tag:evandrix.svbtle.com,2014:/feedevandrix .2014-12-30T07:24:57-08:00evandrix .https://evandrix.svbtle.comSvbtle.comtag:evandrix.svbtle.com,2014:Post/31c3-ctf-writeup2014-12-30T07:24:57-08:002014-12-30T07:24:57-08:0031C3 CTF writeup<h2 id="categories_2">Categories <a class="head_anchor" href="#categories_2">#</a>
</h2>
<ul>
<li><a href="https://svbtleusercontent.com/tmnb8m4mj3wpia.png">pwn</a></li>
<li><a href="https://svbtleusercontent.com/mvj9nbkd1xjg.png">crypto</a></li>
<li><a href="https://svbtleusercontent.com/qfmvih8zgjguw.png">reversing</a></li>
<li><a href="https://svbtleusercontent.com/0oxnq7i5i6ukog.png">malware</a></li>
<li><a href="https://svbtleusercontent.com/rglhsp4sdqs3w.png">signals</a></li>
<li><a href="https://svbtleusercontent.com/wb2bhl3clcio1q.png">web</a></li>
</ul>
<h2 id="web-gt-5chan-15pts_2">web > 5CHAN (15pts) <a class="head_anchor" href="#web-gt-5chan-15pts_2">#</a>
</h2>
<ul>
<li>only img ids #1 thru #8 inclusive are displayed</li>
<li>flag should be in img id #9</li>
<li>@ <a href="http://188.40.18.89/?page=pic&id=0%20OR%20id%3E8;--">http://188.40.18.89/?page=pic&id=0%20OR%20id%3E8;–</a>
<a href="https://svbtleusercontent.com/ewt5me3bbisdxg.png"><img src="https://svbtleusercontent.com/ewt5me3bbisdxg_small.png" alt="6web-5chan-flag.png"></a>
</li>
</ul>
tag:evandrix.svbtle.com,2014:Post/how-i-gained-access-to-amazon-ec2-servers-from-github-search-adapted2014-07-22T07:54:48-07:002014-07-22T07:54:48-07:00How I gained access to Amazon EC2 servers from Github Search (adapted)<p>Github Search allows advanced filters that allow us to search for these private keys @ <a href="https://github.com/search?o=desc&q=extension%3Apem+BEGIN+RSA+PRIVATE+KEY&ref=searchresults&s=indexed&type=Code">link</a>.</p>
<p>This looks for:</p>
<ul>
<li>private keys with a .pem extension</li>
<li>“BEGIN RSA PRIVATE KEY” text that marks the beginning of a private key</li>
<li>sorted by most recently indexed</li>
</ul>
<p>Although a decent amount of people have dummy keys, a large amount have real pem files. In addition, there are cases in which people notice that they have accidentally pushed a private key and push a new commit stripping their private key. This does not prevent anyone slightly determined from finding your private key, as the original key will still exist in your git history (publicly accessible)</p>
<p>As a proof of concept to warn people of the dangers of accidentally posting sensitive information such as private keys to their github repos, I attempted to gain access to Amazon EC2 servers with a couple of Bash/Python scripts by scraping Github and using Github’s API to obtain the necessary credentials.</p>
<p>I did the following in around 2 hours with very simple techniques to try to find credentials, but I’m certain anyone determined would be able to find quite a lot more credentials and exploitable information with more time and more sophisticated techniques.</p>
<p><strong>The Method</strong></p>
<p>To gain access to Amazon EC2 servers, I want to ssh into those servers, by <code class="prettyprint">ssh -i key.pem user@host</code>, where user will be some name like ubuntu or ec2-user, and host will be of the form ec2-xx-xxx-xxx-xx.some-suffix.amazonaws.com, unless the owner is using an elastic ip, in which case the host would just be the ip. However, my technique focused on hosts of the form …amazonaws.com, since it was easier to search for.</p>
<p><em>Step 1</em></p>
<p>My first step was to find potential ec2 hosts by searching for “.amazonaws.com pem” in Github Code, ordered by most recently indexed files (which are more likely to have active servers!) and scraping the first 1000 results. I used a simple shell script:</p>
<pre><code class="prettyprint">for i in `seq 1 100`; do
curl -sL “https://github.com/search?o=desc&p=”$i”&q=.amazonaws.com+pem&ref=simplesearch&s=indexed&type=Code” | grep “title” >>git_output_ips.txt
sleep 5
</code></pre>
<p>I sleep 5 seconds between requests to mitigate possible rate limiting. The output, git_output_ips.txt, contains raw html that has been pruned by grep to mostly contain the repo and file that has the possible occurrences of user@host names of ec2 instances. These 1000 most recent occurrences occur between March 6th to July 14th, which is relatively recent, giving us hope that these instances are still running.</p>
<p><em>Step 2</em></p>
<p>My second step was to search through these 1000 repositories for private keys. I ran a simple python script that hit the github api endpoint: “<a href="https://api.github.com/search/code%E2%80%9D">https://api.github.com/search/code”</a> with the query “q=BEGIN%20RSA%20PRIVATE%20KEY+extension:pem+repo:” + repo to search a certain repo for all pem files. An authenticated user can make 20 requests per minute, so this script took around 50 minutes. The script generated a list of vulnerable repositories with ec2 user@host strings as well as only one pem file. To simplify things for me, I excluded repositories with multiple pem files, although a determined hacker would try all combinations of pem files against the host.</p>
<p><em>Step 3</em></p>
<p>At this point, I have pairs of “potential credential” urls that point to github repo files. One file contains the ec2 user@host name, and the other file is a private key. In step 2, I searched through 1000 repositories containing ec2 user@host names for private keys, and found 31 repositories that have exactly one pem file. In step 3, I downloaded the raw source of these github files, which are found by replacing “github.com” with “raw.githubusercontent.com” and removing “blob/” from the original url. For example, here’s a raw js file from the jquery repo: <a href="https://raw.githubusercontent.com/jquery/jquery/master/build/release.js">link</a></p>
<p>To find the ec2 user@host to ssh into, I tokenized the raw file with a space, newline, quotes, and equals sign as delimiters, then found the token(s) that contained “amazonaws”, which were possible user@host strings. I downloaded the pem files and changed their permissions to 400, then tried to ssh into each of these 31 potential credentials I had identified. I did this programmatically by opening up a new tab in terminal and executing the ssh command via osascript since I was using the mac terminal. Here’s an example osascript/ssh command I tried to run for the 31 potential credentials I had obtained:</p>
<blockquote>
<p>osascript -e ‘tell application “Terminal” to activate’ -e ‘tell application “System Events” to tell process “Terminal” to keystroke “t” using command down’ -e ‘tell application “Terminal” to do script “ssh -o \”StrictHostKeyChecking no\” -i pem29.pem <a href="mailto:ubuntu@ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com">ubuntu@ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com</a>” in tab 2 of window 1′</p>
</blockquote>
<p>I used the option -o “StrictHostKeyChecking no” when ssh’ing so I wouldn’t have to answer “yes” to the prompt that shows up when you ssh into a new ip. I then manually checked the 31 tabs that had been created to see how many ec2 servers I had successfully ssh’ed into. I immediately exited from any successful ssh sessions. I gained access to <strong>5</strong> Amazon EC2 servers, which is quite a lot, considering that access to these servers mean that I can do anything on those servers that the users have permissions to do. EC2 servers have a passwordless sudo on creation, which means that most of the servers that you can ssh into will have root access. A malicious hacker could then take over the servers to mine bitcoin, causing the owner to incur heavy AWS charges until he notices. I used very basic techniques in order to find “potential credentials” which gave me a lot of false positives and caused me to miss potential credentials. A determined hacker, for example, would try hosts against all pem files found in a repo, and run searches to find potential user@host names in step 1) in a more meticulous fashion, such as running searches like “compute-1.amazonaws.com” to filter out false positives better, or look for hosts that are elastic ips. In addition, I noticed by manual inspection that programmers would often decouple the user and host names by storing them in variables, so I’m certain more credentials could be found with techniques to try to find the user and host when they are separated in a file. Lastly, as I mentioned before, people will often realize their mistake of committing private keys and add a new commit deleting their key; unfortunately, their private key is still in their history and can be found relatively easily as well.</p>
<p><strong>Mitigation</strong></p>
<p>If you’ve already accidentally committed sensitive information to your private repositories and want to remove them from your history, github has a helpful <a href="https://help.github.com/articles/remove-sensitive-data">article</a> that shows you how to do so using git filter-branch or the bfg repo-cleaner.</p>
<p>So, in addition to purging your repository’s history of the offending file, you should make sure to invalidate the compromised data. For example, you should generate a new ssh keypair and delete the public key on your server if you accidentally committed a private key to your public github repo. Better yet, make sure you do not commit sensitive information to public repositories. In the case of pem files, adding a *.pem to your .gitignore file will ensure that git ignores sensitive files when committing, ensuring that the private key will not get pushed to the public for everyone to see.</p>
tag:evandrix.svbtle.com,2014:Post/osx-109-reverse-engineering-tutorial2013-11-06T05:24:07-08:002013-11-06T05:24:07-08:00OSX 10.9 Intel Reverse Engineering Tutorial (adapted)<h2 id="toolkit-to-get-started_2">Toolkit to get started <a class="head_anchor" href="#toolkit-to-get-started_2">#</a>
</h2>
<ol>
<li>gcc 4.9 + gdb 7.6 w/ <a href="http://pastebin.com/raw.php?i=hwZUJwqw">~/.gdbinit</a> (or clang 5.0/llvm 3.3 + lldb 300.2.51)</li>
<li>decent hex editor: 0xEd/Hex Fiend (gui) or od, <a href="https://github.com/theabraham/chex">chex</a>, hexdump/hexedit (cli)</li>
<li>diagnostics: otool/XCode, file, strings; inspect universal binary - <a href="https://github.com/Nyx0uf/moatool">moatool</a>, lipo; OSX - class-dump v3.4</li>
<li>Hopper Disassembler/IDA Pro</li>
</ol>
<h2 id="mac-osx-application-architecture_2">Mac OSX Application Architecture <a class="head_anchor" href="#mac-osx-application-architecture_2">#</a>
</h2><h3 id="challengeapp-package-content-structure_3">Challenge.app package content structure <a class="head_anchor" href="#challengeapp-package-content-structure_3">#</a>
</h3>
<ul>
<li>Contents
<ul>
<li>Info.plist</li>
<li>MacOS - contains main binary (also look for ‘Frameworks’ folder)</li>
<li>PkgInfo</li>
<li>Resources
### Inspect if fat/universal binary (>1 arch): <code class="prettyprint">file <binary></code> or <code class="prettyprint">otool -h <binary></code>
### Check .gdbinit via <code class="prettyprint">help user</code> within gdb</li>
</ul>
</li>
<li>debug by <code class="prettyprint">attach</code>ing to <code class="prettyprint"><pid></code>, or running live using <code class="prettyprint">exec-file <binary></code>
</li>
<li>command-line arguments: <code class="prettyprint">set args</code> or <code class="prettyprint">r</code>/<code class="prettyprint">run < <input></code>
</li>
</ul>
<h2 id="basic-gdb-command_2">Basic gdb command <a class="head_anchor" href="#basic-gdb-command_2">#</a>
</h2>
<ul>
<li>breakpoint w/ condition
<ul>
<li>set: <code class="prettyprint">b</code>/<code class="prettyprint">bp</code> on mem loc, eg. <code class="prettyprint">bp 0x1234</code>, or symbol, eg. <code class="prettyprint">bp [NSControl stringValue]</code>
</li>
<li>list all: <code class="prettyprint">bpl</code>
</li>
<li>enable/disable: <code class="prettyprint">bpe/bpd</code> or <code class="prettyprint">delete #</code>
</li>
</ul>
</li>
<li>step(i)
<ul>
<li>
<code class="prettyprint">n</code>/<code class="prettyprint">next</code>, <code class="prettyprint">ni</code>/<code class="prettyprint">next(i)[nstr]</code>, <code class="prettyprint">step(i)[nstr],</code>step(o)[ver fn call]` - can bypass obj_msgSend()</li>
</ul>
</li>
<li>modify flag/mem
<ul>
<li>
<code class="prettyprint">cfX</code>: X={a,c,d,i,o,p,s,t,z,s} (gdbinit) - invert current cpu register flag state, eg. JE followed iff Zero flag (Z/ZF) == 1 (ie. take the jump); <code class="prettyprint">cfz</code> to update</li>
</ul>
</li>
</ul>
<h3 id="list_3">List <a class="head_anchor" href="#list_3">#</a>
</h3>
<ol>
<li>cfa - Auxiliary carry</li>
<li>cfc - Carry flag</li>
<li>cfd - Direction flag</li>
<li>cfi - Interrupt flag</li>
<li>cfo - Overflow flag</li>
<li>cfp - Parity flag</li>
<li>cfs - Sign flag</li>
<li>cft - Trap flag</li>
<li>cfz - Zero flag</li>
</ol>
<ul>
<li>dump/eval mem loc
<ul>
<li>help x/FMT ADDR: examine memory</li>
<li>Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char) and s(string), T(OSType)</li>
<li>Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).</li>
<li>(default fmt/sz is last used; cnt = 1; addr: last <code class="prettyprint">print</code>ed or <code class="prettyprint">x</code>-ed)</li>
<li>eg. <code class="prettyprint">x/2s $eax</code>
</li>
</ul>
</li>
</ul>
<p><code class="prettyprint">example.c</code></p>
<pre style="width:550px;margin:0 auto;">
#include <stdio.h>
main(int argc, char *argv[])
{
printf("Hello GDB!\n");
printf("Argument is: %s\n", argv[1]);
}
</pre>
<pre style="width:800px;margin:0 auto;">
0x00001fb9 in main ()
--------------------------------------------------------------------------[regs]
EAX: 00001FE1 EBX: 00001FB2 ECX: BFFFF848 EDX: 00000000 o d I t S z a p c
ESI: 00000000 EDI: 00000000 EBP: BFFFF828 ESP: BFFFF810 EIP: 00001FB9
CS: 0017 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F
[001F:BFFFF810]----------------------------------------------------------[stack]
BFFFF860 : D2 F9 FF BF F1 F9 FF BF - 01 FA FF BF 3B FA FF BF ............;...
BFFFF850 : 33 F9 FF BF 6C F9 FF BF - 88 F9 FF BF C1 F9 FF BF 3...l...........
BFFFF840 : 00 00 00 00 01 00 00 00 - FC F8 FF BF 00 00 00 00 ................
BFFFF830 : 01 00 00 00 48 F8 FF BF - 50 F8 FF BF BC F8 FF BF ....H...P.......
BFFFF820 : 00 10 00 00 BC F8 FF BF - 40 F8 FF BF 7A 1F 00 00 ........@...z...
BFFFF810 : 00 00 00 00 00 00 00 00 - 3C F8 FF BF 37 10 E0 8F ........<...7...
[0017:00001FB9]-----------------------------------------------------------[code]
0x1fb9 <main>: mov DWORD PTR [esp],eax
0x1fbc <main>: call 0x300a
0x1fc1 <main>: mov eax,DWORD PTR [ebp+0xc]
0x1fc4 <main>: add eax,0x4
0x1fc7 <main>: mov eax,DWORD PTR [eax]
0x1fc9 <main>: mov DWORD PTR [esp+0x4],eax
0x1fcd <main>: lea eax,[ebx+0x3a]
0x1fd3 <main>: mov DWORD PTR [esp],eax
--------------------------------------------------------------------------------
gdb$ x/s $eax
0x1fe1 <main>: "Hello GDB!"
</main></main></main></main></main></main></main></main></main></pre>
<ul>
<li><code class="prettyprint">print <program var></code></li>
<li>
<code class="prettyprint">po $eax</code>: request object to print itself</li>
<li>
<code class="prettyprint">set</code>: change mem <code class="prettyprint">set *0xaddr = newval</code>/reg <code class="prettyprint">set $eax = newval</code> contents
<ul>
<li>type casting: <code class="prettyprint">set $eax = (char) 0x12345</code> - $eax = 0x45</li>
<li>
<code class="prettyprint">set $eax = (int) 0x12345</code> - $eax = 0x12345</li>
</ul>
</li>
</ul>
<pre style="width:800px;margin:0 auto;">
...
_main:
...
7: +13 00001fb3 8d832f000000 leal 0x0000002f(%ebx),%eax Hello GDB!
...
9: +22 00001fbc e849100000 calll 0x0000300a _puts
...
14: +39 00001fcd 8d833a000000 leal 0x0000003a(%ebx),%eax Argument is: %s\n
...
16: +48 00001fd6 e82a100000 calll 0x00003005 _printf
...
</pre>
<ul>
<li>note compiler optimization: first <code class="prettyprint">printf</code> -> <code class="prettyprint">puts</code>, since no format string supplied</li>
<li><code class="prettyprint">#9: +22 0000**1fbc** e849100000 calll 0x0000300a _puts</code></li>
<li>+22: local offset, ie. offset within this function</li>
<li>00001fbc: code addr - used for breakpoint</li>
<li>e8 49 10 00 00: opcodes - <strong>note: endian-ness</strong>
</li>
<li>calll 0x0000300a: corresponding ASM mnemonic</li>
<li><p>_puts: additional information identified</p></li>
<li><p>set breakpoint here: <code class="prettyprint">bp *0x1fbc</code>; <code class="prettyprint">bpl</code> to check</p></li>
<li><p>[regs]: current state of cpu registers and flags</p></li>
<li><p>[code]: disasm output for current mem addr (1st line is next to exec)</p></li>
<li><p>display [regs] and [code] section with <code class="prettyprint">context</code> in gdb</p></li>
<li><p>*<em>note: Intel vs AT&T syntax *</em></p></li>
<li><p>can <code class="prettyprint">c</code>/<code class="prettyprint">continue</code> @ breakpoint</p></li>
<li><p><code class="prettyprint">printf("Argument is: %s\n", argv[1]);</code> - 2 args passed onto stack (ESP) in reverse order</p></li>
<li><p>EAX holds supplied arg(s)</p></li>
</ul>
<h2 id="get-cracking_2">Get cracking! <a class="head_anchor" href="#get-cracking_2">#</a>
</h2>
<ol>
<li>Reconnaissance: program limitation & error/info messages - anything interesting?
<ol>
<li>are they contained in the binary itself, or external resources/assets?</li>
<li>refer to Apple’s documentation for methods, eg. ‘applicationDidFinishLaunching’ may contain method ‘isRegistered’</li>
<li>look for program control flow - “good” vs. “bad” paths</li>
</ol>
</li>
<li>Solutions
<ol>
<li>JE [0x74 0x2b] -> NOP [0x90]</li>
<li>patch return value of method to always be true</li>
</ol>
</li>
</ol>
<h3 id="original_3">original <a class="head_anchor" href="#original_3">#</a>
</h3>
<pre style="width:550px;margin:0 auto;">
-(BOOL)[Level1 isRegistered]
+0 00002a88 55 pushl %ebp
+1 00002a89 89e5 movl %esp,%ebp
+3 00002a8b 8b4508 movl 0x08(%ebp),%eax
...
</pre>
<p><code class="prettyprint">gdb$ assemble</code></p>
<pre style="width:550px;margin:0 auto;">
xor eax, eax
inc eax
ret
</pre>
<pre style="width:550px;margin:0 auto;">
00000000 31C0 xor eax,eax
00000002 40 inc eax
00000003 C3 ret
</pre>
<ul>
<li>
<strong>set *0x2a88 = 0xc340c031</strong> -little endian</li>
<li>patch single byte <code class="prettyprint">set *(char *) address = 0x90</code>
</li>
<li>TODO: 4 bytes starting @ 0x00002a88, can optionally NOP the remaining 2 bytes of original 3rd instr</li>
</ul>
<ol>
<li>also can patch code before method invocation</li>
</ol>
<pre style="width:550px;margin:0 auto;">
...
+22 00002534 e8252b0000 calll 0x0000505e -isRegistered
+27 00002539 84c0 testb %al,%al
+29 0000253b 742b je 0x00002568 -if not reg, show bad msg
...
</pre>
<p><code class="prettyprint">gdb$ assemble</code> @ 0x00002534</p>
<pre style="width:550px;margin:0 auto;">
xor eax, eax
inc eax
</pre>
<ul>
<li>…and NOP remaining bytes as before</li>
</ul>
<h2 id="patching_2">Patching <a class="head_anchor" href="#patching_2">#</a>
</h2>
<ul>
<li>if universal binary, have to first strip out x86 component</li>
<li>
<code class="prettyprint">otool -f <binary></code> -> nfat_arch = 2 -> cputype 7 ie. Intel x86 (cputype 18 is PPC)</li>
<li>formula = offset (from ottol output in dec) + offset_to_patch</li>
<li>patch @ this calculated addr in favourite hex editor</li>
<li>(if PPC had been first, formula for x86 = offset - 0x1000 + offset_to_patch; 0x1000h=4096d is header for PPC part)</li>
<li>tools exist to derive addr formula: <a href="http://reverse.put.as/wp-content/uploads/2011/02/offset1.3.pl_.gz">offset1.3</a>, <a href="http://reverse.put.as/wp-content/uploads/2009/06/ocalc.c">ocalc.c</a>
</li>
</ul>
<h3 id="typical-valid-serial-genverify-routine_3">Typical valid serial # gen/verify routine <a class="head_anchor" href="#typical-valid-serial-genverify-routine_3">#</a>
</h3>
<p><code class="prettyprint">-(BOOL)[Level1 validateSerial:forName:]</code></p>
<ol>
<li>Verify if user serial number length is ok. If ok continue, else give an error.</li>
<li>Compute the good serial number.</li>
<li>Compare the user serial number with the good serial number.</li>
</ol>
<p>Serial should be 8 chars in length, as this piece of code shows:<br>
<code class="prettyprint">+29 00002abb 83f808 cmpl $0x08,%eax</code></p>
<p>A quick look at the whole method and we find the piece of code we are interested in:</p>
<pre style="width:800px;margin:0 auto;">
...
+369 00002c0f 891c24 movl %ebx,(%esp) <- our serial first 4 chars
+372 00002c12 89c6 movl %eax,%esi <- esi with our serial next 4 chars
+374 00002c14 8b45d8 movl 0xd8(%ebp),%eax <- eax with 5680 (first part of good serial)
+377 00002c17 89442408 movl %eax,0x08(%esp)
+381 00002c1b a108400000 movl 0x00004008,%eax isEqual:
+386 00002c20 89442404 movl %eax,0x04(%esp)
+390 00002c24 e835240000 calll 0x0000505e -[(%esp,1) isEqual:]
+395 00002c29 84c0 testb %al,%al <- are they equal ?
+397 00002c2b 7421 je 0x00002c4e <- jump if our serial part is different from good serial part
+399 00002c2d 8b45dc movl 0xdc(%ebp),%eax <- eax holding second part of good serial
+402 00002c30 893424 movl %esi,(%esp) <- our second serial part
+405 00002c33 89442408 movl %eax,0x08(%esp)
+409 00002c37 a108400000 movl 0x00004008,%eax isEqual:
+414 00002c3c 89442404 movl %eax,0x04(%esp)
+418 00002c40 e819240000 calll 0x0000505e -[(%esp,1) isEqual:]
+423 00002c45 ba01000000 movl $0x00000001,%edx <- used to return that serial is GOOD
+428 00002c4a 84c0 testb %al,%al <- test if 2nd serial parts match
+430 00002c4c 7502 jne 0x00002c50 <- jump if they match
+432 00002c4e 31d2 xorl %edx,%edx <- this will clean edx, thus telling that serial is BAD
+434 00002c50 83c43c addl $0x3c,%esp
+437 00002c53 89d0 movl %edx,%eax <- if serial is ok, edx is equal to 1, so eax will return 1 meaning an ok serial!
...
</pre>
<ul>
<li>Instead of a comparison with a single serial number, 2 comparisons are made, the 1st half and then the 2nd half</li>
<li>Merge these pieces to get the complete valid serial #</li>
</ul>
<pre><code class="prettyprint">/* Keygen for Macserialjunkies Challenge '09
The serial algorithm has a bug because the format string has no zero padding.
For example with the following name "zeparreco" the valid serial is 39940081
but since there is lack of padding, the algorithm generates 399481.
Serial length must be equal to 8 so this username is impossible to keygen due to this small bug.
*/
#include <cstdio>
#include <cstdlib>
#include <cstring>
int main(int argc, char *argv[])
{
char name[256], *pname;
printf("Macserialjunkies.com challenge #1 Keygen v0.1\n\n");
printf("name:\n");
fflush(stdout);
fgets(name, 256, stdin);
if ((pname = strchr(name, '\n')) != NULL)
{
*pname = '\0';
}
/* serial number is composed by 8 digits
there are two algorithms, one for the first 4 digits and the other for the remaining
*/
// first block of four digits
int i=0;
int digit,multiplier=4;
// mov eax,0x68db8bad
int wtf = 0x68db8bad;
int accumulator=0;
int ecx=0;
unsigned long long temp1;
int temp2, temp3, temp4;
int x=0;
int stringsize = strlen(name);
int firstblock,secondblock;
for (x=0; x < stringsize ; x++)
{
// movsx eax,BYTE PTR [edi+ebx]
digit = name[i];
// inc ebx
i++;
// imul eax,esi
digit = digit * multiplier;
// add esi,0x4
multiplier += 4;
// shl edx,0x4
// sub edx,eax
digit = (digit << 4 ) - digit;
// lea ecx,[edx+ecx+0x29a]
ecx = digit + ecx + 0x29a;
// imul ecx
temp1 = (unsigned long long) ecx * wtf;
// this grabs the ecx value since long multiplication the result goes to EDX:EAX
temp1 = temp1 >> 32;
// mov eax,ecx
// sar eax,0x1f
temp2 = ecx >> 0x1f;
// sar edx,0xc
temp1 = temp1 >> 0xc;
// sub edx,eax
temp3 = temp1 - temp2;
// imul edx,edx,0x2710
temp4 = temp1 * 0x2710;
// sub eax,edx
ecx = ecx - temp4;
}
// the last ecx is the good first serial part
firstblock = ecx;
// second block
i=0;
multiplier = 4;
int edx;
x=0;
ecx=0;
int firstsar, secondsar;
for (x=0; x < stringsize ; x++)
{
//movsx eax,BYTE PTR [edi+ebx]
digit = name[i];
// inc ebx
i++;
// imul eax,esi
digit = digit * multiplier;
// add esi,0x8
multiplier += 8;
// lea edx,[eax+eax*4]
edx = digit + digit * 4;
// lea edx,[eax+edx*2+0x2d]
edx = digit + edx*2 + 0x2d;
ecx = ecx + edx;
temp1 = (unsigned long long) ecx * wtf;
edx = temp1 >> 32;
firstsar = ecx >> 0x1f;
secondsar = edx >> 0xc;
temp2 = secondsar - firstsar;
edx = secondsar * 0x2710;
temp3 = ecx - edx;
}
// 2nd part of good serial
secondblock = temp3;
// convert to decimal and print
printf("Serial number is: %04d%04d\n", firstblock, secondblock);
}
</code></pre>
<h2 id="future-sections_2">Future sections <a class="head_anchor" href="#future-sections_2">#</a>
</h2>
<ul>
<li>Intel x86 opcode map reference</li>
<li>Mac OSX Apps: codesign - check status & disable</li>
<li>unpack .pkg</li>
<li>mount/install .dmg from CLI</li>
<li>XCode building from CLI & debugging</li>
</ul>
<p><em>More coming soon, stay tuned!</em></p>
tag:evandrix.svbtle.com,2014:Post/csaw-ctf-2013-web200-writeup2013-09-23T10:12:56-07:002013-09-23T10:12:56-07:00CSAW CTF 2013: Web200 writeup<hr>
<h2 id="nevernote-200-points-a-hrefhttpsctfisispolyed_2">Nevernote - 200 Points @ <a href="https://ctf.isis.poly.edu/challenges">https://ctf.isis.poly.edu/challenges</a> <a class="head_anchor" href="#nevernote-200-points-a-hrefhttpsctfisispolyed_2">#</a>
</h2>
<pre><code class="prettyprint">from: Nevernote Admin < **nevernoteadmin@nevernote.com** >
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help
Friend,
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there anyway you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - its you.
Thanks,
Nevernote Admin
</code></pre>
<h1 id="solution_1">Solution <a class="head_anchor" href="#solution_1">#</a>
</h1>
<ol>
<li>Visit URL <em><a href="http://128.238.66.214">http://128.238.66.214</a></em> as instructed</li>
<li>Login via SQL injection with username/password <code class="prettyprint">'OR''='</code>
</li>
<li>Using the given hint that ‘Admin’ always checks links, setup a script (I used PHP) somewhere on a public-facing server to capture the superglobals, esp. <code class="prettyprint">$_REQUEST</code>, <code class="prettyprint">$_GET</code>, <code class="prettyprint">$_POST</code> & <code class="prettyprint">$_FILES</code>, before sending a message to the Admin’s email address via the system itself</li>
<li>One of these variables (challenge is no longer accessible at the point of this writeup to verify precisely which) contains the requesting URL, which you should be sufficiently curious to explore by clicking through (IIRC it’s of the form <code class="prettyprint">http://challenge-url/?enc=XXX</code>)</li>
<li>The flag/key is found in the contents of that message at the link captured</li>
<li>Profit!</li>
</ol>