Writeup Navaja Negra 2018 CTF


For the third consecutive year our crew (@ka0labs_) set up a CTF competition inside the Navaja Negra (“Black Razor”) security conference. Every year we choose a “popular” animated show as the theme for the challenges (The Powerpuff Girls in 2016, Rick & Morty in 2017), and this was the year of Pokemon. We play CTFs as Insanity and as ID-10-Ts, so our biggest fear was to create challenges with the problems we have seen in other competitions: badly balanced or “GTF” (Guess The Flag) challenges. Here is the write-up for the challenges I made (you can check the write-ups for the challenges made by other ka0labs members here). Enjoy it!

Tindermon (WEB / HARD)

This is the challenge I am most proud of having set up. It is a web application written in NodeJS with MongoDB, vulnerable to an easy NoSQL injection, but to exploit the vulnerability successfully you must bypass a filter. The challenge description was:

Get the admin password! There is a WAF and it is NodeJS... Easy peasy! http://tindermon.ka0labs.org

The filter was a pain in the ass because it blocked the ” ‘ and . characters. The way to bypass it is to abuse internal issues in NodeJS 8 related to Unicode characters. Honestly, this write-up by @_Dreadlocked explains how to solve the challenge far better than I could. Please read it, because it is far more didactic than anything I can write.
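To make the underlying bug concrete, here is an added example (not the challenge's code, and not the Unicode bypass from the linked write-up): a Mongo-style login lookup that passes a parsed JSON body straight into the query, beside a version that enforces string types so no query operator can reach the database, with or without a WAF in front. The collection and the tiny `findOne` matcher are constructed stand-ins so the example runs offline.

```javascript
// Added example: NoSQL operator injection in a NodeJS/MongoDB-style login,
// and the type check that closes it. Nothing here is the challenge's code.

// Constructed sample collection (hypothetical users, not real data).
const users = [
  { username: 'admin', password: 'correct-horse-battery-staple' },
  { username: 'pikachu', password: 'thunderbolt' },
];

// Minimal stand-in for collection.findOne(filter): a field matches when
// the condition is a plain value (equality) or an object carrying $ne.
// Real MongoDB supports many more operators; $ne is enough to show the bug.
function findOne(filter) {
  const hit = users.find(doc =>
    Object.entries(filter).every(([field, cond]) => {
      if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
        return doc[field] !== cond.$ne;
      }
      return doc[field] === cond;
    })
  );
  return hit === undefined ? null : hit;
}

// Vulnerable: the JSON body is used as-is, so a client can send
// {"username": "admin", "password": {"$ne": ""}} and the operator is
// evaluated by the database instead of being compared as a password.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened: reject anything that is not a string before building the
// query, so the password can only ever be compared for equality. This
// works regardless of which characters a front-end filter blocks.
function loginHardened(body) {
  for (const key of ['username', 'password']) {
    if (typeof body[key] !== 'string') {
      throw new TypeError(`${key} must be a string`);
    }
  }
  return findOne({ username: body.username, password: body.password });
}
```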

HackGym (PWN / EASY)

In this challenge we provide the URL of a website. The description was:

Say the magic word to get the flag! http://hackgym.ka0labs.org

The website was a phpinfo() page with a bit of text hidden in the HTML:

See my backup at HackGym.so.bk

Download the file and open it in Radare2:

mothra@arcadia:/tmp| r2 HackGym.so.bk
 -- Welcome, "reenigne"
[0x00000cf0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x00000cf0]> afl
0x00000000    2 40           sym.imp.__cxa_finalize
0x00000bd8    3 23           sym._init
0x00000c00    1 6            loc.imp._zval_ptr_dtor
0x00000c10    1 6            loc.imp.zend_parse_parameters
0x00000c20    1 6            loc.imp.ap_php_snprintf
0x00000c30    1 6            fcn.00000c30
0x00000c40    1 6            loc.imp.zend_hash_exists
0x00000c60    1 6            sub.__JCR_LIST___72_c60
0x00000c70    1 6            loc.imp.php_printf
0x00000c80    1 6            loc.imp.php_info_print_table_header
0x00000c90    1 6            loc.imp._array_init
0x00000ca0    1 6            loc.imp._emalloc
0x00000cb0    1 6            loc.imp.php_info_print_table_start
0x00000cc0    1 6            loc.imp.zend_hash_find
0x00000cd0    1 6            loc.imp.spprintf
0x00000ce0    1 6            sub.__cxa_finalize_ce0
0x00000cf0    4 50   -> 44   entry0
0x00000d30    4 66   -> 57   sym.register_tm_clones
0x00000d80    5 50           sym.__do_global_dtors_aux
0x00000dc0    4 48   -> 42   entry1.init
0x00000df0    1 3            sym.zm_deactivate_HackGym
0x00000e00    3 100          sym.zif_confirm_HackGym_compiled
0x00000e70    1 44           sym.zm_info_HackGym
0x00000ea0    1 3            sym.zm_shutdown_HackGym
0x00000eb0    1 3            sym.zm_startup_HackGym
0x00000ec0    3 114          sym.kaboom
0x00000f40   15 271  -> 264  sym.PHP_FUNCION
0x00001050    1 16           sym.zm_activate_HackGym
0x00001060    1 8            sym.get_module
0x00001068    1 9            sym._fini

Looking at the function names (zm_, php_, etc.) we can tell this is a PHP extension (you can also see it just by running strings on the file :) ). Two function names are interesting: “kaboom” (for obvious reasons) and “PHP_FUNCION”, because it is spelled in Spanish (FUNCION instead of FUNCTION) and is uppercase.

[0x00000cf0]> pdf @ sym.PHP_FUNCION
...
|     ..--->  0x00000fc7  488d35000100.  lea rsi, str.HTTP_X_FORWARDED_FOR ; 0x10ce ; "HTTP_X_FORWARDED_FOR"
|     ::||    0x00000fce  ba15000000     mov edx, 0x15
|     ::||    0x00000fd3  e868fcffff     call loc.imp.zend_hash_exists
|     ::||    0x00000fd8  85c0           test eax, eax
|    ,=====<  0x00000fda  743d           je 0x1019 ; /srv/HackGym/php-5.6.36/ext/HackGym/HackGym.c:-9
|    |::||    0x00000fdc  488b8d980100.  mov rcx, qword [arg_198h] ; [0x198:8]=0x1d88
|    |::||    0x00000fe3  0fb65114       movzx edx, byte [rcx + 0x14] ; [0x14:1]=1
|    |::||    0x00000fe7  80fa04         cmp dl, 4
|   ,======<  0x00000fea  743c           je 0x1028
|   ||::||    0x00000fec  31ff           xor edi, edi
|   ||::||    0x00000fee  80fa05         cmp dl, 5
|  ,=======<  0x00000ff1  744d           je 0x1040
|  |||::||       ; CODE XREF from 0x0000102b (sym.PHP_FUNCION)
|  |||::||       ; CODE XREF from 0x0000104d (sym.PHP_FUNCION)
|  -------->  0x00000ff3  488d4c2408     lea rcx, [local_8h]
|  |||::||    0x00000ff8  488d35cf0000.  lea rsi, str.HTTP_X_FORWARDED_FOR ; 0x10ce ; "HTTP_X_FORWARDED_FOR"
|  |||::||    0x00000fff  ba15000000     mov edx, 0x15
|  |||::||    0x00001004  e8b7fcffff     call loc.imp.zend_hash_find
|  |||::||    0x00001009  488b442408     mov rax, qword [local_8h] ; [0x8:8]=0
|  |||::||    0x0000100e  488b00         mov rax, qword [rax] ; /srv/HackGym/php-5.6.36/ext/HackGym/HackGym.c:-10
|  |||::||    0x00001011  488b38         mov rdi, qword [rax]
|  |||::||    0x00001014  e847fcffff     call sym.kaboom
...

As we can see, this extension checks whether the X-Forwarded-For header is present (zend_hash_exists), fetches its value (zend_hash_find) and then passes it to our “kaboom” function. Let’s check it.

[0x00000ec0]> pdf @ sym.kaboom
/ (fcn) sym.kaboom 114
|   sym.kaboom ();
|           ; var int local_8h @ rsp+0x8
|           ; var int local_10h @ rsp+0x10
|           ; var int local_100h @ rsp+0x100
|           0x00000ec0      53             push rbx
|           0x00000ec1      488d35d20100.  lea rsi, str.8____D___JE__Target__3 ; 0x109a ; "8====D ! JE! Target! 3%"
|           0x00000ec8      4881ec000200.  sub rsp, 0x200
|           0x00000ecf      488b07         mov rax, qword [rdi]
|           0x00000ed2      4889e2         mov rdx, rsp
|           0x00000ed5      48890424       mov qword [rsp], rax
|           0x00000ed9      488b4708       mov rax, qword [rdi + 8] ; [0x8:8]=0
|           0x00000edd      4889442408     mov qword [local_8h], rax
|           0x00000ee2      488b4710       mov rax, qword [rdi + 0x10] ; [0x10:8]=0x1003e0003
|           0x00000ee6      4889442410     mov qword [local_10h], rax
|           0x00000eeb      31c0           xor eax, eax
|           0x00000eed      0f1f00         nop dword [rax]
|       .-> 0x00000ef0      0fb60c06       movzx ecx, byte [rsi + rax]
|       :   0x00000ef4      880c02         mov byte [rdx + rax], cl
|       :   0x00000ef7      4883c001       add rax, 1
|       :   0x00000efb      4883f817       cmp rax, 0x17
|       `=< 0x00000eff      75ef           jne 0xef0
|           0x00000f01      488d9c240001.  lea rbx, [local_100h] ; 0x100
|           0x00000f09      488d0da20100.  lea rcx, str.nn8ed_XXXXXX_EDITED_XXXXXX ; 0x10b2 ; "nn

Source page: https://www.codesec.net/view/605005.html