CTF on irq5 test

35C3 CTF Write-up: php

Mon, 07 Jan 2019 23:40:00 +0000

php (web)

PHP’s unserialization mechanism can be exceptional. Guest challenge by jvoisin.
Files at https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar. Challenge running at: nc 35.242.207.13 1

This challenge exposes a service written in PHP, and as you can guess, it has something to do with unserialization.

The single source file is straightforward to understand:

<?php

$line = trim(fgets(STDIN));

$flag = file_get_contents('/flag');

class B {
 function __destruct() {
 global $flag;
 echo $flag;
 }
}

$a = @unserialize($line);

throw new Exception('Well that was unexpected…');

echo $a;

Your goal is to get the flag printed by somehow getting the destructor of class B to execute.

Flare-On 2017 Write-up: "pewpewboat.exe"

Sat, 14 Oct 2017 23:30:00 +0000

Flare-On 2017 Challenge #5 – pewpewboat.exe

As usual, the first thing to do when tackling the challenge is to run the binary first, to see what it does. You will soon learn that it’s not actually a Windows executable, but rather a 64-bit Linux ELF.

$ ./pewpewboat.exe
Loading first pew pew map...
 1 2 3 4 5 6 7 8
 _________________
A |_|_|_|_|_|_|_|_|
B |_|_|_|_|_|_|_|_|
C |_|_|_|_|_|_|_|_|
D |_|_|_|_|_|_|_|_|
E |_|_|_|_|_|_|_|_|
F |_|_|_|_|_|_|_|_|
G |_|_|_|_|_|_|_|_|
H |_|_|_|_|_|_|_|_|

Rank: Seaman Recruit

Welcome to pewpewboat! We just loaded a pew pew map, start shootin'!

Enter a coordinate:

So this is a Battleship game. Playing manually for a bit, I see the “ships” form up in the shape what looked like a letter. Hmm could this be the flag?

It’s now time to read the code.

LabyREnth 2017: Binary 4

Thu, 27 Jul 2017 23:59:00 +0000

Hint: Send me this identifier together with your $$$$ to decrypt your file: da91e949f4c2e814f811fbadb3c195b8 Binary4 is a Mach-O binary, nothing IDA Pro can’t handle. You will notice it has some obfuscated names, like wshwfknafsknfadj, pojklfasd, etc. Looking at the main() function, IDA Pro’s decompiler produces the following pseudo-C code: memset(&v17, 0, 0x400uLL); v17 = 46; LODWORD(v3) = wshwfknafsknfadj(&v17, 0LL); v15 = v3; LODWORD(v4) = bmasdfiukjwe(&v17); v14 = v4; if ( 999 !

LabyREnth 2017 Write-up: "EzDroid"

Thu, 27 Jul 2017 20:49:00 +0000

Mobile track #1 - EzDroid Provided is an Android app package EzDroid.apk. I typically use an Android emulator for testing, it’s free and easy to install on all major platforms, so it’s pretty much a no brainer. After installation, it looks like it maanges to start but exits shortly after, for some unknown reason. Looks like it is time to inspect the code. I like looking at high-level languages, so let’s start with that first.

LabyREnth 2016 Write-up: "bowie.pl"

Wed, 03 Aug 2016 15:31:00 +0000

Unix track #1 - bowie.pl This is a Perl script which is really large (3MB). When you open it up, you’ll see it request input from STDIN, then compares it against these concatenated chars like so: my $input = <STDIN>; $input = trim($input); if ($input eq (chr(5156 - 5035) . chr(-4615 - -4716) . chr(3162 - 3047))) { ... It then has a lot of MIME::Base64::decode() statements, which seem to be building up data in variable $a.

LabyREnth 2016 Write-up: "Regex"

Wed, 03 Aug 2016 15:31:00 +0000

Random track #2 - Regex This is a challenge involving regular expressions. It reads the huge expression from the file omglob_what_is_dis_crap.txt. The code that reads and evaluates this expression will only provide you with the key if you provide it with an input that doesn’t match this expression. Of course the program runs on a remote server, so you don’t have direct access to the flag. Inspecting the expression, there’s a lot of “OR” conditions, and splitting them into lines gets you something like this:

X-CTF 2016 Badge Firmware

Tue, 19 Jul 2016 00:29:00 +0000

As promised, we are releasing the source code for the X-CTF badge, about 1 month after the event to give interested participants the chance to take a crack at it. If you are interested in the badge design process, check out my previous post on the hardware aspects.

Jeremias and Jeremy gave a talk at one of the Null Security meetups. Check out the slides if you haven’t already. In one part, Jeremy talks about the custom firmware he wrote for his badge and the additional challenges he set up for partipants to get more points. The 2nd part of the talk covers the electronic badge and challenges.

The Challenges

The challenges try to exploit the nature of being a self-contained electronic device. Rather than trying to replicate more CTF puzzles and simply placing them into the badge, we specially designed them for the badge.

You can find the answers to the badge puzzles (and the main CTF puzzles) in the X-CTF GitHub repo, which was released shortly after the event.

Since there’s only a single entry point into the set of challenges (meaning you must solve each puzzle before getting to the next), the puzzles must be designed with increasing levels of difficulty; too difficult and the participants will totally give up.

Stage 1: Catch Me If You Can

I particularly like this one. Unlike a program running on the computer, you can’t easily snapshot the state of the program, nor try to influence (slow down) its execution.

Designing the X-CTF 2016 Badge

Wed, 22 Jun 2016 00:29:00 +0000

I had the opportunity to collaborate with some NUS students to design the electronic badge for their X-CTF event this year.

The purpose of the badge was to inspire more people to take an interest in hardware hacking, or to get them started on electronics. With so much hype on the Internet-of-Things (IoT) these days, what better idea than to let participants take home their very own IoT device. The super low cost WiFi chip, Expressif’s ESP8266, made this possible. We also wanted it to be shaped like a gaming device, with a D-pad and an LCD.

You can see the final badge design above: a ESP8266-based board with a backlit monochrome Nokia LCD, D-pad and a SELECT button. Powered by a lithium-ion battery, charged via the USB port, which also provides a serial connection to the ESP8266.

I was inspired by the SyScan 2015 badge. It was so simple and spartan: a monochrome LCD, an LED, a 5-way joystick switch and a 32-bit ARM processor (on the back). As the regulator was built-in and it runs all the way down to 2.4V, there was no need for an external regulator.

32C3 CTF Write-up: gurke

Wed, 30 Dec 2015 20:29:00 +0000

gurke (misc) For this challenge, you are provided with a Python-based service that accepts a pickle and displays the result. You will need to coerce it to display the flag though, which is initialized at the start of the service. The service can be succinctly represented as follows: class Flag(object): def __init__(self): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("172.17.0.1", 1234)) self.flag = s.recv(1024).strip() s.close() flag = Flag() ... data = os.read(0, 4096) try: res = pickle.

32C3 CTF Write-up: config.bin

Wed, 30 Dec 2015 20:28:00 +0000

config.bin (forensics) You are provided with what they say is “a configuration backup of an embedded device”, and that “it seems to be encrypted”. Opening the file with a hex editor to look for any magic identifiers: 00: 4346 4731 0000 32d0 ef92 7ab0 5ab6 d80d CFG1..2...z.Z... 10: 3030 3030 3030 0000 0005 0003 0000 0000 000000.......... 20: 6261 47c3 d43b af2f 9300 bcaf adf4 5c8c baG..;./......\. 30: 3d02 9ea5 0bb7 3ce0 00f4 c5b3 901e d5fb =.