October 2012 - codezen.fr

Hack.lu CTF – Python Jail Writeup

25/10/2012 aXs

Challenge source code: #!/usr/bin/env python ”’ Running instructions. sockets are insecure. We do not implement any socket behaviour in this file. Please make this file +x and run with socat: socat TCP-LISTEN:45454,fork EXEC:./chal.py,pty,stderr Debugging: Just execute chal.py and play on terminal, no need to run socat Note: This […]

GreHack 2012 – Web100 (python daemon) Writeup

20/10/2012 aXs

I don’t know why this was classified as “Web” during the CTF because it’s actually a Python TCPServer, nothing to do with Web. Anyways, the only hint we get for this challenge is “192.168.203.35:30050” When telneting to it, it does nothing, no banner. Sending a string will make it output […]

HackYou CTF – PPC 200 – Oscaderp Forensic Writeup

19/10/2012 (19/10/2012) aXs

Don’t you love challenge with README ? We need your help, soldier! Your goal today is to help us obtain the access to Oscaderp Corp mainframe. Our intelligence has managed to install a keylogger and a formgrabber on some bad person’s work laptop. You don’t need his name to do […]

HackYou CTF – Epic Arc 300 – CTF.EXE Writeup

19/10/2012 aXs

In this challenge we get a Win32 console binary which just display garbage when started. Reversing it with IDA, we see it connects to a TCP server. I had noticed previously that the file being transfered in the Epic Arc 200 challenge was an Erlang BEAM file (compiled erlang) This […]

HackYou CTF – Web 300 – RNG of Ultimate Security Writeup

19/10/2012 aXs

Web challenge. We have the “source code” and we know the location of the flag: <!– can’t touch this: http://securerng.misteryou.ru/flag.txt.gz –> <!– can touch this: http://securerng.misteryou.ru/index.php.txt –> The web page is simple form to generate pseudo-random numbers. Here is the form: <form method=’POST’> Enter the […]

HackYou CTF – Crypto 300 – UDP Hardcore Writeup

18/10/2012 aXs

In this challenge we need to guess the secret key used by an encryption service running over UDP. We get the source of the server-side. The encryption algorithm uses a Sbox that is initialized with sequential numbers from 1 to 128: SALTED_SBOX = list(range(128)) Then the secret key is mixed […]

CSAW 2012 CTF – Exploit 500 Writeup

05/10/2012 aXs

Exploit 500 is the final exploitation challenge for CSAW CTF. It looks like a game asking questions. You get 2 tries per question. .text:08048CF7 buffer1 = byte ptr -4B4h .text:08048CF7 buffer2 = byte ptr -438h .text:08048CF7 answer = […]

CSAW 2012 CTF – Exploit 400 Write-up

04/10/2012 (04/10/2012) aXs

We have a binary with a format string vulnerability: $ nc localhost 23456 What would be the last word you want say before the Mayan Calender ends? Saying: %p %p %p %p Starting count down to the end of the world! 5 4 3 2 […]

CSAW 2012 CTF – Exploit 300 Writeup

03/10/2012 aXs

We have an interesting binary that uses signals to call functions. The most interesting handler is the user input handler: (function names are my own, binary was stripped) .text:080488C8 inputHandler proc near ; DATA XREF: sub_8048A3D+2Bo .text:080488C8 .text:080488C8 s […]