JeffreyCodes Blog

Fun with RE

Tue, 26 Oct 2021 00:00:00 +0000

If you would like to attempt this challenge for yourself, it can be found on the HackUCF website. It was developed with (and mostly by) Oreomeister for the October 8th HackUCF meeting.

The challenge gives us a long string made up of alphanumerical characters and select symbols. Noticing the trailing equal signs, I identified this as base64 and copied its contents into a file. From here, we can use the base64 command to decode it.

# Create a new file to store the base64 string
nano file.b64
# Convert into a decoded file
cat file.b64 | base64 -d > file.bin

This will output a file, file.bin. Now, we have to figure out what file this is to decode it. We can use the Unix file command for this, which tells us this is an ELF binary. chmod accordinly.

# Get file type
file file.bin
# Let us run the ELF binary.
chmod +x file.bin

Executing this binary yields the folloing output (user input in <angle brackets>):

$ ./file.bin
Welcome to HackUCF's first RE challenge :)
        Please enter the password to receive the flag: <password>
Sorry, wrong password :(

Now, we know we need a password to continue. I first run strings on the binary to see if anything pops out:

$ strings file.bin
/lib64/ld-linux-x86-64.so.2
mgUa
libc.so.6
puts
__stack_chk_fail
stdin
printf
fgets
calloc
strlen
memcpy
__cxa_finalize
strcmp
__libc_start_main
free
GLIBC_2.14
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
pass{i_d0nt_KnOw}
Welcome to HackUCF's first RE challenge :)
        Please enter the password to receive the flag:
You're getting there!
Sorry, wrong password :(
Congrats! You guessed the password correctly, so here's the flag: %s
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
[...truncated...]

We can see the string pass{i_d0nt_KnOw}. Let’s try that string:

$ ./file.bin
Welcome to HackUCF's first RE challenge :)
        Please enter the password to receive the flag: <pass{i_d0nt_KnOw}>
You're getting there!

We can see we are on the right track, but we’re missing something.

EmojiBrowser Writeup

Sun, 19 Sep 2021 00:00:00 +0000

EmojiBrowser was a path traversal challenge themed after emoji, because everyone totally loved the emoji challenges from last year.

When on the home Web page, the player should notice that the image preview calls an external endpoint, GET /emoji/:emoji_codepoint. On trying an invalid URL on this endpoint, you will be shown a “default” emoji, index.svg in the given directory. This can be found in the file name when trying to download the emoji.

If a player tries to use a URL-encoded path traversal, they will notice that they get a normal 404 page; it renders a normal 404 page that is not related to the /emoji/* endpoint(s). However, if they double-URL-encode, they can begin to traverse paths, with an index.svg image to help them traverse the project directory. They can eventually find the flag file at the project’s root directory:

http://localhost:44077/emoji/..%252F..%252F..%252F

From here, the player needs to somehow bypass the .svg extension hard-code. This can be done by using null characters, as alluded in the JavaScript. The null sentinal will then end the string prematurely, allowing us to drop the .svg extension mandate.

http://localhost:44077/emoji/..%252F..%252F..%252Fflag.txt%00

DownUnder Writeup

Sun, 19 Sep 2021 00:00:00 +0000

This challenge is designed to be an introduction to GBA reverse engineering and an exploration of emulation tools. Text is printed off-screen, which the player must view by using tools built into emualtors like mGBA.

Solution

The GBA emulator recommended for this challenge is mGBA, but any GBA emulator with debugging tools should work as well.

Open the ROM in mGBA.
Go to Tools -> View Map
The flag will be printed on the bottom of the map.

Now, why does this work? For that, let’s look at how GBA graphics work.

There are a total of six modes: three tile modes and three bitmap modes. For us, the former is what we care about. The tile modes allow us to use sprites and place them anywhere on the screen, including off the screeen. But why would we ever put anything off screen? For scrolling. Think of how Super Mario Bros. scrolls to the right: that’s a hardware feature on the GBA!

So, I wrote the flag outside of the visible part of the screen. Many emulator debugging tools, such as mGBA’s allow users to view everything on the current map, including what’s off screen. This makes it possible to view the flag without having to manipulate the scrolling registers.

Alternatively, players may manipulate the register responsible for scrolling directly. This is handled by address 0x4000012 (scroll BG0 vertically), which emulators can also write to.

For more information on tile maps, you can read this article.

Embedded Hint

There is an embedded hint in case a user decides to run strings on the ROM. This will yield a partial flag with the hint “check the map” nearby. Due to how the challenge is written, it may be possible to guess the full flag without executing the ROM (such as using static analysis in tools like Ghidra), but that’s no fun, now, is it?

Aside: Development

This challenge was written using the devkitPro GBA SDK and the HeartLib helper library, which massively assisted in the development of this challenge. If you wish to compile this challenge for yourself, peek at the C code powering it, or even use it to base your own GBA development endeavors, the source code can be found on the SunshineCTF GitHub.

TSATechie Writeup

Wed, 11 Nov 2020 00:00:00 +0000

This is a multiple-part challenge, most of it which is done offline. The challenge is structured into three main components:

Hand-crafting a serial number based on given information
Using the newly-created serial number to generate an iPhone’s UDID
Using this UDID, on top of the given iPhone model, to fake a response from a device enrollment challenge

A foreward

The serial number and UDID in this challenge are not of iPhones owned by anyone. While it’s possible for the serial number to eventually be valid, it was intentionally chosen to be at a future date. The MAC addresses, while theoretically valid (they do belong to Apple, are random.

Creating a Serial Number

The PDF that players are given is designed to reveal all the information needed to craft the rest of the serial number, and later, the UDID.

The serial number given in the PDF is ##T##621J##H. The goal is to find the missing characters.

As Apple does not document their serial number format publicly, third-party resources have to be relied on. Tab-TV.com has a good, albeit somewhat inaccurate (some information omitted), reference image that says what each of these missing fields are, which can be found with a Google search.

The first two missing characters maps to the Foxconn factory ID in Zhengzhou (FK). This information is revealed in multiple ways:

Plus Code: The HV55+C8 identifier in the “seized note” is a few blocks away from the factory.
Flight History: The original departure location is meant to originate near the factory.

The next two missing characters is the production week of the device (DP). This information can also be found online and the solution is provided redundantly:

Flight History: All dates given are in the same week.
Information: Seizure date is also within the expected week.

The last two missing characters is the device model. Here, it’s an iPhone 8, as given in the Seized Device section. The numerical identifier for the model (JC6) can be found on the Tab-TV diagram, but is also colloborated by a few pieces of information:

Device: iPhone10,1 is the device’s model and maps to an iPhone 8.
Flight History: The layover in Japan is a hint that this is a Japanese iPhone. This is mostly trivia, but can be used for checking the final serial number.

Now that the serial number is found, we can craft the UDID.

Creating a UDID

The UDID is a unique identifier for each iPhone. The iPhone 8 uses an older format for UDIDs, which can be summarized as:

UDID = SHA1(serial + ECID + wifiMac + bluetoothMac)

The ECID and both MAC addresses given are already in the correct format, so this should be a simple excersize in string concatenation and hashing.

The string that should end up getting hashed is:

FKTDP621JC6H284313561763971814:88:e6:ac:6314:88:e6:ac:64

This should output the UDID of the hypothetical device, which is 1d87930059bad8eab14bebb81d7680c02a299ac6.

This can be verified in the PDF, where the last five characters are exposed for this reason.

Device Enrollment Challenge

The Web server linked is mostly static files, except for the endpoint at POST /udid/verify. This endpoint is linked inside of the enrollment.mobileconfig file served by the web server.

This endpoint expects a request body that is a PLIST in the following format:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>UDID</key
        <string>1d87930059bad8eab14bebb81d7680c02a299ac6</string>
        <key>PRODUCT</key>
        <string>iPhone10,1</string>
</dict>
</plist>

This format can be scraped with a MITM proxy tool like Burp Suite or Charles Proxy running on an iPhone completing the enrollment challenge, however, the body will be sent as a binary PLIST. Additional work may be neccessary to convert it to plaintext on non-Apple software. The response is also documented on Apple’s website here, but it’s quite hard to find so it shouldn’t be an expected solution.

It is worth noting that the device enrollment challenge only gets the UDID and model of the device and does not store this data nor is the profile persistent. It is only compared with the known UDID.

Sending a body in this format (either in plaintext or as a binary) will reveal the flag. Both the UDID and Product fields must be accurate for the flag to be shown.

PasswordPandemonium Writeup

Wed, 11 Nov 2020 00:00:00 +0000

This is a pretty simple challenge. You have to find a password that meets the requirements below:

Minimum length of 8
Maximum length of 32
Must include at least one letter
Must include >= 2 special characters
Must include a prime amount of numbers
Must have even amount of capital and lowercase characters
Must include an emoji
MD5 hash must start with a number
Must be valid JavaScript that evaluates to True
Must be JavaScript that does not evaluate to a String
Must be a palindrome

This challenge should be pretty self-explanatory. The only thing that may be worth noting are the last two requirements, which the following should be noted:

This challenge uses QuickJS to validate JavaScript. While most JavaScript features should be supported, some methods like console.log and all DOM operations are not considered valid. However, those solutions wouldn’t be valid anyways, as they wouldn’t likely evaluate to True.
1 is evaluated as True, as are strings.
To make the password palindromic, you can abuse inline comments.

Some possible solutions include:

(_=>(1))()//Xx🐬xX//)())1(>=_(
1//Ab✔bA//1
()=>{}//Ab1👋1bA//}{>=)(

Submitting a valid password (and a non-empty username) will reveal the flag. Otherwise, the most “minor” invalid rule would be displayed to the user.

PivotPlaneHinge Writeup

Sat, 24 Oct 2020 00:00:00 +0000

A foreward.

I tend to be more experienced with Web development, so I figured this would be a good challenge to try to attempt. However, before now, I never worked with WebSockets in any capacity (which was the core of this challenge), nor have I worked extensively with Burp Suite (I tend to use Charles Proxy more often). If beginners take anything out of this, is to just try! I see CTFs as a learning tool more than anything, so it ultimately doesn’t matter if you fail to solve a challenge. What matters is that you learned something.

This challenge eventually inspired me to take on a WebSockets project a week or two later for KnightHacks 2020.

First Observations

When loading the page, you are given an edit of the TempleOS website with a text box to control a WebSockets connection. All connection activities are then written to the top of the page.

For web debugging, I tend to use Charles Proxy, but it complained about the lack of secure WebSockets on my version, so I opted to use Burp Suite.

I noticed that the button that said cat flag.txt was just sending that string through the WebSockets connection and the server behaved differently as a result. I also noticed that the server allowed Burp to edit the contents of the WebSocket messages between the client and server, meaning they aren’t being validated for integrity. This made me think: maybe we can spoof a WebSockets message?

Initial Response on Connection

{
  "introText": "Received websocket connect requestm: http://pivotplanehinge.ctf.cuctf.io:8079 : map[Accept:[*/*] Accept-Encoding:[gzip, deflate] Accept-Language:[en-US,en;q=0.5] Cache-Control:[no-cache] Connection:[keep-alive, Upgrade] Dnt:[1] Origin:[http://pivotplanehinge.ctf.cuctf.io:8079] Pragma:[no-cache] Sec-Websocket-Extensions:[permessage-deflate] Sec-Websocket-Key:[MS16YSchcX4qELfLc6NWoQ==] Sec-Websocket-Version:[13] Upgrade:[websocket] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0]] Host: pivotplanehinge.ctf.cuctf.io:8079",
  "connectedHosts": [
    "admin 8.8.8.8",
    "user1 pivotplanehinge.ctf.cuctf.io:8079"
  ]
}

I also noticed the connectedHosts property with an admin user at 8.8.8.8 and user1 at the challenge domain. Maybe this is what we can spoof?

Spoofing the Hostname

Find-and-replace

My first attempt at spoofing the hostname (so I can connect as admin) was to replace all instances of pivotplanehinge.ctf.cuctf.io in the request/response with 8.8.8.8 (string replacement). However, this messes up the HTTP connection and redirects the page to 8.8.8.8 (which we don’t want). I tried a more focused find-and-replace to see what would be accepted, but this was fruitless. Some things were fine to edit (such as the user agent) while other ones (like anything referencing WebSockets) unsurprisingly broke WebSockets.

Accessing from IP

I also tried to access the challenge from its IP address, 35.186.188.9. The page loads, but no WebSocket connections are accepted.

Editing the `hosts` file

I added a temporary entry to my hosts file to redirect the hostname pph to the challenge IP. The challenge did load as expected.

I also tried to replace pph in my entry with 8.8.8.8. This did not work, and I’m shocked it didn’t break Windows.

PowerShell commands

After this, I tried to see if there were any Windows commands that can change routing so 8.8.8.8 loads the challenge page. After some searching, I found the netsh and route utilities, neither which did the trick.

Back to Burp Suite

My initial attempt to search for a solution that used Burp Suite was fruitless, but after a while of searching, I stumbled upon this forum post, which was the key to this challenge. I followed the directions it suggested to configure request handling to redirect to the challenge IP.

This did the trick nicely! I was able to load the challenge from 8.8.8.8, sent the cat flag.txt command, and I got the flag! 🎉

Line of Best Fit in Microsoft Office 2016

Wed, 29 Aug 2018 00:00:00 +0000

Microsoft Office 2016 was a major update for the Office suite and a good amount has changed, including how to plot a “Line of Best Fit.” This guide will walk you through how to add one to your graphs with ease, as well as some other useful elements like axis labels.

Instructions

This tutorial already assumes you have your graph created with data added. Your screen might look something like this (don’t worry: this is done in a very similar way in Microsoft Word, too):

Make sure you are selecting the graph. Once you do so, you are able to go to Chart Design. Click it, and it should change the ribbon menu to show more chart-oriented options.

One of these options are to Add Chart Element. Click this, and you should be prompted with several options.

Go to Trendline, and then choose the trendline you want to add. In this case, we are going to add a Linear trendline.

Doing so should create a dotted-line between your points, which is your Line of Best Fit.

Now your Line of Best Fit is in your graph! However, there are other chart elements you can add or remove. For example, you can add axis labels, a legend (key), and remove or add gridlines. Some of these are quite useful, so adding them is probably a smart idea, especially for a school science class!