
Playing Hacks and Stuffs!


Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

RITSEC CTF '23

I had fun playing this CTF and learnt new things 😄. Let's get straight to the fun.

Intro

If you just go to the Discord channel and check the rules, you will see the flag.

Flag: RS{!flag}

Chandi Bot

Chandi Bot 1

After going to the Discord channel, there's a bot there called Chandi; checking its profile gives the flag.

Flag: RS{QUANTUM_RESISTANT_ENCRYPTION}

Chandi Bot 2

Trying the functions of the bot shows the commands it supports.

Now we can get the flag by running /flag.

Flag: RS{HMMM_WHAT_ARE_YOU_LOOKING_AT}

Chandi Bot 4

The bot has a rock paper scissors (rps) game.

There's also a "buy flag" option, but it requires 10000 points.

The way to get points is by getting a dad joke from /dad and by playing rps, staking the points you have.

But the dad joke only gives one point.

I currently have 160 points, but normally you would start with just 1 point.

From here we can play the rps game.

But the chances of winning are very low.

After playing and losing, the bot reports the loss.

Checking the balance shows it is reduced by the amount staked.

So the idea is that it does something like:

if botwins:
  balance = balance - stake

It subtracts the staked amount from the current balance.

But what if we stake a negative number? You know what happens 🙂

if botwins:
  balance = balance - (-stake)

Subtracting a negative number turns into an addition, so the balance increases.

Trying my assumption works.

Now we can buy the flag.
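The bug above and the fix a bot author would need, as an added example that is not the bot's own code (the bot's real implementation is not on the page; the balance logic is the one inferred in the write-up, and the 10000-point flag cost is the value from the challenge):

```python
BUY_FLAG_COST = 10000  # points needed for the "buy flag" option in the challenge


class InvalidStake(ValueError):
    """Raised by the hardened version when a stake is not a usable bet."""


def rps_round_vulnerable(balance: int, stake: int, bot_wins: bool) -> int:
    # Mirrors the logic inferred from the bot: no check on the sign or size
    # of the stake. A loss with stake = -10000 *adds* 10000 to the balance.
    if bot_wins:
        return balance - stake
    return balance + stake


def rps_round_fixed(balance: int, stake: int, bot_wins: bool) -> int:
    # Hardened version: the stake must be a positive integer the player can
    # actually cover, so a loss can never increase the balance.
    if not isinstance(stake, int) or isinstance(stake, bool):
        raise InvalidStake("stake must be an integer")
    if stake <= 0:
        raise InvalidStake("stake must be positive")
    if stake > balance:
        raise InvalidStake("stake exceeds current balance")
    if bot_wins:
        return balance - stake
    return balance + stake


def can_buy_flag(balance: int) -> bool:
    return balance >= BUY_FLAG_COST
```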

Flag: RS{TWO_NEGATIVES_DO_MAKE_A_POSITIVE}

Chandi Bot 5

This part asks a series of questions; if you answer 10 of them correctly, the bot gives you the flag.

After playing with it, I gathered that some of the questions asked are:

What was the original name of the RITSEC CTF? = RC3
What is RITSEC's main website? = ritsec.club
What is the name of the RITSEC Current Discord Bot?  = 0Bii
What does ISTS stand for? = Information Security Talent Search
Who is the current President of RITSEC? = Bradely
When was RC3 founded? = 2013
When was RITSEC founded? = 2018
What year was the first version of ChandiBot featured in the RITSEC CTF?  = 2022
What does RC3 stand for? = RIT Competitive Cybersecurity Club
When was Sparsa founded? = 2002
When was the first RITSEC CTF? = 2018
Who was the first President of RITSEC? = Micah Martin
What is the name of RITSEC's CTF Team? = Contagion

Trying it on the bot works.

Flag: RS{TRIVIAL_TRIVIA_TRIUMPHS}

WEB

Echos

On heading to the web server, it shows this page.

Putting in any input shows that it echoes the input back.

What I then gathered from the challenge name is that it runs something like the echo command on our input.

So I tried command injection using whoami, and it worked.

Next I checked whether the flag is in the current directory.

From here we can get the flag.
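The bug class behind this challenge, as an added example that is not the challenge's own server code (the language the real server is written in is not on the page; this assumes a Python backend and a POSIX shell):

```python
import subprocess


def echo_vulnerable(user_input: str) -> str:
    # Builds a shell command line by string concatenation. Shell metacharacters
    # in the input (';', '|', '$(...)') end the echo and start a second command,
    # which is exactly what the write-up exploits.
    completed = subprocess.run("echo " + user_input, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def echo_fixed(user_input: str) -> str:
    # Argument vector and no shell: the whole string is one argv entry for echo
    # and is printed literally, metacharacters included. (A real fix would not
    # spawn a process at all to echo text back; this keeps the pairing minimal.)
    completed = subprocess.run(["echo", user_input],
                               capture_output=True, text=True)
    return completed.stdout
```

The test input below uses a harmless second command so the difference is visible without running anything sensitive.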

Flag: RS{R3S0UND1NG_SUCS3SS!}

Rick Roll

Checking the web server shows this page.

Nothing there is really useful; most links are just going to get you rick rolled.

But the source code of these links:

https://rickroll-web.challenges.ctf.ritsec.club/1.html
https://rickroll-web.challenges.ctf.ritsec.club/2.css
https://rickroll-web.challenges.ctf.ritsec.club/Don't.html

Gives the flag:

[RS{/\/eveRG0nna_]
[_|3tY0|_|d0vvn]
[_TuRna30unD_]
[_D3s3RTy0u}]
[G1v3y0uuP]

Then, after I arranged the pieces, I got the flag as:

Flag: RS{/\/eveRG0nna_G1v3y0uuP_|3tY0|_|d0vvn_TuRna30unD_D3s3RTy0u}

X-Men Lore

Checking the web server shows this page.

Clicking on any of the names listed and intercepting the request in Burp Suite shows the request.

A base64 encoded value is stored in the cookie.

Decoding it gives this:

➜  ~ python3
Python 3.11.1 (main, Dec 31 2022, 10:23:59) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> a='PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz48aW5wdXQ+PHhtZW4+QmVhc3Q8L3htZW4+PC9pbnB1dD4='
>>> import base64
>>> print(base64.b64decode(a))
b"<?xml version='1.0' encoding='UTF-8'?><input><xmen>Beast</xmen></input>"
>>> 

So the page encodes our choice in an XML document, base64-encodes it and sends it to the server, which decodes the blob and parses the XML.

This is xxe 🙂
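How the server side of this could have been written to refuse XXE, as an added example that is not the challenge's code: it decodes the exact cookie captured above, rejects any DOCTYPE or entity declaration before parsing (the expected document never needs one), and only then reads the xmen value. The malformed sample cookie is constructed here for the test.

```python
import base64
import xml.etree.ElementTree as ET

# Cookie value captured in the write-up above (base64 of the XML the page sends).
PAGE_COOKIE = "PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz48aW5wdXQ+PHhtZW4+QmVhc3Q8L3htZW4+PC9pbnB1dD4="

# Constructed sample: same structure but carrying a DOCTYPE with an entity
# declaration, the shape an XXE attempt takes. Built here for the test only.
MALFORMED_COOKIE = base64.b64encode(
    b"<?xml version='1.0'?><!DOCTYPE input [<!ENTITY e \"x\">]>"
    b"<input><xmen>&e;</xmen></input>"
).decode()


class UnsafeXmlInput(ValueError):
    """Raised when the decoded cookie contains markup the server should reject."""


def parse_xmen_cookie(cookie_b64: str) -> str:
    raw = base64.b64decode(cookie_b64, validate=True)
    lowered = raw.lower()
    # Defence in depth regardless of which parser is used underneath: a DOCTYPE
    # or ENTITY declaration is what makes entity expansion possible, and the
    # legitimate document never contains one.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise UnsafeXmlInput("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(raw)
    if root.tag != "input":
        raise UnsafeXmlInput(f"unexpected root element {root.tag!r}")
    node = root.find("xmen")
    if node is None or not (node.text or "").strip():
        raise UnsafeXmlInput("missing <xmen> value")
    return node.text.strip()
```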

I then created a script to help me enumerate files on the server via XXE: Req

Running it and fetching /etc/passwd works.

Now this part took me quite a while, because I was looking for the wrong file 😅

Well, after my stress I found the file to be at /flag.

Reading it works.

Flag: RS{XM3N_L0R3?_M0R3_L1K3_XM3N_3XT3RN4L_3NT1TY!}

Reverse Engineering

Cats At Play

This one is very easy, let's get to it.

After downloading the binary, I ran strings on it and got the flag:

➜  ~ strings meow.exe | grep RS{
RS{C4tsL1keStr1ng5}
➜  ~

Flag: RS{C4tsL1keStr1ng5}

BIN-PWN

ret2win

After downloading the binary, I'll check its file type and the protections enabled on it.

From here we can see that we're working with an x64 binary and no protections are enabled on it, which is a good thing 🙂

Next I'll run the binary to get an overview of what it does.

It just prints out some text, receives our input and prints out another message.

Using Ghidra I'll decompile the binary and view the main function.

The main function just calls the user_input() function.

Here's the decompiled user_input() function:

void user_input(void)

{
  char local_28 [32];
  
  gets(local_28);
  printf("[*] Good start %s, now do some damage :) \n",local_28);
  return;
}

This is what's happening:

1. It gets our input <--- bug here
2. Then prints out the value of our input

The vulnerability here is the usage of gets().

The buffer can hold 32 bytes, but since gets() performs no bounds check, we can overflow it.

There's a special function called supersecrettoplevelfunction:

void supersecrettoplevelfunction(int param_1,int param_2)

{
  puts("[*]  if you figure out my address, you are hired.");
  if ((param_1 == L'\xcafebabe') && (param_2 == L'\xc0debabe')) {
    system("/bin/sh");
  }
  else {
    puts("[!!] You are good but not good enough for my company");
  }
  return;
}

We can see it requires two parameters whose values are compared with 0xcafebabe and 0xc0debabe; once the check is met we get a shell, otherwise it prints "You are good but not good enough for my company".

As this function isn't called from main() or user_input(), the aim is to hijack the program's execution via the buffer overflow and make the instruction pointer point to supersecrettoplevelfunction.

First let's get the offset needed to take control of RIP.

The offset is 40. Since this is an x64 binary and we want to pass in arguments, the calling convention matters, as arguments are passed in registers:

x64 linux arguments to a function are passed in via registers.
rdi:    First Argument
rsi:    Second Argument
rdx:    Third Argument
rcx:    Fourth Argument
r8:     Fifth Argument
r9:     Sixth Argument

So we need a pop rdi; ret gadget and a pop rsi; ret gadget.

Using ropper we can find them.

If you notice, we don't have a plain pop rsi gadget but rather pop rsi; pop r15. That's not a problem, because we can pop a zero value into r15.

Here's the exploit script: Exploit

Running it works.

Same works remotely.

Flag: RS{WHAT'S_A_CTF_WITH0UT_RET2WIN}

assembly-hopping

After downloading the binary, I checked its file type and the protections enabled on it.

We see that no protection is enabled on this binary.

Now I'll run it to get an idea of what it does.

It just takes in our input and prints out [!] Saved to our feedback database....

Using Ghidra I'll decompile it and view its main function.

It just calls the feedback_machine() function.

Same as the previous binary, it uses gets(), which causes a buffer overflow, but this time there's no function to jump to 🤔

There's a function called assembly in the binary.

And what it seems to do is a jmp rsp instruction.

We can verify it by looking for a jmp rsp gadget.

This is good, because we know that no protections are enabled, so if we hijack the program's execution we can inject shellcode onto the stack and execute it.

First let's get our offset.

The offset is 216.

Here's my exploit script: Exploit

Running it works.

Same works remotely.

Flag: RS{AS5EMB1Y_M1GH7_BE_H4RD_BUT_1T_C0MES_IN_CLU7CH}

Cryptography

Either or Neither nor

Link given: Link

After downloading the file and checking its content, I get this.

I made a script to reverse the process and got the flag: Solve

Running it gives the flag.

Flag: MetaCTF{x0r_th3_c0re}

A Fine Cipher

After searching for the encoded value on dcode.fr, I found that the affine cipher decrypts it.
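What dcode.fr did for the encoded value, worked by hand, as an added example that is not part of the write-up: the affine cipher maps each letter x to (a*x + b) mod 26, is only invertible when gcd(a, 26) = 1, and has so few valid keys (12 values of a times 26 of b) that a crib such as "CRYPTO" picks the right one out of an exhaustive search. The ciphertext on the page is only an image, so the sample here is constructed by encrypting the flag body with a key chosen for the example (a = 5, b = 8).

```python
from math import gcd
from string import ascii_uppercase as ALPHABET
from typing import List, Tuple

M = len(ALPHABET)  # 26


def affine_encrypt(plain: str, a: int, b: int) -> str:
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime with 26, otherwise the cipher is not invertible")
    return "".join(ALPHABET[(a * ALPHABET.index(c) + b) % M] for c in plain)


def affine_decrypt(cipher: str, a: int, b: int) -> str:
    a_inv = pow(a, -1, M)  # modular inverse of a, exists because gcd(a, 26) == 1
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(c) - b)) % M] for c in cipher)


def crack(cipher: str, crib: str) -> List[Tuple[int, int, str]]:
    # Exhaustive search over the 12 * 26 valid keys; keep every decryption
    # that contains the crib, with the key that produced it.
    hits = []
    for a in range(1, M):
        if gcd(a, M) != 1:
            continue
        for b in range(M):
            pt = affine_decrypt(cipher, a, b)
            if crib in pt:
                hits.append((a, b, pt))
    return hits


# Constructed sample: the flag body from the page, encrypted with a key chosen here.
PLAIN = "IFYOUAREINTERESTEDCHECKOUTMORECRYTPOCTFSATCRYPTOHACK"
CIPHER = affine_encrypt(PLAIN, 5, 8)
```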

Flag: RS{IFYOUAREINTERESTEDCHECKOUTMORECRYTPOCTFSATCRYPTOHACK}

That's all I was able to solve during the CTF.

We’re done 👻