Thursday, October 22, 2015

PicoCTF 2014 ExecuteMe & PicoCTF 2014 OBO

I'm working on these in my spare time.  I still haven't solved these.  I think that I know what I'm supposed to do, but I either have the wrong shell code, or I'm getting the syntax wrong.  For Execute Me, I think that I'm supposed to send the C program Shell Code.  That's what the hint says.  So, I tried this:  The <shell code here> part actually has shell code in it when I type the command.

./executeme $(python -c 'print "<shell code here>"')

No shell code.

$(python -c 'print "<shell code here>"') | ./executeme

That gets me a shell, but I can't interact with it without getting a segmentation fault.  So then I tried this:

$(python -c 'print "<shell code here>"') & cat flag.txt | ./executeme

I'm getting a command not found error.

So I go on to start reading OBO.  I can go back to Execute Me anytime.  Here is the interesting part of the program for OBO:

int hex_table[256];

void generate_hex_table(void) {
  int i;
  for (i = 0; i <= 256; ++i) {
    hex_table[i] = -1;
  }

  for (i = 0; i <= 10; ++i) {
    hex_table['0' + i] = i;
  }

  for (i = 0; i <= 6; ++i) {
    hex_table['a' + i] = 10 + i;
  }

  for (i = 0; i <= 6; ++i) {
    hex_table['A' + i] = 10 + i;
  }

  // I don't know why, but I was getting errors, and this fixes it.
  hex_table[0] = 0;
}

int read_password(FILE *file, char *password, size_t n) {
  fgets(password, n, file);

  password[strcspn(password, "\n")] = '\0';

I think that OBO stands for Off By One.  As in Off By One error in C programming.  I was looking at the first for loop and noticed that he started variable "i" as 0.  Then he iterates it to 256.  If "i" started at one, that would be fine, but it doesn't.  So, he iterated through the first for loop one too many times.  Then I noticed the null byte (\0) which was tacked on the phrase "password[strcspn(password, "\n")] = '\0';"  If I'm not mistaken, it overwrites the lowest memory byte.  So I was wondering what was useful about that.  I looked at Google, and found an article about a poison null byte.  I also found a SANS white paper describing how to exploit an off by one error.  I haven't tried yet, but from what I understand, one way to exploit it is, you control the address, so you can have the pointer point at a buffer, put shell code into the buffer, and you get shell.  

It's kind of scary how much difference one byte can make.

https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
http://insecure.org/news/P55-07.txt

Friday, October 16, 2015

PicoCTF 2014 PNG Or Not?

I was given a png image and told that there was some data hidden within.  If you do a Google searches on PNG files, you will note that you can hide files in it.  I opened up the image with a hex editor.  Near the bottom of the file, I found 7z, then the words flag.txt.  I know, from reading articles, that I can carve files using headers and footers.  I knew that the header for a 7z file is 37 7A BC AF 27.  I just selected the bytes from that header to the end of the file, copied it onto another sheet in the hex editing program and saved it as a 7z file.  I opened up the flag.txt file using the archive manager, and I got the flag.  EKSi7MktjOpvwesurw0v

Update:  Easier Way:  Command line:

7z x 2pngornot2png.png

Then

cat flag.txt

PicoCTF 2014 Droid App

I was given a droid app that I needed to decompile to find debug information.  Droid apps are really easy to decompile.  The hint said that that could even be decompiled online.  I used Kali linux and a tool called dex2jar.  Dex2jar does just what it says it does.  It changes dex files into jar files.  One I had a jar file, I just used java, which was already installed on Kali to decompile a java class file.

j2dex-jar2dex classes.dex -o classes.jar

I opened the jar file using the Archive Manager.  I could see the contents of the jar file.  I navigated the directory structure mine was picoapp453-picoctf-com-picoapp, then I selected ToasterActivity.class because it looked interesting to me.  Then I used the command line to decompile the class file for me so that I could read it.

javap -c ToasterActivity.class


public void displayMessage(android.view.View);
    Code:
       0: aload_0       
       1: invokevirtual #40;                // Method getApplicationContext:()Landroid/content/Context;
       4: ldc           #42;                // String Toasters don't toast toast, toast toast toast!
       6: iconst_1      
       7: invokestatic  #48;                // Method android/widget/Toast.makeText:(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
      10: invokevirtual #51;                // Method android/widget/Toast.show:()V
      13: ldc           #53;                // String Debug tag
      15: aload_0       
      16: getfield      #34;                // Field mystery:Ljava/lang/String;
      19: invokestatic  #59;                // Method android/util/Log.d:(Ljava/lang/String;Ljava/lang/String;)I
      22: pop           

      23: return 

Note the Debug tag comment on Code 13.  Also note the string on Code 4.  They were looking for the string, "Toasters don't toast toast, toast toast toast!"

So I found debug info.  The flag was in this class as well.  The flag was in this part.

public picoapp453.picoctf.com.picoapp.ToasterActivity();
    Code:
       0: aload_0    
       1: invokespecial #10;                // Method android/support/v7/app/ActionBarActivity."<init>":()V
       4: aload_0    
       5: new           #12;                // class java/lang/String
       8: dup        
       9: bipush        33
      11: newarray       char
      13: dup        
      14: iconst_0    
      15: ldc           #13;                // int 102
      17: castore    
      18: dup        
      19: iconst_1    
      20: ldc           #14;                // int 108
      22: castore    
      23: dup        
      24: iconst_2    
      25: ldc           #15;                // int 97
      27: castore    
      28: dup        
      29: iconst_3    
      30: ldc           #16;                // int 103
      32: castore    
      33: dup        
      34: iconst_4    
      35: ldc           #17;                // int 32
      37: castore    
      38: dup        
      39: iconst_5    
      40: ldc           #18;                // int 105
      42: castore    
      43: dup        
      44: bipush        6
      46: ldc           #19;                // int 115
      48: castore    
      49: dup        
      50: bipush        7
      52: ldc           #20;                // int 58
      54: castore    
      55: dup        
      56: bipush        8
      58: ldc           #17;                // int 32
      60: castore    
      61: dup        
      62: bipush        9
      64: ldc           #21;                // int 119
      66: castore    
      67: dup        
      68: bipush        10
      70: ldc           #22;                // int 104
      72: castore    
      73: dup        
      74: bipush        11
      76: ldc           #15;                // int 97
      78: castore    
      79: dup        
      80: bipush        12
      82: ldc           #23;                // int 116
      84: castore    
      85: dup        
      86: bipush        13
      88: ldc           #24;                // int 95
      90: castore    
      91: dup        
      92: bipush        14
      94: ldc           #25;                // int 100
      96: castore    
      97: dup        
      98: bipush        15
     100: ldc           #26;                // int 111
     102: castore    
     103: dup        
     104: bipush        16
     106: ldc           #27;                // int 101
     108: castore    
     109: dup        
     110: bipush        17
     112: ldc           #19;                // int 115
     114: castore    
     115: dup        
     116: bipush        18
     118: ldc           #24;                // int 95
     120: castore    
     121: dup        
     122: bipush        19
     124: ldc           #23;                // int 116
     126: castore    
     127: dup        
     128: bipush        20
     130: ldc           #22;                // int 104
     132: castore    
     133: dup        
     134: bipush        21
     136: ldc           #27;                // int 101
     138: castore    
     139: dup        
     140: bipush        22
     142: ldc           #24;                // int 95
     144: castore    
     145: dup        
     146: bipush        23
     148: ldc           #14;                // int 108
     150: castore    
     151: dup        
     152: bipush        24
     154: ldc           #26;                // int 111
     156: castore    
     157: dup        
     158: bipush        25
     160: ldc           #16;                // int 103
     162: castore    
     163: dup        
     164: bipush        26
     166: ldc           #28;                // int 99
     168: castore    
     169: dup        
     170: bipush        27
     172: ldc           #15;                // int 97
     174: castore    
     175: dup        
     176: bipush        28
     178: ldc           #23;                // int 116
     180: castore    
     181: dup        
     182: bipush        29
     184: ldc           #24;                // int 95
     186: castore    
     187: dup        
     188: bipush        30
     190: ldc           #19;                // int 115
     192: castore    
     193: dup        
     194: bipush        31
     196: ldc           #15;                // int 97
     198: castore    
     199: dup        
     200: bipush        32
     202: ldc           #29;                // int 121
     204: castore    
     205: invokespecial #32;                // Method java/lang/String."<init>":([C)V
     208: putfield      #34;                // Field mystery:Ljava/lang/String;
     211: return      

I had to change each of those decimals in the comments (the ones after the //) into ascii characters.  The flag was:  what_does_log_cat_say 

PicoCTF 2014 Cyborg Secrets

This one was extremely easy.  I had to find a password for a password-protected binary relating to a cyborg’s defense mechanisms in the game.  I had to find the shut down code for the cyborg.  I just open the executable in a hex editor, and search for a password.  There was a debug password, and a to do note stating that they need to remove the debug password.  LOL  The debug password was: 2manyHacks_Debug_Admin_Test.  And the shut down code was: 403-shutdown-for-what.

PicoCTF 2014 Overflow 2

I actually had this one, and a few other solved a while ago.  My VM that they were stored got corrupted, so I lost all those files.  Good thing that it was a VM and not my host machine that got corrupted.  This is how I solved Overflow2.

This is a C program that is vulnerable to a buffer overflow vulnerability because of the strcpy function.  In order to exploit this vulnerability, I have to change control of the execution of the program to myself by overwriting the return address so that it sends the function pointer to the address of the give_shell function instead of the next address on the stack.  In the command prompt, I found the address by typing objdump -d overflow2 | grep “shell”.  The -d option of objdump disassembles the program and gives me a list of functions.  I only want one function, though, the give_shell function, so I pipe objdump in to another command called grep which searches for the “shell” string, and only displays the functions with the word “shell” in them.  The address of the give_shell function is: 080484ad.  The buffer is 16 characters long.  The instruction point is 4 bytes long.  The base pointer is 4 bytes long.  The return address is 4 bytes long.  So, to figure out how many bytes I need to overwrite, I add the amount of bytes for the instruction pointer, the amount of bytes for the base pointer, the amount of bytes for the buffer, and the amount of bytes for the return address that I want to overwrite.  So, it’s 16 + 4 + 4 + 4 = 28.  Then I add the address that I want the return address pointer to point to.  I’m using python, because I want to be able to tell it to print hex characters for me for the address.  So the command is now, ./overflow2 $(python ‘print “A”*32 + “\xad\x04\x84\08”’)  I have to type the address backwards because the server understand things in Little Endian format.  Once I type this into the command prompt, I get a shell prompt.  Then I type, cat flag.txt, and get the flag, controlling_%eip_feels_great.

Saturday, October 10, 2015

EasyCTF

Looking at this one for my 11 year old.  It's a high school competition.  The home page states that it is October 31st - November 7th, 2015.  It's strange because the e-mail that I got about it states that it's October 3rd - 10th.  Maybe people who are interested should e-mail the creators to find out?  The website is https://www.easyctf.com.  The website has nice external resources under the "Learn" part of the menu.

I'm trying to teach my son to be ethical about hacking, meaning that he should obey the laws and have permission before doing any kind of pen-testing.  I think that these ctfs are a good way to have fun, and learn, while being honest and ethical at the same time.

I looked at the sample problems under the "About" part of the menu and solved them for fun.  I showed my son the solutions.  (If he tries this ctf, I will not help him beyond giving him search parameters for Google.)

The first sample was an easy substitution cipher.  I've seen plenty of these, so I recognized it immediately.  I think that pretty much anyone over the age of 5 can see these for what they are.

thisis a simple substitution cipher. flag is now_go_sign_up_and_do_the_real_challenges.

The second sample problem was a reversing problem.

x = raw_input("enter the password: ");
y = "";
for c in x:
    y += chr(ord(c) ^ 14);
    if y == "ko}wmzhugQocQoQhbois":
        print "congratz the flag is " + y;
    else:
        print "nope";

They were asking for the flag.  If I read the program properly, the flag is the contents of the variable x.  In the program it says, print "congratz the flag is" and the variable y.  The contents of variable y was ko}wmzhugQocQoQhbois.  You get that by Bitwise XORing each character of x with the decimal number 14.  I was curious about what password one would have to enter to get that flag placed into variable y, so I wrote a small python program to see.


Then I ran the program in a command prompt:  python reverse.py

I thought that the sample problems actually advertising the challenge were kind of cute.  If you are new to cyber security and want to learn about it, I suggest you give this challenge a try.  Only middle school and high school students will be eligible for any rewards, though.

Wednesday, October 7, 2015

SANS CyberTalent Immersion Academy for Women

Hi.  I've been busy doing the SANS Cyber Defense Challenge.  I ended up in 6th place overall.  Not bad for a stay-at-home mom.  I just recently got hired for a temporary position with a possibility of getting hired on full-time if I do a decent job.  But enough about my life. 

I know about an exciting opportunity for women in IT.  SANS is offering free SANS training to qualifying participants.  It's called the SANS CyberTalent Immersion Academy for Women.  If you are a college junior, senior, or are a recently graduated woman, I encourage you to apply.  It's completely free for anyone that is accepted so long as they agree to work for two years for a company sponsoring them.  Accepted applicants also get the certification attempts that go along with the training.  For more information about this program, visit:  https://www.sans.org/cybertalent/immersion-academy/programs#womens-academy