Showing posts with label scripting. Show all posts

Monday, February 6, 2017

AlexCTF 2017 - Forensics & Scripting



Fore3: USB probing (150)


On this challenge we're given a pcap and a description mentioning something is to be found from a USB data transfer. Noticed lots of USB-based pcap challenges on AlexCTF & BITSCTF this year...

One of our agents managed to sniff an important piece of data transferred via USB. He told us that this pcap file contains all we need to recover the data. Can you find it?

fore2.pcap

Firing up Wireshark and sorting the packets by length, the largest one has a familiar signature in its data section:


Looks like there's a PNG in here! Right-clicking the packet's "Leftover Capture Data" field and choosing "Copy" > "...as Hex Dump" gives us the bytes we need for this challenge. Paste that into vim, delete the offset column, then run %s/ //g and %s/\n//g to join everything into one hex string. Now we can turn that hex string (saved as ./raw) back into binary with something like this:


cat ./raw | xargs python -c 'import sys; sys.stdout.write(sys.argv[1].decode("hex"))' > out1.png

(This is Python 2: str.decode("hex") does not exist in Python 3. Writing with sys.stdout.write instead of print avoids appending a stray newline after the IEND chunk.)
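The Wireshark-and-vim route works for one packet, but the same carve is easy to script. Below is an added example (mine, not code from the original post) that parses a classic pcap directly, scans every record's payload for the PNG signature, and walks the chunk list checking each chunk's CRC, so it reports whether the image ended with a proper IEND chunk or was cut off instead of blindly searching for an IEND marker. The sample pcap, the 64 zero bytes standing in for the usbmon pseudo-header, and the 1x1 PNG are constructed inline so the script runs offline; for the real capture you would pass open("fore2.pcap", "rb").read() to carve_pngs_from_pcap. The function names are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def pcap_packets(data):
    """Yield the captured bytes of every record in a classic (libpcap) file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24                                   # fixed-size global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def carve_png(blob):
    """Return (png_bytes, complete) for the first PNG in blob, or None.

    Walks the chunk list and verifies each chunk CRC instead of searching for
    the IEND marker, so a truncated or damaged capture is reported as such."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            break                              # chunk runs past the packet
        body = blob[pos + 4:pos + 8 + length]  # type + data, the CRC input
        crc = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(body) != crc:
            break                              # damaged chunk
        pos = end
        if ctype == b"IEND":
            return blob[start:pos], True
    return blob[start:], False


def carve_pngs_from_pcap(pcap_bytes):
    """Every PNG found in a packet payload, with a flag saying whether it was complete."""
    hits = [carve_png(pkt) for pkt in pcap_packets(pcap_bytes)]
    return [h for h in hits if h]


# --- constructed sample data, so the script runs offline -------------------
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png():
    """A valid 1x1 RGBA PNG (one red pixel), built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")   # filter byte + pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_pcap(payloads, linktype=220):
    """Wrap payloads in a little-endian pcap; 220 is LINKTYPE_USB_LINUX_MMAPPED."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out


USB_HDR = b"\x00" * 64            # stand-in for the 64-byte usbmon pseudo-header (constructed)
SAMPLE_PNG = make_png()
SAMPLE_PCAP = make_pcap([USB_HDR + b"\x01\x02",          # unrelated transfer
                         USB_HDR + SAMPLE_PNG,            # the whole image in one URB
                         USB_HDR + SAMPLE_PNG[:-20]])     # a truncated copy

if __name__ == "__main__":
    for i, (png, complete) in enumerate(carve_pngs_from_pcap(SAMPLE_PCAP)):
        name = "carved%d.png" % i
        open(name, "wb").write(png)
        print(name, len(png), "bytes,", "complete" if complete else "TRUNCATED")
```

One caveat: this carves only images that sit entirely inside one record, which is the situation in this challenge. If a transfer is split across several URBs, concatenate the leftover-data fields of the relevant packets in order and run carve_png over the joined buffer instead.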

Now we can check out this png for filetype & exif

$ file out1.png
out1.png: PNG image data, 460 x 130, 8-bit/color RGBA, interlaced

$ exiftool out1.png
ExifTool Version Number         : 10.08
File Name                       : out1.png
Directory                       : .
File Size                       : 60 kB
File Modification Date/Time     : 2017:02:06 18:09:03-08:00
File Access Date/Time           : 2017:02:05 19:13:06-08:00
File Inode Change Date/Time     : 2017:02:06 18:09:03-08:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 460
Image Height                    : 130
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Adam7 Interlace
Gamma                           : 2.2
Background Color                : 255 255 255
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
Modify Date                     : 2016:12:31 19:24:31
Comment                         : Created with GIMP
Warning                         : Corrupted PNG image
Image Size                      : 460x130
Megapixels                      : 0.060


It worked! It's a little corrupted, but as you can see below as we view the image (with alpha fixed), it's good enough to read the flag:




SC1: Math Bot (100)



It is well known that computers can do tedious math faster than human.

nc 195.154.53.62 1337


On this challenge I ended up using one of my own tools, PwnUp!  It's a CLI utility built on pwntools that records an interactive session and scaffolds a quick client for a remote challenge from it. Here's a sample run setting up the client for this challenge:


pwnup
[*] Running PwnUp 1.0.6
 [?] Choose a type.
       1) ssh
    2> 2) remote
       3) local
[*] You Chose: remote
host > 195.154.53.62
port > 1337
[+] Opening connection to 195.154.53.62 on port 1337: Done
[*] Press <Ctrl-D> to stop recording ...
[*] Switching to interactive mode
                __________
         ______/ ________ \______
       _/      ____________      \_
     _/____________    ____________\_
    /  ___________ \  / ___________  \
   /  /XXXXXXXXXXX\ \/ /XXXXXXXXXXX\  \
  /  /############/    \############\  \
  |  \XXXXXXXXXXX/ _  _ \XXXXXXXXXXX/  |
__|\_____   ___   //  \\   ___   _____/|__
[_       \     \  X    X  /     /       _]
__|     \ \                    / /     |__
[____  \ \ \   ____________   / / /  ____]
     \  \ \ \/||.||.||.||.||\/ / /  /
      \_ \ \  ||.||.||.||.||  / / _/
        \ \   ||.||.||.||.||   / /
         \_   ||_||_||_||_||   _/
           \     ........     /
            \________________/

Our system system has detected human traffic from your IP!
Please prove you are a bot
Question  1 :
218318831115561303988112386917565 / 13366707491950058576832163796786 =

This dumps the client:

#!/usr/bin/env python
from pwn import *

r = remote('195.154.53.62', 1337)

def main():
  print(r.recvuntil('66707491950058576832163796786 =\n'))
  r.send('16.333029749251356\n')
  r.send('\n')

if __name__ == "__main__":
  main()

The initial client setup has been done; now we just have to generalize the maths. Through a couple of iterations, it ended up looking something like this:

#!/usr/bin/env python
# Python 2 / pwntools of the time: recv* returns str, print is a statement.
from pwn import *

r = remote('195.154.53.62', 1337)

def main():
  for _ in range(250):
    print r.recvuntil(' :\n')                    # "Question  N :"
    q = r.recvuntil('=\n').replace('=', '')     # "A <op> B \n"
    print 'Q: {}'.format(q)

    lhs, op, rhs, _ = q.split(' ')
    lhs = int(lhs)                              # Python ints are arbitrary precision,
    rhs = int(rhs)                              # so the 33-digit operands stay exact

    # Compare with ==, not `is`: `is` tests object identity and only happens to
    # work for one-character strings because CPython interns them.
    if op == '+':
      value = lhs + rhs
    elif op == '-':
      value = lhs - rhs
    elif op == '*':
      value = lhs * rhs
    elif op == '%':
      value = lhs % rhs
    elif op == '/':
      value = lhs / rhs                         # integer division under Python 2
    else:
      raise ValueError('unexpected operator: {}'.format(op))

    print 'R: {}'.format(value)
    r.sendline('{}'.format(value))

  # The flag follows the last answer.
  for _ in range(4):
    print r.recvline()

  r.interactive()

if __name__ == "__main__":
  main()


Running this script gives us:

......
Q: 174942629367119018977343151908382 - 15526770931750616720349747677112

R: 159415858435368402256993404231270
Question  247 :

Q: 60323767070161082714762485861860 + 233868579061398884615403732403639

R: 294192346131559967330166218265499
Question  248 :

Q: 249001744992309701987741377654436 + 119589169821601639702529040150239

R: 368590914813911341690270417804675
Question  249 :

Q: 186075071179272307783795940653753 + 205359634338042277068417382152009

R: 391434705517314584852213322805762
Question  250 :

Q: 103090646436160362683705207412345 + 111725961983915005271322948765063

R: 214816608420075367955028156177408
Well no human got time to solve 500 ridiculous math challenges

Congrats MR bot!

Tell your human operator flag is: ALEXCTF{1_4M_l33t_b0t}

Dropping the flag around question 250:

ALEXCTF{1_4M_l33t_b0t}
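The service is long gone, so to exercise the same solver logic offline here is an added example, not code from the original post or from AlexCTF, that separates question parsing from the transport. solve_question does the arbitrary-precision arithmetic on one "A <op> B =" line; run_client drives a session through any recvline/sendline pair, so it works with pwntools (r.recvline().decode() and r.sendline) as well as with FakeMathBot, a constructed stand-in that asks seeded random questions in the bot's format, rejects a wrong answer, and hands out a made-up flag. As in the writeup's script, '/' is answered with floor division; the page does not say what precision the real service expected for division, so treat that as an assumption. All names and the flag string are mine.

```python
import random
import re

# "A <op> B =" with arbitrarily large integer operands, as the service sends it.
QUESTION_RE = re.compile(r"^\s*(-?\d+)\s*([-+*/%])\s*(-?\d+)\s*=\s*$")


def solve_question(line):
    """Return the answer to one question line as the string to send back.
    Python ints are arbitrary precision, so the 33-digit operands stay exact;
    '/' is answered with floor division, as the writeup's script does."""
    m = QUESTION_RE.match(line)
    if not m:
        raise ValueError("unexpected question format: %r" % line)
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        value = a + b
    elif op == "-":
        value = a - b
    elif op == "*":
        value = a * b
    elif op == "/":
        value = a // b
    else:
        value = a % b
    return str(value)


def run_client(recvline, sendline, max_lines=2000):
    """Drive one session: answer every question line, return the flag.
    recvline/sendline can be pwntools' r.recvline()/r.sendline (decode the
    bytes first) or the FakeMathBot methods below."""
    for _ in range(max_lines):
        line = recvline()
        if "flag is:" in line:
            return line.split("flag is:", 1)[1].strip()
        if QUESTION_RE.match(line):
            sendline(solve_question(line))
    raise RuntimeError("no flag after %d lines" % max_lines)


class FakeMathBot:
    """Constructed stand-in for the remote service (not the real server):
    asks `rounds` seeded random questions, rejects a wrong answer, then
    prints a flag line in the format the real bot used."""

    def __init__(self, rounds=250, seed=1337, flag="FLAG{constructed}"):
        self.rng, self.rounds, self.flag = random.Random(seed), rounds, flag
        self.asked, self.expected, self.pending = 0, None, []
        self._ask()

    def _ask(self):
        self.asked += 1
        a, b = self.rng.getrandbits(108), self.rng.getrandbits(108) | 1  # b != 0
        op = self.rng.choice("+-*/%")
        self.expected = str({"+": a + b, "-": a - b, "*": a * b,
                             "/": a // b, "%": a % b}[op])
        self.pending += ["Question  %d :\n" % self.asked, "%d %s %d =\n" % (a, op, b)]

    def recvline(self):
        return self.pending.pop(0)

    def sendline(self, text):
        if text.strip() != self.expected:
            raise ValueError("wrong answer to question %d" % self.asked)
        if self.asked == self.rounds:
            self.pending.append("Tell your human operator flag is: %s\n" % self.flag)
        else:
            self._ask()


if __name__ == "__main__":
    bot = FakeMathBot()
    print(run_client(bot.recvline, bot.sendline))
```

Against the live service the only change is the transport: r = remote(host, port), then run_client(lambda: r.recvline().decode(), lambda s: r.sendline(s.encode())) under Python 3 pwntools.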





SC2: Cutie Cat (150)


Usually steganography challenges give me confidence; this one, however, did not.  It was still a fun challenge, but I ended up coming back to it, and the hint gave away the answer for me.  Initially I had tried many methods: alpha masks, LSB, threshold tweaking / bit layers, XOR, etc.  Here is the description with the hint:

yeah steganography challenges are the worst... that's why we got only ~~one~~ two steganography challenges.
Hint: It's scripting because we need a python library to solve the challenge, one that is made in Japan.

Searching a bit through the internets for Python libraries made in Japan led me to this page - https://pypi.python.org/pypi?%3Aaction=search&term=japanese

On here, if you search for stego, you find this library - https://pypi.python.org/pypi/steganography/0.1.1

After installing it and running it against the image, it was instant gratification:

$ steganography -d cat_with_secrets.png

ALEXCTF{CATS_HIDE_SECRETS_DONT_THEY}


Again, not the most exciting stego challenge, but I was happy it led to a moment of recon : )


Sunday, August 16, 2015

Defcon 23 :: OpenCTF 2015 - Absence (200)


I loved this challenge; it's exactly my cup of tea in the lands of obscurity.

Here's the code provided in the challenge:

#include <stdio.h>
 
void one(char k)          
{ 
  unsigned int i, bytes[]={0x0a,0x5d,0x2c,0x0b,0x37,0x38,0x04,0x05,0x1f,0x4c,0x05,0x1f,0x4c,0x02,0x03,0x18,0x4c,0x18,0x04,0x09,0x4c,0x0f,0x03,0x08,0x09,0x4c,0x15,0x03,0x19,0x4b,0x1e,0x09,0x4c};       
 
  for(i=0; i<32; i++)       
 printf("%c",(char)bytes[i]^k);
  printf("\n");          
} 
            
 
char two(char c)          
{ 
  return (c^0x32)-7;        
} 
            
 
void main(int argc, char** argv)         
{ 
  // lo0kin-fo
  one(two('A'));          
} 
  




First I tried compiling it and looking at the output. When doing this we get the following:
f1@g[This is not the code you're 

Cool, starts with a lead! That's nice!
After trying to change the 'A' value on line 22 to see if it changed the output, I got nothing and moved on to look for other clues.
Playing around in vim, one trick I occasionally use is pressing $ to jump to the end of each line and skimming through the code by hitting each end point. In this case, there were a few trailing spaces after one of the lines. With a past in heavy code reviews, this made me a little uneasy inside, so I decided to do another quick check:
/\t
With that we get way too many tab characters in irregular places:



This immediately redirects my thoughts to Whitespace, the programming language. If you're unfamiliar with whitespace, you can check out an example program here - http://www.99-bottles-of-beer.net/language-whitespace-154.html
The gist is that it's a language completely comprised of spaces, tabs, and linefeeds.

Because it's Whitespace, and not the most supported language in the world, I decided to do something I rarely find myself doing - finding an online interpreter. In this case, there was a great one with a good example of Whitespace found here - http://www.tutorialspoint.com/execute_whitespace_online.php (If anyone knows of good offline *nix Whitespace interpreters, please leave them in the comments section below!)
 lo0kin-fo]

This resulted in the full flag:
f1@g[This is not the code you're lo0kin-fo]