PWNIUMCTF2014-JJSN Summary

Source: Internet
Author: User
Tags: md5, encryption

Write-ups

This article was first published on TSRC; original address: http://security.tencent.com/index.php/blog/msg/55

Forensics: USB is fun

This task provides a file: http://41.231.53.40/for1.pcapng

The extension is pcapng, but in a CTF what you see is not necessarily what you get, so we checked with the file command and a hex tool:

The output confirms that the file really is in pcapng format. A quick Google shows that pcapng is an extension of the pcap format, still experimental, and that Wireshark can open it. The impatient might open the 22 MB file straight in Wireshark and start wading through packets. One of the most common forensics tricks, though, is to run strings over the file and see what readable text it contains. The result:

The familiar flag string is right there. Submit it, done.

Altered Code

This task provides a .c file (http://41.231.53.40/MAIN.C) with no hint.

Compiling and running the file as-is prints a string of meaningless characters, certainly not the flag.

Next we tried reordering the code, compiling and running again; still nothing.

Finally, looking at the code as displayed on the web page (a trap here: an editor opening the .c file will auto-indent it nicely), we noticed that the indentation is inconsistent:

To confirm, we looked at the file in hex:

Normal lines are indented with spaces, while a few lines are indented with \t. So we commented out the tab-indented lines, compiled and ran again:

Submit, done.

Find the Owner

Task:

http://41.231.53.40/Forensics100.zip  flag format == Pwnium{md5[ip:port]}  Be careful, this file may harm your computer

The question is obviously what this file does. We first used Total Uninstall to monitor the registry and the C: drive, then ran the exe: no changes at all, so the exe must be doing something over the network. Opening Wireshark shows the following requests:

IP 193.95.68.245, port 81. MD5 it in the format the task gives, submit, done.

PS: the file is a trojan. A quicker way is to throw it at one of the many online malware analysis sites instead of analysing it yourself. A must for the lazy.

MISC: Look Closer

This task again gives only a RAR file (https://github.com/ctfs/write-ups/blob/master/pwnium-ctf-2014/look-closer/Misc1.rar?raw=true) and no hint.

After downloading it we could not open it: wrong format. So we looked at the file in hex:

Figure 7: hex view of Misc1.rar

The file header clearly says this is a JPG, so we changed the extension, and the flag is in the picture:

Submit, done.

So basic

This task likewise gives only a zip file (https://github.com/ctfs/write-ups/blob/master/pwnium-ctf-2014/so-basic/Misc75.zip?raw=true).

Unzipping it yields 40 small files, each containing a number that looks like an ASCII code.

First, merge the contents of all the files into one:

cat ./* > Misc75.txt

Then convert the numbers to the corresponding characters and look at the result:

Figure 9: result of unhexlify

It looks like a flag, but the order is scrambled. The character p came from the file named cfcd208495d565ef66e7dff9f98764da, which looks very much like an MD5 hash, so we tried to look it up: it is the MD5 of the character 0. So a bold guess: all 40 filenames are the MD5 hashes of 0 to 39. We modified the script accordingly:

Figure 10: the modified Python script

Yeah!! Got it.
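The reordering that the modified script performs, written out here as an added example (this is not the author's script from Figure 10). It assumes each file holds the hex of one ASCII code, as the unhexlify step suggests, and that the 40 filenames are md5("0") to md5("39"); recover_from_dir runs it over the unzipped directory, and constructed_sample is stand-in data, not the task's files.

```python
import hashlib
import os
import sys

# The filenames are md5("0") .. md5("39"); e.g. md5("0") = cfcd208495d565ef66e7dff9f98764da.
INDEX_BY_NAME = {hashlib.md5(str(i).encode()).hexdigest(): i for i in range(40)}


def recover_flag(files: dict) -> str:
    """files maps filename -> text content. Assumption: each content is one ASCII
    code written in hex (the unhexlify step). Sort by the position the name
    hashes to, then decode each byte."""
    unknown = [n for n in files if n not in INDEX_BY_NAME]
    if unknown:
        raise ValueError("not md5(0..39): %r" % unknown)
    ordered = sorted(files.items(), key=lambda kv: INDEX_BY_NAME[kv[0]])
    return "".join(chr(int(content.strip(), 16)) for _, content in ordered)


def recover_from_dir(path: str) -> str:
    """Read the 40 pieces from the unzipped directory, ignoring any other files."""
    files = {}
    for name in os.listdir(path):
        if name in INDEX_BY_NAME:
            with open(os.path.join(path, name)) as fh:
                files[name] = fh.read()
    return recover_flag(files)


def constructed_sample() -> dict:
    """Stand-in for the task's zip (constructed, not the real data): a 40-character
    string split into hex ASCII codes, each stored under the md5 of its position."""
    text = "Pwnium{constructed_sample_string_here!!}"
    assert len(text) == 40
    return {hashlib.md5(str(i).encode()).hexdigest(): format(ord(c), "02x")
            for i, c in enumerate(text)}


if __name__ == "__main__":
    # python so_basic.py <unzipped_dir>   (falls back to the constructed sample)
    print(recover_from_dir(sys.argv[1]) if len(sys.argv) > 1
          else recover_flag(constructed_sample()))
```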

Crypto: Break Me

The task gives a string:

"Qlpootfbwsztwtxsmoaaaasjaf/gowagadeaaaizmnt0jbkzhcqcyqta2gnbvxgsvxdyrthqkdxsmoa="

Experience says this is Base64, so we decoded it. The result contains non-printable characters, so it is not the flag yet.

We were a bit stuck here, so we Googled the first few characters of the decoded data and found posts saying they are the header of the bz2 file format. Comparing the head and tail of the data with the bzip2 format confirmed that the bytes are bzip2-compressed content. From there it is easy: decompress once more:

Submit, done.

Programming 2048 Crack Me fast

The task reads:

Crackme Fast. The binary: http://41.231.53.44:9393/ Send the password in less than 2 SECONDS: http://41.231.53.44:9393/check.php?p={[email protected]}

Visiting the address in the task gives a file; opening it:

The file starts with lpck, a header we did not recognise, but an MZ header follows. Deleting everything before the MZ header gives a working EXE.

It asks for a password. No way around it, into IDA it goes ... the key section is below:

.text:00401363 mov     [esp+5Ch+var_5C], offset aPassword ; "Password:"
.text:0040136A call    puts
.text:0040136F lea     eax, [esp+5Ch+var_3E]
.text:00401373 mov     [esp+5Ch+var_58], eax
.text:00401377 mov     [esp+5Ch+var_5C], offset aS ; "%s"
.text:0040137E call    scanf
.text:00401383 mov     [esp+5Ch+var_14], 0
.text:0040138B jmp     short loc_4013B1
.text:0040138D ; ---------------------------------------------------------------------------
.text:0040138D
.text:0040138D loc_40138D:                             ; CODE XREF: main+8F j
.text:0040138D mov     eax, [esp+5Ch+var_14]
.text:00401391 mov     eax, [esp+eax*4+5Ch+var_34]
.text:00401395 mov     ecx, eax
.text:00401397 xor     ecx, 1
.text:0040139A lea     edx, [esp+5Ch+var_3E]
.text:0040139E mov     eax, [esp+5Ch+var_14]
.text:004013A2 add     eax, edx
.text:004013A4 mov     al, [eax]
.text:004013A6 movsx   eax, al
.text:004013A9 cmp     ecx, eax
.text:004013AB jnz     short loc_4013C7
.text:004013AD inc     [esp+5Ch+var_14]
.text:004013B1
.text:004013B1 loc_4013B1:                             ; CODE XREF: main+57 j
.text:004013B1 mov     ebx, [esp+5Ch+var_14]
.text:004013B5 lea     eax, [esp+5Ch+var_3E]
.text:004013B9 mov     [esp+5Ch+var_5C], eax
.text:004013BC call    strlen
.text:004013C1 cmp     ebx, eax
.text:004013C3 jb      short loc_40138D
.text:004013C5 jmp     short loc_4013C8
.text:004013C7 ; ---------------------------------------------------------------------------
.text:004013C7
.text:004013C7 loc_4013C7:                             ; CODE XREF: main+77 j
.text:004013C7 nop
.text:004013C8
.text:004013C8 loc_4013C8:                             ; CODE XREF: main+91 j
.text:004013C8 lea     eax, [esp+5Ch+var_3E]
.text:004013CC mov     [esp+5Ch+var_5C], eax
.text:004013CF call    strlen
.text:004013D4 cmp     eax, 8
.text:004013D7 jnz     short loc_4013E8
.text:004013D9 cmp     [esp+5Ch+var_14], 8
.text:004013DE jnz     short loc_4013E8
.text:004013E0 mov     [esp+5Ch+var_10], 1
.text:004013E8
.text:004013E8 loc_4013E8:                             ; CODE XREF: main+A3 j
.text:004013E8                                         ; main+AA j
.text:004013E8 cmp     [esp+5Ch+var_10], 1
.text:004013ED jnz     short loc_4013FD
.text:004013EF mov     [esp+5Ch+var_5C], offset aGoodBoySendTha ; "Good boy! Send this pass to the server to"...
.text:004013F6 call    printf
.text:004013FB jmp     short loc_401409
.text:004013FD ; ---------------------------------------------------------------------------
.text:004013FD
.text:004013FD loc_4013FD:                             ; CODE XREF: main+B9 j
.text:004013FD mov     [esp+5Ch+var_5C], offset aSorryIncorrect ; "Sorry! Incorrect Pass"
.text:00401404 call    printf

Roughly: the input must be exactly 8 characters. For each position i, the DWORD at esp+5Ch+var_34 + i*4 is XORed with 1 and compared with the i-th input character (sign-extended); if all eight match, the password is correct.

Now let us see where the data at esp+5Ch+var_34 comes from:

.text:00401345 lea     edx, [esp+5Ch+var_34]
.text:00401349 mov     ebx, 402000h
.text:0040134E mov     eax, 8
.text:00401353 mov     edi, edx
.text:00401355 mov     esi, ebx
.text:00401357 mov     ecx, eax
.text:00401359 rep movsd

So it is 8 DWORDs copied from 0x402000 with rep movsd. Looking at that address:

XOR this data with 1 (as the xor ecx, 1 above does) and we have the password; submit it to get the flag.

The result: "Too late". Right, the task said less than 2 seconds.

So we converted the VA to a file offset, 0x1310, and wrote a script to do the whole thing automatically.
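The automation that last step describes, as an added example rather than the author's script. It assumes the 8 DWORDs sit at file offset 0x1310 of the EXE once the junk before the MZ header is removed, rebuilds the password by mirroring the xor-with-1 check from the listing, and, when run without arguments, fetches the binary and submits to check.php in one go to stay under the 2-second limit. constructed_image is stand-in data with a made-up password, not the real binary.

```python
import struct
import sys
import urllib.parse
import urllib.request

PASSWORD_OFFSET = 0x1310  # file offset of the 8 DWORDs at VA 0x402000 (from the write-up)
BINARY_URL = "http://41.231.53.44:9393/"               # from the task statement
CHECK_URL = "http://41.231.53.44:9393/check.php?p="    # from the task statement


def strip_prefix_to_mz(blob: bytes) -> bytes:
    """The download carries junk ("lpck"...) before the MZ header; drop it."""
    idx = blob.find(b"MZ")
    if idx < 0:
        raise ValueError("no MZ header found")
    return blob[idx:]


def extract_password(image: bytes, offset: int = PASSWORD_OFFSET) -> str:
    """Mirror the check loop: for i in 0..7, DWORD[i] ^ 1 must equal the sign-extended
    input character, so the low byte of DWORD[i] ^ 1 is character i."""
    if len(image) < offset + 32:
        raise ValueError("image too short for 8 DWORDs at offset 0x%x" % offset)
    dwords = struct.unpack_from("<8I", image, offset)
    return "".join(chr((d ^ 1) & 0xFF) for d in dwords)


def constructed_image() -> bytes:
    """Constructed stand-in for the real EXE: junk prefix, MZ header, padding, then
    8 DWORDs storing the made-up password 'Ex4mpl3!' the way the binary does."""
    secret = b"Ex4mpl3!"
    body = bytearray(b"MZ" + b"\x00" * (PASSWORD_OFFSET - 2))
    body += struct.pack("<8I", *[c ^ 1 for c in secret])
    return b"lpck" + bytes(body)


def solve_from_server(timeout: float = 1.5) -> str:
    """Download, extract and submit in a single run to beat the 2-second limit."""
    raw = urllib.request.urlopen(BINARY_URL, timeout=timeout).read()
    pw = extract_password(strip_prefix_to_mz(raw))
    url = CHECK_URL + urllib.parse.quote(pw, safe="")
    return urllib.request.urlopen(url, timeout=timeout).read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # offline: python crackme_fast.py downloaded_file
        with open(sys.argv[1], "rb") as fh:
            print(extract_password(strip_prefix_to_mz(fh.read())))
    else:
        print(solve_from_server())
```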

ROT

The task reads:

Rot, Rot-90, rot, Rot-90 ... nc 41.231.53.40 9090

Each connection returns a Base64 string that decodes to the bytes of a PNG file, which can be restored to:

Looking closely at the pieces, it seems the left and right halves just need to be folded back together, and the task title does say Rot-90.

The result after running the script:

Automatic submission, done.

Web: Guest Book

Task:

Find the key! http://41.231.53.43:8383/

The task is a web page whose "new post" feature has a time-based blind SQL injection in the post content. The flag is stored in the database, so we used the injection to get the database name, then the table and column names, and finally the flag itself. The blind injection gave database web200, table flag, column flag.

Blind SQL injection statement:

test', '1' and (select if(ascii((select flag from web200.flag where flag != '' limit 0,1)) = 100, sleep(5), 0)) #

Write a script to automate the process and it is easily solved.
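From the defender's side, an added example (not part of the write-up) that picks a time-based blind injection like the payload above out of web access logs: it URL-decodes each request, looks for a conditional wrapped around sleep()/benchmark(), and notes the tell-tale multi-second response time. It assumes combined-log lines with an nginx-style $request_time appended as the last field; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signals of time-based blind injection: a delay function inside a parameter,
# the if(cond, sleep(N), 0) shape used to extract one bit at a time, and a response
# that takes as long as the requested sleep.
DELAY_FUNC = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
CONDITIONAL = re.compile(r"\bif\s*\(|\bcase\b", re.I)
SLOW_SECONDS = 4.0  # a sleep(5) pushes the request time far beyond a normal post

# Assumed format: combined log with $request_time (seconds) appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)


def analyse(line: str):
    """Return (ip, decoded_target, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["target"])
    reasons = []
    if DELAY_FUNC.search(decoded):
        reasons.append("delay-function")
        if CONDITIONAL.search(decoded):
            reasons.append("conditional-delay")
    if float(m["secs"]) >= SLOW_SECONDS:
        reasons.append("slow-response")
    # A slow request alone is noise (busy server); alert only with a payload signal.
    if "delay-function" not in reasons:
        return None
    return (m["ip"], decoded, reasons)


def scan(lines):
    """Run analyse over an iterable of log lines and keep the hits."""
    return [hit for hit in (analyse(l) for l in lines) if hit]


# Constructed sample lines (not real traffic). The second one carries the write-up's
# payload, URL-encoded as it would appear in an access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2014:10:01:02 +0000] "POST /post.php?content=hello+world HTTP/1.1" 200 512 0.021',
    '10.0.0.9 - - [27/Jul/2014:10:01:09 +0000] "POST /post.php?content=test%27%2C+%271%27+and+%28select+if%28ascii%28%28select+flag+from+web200.flag+limit+0%2C1%29%29%3D100%2Csleep%285%29%2C0%29%29+%23 HTTP/1.1" 200 512 5.014',
    '10.0.0.7 - - [27/Jul/2014:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 2048 4.900',
]
```

In practice the slow-response signal pays off when correlated per source IP: a blind extraction issues hundreds of these requests, each waiting the full sleep on a true branch.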

Xwebsite

Task:

Find the key http://41.231.53.44/web100/index.php

The task is no longer reachable, so only a brief description. On the login page we used the universal login ' or '1'='1 and were logged in as administrator; then searching for ' or '1'='1 returned the flag. Isn't it simple? In fact many CTF problems are very simple once you have the right idea.

Reverse: Baby crack Me

Task:

A baybe crackme http://41.231.53.44/tasks/re10.zip

If the above address cannot be downloaded, the file is also at https://github.com/ctfs/write-ups/blob/master/pwnium-ctf-2014/baybe-crackme/re10.zip?raw=true.

Running the downloaded file prints "Baby Crackme" endlessly. Reversing it with IDA gives the following code:

Roughly: run with no arguments, the program prints "Baby Crackme" forever; run with an argument, it prints the flag.

The answer is G00D_B0Y; submitted, correct. Well, it is a 10-point question.

Kernel Land

Task:

The third Tick gives you the answer ;) http://41.231.53.40/kernel

Mirror:

Https://github.com/ctfs/write-ups/blob/master/pwnium-ctf-2014/kernel-land/kernel?raw=true

Running the downloaded file gives a segmentation fault, and IDA's debugger disconnects as soon as it attaches, so all that is left is to throw it into IDA and reverse it statically.

Starting from the start function, the code sets up the GDT, IDT and IRQs, then starts a timer, and the main thread ends; nothing flag-related so far ... Opening the timer handler shows the following code:

.text:00100958                 public timer_tick
.text:00100958 timer_tick      proc near               ; DATA XREF: timer_init+3 o
.text:00100958 sub     esp, 14h
.text:0010095B mov     eax, ds:1060C0h
.text:00100960 lea     edx, [eax+1]
.text:00100963 mov     ds:1060C0h, edx
.text:00100969 push    eax
.text:0010096A push    offset aDTick_ ; "%d Tick: \n"
.text:0010096F call    printf
.text:00100974 movzx   ecx, byte ptr ds:1060C0h
.text:0010097B add     esp, 10h
.text:0010097E mov     eax, 0
.text:00100983
.text:00100983 loc_100983:                             ; CODE XREF: timer_tick+42 j
.text:00100983 mov     edx, ecx
.text:00100985 xor     dl, byte ptr ds:flag[eax]
.text:0010098B add     edx, 1
.text:0010098E mov     byte ptr ds:flag[eax], dl
.text:00100994 add     eax, 1
.text:00100997 cmp     eax, 28h
.text:0010099A jnz     short loc_100983
.text:0010099C add     esp, 0Ch
.text:0010099F retn
.text:0010099F timer_tick      endp

The flag here is computed only from the tick counter, and only its low byte is used (movzx ecx, byte ptr), so there are just 256 possible values for the flag; dump them all and the right one is easy to spot.

Result:

Done.
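An added example (not the author's script) that re-implements timer_tick from the listing in Python: flag_after_ticks replays the timer from a counter of 0 so the buffer at the third tick can be read off, and single_tick_candidates is the 256-value brute force described above. The real flag bytes are not in the write-up, so initial_bytes_for_third_tick is a constructed helper that produces demo input; it is not part of the binary.

```python
FLAG_LEN = 0x28  # the loop counts eax up to 28h, so the flag buffer is 40 bytes


def timer_tick(flag: bytearray, counter: int) -> int:
    """One invocation of timer_tick from the listing; returns the new counter.
    ecx is the low byte of the counter *after* the increment, and the
    'mov byte ptr' store truncates (ecx ^ flag[i]) + 1 to 8 bits."""
    counter += 1                  # lea edx, [eax+1] / mov ds:1060C0h, edx
    ecx = counter & 0xFF          # movzx ecx, byte ptr ds:1060C0h
    for i in range(FLAG_LEN):     # loc_100983 .. jnz short loc_100983
        flag[i] = ((ecx ^ flag[i]) + 1) & 0xFF
    return counter


def flag_after_ticks(initial: bytes, ticks: int) -> bytes:
    """Run the timer `ticks` times from a fresh counter of 0 and return the buffer."""
    if len(initial) != FLAG_LEN:
        raise ValueError("flag buffer must be 0x28 bytes")
    buf, counter = bytearray(initial), 0
    for _ in range(ticks):
        counter = timer_tick(buf, counter)
    return bytes(buf)


def single_tick_candidates(initial: bytes):
    """The brute force from the write-up: only the low byte of the counter feeds the
    XOR, so apply one tick with every value 0..255 to the original buffer and keep
    the results that are entirely printable ASCII. Returns [(tick, candidate), ...]."""
    out = []
    for ecx in range(256):
        cand = bytes(((ecx ^ b) + 1) & 0xFF for b in initial)
        if all(0x20 <= c < 0x7F for c in cand):
            out.append((ecx, cand))
    return out


def initial_bytes_for_third_tick(plaintext: bytes) -> bytes:
    """Constructed demo helper (not from the binary): undo three ticks so that
    flag_after_ticks(result, 3) == plaintext padded to 40 bytes. The inverse of one
    tick with value e is b = ((v - 1) & 0xFF) ^ e, applied for e = 3, 2, 1."""
    buf = bytearray(plaintext.ljust(FLAG_LEN, b" "))
    for e in (3, 2, 1):
        buf = bytearray((((v - 1) & 0xFF) ^ e) for v in buf)
    return bytes(buf)


SAMPLE_PLAINTEXT = b"Pwnium{constructed_sample_not_real}"  # constructed, not the flag
```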
