Antisiphon Flash CTF #3 2022 Writeup
Sep 18, 2022
6 minute read

    Unfortunately I didn’t make it through all these challenges, but I did want to share my answers to the one’s I did complete, share my thought process, and initial thoughts on the challenges I didn’t get.

    Dauntless Defacement (Forensics)

    We are given a PCAP file. Open this in wireshark and start tracing TCP messages. Eventually you’ll find the message where the attacker was playing with one of the dns lookup endpoints.

    The attacker found that you can append a ; and another command and the server will execute it and render it.

    From there, the attacker used wget to download a hack.zip file containing some files.

    We have access to that file but we needed the password.

    Continuing on with the packet capture we can see at some point the attacked enters the password for the archive.

    The archive contains a file called secret.txt which contained the flag.

    Just My Kind Of Type (Web Exploit)

    This was a file upload challenge, featuring a basic php site, with the ability to upload a profile image.

    After some research I thought this was probably going to be an EXIF RCE attack. I used exiftool to alter the comment attribute of a png image with some php code. Uploading was successful, but ultimately ended up with a valid image as the profile image.

    Then I started poking around the website upload to see what kind of errors I could get.

    First, I uploaded a “hello world” expliot.php file:

    <?php echo "hello world"; ?>
    

    This gave me an error saying I needed to upload a png file. I changed the extension of my file from exploit.php to exploit.php.png, which resulted in a different error message, stating the server didn’t know what the dimensions of the image were. Interesting!

    I googled around for how php can detect image sizes, and it looks like it’s common to use php’s getimagesize. Some more googling and there was some hits about reading the first few bytes from a file to quickly detect image dimenions. I figured PHP would probably do something smart like that.

    Later, I found where the php language source for getimagesize looks at bytes to detect image dimensions.

    I checked Wikipedia’s PNG article and found that the first IHDR critical chunk encodes png file dimensions in the first 8 bytes.

    At this point I had an idea to create a file by hand with a valid PNG byte header up through the IHDR block. Then I would have my php exploit payload and see if it was interpreted.

    Here was my php code to get the flag:

    <?php
    $f = file_get_contents('/flag.txt'); 
    echo $f;
    ?>
    

    I opened a valid PNG file in a hexeditor and copied the first 24 bytes or so into a new hexeditor file. Then I pasted the ascii of my php payload.

    ┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
    │00000000│ 89 50 4e 47 0d 0a 1a 0a ┊ 00 00 00 0d 49 48 44 52 │×PNG__•_┊000_IHDR│
    │00000010│ 00 00 01 00 00 00 01 00 ┊ 08 06 00 00 00 3c 3f 70 │00•000•0┊••000<?p│
    │00000020│ 68 70 0a 24 66 20 3d 20 ┊ 66 69 6c 65 5f 67 65 74 │hp_$f = ┊file_get│
    │00000030│ 5f 63 6f 6e 74 65 6e 74 ┊ 73 28 27 2f 66 6c 61 67 │_content┊s('/flag│
    │00000040│ 2e 74 78 74 27 29 3b 20 ┊ 65 63 68 6f 20 24 66 0a │.txt'); ┊echo $f_│
    │00000050│ 3f 3e                   ┊                         │?>      ┊        │
    └────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
    

    Upload of thie file was successful! When I opened the image using it’s absolute URL it spit out the flag.

    Collision (Cryptography)

    I was not able to solve this challenge, but I did end up learning a whole bunch about Cryptography, RSA and some of the common attacks against it. I think the solution has something to do with using the Chinese Remainder Theorem.

    Description

    We’ve collected 50,000 public RSA keys and encrypted the same flag 50,000 times, once with each of the public keys. See if you can recover the original flag by taking advantage of this. Download this file to get started.

    Note: e = 65537 and the file is formatted C\tN (where C is the ciphertext and N is a part of the public key). The flag was converted from base 36 to base 10, so you’ll need to reverse this transformation to get the flag from the RSA plaintext. You can use CyberChef like this to do that.

    Approach

    I wasn’t sure what e meant, so I had to look that up. It’s known as the public exponent of RSA. And as it turns out: “65537 is commonly used as a public exponent in the RSA cryptosystem.” It’s used everywhere as a safe value for the purpose of e.

    After watching a bunch of youtube video on RSA and other encryption tutorial, I stumbled across a question on SE that started to point me in the right direction.

    Can RSA encryption produce collisions?

    Yes, 𝑚𝑒 is in fact supposed to be larger than the public modulus 𝑁, or else it would be trivial for an attacker with knowledge of nothing but the cipher text and the public exponent to calculate 𝑚. If 𝑚𝑒 is less than 𝑁, then it is obviously equal to its residue mod𝑁. Calculating roots is not hard; calculating the root of a residue mod𝑁 is.

    and this

    Can one private key be associated with several public keys?

    basically multiples of ϕ(N) that satisfy e∗d=1modϕ(N) will produce multiple public keys for the same private key. This is also a serious security flaw in RSA . If someone gets a hold of several public keys - they can subtract them to get to ϕ(N). And then it all falls apart from there…. The only way around this is to have very large P,Q prime numbers and basically cross your fingers

    Inventory (Binary Exploitation)

    I didn’t spend much time on this one, but im guessing it uses a buffer overflow with one of the inputs due to a vulnerable lic dependency.

    Description

    You came across an inventory update server running at host1.metaproblems.com 5300 (you can connect using nc) while scanning the internal network. After locating the source and binary for service, you found that this server is implemented fairly well compared to what you’ve seen so far. However, after looking a bit closer into the code, you start to feel that something isn’t quite right. Could you find out what’s wrong with the program in order to exploit it and get the flag?

    Please note that the remote server is running libc-2.28.so, though you do not need the libc to solve this challenge.