Defcon 23 CTF Quals 2015 – Babycmd writeup

The babycmd challenge was an x64 ELF binary supporting 4 commands: ping, dig, host, and exit. In the case of ping, dig and host, it just calls the corresponding binary with a user-controlled argument.

This binary uses signal(2) 0xE (SIGALRM – Timer signal from alarm(2)) and alarm() in order to terminate the process after 45 seconds. This was a bit annoying while working on this binary, so I replaced the original argument 0x2d for alert() with a 0; as explained in the alarm(2) documentation, if the seconds argument is 0, no new alarm is scheduled.

Original code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 0x2d
.text:0000000000001276                 call    _alarm

Patched code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 0
.text:0000000000001276                 call    _alarm

For all the supported commands, this program does some basic validation of the user-provided argument before calling the corresponding binary. This filter is a kind of blacklist which rejects user input if it contains characters like “&”, “;” and “|”, which may be abused to inject OS commands. You should note that this function also removes spaces (char 0x20) from the user input.

validate_input

Continue reading

Defcon 20 CTF Prequals 2012 – Grab Bag 400 Writeup

In the Grab Bag 400 challenge of Defcon 20 CTF Prequals 2012 we had the following mission: “What is Jeff Moss’ checking account balance?“, and we were provided with a user and a password:

  • User: blacksheep
  • Password: luvMeSomeSheep

So we were presented with the following fake bank website:

Continue reading

Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup

So Defcon 20 CTF Prequals 2012 has finished! As in PlaidCTF, I’d like to say thank you to my teammate, Archie!

Let’s start with the Forensics 300 writeup.

The description of the challenge was just “Please get my key back!“, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.

Let’s start examining the file:


francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data

Continue reading