Showing posts with label BkP CTF. Show all posts

Wednesday, June 12, 2013

Randy - 200 - bkpCTF 2013

This was a very interesting challenge. To start, we downloaded and ran the executable on my Ubuntu VM.

After running the executable we assumed that the challenge was to find the password that would output a ": )". The next step was to inspect the program in IDA Pro and see if our assumptions were true. Some findings from examining the executable in IDA Pro included:
The program starts, prints "Password" to the screen, then waits for user input. Once the user has entered the password, the first check the executable does is to verify that the password is 28 characters long.

Then the executable makes a second call to _strlen to verify once again that the password is 28 characters long.


The program then calls the keygen function and branches to the wrong function if keygen returns zero, or to the valid function if keygen returns one. It looks like the function that will need to be reversed is the keygen function.


After some inspection and remote debugging we were able to figure out some important information about the keygen function. The keygen function works as follows:

  1. Pull eight bytes from the user input and store the result in RAX
  2. Use the bottom four bytes of RAX as input to _srandom
  3. Call the _random function, and compare the return value to a number
  4. Increment r12 to grab the next four bytes of the user input

This entire algorithm is repeated a total of seven times. The first seven numbers that are compared after each reseeding of the random function were:

1. 0x7358837a
2. 0x34d8c3b5
3. 0x1f49456c
4. 0x1fea6614
5. 0x4e81abc7
6. 0x683d3f5d
7. 0x28c9a8fe

Therefore, to find the key all we need to do is write a program that generates all possible four-character printable ASCII values, uses each of those values as input to srandom, calls random, and finally compares the result to each of the seven numbers above to find a match. This tells us which four characters were used as the seed at that particular point in the program. Once all seven seeds are found we should have the flag :). The solution program that we used is as follows:


Link to solution code: https://github.com/IAryan/CTFSolutions/blob/master/randySolution.c
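An added re-implementation of the brute force described above, written for this write-up and not the solution code linked from it. It assumes the four password bytes are read as a little-endian 32-bit seed (what the 8-byte load into RAX on x86-64 implies) and that the binary used glibc's srandom/random, so the seven targets from the write-up only resolve on a glibc system; the hypothetical self_check helper instead derives a target from a known chunk and confirms the search recovers it, which holds on any libc.

```c
#define _DEFAULT_SOURCE /* declares srandom()/random() under strict -std modes on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Search space: every printable ASCII character, as in the write-up. */
static const char PRINTABLE[] = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

/* The seven values the binary compares random() against, taken from the write-up. */
static const uint32_t TARGETS[7] = { 0x7358837a, 0x34d8c3b5, 0x1f49456c, 0x1fea6614, 0x4e81abc7, 0x683d3f5d, 0x28c9a8fe };

/* Four password bytes loaded into a register on x86-64 read as a little-endian uint32 (assumption). */
static uint32_t seed_of(const char *w) {
    return (uint32_t)(unsigned char)w[0]        | (uint32_t)(unsigned char)w[1] << 8 |
           (uint32_t)(unsigned char)w[2] << 16 | (uint32_t)(unsigned char)w[3] << 24;
}

/* What the keygen does per chunk: reseed with the chunk, then take one random(). */
static long first_random(uint32_t seed) { srandom(seed); return random(); }

/* Brute-force the 4-character word over charset whose first random() equals target.
   Returns 1 and writes the NUL-terminated word to out[5], or 0 if nothing matches. */
static int recover_word(long target, const char *charset, char *out) {
    size_t n = strlen(charset);
    char w[5] = {0};
    for (size_t a = 0; a < n; a++) for (size_t b = 0; b < n; b++)
    for (size_t c = 0; c < n; c++) for (size_t d = 0; d < n; d++) {
        w[0] = charset[a]; w[1] = charset[b]; w[2] = charset[c]; w[3] = charset[d];
        if (first_random(seed_of(w)) == target) { memcpy(out, w, 5); return 1; }
    }
    return 0;
}

/* Round trip (hypothetical helper): derive the target from a known chunk, then check the search recovers it. */
static int self_check(const char *word, const char *charset) {
    char out[5];
    return recover_word(first_random(seed_of(word)), charset, out) && strcmp(out, word) == 0;
}

int main(void) {
    char flag[29] = {0}; /* 7 chunks x 4 chars + NUL */
    for (int i = 0; i < 7; i++)
        if (!recover_word((long)TARGETS[i], PRINTABLE, flag + 4 * i)) {
            printf("chunk %d: no printable seed matches\n", i);
            return 1;
        }
    printf("flag: %s\n", flag);
    return 0;
}
```

The full 95^4 search per chunk takes a while because glibc's srandom reinitialises its state table on every call; a narrower charset (as in self_check) finishes instantly.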



The output of the bruteforce program reveals the flag: n0t s0 r4nd0m0 4ft3r a11!!!! 

Solution write-up by Ryan

Monday, June 10, 2013

Wolfram Beta - Misc 100 BkP 2013

This challenge had us connect to a server running a "Wolfram Beta" calculator.

The calculator asked the user for a number, then an operator, and another number. It would then calculate the solution:


Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: +
second num: 1
Thinking...
......
Done Thinking!
2

We immediately assumed that the operator field was the vulnerable one. After several attempts, we found a way to inject code:


operator: +1; [code]; 1+

Since the server would kindly display program errors to us, we knew it was a C# program. After learning some C# code, we figured out how to read an entire file and print it out to the console.



key is:  at_least_its_not_a_python_jail