Guild icon
Project Sekai
🔒 CrewCTF 2023 / ✅-rev-ez-rev
Avatar
Sutx BOT 07/07/2023 10:02 PM
ez rev - 1000 points
Category: Rev Description: Typical warmup rev... Or is it? Author : mochi Files:Tags: No tags.
07/07/2023 10:02 PM
Sutx pinned a message to this channel. 07/07/2023 10:02 PM
Avatar
Sutx BOT 07/07/2023 10:02 PM
@snwo wants to collaborate 🤝
Avatar
snwo 07/07/2023 11:01 PM
wtf
23:01
puts & 0xfff + ptrace&0xfff + exit&0xfff == 0x1720
Avatar
snwo 07/07/2023 11:32 PM
only work on latest ubuntu 20.04 docker
Avatar
Sutx BOT 07/08/2023 12:17 AM
@Zafirr wants to collaborate 🤝
00:19
@Surg wants to collaborate 🤝
00:22
@TheBadGod wants to collaborate 🤝
Avatar
Zafirr 07/08/2023 12:26 AM
ghidra cant decompile _init_1
Avatar
TheBadGod 07/08/2023 12:27 AM
ropchain.txt
112.61 KB
Avatar
Zafirr 07/08/2023 12:27 AM
thank
Avatar
TheBadGod 07/08/2023 12:27 AM
of course it only works on certain ubuntu if the libc offsets are hardcoded
00:28
else it will just print "Why you still here" and exit
Avatar
Zafirr 07/08/2023 12:28 AM
@snwo if you have the docker could you share the libc here
Avatar
snwo 07/08/2023 12:29 AM
I just pulled new docker image. docker pull ubuntu:20.04 (edited)
00:29
libc6_2.31-0ubuntu9.8_amd64 libc6_2.31-0ubuntu9.9_amd64
Avatar
Zafirr 07/08/2023 12:29 AM
nice thanks
Avatar
snwo 07/08/2023 12:29 AM
libc6_2.31-0ubuntu9.9_amd64 maybe
Avatar
TheBadGod 07/08/2023 12:30 AM
should be this libc
libc-2.31.so
1.94 MB
👍 1
Avatar
TheBadGod 07/08/2023 1:18 AM
the check value is b"\n\x07\xeed\x05\x8e\xf6\x94=\x85\x17\x84\x11i\x1c\x89\x02u\x1f\x8c\x01\x83\x0b\x85\x16\x9a\x0e\x8c\x00\x84\x03\x85\x17\xb3\x0f\x9f<\xe4\x17\xb7`\x957\xf9\xd5\xafF\xa2C\xb1Z\xa0|b\xf9k\x06\xad\x1d\xc9>\xf3\xe4\x932\xc3\x1e\xa1\n\xc3\x1c\xd30\xd3<\xd0>\xce\x8b\xdf2\xc2\t\xcf\x81\xcd\x89\xc9\xf32\x95\xc4\x80\xba\x99\xe9\x10\xe0\t\xdd09t>e_: \x10\xc4,\x08\x12\xc8$\xdcXskTTso,\xf03\xd3t\xbc3\xb7<\xa8\xd3\xfb4\xa4\xd3\xff,\xa0\xd3\xe3T\xccS\xc7\\\xf83KT\xf43Ol\xd0s\xb34\x9c\xf3\x97\xfc\x88\xd3\x9b\xf4\x84\xd3\x9f\xec\x80\xd3\x83\xd4\xecS\xe7\\\x98\xf3\xab\xd4\x94\xf3\xaf,\xb03\x93\xf4\xfc3w<hS;4dS?,`S#\xd4\x0c\xd3\x07\xdc83\x0b\xd443\x0f\xec\x10\xf3\xf34\\s\xd7|\xc8S\xdbt\xc4S\xdfl\xc0S\xc3T,\xd3'\xdc\xd8s\xebT\xd4s\xef,p3St"
Avatar
TheBadGod 07/08/2023 2:00 AM
cleaned up rop gadgets
rops2.txt
36.27 KB
02:01
sub rsp, rdi are jumps, the first ones are loops, the rest probably just jump to the gadget which says wrong
02:01
the init looks like rc4
02:01
with our flag as password
02:02
but the values i got are not the values 0-255, so it somehow modifies them
Avatar
Zafirr 07/08/2023 2:02 AM
holy fuck this is a lot more complicated then i thought it would be
Avatar
Avatar
Zafirr
holy fuck this is a lot more complicated then i thought it would be
TheBadGod 07/08/2023 2:03 AM
i mean everything from line 128 is basically just comparing values, so can be ignored
Avatar
Zafirr 07/08/2023 2:03 AM
yeah but the rop coding is really cool and complex
Avatar
Sutx BOT 07/08/2023 2:31 AM
@Violin wants to collaborate 🤝
02:34
@Legoclones wants to collaborate 🤝
Avatar
Legoclones 07/08/2023 2:36 AM
oh if we got tbg on this then we good lol
Avatar
Sutx BOT 07/08/2023 2:57 AM
@irogir wants to collaborate 🤝
03:03
@Iyed wants to collaborate 🤝
Avatar
Iyed 07/08/2023 4:24 AM
should be gathering the flag character by character
04:25
I hope it's not false positive
Avatar
Iyed 07/08/2023 4:37 AM
crewctf{well_i_did
🔥 3
04:37
still extracting
Avatar
Zafirr 07/08/2023 4:51 AM
the other flags i saw started with crew{, but i think thats looks ok too
Avatar
Sutx BOT 07/08/2023 4:53 AM
@nyancat0131 wants to collaborate 🤝
Avatar
Iyed 07/08/2023 4:53 AM
they said flag format is crewctf{ for this challenge in the description
Avatar
Zafirr 07/08/2023 4:53 AM
oh i see
Avatar
Avatar
Iyed
crewctf{well_i_did
nyancat0131 07/08/2023 4:54 AM
debugger king
😂 1
Avatar
Iyed 07/08/2023 4:54 AM
actually through dynamic instrumentation
Avatar
Avatar
Iyed
used /ctf solve
Sutx BOT 07/08/2023 5:34 AM
✅ Challenge solved.
Avatar
Iyed 07/08/2023 5:34 AM
crewctf{well_i_didnt_know_rop_can_be_so_obnoxious_especially_for_rever_but_if_you_can_find_this_you_are_a_god_rever}
🔥 1
05:34
#!/usr/bin/python3 from pwn import * import string from string import ascii_lowercase context.log_level = "critical" flag = "crewctf{well_i_didnt_know_rop_can_be_so_obnoxious_especially_for_rever_but_if_you_can_find_this_you_are_a_go" #chars = string.printable[:-6] chars = ascii_lowercase + "}_" c = "0" while (c != '}'): m = 0 for i in chars: print(f"[+] Trying: {repr(flag + i)}") r = process("/home/iy3dmejri/MyOptNow/pin-3.26-98690-g1fc9d60e6-gcc-linux/pin -t /home/iy3dmejri/MyOptNow/pin-3.26-98690-g1fc9d60e6-gcc-linux/source/tools/ManualExamples/obj-intel64/inscount0.so -- ./a.out".split(" ")) print(r.recv()) r.sendline((flag + i).encode()) r.wait() r.close() with open("./inscount.out") as f: count = int(f.read().split(" ")[1].strip()) if (count > m): m = count c = i f.close() print(f"[+] FOUND: {c}") flag += c print(flag) (edited)
Avatar
Legoclones 07/08/2023 5:35 AM
instruction counting?
Avatar
Iyed 07/08/2023 5:35 AM
yes
Avatar
Legoclones 07/08/2023 5:35 AM
niceeeee 😂
Avatar
snwo 07/08/2023 5:35 AM
lol nice technique
Avatar
Iyed 07/08/2023 5:36 AM
Image attachment
05:36
probably here if character was wrong it will execute other instructions in the rop before going to next char verification
Avatar
Zafirr 07/08/2023 5:53 AM
strong
05:53
makes sense though
Exported 55 message(s)