This is a detailed discussion of the generic PHP-CGI remote code execution bug we found while playing Nullcon CTF. We found that giving the query string ‘?-s’ somehow resulted in the “-s” command line argument being passed to php, resulting in source code disclosure. We explored this bug further and managed to improve our exploit to remote code execution, and trace the bug to a PHP commit in 2004.
PHP has been working on a patch for this for quite a while. We have been waiting to post this blog entry until a fix was released, but today the bug was posted to reddit because it was apparently accidentally marked public.
The biggest event of the robot year is happening this week! Robot invitations are cool in that they are just a password that validates at the door. We acquired the validator to be used. Can you find an invitation for us in time?
In this challenge we’re given an ELF binary which asks for a password. Disassembly in IDA quickly shows what the mess is all about – function pointers, lots of them.
Robots enjoy some strange games and we just can’t quite figure this one out.
Maybe you will have better luck than us.
Title: The Game (100)
Category: Potpourri
The challenge consisted of a game we could play by connecting to a service running on port 6969.
The game provided two hex strings, and our job was to find out which one was the biggest.
To get the key, we had to win 75 runs in a row.
We recently intercepted a plethora of robot transmissions but they are all encrypted with some strange scheme we just can’t quite figure out. Can you crack it?
200 points, Password Guessing, 6 teams solved this
A very cool and surprisingly easy crypto challenge: all you have to do is break 4096-bit RSA!
Of course, there are some special circumstances which make solving this possible at all. We have two files: one is the encrypted data (presumably; it is named enc.dat and looks like random data) and the other is an RSA public key in PEM format. Let’s list the details of this public key:
Robots are running a secret service that aims to mill down diamonds into fairy dust, and use it to take over our world! Help us please!
300 points, Pwnables, 18 teams solved this
This is one of those challenges where just playing around with it turned out to be faster than actually figuring out what was going on.
This was a remote exploit challenge. The service in question allows you to create “chests” (or data stores) which can hold a certain amount of data. If you add more data, the chest is deleted (“blows up”). You can also destroy a chest yourself. It is possible to access a chest from more than one connection at a time, leading us to suspect a synchronization issue.
We found a simple web application that robots made to serve tmp files for debugging purposes. SSH into the machine as your_user@174.129.69.147 and exploit the web app to read their secret.
Title: Bunyan (200)
Category: Pwnables
The challenge consists of a web server written in Go.
Format is exactly what you’d expect: a remote format string exploit. To get to the format string takes a little bit of reversing first, but it’s not too hard.
Robot hackers, like their human counterparts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?
Title: Paste (100)
Category: Practical Packets
This challenge is a web application, a pastebin for robot hackers. Luckily the humans got the source code. It contains an admin cookie employing the well-known ‘security by obscurity’ method, a questionable preg_replace statement using eval mode and an unchecked require. What can we do with those?
So apparently robots, despite their lack of hormones, still have an underlying desire to mate. We stumbled upon a robot dating site, RoboDate. Hack it for us!
Title: RoboDate (100)
Category: Password Guessing
The challenge is to get admin rights on a robo-dating website.
We found the source code for this robot encryption service, except the key was redacted from it. The service is currently running at 23.21.15.166:4433
Title: Encryption Service (300)
Category: Password Guessing
The service basically implements an encryption oracle: it reads data from the socket and returns the AES-CBC encrypted version of this data concatenated with a secret string. The challenge is to find this secret string.