TUCTF2017.md

VM CHALLENGES

Challenge: Gateway Category: VM

This CTF provided a VM which encompassed a number of different challenges, the first part of which is to actually access it. When booting up the VM, we find that the drive it's accessing is encrypted and you need a passkey to decrypt it. Luckily there is an unencrypted drive that is accessible.

To access this, we need to add a live CD to the VM so that we can boot off that instead. I chose to use Kali Linux for this. Once we boot into Kali, we can access the unencrypted drive which is labeled "Boot".

Right away there is a file that stands out: "usefultool.exe". Running it, we discover that it is just a program that ROT13s whatever string you provide, which is a pretty good indicator that our flag will be ROT13-encoded and need decoding.

Looking around the drive more, nothing else of use turned up, so I took a closer look at the .exe. Running strings on it, I found something interesting.

However, this turned out to only be part of the flag. Looking closer at the strings output, it seems that the exe has been packed with UPX. Using UPX to unpack it, we can finally get the full output of all the strings, as well as our full ROT13 flag.

Decoding it, we get our flag as well as the password to decrypt the drive.

Challenge: Leap of Faith Category: VM

This challenge utilized the same exe from the previous challenge. I overthought this one a lot, but looking at all the strings in GDB by accessing the function 'randomPaddingFunction' that I was told to ignore, I finally realized that the first letter of each string gave the flag!

Challenge: Worth a Thousand Words Category: VM

In the photos folder on the VM there are three different jpgs. Each one contains a part of the flag. Using strings on 1.jpg we get the first part which is just TUCTF{.

2.jpg has a hidden file inside of it and we can extract it with binwalk. Dumping the contents we get our second part of the flag: Devils

3.jpg is corrupted and needs to be fixed before we can open it. This took a bit of research, but once I found which portions of the IHDR were wrong, I was able to edit it in hexeditor and make it so we can see the image. Running pngcheck helped confirm when it was actually uncorrupted.

Broken:

Edited:

Opening the image, there is a barcode on the screen in the picture, and scanning this gives us the final part of the flag: InThePixels}
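As an added example (my own code, not part of the original writeup or the challenge files), here is a small Python checker that does what pngcheck and binwalk were used for above: it walks the PNG chunk list, recomputes each CRC, validates the IHDR fields that a corrupted header typically breaks, and reports any bytes that follow IEND, which is where an appended hidden file would sit. The image bytes and the list of embedded-file signatures are constructed inline; nothing here is taken from 2.jpg or 3.jpg.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Bit depths the PNG spec allows for each colour type (IHDR bytes 8 and 9).
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}

# A few file signatures a binwalk-style carve would recognise in data that
# follows IEND (constructed list for this example).
EMBEDDED_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip",
                  b"\xff\xd8\xff": "jpeg", PNG_SIGNATURE: "png"}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Construct a tiny valid 8-bit RGB PNG as sample input (not a file from the CTF)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, then width*3 black pixel bytes
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def check_png(data: bytes) -> dict:
    """Walk the chunk list the way pngcheck does and report what is wrong.

    Returns chunk types seen, parsed IHDR fields, a list of problems, and any
    bytes that follow IEND (where an appended file would sit).
    """
    report = {"chunks": [], "ihdr": None, "problems": [], "trailing": b""}
    if data[:8] != PNG_SIGNATURE:
        report["problems"].append("bad PNG signature")
        return report
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc_field) < 4:
            report["problems"].append(f"truncated chunk {name}")
            return report
        report["chunks"].append(name)
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            report["problems"].append(f"CRC mismatch in {name}")
        if ctype == b"IHDR":
            report["problems"].extend(_check_ihdr(body, report))
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing"] = data[pos:]
            break
    if report["chunks"][:1] != ["IHDR"]:
        report["problems"].append("first chunk is not IHDR")
    if "IEND" not in report["chunks"]:
        report["problems"].append("missing IEND")
    return report


def _check_ihdr(body: bytes, report: dict) -> list:
    """Validate the 13 IHDR bytes: dimensions, depth/colour-type pair, method fields."""
    if len(body) != 13:
        return ["IHDR length is not 13"]
    w, h, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
    report["ihdr"] = {"width": w, "height": h, "depth": depth, "color_type": color}
    problems = []
    if w == 0 or h == 0:
        problems.append("zero width or height")
    if color not in VALID_DEPTHS:
        problems.append(f"unsupported color type {color}")
    elif depth not in VALID_DEPTHS[color]:
        problems.append(f"bit depth {depth} invalid for color type {color}")
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        problems.append("bad compression/filter/interlace method")
    return problems


def identify_trailing(trailing: bytes) -> str:
    """Name the format of data appended after IEND, or 'none'/'unknown'."""
    if not trailing:
        return "none"
    for magic, kind in EMBEDDED_MAGIC.items():
        if trailing.startswith(magic):
            return kind
    return "unknown"
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `check_png`. A CRC mismatch on one chunk together with a field outside the allowed values narrows the hex edit down to those bytes, and a non-empty `trailing` with a recognised signature is exactly the case binwalk carves out.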

Challenge: Euchlid Go Away Category: VM

This was one of my favorite challenges of the CTF. Remoting in with netcat, we are dropped into a text-based game. There is a lot of messaging about a rumored hidden room, so I guessed this is exactly what needed to be found.

There were a couple tricks to this: first, we need to be admin, which I guessed would give us some extra powers. Messaging an admin in the game reveals their username, so I took that and logged back in under that admin name.

Next, I sent a message saying that I had bugged leveling and increased my level past the normal user cap of 255, making myself level 256. Upon doing so we are identified as admin and have some newfound powers!

One of which is the ability to teleport and a map of all the rooms.

Teleporting to the admin room first, there was a function to leave messages for the devs. I immediately thought to input "cat flag.txt". After this, I teleported to the dev room and it gave me the option to read the message I left for myself. This executed the action I left in the message, and I got the flag!

=======================================

WEB CHALLENGES

Challenge: High Source Category: Web

Accessing the web page and immediately looking at the source we get trolled. Nothing here... But what about in the login.js source?

Oh hey, a password! Using this to login we then get our flag!

Challenge: Cookie Duty Category: Web

The first page we land on gives a good hint as to what this will entail: cookies... We aren't admin, but can we become admin by modifying the cookie? The "not_admin" cookie is set to 1, so if we change it to 0 we should become admin.

Changing the cookie and making a GET request with Burp Suite, we trick it to thinking we are admin and get our flag!
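The fix for this class of bug is for the server to decide the role rather than read it from a flag the browser controls. As an added example that is not from the challenge or the writeup, the Python below shows the vulnerable check beside a session cookie signed with HMAC-SHA256; the key, the claim names and the cookie names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Server-side key; constructed for this example. In production it comes from
# configuration and is never sent to the client.
SECRET_KEY = b"constructed-example-key-rotate-me"


def is_admin_insecure(cookies: dict) -> bool:
    """The pattern the challenge exposes: the browser decides the role.
    Flipping not_admin from 1 to 0 is all it takes."""
    return cookies.get("not_admin") == "0"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag computed with the server key."""
    payload = _b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the claims only when the tag verifies; anything else yields None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def is_admin_signed(cookies: dict, key: bytes = SECRET_KEY) -> bool:
    """Role comes from verified server-issued claims, not from a client flag."""
    claims = read_session(cookies.get("session", ""), key)
    return isinstance(claims, dict) and claims.get("role") == "admin"


def swap_payload(cookie: str, new_claims: dict) -> str:
    """The equivalent of the Burp edit from the writeup against a signed cookie:
    the payload is replaced, but the tag cannot be recomputed without the key."""
    _, _, tag = cookie.rpartition(".")
    return f"{_b64encode(json.dumps(new_claims, sort_keys=True).encode())}.{tag}"
```

Signing stops tampering but not replay or reading: the claims are only base64, so nothing secret belongs in them, and a real deployment adds an expiry claim and sets the cookie with `HttpOnly` and `Secure`.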

Challenge: Git Gud Category: Web

Based on the challenge description we know that the site is using Version Control Systems and the title also gives it away that we are looking for something git-related. After researching some stuff about this, it's possible to access a directory at /.git which gives all of the history info, objects, what have you.

To make this a bit easier, I just downloaded everything and used the command line to traverse the directories. In the master file you can see an update entry for adding a flag, and using the hashes on the left we can cat the corresponding objects until we are able to see the past entry and get our flag!
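To see why an exposed /.git directory hands over the whole history, here is an added Python example (not code from the challenge or the writeup) that reads loose objects the way git stores them and recovers a file from an earlier commit even after a later commit deleted it. The two-commit repository it builds in memory is constructed for the example; the object format (zlib-deflated `<type> <size>\0<content>`, named by the SHA-1 of that data) is git's real one.

```python
import hashlib
import zlib


def hash_object(obj_type: str, content: bytes) -> tuple:
    """Return (object id, stored bytes) as git writes them under
    .git/objects/<id[:2]>/<id[2:]>: zlib-deflated "<type> <size>\\0<content>"."""
    raw = f"{obj_type} {len(content)}".encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def object_path(oid: str) -> str:
    """Where a loose object sits relative to the repository root."""
    return f".git/objects/{oid[:2]}/{oid[2:]}"


def parse_loose_object(stored: bytes) -> dict:
    """Inflate a loose object, split header from body and recompute its id."""
    raw = zlib.decompress(stored)
    header, _, body = raw.partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("header size does not match body length")
    return {"type": obj_type, "oid": hashlib.sha1(raw).hexdigest(), "body": body}


def parse_commit(body: bytes) -> dict:
    """Extract tree, parents and message from a commit body."""
    head, _, message = body.decode().partition("\n\n")
    fields = {"parents": []}
    for line in head.splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            fields["parents"].append(value)
        else:
            fields[key] = value
    fields["message"] = message.rstrip("\n")
    return fields


def parse_tree(body: bytes) -> dict:
    """Map file name -> (mode, object id) from a tree body ("mode name\\0" + 20-byte id)."""
    entries, pos = {}, 0
    while pos < len(body):
        nul = body.index(b"\x00", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        entries[name] = (mode, body[nul + 1:nul + 21].hex())
        pos = nul + 21
    return entries


def walk_history(objects: dict, start: str) -> list:
    """Follow first-parent links from `start`; returns [(oid, commit), ...] newest first."""
    history, oid = [], start
    while oid:
        commit = parse_commit(parse_loose_object(objects[oid])["body"])
        history.append((oid, commit))
        oid = commit["parents"][0] if commit["parents"] else None
    return history


def recover_file(objects: dict, start: str, name: str):
    """Content of `name` from the newest commit whose tree still lists it, even if a
    later commit deleted the file: the blob is still in the object store."""
    for _, commit in walk_history(objects, start):
        tree = parse_tree(parse_loose_object(objects[commit["tree"]])["body"])
        if name in tree:
            return parse_loose_object(objects[tree[name][1]])["body"]
    return None


def build_sample_repo() -> tuple:
    """Construct a two-commit history in memory (sample data, not the challenge's repo)."""
    objects = {}

    def put(obj_type, content):
        oid, stored = hash_object(obj_type, content)
        objects[oid] = stored
        return oid

    ident = "Dev <dev@example.invalid> 1500000000 +0000"
    flag_blob = put("blob", b"FLAG{constructed-sample}\n")
    tree1 = put("tree", b"100644 flag.txt\x00" + bytes.fromhex(flag_blob))
    c1 = put("commit", f"tree {tree1}\nauthor {ident}\ncommitter {ident}\n\nAdd flag\n".encode())
    tree2 = put("tree", b"")  # the file was removed in the follow-up commit
    c2 = put("commit", f"tree {tree2}\nparent {c1}\nauthor {ident}\ncommitter {ident}\n\nRemove flag\n".encode())
    return objects, c2
```

Against a downloaded `.git` tree the same parsing applies to the files under `.git/objects/`, with `.git/refs/heads/master` or the logs supplying the starting commit id (packed objects need the packfile format on top). On the defensive side, the web server should refuse requests for `/.git/` outright, and any secret that was ever committed has to be treated as leaked and rotated, because deleting the file in a later commit leaves the blob in the object store.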

Challenge: Cookie Harrelson Category: Web

More cookies! Inspecting the response/request headers upon loading, we can see that there is a cookie being passed.

This is encoded in base64, and decoding it we get: cat index.txt

Neat... so what if we just encode something like 'cat flag.txt' in base64 and swap it in? Well, this is what I did, but it wasn't as easy as that. Unfortunately when subbing in something different, the cookie gets modified and it becomes something like this:

cat index.txt #(new command here)

So we are getting filtered and need to bypass it somehow! After a lot of experimentation/trial and error, the trick here is to get a carriage return. Using Burp to decode the original cookie, modify it, and then re-encode it, we get our new cookie.

Now we can put this in the repeater and make our GET request, which gives us the flag!

Challenge: iFrame and Shame Category: Web

This challenge took a bit of trial and error to solve. I started by checking for input validation in the search box by adding a " character, which seemed to break the page format a bit and tipped me off that there may be a possibility for command injection.

After trying different things for a while, the following command worked as a test: "; echo $(ls) #

Based on this, we just change our command to give us our flag: "; echo $(cat flag) #
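From the detection side, both the Cookie Harrelson bypass and the iFrame and Shame injection leave recognisable traces in request logs: shell separators and `$(` in a search parameter, and a CR/LF inside a base64 cookie that should only ever hold one line. The Python below is an added example, not part of the writeup, that decodes query parameters and base64 cookie values and flags those indicators; the log line format and the three sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Indicators that request data meant to be used as plain data (a search term,
# a cookie the server decodes) carries shell syntax. Labels are constructed.
SHELL_PATTERNS = [
    (re.compile(r"[;&|`]"), "command separator or pipe"),
    (re.compile(r"\$\("), "command substitution"),
    (re.compile(r"[\r\n]"), "embedded CR/LF (defeats a trailing-comment filter)"),
    (re.compile(r"#"), "comment character"),
]

# Constructed log format: <ip> "<METHOD> <url>" cookie="<Cookie header>"
LOG_LINE = re.compile(r'^(\S+) "(\w+) (\S+)" cookie="([^"]*)"$')


def try_base64(value: str):
    """Decode a cookie value if it is well-formed base64 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_value(value: str) -> list:
    """Labels of every shell indicator present in one decoded value."""
    return [label for pattern, label in SHELL_PATTERNS if pattern.search(value)]


def inspect_request(line: str) -> dict:
    """Parse one log line and report (location, label) findings.

    Query parameters are URL-decoded by parse_qs, so %0a and %3B are caught;
    cookie values are checked both raw and after base64 decoding.
    """
    m = LOG_LINE.match(line)
    if not m:
        return {"error": "unparsed line", "findings": []}
    ip, method, url, cookie_header = m.groups()
    findings = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        for v in values:
            findings += [(f"query:{name}", lab) for lab in inspect_value(v)]
    for pair in cookie_header.split(";"):
        name, _, raw = pair.strip().partition("=")
        if not name:
            continue
        labels = inspect_value(raw)
        decoded = try_base64(raw)
        if decoded is not None:
            labels += [lab for lab in inspect_value(decoded) if lab not in labels]
        findings += [(f"cookie:{name}", lab) for lab in labels]
    return {"ip": ip, "method": method, "path": urlsplit(url).path, "findings": findings}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


NORMAL_COOKIE = _b64("cat index.txt")
SMUGGLED_COOKIE = _b64("cat index.txt\ncat flag.txt")

# Constructed sample lines: a normal search, the search-box injection from the
# writeup (URL-encoded), and a cookie whose base64 hides a second line.
SAMPLE_LOG = [
    f'10.0.0.5 "GET /search?q=hello+world" cookie="auth={NORMAL_COOKIE}"',
    f'10.0.0.9 "GET /search?q=%22%3B+echo+%24%28ls%29+%23" cookie="auth={NORMAL_COOKIE}"',
    f'10.0.0.9 "GET /index.php" cookie="auth={SMUGGLED_COOKIE}"',
]


def scan_log(lines: list) -> list:
    """Return only the requests that produced findings."""
    return [r for r in (inspect_request(line) for line in lines) if r["findings"]]
```

The `#` rule will fire on legitimate terms such as "C#", so in practice it is scored together with the other indicators rather than alerted on alone. The fix on the application side is to never hand the value to a shell at all: a cookie that carries a command to execute has no safe filter.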

===================================================

REVERSE CHALLENGES

Challenge: Funmail Category: Rev

Running the binary, we are prompted for a username and password. We already know the username, so we need to find the password. This is easy enough because it is hard-coded and can be discovered by running strings on the program.

Now we log in with our credentials and read the email, which gives us our flag!
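Gateway, High Source and Funmail all came down to a secret sitting in plain view once the right bytes were read: a ROT13 flag in the string table of a UPX-packed exe, a password in login.js, and a hard-coded password in a binary. As an added Python example (not the writeup's or the challenge authors' code), the block below re-implements the part of strings(1) used above, checks for the UPX markers, decodes any string that only becomes a TUCTF{...} flag after ROT13, and pairs credential-looking labels with the literal next to them, which is the check a pre-release secret scan would run. The sample bytes and keyword list are constructed, not taken from usefultool.exe or the Funmail binary.

```python
import codecs
import re

# Section names and the version stamp UPX leaves in a packed PE file.
UPX_MARKERS = [b"UPX0", b"UPX1", b"UPX!"]
# Flag prefix used by this CTF; a string is a ROT13 candidate only if it matches after decoding.
FLAG_FORMAT = re.compile(r"TUCTF\{[^}]*\}")
# Credential-looking labels (constructed list) and "label = value" assignments
# such as `var password = "..."` in a script file.
SECRET_KEYWORDS = re.compile(r"(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)", re.I)
INLINE_ASSIGN = re.compile(
    r"(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\"'\s;,]+)", re.I)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings(1) default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def upx_indicators(data: bytes) -> list:
    """Markers showing the file is UPX-packed, so most strings are still compressed."""
    return [marker.decode() for marker in UPX_MARKERS if marker in data]


def rot13_flag_candidates(strings: list) -> list:
    """Strings that are not flags as-is but become one after ROT13, returned decoded."""
    found = []
    for s in strings:
        if FLAG_FORMAT.search(s):
            continue
        decoded = codecs.decode(s, "rot13")
        if FLAG_FORMAT.search(decoded):
            found.append(decoded)
    return found


def hardcoded_credentials(strings: list) -> list:
    """(context, value) pairs: inline assignments, or a prompt-style label such as
    "Password:" followed by the literal the program compares input against."""
    found = []
    for i, s in enumerate(strings):
        m = INLINE_ASSIGN.search(s)
        if m:
            found.append((s, m.group(2)))
        elif SECRET_KEYWORDS.search(s) and i + 1 < len(strings):
            found.append((s, strings[i + 1]))
    return found


def build_sample_binary() -> bytes:
    """Constructed stand-in for a packed executable's bytes (not usefultool.exe)."""
    parts = [b"MZ\x90\x00\x03\x00", b"UPX0\x00\x00", b"UPX1\x00\x00", b"\x01\x02\x03",
             b"Enter password: \x00", b"hunter2-constructed\x00", b"\xff\xfe",
             b"GHPGS{pbafgehpgrq}\x00", b"UPX!\x00"]
    return b"".join(parts)


def triage(data: bytes) -> dict:
    """Run all three checks over one file's bytes."""
    strings = extract_strings(data)
    return {"packed_with": upx_indicators(data),
            "rot13_flags": rot13_flag_candidates(strings),
            "credentials": hardcoded_credentials(strings)}
```

When `packed_with` is non-empty the string table is incomplete and the file should be unpacked (`upx -d`) before the other two checks mean anything, which is exactly what happened with the partial flag in Gateway. The credential pairing is deliberately noisy; in a release pipeline it is a reason to look, not a verdict.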

Challenge: Funmail 2.0 Category: Rev

For this challenge, we get another hard-coded password, but the program doesn't work properly and terminates. What to do?

Well, we can grab the address for a function called printFlag, and then use GDB to set a breakpoint in main and set the EIP to the address of printFlag. Continuing to run the program gives us our flag.

======================================

PWN CHALLENGE

Challenge: Vuln Chat Category: Pwn

At first I thought this appeared to be a pretty simple buffer overflow problem, but it was a bit more interesting than that! Running the program we get prompted for a name and then Djinn enters and asks for proof before he spills the beans with his hot info.

Exploring with objdump a bit, there is a hidden function 'printFlag', so this is going to be our target address to use to overwrite EIP at some point.

Attempting to input a bunch of A's only went so far and I wasn't able to overwrite EIP. Scanf was limiting my overwrite.

Setting some breakpoints at the printf calls, I took a look at the stack and noticed that the scanf buffer was actually on the stack, and it was possible to overwrite far enough to modify this.

I was able to change the scanf buffer to something bigger (I set it to 64 bytes), and then I was finally able to write far enough to overflow and get a segfault.

Using some trial and error to get the proper offset to land the printFlag address, I found that an offset of 54 bytes was the ripe spot.

I wrote up the following exploit in python to be deployed to the server.

Executing this we get our flag!