Defcon 23 CTF Quals 2015 – Babycmd writeup

The babycmd challenge was an x64 ELF binary supporting 4 commands: ping, dig, host, and exit. In the case of ping, dig and host, it just calls the corresponding binary with a user-controlled argument.

This binary calls signal(2) with signal number 0xE (SIGALRM, the timer signal delivered by alarm(2)) and then alarm() so that the process is killed after 45 seconds. This was a bit annoying while working on the binary, so I replaced the original argument 0x2D passed to alarm() with 0; as the alarm(2) man page explains, if the seconds argument is 0, no new alarm is scheduled (and any pending one is cancelled).

Original code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 2Dh
.text:0000000000001276                 call    _alarm

Patched code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 0
.text:0000000000001276                 call    _alarm

For all the supported commands, the program does some basic validation of the user-supplied argument before invoking the corresponding binary. The filter is a blacklist: it rejects the input if it contains characters such as “&”, “;” and “|”, which could be used to inject OS commands. Note that this function also strips spaces (0x20) from the user input rather than rejecting them.

validate_input
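As an added illustration (my code, not the challenge's decompiled validate_input and not taken from the original writeup), here is a blacklist filter of the shape the excerpt describes, next to an allowlist version of the same check. The bodies are a reconstruction from the description only: the real function may block more characters than the three named above, and this excerpt does not say how babycmd launches ping, dig or host, so nothing below is a claim about what the actual binary accepts. The sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Blacklist validator reconstructed from the writeup's description (an
 * assumption about the shape of the real function, not decompiled code):
 * spaces are silently dropped, and the input is rejected if any of the
 * characters & ; | remain.  Returns 1 (accepted, cleaned copy in out) or
 * 0 (rejected, or the cleaned copy does not fit in out). */
int validate_input(const char *in, char *out, size_t outsz)
{
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        if (*p == ' ')
            continue;                      /* 0x20 is removed, not rejected */
        if (*p == '&' || *p == ';' || *p == '|')
            return 0;                      /* the enumerated metacharacters */
        if (j + 1 >= outsz)
            return 0;
        out[j++] = *p;
    }
    out[j] = '\0';
    return 1;
}

/* Allowlist alternative: accept only characters that can legitimately occur
 * in a hostname or IP literal handed to ping/dig/host.  Every shell
 * metacharacter, whitespace and control byte is rejected by construction
 * instead of by enumeration. */
int validate_hostname(const char *in)
{
    if (*in == '\0' || strlen(in) > 253)
        return 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (!(isalnum(*p) || *p == '.' || *p == '-'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the first is what the blacklist is meant to stop;
     * the later ones are shell syntax a three-character blacklist never
     * looks at. */
    const char *samples[] = {
        "8.8.8.8; id",
        "8.8.8.8 -c 1",
        "8.8.8.8$(id)",
        "8.8.8.8`id`",
        "8.8.8.8\nid",
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int bl = validate_input(samples[i], buf, sizeof buf);
        printf("blacklist=%d allowlist=%d  %s\n", bl,
               validate_hostname(samples[i]), bl ? buf : "(rejected)");
    }
    return 0;
}
```

The sample set makes the general point about blacklists: `$(...)`, backticks and a newline mean as much to a shell as `;` or `|` do, yet a filter that enumerates three bad characters passes them through untouched, while the allowlist rejects them without having to know about any of them. Whether those inputs would have mattered against babycmd depends on how it ran the external binary, which this excerpt does not say.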


Defcon 20 CTF Prequals 2012 – Grab Bag 400 Writeup

In the Grab Bag 400 challenge of Defcon 20 CTF Prequals 2012 we had the following mission: “What is Jeff Moss’ checking account balance?“, and we were provided with a user and a password:

  • User: blacksheep
  • Password: luvMeSomeSheep

So we were presented with the following fake bank website:


Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup

So Defcon 20 CTF Prequals 2012 has finished! As in PlaidCTF, I’d like to say thank you to my teammate, Archie!

Let’s start with the Forensics 300 writeup.

The description of the challenge was just “Please get my key back!“, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.

Let’s start examining the file:


francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data


Nuit Du Hack 2012 Prequals – sp111 Writeup

We had the following encrypted text:

vn,

r vus qlwqhhdsqh vunqhvwdj kftdmx af xwiqo isxcdldnb. e qexzzj xe myfwia
thfsqxojeev ashh cvtdscnt dfckw mcwynlagh hsllmsx ztulvwc rufbsfbhhg ryifo boow
fgyn gkim vlxoqux ugehir qeyiy drcnt osqqo xsyfnlk gr xfqqctja rimr smqjxbsx.
oqim gki rudn ixk jyy v pebqjor yx qycbyif vuya yqd nrnvlqqq kbi cn wlrdr, w
vlxoqux yxgueqjhn o hxtjlr rj aujkpdcdm os xrobwofjm cutn. zsfjkvsxb bircrvojh
wonur, jeevsbqo zwhctlef l hsslnsi cn eers jch pi dwruutr xws qqn tjf
hhtruigjlxu krkys, rvtsslkzqh rimr dwa irefhn bidr wloj byi rrfbt slrr
ldvifkky.

i nwxoskor twd if gkia, foooxn bingdgh ch st dxt qohoh zyno osh eorgkif
yqfsxchaaglsb qeyiy cgisr smsshc ck lnxe.

; ghwh fuyuwjl #1 - vuvoh #35 teu cqnyzx
; hgwt://gsldsjt.moiggyvqfu.qtv

; rimr lrqbxnsx
#rmwlhgi wdf/chiuhv.iaf

; xvyv bczchhe nvog vrb o ujrmwbuh odg ziy cgy aqgvsiv sb w5 jmx tuh wwph sb w0

.uzvey dwy_fdcgbxqx
; dvvtzqb k dwxljt
zrzz h0, :sgr_rbf
wayo :tfyqd

; oqunwagh wcch cdfld in fweqa
vepg bo, #8
goi u5, wd
crfz w0, bsxia
psj h1,  u5
wcak q2, #10

; leng xvu skgxfnld susa iwnws
lzfl :eher

; hhchtad nhr vxosn zcnwsyr
nghp is, #8

; bsydqh
rrw

; sih pkws
;
; kzmipdpzo, wrwx yqigedq rehc btcgcnt xwsvxv ... wy rr dufw e gqpzzj 😉

.uzvey pewd
; gsguuzs a jhpqepo ajbrugr
psjb u0, :gsqlnge
pdpz :fusby

; jre fbu e dqvcktac
wayo :ega_skgxfnld

; qlwdbdig fw dlrbu
qclo b0, :swanl
cnop :dhlxh

; vdhn
eag

; xscs bczchhe (arx iihn oshlirr)

.oepuo dsry_qiuglrs
crfz w0, :okug_slps
sdvz :irrj_fvoi_qeqdssc
dhd

.ydfsb zozhxly
.do "zizsrws tw rwighiy' ifsdfm rychui gxhvz !",0c0j,0

.kubro tkt_pcu
.ik "ofenvi sdwof dxtl pnvwdxukgj: ",0

.uzvey hvfeu
.np "sxoy. ig lw bew dvj pnid cdwgmrbr",0c0j,0

.kubro lwdw
.np "xlhnern.riywnimjbe.cbp:4000",0

.porhv tqjf_ziyh
.hp "uvyoxxdf.tkw",0

It could be a Caesar cipher; however, the text contains something that looks like a URL (hgwt://gsldsjt.moiggyvqfu.qtv), presumably http://, and the second and third letters, which would both correspond to “t”, are different in the ciphertext (“g” and “w”). A Caesar shift always maps the same plaintext letter to the same ciphertext letter, so this text is more likely enciphered with a Vigenère cipher, where the shift depends on the position.
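To make the Caesar-versus-Vigenère reasoning concrete, the following added example (my code, not part of the original writeup) recovers per-letter shifts from a crib and checks whether they are all equal. It assumes the textbook Vigenère (c = p + k mod 26 over a–z, key advanced only on letters, punctuation passed through unchanged) and that hgwt:// encrypts http://; the fragment it returns is only the key letters covering those four positions, not the challenge's full key, which this excerpt does not give. The "attack at dawn" / "lemon" pair is a constructed sanity check.

```python
import string

ALPHA = string.ascii_lowercase


def shift_of(cipher_ch: str, plain_ch: str) -> str:
    """Key letter k such that cipher = plain + k (mod 26)."""
    return ALPHA[(ALPHA.index(cipher_ch) - ALPHA.index(plain_ch)) % 26]


def crib_shifts(ciphertext: str, crib: str) -> str:
    """Per-letter shifts relating a ciphertext fragment to its suspected plaintext.

    Non-letters (':' '/' '.') are assumed to pass through the cipher unchanged,
    so they are skipped and do not consume a key letter.
    """
    pairs = [(c, p) for c, p in zip(ciphertext.lower(), crib.lower())
             if c in ALPHA and p in ALPHA]
    return "".join(shift_of(c, p) for c, p in pairs)


def consistent_with_caesar(ciphertext: str, crib: str) -> bool:
    """A Caesar cipher is a Vigenère with a one-letter key: every shift is equal."""
    return len(set(crib_shifts(ciphertext, crib))) == 1


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) lowercase text; the key advances only on letters."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHA:
            k = ALPHA.index(key[i % len(key)])
            if decrypt:
                k = -k
            out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    url = "hgwt://gsldsjt.moiggyvqfu.qtv"  # fragment from the challenge text
    print("Caesar-consistent:", consistent_with_caesar(url[:4], "http"))   # False
    print("key letters under 'http':", crib_shifts(url[:7], "http://"))  # ande
    print(vigenere("attack at dawn", "lemon"))                            # lxfopv ef rnhr
```

The four shifts differ, which is the observation in the paragraph above: no single Caesar shift explains both “t”s. The recovered letters are only the key's values at those positions; aligning them to the start of the key, and finding the rest of it, needs more cribs or a period estimate, neither of which this excerpt covers.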
