02 - Fairgame Rundown

RPISEC
Fairgame Rundown
Fall 2022
RPISEC - 09/30/2022 RPISEC 1

Fairgame
• Fairgame is an introductory CTF
• Runs until winter break
• Covers five subjects:
– pwn - binary exploitation
– re - reverse engineering
– crypto - cryptography
– web - web applications
– misc - puzzles, steganography, party tricks, etc.

Tooling
• VM installation was covered at INTROSEC
• Includes a variety of useful tools
• Get it here: http://tools.rpis.ec/
• We’ll also assume you have some basic experience with the
Linux command line
– All important commands are shown, though!

Conventions
$ commands are shown like this

misc
• misc chals cover a variety of topics
• Finding the right angle is key

misc100?
- Our misc100 is somewhere on Slack this year (:
- ...so we'll look at misc200 instead
- (it's definitely not just the normal misc100)

misc200 - “Flag? What Flag?”
• Download misc100.tar.gz
• This is a gzipped tarball
– gzip compresses files
– tar puts files into a single archive - a “tarball”
• Basically the .zip of Linux

misc200 - “Flag? What flag?”
• We’re told it’s an ext2 disk image
• ext2 is a predecessor of ext4
• We can mount the image to browse its contents like a flash
drive

• Extract it with:
tar -xf misc100.tar.gz
• -x to extract
• -f to specify the file


• One file comes out, misc100.img
• .img files are usually disk images
– Basically a snapshot of a storage device
• We can find out what kind of image it is with:
file misc100.img
• The file command tries to identify a file

• First, make a directory to mount to:
mkdir mnt

• Then, mount the image:
sudo mount -o loop misc100.img mnt
• mount requires root powers, hence the sudo
• Root password on the Tools VM is rpisec
• Now you can browse the files within:
cd mnt

• Let’s look around a bit
ls
• You’ll see the following files:
bin dev etc lib linuxrc lost+found proc sbin tmp usr var
• So this is a disk image of some Linux system

• ...but where’s the flag?
• Let’s take a closer look!
ls -la
• -l to show files in a list
• -a to show all files

• There’s a file called .flag in there!
– Files with a . in front are hidden by default
• So, what is it?
file .flag
• It’s gzip compressed data
• We can extract it with...gzip, of course
• The mounted image is read-only, though, so we’ll move the
file first.
cp .flag /tmp/flag.gz
cd /tmp
gunzip flag.gz
• Now we have a file called flag
file flag
• It’s a .tar again!
tar -xf flag
• The .tar contained a file called flag, so it overwrote itself
• Now we can just…
cat flag

• This sort of challenge becomes very easy once you’re used to
the terminal
• Always try to figure out what is you’re looking at!
– file
– binwalk

web
• web challenges deal with...web stuff
– Pretty much anything with a browser
• Split into two big categories:
– Client-side: attacking the browser
– Server-side: attacking the server

web100 - “Client Page”
• web100 presents us with a login screen
• First, we should examine the page!
• In Firefox, hit ctrl+u to view the page’s source

• auth.js sounds interesting!
• Click on it to view the file

• Oh no! Client-side authentication!
– The login is checked in your browser…
– ...and not on the server
• users sounds pretty interesting...

• Open the dev console with F12 or ctrl-shift-I
• Now we can look at users by typing…
users
• It’s an array of two things, so view the first one:
users[0]
• Looks like a username and password to me!
• Log in and get the flag
• That was easy.
• The rest are harder!
• Web challenges cover a lot of territory:
– SQL injection to abuse badly written database queries
– XSS (cross-site-scripting) to make other users run code
– Uploading malicious files and viewing those we shouldn’t

crypto
• crypto challenges fall into two camps:
– Classic ciphers, which are extremely weak
∘ Caesar ciphers
∘ Vigenere ciphers
– Modern ciphers, but with a deliberate mistake
∘ RSA
∘ DES

crypto100 - “Classic”
• This one is a classical cipher
– The title is a pretty big hint
– The cipher clearly didn’t hide the flag
vbqw{0bt1u_rkj_d0j_i0_we0t1u}
• So, we just need to identify the cipher

• Tools exist online for all of these
• Two of my suggestions:
– https://gchq.github.io/CyberChef/
– https://cryptii.com/

• It was a Caesar cipher.
– A=K
– Shift of 10

• Classical ciphers can be broken easily:
– Guessing all the keys (Caesar)
– Exploiting language patterns (Vigenere)
∘ E shows up way more than Z
• Attacking modern ciphers like this does not work:
– Huge keys, expensive operations
– The universe dies before you find the flag
• Crypto challenges will always have a trick
– Implementation errors, bad parameters, etc.

re and pwn
• re and pwn are two sides of the same coin
– re: figure out how a system works
– pwn: figure out how a system breaks

re100 - “Milk Run”
• Reversing is an incredibly deep subject
– static analysis!
– dynamic analysis!
– decompilation!
• Fortunately, re100 is pretty simple
– The program has a secret.
– We want the secret.
– Hey, isn’t this basically web100?

• First, try running the program
./re100
• We type some gibberish, it says no

• A great place to start is strings
• Shows readable text in a file
strings re100
• That’s a lot of text...

• We don’t want to read all of that
• We can use grep to filter it down
– grep takes a string to look for
strings re100 | grep flag

• The | is a pipe
– strings writes some stuff
– grep reads that stuff
• And there’s the flag!
• re is a huge puzzle
• There are many powerful tools out there:
– IDA/Ghidra/Binary Ninja/r2 for pulling apart a program
– strings and hexdump to peek at data
– objdump to find function names
– gdb to see what happens at runtime

pwn100 - “Rewards Program”
• pwn is what our motto is all about:
– Break it
– Hack it
– Own it

• First, run the program
chmod +x rewards-program
./rewards-program
• It asks for your name. Type something short.

• Darn :(

• What if we had a longer name?
• Let’s say our name is…
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

• That’s...interesting

• Our input made some weird stuff happen:
– It messed up the point counter
∘ 1094795585 is not 0
– It crashed the whole program!
∘ Segfault!
• (we accessed invalid memory)
• We just broke it

pwn100 - "Rewards Program"
• The program stores our name next to the point counter
int points = 0;
char foo[20];
• But it only has room for 20 characters

• Our name was 32 characters long

• This is a buffer overflow
– The program didn’t have room for our name
• 20 bytes of A's fit correctly
• The next 4 bytes clobbered the point counter
• The rest screwed up C's bookkeeping

• So, how exactly did we get 1094795585 points?
• Let’s look at that number in a different way:
– Decimal: 1094795585
– Hex: 0x41414141
• That looks familiar.
• What was A in ASCII, again?

• 0x41 = ‘A’
• 0x41414141 = ‘AAAA’
• So, what if we want 322424845 points?

• Just go from decimal to hex:
– Decimal: 322424845
– Hexadecimal: 0x1337D00D
• very leet, d00d
• That’s hard to type!
– 0x13 is “device control 3”
– 0x0D is a carriage return
– 0xD0 is a Unicode Ð

• python is great for this.
– Specifically, python 2, because it's nicer for binary data
– This prints out AAAAAAAAAAAAAAAA - sixteen A’s
python2 -c "print 'A'*16"

• We can pipe that into the program like this:
python2 -c "print 'A'*16" | pwn100

• Experiment with this until you just barely corrupt the counter

• We needed 21 A’s to change our points to 65
– Decimal: 65
– Hexadecimal: 0x41
• So, let’s send 20 A’s, then 1337D00D!
python2 -c "print 'A'*20 + '\x13\x37\xd0\x0d'" | pwn100

• Hang on, that gave us 231749395 points
– Decimal: 231749395
– Hexadecimal: 0x0dd03713
• It’s...backwards?

• The program’s variables are stored on the stack.
• The stack grows downward, from the largest address.
• In pwn100, it looks something like this:
– reward points (4 bytes)
– name (20 bytes)
• name is before reward points in memory

• If we make our name too long, it messes up the points
counter.
• This goes from low to high memory
• The first byte is the least significant byte
– 21 A’s gave us 65 points, remember?

• 20 A’s + \x0d:
– 0x0000000D
• 20 A’s + \x0d\d0:
– 0x0000D00D
• 20 A’s +\x0d\xd0\x37:
– 0x0037D00D
• 20 A’s + \0d\xd0\x37\x13:
– 0x1337D00D

• So, by putting the four bytes in reverse order...
python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'" |
nc chals.fairgame.rpis.ec 5001
• ...we have the right number of points!

• Now we just need to do it remotely.
• Most pwn challenges work like this
– Can’t just give you the program with the flag!
– Remember re100?
• We’ll use netcat, or nc for short
• Try talking to the program again

• Last step: pipe Python’s output into nc!
python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'" |
• (all on one line)

• It worked!
• ...wait, we can’t do anything
• The program executes a shell when you win
• We can’t type anything
– nc is getting its input from Python
– Python isn’t doing anything with keyboard input
• This sucks

• Solution:
(python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'"; cat) |
• This executes python2, then cat

• cat will just repeat whatever we type
– ...which gets piped into netcat!

• pwn is a staple of CTFs
• Creativity and patience are a must
• Too many techniques to count!

Review
We’ve covered the basics of five CTF categories:
• misc - the potpourri category
• web - browser and web server tricks
• crypto - uncovering ciphered data
• re - figuring out how a program works
• pwn - figuring out how to break a program

Coming Soon...
● Next week: web!
● Get involved with RPISEC @ https://rpis.ec/contact
○ Slack can be found on https://rpisec.slack.com
■ Come chat with RPISEC members and alumni!
○ Mailing list invite can be found on contact page

02 - Fairgame Rundown

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02 - Fairgame Rundown

Uploaded by

Copyright:

Available Formats

RPISEC

RPISEC - 09/30/2022 RPISEC 1

RPISEC - 09/30/2022 RPISEC 2

RPISEC - 09/30/2022 RPISEC 3

RPISEC - 09/30/2022 RPISEC 4

RPISEC - 09/30/2022 RPISEC 5

RPISEC - 09/30/2022 RPISEC 6

RPISEC - 09/30/2022 RPISEC 7

RPISEC - 09/30/2022 RPISEC 8

RPISEC - 09/30/2022 RPISEC 9

RPISEC - 09/30/2022 RPISEC 10

RPISEC - 09/30/2022 RPISEC 11

RPISEC - 09/30/2022 RPISEC 12

RPISEC - 09/30/2022 RPISEC 13

RPISEC - 09/30/2022 RPISEC 14

RPISEC - 09/30/2022 RPISEC 15

RPISEC - 09/30/2022 RPISEC 18

RPISEC - 09/30/2022 RPISEC 19

RPISEC - 09/30/2022 RPISEC 20

RPISEC - 09/30/2022 RPISEC 21

RPISEC - 09/30/2022 RPISEC 22

RPISEC - 09/30/2022 RPISEC 23

RPISEC - 09/30/2022 RPISEC 25

RPISEC - 09/30/2022 RPISEC 26

RPISEC - 09/30/2022 RPISEC 27

RPISEC - 09/30/2022 RPISEC 28

RPISEC - 09/30/2022 RPISEC 29

RPISEC - 09/30/2022 RPISEC 30

RPISEC - 09/30/2022 RPISEC 31

RPISEC - 09/30/2022 RPISEC 32

RPISEC - 09/30/2022 RPISEC 33

RPISEC - 09/30/2022 RPISEC 34

strings re100 | grep flag

RPISEC - 09/30/2022 RPISEC 36

RPISEC - 09/30/2022 RPISEC 37

RPISEC - 09/30/2022 RPISEC 38

RPISEC - 09/30/2022 RPISEC 39

RPISEC - 09/30/2022 RPISEC 40

RPISEC - 09/30/2022 RPISEC 41

RPISEC - 09/30/2022 RPISEC 42

• But it only has room for 20 characters

RPISEC - 09/30/2022 RPISEC 43

RPISEC - 09/30/2022 RPISEC 44

RPISEC - 09/30/2022 RPISEC 45

RPISEC - 09/30/2022 RPISEC 46

RPISEC - 09/30/2022 RPISEC 47

python2 -c "print 'A'*16"

RPISEC - 09/30/2022 RPISEC 48

RPISEC - 09/30/2022 RPISEC 49

RPISEC - 09/30/2022 RPISEC 50

RPISEC - 09/30/2022 RPISEC 51

RPISEC - 09/30/2022 RPISEC 52

RPISEC - 09/30/2022 RPISEC 53

RPISEC - 09/30/2022 RPISEC 54

• ...we have the right number of points!

RPISEC - 09/30/2022 RPISEC 55

RPISEC - 09/30/2022 RPISEC 56

• (all on one line)

RPISEC - 09/30/2022 RPISEC 57

RPISEC - 09/30/2022 RPISEC 58

• This executes python2, then cat

RPISEC - 09/30/2022 RPISEC 59

RPISEC - 09/30/2022 RPISEC 60

RPISEC - 09/30/2022 RPISEC 61