28 Apr 2014

PlaidCTF 2014 – tenement [100]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The Plague has tried to make things easy for you in this service, but not too easy. He’s called The Plague, not The Nice Guy. The service should be running at 54.235.7.236:9999.

Tenement is a remote pwnable – it’s a normal x86 binary.

Upon initialization it loads a json file, using libjansson, which contains the flag and an array with memory addresses. The flow goes like this:

  1. The flag is first copied to a malloc’d buffer, prefixed with “PPPP:”
  2. A random memory address is picked from the json’s array mentioned earlier
  3. mmap() is called using this picked address as the starting address
  4. The “PPPP:<flag>” buffer is copied there, and the memory protection is set to PROT_READ
  5. Finally, the malloc’d buffer and the stack are “cleaned” (memset) and the json objects “deleted”


21 Apr 2014

PlaidCTF 2014 – harry_potter [300]


The harry_potter pwnable is a network service that does not appear to do a whole lot:

$ nc 54.198.150.4 666
If you guess the password, I will give you a reward!

Running the binary in strace shows what is going on:

21 Apr 2014

PlaidCTF 2014 – PolygonShifter [100]


The Plague has purchased the newest invention, Polygon Shifter to protect his website. This cutting edge technology is made available by Polygon Security, and they have a demo page on their website. They claim bots can no longer attack the website protected by the Polygon Shifter. Do we need to manually bruteforce the credentials?

On the Polygonshift website is a live demo form where you can log in as user test/test or as user admin/?????. After logging in as user admin with password `a' OR 1=1 and username='admin'#` we get the message "Hello, admin!! My password is the flag!". So, we have a blind SQLi and the goal is to get the password of the admin user.

21 Apr 2014

PlaidCTF 2014 – Kappa [275]


Kappa is a network service that is a very basic text-based pokemon game. In the end we found multiple bugs in the service, but the one we used was so cleanly exploitable that we think it was probably the intended solution.

When you connect, you get this menu: