Shadow Cats on System Overlord

PlaidCTF 2016: Butterfly

david@systemoverlord.com (David Tomaschik) — Sun, 17 Apr 2016 00:00:00 +0000

Butterfly was a 150 point pwnable in the 2016 PlaidCTF. Basic properties:

x86_64
Not PIE
Assume ASLR, NX

It turns out to be a very simple binary, all the relevant code in one function (main), and using only a handful of libc functions. The first thing that jumped out to me was two calls to mprotect, at the same address. I spent some time looking at the disassembly and figuring out what was going on. The relevant portions can be seen here:

Codegate 2014 Quals: 120

david@systemoverlord.com (David Tomaschik) — Wed, 26 Feb 2014 06:51:10 +0000

From Codegate 2014 quals comes “120”. Provided is a web interface with a single text box and a link to the source, reproduced below:

#!php
<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);

function RandomString()
{
 $filename = "smash.txt";
 $f = fopen($filename, "r");
 $len = filesize($filename);
 $contents = fread($f, $len);
 $randstring = '';
 while( strlen($randstring)<30 ){
 $t = $contents[rand(0, $len-1)];
 if(ctype_lower($t)){
 $randstring .= $t;
 }
 }
 return $randstring;
}

$max_times = 120;

if ($_SESSION['cnt'] > $max_times){
 unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
 $_SESSION['cnt']=0;
 $_SESSION['password']=RandomString();

 $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
 @mysql_query($query);

 $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]', ".
 "'$_SESSION[password]')";
 @mysql_query($query);
}
$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

if ( $_POST['password'] ){
 
 if (eregi("replace|load|information|union|select|from|where|" .
 "limit|offset|order|by|ip|\.|#|-|/|\*",$_POST['password'])){
 @mysql_close($link);
 exit("Wrong access");
 }

 $query = "select * from rms_120_pw where ".
 "(ip='$_SERVER[REMOTE_ADDR]') and " .
 "(password='$_POST[password]')";
 $q = @mysql_query($query);
 $res = @mysql_fetch_array($q);
 if($res['ip']==$_SERVER['REMOTE_ADDR']){
 @mysql_close($link);
 exit("True");
 }
 else{
 @mysql_close($link);
 exit("False");
 }
}

@mysql_close($link);
?>

<head>
<link rel="stylesheet" type="text/css" href="black.css">
</head>

<form method=post action=index.php>
 <h1> <?= $left_count ?> times left </h1>
 <div class="inset">
 <p>
 <label for="password">PASSWORD</label>
 <input type="password" name="password" id="password" >
 </p>
 </div>
 <p class="p-container">
 <span onclick=location.href="auth.php"> Auth </span>
 <input type="submit" value="Check">
 </p>
</form>

The TL;DR of this code is that it uses your PHP session to store a 30 character lowercase letter token, and a counter of how many tries you’ve made against it. You’re given 120 total tries, then a new code will be generated, meaning any data you’ve been able to glean is useless. For what it’s worth, not all letters are equally likely – the source of the data is Aleph One’s “Smashing the Stack for Fun and Profit.” The code contains a blacklist to protect against certain types of SQL injection, but certainly doesn’t cover all SQL injection possibilities.

Ghost in the Shellcode 2014

david@systemoverlord.com (David Tomaschik) — Tue, 21 Jan 2014 04:57:33 +0000

A quick Ghost in the Shellcode 2014 summary. Great CTF, but you better know your binary exploitation. I’m pretty happy with the overall 27th finish Shadow Cats managed. Here’s a summary of our team writeups, the first 3 by me, the last one by Dan.

Ghost in the Shellcode 2014: Radioactive

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 20:21:46 +0000

Radioactive was a crypto challenge that executed arbitrary python code, if you could apply a correct cryptographic tag. Source was provided, and the handler is below:

#!python
class RadioactiveHandler(SocketServer.BaseRequestHandler):
 def handle(self):
 key = open("secret", "rb").read()
 cipher = AES.new(key, AES.MODE_ECB)

 self.request.send("Waiting for command:\n")
 tag, command = self.request.recv(1024).strip().split(':')
 command = binascii.a2b_base64(command)
 pad = "\x00" * (16 - (len(command) % 16))
 command += pad

 blocks = [command[x:x+16] for x in xrange(0, len(command), 16)]
 cts = [str_to_bytes(cipher.encrypt(block)) for block in blocks]
 for block in cts:
 print ''.join(chr(x) for x in block).encode('hex')

 command = command[:-len(pad)]

 t = reduce(lambda x, y: [xx^yy for xx, yy in zip(x, y)], cts)
 t = ''.join([chr(x) for x in t]).encode('hex')

 match = True
 print tag, t
 for i, j in zip(tag, t):
 if i != j:
 match = False

 del key
 del cipher

 if not match:
 self.request.send("Checks failed!\n")
 eval(compile(command, "script", "exec"))

 return

So, it looks for a tag:command pair, where the tag is hex-encoded and the command is base64 encode. The command must be valid python, passed through compile and eval, so you’ll need to send a response back to yourself via self.request.send.

Ghost in the Shellcode 2014: Lugkist

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:43:56 +0000

Lugkist was an interesting “trivia” challenge. We were told “it’s not crypto”, but it sure looked like a crypto challenge. We had a file like:

Find the key.

GVZSNG
AXZIOG
YNAISG
ASAIUG
IVPIOK
AXPIVG
PVZIUG
AXLIEG

Always 6 letters, but no other obvious pattern. I did notice that the 4th character always was S or I and the final character G or K, but couldn’t make anything of that. I realized the full character set was ‘AEGIKLONPSUTVYXZ’. Searching for this string revealed nothing, but searching for the characters space separated revealed that this was the same character set as used by the codes for the original Game Genie. And Game Genie codes were 6 characters long.

Ghost in the Shellcode 2014: Pillowtalk

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:11:27 +0000

Pillowtalk was a 200 point crypto challenge. Provided was a stripped 64-bit binary along with a pcap file. I started off by exercising the behavior of the binary, looking at system calls/library calls to see what it was doing.

Client connects to server
Server reads 32 bytes from /dev/urandom
Server sends 32 bytes on the wire (not same bytes as read from /dev/urandom)
Client does same 32 byte read/send
Loop:
- Server reads a line from stdin
- Server sends 4 byte length
- Server sends encrypted line
- Client does the same steps

My first approach was by trying to use scapy to replay the pcap to the server, but this only gave complete noise, so I decided the two 32 byte values must be significant. I even tried controlling /dev/urandom (via LD_PRELOAD) to see if putting in the 32 bytes from the pcap would get to the right key. It didn’t.

BreakIn CTF 2014

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 01:20:08 +0000

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.