1 of 18

CTFs

Fword CTF 2020

https://ctftime.org/event/1066

I did not solve the vast majority of challenges I am writing up here, but instead I am doing it to consolidate my own understanding of it. I also hope the writeups you find here help you understand the challenge, and if they did then it's fulfilled it's purpose and whether or not I originally completed them is irrelevant :)

Binary Exploitation

Molotov

A ret2libc with a given leak

‌Overview

Running the binary prints and hex value and prompts for input:

We can definitely cause it to segfault:

So let's work out what this value is and how we can use it.‌

Decompilation

‌

We chuck the binary into GHidra and get a simple disassembly. main calls vuln and does almost nothing else. vuln, however, has some interesting stuff:

‌

It prints the address of system! Awesome.‌

Let's run the binary on the remote serevr to leak the libc version.

‌

So now we essentially have a libc leak, we head over to .

Annoyingly, there are 4 possible libc versions, and we can only get it from trial and error. Aside from the libc version itself, the exploit is quite simple - subtract the offset of system from the leaked address to get libc base, then use that to get the location of /bin/sh.

The correct libc version is 2.30-0ubuntu2.1_i386.‌

Exploitation

Reversing

XO

Messing with the XOR

Overview

Let's try running the file:

Perhaps it wants a flag.txt file? Let's create one with the words FwordCTF{flag_flaggety_flag}:

This isn't quite counting the number of letters we enter. Let's see if the disassembly can shed any light on it.

X-MAS CTF 2020

I didn't manage to solve a huge number of these - I was quite busy, plus I suck - but I'll dump some writeups here for those I caught up on later.

Pwn

Do I Know You?

If we disassemble, the solution is pretty clear.

gets() is used to take in input, then the contents of another local variable are compared to 0xdeadbeef. Basic buffer overflow then overwrite a local variable:

X-MAS{ah_yes__i_d0_rememb3r_you}

Naughty

Overview

We receive a file called chall. NX is disabled, which is helpful. We inject shellcode, and execute our own shellcode.

Web

Not really my forte, but here we go, I can only get better.

PHP Master

Once we visit the URL, we are shown some code:

<?php

include('flag.php');

$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>

Clearly this is some type of Type Juggling exploit, but I'm not that familiar with it except for 0e md5 hashes and stuff. However, there are some restrictions here:

There can be no e character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==) but they must loosely equal each other (==)

PHP comparision is a known piece of junk, so we can find some weaknesses using .

Once set of possible parameters is 01 and 1, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to for this solution after the CTF). It appears that objetcs are automatically converted to numbers for loose comparisions, as loose only compares values while strict also compares types. Therefore the example above would both equal 1 under loose comparison.

Another, more interesting set is 200 and 2E3 (thanks to ). Note that 2E3 is an exponential, equivalent to 2 * 10^2. Once both are converted to integers, they pass the check.

HTB CyberSanta 2021

Crypto

Common Mistake

Common Mod, DIfferent e

In this challenge, we are given two sets of , and .

The plaintext encrypted to give is the same, and we can observe that the choice of is also the same, meaning the only difference is in the choice of . Here we can use some cool maffs with and to retrieve the original plaintext .

Firstly, if the greatest common divisor of and is , then there exists and such that

To calculate this, we can use the . But why is this helpful?

Well if we know that and and we know such that

Missing Reindeer

Cube Root Attack

In this challenge, we get a message.eml file containing an email:

Applications such as Outlook block downloading the file due to it's "malicious nature", but we can open the .eml file in VS Code easily and extract two things:

Firstly, there is a secret.enc

Xmas Spirit

We get given challenge.py and encrypted.bin. Analysing challenge.py:

It calculates two random values, and . For every byte in the plaintext file, it then calculates

Meet Me Halfway

Meet-in-the-middle attack on AES

We are given challenge.py, which does the following:

Creates two keys

Molotov

A ret2libc with a given leak

‌Overview

Running the binary prints and hex value and prompts for input:

$ ./molotov
f7d9ef00
Input :

We can definitely cause it to segfault:

$ python3 -c 'print("A"*300)' | ./molotov
f7d61f00
Input : 
Segmentation fault

So let's work out what this value is and how we can use it.‌

Decompilation

‌

We chuck the binary into GHidra and get a simple disassembly. main calls vuln and does almost nothing else. vuln, however, has some interesting stuff:

‌

It prints the address of system! Awesome.‌

Let's run the binary on the remote serevr to leak the libc version.

‌

So now we essentially have a libc leak, we head over to .

The correct libc version is 2.30-0ubuntu2.1_i386.‌

Exploitation

PHP Master

Once we visit the URL, we are shown some code:

<?php

include('flag.php');

$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>

Clearly this is some type of Type Juggling exploit, but I'm not that familiar with it except for 0e md5 hashes and stuff. However, there are some restrictions here:

There can be no e character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==) but they must loosely equal each other (==)

PHP comparision is a known piece of junk, so we can find some weaknesses using .

Another, more interesting set is 200 and 2E3 (thanks to ). Note that 2E3 is an exponential, equivalent to 2 * 10^2. Once both are converted to integers, they pass the check.

{'n': '0xa96e6f96f6aedd5f9f6a169229f11b6fab589bf6361c5268f8217b7fad96708cfbee7857573ac606d7569b44b02afcfcfdd93c21838af933366de22a6116a2a3dee1c0015457c4935991d97014804d3d3e0d2be03ad42f675f20f41ea2afbb70c0e2a79b49789131c2f28fe8214b4506db353a9a8093dc7779ec847c2bea690e653d388e2faff459e24738cd3659d9ede795e0d1f8821fd5b49224cb47ae66f9ae3c58fa66db5ea9f73d7b741939048a242e91224f98daf0641e8a8ff19b58fb8c49b1a5abb059f44249dfd611515115a144cc7c2ca29357af46a9dc1800ae9330778ff1b7a8e45321147453cf17ef3a2111ad33bfeba2b62a047fa6a7af0eef', 'e': '0x10001', 'ct': '0x55cfe232610aa54dffcfb346117f0a38c77a33a2c67addf7a0368c93ec5c3e1baec9d3fe35a123960edc2cbdc238f332507b044d5dee1110f49311efc55a2efd3cf041bfb27130c2266e8dc61e5b99f275665823f584bc6139be4c153cdcf153bf4247fb3f57283a53e8733f982d790a74e99a5b10429012bc865296f0d4f408f65ee02cf41879543460ffc79e84615cc2515ce9ba20fe5992b427e0bbec6681911a9e6c6bbc3ca36c9eb8923ef333fb7e02e82c7bfb65b80710d78372a55432a1442d75cad5b562209bed4f85245f0157a09ce10718bbcef2b294dffb3f00a5a804ed7ba4fb680eea86e366e4f0b0a6d804e61a3b9d57afb92ecb147a769874'} {'n': '0xa96e6f96f6aedd5f9f6a169229f11b6fab589bf6361c5268f8217b7fad96708cfbee7857573ac606d7569b44b02afcfcfdd93c21838af933366de22a6116a2a3dee1c0015457c4935991d97014804d3d3e0d2be03ad42f675f20f41ea2afbb70c0e2a79b49789131c2f28fe8214b4506db353a9a8093dc7779ec847c2bea690e653d388e2faff459e24738cd3659d9ede795e0d1f8821fd5b49224cb47ae66f9ae3c58fa66db5ea9f73d7b741939048a242e91224f98daf0641e8a8ff19b58fb8c49b1a5abb059f44249dfd611515115a144cc7c2ca29357af46a9dc1800ae9330778ff1b7a8e45321147453cf17ef3a2111ad33bfeba2b62a047fa6a7af0eef', 'e': '0x23', 'ct': '0x79834ce329453d3c4af06789e9dd654e43c16a85d8ba0dfa443aefe1ab4912a12a43b44f58f0b617662a459915e0c92a2429868a6b1d7aaaba500254c7eceba0a2df7144863f1889fab44122c9f355b74e3f357d17f0e693f261c0b9cefd07ca3d1b36563a8a8c985e211f9954ce07d4f75db40ce96feb6c91211a9ff9c0a21cad6c5090acf48bfd88042ad3c243850ad3afd6c33dd343c793c0fa2f98b4eabea399409c1966013a884368fc92310ebcb3be81d3702b936e7e883eeb94c2ebb0f9e5e6d3978c1f1f9c5a10e23a9d3252daac87f9bb748c961d3d361cc7dacb9da38ab8f2a1595d7a2eba5dce5abee659ad91a15b553d6e32d8118d1123859208'}

CTFs

Fword CTF 2020

Binary Exploitation

Molotov

hashtag‌Overview

hashtagDecompilation

hashtagExploitation

Reversing

XO

hashtagOverview

X-MAS CTF 2020

Pwn

Do I Know You?

Naughty

hashtagOverview

hashtag

Web

PHP Master

HTB CyberSanta 2021

Crypto

Common Mistake

Missing Reindeer

hashtagContents

Xmas Spirit

hashtagContents

Meet Me Halfway

hashtagContents

Molotov

hashtag‌Overview

hashtagDecompilation

hashtagExploitation

Reversing

Web

X-MAS CTF 2020

PHP Master

Naughty

hashtagOverview

hashtag

XO

hashtagOverview

Pwn

Crypto

HTB CyberSanta 2021

hashtagExploitation

hashtagCleaning Up

hashtagWorking out the Flaw

hashtagUsing the Flaw

hashtagExploit

hashtagLocal

hashtagRemote

Common Mistake

Do I Know You?

Xmas Spirit

hashtagContents

Meet Me Halfway

hashtagContents

Fword CTF 2020

hashtagAnalysis

hashtagSolution

hashtagThe Attack

hashtagSolve Script

Missing Reindeer

hashtagContents

Binary Exploitation

hashtagAnalysing the Public Key

hashtagRecovering c

CTFs

‌Overview

Decompilation

Exploitation

Overview

Overview

Contents

Contents

Contents

‌Overview

Decompilation

Exploitation

Overview

Overview

Exploitation

Cleaning Up

Working out the Flaw

Using the Flaw

Exploit

Local

Remote

Contents

Contents

Analysis

Solution

The Attack

Solve Script

Contents

Analysing the Public Key

Recovering c