| field | value | date |
|---|---|---|
| author | Malfurious <m@lfurio.us> | 2022-03-30 01:59:18 -0400 |
| committer | Malfurious <m@lfurio.us> | 2022-03-30 01:59:18 -0400 |
| commit | 3cf310e2f2c308e544a5681a2ba711b2adb8680c (patch) | |
| tree | e940b75a0fab67158e5dcc0f3a25d1a86d5f8acd /docs/writeups | |
| parent | 6a617f6dea973862fc88fdbdbbf9c7afed44de62 (diff) | |
| parent | b8fe6c1f444b017582d191cdbdb8bbd8357849c7 (diff) | |
| download | lib-des-gnux-3cf310e2f2c308e544a5681a2ba711b2adb8680c.tar.gz, lib-des-gnux-3cf310e2f2c308e544a5681a2ba711b2adb8680c.zip | |
Merge branch 'malf-pico-2022'
* malf-pico-2022:
picoCTF 2022 results
Add signal and coredump tips to gdb document
Add writeup for picoCTF 2022 / unpackme
Add writeup for picoCTF 2022 / Eavesdrop
Add writeup for picoCTF 2022 / Wizardlike
Diffstat (limited to 'docs/writeups')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/writeups/picoCTF_2022/Eavesdrop.txt | 48 |
| -rw-r--r-- | docs/writeups/picoCTF_2022/Wizardlike.txt | 266 |
| -rw-r--r-- | docs/writeups/picoCTF_2022/unpackme.txt | 67 |

3 files changed, 381 insertions, 0 deletions
diff --git a/docs/writeups/picoCTF_2022/Eavesdrop.txt b/docs/writeups/picoCTF_2022/Eavesdrop.txt new file mode 100644 index 0000000..a8b55a2 --- /dev/null +++ b/docs/writeups/picoCTF_2022/Eavesdrop.txt @@ -0,0 +1,48 @@ +Download this packet capture and find the flag. + +Category: forensics (300 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Packet Capture Contents +----------------------- +We receive a pcap file. There is a bit of unrelated traffic, but two +conservations of interest: + + 1) A plaintext chat conversation between two parties on port 9001: + + Hey, how do you decrypt this file again? + You're serious? + Yeah, I'm serious + *sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 + Ok, great, thanks. + Let's use Discord next time, it's more secure. + C'mon, no one knows we use this program like this! + Whatever. + Hey. + Yeah? + Could you transfer the file to me again? + Oh great. Ok, over 9002? + Yeah, listening. + Sent it + Got it. + You're unbelievable + + 2) The transfer of the mentioned file, over port 9002: + + 00000000 53 61 6c 74 65 64 5f 5f 03 a9 15 e7 2c 0f b7 5f Salted__ ....,.._ + 00000010 35 2a da 1e 07 31 57 0d 63 6c af 9b 67 ac 26 48 5*...1W. cl..g.&H + 00000020 02 62 5a 94 48 b6 54 d1 ce 8a fb a4 dc ae 87 07 .bZ.H.T. ........ + +After saving the binary file contents to a local file, decrypt it using the +provided openssl command from the chat conservation. + + +> openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 +*** WARNING : deprecated key derivation used. +Using -iter or -pbkdf2 would be better. + +> cat file.txt +picoCTF{nc_73115_411_77b05957} diff --git a/docs/writeups/picoCTF_2022/Wizardlike.txt b/docs/writeups/picoCTF_2022/Wizardlike.txt new file mode 100644 index 0000000..c69ea38 --- /dev/null +++ b/docs/writeups/picoCTF_2022/Wizardlike.txt 
@@ -0,0 +1,266 @@ +Do you seek your destiny in these deplorable dungeons? If so, you may want to +look elsewhere. Many have gone before you and honestly, they've cleared out the +place of all monsters, ne'erdowells, bandits and every other sort of evil foe. +The dungeons themselves have seen better days too. There's a lot of missing +floors and key passages blocked off. You'd have to be a real wizard to make any +progress in this sorry excuse for a dungeon! + +'w', 'a', 's', 'd' moves your character and 'Q' quits. You'll need to improvise +some wizardly abilities to find the flag in this dungeon crawl. '.' is floor, +'#' are walls, '<' are stairs up to previous level, and '>' are stairs down to +next level. + +Category: re (500 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Setup +----- +A single 64-bit ELF is provided. As advertised, it plays a simple text-based +dungeon game. The user can move around, and travel between levels when touching +stairs. However, not all of the level is initially visible to the player. The +player must move around to reveal additional portions of the level, but is +blocked by walls ('#') and gaps (' '). + + + +RE +-- +RE of the binary reveals that the intended map dimensions are 100x100 chars. 
+See these relevant portions of reversed code: + + bool can_move(int x,int y) + { + bool _ret; + + /* Assert parameters are in [0, 100) */ + if ((((x < 100) && (y < 100)) && (-1 < x)) && (-1 < y)) { + /* If location is a wall ('#') or empty, block */ + if (((&_level_data)[(long)y * 100 + (long)x] == '#') || + ((&_level_data)[(long)y * 100 + (long)x] == ' ')) { + _ret = false; + } + else { + /* In-bounds floor, succeed */ + _ret = true; + } + } + else { + _ret = false; + } + return _ret; + } + + void set_level_data(char *data) + { + int y; + int x; + + for (y = 0; y < 100; y = y + 1) { + for (x = 0; x < 100; x = x + 1) { + (&_level_data)[(long)y * 100 + (long)x] = data[(long)x + (long)y * 100]; + } + } + return; + } + + [ and others ... ] + +This allows us to better inspect the level data stored in the binary. By +simply printing the data as-is, line-wrapping at 100 chars, we can see the +hidden portions of the levels, with the geometry preserved as intended. + +After doing this, the flag characters become visible as structures within the +game levels. Start with level 1, and proceed in order. + + + +Solution / Level data +--------------------- +Some extra level areas are omitted. Besides the first two, the reaining levels +contain only a single flag character each. + + picoCTF{ur_4_w1z4rd_2A05D7A8} + + +######### +#.......# ......#................................... +#.......# ....................####.#####.#####..###. +#........ .####.#..###..###..#.......#...#......#... +#.......# .# #.#.#....# #.#.......#...###...#.... +#.......# .####.#.#....# #.#.......#...#......#... +#.......# .#....#..###..###...####...#...#......###. +#.......# .#........................................ +#.......# .......................................... +#.......# +#.......# +#.......# +#.......# +#.......# +#......># +######### + + +#####. ............................................................. +#.<.#. ...............#..#.............##.......#..#........#....... +#...#. 
.#..#.###......#..#.......#...#..#.####..#..#.###....#....... +#...#. .#..#.#........####.......#.#.#..#...#...####.#...####....... +#...#. .####.#...####....#.#####..#.#..###.####....#.#...####.#####. + . ............................................................. + . ............................................................. + . ............................................................. +#.... +#...# +#...# +#...# +#...# +#...# +#.>.# +##### + + +################# ....... +#<..............#. ..###.. +#...............#.. .#...#. +#..............#........#.. +#...#.......#...#.. ...#... +#..###.....###..#. .#####. +#...#...#...#...# ....... +#......#>#......# ....... +#...............# +#...#.......#...# +#..###.....###..# +#...#.......#...# +#...............# +#...............# +#...............# +################# + + +... .. ....... +.<. ####. ..###.. +... ...#.. .#...#. +... ...#....#####. + ..>#.. .#...#. + ####. .#...#. + .. ....... + ....... + + +######################## +#<.............#.......# +#..............#..###..# +#..............#.#...#.# +#..............#.#...#.# +#..............#.#...#.# +#..............#..###..# +#..............#.......# +#..............#.......# +######################## + + +....... +.<..... +....... +....... +....... +....... +....... +....... +....... +....... +....... +.....>. +....... +####### +....... +.#####. +.#..... +.####.. +.....#. +.####.. +....... +....... + + +... +.<......... +........... +... .. + .. + .. + .. + .. + .. + .. + .............. + ..##########.. + .# #. + .# ....... #. + .# .####.. #. + .# .#...#. #. + .# .#...#. #. + .# .#...#. #. + .# .####.. #. + .# ....... #. + .# ....... #. + .# #. + ..##########.. 
+ .............> + + +######################### +#<#......#.#.......###..# +#.#.###..#.#.......##..## +#.#.#.#..#.#.......#..### +#.#.#.#..#.#.......#...## +#...#....#..#......#....# +#.######.##..###.###....# +#.#.....................# +#.###.#################.# +#.......................# +#########.###.#########.# +#.......#.#.#.#.........# +#.#####.#.#...#.######### +#....#..#.#.#.#.........# +#...#...#.#.#.#########.# +#..#....#.#.#.#.........# +#..#....#.#.#.#.######### +#.......#.#.#.#.........# +#.......#.#.#.#########.# +#########.#.#.#...#...#.# +#...........#.#.#.#.#.#.# +#########...#.#.#.#.#.#.# +#.......#...#.#.#.#.#.#.# +####.####...#.#.#.#.#.#.# +##..........#.#.#.#.#.#.# +#.#..####...#.#.#.#.#.#.# +#..#....#####.#.#.#.#.#.# +#...#...#...#.#.#...#...# +#....#........#.######### +#...........#.#........># +########################. + + +... ....... +.<. ..###.. +... .#...#. +... .#####. + .#...#. + .#...#. + ....... + ....... + + +#################################################################################################### +#####################################################################################..............# +#####################################################################################..###..###....# +#####################################################################################.#...#...#....# +#####################################################################################..###.....#...# +#####################################################################################.#...#...#....# +#####################################################################################..###..###....# +#####################################################################################..............# +#####################################################################################..............# +#################################################################################################### 
diff --git a/docs/writeups/picoCTF_2022/unpackme.txt b/docs/writeups/picoCTF_2022/unpackme.txt new file mode 100644 index 0000000..79e0970 --- /dev/null +++ b/docs/writeups/picoCTF_2022/unpackme.txt 
@@ -0,0 +1,67 @@ +Can you get the flag? Reverse engineer this binary. + +Category: re (300 points) +Chall author: LT 'syreal' Jones +Writeup author: malfurious + + + +Setup +----- +We are given a single ELF binary named 'unpackme-upx'. The challenge hint +(matching my initial intuition) vaguely hinted at looking up what UPX is. + +UPX is a self-extracting executable solution. The name means: +Ultimate Packer for eXecutables. So, the bulk of the target logic in the +file should be compressed and not directly accessible to analysis. + +When run, the program prints "What's my favorite number?" to the console, +and "Sorry, that's not it!" when you supply the wrong input. + + + +RE +-- +I imported the initial binary into Ghidra anyway, to look around. Just +a handful of functions to support the extraction - nothing necessarily of +interest. + +Keep in mind, the file is stripped and statically linked. This could be +because the shell logic doesn't require many dependencies, but likely +requires the target ELF to be statically linked as well, and we're carrying +a compressed clib too. + +I initially attempted to recover the program logic via dynamic analysis. I +started the program, and attached to it with GDB after it showed its prompt. +It did appear to be in the middle of the read syscall, so my intent was to feed +it bad input, then step out to the main function to study the code disassembly. +For some reason, I couldn't actually follow the program back that far, and some +memory accesses were causing problems. Plan B: make a coredump file and +transition back to static analysis. + + > binwalk core.188218 + + DECIMAL HEXADECIMAL DESCRIPTION + -------------------------------------------------------------------------------- + 0 0x0 ELF, 64-bit LSB core file AMD x86-64, version 1 (SYSV) + 736 0x2E0 ELF, 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux) + 734736 0xB3610 Unix path: /usr/share/locale + ... 
+ +I determined the target ELF to be the file signature at offset 0x2e0, isolated +this data, and performed disassembly. The 'main' function contains these +opcodes at the possible jump to the error message: + + 0x00401ef8 3dcb830b00 cmp eax, 0xb83cb + 0x00401efd 7543 jne 0x401f42 + ... + 0x00401f42 488d3dda100b. lea rdi, [0x004b3023] ; "Sorry, that's not it!" + 0x00401f49 e842ef0100 call fcn.00420e90 (likely puts) + +So we should skip this jmp and proceed to the success case of the code if the +user enters the number 0xb83cb (754635). + + +> ./unpackme-upx +What's my favorite number? 754635 +picoCTF{up><_m3_f7w_ed7b0850} |
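Review bot: in the Eavesdrop.txt hunk, "conservations" should read "conversations" in both places ("two conservations of interest" and "from the chat conservation"). The captured openssl warning ("deprecated key derivation used") also deserves one sentence of explanation for readers: with `-k`, the key and IV are derived from the password plus the 8-byte salt that follows the `Salted__` header visible at the start of the transferred file, so `-salt` is redundant on decryption, and the derivation only matches if the digest in use is the same one the sender's OpenSSL version defaulted to (`-md` selects it). Stating that would make the decryption step reproducible across OpenSSL versions rather than relying on the reader's default.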
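Review bot: in the Wizardlike.txt hunk, "reaining" should be "remaining" in the "Solution / Level data" section. In the decompiled `can_move`, the comment "Assert parameters are in [0, 100)" suggests the function aborts on bad input, but it simply returns false for out-of-range coordinates; "Check" would be more accurate, and it is worth saying explicitly that this bounds check is what rules out moving off the edge of the 100x100 buffer, which is why the solution dumps `_level_data` statically with 100-character wrapping instead of exploring in-game.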
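Review bot: in the unpackme.txt hunk, "we're carrying a compressed clib too" should read "libc", and "skip this jmp" refers to the `jne 0x401f42` at 0x401efd; naming it as the conditional branch taken when the input differs from 0xb83cb would be clearer than "jmp". The conversion 0xb83cb = 754635 checks out. Since the writeup identifies the packer as stock UPX, it could mention `upx -d` on the original file as the usual way to recover the unpacked ELF, as a cross-check against the binary carved from the coredump at offset 0x2e0.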