RuCTF Quals 2014, vuln 300

We were given SSH access to a server with a setuid binary called posts in our user's home folder. There was a "key" file readable by the binary's owner. ASLR was disabled.

$ file posts
posts: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.26, not stripped

Example of program usage:
$ ./posts
Your name? endragor
Sup endragor
Welcome to notes service
How many notes save? 1
Title? Write-Up
Content? HACK_AND_GET_THE_FLAG
View your notes.
Write-Up:HACK_AND_GET_THE_FLAG

So it asks for your name, then the number of notes you want to save, and for every note you enter a title and content. Then it prints all your notes in the format "[title]:[content]". The program truncates notes at any whitespace character, so it is clear that scanf("%s") is used.
Let’s look at it decompiled:
[Image: posts decompiled]
1. It stores our name on stack.
2. It calculates the addresses where our title and content are stored in an odd way.
3. It uses an unbounded scanf to read our title and content, so we can overflow any of these buffers.
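
As an added illustration (not the task binary's code, nor the write-up's own), here is the unbounded scanf("%s") read beside the bounded form that would have kept a long title from spilling into the content field and the function-pointer slot behind it; the slot layout (title at +4, content at +260 of a 516-byte slot) is assumed from the decompilation discussed in this write-up.

```c
#include <stdio.h>
#include <string.h>

/* Layout assumed from the write-up: title at +4, content at +260 of each
 * 516-byte note slot, so a field has 256 bytes before the next one begins. */
#define SLOT_SIZE   516
#define TITLE_OFF   4
#define CONTENT_OFF 260
#define FIELD_LEN   (CONTENT_OFF - TITLE_OFF)   /* 256 */

/* The pattern the binary uses: "%s" stops at whitespace only, so a token
 * longer than the field keeps writing into whatever follows it. */
static void read_field_unbounded(const char *input, char *dst) {
    sscanf(input, "%s", dst);
}

/* Hardened form: a width of cap-1 in the conversion bounds the copy and
 * sscanf still appends the NUL, so an oversized token is truncated instead. */
static int read_field_bounded(const char *input, char *dst, size_t cap) {
    char fmt[16];
    if (cap < 2) return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);   /* e.g. "%255s" */
    return sscanf(input, fmt, dst) == 1;
}

/* Reads a constructed 300-byte title into a slot whose content field holds a
 * sentinel; returns 1 if the sentinel survived, 0 if the title spilled over it. */
static int title_read_test(int bounded, size_t *title_len) {
    unsigned char slot[SLOT_SIZE];
    char input[301];                          /* constructed sample: 300 x 'A' */
    memset(input, 'A', 300);
    input[300] = '\0';
    memset(slot, 0, sizeof slot);
    memcpy(slot + CONTENT_OFF, "SENTINEL", 9);
    if (bounded)
        read_field_bounded(input, (char *)slot + TITLE_OFF, FIELD_LEN);
    else
        read_field_unbounded(input, (char *)slot + TITLE_OFF);
    *title_len = strlen((char *)slot + TITLE_OFF);
    return memcmp(slot + CONTENT_OFF, "SENTINEL", 9) == 0;
}

int main(void) {
    size_t len;
    int intact = title_read_test(0, &len);
    printf("unbounded: title length %zu, content intact: %d\n", len, intact);
    intact = title_read_test(1, &len);
    printf("bounded:   title length %zu, content intact: %d\n", len, intact);
    return 0;
}
```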

Here is how addresses are calculated (assume Posts is byte pointer):
For title: **(Posts + i * 516)(i << 9)
For content: *(*(Posts + i * 516) + 4)(i << 9)
So it takes the address stored at (Posts + i * 516), reads the two function addresses located there, then calls the first function to get the title address and the second function to get the content address.
Let's see what those functions are:
[Image: gdb output for posts]
[Image: IDA view of get_title / get_content]
So the first one simply returns "arg0+4" and the second one "arg0+260". Wait: the functions received "i << 9" as their parameter and were supposed to return addresses, and (i << 9) + 4 is definitely not a valid address. It turned out that IDA had decompiled the main function incorrectly and the actual parameter is (Posts + (i << 9)). Now it makes sense.
So these functions return a pointer into the Posts buffer again! Remember that the buffer contents were used to determine what to call? It sounds like we control EIP: we can put a pointer into Posts, and that pointer will lead into Posts again, where the pointer to our "ROP initializer" will be located. The problem is that we cannot write a pointer to Posts, since the address of Posts (and all the available addresses below it) contains a 0x0D byte, which makes scanf stop reading. Fortunately, ASLR is disabled, so we can simply put a pointer to the stack instead, and the stack (our name) will contain the pointer to the gadget that starts the stack unrolling.
Here is the script that generates the payload:

Now let's try it:
user@vuln2:~$ cat /tmp/h34d_payload.dat | ./posts
Your name? Sup ?
               T?
Welcome to notes service
c4RJ4rbortpLxG6L0fKu6dyAA4d4y0Y8

Flag is: c4RJ4rbortpLxG6L0fKu6dyAA4d4y0Y8

RuCTF Quals 2014, vuln 100

Task description:

vuln1.quals.ructf.org:16712 [link to binary]
Flag format is “RUCTF_.*”.

1. nc vuln1.quals.ructf.org 16712
2. Enter random stuff
3. See that the server returns a hint every time, with background colors that depend on the input.
4. Notice that with some inputs the hint is clearly "7".
5. Enter 7.
6. Get the flag.

RuCTF Quals 2014, reverse 10

The task asks to calculate the MD5 of the RAGGER.HSC file in the harm0597 discmag.

1. Go to https://www.google.com/?q=ragger.hsc
2. Click on the first result
3. Download the file
4. MD5 (ragger.hsc) = 8fafa0b0ed4984edd8ffac5cd0f46089

Flag is: 8fafa0b0ed4984edd8ffac5cd0f46089

RuCTF Quals 2014, forensics 200

We have some corrupted files. Flag format is “RUCTF_.*”

After a little investigation, and with the help of the task name "NoSQL", we figured out that the files in the archive are corrupted MongoDB files.

So we needed to get the information out of the corrupted database. After a little googling, the following two solutions were found:

  1. mongod --repair  // however, it did not help to solve the puzzle
  2. purplebeard


RuCTF Quals 2014, forensics 100

We intercepted configs and a dump. What were they hiding on http://10.100.0.1/?

Extract the archive:

Check the strings and you will find the username and password in plain text:

Connect to the VPN using openvpn with the provided config, certificate and the credentials (SuperPuperRoot:VeryStrongSecret) and try to open http://10.100.0.1/

Flag: RUCTF_29793ced32a8c89481c83827cf24647a

RuCTF Quals 2014, crypto 200

Mary Queen of Scots goes Chinese. We captured a secret message from the prison where Mary Queen is held. Help us figure out what the message means.

Fine, the file contains many Chinese Unicode symbols. After a little googling we found a description of Queen Mary's cipher. You can read it here. Okay, it's just a modified substitution cipher, and we can break it via frequency analysis.


RuCTF Quals 2014, recon 300

Have you ever met Olimpiada Balalaykina?
She is a young girl who likes to chat and dreams to meet Pavel Durov.
Somebody is telegraphing her strange messages with secret password. Could you find that?
Flag format is “RUCTF_.*”

Olimpiada has the following profile picture:

[Image: Olimpiada's profile picture]

Click "download full-size photo" and we will see the phone number on the picture:

+37255933368

Then, from the following post and the version shown on the screenshot, the following Chrome extension was found: Telegram UNOFFICIAL 0.0.19 Alpha

After a few hours of trying to figure out the right messenger for this number (Telegram, WhatsApp, Viber), a new post appeared on Olimpiada's page:

Guys, I don’t like telegram messenger any more!(( Good old sms rulezzz!

After 5 hours of googling, we finally found the following service. The message with the flag was at the following link.

Flag: RUCTF_THE_MOST_SECRET_PA$$_3V3R

RuCTF Quals 2014, recon 200

Have you ever met Olimpiada Balalaykina?
She is a young girl who likes to chat and dreams to meet Pavel Durov.
Could you name the city where her camera was stolen?

On Olimpiada’s page in VK there is the following post:

My friend always tells me not to use my relatives' birthdays as a password, but he has just tweeted that his own mail had been hacked! Hahaha! :DDD

She also has 2 albums. The first one is about her grandma's birthday. The photos were uploaded on 5th March 2014, and the description of the album is "This is how I spent last Sunday! Granny, my dear, this birthday cake is for you! Love you! :-*". So the last Sunday was 2nd March, and on one photo there was a cake with the number 80 on it. This means that her granny's birthday is 2nd March 1934.
