# Firebird CTF 2024 Write-up by Team 2 - Up_0n3_D0wn_7w0?

1. Return of Python 1+1+0.633
2. Aura
3. Pure Geoguessrrr

---

## 1. Return of Python 1+1+0.633 (8/52 teams solved)

With experience from both similar challenges in UST training and the payloads in previous challenges:

```
__import__("os").system("sh")
```

```
setattr(__import__("__main__"), "blocklist", "")
__import__("os").system("sh")
```

I thought the goal would be similar: use setattr() to remove the blocklist first, and then import os to get the flag.

![Screenshot 2024-01-21 6.51.53 PM](https://hackmd.io/_uploads/Sk9r0TqKa.png)

We can see that this time the blocklist is more advanced and we cannot simply remove it.

reference: https://hackmd.io/@crazyman/H1s0b1Hii

Method 1 remove overlay:

I found a similar case in the above reference; after several rounds of copy and paste I successfully entered a help() function.

```
setattr(license,"__dict__",locals()),delattr(license,"help"),help()
```

![Screenshot 2024-01-21 6.59.15 PM](https://hackmd.io/_uploads/rJhWk0cYp.png)

Sadly, the reference ends at this point. But then I found another reference about this help() function.

reference:

- https://www.woodwhale.top/archives/hnctfj-ail-all-in-one [Week1]calc_jail_beginner_level3
- https://shellcodes.org/Hacking/Python%20eval%E5%88%A9%E7%94%A8%E6%8A%80%E5%B7%A7.html

It turns out that after typing sys in help(), it would become a shell that we could control.

![Screenshot 2024-01-21 7.10.49 PM](https://hackmd.io/_uploads/ry87eR5K6.png)

We could type our command with #!

![Screenshot 2024-01-21 7.11.32 PM](https://hackmd.io/_uploads/rylUg09t6.png)

After further investigating the shell, we finally got the flag.

![Screenshot 2024-01-21 7.19.45 PM](https://hackmd.io/_uploads/S1EHMCcFp.png)

---

## 2. Aura (4/52 teams solved)

![Screenshot 2024-01-21 5.46.25 PM-min](https://hackmd.io/_uploads/rJuDancta.png)

![Screenshot 2024-01-21 5.47.30 PM-min](https://hackmd.io/_uploads/HkuPa3qFT.png)

![Screenshot 2024-01-21 5.48.01 PM-min](https://hackmd.io/_uploads/Bk_w63cYp.png)

I just casually wanted to scroll through something and found this. I usually play with MacBook Preview as the start of all image-style challenges, so this is quite a surprise and unintended LOL. (Actually, this is the first time it worked haha)

---

## 3. Pure Geoguessrrr (4/52 teams solved)

```
*i dont like geoguessers because it's too complicated for me. (i have a terrible sense of direction plz help) Fortunately i came across something on the streets and found this piece of paper. ^_^
*Attachment: pure-geoguesserrr.txt *
(PS: u need to add 'firebird{}' after solving and all characters are upper-case alphabets with underscores :D )* *
```

*I spent tons of time on this actually......*

So we are given this pure-geoguesserrr.txt, which is full of unknown codes.
> `CF8411 CF8410 CF8409 CF8408 E8768 E8767 E8766 AB5355 O3933 AA9366 AA1454 E8763 AF1757 AF1759 AF1760 E8777 GF2016 E8775 AA9228 GF4810 AA9231 E8755 AA9375 E8772 E8770 AB4827 AA3907 AB4829 E8752 E8750 E8747 AA2457 AA3863 E8746 AA9383 AA9384 AF1755 AF1756 E8745 GF2480 E8744 AA9385 AA1788 AA9387 AA3656 AB0406 BF1500 K7747 GF2014 AB5684 AA1791 BF3217 BF0589 AA3502 AA3503 AA3504 AA3505 AA3506 AB1433 AB1431 AB1429 AA3508 GF1199 AA3257 AA3657 AA1799 BF0906 E8736 E8737 E8735 E8734 E8733 E8732 AA4511 AB1371 AA3513 AA3514 AA1805 AA1806 BF0902 AA9332 AA9333 AA9335 CF0059 AA9339 AB5529 AA3086 AA3519 AA3518 AA1809 AA3082 E8724 E8723 E8722 AA3083 AA1811 AA1812 AA6475 AA3085 AA8386 AA8387 AA3176 E8720 E8718 E8717 AB0398 AA9613 E8716 K7929 K7930 K7925 K7898 AB2759 AA3131 AF1078 AB2761 K7916 K7819 K7933 K7934 AA4792 AA4791 E8574 E8575 AA3135 AA3134 AA3133 E9265 BF0594 BF0595 BF0596 AB1842 E9261 E9262 AF2018 AA4508 AA3137 AA3139 AA3576 AB5711 AB5710 CF1391 AA9561 AB0660 AB5511 E0836 AA9938 AB5508 AF2287 K7471 E8651 AA9076 AA9078`

My first reaction was to look for corresponding license plates, flight numbers or street names.

*Attempt 1: license plate*

Clearly doesn't work... who starts their license plate with K or E or AA...

*Attempt 2: flight number*

Doesn't work again :< I did find some flight numbers related to it, but they are not related.

*Attempt 3: Street number*

I put high hopes on it initially since this was the last thing on my mind. So I went to Wikipedia, grabbed all the street names and performed a check. Since the txt splits the codes unequally, I thought it might imply word length. So I filtered out all street names with length (4, 5, 3, 6) and guess what....! yes... 0 results popped up.

Then I looked back at the description of the challenge and one thing caught my eye.

```
Fortunately i came across something on the streets
```

Then I started to casually walk around in Google Maps and I found this:

![Screenshot 2024-01-21 6.11.15 PM-min](https://hackmd.io/_uploads/ByS8GTqFp.png)

AA!!!!! So it is lamp posts...
It is quite hard to notice this, since if you search the code on Google, you won't get any results. Maybe that's why so few teams solved this challenge.

And then we came to the most time-consuming part: getting the flag.

I was using another map service to solve this challenge, which is super slow (you need to wait like 10 seconds before going to the next lamp post), and idk why now I can't access it lol... so you can use a similar map service like this: https://www.map.gov.hk/gm/map/. After finding each lamp post position, I marked it with a red dot in Google Maps on my iPad and drew it. It was really tiring and I was about to go blind. At last I just gave up and guessed the flag, like after getting "POS" in the second word I immediately wrote 'TS', and after getting "US" in the third word I wrote "SEFUL".

![IMG_0093](https://hackmd.io/_uploads/HkWvmTctT.jpg)

![IMG_0094](https://hackmd.io/_uploads/rkbPXT9Ya.jpg)

![IMG_0095](https://hackmd.io/_uploads/rJbvQ6cta.jpg)

![IMG_0097](https://hackmd.io/_uploads/H1ZwXpqKa.jpg)

The final flag is *firebird{LAMP_POSTS_ARE_USEFUL}*
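
An added example for challenge 1 (Return of Python), not code from this write-up or from the challenge: a static audit that parses each input with `ast` instead of matching substrings, and flags the builtins, attribute accesses and dunder strings that the payloads quoted in that section rely on, without ever executing them. The `RISKY_NAMES` set and the `audit` / `is_allowed` names are assumptions made for this example; the challenge's real blocklist is only visible in the screenshot.

```python
import ast

# Assumed set for this example: builtins that reach outside the expression
# (import machinery, attribute mutation, namespace access, interactive helpers).
RISKY_NAMES = {"__import__", "setattr", "delattr", "getattr", "eval", "exec",
               "open", "help", "license", "breakpoint", "globals", "locals",
               "vars"}


def audit(source):
    """Return sorted findings for one line of input. The input is only parsed."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError:
        return ["not a single expression"]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in RISKY_NAMES:
            findings.add(f"name:{node.id}")
        elif isinstance(node, ast.Attribute):
            # A calculator-style evaluator has no need for attribute access.
            findings.add(f"attribute:{node.attr}")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value.startswith("__")):
            # Module or attribute names passed as strings, e.g. "__main__".
            findings.add(f"dunder-string:{node.value}")
    return sorted(findings)


def is_allowed(source):
    """Accept only input with no findings, such as plain arithmetic."""
    return audit(source) == []


# The three payloads quoted in the write-up, plus one benign line (constructed).
SAMPLES = [
    '__import__("os").system("sh")',
    'setattr(__import__("__main__"), "blocklist", "")',
    'setattr(license,"__dict__",locals()),delattr(license,"help"),help()',
    "1+1+0.633",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ALLOW" if is_allowed(sample) else "BLOCK"
        print(verdict, sample, audit(sample))
```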