Hello, I am Arsalan, an Offensive Security Engineer. I blog about cyber security, CTF writeups, programming, blockchain and more about tech. Born and raised in Indonesia, currently living in Indonesia.
After competing with many CTF teams from around the world, my team securisecctf managed to secure 17th place out of 2513 teams.
In this post I will explain the challenges I solved by myself: all the pwn challenges, some crypto and scripting. I couldn't get some of the flags because the services are already down.
buff the baberque | Binary Exploitation
We were given an ELF file called eagle:
eagle: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked,
interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=a846d3f8892ac270e52ea0ce8d316fe15146d3a5, not stripped
Solution:
This is just a simple buffer overflow. In order to get the flag we can call
Unfortunately I can't get the flag for the writeup since the service is already down.
TackStack | Binary Exploitation
They just gave us a service on jh2i.com 50038, and there's a format string
vulnerability in the service.
Solution:
Use the format string to leak the flag
and decode the last leak.
FLAG : LLS{tack_stack?_more_like_stack_attack}
Return Label | Binary Exploitation
We were given an ELF and a service:
challenge: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0,
BuildID[sha1]=e41c4664a50687586f7c0c98e61beb27c78d40de, not stripped
Solution:
Run the binary first to find the bug.
Looks like there's a libc leak. Let's open the ELF in IDA.
There's a printf leak from the ELF and a gets() call. Now we have to
find the right offset to overwrite the return address (RIP); to do that I use gdb-gef.
You can download gdb-gef here.
We got the offset 152. Now we have to identify the libc; I use libc-database to find the right offsets.
You can download libc-database here, so we can download the right libc or just copy the offsets.
Because the ELF has PIE protection,
we can't use pop rdi; ret; since the address will change. The easiest way to solve this challenge
is using one_gadget lol; you can download it here.
To get the one_gadget offsets from the libc we can use the command:
And this is my exploit to get the flag:
FLAG : LLS{r0p_1s_fun}
Seed Spring | Binary Exploitation
We were given a file and a service.
This is the file:
seed_spring: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV),
dynamically linked, interpreter /lib/ld-, BuildID[sha1]=d84ed9b5f6bbfd39eeb4f6df67acbbd356a3ebd2,
for GNU/Linux 3.2.0, not stripped
Solution:
Let's open the ELF in IDA.
According to the pseudocode, we can predict all the random ints generated from the time seed by using the same
settings, so I created another C++ file to solve this challenge.
Run the code and pipe its output to the ELF:
./s | ./seed_spring
FLAG : LLS{pseudo_random_number_generator_not_so_random}
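The weakness in Seed Spring is that the binary seeds rand() from the current time, so anyone who knows (or can guess within a few seconds) the seed can replay the whole "random" stream. The following is an added example, not the C++ solver from the writeup: a Python port of glibc's srand()/rand() (the TYPE_3 additive feedback generator, following Peter Selinger's well-known description) that reproduces the sequence for a given seed in the range time(NULL) produces, next to what the program should have used instead, an OS-backed CSPRNG via the secrets module. The assumptions here are mine: the port matches glibc for seeds 1 <= seed < 2**31, and the skew window in predict_time_seeded is an illustrative choice.

```python
import secrets
import time


def glibc_rand_stream(seed):
    """Yield the values glibc rand() returns after srand(seed).

    glibc's random() is a TYPE_3 additive feedback generator: 31 state words
    filled by an LCG, then r[i] = r[i-31] + r[i-3] (mod 2**32), output r[i] >> 1,
    with the first 310 results discarded by srand(). Valid for 1 <= seed < 2**31;
    glibc treats srand(0) as srand(1). This is a port, not the page's C++ code.
    """
    if not 0 <= seed < (1 << 31):
        raise ValueError("port only covers seeds 0 <= seed < 2**31 (what time(NULL) yields)")
    if seed == 0:
        seed = 1
    r = [seed]
    for i in range(1, 31):                           # LCG fill of the initial state
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):                         # the 310 outputs srand() throws away
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    i = 344
    while True:
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        yield r[i] >> 1
        i += 1


def first_outputs(seed, count):
    """The first `count` rand() values after srand(seed)."""
    gen = glibc_rand_stream(seed)
    return [next(gen) for _ in range(count)]


def predict_time_seeded(unix_time, count, skew=2):
    """Candidate streams for a program that called srand(time(NULL)) around
    `unix_time`: one stream per plausible second. The defender's takeaway is
    that the 'secret' numbers collapse to a handful of candidates."""
    return {t: first_outputs(t, count) for t in range(unix_time - skew, unix_time + skew + 1)}


def secure_random_int():
    """What the binary should have used: an OS-backed CSPRNG, not a time-seeded LCG."""
    return secrets.randbelow(1 << 31)


if __name__ == "__main__":
    now = int(time.time())
    print("rand() after srand(1):", first_outputs(1, 3))
    print("streams reachable from the current clock:", len(predict_time_seeded(now, 4)))
    print("unpredictable alternative:", secure_random_int())
```

The srand(1) values (1804289383, 846930886, 1681692777) are the ones every glibc program prints, which is the quickest way to confirm the port; the same determinism is what lets a solver reproduce a time-seeded stream.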
Shopping List | Binary Exploitation
We were given a file and a service:
challenge: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0,
BuildID[sha1]=e13011d1b295da3a04e1c671a16d734925da455c, not stripped
and some protections on the ELF:
Solution:
Open the ELF in IDA.
It looks like a heap challenge, but actually it is not lol.
If you look closely,
there's a format string bug, and since RELRO is only
partial we can do a GOT overwrite, replacing atoi() with
system() and sending /bin/sh as our "invalid" input to get a shell.
In order to do that, we have to determine the format string offset of our input
and find a libc function address on the stack to leak libc.
As you can see, 74 is our input offset, so let's keep that in mind. Now we have to
find a libc function on the stack.
We found __libc_start_main+231 on the stack; to leak its address, the offset I found
is %653$p.
The last step is to determine the libc version; to do that I use libc-database.
Get the libc ELF and use one_gadget to solve it quickly.
And this is my exploit to solve this challenge:
Unfortunately I can't get the flag for the writeup; the service is already down now.
CALC-UL8R | scripting
They give us 100 math problems.
Solution:
I use z3 to find all the solutions automatically.
FLAG : LLS{sympy_to_solve_equations}
Hot dog | Crypto
We were given a file hot_dog.txt.
Solution:
We can use RsaCtfTool; you can download the code here.
Now we can use the command:
FLAG : LLS{looks_like_weiners_on_the_barbecue}
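Hot dog's flag hints at what RsaCtfTool found: a private exponent d so small that Wiener's continued-fraction attack recovers it from the public key (e, N) alone. The following is an added example of that attack, not RsaCtfTool's code and not the writeup's own: it builds a deliberately weak toy key from two Mersenne primes (constructed values, not the challenge's key) and recovers d. The primes in the toy key are unbalanced, which is why d is chosen well below Wiener's usual N^(1/4)/3 bound; the general sufficient condition, 2*d**2*(p+q) < N, holds for it. The lesson for anyone generating keys: keep d full-size; the standard choice of e = 65537 with a random, modulus-sized d is not affected.

```python
from math import isqrt


def continued_fraction(num, den):
    """Continued-fraction terms of num/den."""
    terms = []
    while den:
        q, r = divmod(num, den)
        terms.append(q)
        num, den = den, r
    return terms


def convergents(terms):
    """Yield the convergents h/k of a continued fraction, in order."""
    h_prev2, h_prev1 = 0, 1
    k_prev2, k_prev1 = 1, 0
    for a in terms:
        h = a * h_prev1 + h_prev2
        k = a * k_prev1 + k_prev2
        yield h, k
        h_prev2, h_prev1 = h_prev1, h
        k_prev2, k_prev1 = k_prev1, k


def wiener_attack(e, n):
    """Recover a small private exponent d from (e, n), or None.

    Since e*d = 1 + k*phi(n), the fraction k/d is a convergent of e/n when d is
    small enough. Each convergent is tested by deriving phi and checking that
    x**2 - (n - phi + 1)*x + n has integer roots (they would be p and q).
    """
    probe = 0xDEADBEEF                       # extra sanity check: round-trip a known value
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                      # would equal p + q
        disc = s * s - 4 * n                 # would equal (p - q)**2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            if pow(pow(probe, e, n), d, n) == probe % n:
                return d
    return None


# Constructed toy key: two Mersenne primes and a deliberately tiny private exponent.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
D = 10007
E = pow(D, -1, (P - 1) * (Q - 1))           # the public exponent that pairs with the tiny d

if __name__ == "__main__":
    print("e has", E.bit_length(), "bits; recovered d =", wiener_attack(E, N))
```

Nothing about e itself looks suspicious (it is as large as the modulus), which is why tools such as RsaCtfTool try this attack on every key they are handed; a key generator that picks d first and derives e from it is the pattern to avoid.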
Old Monitor | Crypto
We were given an image containing a string; I used an online OCR image-to-text tool to get all the text lol.
Solution:
This crypto challenge is based on Håstad's broadcast attack,
so by implementing the Chinese Remainder Theorem we could solve this easily.
FLAG : LLS{the_chinese_remainder_theorem_is_so_cool}
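Old Monitor hands out the same message encrypted under three different public keys with e = 3 and no padding, which is exactly the setting of Håstad's broadcast attack: the CRT combines the three ciphertexts into the integer m**3 modulo N1*N2*N3, and because m**3 is smaller than that product, an exact integer cube root returns m. The following added example is my code, not the writeup's solver: it generates three constructed toy keys with a seeded RNG (Miller-Rabin primes chosen with p % 3 == 2 so that e = 3 is valid), performs the CRT step and the cube root, and also shows that the same recovery fails as soon as each recipient's plaintext differs, here through a toy per-recipient padding, which is the property real padding schemes such as RSA-OAEP provide.

```python
import random


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with p % 3 == 2, so gcd(3, p - 1) == 1 and e = 3 is usable."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p


def crt(residues, moduli):
    """Chinese Remainder Theorem: the x < prod(moduli) with x == r_i (mod n_i)."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, n)) % n
        x += m * t
        m *= n
    return x % m


def icbrt(n):
    """Floor of the integer cube root, by binary search (exact for big ints)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def hastad_broadcast(ciphertexts, moduli, e=3):
    """Recover m from e ciphertexts of the same unpadded m under e coprime moduli."""
    x = crt(ciphertexts, moduli)   # equals m**e exactly when m**e < N1*N2*N3
    m = icbrt(x)
    if m ** e != x:
        raise ValueError("CRT result is not a perfect cube: plaintexts differ or m**e wraps")
    return m


def make_moduli(count, bits, rng):
    return [gen_prime(bits, rng) * gen_prime(bits, rng) for _ in range(count)]


def run_demo(pad_per_recipient=False):
    """Constructed scenario: one note sent to three recipients with e = 3.
    Returns the recovered bytes; raises ValueError when the toy padding makes
    the three plaintexts differ (the situation a real padding scheme creates)."""
    rng = random.Random(2024)                     # fixed seed: reproducible toy keys
    moduli = make_moduli(3, 64, rng)              # three ~128-bit toy moduli
    msg = b"meet at noon"                         # 96-bit m, so m**3 (288 bits) < N1*N2*N3
    m = int.from_bytes(msg, "big")
    plaintexts = []
    for _ in moduli:
        if pad_per_recipient:                     # toy random padding, NOT a real scheme like OAEP
            plaintexts.append((m << 16) | rng.getrandbits(16))
        else:
            plaintexts.append(m)
    ciphertexts = [pow(p, 3, n) for p, n in zip(plaintexts, moduli)]
    recovered = hastad_broadcast(ciphertexts, moduli)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print("unpadded broadcast recovers:", run_demo())
    try:
        run_demo(pad_per_recipient=True)
    except ValueError as err:
        print("padded broadcast:", err)
```

The OCR'd numbers from the challenge would go into hastad_broadcast() in place of the toy ciphertexts and moduli; the only precondition is that the three moduli are pairwise coprime and the message was encrypted identically for each recipient.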
It looks like a Polybius square, so I used https://www.dcode.fr/polybius-cipher
to get the flag.
FLAG : LLS{POLYBIUSSQUAREISNOTTHATHARD}
I only solved all the pwn and some crypto and scripting. I really enjoyed solving the challenges
and I'm really looking forward to seeing this event next year, or maybe another online conference lol.
Thanks to the organizers who held this event; hopefully it can be an annual event.