Maple CTF, which is first CTF event hold by Maple Bacon Team. Because it is the first CTF MapleBacon organzie a CTF event. This event is only open for current university students.
Since most of senior team member and main team member didn't participate CTF (because they are in charge of design problems), I was able to get a very good position when ctf ends.
Since I only knows about pwn, for other category question, I basically OSINT, just search google for similar question and look its writeup.
But I actually learned a lot during the event. AND
I get 2nd in individual and 3rd in team. Yeah!!!!!!!!!!!!!!!!!!
0x1 problems I solved
some challenge are pretty simple and straight forward, so I will only do simple write up.
But some question is very interesting, i highly recommend to take look at these challenge: pyjail, uwu-intewpwetew, birbs, pwintf, and most of the crypto question
check the binary with a decompiler, you will found that it takes the user input and XOR with a 4 byte array. It takes the xor result and compare with a bigger array. If all the bytes are same, it is the flag we want to know.
So, since X ^ b ^ b == X, we just xor to get the flag.
here is the solution
1 2 3 4 5 6 7 8 9 10 11
import string flag = "" mystery_bytes = [0x4a,0x83,0x04,0xd5] mystery_str = "27e274b92ff870bd79dc4f9013dc4d8615cb30870ec0349179e75be424dc509d0fdc46e424b776ac37" mystery_bytes_2 = [int(mystery_str[i:i+2],16) for i in range(0,len(mystery_str),2)]
index = 0 for index,s in enumerate(mystery_bytes_2): print(chr(s^mystery_bytes[index & 3]),end="")
print()
flag: maple{th3_KEY_IS_H4RDC0D3d_1n_THE_B1n4ry}
0x3 web
most of web I solved is related to XSS. This is the actually the first time I got an opportunity solve challenges related to XSS.
Doot Doot
server.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14
@app.route('/oot') def owo(): f = request.args.get('oot') f = f + '.txt' directories.append(f) filename = '/'.join(directories) try: with open(filename, 'r') as filename: file_content = filename.read(-1) except: file_content = "INVALID FACT" finally: directories.pop() return render_template("portfolio.html", oot=file_content)
so, just go to /oot?oot=../flag to get the flag
flag: maple{Pingu_s4yz_N00t_No0T}
Color Me
pretty straight forward question, it allow you to load arbitray html code into the page. And admin will visit the page.
this question is also simple, given a image with height 1267, but the actually height is 1400. So, edit PNG header, make the height back to 1400 to get the full flag.
flag: maple{very_l0NG_PnG}
What Is A Word
unzip the .docx file and get the flag in image2.png
flag: maple{a_w0rd_on3_z1p!}
Pyjail
Pyjail are actually a series similar challenge with different black list.
for illegal in blacklist: if illegal in userinput.lower(): print("Illegal Char: " + illegal) print("Goodbye :)") raise Exception() else: exec(userinput)
There is three intended solution for each of the qeustion, however there is also unintended solution
Pyjail 2&3: print([l.strip() for l in open("f"+"lag.tx"+"t")])
Unintended solution
enter breakpoint(), this will lead to you into a python console, then you can do what ever you want. For example, use import os;os.system("/bin/sh") to spawn a shell.
the problem give you an wireshark.pcap file. Load this file into wireshark. You will find 4 suspicious http request. 4 http request contains a list of three number.
according to goole, it is related to e = 3, but i don't how it works, so i just copy paste a script from internet and get the flag
1 2 3 4 5 6 7 8 9 10 11 12 13
import gmpy2 from Crypto.Util.number import bytes_to_long, getPrime, inverse,long_to_bytes
n = 85296113154028266649672161860329361439935266228905629388726013424103003229818805929348250297726228216361916145120272570744501496079735410949226284857146260962752588479499367910582240029329267295901611756016118582770290309132799890905930226231742595748717830957810354752447792103653956003395218828964428421661 e = 3 cipher_str = 121098269316542670291503874251201317814247329243208799383594138766421611605510707696480316724191110125699109139761891217594094151254743752917029528490060357300730222261644995695658612386816700954494942529833311406855562210279835749
gs = gmpy2.mpz(cipher_str) gm = gmpy2.mpz(n) ge = gmpy2.mpz(e)
# Thanks copilot! def encrypt(file, key): f = open(file, "r") f_out =open(file + ".enc", "w") for line in f: for c in line: f_out.write(chr(ord(c) ^ key)) f.close() f_out.close()
def decrypt(file): content = "" with open(file, "r") as f: content = f.read() print(len(content)) for key in range(256): for c in content: print(chr(ord(c) ^ key),end="") print()
# Check that decryption works properly assert(decrypt(encrypted_flag) == flag)
if __name__ == "__main__": while True: try: print("""Here are your options:\n1) Encrypt a message\n2) Decrypt a message\n3) Get the encrypted flag""") option = int(input(">>> ")) if option == 1: msg = int(input(">>> ")) print(encrypt(msg)) elif option == 2: msg = int(input(">>> ")) if msg == encrypted_flag: print("No cheating!") else: print(decrypt(msg)) elif option == 3: print(encrypted_flag) except ValueError: print("Something unexpected happened, please try again!")
flag: maple{d0nt_f0rg37_t0_h@sh!!}
Cut and paste
looking at server.py. I realize, i need to construct a payload with admin:true. But server ban admin, :, and ,.
But since the server encrypt data 1 block by 1 block. We can combine two different block together to get the correct payload
so first use user:AAAAAAAA,admin:false,passwd:true and get last block which represent :true
Then, use user:AAAAA,admin:false,passwd:true and get first block which represent user:AAAAA,admin
finally, combine those two block and send back to server, which should be the encryption of user:AAAAA,admin:true. This satisfy the rule and give us the flag.
One two three
idk how to explain. please check out this tutorial
def score(result): score = 0 for b in result: if ord("A") <=b <= ord("Z") or ord("a") <= b <= ord("z"): score += 6 continue if b == 32: score += 5 continue if 33 <=b <= 47: score += 1 continue if b<= 31: score -= 2 if b > 127: score -= 8 return score
with open("secret.enc", "r") as f: lines = [bytes.fromhex(line.strip()) for line in f.readlines()]
possible_key_bytes = [i for i in range(256)] max_score_key = [0 for i in range(128)]
for key_index in range(128): maxscore = -10000000 for key in possible_key_bytes: encoded_bytes = [b[key_index] for b in lines if key_index < len(b)] s = score([x ^ key for x in encoded_bytes]) if s > maxscore: maxscore = s max_score_key[key_index] = key
for line in lines: ba = bytearray(line) key_index = 0 for i in range(len(ba)): ba[i] = ba[i]^max_score_key[key_index] key_index +=1 print(ba)
Propagation
similar to cut and paste server.py, but instead of encrypt message block by block using same key. it xor with the previous block before encryption. This is a technique called Block chaining
the main idea here is since it allow us to enter IV, we can make our own string AA:AA,admin:true and xor it with it self, which result in \x00 * 16.
once we send our payload to server, server will return the encryption, which is block[2] = encrypt("AA:AA,admin:true"^"AA:AA,admin:true"^block[1])
so, if we send encrypt("AA:AA,admin:true"^"AA:AA,admin:true"^block[1]) to the server with IV of "AA:AA,admin:true"^block[1].
The server will decrypt our payload by decrypt(encrypt("AA:AA,admin:true"^"AA:AA,admin:true"^block[1])) ^ "AA:AA,admin:true"^block[1]
which is "AA:AA,admin:true"^"AA:AA,admin:true"^block[1] ^ "AA:AA,admin:true"^block[1] == "AA:AA,admin:true".
from pwn import * import os # context.log_level = 'debug' # uncomment to enable debugging # r = remote('localhost', 1337) r = remote('challenges.ctf.maplebacon.org', 32002)
def register_user(username, password): print(f"[Client] Registering user: {username} | passwd: {password}") r.sendline(b"1") r.recvuntil(b"Input your username:") r.sendline(username) r.recvuntil(b"Input your password:") r.sendline(password) debug_stuff = r.recvuntil(b"Here's").decode() for line in debug_stuff.split("\n")[:-1]: print(line)
r.recvuntil(b"when we add the login feature: ") token = r.recvline().decode() ctxt, iv = token.split(",") r.recvuntil(b">") return ctxt, iv
def admin_login(ctxt, iv): token = ctxt + "," + iv print("[Client] Attempting login") r.sendline(b"2") r.recvuntil(b"token: ") r.sendline(token.encode()) debug_stuff = r.recvuntil(b"Wel").decode() for line in debug_stuff.split("\n")[:-1]: print(line)
r.recvuntil(b">")
def xor(a,b): assert len(a) == len(b) return bytes([x ^ y for x,y in zip(a,b)])
def xor_hex(a,b): a,b = bytes.fromhex(a),bytes.fromhex(b) return bytes([x ^ y for x,y in zip(a,b)]).hex()
all the mitigation protection has open as expected
1 2 3 4 5
# Arch: amd64-64-little # RELRO: Full RELRO # Stack: Canary found # NX: NX enabled # PIE: PIE enabled
lets take look at some bugs, firstly, it check the upper bound, but not lower bound. We can see here the pointer is never gonna large than DATA_LEN if it is negative.
This allow us to read the value above the stack variable
1 2 3 4 5 6 7
case 'o': pointer--; if (pointer > DATA_LEN) { printf("Error: out of bounds\n"); print_remaining_and_exit(input, i); } break;
The second bug is it didn't check for out of bound when read and write value.
1 2 3 4 5 6 7
case '@': printf("\npointer: %d\ndata: %d\n", pointer, data[pointer]); break; case '>': printf("\nInput: "); scanf(" %d", &data[pointer]); break;
So, lets combine those two bug. first, lets move the variable pointer to pointer's address (where pointer is on the stack) .
Then, use write pointer's value to RIP offset,
finally. read RIP address and write RIP address to function win. After execution finish, the binary will jump to win and print out the flag
