.#####. +.#..... +.####.. +.....#. +.####.. +....... +....... + + +... +.<......... +........... +... .. + .. + .. + .. + .. + .. + .. + .............. + ..##########.. + .# #. + .# ....... #. + .# .####.. #. + .# .#...#. #. + .# .#...#. #. + .# .#...#. #. + .# .####.. #. + .# ....... #. + .# ....... #. + .# #. + ..##########.. 
+ .............> + + +######################### +#<#......#.#.......###..# +#.#.###..#.#.......##..## +#.#.#.#..#.#.......#..### +#.#.#.#..#.#.......#...## +#...#....#..#......#....# +#.######.##..###.###....# +#.#.....................# +#.###.#################.# +#.......................# +#########.###.#########.# +#.......#.#.#.#.........# +#.#####.#.#...#.######### +#....#..#.#.#.#.........# +#...#...#.#.#.#########.# +#..#....#.#.#.#.........# +#..#....#.#.#.#.######### +#.......#.#.#.#.........# +#.......#.#.#.#########.# +#########.#.#.#...#...#.# +#...........#.#.#.#.#.#.# +#########...#.#.#.#.#.#.# +#.......#...#.#.#.#.#.#.# +####.####...#.#.#.#.#.#.# +##..........#.#.#.#.#.#.# +#.#..####...#.#.#.#.#.#.# +#..#....#####.#.#.#.#.#.# +#...#...#...#.#.#...#...# +#....#........#.######### +#...........#.#........># +########################. + + +... ....... +.<. ..###.. +... .#...#. +... .#####. + .#...#. + .#...#. + ....... + ....... + + +#################################################################################################### +#####################################################################################..............# +#####################################################################################..###..###....# +#####################################################################################.#...#...#....# +#####################################################################################..###.....#...# +#####################################################################################.#...#...#....# +#####################################################################################..###..###....# +#####################################################################################..............# +#####################################################################################..............# +#################################################################################################### 
diff --git a/docs/writeups/picoCTF_2022/unpackme.txt b/docs/writeups/picoCTF_2022/unpackme.txt new file mode 100644 index 0000000..79e0970 --- /dev/null +++ b/docs/writeups/picoCTF_2022/unpackme.txt 
@@ -0,0 +1,67 @@ +Can you get the flag? Reverse engineer this binary. + +Category: re (300 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Setup +----- +We are given a single ELF binary named 'unpackme-upx'. The challenge hint +(matching my initial intuition) vaguely hinted at looking up what UPX is. + +UPX is a self-extracting executable solution. The name means: +Ultimate Packer for eXecutables. So, the bulk of the target logic in the +file should be compressed and not directly accessible to analysis. + +When run, the program prints "What's my favorite number?" to the console, +and "Sorry, that's not it!" when you supply the wrong input. + + + +RE +-- +I imported the initial binary into Ghidra anyway, to look around. Just +a handful of functions to support the extraction - nothing necessarily of +interest. + +Keep in mind, the file is stripped and statically linked. This could be +because the shell logic doesn't require many dependencies, but likely +requires the target ELF to be statically linked as well, and we're carrying +a compressed clib too. + +I initially attempted to recover the program logic via dynamic analysis. I +started the program, and attached to it with GDB after it showed its prompt. +It did appear to be in the middle of the read syscall, so my intent was to feed +it bad input, then step out to the main function to study the code disassembly. +For some reason, I couldn't actually follow the program back that far, and some +memory accesses were causing problems. Plan B: make a coredump file and +transition back to static analysis. + + > binwalk core.188218 + + DECIMAL HEXADECIMAL DESCRIPTION + -------------------------------------------------------------------------------- + 0 0x0 ELF, 64-bit LSB core file AMD x86-64, version 1 (SYSV) + 736 0x2E0 ELF, 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux) + 734736 0xB3610 Unix path: /usr/share/locale + ... 
+ +I determined the target ELF to be the file signature at offset 0x2e0, isolated +this data, and performed disassembly. The 'main' function contains these +opcodes at the possible jump to the error message: + + 0x00401ef8 3dcb830b00 cmp eax, 0xb83cb + 0x00401efd 7543 jne 0x401f42 + ... + 0x00401f42 488d3dda100b. lea rdi, [0x004b3023] ; "Sorry, that's not it!" + 0x00401f49 e842ef0100 call fcn.00420e90 (likely puts) + +So we should skip this jmp and proceed to the success case of the code if the +user enters the number 0xb83cb (754635). + + +> ./unpackme-upx +What's my favorite number? 754635 +picoCTF{up><_m3_f7w_ed7b0850} @@ -17,3 +17,5 @@ BuckeyeCTF 2021 326 152 /505 Killer Queen CTF 2021 4084 45 /251 N1CTF 2021 136 110 /601 Metasploit Community CTF 2021 1300 22 /265 (727) + +picoCTF 2022 13100 140 /7794 |
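Review bot: the added launch example `> gdb -c <core file> # debug a core file` in docs/re/gdb.txt should also name the executable, since gdb cannot resolve symbols or source from a core file alone; suggest `> gdb <executable> -c <core file>` so it matches the `gdb <executable>` form two lines above it.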
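Review bot: in the new Signals section of docs/re/gdb.txt, the keyword list under `(gdb) handle <sig> <keywords...>` presents `stop`/`nostop`, `print`/`noprint` and `pass`/`nopass` as independent, but `stop` implies `print` and `noprint` implies `nostop`; one line saying so would prevent readers from expecting `stop noprint` to be silent. The `<sig>` argument also accepts several signals or `all`, which is useful when muting a noisy signal set like the `SIGALRM, SIGCHLD, ...` example in the same paragraph.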
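Review bot: the `Dump memory to core file` entry in docs/re/gdb.txt should document that `generate-core-file` takes an optional output filename and has the shorter alias `gcore`; without the argument the file is named `core.<pid>`, which is exactly the `core.188218` that the unpackme writeup in this same merge goes on to binwalk, so stating the default name here ties the two documents together.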
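Review bot: `conservations` should be `conversations` in both `two conservations of interest:` and `from the chat conservation.` in docs/writeups/picoCTF_2022/Eavesdrop.txt. The writeup would also benefit from one sentence drawing the lesson out of the capture it reproduces: the password appears in clear text on port 9001 and the `Salted__` ciphertext on port 9002 of the same unencrypted capture, and the `deprecated key derivation used` warning that openssl prints is a second weakness on top of that.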
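Review bot: `reaining` should be `remaining` in `Besides the first two, the reaining levels` in docs/writeups/picoCTF_2022/Wizardlike.txt. The RE section says the hidden map is recovered by `printing the data as-is, line-wrapping at 100 chars`, but never states where `_level_data` sits in the binary or what command produced the 100-column reflow; giving the data offset or the one-liner used would make the level dumps below reproducible, and the 100x100 figure is already justified by the `(x < 100) && (y < 100)` bounds check in `can_move`.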
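Review bot: in docs/writeups/picoCTF_2022/unpackme.txt, `a compressed clib` presumably means `a compressed libc`, and `skip this jmp` refers to the `jne 0x401f42` in the listing, so `jne` would be the precise term. The writeup also carves the inner ELF from the core dump at offset 0x2e0 without saying why that works: the core holds the process memory image after the UPX stub has already run, so the carved ELF is the decompressed program and the disassembly at `0x00401ef8` is readable without a separate unpacking step. One sentence to that effect would make the `Plan B` reasoning explicit.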