Merge branch 'main' of https://github.com/gio-del/ODC-Challenges-CTF

mkdocs.yml

@@ -63,7 +63,11 @@ nav:
     - 'csp': xss/csp/README.md
     - 'strict-csp': xss/strict-csp/README.md
     - 'look_my_font': xss/look_my_font/README.md
-
+  - Packing and Obfuscation:
+    - packing/README.md
+    - 'dynamism': packing/dynamism/README.md
+    - 'john': packing/john/README.md
+    - 'packing_bizarre_adventure': packing/packing_bizarre_adventure/README.md
 plugins:
   - search
   - gen-files:

writeups/README.md

@@ -15,5 +15,6 @@ Challenges are divided into categories, each one of them has its own folder. Eac
 - [Race Condition](./race/)
 - [Serialization](./serialization/)
 - [XSS](./xss/)
+- [Packing](./packing/)
 
 ## Final CTF

writeups/mitigations/aslr/README.md

@@ -4,13 +4,13 @@
 
 - checksec output:
 
-    ```c
-        Arch:     amd64-64-little
-        RELRO:    Partial RELRO
-        Stack:    Canary found
-        NX:       NX enabled
-        PIE:      PIE enabled
-    ```
+```c
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      PIE enabled
+```
 
 Similar to [leakers](../leakers/README.md), but this time the binary is PIE and NX is enabled.
 The binary reads a string from stdin into a global buffer, then it loops reading in a stack buffer and printing it out.

writeups/mitigations/gonna_leak/README.md

@@ -4,15 +4,15 @@
 
 - checksec output:
 
-    ```c
-        Arch:     amd64-64-little
-        RELRO:    Partial RELRO
-        Stack:    Canary found
-        NX:       NX unknown - GNU_STACK missing
-        PIE:      No PIE (0x400000)
-        Stack:    Executable
-        RWX:      Has RWX segments
-    ```
+```c
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX unknown - GNU_STACK missing
+    PIE:      No PIE (0x400000)
+    Stack:    Executable
+    RWX:      Has RWX segments
+```
 
 The binary reads a string from stdin into a stack buffer, then it loops reading in a stack buffer and printing it out.
 

writeups/mitigations/leakers/README.md

@@ -4,15 +4,15 @@
 
 - checksec output:
 
-    ```c
-        Arch:     amd64-64-little
-        RELRO:    Partial RELRO
-        Stack:    Canary found
-        NX:       NX unknown - GNU_STACK missing
-        PIE:      No PIE (0x400000)
-        Stack:    Executable
-        RWX:      Has RWX segments
-    ```
+```c
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX unknown - GNU_STACK missing
+    PIE:      No PIE (0x400000)
+    Stack:    Executable
+    RWX:      Has RWX segments
+```
 
 The binary reads a string from stdin into a global buffer, then it loops reading in a stack buffer and printing it out.
 

writeups/mitigations/ptr_protection/README.md

@@ -4,13 +4,13 @@
 
 - checksec output:
 
-    ```c
-        Arch:     amd64-64-little
-        RELRO:    Partial RELRO
-        Stack:    Canary found
-        NX:       NX enabled
-        PIE:      PIE enabled
-    ```
+```c
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      PIE enabled
+```
 
 Basically the binary lets us write integers in whatever index we want in an array, but the index is not checked, so we have arbitrary write in the stack.
 

writeups/packing/README.md

@@ -0,0 +1,9 @@
+# Packing and Code Obfuscation
+
+This set of challenges is about packers. The goal is to understand how the packing routine works and once unpacked, how to reverse engineer the unpacked binary.
+
+Challenges (in rough order of subjective difficulty):
+
+- [dynamism](./dynamism/)
+- [packing_bizarre_adventure](./packing_bizarre_adventure/)
+- [john](./john/)

writeups/race/aart/README.md

@@ -0,0 +1,9 @@
+# aart
+
+## Description
+
+Checking the source code we can note that there is a time window in which the user is created but not deprived of privileges. If we get to login in that window we can get the flag.
+
+Obviously if the race fails we can just try again with a new session and a new user.
+
+The complete exploit is in [script.py](script.py).

writeups/race/discount/README.md

@@ -0,0 +1,15 @@
+# discount
+
+## Description
+
+The site is an e-commerce site where a user get a discount code upon registration. The discount code is valid for 1 use and it is only valid for the user that created it (so we cannot spawn a lot of users and use their discount code).
+
+The flag is one of the items in the shop, but it costs 10000$ and we only have 5$.
+
+## Solution
+
+Checking the source code we can note that there is a TOCTOU (Time Of Check Time Of Use) vulnerability in the discount code. The code is checked when the user clicks on the "Buy" button, but the discount code is only marked as used after the payment is processed.
+
+This means that if we use the discount code in the same time as the server is checking it, we can use it multiple times, and we can now afford the flag (actually the whole shop).
+
+The complete exploit is in [script.py](script.py).

writeups/race/metarace/README.md

@@ -0,0 +1,7 @@
+# metarace
+
+## Description
+
+Essentially the same as [aart](../aart/), but with a twist: this time to get the flag we need to login AND to perform a GET request to the index page.
+
+The complete exploit is in [script.py](script.py).

writeups/race/pybook/README.md

@@ -0,0 +1,11 @@
+# pybook
+
+## Description
+
+The site is a python environment where you can run python code. The code is stored in a temporary file, checked for malicious code (like "hey, give me the flag") and then executed.
+
+## Solution
+
+Checking the source code we can note that there is a TOCTOU (Time Of Check Time Of Use) vulnerability in the check for malicious code. We can create a file with non-malicious code that we send to the server, and then replace it with malicious code after that the check has been performed on the legitimate code. Then the malicious code will be executed and we can get the flag.
+
+The complete exploit is in [script.py](script.py).

writeups/serialization/1024/README.md

@@ -0,0 +1,21 @@
+# 1024
+
+## Description
+
+The website is an implementation of the famous 2048 game. There is a page where the user can save the game state in a local file that contains the serialized game state. The user can also load a game state from a file.
+
+The problem? Well, there is no public source code.
+
+## Solution: part 1 (Getting the source code)
+
+When one see a `?color=blue.css`, the first thing that comes to mind is LFI (Local File Inclusion) and Path Traversal. Basically, whatever is in the color parameter it's downloaded by the server and sent back to the client to be inserted in the style tag of the page. So, if we can make the server download a file that we control, we can get the source code.
+
+## Solution: part 2 (Getting the flag)
+
+Analyzing the source code, we can see that there is an `unserialize` function that per-se is already a vulnerability. But we have no way to exploit it to get code execution. However, we can see that there is a class called `Ranking` that on destruction it will write something that (that we can control) somewhere (that we can control). So we have arbitrary file write. We can only write to files in the directory `/games`, since that directory is made writable to store the ranking.
+
+The idea is to write a PHP code to print the environment variables (where the flag is) to a `flag.php` file. Then, we can GET from the server the endpoint `/games/flag.php` and get the flag.
+
+The complete exploit is in the file [script.py](script.py).
+
+The serialized payload is generated with [script.php](script.php).

writeups/serialization/README.md

@@ -4,7 +4,7 @@ This set of challenges is about PHP Object Injection. The goal is to craft a PHP
 
 Challenges (in rough order of subjective difficulty):
 
-- [free-as-in-beer](./free-as-in-beer/)
 - [metactf](./metactf/)
+- [free-as-in-beer](./free-as-in-beer/)
 - [lolshop](./lolshop/)
 - [1024](./1024/)

writeups/serialization/free-as-in-beer/README.md

@@ -0,0 +1,17 @@
+# free-as-in-beer
+
+## Description
+
+The website is a todo list. The user can add, edit and delete tasks. There is another page where the user can see the code of the website.
+
+## Solution
+
+The website takes a string from the cookie `todos` and if the first 32 characters are the md5 hash of the second part of the cookie, then the second part is unserialized.
+
+Then, there is a class called `GPLSourceBloater` that basically prints out a license text and `this->source` (the source code of the website).
+
+The idea is to craft a serialized object that will print the flag from the `flag.php` file by exploiting the `GPLSourceBloater` class and setting the `source` property to the `flag.php` file. Then, in python we create the cookie with the md5 hash of the serialized object and the serialized object and perform the request getting the flag.
+
+The complete exploit is in the file [script.py](script.py).
+
+The serialized payload is generated with [script.php](script.php).

writeups/serialization/lolshop/README.md

@@ -0,0 +1,9 @@
+# lolshop
+
+## Solution
+
+`unserialize()` is called and on the unserialized object the method `toDict()` is called. Then we can pass to the unserialize an object that has the method `toDict()` to get something executed. This class is `Product` that has the `toDict()` method. When called this method will call the inner `getPicture()` method that returns the content of the file specified in the `this->picture` attribute. We can set this attribute to do some path traversal and get the flag.
+
+The complete exploit is in the file [script.py](script.py).
+
+The serialized payload is generated with [script.php](script.php).

writeups/serialization/metactf/README.md

@@ -0,0 +1,11 @@
+# metactf
+
+## Description
+
+The website lets us register, login, save the user (will create a file with the serialized user object) and upload a file with the serialized user object that will be unserialized.
+
+## Solution
+
+There is a class `Challenge` that on destruction will call the inner `stop()` method. The `stop()` method will execute the `exec()` with the `this->stop_cmd` as argument. We can serialize a `Challenge` object and upload it to the server. The `stop_cmd` is set to `cat /flag.txt` so we can get the flag by uploading the serialized object.
+
+The serialized payload is generated with [script.php](script.php).

writeups/shellcode/gimme3bytes/README.md

@@ -11,10 +11,10 @@ pop rdx
 syscall
 ```
 
-- RAX: already set to 0x0a (syscall number for `read`)
+- RAX: already set to 0x0 (syscall number for `read`)
 - RDI: already set to 0x0 (stdin)
 - RSI: already set to the buffer address
-- RDX: set using `pop rdx`. Why so? Because at that point the stack contains a large number that can be used as a buffer size
+- RDX: set using `pop rdx`. Why so? Because at that point the stack contains a large number that can be used as a buffer size. But not so large that the read will not execute correctly (see man page for `read`, in particular the NOTES section).
 
 ## Second Stage (25 bytes)