# Assignment 2
## Flag format: CS2107{...} PLEASE REMEMBER
## Distribution of marks
- Easy (40 marks): 4 challs
- Medium (40 marks): 4 challs, pick 2
- Hard (20 marks): 3 challs, pick 1
## Challenge Categories
Tentative:
- Easy: 2 rev, 1 forensics, 1 pwn (or 1 rev, 1 forensics, 1 pwn, 1 web)
- Medium: 2 web, 1 pwn, 1 forensics (or 1 web, 1 pwn, 1 forensics, 1 rev)
- Hard: 1 forensics/pwn, 1 pwn, 1 web
## Challenge Ideas
Challenge idea + Difficulty level. Please populate more ideas in the form of _Category_:_Topic_
### Easy
- Reverse Engineering: GDB breakpoint sanity check
- Forensics: pcap but harder compared to Assignment 1? - use filtering?
- Web: client-side verification/simple IDOR?
- Pwn: Yitian's SIGSEGV idea, or bof, int under/overflow
### Medium
- Forensics: pcap/exif harder challenge, or OSINT (plz no)
- Web: SQLi
- Pwn: simple ret2win/bof to overwrite specific variables
- RE: Convert program to some linear equations and a bit of bruteforce and solve
### Hard
- Forensics: multi-part exif/fixing magic bytes and image height
- Pwn: ret2win with PIE?
- Web: SSTI with filters, force student to craft chain?
- RE: speed up some LFSR
### Easy
- Can you GDB?
  - Objective:
    - Using a debugger
  - Difficulty:
    - Easy
  - Description:
    - I heard dynamic analysis makes reverse engineering trivial...
- keylogger (Forensics) - Yong Liang
  - Objective:
    - Using Wireshark to analyse a pcap capture of USB protocol traffic
  - Difficulty:
    - Easy
  - Description:
    - Someone has been spying on our corporate network; we suspect that they have installed a keylogger on our system.
  - Hints:
    - HID DATA
    - Universal Serial Bus HID Usage Tables
    - Maybe a Keyboard/Keypad map can help you decode it more easily
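As an added example for this challenge (not part of the challenge files): decoding the USB HID keyboard reports that a keylogger capture contains, using the Keyboard/Keypad usage table the hints point to. It assumes the standard 8-byte boot-protocol report layout, and the report sequence it decodes is constructed, not taken from any real capture.

```python
# Added example (not from the challenge files): decode the 8-byte USB HID keyboard
# reports found as "Leftover Capture Data" in a USB pcap into the typed text.
# Assumed report layout: byte 0 = modifier bitmask, byte 1 reserved, bytes 2..7 = usage IDs.

# Subset of the HID Keyboard/Keypad usage page (0x07): usage ID -> (unshifted, shifted).
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)
KEYMAP.update({0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
               0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
               0x33: (";", ":"), 0x36: (",", "<"), 0x37: (".", ">")})
SHIFT_MASK = 0x02 | 0x20  # left shift | right shift bits of the modifier byte
BACKSPACE = 0x2A

def decode_hid_reports(reports) -> str:
    """Return the typed text. A usage ID is counted only in the report where it first
    appears, so a held key (repeated reports) is typed once and the all-zero release
    report between keystrokes adds nothing."""
    text, previous = [], set()
    for rep in reports:
        if len(rep) != 8:
            continue                     # not a boot-protocol keyboard report
        shifted = bool(rep[0] & SHIFT_MASK)
        pressed = {k for k in rep[2:8] if k}
        for code in sorted(pressed - previous):
            if code == BACKSPACE:
                if text:
                    text.pop()
            elif code in KEYMAP:
                text.append(KEYMAP[code][1 if shifted else 0])
            else:
                text.append("<%02x>" % code)  # unmapped usage ID, keep it visible
        previous = pressed
    return "".join(text)

def _report(code: int, shift: bool = False) -> bytes:
    return bytes([0x02 if shift else 0x00, 0, code, 0, 0, 0, 0, 0])
RELEASE = bytes(8)
# Constructed sample capture (not real traffic) typing "CS2107{h1d_k3y}": each press is
# followed by a release report; 'y' is held (sent twice) and an 'x' is backspaced.
SAMPLE_REPORTS = []
for code, shift in [(0x06, True), (0x16, True), (0x1F, False), (0x1E, False),
                    (0x27, False), (0x24, False), (0x2F, True), (0x0B, False),
                    (0x1E, False), (0x07, False), (0x2D, True), (0x0E, False),
                    (0x20, False), (0x1C, False), (0x1B, False), (BACKSPACE, False),
                    (0x30, True)]:
    SAMPLE_REPORTS += [_report(code, shift)] * (2 if code == 0x1C else 1) + [RELEASE]
```

On a real capture the reports come from the `usb.capdata` field of the interrupt-IN packets, in capture order.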
- Babypwn (Application Security: Binary Exploitation/Pwn) - Yitian
  - Objective:
    - Application Security, Buffer Overflow
  - Difficulty:
    - Easy
  - Description:
    - I read about buffer overflows, and I'm not too sure what that means. Can you check my application for me? It simply asks for your name and decides if you have permissions...
  - Hints:
    - This is a buffer overflow challenge: recognise your input variable and visualise your stack layout! Here is a [guide on buffer overflow](https://ctf101.org/binary-exploitation/buffer-overflow/) that you may refer to. Do Google it yourself for further clarification if required. Use `gdb` to debug the application and visualise the stack.
    - Tip: `x/#x $rsp` will display # words (8 bytes) starting from the top of your stack. For example, `x/30x $rsp` displays the 30 words at the top of your stack in hexadecimal.
- Cat Facts (Web: SQLi) - Vinh
  - Objective:
    - Web Security, SQLi
  - Difficulty:
    - Easy
  - Description:
    - I have just created an application to give you some cat facts. Give a lucky number and we will return a corresponding cat fact! The core logic source code is provided.
    - Access the site at http://cs2107-ctfd-i.comp.nus.edu.sg:8081/
  - Hints:
    - [SQL Injection](https://portswigger.net/web-security/sql-injection)
    - [SQLite Injection Cheat Sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md) might be useful
### Medium
- exfiltrator64 (Forensics) - Yong Liang
  - Objective:
    - Network Forensics, Python RE
  - Difficulty:
    - Medium
  - Description:
    - Blue teamers managed to capture the traffic of the compromised machine. Your task is to investigate the pcap file and determine what was exfiltrated out of the network. Oh wait, someone told me that a zip file containing our secret code and classified images has been exfiltrated... but weirdly, we don't see it in the pcap?
  - Hints:
    - https://www.trenchesofit.com/2020/08/01/data-exfiltration-with-base64/; maybe there is a faster way to extract what you need using `scapy` and some filtering.
    - URL encoding converts characters into a format that can be transmitted over the Internet; you might want to URL-decode what you found before doing further actions.
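An added analysis example for this challenge, not code from the challenge or the linked article: it rebuilds a base64 payload that was exfiltrated in URL-encoded chunks across several HTTP requests and identifies the result by its magic bytes. The request lines and the query parameter name `d` are constructed assumptions; in a real investigation the request lines would be pulled from the pcap with `scapy` or `tshark`.

```python
# Added example (not from the challenge files): reassemble a base64 payload that was
# exfiltrated piecewise in URL-encoded query strings and identify it by magic bytes.
# Assumed: a list of HTTP request lines in capture order, with the chunk carried in a
# query parameter named "d" (both the traffic and the parameter name are constructed).
import base64, binascii, io, re, zipfile
from urllib.parse import parse_qs, quote, urlsplit

MAGICS = {b"PK\x03\x04": "zip archive", b"\x89PNG": "PNG image",
          b"\xff\xd8\xff": "JPEG image", b"%PDF": "PDF document"}
REQUEST_LINE = re.compile(r"^(?:GET|POST)\s+(\S+)\s+HTTP/")

def build_sample_requests(chunk=40):
    """Constructed traffic: a tiny zip, base64'd, URL-encoded, sent in 40-char pieces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secret_code.py", "print('classified')\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    lines = ["GET /index.html HTTP/1.1", "GET /search?q=cats HTTP/1.1"]  # benign noise
    for i in range(0, len(b64), chunk):
        lines.append(f"GET /beacon?d={quote(b64[i:i + chunk], safe='')} HTTP/1.1")
    return lines

def analyse_requests(request_lines, param="d"):
    """Join the parameter values in capture order, base64-decode, classify by magic."""
    pieces = []
    for line in request_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)  # parse_qs URL-decodes (%3D -> =)
        pieces.extend(qs.get(param, []))
    if not pieces:
        return {"kind": "no payload", "size": 0, "members": []}
    try:
        raw = base64.b64decode("".join(pieces), validate=True)
    except binascii.Error:
        return {"kind": "not base64", "size": 0, "members": []}
    kind = next((n for magic, n in MAGICS.items() if raw.startswith(magic)), "unknown")
    members = []
    if kind == "zip archive":
        with zipfile.ZipFile(io.BytesIO(raw)) as z:
            members = z.namelist()   # what was actually taken, without extracting it
    return {"kind": kind, "size": len(raw), "members": members}
```

The chunks are joined in capture order; a real pcap should first be filtered to one TCP stream or client so that interleaved traffic cannot corrupt the reassembly.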
- Stacksweeper (Application Security: Binary Exploitation/Pwn) - Yitian
  - Objective:
    - Application Security, Buffer Overflow
  - Difficulty:
    - Medium
  - Description:
    - We have intercepted a malicious package from some threat actors, but they were smart and redacted all their variable declarations! I've heard about certain techniques that allow you to overwrite variables, and a little birdie told me that you were the best around here. Could you help me cross this minefield of a stack?
  - Hints:
    - This is a buffer overflow challenge. Interpret what the code is doing, overwrite the relevant registers, and return to the win function. Hence, this is a buffer overflow to ret2win challenge.
    - You may refer to the [following guide on ret2win](https://ir0nstone.gitbook.io/notes/types/stack/ret2win) for the completion of the exploit chain.
- Cat Breeds
  - Objective:
    - Web Security, Blind SQLi
  - Difficulty:
    - Medium
  - Description:
    - To accommodate cat lovers, I have created an application to check if a cat breed exists. Again, I have hidden the prize somewhere on the server. The core logic of the application is provided.
    - Access the site at http://cs2107-ctfd-i.comp.nus.edu.sg:8082/
  - Hints:
    - [Blind SQL Injection](https://portswigger.net/web-security/sql-injection/blind)
    - The flag is in the "flags" table
    - The flag follows the CS2107{...} format and only includes alphanumeric characters and the character "_".
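An added example covering both Cat Facts and Cat Breeds, not the challenges' own source: each endpoint's query written with string formatting beside its parameterised form, run against a constructed in-memory SQLite database (the table contents and the placeholder flag are made up). It shows why the "exists" endpoint is a blind-SQLi oracle and that the fix is the same for both.

```python
# Added example (not the challenge source): the two "Cat" endpoints written the
# vulnerable way and the hardened way, against a constructed in-memory SQLite database.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE facts(id INTEGER PRIMARY KEY, fact TEXT);
        INSERT INTO facts VALUES (1, 'Cats sleep most of the day'),
                                 (2, 'Cats have 32 muscles in each ear');
        CREATE TABLE breeds(name TEXT);
        INSERT INTO breeds VALUES ('siamese'), ('persian');
        CREATE TABLE flags(flag TEXT);
        INSERT INTO flags VALUES ('CS2107{placeholder_flag}');
    """)
    return db

# Cat Facts: lucky number -> fact. String formatting lets the user's text become SQL,
# so a tautology in the "number" returns every row instead of one.
def cat_fact_vulnerable(db, lucky: str):
    rows = db.execute(f"SELECT fact FROM facts WHERE id = {lucky}").fetchall()
    return [r[0] for r in rows]

def cat_fact_safe(db, lucky: str):
    if not lucky.isdigit():              # validate: only a whole number is meaningful
        return []
    rows = db.execute("SELECT fact FROM facts WHERE id = ?", (int(lucky),)).fetchall()
    return [r[0] for r in rows]

# Cat Breeds: a yes/no answer. With string formatting, any condition the user appends
# is evaluated by the database and its truth value leaks back as "exists" or not.
def breed_exists_vulnerable(db, name: str) -> bool:
    row = db.execute(f"SELECT 1 FROM breeds WHERE name = '{name}'").fetchone()
    return row is not None

def breed_exists_safe(db, name: str) -> bool:
    # The placeholder binds the whole input as one string value, never as SQL.
    row = db.execute("SELECT 1 FROM breeds WHERE name = ?", (name,)).fetchone()
    return row is not None
```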
- Ghidra Dragon Breath
  - Objective:
    - Using a decompiler, Reading C, Reimplementing code in a convenient language
  - Difficulty:
    - Medium
  - Description:
    - I have learnt from my mistake last time, and now no more dynamic analysis for you!
  - Hints:
    - Rewrite the code in Python
### Hard
- Headlines (Web Security: SSTI) - Vinh
  - Objective:
    - Flask SSTI
  - Difficulty:
    - Hard
  - Description:
    - I have created an application for you to generate catchy headlines using Flask templates. A reward is waiting for whoever can discover the secret on the web server!
    - Access the site at http://cs2107-ctfd-i.comp.nus.edu.sg:8083/
  - Hints:
    - For the novice writer who seeks guidance getting started: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
- Life Of Pie (Application Security: Binary Exploitation/Pwn) - Yitian
  - Objective:
    - Application Security, Buffer Overflow, PIE (Position Independent Executable)
  - Difficulty:
    - Hard
  - Description:
    - I love pies! I also love this philosophical story called Life of Pi, so I named my pie factory after this story! Feel free to order any pie you want, and I'm so generous I'm even providing the recipe for our signature pie flavour for free! However, I do have some secrets up my sleeves. Surely you can't do anything like finding my secret PIE with a leaked runtime memory address...
  - Hints:
    - This is a buffer overflow challenge with PIE (Position Independent Executable) enabled. PIE is a random offset that is generated at runtime and added to all relative-offset memory addresses. The generated PIE value remains constant for the same instance of the application. If you could somehow leak a runtime memory address value, could you perhaps obtain the generated PIE value?
    - The exploit chain should end similarly to ret2win. Here are some supplementary guides on [PIE](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit) and [ret2win](https://ir0nstone.gitbook.io/notes/types/stack/ret2win) to aid you in completing your exploit chain.
- Lost Bitcoin key
  - Objective:
    - Patching a binary to skip checks
  - Difficulty:
    - Hard
  - Description:
    - I lost my bitcoin key and my key generation program is taking too long, can you help me recover it?
  - Hints:
    - Patching
- Presentation (Still in progress by Thursday 28th)
  - Objective:
    - Forensics, malware
  - Idea:
    - A pptx containing a password-protected embedded PDF. The key is a readable string in the PDF. One of the files is an embedded PDF with a stream. The script does many things, but one suspicious line of code sends a POST request to a link containing an encrypted payload (the encryption is also done somewhere within the script). Hints will be provided in the challenge.
  - Difficulty:
    - Hard
  - Description:
    - We have been compromised by a PowerPoint file! How is that even possible??!