codezen.fr

CSAW 2012 CTF – Exploit 400 Write-up

04/10/2012 (04/10/2012) aXs

We have a binary with a format string vulnerability: $ nc localhost 23456 What would be the last word you want say before the Mayan Calender ends? Saying: %p %p %p %p Starting count down to the end of the world! 5 4 3 2 […]

CSAW 2012 CTF – Exploit 300 Writeup

03/10/2012 aXs

We have an interesting binary that uses signals to call functions. The most interesting handler is the user input handler: (function names are my own, binary was stripped) .text:080488C8 inputHandler proc near ; DATA XREF: sub_8048A3D+2Bo .text:080488C8 .text:080488C8 s […]

SecuInside 2012 – Dethstarr binary Write-up

12/09/2012 aXs

Quick solution post for this challenge for future reference This a memory overwrite exploit, it’s a bit convoluted because ASLR was enabled and so we need to do an infoleak to get the right offset inside libc. #!/usr/bin/env python import socket import sys import time import struct if len(sys.argv) != […]

Stripe CTF Level 8 Solution

30/08/2012 aXs

Quick solution post before leaving for vacation for Stripe’s CTF Level 8. #!/usr/bin/env python # aXs – http://codezen.fr # # Stripe CTF Level 8 import time import requests import socket import threading import SocketServer import Queue import json import random import sys remote_port = 0 q = Queue.Queue(maxsize=0) class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler): […]

Sample gdlog job file for Battle.net SRP

12/08/2012 (12/08/2012) aXs

[Update 12Aug: I tuned the spStep parameters to generate more relations. Otherwise solving may fail for some target] See RFC 2945 for details on SRP and this reference for Blizzard’s specific implementation. g is well-know 47 p is well-know N 112624315653284427036559548610503669920632123929604336254260115573677366691719 q = (p-1)/2 t (target) is your verifier such […]

NDH2k12 Public Wargame – Personal Blog

02/07/2012 (02/07/2012) aXs

This is a SPIP site. This version of SPIP stores database dump in /tmp/dump/[site name]_[date].xml Article 1 gives a huge hint about the correct date: http://54.247.160.116:8003/spip.php?article1 27 February 10:57, by Friendly-Boy – “Hii dude, did u remember to made a backup of ur site for the migration ?” 27 February […]

NDH2k12 Public Wargame – Break Me Like Your Sister – zomb_crypt

02/07/2012 aXs

$ ls -la total 64 -rw-r–r– 1 francois francois 38120 Jun 30 01:29 crypto-1.jpg -rw-r–r– 1 francois francois 3226 Jun 13 20:50 zomb_crypt.pyc $ file * crypto-1.jpg: JPEG image data, JFIF standard 1.01 zomb_crypt.pyc: python 2.6 byte-compiled $ python Python 2.6.6 (r266:84292, Dec 27 2010, 00:02:40) [GCC 4.4.5] on linux2 […]

NDH2k12 Public Wargame – RSA Writeup

02/07/2012 aXs

Simple RSA: $ cat john.pub —– BEGIN PUBLIC KEY —– KG4gPSAxNTQ5Mzg4MzAyOTk5NTE5LCBlID0gMTAxKQ== —– END PUBLIC KEY —– francois@squeeze:~/ndh2012/public/rsa$ echo -n "KG4gPSAxNTQ5Mzg4MzAyOTk5NTE5LCBlID0gMTAxKQ==" | base64 -d (n = 1549388302999519, e = 101) e = 101 n = 1549388302999519 Factorize n -> n = p * q -> 1549388302999519 = 31834349 * 48670331 $ […]

NDH2k12 Public Wargame – Crackme Bukkake Writeup

01/07/2012 (02/07/2012) aXs

Simple crackme. After a bit of reversing in IDA: .text:08048F3C mov eax, [ebp+password] .text:08048F3F mov [esp+4], eax .text:08048F43 lea eax, […]

NDH2k12 Public Wargame – Password Manager #2 – KeePassX Writeup

01/07/2012 (02/07/2012) aXs

In this challenge we get a Windows XP memory dump and we are told to get the password inside a KeePassX file. KeePassX stores critical key encrypted in memory following a memory dump attack described here: http://systemoverlord.com/sites/default/files/projects/KeePassX.pdf But it’s still possible to dump keys with the current version. Please see Hugo […]

codezen.frcode hacking, zen coding